HP A-U200 Command Reference Manual

HP A-U200

Unified Threat Management Products

ccess Control Command Reference

Part number: 5998-2676

Software version: R5116P20

Document version: 6PW100-20111216

Legal and notice information

No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P.

The information contained herein is subject to change without notice.

HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.

The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

ACL configuration commands ····································································································································· 1

acl ·············································································································································································· 1 acl copy ····································································································································································· 2 acl name ···································································································································································· 3 description ································································································································································· 3 display acl ································································································································································· 4 display time-range ···················································································································································· 5 reset acl counter ······················································································································································· 6 rule (Ethernet frame header ACL view) ·················································································································· 6 rule (IPv4 advanced ACL view) ······························································································································· 8 rule (IPv4 basic ACL view) ···································································································································· 11 rule comment ·························································································································································· 13 step ·········································································································································································· 13 time-range ······························································································································································ 14

Session management commands ······························································································································ 17

application aging-time ·········································································································································· 17 display session relation-table ······························································································································· 17 display session statistics ········································································································································ 18 display session table ············································································································································· 20 reset session ··························································································································································· 23 reset session statistics ············································································································································ 23 session aging-time ················································································································································· 24 session checksum ··················································································································································· 25 session persist acl ·················································································································································· 25

Connection limit configuration commands ··············································································································· 27

connection-limit apply policy ································································································································ 27 connection-limit policy ··········································································································································· 27 display connection-limit policy ····························································································································· 28 limit ········································································································································································· 29

Portal configuration commands ································································································································· 31

display portal acl ··················································································································································· 31 display portal connection statistics ······················································································································ 33 display portal free-rule ·········································································································································· 36 display portal interface ········································································································································· 37 display portal server ············································································································································· 38 display portal server statistics ······························································································································ 38 display portal tcp-cheat statistics ························································································································· 40 display portal user ················································································································································· 41 portal auth-network ················································································································································ 43 portal delete-user ··················································································································································· 43 portal domain ························································································································································ 44 portal free-rule ························································································································································ 44 portal max-user ······················································································································································ 45 portal nas-id ··························································································································································· 46 portal nas-id-profile ··············································································································································· 47 portal nas-ip ··························································································································································· 47 portal server ··························································································································································· 48

portal server method ············································································································································· 49 reset portal connection statistics ·························································································································· 50 reset portal server statistics ··································································································································· 50 reset portal tcp-cheat statistics ······························································································································ 50 web-redirect ··························································································································································· 51

AAA configuration commands ·································································································································· 53

aaa nas-id profile ·················································································································································· 53 access-limit enable ················································································································································ 53 accounting command ············································································································································ 54 accounting default ················································································································································· 55 accounting lan-access ··········································································································································· 55 accounting login ···················································································································································· 56 accounting optional ·············································································································································· 57 accounting portal ·················································································································································· 58 accounting ppp ······················································································································································ 59 authentication default ············································································································································ 59 authentication lan-access ······································································································································ 60 authentication login ··············································································································································· 61 authentication portal ············································································································································· 62 authentication ppp ················································································································································ 63 authorization command ········································································································································ 63 authorization default ············································································································································· 64 authorization lan-access ······································································································································· 65 authorization login ················································································································································ 66 authorization portal ··············································································································································· 67 authorization ppp ·················································································································································· 68 authorization-attribute user-profile ······················································································································· 69 cut connection ························································································································································ 69 display connection ················································································································································ 71 display domain ······················································································································································ 73 domain ··································································································································································· 75 domain default enable ·········································································································································· 76 idle-cut enable ························································································································································ 76 ip pool ···································································································································································· 77 nas-id bind vlan ····················································································································································· 78 self-service-url enable ············································································································································ 78 state (ISP domain view) ········································································································································· 79

Local user configuration commands ····························································································································· 80

access-limit ····························································································································································· 80 authorization-attribute (local user view/user group view) ················································································ 80 bind-attribute ·························································································································································· 82 display local-user ··················································································································································· 83 display user-group ················································································································································· 85 expiration-date (local user view) ·························································································································· 85 group ······································································································································································ 86 local-user ································································································································································ 87 local-user password-display-mode ······················································································································· 87 password ································································································································································ 88 service-type ····························································································································································· 89 state (local user view) ············································································································································ 90 user-group ······························································································································································ 90

RADIUS configuration commands ································································································································ 91

accounting-on enable ············································································································································ 91

attribute 25 car ······················································································································································ 92 data-flow-format (RADIUS scheme view) ············································································································· 93 display radius scheme ·········································································································································· 93 display radius statistics ········································································································································· 96 display stop-accounting-buffer (for RADIUS) ······································································································· 99 key (RADIUS scheme view)································································································································· 100 nas-ip (RADIUS scheme view) ···························································································································· 100 primary accounting (RADIUS scheme view) ····································································································· 101 primary authentication (RADIUS scheme view) ································································································ 102 radius client ·························································································································································· 103 radius nas-ip ························································································································································· 104 radius scheme ······················································································································································ 105 radius trap ···························································································································································· 105 reset radius statistics ············································································································································ 106 reset stop-accounting-buffer (for RADIUS) ········································································································· 106 retry ······································································································································································· 107 retry realtime-accounting ···································································································································· 108 retry stop-accounting (RADIUS scheme view) ··································································································· 109 secondary accounting (RADIUS scheme view) ································································································· 110 secondary authentication (RADIUS scheme view) ··························································································· 111 security-policy-server ··········································································································································· 112 server-type ···························································································································································· 113 state primary ························································································································································ 114 state secondary ···················································································································································· 114 stop-accounting-buffer enable (RADIUS scheme view) ···················································································· 115 timer quiet (RADIUS scheme view) ···················································································································· 116 timer realtime-accounting (RADIUS scheme view) ··························································································· 117 timer response-timeout (RADIUS scheme view) ································································································ 118 user-name-format (RADIUS scheme view) ········································································································· 118

