This document contains proprietary information, which is protected by
copyright. No part of this document may be photocopied, reproduced,
or translated into another language without the prior written consent of
Hewlett-Packard.
Microsoft and Windows are U.S. registered trademarks of Microsoft
Corporation. CompactFlash is a U.S. registered trademark of the
CompactFlash Association. AOL Instant Messenger (AIM) is a U.S.
registered trademark of America Online, Inc. Quake is a U.S.
registered trademark of id Software, Inc. ICQ is a U.S. registered
trademark of ICQ, Inc. pcAnywhere is a U.S. trademark of Symantec
Corporation.
Disclaimer
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF
ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. Hewlett-Packard shall not be liable for errors contained
herein or for incidental or consequential damages in connection with
the furnishing, performance, or use of this material.
The only warranties for HP products and services are set forth in the
express warranty statements accompanying such products and services.
Nothing herein should be construed as constituting an additional
warranty. HP shall not be liable for technical or editorial errors or
omissions contained herein.
Hewlett-Packard assumes no responsibility for the use or reliability of
its software on equipment that is not furnished by Hewlett-Packard.
Warranty
See the Customer Support/Warranty booklet included with the product.
A copy of the specific warranty terms applicable to your Hewlett-Packard products and replacement parts can be obtained from your HP
Sales and Service Office or authorized dealer.
This manual provides information about the commands that are available with all of the ProCurve Secure
routers.
If you are new to the Operating System’s Command Line Interface (CLI), take a few moments to review
the information provided in the section which follows (CLI Introduction).
If you are already familiar with the CLI and you need information on a specific command or group of
commands, proceed to Command Descriptions on page 9 of this guide.
CLI INTRODUCTION
This portion of the Command Reference Guide is designed to introduce you to the basic concepts and
strategies associated with using the Operating System’s Command Line Interface (CLI).
Accessing the CLI from your PC
All products using the Secure Router OS are initially accessed by connecting a VT100 terminal (or terminal emulator) to the
CONSOLE port located on the rear panel of the unit using a standard DB-9 (male) to DB-9 (female) serial
cable. Configure the VT100 terminal or terminal emulation software to the following settings:
• 9600 baud
• 8 data bits
• No parity
• 1 stop bit
• No flow control
Note
For more details on connecting to your unit, refer to the Quick Configuration Guides and
Quick Start Guides located on the Secure Router OS Documentation CD provided with
your unit.
Understanding Command Security Levels
The Secure Router OS has two command security levels, Basic and Enable. Both levels support a specific set of
commands. For example, all interface configuration commands are accessible only through the Enable
security level. The following table contains a brief description of each level.

Level     With this level you can...
Enable    • manage the startup and running configurations
          • use the debug commands
          • enter any of the configuration modes

Note
To prevent unauthorized users from accessing the configuration functions of your product,
immediately install an Enable-level password. Refer to the Quick Configuration Guides
and Quick Start Guides located on the Secure Router OS Documentation CD provided
with your unit for more information on configuring a password.
Understanding Configuration Modes
The Secure Router OS has four configuration modes to organize the configuration commands: Global,
Line, Router, and Interface. Each configuration mode supports a set of commands specific to the
configurable parameters for the mode. For example, all Frame Relay configuration commands are
accessible only through the Interface Configuration Mode (for the virtual Frame Relay interface). The
following table contains a brief description of each mode.

Mode: Global
  Access by: entering config while at the Enable command security level prompt. For example:
      >enable
      #config term
      (config)#
  Sample prompt: (config)#
  With this mode you can:
    • set the system's Enable-level password(s)
    • configure the system global IP parameters
    • configure the SNMP parameters
    • enter any of the other configuration modes

Mode: Line
  Access by: specifying a line (console or Telnet) while at the Global Configuration Mode prompt.
  For example:
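The security levels and configuration modes above are visible only through the prompt character and the "(config...)" suffix, so any script that drives the console, and any review of a captured console transcript, has to classify prompts before trusting what it sees. The following Python is an added example for this guide, not code from the Secure Router OS: it classifies prompts using the shapes the manual shows ("Router>", "Router#", "(config)#", "(config-eth 0/1)#", "(config-t1 1/1)#") and audits a transcript for the condition the Note above warns about, an Enable level reached without a password challenge. Treating any "config-<name> <slot>/<port>" suffix as an Interface prompt, and any other "config-..." suffix as a Line or Router sub-mode, is an assumption made for illustration.

```python
"""Classify SROS CLI prompts and audit a login transcript for an unprotected Enable level.

Added example for this guide; not code from the Secure Router OS. Prompt shapes follow the
manual's samples. Sub-mode naming (Interface vs. Line/Router) is an assumption.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class PromptInfo(NamedTuple):
    hostname: str           # text before the prompt character, may be empty
    level: str              # "Basic" (>) or "Enable" (#)
    mode: Optional[str]     # None, "Global", "Interface" or "Line/Router"
    detail: Optional[str]   # e.g. "eth 0/1" for an Interface prompt


# hostname, optional "(config...)" suffix, the level character, then anything typed after it
_LINE_RE = re.compile(
    r"^(?P<host>[\w.-]*)(?:\((?P<cfg>config[^)]*)\))?(?P<lvl>[>#])\s*(?P<cmd>.*)$")
_SLOT_PORT_RE = re.compile(r"^\w+ \d+/\d+$")


def split_line(line: str) -> Tuple[Optional[PromptInfo], str]:
    """Split a transcript line into (prompt, typed command); (None, line) if it is output."""
    m = _LINE_RE.match(line.rstrip())
    if m is None:
        return None, line
    level = "Enable" if m.group("lvl") == "#" else "Basic"
    cfg = m.group("cfg")
    host = m.group("host")
    cmd = m.group("cmd").strip()
    if cfg is None:
        return PromptInfo(host, level, None, None), cmd
    if level != "Enable":
        return None, line        # configuration modes only exist inside the Enable level
    if cfg == "config":
        return PromptInfo(host, level, "Global", None), cmd
    detail = cfg[len("config-"):]
    # assumption: "<name> <slot>/<port>" is an interface, anything else a Line/Router sub-mode
    mode = "Interface" if _SLOT_PORT_RE.match(detail) else "Line/Router"
    return PromptInfo(host, level, mode, detail), cmd


def parse_prompt(prompt: str) -> Optional[PromptInfo]:
    return split_line(prompt)[0]


def enable_without_password(transcript: List[str]) -> bool:
    """True when 'enable' at a Basic prompt reached a '#' prompt with no 'Password:' challenge,
    i.e. the Enable-level password the manual tells you to install is not set."""
    awaiting = False
    for line in transcript:
        info, cmd = split_line(line)
        if info is not None and info.level == "Basic" and cmd == "enable":
            awaiting = True
            continue
        if not awaiting:
            continue
        if line.strip().startswith("Password:"):
            awaiting = False                 # a password was demanded, as expected
        elif info is not None and info.level == "Enable":
            return True                      # went straight to '#'
    return False


if __name__ == "__main__":
    # Constructed transcripts, not captured from a real unit.
    protected = ["Router>enable", "Password: XXXXXXX", "Router#configure terminal", "Router(config)#"]
    unprotected = ["Router>enable", "Router#"]
    print(parse_prompt("(config-eth 0/1)#"))
    print("unprotected:", enable_without_password(unprotected), enable_without_password(protected))
```

The audit function deliberately keeps waiting across output lines between the `enable` command and the next prompt, so banner text does not hide a missing password challenge.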
• Obtain syntax help for a specific command by entering the command, a space, and then a question
  mark (?). The CLI displays the range of values and a brief description of the next parameter
  expected for that particular command. For example:
Command Reference Guide: Performing Common CLI Functions

Shortcut       Description
<Ctrl> + A     Jump to the beginning of the displayed command line. This shortcut is helpful when using
               the no form of commands (when available). For example, pressing <Ctrl + A> at the
               following prompt will place the cursor directly after the #:
                 (config-eth 0/1)#ip address 192.33.55.6
<Ctrl> + E     Jump to the end of the displayed command line. For example, pressing <Ctrl + E> at the
               following prompt will place the cursor directly after the 6:
                 (config-eth 0/1)#ip address 192.33.55.6
<Ctrl> + U     Clears the current displayed command line. The following provides an example of the
               <Ctrl + U> feature:
                 (config-eth 0/1)#ip address 192.33.55.6   (Press <Ctrl + U> here)
                 (config-eth 0/1)#
auto finish    You need only enter enough letters to identify a command as unique. For example,
               entering int t1 1/1 at the Global configuration prompt provides you access to the
               configuration parameters for the specified T1 interface. Entering interface t1 1/1
               would work as well, but is not necessary.
Performing Common CLI Functions
The following table contains descriptions of common CLI commands.

Command                                Description
do                                     The do command provides a way to execute commands in other
                                       command sets without taking the time to exit the current one
                                       and enter the desired one. The following example shows the do
                                       command used to view the Frame Relay interface configuration
                                       while currently in the T1 interface command set:
                                         (config)#interface t1 1/1
                                         (config-t1 1/1)#do
no                                     To undo an issued command or to disable a feature, enter no
                                       before the command. For example:
                                         no shutdown t1 1/1
copy running-config startup-config     When you are ready to save the changes made to the
                                       configuration, enter this command. This copies your changes to
                                       the unit's nonvolatile random access memory (NVRAM). Once the
                                       save is complete, the changes are retained even if the unit is
                                       shut down or suffers a power outage.
debug                                  Use the debug command to troubleshoot problems you may be
                                       experiencing on your network. These commands provide additional
                                       information to help you better interpret possible problems. For
                                       information on specific debug commands, refer to the section
                                       Enable Mode Command Set on page 20.
(command name not shown on this page)  To turn off any active debug commands, enter this command.

Note
The overhead associated with the debug command takes up a large portion of your
product's resources and at times can halt other processes. It is best to only use the debug
command during times when the network resources are in low demand (non-peak hours,
weekends, etc.).
Understanding CLI Error Messages
The following table lists and defines some of the more common error messages given in the CLI.

Message                  Helpful Hints
%Ambiguous command       The command may not be valid in the current command mode, or you may
                         not have entered enough correct characters for the command to be
                         recognized. Try using the “?” command to determine your error. See
                         Using CLI Shortcuts on page 6 for more information.
%Unrecognized Command    The command may not be valid in the current command mode, or you may
                         not have entered all of the pertinent information required to make the
                         command valid. Try using the “?” command to determine your error. See
                         Using CLI Shortcuts on page 6 for more information.

Additional hints:
• The error in command entry is located where the caret (^) mark appears.
• Enter a question mark at the prompt. The system will display a list of applicable commands or
  will give syntax information for the entry.
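The "auto finish" shortcut in the table above and the two error messages in this table are two sides of one mechanism: each typed keyword is matched against the commands valid in the current mode by unique prefix. The following Python is an added example that models that matching; it is not code from the Secure Router OS, and COMMANDS is a constructed subset (an assumption) built from commands that appear in this guide, with the `<address>`, `<password>` and `<slot/port>` parameter tokens likewise assumed for illustration. It also shows what a "?" at a given point would list, which is the hint both table rows give.

```python
"""Unique-prefix command matching as the 'auto finish' shortcut describes, producing the
%Ambiguous command and %Unrecognized Command messages from the error table.

Added example, not code from the Secure Router OS. COMMANDS is a constructed subset
(assumption) of commands that appear in this guide; the real CLI has many more, and its
exact matching rules are not documented on this page.
"""
from typing import Dict, List

# Per-mode command tables. Tokens in <angle brackets> are parameters that accept any word.
COMMANDS: Dict[str, List[str]] = {
    "Basic": ["enable", "exit", "ping", "ping <address>", "show snmp", "show version"],
    "Enable": ["clear crypto ipsec sa", "clear dump-core", "configure terminal",
               "copy running-config startup-config", "debug", "disable", "exit",
               "ping", "ping <address>", "show snmp", "show version"],
    "Global": ["enable password <password>", "interface eth <slot/port>",
               "interface t1 <slot/port>", "exit"],
}


def _matches(keyword: str, typed: str) -> bool:
    return keyword.startswith("<") or keyword.startswith(typed)


def expand(mode: str, typed: str) -> str:
    """Return the fully spelled command, or the CLI error message the table documents."""
    words = typed.split()
    if not words:
        return "%Unrecognized Command"
    candidates = [c.split() for c in COMMANDS.get(mode, [])]
    for i, word in enumerate(words):
        candidates = [c for c in candidates if len(c) > i and _matches(c[i], word)]
        if not candidates:
            return "%Unrecognized Command"      # no command in this mode starts this way
        exact = [c for c in candidates if c[i] == word]
        if exact:
            candidates = exact                  # a complete keyword beats longer ones sharing it
        elif len({c[i] for c in candidates}) > 1:
            return "%Ambiguous command"         # not enough characters to pick one keyword
    complete = [c for c in candidates if len(c) == len(words)]
    if len(complete) != 1:
        return "%Unrecognized Command"          # keywords matched but more is required
    return " ".join(w if k.startswith("<") else k for k, w in zip(complete[0], words))


def next_keywords(mode: str, typed: str) -> List[str]:
    """What '?' after the typed text would list: the distinct keywords that may follow."""
    words = typed.split()
    candidates = [c.split() for c in COMMANDS.get(mode, [])]
    for i, word in enumerate(words):
        candidates = [c for c in candidates if len(c) > i and _matches(c[i], word)]
    return sorted({c[len(words)] for c in candidates if len(c) > len(words)})


if __name__ == "__main__":
    for mode, typed in [("Global", "int t1 1/1"), ("Basic", "e"), ("Basic", "config term")]:
        print(f"{mode:>6} | {typed:<12} -> {expand(mode, typed)}")
    print("Basic 'show ?' ->", next_keywords("Basic", "show"))
```

The same abbreviation that is valid in one mode is "%Unrecognized Command" in another, which is why the table's first hint for both messages is to check the current command mode.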
COMMAND DESCRIPTIONS
This portion of the guide provides a detailed listing of all available commands for the CLI (organized by
command set). Each command listing contains pertinent information including the default value, a
description of all sub-command parameters, functional notes for using the command, and a brief
technology review. To search for a particular command alphabetically, use the Index. To search for
information on a group of commands within a particular command set, use the linked references given
below:
Basic Mode Command Set on page 10
Enable Mode Command Set on page 20
Global Configuration Mode Command Set on page 200
DHCP Pool Command Set on page 355
IKE Policy Command Set on page 373
IKE Policy Attributes Command Set on page 386
IKE Client Command Set on page 392
Crypto Map IKE Command Set on page 396
Crypto Map Manual Command Set on page 405
Radius Group Command Set on page 416
CA Profile Configuration Command Set on page 418
Certificate Configuration Command Set on page 429
Ethernet Interface Configuration Command Set on page 433
DDS Interface Configuration Command Set on page 486
Serial Interface Configuration Command Set on page 494
T1 Interface Configuration Command Set on page 504
DSX-1 Interface Configuration Command Set on page 520
E1 Interface Configuration Command Set on page 530
G.703 Interface Configuration Command set on page 545
Modem Interface Configuration Command Set on page 552
BRI Interface Configuration Command set on page 556
Frame Relay Interface Config Command Set on page 567
Frame Relay Sub-Interface Config Command Set on page 587
ATM Interface Config Command Set on page 644
ATM Sub-Interface Config Command Set on page 647
ADSL Interface Config Command Set on page 701
BGP Configuration Command Set on page 705
BGP Neighbor Configuration Command Set on page 711
PPP Interface Configuration Command Set on page 715
Tunnel Configuration Command Set on page 778
HDLC Command Set on page 811
Loopback Interface Configuration Command Set on page 847
Line (Console) Interface Config Command Set on page 876
Line (Telnet) Interface Config Command Set on page 887
Router (RIP) Configuration Command Set on page 894
Router (OSPF) Configuration Command Set on page 903
Common Commands on page 922
SROS Command Line Interface Reference Guide
BASIC MODE COMMAND SET
To activate the Basic Mode, simply log in to the unit. After connecting the unit to a VT100 terminal (or
terminal emulator) and activating a terminal session, the following prompt displays:
Router>
The following command is common to multiple command sets and is covered in a centralized section of
this guide. For more information, refer to the section listed below:
exit on page 930
All other commands for this command set are described in this section in alphabetical order.
enable
Use the enable command (at the Basic Command Mode prompt) to enter the Enable Command Mode. Use
the disable command to exit the Enable Command Mode. See the section enable on page 11 for more
information.
Syntax Description
No subcommands.
Default Values
No default value necessary for this command.
Command Modes
>    Basic Command Mode
Functional Notes
The Enable Command Mode provides access to operating and configuration parameters and should be
password protected to prevent unauthorized use. Use the enable password command (found in the Global
Configuration) to specify an Enable Command Mode password. If the password is set, access to the Enable
Commands (and all other “privileged” commands) is only granted when the correct password is entered.
Usage Examples
The following example enters the Enable Command Mode and defines an Enable Command Mode password:
>enable
#configure terminal
(config)#
At the next login, the following sequence must occur:
ping <address>
Use the ping command (at the Basic Command Mode prompt) to verify IP network connectivity.
Syntax Description
<address>    Optional. Specifies the IP address of the system to ping. Entering the ping
             command with no specified address prompts the user with parameters for a more
             detailed configuration. See Functional Notes (below) for more information.
Default Values
No default value necessary for this command.
Command Modes
> or #    Basic or Enable Command Mode
Functional Notes
The ping command helps diagnose basic IP network connectivity using the Packet InterNet Groper program to
repeatedly bounce Internet Control Message Protocol (ICMP) Echo_Request packets off a system (using a
specified IP address). The Secure Router OS allows executing a standard ping request to a specified IP
address or provides a set of prompts to configure a more specific ping configuration.
The following is a list of output messages from the ping command:
!    Success
-    Destination Host Unreachable
$    Invalid Host Address
X    TTL Expired in Transit
?    Unknown Host
*    Request Timed Out
The following is a list of available extended ping prompts:
Target IP address:               Specifies the IP address of the system to ping.
Repeat Count:                    Number of ping packets to send to the system (valid range: 1 to 1000000).
Datagram Size:                   Size (in bytes) of the ping packet (valid range: 1 to 1448).
Timeout in Seconds:              If a ping response is not received within the timeout period, the ping is
                                 considered unsuccessful (valid range: 1 to 5 seconds).
Extended Commands:               Specifies whether additional commands are desired for more ping
                                 configuration parameters.
Source Address (or interface):   Specifies the IP address to use as the source address in the ECHO_REQ
                                 packets.
Data Pattern:                    Specify an alphanumerical string to use (the ASCII equivalent) as the data
                                 pattern in the ECHO_REQ packets.
Sweep Range of Sizes:            Varies the sizes of the ECHO_REQ packets transmitted.
Sweep Min Size:                  Specifies the minimum size of the ECHO_REQ packet (valid range: 0 to 1448).
Sweep Max Size:                  Specifies the maximum size of the ECHO_REQ packet (valid range: Sweep Min
                                 Size to 1448).
Sweep Interval:                  Specifies the interval used to determine packet size when performing the
                                 sweep (valid range: 1 to 1448).
Verbose Output:                  Specifies an extended results output.
Usage Examples
The following is an example of a successful ping:
>ping
Target IP address: 192.168.0.30
Repeat count[1-1000000]: 5
Datagram Size [1-1000000]: 100
Timeout in seconds [1-5]: 2
Extended Commands? [y or n]: n
Type CTRL+C to abort.
Legend: '!' = Success '?' = Unknown host '$' = Invalid host address
        '*' = Request timed out '-' = Destination host unreachable
        'x' = TTL expired in transit
Pinging 192.168.0.30 with 100 bytes of data:
!!!!!
Success rate is 100 percent (5/5) round-trip min/avg/max = 19/20.8/25 ms
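When ping sessions are captured for reachability monitoring, the one-character result codes and the summary line are what a script has to read back. The following Python is an added example, not part of this guide, that parses a ping session into a per-symbol tally using the legend the command prints, and derives packet loss from the summary line. SAMPLE is constructed from the guide's own output with one reply changed to a timeout ('*') (an assumption) so that the tally and the loss figure have something to show.

```python
"""Parse the result string and summary line of an SROS ping session.

Added example, not part of the manual. SAMPLE is constructed from the guide's own
ping output with one reply changed to a timeout (assumption).
"""
import re
from typing import Dict, Optional, Tuple

# Meaning of each result character, from the legend the ping command prints.
LEGEND = {
    "!": "success",
    "?": "unknown host",
    "$": "invalid host address",
    "*": "request timed out",
    "-": "destination host unreachable",
    "x": "ttl expired in transit",
}

SAMPLE = """\
>ping
Target IP address: 192.168.0.30
Repeat count[1-1000000]: 5
Datagram Size [1-1000000]: 100
Timeout in seconds [1-5]: 2
Extended Commands? [y or n]: n
Type CTRL+C to abort.
Legend: '!' = Success '?' = Unknown host '$' = Invalid host address
        '*' = Request timed out '-' = Destination host unreachable
        'x' = TTL expired in transit
Pinging 192.168.0.30 with 100 bytes of data:
!!!*!
Success rate is 80 percent (4/5) round-trip min/avg/max = 19/20.8/25 ms
"""

_HEADER_RE = re.compile(r"^Pinging (\S+) with (\d+) bytes of data:")
_SUMMARY_RE = re.compile(
    r"^Success rate is (\d+) percent \((\d+)/(\d+)\)"
    r"(?: round-trip min/avg/max = ([\d.]+)/([\d.]+)/([\d.]+) ms)?")


def parse_ping(transcript: str) -> Dict[str, object]:
    """Return target, datagram size, sent/received counts, RTT triple and a per-result tally."""
    result: Dict[str, object] = {"target": None, "size": None, "sent": None,
                                 "received": None, "rtt_ms": None, "results": {}}
    tally: Dict[str, int] = {}
    for raw in transcript.splitlines():
        line = raw.strip()
        m = _HEADER_RE.match(line)
        if m:
            result["target"], result["size"] = m.group(1), int(m.group(2))
            continue
        m = _SUMMARY_RE.match(line)
        if m:
            result["received"], result["sent"] = int(m.group(2)), int(m.group(3))
            if m.group(4):   # RTT figures are absent when no reply came back
                result["rtt_ms"] = tuple(float(x) for x in m.group(4, 5, 6))
            continue
        # A line made only of legend characters is the per-packet result string.
        if line and all(ch.lower() in LEGEND for ch in line):
            for ch in line:
                name = LEGEND[ch.lower()]
                tally[name] = tally.get(name, 0) + 1
    result["results"] = tally
    return result


def packet_loss_percent(parsed: Dict[str, object]) -> float:
    sent, received = parsed["sent"], parsed["received"]
    if not sent:
        raise ValueError("no summary line found in ping output")
    return round(100.0 * (sent - received) / sent, 1)


if __name__ == "__main__":
    parsed = parse_ping(SAMPLE)
    print(parsed["results"], "loss:", packet_loss_percent(parsed), "%")
```

The legend character for TTL expired is accepted in either case, since the Functional Notes list it as `X` and the printed legend as `x`.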
show snmp
Use the show snmp command to display the system Simple Network Management Protocol (SNMP)
parameters and current status of SNMP communications.
Syntax Description
No subcommands.
Default Values
No default value necessary for this command.
Command Modes
> or #    Basic or Enable Command Mode
Usage Examples
The following is an example output using the show snmp command with the
default Chassis and Contact parameters:
>
show snmp
Chassis: Chassis ID
Contact: Customer Service
0 Rx SNMP packets
0 Bad community names
0 Bad community uses
0 Bad versions
0 Silent drops
0 Proxy drops
0 ASN parse errors
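The counters that show snmp prints are the unit's own record of SNMP requests it refused, and "Bad community names" (messages delivered with a community name the unit does not know) is the one that climbs while someone is guessing community strings. The following Python is an added example, not part of this guide, that parses two show snmp snapshots and raises a finding when that counter has grown between polls. SAMPLE_BASELINE is the guide's own output; SAMPLE_LATER is a constructed later snapshot (an assumption) in which the counter has climbed.

```python
"""Parse `show snmp` output and watch the counters that reveal community-string guessing.

Added example, not part of the manual. SAMPLE_BASELINE is the guide's own output;
SAMPLE_LATER is a constructed later snapshot (assumption).
"""
import re
from typing import Dict, Optional

SAMPLE_BASELINE = """\
Chassis: Chassis ID
Contact: Customer Service
0 Rx SNMP packets
0 Bad community names
0 Bad community uses
0 Bad versions
0 Silent drops
0 Proxy drops
0 ASN parse errors
"""

SAMPLE_LATER = """\
Chassis: Chassis ID
Contact: Customer Service
57 Rx SNMP packets
43 Bad community names
0 Bad community uses
2 Bad versions
0 Silent drops
0 Proxy drops
0 ASN parse errors
"""

_FIELD_RE = re.compile(r"^\s*(Chassis|Contact):\s*(.*?)\s*$")
_COUNTER_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")


def parse_show_snmp(text: str) -> Dict[str, object]:
    """Return {'chassis': str, 'contact': str, 'counters': {name: value}}."""
    counters: Dict[str, int] = {}
    info: Dict[str, object] = {"chassis": None, "contact": None, "counters": counters}
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            info[m.group(1).lower()] = m.group(2)
            continue
        m = _COUNTER_RE.match(line)
        if m:
            counters[m.group(2)] = int(m.group(1))   # "<count> <counter name>"
    return info


def counter_delta(before: Dict[str, object], after: Dict[str, object], name: str) -> int:
    return after["counters"].get(name, 0) - before["counters"].get(name, 0)


def community_probe_finding(before: Dict[str, object], after: Dict[str, object],
                            threshold: int = 10) -> Optional[str]:
    """One-line finding when wrong-community requests since the last poll reach the threshold."""
    bad = counter_delta(before, after, "Bad community names")
    if bad < threshold:
        return None
    rx = counter_delta(before, after, "Rx SNMP packets")
    return f"{bad} of {rx} SNMP requests since last poll used a wrong community string"


if __name__ == "__main__":
    baseline = parse_show_snmp(SAMPLE_BASELINE)
    later = parse_show_snmp(SAMPLE_LATER)
    print(community_probe_finding(baseline, later))
```

Comparing deltas rather than absolute values matters because the counters only reset on reboot; a high absolute value may be months old, while a jump between two polls a few minutes apart is current.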
show version
Use the show version command to display the current Secure Router OS version information.
Syntax Description
No subcommands.
Default Values
No default value necessary for this command.
Command Modes
> or #    Basic or Enable Command Mode
Usage Examples
The following is a sample show version output:
>
show version
ProCurve Secure Router 7203dl
SROS Version: J02.01.01
Checksum: 5509EBDC, built on: Mon Mar 21 14:48:04 2005
Boot ROM version J02.01.01
Checksum: 9C0F, built on: Mon Mar 21 14:48:24 2005
Copyright (c) 2005-2005, Hewlett-Packard, Co.
Platform: ProCurve Secure Router 7203dl
Serial number US449TS029
Flash: 33554432 bytes DRAM: 268435455 bytes
System uptime is 0 days, 21 hours, 27 minutes, 0 seconds
Current system image file is "CFLASH:/J02_01_01.biz"
Boot system image file is "CFLASH:/J02_01_01.biz"
Primary system configuration file is "startup-config"
System booted up using configuration file: "startup-config"
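show version is the source for an asset register (platform, serial number, running and boot image, uptime) and the place to compare a running image's checksum against a trusted record. The following Python is an added example, not part of this guide, that turns the output above into those facts and performs the comparison. SAMPLE is the guide's own output; EXPECTED_CHECKSUMS is a constructed placeholder (an assumption) standing in for whatever record of released image checksums an operator keeps, seeded from the sample only so the check has something to compare against.

```python
"""Turn `show version` output into inventory facts and check the image against a record.

Added example, not part of the manual. SAMPLE is the guide's own output; EXPECTED_CHECKSUMS
is a constructed placeholder (assumption) for an operator's trusted checksum record.
"""
import re
from typing import Dict, Optional

SAMPLE = """\
ProCurve Secure Router 7203dl
SROS Version: J02.01.01
Checksum: 5509EBDC, built on: Mon Mar 21 14:48:04 2005
Boot ROM version J02.01.01
Checksum: 9C0F, built on: Mon Mar 21 14:48:24 2005
Copyright (c) 2005-2005, Hewlett-Packard, Co.
Platform: ProCurve Secure Router 7203dl
Serial number US449TS029
Flash: 33554432 bytes DRAM: 268435455 bytes
System uptime is 0 days, 21 hours, 27 minutes, 0 seconds
Current system image file is "CFLASH:/J02_01_01.biz"
Boot system image file is "CFLASH:/J02_01_01.biz"
Primary system configuration file is "startup-config"
System booted up using configuration file: "startup-config"
"""

# Placeholder record, version -> expected image checksum (constructed from the sample above).
EXPECTED_CHECKSUMS = {"J02.01.01": "5509EBDC"}

_CHECKSUM_RE = re.compile(r"^Checksum:\s*([0-9A-Fa-f]+), built on:\s*(.+)$")
_QUOTED_RE = re.compile(r'"([^"]+)"')


def parse_show_version(text: str) -> Dict[str, object]:
    info: Dict[str, object] = {}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        if line.startswith("SROS Version:"):
            info["sros_version"] = line.split(":", 1)[1].strip()
            m = _CHECKSUM_RE.match(lines[i + 1])          # next line is the image checksum
            info["image_checksum"], info["image_built"] = m.group(1).upper(), m.group(2)
        elif line.startswith("Boot ROM version"):
            info["bootrom_version"] = line.split("version", 1)[1].strip()
            m = _CHECKSUM_RE.match(lines[i + 1])          # next line is the boot ROM checksum
            info["bootrom_checksum"], info["bootrom_built"] = m.group(1).upper(), m.group(2)
        elif line.startswith("Platform:"):
            info["platform"] = line.split(":", 1)[1].strip()
        elif line.startswith("Serial number"):
            info["serial"] = line.split(None, 2)[2]
        elif line.startswith("System uptime is"):
            d, h, mi, s = (int(x) for x in re.findall(r"(\d+) (?:days|hours|minutes|seconds)", line))
            info["uptime_seconds"] = ((d * 24 + h) * 60 + mi) * 60 + s
        elif "system image file is" in line:
            key = "current_image" if line.startswith("Current") else "boot_image"
            info[key] = _QUOTED_RE.search(line).group(1)
        elif line.startswith("Primary system configuration file is"):
            info["primary_config"] = _QUOTED_RE.search(line).group(1)
        elif line.startswith("System booted up using configuration file"):
            info["booted_config"] = _QUOTED_RE.search(line).group(1)
    return info


def image_checksum_matches(info: Dict[str, object],
                           record: Dict[str, str] = EXPECTED_CHECKSUMS) -> Optional[bool]:
    """True/False when the running version is in the record, None when it is unknown."""
    expected = record.get(str(info.get("sros_version")))
    if expected is None:
        return None
    return expected.upper() == info.get("image_checksum")


def boot_image_differs(info: Dict[str, object]) -> bool:
    """True when the next boot will load a different image than the one now running."""
    return info.get("current_image") != info.get("boot_image")


if __name__ == "__main__":
    facts = parse_show_version(SAMPLE)
    print(facts["serial"], facts["sros_version"], image_checksum_matches(facts), boot_image_differs(facts))
```

A mismatch between the running and boot image files, or a checksum not in the record, is worth a ticket either way: at best it is an unfinished upgrade, at worst an image nobody on the team installed.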
ENABLE MODE COMMAND SET
To activate the Enable Mode, enter the enable command at the Basic Mode prompt. (If an enable password
has been configured, a password prompt will display.) For example:
Router>enable
Password: XXXXXXX
Router#
The following commands are common to multiple command sets and are covered in a centralized section
of this guide. For more information, refer to the section listed below:
clear crypto ipsec sa
Use the clear crypto ipsec sa command to clear existing IPSec security associations (SAs), including
active ones.
Variations of this command include the following:
clear crypto ipsec sa
clear crypto ipsec sa entry <ip address> ah <SPI>
clear crypto ipsec sa entry <ip address> esp <SPI>
clear crypto ipsec sa map <map name>
clear crypto ipsec sa peer <ip address>
Syntax Description
entry <ip address>    Clear only the SAs related to a certain destination IP address.
ah <SPI>              Clear only a portion of the SAs by specifying the AH (authentication header)
                      protocol and a security parameter index (SPI). You can determine the correct SPI
                      value using the show crypto ipsec sa command.
esp <SPI>             Clear only a portion of the SAs by specifying the ESP (encapsulating security
                      payload) protocol and a security parameter index (SPI). You can determine the
                      correct SPI value using the show crypto ipsec sa command.
map <map name>        Clear only the SAs associated with the crypto map name given.
peer <ip address>     Clear only the SAs associated with the far-end peer IP address given.
clear dump-core
The clear dump-core command clears diagnostic information appended to the output of the show version
command. This information results from an unexpected unit reboot.
Syntax Description
No subcommands.
Default Values
No default value necessary for this command.
Command Modes
#    Enable Command Mode
Usage Examples
The following example clears the entire database of IKE SAs (including the active associations):