03-access control command reference-book
8/11/2019 03-Access Control Command Reference-book
1/147
H3C SecPath U Series Security Products
Access Control Command Reference
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Software version: SECPATH200US&200UCS&200UCM-CMW520-R5116
                  SECPATH200UA&200UM&200UCA-CMW520-R5116
Document version: 6PW103-20111221
Copyright 2009-2011, Hangzhou H3C Technologies Co., Ltd. and its licensors
All rights reserved
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.

Trademarks
H3C, Aolynk, H3Care, TOP G, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd.
All other trademarks that may be mentioned in this manual are the property of their respective owners.

Notice
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.
Preface
The H3C SecPath U Series Security Products command references describe the commands and command syntax options available for the H3C SecPath U Series Security Products.
The Access Control Command Reference describes the ACL, session management, connection limit, portal, and AAA configuration commands.
This preface includes:
Audience
Conventions
About the H3C SecPath U Series Security Products documentation set
Obtaining documentation
Technical support
Documentation feedback

Audience
This documentation is intended for:
Network planners
Field technical support and servicing engineers
Network administrators working with the SecPath U series

Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention         Description
Boldface           Bold text represents commands and keywords that you enter literally as shown.
Italic             Italic text represents arguments that you replace with actual values.
[ ]                Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }    Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ]    Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
{ x | y | ... } *  Asterisk-marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.
[ x | y | ... ] *  Asterisk-marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.
&                  The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
#                  A line that starts with a pound (#) sign is a comment.
GUI conventions
Convention  Description
Boldface    Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK.
>           Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Symbols
Convention  Description
WARNING     An alert that calls attention to important information that if not understood or followed can result in personal injury.
CAUTION     An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software.
IMPORTANT   An alert that calls attention to essential information.
NOTE        An alert that contains additional or supplementary information.
TIP         An alert that provides helpful information.
Port numbering in examples
The port numbers in this document are for illustration only and might be unavailable on your device.
About the H3C SecPath U Series Security Products documentation set
The H3C SecPath U Series Security Products documentation set includes:
Category: Product description and specifications
  Documents: Marketing brochures (U200-A, U200-M, U200-S, U200-CM, U200-CS)
  Purpose: Describe product specifications and benefits.
Category: Hardware specifications and installation
  Documents: Compliance and safety manual (U200-A/M/S, U200-CM/CS)
  Purpose: Provides regulatory information and the safety instructions that must be followed during installation.
  Documents: Installation guide (U200-A/M/S, U200-CM/CS)
  Purpose: Provides a complete guide to hardware installation and hardware specifications.
Category: Software configuration
  Documents: Configuration guides (U200-A/M/S, U200-CM/CS)
  Purpose: Describe software features and configuration procedures.
  Documents: Command references (U200-A/M/S, U200-CM/CS)
  Purpose: Provide a quick reference to all available commands.
  Documents: Configuration examples (U200-A/M/S, U200-CM/CS)
  Purpose: Describe typical network scenarios and provide configuration examples and instructions.
Category: Operations and maintenance
  Documents: Release notes (U200-A, U200-M, U200-S, U200-CA, U200-CM, U200-CS)
  Purpose: Provide information about the product release, including the version history, hardware and software compatibility matrix, version upgrade information, technical support information, and software upgrading.
Obtaining documentation
You can access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com.
Click the links on the top navigation bar to obtain different categories of product documentation:
[Technical Support & Documents > Technical Documents]: Provides hardware installation, software upgrading, and software feature configuration and maintenance documentation.
[Products & Solutions]: Provides information about products and technologies, as well as solutions.
[Technical Support & Documents > Software Download]: Provides the documentation released with the software version.

Technical support
[email protected]
http://www.h3c.com

Documentation feedback
You can e-mail your comments about product documentation to [email protected].
We appreciate your comments.
Contents
ACL configuration commands 1
acl 1
acl copy 2
acl name 3
description 3
display acl 4
display time-range 5
reset acl counter 6
rule (Ethernet frame header ACL view) 6
rule (IPv4 advanced ACL view) 8
rule (IPv4 basic ACL view) 12
rule comment 13
step 14
time-range 15
Session management commands 17
application aging-time 17
display session relation-table 17
display session statistics 19
display session table 20
reset session 23
reset session statistics 23
session aging-time 24
session checksum 25
session persist acl 25
Connection limit configuration commands 27
connection-limit apply policy 27
connection-limit policy 27
display connection-limit policy 28
limit 29
Portal configuration commands 31
display portal acl 31
display portal connection statistics 33
display portal free-rule 36
display portal interface 37
display portal server 38
display portal server statistics 39
display portal tcp-cheat statistics 40
display portal user 42
portal auth-network 43
portal delete-user 44
portal domain 44
portal free-rule 45
portal max-user 46
portal nas-id 47
portal nas-id-profile 47
portal nas-ip 48
portal server 48
portal server method 49
reset portal connection statistics 50
reset portal server statistics 51
reset portal tcp-cheat statistics 51
web-redirect 51
AAA configuration commands 53
AAA configuration commands 53
aaa nas-id profile 53
access-limit enable 53
accounting command 54
accounting default 55
accounting lan-access 55
accounting login 56
accounting optional 57
accounting portal 58
accounting ppp 59
authentication default 59
authentication lan-access 60
authentication login 61
authentication portal 62
authentication ppp 63
authorization command 63
authorization default 64
authorization lan-access 65
authorization login 66
authorization portal 67
authorization ppp 68
authorization-attribute user-profile 69
cut connection 69
display connection 71
display domain 73
domain 75
domain default enable 76
idle-cut enable 76
ip pool 77
nas-id bind vlan 78
self-service-url enable 78
state (ISP domain view) 79
Local user configuration commands 80
access-limit 80
authorization-attribute (local user view/user group view) 80
bind-attribute 82
display local-user 83
display user-group 85
expiration-date (local user view) 85
group 86
local-user 87
local-user password-display-mode 87
password 88
service-type 89
state (local user view) 90
user-group 90
RADIUS configuration commands 91
accounting-on enable 91
ACL configuration commands
acl
Syntax
acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
undo acl { all | name acl-name | number acl-number }
View
System view
Default level
2: System level
Parameters
number acl-number: Specifies the number of an IPv4 access control list (ACL):
2000 to 2999 for IPv4 basic ACLs
3000 to 3999 for IPv4 advanced ACLs
4000 to 4999 for Ethernet frame header ACLs
name acl-name: Assigns a name to the ACL for easy identification. The acl-name argument takes a case-insensitive string of 1 to 32 characters. It must start with an English letter and, to avoid confusion, it cannot be all.
match-order: Sets the order in which ACL rules are compared against packets:
auto: Compares ACL rules in depth-first order. The depth-first order differs with ACL categories. For more information, see ACL and QoS Configuration Guide.
config: Compares ACL rules in ascending order of rule ID. The rule with a smaller ID has higher priority. If no match order is specified, the config order applies by default.
all: Deletes all IPv4 ACLs.
Description
Use the acl command to create an IPv4 ACL and enter its view. If the ACL has been created, you enter its view directly.
Use the undo acl command to delete the specified IPv4 ACL or all IPv4 ACLs.
By default, no ACL exists.
You can assign a name to an IPv4 ACL only when you create it. After an ACL is created with a name, you cannot rename it or remove its name.
You can change match order only for ACLs that do not contain any rules.
To display any ACLs you have created, use the display acl command.
Examples
# Create IPv4 basic ACL 2000, and enter its view.
system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000]
# Create IPv4 basic ACL 2001 with the name flow, and enter its view.
system-view
[Sysname] acl number 2001 name flow
[Sysname-acl-basic-2001-flow]
acl copy
Syntax
acl copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }
View
System view
Default level
2: System level
Parameters
source-acl-number: Specifies an existing source IPv4 ACL by its number:
2000 to 2999 for IPv4 basic ACLs
3000 to 3999 for IPv4 advanced ACLs
4000 to 4999 for Ethernet frame header ACLs
name source-acl-name: Specifies an existing source IPv4 ACL by its name. The source-acl-name argument takes a case-insensitive string of 1 to 32 characters.
dest-acl-number: Assigns a unique number to the IPv4 ACL you are creating. This number must be from the same ACL category as the source ACL. Available value ranges include:
2000 to 2999 for IPv4 basic ACLs
3000 to 3999 for IPv4 advanced ACLs
4000 to 4999 for Ethernet frame header ACLs
name dest-acl-name: Assigns a unique name to the IPv4 ACL you are creating. The dest-acl-name argument takes a case-insensitive string of 1 to 32 characters. It must start with an English letter and, to avoid confusion, it cannot be all. For this ACL, the system automatically picks the smallest number from all available numbers in the same ACL category as the source ACL.
Description
Use the acl copy command to create an IPv4 ACL by copying an IPv4 ACL that already exists. The new ACL has the same properties and content as the source ACL, but not the same ACL number and name.
You can assign a name to an IPv4 ACL only when you create it. After an IPv4 ACL is created with a name, you cannot rename it or remove its name.
Examples
# Create IPv4 basic ACL 2002 by copying IPv4 basic ACL 2001.
system-view
[Sysname] acl copy 2001 to 2002
acl name
Syntax
acl name acl-name
View
System view
Default level
2: System level
Parameters
acl-name: Specifies an IPv4 ACL name, a case-insensitive string of 1 to 32 characters. It must start with an English letter. The IPv4 ACL must already exist.
Description
Use the acl name command to enter the view of an IPv4 ACL that has a name.
Related commands: acl.
Examples
# Enter the view of IPv4 ACL flow.
system-view
[Sysname] acl name flow
[Sysname-acl-basic-2001-flow]
description
Syntax
description text
undo description
View
IPv4 basic/advanced ACL view, Ethernet frame header ACL view
Default level
2: System level
Parameters
text: ACL description, a case-sensitive string of 1 to 127 characters.
Description
Use the description command to configure a description for an ACL.
Use the undo description command to remove the ACL description.
By default, an ACL has no ACL description.
Related commands: display acl.
Examples
# Configure a description for IPv4 basic ACL 2000.
system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] description This is an IPv4 basic ACL.
display acl
Syntax
display acl { acl-number | all | name acl-name }
View
Any view
Default level
1: Monitor level
Parameters
acl-number: Specifies an ACL by its number:
2000 to 2999 for IPv4 basic ACLs
3000 to 3999 for IPv4 advanced ACLs
4000 to 4999 for Ethernet frame header ACLs
all: Displays information for all IPv4 ACLs.
name acl-name: Specifies an ACL by its name. The acl-name argument takes a case-insensitive string of 1 to 32 characters. It must start with an English letter.
Description
Use the display acl command to display the IPv4 ACL configuration and match statistics.
This command displays ACL rules in config or depth-first order, whichever is configured.
Examples
# Display the configuration and match statistics of all IPv4 ACLs.
display acl all
Basic ACL 2000, named flow, 3 rules,
ACL's step is 5
 rule 0 permit
 rule 5 permit source 1.1.1.1 0 (2 times matched)
 rule 10 permit vpn-instance mk
Basic ACL 2001, named -none-, 3 rules, match-order is auto,
ACL's step is 5
 rule 10 permit vpn-instance rd
 rule 10 comment This rule is used in VPN rd.
 rule 5 permit source 2.2.2.2 0
 rule 0 permit
Table 1 Output description
Field                  Description
Basic ACL 2000         Category and number of the ACL. The following field information is about IPv4 basic ACL 2000.
named flow             The name of the ACL is flow. "-none-" means the ACL is not named.
3 rules                The ACL contains three rules.
match-order is auto    The match order for the ACL is auto, which sorts ACL rules in depth-first order. This field is not present when the match order is config.
ACL's step is 5        The rule numbering step is 5.
rule 0 permit          Content of rule 0.
2 times matched        There have been two matches for the rule. The statistic counts only ACL matches performed in software. This field is not displayed when no packets have matched the rule.
Uncompleted            Applying the rule to hardware failed because insufficient resources were available or the hardware does not support the rule. This event might occur when you modify a rule in an ACL that has been applied.
rule 10 comment This rule is used in VPN rd.    The description of ACL rule 10 is "This rule is used in VPN rd."
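As an added example that is not part of this reference, the following Python parses display acl output in the layout shown above into structures, then lists rules whose software match counter is zero (review candidates when pruning an ACL) and ACLs whose stated rule count disagrees with the rules listed under them (a sign of truncated captured output). The sample output is constructed, and the class and function names are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample, laid out like the display acl all output in this reference.
SAMPLE_OUTPUT = """\
Basic ACL 2000, named flow, 3 rules,
ACL's step is 5
 rule 0 permit
 rule 5 permit source 1.1.1.1 0 (2 times matched)
 rule 10 permit vpn-instance mk
Basic ACL 2001, named -none-, 3 rules, match-order is auto,
ACL's step is 5
 rule 10 permit vpn-instance rd
 rule 10 comment This rule is used in VPN rd.
 rule 5 permit source 2.2.2.2 0
 rule 0 permit
"""

# "match-order is auto," is only printed for auto; config is the default and is not shown.
ACL_HEADER = re.compile(r"^(?P<category>.+?) ACL (?P<number>\d+), named (?P<name>\S+), "
                        r"(?P<count>\d+) rules?,(?: match-order is (?P<order>auto|config),)?$")
STEP_LINE = re.compile(r"^ACL's step is (?P<step>\d+)$")
COMMENT_LINE = re.compile(r"^\s*rule (?P<id>\d+) comment (?P<text>.*)$")
# "(N times matched)" is appended only when the rule has matched packets in software.
RULE_LINE = re.compile(r"^\s*rule (?P<id>\d+) (?P<action>permit|deny)(?P<body>.*?)"
                       r"(?: \((?P<hits>\d+) times? matched\))?$")

@dataclass
class Rule:
    rule_id: int
    action: str                      # permit or deny
    criteria: str                    # rest of the rule text, e.g. "source 1.1.1.1 0"
    matched: int = 0                 # software match counter; 0 when the field is absent
    comment: Optional[str] = None    # set by a following "rule N comment ..." line

@dataclass
class Acl:
    category: str                    # Basic, Advanced, ...
    number: int
    name: Optional[str]              # None when shown as -none-
    match_order: str                 # "config" unless "match-order is auto" is shown
    declared_rules: int              # the "N rules" count from the header line
    step: int = 0
    rules: list = field(default_factory=list)

def parse_display_acl(text):
    """Parse display acl output into Acl objects; raises on a line it does not recognize."""
    acls, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if m := ACL_HEADER.match(line):
            current = Acl(m["category"], int(m["number"]),
                          None if m["name"] == "-none-" else m["name"],
                          m["order"] or "config", int(m["count"]))
            acls.append(current)
        elif current is None:
            raise ValueError(f"rule text before any ACL header: {line!r}")
        elif m := STEP_LINE.match(line):
            current.step = int(m["step"])
        elif m := COMMENT_LINE.match(line):
            for rule in current.rules:           # the comment follows the rule it describes
                if rule.rule_id == int(m["id"]):
                    rule.comment = m["text"]
        elif m := RULE_LINE.match(line):
            current.rules.append(Rule(int(m["id"]), m["action"], m["body"].strip(),
                                      int(m["hits"] or 0)))
        else:
            raise ValueError(f"unrecognized line: {line!r}")
    return acls

def unmatched_rules(acls):
    """(ACL number, rule ID) pairs whose software match counter is zero. Only software
    matches are counted, so a zero here does not prove the rule never matched in hardware."""
    return [(acl.number, rule.rule_id) for acl in acls
            for rule in acl.rules if rule.matched == 0]

def rule_count_mismatches(acls):
    """ACL numbers whose header rule count disagrees with the rules actually listed."""
    return [acl.number for acl in acls if acl.declared_rules != len(acl.rules)]
```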
display time-range
Syntax
display time-range { time-range-name | all }
View
Any view
Default level
1: Monitor level
Parameters
time-range-name: Specifies a time range name, a case-insensitive string of 1 to 32 characters. It must start with an English letter.
all: Displays the configuration and status of all existing time ranges.
Description
Use the display time-range command to display the configuration and status of the specified time range or all time ranges.
Examples
# Display the configuration and status of time range t4.
display time-range t4
Current time is 17:12:34 4/13/2010 Tuesday
Time-range : t4 ( Inactive )
 10:00 to 12:00 Mon
 14:00 to 16:00 Wed
 from 00:00 1/1/2010 to 23:59 1/31/2010
 from 00:00 6/1/2010 to 23:59 6/30/2010
Table 2 Output description
Field         Description
Current time  Current system time.
Time-range    Configuration and status of the time range, including its name, status (active or inactive), and start time and end time.
reset acl counter
Syntax
reset acl counter { acl-number | all | name acl-name }
View
User view
Default level
2: System level
Parameters
acl-number: Specifies an IPv4 ACL by its number:
2000 to 2999 for IPv4 basic ACLs
3000 to 3999 for IPv4 advanced ACLs
4000 to 4999 for Ethernet frame header ACLs
all: Clears statistics for all IPv4 ACLs.
name acl-name: Specifies an IPv4 ACL by its name. The acl-name argument takes a case-insensitive string of 1 to 32 characters. It must start with an English letter.
Description
Use the reset acl counter command to clear IPv4 ACL statistics.
Related commands: display acl.
Examples
# Clear statistics for IPv4 basic ACL 2001.
reset acl counter 2001
# Clear statistics for IPv4 ACL flow.
reset acl counter name flow
rule (Ethernet frame header ACL view)
Syntax
rule [ rule-id ] { deny | permit } [ cos vlan-pri | dest-mac dest-addr dest-mask | { lsap lsap-type lsap-type-mask | type protocol-type protocol-type-mask } | source-mac sour-addr source-mask | time-range time-range-name ] *
undo rule rule-id [ counting | time-range ] *
View
Ethernet frame header ACL view
Default level
2: System level
Parameters
rule-id: Specifies a rule ID, in the range of 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
cos vlan-pri: Matches an 802.1p priority. The vlan-pri argument can be a number in the range of 0 to 7, or in words, best-effort (0), background (1), spare (2), excellent-effort (3), controlled-load (4), video (5), voice (6), or network-management (7).
dest-mac dest-addr dest-mask: Matches a destination MAC address range. The dest-addr and dest-mask arguments represent a destination MAC address and mask in H-H-H format.
lsap lsap-type lsap-type-mask: Matches the DSAP and SSAP fields in LLC encapsulation. The lsap-type argument is a 16-bit hexadecimal number that represents the encapsulation format. The lsap-type-mask argument is a 16-bit hexadecimal number that represents the LSAP mask.
type protocol-type protocol-type-mask: Matches one or more protocols in the Ethernet frame header. The protocol-type argument is a 16-bit hexadecimal number that represents a protocol type in Ethernet_II and Ethernet_SNAP frames. The protocol-type-mask argument is a 16-bit hexadecimal number that represents a protocol type mask.
source-mac sour-addr source-mask: Matches a source MAC address range. The sour-addr argument represents a source MAC address, and the source-mask argument represents a mask in H-H-H format.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule; however, the rule using the time range can take effect only after you configure the time range.
Description
Use the rule command to create or edit an Ethernet frame header ACL rule. You can edit ACL rules only when the match order is config.
Use the undo rule command to delete an Ethernet frame header ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specified attributes.
By default, an Ethernet frame header ACL does not contain any rule.
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt fails.
To view rules in an ACL and their rule IDs, use the display acl all command.
Related commands: acl, display acl, step, and time-range.
Examples
# Create rules in ACL 4000 to permit ARP packets and deny RARP packets.
system-view
[Sysname] acl number 4000
[Sysname-acl-ethernetframe-4000] rule permit type 0806 ffff
[Sysname-acl-ethernetframe-4000] rule deny type 8035 ffff
rule (IPv4 advanced ACL view)
Syntax
rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * } | destination { dest-addr dest-wildcard | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmp-type { icmp-type [ icmp-code ] | icmp-message } | logging | precedence precedence | reflective | source { sour-addr sour-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name | tos tos | vpn-instance vpn-instance-name ] *
undo rule rule-id [ { { ack | fin | psh | rst | syn | urg } * } | destination | destination-port | dscp | fragment | icmp-type | logging | precedence | reflective | source | source-port | time-range | tos | vpn-instance ] *
View
IPv4 advanced ACL view
Default level
2: System level
Parameters
rule-id: Specifies a rule ID, in the range of 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
protocol: Protocol carried by IPv4. It can be a number in the range of 0 to 255, or in words, gre (47), icmp (1), igmp (2), ip, ipinip (4), ospf (89), tcp (6), or udp (17). Table 3 describes the parameters that you can specify regardless of the value that the protocol argument takes.
Table 3 Match criteria and other rule information for IPv4 advanced ACL rules
source { sour-addr sour-wildcard | any }
  Function: Specifies a source address.
  Description: The sour-addr sour-wildcard arguments represent a source IP address and wildcard mask in dotted decimal notation. An all-zero wildcard specifies a host address. The any keyword specifies any source IP address.
destination { dest-addr dest-wildcard | any }
  Function: Specifies a destination address.
  Description: The dest-addr dest-wildcard arguments represent a destination IP address and wildcard mask in dotted decimal notation. An all-zero wildcard specifies a host address. The any keyword represents any destination IP address.
precedence precedence
  Function: Specifies an IP precedence value.
  Description: The precedence argument can be a number in the range of 0 to 7, or in words, routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6), or network (7).
tos tos
  Function: Specifies a ToS preference.
  Description: The tos argument can be a number in the range of 0 to 15, or in words, max-reliability (2), max-throughput (4), min-delay (8), min-monetary-cost (1), or normal (0).
dscp dscp
  Function: Specifies a DSCP priority.
  Description: The dscp argument can be a number in the range of 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46).
logging
  Function: Logs matching packets.
  Description: This function requires that the module that uses the ACL supports logging.
reflective
  Function: Specifies that the rule be reflective.
  Description: A rule with the reflective keyword can be defined only for TCP, UDP, or ICMP packets and can only be a permit statement.
vpn-instance vpn-instance-name
  Function: Applies the rule to packets in a VPN instance.
  Description: The vpn-instance-name argument takes a case-sensitive string of 1 to 31 characters. If no VPN instance is specified, the rule applies only to non-VPN packets.
fragment
  Function: Applies the rule to only non-first fragments.
  Description: Without this keyword, the rule applies to all fragments and non-fragments.
time-range time-range-name
  Function: Specifies a time range for the rule.
  Description: The time-range-name argument takes a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule; however, the rule using the time range can take effect only after you configure the time range.
NOTE:
If you provide the precedence or tos keyword in addition to the dscp keyword, only the dscp keyword takes effect.
If the protocol argument takes tcp (6) or udp (17), set the parameters shown in Table 4.
Table 4 TCP/UDP-specific parameters for IPv4 advanced ACL rules
source-port operator port1 [ port2 ]: Specifies one or more UDP or TCP source ports.
The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range).
The port1 and port2 arguments are TCP or UDP port numbers in the range of 0 to 65535. port2 is needed only when the operator argument is range.
TCP port numbers can be represented as: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80).
UDP port numbers can be represented as: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177).
destination-port operator port1 [ port2 ]: Specifies one or more UDP or TCP destination ports. The operator, port1, and port2 arguments take the same values as for source-port.
{ ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } *: Specifies one or more TCP flags including ACK, FIN, PSH, RST, SYN, and URG. Parameters specific to TCP. The value for each argument can be 0 (flag bit not set) or 1 (flag bit set). For example, a rule configured with ack 1 psh 0 may match packets that have the ACK flag bit set or the PSH flag bit not set on one device.
If the protocol argument takes icmp (1), set the parameters shown in Table 5.
Table 5 ICMP-specific parameters for IPv4 advanced ACL rules
icmp-type { icmp-type [ icmp-code ] | icmp-message }: Specifies the ICMP message type and code. The icmp-type argument is in the range of 0 to 255. The icmp-code argument is in the range of 0 to 255. The icmp-message argument specifies a message name. Supported ICMP message names and their corresponding type and code values are listed in Table 6.
Table 6 ICMP message names supported in IPv4 advanced ACL rules
ICMP message name    ICMP message type    ICMP message code
echo 8 0
echo-reply 0 0
fragmentneed-DFset 3 4
host-redirect 5 1
host-tos-redirect 5 3
host-unreachable 3 1
information-reply 16 0
information-request 15 0
net-redirect 5 0
net-tos-redirect 5 2
net-unreachable 3 0
parameter-problem 12 0
port-unreachable 3 3
protocol-unreachable 3 2
reassembly-timeout 11 1
source-quench 4 0
source-route-failed 3 5
timestamp-reply 14 0
timestamp-request 13 0
ttl-exceeded 11 0
Description
Use the rule command to create or edit an IPv4 advanced ACL rule. You can edit ACL rules only when the match order is config.
Use the undo rule command to delete an entire IPv4 advanced ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specified attributes.
By default, an IPv4 advanced ACL does not contain any rule.
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt fails.
To view rules in an ACL and their rule IDs, use the display acl all command.
Related commands: acl, display acl, step, and time-range.
Examples
# Create an IPv4 advanced ACL rule to permit TCP packets with the destination port 80 from 129.9.0.0/16 to 202.38.160.0/24, and enable logging matching packets.
system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80 logging
# Create IPv4 advanced ACL rules to permit all IP packets but the ICMP packets destined for 192.168.1.0/24.
system-view
configured, the system creates the rule; however, the rule using the time range can take effect only after you configure the time range.
vpn-instance vpn-instance-name: Applies the rule to packets in a VPN instance. The vpn-instance-name argument takes a case-sensitive string of 1 to 31 characters. If no VPN instance is specified, the rule applies only to non-VPN packets.
Description
Use the rule command to create or edit an IPv4 basic ACL rule. You can edit ACL rules only when the match order is config.
Use the undo rule command to delete an entire IPv4 basic ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specified attributes.
By default, an IPv4 basic ACL does not contain any rule.
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt fails.
To view rules in an ACL and their rule IDs, use the display acl all command.
Related commands: acl, display acl, step, and time-range.
Examples
# Create a rule in IPv4 basic ACL 2000 to deny the packets from any source IP segment but 10.0.0.0/8, 172.17.0.0/16, or 192.168.1.0/24.
system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule permit source 10.0.0.0 0.255.255.255
[Sysname-acl-basic-2000] rule permit source 172.17.0.0 0.0.255.255
[Sysname-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[Sysname-acl-basic-2000] rule deny source any
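The following is an added illustration, not H3C code or anything from this reference, of how the rule semantics described above (wildcard masks, the lt/gt/eq/neq/range port operators, the fragment keyword, config match order and the unique-statement check) fit together. It rebuilds both the advanced ACL 3000 example and the basic ACL 2000 example above and evaluates sample packets against them. Assumed simplifications, not stated on the page: config order compares rules by ascending rule ID, an unnumbered rule gets the next multiple of the numbering step (0, 5, 10, ...), statement uniqueness ignores the logging keyword, and non-first fragments are modelled with ports of 0.

```python
"""Added illustration, not H3C code: evaluate IPv4 basic and advanced ACL rules
in config match order with the wildcard-mask, port-operator and fragment
semantics described above. Assumptions: config order compares rules by
ascending rule ID, an unnumbered rule gets the next multiple of the step
(0, 5, 10, ...), and non-first fragments are modelled with ports of 0."""
from dataclasses import dataclass
from typing import Optional, Tuple
import ipaddress

# Named ports (subset of Table 4) so rules can be written the way the CLI shows them.
PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20, "telnet": 23, "smtp": 25,
              "domain": 53, "dns": 53, "snmp": 161, "ntp": 123, "syslog": 514}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask semantics: a 1 bit in the wildcard means 'do not care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def port_match(port: int, spec: Optional[Tuple]) -> bool:
    """spec is (operator, port1, port2); operator is lt, gt, eq, neq or range."""
    if spec is None:
        return True
    op, p1, p2 = spec
    p1, p2 = PORT_NAMES.get(p1, p1), PORT_NAMES.get(p2, p2)
    if op == "range":                       # port2 is needed only for range
        return p1 <= port <= p2
    return {"eq": port == p1, "neq": port != p1, "lt": port < p1, "gt": port > p1}[op]


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "ip"                    # ip, tcp, udp or icmp
    sport: int = 0
    dport: int = 0
    non_first_fragment: bool = False


@dataclass
class Rule:
    rule_id: int
    action: str                                   # permit or deny
    protocol: str = "ip"                          # ip matches any IP protocol
    source: Optional[Tuple[str, str]] = None      # (address, wildcard); None = any
    destination: Optional[Tuple[str, str]] = None
    sport: Optional[Tuple] = None                 # (operator, port1, port2)
    dport: Optional[Tuple] = None
    fragment: bool = False                        # keyword: only non-first fragments
    logging: bool = False

    def statement(self) -> Tuple:
        """The permit/deny statement (rule ID and logging excluded); unique within an ACL."""
        return (self.action, self.protocol, self.source, self.destination,
                self.sport, self.dport, self.fragment)

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "ip" and self.protocol != pkt.protocol:
            return False
        if self.source and not wildcard_match(pkt.src, *self.source):
            return False
        if self.destination and not wildcard_match(pkt.dst, *self.destination):
            return False
        if self.fragment and not pkt.non_first_fragment:   # without the keyword all fragments match
            return False
        return port_match(pkt.sport, self.sport) and port_match(pkt.dport, self.dport)


class Acl:
    """One ACL evaluated in config match order: ascending rule ID, first match wins."""

    def __init__(self, number: int, step: int = 5):
        self.number, self.step, self.rules = number, step, []

    def add_rule(self, action: str, rule_id: Optional[int] = None, **kw) -> Rule:
        if rule_id is None:                     # auto-numbering as described under 'step'
            highest = max((r.rule_id for r in self.rules), default=-1)
            rule_id = (highest // self.step + 1) * self.step
        rule = Rule(rule_id, action, **kw)
        if any(r.statement() == rule.statement() for r in self.rules):
            raise ValueError("duplicate permit/deny statement in ACL %d" % self.number)
        self.rules.append(rule)
        return rule

    def evaluate(self, pkt: Packet):
        """Return (action, rule) of the first matching rule, or (None, None) if none matches."""
        for rule in sorted(self.rules, key=lambda r: r.rule_id):
            if rule.matches(pkt):
                return rule.action, rule
        return None, None


def page_examples() -> Tuple[Acl, Acl]:
    """The two ACLs configured in the examples above: advanced ACL 3000 and basic ACL 2000."""
    adv = Acl(3000)
    adv.add_rule("permit", protocol="tcp", source=("129.9.0.0", "0.0.255.255"),
                 destination=("202.38.160.0", "0.0.0.255"), dport=("eq", 80, None), logging=True)
    basic = Acl(2000)
    basic.add_rule("permit", source=("10.0.0.0", "0.255.255.255"))
    basic.add_rule("permit", source=("172.17.0.0", "0.0.255.255"))
    basic.add_rule("permit", source=("192.168.1.0", "0.0.0.255"))
    basic.add_rule("deny")                      # rule deny source any
    return adv, basic
```

A packet that matches no rule gets (None, None) here; what the device does with such a packet depends on the module that references the ACL, which this reference does not specify, so the caller has to decide the default.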
rule comment
Syntax
rule rule-id comment text
undo rule rule-id comment
View
IPv4 basic/advanced ACL view, Ethernet frame header ACL view
Default level
2: System level
Parameters
rule-id: Specifies an ACL rule ID, in the range of 0 to 65534. The ACL rule must already exist.
text: Specifies a comment about the ACL rule, a case-sensitive string of 1 to 127 characters.
Description
Use the rule comment command to add a comment about an existing ACL rule or edit its comment to make the rule easy to understand.
Use the undo rule comment command to delete the ACL rule comment.
By default, an IPv4 ACL rule has no rule comment.
Related commands: display acl.
Examples
# Create a rule in IPv4 basic ACL 2000 and add a comment about the rule.
system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 0 deny source 1.1.1.1 0
[Sysname-acl-basic-2000] rule 0 comment This rule is used on GigabitEthernet 0/1.
step
Syntax
step step-value
undo step
View
IPv4 basic/advanced ACL view, Ethernet frame header ACL view
Default level
2: System level
Parameters
step-value: ACL rule numbering step, in the range of 1 to 20.
Description
Use the step command to set a rule numbering step for an ACL. The rule numbering step sets the increment by which the system numbers rules automatically. For example, the default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating, they are numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more rules you can insert between two rules. Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five rules numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be renumbered 0, 2, 4, 6 and 8.
Use the undo step command to restore the default.
The default rule numbering step is 5. After you restore the default numbering step by the undo step command, the rules are renumbered in steps of 5.
Related commands: display acl.
Examples
# Set the rule numbering step to 2 for IPv4 basic ACL 2000.
system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] step 2
time-range
Syntax
time-range time-range-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 }
undo time-range time-range-name [ start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 ]
View
System view
Default level
2: System level
Parameters
time-range-name: Specifies a time range name. The name is a case-insensitive string of 1 to 32 characters. It must start with an English letter and, to avoid confusion, cannot be all.
start-time to end-time: Specifies a periodic statement. Both start-time and end-time are in hh:mm format (24-hour clock), and each value is in the range of 00:00 to 23:59. The end time must be greater than the start time.
days: Specifies the day or days of the week (in words or digits) on which the periodic statement is valid. If you specify multiple values, separate each value with a space, and be sure that they do not overlap. These values can take one of the following forms:
A digit in the range of 0 to 6, respectively for Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, and Saturday.
A day of a week in abbreviated words: sun, mon, tue, wed, thu, fri, and sat.
working-day for Monday through Friday.
off-day for Saturday and Sunday.
daily for the whole week.
from time1 date1: Specifies the start time and date of an absolute statement. The time1 argument specifies the time of the day in hh:mm format (24-hour clock). Its value is in the range of 00:00 to 23:59. The date1 argument specifies a date in MM/DD/YYYY or YYYY/MM/DD format, where MM is the month of the year in the range of 1 to 12, DD is the day of the month with the range depending on MM, and YYYY is the year in the calendar in the range of 1970 to 2100. If not specified, the start time is 01/01/1970 00:00 AM, the earliest time available in the system.
to time2 date2: Specifies the end time and date of the absolute time statement. The time2 argument has the same format as the time1 argument, but its value is in the range of 00:00 to 24:00. The date2 argument has the same format and value range as the date1 argument. The end time must be greater than the start time. If not specified, the end time is 12/31/2100 24:00 PM, the maximum time available in the system.
Description
Use the time-range command to configure a time range.
Use the undo time-range command to delete a time range or a statement in the time range.
By default, no time range exists.
You can create multiple statements in a time range. Each time statement can take one of the following forms:
Periodic statement in the start-time to end-time days format. A periodic statement recurs periodically on a day or days of the week.
Absolute statement in the from time1 date1 to time2 date2 format. An absolute statement does not recur.
Compound statement in the start-time to end-time days from time1 date1 to time2 date2 format. A compound statement recurs on a day or days of the week only within the specified period. For example, to create a time range that is active from 08:00 to 12:00 on Monday between January 1, 2010 00:00 and December 31, 2010 23:59, use the time-range test 08:00 to 12:00 mon from 00:00 01/01/2010 to 23:59 12/31/2010 command.
The active period of a time range is calculated as follows:
1. Combining all periodic statements
2. Combining all absolute statements
3. Taking the intersection of the two statement sets as the active period of the time range
You can create a maximum of 256 time ranges, each with a maximum of 32 periodic statements and 12 absolute statements.
Related commands: display time-range.
Examples
# Create a periodic time range t1, setting it to be active between 8:00 to 18:00 during working days.
system-view
[Sysname] time-range t1 8:0 to 18:0 working-day
# Create an absolute time range t2, setting it to be active in the whole year of 2010.
system-view
[Sysname] time-range t2 from 0:0 1/1/2010 to 23:59 12/31/2010
# Create a compound time range t3, setting it to be active from 08:00 to 12:00 on Saturdays and Sundays of the year 2010.
system-view
[Sysname] time-range t3 8:0 to 12:0 off-day from 0:0 1/1/2010 to 23:59 12/31/2010
# Create a compound time range t4, setting it to be active from 10:00 to 12:00 on Mondays and from 14:00 to 16:00 on Wednesdays in the period of January through June of the year 2010.
system-view
[Sysname] time-range t4 10:0 to 12:0 1 from 0:0 1/1/2010 to 23:59 1/31/2010
[Sysname] time-range t4 14:0 to 16:0 3 from 0:0 6/1/2010 to 23:59 6/30/2010
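Because a time-range that is computed wrongly silently switches an ACL rule on or off, it is worth being able to check the active period offline. The following added example (not H3C code) parses the argument syntax of the time-range command as shown above and applies the three-step algorithm literally: union of the periodic statements, union of the absolute statements, intersection of the two. It rebuilds t1 to t4 from the examples. Assumptions not stated on the page: minute granularity, inclusive start and end, 24:00 treated as the last minute of its day, and a missing periodic or absolute set meaning "always". One consequence of applying the three steps literally is that for t4 the two compound statements are combined set-wise, so a Monday 10:00 to 12:00 in June also tests active; whether the device instead pairs each periodic part with its own absolute part, as the compound-statement definition suggests, is something to verify on the device with display time-range.

```python
"""Added example, not H3C code: model the time-range command's periodic,
absolute and compound statements and decide whether a range is active at a
given moment by the three-step algorithm above. Assumptions: minute
granularity, inclusive bounds, 24:00 = last minute of its day."""
from datetime import datetime, time
from typing import List, Set, Tuple

DAY_NAMES = {"sun": 0, "mon": 1, "tue": 2, "wed": 3, "thu": 4, "fri": 5, "sat": 6}
DAY_GROUPS = {"working-day": {1, 2, 3, 4, 5}, "off-day": {0, 6}, "daily": set(range(7))}
ABS_MIN = datetime(1970, 1, 1, 0, 0)        # default start: 01/01/1970 00:00
ABS_MAX = datetime(2100, 12, 31, 23, 59)    # default end: 12/31/2100 24:00


def parse_hhmm(text: str) -> time:
    hour, minute = (int(x) for x in text.split(":"))
    return time(23, 59) if hour == 24 else time(hour, minute)


def parse_date(text: str) -> Tuple[int, int, int]:
    """Accept MM/DD/YYYY or YYYY/MM/DD and return (year, month, day)."""
    a, b, c = (int(x) for x in text.split("/"))
    return (a, b, c) if a > 31 else (c, a, b)


def parse_days(tokens: List[str]) -> Set[int]:
    """Day tokens: digits 0-6 (Sunday..Saturday), abbreviated names, or a group keyword."""
    days: Set[int] = set()
    for tok in tokens:
        if tok.isdigit() and 0 <= int(tok) <= 6:
            days.add(int(tok))
        elif tok in DAY_NAMES:
            days.add(DAY_NAMES[tok])
        elif tok in DAY_GROUPS:
            days |= DAY_GROUPS[tok]
        else:
            raise ValueError(f"unknown day token {tok!r}")
    return days


def _at(date: Tuple[int, int, int], tm: time) -> datetime:
    return datetime(*date, tm.hour, tm.minute)


class TimeRange:
    def __init__(self, name: str):
        self.name = name
        self.periodic: List[Tuple[time, time, Set[int]]] = []
        self.absolute: List[Tuple[datetime, datetime]] = []

    def add_statement(self, text: str) -> None:
        """Parse the arguments of one 'time-range NAME ...' line: a periodic,
        absolute or compound statement, in the CLI syntax shown above."""
        tok = text.split()
        if tok[0] not in ("from", "to"):                      # periodic part present
            start, end = parse_hhmm(tok[0]), parse_hhmm(tok[2])   # tok[1] is the keyword 'to'
            if end <= start:
                raise ValueError("end time must be greater than start time")
            i = 3
            while i < len(tok) and tok[i] not in ("from", "to"):
                i += 1
            self.periodic.append((start, end, parse_days(tok[3:i])))
            tok = tok[i:]
        if tok:                                               # absolute part present
            lo, hi = ABS_MIN, ABS_MAX
            if tok[0] == "from":
                lo, tok = _at(parse_date(tok[2]), parse_hhmm(tok[1])), tok[3:]
            if tok and tok[0] == "to":
                hi = _at(parse_date(tok[2]), parse_hhmm(tok[1]))
            if hi <= lo:
                raise ValueError("end must be later than start")
            self.absolute.append((lo, hi))

    def is_active(self, now: datetime) -> bool:
        now = now.replace(second=0, microsecond=0)
        h3c_day = (now.weekday() + 1) % 7            # Python Monday=0 -> H3C Sunday=0
        # Step 1: union of all periodic statements (none configured = always)
        periodic_ok = not self.periodic or any(
            h3c_day in days and start <= now.time() <= end
            for start, end, days in self.periodic)
        # Step 2: union of all absolute statements (none configured = always)
        absolute_ok = not self.absolute or any(lo <= now <= hi for lo, hi in self.absolute)
        # Step 3: the active period is the intersection of the two sets
        return periodic_ok and absolute_ok


def page_examples() -> Tuple[TimeRange, TimeRange, TimeRange, TimeRange]:
    """The time ranges t1..t4 from the examples above, statement text as typed."""
    t1 = TimeRange("t1"); t1.add_statement("8:0 to 18:0 working-day")
    t2 = TimeRange("t2"); t2.add_statement("from 0:0 1/1/2010 to 23:59 12/31/2010")
    t3 = TimeRange("t3"); t3.add_statement("8:0 to 12:0 off-day from 0:0 1/1/2010 to 23:59 12/31/2010")
    t4 = TimeRange("t4")
    t4.add_statement("10:0 to 12:0 1 from 0:0 1/1/2010 to 23:59 1/31/2010")
    t4.add_statement("14:0 to 16:0 3 from 0:0 6/1/2010 to 23:59 6/30/2010")
    return t1, t2, t3, t4
```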
Session management commands
application aging-time
Syntax
application aging-time { dns | ftp | msn | qq | sip } time-value
undo application aging-time [ dns | ftp | msn | qq | sip ]
View
System view
Default level
2: System level
Parameters
dns: Specifies the aging time for DNS sessions.
ftp: Specifies the aging time for FTP sessions.
msn: Specifies the aging time for MSN sessions.
qq: Specifies the aging time for QQ sessions.
sip: Specifies the aging time for SIP sessions.
time-value: Aging time, which ranges from 5 seconds to 100000 seconds.
Description
Use the application aging-time command to set the aging time for sessions of an application layer protocol.
Use the undo application aging-time command to restore the default. If no application layer protocol type is specified, the command restores the session aging times for all the application layer protocols to the defaults.
The default session aging time for each application layer protocol is 60 seconds.
Examples
# Set the aging time for FTP sessions to 1800 seconds.
system-view
[Sysname] application aging-time ftp 1800
display session relation-table
Syntax
display session relation-table [ vd-name vd-name ]
View
Any view
Default level
2: System level
Parameters
vd-name vd-name: Displays the relationship table entries of the specified virtual device. The vd-name argument specifies the name of a virtual device. It is a case-insensitive string of 1 to 20 characters, which can be numerals, letters and underlines.
Description
Use the display session relation-table command to display relationship table entries.
With no virtual device specified, the command displays the relationship table entries of all virtualdevices.
Examples
# Display all relationship table entries.
display session relation-table
Local IP/Port        Global IP/Port       MatchMode
192.168.1.22/99      10.153.2.22/99       Local
APP: QQ   Pro: UDP   TTL: 2000s   AllowConn: 10
Local IP/Port        Global IP/Port       MatchMode
192.168.1.100/99     10.153.2.100/99      Local
APP: FTP   Pro: TCP   TTL: 2000s   AllowConn: 10
Total find: 2
Table 7 Output description
Field Description
Local IP/Port IP address/port number of the inside network
Global IP/Port IP address/port number of the outside network
MatchMode Match mode from session table to relationship table, including Local, Global, and Either.
Local: Indicates that the source IP address/source port of a new session are matched against Local IP/Port in the relation table.
Global: Indicates that the destination IP address/destination port of a new session are matched against Global IP/Port in the relation table.
Either: Indicates that the IP/port of a new session are matched against Local IP/Port or Global IP/Port in the relation table.
App Application layer protocol: FTP, MSN, or QQ
Pro Transport layer protocol: TCP or UDP
TTL Remaining lifetime of the relationship table entry, in seconds.
AllowConn Number of sessions allowed by the relationship table entry
Total find Total number of found relationship table entries
display session statistics
Syntax
display session statistics [ vd-name vd-name ]
View
Any view
Default level
2: System level
Parameters
vd-name vd-name: Displays the session statistics of the specified virtual device. The vd-name argument specifies the name of a virtual device. It is a case-insensitive string of 1 to 20 characters, which can be numerals, letters and underlines.
Description
Use the display session statistics command to display statistics about sessions.
With no virtual device specified, the command displays the session statistics of all virtual devices. With no keyword specified, the command displays all session statistics information. If you display the session statistics of a specified virtual device, the output does not contain the number of dropped packets.
Examples
# Display statistics about all sessions.
display session statistics
Current session(s): 593951
Current TCP session(s): 0    Half-Open: 0    Half-Close: 0
Current UDP session(s): 593951
Current ICMP session(s): 0
Current RAWIP session(s): 0
Current relation table(s): 50000
Session establishment rate: 184503/s
TCP Session establishment rate: 0/s
UDP Session establishment rate: 184503/s
ICMP Session establishment rate: 0/s
RAWIP Session establishment rate: 0/s
Received TCP: 1538 packet(s) 337567 byte(s)
Received UDP: 86810494849 packet(s) 4340524910260 byte(s)
Received ICMP: 307232 packet(s) 17206268 byte(s)
Received RAWIP: 0 packet(s) 0 byte(s)
Dropped TCP: 0 packet(s) 0 byte(s)
Dropped UDP: 0 packet(s) 0 byte(s)
Dropped ICMP: 0 packet(s) 0 byte(s)
Dropped RAWIP: 0 packet(s) 0 byte(s)
Table 8Output description
Field Description
Current session(s) Total number of sessions
Current TCP session(s) Number of TCP sessions
Half-Open Number of TCP sessions in the half-open state
Half-Close Number of TCP sessions in the half-close state
Current UDP session(s) Number of UDP sessions
Current ICMP session(s) Number of ICMP sessions
Current RAWIP session(s) Number of Raw IP sessions
Current relation table(s) Total number of relationship table entries
Session establishment rate Session establishment rate
TCP Session establishment rate Establishment rate of TCP sessions
UDP Session establishment rate Establishment rate of UDP sessions
ICMP Session establishment rate Establishment rate of ICMP sessions
RAWIP Session establishment rate Establishment rate of Raw IP sessions
Received TCP Counts of received TCP packets and bytes
Received UDP Counts of received UDP packets and bytes
Received ICMP Counts of received ICMP packets and bytes
Received RAWIP Counts of received Raw IP packets and bytes
Dropped TCP Counts of dropped TCP packets and bytes
Dropped UDP Counts of dropped UDP packets and bytes
Dropped ICMP Counts of dropped ICMP packets and bytes
Dropped RAWIP Counts of dropped Raw IP packets and bytes
display session table
Syntax
display session table [ vd-name vd-name ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ verbose ]
View
Any view
Default level
2: System level
Parameters
vd-name vd-name: Displays the sessions of the specified virtual device. The vd-name argument specifies the name of a virtual device. It is a case-insensitive string of 1 to 20 characters, which can be numerals, letters and underlines.
source-ip source-ip: Displays the sessions with the specified source IP address.
destination-ip destination-ip: Displays sessions with the specified destination IP address.
verbose: Displays detailed information about sessions. Without this keyword, the command displays brief information about the specified sessions.
Description
Use the display session table command to display information about sessions.
If no argument is specified, the command displays all sessions.
If no virtual device is specified, the command displays the sessions on all virtual devices.
If both the source-ip and destination-ip keywords are specified, the command displays only the sessions with the specified source and destination IP addresses.
Examples
# Display brief information about all sessions.
display session table
Initiator:
Source IP/Port: 192.168.1.18/2048
Dest IP/Port: 192.168.1.55/768
Pro : ICMP(ICMP(1))
VPN-Instance/VLAN ID/VLL ID:
Initiator:
Source IP/Port: 192.168.1.18/1212
Dest IP/Port: 192.168.1.55/23
Pro : TCP(TCP(6))
VPN-Instance/VLAN ID/VLL ID:
Total find: 2
# Display detailed information about all sessions.
display session table verbose
Initiator:
Source IP/Port: 192.168.1.19/137
Dest IP/Port: 192.168.1.255/137
VPN-Instance/VLAN ID/VLL ID:
Responder:
Source IP/Port: 192.168.1.255/137
Dest IP/Port: 192.168.1.19/137
VPN-Instance/VLAN ID/VLL ID:
Pro: UDP(17) App: NBT-name State: UDP-OPEN
Start time: 2009-03-17 10:39:43 TTL: 2s
Root Zone(in): Management
Zone(out): Local
Received packet(s)(Init): 6 packet(s) 468 byte(s)
Received packet(s)(Reply): 0 packet(s) 0 byte(s)
Initiator:
Source IP/Port: 192.168.1.18/1212
Dest IP/Port: 192.168.1.55/23
VPN-Instance/VLAN ID/VLL ID:
Responder:
Source IP/Port: 192.168.1.55/23
Dest IP/Port: 192.168.1.18/1212
VPN-Instance/VLAN ID/VLL ID:
Pro: TCP(6) App: TELNET State: TCP-EST
Start time: 2009-03-17 09:30:33 TTL: 3600s
Root Zone(in): Management
Zone(out): Local
Received packet(s)(Init): 1173 packet(s) 47458 byte(s)
Received packet(s)(Reply): 1168 packet(s) 61845 byte(s)
Total find: 2
Table 9Output description
Field Description
Initiator: Session information of the initiator
Responder: Session information of the responder
Pro Transport layer protocol, TCP, UDP, ICMP, or Raw IP
VPN-Instance/VLAN ID/VLL ID VPN that the session belongs to and the VLAN and INLINE that the session belongs to during Layer 2 forwarding
App Application layer protocol: FTP, DNS, MSN or QQ. Unknown indicates the protocol type of a non-well-known port
State
Session status. Possible values are:
Accelerate
SYN
TCP-EST
FIN
UDP-OPEN
UDP-READY
ICMP-OPEN
ICMP-CLOSED
RAWIP-OPEN
RAWIP-READY
Start Time Session establishment time
TTL Remaining lifetime of the session, in seconds.
VD-name Name of virtual device
Zone(in) Security zone (in)
Zone(out) Security zone (out)
Received packet(s)(Init) Counts of packets and bytes from the initiator to the responder
Received packet(s)(Reply) Counts of packets and bytes from the responder to the initiator
Total find Total number of sessions currently found
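When the session table holds hundreds of thousands of entries, reading display session table verbose by eye is not practical, so a reviewer usually scripts over a captured copy. The following added example (not H3C code) parses that output into records and picks out two things worth a second look: sessions with a long remaining lifetime and sessions where the initiator sent traffic but nothing came back. The SAMPLE text is the verbose output shown above, re-typed; the field names in the records are this example's own.

```python
"""Added example, not H3C code: parse 'display session table verbose' output
(format as shown above) into records and select sessions worth reviewing."""
import re
from typing import Dict, List

# The verbose output shown above, re-typed as sample input.
SAMPLE = """\
Initiator:
Source IP/Port: 192.168.1.19/137
Dest IP/Port: 192.168.1.255/137
VPN-Instance/VLAN ID/VLL ID:
Responder:
Source IP/Port: 192.168.1.255/137
Dest IP/Port: 192.168.1.19/137
VPN-Instance/VLAN ID/VLL ID:
Pro: UDP(17) App: NBT-name State: UDP-OPEN
Start time: 2009-03-17 10:39:43 TTL: 2s
Root Zone(in): Management
Zone(out): Local
Received packet(s)(Init): 6 packet(s) 468 byte(s)
Received packet(s)(Reply): 0 packet(s) 0 byte(s)
Initiator:
Source IP/Port: 192.168.1.18/1212
Dest IP/Port: 192.168.1.55/23
VPN-Instance/VLAN ID/VLL ID:
Responder:
Source IP/Port: 192.168.1.55/23
Dest IP/Port: 192.168.1.18/1212
VPN-Instance/VLAN ID/VLL ID:
Pro: TCP(6) App: TELNET State: TCP-EST
Start time: 2009-03-17 09:30:33 TTL: 3600s
Root Zone(in): Management
Zone(out): Local
Received packet(s)(Init): 1173 packet(s) 47458 byte(s)
Received packet(s)(Reply): 1168 packet(s) 61845 byte(s)
Total find: 2
"""

_ENDPOINT = re.compile(r"(Source|Dest) IP/Port:\s*(\S+)/(\d+)")
_PROTO = re.compile(r"Pro:\s*(\S+)\s+App:\s*(\S+)\s+State:\s*(\S+)")
_START = re.compile(r"Start time:\s*(\S+\s+\S+)\s+TTL:\s*(\d+)s")
_ZONE = re.compile(r"(?:Root )?Zone\((in|out)\):\s*(\S+)")
_COUNT = re.compile(r"Received packet\(s\)\((Init|Reply)\):\s*(\d+) packet\(s\)\s*(\d+) byte\(s\)")


def parse_session_table(text: str) -> List[Dict]:
    """One dict per session; 'Initiator:' starts a record, 'Responder:' switches side."""
    sessions: List[Dict] = []
    cur: Dict = {}
    side = ""
    for line in text.splitlines():
        line = line.strip()
        if line == "Initiator:":
            cur = {"initiator": {}, "responder": {}}
            sessions.append(cur)
            side = "initiator"
        elif line == "Responder:":
            side = "responder"
        elif not cur:
            continue                                   # text before the first record
        elif m := _ENDPOINT.match(line):
            cur[side][m.group(1).lower()] = (m.group(2), int(m.group(3)))
        elif m := _PROTO.match(line):
            cur["pro"], cur["app"], cur["state"] = m.groups()
        elif m := _START.match(line):
            cur["start"], cur["ttl"] = m.group(1), int(m.group(2))
        elif m := _ZONE.match(line):
            cur["zone_" + m.group(1)] = m.group(2)
        elif m := _COUNT.match(line):
            cur["pkts_" + m.group(1).lower()] = (int(m.group(2)), int(m.group(3)))
    return sessions


def long_lived(sessions: List[Dict], min_ttl: int = 3600) -> List[Dict]:
    """Sessions whose remaining lifetime is at least min_ttl seconds."""
    return [s for s in sessions if s.get("ttl", 0) >= min_ttl]


def no_reply(sessions: List[Dict]) -> List[Dict]:
    """Sessions with packets from the initiator but none from the responder."""
    return [s for s in sessions
            if s.get("pkts_init", (0, 0))[0] > 0 and s.get("pkts_reply", (0, 0))[0] == 0]


def summarize(s: Dict) -> str:
    i = s["initiator"]
    return (f"{i['source'][0]}:{i['source'][1]} -> {i['dest'][0]}:{i['dest'][1]} "
            f"{s.get('app')} {s.get('state')} ttl={s.get('ttl')}s")
```

The parser keys on the literal field labels, so it stops being correct if a firmware release changes them; checking that len(parse_session_table(text)) equals the number in the trailing "Total find" line is a cheap sanity check to run before trusting the output.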
reset session
Syntax
reset session [ vd-name vd-name ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol-type { icmp | raw-ip | tcp | udp } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]
View
User view
Default level
2: System level
Parameters
vd-name vd-name: Clears the sessions on the specified virtual device. The vd-name argument specifies the name of a virtual device. It is a case-insensitive string of 1 to 20 characters, which can be only numerals, letters and underlines.
source-ip source-ip: Clears the sessions with the specified source IP address of the initiator.
destination-ip destination-ip: Clears the sessions with the specified destination IP address of the initiator.
protocol-type { icmp | raw-ip | tcp | udp }: Clears the sessions of the specified protocol type. The protocol types include ICMP, Raw IP, TCP, and UDP.
source-port source-port: Clears the sessions with the specified source port of the initiator.
destination-port destination-port: Clears the sessions with the specified destination port of the initiator.
vpn-instance vpn-instance-name: Clears the sessions of the specified VPN. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.
Description
Use the reset session command to clear sessions.
If no virtual device is specified, the command clears the sessions on all virtual devices.
If no VPN instance is specified, the command clears the sessions on the public network.
If no parameter is specified, the command clears all sessions.
Examples
# Clear all sessions.
reset session
# Clear all sessions with the source IP address of the initiator as 10.10.10.10.
reset session source-ip 10.10.10.10
reset session statistics
Syntax
reset session statistics [ vd-name vd-name ]
View
User view
Default level
2: System level
Parameters
vd-name vd-name: Clears the session statistics of the specified virtual device. The vd-name argument specifies the name of a virtual device. It is a case-insensitive string of 1 to 20 characters, which can be numerals, letters and underlines.
Description
Use the reset session statistics command to clear session statistics.
If no virtual device is specified, the command clears the session statistics on all virtual devices.
Examples
# Clear all session statistics.
reset session statistics
session aging-time
Syntax
session aging-time { accelerate | fin | icmp-closed | icmp-open | rawip-open | rawip-ready | syn | tcp-est | udp-open | udp-ready } time-value
undo session aging-time [ accelerate | fin | icmp-closed | icmp-open | rawip-open | rawip-ready | syn | tcp-est | udp-open | udp-ready ]
View
System view
Default level
2: System level
Parameters
accelerate: Specifies the aging time for the sessions in the accelerate queue.
fin: Specifies the aging time for the TCP sessions in the FIN_WAIT state.
icmp-closed: Specifies the aging time for the ICMP sessions in the CLOSED state.
icmp-open: Specifies the aging time for the ICMP sessions in the OPEN state.
rawip-open: Specifies the aging time for the sessions in the RAWIP_OPEN state.
rawip-ready: Specifies the aging time for the sessions in the RAWIP_READY state.
syn: Specifies the aging time for the TCP sessions in the SYN_SENT or SYN_RCV state.
tcp-est: Specifies the aging time for the TCP sessions in the ESTABLISHED state.
udp-open: Specifies the aging time for the UDP sessions in the OPEN state.
udp-ready: Specifies the aging time for the UDP sessions in the READY state.
time-value: Aging time, in seconds in the range of 5 to 10000.
Description
Use the session aging-time command to set the aging time for sessions of a specified protocol that are in a specified state.
Use the undo session aging-time command to restore the default. If no keyword is specified, the command restores the session aging times for all protocol states to the defaults.
The default value is 30 seconds.
Examples
# Set the aging time for TCP sessions in the SYN_SENT or SYN_RCV state to 60 seconds.
system-view
[Sysname] session aging-time syn 60
session checksum
Syntax
session checksum { all | { icmp | tcp | udp } * }
undo session checksum { all | { icmp | tcp | udp } * }
View
System view
Default level
2: System level
Parameters
all: Enables checksum verification for TCP, UDP, and ICMP packets.
icmp: Enables checksum verification for ICMP packets.
tcp: Enables checksum verification for TCP packets.
udp: Enables checksum verification for UDP packets.
Description
Use the session checksum command to enable checksum verification for protocol packets.
Use the undo session checksum command to disable checksum verification.
By default, checksum verification is disabled.
Examples
# Enable checksum verification for UDP packets.
system-view
[Sysname] session checksum udp
session persist acl
Syntax
session persist acl acl-number [ aging-time time-value ]
undo session persist
View
System view
Default level
2: System level
Parameters
acl-number: ACL number, in the range 2000 to 3999.
aging-time time-value: Specifies the aging time for persistent sessions, in hours. The value of the time-value argument is in the range of 0 to 360 and defaults to 24. A value of 0 means the persistent sessions are never aged.
Description
Use the session persist acl command to specify the persistent session rule. All sessions permitted by thespecified ACL are considered persistent sessions.
Use the undo session persist command to remove the configuration.
By default, no persistent session rule is specified.
Persistent sessions are not removed when no packet matches them within the aging time. You can manually remove such sessions when necessary.
A persistent session rule can reference only one ACL.
Related commands: reset session.
Examples
# Configure all sessions matching ACL 2000 as persistent sessions, setting the aging time of the sessions to 72 hours.
system-view
[Sysname] session persist acl 2000 aging-time 72
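The three aging commands above (session aging-time per protocol state, application aging-time per application protocol, and session persist acl) decide how long an idle entry occupies the session table, which is what bounds the damage a flood of half-open connections can do. The following added example (not H3C code) is a minimal session table that applies those semantics with the defaults and ranges stated on the page, then replays the page's own settings (syn 60, ftp 1800 style overrides, a persistent rule with aging-time 72). Assumptions not stated on the page: when both an application timer and a state timer apply, the application timer wins; the persistent rule's ACL is modelled as a list of source networks; idle time is measured from the last matching packet.

```python
"""Added example, not H3C code: a minimal session table aged by protocol
state, application protocol and a persistent-session rule, following the
session aging-time, application aging-time and session persist acl
semantics above. Assumptions: application timer wins over state timer; the
persistent rule's ACL is modelled as a list of source networks."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

STATE_DEFAULT = 30          # page: default session aging-time is 30 seconds
APP_DEFAULT = 60            # page: default application aging-time is 60 seconds
STATES = ("accelerate", "fin", "icmp-closed", "icmp-open", "rawip-open",
          "rawip-ready", "syn", "tcp-est", "udp-open", "udp-ready")
APPS = ("dns", "ftp", "msn", "qq", "sip")


@dataclass
class Session:
    src: str
    dst: str
    state: str                    # one of STATES
    app: Optional[str] = None     # identified application layer protocol, if any
    last_seen: float = 0.0        # time of the last packet matching the session


class SessionTable:
    def __init__(self) -> None:
        self.state_aging: Dict[str, int] = {s: STATE_DEFAULT for s in STATES}
        self.app_aging: Dict[str, int] = {a: APP_DEFAULT for a in APPS}
        self.persist: Optional[Tuple[List[ipaddress.IPv4Network], int]] = None
        self.sessions: Dict[Tuple[str, str], Session] = {}

    # configuration commands
    def session_aging_time(self, state: str, seconds: int) -> None:
        if state not in STATES or not 5 <= seconds <= 10000:      # page range 5..10000
            raise ValueError("bad state or aging time")
        self.state_aging[state] = seconds

    def application_aging_time(self, app: str, seconds: int) -> None:
        if app not in APPS or not 5 <= seconds <= 100000:         # page range 5..100000
            raise ValueError("bad application or aging time")
        self.app_aging[app] = seconds

    def session_persist_acl(self, networks: List[str], aging_hours: int = 24) -> None:
        if not 0 <= aging_hours <= 360:                           # page range 0..360, 0 = never
            raise ValueError("aging time in hours must be 0..360")
        self.persist = ([ipaddress.IPv4Network(n) for n in networks], aging_hours)

    # table maintenance
    def update(self, src: str, dst: str, state: str, now: float, app: Optional[str] = None) -> None:
        """Create or refresh a session when a matching packet is seen."""
        s = self.sessions.setdefault((src, dst), Session(src, dst, state))
        s.state, s.last_seen = state, now
        if app:
            s.app = app

    def timeout_for(self, s: Session) -> Optional[float]:
        """Idle seconds after which the session is removed; None means never."""
        if self.persist and any(ipaddress.IPv4Address(s.src) in n for n in self.persist[0]):
            hours = self.persist[1]
            return None if hours == 0 else hours * 3600.0
        if s.app in self.app_aging:              # assumption: application timer wins
            return float(self.app_aging[s.app])
        return float(self.state_aging[s.state])

    def age(self, now: float) -> List[Tuple[str, str]]:
        """Remove sessions idle longer than their aging time; return the removed keys."""
        expired = [k for k, s in self.sessions.items()
                   if (t := self.timeout_for(s)) is not None and now - s.last_seen > t]
        for k in expired:
            del self.sessions[k]
        return expired


def demo() -> Dict[str, object]:
    """Replay the aging behaviour on constructed sessions and the page's settings."""
    tbl = SessionTable()
    tbl.update("192.168.1.18", "192.168.1.55", "syn", now=0)          # half-open TCP
    tbl.update("192.168.1.19", "192.168.1.255", "udp-open", now=0)
    tbl.update("192.168.1.20", "10.1.1.1", "tcp-est", now=0, app="ftp")
    tbl.update("10.2.3.4", "10.1.1.1", "tcp-est", now=0)
    tbl.session_persist_acl(["10.0.0.0/8"], aging_hours=72)           # page example
    first = tbl.age(now=45)            # defaults: 30 s per state, 60 s per application
    tbl.update("192.168.1.18", "192.168.1.55", "syn", now=100)
    tbl.session_aging_time("syn", 60)                                  # page example
    second = tbl.age(now=150)          # SYN idle 50 s < 60 s: kept; FTP idle 150 s: gone
    third = tbl.age(now=72 * 3600 + 1) # persistent session finally ages out
    return {"first": first, "second": second, "third": third, "left": len(tbl.sessions)}
```

The "first" pass is the interesting one for capacity planning: with the defaults, a half-open (SYN-state) entry is freed after 30 seconds of silence, so the number of such entries the table can accumulate is bounded by the arrival rate times that timer; the figures in display session statistics (Half-Open, session establishment rate) are what you compare against it.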
Connection limit configuration commands
connection-limit apply policy
Syntax
connection-limit apply policy policy-number
undo connection-limit apply policy policy-number
View
System view
Default level
2: System level
Parameters
policy-number: Number for an existing connection limit policy, which can only be 0.
Description
Use the connection-limit apply policy command to apply a connection limit policy.
Use the undo connection-limit apply policy command to remove the application.
If a connection limit policy is applied, you cannot add, remove, or modify the connection limit rules in the connection limit policy view.
A connection limit policy to be applied must contain at least one limit rule.
Related commands: connection-limit policy.
Examples
# Apply connection limit policy 0.
system-view
[Sysname] connection-limit apply policy 0
connection-limit policy
Syntax
connection-limit policy policy-number
undo connection-limit policy { policy-number | all }
View
System view
Default level
2: System level
Parameters
policy-number: Connection limit policy number, which can only be 0.
all: Specifies all connection limit policies.
Description
Use the connection-limit policy command to create a connection limit policy and enter connection limit policy view.
Use the undo connection-limit policy command to delete a specific or all connection limit policies.
A connection limit policy contains a set of rules that limit the number of connections of a specific user. By default, a connection limit policy uses the default connection limit settings.
When creating a connection limit policy, you must assign it a unique number. Policies are matched by number in descending order.
After applying a connection limit policy in system view, you cannot modify, add, or remove connection limit rules in the policy.
Examples
# Create a connection limit policy numbered 0 and enter its view.
system-view
[Sysname] connection-limit policy 0
[Sysname-connection-limit-policy-0]
display connection-limit policy
Syntax
display connection-limit policy { policy-number | all }
View
Any view
Default level
1: Monitor level
Parameters
policy-number: Connection limit policy number, which can only be 0.
all: Displays all connection limit policies.
Description
Use the display connection-limit policy command to display information about a specific or all connection limit policies.
Related commands: limit.
Examples
# Display information about all connection limit policies.
display connection-limit policy all
There is 1 policy:
Connection-limit policy 0, refcount 0, 3 limits
 limit 1 acl 2000 per-source amount 1111 10
 limit 2 acl 2001 per-destination amount 300 20
 limit 3 acl 2002 per-service amount 400 50
# Display information about all connection limit policies.
display connection-limit policy all
There are 1 policies:
Connection-limit policy 0, refcount 1, 2 limits
 limit 0 source any amount dns 100 http 200 tcp 300 other 400 rate 100 shared
 limit 1 source 1.1.1.0 24 amount tcp 100 bandwidth 200 shared
# Display information about all connection limit policies.
display connection-limit policy all
There are 1 policies:
Connection-limit policy 0, refcount 0, 1 limit
 limit 0 source ip 3.3.3.0 24 source-vpn vpn1 destination ip any protocol tcp max-connections 200 per-source
Table 10Output description
Field Description
Connection-limit policy Number of the connection limit policy
refcount 1, 2 limits Number of times that the policy is applied and number of rules in the policy.
limit xxx Rule in the policy. Refer to the limit command for details.
limit
Syntax
limit limit-id { source ip { ip-address mask-length | any } [ source-vpn src-vpn-name ] | destination ip { ip-address mask-length | any } [ destination-vpn dst-vpn-name ] } * protocol { dns | http | ip | tcp | udp } max-connections max-num [ per-destination | per-source | per-source-destination ]
undo limit limit-id
View
Connection limit policy view
Default level
2: System level
Parameters
limit-id: ID of a rule in the connection limit policy, which can only be 0.
source ip: Specifies the source IP address of the connections to be limited.
ip-address mask-length: IP address and its mask length. The mask-length argument is in the range of 1 to 32.
any: Specifies all IP addresses on the specified network or the public network. For example, source ip any specifies all hosts on the source network.
source-vpn src-vpn-name: Specifies a source MPLS VPN by its instance name, a case-sensitive string of 1 to 31 characters. Absence of the option indicates the public network.
destination ip: Specifies the destination IP address of the connections to be limited.
destination-vpn dst-vpn-name: Specifies a destination MPLS VPN by its instance name, a case-sensitive string of 1 to 31 characters. Absence of the option indicates the public network.
protocol: Specifies connections of a protocol.
dns: Specifies connections of the DNS protocol.
http: Specifies connections of the HTTP protocol.
ip: Specifies connections of the IP protocol.
tcp: Specifies connections of the TCP protocol.
udp: Specifies connections of the UDP protocol.
max-connections max-num: Maximum number of connections, in the range of 0 to 1000000.
per-destination: Limits connections by destination address.
per-source: Limits connections by source address.
per-source-destination: Limits connections by source-destination address pair.
Description
Use the limit command to configure an IP address-based connection limit policy rule.
Use the undo limit command to remove a connection limit policy rule.
Any two rules of one policy must have different rule criteria.
The connection limit rules become invalid if the VPN instance with which the rules are associated is removed.
The connection limit rules in a policy are matched in ascending order of rule ID. If the source addresses, destination addresses, or protocols of two rules overlap, the first matched rule takes effect. Therefore, take the match order into consideration when assigning rule IDs. H3C recommends arranging the rules by limit granularity and limit range in ascending order, so that a narrower rule is never shadowed by a broader rule with a lower ID.
Related commands: connection-limit policy, display connection-limit policy.
Examples
# Configure connection limit rule 1 for policy 1 to limit TCP connections sourced from 1.1.1.1 with the upper connection limit of 200.
system-view
[Sysname] connection-limit policy 0
[Sysname-connection-limit-policy-0] limit 1 source ip 1.1.1.1 32 protocol tcp max-connections 200
# Configure connection limit rule 2 to limit UDP connections destined to 2.2.2.2 with the upper connection limit of 200.
[Sysname-connection-limit-policy-0] limit 2 destination ip 2.2.2.2 32 protocol udp max-connections 200
# Configure connection limit rule 3 to limit IP connections sourced from the segment 1.1.1.0/24 with the upper connection limit of 200.
[Sysname-connection-limit-policy-0] limit 3 source ip 1.1.1.0 24 protocol ip max-connections 200 per-source
# Configure connection limit rule 4 to limit IP connections destined to the segment 2.2.2.0/24 with the upper connection limit of 200.
[Sysname-connection-limit-policy-0] limit 4 destination ip 2.2.2.0 24 protocol ip max-connections 200 per-destination
# Configure connection limit rule 5 to limit IP connections from vpn1 to vpn2 with the upper connection limit of 200.
[Sysname-connection-limit-policy-0] limit 5 source ip any source-vpn vpn1 destination ip any destination-vpn vpn2 protocol ip max-connections 200
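The description of the limit command states that rules are matched in ascending order of rule ID and that the first match takes effect, which is why H3C recommends assigning lower IDs to finer-grained rules. The following Python model is an added example written for this reference; it is not H3C code and does not talk to a device. The names LimitRule, ConnectionLimitPolicy, shadowed_rules and the "aggregate" granularity label (this example's name for a rule without a per-* keyword) are this example's own assumptions, as is the simplification that protocol ip matches every connection while dns, http, tcp and udp match only connections carrying that protocol label. It shows how a broad /24 rule with a lower ID silently shadows a tighter /32 TCP rule, and how a policy can be checked for such shadowing before it is applied.

```python
"""Model of first-match evaluation for IP-address-based connection limit rules (added example)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class LimitRule:
    """One 'limit' rule. Field names are this example's own, not device syntax."""
    limit_id: int
    protocol: str                   # dns | http | ip | tcp | udp; "ip" matches any protocol (assumption)
    max_connections: int            # 0 to 1000000 on the device
    source: str = "0.0.0.0/0"       # CIDR; 0.0.0.0/0 stands for the device's "any"
    destination: str = "0.0.0.0/0"
    granularity: str = "aggregate"  # per-source | per-destination | per-source-destination | aggregate
                                    # "aggregate" = no per-* keyword, one counter for the whole rule (assumption)

    def src_net(self):
        return ipaddress.ip_network(self.source)

    def dst_net(self):
        return ipaddress.ip_network(self.destination)

    def matches(self, src, dst, proto):
        if self.protocol != "ip" and self.protocol != proto:
            return False
        return (ipaddress.ip_address(src) in self.src_net()
                and ipaddress.ip_address(dst) in self.dst_net())

    def counter_key(self, src, dst):
        """Which connections share one counter under this rule."""
        return {"per-source": (src,),
                "per-destination": (dst,),
                "per-source-destination": (src, dst)}.get(self.granularity, ())


class ConnectionLimitPolicy:
    """Rules are tried in ascending limit-id; the first matching rule decides."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.limit_id)
        self.counts = defaultdict(int)  # (limit_id, counter_key) -> open connections

    def admit(self, src, dst, proto):
        """Return (allowed, matched limit_id). Connections matching no rule are not limited."""
        for rule in self.rules:
            if rule.matches(src, dst, proto):
                key = (rule.limit_id, rule.counter_key(src, dst))
                if self.counts[key] >= rule.max_connections:
                    return False, rule.limit_id
                self.counts[key] += 1
                return True, rule.limit_id
        return True, None


def shadowed_rules(rules):
    """Pairs (later_id, earlier_id) where an earlier rule already covers everything the later
    rule could match, so the later rule never takes effect under first-match evaluation."""
    ordered = sorted(rules, key=lambda r: r.limit_id)
    found = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            proto_covered = earlier.protocol == "ip" or earlier.protocol == later.protocol
            if (proto_covered
                    and later.src_net().subnet_of(earlier.src_net())
                    and later.dst_net().subnet_of(earlier.dst_net())):
                found.append((later.limit_id, earlier.limit_id))
                break
    return found


# Constructed policies. A coarse /24 "ip" rule with the lower ID shadows the finer /32 "tcp" rule.
COARSE_FIRST = [
    LimitRule(1, "ip", 200, source="1.1.1.0/24", granularity="per-source"),
    LimitRule(3, "tcp", 2, source="1.1.1.1/32", granularity="per-source"),
]
# The same two rules with the finer, smaller-range rule given the lower ID, as the reference recommends.
FINE_FIRST = [
    LimitRule(1, "tcp", 2, source="1.1.1.1/32", granularity="per-source"),
    LimitRule(3, "ip", 200, source="1.1.1.0/24", granularity="per-source"),
]

if __name__ == "__main__":
    print("shadowed in COARSE_FIRST:", shadowed_rules(COARSE_FIRST))
    policy = ConnectionLimitPolicy(FINE_FIRST)
    for _ in range(3):
        print("tcp from 1.1.1.1:", policy.admit("1.1.1.1", "10.0.0.5", "tcp"))
```

Running shadowed_rules over a candidate policy before applying it catches the ordering mistake that the first-match semantics would otherwise hide: in COARSE_FIRST the 2-connection TCP cap on 1.1.1.1 is never enforced, because every packet from that host has already matched rule 1.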
  Source:
    IP        : 0.0.0.0
    Mask      : 0.0.0.0
    MAC       : 0000-0000-0000
    Interface : any
    VLAN      : 2
    Protocol  : 6
  Destination:
    IP        : 0.0.0.0
    Mask      : 0.0.0.0
Rule 2
  Inbound interface : GigabitEthernet0/0
  Type              : dynamic
  Action            : permit
  Source:
    IP        : 2.2.2.2
    Mask      : 255.255.255.255
    MAC       : 000d-88f8-0eab
    Interface : GigabitEthernet0/0
    VLAN      : 0
    Protocol  : 0
  Destination:
    IP        : 0.0.0.0
    Mask      : 0.0.0.0
  Author ACL:
    Number    : 3001
Table 11 Output description
Field Description
Rule Sequence number of the generated ACL, which is numbered from 0 in ascending order
Inbound interface Interface to which portal ACLs are bound
Type Type of the portal ACL
Action Match action in the portal ACL
Source Source information in the portal ACL
IP Source IP address in the portal ACL
Mask Subnet mask of the source IP address in the portal ACL
MAC Source MAC address in the portal ACL
Interface Source interface in the portal ACL
VLAN Source VLAN in the portal ACL
Protocol Protocol type in the portal ACL
Destination Destination information in the portal ACL
IP Destination IP address in the portal ACL
Mask Subnet mask of the destination IP address in the portal ACL
Author ACL Authorization ACL of the portal ACL. It is displayed only when the Type field has a value of dynamic.
Number Authorization ACL number assigned by the server. None indicates that the server did not assign any ACL.
display portal connection statistics
Syntax
display portal connection statistics { all | interface interface-type interface-number }
View
Any view
Default level
1: Monitor level
Parameters
all: Specifies all interfaces.
interface interface-type interface-number: Specifies an interface by its type and number.
Description
Use the display portal connection statistics command to display portal connection statistics on a specific interface or all interfaces.
Examples
# Display portal connection statistics on interface GigabitEthernet 0/0.
display portal connection statistics interface GigabitEthernet 0/0
---------------Interface: GigabitEthernet0/0-----------------------
User state statistics:
State-Name              User-Num
VOID                    0
DISCOVERED              0
WAIT_AUTHEN_ACK         0
WAIT_AUTHOR_ACK         0
WAIT_LOGIN_ACK          0
WAIT_ACL_ACK            0
WAIT_NEW_IP             0
WAIT_USERIPCHANGE_ACK   0
ONLINE                  1
WAIT_LOGOUT_ACK         0
WAIT_LEAVING_ACK        0
Message statistics:
Msg-Name                Total   Err     Discard
MSG_AUTHEN_ACK          3       0       0
MSG_AUTHOR_ACK          3       0       0
MSG_LOGIN_ACK           3       0       0
MSG_LOGOUT_ACK          2       0       0
MSG_LEAVING_ACK         0       0       0
MSG_CUT_REQ             0       0       0
MSG_AUTH_REQ            3       0       0
MSG_LOGIN_REQ           3       0       0
MSG_LOGOUT_REQ          2       0       0
MSG_LEAVING_REQ         0       0       0
MSG_ARPPKT              0       0       0
MSG_TMR_REQAUTH         1       0       0
MSG_TMR_AUTHEN          0       0       0
MSG_TMR_AUTHOR          0       0       0
MSG_TMR_LOGIN           0       0       0
MSG_TMR_LOGOUT          0       0       0
MSG_TMR_LEAVING         0       0       0
MSG_TMR_NEWIP           0       0       0
MSG_TMR_USERIPCHANGE    0       0       0
MSG_PORT_REMOVE         0       0       0
MSG_VLAN_REMOVE         0       0       0
MSG_IF_REMOVE           6       0       0
MSG_L3IF_SHUT           0       0       0
MSG_IP_REMOVE           0       0       0
MSG_ALL_REMOVE          1       0       0
MSG_IFIPADDR_CHANGE     0       0       0
MSG_SOCKET_CHANGE       8       0       0
MSG_NOTIFY              0       0       0
MSG_SETPOLICY           0       0       0
MSG_SETPOLICY_RESULT    0       0       0
Table 12 Output description
Field Description
User state statistics Statistics on portal users
State-Name Name of a user state
User-Num Number of users
VOID Number of users in void state
DISCOVERED Number of users in discovered state
WAIT_AUTHEN_ACK Number of users in wait_authen_ack state
WAIT_AUTHOR_ACK Number of users in wait_author_ack state
WAIT_LOGIN_ACK Number of users in wait_login_ack state
WAIT_ACL_ACK Number of users in wait_acl_ack state
WAIT_NEW_IP Number of users in wait_new_ip state
WAIT_USERIPCHANGE_ACK Number of users in wait_useripchange_ack state
ONLINE Number of users in online state
WAIT_LOGOUT_ACK Number of users in wait_logout_ack state
WAIT_LEAVING_ACK Number of users in wait_leaving_ack state
Message statistics Statistics on messages
Msg-Name Message type
Total Total number of messages
Err Number of erroneous messages
Discard Number of discarded messages
MSG_AUTHEN_ACK Authentication acknowledgment message
MSG_AUTHOR_ACK Authorization acknowledgment message
MSG_LOGIN_ACK Accounting acknowledgment message
MSG_LOGOUT_ACK Accounting-stop acknowledgment message
MSG_LEAVING_ACK Leaving acknowledgment message
MSG_CUT_REQ Cut request message
MSG_AUTH_REQ Authentication request message
MSG_LOGIN_REQ Accounting request message
MSG_LOGOUT_REQ Accounting-stop request message
MSG_LEAVING_REQ Leaving request message
MSG_ARPPKT ARP message
MSG_TMR_REQAUTH Authentication request timeout message
MSG_TMR_AUTHEN Authentication timeout message
MSG_TMR_AUTHOR Authorization timeout message
MSG_TMR_LOGIN Accounting-start timeout message
MSG_TMR_LOGOUT Accounting-stop timeout message
MSG_TMR_LEAVING Leaving timeout message
MSG_TMR_NEWIP Public IP update timeout message
MSG_TMR_USERIPCHANGE User IP change timeout message
MSG_PORT_REMOVE Users-of-a-Layer-2-port-removed message
MSG_VLAN_REMOVE VLAN user removed message
MSG_IF_REMOVE Users-of-a-Layer-3-interface-removed message
MSG_L3IF_SHUT Layer 3 interface shutdown message
MSG_IP_REMOVE User-with-an-IP-removed message
MSG_ALL_REMOVE All-users-removed message
MSG_IFIPADDR_CHANGE Interface IP address change message
MSG_SOCKET_CHANGE Socket change message
MSG_NOTIFY Notification message
MSG_SETPOLICY Set policy message for assigning security ACL
MSG_SETPOLICY_RESULT Set policy response message
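Table 12 documents the meaning of each counter in the display portal connection statistics output, but on a busy gateway the Err and Discard columns and users stuck in WAIT_* states are what an operator actually watches. The following Python parser is an added example written for this reference, not H3C code or output taken from a live device: it turns the text of the command output into a dictionary and flags the two conditions just named. The sample input is constructed from the example output shown above (the message table is abridged), and the function names parse_portal_connection_statistics and anomalies are this example's own.

```python
"""Parser and health check for 'display portal connection statistics' output (added example)."""
import re

# Constructed sample, abridged from the command output shown in the reference above.
SAMPLE = """\
---------------Interface: GigabitEthernet0/0-----------------------
User state statistics:
State-Name User-Num
VOID 0
DISCOVERED 0
WAIT_AUTHEN_ACK 0
WAIT_AUTHOR_ACK 0
WAIT_LOGIN_ACK 0
WAIT_ACL_ACK 0
WAIT_NEW_IP 0
WAIT_USERIPCHANGE_ACK 0
ONLINE 1
WAIT_LOGOUT_ACK 0
WAIT_LEAVING_ACK 0
Message statistics:
Msg-Name Total Err Discard
MSG_AUTHEN_ACK 3 0 0
MSG_AUTHOR_ACK 3 0 0
MSG_LOGIN_ACK 3 0 0
MSG_LOGOUT_ACK 2 0 0
MSG_CUT_REQ 0 0 0
MSG_AUTH_REQ 3 0 0
MSG_LOGIN_REQ 3 0 0
MSG_LOGOUT_REQ 2 0 0
MSG_TMR_REQAUTH 1 0 0
MSG_IF_REMOVE 6 0 0
MSG_ALL_REMOVE 1 0 0
MSG_SOCKET_CHANGE 8 0 0
"""

# Banner line: dashes, "Interface:", the interface name, dashes.
INTERFACE_RE = re.compile(r"^-+\s*Interface:\s*(\S+?)\s*-+$")


def parse_portal_connection_statistics(text):
    """Return {'interface': str, 'states': {name: users}, 'messages': {name: (total, err, discard)}}."""
    result = {"interface": None, "states": {}, "messages": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = INTERFACE_RE.match(line)
        if m:
            result["interface"] = m.group(1)
            continue
        if line.startswith("User state statistics"):
            section = "states"
            continue
        if line.startswith("Message statistics"):
            section = "messages"
            continue
        if line.startswith(("State-Name", "Msg-Name")):
            continue  # column header rows carry no data
        parts = line.split()
        if section == "states" and len(parts) == 2:
            result["states"][parts[0]] = int(parts[1])
        elif section == "messages" and len(parts) == 4:
            result["messages"][parts[0]] = tuple(int(v) for v in parts[1:])
    return result


def anomalies(stats):
    """Message types with non-zero Err/Discard counters, and users sitting in transient WAIT_* states."""
    bad_messages = {name: c for name, c in stats["messages"].items() if c[1] or c[2]}
    waiting_users = {name: n for name, n in stats["states"].items()
                     if name.startswith("WAIT_") and n}
    return bad_messages, waiting_users


if __name__ == "__main__":
    stats = parse_portal_connection_statistics(SAMPLE)
    print(stats["interface"], "online users:", stats["states"]["ONLINE"])
    print("anomalies:", anomalies(stats))
```

Feed the parser the text captured from the command (for example over an SSH session that your monitoring already runs) and alert on a non-empty result from anomalies; a growing Err or Discard count on the acknowledgment messages, or users accumulating in WAIT_AUTHEN_ACK, points at portal server reachability or key problems before users start reporting failed logins.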
display portal free-rule
Syntax
display portal free-rule [ rule-number ]
View
Any view
Default level
1: Monitor level
Parameters
rule-number: Number of a portal-free rule, in the range of 0 to 15.
Description
Use the display portal free-rule command to display information about a specific portal-free rule or all portal-free rules.
Related commands: portal free-rule.
Examples
# Display information about portal-free rule 1.
display portal free-rule 1
Rule-Number 1:
  Source:
    IP        : 2.2.2.0
    Mask      : 255.255.255.0
    MAC       : 0000-0000-0000
    Interface : any
    Vlan      : 0
  Destination:
    IP        : 0.0.0.0
    Mask      : 0.0.0.0
Table 13 Output description
Field Description
Rule-Number Number of the portal-free rule
Source Source information in the portal-free rule
IP Source IP address in the portal-free rule
Mask Subnet mask of the source IP address in the portal-free rule
MAC Source MAC address in the portal-free rule
Interface Source interface in the portal-free rule
Vlan Source VLAN in the portal-free rule
Destination Destination information in the portal-free rule
IP Destination IP address in the portal-free rule
Mask Subnet mask of the destination IP address in the portal-free rule
display portal interface
Syntax
display portal interface interface-type interface-number
View
Any view
Default level
1: Monitor level
Parameters
interface-type interface-number: Specifies an interface by its type and number.
Description
Use the display portal interface command to display the portal configuration of an interface.
Examples
# Display the portal configuration of interface GigabitEthernet 0/0.
display portal interface gigabitethernet 0/0
Interface portal configuration:
  GigabitEthernet0/0: Portal running
    Portal server         : servername
    Authentication type   : Direct
    Portal backup-group   : 1
    Authentication domain : my-domain
    Authentication network:
      address : 0.0.0.0    mask : 0.0.0.0
Table 14 Output description
Field Description
Interface portal configuration Portal configuration on the interface
GigabitEthernet0/0 Status of the portal feature on the interface, disabled, enabled, or running.
Portal server Portal server referenced by the interface
Authentication type Authentication mode enabled on the interface
Portal backup-group Number of the portal group to which the interface belongs. If the interface does not belong to any portal group, None will be displayed.
Authentication domain Mandatory authentication domain of the interface
Authentication network Information of the portal authentication subnet
address IP address of the portal authentication subnet
mask Subnet mask of the IP address of the portal authentication subnet
display portal server
Syntax
display portal server [ server-name ]
View
Any view
Default level
1: Monitor level
Parameters
server-name: Name of a portal server, a case-sensitive string of 1 to 32 characters.
Description
Use the display portal server command to display information about a specific portal server or all portal servers.
Related commands: portal server.
Examples
# Display information about portal server aaa.
display portal server aaa
Portal server:
  1) aaa:
    IP   : 192.168.0.111
    Key  : portal
    Port : 50100
    URL  : http://192.168.0.111
Table 15 Output description
Field Description
1) Number of the portal server
aaa Name of the portal server
IP IP address of the portal server
Key Key for portal authentication. Not configured will be displayed if no key is configured.
Port Listening port on the portal server
URL Address the packets are to be redirected to. Not configured will be displayed if no address is configured.
display portal server statistics
Syntax
display portal server statistics { all | interface interface-type interface-number }
View
Any view
Default level
1: Monitor level
Parameters
all: Specifies all interfaces.
interface interface-type interface-number: Specifies an interface by its type and number.
Description
Use the display portal server statistics command to display portal server statistics on a specific interface or all interfaces.
Note that with the all keyword specified, the command displays portal server statistics by interface; statistics about a portal server referenced by more than one interface are therefore displayed once per referencing interface.
Examples
# Display portal server statistics on GigabitEthernet 0/0.
display portal server statistics interface gigabitethernet 0/0
---------------Interface: GigabitEthernet0/0----------------------
Server name: st
Invalid packets: 0
Pkt-Name                Total   Discard Checkerr
REQ_CHALLENGE           3       0       0
ACK_CHALLENGE           3       0       0
REQ_AUTH                3       0       0
ACK_AUTH                3       0       0
REQ_LOGOUT              1       0       0
ACK_LOGOUT              1       0       0
AFF_ACK_AUTH            3       0       0
NTF_LOGOUT              1       0       0
REQ_INFO                6       0       0
ACK_INFO                6       0       0
NTF_USERDISCOVER        0       0       0
NTF_USERIPCHANGE        0       0       0
AFF_NTF_USERIPCHANGE    0       0       0
ACK_NTF_LOGOUT          1       0       0
Table 16 Output description
Field Description
Interface Interface referencing the portal server
Server name Name of the portal server
Invalid packets Number of invalid packets
Pkt-Name Packet type
Total Total number of packets
Discard Number of discarded packets
Checkerr Number of erroneous packets
REQ_CHALLENGE Challenge request message the portal server sends to the access device
ACK_CHALLENGE Challenge acknowledgment message the access device sends to the portal server
REQ_AUTH Authentication request message the portal server sends to the access device
ACK_AUTH Authentication acknowledgment message the access device sends to the portal server
REQ_LOGOUT Logout request message the portal server sends to the access device
ACK_LOGOUT Logout acknowledgment message the access device sends to the portal server
AFF_ACK_AUTH Affirmation message the portal server sends to the access device after receiving an authentication acknowledgment message
NTF_LOGOUT Forced logout notification message the access device sends to the portal server
REQ_INFO Information request message
ACK_INFO Information acknowledgment message
NTF_USERDISCOVER User discovery notification message the portal server sends to the access device
NTF_USERIPCHANGE User IP change notification message the access device sends to the portal server
AFF_NTF_USERIPCHANGE User IP change success notification message the portal