HWTACACS configuration commands ····················································································································· 119

data-flow-format (HWTACACS scheme view) ·································································································· 119 display hwtacacs ················································································································································· 120 display stop-accounting-buffer (for HWTACACS) ···························································································· 123 hwtacacs nas-ip ··················································································································································· 123 hwtacacs scheme················································································································································· 124 key (HWTACACS scheme view) ························································································································ 125 nas-ip (HWTACACS scheme view) ··················································································································· 125 primary accounting (HWTACACS scheme view) ···························································································· 126 primary authentication (HWTACACS scheme view) ······················································································· 127 primary authorization ········································································································································· 128 reset hwtacacs statistics ······································································································································ 129 reset stop-accounting-buffer (for HWTACACS) ································································································ 129 retry stop-accounting (HWTACACS scheme view) ·························································································· 130 secondary accounting (HWTACACS scheme view) ························································································ 130 secondary authentication (HWTACACS scheme view) ··················································································· 131 secondary authorization ····································································································································· 132 stop-accounting-buffer enable (HWTACACS scheme view) ··········································································· 133 timer quiet (HWTACACS scheme view) ··········································································································· 134 timer realtime-accounting (HWTACACS scheme view) ··················································································· 134 timer response-timeout (HWTACACS scheme view) ······················································································· 135 user-name-format (HWTACACS scheme view) ································································································ 136

Support and other resources ·································································································································· 137

Contacting HP ······························································································································································ 137

Subscription service ············································································································································ 137

iii

Related information ······················································································································································ 137

Documents ···························································································································································· 137 Websites ······························································································································································· 137

Conventions ·································································································································································· 138

Index ········································································································································································ 140

ACL configuration commands

acl

Syntax

acl number acl-number [ name acl-name ] [ match-order { auto | config } ]

undo acl { all | name acl-name | number acl-number }

View

System view

Default level

2: System level

Parameters

number acl-number: Specifies the number of an IPv4 access control list (ACL):

• 2000 to 2999 for IPv4 basic ACLs

• 3000 to 3999 for IPv4 advanced ACLs

• 4000 to 4999 for Ethernet frame header ACLs

name acl-name: Assigns a name to the ACL for easy identification. The acl-name argument takes a case-insensitive string of 1 to 32 characters. It must start with an English letter and to avoid confusion, it cannot be all..

match-order: Sets the order in which ACL rules are compared against packets:

• auto—Compares ACL rules in depth-first order. The depth-first order differs with ACL categories. For

• config—Compares ACL rules in ascending order of rule ID. The rule with a smaller ID has higher

all: Deletes all IPv4 ACLs.

Description

Use the acl command to create an IPv4 ACL and enter its view. If the ACL has been created, you enter its view directly.

Use the undo acl command to delete the specified IPv4 ACL or all IPv4 ACLs.

By default, no ACL exists.

You can assign a name to an I Pv4 ACL only when you cre ate it. After an ACL is created with a name, you cannot rename it or remove its name.

You can change match order only for ACLs that do not contain any rules.

To display any ACLs you have created, use the display acl command.

more information, see ACL and QoS Configuration Guide.

priority. If no match order is specified, the config order applies by default.

Examples

# Create IPv4 basic ACL 2000, and enter its view.

<Sysname> system-view [Sysname] acl number 2000

[Sysname-acl-basic-2000]

# Create IPv4 basic ACL 2001 with the name flow, and enter its view.

<Sysname> system-view [Sysname] acl number 2001 name flow [Sysname-acl-basic-2001-flow]

acl copy

Syntax

acl copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }

View

System view

Default level

2: System level

Parameters

source-acl-number: Specifies a source existing IPv4 ACL by its number:

• 2000 to 2999 for IPv4 basic ACLs

• 3000 to 3999 for IPv4 advanced ACLs

• 4000 to 4999 for Ethernet frame header ACLs

name source-acl-name: Specifies a source exiting IPv4 ACL by its name. The source-acl-name argument takes a case-insensitive string of 1 to 32 characters.

dest-acl-number: Assigns a unique number to the IPv4 ACL you are creating. This number must be from the same ACL category as the source ACL. Available value ranges include:

• 2000 to 2999 for IPv4 basic ACLs

• 3000 to 3999 for IPv4 advanced ACLs

• 4000 to 4999 for Ethernet frame header ACLs

name dest-acl-name: Assigns a unique name to the IPv4 ACL you are creating. The dest-acl-name takes a case-insensitive string of 1 to 32 characters. It must start with an English letter and to avoid confusion, it cannot be all. For this ACL, the system automatically picks the smallest number from all available numbers in the same ACL category as the source ACL.

Description

Use the acl copy command to create an IPv4 ACL by copying an IPv4 ACL that already exists. The new ACL has the same properties and content as the source ACL, but not the same ACL number and name.

You can assign a name to an IPv4 ACL only when you create it. After an IPv4 ACL is created with a name, you cannot rename it or remove its name.

Examples

# Create IPv4 basic ACL 2002 by copying IPv4 basic ACL 2001.

<Sysname> system-view [Sysname] acl copy 2001 to 2002

acl name

Syntax

acl name acl-name

View

System view

Default level

2: System level

Parameters

acl-name: Specifies an IPv4 ACL name, a case-insensitive string of 1 to 32 characters. It must start with an English letter. The IPv4 ACL must already exist.

Description

Use the acl name command to enter the view of an IPv4 ACL that has a name.

Related commands: acl.

