03-access control command reference-book

Upload: dazzy099

Post on 02-Jun-2018


8/11/2019 03-Access Control Command Reference-book 1/147

H3C SecPath U Series Security Products

Access Control Command Reference

Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com

Software version: SECPATH200US&200UCS&200UCM-CMW520-R5116, SECPATH200UA&200UM&200UCA-CMW520-R5116

Document version: 6PW103-20111221

Copyright 2009-2011, Hangzhou H3C Technologies Co., Ltd. and its licensors

All rights reserved

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.

Trademarks

H3C, Aolynk, H3Care, TOP G, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd.

All other trademarks that may be mentioned in this manual are the property of their respective owners.

Notice

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Preface

The H3C SecPath U Series Security Products command references describe the commands and command syntax options available for the H3C SecPath U Series Security Products.

The Access Control Command Reference describes the ACL, session management, connection limit, portal, and AAA configuration commands.

This preface includes:

Audience
Conventions
About the H3C SecPath U Series Security Products documentation set
Obtaining documentation
Technical support
Documentation feedback

Audience

This documentation is intended for:

Network planners
Field technical support and servicing engineers
Network administrators working with the SecPath U series

Conventions

This section describes the conventions used in this documentation set.

Command conventions

Convention: Description

Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ]: Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
{ x | y | ... } *: Asterisk-marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.
[ x | y | ... ] *: Asterisk-marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.
&<1-n>: The argument or keyword-and-argument combination before the ampersand (&) sign can be entered 1 to n times.
#: A line that starts with a pound (#) sign is a comment.

GUI conventions

Convention: Description

Boldface: Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK.
>: Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Symbols

Convention: Description

WARNING: An alert that calls attention to important information that, if not understood or followed, can result in personal injury.
CAUTION: An alert that calls attention to important information that, if not understood or followed, can result in data loss, data corruption, or damage to hardware or software.
IMPORTANT: An alert that calls attention to essential information.
NOTE: An alert that contains additional or supplementary information.
TIP: An alert that provides helpful information.

Port numbering in examples

The port numbers in this document are for illustration only and might be unavailable on your device.

About the H3C SecPath U Series Security Products documentation set

The H3C SecPath U Series Security Products documentation set includes:

Category: Product description and specifications
Documents: Marketing brochures (U200-A, U200-M, U200-S, U200-CM, U200-CS)
Purposes: Describe product specifications and benefits.

Category: Hardware specifications and installation
Documents: Compliance and safety manual (U200-A/M/S, U200-CM/CS)
Purposes: Provides regulatory information and the safety instructions that must be followed during installation.
Documents: Installation guide (U200-A/M/S, U200-CM/CS)
Purposes: Provides a complete guide to hardware installation and hardware specifications.

Category: Software configuration
Documents: Configuration guides (U200-A/M/S, U200-CM/CS)
Purposes: Describe software features and configuration procedures.
Documents: Command references (U200-A/M/S, U200-CM/CS)
Purposes: Provide a quick reference to all available commands.
Documents: Configuration examples (U200-A/M/S, U200-CM/CS)
Purposes: Describe typical network scenarios and provide configuration examples and instructions.

Category: Operations and maintenance
Documents: Release notes (U200-A, U200-M, U200-S, U200-CA, U200-CM, U200-CS)
Purposes: Provide information about the product release, including the version history, hardware and software compatibility matrix, version upgrade information, technical support information, and software upgrading.

Obtaining documentation

You can access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com.

Click the links on the top navigation bar to obtain different categories of product documentation:

[Technical Support & Documents > Technical Documents] Provides hardware installation, software upgrading, and software feature configuration and maintenance documentation.
[Products & Solutions] Provides information about products and technologies, as well as solutions.
[Technical Support & Documents > Software Download] Provides the documentation released with the software version.

Technical support

[email protected]
http://www.h3c.com

Documentation feedback

You can e-mail your comments about product documentation to [email protected].

We appreciate your comments.
Contents

ACL configuration commands 1
acl 1
acl copy 2
acl name 3
description 3
display acl 4
display time-range 5
reset acl counter 6
rule (Ethernet frame header ACL view) 6
rule (IPv4 advanced ACL view) 8
rule (IPv4 basic ACL view) 12
rule comment 13
step 14
time-range 15

Session management commands 17
application aging-time 17
display session relation-table 17
display session statistics 19
display session table 20
reset session 23
reset session statistics 23
session aging-time 24
session checksum 25
session persist acl 25

Connection limit configuration commands 27
connection-limit apply policy 27
connection-limit policy 27
display connection-limit policy 28
limit 29

Portal configuration commands 31
display portal acl 31
display portal connection statistics 33
display portal free-rule 36
display portal interface 37
display portal server 38
display portal server statistics 39
display portal tcp-cheat statistics 40
display portal user 42
portal auth-network 43
portal delete-user 44
portal domain 44
portal free-rule 45
portal max-user 46
portal nas-id 47
portal nas-id-profile 47
portal nas-ip 48
portal server 48
portal server method 49
reset portal connection statistics 50
reset portal server statistics 51
reset portal tcp-cheat statistics 51
web-redirect 51

AAA configuration commands 53
AAA configuration commands 53
aaa nas-id profile 53
access-limit enable 53
accounting command 54
accounting default 55
accounting lan-access 55
accounting login 56
accounting optional 57
accounting portal 58
accounting ppp 59
authentication default 59
authentication lan-access 60
authentication login 61
authentication portal 62
authentication ppp 63
authorization command 63
authorization default 64
authorization lan-access 65
authorization login 66
authorization portal 67
authorization ppp 68
authorization-attribute user-profile 69
cut connection 69
display connection 71
display domain 73
domain 75
domain default enable 76
idle-cut enable 76
ip pool 77
nas-id bind vlan 78
self-service-url enable 78
state (ISP domain view) 79
Local user configuration commands 80
access-limit 80
authorization-attribute (local user view/user group view) 80
bind-attribute 82
display local-user 83
display user-group 85
expiration-date (local user view) 85
group 86
local-user 87
local-user password-display-mode 87
password 88
service-type 89
state (local user view) 90
user-group 90
RADIUS configuration commands 91
accounting-on enable 91

    ACL configuration commands

acl

Syntax

acl number acl-number [ name acl-name ] [ match-order { auto | config } ]

undo acl { all | name acl-name | number acl-number }

View

System view

Default level

2: System level

Parameters

number acl-number: Specifies the number of an IPv4 access control list (ACL):

2000 to 2999 for IPv4 basic ACLs
3000 to 3999 for IPv4 advanced ACLs
4000 to 4999 for Ethernet frame header ACLs

name acl-name: Assigns a name to the ACL for easy identification. The acl-name argument takes a case-insensitive string of 1 to 32 characters. It must start with an English letter and, to avoid confusion with the all keyword, it cannot be all.

match-order: Sets the order in which ACL rules are compared against packets:

auto: Compares ACL rules in depth-first order. The depth-first order differs with ACL categories. For more information, see ACL and QoS Configuration Guide.
config: Compares ACL rules in ascending order of rule ID. The rule with a smaller ID has higher priority. If no match order is specified, the config order applies by default.

all: Deletes all IPv4 ACLs.

Description

Use the acl command to create an IPv4 ACL and enter its view. If the ACL has already been created, you enter its view directly.

Use the undo acl command to delete the specified IPv4 ACL or all IPv4 ACLs.

By default, no ACL exists.

You can assign a name to an IPv4 ACL only when you create it. After an ACL is created with a name, you cannot rename it or remove its name.

You can change the match order only for ACLs that do not contain any rules.

To display any ACLs you have created, use the display acl command.

Examples

# Create IPv4 basic ACL 2000, and enter its view.

<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000]

# Create IPv4 basic ACL 2001 with the name flow, and enter its view.

<Sysname> system-view
[Sysname] acl number 2001 name flow
[Sysname-acl-basic-2001-flow]

acl copy

Syntax

acl copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }

View

System view

Default level

2: System level

Parameters

source-acl-number: Specifies an existing source IPv4 ACL by its number:

2000 to 2999 for IPv4 basic ACLs
3000 to 3999 for IPv4 advanced ACLs
4000 to 4999 for Ethernet frame header ACLs

name source-acl-name: Specifies an existing source IPv4 ACL by its name. The source-acl-name argument takes a case-insensitive string of 1 to 32 characters.

dest-acl-number: Assigns a unique number to the IPv4 ACL you are creating. This number must be from the same ACL category as the source ACL. Available value ranges include:

2000 to 2999 for IPv4 basic ACLs
3000 to 3999 for IPv4 advanced ACLs
4000 to 4999 for Ethernet frame header ACLs

name dest-acl-name: Assigns a unique name to the IPv4 ACL you are creating. The dest-acl-name argument takes a case-insensitive string of 1 to 32 characters. It must start with an English letter and, to avoid confusion with the all keyword, it cannot be all. For this ACL, the system automatically picks the smallest number from all available numbers in the same ACL category as the source ACL.

Description

Use the acl copy command to create an IPv4 ACL by copying an IPv4 ACL that already exists. The new ACL has the same properties and content as the source ACL, but not the same ACL number and name. You can assign a name to an IPv4 ACL only when you create it. After an IPv4 ACL is created with a name, you cannot rename it or remove its name.

Examples

# Create IPv4 basic ACL 2002 by copying IPv4 basic ACL 2001.

<Sysname> system-view
[Sysname] acl copy 2001 to 2002

acl name

Syntax

acl name acl-name

View

System view

Default level

2: System level

Parameters

acl-name: Specifies an IPv4 ACL name, a case-insensitive string of 1 to 32 characters. It must start with an English letter. The IPv4 ACL must already exist.

Description

Use the acl name command to enter the view of an IPv4 ACL that has a name.

Related commands: acl.

Examples

# Enter the view of IPv4 ACL flow.

<Sysname> system-view
[Sysname] acl name flow
[Sysname-acl-basic-2001-flow]

description

Syntax

description text

undo description

View

IPv4 basic/advanced ACL view, Ethernet frame header ACL view

Default level

2: System level

Parameters

text: ACL description, a case-sensitive string of 1 to 127 characters.

Description

Use the description command to configure a description for an ACL.

Use the undo description command to remove the ACL description.

By default, an ACL has no description.

Related commands: display acl.

Examples

# Configure a description for IPv4 basic ACL 2000.

<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] description This is an IPv4 basic ACL.

display acl

Syntax

display acl { acl-number | all | name acl-name }

View

Any view

Default level

1: Monitor level

Parameters

acl-number: Specifies an ACL by its number:

2000 to 2999 for IPv4 basic ACLs
3000 to 3999 for IPv4 advanced ACLs
4000 to 4999 for Ethernet frame header ACLs

all: Displays information for all IPv4 ACLs.

name acl-name: Specifies an ACL by its name. The acl-name argument takes a case-insensitive string of 1 to 32 characters. It must start with an English letter.

Description

Use the display acl command to display the IPv4 ACL configuration and match statistics.

This command displays ACL rules in config or depth-first order, whichever is configured.

Examples

# Display the configuration and match statistics of all IPv4 ACLs.

<Sysname> display acl all
 Basic ACL 2000, named flow, 3 rules,
 ACL's step is 5
  rule 0 permit
  rule 5 permit source 1.1.1.1 0 (2 times matched)
  rule 10 permit vpn-instance mk

 Basic ACL 2001, named -none-, 3 rules, match-order is auto,
 ACL's step is 5
  rule 10 permit vpn-instance rd
  rule 10 comment This rule is used in VPN rd.
  rule 5 permit source 2.2.2.2 0
  rule 0 permit

Table 1 Output description

Field: Description

Basic ACL 2000: Category and number of the ACL. The following field information is about IPv4 basic ACL 2000.
named flow: The name of the ACL is flow. "-none-" means the ACL is not named.
3 rules: The ACL contains three rules.
match-order is auto: The match order for the ACL is auto, which sorts ACL rules in depth-first order. This field is not present when the match order is config.
ACL's step is 5: The rule numbering step is 5.
rule 0 permit: Content of rule 0.
2 times matched: There have been two matches for the rule. The statistic counts only ACL matches performed in software. This field is not displayed when no packets have matched the rule.
Uncompleted: Applying the rule to hardware failed because insufficient resources were available or the hardware does not support the rule. This event might occur when you modify a rule in an ACL that has already been applied.
rule 10 comment This rule is used in VPN rd.: The description of ACL rule 10 is "This rule is used in VPN rd."

display time-range

Syntax

display time-range { time-range-name | all }

View

Any view

Default level

1: Monitor level

Parameters

time-range-name: Specifies a time range name, a case-insensitive string of 1 to 32 characters. It must start with an English letter.

all: Displays the configuration and status of all existing time ranges.

Description

Use the display time-range command to display the configuration and status of the specified time range or all time ranges.

Examples

# Display the configuration and status of time range t4.

<Sysname> display time-range t4
Current time is 17:12:34 4/13/2010 Tuesday

Time-range : t4 ( Inactive )
 10:00 to 12:00 Mon
 14:00 to 16:00 Wed
 from 00:00 1/1/2010 to 23:59 1/31/2010
 from 00:00 6/1/2010 to 23:59 6/30/2010

Table 2 Output description

Field: Description

Current time: Current system time.
Time-range: Configuration and status of the time range, including its name, status (active or inactive), and start time and end time.

reset acl counter

Syntax

reset acl counter { acl-number | all | name acl-name }

View

User view

Default level

2: System level

Parameters

acl-number: Specifies an IPv4 ACL by its number:

2000 to 2999 for IPv4 basic ACLs
3000 to 3999 for IPv4 advanced ACLs
4000 to 4999 for Ethernet frame header ACLs

all: Clears statistics for all IPv4 ACLs.

name acl-name: Specifies an IPv4 ACL by its name. The acl-name argument takes a case-insensitive string of 1 to 32 characters. It must start with an English letter.

Description

Use the reset acl counter command to clear IPv4 ACL statistics.

Related commands: display acl.

Examples

# Clear statistics for IPv4 basic ACL 2001.

<Sysname> reset acl counter 2001

# Clear statistics for IPv4 ACL flow.

<Sysname> reset acl counter name flow

rule (Ethernet frame header ACL view)

Syntax

rule [ rule-id ] { deny | permit } [ cos vlan-pri | dest-mac dest-addr dest-mask | { lsap lsap-type lsap-type-mask | type protocol-type protocol-type-mask } | source-mac sour-addr source-mask | time-range time-range-name ] *

undo rule rule-id [ counting | time-range ] *

View

Ethernet frame header ACL view

Default level

2: System level

Parameters

rule-id: Specifies a rule ID, in the range of 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest multiple of the numbering step that is higher than the current highest rule ID, starting from 0 for an empty ACL. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.

deny: Denies matching packets.

permit: Allows matching packets to pass.

cos vlan-pri: Matches an 802.1p priority. The vlan-pri argument can be a number in the range of 0 to 7, or in words, best-effort (0), background (1), spare (2), excellent-effort (3), controlled-load (4), video (5), voice (6), or network-management (7).

dest-mac dest-addr dest-mask: Matches a destination MAC address range. The dest-addr and dest-mask arguments represent a destination MAC address and mask in H-H-H format.

lsap lsap-type lsap-type-mask: Matches the DSAP and SSAP fields in LLC encapsulation. The lsap-type argument is a 16-bit hexadecimal number that represents the encapsulation format. The lsap-type-mask argument is a 16-bit hexadecimal number that represents the LSAP mask.

type protocol-type protocol-type-mask: Matches one or more protocols in the Ethernet frame header. The protocol-type argument is a 16-bit hexadecimal number that represents a protocol type in Ethernet_II and Ethernet_SNAP frames. The protocol-type-mask argument is a 16-bit hexadecimal number that represents a protocol type mask.

source-mac sour-addr source-mask: Matches a source MAC address range. The sour-addr argument represents a source MAC address, and the source-mask argument represents a mask in H-H-H format.

time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system still creates the rule; however, the rule can take effect only after you configure the time range.

Description

Use the rule command to create or edit an Ethernet frame header ACL rule. You can edit ACL rules only when the match order is config.

Use the undo rule command to delete an Ethernet frame header ACL rule or some attributes in the rule.

If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete only the specified attributes.

By default, an Ethernet frame header ACL does not contain any rule.

Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt fails.

To view rules in an ACL and their rule IDs, use the display acl all command.

Related commands: acl, display acl, step, and time-range.

Examples

# Create rules in ACL 4000 to permit ARP packets (Ethernet type 0x0806) and deny RARP packets (Ethernet type 0x8035).

<Sysname> system-view
[Sysname] acl number 4000
[Sysname-acl-ethernetframe-4000] rule permit type 0806 ffff
[Sysname-acl-ethernetframe-4000] rule deny type 8035 ffff
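The acl, acl copy, display acl and rule entries above each state one piece of the ACL model: number ranges per category, the smallest free number that acl copy picks for a named target, rule IDs assigned as the next multiple of the step above the current highest ID (the display acl output shows 0, 5, 10 for step 5), rejection of a duplicate permit/deny statement, and config match order (ascending rule ID, smaller ID wins). The following Python model is an added example written for this page, not H3C code and not the device's implementation; it encodes only those documented rules. Wildcard matching follows the convention stated for IPv4 ACLs (an all-zero wildcard is a single host, as in "source 1.1.1.1 0"; a 1 bit in the wildcard means the corresponding address bit is ignored). Class and function names, and the sample rules in the main block, are this example's own.

```python
"""Toy model of the IPv4 ACL semantics documented in this reference.

Added example for this page, not H3C code: category number ranges, the
acl copy number choice, step-based rule IDs, duplicate-statement
rejection, wildcard matching and config-order evaluation.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Number ranges from the acl command's "number acl-number" parameter.
CATEGORY_RANGES = {
    "basic": range(2000, 3000),
    "advanced": range(3000, 4000),
    "ethernet-frame-header": range(4000, 5000),
}


def acl_category(number: int) -> str:
    """Map an ACL number to its documented category."""
    for name, rng in CATEGORY_RANGES.items():
        if number in rng:
            return name
    raise ValueError(f"ACL number {number} is outside 2000-4999")


def next_rule_id(existing_ids, step: int) -> int:
    """ID for a rule created without rule-id: the smallest multiple of
    `step` greater than the current highest ID, or 0 for an empty ACL
    (step 5, highest 28 -> 30, exactly as the rule entry describes)."""
    if not existing_ids:
        return 0
    return (max(existing_ids) // step + 1) * step


def copy_number(source_number: int, in_use) -> int:
    """Number acl copy assigns when the target is given only by name:
    the smallest free number in the source ACL's category."""
    for candidate in CATEGORY_RANGES[acl_category(source_number)]:
        if candidate not in in_use:
            return candidate
    raise RuntimeError("no free ACL number in this category")


def wildcard_match(packet_ip: str, rule_ip: str, wildcard: str) -> bool:
    """Bits set in the wildcard are ignored; 0.0.0.0 matches one host."""
    p = int(ipaddress.IPv4Address(packet_ip))
    r = int(ipaddress.IPv4Address(rule_ip))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((p ^ r) & ~w & 0xFFFFFFFF) == 0


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                     # "permit" or "deny"
    source: tuple[str, str] | None  # (address, wildcard); None means any

    def statement(self) -> tuple:
        """The part that must be unique within one ACL."""
        return (self.action, self.source)

    def matches(self, src_ip: str) -> bool:
        return self.source is None or wildcard_match(src_ip, *self.source)


@dataclass
class BasicAcl:
    number: int
    step: int = 5
    rules: dict[int, Rule] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if acl_category(self.number) != "basic":
            raise ValueError("IPv4 basic ACLs are numbered 2000 to 2999")

    def add_rule(self, action: str, source=None, rule_id=None) -> int:
        """Create or edit a rule; a duplicate statement makes it fail."""
        if rule_id is None:
            rule_id = next_rule_id(self.rules, self.step)
        rule = Rule(rule_id, action, source)
        for other in self.rules.values():
            if other.rule_id != rule_id and other.statement() == rule.statement():
                raise ValueError(f"same statement as rule {other.rule_id}")
        self.rules[rule_id] = rule
        return rule_id

    def evaluate(self, src_ip: str):
        """Config order: ascending rule ID, first match decides.
        Returns None when no rule matches."""
        for rid in sorted(self.rules):
            if self.rules[rid].matches(src_ip):
                return self.rules[rid].action
        return None


if __name__ == "__main__":
    # Constructed sample: block one host, then permit the rest of its /24.
    acl = BasicAcl(2000)
    acl.add_rule("deny", ("1.1.1.1", "0.0.0.0"))      # becomes rule 0
    acl.add_rule("permit", ("1.1.1.0", "0.0.0.255"))  # becomes rule 5
    print(acl.evaluate("1.1.1.1"), acl.evaluate("1.1.1.9"), acl.evaluate("2.2.2.2"))
```

The ordering matters exactly as the match-order parameter says: with config order the host deny at rule 0 is consulted before the /24 permit at rule 5, so swapping the two add_rule calls would silently open the host. An ACL that exists but has no matching rule returns None here because the reference does not define an implicit action for that case; what the device does with such traffic depends on the module that applies the ACL.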

    rule (IPv4 advanced ACL view)Syntax

    rule[ rule-id] { deny| permit} protocol [ { { ackack-value| finfin-value| pshpsh-value| rstrst-value| synsyn-value| urgurg-value} * } | destination{ dest-addr dest-wildcard| any} | destination-portoperator port1[port2 ] | dscpdscp |fragment| icmp-type{icmp-type[ icmp-code]| icmp-message}| logging|precedenceprecedence| reflective| source{sour-addr sour-wildcard| any} | source-portoperator port1[port2 ] |time-rangetime-range-name| tostos|vpn-instance vpn-instance-name] *

    undo rule rule-id[ { { ack| fin |psh| rst| syn| urg }*} |destination |destination-port| dscp|fragment| icmp-type |logging| precedence |reflective | source | source-port |time-range |tos |vpn-instance ] *

    View

    IPv4 advanced ACL view

    Default level

    2: System level

    Parameters

    rule-id: Specifies a rule ID, in the range of 0 to 65534. If no rule ID is provided when you create an ACLrule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of thenumbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is5 and the current highest rule ID is 28, the rule is numbered 30.

    deny: Denies matching packets.

    permit: Allows matching packets to pass.

    protocol: Protocol carried by IPv4. It can be a number in the range of 0 to 255, or in words, gre (47),icmp (1), igmp (2), ip, ipinip (4), ospf (89), tcp (6), or udp (17). Table 3describes the parameters that youcan specify regardless of the value that the protocolargument takes.

Table 3 Match criteria and other rule information for IPv4 advanced ACL rules

source { sour-addr sour-wildcard | any }: Specifies a source address. The sour-addr sour-wildcard arguments represent a source IP address and wildcard mask in dotted decimal notation. An all-zero wildcard specifies a host address. The any keyword specifies any source IP address.

destination { dest-addr dest-wildcard | any }: Specifies a destination address. The dest-addr dest-wildcard arguments represent a destination IP address and wildcard mask in dotted decimal notation. An all-zero wildcard specifies a host address. The any keyword represents any destination IP address.

precedence precedence: Specifies an IP precedence value. The precedence argument can be a number in the range of 0 to 7, or in words, routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6), or network (7).

tos tos: Specifies a ToS preference. The tos argument can be a number in the range of 0 to 15, or in words, max-reliability (2), max-throughput (4), min-delay (8), min-monetary-cost (1), or normal (0).

dscp dscp: Specifies a DSCP priority. The dscp argument can be a number in the range of 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46).

logging: Logs matching packets. This function requires that the module that uses the ACL supports logging.

reflective: Specifies that the rule be reflective. A rule with the reflective keyword can be defined only for TCP, UDP, or ICMP packets and can only be a permit statement.

vpn-instance vpn-instance-name: Applies the rule to packets in a VPN instance. The vpn-instance-name argument takes a case-sensitive string of 1 to 31 characters. If no VPN instance is specified, the rule applies only to non-VPN packets.

fragment: Applies the rule to only non-first fragments. Without this keyword, the rule applies to all fragments and non-fragments.

time-range time-range-name: Specifies a time range for the rule. The time-range-name argument takes a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule; however, the rule using the time range can take effect only after you configure the time range.

NOTE:

If you provide the precedence or tos keyword in addition to the dscp keyword, only the dscp keyword takes effect.

If the protocol argument takes tcp (6) or udp (17), set the parameters shown in Table 4.


Table 4 TCP/UDP-specific parameters for IPv4 advanced ACL rules

source-port operator port1 [ port2 ]: Specifies one or more UDP or TCP source ports.

destination-port operator port1 [ port2 ]: Specifies one or more UDP or TCP destination ports.

For both keywords, the operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The port1 and port2 arguments are TCP or UDP port numbers in the range of 0 to 65535. port2 is needed only when the operator argument is range.

TCP port numbers can be represented as: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80).

UDP port numbers can be represented as: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177).

{ ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } *: Specifies one or more TCP flags, including ACK, FIN, PSH, RST, SYN, and URG. These parameters are specific to TCP. The value for each argument can be 0 (flag bit not set) or 1 (flag bit set). For example, a rule configured with ack 1 psh 0 may match packets that have the ACK flag bit set or the PSH flag bit not set on one device.

If the protocol argument takes icmp (1), set the parameters shown in Table 5.

Table 5 ICMP-specific parameters for IPv4 advanced ACL rules

icmp-type { icmp-type [ icmp-code ] | icmp-message }: Specifies the ICMP message type and code. The icmp-type argument is in the range of 0 to 255. The icmp-code argument is in the range of 0 to 255. The icmp-message argument specifies a message name. Supported ICMP message names and their corresponding type and code values are listed in Table 6.

Table 6 ICMP message names supported in IPv4 advanced ACL rules

ICMP message name        ICMP message type    ICMP message code
echo                     8                    0
echo-reply               0                    0
fragmentneed-DFset       3                    4
host-redirect            5                    1
host-tos-redirect        5                    3
host-unreachable         3                    1
information-reply        16                   0
information-request      15                   0
net-redirect             5                    0
net-tos-redirect         5                    2
net-unreachable          3                    0
parameter-problem        12                   0
port-unreachable         3                    3
protocol-unreachable     3                    2
reassembly-timeout       11                   1
source-quench            4                    0
source-route-failed      3                    5
timestamp-reply          14                   0
timestamp-request        13                   0
ttl-exceeded             11                   0

    Description

Use the rule command to create or edit an IPv4 advanced ACL rule. You can edit ACL rules only when the match order is config.

Use the undo rule command to delete an entire IPv4 advanced ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specified attributes.

By default, an IPv4 advanced ACL does not contain any rule.

Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt fails.

To view rules in an ACL and their rule IDs, use the display acl all command.

Related commands: acl, display acl, step, and time-range.

Examples

# Create an IPv4 advanced ACL rule to permit TCP packets with the destination port 80 from 129.9.0.0/16 to 202.38.160.0/24, and enable logging of matching packets.

system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80 logging

# Create IPv4 advanced ACL rules to permit all IP packets but the ICMP packets destined for 192.168.1.0/24.

system-view


configured, the system creates the rule; however, the rule using the time range can take effect only after you configure the time range.

vpn-instance vpn-instance-name: Applies the rule to packets in a VPN instance. The vpn-instance-name argument takes a case-sensitive string of 1 to 31 characters. If no VPN instance is specified, the rule applies only to non-VPN packets.

Description

Use the rule command to create or edit an IPv4 basic ACL rule. You can edit ACL rules only when the match order is config.

Use the undo rule command to delete an entire IPv4 basic ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specified attributes.

By default, an IPv4 basic ACL does not contain any rule.

Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt fails.

To view rules in an ACL and their rule IDs, use the display acl all command.

Related commands: acl, display acl, step, and time-range.

    Examples

# Create rules in IPv4 basic ACL 2000 to deny the packets from any source IP segment but 10.0.0.0/8, 172.17.0.0/16, or 192.168.1.0/24.

system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule permit source 10.0.0.0 0.255.255.255
[Sysname-acl-basic-2000] rule permit source 172.17.0.0 0.0.255.255
[Sysname-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[Sysname-acl-basic-2000] rule deny source any
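The following Python model, added here as an example and not part of the H3C command reference or its software, shows how the match criteria of Table 3 and Table 4 decide whether a packet hits a rule: wildcard-mask address matching (an all-zero wildcard is a host match, an all-ones wildcard is any), the port operators lt, gt, eq, neq and range, and first-match evaluation in ascending rule-ID order. It encodes the basic ACL 2000 from the example just above and the advanced ACL 3000 from the earlier example. The packet representation (a dict with the keys src, dst, proto, sport, dport) and the convention that a packet matching no rule yields None are assumptions of this model, not behaviour stated on the page.

```python
"""ACL rule matching model (added example; not H3C code).

Assumptions: packets are dicts with keys src, dst, proto, sport, dport; a
packet that matches no rule returns None and leaves the decision to the module
that applies the ACL.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # the "any" keyword: all-ones wildcard
PROTO = {"icmp": 1, "igmp": 2, "ipinip": 4, "tcp": 6, "udp": 17, "gre": 47, "ospf": 89}


def wildcard_match(ip: str, addr: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard means "don't care"; an all-zero wildcard is a host match."""
    ip_i = int(ipaddress.IPv4Address(ip))
    addr_i = int(ipaddress.IPv4Address(addr))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (ip_i ^ addr_i) & care == 0


def port_match(port: int, operator: str, port1: int, port2: Optional[int] = None) -> bool:
    """The operator argument of source-port / destination-port (Table 4)."""
    if operator == "lt":
        return port < port1
    if operator == "gt":
        return port > port1
    if operator == "eq":
        return port == port1
    if operator == "neq":
        return port != port1
    if operator == "range":
        return port1 <= port <= port2
    raise ValueError("unknown operator: " + operator)


@dataclass
class Rule:
    rule_id: int
    action: str                              # "permit" or "deny"
    protocol: Optional[str] = None           # None: basic ACL rule (source only)
    source: Tuple[str, str] = ANY            # (sour-addr, sour-wildcard)
    destination: Tuple[str, str] = ANY       # (dest-addr, dest-wildcard)
    source_port: Optional[tuple] = None      # (operator, port1[, port2])
    destination_port: Optional[tuple] = None

    def matches(self, pkt: dict) -> bool:
        if not wildcard_match(pkt["src"], *self.source):
            return False
        if self.protocol is None:            # basic ACL: the source address is the only criterion
            return True
        if self.protocol != "ip" and pkt["proto"] != PROTO[self.protocol]:
            return False
        if not wildcard_match(pkt["dst"], *self.destination):
            return False
        if self.protocol in ("tcp", "udp"):  # port criteria exist only for TCP and UDP
            if self.source_port and not port_match(pkt["sport"], *self.source_port):
                return False
            if self.destination_port and not port_match(pkt["dport"], *self.destination_port):
                return False
        return True


def evaluate(rules, pkt: dict) -> Optional[str]:
    """Config-order evaluation: the first rule (lowest ID) that matches decides."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(pkt):
            return rule.action
    return None


# The two ACLs from the examples on this page, as this model represents them.
ACL_2000 = [   # basic ACL: permit three source ranges, deny every other source
    Rule(0, "permit", source=("10.0.0.0", "0.255.255.255")),
    Rule(5, "permit", source=("172.17.0.0", "0.0.255.255")),
    Rule(10, "permit", source=("192.168.1.0", "0.0.0.255")),
    Rule(15, "deny"),
]
ACL_3000 = [   # advanced ACL: TCP to port 80 from 129.9.0.0/16 to 202.38.160.0/24
    Rule(0, "permit", "tcp", ("129.9.0.0", "0.0.255.255"),
         ("202.38.160.0", "0.0.0.255"), destination_port=("eq", 80)),
]

if __name__ == "__main__":
    web = {"src": "129.9.1.1", "dst": "202.38.160.5", "proto": 6, "sport": 40000, "dport": 80}
    print(evaluate(ACL_3000, web))                  # permit
    print(evaluate(ACL_2000, {"src": "8.8.8.8"}))    # deny
```

Note that ACL 3000 contains a single permit rule, so a packet to port 443 or a UDP packet between the same addresses matches nothing: what happens to it is decided by the feature that references the ACL, which is why the basic ACL example ends with an explicit deny source any.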

rule comment

Syntax

rule rule-id comment text

undo rule rule-id comment

View

IPv4 basic/advanced ACL view, Ethernet frame header ACL view

Default level

2: System level

Parameters

rule-id: Specifies an ACL rule ID, in the range of 0 to 65534. The ACL rule must already exist.

text: Specifies a comment about the ACL rule, a case-sensitive string of 1 to 127 characters.

Description

Use the rule comment command to add a comment about an existing ACL rule or edit its comment to make the rule easy to understand.


Use the undo rule comment command to delete the ACL rule comment.

By default, an IPv4 ACL rule has no rule comment.

Related commands: display acl.

Examples

# Create a rule in IPv4 basic ACL 2000 and add a comment about the rule.

system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 0 deny source 1.1.1.1 0
[Sysname-acl-basic-2000] rule 0 comment This rule is used on GigabitEthernet 0/1.

step

Syntax

step step-value

undo step

View

IPv4 basic/advanced ACL view, Ethernet frame header ACL view

Default level

2: System level

Parameters

step-value: ACL rule numbering step, in the range of 1 to 20.

Description

Use the step command to set a rule numbering step for an ACL. The rule numbering step sets the increment by which the system numbers rules automatically. For example, the default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating, they are numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more rules you can insert between two rules. Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five rules numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be renumbered 0, 2, 4, 6, and 8.

Use the undo step command to restore the default.

The default rule numbering step is 5. After you restore the default numbering step by the undo step command, the rules are renumbered in steps of 5.

Related commands: display acl.

Examples

# Set the rule numbering step to 2 for IPv4 basic ACL 2000.

system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] step 2
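The two numbering behaviours described for rule-id and step (the auto-assigned ID is the nearest higher multiple of the step above the current highest ID, and a step change renumbers every rule from 0 in the new step) are easy to get wrong when scripting ACL changes, so here they are as a small Python model. This is an added example, not H3C code; it also applies the documented rule that the permit/deny statement of each rule must be unique within an ACL, using the rule text as the statement, which is an assumption of the model.

```python
"""ACL rule numbering model (added example; not H3C code).

Assumption: the rule text stands in for the permit/deny statement, so the
"statement must be unique within the ACL" check compares that text.
"""
MAX_RULE_ID = 65534
DEFAULT_STEP = 5


class AclNumbering:
    def __init__(self, step: int = DEFAULT_STEP):
        self.rules = {}            # rule_id -> statement text
        self.set_step(step)

    def next_rule_id(self) -> int:
        """Nearest multiple of the step above the current highest rule ID; 0 for an empty ACL."""
        if not self.rules:
            return 0
        highest = max(self.rules)
        return (highest // self.step + 1) * self.step

    def add(self, statement: str, rule_id: int = None) -> int:
        """Create a rule (auto-numbered when rule_id is None) or edit an existing ID."""
        if rule_id is None:
            rule_id = self.next_rule_id()
        if not 0 <= rule_id <= MAX_RULE_ID:
            raise ValueError("rule ID %d outside 0..%d" % (rule_id, MAX_RULE_ID))
        # the permit/deny statement of each rule must be unique within the ACL
        for other_id, text in self.rules.items():
            if text == statement and other_id != rule_id:
                raise ValueError("same statement already exists as rule %d" % other_id)
        self.rules[rule_id] = statement
        return rule_id

    def set_step(self, step: int):
        """Change the step; all rules are renumbered 0, step, 2*step, ... in config order."""
        if not 1 <= step <= 20:
            raise ValueError("step must be in the range 1 to 20")
        ordered = [self.rules[i] for i in sorted(self.rules)]
        self.rules = {n * step: text for n, text in enumerate(ordered)}
        self.step = step

    def rule_ids(self):
        return sorted(self.rules)


if __name__ == "__main__":
    acl = AclNumbering()
    for rid in (5, 10, 13, 15, 20):
        acl.add("rule originally numbered %d" % rid, rid)
    acl.set_step(2)
    print(acl.rule_ids())   # [0, 2, 4, 6, 8]
```

Because a step change rewrites every rule ID, any configuration that refers to rules by ID (rule comments, scripted undo rule commands) must be regenerated after the step changes; the model's rule_ids() gives the new numbering.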


time-range

Syntax

time-range time-range-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 }

undo time-range time-range-name [ start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 ]

View

System view

Default level

2: System level

Parameters

time-range-name: Specifies a time range name. The name is a case-insensitive string of 1 to 32 characters. It must start with an English letter and, to avoid confusion, it cannot be all.

start-time to end-time: Specifies a periodic statement. Both start-time and end-time are in hh:mm format (24-hour clock), and each value is in the range of 00:00 to 23:59. The end time must be greater than the start time.

days: Specifies the day or days of the week (in words or digits) on which the periodic statement is valid. If you specify multiple values, separate each value with a space, and be sure that they do not overlap. These values can take one of the following forms:

A digit in the range of 0 to 6, respectively for Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, and Saturday.

A day of the week in abbreviated words: sun, mon, tue, wed, thu, fri, and sat.

working-day for Monday through Friday.

off-day for Saturday and Sunday.

daily for the whole week.

from time1 date1: Specifies the start time and date of an absolute statement. The time1 argument specifies the time of the day in hh:mm format (24-hour clock). Its value is in the range of 00:00 to 23:59. The date1 argument specifies a date in MM/DD/YYYY or YYYY/MM/DD format, where MM is the month of the year in the range of 1 to 12, DD is the day of the month with the range depending on MM, and YYYY is the year in the calendar in the range of 1970 to 2100. If not specified, the start time is 01/01/1970 00:00 AM, the earliest time available in the system.

to time2 date2: Specifies the end time and date of the absolute statement. The time2 argument has the same format as the time1 argument, but its value is in the range of 00:00 to 24:00. The date2 argument has the same format and value range as the date1 argument. The end time must be greater than the start time. If not specified, the end time is 12/31/2100 24:00 PM, the maximum time available in the system.

Description

Use the time-range command to configure a time range.

Use the undo time-range command to delete a time range or a statement in the time range.

By default, no time range exists.


You can create multiple statements in a time range. Each time statement can take one of the following forms:

Periodic statement in the start-time to end-time days format. A periodic statement recurs periodically on a day or days of the week.

Absolute statement in the from time1 date1 to time2 date2 format. An absolute statement does not recur.

Compound statement in the start-time to end-time days from time1 date1 to time2 date2 format. A compound statement recurs on a day or days of the week only within the specified period. For example, to create a time range that is active from 08:00 to 12:00 on Monday between January 1, 2010 00:00 and December 31, 2010 23:59, use the time-range test 08:00 to 12:00 mon from 00:00 01/01/2010 to 23:59 12/31/2010 command.

The active period of a time range is calculated as follows:

1. Combining all periodic statements

2. Combining all absolute statements

3. Taking the intersection of the two statement sets as the active period of the time range

You can create a maximum of 256 time ranges, each with a maximum of 32 periodic statements and 12 absolute statements.

Related commands: display time-range.

Examples

# Create a periodic time range t1, setting it to be active between 8:00 and 18:00 on working days.

system-view
[Sysname] time-range t1 8:0 to 18:0 working-day

# Create an absolute time range t2, setting it to be active in the whole year of 2010.

system-view
[Sysname] time-range t2 from 0:0 1/1/2010 to 23:59 12/31/2010

# Create a compound time range t3, setting it to be active from 08:00 to 12:00 on Saturdays and Sundays of the year 2010.

system-view
[Sysname] time-range t3 8:0 to 12:0 off-day from 0:0 1/1/2010 to 23:59 12/31/2010

# Create a compound time range t4, setting it to be active from 10:00 to 12:00 on Mondays and from 14:00 to 16:00 on Wednesdays in the period of January through June of the year 2010.

system-view
[Sysname] time-range t4 10:0 to 12:0 1 from 0:0 1/1/2010 to 23:59 1/31/2010
[Sysname] time-range t4 14:0 to 16:0 3 from 0:0 6/1/2010 to 23:59 6/30/2010
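Whether a rule bound to a time range is in force at a given moment follows from the three-step calculation above (union of periodic statements, union of absolute statements, then the intersection). The Python model below, an added example rather than H3C code, parses the statement text as it is typed after the time-range name and evaluates that rule for a datetime; it is loaded with t1 through t4 from the examples above. Assumptions of the model that the page does not state: a time range with no absolute statement spans the documented defaults (01/01/1970 00:00 to 12/31/2100 24:00), one with no periodic statement is active at any time of day within its absolute statements, and start and end times are inclusive at minute resolution.

```python
"""Time range evaluation model (added example; not H3C code).

Assumptions: no absolute statement means the default 01/01/1970 00:00 to
12/31/2100 24:00 span; no periodic statement means any time of day; start and
end times are inclusive at minute resolution.
"""
from datetime import datetime, time, timedelta

EARLIEST = datetime(1970, 1, 1, 0, 0)                  # default "from"
LATEST = datetime(2100, 12, 31) + timedelta(days=1)    # 12/31/2100 24:00
DAY_NAMES = {"sun": 0, "mon": 1, "tue": 2, "wed": 3, "thu": 4, "fri": 5, "sat": 6}
DAY_GROUPS = {"working-day": {1, 2, 3, 4, 5}, "off-day": {0, 6}, "daily": set(range(7))}


def parse_days(tokens):
    """days argument: digits 0-6 (0 = Sunday), sun..sat, working-day, off-day, daily."""
    days = set()
    for tok in tokens:
        if tok in DAY_GROUPS:
            days |= DAY_GROUPS[tok]
        elif tok in DAY_NAMES:
            days.add(DAY_NAMES[tok])
        elif tok.isdigit() and 0 <= int(tok) <= 6:
            days.add(int(tok))
        else:
            raise ValueError("bad day value: " + tok)
    return days


def parse_hhmm(text):
    hh, mm = (int(p) for p in text.split(":"))
    return time(hh, mm)


def parse_absolute(hhmm, date):
    """hh:mm plus MM/DD/YYYY or YYYY/MM/DD; an end time of 24:00 rolls into the next day."""
    parts = [int(p) for p in date.split("/")]
    year, month, day = parts if parts[0] > 31 else (parts[2], parts[0], parts[1])
    hh, mm = (int(p) for p in hhmm.split(":"))
    return datetime(year, month, day) + timedelta(hours=hh, minutes=mm)


class TimeRange:
    def __init__(self, name):
        self.name = name
        self.periodic = []   # (start time, end time, set of days)
        self.absolute = []   # (from datetime, to datetime)

    def add(self, statement):
        """statement is the text after the name, e.g. '8:0 to 12:0 off-day from 0:0 1/1/2010 to 23:59 12/31/2010'."""
        tok = statement.split()
        i = 0
        if tok[0] not in ("from", "to"):                 # periodic part: start to end days...
            start, end = parse_hhmm(tok[0]), parse_hhmm(tok[2])
            i = 3
            while i < len(tok) and tok[i] not in ("from", "to"):
                i += 1
            self.periodic.append((start, end, parse_days(tok[3:i])))
            if i == len(tok):
                return
        frm, to = EARLIEST, LATEST                       # absolute part with the documented defaults
        while i < len(tok):
            if tok[i] == "from":
                frm = parse_absolute(tok[i + 1], tok[i + 2])
            elif tok[i] == "to":
                to = parse_absolute(tok[i + 1], tok[i + 2])
            i += 3
        self.absolute.append((frm, to))

    def is_active(self, when):
        """Steps 1-3 of the page: (any periodic) AND (any absolute)."""
        day = (when.weekday() + 1) % 7                   # Python Monday=0 -> page's Sunday=0
        periodic_ok = not self.periodic or any(
            day in days and start <= when.time() <= end
            for start, end, days in self.periodic)
        absolute_ok = not self.absolute or any(frm <= when <= to for frm, to in self.absolute)
        return periodic_ok and absolute_ok


def page_examples():
    """The time ranges t1..t4 from the examples above, loaded into the model."""
    specs = {
        "t1": ["8:0 to 18:0 working-day"],
        "t2": ["from 0:0 1/1/2010 to 23:59 12/31/2010"],
        "t3": ["8:0 to 12:0 off-day from 0:0 1/1/2010 to 23:59 12/31/2010"],
        "t4": ["10:0 to 12:0 1 from 0:0 1/1/2010 to 23:59 1/31/2010",
               "14:0 to 16:0 3 from 0:0 6/1/2010 to 23:59 6/30/2010"],
    }
    ranges = {}
    for name, statements in specs.items():
        ranges[name] = TimeRange(name)
        for s in statements:
            ranges[name].add(s)
    return ranges
```

One consequence of the documented calculation is worth checking before relying on compound statements: because all periodic statements are combined before the intersection with the combined absolute statements, the two statements of t4 do not stay paired with their own dates, so in this model t4 is also active 10:00 to 12:00 on Mondays in June. Use display time-range to confirm the active state on the device.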


    Session management commands

application aging-time

Syntax

application aging-time { dns | ftp | msn | qq | sip } time-value

undo application aging-time [ dns | ftp | msn | qq | sip ]

View

System view

Default level

2: System level

Parameters

dns: Specifies the aging time for DNS sessions.

ftp: Specifies the aging time for FTP sessions.

msn: Specifies the aging time for MSN sessions.

qq: Specifies the aging time for QQ sessions.

sip: Specifies the aging time for SIP sessions.

time-value: Aging time, in the range of 5 to 100000 seconds.

Description

Use the application aging-time command to set the aging time for sessions of an application layer protocol.

Use the undo application aging-time command to restore the default. If no application layer protocol type is specified, the command restores the session aging times for all the application layer protocols to the defaults.

The default session aging time for each application layer protocol is 60 seconds.

Examples

# Set the aging time for FTP sessions to 1800 seconds.

system-view
[Sysname] application aging-time ftp 1800

display session relation-table

Syntax

display session relation-table [ vd-name vd-name ]

View

Any view


Default level

2: System level

Parameters

vd-name vd-name: Displays the relationship table entries of the specified virtual device. The vd-name argument specifies the name of a virtual device. It is a case-insensitive string of 1 to 20 characters, which can be numerals, letters, and underscores.

Description

Use the display session relation-table command to display relationship table entries.

With no virtual device specified, the command displays the relationship table entries of all virtual devices.

Examples

# Display all relationship table entries.

display session relation-table
Local IP/Port          Global IP/Port         MatchMode
192.168.1.22/99        10.153.2.22/99         Local
APP: QQ   Pro: UDP   TTL: 2000s   AllowConn: 10
Local IP/Port          Global IP/Port         MatchMode
192.168.1.100/99       10.153.2.100/99        Local
APP: FTP   Pro: TCP   TTL: 2000s   AllowConn: 10
Total find: 2

Table 7 Output description

Local IP/Port: IP address/port number of the inside network.

Global IP/Port: IP address/port number of the outside network.

MatchMode: Match mode from the session table to the relationship table, including Local, Global, and Either. Local indicates that the source IP address/source port of a new session are matched against Local IP/Port in the relation table. Global indicates that the destination IP address/destination port of a new session are matched against Global IP/Port in the relation table. Either indicates that the IP/port of a new session are matched against Local IP/Port or Global IP/Port in the relation table.

App: Application layer protocol, FTP, MSN, or QQ.

Pro: Transport layer protocol, TCP or UDP.

TTL: Remaining lifetime of the relationship table entry, in seconds.

AllowConn: Number of sessions allowed by the relationship table entry.

Total find: Total number of relationship table entries found.


display session statistics

Syntax

display session statistics [ vd-name vd-name ]

View

Any view

Default level

2: System level

Parameters

vd-name vd-name: Displays the session statistics of the specified virtual device. The vd-name argument specifies the name of a virtual device. It is a case-insensitive string of 1 to 20 characters, which can be numerals, letters, and underscores.

Description

Use the display session statistics command to display statistics about sessions.

With no virtual device specified, the command displays the session statistics of all virtual devices. With no keyword specified, the command displays all session statistics information. If you display the session statistics of a specified virtual device, the output does not contain the number of dropped packets.

Examples

# Display statistics about all sessions.

display session statistics
Current session(s): 593951
Current TCP session(s): 0   Half-Open: 0   Half-Close: 0
Current UDP session(s): 593951
Current ICMP session(s): 0
Current RAWIP session(s): 0
Current relation table(s): 50000
Session establishment rate: 184503/s
TCP Session establishment rate: 0/s
UDP Session establishment rate: 184503/s
ICMP Session establishment rate: 0/s
RAWIP Session establishment rate: 0/s
Received TCP: 1538 packet(s) 337567 byte(s)
Received UDP: 86810494849 packet(s) 4340524910260 byte(s)
Received ICMP: 307232 packet(s) 17206268 byte(s)
Received RAWIP: 0 packet(s) 0 byte(s)
Dropped TCP: 0 packet(s) 0 byte(s)
Dropped UDP: 0 packet(s) 0 byte(s)
Dropped ICMP: 0 packet(s) 0 byte(s)
Dropped RAWIP: 0 packet(s) 0 byte(s)


Table 8 Output description

Current session(s): Total number of sessions.

Current TCP session(s): Number of TCP sessions.

Half-Open: Number of TCP sessions in the half-open state.

Half-Close: Number of TCP sessions in the half-close state.

Current UDP session(s): Number of UDP sessions.

Current ICMP session(s): Number of ICMP sessions.

Current RAWIP session(s): Number of Raw IP sessions.

Current relation table(s): Total number of relationship table entries.

Session establishment rate: Session establishment rate.

TCP Session establishment rate: Establishment rate of TCP sessions.

UDP Session establishment rate: Establishment rate of UDP sessions.

ICMP Session establishment rate: Establishment rate of ICMP sessions.

RAWIP Session establishment rate: Establishment rate of Raw IP sessions.

Received TCP: Counts of received TCP packets and bytes.

Received UDP: Counts of received UDP packets and bytes.

Received ICMP: Counts of received ICMP packets and bytes.

Received RAWIP: Counts of received Raw IP packets and bytes.

Dropped TCP: Counts of dropped TCP packets and bytes.

Dropped UDP: Counts of dropped UDP packets and bytes.

Dropped ICMP: Counts of dropped ICMP packets and bytes.

Dropped RAWIP: Counts of dropped Raw IP packets and bytes.

display session table

Syntax

display session table [ vd-name vd-name ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ verbose ]

View

Any view

Default level

2: System level

Parameters

vd-name vd-name: Displays the sessions of the specified virtual device. The vd-name argument specifies the name of a virtual device. It is a case-insensitive string of 1 to 20 characters, which can be numerals, letters, and underscores.

source-ip source-ip: Displays the sessions with the specified source IP address.


destination-ip destination-ip: Displays the sessions with the specified destination IP address.

verbose: Displays detailed information about sessions. Without this keyword, the command displays brief information about the specified sessions.

Description

Use the display session table command to display information about sessions.

If no argument is specified, the command displays all sessions.

If no virtual device is specified, the command displays the sessions on all virtual devices.

If both the source-ip and destination-ip keywords are specified, the command displays only the sessions with the specified source and destination IP addresses.

Examples

# Display brief information about all sessions.

display session table
Initiator:
Source      IP/Port: 192.168.1.18/2048
Dest        IP/Port: 192.168.1.55/768
Pro : ICMP(ICMP(1))
VPN-Instance/VLAN ID/VLL ID:
Initiator:
Source      IP/Port: 192.168.1.18/1212
Dest        IP/Port: 192.168.1.55/23
Pro : TCP(TCP(6))
VPN-Instance/VLAN ID/VLL ID:
Total find: 2

# Display detailed information about all sessions.

display session table verbose
Initiator:
Source      IP/Port: 192.168.1.19/137
Dest        IP/Port: 192.168.1.255/137
VPN-Instance/VLAN ID/VLL ID:
Responder:
Source      IP/Port: 192.168.1.255/137
Dest        IP/Port: 192.168.1.19/137
VPN-Instance/VLAN ID/VLL ID:
Pro: UDP(17)   App: NBT-name   State: UDP-OPEN
Start time: 2009-03-17 10:39:43   TTL: 2s
Root Zone(in): Management
Zone(out): Local
Received packet(s)(Init): 6 packet(s) 468 byte(s)
Received packet(s)(Reply): 0 packet(s) 0 byte(s)
Initiator:
Source      IP/Port: 192.168.1.18/1212
Dest        IP/Port: 192.168.1.55/23
VPN-Instance/VLAN ID/VLL ID:
Responder:
Source      IP/Port: 192.168.1.55/23
Dest        IP/Port: 192.168.1.18/1212
VPN-Instance/VLAN ID/VLL ID:
Pro: TCP(6)   App: TELNET   State: TCP-EST
Start time: 2009-03-17 09:30:33   TTL: 3600s
Root Zone(in): Management
Zone(out): Local
Received packet(s)(Init): 1173 packet(s) 47458 byte(s)
Received packet(s)(Reply): 1168 packet(s) 61845 byte(s)
Total find: 2

Table 9 Output description

Initiator: Session information of the initiator.

Responder: Session information of the responder.

Pro: Transport layer protocol, TCP, UDP, ICMP, or Raw IP.

VPN-Instance/VLAN ID/VLL ID: VPN that the session belongs to, and the VLAN and INLINE that the session belongs to during Layer 2 forwarding.

App: Application layer protocol, FTP, DNS, MSN, or QQ. Unknown indicates the protocol of a non-well-known port.

State: Session status. Possible values are Accelerate, SYN, TCP-EST, FIN, UDP-OPEN, UDP-READY, ICMP-OPEN, ICMP-CLOSED, RAWIP-OPEN, and RAWIP-READY.

Start Time: Session establishment time.

TTL: Remaining lifetime of the session, in seconds.

VD-name: Name of the virtual device.

Zone(in): Security zone (in).

Zone(out): Security zone (out).

Received packet(s)(Init): Counts of packets and bytes from the initiator to the responder.

Received packet(s)(Reply): Counts of packets and bytes from the responder to the initiator.

Total find: Total number of sessions currently found.
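The verbose output above is what an operator has to work with when auditing the session table, and reading it by eye does not scale. The Python parser below, an added example that is not H3C code, turns the verbose listing into records keyed by the fields of Table 9 and then applies two simple checks a defender would want: sessions that have never received a reply packet (the UDP-OPEN NBT-name session above is one) and a count of sessions per State, where a large SYN count would indicate a half-open backlog. SAMPLE_OUTPUT is constructed from the two sessions shown in the example; the exact column spacing of the real output is an assumption, and the brief (non-verbose) format is not handled.

```python
"""Parser for 'display session table verbose' output (added example; not H3C code).

SAMPLE_OUTPUT is constructed from the two sessions shown on this page; the
column spacing of the real output is an assumption.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List

SAMPLE_OUTPUT = """\
Initiator:
Source      IP/Port: 192.168.1.19/137
Dest        IP/Port: 192.168.1.255/137
VPN-Instance/VLAN ID/VLL ID:
Responder:
Source      IP/Port: 192.168.1.255/137
Dest        IP/Port: 192.168.1.19/137
VPN-Instance/VLAN ID/VLL ID:
Pro: UDP(17)   App: NBT-name   State: UDP-OPEN
Start time: 2009-03-17 10:39:43   TTL: 2s
Root Zone(in): Management
Zone(out): Local
Received packet(s)(Init): 6 packet(s) 468 byte(s)
Received packet(s)(Reply): 0 packet(s) 0 byte(s)
Initiator:
Source      IP/Port: 192.168.1.18/1212
Dest        IP/Port: 192.168.1.55/23
VPN-Instance/VLAN ID/VLL ID:
Responder:
Source      IP/Port: 192.168.1.55/23
Dest        IP/Port: 192.168.1.18/1212
VPN-Instance/VLAN ID/VLL ID:
Pro: TCP(6)   App: TELNET   State: TCP-EST
Start time: 2009-03-17 09:30:33   TTL: 3600s
Root Zone(in): Management
Zone(out): Local
Received packet(s)(Init): 1173 packet(s) 47458 byte(s)
Received packet(s)(Reply): 1168 packet(s) 61845 byte(s)
Total find: 2
"""

RE_ADDR = re.compile(r"(Source|Dest)\s+IP/Port:\s*(\S+)")
RE_PRO = re.compile(r"Pro:\s*(\w+)\((\d+)\)\s+App:\s*(\S+)\s+State:\s*(\S+)")
RE_START = re.compile(r"Start time:\s*(\S+\s+\S+)\s+TTL:\s*(\d+)s")
RE_PKTS = re.compile(r"Received packet\(s\)\((Init|Reply)\):\s*(\d+) packet\(s\)\s*(\d+) byte\(s\)")


@dataclass
class Session:
    initiator: Dict[str, str] = field(default_factory=dict)   # "source"/"dest" -> "ip/port"
    responder: Dict[str, str] = field(default_factory=dict)
    proto: str = ""
    proto_num: int = 0
    app: str = ""
    state: str = ""
    start_time: str = ""
    ttl: int = 0
    zone_in: str = ""
    zone_out: str = ""
    init_packets: int = 0
    init_bytes: int = 0
    reply_packets: int = 0
    reply_bytes: int = 0


def parse_session_table(text: str) -> List[Session]:
    sessions: List[Session] = []
    side = "initiator"
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Total find:"):                # trailer: cross-check the record count
            total = int(line.split(":", 1)[1])
            if total != len(sessions):
                raise ValueError("Total find %d but %d sessions parsed" % (total, len(sessions)))
            continue
        if line == "Initiator:":                          # each record starts with the initiator block
            sessions.append(Session())
            side = "initiator"
            continue
        if not sessions:
            continue                                      # ignore text before the first record
        cur = sessions[-1]
        if line == "Responder:":
            side = "responder"
        elif RE_ADDR.match(line):
            m = RE_ADDR.match(line)
            getattr(cur, side)[m.group(1).lower()] = m.group(2)
        elif RE_PRO.match(line):
            m = RE_PRO.match(line)
            cur.proto, cur.proto_num, cur.app, cur.state = m.group(1), int(m.group(2)), m.group(3), m.group(4)
        elif RE_START.match(line):
            m = RE_START.match(line)
            cur.start_time, cur.ttl = m.group(1), int(m.group(2))
        elif line.startswith(("Root Zone(in):", "Zone(out):")):
            setattr(cur, "zone_in" if "(in)" in line else "zone_out", line.split(":", 1)[1].strip())
        elif RE_PKTS.match(line):
            m = RE_PKTS.match(line)
            if m.group(1) == "Init":
                cur.init_packets, cur.init_bytes = int(m.group(2)), int(m.group(3))
            else:
                cur.reply_packets, cur.reply_bytes = int(m.group(2)), int(m.group(3))
    return sessions


def one_way_sessions(sessions):
    """Sessions that have never seen a packet from the responder."""
    return [s for s in sessions if s.reply_packets == 0]


def count_by_state(sessions):
    """Number of sessions per State value (a large SYN count means a half-open backlog)."""
    return Counter(s.state for s in sessions)
```

Feed the parser the captured text of display session table verbose; the Total find trailer is used as a sanity check that every record was read.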


reset session

Syntax

reset session [ vd-name vd-name ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol-type { icmp | raw-ip | tcp | udp } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]

View

User view

Default level

2: System level

Parameters

vd-name vd-name: Clears the sessions on the specified virtual device. The vd-name argument specifies the name of a virtual device. It is a case-insensitive string of 1 to 20 characters, which can be only numerals, letters, and underscores.

source-ip source-ip: Clears the sessions with the specified source IP address of the initiator.

destination-ip destination-ip: Clears the sessions with the specified destination IP address of the initiator.

protocol-type { icmp | raw-ip | tcp | udp }: Clears the sessions of the specified protocol type. The protocol types include ICMP, Raw IP, TCP, and UDP.

source-port source-port: Clears the sessions with the specified source port of the initiator.

destination-port destination-port: Clears the sessions with the specified destination port of the initiator.

vpn-instance vpn-instance-name: Clears the sessions of the specified VPN. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.

Description

Use the reset session command to clear sessions.

If no virtual device is specified, the command clears the sessions on all virtual devices.

If no VPN instance is specified, the command clears the sessions on the public network.

If no parameter is specified, the command clears all sessions.

Examples

# Clear all sessions.

reset session

# Clear all sessions whose initiator source IP address is 10.10.10.10.

reset session source-ip 10.10.10.10

reset session statistics

Syntax

reset session statistics [ vd-name vd-name ]

View

User view


Default level

2: System level

Parameters

vd-name vd-name: Clears the session statistics of the specified virtual device. The vd-name argument specifies the name of a virtual device. It is a case-insensitive string of 1 to 20 characters, which can be numerals, letters, and underscores.

Description

Use the reset session statistics command to clear session statistics.

If no virtual device is specified, the command clears the session statistics on all virtual devices.

Examples

# Clear all session statistics.

reset session statistics

session aging-time

Syntax

session aging-time { accelerate | fin | icmp-closed | icmp-open | rawip-open | rawip-ready | syn | tcp-est | udp-open | udp-ready } time-value

undo session aging-time [ accelerate | fin | icmp-closed | icmp-open | rawip-open | rawip-ready | syn | tcp-est | udp-open | udp-ready ]

    View

    System view

    Default level

    2: System level

    Parameters

    accelerate: Specifies the aging time for the sessions in the accelerate queue.

    fin: Specifies the aging time for the TCP sessions in the FIN_WAIT state.

    icmp-closed: Specifies the aging time for the ICMP sessions in the CLOSED state.

    icmp-open: Specifies the aging time for the ICMP sessions in the OPEN state.

    rawip-open: Specifies the aging time for the sessions in the RAWIP_OPEN state.

    rawip-ready: Specifies the aging time for the sessions in the RAWIP_READY state.

    syn: Specifies the aging time for the TCP sessions in the SYN_SENT or SYN_RCV state.

    tcp-est: Specifies the aging time for the TCP sessions in the ESTABLISHED state.

    udp-open: Specifies the aging time for the UDP sessions in the OPEN state.

    udp-ready: Specifies the aging time for the UDP sessions in the READY state.

time-value: Aging time in seconds, in the range of 5 to 10000.

    Description

Use the session aging-time command to set the aging time for sessions of a specified protocol that are in a specified state.


Use the undo session aging-time command to restore the default. If no keyword is specified, the command restores the session aging times for all protocol states to the defaults.

The default value is 30 seconds.

Examples

# Set the aging time for TCP sessions in the SYN_SENT or SYN_RCV state to 60 seconds.

system-view
[Sysname] session aging-time syn 60

session checksum

Syntax

session checksum { all | { icmp | tcp | udp } * }

undo session checksum { all | { icmp | tcp | udp } * }

View

System view

Default level

2: System level

Parameters

all: Enables checksum verification for TCP, UDP, and ICMP packets.

icmp: Enables checksum verification for ICMP packets.

tcp: Enables checksum verification for TCP packets.

udp: Enables checksum verification for UDP packets.

Description

Use the session checksum command to enable checksum verification for protocol packets.

Use the undo session checksum command to disable checksum verification.

By default, checksum verification is disabled.

Examples

# Enable checksum verification for UDP packets.

system-view
[Sysname] session checksum udp

session persist acl

Syntax

session persist acl acl-number [ aging-time time-value ]

undo session persist

View

System view

Default level

2: System level


    Parameters

    acl-number: ACL number, in the range 2000 to 3999.

aging-time time-value: Specifies the aging time for persistent sessions, in hours. The value of the time-value argument is in the range of 0 to 360 and defaults to 24. A value of 0 means the persistent sessions are never aged.

    Description

Use the session persist acl command to specify the persistent session rule. All sessions permitted by the specified ACL are considered persistent sessions.

    Use the undo session persist command to remove the configuration.

    By default, no persistent session rule is specified.

Persistent sessions are not removed merely because no packets match them within the aging time. You can manually remove such sessions when necessary.

    A persistent session rule can reference only one ACL.

Related commands: reset session.

Examples

# Configure all sessions matching ACL 2000 as persistent sessions, setting the aging time of the sessions to 72 hours.

system-view

[Sysname] session persist acl 2000 aging-time 72


    Connection limit configuration commands

connection-limit apply policy

Syntax

connection-limit apply policy policy-number

undo connection-limit apply policy policy-number

    View

    System view

    Default level

    2: System level

    Parameters

    policy-number: Number for an existing connection limit policy, which can only be 0.

    Description

Use the connection-limit apply policy command to apply a connection limit policy.

Use the undo connection-limit apply policy command to remove the application.

If a connection limit policy is applied, you cannot add, remove, or modify the connection limit rules in the connection limit policy view.

A connection limit policy to be applied must contain at least one limit rule.

Related commands: connection-limit policy.

Examples

# Apply connection limit policy 0.

system-view

[Sysname] connection-limit apply policy 0

connection-limit policy

Syntax

connection-limit policy policy-number

undo connection-limit policy { policy-number | all }

    View

    System view

    Default level

    2: System level

    Parameters

    policy-number: Connection limit policy number, which can only be 0.

    all: Specifies all connection limit policies.


    Description

Use the connection-limit policy command to create a connection limit policy and enter connection limit policy view.

Use the undo connection-limit policy command to delete a specific or all connection limit policies.

A connection limit policy contains a set of rules that limit the number of connections of a specific user. By default, a connection limit policy uses the default connection limit settings.

When creating a connection limit policy, you must assign it a unique number. Policies are matched by number in descending order.

After applying a connection limit policy in system view, you cannot modify, add, or remove connection limit rules in the policy.

    Examples

    # Create a connection limit policy numbered 0 and enter its view.

system-view

[Sysname] connection-limit policy 0

[Sysname-connection-limit-policy-0]

display connection-limit policy

Syntax

display connection-limit policy { policy-number | all }

    View

    Any view

    Default level

1: Monitor level

Parameters

    policy-number: Connection limit policy number, which can only be 0.

    all: Displays all connection limit policies.

    Description

Use the display connection-limit policy command to display information about a specific or all connection limit policies.

    Related commands: limit.

    Examples

    # Display information about all connection limit policies.

display connection-limit policy all

There is 1 policy:

Connection-limit policy 0, refcount 0, 3 limits

limit 1 acl 2000 per-source amount 1111 10

limit 2 acl 2001 per-destination amount 300 20

limit 3 acl 2002 per-service amount 400 50

# Display information about all connection limit policies.

display connection-limit policy all

There are 1 policies:


Connection-limit policy 0, refcount 1, 2 limits

limit 0 source any amount dns 100 http 200 tcp 300 other 400 rate 100 shared

limit 1 source 1.1.1.0 24 amount tcp 100 bandwidth 200 shared

# Display information about all connection limit policies.

display connection-limit policy all

There are 1 policies:

Connection-limit policy 0, refcount 0, 1 limit

limit 0 source ip 3.3.3.0 24 source-vpn vpn1 destination ip any protocol tcp max-connections 200 per-source

Table 10 Output description

    Field Description

    Connection-limit policy Number of the connection limit policy

    refcount 1, 2 limits Number of times that the policy is applied and number of rules in the policy.

    limit xxx Rule in the policy. Refer to the limit command for details.

limit

Syntax

limit limit-id { source ip { ip-address mask-length | any } [ source-vpn src-vpn-name ] | destination ip { ip-address mask-length | any } [ destination-vpn dst-vpn-name ] } * protocol { dns | http | ip | tcp | udp } max-connections max-num [ per-destination | per-source | per-source-destination ]

    undo limit limit-id

    View

    Connection limit policy view

    Default level

    2: System level

    Parameters

    limit-id: ID of a rule in the connection limit policy, which can only be 0.

    source ip: Specifies the source IP address of the connections to be limited.

ip-address mask-length: IP address and its mask length. The mask-length argument is in the range of 1 to 32.

any: Specifies all IP addresses on the specified network or the public network. For example, source ip any specifies all hosts on the source network.

source-vpn src-vpn-name: Specifies a source MPLS VPN by its instance name, a case-sensitive string of 1 to 31 characters. Absence of the option indicates the public network.

destination ip: Specifies the destination IP address of the connections to be limited.

destination-vpn dst-vpn-name: Specifies a destination MPLS VPN by its instance name, a case-sensitive string of 1 to 31 characters. Absence of the option indicates the public network.

    protocol: Specifies connections of a protocol.

    dns: Specifies connections of the DNS protocol.


    http: Specifies connections of the HTTP protocol.

    ip: Specifies connections of the IP protocol.

    tcp: Specifies connections of the TCP protocol.

    udp: Specifies connections of the UDP protocol.

max-connections max-num: Maximum number of connections, in the range of 0 to 1000000.

per-destination: Limits connections by destination address.

per-source: Limits connections by source address.

per-source-destination: Limits connections by source-destination address pair.

Description

Use the limit command to configure an IP address-based connection limit policy rule.

Use the undo limit command to remove a connection limit policy rule.

Any two rules of one policy must have different rule criteria.

A connection limit rule becomes invalid if the VPN instance that it references is removed.

The connection limit rules in a policy are matched in ascending order of rule ID. If the source addresses, destination addresses, or protocols in two rules overlap, the first matched rule takes effect. Therefore, take the match order into consideration when assigning rule IDs. H3C recommends arranging the rules by limit granularity and limit range in ascending order.

Related commands: connection-limit policy, display connection-limit policy.

    Examples

# Configure connection limit rule 1 for policy 1 to limit TCP connections sourced from 1.1.1.1 with the upper connection limit of 200.

system-view

[Sysname] connection-limit policy 0

[Sysname-connection-limit-policy-0] limit 1 source ip 1.1.1.1 32 protocol tcp max-connections 200

# Configure connection limit rule 2 to limit UDP connections destined to 2.2.2.2 with the upper connection limit of 200.

[Sysname-connection-limit-policy-0] limit 2 destination ip 2.2.2.2 32 protocol udp max-connections 200

# Configure connection limit rule 3 to limit IP connections sourced from the segment 1.1.1.0/24 with the upper connection limit of 200.

[Sysname-connection-limit-policy-0] limit 3 source ip 1.1.1.0 24 protocol ip max-connections 200 per-source

# Configure connection limit rule 4 to limit IP connections destined to the segment 2.2.2.0/24 with the upper connection limit of 200.

[Sysname-connection-limit-policy-0] limit 4 destination ip 2.2.2.0 24 protocol ip max-connections 200 per-destination

# Configure connection limit rule 5 to limit IP connections from vpn1 to vpn2 with the upper connection limit of 200.

[Sysname-connection-limit-policy-0] limit 5 source ip any source-vpn vpn1 destination ip any destination-vpn vpn2 protocol ip max-connections 200
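The match-order rule stated in the limit command description (rules tried in ascending limit-id order, first match wins, so a broad rule placed before a narrower one shadows it) as an added Python model; this is not H3C code and is not taken from the reference. It assumes that protocol ip covers TCP and UDP connections alike and that a connection matching no rule is not limited.

```python
"""Model of how a connection limit policy selects and applies a limit rule.

Added example, not H3C code. Assumptions not taken from the reference:
"protocol ip" matches TCP and UDP connections alike, and a connection that
matches no rule is not limited at all.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LimitRule:
    limit_id: int
    protocol: str          # dns | http | ip | tcp | udp
    max_connections: int
    granularity: str       # per-source | per-destination | per-source-destination
    source: str = "any"    # "any" or "address/mask-length"
    destination: str = "any"

    @staticmethod
    def _in_net(addr, spec):
        return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

    def matches(self, src, dst, proto):
        proto_ok = self.protocol == "ip" or self.protocol == proto  # assumption: ip covers all
        return proto_ok and self._in_net(src, self.source) and self._in_net(dst, self.destination)

    def key(self, src, dst):
        """Counter key: what the limit is counted per (source, destination, or the pair)."""
        if self.granularity == "per-source":
            return (self.limit_id, src)
        if self.granularity == "per-destination":
            return (self.limit_id, dst)
        return (self.limit_id, src, dst)


class ConnectionLimitPolicy:
    def __init__(self, rules):
        # Rules are matched in ascending order of limit-id, whatever order they were entered in.
        self.rules = sorted(rules, key=lambda r: r.limit_id)
        self.active = defaultdict(int)

    def first_match(self, src, dst, proto):
        for rule in self.rules:
            if rule.matches(src, dst, proto):
                return rule
        return None

    def admit(self, src, dst, proto):
        """Return (admitted, limit_id) for a new connection and record it if admitted."""
        rule = self.first_match(src, dst, proto)
        if rule is None:
            return True, None
        k = rule.key(src, dst)
        if self.active[k] >= rule.max_connections:
            return False, rule.limit_id
        self.active[k] += 1
        return True, rule.limit_id

    def release(self, src, dst, proto):
        """Connection closed: give its slot back under the rule that counted it."""
        rule = self.first_match(src, dst, proto)
        if rule is not None and self.active[rule.key(src, dst)] > 0:
            self.active[rule.key(src, dst)] -= 1


# Constructed sample rules: a broad /24 limit and a tight per-host TCP limit.
def shadowed_policy():
    # Broad rule has the lower ID, so the tight rule for 1.1.1.1 is never reached.
    return ConnectionLimitPolicy([LimitRule(1, "ip", 200, "per-source", source="1.1.1.0/24"),
                                  LimitRule(2, "tcp", 2, "per-source", source="1.1.1.1/32")])

def ordered_policy():
    # Finer granularity and narrower range first, as the reference recommends.
    return ConnectionLimitPolicy([LimitRule(1, "tcp", 2, "per-source", source="1.1.1.1/32"),
                                  LimitRule(2, "ip", 200, "per-source", source="1.1.1.0/24")])

def tcp_connections_admitted(policy, count):
    """Open `count` TCP connections from 1.1.1.1 and return how many were admitted."""
    return sum(1 for _ in range(count) if policy.admit("1.1.1.1", "2.2.2.2", "tcp")[0])
```

With the shadowed ordering all five sample connections are admitted, with the recommended ordering only two are.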


Source:

IP : 0.0.0.0

Mask : 0.0.0.0

MAC : 0000-0000-0000

Interface : any

VLAN : 2

Protocol : 6

Destination:

IP : 0.0.0.0

Mask : 0.0.0.0

Rule 2

Inbound interface : GigabitEthernet0/0

Type : dynamic

Action : permit

Source:

IP : 2.2.2.2

Mask : 255.255.255.255

MAC : 000d-88f8-0eab

Interface : GigabitEthernet0/0

VLAN : 0

Protocol : 0

Destination:

IP : 0.0.0.0

Mask : 0.0.0.0

Author ACL:

Number : 3001

Table 11 Output description

Field Description

Rule Sequence number of the generated ACL, which is numbered from 0 in ascending order

    Inbound interface Interface to which portal ACLs are bound

    Type Type of the portal ACL

    Action Match action in the portal ACL

    Source Source information in the portal ACL

    IP Source IP address in the portal ACL

    Mask Subnet mask of the source IP address in the portal ACL

    MAC Source MAC address in the portal ACL

    Interface Source interface in the portal ACL

    VLAN Source VLAN in the portal ACL

    Protocol Protocol type in the portal ACL

    Destination Destination information in the portal ACL


    IP Destination IP address in the portal ACL

    Mask Subnet mask of the destination IP address in the portal ACL

Author ACL Authorization ACL of portal ACL. It is displayed only when the Type field has a value of dynamic.

Number Authorization ACL number assigned by the server. None indicates that the server did not assign any ACL.

display portal connection statistics

Syntax

display portal connection statistics { all | interface interface-type interface-number }

View

Any view

Default level

    1: Monitor level

    Parameters

    all: Specifies all interfaces.

interface interface-type interface-number: Specifies an interface by its type and number.

    Description

Use the display portal connection statistics command to display portal connection statistics on a specific interface or all interfaces.

    Examples

    # Display portal connection statistics on interface GigabitEthernet 0/0.

display portal connection statistics interface GigabitEthernet 0/0

---------------Interface: GigabitEthernet0/0-----------------------

User state statistics:

State-Name User-Num

VOID 0

DISCOVERED 0

WAIT_AUTHEN_ACK 0

WAIT_AUTHOR_ACK 0

WAIT_LOGIN_ACK 0

WAIT_ACL_ACK 0

WAIT_NEW_IP 0

WAIT_USERIPCHANGE_ACK 0

ONLINE 1

WAIT_LOGOUT_ACK 0

WAIT_LEAVING_ACK 0

Message statistics:

Msg-Name Total Err Discard


MSG_AUTHEN_ACK 3 0 0

MSG_AUTHOR_ACK 3 0 0

MSG_LOGIN_ACK 3 0 0

MSG_LOGOUT_ACK 2 0 0

MSG_LEAVING_ACK 0 0 0

MSG_CUT_REQ 0 0 0

MSG_AUTH_REQ 3 0 0

MSG_LOGIN_REQ 3 0 0

MSG_LOGOUT_REQ 2 0 0

MSG_LEAVING_REQ 0 0 0

MSG_ARPPKT 0 0 0

MSG_TMR_REQAUTH 1 0 0

MSG_TMR_AUTHEN 0 0 0

MSG_TMR_AUTHOR 0 0 0

MSG_TMR_LOGIN 0 0 0

MSG_TMR_LOGOUT 0 0 0

MSG_TMR_LEAVING 0 0 0

MSG_TMR_NEWIP 0 0 0

MSG_TMR_USERIPCHANGE 0 0 0

MSG_PORT_REMOVE 0 0 0

MSG_VLAN_REMOVE 0 0 0

MSG_IF_REMOVE 6 0 0

MSG_L3IF_SHUT 0 0 0

MSG_IP_REMOVE 0 0 0

MSG_ALL_REMOVE 1 0 0

MSG_IFIPADDR_CHANGE 0 0 0

MSG_SOCKET_CHANGE 8 0 0

MSG_NOTIFY 0 0 0

MSG_SETPOLICY 0 0 0

MSG_SETPOLICY_RESULT 0 0 0

Table 12 Output description

    Field Description

    User state statistics Statistics on portal users

    State-Name Name of a user state

    User-Num Number of users

    VOID Number of users in void state

    DISCOVERED Number of users in discovered state

    WAIT_AUTHEN_ACK Number of users in wait_authen_ack state

    WAIT_AUTHOR_ACK Number of users in wait_author_ack state

    WAIT_LOGIN_ACK Number of users in wait_login_ack state

    WAIT_ACL_ACK Number of users in wait_acl_ack state

    WAIT_NEW_IP Number of users in wait_new_ip state


WAIT_USERIPCHANGE_ACK Number of users in wait_useripchange_ack state

    ONLINE Number of users in online state

    WAIT_LOGOUT_ACK Number of users in wait_logout_ack state

    WAIT_LEAVING_ACK Number of users in wait_leaving_ack state

    Message statistics Statistics on messages

    Msg-Name Message type

    Total Total number of messages

    Err Number of erroneous messages

    Discard Number of discarded messages

    MSG_AUTHEN_ACK Authentication acknowledgment message

MSG_AUTHOR_ACK Authorization acknowledgment message

MSG_LOGIN_ACK Accounting acknowledgment message

    MSG_LOGOUT_ACK Accounting-stop acknowledgment message

    MSG_LEAVING_ACK Leaving acknowledgment message

    MSG_CUT_REQ Cut request message

    MSG_AUTH_REQ Authentication request message

    MSG_LOGIN_REQ Accounting request message

    MSG_LOGOUT_REQ Accounting-stop request message

    MSG_LEAVING_REQ Leaving request message

    MSG_ARPPKT ARP message

    MSG_TMR_REQAUTH Authentication request timeout message

    MSG_TMR_AUTHEN Authentication timeout message

    MSG_TMR_AUTHOR Authorization timeout message

    MSG_TMR_LOGIN Accounting-start timeout message

    MSG_TMR_LOGOUT Accounting-stop timeout message

    MSG_TMR_LEAVING Leaving timeout message

    MSG_TMR_NEWIP Public IP update timeout message

    MSG_TMR_USERIPCHANGE User IP change timeout message

    MSG_PORT_REMOVE Users-of-a-Layer-2-port-removed message

    MSG_VLAN_REMOVE VLAN user removed message

    MSG_IF_REMOVE Users-of-a-Layer-3-interface-removed message

    MSG_L3IF_SHUT Layer 3 interface shutdown message

    MSG_IP_REMOVE User-with-an-IP-removed message


    MSG_ALL_REMOVE All-users-removed message

    MSG_IFIPADDR_CHANGE Interface IP address change message

    MSG_SOCKET_CHANGE Socket change message

    MSG_NOTIFY Notification message

    MSG_SETPOLICY Set policy message for assigning security ACL

    MSG_SETPOLICY_RESULT Set policy response message

display portal free-rule

Syntax

display portal free-rule [ rule-number ]

View

Any view

    Default level

    1: Monitor level

    Parameters

    rule-number: Number of a portal-free rule, in the range of 0 to 15.

    Description

Use the display portal free-rule command to display information about a specific portal-free rule or all portal-free rules.

    Related commands: portal free-rule.

    Examples

    # Display information about portal-free rule 1.

display portal free-rule 1

Rule-Number 1:

Source:

IP : 2.2.2.0

Mask : 255.255.255.0

MAC : 0000-0000-0000

Interface : any

Vlan : 0

Destination:

IP : 0.0.0.0

Mask : 0.0.0.0

Table 13 Output description

    Field Description

    Rule-Number Number of the portal-free rule

    Source Source information in the portal-free rule


    IP Source IP address in the portal-free rule

    Mask Subnet mask of the source IP address in the portal-free rule

    MAC Source MAC address in the portal-free rule

    Interface Source interface in the portal-free rule

    Vlan Source VLAN in the portal-free rule

    Destination Destination information in the portal-free rule

    IP Destination IP address in the portal-free rule

    Mask Subnet mask of the destination IP address in the portal-free rule

display portal interface

Syntax

display portal interface interface-type interface-number

    View

    Any view

    Default level

    1: Monitor level

    Parameters

    interface-type interface-number: Specifies an interface by its type and number.

Description

Use the display portal interface command to display the portal configuration of an interface.

    Examples

    # Display the portal configuration of interface GigabitEthernet 0/0.

display portal interface gigabitethernet 0/0

Interface portal configuration:

GigabitEthernet0/0: Portal running

Portal server : servername

Authentication type: Direct

Portal backup-group: 1

Authentication domain: my-domain

Authentication network:

address : 0.0.0.0 mask : 0.0.0.0

Table 14 Output description

    Field Description

    Interface portal configuration Portal configuration on the interface

    GigabitEthernet0/0 Status of the portal feature on the interface, disabled, enabled, or running.

    Portal server Portal server referenced by the interface


    Authentication type Authentication mode enabled on the interface

Portal backup-group Number of the portal group to which the interface belongs. If the interface does not belong to any portal group, None will be displayed.

    Authentication domain Mandatory authentication domain of the interface

    Authentication network Information of the portal authentication subnet

    address IP address of the portal authentication subnet

    mask Subnet mask of the IP address of the portal authentication subnet

display portal server

Syntax

display portal server [ server-name ]

    View

    Any view

    Default level

    1: Monitor level

    Parameters

    server-name: Name of a portal server, a case-sensitive string of 1 to 32 characters.

    Description

Use the display portal server command to display information about a specific portal server or all portal servers.

    Related commands: portal server.

    Examples

    # Display information about portal server aaa.

display portal server aaa

Portal server:

1) aaa:

IP : 192.168.0.111

Key : portal

Port : 50100

URL : http://192.168.0.111

Table 15 Output description

    Field Description

    1) Number of the portal server

    aaa Name of the portal server

    IP IP address of the portal server


Key Key for portal authentication. Not configured will be displayed if no key is configured.

Port Listening port on the portal server

URL Address the packets are to be redirected to. Not configured will be displayed if no address is configured.

display portal server statistics

Syntax

display portal server statistics { all | interface interface-type interface-number }

    View

    Any view

    Default level

    1: Monitor level

    Parameters

    all: Specifies all interfaces.

interface interface-type interface-number: Specifies an interface by its type and number.

    Description

Use the display portal server statistics command to display portal server statistics on a specific interface or all interfaces.

Note that with the all keyword specified, the command displays portal server statistics by interface, and therefore statistics about a portal server referenced by more than one interface may be displayed repeatedly.

    Examples

    # Display portal server statistics on GigabitEthernet 0/0.

display portal server statistics interface gigabitethernet 0/0

---------------Interface: GigabitEthernet0/0----------------------

Server name: st

Invalid packets: 0

Pkt-Name Total Discard Checkerr

REQ_CHALLENGE 3 0 0

ACK_CHALLENGE 3 0 0

REQ_AUTH 3 0 0

ACK_AUTH 3 0 0

REQ_LOGOUT 1 0 0

ACK_LOGOUT 1 0 0

AFF_ACK_AUTH 3 0 0

NTF_LOGOUT 1 0 0

REQ_INFO 6 0 0

ACK_INFO 6 0 0

NTF_USERDISCOVER 0 0 0


NTF_USERIPCHANGE 0 0 0

AFF_NTF_USERIPCHANGE 0 0 0

ACK_NTF_LOGOUT 1 0 0

Table 16 Output description

    Field Description

    Interface Interface referencing the portal server

    Server name Name of the portal server

    Invalid packets Number of invalid packets

    Pkt-Name Packet type

    Total Total number of packets

    Discard Number of discarded packets

    Checkerr Number of erroneous packets

    REQ_CHALLENGE Challenge request message the portal server sends to the access device

ACK_CHALLENGE Challenge acknowledgment message the access device sends to the portal server

REQ_AUTH Authentication request message the portal server sends to the access device

ACK_AUTH Authentication acknowledgment message the access device sends to the portal server

REQ_LOGOUT Logout request message the portal server sends to the access device

ACK_LOGOUT Logout acknowledgment message the access device sends to the portal server

AFF_ACK_AUTH Affirmation message the portal server sends to the access device after receiving an authentication acknowledgement message

NTF_LOGOUT Forced logout notification message the access device sends to the portal server

REQ_INFO Information request message

ACK_INFO Information acknowledgment message

NTF_USERDISCOVER User discovery notification message the portal server sends to the access device

NTF_USERIPCHANGE User IP change notification message the access device sends to the portal server

AFF_NTF_USERIPCHANGE User IP change success notification message the portal