Examples

# Enter the view of IPv4 ACL flow.

<Sysname> system-view [Sysname] acl name flow [Sysname-acl-basic-2001-flow]

description

Syntax

description text

undo description

View

IPv4 basic/advanced ACL view, Ethernet frame header ACL view

Default level

2: System level

Parameters

text: ACL description, a case-sensitive string of 1 to 127 characters.

Description

Use the description command to configure a description for an ACL.

Use the undo description command to remove the ACL description.

By default, an ACL has no ACL description.

Related commands: display acl.

Examples

# Configure a description for IPv4 basic ACL 2000.

<Sysname> system-view

[Sysname] acl number 2000

[Sysname-acl-basic-2000] description This is an IPv4 basic ACL.

display acl

Syntax

display acl { acl-number | all | name acl-name }

View

Any view

Default level

1: Monitor level

Parameters

acl-number: Specifies an ACL by its number:

• 2000 to 2999 for IPv4 basic ACLs

• 3000 to 3999 for IPv4 advanced ACLs

• 4000 to 4999 for Ethernet frame header ACLs

all: Displays information for all IPv4 ACLs.

name acl-name: Specifies an ACL by its name. The acl-name argument takes a case-insensitive string of

1 to 32 characters. It must start with an English letter.

Description

Use the display acl command to display the IPv4 ACL configuration and match statistics.

This command displays ACL rules in config or depth-first order, whichever is configured.

Examples

# Display all IPv4 configuration and match statistics.

<Sysname> display acl all Basic ACL 2000, named flow, 3 rules, ACL's step is 5 rule 0 permit rule 5 permit source 1.1.1.1 0 (2 times matched) rule 10 permit vpn-instance mk

Basic ACL 2001, named -none-, 3 rules, match-order is auto, ACL's step is 5 rule 10 permit vpn-instance rd rule 10 comment This rule is used in VPN rd. rule 5 permit source 2.2.2.2 0 rule 0 permit

Table 1 Output description

Field

Descri

Basic ACL 2000

Category and number of the ACL. The following field information is about IPv4 basic ACL 2000.

tion

Field Description

named flow The name of the ACL is flow. "-none-" means the ACL is not named.

3 rules

match-order is auto

ACL's step is 5 The rule numbering step is 5.

rule 0 permit Content of rule 0

2 times matched

Uncompleted

rule 10 comment This rule is used in VPN rd.

display time-range

Syntax

display time-range { time-range-name | all }

View

The ACL contains three rules.

The match order for the ACL is auto, which sorts ACL rules in depth-first order. This field is not present when the match order is config.

There have been two matches for the rule. The statistic counts only ACL matches performed in software.

This field is not displayed when no packets have matched the rule.

Applying the rule to hardware failed because no sufficient resources were available or the hardware does not support the rule. This event might occur when you modify a rule in an ACL that has been applied.

The description of ACL rule 10 is "This rule is used in VPN rd."

Any view

Default level

1: Monitor level

Parameters

time-range-name: Specifies a time range name, a case-insensitive string of 1 to 32 characters. It must start with an English letter.

all: Displays the configuration and status of all existing time ranges.

Description

Use the display time-range command to display the configuration and status of the specified time range or all time ranges.

Examples

# Display the configuration and status of time range t4.

<Sysname> display time-range t4 Current time is 17:12:34 4/13/2010 Tuesday

Time-range : t4 ( Inactive ) 10:00 to 12:00 Mon 14:00 to 16:00 Wed from 00:00 1/1/2010 to 23:59 1/31/2010 from 00:00 6/1/2010 to 23:59 6/30/2010

Table 2 Output description

Field

Descri

tion

Current time Current system time

Time-range

reset acl counter

Syntax

reset acl counter { acl-number | all | name acl-name }

View

User view

Default level

2: System level

Parameters

acl-number: Specifies an IPv4 ACL by its number:

• 2000 to 2999 for IPv4 basic ACLs

• 3000 to 3999 for IPv4 advanced ACLs

• 4000 to 4999 for Ethernet frame header ACLs

Configuration and status of the time range, including its name, status (active or inactive), and start time and end time.

all: Clears statistics for all IPv4 ACLs.

name acl-name: Specifies an IPv4 ACL by its name. The acl-name argument takes a case-insensitive

string of 1 to 32 characters. It must start with an English letter.

Description

Use the reset acl counter command to clear IPv4 ACL statistics.

Related commands: display acl.

Examples

# Clear statistics for IPv4 basic ACL 2001.

<Sysname> reset acl counter 2001

# Clear statistics for IPv4 ACL flow.

<Sysname> reset acl counter name flow

rule (Ethernet frame header ACL view)

Syntax

rule [ rule-id ] { deny | permit } [ cos vlan-pri | dest-mac dest-addr dest-mask | { lsap lsap-type lsap-type-mask | type protocol-type protocol-type-mask } | source-mac sour-addr source-mask | time-range time-range-name ] *

undo rule rule-id [ counting | time-range ] *

View

Ethernet frame header ACL view

Default level

2: System level

Parameters

rule-id: Specifies a rule ID, in the range of 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.

deny: Denies matching packets.

permit: Allows matching packets to pass.

cos vlan-pri: Matches an 802.1p priority. The vlan-pri argument can be a number in the range of 0 to 7, or in words, best-effort (0), background (1), spare (2), excellent-effort (3), controlled-load (4), video (5), voice (6), or network-management (7).

dest-mac dest-addr dest-mask: Matches a destination MAC address range. The dest-addr and dest-mask

arguments represent a destination MAC address and mask in H-H-H format.

lsap lsap-type lsap-type-mask: Matches the DSAP and SSAP fields in LLC encapsulation. The lsap-type argument is a 16-bit hexadecimal number that represents the encapsulation format. The lsap-type-mask argument is a 16-bit hexadecimal number that represents the LSAP mask.

type protocol-type protocol-type-mask: Matches one or more protocols in the Ethernet frame header. The protocol-type argument is a 16-bit hexadecimal number that represents a protocol type in Ethernet_II and

Ethernet_SNAP frames. The protocol-type-mask argument is a 16-bit hexadecimal number that represents a protocol type mask.

source-mac sour-addr source-mask: Matches a source MAC address range. The sour-addr argument represents a source MAC address, and the sour-mask argument represents a mask in H-H-H format.

time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule; however, the rule using the time range can take effect only after you configure the timer range.

Description

Use the rule command to create or edit an Ethernet frame header ACL rule. You can edit ACL rules only when the match order is config.

Use the undo rule command to delete an Ethernet frame header ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specified attributes.

By default, an Ethernet frame header ACL does not contain any rule.

Wit hin an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creati ng or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt fails.

To view rules in an ACL and their rule IDs, use the display acl all command.

Related commands: acl, display acl, step, and time-range.

Examples

# Create a rule in ACL 4000 to permit ARP packets and deny RARP packets.

<Sysname> system-view [Sysname] acl number 4000

[Sysname-acl-ethernetframe-4000] rule permit type 0806 ffff

[Sysname-acl-ethernetframe-4000] rule deny type 8035 ffff

rule (IPv4 advanced ACL view)

Syntax

rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value

| syn syn-value | urg urg-value } * } | destination { dest-addr dest-wildcard | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmp-type { icmp-type [ icmp-code ] | icmp-message } | logging | precedence precedence | reflective | source { sour-addr sour-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name | tos tos | vpn-instance vpn-instance-name ] *

undo rule rule-id [ { { ack | fin | psh | rst | sy fragment | icmp-type | logging | precedence | reflective | source | source-port | time-range | tos | vpn-instance ] *

View

IPv4 advanced ACL view

Default level

2: System level

Parameters

deny: Denies matching packets.

permit: Allows matching packets to pass.

protocol: Protocol carried by IPv4. It can be a number in the range of 0 to 255, or in words, gre (47), icmp (1) , igmp (2), ip, ipinip (4), ospf (89), tcp (6), or udp (17) . Table 3 de

can specify regardless of the value that the protocol argument takes.

Table 3 Match criteria and other rule information for IPv4 advanced ACL rules

n | urg } * } | destination | destination-port | dscp |

scribes the parameters that you

Parameters Function Descri

source

{ sour-addr sour-wildcard |

any }

destination

{ dest-addr dest-wildcard |

any }

precedence

tos tos

Specifies a source address

Specifies a destination address

Specifies an IP precedence value

Specifies a ToS preference

The sour-addr sour-wildcard arguments represent a source IP address and wildcard mask in dotted decimal notation. An all-zero wildcard specifies a host address.

The any keyword specifies any source IP address.

The dest-addr dest-wildcard arguments represent a destination IP address and wildcard mask in dotted decimal notation. An all-zero wildcard specifies a host address.

The any keyword represents any destination IP address.

The precedence argument can be a number in the range of 0 to 7, or in words, routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6), or network (7).

The tos argument can be a number in the range of 0 to 15, or in words, max-reliability (2), max-throughput (4), min-delay (8),

min-monetary-cost (1), or normal (0).

tion

Parameters Function Description

The dscp argument can be a number in the range of 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38),

cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46).

dscp dscp

Specifies a DSCP priority

logging

reflective

vpn-instance

vpn-instance-na me

fragment

time-range

time-range-nam e

Logs matching packets

Specifies that the rule be reflective

Applies the rule to packets in a VPN instance

Applies the rule to only non-first fragments

Specifies a time range for the rule

This function requires that the module that uses the ACL supports logging.

A rule with the reflective keyword can be defined only for TCP, UDP, or ICMP packets and can only be a permit statement.

The vpn-instance-name argument takes a case-sensitive string of 1 to 31 characters.

If no VPN instance is specified, the rule applies only to non-VPN packets.

Without this keyword, the rule applies to all fragments and non-fragments.

The time-range-name argument takes a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule; however, the rule using the time range can take effect only after you configure the timer range.

NOTE:

If you provide the precedence or tos keyword in addition to the dscp keyword, only the dscp keyword takes effect.

If the protocol argument takes tcp (6) or udp (7), set the parameters shown in Table 4.

Table 4 TCP/UDP-specific parameters for IPv4 advanced ACL rules

Parameters Function Descri

source-port

operator port1 [ port2 ]

destination-port operator port1

[ port2 ]

Specifies one or more UDP or TCP source ports

Specifies one or more UDP or TCP destination ports

The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range).

The port1 and port2 arguments are TCP or UDP port numbers in the range of 0 to 65535. port2 is needed only when the operator argument is range.

TCP port numbers can be represented as: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80).

UDP

bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177).

tion

port numbers can be represented as: biff (512), bootpc (68),

Parameters Function Description

{ ack ack-value | fin fin-value | psh

psh-value | rst rst-value | syn syn-value | urg urg-value } *

Specifies one or more TCP flags including ACK, FIN, PSH, RST, SYN, and URG

Parameters specific to TCP.

The value for each argument can be 0 (flag bit not set) or 1 (flag bit set).

For example, a rule configured with ack 1 psh 0 may match packets that have the ACK flag bit set or the PSH flag bit not set on one device.

If the protocol argument takes icmp (1), set the parameters shown in Table 5.

Table 5 ICMP-specific parameters for IPv4 advanced ACL rules

Parameters Function Descri

The icmp-type argument is in the range of 0 to 255.

icmp-type { icmp-type [ icmp-code ] | icmp-message }

Specifies the ICMP message type and code

The icmp-code argument is in the range of 0 to 255.

The icmp-message argument specifies a message name. Supported ICMP message names and their corresponding type and code values are listed in Table 6.

tion

Table 6 ICMP message names supported in IPv4 advanced ACL rules

ICMP messa

echo 8 0

e name ICMP message type

ICMP message code

echo-reply 0 0

fragmentneed-DFset 3 4

host-redirect 5 1

host-tos-redirect 5 3

host-unreachable 3 1

information-reply 16 0

information-request 15 0

net-redirect 5 0

net-tos-redirect 5 2

net-unreachable 3 0

parameter-problem 12 0

port-unreachable 3 3

protocol-unreachable 3 2

reassembly-timeout 11 1

source-quench 4 0

source-route-failed 3 5

timestamp-reply 14 0

timestamp-request 13 0

ttl-exceeded 11 0

Description

Use the rule command to create or edit an IPv4 advanced ACL rule. You can edit ACL rules only when the match order is config.

Use the undo rule command to delete an entire IPv4 advanced ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specified attributes.

By default, an IPv4 advanced ACL does not contain any rule.

To view rules in an ACL and their rule IDs, use the display acl all command.

Related commands: acl, display acl, step, and time-range.

Examples

# Create an IPv4 advanced ACL rule to permit TCP packets with the destination port 80 from

129.9.0.0/16 to 202.38.160.0/24, and enable logging matching packets.

<Sysname> system-view [Sysname] acl number 3000 [Sysname-acl-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination

202.38.160.0 0.0.0.255 destination-port eq 80 logging

# Create IPv4 advanced ACL rules to permit all IP packets but the ICMP packets destined for

192.168.1.0/24.

<Sysname> system-view [Sysname] acl number 3001 [Sysname-acl-adv-3001] rule permit ip [Sysname-acl-adv-3001] rule deny icmp destination 192.168.1.0 0.0.0.255

# Create IPv4 advanced ACL rules to permit inbound and outbound FTP packets.

<Sysname> system-view [Sysname] acl number 3002 [Sysname-acl-adv-3002] rule permit tcp source-port eq ftp [Sysname-acl-adv-3002] rule permit tcp source-port eq ftp-data [Sysname-acl-adv-3002] rule permit tcp destination-port eq ftp [Sysname-acl-adv-3002] rule permit tcp destination-port eq ftp-data

# Create IPv4 advanced ACL rules to permit inbound and outbound SNMP and SNMP trap packets.

<Sysname> system-view [Sysname] acl number 3003 [Sysname-acl-adv-3003] rule permit udp source-port eq snmp [Sysname-acl-adv-3003] rule permit udp source-port eq snmptrap [Sysname-acl-adv-3003] rule permit udp destination-port eq snmp [Sysname-acl-adv-3003] rule permit udp destination-port eq snmptrap

rule (IPv4 basic ACL view)

Syntax

rule [ rule-id ] { deny | permit } [ fragment | logging | source { sour-addr sour-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *

undo rule rule-id [ fragment | logging | source | time-range | vpn-instance ] *

View

IPv4 basic ACL view

Default level

2: System level

Parameters

deny: Denies matching packets.

permit: Allows matching packets to pass.

fragment: Applies the rule only to non-first fragments. A rule without this keyword applies to both

fragments and non-fragments.

logging: Logs matching packets. This function is available only when the application module that uses the ACL supports the logging function.

source { sour-addr sour-wildcard | any }: Matches a source address. The sour-addr sour-wildcard arguments represent a source IP address and wildcard mask in dotted decimal notation. A wildcard mask of zeros specifies a host address. The any keyword represents any source IP address.

vpn-instance vpn-instance-name: Applies the rule to packets in a VPN instance. The vpn-instance-name argument takes a case-sensitive string of 1 to 31 characters. If no VPN instance is specified, the rule applies only to non-VPN packets.

Description

Use the rule command to create or edit an IPv4 basic ACL rule. You can edit ACL rules only when the match order is config.

Use the undo rule command to delete an entire IPv4 basic ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specified attributes.

By default, an IPv4 basic ACL does not contain any rule.

To view rules in an ACL and their rule IDs, use the display acl all command.

Related commands: acl, display acl, step, and time-range.

Examples

# Create a rule in IPv4 basic ACL 2000 to deny the packets from any source IP segment but 10.0.0.0/8,

172.17.0.0/16, or 192.168.1.0/24.

<Sysname> system-view

[Sysname] acl number 2000 [Sysname-acl-basic-2000] rule permit source 10.0.0.0 0.255.255.255 [Sysname-acl-basic-2000] rule permit source 172.17.0.0 0.0.255.255 [Sysname-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255 [Sysname-acl-basic-2000] rule deny source any

rule comment

Syntax

rule rule-id comment text

undo rule rule-id comment

View

IPv4 basic/advanced ACL view, Ethernet frame header ACL view

Default level

2: System level

Parameters

rule-id: Specifies an ACL rule ID, in the range of 0 to 65534. The ACL rule must already exist.

text: Specifies a comment about the ACL rule, a case-sensitive string of 1 to 127 characters.

Description

Use the rule comment command to add a comment about an existing ACL rule or edit its comment to make the rule easy to understand.

Use the undo rule comment command to delete the ACL rule comment.

By default, an IPv4 ACL rule has no rule comment.

Related commands: display acl.

Examples

# Create a rule in IPv4 basic ACL 2000 and add a comment about the rule.

<Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule 0 deny source 1.1.1.1 0 [Sysname-acl-basic-2000] rule 0 comment This rule is used on GigabitEthernet 0/1.

step

Syntax

step step-value

undo step

View

IPv4 basic/advanced ACL view, Ethernet frame header ACL view

Default level

2: System level

Parameters

step-value: ACL rule numbering step, in the range of 1 to 20.

Description

Use the step command to set a rule numbering step for an ACL. The rule numbering step sets the increment by which the system numbers rules automatically. For example, the default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating, they are numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more rules you can insert between two rules. Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five rules numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be renumbered 0, 2, 4, 6 and 8.

Use the undo step command to restore the default.

The default rule numbering step is 5. After you restore the default numbering step by the undo step command, the rules are renumbered in steps of 5.

Related commands: display acl.

Examples

# Set the rule numbering step to 2 for IPv4 basic ACL 2000.

<Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] step 2

time-range

Syntax

time-range time-range-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 }

undo time-range time-range-name [ start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 ]

View

System view

Default level

2: System level

Parameters

time-range-name: Specifies a time range name. The name is a case-insensitive string of 1 to 32 characters. It must start with an English letter and to avoid confusion, it cannot be all.

start-time to end-time: Specifies a periodic statement. Both start-time and end-time are in hh:mm format (24-hour clock), and each value is in the range of 00:00 to 23:59. The end time must be greater than the start time.

days: Specifies the day or days of the week (in words or digits) on which the periodic statement is valid. If you specify multiple values, separate each value with a space, and be sure that they do not overlap. These values can take one of the following forms:

• A digit in the range of 0 to 6, respectively for Sunday, Monday, Tuesday, Wednesday, Thursday,

Friday, and Saturday.

• A day of a week in abbreviated words, sun, mon, tue, wed, thu, fri, and sat.

• working-day for Monday through Friday.

• off-day for Saturday and Sunday.

• daily for the whole week.

from time1 date1: Specifies the start time and date of an absolute statement. The time1 argument specifies the time of the day in hh:mm format (24-hour clock). Its value is in the range of 00:00 to 23:59. The date1 argument specifies a date in MM/DD/YYYY or YYYY/MM/DD format, where MM is the month of the year in the range of 1 to 12, DD is the day of the month with the range depending on MM, and YYYY is the year in the calendar in the range of 1970 to 2100. If not specified, the start time is 01/01/1970 00:00 AM, the earliest time available in the system.

to time2 date2: Specifies the end time and date of the absolute time statement. The time2 argument has the same format as the time1 argument, but its value is in the range of 00:00 to 24:00. The date2 argument has the same format and value range as the date1 argument. The end time must be greater than the start time. If not specified, the end time is 12/31/2100 24:00 PM, the maximum time available in the system.

Description

Use the time-range command to configure a time range.

Use the undo time-range command to delete a time range or a statement in the time range.

By default, no time range exists.

You can create multiple statements in a time range. Each time statement can take one of the following forms:

Examples

• Periodic statement in the start-time to end-time days format. A periodic statement recurs periodically

on a day or days of the week.

• Absolute statement in the from time1 date1 to time2 date2 format. An absolute statement does not

recur.

• Compound statement in the start-time to end-time days from time1 date1 to time2 date2 format. A

compound statement recurs on a day or days of the week only within the specified period. For example, to create a time range that is active from 08:00 to 12:00 on Monday between January 1, 2010 00:00 and December 31, 2010 23:59, use the time-range test 08:00 to 12:00 mon from 00:00 01/01/2010 to 23:59 12/31/2010 command.

The active period of a time range is calculated as follows:

1. Combining all periodic statements

2. Combining all absolute statements

3. Taking the intersection of the two statement sets as the active period of the time range

You can create a maximum of 256 time ranges, each with a maximum of 32 periodic statements and 12 absolute statements.

Related commands: display time-range.

# Create a periodic time range t1, setting it to be active between 8:00 to 18:00 during working days.

<Sysname> system-view [Sysname] time-range t1 8:0 to 18:0 working-day

# Create an absolute time range t2, setting it to be active in the whole year of 2010.

<Sysname> system-view [Sysname] time-range t2 from 0:0 1/1/2010 to 23:59 12/31/2010

# Create a compound time range t3, setting it to be active from 08:00 to 12:00 on Saturdays and Sundays of the year 2010.

<Sysname> system-view [Sysname] time-range t3 8:0 to 12:0 off-day from 0:0 1/1/2010 to 23:59 12/31/2010

# Create a compound time range t4, setting it to be active from 10:00 to 12:00 on Mondays and from 14:00 to 16:00 on Wednesdays in the period of January through June of the year 2010.

<Sysname> system-view [Sysname] time-range t4 10:0 to 12:0 1 from 0:0 1/1/2010 to 23:59 1/31/2010 [Sysname] time-range t4 14:0 to 16:0 3 from 0:0 6/1/2010 to 23:59 6/30/2010

Session management commands

application aging-time

Syntax

application aging-time { dns | ftp | msn | qq | sip } time-value

undo application aging-time [ dns | ftp | msn | qq | sip ]

View

System view

Default level

2: System level

Parameters

dns: Specifies the aging time for DNS sessions.

ftp: Specifies the aging time for FTP sessions.

msn: Specifies the aging time for MSN sessions.

qq: Specifies the aging time for QQ sessions.

sip: Specifies the aging time for SIP sessions.

time-value: Aging time, which ranges from 5 seconds to 100000 seconds.

Description

Use the application aging-time command to set the aging time for sessions of an application layer protocol.

Use the undo application aging-time command to restore the default. If no application layer protocol type is specified, the command restores the session aging times for all the application layer protocols to the defaults.

The default session aging times for the application layer protocols is 60 seconds.

Examples

# Set the aging time for FTP sessions to 1800 seconds.

<Sysname> system-view [Sysname] application aging-time ftp 1800

display session relation-table

Syntax

display session relation-table [ vd-name vd-name ]

View

Any view

Default level

2: System level

Parameters

vd-name vd-name: Displays the relationship table entries of the specified virtual device. The vd-name

argument specifies the name of a virtual device. It is a case-insensitive string of 1 to 20 characters, which can be numerals, letters and underlines.

Description

Use the display session relation-table command to display relationship table entries.

With no virtual device specified, the command displays the relationship table entries of all virtual devices.

Examples

# Displays all relationship table entries.

<Sysname> display session relation-table Local IP/Port Global IP/Port MatchMode

192.168.1.22/99 10.153.2.22/99 Local APP:QQ Pro:UDP TTL:2000s AllowConn:10 Local IP/Port Global IP/Port MatchMode

192.168.1.100/99 10.153.2.100/99 Local APP:FTP Pro:TCP TTL:2000s AllowConn:10 Total find: 2

Table 7 Output description

Field Descri

Local IP/Port

Global IP/Port

IP address/port number of the inside network

IP address/ port number of the outside network

Match mode from session table to relationship table, including Local, Global, and Either.

• Local: Indicates that the source IP address/source port of a new session are

MatchMode

• Global: Indicates that the destination IP address/destination port of a new

• Either: Indicates that the IP/port of a new session are matched against Local

App

Pro

TTL

AllowConn

Total find

Application layer protocol, FTP, MSN, or QQ

Transport layer protocol, TCP, or UDP

Remaining lifetime of the relationship table entry, in seconds.

Number of sessions allowed by the relationship table entry

Total number of found relationship table entries

tion

matched against Local IP/Port in the relation table.

session are matched against Global IP/Port in the relation table.

IP/Port or Global IP/Port in the relation table.

display session statistics

Syntax

display session statistics [ vd-name vd-name ]

View

Any view

Default level

2: System level

Parameters

vd-name vd-name: Displays the session statistics of the specified virtual device. The vd-name argument

specifies the name of a virtual device. It is a case-insensitive string of 1 to 20 characters, which can be numerals, letters and underlines.

Description

Use the display session statistics command to display statistics about sessions.

With no virtual device specified, the command displays the session statistics of all virtual devices. With no keyword specified, the command displays all session statistics information. If you specify to display session statistics on a specified virtual device, the output information does not contain the number of dropped packets.

Examples

# Display statistics about all sessions.

<Sysname> display session statistics Current session(s):593951 Current TCP session(s): 0 Half-Open: 0 Half-Close: 0 Current UDP session(s): 593951 Current ICMP session(s): 0 Current RAWIP session(s): 0

Current relation table(s): 50000

Session establishment rate: 184503/s TCP Session establishment rate: 0/s UDP Session establishment rate: 184503/s ICMP Session establishment rate: 0/s RAWIP Session establishment rate: 0/s

Received TCP: 1538 packet(s) 337567 byte(s) Received UDP: 86810494849 packet(s) 4340524910260 byte(s) Received ICMP: 307232 packet(s) 17206268 byte(s) Received RAWIP: 0 packet(s) 0 byte(s) Dropped TCP: 0 packet(s) 0 byte(s) Dropped UDP: 0 packet(s) 0 byte(s) Dropped ICMP: 0 packet(s) 0 byte(s) Dropped RAWIP: 0 packet(s) 0 byte(s)

Table 8 Output description

Field Descri

Current session(s) Total number of sessions

tion

Field Description

Current TCP session(s) Number of TCP sessions

Half-Open Number of TCP sessions in the half-open state

Half-Close Number of TCP sessions in the half-close state

Current UDP session(s) Number of UDP sessions

Current ICMP session(s) Number of ICMP sessions

Current RAWIP session(s) Number of Raw IP sessions

Current relation table(s) Total number of relationship table entries

Session establishment rate Session establishment rate

TCP Session establishment rate Establishment rate of TCP sessions

UDP Session establishment rate Establishment rate of UDP sessions

ICMP Session establishment rate Establishment rate of ICMP sessions

RAWIP Session establishment rate Establishment rate of Raw IP sessions

Received TCP Counts of received TCP packets and bytes

Received UDP Counts of received UDP packets and bytes

Received ICMP Counts of received ICMP packets and bytes

Received RAWIP Counts of received Raw IP packets and bytes

Dropped TCP Counts of dropped TCP packets and bytes

Dropped UDP Counts of dropped UDP packets and bytes

Dropped ICMP Counts of dropped ICMP packets and bytes

Dropped RAWIP Counts of dropped Raw IP packets and bytes

display session table

Syntax

display session table [ vd-name vd-name ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ verbose ]

View

Any view

Default level

2: System level

Parameters

vd-name vd-name: Displays the sessions of the specified virtual device. The vd-name argument specifies

the name of a virtual device. It is a case-insensitive string of 1 to 20 characters, which can be numerals, letters and underlines.

source-ip source-ip: Displays the sessions with the specified source IP address.

destination-ip destination-ip: Displays sessions with the specified destination IP address.

verbose: Displays detailed information about sessions. Without this keyword, the command displays brief information about the specified sessions.

Description

Use the display session table command to display information about sessions.

• If no argument is specified, the command displays all sessions.

• If no virtual device is specified, the command displays the sessions on all virtual devices.

• If both the source-ip and destination-ip keywords are specified, the command displays only the

Examples

# Display brief information about all sessions.

<Sysname> display session table Initiator: Source IP/Port : 192.168.1.18/2048 Dest IP/Port : 192.168.1.55/768 Pro : ICMP(ICMP(1)) VPN-Instance/VLAN ID/VLL ID: Initiator: Source IP/Port : 192.168.1.18/1212 Dest IP/Port : 192.168.1.55/23 Pro : TCP(TCP(6)) VPN-Instance/VLAN ID/VLL ID: Total find: 2

sessions with the specified source and destination IP addresses.

# Display detailed information about all sessions.

<Sysname> display session table verbose Initiator: Source IP/Port : 192.168.1.19/137 Dest IP/Port : 192.168.1.255/137 VPN-Instance/VLAN ID/VLL ID: Responder: Source IP/Port : 192.168.1.255/137 Dest IP/Port : 192.168.1.19/137 VPN-Instance/VLAN ID/VLL ID: Pro: UDP(17) App: NBT-name State: UDP-OPEN Start time: 2009-03-17 10:39:43 TTL: 2s Root Zone(in): Management Zone(out): Local Received packet(s)(Init): 6 packet(s) 468 byte(s) Received packet(s)(Reply): 0 packet(s) 0 byte(s) Initiator: Source IP/Port : 192.168.1.18/1212 Dest IP/Port : 192.168.1.55/23 VPN-Instance/VLAN ID/VLL ID: Responder: Source IP/Port : 192.168.1.55/23 Dest IP/Port : 192.168.1.18/1212 VPN-Instance/VLAN ID/VLL ID:

Pro: TCP(6) App: TELNET State: TCP-EST Start time: 2009-03-17 09:30:33 TTL: 3600s Root Zone(in): Management Zone(out): Local Received packet(s)(Init): 1173 packet(s) 47458 byte(s) Received packet(s)(Reply): 1168 packet(s) 61845 byte(s) Total find: 2

Table 9 Output description

Field Descri

Initiator: Session information of the initiator

Responder: Session information of the responder

Pro Transport layer protocol, TCP, UDP, ICMP, or Raw IP

VPN-Instance/VLAN ID/VLL ID

App

VPN that the session belongs to and the VLAN and INLINE that the session belongs to during Layer 2 forwarding

Application layer protocol, FTP, DNS, MSN or QQ

Unknown indicates protocol type of a non-well-known port

Session status. Possible values are:

tion

• Accelerate

• SYN

• TCP-EST

• FIN

State

• UDP-OPEN

• UDP-READY

• ICMP-OPEN

• ICMP-CLOSED

• RAWIP-OPEN

• RAWIP-READY

Start Time Session establishment time

TTL Remaining lifetime of the session, in seconds.

VD-name Name of virtual device

Zone(in) Security zone (in)

Zone(out) Security zone (out)

Received packet(s)(Init) Counts of packets and bytes from the initiator to the responder

Received packet(s)(Reply) Counts of packets and bytes from the responder to the initiator

Total find Total number of sessions currently found

reset session

Syntax

reset session [ vd-name vd-name ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol-type

{ icmp | raw-ip | tcp | udp } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]

View

User view

Default level

2: System level

Parameters

vd-name vd-name: Clears the sessions on the specified virtual device. The vd-name argument specifies

the name of a virtual device. It is a case-insensitive string of 1 to 20 characters, which can be only numerals, letters and underlines.

source-ip source-ip: Clears the sessions with the specified source IP address of the initiator.

destination-ip destination-ip: Clears the sessions with the specified destination IP address of the initiator.

protocol-type { icmp | raw-ip | tcp | udp }: Clears the sessions of the specified protocol type. The

protocol types include ICMP, Raw IP, TCP, and UDP.

source-port source-port: Clears the sessions with the specified source port of the initiator.

destination-port destination-port: Clears the sessions with the specified destination port of the initiator.

vpn-instance vpn-instance-name: Clears the sessions of the specified VPN. The vpn-instance-name

argument is a case-sensitive string of 1 to 31 characters.

Description

Use the reset session command to clear sessions.

• If no virtual device is specified, the command clears the sessions on all virtual devices.

• If no VPN instance is specified, the command clears the sessions on the public network.

• If no parameter is specified, the command clears all sessions.

Examples

# Clear all sessions.

<Sysname> reset session

# Clear all sessions with the source IP address as 10.10.10.10 of the initiator.

<Sysname> reset session source-ip 10.10.10.10

reset session statistics

Syntax

reset session statistics [ vd-name vd-name ]

View

User view

Default level

2: System level

Parameters

vd-name vd-name: Clears the session statistics of the specified virtual device. The vd-name argument

specifies the name of a virtual device. It is a case-insensitive string of 1 to 20 characters, which can be numerals, letters and underlines.

Description

Use the reset session statistics command to clear session statistics.

If no virtual device is specified, the command clears the session statistics on all virtual devices.

Examples

# Clear all session statistics.

<Sysname> reset session statistics

session aging-time

Syntax

session aging-time { accelerate | fin | icmp-closed | icmp-open | rawip-open | rawip-ready | syn | tcp-est | udp-open | udp-ready } time-value

View

System view

Default level

2: System level

Parameters

accelerate: Specifies the aging time for the sessions in the accelerate queue.

fin: Specifies the aging time for the TCP sessions in the FIN_WAIT state.

icmp-closed: Specifies the aging time for the ICMP sessions in the CLOSED state.

icmp-open: Specifies the aging time for the ICMP sessions in the OPEN state.

rawip-open: Specifies the aging time for the sessions in the RAWIP_OPEN state.

rawip-ready: Specifies the aging time for the sessions in the RAWIP_READY state.

syn: Specifies the aging time for the TCP sessions in the SYN_SENT or SYN_RCV state.

tcp-est: Specifies the aging time for the TCP sessions in the ESTABLISHED state.

udp-open: Specifies the aging time for the UDP sessions in the OPEN state.

udp-ready: Specifies the aging time for the UDP sessions in the READY state.

time-value: Aging time, in seconds in the range of 5 to 10000.

Description

Use the session aging-time command to set the aging time for sessions of a specified protocol that are in a specified state.

+ 113 hidden pages

HP A-U200 Command Reference Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

Contents

ACL configuration commands

acl copy

acl name

Description

display acl

display time-range

reset acl counter

rule (Ethernet frame header ACL view)

rule (IPv4 advanced ACL view)

rule (IPv4 basic ACL view)

rule comment

step

time-range

Session management commands

application aging-time

display session relation-table

display session statistics

display session table

reset session

reset session statistics

session aging-time