HPE MSR1000_MSR2000_MSR3000_MSR4000-CMW710-R0306P81 Release Notes
The information in this document is subject to change without notice. © Copyright 2013, 2016 Hewlett Packard Enterprise Development LP
Contents
Version information ... 1
    Version number ... 1
    Version history ... 2
    Hardware and software compatibility matrix ... 7
    Upgrading restrictions and guidelines ... 8
Hardware feature updates ... 8
    CMW710-R0306P81 ... 8
    CMW710-R0306P30 ... 9
    CMW710-R0306P07 ... 9
    CMW710-R0305P08 ... 9
    CMW710-R0305P04 ... 9
    CMW710-R0304P02 ... 9
    CMW710-R0304 ... 9
    CMW710-E0302P06 ... 9
    CMW710-E0102 ... 10
Software feature and command updates ... 10
MIB updates ... 10
Operation changes ... 20
Restrictions and cautions ... 20
Open problems and workarounds ... 21
List of resolved problems ... 21
    Resolved problems in CMW710-R0306P81 ... 21
    Resolved problems in CMW710-R0306P80 ... 22
    Resolved problems in CMW710-R0306P70 ... 25
    Resolved problems in CMW710-R0306P52 ... 27
    Resolved problems in CMW710-R0306P30 ... 32
    Resolved problems in CMW710-R0306P12 ... 35
    Resolved problems in CMW710-R0306P11 ... 37
    Resolved problems in CMW710-R0306P07 ... 39
    Resolved problems in CMW710-R0305P08 ... 42
    Resolved problems in CMW710-R0305P04 ... 48
    Resolved problems in CMW710-R0305 ... 51
    Resolved problems in CMW710-R0304P12 ... 53
    Resolved problems in CMW710-R0304P04 ... 56
    Resolved problems in CMW710-R0304P02 ... 62
    Resolved problems in CMW710-R0304 ... 63
    Resolved problems in CMW710-E0302P06 ... 64
    Resolved problems in CMW710-E0102 ... 66
    Resolved problems in CMW710-E0006P02 ... 66
Support and other resources ... 66
    Accessing Hewlett Packard Enterprise Support ... 66
    Documents ... 66
        Related documents ... 67
        Documentation feedback ... 68
Appendix A Feature list ... 69
    Hardware features ... 69
    Software features ... 76
Appendix B Upgrading software ... 80
    Software types ... 80
    Upgrade methods ... 80
    Preparing for the upgrade ... 81
    Centralized devices upgrading from the CLI ... 82
        Saving the running configuration and verifying the storage space ... 82
        Downloading the image file to the router ... 82
        Specifying the startup image file ... 83
        Rebooting and completing the upgrade ... 84
    Distributed devices upgrading from the CLI ... 85
        Display the slot number of the active MPU ... 85
        Save the current configuration and verify the storage space ... 85
        Download the image file to the router ... 86
        Specifying the startup image file ... 86
        Reboot and completing the upgrade ... 88
    Distributed devices ISSU ... 89
        Disabling the standby MPU auto-update function ... 90
        Saving the running configuration and verifying the storage space ... 90
        Downloading the upgrade image file to the router ... 91
        Upgrading the standby MPU ... 91
        Upgrading the active MPU ... 93
    Upgrading from the BootWare menu ... 95
        Accessing the BootWare menu ... 95
        Using TFTP/FTP to upgrade software through an Ethernet port ... 97
        Using XMODEM to upgrade software through the console port ... 100
    Managing files from the BootWare menu ... 104
        Displaying all files ... 105
        Changing the type of a system software image ... 105
        Deleting files ... 106
    Handling software upgrade failures ... 107
Appendix C Handling console login password loss ... 107
    Disabling password recovery capability ... 107
    Handling console login password loss ... 108
        Examining the password recovery capability setting ... 109
        Using the Skip Current System Configuration option ... 110
        Using the Skip Authentication for Console Login option ... 111
        Using the Restore to Factory Default Configuration option ... 111
List of Tables
Table 1 Version history .................................................................................................................................................................... 2
Table 2 HPE product device numbers matrix ......................................................................................................................... 7
Table 3 Hardware and software compatibility matrix ......................................................................................................... 7
Table 4 MIB updates ...................................................................................................................................................................... 10
Table 5 MSR1000 specifications ................................................................................................................................................ 69
Table 6 MSR2000/MSR2000 TAA specifications ................................................................................................................. 69
Table 7 MSR3000/MSR3000 TAA specifications ................................................................................................................. 70
Table 8 MSR4000 specifications ................................................................................................................................................ 71
Table 9 MSR4000/MSR4000 TAA MPU Specification ........................................................................................................ 71
Table 10 MSR4000 SPU Specification ..................................................................................................................................... 71
Table 11 MSR2004-24 AC power module specifications ................................................................................................. 72
Table 12 MSR2004-48 DC power module specifications ................................................................................................ 72
Table 13 MSR3044/MSR3064/MSR4060/MSR4080 AC power module specifications ........................................ 72
Table 14 MSR3044/MSR3064/MSR4060/MSR4080 DC power module specifications ........................................ 72
Table 15 MSR3044/MSR3064/MSR4060/MSR4080 PoE power module specifications ...................................... 72
Table 16 MSR series routers Module List ................................................................................................................................ 72
Table 17 Sierra Modem Module and Host/card compatibility matrix........................................................................ 76
Table 18 MSR Series routers software features ................................................................................................................... 76
Table 19 Storage media ................................................................................................................................................................ 81
Table 20 BootWare menu options ............................................................................................................................................ 96
Table 21 Ethernet submenu options ....................................................................................................................................... 97
Table 22 Network parameter fields and shortcut keys ..................................................................................................... 98
Table 23 Serial submenu options .......................................................................................................................................... 100
Table 24 File Control submenu options .............................................................................................................................. 105
Table 25 BootWare options and password recovery capability compatibility matrix ....................................... 107
This document describes the features, restrictions and guidelines, open problems, and workarounds for version R0306P81. Before you use this version in a live network, back up the configuration and test the version to avoid a software upgrade affecting your live network.
Use this document in conjunction with HPE MSR1000_MSR2000_MSR3000_MSR4000-CMW710-R0306P81 Release Notes (Software Feature Changes) and the documents listed in "Related documents".
Version information
Version number
HPE Comware Software, Version 7.1.059, Release 0306P81
Please see the example below generated by the display version command:
<HPE> display version
HPE Comware Software, Version 7.1.059, Release 0306P81
Copyright (c) 2010-2016 Hewlett Packard Enterprise Development LP
HPE MSR3064 uptime is 0 weeks, 0 days, 0 hours, 2 minutes
Last reboot reason : User reboot
Boot image: cfa0:/msr3000-cmw710-boot-r0306p81.bin
Boot image version: 7.1.059P27, Release 0306P81
Compiled Mar 16 2016 16:00:00
System image: cfa0:/msr3000-cmw710-system-r0306p81.bin
System image version: 7.1.059, Release 0306P81
Compiled Mar 16 2016 16:00:00
Feature image(s) list:
cfa0:/msr3000-cmw710-security-r0306p81.bin, version: 7.1.059
Compiled Mar 16 2016 16:00:00
cfa0:/msr3000-cmw710-voice-r0306p81.bin, version: 7.1.059
Compiled Mar 16 2016 16:00:00
cfa0:/msr3000-cmw710-data-r0306p81.bin, version: 7.1.059
Compiled Mar 16 2016 16:00:00
CPU ID: 0x4
2G bytes DDR3 SDRAM Memory
8M bytes Flash Memory
PCB Version: 2.0
CPLD Version: 2.0
Basic BootWare Version: 1.60
Extended BootWare Version: 1.60
[SLOT 0]AUX (Hardware)2.0, (Driver)1.0, (CPLD)2.0
[SLOT 0]GE0/0 (Hardware)2.0, (Driver)1.0, (CPLD)2.0
[SLOT 0]GE0/1 (Hardware)2.0, (Driver)1.0, (CPLD)2.0
[SLOT 0]GE0/2 (Hardware)2.0, (Driver)1.0, (CPLD)2.0
[SLOT 0]CELLULAR0/0 (Hardware)2.0, (Driver)1.0, (CPLD)2.0
[SLOT 0]CELLULAR0/1 (Hardware)2.0, (Driver)1.0, (CPLD)2.0
[SLOT 6]HMIM-1CE3 (Hardware)2.0, (Driver)1.0, (CPLD)1.0
[SLOT 7]HMIM-2T1 (Hardware)3.0, (Driver)1.0, (CPLD)4.0
[SLOT 9]HMIM-4T1-F (Hardware)3.0, (Driver)1.0, (CPLD)3.0
Version history
Table 1 Version history
Columns: Version number; Last version; Release date; Release type; Remarks

CMW710-R0306P81
  Last version: CMW710-R0306P80
  Release date: 2016-12-01
  Release type: Release version
  Remarks: MSR1000_2000_3000_4000 series, including MSR1003-8S and MSR3012 AC. Fixes bugs.

CMW710-R0306P80
  Last version: CMW710-R0306P70
  Release date: 2016-10-31
  Release type: Release version
  Remarks: MSR1000_2000_3000_4000 series, including MSR1003-8S and MSR3012 AC. Fixes bugs.

CMW710-R0306P70
  Last version: CMW710-R0306P52
  Release date: 2016-09-28
  Release type: Release version
  Remarks: MSR1000_2000_3000_4000 series, including MSR1003-8S and MSR3012 AC. Fixes bugs.

CMW710-R0306P52
  Last version: CMW710-R0306P30
  Release date: 2016-08-26
  Release type: Release version
  Remarks: MSR1000_2000_3000_4000 series, including MSR1003-8S and MSR3012 AC
    New feature:
    1. MAC address recording in TCP packets
    2. Configuring the leased line service for an ISDN BRI interface
    3. LLDP PVID inconsistency check
    Modified feature:
    1. High encryption
    2. OSPF
    3. Policy-based routing
    4. MIB objects
    5. Setting ISP domain status
    6. Excluding an attribute from portal protocol packets
    7. NTP
    8. Transceiver modules
    9. E1POS
    Fixes bugs.

CMW710-R0306P30
  Last version: CMW710-R0306P12
  Release date: 2016-06-08
  Release type: Release version
  Remarks: MSR1000_2000_3000_4000 series, including MSR1003-8S and MSR3012 AC
    New feature:
    1. SIP compatibility
    Modified feature:
    1. OSPF performance
    2. Telnet redirect
    3. POS terminal access
    4. License
    5. IP performance optimization
    Fixes bugs.

CMW710-R0306P12
  Last version: CMW710-R0306P11
  Release date: 2016-04-27
  Release type: Release version
  Remarks: MSR1000_2000_3000_4000 series, including MSR1003-8S and MSR3012 AC
    Modified feature:
    1. Configuring an SSH user
    2. AAA
    3. Configuring a cellular interface for a 3G/4G modem
    4. VXLAN
    5. DHCP
    Fixes bugs.

CMW710-R0306P11
  Last version: CMW710-R0306P07
  Release date: 2016-04-13
  Release type: Release version
  Remarks: MSR1000_2000_3000_4000 series, including MSR1003-8S and MSR3012 AC
    New feature:
    1. Voice VLAN
    Modified feature:
    1. MPLS QoS support for matching the EXP field
    2. MPLS QoS support for marking the EXP field
    3. Automatic configuration
    Removed feature:
    1. Tinyproxy
    Fixes bugs.

CMW710-R0306P07
  Last version: CMW710-R0305P08
  Release date: 2016-03-16
  Release type: Release version
  Remarks: MSR1000_2000_3000_4000 series, including MSR1003-8S and MSR3012 AC
    New feature:
    1. L2TP-based EAD
    2. CFD configuration
    Modified feature:
    1. Support using dots in user profile name
    2. Default size of the TCP receive and send buffer
    3. Support for obtaining fan tray and power module vendor information through MIB
    4. Supporting per-packet load sharing
    5. Automatic configuration
    6. Software image signature
    Fixes bugs.

CMW710-R0305P08
  Last version: CMW710-R0305P04
  Release date: 2016-01-10
  Release type: Release version
  Remarks: MSR1000_2000_3000_4000 series, including MSR1003-8S and MSR3012 AC
    New feature:
    1. mGRE
    2. Disabling transceiver module alarm
    Modified feature:
    1. Default user role
    2. Debugging
    Fixes bugs.

CMW710-R0305P04
  Last version: First release
  Release date: 2015-12-18
  Release type: Release version
  Remarks: Only supports the MSR3012 AC Router

CMW710-R0305P04
  Last version: CMW710-R0305
  Release date: 2015-11-25
  Release type: Release version
  Remarks: MSR1000_2000_3000_4000 series, including MSR1003-8S
    New feature:
    1. Public key management support for Suite B
    2. PKI support for Suite B
    3. IPsec support for Suite B
    4. SSL support for Suite B
    5. FIPS support for Suite B
    6. SSH support for Suite B
    7. Ignoring the first AS number of EBGP route updates for a peer or peer group
    Modified feature:
    1. Support for Ethernet link aggregation on Layer 3 Ethernet subinterfaces
    2. Changing the maximum number of FIB table entries
    3. Enabling CWMP
    4. The logo of HP is changed to HPE
    Fixes bugs.

CMW710-R0305
  Last version: CMW710-R0304P12
  Release date: 2015-10-23
  Release type: Release version
  Remarks: MSR1000_2000_3000_4000 series, including MSR1003-8S
    New feature:
    1. IKE
    Modified feature:
    1. IPsec
    Fixes bugs.

CMW710-R0304P12
  Last version: CMW710-R0304P04
  Release date: 2015-09-15
  Release type: Release version
  Remarks: MSR1000_2000_3000_4000 series, including MSR1003-8S
    New feature:
    1. Including vendor information in PPP accounting requests
    2. BFD for an aggregation group
    Modified feature:
    1. SSH username
    2. IS-IS hello packet sending interval
    3. MP-group interface numbering
    Fixes bugs.

CMW710-R0304P04
  Last version: CMW710-R0304P02
  Release date: 2015-08-18
  Release type: Release version
  Remarks: Supports MSR1000_2000_3000_4000 series, including MSR1003-8S
    New feature:
    1. Media Stream Control (MSC) logging
    Modified feature:
    1. ESP encryption algorithms
    Fixes bugs.

CMW710-R0304P02
  Last version: CMW710-R0304
  Release date: 2015-07-22
  Release type: Release version
  Remarks: Supports MSR1000_2000_3000_4000 series, including MSR1003-8S
    New feature:
    1. IMSI/SN binding authentication
    2. Specifying a band for a 4G modem
    3. CFD
    4. Using tunnel interfaces as OpenFlow ports
    5. NETCONF support for ACL filtering
    6. Specifying a backup traffic processing unit
    7. WAAS
    8. Support for the MKI field in SRTP or SRTCP packets
    9. SIP domain name
    10. E&M logging
    11. Add new cards
    Modified feature:
    1. Setting the global link-aggregation load-sharing mode
    Fixes bugs.

CMW710-R0304
  Last version: CMW710-E0302P06
  Release date: 2015-06-29
  Release type: Release version
  Remarks: Supports MSR1000_2000_3000_4000 series, added MSR1003-8S
    New feature:
    1. Setting the RTC version
    2. Setting the maximum size of advertisement files
    3. IRF
    4. Frame Relay
    5. EVI
    6. VPLS
    7. Multicast VPN support for inter-AS option B
    Modified feature:
    1. 802.1X redirect URL
    2. Displaying information about NTP servers from the reference source to the primary NTP server
    3. Saving, rolling back, and loading the configuration
    4. Displaying information about SSH users
    Removed feature:
    1. Displaying fabric utilization
    Fixes bugs.

CMW710-E0302P06
  Last version: CMW710-E0102
  Release date: 2015-04-13
  Release type: ESS version
  Remarks: Supports MSR1000_2000_3000_4000 series
    New feature:
    1. Object policies
    2. IPHC
    3. Support of PPPoE server for IPv6
    4. QSIG tunneling over SIP-T
    5. Playout delay
    6. BGP L2VPN support for NSR
    7. BGP support for dynamic peers
    8. ARP PnP
    9. Support of Syslog for DNS and support of customlog&userlog for IPv6 hosts
    10. QoS soft forwarding
    11. Filtering by application layer protocol status
    12. ADVPN support for multicast forwarding
    13. MPLS LDP support for IPv6
    14. Port security
    15. Customizable IVR
    16. SRST
    17. NEMO
    18. Support of MFR and FR for L2VPN, FR QoS, and FR compression and fragmentation
    19. Support for LLDP on CPOS interfaces
    20. SMS-based automatic configuration
    21. ARP attack protection
    22. SIP support for VRF
    Fixes bugs.

CMW710-E0102
  Last version: CMW710-E0006P02
  Release date: 2013-08-10
  Release type: ESS version
  Remarks: Supports MSR2000_3000_4000 series
    New feature:
    1. Portal authentication
    2. MSDP
    3. IPsec MIB and IKE MIB
    4. PoE
    5. CoPP software forwarding feature
    6. Configuring MPLS LDP FRR
    7. Enhanced routing features
    8. Python
    9. ATM
    10. DHCP MIB
    Fixes bugs.

CMW710-E0006P02
  Last version: CMW710-E0006
  Release date: 2013-04-23
  Release type: ESS version
  Remarks: Only supports the MSR3000_4000 series, not the MSR2000 series. Fixes bugs.

CMW710-E0006
  Last version: First release
  Release date: 2013-01-28
  Release type: ESS version
  Remarks: None
Hardware and software compatibility matrix
CAUTION:
To avoid an upgrade failure, use Table 3 to verify the hardware and software compatibility before performing an upgrade.
Table 2 HPE product device numbers matrix
Product code HPE Product name
JG402A HPE MSR4080 Router Chassis
JG403A HPE MSR4060 Router Chassis
JG404A HPE MSR3064 Router
JG405A HPE MSR3044 Router
JG406A HPE MSR3024 AC Router
JG407A HPE MSR3024 DC Router
JG408A HPE MSR3024 PoE Router
JG409A HPE MSR3012 AC Router
JG410A HPE MSR3012 DC Router
JG411A HPE MSR2003 AC Router
JG412A HPE MSR4000 MPU-100 Main Processing Unit
JG413A HPE MSR4000 SPU-100 Service Processing Unit
JG414A HPE MSR4000 SPU-200 Service Processing Unit
JG670A HPE MSR4000 SPU-300 Service Processing Unit
JG875A HPE MSR1002-4 AC Router
JH060A HPE MSR1003-8S AC Router
JG861A HPE MSR3024 TAA-compliant AC Router
JG734A HPE MSR2004-24 AC Router
JG735A HPE MSR2004-48 Router
JG866A HPE MSR2003 TAA-compliant AC Router
JG869A HPE MSR4000 TAA-compliant MPU-100 Engine
JG409B HPE MSR3012 AC Router
Table 3 Hardware and software compatibility matrix
Item Specifications
Product family
MSR1000_MSR2000_MSR3000_MSR4000
Boot ROM version
  MSR1002-4_MSR1003-8S: 250 or higher
  MSR2003_MSR2004-24_MSR2004-48: 160 or higher
  MSR3012_MSR3024_MSR3044_MSR3064: 160 or higher
  MSR4060_MSR4080: MPU-100: 161 or higher; SPU-100/200: 140 or higher
Host software
  Hardware | Software | MD5 Check Sum | File size
  MSR1002-4_MSR1003-8S | MSR100X-CMW710-R0306P81.IPE | 6e2a436a41b51b0d598f253caa4ae1ef | 67,391,488 bytes
  MSR2003_MSR2004-24_MSR2004-48 | MSR2000-CMW710-R0306P81.IPE | 9d5fbf77d4a2878aa1da072cd4120fda | 74,107,904 bytes
  MSR3012_MSR3024_MSR3044_MSR3064 | MSR3000-CMW710-R0306P81.IPE | 64b0e7c133560318d06f7726123c4a71 | 57,016,320 bytes
  MSR4060_MSR4080 | MSR4000-CMW710-R0306P81.IPE | 9b1df8a19f4f498aa773116bb69152d6 | 118,542,336 bytes
iMC version
iMC BIMS 7.2 (E0402P02)
iMC EAD 7.2 (E0407)
iMC TAM 7.2 (E0407)
iMC UAM 7.2 (E0407)
iMC IVM 7.2 (E0402H02)
iMC MVM 7.2 (E0402P02)
iMC NTA 7.2 (E0402P02)
iMC PLAT 7.2 (E0403P04)
iMC QoSM 7.2 (E0403H01)
iMC RAM 7.2 (E0402)
iMC SHM 7.2 (E0402l01)
iMC UBA 7.2 (E0401P03)
iMC VFM 7.2 (E0403)
iNode version
iNode PC 7.2 (E0407)
Cards version
Cards Name Software Version CPLD or FPGA version
SIC-3G-HSPA 280 or higher 200 or higher
SIC-3G-CDMA 280 or higher 200 or higher
Upgrading restrictions and guidelines
1. After the software is upgraded from a version earlier than E0302P06 to E0302P06 or a later version, the unit of the VRRP preemption delay is changed from seconds to centiseconds.
2. To upgrade from R0305 to R0305P04 or a later version, you must first install the R0305H01 hot patch.
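The caution above asks you to check Table 3 before upgrading; the following script is an added example (not HPE tooling) that compares a downloaded IPE file against the MD5 checksum and byte size published in Table 3, and refuses an image whose file name does not match the one listed for the router model. The published values and the hardware-to-image mapping are copied from Table 3; the command-line invocation and the in-process sample bytes are assumptions.

```python
"""Pre-upgrade image check for Comware IPE files (added example, not HPE code).

Compares a downloaded image with the MD5 checksum and file size published in the
release-notes compatibility matrix (Table 3). The MD5 published there catches
corrupted or truncated downloads; authenticity of the image is the job of the
software image signature feature (listed as modified in R0305P08), not of MD5.
"""
import hashlib
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

# Published values copied from Table 3 for R0306P81: file name -> (MD5, size in bytes).
PUBLISHED_IMAGES = {
    "MSR100X-CMW710-R0306P81.IPE": ("6e2a436a41b51b0d598f253caa4ae1ef", 67_391_488),
    "MSR2000-CMW710-R0306P81.IPE": ("9d5fbf77d4a2878aa1da072cd4120fda", 74_107_904),
    "MSR3000-CMW710-R0306P81.IPE": ("64b0e7c133560318d06f7726123c4a71", 57_016_320),
    "MSR4000-CMW710-R0306P81.IPE": ("9b1df8a19f4f498aa773116bb69152d6", 118_542_336),
}

# Router model -> required image, from the "Host software" rows of Table 3.
PLATFORM_IMAGE = {
    "MSR1002-4": "MSR100X-CMW710-R0306P81.IPE",
    "MSR1003-8S": "MSR100X-CMW710-R0306P81.IPE",
    "MSR2003": "MSR2000-CMW710-R0306P81.IPE",
    "MSR2004-24": "MSR2000-CMW710-R0306P81.IPE",
    "MSR2004-48": "MSR2000-CMW710-R0306P81.IPE",
    "MSR3012": "MSR3000-CMW710-R0306P81.IPE",
    "MSR3024": "MSR3000-CMW710-R0306P81.IPE",
    "MSR3044": "MSR3000-CMW710-R0306P81.IPE",
    "MSR3064": "MSR3000-CMW710-R0306P81.IPE",
    "MSR4060": "MSR4000-CMW710-R0306P81.IPE",
    "MSR4080": "MSR4000-CMW710-R0306P81.IPE",
}


@dataclass
class CheckResult:
    ok: bool
    reason: str
    actual_md5: str
    actual_size: int


def image_for_platform(platform: str) -> Optional[str]:
    """Return the IPE file name Table 3 prescribes for a router model, or None."""
    return PLATFORM_IMAGE.get(platform.upper())


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def verify_image(data: bytes, expected_md5: str, expected_size: int) -> CheckResult:
    """Check the size first (cheap, catches truncated transfers), then the digest."""
    size = len(data)
    if size != expected_size:
        return CheckResult(False, f"size mismatch: got {size}, expected {expected_size}",
                           md5_hex(data), size)
    digest = md5_hex(data)
    if digest != expected_md5.lower():
        return CheckResult(False, f"md5 mismatch: got {digest}, expected {expected_md5}",
                           digest, size)
    return CheckResult(True, "image matches the published MD5 and size", digest, size)


def verify_downloaded_image(path: Path, platform: str) -> CheckResult:
    """File-based wrapper: reject an image that is not the one Table 3 lists for
    this platform (wrong-family image is a classic upgrade failure), then compare
    the bytes with the published values."""
    expected_name = image_for_platform(platform)
    if expected_name is None:
        return CheckResult(False, f"unknown platform {platform!r}", "", 0)
    if path.name.upper() != expected_name.upper():
        return CheckResult(False, f"{path.name} is not the image for {platform} "
                                  f"(expected {expected_name})", "", 0)
    expected_md5, expected_size = PUBLISHED_IMAGES[expected_name]
    return verify_image(path.read_bytes(), expected_md5, expected_size)


# Constructed sample: a small stand-in for an IPE file, so the check can be
# exercised in-process without the real multi-megabyte image.
SAMPLE_IMAGE = b"constructed stand-in for MSR3000-CMW710-R0306P81.IPE\n" * 64


if __name__ == "__main__":
    import sys
    # Assumed invocation: python check_image.py <MSR model> <path to downloaded .IPE>
    result = verify_downloaded_image(Path(sys.argv[2]), sys.argv[1])
    print(result.reason)
    sys.exit(0 if result.ok else 1)
```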
Hardware feature updates
CMW710-R0306P81
None.
CMW710-R0306P30
Add new hardware:
Add new card:
4-port 100BASE-FX/1000BASE-X(SFP) Ethernet L2/L3 SIC Module-RT-SIC-4GSWF
CMW710-R0306P07
Add new hardware:
SFP-GPON-SM-ONU
USB modem E3533
CMW710-R0305P08
Add new router:
HPE MSR3012 AC Router(JG409B)
Add new card:
1-port E1 / T1 Voice SIC Module(JH240A)
CMW710-R0305P04
The logo of HP is changed to HPE.
CMW710-R0304P02
Add new cards:
HPE MSR 4GLTE SIC Mod for CDMA/WCDMA (JG742B)
HPE MSR 4G LTE SIC Mod for ATT (JG743B)
HPE MSR 4GLTE SIC Mod for Global (JG744B)
HPE MSR HSPA+/WCDMA SIC Module (JG929A)
CMW710-R0304
Add new router:
HPE MSR1003-8S AC Router
CMW710-E0302P06
Add new hardware:
8-port E1 / CE1 / T1 / CT1 / PRI HMIM Module (JH169A)
4-port E1 / CE1 / T1 / CT1 / PRI HMIM Module (JH170A)
2-port E1 / CE1 / T1 / CT1 / PRI HMIM Module (JH171A)
8-port E1 / Fractional E1 / T1 / Fractional T1 HMIM Module (JH172A)
4-port E1 / Fractional E1 / T1 / Fractional T1 HMIM Module (JH173A)
2-port E1 / Fractional E1 / T1 / Fractional T1 HMIM Module (JH174A)
8-port 100BASE-FX/1000BASE-X / 4-port 1000BASE-T (Combo) L2/L3 HMIM Module (JH238A)
CMW710-E0102
Add new hardware:
4-port 10/100 Mbps Ethernet L2 switching module-PoE card(SIC-4FSW-POE)
1-port ADSL over POTS SIC interface module (SIC-1ADSL)
1 port E1/CE1/PRI SIC interface module(SIC-1EPRI-V3)
9-port 10/100 Mbps Ethernet L2 switching module -PoE card (DSIC-9FSW-POE)
1-port 8-wire G.SHDSL (RJ45) DSIC Module
2-port 1000BASE-X HMIM Module (HMIM-2GEF)
4-port 1000BASE-X HMIM Module (HMIM-4GEF)
8-port 1000BASE-X HMIM Module (HMIM-8GEF)
24-port Gig-T Switch HMIM Module (HMIM-24GSW)
24-port Gig-T PoE Switch HMIM Module (HMIM-24GSW-POE)
1-port OC-3 / STM-1 CPOS HMIM Module (HMM-1CPOS)
2-port OC-3 / STM-1 CPOS HMIM Module (HMIM-2CPOS)
1-port OC-3c / STM-1c ATM SFP HMIM Module (HMIM-ATMOC3)
1-port dual-pair G.SHDSL interface module (MIM-1SHL-4W)(need to config HMIM-Adapter)
SPU-300 service module
MSR3012-DC
MSR3024-DC
MSR3024-POE
300W DC Power (PSR300-12D2)
Support USB modem E303c and E3131
Software feature and command updates
For more information about the software feature and command update history, see HPE MSR1000_MSR2000_MSR3000_MSR4000-CMW710-R0306P81 Release Notes (Software Feature Changes).
MIB updates
Table 4 MIB updates
Item MIB file Module Description
CMW710-R0306P81
New None None None
11
Modified None None None
CMW710-R0306P12
New None None None
Modified rfc1213.mib RFC1213-MIB Modified description of sysDescr and sysObjectID
CMW710-R0306P11
New None None None
Modified rfc1213.mib RFC1213-MIB Modified description of sysObjectID
CMW710-R0306P07
New None None None
Modified rfc1213.mib RFC1213-MIB Modified description of sysDescr and sysObjectID
CMW710-R0305P08
New None None None
Modified hh3c-3gmodem.mib HH3C-3GMODEM-MIB
Modified description of hh3cWirelessCardOnlineTable, hh3cWirelessCardModemMode, hh3cWirelessCardCurNetConn, hh3cWirelessCardOnlineTime, hh3cWirelessCardOnlineType, hh3cUIMInfoTable,hh3cUIMIndex, hh3cUIMStatus,hh3cUIMImsi, hh3c3GCdma1xRttBID, hh3c3GCdma1xRttSID, hh3c3GCdma1xRttNID, hh3c3GCdmaEvDoSubNetID, hh3c3GGsmMcc, hh3c3GGsmMnc, hh3cSmsSrcNumberBind, hh3cSmsTimeBind, hh3cSmsEncodeBind, hh3cSmsContentBind, hh3cSmsRxNotifSwitch and hh3cSmsRxNotification
CMW710-R0305P04
New None None None
Modified rfc1213.mib RFC1213-MIB
Modified description of sysDescr, sysContact, sysName and sysLocation, sysObjectID
CMW710-R0305
New None None None
Modified rfc1213.mib RFC1213-MIB Modified description of sysDescr and sysObjectID
12
CMW710-R0304P12
New None None None
Modified
rfc2925-disman-ping.mib DISMAN-PING-MIB Modified description of pingCtlTable
hh3c-nqa.mib HH3C-NQA-MIB Modified description of hh3cNqaCtlTable
hh3c-mplsext.mib HH3C-MPLSEXT-MIB Added hh3cMplsExtVpnStatsTable
CMW710-R0304
New None None None
Modified hh3c-transceiver-info.mib HH3C-TRANSCEIVER-INFO-MIB
Modified description of hh3cTransceiverCurTXPower and hh3cTransceiverCurRXPower
CMW710-E0302P06
New
hh3c-stack.mib HH3C-STACK-MIB Added HH3C-STACK-MIB
rfc5060-pim-std.mib PIM-STD-MIB Added PIM-STD-MIB
rfc5240-pim-bsr.mib PIM-BSR-MIB Added PIM-BSR-MIB
hh3c-qinqv2.mib HH3C-QINQV2-MIB Added
HH3C-QINQV2-MIB
rfc3019-ipv6-mld.mibs IPV6-MLD-MIB Added IPV6-MLD-MIB
hh3c-nqa.mib HH3C-NQA-MIB Added HH3C-NQA-MIB
hh3c-posa.mib HH3C-POSA-MIB Added HH3C-POSA-MIB
rfc1473-ppp-ip.mib PPP-IP-NCP-MIB Added PPP-IP-NCP-MIB
rfc1471-ppp-lcp.mib PPP-LCP-MIB Added PPP-LCP-MIB
hh3c-mp-v2.mib HH3C-MP-V2-MIB Added HH3C-MP-V2-MIB
hh3c-mplsext.mib HH3C-MPLSEXT-MIB Added HH3C-MPLSEXT-MIB
hh3c-mplste.mib HH3C-MPLSTE-MIB Added H3C-MPLSTE-MIB
rfc6445-mpls-frr-facility-std.mib
MPLS-FRR-FACILITY-STD-MIB
Added MPLS-FRR-FACILITY-STD-MIB
rfc6445-mpls-frr-general-std.mib
MPLS-FRR-GENERAL-STD-MIB
Added MPLS-FRR-GENERAL-STD-MIB
rfc3812-mpls-te-std.mib MPLS-TE-STD-MIB Added MPLS-TE-STD-MIB
rfc3970-te.mib TE-MIB Added TE-MIB
hh3c-transceiver-info.mib HH3C-TRANSCEIVER-INFO-MIB
Added HH3C-TRANSCEIVER-INFO-MIB
rfc5519-mgmd-std.mib MGMD-STD-MIB Added MGMD-STD-MIB
rfc4560-disman-traceroute.mib
DISMAN-TRACEROUTE-MIB
Added DISMAN-TRACEROUTE-MI
13
B
rfc2925-disman-ping.mib DISMAN-PING-MIB Added DISMAN-PING-MIB
rfc5603-pw-enet-std.mib PW-ENET-STD-MIB Added PW-ENET-STD-MIB
rfc5601-pw-std.mib PW-STD-MIB Added PW-STD-MIB
hh3c-snmp-ext.mib HH3C-SNMP-EXT-MIB Added HH3C-SNMP-EXT-MIB
hh3c-posa.mib HH3C-POSA-MIB Added HH3C-POSA-MIB
hh3c-bfd-std.mib HH3C-BFD-STD-MIB Added HH3C-BFD-STD-MIB
hh3c-ppp-over-sonet.mib HH3C-PPP-OVER-SONET-MIB
Added HH3C-PPP-OVER-SONET-MIB
rfc3815-mpls-ldp-std.mib MPLS-LDP-STD-MIB Added MPLS-LDP-STD-MIB
rfc4382-mpls-l3vpn-std.mib MPLS-L3VPN-STD-MIB Added MPLS-L3VPN-STD-MIB
hh3c-license.mib HH3C-LICENSE-MIB Added HH3C-LICENSE-MIB
hh3c-tunnel.mib HH3C-TUNNEL-MIB Added HH3C-TUNNEL-MIB
rfc5643-ospfv3.mib OSPFV3-MIB Added OSPFV3-MIB
rfc2981-disman-event.mib DISMAN-EVENT-MIB Added DISMAN-EVENT-MIB
hh3c-pvst.mib HH3C-PVST-MIB Added HH3C-PVST-MIB
hh3c-evi.mib HH3C-EVI-MIB Added HH3C-EVI-MIB
hh3c-l2vpn.mib HH3C-L2VPN-MIB Added HH3C-L2VPN-MIB
Modified
rfc4444-isis.mib ISIS-MIB
Modified description of
isisSysLevelMinLSPGenInt
rfc1213.mib RFC1213-MIB
Modified description of sysDescr and sysObjectID; Modified TAA description of sysObjectID; Modified index of ipv6InterfaceTable; Modified description of sysContact and sysLocation; Modified Access of ipAddressStorageType.
rfc4444-isis.mib ISIS-MIB
Modified description of isisRouterID, isisSysLevelTEEnabled, isisNextCircIndex, isisCirc3WayEnabled, isisCircExtendedCircID, isisISAdj3WayState and isisISAdjNbrExtendedCircID
rfc2465-ipv6.mib IPV6-MIB Modified description of ipv6IfDescr
hh3c-splat-mstp.mib HH3C-LswMSTP-MIB Modified description of hh3cdot1sStpForceVersion
rfc2933-igmp-std.mib IGMP-STD-MIB Modified description and PDS of IGMP-STD-MIB
rfc2863-if.mib IF-MIB Updated the rfc2863-if.mib from rfc2233-if.mib
hh3c-dns.mib HH3C-DNS-MIB Modified description of HH3C-DNS-MIB
hh3c-domain.mib HH3C-DOMAIN-MIB Modified description of HH3C-DOMAIN-MIB
hh3c-sys-man.mib HH3C-SYS-MAN-MIB Modified example of hh3cSysBtmLoadTable
hh3c-config-man.mib HH3C-CONFIG-MAN-MIB
Modified description of hh3cCfgLogTerminalUser and hh3cCfgLogCmdSrcAddress
rfc2933-igmp-std.mib IGMP-STD-MIB
Modified description of igmpInterfaceQueryMaxResponseTime, igmpInterfaceRobustness, igmpInterfaceLastMembQueryIntvl, mldInterfaceQueryMaxResponseDelay, mldInterfaceRobustness, mldInterfaceLastListenQueryIntvl;
Modified PDS of igmpCacheAddress, igmpCacheIfIndex, igmpCacheSelf, mldCacheAddress, mldCacheIfIndex, mldCacheSelf
rfc2925-disman-ping.mib DISMAN-PING-MIB
Modified description of pingCtlIfIndex;
Added pingProbeFailed, pingTestFailed, pingTestCompleted, hh3cNqaProbeTimeOverThreshold, hh3cNqaJitterRTTOverThreshold, hh3cNqaProbeFailure, hh3cNqaJitterPacketLoss, hh3cNqaJitterSDOverThreshold, hh3cNqaJitterDSOverThreshold, hh3cNqaICPIFOverThreshold, hh3cNqaMOSOverThreshold
rfc4133-entity.mib ENTITY-MIB Modified description of entPhysicalAlias, entPhysicalAssetID
hh3c-if-ext.mib HH3C-IF-EXT-MIB Modified description of HH3C-IF-EXT-MIB
hh3c-config-man.mib HH3C-CONFIG-MAN-MIB Modified description of HH3C-CONFIG-MAN-MIB
hh3c-trng2.mib HH3C-TRNG2-MIB Modified description of HH3C-TRNG2-MIB
rfc2925-disman-ping.mib DISMAN-PING-MIB Modified description of pingCtlTable
hh3c-ntp.mib HH3C-NTP-MIB Modified description of hh3cNTPSystemMIB
hh3c-entrelation.mib HH3C-ENTRELATION-MIB Modified description of hh3cEntRelationTable
hh3c-entity-ext.mib HH3C-ENTITY-EXT-MIB
Added hh3cEntityExtCpuUsageRecoverThreshold, hh3cEntityExtMemSizeRev, hh3cEntityExtCpuUsageIn1Minute, hh3cEntityExtCpuUsageIn5Minutes, hh3cEntityExtVoltageTable;
Modified description and relationship of hh3cEntityExtTemperatureThreshold; Modified description of hh3cEntityExtTemperature.
hh3c-ssh.mib HH3C-SSH-MIB Added hh3cSTelnetServerEnable, hh3cSCPServerEnable
hh3c-lsw-dev-adm.mib HH3C-LSW-DEV-ADM-MIB
Added hh3cLswSlotMemRev, hh3cLswSlotPhyMemRev, hh3cLswSlotRunTime and hh3cLswSlotMemUsedRev
hh3c-lsw-dev-adm.mib HH3C-LSW-DEV-ADM-MIB
Added hh3cLswCpuTable
hh3c-3gmodem.mib HH3C-3GMODEM-MIB Added hh3cLteInfoTable
hh3c-trap.mib HH3C-TRAP-MIB Modified description of hh3cTrapConfigSwitch
rfc2863-if.mib IF-MIB Modified description of ifOutQLen
hh3c-ip-address.mib HH3C-IP-ADDRESS-MIB Added hh3cIpAddrFirstTrapTime
rfc1471-ppp-lcp.mib PPP-LCP-MIB Modified description of pppLinkStatusBadFCSs
ieee8023-lag.mib IEEE8023-LAG-MIB Modified title of IEEE8023-LAG-MIB
hh3c-lag.mib HH3C-LAG-MIB Modified title of HH3C-LAG-MIB
hh3c-domain.mib HH3C-DOMAIN-MIB Modified description of hh3cDomainDefault and hh3cDomainName
hh3c-if-ext.mib HH3C-IF-EXT-MIB Added hh3cIfOperStatus and hh3cIfDownTimes
rfc5603-pw-enet-std.mib PW-ENET-STD-MIB Modified pwEnetTable
rfc5602-pw-mpls-std.mib PW-MPLS-STD-MIB Modified the module of PW-MPLS-STD-MIB
rfc5603-pw-enet-std.mib PW-ENET-STD-MIB Modified the table of PW-ENET-STD-MIB
table hh3cPosParamTable HH3C-PPP-OVER-SONET-MIB Only supports POS interfaces
hh3c-acl.mib HH3C-ACL-MIB
Modified hh3cAclNumberGroupTable, hh3cPfilterApplyTable, hh3cPfilterAclGroupRunInfoTable, hh3cPfilterStatisticSumTable and added the hh3cAclNamedGroupTable, hh3cAclIPAclNamedBscTable, hh3cAclIPAclNamedAdvTable, hh3cAclNamedMACTable, hh3cAclIntervalTable, hh3cAclNamedUserTable, hh3cPfilter2ApplyTable, hh3cPfilter2, hh3cPfilter2AclGroupRunInfoTable, hh3cPfilter2AclRuleRunInfoTable, hh3cPfilter2StatisticSumTable, hh3cAclNamedGroupTable
hh3c-stack.mib HH3C-STACK-MIB Modified description of hh3cStackTopology
rfc2819-rmon.mib RMON-MIB Modified description of default value in RMON-MIB
rfc4502-rmon.mib RMON2-MIB Modified description of default value in RMON2-MIB
lldp-ext-dot1-v2.mib LLDP-EXT-DOT1-V2-MIB
Removed lldpXdot1dcbxConfigETSConfigurationTable
lldpXdot1dcbxConfigETSRecommendationTable
lldpXdot1dcbxConfigPFCTable
lldpXdot1dcbxConfigApplicationPriorityTable
lldpXdot1dcbxLocETSBasicConfigurationTable
lldpXdot1dcbxLocETSConPriorityAssignmentTable
lldpXdot1dcbxLocETSConTrafficClassBandwidthTable
lldpXdot1dcbxLocETSConTrafficSelectionAlgorithmTable
lldpXdot1dcbxLocETSRecoTrafficClassBandwidthTable
lldpXdot1dcbxLocETSRecoTrafficSelectionAlgorithmTable
lldpXdot1dcbxLocPFCBasicTable
lldpXdot1dcbxLocPFCEnableTable
lldpXdot1dcbxLocApplicationPriorityAppTable
lldpXdot1dcbxRemETSBasicConfigurationTable
lldpXdot1dcbxRemETSConPriorityAssignmentTable
lldpXdot1dcbxRemETSConTrafficClassBandwidthTable
lldpXdot1dcbxRemETSConTrafficSelectionAlgorithmTable
lldpXdot1dcbxRemETSRecoTrafficClassBandwidthTable
lldpXdot1dcbxRemETSRecoTrafficSelectionAlgorithmTable
lldpXdot1dcbxRemPFCBasicTable
lldpXdot1dcbxRemPFCEnableTable
lldpXdot1dcbxRemApplicationPriorityAppTable
lldpXdot1dcbxAdminETSBasicConfigurationTable
lldpXdot1dcbxAdminETSConPriorityAssignmentTable
lldpXdot1dcbxAdminETSConTrafficClassBandwidthTable
lldpXdot1dcbxAdminETSConTrafficSelectionAlgorithmTable
lldpXdot1dcbxAdminETSRecoTrafficClassBandwidthTable
lldpXdot1dcbxAdminETSRecoTrafficSelectionAlgorithmTable
lldpXdot1dcbxAdminPFCBasicTable
lldpXdot1dcbxAdminPFCEnableTable
lldpXdot1dcbxAdminApplicationPriorityAppTable
CMW710-E0102
New
rfc5060-pim-std.mib PIM-STD-MIB Added PIM-STD-MIB
rfc5240-pim-bsr.mib PIM-BSR-MIB Added PIM-BSR-MIB
hh3c-qinqv2.mib HH3C-QINQV2-MIB Added HH3C-QINQV2-MIB
rfc3019-ipv6-mld.mibs IPV6-MLD-MIB Added IPV6-MLD-MIB
hh3c-lsw-dev-adm.mib HH3C-LSW-DEV-ADM-MIB
Added hh3cLswSlotMemRev, hh3cLswSlotPhyMemRev, hh3cLswSlotRunTime and hh3cLswSlotMemUsedRev
hh3c-nqa.mib HH3C-NQA-MIB Added HH3C-NQA-MIB
hh3c-posa.mib HH3C-POSA-MIB Added HH3C-POSA-MIB
Modified
rfc4444-isis.mib ISIS-MIB Modified description of isisSysLevelMinLSPGenInt
hh3c-entity-ext.mib HH3C-ENTITY-EXT-MIB
Modified description and relationship of hh3cEntityExtTemperatureThreshold
rfc1213.mib RFC1213-MIB Modified description of sysDescr and sysObjectID
rfc4444-isis.mib ISIS-MIB
Modified description of isisRouterID, isisSysLevelTEEnabled, isisNextCircIndex, isisCirc3WayEnabled, isisCircExtendedCircID, isisISAdj3WayState and isisISAdjNbrExtendedCircID
rfc2465-ipv6.mib IPV6-MIB Modified description of ipv6IfDescr
hh3c-splat-mstp.mib HH3C-LswMSTP-MIB Modified description of hh3cdot1sStpForceVersion
rfc2933-igmp-std.mib IGMP-STD-MIB Modified description and PDS of nodes in IGMP-STD-MIB
rfc4133-entity.mib ENTITY-MIB Modified description and PDS of entPhysicalAlias and entPhysicalAssetID
hh3c-posa.mib HH3C-POSA-MIB Modified description of hh3cPosaFcmIdleTimeout
rfc2863-if.mib IF-MIB Updated the rfc2863-if.mib from rfc2233-if.mib
CMW710-E0102
New
hh3c-ike-monitor.mib HH3C-IKE-MONITOR-MIB Added HH3C-IKE-MONITOR-MIB
hh3c-ike-monitor.mib HH3C-IPSEC-MONITOR-V2-MIB Added HH3C-IPSEC-MONITOR-V2-MIB
lldp-v2.mib LLDP-V2-MIB Added LLDP-V2-MIB
lldp-ext-dot1-v2.mib LLDP-EXT-DOT1-V2-MIB Added LLDP-EXT-DOT1-V2-MIB
lldp-ext-dot3-v2.mib LLDP-EXT-DOT3-V2-MIB Added LLDP-EXT-DOT3-V2-MIB
rfc2620-radius-acc-client.mib RADIUS-ACC-CLIENT-MIB Added RADIUS-ACC-CLIENT-MIB
rfc2618-radius-auth-client.mib RADIUS-AUTH-CLIENT-MIB Added RADIUS-AUTH-CLIENT-MIB
hh3c-domain.mib HH3C-DOMAIN-MIB Added HH3C-DOMAIN-MIB
hh3c-user.mib HH3C-USER-MIB Added HH3C-USER-MIB
hh3c-qos-capability.mib HH3C-QOS-CAPABILITY-MIB Added HH3C-QOS-CAPABILITY-MIB
rfc3621-power-ethernet.mib POWER-ETHERNET-MIB Added POWER-ETHERNET-MIB
hh3c-power-eth-ext.mib HH3C-POWER-ETH-EXT-MIB Added HH3C-POWER-ETH-EXT-MIB
rfc3814-mpls-ftn-std.mib MPLS-FTN-STD-MIB Added MPLS-FTN-STD-MIB
hh3c-dhcp4.mib HH3C-DHCP4-MIB Added HH3C-DHCP4-MIB
hh3c-dhcp-snoop2.mib HH3C-DHCP-SNOOP2-MIB Added HH3C-DHCP-SNOOP2-MIB
rfc2662-adsl-line.mib ADSL-LINE-MIB Added ADSL-LINE-MIB
rfc2819-rmon.mib RMON-MIB Added RMON-MIB
rfc4502-rmon.mib RMON2-MIB Added RMON2-MIB
hh3c-rmon-ext2.mib HH3C-RMON-EXT2-MIB Added HH3C-RMON-EXT2-MIB
rfc5132-ipmcast.mib IPMCAST-MIB Added IPMCAST-MIB
Modified
hh3c-common-system.mib HH3C-COMMON-SYSTEM-MIB Modified HH3C-COMMON-SYSTEM-MIB to V2.4
hh3c-splat-inf.mib HH3C-LswINF-MIB Modified HH3C-LswINF-MIB to V3.4
hh3c-infocenter.mib HH3C-INFO-CENTER-MIB Added hh3cICLogbufferContTable in HH3C-INFO-CENTER-MIB
hh3c-lsw-dev-adm.mib HH3C-LSW-DEV-ADM-MIB
Added hh3cLswSlotPktBufFree, hh3cLswSlotPktBufInit, hh3cLswSlotPktBufMin and hh3cLswSlotPktBufMiss in hh3cLswSlotTable
rfc2465-ipv6.mib IPV6-MIB Added ipv6RouteNumber, ipv6DiscardedRoutes and ipv6RouteTable
rfc2096-ip-forward.mib IP-FORWARD-MIB Added inetCidrRouteNumber, inetCidrRouteDiscards and inetCidrRouteTable
hh3c-config-man.mib HH3C-CONFIG-MAN-MIB Modified the description of hh3cCfgRunModifiedLast
hh3c-cbqos2.mib HH3C-CBQOS2-MIB
Modified the description of hh3cCBQoSPolicyClassNextIndex and hh3cCBQoSPolicyClassCfgInfoTable, and deleted hh3cCBQoSRedirectCfgInfoTable and hh3cCBQoSMirrorIfCfgInfoTable
rfc1213.mib RFC1213-MIB Modified the description of ipNetToMediaIfIndex
rfc3415-snmp-vacm.mib SNMP-VIEW-BASED-ACM-MIB Modified the description of vacmContextName
rfc2233-if.mib IF-MIB Modified the description of ifAlias
hh3c-common-system.mib HH3C-COMMON-SYSTEM-MIB
Modified the description of hh3cSysStatisticPeriod, hh3cSysSamplePeriod, hh3cSysTrapResendPeriod, hh3cSysTrapCollectionPeriod, hh3cSysSnmpPort, hh3cSysSnmpTrapPort, hh3cSysNetID, hh3cSysLastSampleTime, and modified the PDS of hh3cSysNetID
rfc1213.mib RFC1213-MIB Modified the description of sysDescr and sysObjectID
Operation changes
None
Restrictions and cautions
1. HPE's FXS does not support call transfers from an analog phone to Lync Server.
Open problems and workarounds
None
List of resolved problems
Resolved problems in CMW710-R0306P81
201611090368
Symptom: The total number of error packets displayed by the network management software differs from the number displayed on the CLI.
Condition: This symptom occurs when error packets uiAlignErrs and uiInDiscards are received.
201610280217
Symptom: The description command cannot be successfully executed when a PC running the Windows 10 operating system is used to configure the device.
Condition: This symptom might occur when the description command is executed on a PC running the Windows 10 operating system.
201611100317
Symptom: In a VXLAN network, the configured DSCP marking action does not take effect when a QoS policy for incoming packets is applied to the site-facing interface that hosts an AC.
Condition: This symptom occurs when a QoS policy for incoming packets is applied to the site-facing interface that hosts an AC in a VXLAN network.
201610280181
Symptom: Clients cannot log in to a device through IPv6 SSH and Telnet.
Condition: This symptom occurs when the following conditions are met:
The tcp syn-cookie enable command is executed.
The client is not connected to the device directly.
The device uses an IPv6 address.
201610280192
Symptom: L2TP clients go offline.
Condition: This symptom might occur when a user that uses an incorrect username or password sends authentication requests.
201609230618
Symptom: Traffic cannot be forwarded because ARP/ND entry issuing has failed.
Condition: This symptom might occur when a large number of ARP/ND entries are learned or age out.
201611170054
Symptom: The configuration on FXS interfaces gets lost and no call progress tone is played.
Condition: This symptom occurs when over three HMIM-16FXS modules are installed on the device.
201611080238
Symptom: AAA accounting fails because the device and the server use inconsistent session ID formats.
Condition: This symptom occurs when AAA authentication uses an old-version server whose accounting session ID format is incompatible with the ID format on the device.
201611070502
Symptom: CVE-2016-8858.
Condition: A vulnerability was reported in OpenSSH. A remote user can send specially crafted data during the key exchange process to trigger a flaw in kex_input_kexinit() and consume excessive memory on the target system. This can be exploited to consume up to 384 MB per connection.
201610260739
Symptom: In an MPLS over GRE network, the device acts as a P device, and packet loss occurs when two CE devices ping each other.
Condition: This symptom might occur when two CE devices are connected through a service provider network.
201610260505
Symptom: The memory usage of the device continues to increase.
Condition: This symptom occurs when a GRE tunnel with TCP MSS set forwards fragmented packets.
201611250487
Symptom: URL redirection configured for EAD assistant does not take effect.
Condition: None.
Resolved problems in CMW710-R0306P80
201609270202
Symptom: Long ping response delay occurs when no SIM card is installed in the SIC-3G module that uses the EM660 modem chip.
Condition: This symptom might occur if no SIM card is installed in the SIC-3G module that uses the EM660 modem chip.
201603110069
Symptom: When the speed is set to 100 Mbps for a fiber port that uses a 1000-Mbps transceiver module, the LED of the port turns yellow or off.
Condition: This symptom might occur if the speed is set to 100 Mbps for a fiber port that uses a 1000-Mbps transceiver module.
201609220199
Symptom: A 4G router cannot access an LNS through 3G dialup.
Condition: This symptom might occur if a 4G router accesses an LNS through 3G dialup.
201610170407
Symptom: When multicast VPN is configured on the router, a switching module does not forward packets that are received from a Layer 3 interface.
Condition: This symptom might occur if multicast VPN is configured on the router, and the incoming interface of traffic is a Layer 3 interface.
201610190490
Symptom: The router can be pinged only within a short period of time after startup.
Condition: This symptom might occur if the following conditions exist:
After negotiation, the speed and duplex mode of interfaces on an SIC-4FSW or SIC-9FSW module are set to 100 Mbps and half duplex.
The module receives Layer 3 packets between 61 and 1536 bytes long at 10 Mbps and forwards the packets through VLAN interfaces.
201607230235
Symptom: The router cannot operate correctly when multiple GRE tunnels and one IPsec over GRE tunnel are forwarding traffic.
Condition: This symptom might occur if multiple GRE tunnels and one IPsec over GRE tunnel are set up.
201607020116
Symptom: When a Telnet user logs in to the router by using a username longer than 253 bytes, memory might be exhausted, and the router might reboot unexpectedly.
Condition: This symptom might occur if SNMP and trap notifications are enabled, and a Telnet user logs in to the router by using a username longer than 253 bytes.
201606010250
Symptom: A voice VLAN-enabled Layer 2 interface fails to forward VLAN-tagged traffic.
Condition: This symptom might occur if the source MAC addresses of the received traffic belong to voice VLANs, but the VLAN tags are for non-voice VLANs.
201604280054
Symptom: QoS cannot correctly collect traffic statistics on an IRF fabric.
Condition: This symptom might occur if a rate limiting template is configured for portal users on an IRF fabric.
201609210481
Symptom: SSH login fails when accounting is enabled and no accounting server is specified.
Condition: This symptom might occur if SSH login is performed when accounting is enabled without any accounting server specified.
201609060727
Symptom: BFD MAD does not take effect on two connected IRF fabrics.
Condition: This symptom might occur if BFD MAD is configured on two connected IRF fabrics, and the IRF fabrics can receive BFD detection packets from each other.
201608110527
Symptom: PPPoE clients cannot come online if the PPPoE server uses the DHCP address pool of a local DHCP server for address assignment.
Condition: This symptom might occur if the PPPoE server uses the DHCP address pool of a local DHCP server for address assignment.
201607290325
Symptom: CVE-2016-1409
Condition: The Neighbor Discovery (ND) protocol implementation in the IPv6 stack in Cisco IOS XE 2.1 through 3.17S, IOS XR 2.0.0 through 5.3.2, and NX-OS allows remote attackers to cause a denial of service (packet-processing outage) via crafted ND messages, aka Bug ID CSCuz66542, as exploited in the wild in May 2016.
201604210076
Symptom: Execution of RSSI commands fails on a distributed router after the router reboots with a configuration file.
Condition: This symptom might occur if RSSI commands are executed on a distributed router that has rebooted with a configuration file.
201609220670
Symptom: The router cannot operate correctly when a Layer 3 interface is changed to a Layer 2 interface during traffic forwarding.
Condition: This symptom might occur if a Layer 3 interface is changed to a Layer 2 interface during traffic forwarding.
201607290311
Symptom: CVE-2016-2177
Condition: OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.
201606280170
Symptom: PBR does not take effect when it is configured after the router starts up without any configuration file.
Condition: This symptom might occur if PBR is configured after the router starts up without any configuration file.
201607250050
Symptom: RBAC does not define access control for the ip load-sharing local-first enable command.
Condition: This symptom might occur if the ip load-sharing local-first enable command is configured, and trace logs are displayed.
201610170025
Symptom: The router cannot provide services when IPsec is enabled.
Condition: This symptom might occur if the following conditions exist:
a. IPsec is configured on the router.
b. Multiple data flows trigger IKE SA negotiations simultaneously, and the negotiations fail.
201609260311
Symptom: Incorrect PVST status causes broadcast storms.
Condition: This symptom might occur if the following conditions exist:
A PVST-enabled VLAN is deleted.
The stpd process is restarted, or the stpd process restarts during patch installation.
201610180122
Symptom: When QoS policy nesting is configured on an interface, long ping response delay occurs.
Condition: This symptom might occur if QoS policy nesting is configured on an interface, and GTS is configured in the parent policy.
201609260288
Symptom: When global password control is enabled, an SSH user cannot log in after multiple login failures.
Condition: This symptom might occur if global password control is enabled, and an SSH user logs in repeatedly by using a correct username and an incorrect password.
201609230633
Symptom: Installation of a patch or devkit package takes more than 40 minutes or fails.
Condition: This symptom might occur if a patch or devkit package is installed.
201608030540
Symptom: The router cannot forward MPLS L3VPN traffic correctly after the vpn popgo command is executed.
Condition: This symptom might occur if MPLS L3VPN is configured on the router, and the vpn popgo command is executed.
201607290305
Symptom: CVE-2012-0036
Condition: Curl and libcurl 7.2x before 7.24.0 do not properly consider special characters during extraction of a pathname from a URL, which allows remote attackers to conduct data-injection attacks via a crafted URL, as demonstrated by a CRLF injection attack on the (1) IMAP, (2) POP3, or (3) SMTP protocol.
Resolved problems in CMW710-R0306P70
201608120148
Symptom: The ICCID information for a 3G modem is not displayed in the display cellular command output.
Condition: None.
201608240033
Symptom: The diagnostic and monitoring (DM) feature is not available for ports on a SIC-4G-LTE card.
Condition: None.
201608190032
Symptom: Profile 3 cannot be used by 4G modem for dialup.
Condition: None.
201608290384
Symptom: The CPU usage of an MSR router reaches 50 percent and the delay of audio signals increases.
Condition: This symptom occurs if 12 concurrent calls exist on the MSR router.
201608250025
Symptom: LEDs on the 8GSW card installed in an MSR5660 device cannot operate correctly.
Condition: None.
201609060155
Symptom: Ports on an 8GEE card of an MSR router cannot forward traffic.
Condition: This symptom might occur if the 8GEE card is used in a VRRP network.
201609050247
Symptom: An MSR2004 router runs out of memory after a certain period of use.
Condition: This symptom occurs if a VLAN interface is created on the MSR3600 router and the actual forwarding speed of the VLAN interface is higher than the set speed 10 Mbps.
201608300072
Symptom: Portal authentication cannot correctly control user access to the network after users switch to different VLANs.
Condition: None.
201608290529
Symptom: CVE-2009-3238
Condition: The get_random_int function in drivers/char/random.c in the Linux kernel before 2.6.30 produces insufficiently random numbers, which allows attackers to predict the return value, and possibly defeat protection mechanisms based on randomization, via vectors that leverage the function's tendency to "return the same value over and over again for long stretches of time."
201607190451
Symptom: The CLI of an MSR router hangs.
Condition: This symptom occurs if the following conditions exist:
LLDP and 802.1X authentication are enabled on the MSR router.
A port is configured to be shut down upon receiving an illegal frame.
An IP phone fails 802.1X authentication and triggers intrusion protection.
201605200138
Symptom: An MSR router does not support EAD quick deployment. However, no error message is displayed when EAD quick deployment is configured on a 9FSW card installed in the router.
Condition: None.
201607190461
Symptom: An MSR router cannot work with a Cisco NX9000 switch in an IS-IS network.
Condition: None.
201608110387
Symptom: The BGP NSR status of a two-MPU router is not correct, and the status cannot recover.
Condition: This symptom occurs if the memory threshold is reached during an active/standby switchover.
201608160017
Symptom: Ports on the MSR device are always in loopback state.
Condition: This symptom occurs if an external loopback test is performed on a card configured with PPP.
201608090279
Symptom: No voices but only signals are exchanged in the channels for voice services.
Condition: This symptom occurs if PPP compression and VAD are used during satellite link switchover for VHF services.
201607260049
Symptom: The country mode for call progress tones does not take effect on a voice card of an MSR router.
Condition: This symptom occurs if call progress tones are changed to non-default ones.
201607010523
Symptom: An MSR router in a full-mesh mGRE network reboots unexpectedly.
Condition: This symptom occurs if an aggregate interface is used as the mGRE tunnel interface and the port link modes of member ports in the aggregation group are changed.
201606280148
Symptom: In an MSR IRF fabric, errors exist in VLAN-instance mappings and STP status on ports cannot be correctly set.
Condition: This symptom occurs if the following conditions are met:
a. The spanning tree mode on the IRF fabric is PVST.
b. VLANs are created in the ascending order of VLAN IDs and then some VLANs are deleted. Or, VLANs are not created in the ascending order of VLAN IDs. For example, create VLAN 10 and then create 5.
c. An interface card on the IRF fabric is rebooted.
d. An IRF master/subordinate switchover occurs. Or, the STP process restarts because a patch is installed or uninstalled or an ISSU is performed.
201607180362
Symptom: The AAA NAS-ID profile configuration on an MSR router does not take effect after the router reboots.
Condition: This symptom occurs if the running configuration is saved and the router is rebooted.
201607190489
Symptom: Stream media services are interrupted, because NAT 444 does not create correct entries for RTSP traffic.
Condition: This symptom occurs if the service client instead of the server initiates the service negotiation.
201607280123
Symptom: Fast forwarding does not take effect on a one-armed MSR router.
Condition: This symptom occurs if the one-armed router uses the same Layer 3 interface to perform traffic forwarding. For example, VLAN-interface 361 is configured with a primary interface and secondary interfaces. Traffic arrives at VLAN-interface 361 and then is forwarded out of VLAN-interface 361.
Resolved problems in CMW710-R0306P52
201605260540
Symptom: After the APN-profile is configured, only the authentication mode is modified, but the configuration does not take effect.
Condition: None.
201606200046
Symptom: The device reboots unexpectedly.
Condition: This symptom occurs if the device acts as an SSL VPN gateway and the user logs into the device through the Web interface.
201606290087
Symptom: The device reboots because of memory leak.
Condition: This symptom occurs if the SIM card is absent or fails on the 4G interface.
201605300494
Symptom: 802.1X authentication on the SIC-4FSW/DSIC-9FSW cards fails. Layer 2/Layer 3 forwarding is performed without authentication.
Condition: This symptom occurs if the EAD assistant feature is configured on the SIC-4FSW/DSIC-9FSW cards.
201605060278
Symptom: The system fails to obtain the next startup configuration file through MIB.
Condition: None.
201603040253
Symptom: When both voice VLAN and MAC authentication are configured on an interface, MAC authentication is also performed for packets with OUI addresses.
Condition: None.
201605040492
Symptom: When an SSL client policy is configured, the configuration takes effect only after you disable SSL session renegotiation, save the configuration, and reboot the device.
Condition: None.
201604150420
Symptom: If the MAC address of data packets is learned in a voice VLAN, the packets are not forwarded.
Condition: This symptom occurs if the source MAC address of the data packets is an OUI address and the VLAN tag of the packets is not the voice VLAN.
201605260553
Symptom: The PIM process exits exceptionally.
Condition: This symptom occurs if the PIM DM mode is used to create 32K entries and an outgoing interface is configured as the multicast forwarding boundary.
201606070297
(1) Symptom: CVE-2016-2105
(1) Condition: Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.
(2) Symptom: CVE-2016-2106
(2) Condition: Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data.
(3) Symptom: CVE-2016-2107
(3) Condition: The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.
(4) Symptom: CVE-2016-2108
(4) Condition: The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue.
(5) Symptom: CVE-2016-2109
(5) Condition: The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.
(6) Symptom: CVE-2016-2176
(6) Condition: The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.
201605200360
Symptom: A voice call fails.
Condition: This symptom occurs if the longest match is configured and the dialed number is a short number.
201605030252
Symptom: An L2TP user fails to come online through dialup.
Condition: This symptom occurs if the device acts as an LNS and the idle-timeout assigned by the AAA server is 0.
201606290046
Symptom: When the RADIUS server remotely assigns an address, you must configure an IKE address pool.
Condition: None.
201605030237
Symptom: When IKE local extended authentication and address authorization are configured, the configuration in an old version is incompatible with the configuration in a new version.
Condition: None.
201511200124
Symptom: An E1/T1 interface still processes RAI alarms when RAI detection is disabled on the interface.
Condition: None.
201606280531
Symptom: An HMIM-2/4/8E1T1 (-F) card fails to start up.
Condition: This symptom occurs if the device is powered off when the card updates the logic.
201607020231
Symptom: The device reboots unexpectedly because of memory exhaustion.
Condition: This symptom occurs if a user telnets to the device by using a username longer than 127 bytes.
201606290412
Symptom: An interface on which the maximum number of secure MAC addresses is limited goes down when forwarding traffic.
Condition: This symptom might occur if the maximum number of secure MAC addresses set on the interface is small.
201607010400
Symptom: The free-rule 1 source any configuration is added to the configuration file after the device reboots.
Condition: This symptom occurs if the device starts up with a .cfg startup configuration file.
201607010364
Symptom: Portal users can come online through an interface with portal authentication disabled, but the status of portal users is not correct.
Condition: None.
201607150110
Symptom: A busy error occurs when an asynchronous serial interface operating in flow mode reversely telnets to the device.
Condition: This symptom occurs if the asynchronous serial interface reversely telnets to the device when it is enabled with terminal service.
201607040302
(1) Symptom: CVE-2016-4953
(1) Condition: Fixed a vulnerability in NTP 4.x before 4.2.8p8 that allows remote attackers to cause a denial of service by sending a spoofed packet with incorrect authentication data at a certain time.
(2) Symptom: CVE-2016-4954
(2) Condition: Fixed a vulnerability in ntpd in NTP 4.x before 4.2.8p8 that allows remote attackers to cause a denial of service by sending spoofed packets from source IP addresses in a certain scenario.
(3) Symptom: CVE-2016-4956
(3) Condition: Fixed a vulnerability in NTP 4.x before 4.2.8p8 that allows remote attackers to cause a denial of service via a spoofed broadcast packet.
201605060581
(1) Symptom: CVE-2015-8138
(1) Condition: Fixed a vulnerability in ntpd through which attackers may be able to disable time synchronization by sending a crafted NTP packet to the NTP client.
(2) Symptom: CVE-2015-7979
(2) Condition: Fixed a vulnerability in ntpd that allows attackers to send specially crafted broadcast packets to broadcast clients, which may cause the affected NTP clients to become out of sync over a longer period of time.
(3) Symptom: CVE-2015-7974
(3) Condition: Fixed a vulnerability in NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 that might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key.
(4) Symptom: CVE-2015-7973
(4) Condition: Fixed a vulnerability where, when NTP is configured in broadcast mode, a man-in-the-middle attacker or a malicious client could replay packets received from the broadcast server to all (other) clients, which causes the time on affected clients to become out of sync over a longer period of time.
201605180120
Symptom (1): CVE-2016-1547
Condition (1): Fixed a vulnerability where an off-path attacker can deny service to ntpd clients by demobilizing preemptable associations using spoofed crypto-NAK packets.
Symptom (2): CVE-2016-1548
Condition (2): Fixed a vulnerability where an attacker can change the time of an ntpd client or deny service to an ntpd client by forcing it to change from basic client/server mode to interleaved symmetric mode.
Symptom (3): CVE-2016-1550
Condition (3): Fixed a vulnerability in an ntpd function that allows an attacker to conduct a timing attack to compute a valid authentication digest, causing forged packets to be accepted by ntpd.
Symptom (4): CVE-2016-1551
Condition (4): Fixed a vulnerability in ntpd that allows unauthenticated network attackers to spoof refclock packets to ntpd processes on systems that do not implement bogon filtering.
Symptom (5): CVE-2016-2519
Condition (5): Fixed a vulnerability where ntpd aborts if an attempt is made to read an oversized value.
Symptom (6): CVE-2015-7704
Condition (6): Fixed a vulnerability in ntpd that a remote attacker could use to send a packet to an ntpd client that increases the client's polling interval value, effectively disabling synchronization with the server.
201607140270
Symptom: A user fails to dial up by using a POS terminal.
Condition: This symptom occurs if the SoftX device sends, in order, an 18x response with an SDP, a 180 response without an SDP, and a 200 OK response without an SDP. The media between the devices is not connected, so fax or modem switchover fails.
201607080214
Symptom: When SIP session refresh using re-INVITE requests is enabled, calls are cut off at about 3 minutes.
Condition: This symptom might occur if SIP session refresh using re-INVITE requests is enabled.
201607130473
Symptom: When command accounting is enabled for a Telnet user that passes TACACS authentication, commands take a long time to execute.
Condition: This symptom might occur if one of the following conditions exists:
The router does not have connectivity to the TACACS server.
The TACACS server does not respond to accounting requests.
The network has great latency.
201607140274
Symptom: Both the calling party and the called party are silent during a call established between the device and a SoftX device.
Condition: This symptom occurs if the SoftX device sends, in order, an 18x response with an SDP, a 180 response without an SDP, and a 200 OK response without an SDP. The media between the devices is not connected, so neither party can hear the other.
201607120078
Symptom: When a TTY user logs in through an asynchronous serial interface of an SIC-16AS card, the user connection is not terminated after the idle timeout, the user cannot be forcibly logged off, and reverse Telnet is unavailable.
Condition: This symptom might occur if the following conditions exist:
The flow mode is enabled for the asynchronous serial interface.
The undo shell command is not configured for the user line.
The interface goes down when receiving and sending data.
201608230032
Symptom: An MSR3012 router reboots unexpectedly.
Condition: This symptom might occur if an HMIM-8E1T1 card with CPLD version 7.0 is hot plugged into the MSR3012 router when the router is being powered on.
Resolved problems in CMW710-R0306P30
201603140497
Symptom: An MSR2003 router displays the message "Watchdog timeout ==MSR2003 Reboot with CW7 e0402l10" if GRE over IPsec runs on a subinterface and MPLS L3VPN settings are configured on the GRE tunnel interface.
Condition: This symptom might occur if GRE over IPsec runs on a subinterface and MPLS L3VPN settings are configured on the GRE tunnel interface.
201604200661
Symptom: When the full duplex mode is configured and the speed is set to 1000 Mbps for a Layer 2 interface on an SIC-4GSW card, the interface cannot come up or uses an incorrect duplex mode.
Condition: This symptom might occur if the full duplex mode is configured and the speed is set to 1000 Mbps for a Layer 2 interface on an SIC-4GSW card.
201604280272
Symptom: On a China Telecom 3G interface, when the EVDO mode is enabled, an hh3c3GRssiWeakSignalTrap notification for the CDMA-1x RTT mode is falsely generated. When the CDMA-1x RTT mode is enabled, an hh3c3GRssiWeakSignalTrap notification for the EVDO mode is falsely generated.
Condition: None.
201604220195
Symptom: Modem dialups fail on FXS, FXO, E&M, and BSV cards when modem pass-through and fax pass-through are enabled.
Condition: This symptom might occur if modem pass-through and fax pass-through are enabled.
201604220017
Symptom: When the receiving power and transmitting power of a transceiver module change, the corresponding values in the MIB are not updated promptly.
Condition: None.
201603140402
Symptom: The router provides 4G dialup services to an LTE network with two LNSs. When the primary LNS fails, services are not switched to the standby LNS.
Condition: None.
201604260058
Symptom: The error packet suppression feature is removed.
Condition: None.
201605060432
Symptom: The format of POSA hello messages is incorrect, and the handshaking feature does not take effect.
Condition: None.
201512230234
Symptom: In a dynamic link aggregation group, an Ethernet subinterface is not Selected after certain operations are performed.
Condition: This symptom might occur if the following operations are performed:
a. Create a dynamic link aggregation group and assign an Ethernet subinterface to the group.
b. Delete the link aggregation group.
c. Re-create the link aggregation group and assign the Ethernet subinterface to the group.
201604110398
Symptom: CVE-2016-2842
Condition: Fixed a vulnerability in the doapr_outch function in crypto/bio/b_print.c in OpenSSL that allows remote attackers to cause a denial of service (out-of-bounds write or memory consumption) or possibly have unspecified other impact via a long string.
201603230025
Symptom (1): CVE-2016-0705
Condition (1): Fixed a vulnerability in OpenSSL parsing of malformed DSA private keys that could lead to a DoS attack or memory corruption for applications that receive DSA private keys from untrusted sources.
Symptom (2): CVE-2016-0798
Condition (2): Fixed a vulnerability in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g that allows remote attackers to cause a denial of service (memory consumption) by providing an invalid username in a connection attempt.
Symptom (3): CVE-2016-0797
Condition (3): Fixed a vulnerability in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g that allows remote attackers to cause a denial of service (heap memory corruption or NULL pointer dereference).
Symptom (4): CVE-2016-0799
Condition (4): Fixed a vulnerability in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g that improperly calculates string lengths, which allows remote attackers to cause a denial of service through memory allocation failure or memory leaks.
Symptom (5): CVE-2016-0702
Condition (5): Fixed a vulnerability in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g that makes it easier for local users to discover RSA keys by leveraging cache-bank conflicts, aka a "CacheBleed" attack.
201603170257
Symptom (1): CVE-2016-0701
Condition (1): The DH_check_pub_key function in crypto/dh/dh_check.c in OpenSSL 1.0.2 before 1.0.2f does not ensure that prime numbers are appropriate for Diffie-Hellman (DH) key exchange, which makes it easier for remote attackers to discover a private DH exponent by making multiple handshakes with a peer that chose an inappropriate number, as demonstrated by a number in an X9.42 file.
Symptom (2): CVE-2015-3197
Condition (2): ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not prevent use of disabled ciphers, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by performing computations on SSLv2 traffic, related to the get_client_master_key and get_client_hello functions.
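The CVE-2016-0701 entry above comes down to one missing check: when the DH prime p is not a safe prime, p-1 has small factors, and a peer can send a public value that lies in a tiny subgroup. Each handshake then leaks the victim's private exponent modulo that small factor. The following is an added illustration written for these release notes; it is not HPE code and not the OpenSSL source. It implements the subgroup-membership test that DH_check_pub_key has to perform (1 < y < p-1, and y^q == 1 mod p when the subgroup order q is known), shows the leak when the test is skipped, and uses deliberately tiny constructed primes (607 and 1019) so it runs instantly.

```python
"""Small-subgroup confinement check for DH public values (added example;
toy-sized primes, constructed for illustration only)."""
from typing import List, Optional


def is_prime(n: int) -> bool:
    # Trial division is enough for the toy moduli used here; production
    # code would use a probabilistic primality test such as Miller-Rabin.
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def is_safe_prime(p: int) -> bool:
    """p is 'safe' when (p-1)/2 is also prime: the only subgroups then have
    order 1, 2, (p-1)/2 or p-1, so a peer cannot confine the shared secret
    to a small subgroup."""
    return is_prime(p) and is_prime((p - 1) // 2)


def dh_check_pub_key(p: int, y: int, q: Optional[int] = None) -> List[str]:
    """Return the reasons a peer's public value y must be rejected.
    This is the check DH_check_pub_key is responsible for: range test, and
    when the subgroup order q is known, membership test y^q == 1 (mod p)."""
    problems = []
    if not 1 < y < p - 1:
        problems.append("pub key out of range")
    if q is not None and pow(y, q, p) != 1:
        problems.append("pub key not in the order-q subgroup")
    return problems


def small_order_element(p: int, r: int) -> int:
    """Attacker's helper: an element of order r, for a factor r of p-1."""
    assert (p - 1) % r == 0
    for h in range(2, p):
        y = pow(h, (p - 1) // r, p)
        if y != 1:
            return y  # y^r == h^(p-1) == 1 and y != 1, so order is r
    raise ValueError("no element of order r")


def recover_secret_mod_r(p: int, y: int, r: int, shared: int) -> int:
    """With y of order r, the victim's y^x mod p takes only r values, so
    x mod r falls out of a brute-force search over r candidates."""
    for s in range(r):
        if pow(y, s, p) == shared:
            return s
    raise ValueError("no match")


def demo() -> dict:
    # Constructed toy group: p = 607 is prime but p-1 = 2*3*101, so it is
    # NOT a safe prime. Honest parties intend to use the order-101 subgroup.
    p, q = 607, 101
    assert is_prime(p) and not is_safe_prime(p)
    x = 58  # victim's private exponent (constructed)
    y_bad = small_order_element(p, 3)  # attacker's public value, order 3
    # Unfixed behaviour: without the subgroup check, y_bad is accepted...
    accepted_unchecked = dh_check_pub_key(p, y_bad) == []
    shared = pow(y_bad, x, p)  # ...and the victim derives a key from this
    leaked = recover_secret_mod_r(p, y_bad, 3, shared)
    # Fixed behaviour: with q supplied, y_bad is rejected before use.
    rejected = dh_check_pub_key(p, y_bad, q)
    return {
        "accepted_unchecked": accepted_unchecked,
        "leaked_x_mod_3": leaked,
        "x_mod_3": x % 3,
        "rejected_reasons": rejected,
        "safe_prime_1019": is_safe_prime(1019),  # 1019 = 2*509 + 1
    }


if __name__ == "__main__":
    print(demo())
```

The practical takeaway for an operator is the second half of the check: verifying the prime alone is not enough, the peer's public value must also be confirmed to lie in the intended subgroup, or the group must be a safe prime so that no small subgroup exists.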
201605040142
Symptom: IKE SA setup fails with the message "Number of negotiating IKE SAs exceeded the limit" after certain operations are performed.
Condition: This symptom might occur if the IKE keychain settings at the two ends of an IKE SA are inconsistent and the IKE SA is repeatedly created and deleted.
201604260409
Symptom: IPv6 policy-based routing does not take effect.
Condition: None.
201604280185
Symptom: A device using non-standard protocols might drop the frames sent by the router when the frames are VLAN-tagged and 64 bytes long (including padding and CRC).
Condition: None.
201604260624
Symptom: After a port goes down, the FIB entry for a direct route that contains the port is deleted after a delay of 20 seconds.
Condition: This symptom might occur if the router keeps forwarding traffic matching the direct route.
201604180578
Symptom: The router does not process R2 B3 messages and forwards a wrong B message to a PBX when receiving a SIP 410 message.
Condition: None.
201602180272
Symptom: An incorrect PSTN cause code is returned for an ISDN link down event.
Condition: None.
201605040146
Symptom: The undo mac-address dynamic mac-address vlan vlan-id command cannot delete a dynamic MAC address entry.
Condition: None.
201603220579
Symptom: An MFR subinterface cannot forward traffic if the PVC is deleted at one end of the link or the type of the PVC is modified from dynamic to static on the DTE.
Condition: This symptom might occur if the PVC of an MFR subinterface is deleted on one end of the link or the type of the PVC is modified from dynamic to static on the DTE.
201605100011
Symptom: NetStream has incorrect outgoing traffic statistics for an interface if the interface forwards traffic from an IP network to an MPLS network.
Condition: This symptom might occur if an interface forwards traffic from an IP network to an MPLS network.
201605160128
Symptom: The router sends a wrong Release Cause code in a no pickup call.
Condition: None.
201605130382
Symptom: An incorrect PSTN cause code results in an incorrect SIP status code.
Condition: None.
201604290522
Symptom: Mirrored packets from a Layer 3 mirroring source port might carry an incorrect IP version value.
Condition: None.
201603140262
Symptom: On an MSR4000 router, a GRE tunnel goes down because the router does not receive GRE keepalive responses from the peer.
Condition: This symptom might occur if the router can receive GRE keepalive requests from the peer, but no GRE keepalive responses are received.
201604090478
Symptom: On a voice VLAN-enabled Layer 2 port, MAC address entries of a non-voice VLAN age out even when the port constantly receives traffic of the non-voice VLAN.
Condition: None.
201605260501
Symptom: After the debugging physical card e1posdm calling command is executed in probe view, the undo form of the command does not take effect.
Condition: None.
201606060042
Symptom: A call is disconnected 30 seconds after a user places the call on hold.
Condition: This symptom occurs if the router does not send an RTCP message to the Lync server within 30 seconds.
Resolved problems in CMW710-R0306P12
201602290360
Symptom: After a .cfg configuration file is used to restore the configuration of the router, OSPF sessions that are not configured with a router ID do not use the global router ID.
Condition: This symptom might occur if a .cfg configuration file is used to restore the configuration of the router.
201604010161
Symptom: MAC address entries age out on a voice VLAN-enabled Layer 2 interface when the interface has been forwarding traffic to and from the corresponding MAC addresses.
Condition: This symptom might occur if voice VLAN is enabled on a Layer 2 interface.
201604130088
Symptom: On an MSR4000 router, interfaces remain in discarding state after spanning tree is globally enabled.
Condition: This symptom might occur if spanning tree is globally enabled on an MSR4000 router.
201604090420
Symptom: The QoS policy configuration issued by IMC contains incorrect parameters for the CAR action of a traffic behavior.
Condition: None.
201603050111
Symptom: After voice VLAN is enabled, and the router is rebooted, the priority of voice VLAN packets is incorrect.
Condition: This symptom might occur if voice VLAN is enabled, and the router is rebooted.
201512310070
Symptom: CVE-2015-3194
Condition: Certificate verify crash with missing PSS parameter.
Symptom: CVE-2015-3195
Condition: X509_ATTRIBUTE memory leak.
Symptom: CVE-2015-3196
Condition: Race condition handling PSK identity hint.
Symptom: CVE-2015-1794
Condition: Anon DH ServerKeyExchange with 0 p parameter.
201603160152
Symptom: Aggressive IKE negotiation fails for specific Android phones, for example, phones running Android 5.1.1.
Condition: This symptom might occur if the router authenticates specific Android phones.
201511160131
Symptom: POS terminal listening fails if the listening port or the adjacent ports are used by other applications.
Condition: This symptom might occur if the POS terminal listening port or the adjacent ports are used by other applications.
201604060109
Symptom: The 4G MIB is inaccessible.
Condition: None.
201604230042
Symptom: IMC SNMP cannot automatically discover LNS IP addresses.
Condition: None.
201603140262
Symptom: A GRE tunnel goes down unexpectedly.
Condition: This symptom might occur if the router and its peer send keepalive packets to each other, but the router does not receive any keepalive acknowledgment packet from the peer.
Resolved problems in CMW710-R0306P11
201602290064
Symptom: After the pre-shared key is modified, IKE negotiation fails, and the router displays the "2th byte of the structure ISAKMP Identification Payload must be 0" message.
Condition: This symptom might occur if the old pre-shared key is not deleted when the new key is set.
201602170270
Symptom: On a CDMA-1xRTT/CDMA-EVDO network, 3G VPDN access fails if the mode of the SIC-4G-LTE module is switched to 3G.
Condition: This symptom might occur if the mode of the SIC-4G-LTE module is switched to 3G.
201601260255
Symptom: After the router reboots, BFD sessions cannot be set up on subinterfaces that are in an aggregation group.
Condition: This symptom might occur if the router reboots.
201603150157
Symptom: IMC obtains incorrect packet statistics for Layer 2 interfaces on an MSR2004-24 router.
Condition: This symptom might occur if IMC reads the packet statistics on Layer 2 interfaces of an MSR2004-24 router.
201602260225
Symptom: An interface on an SIC-4/9FSW module cannot send broadcast traffic in its VLAN after certain operations are performed.
Condition: This symptom might occur if the following operations are performed:
a. Enable STP globally, and form a loop on an interface of an SIC-4/9FSW module.
b. Remove the blocked interface from its VLAN.
c. Disable STP globally, and assign the interface to its original VLAN.
201602260270
Symptom: The router does not display the command execution result after AT commands are manually executed.
Condition: None.
201603110385
Symptom: The router does not send a trap message after a warm or cold reboot.
Condition: This symptom might occur if a warm or cold reboot is performed.
201603240091
Symptom: Dialup fails if a 4G module is operating in 3G mode.
Condition: This symptom might occur if the following operations are performed:
a. Install a 4G SIM card in a 4G module.
b. Set the mode of the 4G module to 3G, and reboot the module.
201603100323
Symptom: When a portal preauthentication domain and MAC-based quick portal authentication are used together, authorization attributes in the preauthentication domain do not take effect on preauthentication users.
Condition: This symptom might occur if a portal preauthentication domain and MAC-based quick portal authentication are used together, and MAC-based quick portal authentication is triggered when preauthentication users access the network.
201601210332
Symptom: After a subcard is removed and the router is rebooted, the interface indexes for the subcard change in the MIB.
Condition: This symptom might occur if a subcard is removed and the router is rebooted.
201601180511
Symptom: When OpenFlow is enabled, application layer processing is slow and packet loss occurs.
Condition: This symptom might occur if OpenFlow is enabled.
201603290254
Symptom: The router reboots unexpectedly if it has 4 GB of memory.
Condition: This symptom might occur if the router has 4 GB of memory.
201602290118
Symptom: The route filtering settings of RIP processes running in VPNs are lost after the running configuration is saved and the router is rebooted.
Condition: This symptom might occur if one of the following operations is performed:
Upgrade the software and reboot the router.
Use a .cfg configuration file when rebooting the router.
201602260072
Symptom: An L2TP LAC does not have uplink traffic statistics for users.
Condition: None.
201602200075
Symptom: PPPoE clients fail to come online when the router acts as the PPPoE server if the DNS server IP address is an IPCP configuration option in IPCP negotiation.
Condition: This symptom might occur if the DNS server IP address is an IPCP configuration option in IPCP negotiation.
201602010352
Symptom: When network congestion occurs, high-priority packets are dropped on a CBQ-enabled MP link.
Condition: This symptom might occur if CBQ is configured for an MP link, and network congestion occurs.
201602150740
Symptom: 4G dialup fails if an APN profile specifies the username and password.
Condition: This symptom might occur if an APN profile specifies the username and password for 4G dialup.
201604060109
Symptom: No information can be obtained from the 4G MIB.
Condition: None.
201604070435
Symptom: An HMIM module might drop packets or stop forwarding traffic.
Condition: None.
201604130088
Symptom: When STP is globally enabled on a distributed router, the state of Layer 2 interfaces becomes discarding.
Condition: None.
Resolved problems in CMW710-R0306P07
201601190330
Symptom: The VPM light of the RT-SPU-100 module fails the equipment test.
Condition: None.
201601200375
Symptom: The GPS track curve reported by the router is inaccurate.
Condition: This symptom occurs immediately after the 4G modem starts operating.
201601220079
Symptom: Repeated satellite information is displayed when you view the 4G modem information.
Condition: None.
201512300275
Symptom: TACACS accounting configured at the CLI does not take effect.
Condition: This symptom occurs if the super command is used to obtain another user role.
201511270766
Symptom: The status of a Layer 2 aggregate interface is incorrect.
Condition: This symptom occurs if master/subordinate switchover is repeatedly performed for the router.
201601080547
Symptom: The configuration of an Ethernet subinterface is lost after it is assigned to an aggregation group.
Condition: This symptom occurs if the router reboots after the software is upgraded or the router is started by using a .cfg configuration file.
201601120609
Symptom: The user profile name cannot contain periods (.).
Condition: None.
201601130385
Symptom: The router reboots unexpectedly.
Condition: This symptom occurs if LDP receives malformed PDUs over TCP whose header length field is 0.
201601120436
Symptom: The CPU usage reaches 100% in the core where the LDP active process resides.
Condition: This symptom occurs if the following conditions exist:
LDP NSR is configured. After the session comes up, active/standby switchover has occurred.
The number of messages that the session sends by using TCP is incorrectly counted.
201511260615
Symptom: The router reboots unexpectedly.
Condition: This symptom occurs if IPsec SAs and IKE SAs are repeatedly set up and deleted.
201511050564
Symptom: The router reboots unexpectedly.
Condition: This symptom occurs if IPsec protects OSPFv3 routes, and active/standby switchover is performed for the router.
201411190490
Symptom: An ADVPN tunnel fails to be established.
Condition: This symptom occurs if the ADVPN tunnel interface is bound to a VPN instance.
201510300470
Symptom: The operating mode configuration for an SIC-1VE1T1 module does not take effect.
Condition: This symptom occurs if the following operations are performed:
a. Configure the module to operate in T1 mode, and save the configuration.
b. Switch the operating mode to E1.
c. Reboot the router without saving the configuration.
201601270151
Symptom: The cable impedance of a CE1/PRI interface on an SIC-1VE1T1 module is set to 120 ohm, but the command output shows that the interface's cable impedance is 75 ohm.
Condition: This symptom might occur if the cable impedance of a CE1/PRI interface on an SIC-1VE1T1 module is set to 120 ohm.
201602030487
Symptom: A Layer 3 subinterface on an SIC-4/9FSW(P) module cannot forward traffic if the VLAN numbered with the subinterface number is not created.
Condition: This symptom might occur if a Layer 3 subinterface is created on an SIC-4/9FSW(P) module and the VLAN numbered with the subinterface number is not created.
201512110251
Symptom: The router does not have packet statistics for an aggregate interface that uses subinterfaces as members.
Condition: None.
201601240052
Symptom: MFR subinterfaces cannot be created.
Condition: None.
201512250041
Symptom: Modification of the service type for users in an ISP domain takes effect, but the router still displays the old configuration.
Condition: This symptom might occur if the service type for users in an ISP domain is modified.
201601280133
Symptom: The expired license of the router is reactivated, but some features are still unavailable after the router automatically loads the image file.
Condition: This symptom might occur if the expired license is reactivated.
201602240243
Symptom: The router might reboot unexpectedly after running for 497 days.
Condition: None.
201602010060
Symptom: RIP route filtering settings on the router are lost after the running configuration is saved and the router is rebooted.
Condition: This symptom might occur if one of the following operations is performed:
Upgrade the software and reboot the router.
Use a .cfg configuration file when rebooting the router.
201603090066
Symptom: An ADVPN tunnel cannot be set up if a loopback interface provides the tunnel source address and the physical tunnel outgoing interface is a NAT-enabled PPPoE dialer interface.
Condition: This symptom might occur if a loopback interface provides the tunnel source address and the physical tunnel outgoing interface is a NAT-enabled PPPoE dialer interface.
201603090064
Symptom: The DVPN service is interrupted during IPsec SA renegotiation.
Condition: This symptom might occur if the IPsec SA expires and IPsec SA renegotiation is performed.
201603020540
Symptom: The memory usage keeps rising if no ACL is specified for an IPsec policy template.
Condition: This symptom might occur if no ACL is specified for an IPsec policy template.
201601120419
Symptom: An NMS returns an error when it reads the 3G modem table from the MIB of the router.
Condition: This symptom might occur if two SIC-3G cards are installed on the router.
201601160235
Symptom: The router as a PPPoE server has duplicate PPPoE client information.
Condition: None.
201601180617
Symptom: The global DHCP address pool usage is incorrect.
Condition: None.
201601260049
Symptom: The router reboots unexpectedly when it receives GRE packets with the DF bit set.
Condition: This symptom might occur if the router receives GRE packets with the DF bit set.
201601190036
Symptom: The secondary IP addresses of a Virtual-Template interface are unavailable.
Condition: None.
201601210335
Symptom: The PPP IP segment match feature does not take effect if the user-basic-service-ip-type { ipv4 | ipv6 | ipv6-pd } command is not configured.
Condition: This symptom might occur if the user-basic-service-ip-type { ipv4 | ipv6 | ipv6-pd } command is not configured.
201602010492
Symptom: A VLAN interface cannot forward IPv6 traffic if a Layer 2 aggregate interface performs forwarding for the VLAN interface.
Condition: This symptom might occur if a Layer 2 aggregate interface performs forwarding for a VLAN interface.
201601210099
Symptom: When the FTP, SSH, Telnet, DNS, HTTP, or HTTPS service is enabled, 31 irrelevant TCP ports are also opened.
Condition: This symptom might occur if the FTP, SSH, Telnet, DNS, HTTP, or HTTPS service is enabled.
201601120047
Symptom: When execution of the description command in interface view fails because the specified description contains unsupported special characters, no prompt is displayed for the failure.
Condition: This symptom might occur if the description command specifies a description that contains unsupported special characters.
201601260439
Symptom: Memory leaks occur and the device reboots unexpectedly.
Condition: This symptom might occur if GRE or ADVPN tunnels are established over PPPoE and traffic is forwarded through these tunnels.
Resolved problems in CMW710-R0305P08
201512030136
Symptom: A nested QoS policy cannot classify traffic correctly.
Condition: This symptom occurs if QoS pre-classify is enabled for IPsec, and a nested QoS policy is configured to classify the encrypted traffic by using DSCP values.
201508060073
Symptom: GTS does not handle bursty traffic well, and traffic is not sent evenly. When a small burst size is configured, the traffic cannot reach the expected rate.
Condition: This symptom occurs if GTS is configured on an interface to shape traffic.
201512090619
Symptom: The system displays an invalid version notification when the software of a distributed router or an IRF fabric is upgraded from R0305P04.
Condition: This symptom occurs if one of the following conditions exists:
On the distributed router, the slot number of the active MPU is higher than the slot number of the standby MPU, and the software image is stored on the active MPU.
On the IRF fabric, the chassis number of the master IRF member router is higher than the chassis numbers of the subordinate IRF member routers, and the software image is stored on the master IRF member router.
201511200241
Symptom: HMIM-8GEE interface cards might stop sending packets.
Condition: This symptom might occur if interfaces on the HMIM-8GEE interface cards receive MPLS frames greater than 3072 bytes.
201509250085
Symptom: Operating modes do not take effect on interfaces on DSIC-1SHDSL-8W interface cards.
Condition: This symptom might occur if the DSIC-1SHDSL-8W interface cards are installed in the router together with other interface cards.
201512210405
Symptom: After a static MAC address entry is configured on the MSR2004, MAC address table synchronization fails and the static MAC address entry cannot be deleted from switching chips.
Condition: This symptom might occur if the MAC address in the static MAC address entry is the source MAC address of traffic.
201511050149
Symptom: Memory leak occurs.
Condition: This symptom occurs if the display debugging command is repeatedly executed.
201512230491
Symptom: A serial interface goes down and then comes up.
Condition: This symptom occurs if the following operations have been performed:
a. The operating mode of the serial interface is changed from synchronous to asynchronous.
b. A master/subordinate switchover occurs.
201511140166
Symptom: The system fails to display or clear statistics for FCM interfaces.
Condition: This symptom occurs if you do not specify an FCM interface when executing the display fcm statistics or reset fcm statistics command.
201512030136
Symptom: No traffic matches a child QoS policy.
Condition: This symptom occurs if the child QoS policy is nested in a parent QoS policy.
201508060073
Symptom: The download speed is slow when a QoS GTS action is configured.
Condition: This symptom occurs if you set a small CBS value for the QoS GTS action.
201511060514
Symptom: QoS queuing configuration cannot be modified on an interface on the MSR4000 after a master/subordinate switchover.
Condition: None.
201512110364
Symptom: The L2VE interface and L3VE interface display up state twice after a master/subordinate switchover.
Condition: None.
201512010186
Symptom: CVE-2015-7704
Condition: Denial of Service by Spoofed Kiss-of-Death.
Symptom: CVE-2015-7705
Condition: Denial of Service by Priming the Pump.
Symptom: CVE-2015-7855
Condition: Denial of Service by a Long Control Packet Message.
Symptom: CVE-2015-7871
Condition: NAK to the Future: NTP Symmetric Association Authentication Bypass Vulnerability.
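The NTP fixes listed here (CVE-2015-7704, CVE-2015-7705) and under 201605180120 in the CMW710-R0306P81 section (CVE-2016-1547, CVE-2015-7704) share one root cause: ntpd acted on Kiss-of-Death and crypto-NAK packets that nobody had asked for, and an off-path attacker can forge those because the packets carry no authentication. The ntpd fix was to require the origin timestamp of such a reply to match the transmit timestamp of a request the client actually sent. The following is an added example written for these release notes; it is not HPE code and not the ntpd source. It parses the 48-byte NTP header, recognises KoD (mode 4, stratum 0, ASCII kiss code in the reference ID) and crypto-NAK (a 4-byte all-zero MAC field) replies, and applies that origin-timestamp test to constructed packets. The transmit timestamp value is constructed.

```python
"""Origin-timestamp test for unsolicited NTP KoD / crypto-NAK replies
(added example; packets are constructed inline)."""
import struct
from typing import Dict, Tuple

# LI/VN/Mode, stratum, poll, precision, root delay, root dispersion,
# reference ID, reference/origin/receive/transmit timestamps (RFC 5905).
NTP_HEADER = struct.Struct("!BBbbII4sQQQQ")  # 48 bytes


def build_packet(mode: int, stratum: int = 2, refid: bytes = b"\0\0\0\0",
                 orig: int = 0, recv: int = 0, xmt: int = 0,
                 mac: bytes = b"") -> bytes:
    """Assemble an NTPv4 packet; mac is the optional key-id + digest."""
    first = (0 << 6) | (4 << 3) | mode  # LI=0, VN=4
    return NTP_HEADER.pack(first, stratum, 6, -20, 0, 0, refid,
                           0, orig, recv, xmt) + mac


def parse(pkt: bytes) -> Dict[str, object]:
    if len(pkt) < NTP_HEADER.size:
        raise ValueError("short NTP packet")
    f = NTP_HEADER.unpack_from(pkt)
    return {"mode": f[0] & 7, "stratum": f[1], "refid": f[6],
            "orig": f[8], "recv": f[9], "xmt": f[10],
            "mac": pkt[NTP_HEADER.size:]}


def classify(pkt: bytes) -> str:
    h = parse(pkt)
    if h["mode"] == 4 and h["stratum"] == 0:
        return "kod"           # kiss code such as b"RATE" sits in refid
    if h["mac"] == b"\0\0\0\0":
        return "crypto-nak"    # key id 0 and no digest
    return "normal"


def accept_reply(sent_xmt: int, reply: bytes) -> Tuple[bool, str]:
    """Emulates the test ntpd applies after the fixes above: a reply is only
    acted on if its origin timestamp equals the transmit timestamp of the
    request we sent. A blind attacker cannot see that value, so spoofed
    KoD and crypto-NAK packets fail here. An on-path attacker who sees the
    request is not stopped by this test; that needs authentication."""
    h = parse(reply)
    kind = classify(reply)
    if h["orig"] == 0 or h["orig"] != sent_xmt:
        return False, "dropped unsolicited %s (origin timestamp mismatch)" % kind
    return True, "accepted %s" % kind


def demo() -> Dict[str, Tuple[bool, str]]:
    client_xmt = 0xE3D9B2A512345678  # constructed transmit timestamp
    request = build_packet(mode=3, xmt=client_xmt)
    assert parse(request)["xmt"] == client_xmt
    # Legitimate RATE KoD from the server we polled: echoes our transmit ts.
    kod_ok = build_packet(mode=4, stratum=0, refid=b"RATE",
                          orig=client_xmt, recv=client_xmt + 1,
                          xmt=client_xmt + 2)
    # Spoofed KoD from an off-path attacker who never saw client_xmt.
    kod_spoof = build_packet(mode=4, stratum=0, refid=b"RATE")
    # Spoofed crypto-NAK: plain header plus a zero key id, no digest.
    nak_spoof = build_packet(mode=4, mac=b"\0\0\0\0")
    return {
        "legit_kod": accept_reply(client_xmt, kod_ok),
        "spoofed_kod": accept_reply(client_xmt, kod_spoof),
        "spoofed_nak": accept_reply(client_xmt, nak_spoof),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

On a device whose NTP client cannot be patched immediately, the equivalent operational mitigation is to authenticate NTP traffic with a trusted key and to restrict which peers may send time to the device; the origin-timestamp test is what the patched ntpd applies in addition to that.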
201507140251
Symptom: VRRPv3 does not support packet authentication. However, no error is displayed when packet authentication is configured for VRRPv3.
Condition: None.
201505270318
Symptom: No prompt is displayed when the router finishes downloading a file as an FTP client.
Condition: This symptom occurs if the downloaded file is greater than 2147483647 bytes.
201512300140
Symptom: NTP time synchronization fails between the router and a Cisco device with a time accuracy of 2^32.
Condition: This symptom occurs if NTP time synchronization is performed between the router and a Cisco device with a time accuracy of 2^32.
201507210022
Symptom: IPsec RRI cannot be implemented based on negotiated traffic flow in the IPsec VPN.
Condition: None.
201511260648
Symptom: Traffic cannot be forwarded through ADVPN tunnels.
Condition: This symptom occurs if ADVPN tunnels are established over an IPv6 network.
201511300165
Symptom: The FIPS self-tests for 3DES and AES key wrap return unexpected results.
Condition: None.
201507020257
Symptom: The DF bit setting in IPsec packets does not take effect.
Condition: This symptom occurs if the DF bit of IPsec packets is set on the source interface bound to an IPsec policy.
201512091595
Symptom: IKEv2 NAT traversal uses UDP port 5000 instead of UDP port 4500.
Condition: This symptom occurs if IKEv2 NAT traversal is configured.
201510080297
Symptom: The router fails to perform PPTP dial-up.
Condition: This symptom might occur if the router accesses the PPTP server through the NAT server.
201512100696
Symptom: The OpenFlow controller fails to discover the router during topology discovery.
Condition: This symptom occurs if the OpenFlow controller uses BDDP to perform topology discovery.
201509160400
Symptom: A user line cannot be configured by using the line number command.
Condition: This symptom occurs if you use the line number command to configure the user line.
201509180141
Symptom: In CWMP, a CPE fails to establish a connection to a server.
Condition: This symptom occurs if the CWMP connection interface belongs to a VPN instance.
201511040399
Symptom: The expected bandwidth configuration on a VLAN interface is lost.
Condition: This symptom occurs after two master/subordinate switchovers.
201512010078
Symptom: The boot-loader file command fails to specify a startup image file.
Condition: This symptom occurs if the startup image file resides on the standby MPU.
201510300441
Symptom: Unexpected page break occurs during faxing or fax negotiation fails.
Condition: This symptom occurs if multiple voice calls are established during faxing.
201512110328
Symptom: MAC address entries age out when they are configured not to age.
Condition: None.
201510160271
Symptom: The dual-stack PPPoE server that mainly provides IPv6 services exhausts IPv6 addresses in the DHCPv6 address pool. PPPoE users who have no IPv6 addresses assigned can log in.
Condition: This symptom occurs if two master/subordinate switchovers occur after IPv6 address exhaustion.
201510220524
Symptom: A logged-in PPPoE user cannot receive traffic.
Condition: This symptom occurs if the following conditions exist:
Two routers form an IRF fabric.
The PPPoE user logs in through an IRF port.
The master device reboots.
201510130373
Symptom: A SIP call cannot be established.
Condition: This symptom occurs if the router receives an INVITE request without SDP information.
201507200041
Symptom: The VE1 PRI Layer 3 test fails.
Condition: This symptom occurs if the device receives a SETUP message in which the bearer capability field is set to video.
201510160206
Symptom: The dual-stack PPPoE server that mainly provides IPv6 services has available IPv6 addresses in the DHCPv6 address pool. PPPoE users who have no IPv4 addresses assigned cannot log in.
Condition: None.
201509220301
Symptom: The Cellular process reboots unexpectedly.
Condition: This symptom occurs if the profile main command is executed on a cellular interface on the MSR4000.
201510230327
Symptom: If a PPPoE user logs in and then logs out, the CIR specified in the user profile for the user does not take effect.
Condition: This symptom occurs if the following conditions exist:
Two routers form an IRF fabric.
The PPPoE user logs in through an IRF port.
The master device reboots.
201508100249
Symptom: No information is displayed after the display voice sip call command is executed on the MSR4000.
Condition: None.
201512180019
Symptom: The AC of an MPLS L2VPN cannot receive packets from a CE.
Condition: This symptom occurs if a Layer 3 aggregate subinterface is used as the AC of the MPLS L2VPN.
201511250428
Symptom: Settings of the answer-time, idle-time, and trade-time parameters cannot be deployed to interface cards related to POS terminal access.
Condition: This symptom occurs if you set the answer-time, idle-time, and trade-time parameters in system view.
201512010169
Symptom: An error occurs on an IRF physical interface after the router reboots and some operations are performed on the router.
Condition: This symptom occurs if two GigabitEthernet interfaces are used as IRF physical interfaces and one of the IRF physical interfaces goes down.
201512030468
Symptom: Packet filtering does not take effect on an Ethernet interface operating in bridge mode.
Condition: This symptom occurs if packet filtering is enabled on the Ethernet interface operating in bridge mode.
201511210055
Symptom: Interfaces on the HMIM-8GSW or HMIM-24GSW interface card receive a large number of ARP requests. Then, a packet statistics error occurs and the switching modules cannot operate correctly.
Condition: This symptom occurs if ARP snooping is enabled on interfaces on the HMIM-8GSW or HMIM-24GSW interface card.
201512180334
Symptom: The MSR2004-24 or MSR2004-48 router reboots unexpectedly.
Condition: This symptom occurs if a null parameter is passed to an SDK function of the router's switching chip.
201511120124
Symptom: Packets are sent out of order.
Condition: This symptom occurs if packets are sent in per-flow mode.
201511270774
Symptom: A silent call is established after the called party goes off-hook.
Condition: This symptom occurs if the router uses the SIC-1VE1 or SIC-1VT1 voice card to initiate calls.
201512140104
Symptom: The mac-address max-mac-count command does not take effect, and no error message is displayed to indicate that the router does not support the command in this view.
Condition: This symptom occurs if the mac-address max-mac-count command is executed on a Layer 2 aggregate interface.
201511300156
Symptom: The static IPv6 address binding feature does not take effect on an interface of the HMIM-8GSW interface card.
Condition: This symptom occurs if the static IPv6 address binding feature is configured on the interface of the HMIM-8GSW card.
201512100157
Symptom: Transceiver modules on the HMIM-8GSW interface card might fail the equipment test.
Condition: This symptom occurs if the equipment test is performed on the HMIM-8GSW interface card.
201511170229
Symptom: When a POS terminal hangs up, the FCM interface stays in up state and the FCM card becomes unavailable.
Condition: This symptom occurs if the router uses the FCM card for POS dial-up access and a large number of POS terminals repeatedly dial up.
201511250418
Symptom: The 3G chip MC8705 fails to update the firmware.
Condition: This symptom occurs if an MSR2004/4000 router is used to update the firmware of the 3G chip MC8705.
201510190389
Symptom: An L2TP tunnel cannot be established because the router performs an overly strict check on packets that carry hidden AVPs.
Condition: This symptom occurs if the router acts as the L2TP LNS and receives packets with hidden AVPs sent by the LAC.
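The two items above concern hidden AVPs, which an LNS must decode with the tunnel's shared secret before it can validate them. The following is an added example, not HPE code and not a description of how Comware implements the check: it applies the AVP hiding algorithm of RFC 2661 section 4.3 (MD5 keystream chained over 16-octet ciphertext chunks) in both directions, wraps the result in the 6-octet AVP header with the H bit set, and on the receiving side rejects a recovered "original length" that claims more octets than were actually carried, which is the one check a strict LNS must get right. The shared secret, random vector and attribute value are constructed for the example; attribute 30 (Proxy Authen Name) is used only as a plausible attribute to hide.

```python
"""Added example (not HPE code): L2TP AVP hiding per RFC 2661 section 4.3.

Hidden subformat (before hiding):  original length (2 octets) || original
value || random padding.  Chunk 1 is XORed with MD5(attr_type || secret ||
RandomVector); every later chunk with MD5(secret || previous ciphertext chunk).
Secret, random vector and attribute value in the demo are constructed.
"""
import hashlib
import os
import struct

M_BIT = 0x8000    # Mandatory flag in the AVP header
H_BIT = 0x4000    # Hidden flag in the AVP header
HEADER_LEN = 6    # flags/length (2) + vendor ID (2) + attribute type (2)
PROXY_AUTHEN_NAME = 30


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_avp(attr_type: int, value: bytes, secret: bytes,
             random_vector: bytes, pad_len: int = 0) -> bytes:
    """Return the hidden form of an attribute value (RFC 2661 4.3)."""
    if len(value) > 0xFFFF:
        raise ValueError("attribute value too long for the 2-octet length field")
    plaintext = struct.pack("!H", len(value)) + value + os.urandom(pad_len)
    hidden = bytearray()
    prev = b""
    for off in range(0, len(plaintext), 16):
        chunk = plaintext[off:off + 16]
        if off == 0:
            key = _md5(struct.pack("!H", attr_type), secret, random_vector)
        else:
            key = _md5(secret, prev)          # chained on previous ciphertext
        prev = _xor(chunk, key)
        hidden += prev
    return bytes(hidden)


def unhide_avp(attr_type: int, hidden: bytes, secret: bytes,
               random_vector: bytes) -> bytes:
    """Recover the original value; reject a length field that overruns the data."""
    if len(hidden) < 2:
        raise ValueError("hidden AVP shorter than its original-length field")
    plaintext = bytearray()
    prev = b""
    for off in range(0, len(hidden), 16):
        chunk = hidden[off:off + 16]
        if off == 0:
            key = _md5(struct.pack("!H", attr_type), secret, random_vector)
        else:
            key = _md5(secret, prev)          # prev is the previous *ciphertext* chunk
        plaintext += _xor(chunk, key)
        prev = chunk
    (orig_len,) = struct.unpack("!H", plaintext[:2])
    available = len(plaintext) - 2
    if orig_len > available:
        raise ValueError("original length %d exceeds the %d octets present"
                         % (orig_len, available))
    return bytes(plaintext[2:2 + orig_len])   # trailing padding is discarded


def try_unhide(attr_type: int, hidden: bytes, secret: bytes, random_vector: bytes):
    """Return the value, or None when the hidden AVP fails validation."""
    try:
        return unhide_avp(attr_type, hidden, secret, random_vector)
    except ValueError:
        return None


def encode_avp(attr_type: int, value: bytes, mandatory: bool = True,
               hidden: bool = False, vendor_id: int = 0) -> bytes:
    """Wrap a (possibly hidden) value in the RFC 2661 AVP header."""
    length = HEADER_LEN + len(value)
    if length > 0x3FF:
        raise ValueError("AVP exceeds the 10-bit length field")
    flags = (M_BIT if mandatory else 0) | (H_BIT if hidden else 0) | length
    return struct.pack("!HHH", flags, vendor_id, attr_type) + value


def decode_avp(data: bytes):
    """Parse one AVP; returns (mandatory, hidden, vendor_id, attr_type, value)."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated AVP header")
    flags, vendor_id, attr_type = struct.unpack("!HHH", data[:HEADER_LEN])
    length = flags & 0x3FF
    if length < HEADER_LEN or length > len(data):
        raise ValueError("AVP length %d inconsistent with %d octets" % (length, len(data)))
    return bool(flags & M_BIT), bool(flags & H_BIT), vendor_id, attr_type, data[HEADER_LEN:length]


if __name__ == "__main__":
    secret, rv = b"tunnel-shared-secret", bytes(range(16))    # constructed
    hidden = hide_avp(PROXY_AUTHEN_NAME, b"ppp-user@example.com", secret, rv, pad_len=5)
    avp = encode_avp(PROXY_AUTHEN_NAME, hidden, hidden=True)
    _, is_hidden, _, attr, value = decode_avp(avp)
    print(is_hidden, attr, unhide_avp(attr, value, secret, rv))
```

The Random Vector AVP must appear in the same control message before any hidden AVP, and the LNS must use the tunnel secret it has configured for the LAC; with the wrong secret the recovered length field is effectively random, so the length check rejects most, but not all, such packets and the caller must still authenticate the tunnel.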
201510290199
Symptom: An L2TP user with a matching full username fails L2TP authentication. An L2TP tunnel cannot be established.
Condition: This symptom occurs if the router acts as the L2TP LNS and is configured with the ppp user attach-format imsi-sn split command.
201510290176
Symptom: An L2TP user whose authentication information does not contain an at sign (@) fails L2TP authentication. An L2TP tunnel cannot be established.
Condition: This symptom occurs if the router acts as the L2TP LNS and is configured with the ppp user accept-format imsi-sn split @ command.
201508190420
Symptom: Memory leaks occur after a voice interface card on the router reboots.
Condition: This symptom occurs if the CPU usage of the router reaches 100%.
201510160215
Symptom: The router acts as the PPPoE server and uses DHCPv6 to assign IPv6 addresses to hosts. No IPv6 addresses are displayed for PPPoE users in the display ppp access-user command output.
Condition: This symptom occurs if a master/subordinate switchover occurs after PPPoE users log in.
201511250195
Symptom: The MAC address entry for a VRRP group still exists on the router after the VRRP group is deleted.
Condition: This symptom occurs if you assign an IP address to the VRRP group and then delete the VRRP group.
201506180269
Symptom: The router stops sending packets when a POS terminal accesses the router.
Condition: This symptom might occur if the number of concurrent connections reaches 30 on the AM interface multiple times and configuration of the AM interface changes.
201511170159
Symptom: IPsec does not support SM4 algorithms.
Condition: None.
Resolved problems in CMW710-R0305P04
201510300500
Symptom: Packets are out of order if flow-based forwarding is enabled.
Condition: This symptom might occur if flow-based forwarding is enabled.
201510220351
Symptom: The IMSIs of some China Telecom 3G SIM cards cannot be correctly identified.
Condition: This symptom might occur if the Vodafone IMSIs are stored as the 3GPP IMSIs of the SIM cards.
201509300412
Symptom: The peer drops the ARP packets sent by the router if the ARP packets carry 802.1Q VLAN tags with the CFI bit set to 1.
Condition: This symptom might occur if the ARP packets carry 802.1Q VLAN tags with the CFI bit set to 1.
201509240177
Symptom: The router reboots unexpectedly if an HMIM-CNDE module is removed by using the remove command during the IPsec packet forwarding process.
Condition: This symptom might occur if an HMIM-CNDE module is removed by using the remove command during the IPsec packet forwarding process.
201510260569
Symptom: If port isolation is configured on both a Layer 2 aggregate interface and its member ports, the configuration fails on the aggregate interface or its member ports. Removal of the port isolation configuration also fails.
Condition: This symptom might occur if port isolation is configured on a Layer 2 aggregate interface and its member ports.
201509240346
Symptom: Channel configuration on radio interfaces is lost after a reboot.
Condition: None.
201509300064
Symptom: The traffic statistics for 3G/4G serial and Eth-channel interfaces are 0 in the MIB.
Condition: None.
201510300208
Symptom: The router cannot communicate with the peer if the router acts as the LNS to set up an L2TP tunnel to the peer by using a SIC-4FSW module.
Condition: This symptom might occur if the router acts as the LNS to set up an L2TP tunnel to the peer by using a SIC-4FSW module.
201511110304
Symptom: The router reboots unexpectedly if VLAN interfaces are created or deleted during the traffic forwarding process.
Condition: This symptom might occur if VLAN interfaces are created or deleted during the traffic forwarding process.
201508290046
Symptom: The CPU usage of the router rises if the router acts as a Telnet server and Telnet login to the router is aborted abnormally.
Condition: This symptom might occur if the router acts as a Telnet server and Telnet login to the router is aborted abnormally.
201509290092
Symptom: Telnet login with remote TACACS/RADIUS authentication fails.
Condition: This symptom might occur if Telnet login with remote TACACS/RADIUS authentication is performed.
201505130349
Symptom: Static NAT444 traffic does not trigger NAT444 user logging.
Condition: None.
201507070217
Symptom: ACL mismatches occur if a connection limit policy is applied to DS-Lite tunnels.
Condition: This symptom might occur if a connection limit policy is applied to DS-Lite tunnels.
201510200471
Symptom: The routing, multicast, authentication, and voice modules stop working, and incorrect information is displayed for the TRAP, NetStream, and DHCP modules.
Condition: This symptom might occur if the router has been running for more than seven months (214 days).
201508260173
Symptom: The time range status is incorrect if NTP is used.
Condition: This symptom might occur if NTP is used.
201510140128
Symptom: DDNS dynamic domain name update fails if the DDNS password contains forward slashes (/).
Condition: This symptom might occur if the DDNS password contains forward slashes (/).
201509160563
Symptom: The router reboots unexpectedly if the router acts as a PPPoE server and PPPoE users repeatedly come online and go offline.
Condition: This symptom might occur if the router acts as a PPPoE server and PPPoE users repeatedly come online and go offline.
201401100267
Symptom: PPP IPCP negotiation fails when a PPPoE client initiates a connection request to the router, and the VA interface goes up and comes down constantly.
Condition: This symptom might occur if NAT is performed for the PPPoE client, and IP address negotiation is enabled on the dialer interface.
201509170256
Symptom: Information about the last login is not displayed for a user that passes authentication.
Condition: None.
201507160359
Symptom: CVE-2014-8176
Condition: If a DTLS peer receives application data between the ChangeCipherSpec and Finished messages, a segmentation fault or potentially memory corruption may result.
Symptom: CVE-2015-1788
Condition: When processing an ECParameters structure OpenSSL enters an infinite loop. This can be used to perform denial of service against any system which processes public keys, certificate requests or certificates.
Symptom: CVE-2015-1789
Condition: X509_cmp_time does not properly check the length of the ASN1_TIME string and/or accepts an arbitrary number of fractional seconds in the time string. An attacker can use this to craft malformed certificates and CRLs of various sizes and potentially cause a segmentation fault, resulting in a DoS on applications that verify certificates or CRLs.
Symptom: CVE-2015-1790
Condition: The PKCS#7 parsing code does not handle missing inner EncryptedContent correctly. An attacker can craft malformed PKCS#7 blobs with missing content and trigger a NULL pointer dereference on parsing.
Symptom: CVE-2015-1791
Condition: If a NewSessionTicket is received by a multi-threaded client when attempting to reuse a previous ticket then a race condition can occur potentially leading to a double free of the ticket data.
Symptom: CVE-2015-1792
Condition: When verifying a signedData message the CMS code can enter an infinite loop. This can be used to perform denial of service against any system which verifies signedData messages using the CMS code.
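CVE-2015-1789 above is a length-checking bug: X509_cmp_time trusted the stated length of an ASN1_TIME and accepted arbitrary fractional seconds. The following is an added example, not HPE or OpenSSL code, showing the strict form of the check that a certificate or CRL consumer can apply before comparing times. It enforces the RFC 5280 section 4.1.2.5 encodings (UTCTime YYMMDDHHMMSSZ, GeneralizedTime YYYYMMDDHHMMSSZ, no fractional seconds, no offsets), verifies the DER length octet against the octets actually present, and applies the RFC 5280 two-digit year rule (50 to 99 is 1950 to 1999, 00 to 49 is 2000 to 2049). The sample TLVs in the demo are constructed.

```python
"""Added example (not HPE or OpenSSL code): strict RFC 5280 validity-time parsing.

RFC 5280 4.1.2.5 permits only YYMMDDHHMMSSZ (UTCTime, tag 0x17) and
YYYYMMDDHHMMSSZ (GeneralizedTime, tag 0x18) in certificates and CRLs, so the
parser checks the length and shape first and never reads past the buffer.
All inputs used in the demo are constructed.
"""
import re
from datetime import datetime, timezone

UTCTIME = 0x17
GENERALIZEDTIME = 0x18

# Byte-string patterns: \d matches only 0-9 on bytes, and fullmatch() avoids
# the trailing-newline leniency of '$'.
_UTC_RE = re.compile(rb"(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z")
_GEN_RE = re.compile(rb"(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z")


def parse_asn1_time(tag: int, value: bytes) -> datetime:
    """Decode the content octets of an ASN.1 time into an aware UTC datetime."""
    if tag == UTCTIME:
        if len(value) != 13:
            raise ValueError("UTCTime must be 13 octets, got %d" % len(value))
        m = _UTC_RE.fullmatch(value)
        if not m:
            raise ValueError("UTCTime must be YYMMDDHHMMSSZ")
        yy = int(m.group(1))
        year = 1900 + yy if yy >= 50 else 2000 + yy       # RFC 5280 pivot
    elif tag == GENERALIZEDTIME:
        if len(value) != 15:
            raise ValueError("GeneralizedTime must be 15 octets, got %d" % len(value))
        m = _GEN_RE.fullmatch(value)
        if not m:
            raise ValueError("GeneralizedTime must be YYYYMMDDHHMMSSZ (no fractional seconds)")
        year = int(m.group(1))
    else:
        raise ValueError("tag 0x%02x is not an ASN.1 time type" % tag)
    month, day, hour, minute, second = (int(g) for g in m.groups()[1:])
    try:
        # datetime() rejects out-of-range fields such as month 13 or hour 24.
        return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)
    except ValueError as exc:
        raise ValueError("time fields out of range: %s" % exc) from None


def parse_der_time(der: bytes) -> datetime:
    """Parse a complete DER TLV (tag, short-form length, content)."""
    if len(der) < 2:
        raise ValueError("truncated TLV")
    tag, length = der[0], der[1]
    if length & 0x80:
        raise ValueError("time strings never need a long-form length")
    if len(der) != 2 + length:
        raise ValueError("length field %d does not match %d content octets"
                         % (length, len(der) - 2))
    return parse_asn1_time(tag, der[2:])


def is_valid_der_time(der: bytes) -> bool:
    """True when the TLV is a well-formed RFC 5280 time."""
    try:
        parse_der_time(der)
    except ValueError:
        return False
    return True


def validity_contains(not_before_der: bytes, not_after_der: bytes, when: datetime) -> bool:
    """Strict replacement for the X509_cmp_time-style validity window check."""
    return parse_der_time(not_before_der) <= when <= parse_der_time(not_after_der)


if __name__ == "__main__":
    good = b"\x17\x0d160630235959Z"                 # constructed UTCTime
    fractional = b"\x18\x13" + b"20160630235959.123Z"  # constructed, must be rejected
    print(parse_der_time(good), is_valid_der_time(fractional))
```

Note that the check is deliberately stricter than some CA output: RFC 5280 also requires GeneralizedTime only for years 2050 and later, and a consumer may choose to enforce that too; the example accepts any well-formed GeneralizedTime so that it does not reject the 99991231235959Z sentinel used for certificates with no well-defined expiry.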
201510130373
Symptom: SIP calls cannot be placed if the router receives INVITE requests with no SDP information.
Condition: This symptom might occur if the router receives INVITE requests with no SDP information.
201507200041
Symptom: The router sends a SIP response message that contains an incorrect call release cause code if the router receives an INVITE request with SDP information that contains the video capability.
Condition: This symptom might occur if the router receives an INVITE request with SDP information that contains the video capability.
201508100249
Symptom: The display voice sip call command outputs nothing if an MSR4000 router is a single-chassis IRF fabric and uses the chassis number 2.
Condition: This symptom might occur if an MSR4000 router is a single-chassis IRF fabric and uses the chassis number 2.
201508190420
Symptom: Memory leaks occur if the voice card is rebooted at the CLI when the CPU usage is 100%.
Condition: This symptom might occur if the voice card is rebooted at the CLI when the CPU usage is 100%.
201510270033
Symptom: Upgrading the standby MPU of the MSR4000 router fails.
Condition: This symptom might occur if the active MPU has only an .ipe startup image file, and the boot-loader command specifies the .ipe file for upgrading the standby MPU.
Resolved problems in CMW710-R0305
201509070388
Symptom: A fiber port cannot come up if a 100-Mbps optical transceiver module is installed in the port and the speed 100 command is executed on the port.
Condition: This symptom might occur if a 100-Mbps optical transceiver module is installed in the port and the speed 100 command is executed on the port.
201504130290
Symptom: Fax transmission fails if fax pass-through with the G.711alaw or G.711ulaw codec is used for DIS signal transmission.
Condition: This symptom might occur if fax pass-through with the G.711alaw or G.711ulaw codec is used for DIS signal transmission.
201509240046
Symptom: Some interfaces on the HMIM-8E1T1-F module cannot come up if the module was manufactured on or after 11 August 2015.
Condition: This symptom might occur if the HMIM-8E1T1-F module was manufactured on or after 11 August 2015.
201508040165
Symptom: Some transactions of POS terminals fail if TCP FIN packets contain transaction data.
Condition: This symptom might occur if TCP FIN packets contain transaction data.
201507150251
Symptom: Layer 3 aggregate interfaces cannot be created by using IMC.
Condition: This symptom might occur if IMC is used to create Layer 3 aggregate interfaces.
201508290021
Symptom: The CPU usage is high if the TCP maximum segment size is set to 1400 bytes.
Condition: This symptom might occur if the following operations have been performed:
a. Use the tcp mss command to set the TCP maximum segment size to 1400 bytes.
b. Save the configuration and reboot the router.
201508250213
Symptom: The delay in the result of the NQA ICMP jitter operation is much larger than the delay in the ping operation result.
Condition: This symptom might occur if the NQA ICMP jitter operation is performed.
201509140123
Symptom: The router cannot communicate with a Cisco device through the HDLC link between them.
Condition: This symptom might occur if the ip address slarp interval 1 command is executed on the Cisco device.
201508270343
Symptom: Tracert returns the destination IP address as the first hop if it is used on an L2TP over IPsec tunnel.
Condition: This symptom might occur if tracert is used on an L2TP over IPsec tunnel.
201510130060
Symptom: The signature algorithm does not support HMAC-SHA256 when a certificate request is made in non-FIPS mode.
Condition: This symptom might occur if the certificate request is made in non-FIPS mode.
201510200471
Symptom: The OSPF LSAs on the router do not age out. As a result, peers cannot learn routes from the router.
Condition: This symptom might occur if OSPF is enabled on the router, and the router has been operating for more than 210 days.
201507140154
Symptom: The router can be successfully logged in to by using a public key through SSH1, but RSA fails to encrypt the public key.
Condition: This symptom might occur if a public key and SSH are used to log in to the router.
201508280355
Symptom: The HDLC process does not respond if the display interface serial command is executed when the router receives ADDR_REQ packets.
Condition: This symptom might occur if the display interface serial command is executed when the router receives ADDR_REQ packets.
201509220038
Symptom: The router fails TACACS authentication for an incorrect password or invalid shared key if the TACACS server uses ACS V5.6 or later versions.
Condition: This symptom might occur if the TACACS server uses ACS V5.6 or later versions.
Resolved problems in CMW710-R0304P12
201507250134
Symptom: The router can be successfully logged in to by using an incorrect password.
Condition: This symptom might occur if remote TACACS authentication and NETCONF are used to log in to the router.
201508030326
Symptom: An interface goes down and the router reboots unexpectedly if PPPoE sessions are established on a large number of subinterfaces on the interface.
Condition: This symptom might occur if PPPoE sessions are established on a large number of subinterfaces on the interface.
201508030334
Symptom: The secondary RADIUS authentication/authorization server cannot be reconfigured if it has been deleted.
Condition: This symptom might occur if the secondary RADIUS authentication/authorization server is deleted and then reconfigured.
201506190329
Symptom: An interface on an HMIM-8GSWF module cannot communicate with the directly connected peer.
Condition: This symptom might occur if the port security mode of the interface is set to autoLearn, and the HMIM module is rebooted.
201507300171
Symptom: The router reboots unexpectedly if the RADIUS server sends a DM request to log off a user by session ID.
Condition: This symptom might occur if the RADIUS server sends a DM request to log off a user by session ID.
201505200410
Symptom: Matching packets are not assigned to the RTP queue.
Condition: This symptom might occur if the UDP port number of the packets is an odd number before byte order reversing.
201508030336
Symptom: The router reboots unexpectedly if the IPsec tunnels on the router have been forwarding traffic for a long period of time.
Condition: This symptom might occur if the IPsec tunnels on the router have been forwarding traffic for a long period of time.
201507270023
Symptom: The router chooses a dynamic address pool over a static address pool when the router processes DHCP INFORM packets sent by a client that uses an IP address in the static address pool.
Condition: This symptom might occur if the dynamic address pool contains all IP addresses of the static address pool.
201508120238
Symptom: When the router acts as a DHCP server, DHCP clients obtain IP addresses after a long delay.
Condition: This symptom might occur if the DHCP clients have errors and are moved from another network.
201508030441
Symptom: Routes configured by using the ppp ip-pool route command are lost after an IRF master/subordinate switchover.
Condition: This symptom might occur if an IRF master/subordinate switchover occurs.
201507160240
Symptom: IMC cannot display the rules of ACLs.
Condition: None.
201508130129
Symptom: The router does not prompt for LDP session reset after the LSR ID is modified, and then MPLS has status or forwarding errors.
Condition: This symptom might occur if the mpls lsr-id command is used to modify the LSR ID.
201508110265
Symptom: The FTP user is logged off after FTP finishes transferring files to the storage medium of the standby MPU.
Condition: This symptom might occur if FTP is used to transfer large files to the storage medium of the standby MPU.
201508110026
Symptom: The router reboots unexpectedly if the IPsec over L2TP tunnels on the router have been forwarding traffic for a long period of time.
Condition: This symptom might occur if the IPsec over L2TP tunnels on the router have been forwarding traffic for a long period of time.
201504210203
Symptom: A centralized IRF member router halts during reboot after its operating mode is changed from IRF to standalone.
Condition: This symptom might occur if the following operations have been performed on the router:
a. Save the configuration.
b. Shut down the IRF physical interfaces.
c. Change the operation mode from IRF to standalone after the IRF fabric splits.
201507090504
Symptom: When a PoE profile is configured, the router warns that the maximum PI power specified by using the poe max-power command is invalid even if the value is in the valid power range.
Condition: None.
201508120439
Symptom: The router reboots unexpectedly if the router is deleted from IMC.
Condition: This symptom might occur if the following conditions exist:
The router connects to IMC through a tunnel and passes portal authentication.
The router is deleted from IMC after portal authentication.
201508050381
Symptom: MAC address check on a DHCP relay agent does not take effect after DHCP is disabled.
Condition: This symptom might occur if DHCP is disabled.
201507130082
Symptom: The router reboots unexpectedly if the HMIM-2/4/8GE module is repeatedly rebooted when the module receives traffic.
Condition: This symptom might occur if the HMIM-2/4/8GE module is repeatedly rebooted when the module receives traffic.
201508180093
Symptom: Two terminals in the same 3G or 4G network cannot communicate with each other.
Condition: This symptom might occur if the terminals are assigned the same network segment but different subnet masks.
201508240276
Symptom: The router does not display the legal banner before authentication when an SSH user logs in to the router.
Condition: None.
201508240106
Symptom: Some interfaces on the HMIM-2/4/8E1T1-F module cannot come up.
Condition: None.
201507300132
Symptom: Though the fixed Ethernet interfaces of the MSR2004 router are up, they cannot receive packets.
Condition: This symptom occurs after the MSR2004 router has been operating for a certain period of time.
201507240120
Symptom: Very rarely, the fixed GE0/1 or GE0/2 interface of an MSR2004 router cannot come up and cannot send or receive packets. This occurs on a very small percentage of BCM5221 chips.
Condition: None.
201508060025
Symptom: The settings of MP-group interfaces are incompatible after an MSR router is upgraded to E0302P06 or a later version.
Condition: This symptom occurs if an MSR router is upgraded to E0302P06 or a later version.
201507080421
Symptom: The display qos policy interface command outputs incorrect statistics.
Condition: This symptom might occur if MPLS forwarding, PPP IP header compression, and QoS CBQ are enabled on PPP interfaces of the router.
201506050279
Symptom: A POS transaction fails if it has multiple interaction messages.
Condition: This symptom might occur if the following conditions exist:
POS terminal access is enabled on the router.
The background process of POS transactions requires that the messages of a transaction must have the same source TPDU.
201506030302
Symptom: Memory leakage occurs when the router is sending NetStream data packets.
Condition: This symptom might occur if NetStream is enabled on the router.
201507200403
Symptom: In the RADIUS packets that the router sends, '\000' is incorrectly added to the NAS-ID attribute.
Condition: This symptom might occur if RADIUS authentication is configured on the router.
Resolved problems in CMW710-R0304P04
201501200401
Symptom: RBAC cannot control access to the content filtering feature.
Condition: None.
201503020376
Symptom: Packets are dropped after a BGP GR process is completed.
Condition: This symptom occurs if both BFD and GR are enabled for BGP.
201507170124
Symptom: The MPLS ILM entry is not updated after the traffic processing unit is changed for an outgoing interface.
Condition: This symptom occurs if the traffic processing unit is changed for an outgoing interface.
201504190023
Symptom: The BGP process on the PE is stuck.
Condition: This symptom occurs if the following conditions exist:
There is a large number of routes and many types of traffic.
The PE runs for a long time.
201507020251
Symptom: A PW is re-created after the L2VPN process is re-optimized by using the placement reoptimize command.
Condition: This symptom occurs if split horizon is enabled for the PW.
201506300136
Symptom: An interface on the SIC-4GSW card cannot ping the directly connected interface on the same subnet after the interface is changed to a Layer 3 interface.
Condition: This symptom occurs if the following operations are performed:
a. Enable port security globally.
b. Configure port security on the interface operating as a Layer 2 interface.
c. Change the interface to a Layer 3 interface.
201505290258
Symptom: Subinterfaces cannot be created or deleted when there are more than 4000 subinterfaces on the router.
Condition: This symptom might occur if the following operations are performed:
a. Perform an active/standby switchover.
b. Restart the standby MPU.
c. Change a main interface between Layer 2 mode and Layer 3 mode.
d. Bring up and shut down the main interface.
201507170043
Symptom: A router in an MPLS network reboots unexpectedly.
Condition: This symptom occurs if the public interface of the router goes down and comes up repeatedly.
201507030323
Symptom: Memory leaks.
Condition: This symptom occurs if NETCONF is used to download files for the FileSystem node.
201506190348
Symptom: The xmlcfgd process crashes.
Condition: This symptom occurs if the xmlcfgd process is accessed through XML when there is no Envelope namespace.
201506190151
Symptom: The router does not preferentially use static address allocation when receiving a DHCP-INFORM message from a client.
Condition: This symptom occurs if the following conditions exist:
The client is bound to an IP address in a DHCP address pool.
Another DHCP address pool includes the IP address bound to the client.
201506100354
Symptom: The router configured with WAAS sends a receiving buffer size different from the set value to the peer device.
Condition: This symptom occurs if the receiving buffer size is modified.
201507020391
Symptom: The TTL of a static blacklist entry is different from the actual aging time.
Condition: This symptom occurs if the static blacklist entry is added after a master/subordinate switchover in an IRF fabric.
201505150461
Symptom: An interface cannot forward packets when it is up.
Condition: This symptom occurs if a large number of portal users come online and go offline through the interface.
201506100261
Symptom: ARP reply packets are forwarded through the trusted interface even if there is a match in the MAC address table.
Condition: This symptom occurs when ARP restricted forwarding is enabled.
201506120046
Symptom: The ToS bits in the outer IP header are not set to the same as the ToS bits in the inner header after IP packets are encapsulated with MPLS L3VPN or GRE.
Condition: This symptom occurs if IP packets are encapsulated with MPLS L3VPN or GRE.
201506230020
Symptom: A POS interface cannot forward packets that are greater than 2048 bytes.
Condition: None.
201504270304
Symptom: Only up to 256 ports can be specified in one nat server command.
Condition: None.
201503110416
Symptom: Assertion information is displayed and accounting stops when a user comes online.
Condition: This symptom occurs if the accounting quota-out redirect-url command is configured.
201411190412
Symptom: The tunnel source cannot return Packet Too Big messages for packets tunneled through an IPv6 over IPv4 tunnel.
Condition: This symptom occurs when fragmentation check is enabled for packets to be tunneled.
201503090076
Symptom: IPv4 addresses must be configured on the AFTR of a DS-Lite tunnel.
Condition: This symptom occurs when the AFTR of a DS-Lite tunnel is configured.
201507070230
Symptom: The router establishes calls slowly when using R2 signaling.
Condition: This symptom occurs if R2 signaling is used.
201505200402
Symptom: Too much log information is displayed after RTP packets are interrupted.
Condition: This symptom occurs if the network link fails after a call is established.
201505290049
Symptom: The hh3cTransceiver node does not return new information for a different transceiver module type.
Condition: This symptom occurs if the following operations are performed:
a. Replace a transceiver module.
b. Walk the hh3cTransceiver node by using a MIB browser.
201506250411
Symptom: CVE-2015-3143
Condition: cURL and libcurl 7.10.6 through 7.41.0 do not properly reuse NTLM connections, which allows remote attackers to connect as other users via an unauthenticated request.
Symptom: CVE-2015-3148
Condition: cURL and libcurl 7.10.6 through 7.41.0 do not properly reuse authenticated Negotiate connections, which allows remote attackers to connect as other users via a request.
201411190504
Symptom: The number of packets in the ADVPN session statistics is a negative value.
Condition: This symptom occurs if the router forwards traffic for a long time.
201504140088
Symptom: CVE-2015-0209
Condition: A malformed EC private key file consumed via the d2i_ECPrivateKey function could cause a use-after-free condition. This could lead to a DoS attack or memory corruption for applications that receive EC private keys from untrusted sources.
Symptom: CVE-2015-0286
Condition: DoS vulnerability in the certificate verification operation. Any application that performs certificate verification is vulnerable, including OpenSSL clients and servers that enable client authentication.
Symptom: CVE-2015-0287
Condition: Reusing a structure in ASN.1 parsing may allow an attacker to cause memory corruption via an invalid write. Applications that parse structures containing CHOICE or ANY DEFINED BY components may be affected.
Symptom: CVE-2015-0288
Condition: The function X509_to_X509_REQ will crash with a NULL pointer dereference if the certificate key is invalid.
Symptom: CVE-2015-0289
Condition: The PKCS#7 parsing code does not handle a missing outer ContentInfo correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with missing content and trigger a NULL pointer dereference on parsing.
Symptom: CVE-2015-0292
Condition: An integer underflow in the base64 decoder (EVP_DecodeUpdate) of earlier OpenSSL versions allows crafted base64 data to cause memory corruption and a denial of service.
Symptom: CVE-2015-0293
Condition: A malicious client can trigger an OPENSSL_assert in servers that both support SSLv2 and enable export cipher suites by sending a specially crafted SSLv2 CLIENT-MASTER-KEY message.
201505250363
Symptom: Services are interrupted for about 50 minutes after the router runs for a long time with traffic load.
Condition: This symptom might occur if the DH-Group2 algorithm is used in an IPsec VPN environment.
201507200433
Symptom: An interface on an MSR2004 router is up, but does not receive packets.
Condition: This symptom occurs if the following conditions exist:
The router runs for a long time with traffic load.
The interface is configured with multiple features.
201506240472
Symptom: Of multiple EVI tunnels, only one tunnel can forward traffic.
Condition: This symptom occurs if the following conditions exist:
The EVI tunnels have the same source IP address and the same destination IP address.
Each EVI tunnel is used for a different VLAN.
201506030356
Symptom: The feature images are not selected from the storage medium where the current boot and system images reside.
Condition: This symptom occurs if the router has multiple storage media.
201506230200
Symptom: WAAS optimization performs poorly in per-flow load sharing mode.
Condition: None.
201507070433
Symptom: The peer port is up when the local fiber port is down.
Condition: This symptom occurs after the fiber port is changed from Layer 2 mode to Layer 3 mode.
201506250378
Symptom: An MSR3024 or MSR3044 router cannot forward 65-byte packets at wire speed when fast forwarding is enabled.
Condition: This symptom occurs if fast forwarding is enabled.
201506020161
Symptom: BGP neighbors flap after the IRF fabric is restarted.
Condition: This symptom occurs if a large number of BGP neighbors are established dynamically.
201507270061
Symptom: An aggregate interface with two or more member ports cannot ping the directly connected interface.
Condition: This symptom occurs after the aggregate interface is changed between Layer 2 mode and Layer 3 mode more than 20 times.
201507090496
Symptom: The ARP packets of one VLAN interface are sent out of a member port of another VLAN interface.
Condition: This symptom occurs if more than two VLANs exist and their VLAN interfaces are assigned IP addresses.
201504230195
Symptom: On an IRF fabric, assertion information is displayed and subordinate routers reboot when the IPv4 device is pinged from the IPv6 side.
Condition: This symptom occurs if the traffic processing unit for the AFT traffic of a VLAN interface is not on the same forwarding card as the member interfaces of the VLAN interface.
201506090049
Symptom: The FCM card behaves unexpectedly.
Condition: This symptom occurs if FCM subinterfaces are deleted through MIB.
201507070310
Symptom: The link layer protocol of a DTE interface goes down.
Condition: This symptom occurs if the clock selection mode is set to autonegotiation for the DTE interface.
201507010073
Symptom: The router reboots repeatedly after traffic statistics are cleared.
Condition: This symptom occurs if the following operations are performed:
a. Perform an active/standby switchover for HDLC interfaces that forward Layer 3 IP traffic.
b. Configure NetStream.
c. Enable the application statistics feature by using the application statistics enable command.
201411030517
Symptom: Web redirection fails for a PPPoE user.
Condition: This symptom occurs if Web redirection parameters are assigned through RADIUS.
201503110069
Symptom: The VLAN ID sent to the RADIUS server is incorrect.
Condition: This symptom occurs if a QinQ PPPoE user comes online.
201503090276
Symptom: Users of a domain cannot be displayed or forcibly logged out.
Condition: This symptom occurs if the users come online without domain information.
201503110472
Symptom: Redirection fails after a PPPoE client issues a redirection attribute.
Condition: This symptom occurs if a PPPoE client issues a redirection attribute.
201503110566
Symptom: The redirection attribute issued through a COA message does not take effect.
Condition: This symptom occurs if the redirection attribute is issued through a COA message.
201507150201
Symptom: Assertion information appears when the pppoesd process is restarted on the L2TP LNS.
Condition: This symptom occurs if a user comes online in NAS-initiated tunneling mode.
201505190435
Symptom: Some BGP peers go down and come up after the router is rebooted.
Condition: This symptom might occur if the following conditions exist:
The router is in an IRF fabric or is a distributed router in standalone mode.
The router has a large number of BGP peers.
201507200270
Symptom: An MSR1000 router reboots repeatedly.
Condition: This symptom occurs if the following operations are performed:
a. Install a SIC-4SAE card into the router.
b. Send bidirectional traffic between the router and its peer device.
Resolved problems in CMW710-R0304P02
201505200131
Symptom: Voice services are interrupted during long calls.
Condition: This symptom might occur if E&M non-signaling mode and PCM pass-through are enabled.
201506290040
Symptom: On a single-MPU router, the fan speed does not increase when the CPU temperature keeps rising.
Condition: This symptom might occur if the router starts in high-temperature environments.
201505250288
Symptom: NQA TCP operations fail after the router runs for a period of time.
Condition: This symptom might occur if one of the following conditions exists:
The interval between NQA probes is shorter than 10 milliseconds.
NQA operations are frequently performed over a long period of time.
201504230250
Symptom: The router displays garbled bandwidth usage-based load-sharing information for an aggregate interface.
Condition: This symptom might occur if bandwidth usage-based load-sharing is enabled on the aggregate interface.
201505250277
Symptom: OpenFlow cannot correctly send ARP packets to the SDN controller.
Condition: This symptom might occur if the following operations have been performed:
a. Save the running configuration and reboot the router.
b. Restore OpenFlow configuration by using an .mdb binary file.
201505150431
Symptom: 802.1X authentication fails.
Condition: This symptom might occur if the server issues VLAN IDs, but the length of the Tunnel-Private-Group-id attribute is not 6 bytes in RADIUS packets sent by the server.
201504230250
Symptom: Traffic forwarding is interrupted on the router.
Condition: This symptom might occur if portal users repeatedly come online and go offline over a long period of time when the router is forwarding traffic.
201506120253
Symptom: When the display qos policy interface command is executed for a VT interface configured with QoS policies, nothing is displayed or the console halts.
Condition: This symptom might occur if QoS policies are configured on the VT interface, and more than 2000 online PPPoE users exist on the interface.
201505140232
Symptom: An SD or CF card on the router is not accessible.
Condition: This symptom might occur if the SD or CF card stores more than 15000 files.
201505180304
Symptom: An IRF member router halts after a reboot if it is switched from the IRF mode to the standalone mode.
Condition: This symptom might occur if the following operations have been performed on the router:
a. Save the running configuration.
b. Shut down the IRF physical interfaces.
c. Switch the router to the standalone mode after the IRF fabric splits, and then reboot the router.
201505250207
Symptom: SIP source interface bindings do not take effect after the router reboots.
Condition: This symptom might occur if the following operations have been performed:
a. Configure SIP source interface bindings.
b. Save the running configuration and reboot the router.
201506230030
Symptom: When one of the E1 links on the router goes down, fast forwarding entries update slowly, and forwarding services are affected.
Condition: This symptom might occur if the following conditions exist:
Multiple equal-cost E1 links are configured on the router.
PPP IP header compression is enabled on the serial interfaces for the E1 links.
The router is forwarding multiple data flows.
201506080129(CVE-2015-5434)
Symptom: When an interface without MPLS enabled receives MPLS-labeled packets, the interface incorrectly forwards the MPLS-labeled packets to the next LSR according to the LFIB entry.
Condition: This symptom occurs when the interface does not have MPLS enabled and receives MPLS-labeled packets that match the FIB entries.
Resolved problems in CMW710-R0304
201504210231
Symptom: CVE-2015-1799
Condition: Authentication doesn't protect symmetric associations against DoS attacks.
201504230275
Symptom: A router replies with a re-INVITE message with the Referred-By header field after receiving a REFER request without the Referred-By header field from a Lync server.
Condition: This symptom occurs when a Lync server sends a REFER request without the Referred-By header field to the router.
201504230289
Symptom: A called phone rings once before going on-hook.
Condition: This symptom occurs if the following conditions exist:
The calling router and called router use different codecs.
The called router connects to the called phone through a VE interface.
201505110326
Symptom: NATed packets fail to be forwarded after the original route becomes unavailable.
Condition: This symptom might occur if the interface used as the backup outgoing interface is not configured with NAT.
201505150401
Symptom: A router configured with IPsec fails to be authenticated by a Comware-V5-based peer device.
Condition: This symptom might occur if the router is configured with an IKE-based IPsec policy and the PFS feature is enabled for the IPsec policy.
Resolved problems in CMW710-E0302P06
201411280347
Symptom: When the MTU of a physical interface is configured to be greater than 1500 bytes, the interface still uses 1492 as the MTU.
Condition: This symptom occurs when the MTU of the physical interface bound to PPPoE is not 1500.
Workaround: For TCP applications, modify the TCP MSS on the dialer or VT interface to avoid improper packet fragmentation.
201502020298
Symptom: On an IRF fabric formed by MSR4000 routers and configured with multichassis Layer 3 aggregation, after a master/subordinate switchover, all users that log in through Selected interfaces on the rebooted router are logged out.
Condition: This symptom occurs when the IRF fabric formed by MSR4000 routers acts as the PPPoE server and the multichassis Layer 3 aggregate interface is used to respond to PPPoE login requests.
Workaround: None.
201502100609
Symptom: In an FR L2VPN with one end as an FR network and the other end as an Ethernet link, CEs cannot communicate.
Condition: This symptom occurs when one end of the FR L2VPN is an FR network and the other end is an Ethernet link.
Workaround: None.
201501290181
Symptom: When an L2VPN cross-connect is bound to a Layer 3 aggregate interface, receiving LACPDUs times out, and the aggregation group member ports flap frequently.
Condition: This symptom occurs when the L2VPN cross-connect is bound to a Layer 3 aggregate interface.
Workaround: None.
201501080118
Symptom: The VAM process reboots repeatedly.
Condition: This symptom occurs when the hub device also acts as the VAM server.
Workaround: Use a separate device as the VAM server.
201411140486
Symptom: Ping packets are lost on an eight-wire G.SHDSL.BIS EFM interface of the MSR router after the interface is shut down and then brought up.
Condition: This symptom might occur if the EFM interface is connected to a Cisco device.
201502150313
Symptom: Packet loss occurs on an interface that is configured with both policy nesting and CBQ.
Condition: This symptom might occur if the interface has been forwarding traffic at near wire rate for a long time.
201502030476
Symptom: The MSR router forwards some packets out of their incoming interface after an active/standby link switchover.
Condition: This symptom might occur if the active/standby link switchover occurs when the router is forwarding a large amount of traffic.
201502270045
Symptom: The serial communication protocol goes down and LCP packets are lost on a serial interface when it is processing bidirectional traffic during the T1 delay test.
Condition: This symptom might occur if the qos qmtoken 1 command is executed on the interface.
201503090250
Symptom: The MSR router does not update the media channel after it receives a re-INVITE message with only the c field updated.
Condition: This symptom might occur if the MSR router receives a re-INVITE message with only the c field updated.
201503160098
Symptom: CAR does not support the bandwidth percentage method.
Condition: This symptom might occur if CAR is configured by using the bandwidth percentage method.
201407180184
Symptom: A local PBR policy does not take effect when no other services are configured.
Condition: This symptom might occur if only a local PBR policy is configured on the router.
Resolved problems in CMW710-E0102
RTV7D000933
Symptom: Fragments cannot be filtered by an ACL.
Condition: This symptom occurs when the fragment keyword is used in an ACL rule.
RTV7D000932
Symptom: Both routers in the VRRP group are in the Master state when MD5 authentication mode is used.
Condition: This symptom occurs when MD5 authentication mode is used.
Resolved problems in CMW710-E0006P02
CM13040119
Symptom: Device testing fails during manufacturing.
Condition: This symptom occurs during manufacturing tests of the devices.
Support and other resources
Accessing Hewlett Packard Enterprise Support
For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website:
www.hpe.com/assistance
To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website:
www.hpe.com/support/hpesc
Information to collect:
Technical support registration number (if applicable).
Product name, model or version, and serial number.
Operating system name and version.
Firmware version.
Error messages.
Product-specific reports and logs.
Add-on products or components.
Third-party products or components.
Documents
To find related documents, see the Hewlett Packard Enterprise Support Center website at http://www.hpe.com/support/hpesc.
Enter your product name or number and click Go. If necessary, select your product from the resulting list.
For a complete list of acronyms and their definitions, see HPE FlexNetwork technology acronyms.
Related documents
The following documents provide related information:
HPE FlexNetwork MSR2000 Routers Installation Guide
HPE FlexNetwork MSR3000 Routers Installation Guide
HPE FlexNetwork MSR4000 Routers Installation Guide
HPE FlexNetwork MSR2000 Routers Quick Start
HPE FlexNetwork MSR3000 Routers Quick Start
HPE FlexNetwork MSR4000 Routers Quick Start
HPE FlexNetwork MSR Router Series Interface Module Guide
HPE FlexNetwork MSR2000/3000/4000 Routers Compliance and Safety Manual
About the HPE FlexNetwork MSR Router Series Command References(V7)
HPE FlexNetwork MSR Router Series ACL and QoS Command Reference(V7)
HPE FlexNetwork MSR Router Series EVI Command Reference(V7)
HPE FlexNetwork MSR Router Series Fundamentals Command Reference(V7)
HPE FlexNetwork MSR Router Series High Availability Command Reference(V7)
HPE FlexNetwork MSR Router Series Interface Command Reference(V7)
HPE FlexNetwork MSR Router Series IP Multicast Command Reference(V7)
HPE FlexNetwork MSR Router Series Layer 2 - LAN Switching Command Reference(V7)
HPE FlexNetwork MSR Router Series Layer 2 - WAN Access Command Reference(V7)
HPE FlexNetwork MSR Router Series Layer 3 - IP Routing Command Reference(V7)
HPE FlexNetwork MSR Router Series Layer 3 - IP Services Command Reference(V7)
HPE FlexNetwork MSR Router Series MPLS Command Reference(V7)
HPE FlexNetwork MSR Router Series NEMO Command Reference(V7)
HPE FlexNetwork MSR Router Series Network Management and Monitoring Command Reference(V7)
HPE FlexNetwork MSR Router Series OAA Command Reference(V7)
HPE FlexNetwork MSR Router Series OpenFlow Command Reference(V7)
HPE FlexNetwork MSR Router Series Probe Command Reference(V7)
HPE FlexNetwork MSR Router Series Security Command Reference(V7)
HPE FlexNetwork MSR Router Series Virtual Technologies Command Reference(V7)
HPE FlexNetwork MSR Router Series Voice Command Reference(V7)
HPE FlexNetwork MSR Router Series WLAN Command Reference(V7)
About the HPE FlexNetwork MSR Router Series Configuration Guides(V7)
HPE FlexNetwork MSR Router Series ACL and QoS Configuration Guide(V7)
HPE FlexNetwork MSR Router Series EVI Configuration Guide(V7)
HPE FlexNetwork MSR Router Series Fundamentals Configuration Guide(V7)
HPE FlexNetwork MSR Router Series High Availability Configuration Guide(V7)
HPE FlexNetwork MSR Router Series Interface Configuration Guide(V7)
HPE FlexNetwork MSR Router Series IP Multicast Configuration Guide(V7)
HPE FlexNetwork MSR Router Series Layer 2 - LAN Switching Configuration Guide(V7)
HPE FlexNetwork MSR Router Series Layer 2 - WAN Access Configuration Guide(V7)
HPE FlexNetwork MSR Router Series Layer 3 - IP Routing Configuration Guide(V7)
HPE FlexNetwork MSR Router Series Layer 3 - IP Services Configuration Guide(V7)
HPE FlexNetwork MSR Router Series MPLS Configuration Guide(V7)
HPE FlexNetwork MSR Router Series NEMO Configuration Guide(V7)
HPE FlexNetwork MSR Router Series Network Management and Monitoring Configuration Guide(V7)
HPE FlexNetwork MSR Router Series OAA Configuration Guide(V7)
HPE FlexNetwork MSR Router Series OpenFlow Configuration Guide(V7)
HPE FlexNetwork MSR Router Series Probe Configuration Guide(V7)
HPE FlexNetwork MSR Router Series Security Configuration Guide(V7)
HPE FlexNetwork MSR Router Series Virtual Technologies Configuration Guide(V7)
HPE FlexNetwork MSR Router Series Voice Configuration Guide(V7)
HPE FlexNetwork MSR Router Series WLAN Configuration Guide(V7)
Documentation feedback
Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback ([email protected]). When submitting your feedback, include the document title, part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.
Appendix A Feature list
Hardware features
Table 5 MSR1000 specifications

| Item | MSR1002-4 | MSR1003-8S |
|---|---|---|
| Console/AUX port | 1 | 1 |
| USB port | 1 | 1 |
| Gigabit Ethernet port | 5 | 10 |
| SFP port | 1 | N/A |
| Asynchronous/synchronous serial interface | 1 | N/A |
| Memory | 512 MB DDR3 | 1 GB DDR3 |
| Flash | 256 MB | 256 MB |
| SIC/DSIC slot | 2 SIC slots (1 DSIC slot) | 3 SIC slots (1 DSIC slot) |
| Dimensions (H × W × D) (excluding rubber feet and mounting brackets) | 44.2 × 360 × 300 mm (1.74 × 14.17 × 11.81 in) | 44.2 × 360 × 300 mm (1.74 × 14.17 × 11.81 in) |
| AC power supply | Rated voltage range: 90 VAC to 264 VAC @ 50 Hz/60 Hz | Rated voltage range: 90 VAC to 264 VAC @ 50 Hz/60 Hz |
| Rated power for AC power supply | 30 W | 30 W |
| Operating temperature | 0°C to 45°C (32°F to 113°F) | 0°C to 45°C (32°F to 113°F) |
| Relative humidity (noncondensing) | 5% to 90% | 5% to 90% |
Table 6 MSR2000/MSR2000 TAA specifications

| Item | MSR2003/MSR2003 TAA | MSR2004-24 | MSR2004-48 |
|---|---|---|---|
| Console/AUX port | 1 | 1 | 1 |
| USB console port | 1 | - | - |
| USB port | 1 | 1 | 1 |
| GE WAN port | 2 | 2 | 2 |
| GE LAN port | - | 3 | 3 |
| SFP port | - | 1 | - |
| Memory | 1 GB DDR3 | 1 GB DDR3 | 1 GB DDR3 |
| Flash/CF | 256 MB Flash | 256 MB CF | 256 MB CF |
| SIC/DSIC slot | 3 SIC slots (Slots 1 and 2 can be used for a DSIC interface module by removing the slot divider.) | 4 SIC slots | 4 SIC slots |
| Dimensions (H × W × D) (excluding rubber feet and mounting brackets) | 360 mm × 305.3 mm × 44.2 mm | 440 mm × 363.5 mm × 44.2 mm | 440 mm × 403.5 mm × 44.2 mm |
| AC power supply | Rated voltage range: 100 VAC to 240 VAC @ 50 Hz/60 Hz | Rated voltage range: 100 VAC to 240 VAC @ 50 Hz/60 Hz | Rated voltage range: 100 VAC to 240 VAC @ 50 Hz/60 Hz |
| DC power supply | - | - | Rated voltage range: –48 VDC to –60 VDC |
| Maximum power for AC/DC power supply | 54 W | 54 W | 150 W |
| Operating temperature | 0°C to 45°C | 0°C to 45°C | 0°C to 45°C |
| Relative humidity (noncondensing) | 5% to 90% | 5% to 90% | 5% to 90% |
Table 7 MSR3000/MSR3000 TAA specifications

| Item | MSR3012 | MSR3024/MSR3024 TAA | MSR3044 | MSR3064 |
|---|---|---|---|---|
| CON/AUX ports | 1 | 1 | 1 | 1 |
| USB console ports | 1 | 1 | 1 | 1 |
| USB ports | 2 | 2 | 2 | 2 |
| Gigabit Ethernet ports | 3 | 3 | 3 | 3 |
| SIC/DSIC slots | 2 SIC slots | 4 SIC slots/2 DSIC slots | 4 SIC slots/2 DSIC slots | 4 SIC slots/2 DSIC slots |
| HMIM slots | 1 | 2 | 4 | 6 |
| VPM slots | 1 | 1 | 2 | 2 |
| Memory | DDR3, 1 GB/2 GB | DDR3, 2 GB (default), 4 GB (maximum) | DDR3, 2 GB (default), 4 GB (maximum) | DDR3, 2 GB (default), 4 GB (maximum) |
| CF card memory (inside) | 256 MB (default) | 256 MB (default) | 256 MB (default) | 256 MB (default) |
| CF card memory (outside) | - | 4 GB (maximum) | 4 GB (maximum) | 4 GB (maximum) |
| CF card slot | 0 | 1 | 1 | 1 |
| Dimensions (H × W × D) (excluding rubber feet and mounting brackets) | 44.2 × 440 × 484.3 mm | 44.2 × 440 × 484.3 mm | 88.1 × 440 × 480 mm | 130.5 × 440 × 480 mm |
| AC power supply | Rated voltage range: 100 VAC to 240 VAC @ 50 Hz/60 Hz | Rated voltage range: 100 VAC to 240 VAC @ 50 Hz/60 Hz | Rated voltage range: 100 VAC to 240 VAC @ 50 Hz/60 Hz | Rated voltage range: 100 VAC to 240 VAC @ 50 Hz/60 Hz |
| DC power supply | Rated voltage range: –48 VDC to –60 VDC | Rated voltage range: –48 VDC to –60 VDC | Rated voltage range: –48 VDC to –60 VDC | Rated voltage range: –48 VDC to –60 VDC |
| Maximum power for AC/DC power supply | 125 W | 125 W | 300 W | 300 W |
| Maximum power for PoE power supply | - | 275 W | 750 W | 750 W |
| Maximum power for each PoE port | 15.4 W | 15.4 W | 15.4 W | 15.4 W |
| RPS power supply | 800 W | 800 W | - | - |
| Power pluggable and backup | - | - | Dual power | Dual power |
| Operating temperature | 0°C to 45°C (32°F to 113°F) | 0°C to 45°C (32°F to 113°F) | 0°C to 45°C (32°F to 113°F) | 0°C to 45°C (32°F to 113°F) |
| Relative humidity (noncondensing) | 5% to 90% | 5% to 90% | 5% to 90% | 5% to 90% |
Table 8 MSR4000 specifications

| Item | MSR4060 | MSR4080 |
|---|---|---|
| MPU slot | 2 | 2 |
| SPU slot | 1 | 1 |
| HMIM slot | 6 | 8 |
| Dimensions (H × W × D), excluding rubber feet and mounting brackets | 175.1 × 440 × 480 mm | 219.5 × 440 × 480 mm |
| Power pluggable and backup | N+1 | N+1 |
| Operating temperature | 0°C to 45°C (32°F to 113°F) | 0°C to 45°C (32°F to 113°F) |
| Operating humidity (noncondensing) | 5% to 90% | 5% to 90% |
Table 9 MSR4000/MSR4000 TAA MPU specifications

| Item | Specification |
|---|---|
| Console port | 1 |
| AUX port | 1 |
| GE management port | 1 |
| USB console port | 1 |
| USB port | 1 |
| Memory | 2 GB DDR3 (default), 4 GB DDR3 (maximum) |
| CF card | 512 MB (default), 4 GB (maximum) |
| CF card slot | 1 |
| Flash | 8 MB |
Table 10 MSR4000 SPU specifications

| Item | SPU-100 | SPU-200 & SPU-300 |
|---|---|---|
| USB port | 2 | 2 |
| VPM slot | 2 | 2 |
| Combo | 4 | 4 |
| SFP+ port | 0 | 1 |
| Applicable router model | MSR4060/MSR4080 | MSR4060/MSR4080 |
| Applicable MPU | MPU-100 | MPU-100 |
Table 11 MSR2004-24 AC power module specifications

| Item | Specification |
|---|---|
| Rated input voltage range | 100 VAC to 240 VAC @ 50 Hz or 60 Hz |
| Rated power | 150 W |

Table 12 MSR2004-48 DC power module specifications

| Item | Specification |
|---|---|
| Rated input voltage range | –48 VDC to –60 VDC |
| Rated power | 150 W |

Table 13 MSR3044/MSR3064/MSR4060/MSR4080 AC power module specifications

| Item | Specification |
|---|---|
| Model | PSR300-12A1 |
| Rated input voltage range | 100 VAC to 240 VAC @ 50 Hz or 60 Hz |
| Max power | 300 W |

Table 14 MSR3044/MSR3064/MSR4060/MSR4080 DC power module specifications

| Item | Specification |
|---|---|
| Model | PSR300-12D2 |
| Rated input voltage range | –48 VDC to –60 VDC |
| Max power | 300 W |

Table 15 MSR3044/MSR3064/MSR4060/MSR4080 PoE power module specifications

| Item | Specification |
|---|---|
| Model | PSR750-A |
| Rated input voltage range | 100 VAC to 240 VAC @ 50 Hz or 60 Hz |
| Max power | 750 W |
Table 16 MSR series router module list
Module Description
SIC Ethernet interface modules:
4-port 10/100 Mbps Ethernet L2 switching module (RJ45) (SIC-4FSW)
1-port 10/100 Mbps Ethernet electrical SIC interface module (RJ45) (SIC-1FEA)
1-port 100 Mbps Ethernet electrical SIC interface module-SIC-1FEF
4-port 10/100 Mbps Ethernet L2 switching module-PoE card(SIC-4FSW-POE)
1-port 10/100/1000BASE-T(RJ45) and 100BASE-FX/1000BASE-X(SFP,Combo)Ethernet SIC module(RT-SIC-1GEC-V2(JG738A))
4-port 10/100/1000BASE-T Ethernet L2 switching electrical SIC interface module(RT-SIC-4GSW(JG739A))
4-port 10/100/1000BASE-T Ethernet L2 switching electrical SIC interface module-PoE(RT-SIC-4GSWP(JG740A))
4-port 100BASE-FX/1000BASE-X(SFP) Ethernet L2/L3 SIC Module-RT-SIC-4GSWF
WAN interface modules:
1-port enhanced synchronous/asynchronous serial SIC interface module (SIC-1SAE)
1-port fractional E1 SIC interface module (SIC-1E1-F-V3)
1-port E1/CE1/PRI SIC interface module (SIC-1EPRI)
1-port analog modem SIC interface module (SIC-1AM)
8-port asynchronous serial interface card (SIC-8AS)
16-port asynchronous serial interface card (SIC-16AS)
1-port ISDN BRI S/T interface card (SIC-1BS)
2-port fractional E1 interface module (SIC-2E1-F)
3G access module (RT-SIC-3G-HSPA)
CDMA 2000 1x RTT/1x EV-DO Rev.0/1x EV-DO Rev.A 3G access module (RT-SIC-3G-CDMA)
1-port ADSL over POTS SIC interface module (SIC-1ADSL)
1-port E1/CE1/PRI SIC interface module (SIC-1EPRI-V3)
4G LTE Verizon SIC module(RT-SIC-4G-LTE-V(JG742A))
4G LTE AT&T SIC module(SIC-4G-LTE-A(JG743A))
4G LTE Global SIC module(RT-SIC-4G-LTE-G(JG744A))
2-port enhanced synchronous/asynchronous serial SIC interface module(RT-SIC-2SAE(JG736A))
4-port enhanced synchronous/asynchronous serial SIC interface module(RT-SIC-4SAE(JG737A))
HPE MSR 4GLTE SIC Mod for CDMA/WCDMA (JG742B)
HPE MSR 4G LTE SIC Mod for ATT (JG743B)
HPE MSR 4GLTE SIC Mod for Global (JG744B)
HPE MSR HSPA+/WCDMA SIC Module (JG929A)
Voice interface modules:
1-port voice module subscriber circuit SIC interface module (SIC-1FXS)
2-port voice module subscriber circuit SIC interface module (SIC-2FXS)
1-port voice module FXO SIC interface module (SIC-1FXO)
2-port voice module FXO SIC interface module (SIC-2FXO)
1-channel E1 voice SIC interface module (SIC-1VE1)
1-channel T1 voice SIC interface module (SIC-1VT1)
1-port ISDN BRI S/T voice interface card (SIC-1BSV)
2-port ISDN BRI S/T voice interface card (SIC-2BSV)
2-port voice subscriber circuit & 1-port voice AT0 analog trunk interface card-SIC-2FXS1FXO
1-port E1 / T1 Voice SIC Module(JH240A)
DSIC
9-port 10/100 Mbps Ethernet L2 switching module (RJ45) (DSIC-9FSW)
4-port voice subscriber circuit & 1-port voice AT0 analog trunk interface card (DSIC-4FXS1FXO)
9-port 10/100 Mbps Ethernet L2 switching module -PoE card (DSIC-9FSW-POE)
1-port 8-wire G.SHDSL (RJ45) DSIC Module
HMIM
Ethernet interface modules:
2-port 10M/100/1000M Ethernet electrical HMIM interface module (RJ45) (HMIM-2GEE)
4-port 10M/100/1000M Ethernet electrical HMIM interface module (RJ45) (HMIM-4GEE)
8-port 10M/100/1000M Ethernet electrical HMIM interface module (RJ45) (HMIM-8GEE)
2-port 1000BASE-X HMIM Module (HMIM-2GEF)
4-port 1000BASE-X HMIM Module (HMIM-4GEF)
8-port 1000BASE-X HMIM Module (HMIM-8GEF)
24-port Gig-T Switch HMIM Module (HMIM-24GSW)
24-port Gig-T PoE Switch HMIM Module (HMIM-24GSW-POE)
8-port 10/100/1000BASE-T(RJ45)+2-port100BASE-FX/1000BASE-X(SFP,Combo) Ethernet L2 switching HMIM module(RT-HMIM-8GSW(JG741A))
8-port 100BASE-FX/1000BASE-X / 4-port 1000BASE-T (Combo) L2/L3 HMIM Module (JH238A)
WAN interface modules:
2 port CE1/PRI interface module (HMIM-2E1)
4 port CE1/PRI interface module (HMIM-4E1)
8 port CE1/PRI interface module (HMIM-8E1)
4-port fractional E1 interface module (HMIM-4E1-F)
8-port fractional E1 interface module (HMIM-8E1-F)
2 port CT1/PRI interface module (HMIM-2T1)
8 port CT1/PRI interface module (HMIM-8T1)
4-port fractional T1 interface module (HMIM-4T1-F)
8-port fractional T1 interface module (HMIM-8T1-F)
1-port T3/CT3 compatible interface module (HMIM-1CT3)
1-port T3/CT3 compatible interface module (HMIM-1CE3)
2 channel enhanced synchronous/asynchronous interface module (HMIM-2SAE)
4 channel enhanced synchronous/asynchronous interface module (HMIM-4SAE)
8 channel enhanced synchronous/asynchronous interface module (HMIM-8SAE)
8 port asynchronous serial interface panel (RJ45) (HMIM-8ASE)
16 port asynchronous serial interface panel (RJ45) (HMIM-16ASE)
1-port OC-3 / STM-1 CPOS HMIM Module (HMIM-1CPOS)
2-port OC-3 / STM-1 CPOS HMIM Module (HMIM-2CPOS)
1-port OC-3c / STM-1c ATM SFP HMIM Module (HMIM-ATMOC3)
8-port E1 / CE1 / T1 / CT1 / PRI HMIM Module (JH169A)
4-port E1 / CE1 / T1 / CT1 / PRI HMIM Module (JH170A)
2-port E1 / CE1 / T1 / CT1 / PRI HMIM Module (JH171A)
8-port E1 / Fractional E1 / T1 / Fractional T1 HMIM Module (JH172A)
4-port E1 / Fractional E1 / T1 / Fractional T1 HMIM Module (JH173A)
2-port E1 / Fractional E1 / T1 / Fractional T1 HMIM Module (JH174A)
Voice interface modules:
16-port voice module subscriber circuit interface board(HMIM-16FXS)
1 channel E1 voice HMIM interface module (HMIM-1VE1)
2 channel E1 voice HMIM interface module (HMIM-2VE1)
1 channel T1 voice HMIM interface module (HMIM-1VT1)
2 channel T1 voice HMIM interface module (HMIM-2VT1)
4-port voice module subscriber circuit interface board (HMIM-4FXS)
4-port voice module FXO interface module (HMIM-4FXO)
4 channel voice processing board E&M trunk interface module (HMIM-4EM)
VPM
128-channel voice processing module (RT-VPM2-128)
256-channel voice processing module (RT-VPM2-256)
512-channel voice processing module (RT-VPM2-512)
HMIM Adapter
0.5U MIM to HMIM adapter (HMIM Adapter)
1U MIM to HMIM adapter (HMIM Adapter-H)
MIM (requires an HMIM adapter)
Ethernet interface modules:
1-port 10M/100M Ethernet electrical MIM interface module (RJ45) (MIM-1FE)
2-port 10M/100M Ethernet electrical MIM interface module (RJ45) (MIM-2FE)
4-port 10M/100M Ethernet electrical MIM interface module (RJ45) (MIM-4FE)
1-port 1000M Ethernet electrical MIM interface module (RJ45) (MIM-1GBE)
2-port 1000M Ethernet electrical MIM interface module (RJ45) (MIM-2GBE)
1-port 1000M Ethernet electrical MIM interface module (RJ45) (MIM-1GEF)
2-port 1000M Ethernet electrical MIM interface module (RJ45) (MIM-2GEF)
WAN interface modules:
2 channel enhanced synchronous/asynchronous interface module (MIM-2SAE)
4 channel enhanced synchronous/asynchronous interface module (MIM-4SAE)
8 channel enhanced synchronous/asynchronous interface module (MIM-8SAE)
8 port asynchronous serial interface panel (RJ45) (MIM-8ASE)
16 port asynchronous serial interface panel (RJ45) (MIM-16ASE)
1 port CE1/PRI interface module (MIM-1E1)
2 port CE1/PRI interface module (MIM-2E1)
4 port CE1/PRI interface module (MIM-4E1)
8 port E1 interface module (75ohm) (MIM-8E1 (75))
1-port fractional E1 interface module (MIM-1E1-F)
2-port fractional E1 interface module (MIM-2E1-F)
4-port fractional E1 interface module (MIM-4E1-F)
8 port E1 interface module (75ohm) (MIM-8E1 (75)-F)
2 port CT1/PRI interface module (MIM-2T1)
8 port T1 interface module (MIM-8T1)
2-port fractional T1 interface module (MIM-2T1-F)
4-port fractional T1 interface module (MIM-4T1-F)
8-port fractional T1 interface module (MIM-8T1-F)
1-port T3/CT3 compatible interface module (MIM-1CT3-V2)
1-port T3/CT3 compatible interface module (MIM-1CE3-V2)
1-port SDH/SONET interface module (MIM-1POS-V2)
1-port dual-pair G.SHDSL interface module (MIM-1SHL-4W)
HPE MSR OAP MIM Module with VMware vSphere (JG532A)
Voice interface modules:
1 channel E1 voice MIM interface module (MIM-1VE1)
1 channel T1 voice MIM interface module (MIM-1VT1)
2 channel E1 voice MIM interface module (MIM-2VE1)
2 channel T1 voice MIM interface module (MIM-2VT1)
4-port voice module subscriber circuit interface board (MIM-4FXS)
2-port voice module FXO interface module (MIM-2FXO)
4-port voice module FXO interface module (MIM-4FXO)
8-port voice module FXS-FXO interface module (MIM-8FXS-8FXO)
4 channel voice processing board E&M trunk interface module (MIM-4EM)
4-port ISDN BRI S/T voice interface card (MIM-4BSV)
16-port voice module subscriber circuit interface board (MIM-16FXS)
Table 17 Sierra modem module and host/card compatibility matrix

| HPE description | Product code | Module name |
|---|---|---|
| HPE MSR 4G LTE SIC Mod for Verizon | JG742A | Sierra-MC7750 |
| HPE MSR 4G LTE SIC Mod for ATT | JG743A | Sierra-MC7700 |
| HPE MSR 4G LTE SIC Mod for Global | JG744A | Sierra-MC7710 |
CAUTION:
For module support and restrictions, see HPE FlexNetwork MSR Routers Interface Configuration Guide(V7), Appendix Purchase Guide.
Software features
Table 18 MSR series routers software features

| Category | Features |
|---|---|
| LAN protocols | ARP (proxy ARP, gratuitous ARP, authorized ARP), Ethernet_II, Ethernet_SNAP, VLAN (port-based VLAN, MAC-based VLAN, VLAN-based port isolation, voice VLAN), 802.3x, LACP (802.3ad), 802.1p, 802.1Q, 802.1X, QinQ, RSTP (802.1w), MSTP (802.1s), GVRP, port multicast suppression, EVI |
| WAN protocols | PPP, PPPoE client, DCC, Dialer Watch, ISDN, modem, 3G modem, FR |
| IP services | Fast forwarding (unicast/multicast), TCP, UDP, IP option, IP unnumbered, policy routing (unicast/multicast); non-IP services: NetStream |
| IP applications | Ping and tracert, DHCP server, DHCP client, DNS client, static DNS, NQA, IP accounting, NTP, Telnet, TFTP client, FTP client, FTP server |
| IP routing | Static routing management; dynamic routing protocols: RIP, OSPF, BGP, IS-IS; multicast routing protocols: IGMP, PIM-DM, PIM-SM, MBGP, MSDP; routing policy |
| MPLS | LDP, LSPM, MPLS TE, MPLS FW, MPLS/BGP VPN, VPLS |
| IPv6 | IPv6 basic functions, IPv6 ND, IPv6 PMTU, IPv6 FIB, IPv6 ACL |
| IPv6 transition technologies | NAT-PT, IPv6 tunneling, 6PE, 6VPE |
| IPv6 routing | IPv6 static routing management; multicast routing protocols: MLD, PIM-DM, PIM-SM, PIM-SSM |
| AAA | Local authentication, RADIUS, HWTACACS, LDAP |
| Firewall | ASPF, ACL, filter |
| Security | Port security, IPsec, portal, L2TP, NAT/NAPT, PKI, RSA, SSH V1.5/2.0, URPF, GRE |
| Reliability | VRRP, backup center, BFD, IRF |
| L2 QoS | LR, flow-based QoS policy, port-based mirroring, packet remarking, priority mapping, port trust mode, port priority, flow filter, flow control, ACL |
| Traffic supervision | CAR (Committed Access Rate), LR (Line Rate) |
| Congestion management | FIFO, PQ, CQ, WFQ, CBQ, RTPQ |
| Congestion avoidance | WRED/RED |
| Traffic shaping | GTS (Generic Traffic Shaping) |
| Other QoS technologies | MPLS QoS, IPHC, subinterface QoS |
| Voice interfaces | FXS, FXO, E&M, E1VI/T1VI, BSV |
| Voice signaling | R2, DSS1 |
| SIP | SIP, SIP operation |
| Codecs | G.711 A-law, G.711 μ-law, G.723R53, G.723R63, G.729a, G.729R8, G.729bR8 |
| Media processing | RTP |
| Network management | SNMP v1/v2c/v3, MIB, syslog, RMON, NETCONF |
| Local management | Command line management, license management, file system management, auto-configuration, dual image |
| User access management | Console interface login, AUX interface login, TTY interface login, Telnet (VTY) login, SSH login, FTP login, XMODEM |
Appendix B Upgrading software
This section describes how to upgrade system software while the router is operating normally or when the router cannot correctly start up.
Software types
The following software types are available:
Boot ROM image—A .bin file that comprises a basic section and an extended section. The basic section is the minimum code that bootstraps the system. The extended section enables hardware initialization and provides system management menus. You can use these menus to load application software and the startup configuration file or manage files when the device cannot correctly start up.
Comware image—Includes the following image subcategories:
Boot image—A .bin file that contains the Linux operating system kernel. It provides process management, memory management, file system management, and the emergency shell.
System image—A .bin file that contains the minimum feature modules required for device operation and some basic features, including device management, interface management, configuration management, and routing. To have advanced features, you must purchase feature packages.
Feature package—Includes a set of advanced software features. Users purchase feature packages as needed.
Patch packages—Irregularly released packages for fixing bugs without rebooting the device. A patch package does not add new features or functions.
Comware software images that have been loaded are called "current software images." Comware images specified to load at the next startup are called "startup software images."
Boot ROM image, boot image, and system image are required for the system to work. These images might be released separately or as a whole in one .ipe package file. If an .ipe file is used, the system automatically decompresses the file, loads the .bin boot and system images and sets them as startup software images.
Upgrade methods
You can upgrade system software by using one of the following methods:
Upgrade method Remarks
Centralized devices upgrading from the CLI You must reboot the router to complete the upgrade. This method can interrupt ongoing network services.
Distributed devices upgrading from the CLI You must reboot the router to complete the upgrade. This method can interrupt ongoing network services.
Distributed devices ISSU This method upgrades the router with the least amount of downtime.
Managing files from the BootWare menu Use this method when the router cannot correctly start up.
Preparing for the upgrade
Before you upgrade system software, complete the following tasks:
Set up the upgrade environment as shown in Table 20.
Configure routes to make sure that the router and the file server can reach each other.
Run a TFTP or FTP server on the file server.
Log in to the CLI of the router through the console port.
Copy the upgrade file to the file server and correctly set the working directory on the TFTP or FTP server.
Make sure the upgrade has minimal impact on the network services. During the upgrade, the router cannot provide any services.
IMPORTANT:
In the BootWare menu, if you choose to download files over Ethernet, the Ethernet port must be GE0 on an MSR2003, MSR2004-24, MSR2004-48, MSR3012, MSR3024, MSR3044, and MSR3064 router, and must be M-GE0 on an MSR4060 and MSR4080 router.
Table 19 Storage media
Model Storage medium Path Router Types
MSR2003 Flash flash:/ Centralized devices
MSR2004-24 Flash flash:/ Centralized devices
MSR2004-48 Flash flash:/ Centralized devices
MSR3012 CF card cfa0:/ Centralized devices
MSR3024 CF card cfa0:/ Centralized devices
MSR3044 CF card cfa0:/ Centralized devices
MSR3064 CF card cfa0:/ Centralized devices
MSR4060 CF card cfa0:/ Centralized devices
MSR4080 CF card cfa0:/ Distributed devices
Figure 1 Set up the upgrade environment
Centralized devices upgrading from the CLI
You can use the TFTP or FTP commands on the router to access the TFTP or FTP server to back up or download files.
Saving the running configuration and verifying the storage space
1. Save the running configuration
<HPE>save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
Validating file. Please wait...
Configuration is saved to device successfully.
<HPE>
2. Identify the system software image and configuration file names and verify that the flash has sufficient space for the new system software image.
<HPE>dir
Directory of flash:
0 drw- - Aug 15 2012 12:03:13 diagfile
1 -rw- 84 Aug 15 2012 12:17:59 ifindex.dat
2 drw- - Aug 15 2012 12:03:14 license
3 drw- - Aug 15 2012 12:03:13 logfile
4 -rw- 11418624 Dec 15 2011 09:00:00 msr2000-cmw710-boot-a0005.bin
5 -rw- 1006592 Dec 15 2011 09:00:00 msr2000-cmw710-data-a0005.bin
6 -rw- 10240 Dec 15 2011 09:00:00 msr2000-cmw710-security-a0005.bin
7 -rw- 24067072 Dec 15 2011 09:00:00 msr2000-cmw710-system-a0005.bin
8 -rw- 1180672 Dec 15 2011 09:00:00 msr2000-cmw710-voice-a0005.bin
9 drw- - Aug 15 2012 12:03:13 seclog
10 -rw- 1632 Aug 15 2012 12:18:00 startup.cfg
11 -rw- 25992 Aug 15 2012 12:18:00 startup.mdb
262144 KB total (223992 KB free)
<HPE>
Downloading the image file to the router
Using TFTP
Download the system software image file (for example, msr2000.ipe) to the flash on the router.
<HPE>tftp 192.168.1.100 get msr2000.ipe
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 35.9M 100 35.9M 0 0 559k 0 0:01:05 0:01:05 --:--:-- 546k
<HPE>
Using FTP
1. From FTP client view, download the system software image file (for example, msr2000.ipe) to the CF card on the router.
ftp> get msr2000.ipe
msr2000.ipe already exists. Overwrite it? [Y/N]:y
227 Entering passive mode (192,168,1,100,5,20)
125 Using existing data connection
226 Closing data connection; File transfer successful.
37691392 bytes received in 17.7 seconds (2.03 Mbyte/s)
[ftp]
2. Return to user view.
[ftp]quit
221 Service closing control connection
<HPE>
Specifying the startup image file
1. Specify the msr2000.ipe file as the main image file at the next reboot.
<HPE>boot-loader file flash:/msr2000.ipe main
Images in IPE:
msr2000-cmw710-boot-a0005.bin
msr2000-cmw710-system-a0005.bin
msr2000-cmw710-security-a0005.bin
msr2000-cmw710-voice-a0005.bin
msr2000-cmw710-data-a0005.bin
This command will set the main startup software images. Continue? [Y/N]:y
Add images to the device.
Successfully copied flash:/msr2000-cmw710-boot-a0005.bin to
flash:/msr2000-cmw710-boot-a0005.bin.
Successfully copied flash:/msr2000-cmw710-system-a0005.bin to
flash:/msr2000-cmw710-system-a0005.bin.
Successfully copied flash:/msr2000-cmw710-security-a0005.bin to
flash:/msr2000-cmw710-security-a0005.bin.
Successfully copied flash:/msr2000-cmw710-voice-a0005.bin to
flash:/msr2000-cmw710-voice-a0005.bin.
Successfully copied flash:/msr2000-cmw710-data-a0005.bin to
flash:/msr2000-cmw710-data-a0005.bin.
The images that have passed all examinations will be used as the main startup software
images at the next reboot on the device.
<HPE>
2. Verify that the file has been loaded.
<HPE> display boot-loader
Software images on the device:
Current software images:
flash:/msr2000-cmw710-boot-a0004.bin
flash:/msr2000-cmw710-system-a0004.bin
flash:/msr2000-cmw710-security-a0004.bin
flash:/msr2000-cmw710-voice-a0004.bin
flash:/msr2000-cmw710-data-a0004.bin
Main startup software images:
flash:/msr2000-cmw710-boot-a0005.bin
flash:/msr2000-cmw710-system-a0005.bin
flash:/msr2000-cmw710-security-a0005.bin
flash:/msr2000-cmw710-voice-a0005.bin
flash:/msr2000-cmw710-data-a0005.bin
Backup startup software images:
None
<HPE>
Rebooting and completing the upgrade
1. Reboot the router.
<HPE>reboot
Start to check configuration with next startup configuration file, please
wait.........DONE!
This command will reboot the device. Continue? [Y/N]:y
Now rebooting, please wait...
<HPE>
System is starting...
2. After the reboot is complete, verify that the system software image is correct.
<HPE> display version
HPE Comware Software, Version 7.1.042, Release 000702
Copyright (c) 2010-2013 Hewlett-Packard Development Company, L.P.
HPE MSR2003 uptime is 0 weeks, 0 days, 13 hours, 23 minutes
Last reboot reason : User reboot
Boot image: flash:/msr2000-cmw710-boot-a0005.bin
Boot image version: 7.1.040, Alpha 0005
System image: flash:/msr2000-cmw710-system-a0005.bin
System image version: 7.1.040, Alpha 0005
CPU ID: 0x1
1G bytes DDR3 SDRAM Memory
2M bytes Flash Memory
PCB Version: 3.0
CPLD Version: 1.0
Basic BootWare Version: 1.04
Extended BootWare Version: 1.04
[SLOT 0]AUX (Hardware)3.0 (Driver)1.0, (Cpld)1.0
[SLOT 0]GE0/0 (Hardware)3.0 (Driver)1.0, (Cpld)1.0
[SLOT 0]GE0/1 (Hardware)3.0 (Driver)1.0, (Cpld)1.0
[SLOT 0]CELLULAR0/0 (Hardware)3.0 (Driver)1.0, (Cpld)1.0
<HPE>
Distributed devices upgrading from the CLI
You can use the TFTP or FTP commands on the router to access the TFTP or FTP server to back up or download files.
Display the slot number of the active MPU
Perform the display device command in any view to display the slot number of the active MPU. By default, the standby MPU automatically synchronizes the image files from the active MPU.
<HPE>display device
Slot No. Board Type Status Primary SubSlots
-----------------------------------------------------------------------------
0 MPU-100 Normal Master 0
1 MPU-100 Normal Standby 0
2 SPU-100 Normal N/A 10
<HPE>
Save the current configuration and verify the storage space
1. Perform the save command in any view to save the current configuration.
<HPE>save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[cfa0:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
Validating file. Please wait...
Configuration is saved to device successfully.
<HPE>
2. Perform the dir command in user view to identify the system software image and configuration file names and verify that the CF card has sufficient space for the new system software image.
<HPE>dir
Directory of cfa0:
0 drw- - Jan 07 2013 14:02:12 diagfile
1 -rw- 307 Jan 22 2013 17:02:02 ifindex.dat
2 drw- - Jan 07 2013 14:02:12 license
3 drw- - Jan 22 2013 13:42:00 logfile
4 -rw- 21412864 Jan 22 2013 16:49:00 MSR4000-cmw710-boot-r0005p01.bin
5 -rw- 1123328 Jan 22 2013 16:50:30 MSR4000-cmw710-data-r0005p01.bin
6 -rw- 11264 Jan 22 2013 16:50:26 MSR4000-cmw710-security-r0005p01.bin
7 -rw- 45056000 Jan 22 2013 16:49:34 MSR4000-cmw710-system-r0005p01.bin
8 -rw- 2746368 Jan 22 2013 16:50:26 MSR4000-cmw710-voice-r0005p01.bin
9 drw- - Jan 07 2013 14:02:12 seclog
10 -rw- 2166 Jan 22 2013 17:02:02 startup.cfg
11 -rw- 34425 Jan 22 2013 17:02:02 startup.mdb
507492 KB total (438688 KB free)
<HPE>
Download the image file to the router
Using TFTP
Perform the tftp get command in user view to download the system software image file (for example, msr4000.ipe) to the CF card on the router.
<HPE>tftp 192.168.1.100 get msr4000.ipe
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
45 67.0M 45 30.4M 0 0 792k 0 0:01:26 0:00:39 0:00:47 844k
100 67.0M 100 67.0M 0 0 772k 0 0:01:28 0:01:28 --:--:-- 745k
<HPE>
Using FTP
1. Perform the get command in FTP client view to download the system software image file msr4000.ipe to the CF card on the router.
ftp> get msr4000.ipe
msr4000.ipe already exists. Overwrite it? [Y/N]:y
227 Entering passive mode (192,168,1,100,5,20)
125 Using existing data connection
226 Closing data connection; File transfer successful.
37691392 bytes received in 17.7 seconds (2.03 Mbyte/s)
[ftp]
2. Perform the quit command in FTP client view to return to user view.
[ftp]quit
221 Service closing control connection
<HPE>
Copy the image file to the CF card root directory of the standby MPU
<HPE> copy msr4000.ipe slot1#cfa0:/
Copy cfa0:/msr4000.ipe to slot1#cfa0:/msr4000.ipe?[Y/N]:y
Copying file cfa0:/msr4000.ipe to slot1#cfa0:/ msr4000.ipe...Done.
Specifying the startup image file
1. Perform the boot-loader command in user view to specify the msr4000.ipe file as the main image file for the active MPU on slot 0 at the next reboot.
<HPE>boot-loader file flash:/msr4000.ipe slot 0 main
Images in IPE:
msr4000-cmw710-boot-a0005.bin
msr4000-cmw710-system-a0005.bin
msr4000-cmw710-security-a0005.bin
msr4000-cmw710-voice-a0005.bin
msr4000-cmw710-data-a0005.bin
This command will set the main startup software images. Continue? [Y/N]:y
Add images to the device.
Successfully copied flash:/msr4000-cmw710-boot-a0005.bin to
cfa0:/msr4000-cmw710-boot-a0005.bin.
Successfully copied flash:/msr4000-cmw710-system-a0005.bin to
cfa0:/msr4000-cmw710-system-a0005.bin.
Successfully copied flash:/msr4000-cmw710-security-a0005.bin to
cfa0:/msr4000-cmw710-security-a0005.bin.
Successfully copied flash:/msr4000-cmw710-voice-a0005.bin to
cfa0:/msr4000-cmw710-voice-a0005.bin.
Successfully copied flash:/msr4000-cmw710-data-a0005.bin to
cfa0:/msr4000-cmw710-data-a0005.bin.
The images that have passed all examinations will be used as the main startup software
images at the next reboot on the device.
<HPE>
2. Perform the boot-loader command in user view to specify the msr4000.ipe file as the main image file for the standby MPU on slot 1 at the next reboot.
<HPE>boot-loader file flash:/msr4000.ipe slot 1 main
Images in IPE:
msr4000-cmw710-boot-a0005.bin
msr4000-cmw710-system-a0005.bin
msr4000-cmw710-security-a0005.bin
msr4000-cmw710-voice-a0005.bin
msr4000-cmw710-data-a0005.bin
This command will set the main startup software images. Continue? [Y/N]:y
Add images to the device.
Successfully copied flash:/msr4000-cmw710-boot-a0005.bin to
cfa0:/msr4000-cmw710-boot-a0005.bin.
Successfully copied flash:/msr4000-cmw710-system-a0005.bin to
cfa0:/msr4000-cmw710-system-a0005.bin.
Successfully copied flash:/msr4000-cmw710-security-a0005.bin to
cfa0:/msr4000-cmw710-security-a0005.bin.
Successfully copied flash:/msr4000-cmw710-voice-a0005.bin to
cfa0:/msr4000-cmw710-voice-a0005.bin.
Successfully copied flash:/msr4000-cmw710-data-a0005.bin to
cfa0:/msr4000-cmw710-data-a0005.bin.
The images that have passed all examinations will be used as the main startup software
images at the next reboot on the device.
<HPE>
3. Perform the display boot-loader command in user view to verify that the file has been loaded.
<HPE> display boot-loader
Software images on slot 0:
Current software images:
cfa0:/MSR4000-cmw710-boot-a0004.bin
cfa0:/MSR4000-cmw710-system-a0004.bin
cfa0:/MSR4000-cmw710-security-a0004.bin
cfa0:/MSR4000-cmw710-voice-a0004.bin
cfa0:/MSR4000-cmw710-data-a0004.bin
Main startup software images:
cfa0:/MSR4000-cmw710-boot-a0005.bin
cfa0:/MSR4000-cmw710-system-a0005.bin
cfa0:/MSR4000-cmw710-security-a0005.bin
cfa0:/MSR4000-cmw710-voice-a0005.bin
cfa0:/MSR4000-cmw710-data-a0005.bin
Backup startup software images:
None
Software images on slot 1:
Current software images:
cfa0:/MSR4000-cmw710-boot-r0005p01.bin
cfa0:/MSR4000-cmw710-system-r0005p01.bin
cfa0:/MSR4000-cmw710-security-r0005p01.bin
cfa0:/MSR4000-cmw710-voice-r0005p01.bin
cfa0:/MSR4000-cmw710-data-r0005p01.bin
Main startup software images:
cfa0:/MSR4000-cmw710-boot-r0005p01.bin
cfa0:/MSR4000-cmw710-system-r0005p01.bin
cfa0:/MSR4000-cmw710-security-r0005p01.bin
cfa0:/MSR4000-cmw710-voice-r0005p01.bin
cfa0:/MSR4000-cmw710-data-r0005p01.bin
Backup startup software images:
None
Rebooting and completing the upgrade
1. Perform the reboot command in user view to reboot the router.
<HPE>reboot
Start to check configuration with next startup configuration file, please
wait.........DONE!
This command will reboot the device. Continue? [Y/N]:y
Now rebooting, please wait...
<HPE>
System is starting..
2. After the reboot is complete, perform the display version command to verify that the system software image is correct.
<HPE> display version
HPE Comware Software, Version 7.1.042, Release 000702
Copyright (c) 2010-2013 Hewlett-Packard Development Company, L.P.
HPE MSR4060 uptime is 0 weeks, 0 days, 11 hours, 49 minutes
Last reboot reason : Power on
Boot image: cfa0:/MSR4000-cmw710-boot-a0005.bin
Boot image version: 7.1.040, Alpha 0005
System image: cfa0:/MSR4000-cmw710-system-a0005.bin
System image version: 7.1.040, Alpha 0005
Feature image(s) list:
cfa0:/MSR4000-cmw710-security-a0005.bin, version: 7.1.040
cfa0:/MSR4000-cmw710-voice-a0005.bin, version: 7.1.040
cfa0:/MSR4000-cmw710-data-a0005.bin, version: 7.1.040
Slot 0: MPU-100 uptime is 0 week, 0 day, 1 hour, 20 minutes
Last reboot reason : Power on
CPU ID: 0x3
2G bytes DDR3 SDRAM Memory
8M bytes Flash Memory
PCB Version: 2.0
CPLD Version: 1.0
Basic BootWare Version: 1.04
Extended BootWare Version: 1.04
[SUBSLOT 0]CON (Hardware)2.0 (Driver)1.0, (Cpld)1.0
[SUBSLOT 0]AUX (Hardware)2.0 (Driver)1.0, (Cpld)1.0
[SUBSLOT 0]MGE0 (Hardware)2.0 (Driver)1.0, (Cpld)1.0
Slot 1: MPU-100 uptime is 0 week, 0 day, 1 hour, 8 minutes
Last reboot reason : User reboot
CPU ID: 0x3
2G bytes DDR3 SDRAM Memory
8M bytes Flash Memory
PCB Version: 2.0
CPLD Version: 1.0
Basic BootWare Version: 1.05
Extended BootWare Version: 1.05
[SUBSLOT 0]CON (Hardware)2.0 (Driver)1.0, (Cpld)1.0
[SUBSLOT 0]AUX (Hardware)2.0 (Driver)1.0, (Cpld)1.0
[SUBSLOT 0]MGE0 (Hardware)2.0 (Driver)1.0, (Cpld)1.0
Slot 2: SPU-100 uptime is 0 week, 0 day, 1 hour, 19 minutes
Last reboot reason : Power on
CPU ID: 0x5
2G bytes DDR3 SDRAM Memory
8M bytes Flash Memory
PCB Version: 2.0
CPLD Version: 1.0
Basic BootWare Version: 1.02
Extended BootWare Version: 1.02
[SUBSLOT 0]GE2/0/0 (Hardware)2.0 (Driver)1.0, (Cpld)1.0
[SUBSLOT 0]GE2/0/1 (Hardware)2.0 (Driver)1.0, (Cpld)1.0
[SUBSLOT 0]GE2/0/2 (Hardware)2.0 (Driver)1.0, (Cpld)1.0
[SUBSLOT 0]GE2/0/3 (Hardware)2.0 (Driver)1.0, (Cpld)1.0
[SUBSLOT 0]CELLULAR2/0/0 (Hardware)2.0 (Driver)1.0, (Cpld)1.0
[SUBSLOT 0]CELLULAR2/0/1 (Hardware)2.0 (Driver)1.0, (Cpld)1.0
[SUBSLOT 1]HMIM-4SAE (Hardware)3.0 (Driver)1.0, (Cpld)4.0
Distributed devices ISSU
The In-Service Software Upgrade (ISSU) function enables software upgrade with the least amount of downtime.
To implement ISSU of a distributed device, use these guidelines:
Make sure the device has two MPUs.
Upgrade the standby MPU first to form a new forwarding plane and a new control plane.
Upgrade the active MPU after the standby MPU operates correctly. The standby MPU will synchronize data and configuration from the active MPU and take over the forwarding and control functions.
Disabling the standby MPU auto-update function
When you upgrade the active MPU of a dual-MPU distributed device, the standby MPU auto-update function automatically upgrades the standby MPU by default. To use ISSU, you must disable the function.
To disable the standby MPU auto-update function:
1. View the roles of the MPUs.
<HPE>display device
Slot No. Board Type Status Primary SubSlots
-----------------------------------------------------------------------------
0 MPU-100 Normal Master 0
1 MPU-100 Normal Standby 0
2 SPU-100 Normal N/A 10
<HPE>
The output shows that the MPU in slot 0 is the active MPU.
2. Disable the standby MPU auto-update function.
<HPE>system-view
[Sysname]version check ignore
[Sysname]undo version auto-update enable
Saving the running configuration and verifying the storage space
1. Save the running configuration.
<HPE>save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[cfa0:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
Validating file. Please wait...
Configuration is saved to device successfully.
<HPE>
2. Check the storage space.
<HPE>dir
Directory of cfa0:
0 drw- - Jan 07 2014 14:02:12 diagfile
1 -rw- 307 Jan 22 2014 17:02:02 ifindex.dat
2 drw- - Jan 07 2014 14:02:12 license
3 drw- - Jan 22 2014 13:42:00 logfile
4 -rw- 20050944 Jan 10 2014 09:06:48 msr4000-cmw710-boot-e010204.bin
5 -rw- 2001920 Jan 10 2014 09:08:28 msr4000-cmw710-data-e010204.bin
6 -rw- 11264 Jan 10 2014 09:08:18 msr4000-cmw710-security-e010204.bin
7 -rw- 61538304 Jan 10 2014 09:07:36 msr4000-cmw710-system-e010204.bin
8 -rw- 3232768 Jan 10 2014 09:08:22 msr4000-cmw710-voice-e010204.bin
9 drw- - Jan 07 2014 14:02:12 seclog
10 -rw- 2166 Jan 22 2014 17:02:02 startup.cfg
11 -rw- 34425 Jan 22 2014 17:02:02 startup.mdb
507492 KB total (438688 KB free)
<HPE>
The output shows that the CF card has 438688 KB of free storage space. If the free space on the CF card is not sufficient for the upgrade image, delete unused files.
Downloading the upgrade image file to the router
Using TFTP
Download the upgrade image file (for example, msr4000.ipe) to the CF card on the router.
<HPE>tftp 192.168.1.100 get msr4000.ipe
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
45 67.0M 45 30.4M 0 0 792k 0 0:01:26 0:00:39 0:00:47 844k
100 67.0M 100 67.0M 0 0 772k 0 0:01:28 0:01:28 --:--:-- 745k
<HPE>
Using FTP
1. From FTP client view, download the upgrade image file (for example, msr4000.ipe) to the CF card on the router.
ftp> get msr4000.ipe
msr4000.ipe already exists. Overwrite it? [Y/N]:y
227 Entering passive mode (192,168,1,100,5,20)
125 Using existing data connection
226 Closing data connection; File transfer successful.
37691392 bytes received in 17.7 seconds (2.03 Mbyte/s)
[ftp]
2. Return to user view.
[ftp]quit
221 Service closing control connection
<HPE>
Copying the image file to the root directory of the CF card on the standby MPU
<HPE> copy msr4000.ipe slot1#cfa0:/
Copy cfa0:/msr4000.ipe to slot1#cfa0:/msr4000.ipe?[Y/N]:y
Copying file cfa0:/msr4000.ipe to slot1#cfa0:/ msr4000.ipe...Done.
Upgrading the standby MPU
1. Specify the msr4000.ipe file as the main startup image file for the standby MPU.
<HPE>boot-loader file msr4000.ipe slot 1 main
Verifying the IPE file and the images......Done.
HPE MSR4060 images in IPE:
msr4000-cmw710-boot-e010305.bin
msr4000-cmw710-system-e010305.bin
msr4000-cmw710-security-e010305.bin
msr4000-cmw710-voice-e010305.bin
msr4000-cmw710-data-e010305.bin
This command will set the main startup software images. Continue? [Y/N]:y
Add images to slot 1.
Decompressing file msr4000-cmw710-boot-e010305.bin to slot1#cfa0:/msr4000-cmw710-boot-e010305.bin...............Done.
Decompressing file msr4000-cmw710-system-e010305.bin to slot1#cfa0:/msr4000-cmw710-system-e010305.bin...............................................Done.
Decompressing file msr4000-cmw710-security-e010305.bin to slot1#cfa0:/msr4000-cmw710-security-e010305.bin...Done.
Decompressing file msr4000-cmw710-voice-e010305.bin to slot1#cfa0:/msr4000-cmw710-voice-e010305.bin....Done.
Decompressing file msr4000-cmw710-data-e010305.bin to slot1#cfa0:/msr4000-cmw710-data-e010305.bin...Done.
The images that have passed all examinations will be used as the main startup software images at the next reboot on slot 1.
2. Reboot the standby MPU.
<HPE>reboot slot 1
This command will reboot the specified slot, Continue? [Y/N]:y
Now rebooting, please wait...
3. After the standby MPU starts up, verify the startup image files.
<HPE>display boot-loader
Software images on slot 0:
Current software images:
cfa0:/msr4000-cmw710-boot-e010204.bin
cfa0:/msr4000-cmw710-system-e010204.bin
cfa0:/msr4000-cmw710-security-e010204.bin
cfa0:/msr4000-cmw710-voice-e010204.bin
cfa0:/msr4000-cmw710-data-e010204.bin
Main startup software images:
cfa0:/msr4000-cmw710-boot-e010204.bin
cfa0:/msr4000-cmw710-system-e010204.bin
cfa0:/msr4000-cmw710-security-e010204.bin
cfa0:/msr4000-cmw710-voice-e010204.bin
cfa0:/msr4000-cmw710-data-e010204.bin
Backup startup software images:
cfa0:/msr4000-cmw710-boot-e010203.bin
cfa0:/msr4000-cmw710-system-e010203.bin
cfa0:/msr4000-cmw710-security-e010203.bin
cfa0:/msr4000-cmw710-voice-e010203.bin
cfa0:/msr4000-cmw710-data-e010203.bin
Software images on slot 1:
Current software images:
cfa0:/msr4000-cmw710-boot-e010305.bin
cfa0:/msr4000-cmw710-system-e010305.bin
cfa0:/msr4000-cmw710-security-e010305.bin
cfa0:/msr4000-cmw710-voice-e010305.bin
cfa0:/msr4000-cmw710-data-e010305.bin
Main startup software images:
cfa0:/msr4000-cmw710-boot-e010305.bin
cfa0:/msr4000-cmw710-system-e010305.bin
cfa0:/msr4000-cmw710-security-e010305.bin
cfa0:/msr4000-cmw710-voice-e010305.bin
cfa0:/msr4000-cmw710-data-e010305.bin
Backup startup software images:
cfa0:/msr4000-cmw710-boot-e010203.bin
cfa0:/msr4000-cmw710-system-e010203.bin
cfa0:/msr4000-cmw710-security-e010203.bin
cfa0:/msr4000-cmw710-voice-e010203.bin
cfa0:/msr4000-cmw710-data-e010203.bin
The output shows that the standby MPU is running the new images.
Upgrading the active MPU
1. Specify the msr4000.ipe file as the main startup image file for the active MPU.
<HPE>boot-loader file msr4000.ipe slot 0 main
Verifying the IPE file and the images......Done.
HPE MSR4060 images in IPE:
msr4000-cmw710-boot-e010305.bin
msr4000-cmw710-system-e010305.bin
msr4000-cmw710-security-e010305.bin
msr4000-cmw710-voice-e010305.bin
msr4000-cmw710-data-e010305.bin
This command will set the main startup software images. Continue? [Y/N]:y
Add images to slot 0.
Decompressing file msr4000-cmw710-boot-e010305.bin to cfa0:/msr4000-cmw710-boot-e010305.bin...............Done.
Decompressing file msr4000-cmw710-system-e010305.bin to cfa0:/msr4000-cmw710-system-e010305.bin..............................................Done.
Decompressing file msr4000-cmw710-security-e010305.bin to cfa0:/msr4000-cmw710-security-e010305.bin...Done.
Decompressing file msr4000-cmw710-voice-e010305.bin to cfa0:/msr4000-cmw710-voice-e010305.bin....Done.
Decompressing file msr4000-cmw710-data-e010305.bin to cfa0:/msr4000-cmw710-data-e010305.bin...Done.
The images that have passed all examinations will be used as the main startup software images at the next reboot on slot 0.
2. Reboot the active MPU.
<HPE>reboot slot 0
This command will reboot the specified slot, Continue? [Y/N]:y
Now rebooting, please wait...
The standby MPU takes over the forwarding and controlling functions before the active MPU reboots.
3. After the active MPU starts up, verify the startup image files.
<HPE>display boot-loader
Software images on slot 0:
Current software images:
cfa0:/msr4000-cmw710-boot-e010305.bin
cfa0:/msr4000-cmw710-system-e010305.bin
cfa0:/msr4000-cmw710-security-e010305.bin
cfa0:/msr4000-cmw710-voice-e010305.bin
cfa0:/msr4000-cmw710-data-e010305.bin
Main startup software images:
cfa0:/msr4000-cmw710-boot-e010305.bin
cfa0:/msr4000-cmw710-system-e010305.bin
cfa0:/msr4000-cmw710-security-e010305.bin
cfa0:/msr4000-cmw710-voice-e010305.bin
cfa0:/msr4000-cmw710-data-e010305.bin
Backup startup software images:
cfa0:/msr4000-cmw710-boot-e010203.bin
cfa0:/msr4000-cmw710-system-e010203.bin
cfa0:/msr4000-cmw710-security-e010203.bin
cfa0:/msr4000-cmw710-voice-e010203.bin
cfa0:/msr4000-cmw710-data-e010203.bin
Software images on slot 1:
Current software images:
cfa0:/msr4000-cmw710-boot-e010305.bin
cfa0:/msr4000-cmw710-system-e010305.bin
cfa0:/msr4000-cmw710-security-e010305.bin
cfa0:/msr4000-cmw710-voice-e010305.bin
cfa0:/msr4000-cmw710-data-e010305.bin
Main startup software images:
cfa0:/msr4000-cmw710-boot-e010305.bin
cfa0:/msr4000-cmw710-system-e010305.bin
cfa0:/msr4000-cmw710-security-e010305.bin
cfa0:/msr4000-cmw710-voice-e010305.bin
cfa0:/msr4000-cmw710-data-e010305.bin
Backup startup software images:
cfa0:/msr4000-cmw710-boot-e010203.bin
cfa0:/msr4000-cmw710-system-e010203.bin
cfa0:/msr4000-cmw710-security-e010203.bin
cfa0:/msr4000-cmw710-voice-e010203.bin
cfa0:/msr4000-cmw710-data-e010203.bin
4. Perform the display boot-loader command in user view to verify that the file has been loaded.
<HPE> display boot-loader
Software images on slot 0:
Current software images:
cfa0:/MSR4000-cmw710-boot-r0005p01.bin
cfa0:/MSR4000-cmw710-system-r0005p01.bin
cfa0:/MSR4000-cmw710-security-r0005p01.bin
cfa0:/MSR4000-cmw710-voice-r0005p01.bin
cfa0:/MSR4000-cmw710-data-r0005p01.bin
Main startup software images:
cfa0:/MSR4000-cmw710-boot-a0005.bin
cfa0:/MSR4000-cmw710-system-a0005.bin
cfa0:/MSR4000-cmw710-security-a0005.bin
cfa0:/MSR4000-cmw710-voice-a0005.bin
cfa0:/MSR4000-cmw710-data-a0005.bin
Backup startup software images:
None
Software images on slot 1:
Current software images:
cfa0:/MSR4000-cmw710-boot-r0005p01.bin
cfa0:/MSR4000-cmw710-system-r0005p01.bin
cfa0:/MSR4000-cmw710-security-r0005p01.bin
cfa0:/MSR4000-cmw710-voice-r0005p01.bin
cfa0:/MSR4000-cmw710-data-r0005p01.bin
Main startup software images:
cfa0:/MSR4000-cmw710-boot-r0005p01.bin
cfa0:/MSR4000-cmw710-system-r0005p01.bin
cfa0:/MSR4000-cmw710-security-r0005p01.bin
cfa0:/MSR4000-cmw710-voice-r0005p01.bin
cfa0:/MSR4000-cmw710-data-r0005p01.bin
Backup startup software images:
None
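The verification steps above leave it to the operator to eyeball the display boot-loader listings. The following check, an added example rather than HPE code or output, parses the per-slot Current / Main startup / Backup startup listings and flags a slot whose running images differ from its main startup images, a missing boot or system image, or MPUs left on different releases (a half-upgraded chassis). The sample listings are constructed in the page's layout from the version tags shown in the procedure; the image-name pattern <platform>-cmw710-<type>-<version>.bin is assumed from those file names.

```python
"""Post-upgrade consistency check for 'display boot-loader' output.

Parses the per-slot Current / Main startup / Backup startup listings the
ISSU procedure tells you to inspect and flags a slot whose running images
differ from its main startup images, a missing boot or system image, or
MPUs running different releases (a half-upgraded chassis).
"""
import re

_SLOT_RE = re.compile(r"^Software images on (slot \d+|the device):$")
_SECTIONS = {
    "Current software images:": "current",
    "Main startup software images:": "main",
    "Backup startup software images:": "backup",
}
# Image names on the page follow <platform>-cmw710-<type>-<version>.bin,
# with version tags such as a0005, r0005p01 or e010305 (assumed pattern).
_IMAGE_RE = re.compile(r"-cmw710-([a-z]+)-([a-z0-9]+)\.bin$", re.IGNORECASE)
_TYPES = ("boot", "system", "security", "voice", "data")


def parse_boot_loader(text):
    """Return {slot: {"current": [...], "main": [...], "backup": [...]}}."""
    slots, slot, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<"):      # blank line or CLI prompt
            continue
        m = _SLOT_RE.match(line)
        if m:
            slot = m.group(1)
            slots[slot] = {"current": [], "main": [], "backup": []}
            section = None
        elif line in _SECTIONS:
            section = _SECTIONS[line]
        elif slot is not None and section is not None and line != "None":
            slots[slot][section].append(line)
    return slots


def image_parts(path):
    """('boot', 'e010305') for '.../msr4000-cmw710-boot-e010305.bin', else None."""
    m = _IMAGE_RE.search(path)
    return (m.group(1).lower(), m.group(2).lower()) if m else None


def check_upgrade(slots, required=("boot", "system")):
    """Return a list of findings; an empty list means the upgrade is consistent."""
    findings, versions = [], {}
    for slot, imgs in slots.items():
        if imgs["current"] != imgs["main"]:
            findings.append(f"{slot}: running images differ from main startup images")
        parts = [p for p in map(image_parts, imgs["current"]) if p]
        types = {t for t, _ in parts}
        for t in required:
            if t not in types:
                findings.append(f"{slot}: no {t} image among current software images")
        tags = {v for _, v in parts}
        if len(tags) != 1:
            findings.append(f"{slot}: expected one image version, found {sorted(tags)}")
        versions[slot] = tags.pop() if len(tags) == 1 else None
    if len(set(versions.values())) > 1:
        findings.append(f"version mismatch across slots: {versions}")
    return findings


def sample_output(slot_tags):
    """Construct CLI text in the page's layout from {slot: (current, main, backup) tags}."""
    lines = []
    for slot, (cur, main, bak) in slot_tags.items():
        lines.append(f"Software images on {slot}:")
        for label, tag in (("Current", cur), ("Main startup", main), ("Backup startup", bak)):
            lines.append(f"{label} software images:")
            if tag is None:                        # the CLI prints a literal 'None'
                lines.append("None")
            else:
                lines.extend(f"cfa0:/msr4000-cmw710-{t}-{tag}.bin" for t in _TYPES)
    return "\n".join(lines)


# Constructed samples mirroring the three states shown in the procedure.
# Right after 'boot-loader file ... slot 0 main', before any reboot.
PRE_REBOOT = sample_output({"slot 0": ("r0005p01", "a0005", None),
                            "slot 1": ("r0005p01", "r0005p01", None)})
# Step 3 of "Upgrading the standby MPU": slot 1 on e010305, slot 0 still on e010204.
AFTER_STANDBY = sample_output({"slot 0": ("e010204", "e010204", "e010203"),
                               "slot 1": ("e010305", "e010305", "e010203")})
# Step 3 of "Upgrading the active MPU": both MPUs on e010305.
AFTER_ACTIVE = sample_output({"slot 0": ("e010305", "e010305", "e010203"),
                              "slot 1": ("e010305", "e010305", "e010203")})

if __name__ == "__main__":
    for name, text in (("pre-reboot", PRE_REBOOT), ("after standby", AFTER_STANDBY),
                       ("after active", AFTER_ACTIVE)):
        findings = check_upgrade(parse_boot_loader(text))
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Pasting a real display boot-loader capture into parse_boot_loader works the same way; the centralized "Software images on the device:" form is handled as a single slot.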
Upgrading from the BootWare menu
You can use the following methods to upgrade software from the BootWare menu:
Using TFTP/FTP to upgrade software through an Ethernet port
Using XMODEM to upgrade software through the console port
Accessing the BootWare menu
1. Power on the router (for example, an HPE MSR2003 router). The following information is displayed:
System is starting...
Press Ctrl+D to access BASIC-BOOTWARE MENU...
Booting Normal Extended BootWare
The Extended BootWare is self-decompressing....Done.
****************************************************************************
* *
* HPE MSR2003 BootWare, Version 1.20 *
* *
****************************************************************************
Copyright (c) 2010-2013 Hewlett-Packard Development Company, L.P.
Compiled Date : Jun 22 2013
CPU ID : 0x1
Memory Type : DDR3 SDRAM
Memory Size : 1024MB
Flash Size : 2MB
Nand Flash size : 256MB
CPLD Version : 2.0
PCB Version : 3.0
BootWare Validating...
Press Ctrl+B to access EXTENDED-BOOTWARE MENU...
2. Press Ctrl + B to access the BootWare menu.
Password recovery capability is enabled.
Note: The current operating device is flash
Enter < Storage Device Operation > to select device.
===========================<EXTEND-BOOTWARE MENU>===========================
|<1> Boot System |
|<2> Enter Serial SubMenu |
|<3> Enter Ethernet SubMenu |
|<4> File Control |
|<5> Restore to Factory Default Configuration |
|<6> Skip Current System Configuration |
|<7> BootWare Operation Menu |
|<8> Skip authentication for console login |
|<9> Storage Device Operation |
|<0> Reboot |
============================================================================
Ctrl+Z: Access EXTENDED ASSISTANT MENU
Ctrl+F: Format File System
Enter your choice(0-9):
Table 20 BootWare menu options
Item Description
<1> Boot System Boot the system software image.
<2> Enter Serial SubMenu Access the Serial submenu (see Table 23) for upgrading system software through the console port or changing the serial port settings.
<3> Enter Ethernet SubMenu Access the Ethernet submenu (see Table 21) for upgrading system software through an Ethernet port or changing Ethernet settings.
<4> File Control Access the File Control submenu (see Table 24) to retrieve and manage the files stored on the router.
<5> Restore to Factory Default Configuration Delete the next-startup configuration files and load the factory-default configuration.
<6> Skip Current System Configuration Start the router with the factory default configuration. This is a one-time operation and does not take effect at the next reboot. Use this option when you forget the console login password.
<7> BootWare Operation Menu Access the BootWare Operation menu for backing up, restoring, or upgrading BootWare. When you upgrade the system software image, BootWare is automatically upgraded. HPE does not recommend upgrading BootWare separately. This document does not cover using the BootWare Operation menu.
<8> Skip authentication for console login Clear all the authentication schemes on the console port.
<9> Storage Device Operation Access the Storage Device Operation menu to manage storage devices. Using this option is beyond the scope of this chapter.
<0> Reboot Restart the router.
Using TFTP/FTP to upgrade software through an Ethernet port
1. Enter 3 in the BootWare menu to access the Ethernet submenu.
===============================<File CONTROL>===============================
|Note:the operating device is flash |
|<1> Download Image Program To SDRAM And Run |
|<2> Update Main Image File |
|<3> Update Backup Image File |
|<4> Download Files(*.*) |
|<5> Modify Ethernet Parameter |
|<0> Exit To Main Menu |
============================================================================
Enter your choice(0-4):
Table 21 Ethernet submenu options
Item Description
<1> Download Application Program To SDRAM And Run
Download a system software image to the SDRAM and run the image.
<2> Update Main Image File Upgrade the main system software image.
<3> Update Backup Image File Upgrade the backup system software image.
<4> Download Files(*.*) Download a system software image to the Flash or CF card.
<5> Modify Ethernet Parameter Modify network settings.
<0> Exit To Main Menu Return to the BootWare menu.
2. Enter 5 to configure the network settings.
=========================<ETHERNET PARAMETER SET>=========================
|Note: '.' = Clear field. |
| '-' = Go to previous field. |
| Ctrl+D = Quit. |
==========================================================================
Protocol (FTP or TFTP) :ftp
Load File Name :msr2000.ipe
:
Target File Name :msr2000.ipe
:
Server IP Address :192.168.1.1
Local IP Address :192.168.1.100
Subnet Mask :255.255.255.0
Gateway IP Address :0.0.0.0
FTP User Name :user001
FTP User Password :********
Table 22 Network parameter fields and shortcut keys
Field Description
'.' = Clear field Press a dot (.) and then Enter to clear the setting for a field.
'-' = Go to previous field Press a hyphen (-) and then Enter to return to the previous field.
Ctrl+D = Quit Press Ctrl + D to exit the Ethernet Parameter Set menu.
Protocol (FTP or TFTP) Set the file transfer protocol to FTP or TFTP.
Load File Name Set the name of the file to be downloaded.
Target File Name Set a file name for saving the file on the router. By default, the target file name is the same as the source file name.
Server IP Address Set the IP address of the FTP or TFTP server. If a mask must be set, use a colon (:) to separate the mask length from the IP address. For example, 192.168.80.10:24.
Local IP Address Set the IP address of the router.
Subnet Mask Subnet Mask of the local IP address.
Gateway IP Address Set a gateway IP address if the router is on a different network than the server.
FTP User Name Set the username for accessing the FTP server. This username must be the same as configured on the FTP server. This field is not available for TFTP.
FTP User Password Set the password for accessing the FTP server. This password must be the same as configured on the FTP server. This field is not available for TFTP.
3. Select an option in the Ethernet submenu to upgrade a system software image. For example, enter 2 to upgrade the main system software image.
Loading.....................................................................
............................................................................
............................................................................
.........................................Done.
37691392 bytes downloaded!
The file is exist,will you overwrite it? [Y/N]Y
Image file msr2000-cmw710-boot-a0005.bin is self-decompressing...
Saving file flash:/msr2000-cmw710-boot-a0005.bin .............................
......Done.
Image file msr2000-cmw710-system-a0005.bin is self-decompressing...
Saving file flash:/msr2000-cmw710-system-a0005.bin ...........................
.........................................Done.
Image file msr2000-cmw710-security-a0005.bin is self-decompressing...
Saving file flash:/msr2000-cmw710-security-a0005.bin Done.
Image file msr2000-cmw710-voice-a0005.bin is self-decompressing...
Saving file flash:/msr2000-cmw710-voice-a0005.bin ......Done.
Image file msr2000-cmw710-data-a0005.bin is self-decompressing...
Saving file flash:/msr2000-cmw710-data-a0005.bin ..Done.
==========================<Enter Ethernet SubMenu>==========================
|Note:the operating device is flash |
|<1> Download Image Program To SDRAM And Run |
|<2> Update Main Image File |
|<3> Update Backup Image File |
|<4> Download Files(*.*) |
|<5> Modify Ethernet Parameter |
|<0> Exit To Main Menu |
|<Ensure The Parameter Be Modified Before Downloading!> |
============================================================================
Enter your choice(0-4):
4. Enter 0 to return to the BootWare menu.
===========================<EXTEND-BOOTWARE MENU>===========================
|<1> Boot System |
|<2> Enter Serial SubMenu |
|<3> Enter Ethernet SubMenu |
|<4> File Control |
|<5> Modify BootWare Password |
|<6> Skip Current System Configuration |
|<7> BootWare Operation Menu |
|<8> Skip authentication for console login |
|<9> Storage Device Operation |
|<0> Reboot |
============================================================================
Enter your choice(0-9):
5. Enter 1 to boot the system.
Loading the main image files...
Loading file flash:/msr2000-cmw710-system-a0005.bin..........................
Done.
Loading file flash:/msr2000-cmw710-boot-a0005.bin..............Done.
Image file flash:/msr2000-cmw710-boot-a0005.bin is self-decompressing.........
.....Done.
System image is starting...
Line aux0 is available.
Press ENTER to get started.
Using XMODEM to upgrade software through the console port
1. Enter 2 in the BootWare menu to access the Serial submenu.
===========================<Enter Serial SubMenu>===========================
|Note:the operating device is flash |
|<1> Download Image Program To SDRAM And Run |
|<2> Update Main Image File |
|<3> Update Backup Image File |
|<4> Download Files(*.*) |
|<5> Modify Serial Interface Parameter |
|<0> Exit To Main Menu |
============================================================================
Enter your choice(0-4):
Table 23 Serial submenu options
Item Description
<1> Download Application Program To SDRAM And Run Download an application to SDRAM through the serial port and run the program.
<2> Update Main Image File Upgrade the main system software image.
<3> Update Backup Image File Upgrade the backup system software image.
<4> Download Files(*.*) Download a system software image to the Flash or CF card.
<5> Modify Serial Interface Parameter Modify serial port parameters.
<0> Exit To Main Menu Return to the BootWare menu.
2. Select an appropriate baud rate for the console port. For example, enter 5 to select 115200 bps.
===============================<BAUDRATE SET>===============================
|Note:'*'indicates the current baudrate |
| Change The HyperTerminal's Baudrate Accordingly |
|---------------------------<Baudrate Available>---------------------------|
|<1> 9600(Default)* |
|<2> 19200 |
|<3> 38400 |
|<4> 57600 |
|<5> 115200 |
|<0> Exit |
============================================================================
Enter your choice(0-5):
The following messages appear:
Baudrate has been changed to 115200 bps.
Please change the terminal's baudrate to 115200 bps, press ENTER when ready.
NOTE:
Typically the size of a .bin file is over 10 MB. Even at 115200 bps, the download takes about 30 minutes.
3. Select Call > Disconnect in the HyperTerminal window to disconnect the terminal from the router.
Figure 2 Disconnect the terminal connection
NOTE:
If the baud rate of the console port is 9600 bps, jump to step 9.
4. Select File > Properties, and in the Properties dialog box, click Configure.
Figure 3 Properties dialog box
5. Select 115200 from the Bits per second list and click OK.
Figure 4 Modify the baud rate
6. Select Call > Call to reestablish the connection.
Figure 5 Reestablish the connection
7. Press Enter.
The following menu appears:
The current baudrate is 115200 bps
===============================<BAUDRATE SET>===============================
|Note:'*'indicates the current baudrate |
| Change The HyperTerminal's Baudrate Accordingly |
|---------------------------<Baudrate Available>---------------------------|
|<1> 9600(Default) |
|<2> 19200 |
|<3> 38400 |
|<4> 57600 |
|<5> 115200* |
|<0> Exit |
============================================================================
Enter your choice(0-5):
8. Enter 0 to return to the Serial submenu.
===========================<Enter Serial SubMenu>===========================
|Note:the operating device is flash |
|<1> Download Image Program To SDRAM And Run |
|<2> Update Main Image File |
|<3> Update Backup Image File |
|<4> Download Files(*.*) |
|<5> Modify Serial Interface Parameter |
|<0> Exit To Main Menu |
============================================================================
Enter your choice(0-4):
9. Select option 2 or 3 to upgrade a system software image. For example, enter 2 to upgrade the main system software image.
Please Start To Transfer File, Press <Ctrl+C> To Exit.
Waiting ...CCCCC
10. Select Transfer > Send File in the HyperTerminal window.
Figure 6 Transfer menu
11. In the dialog box that appears, click Browse to select the source file, and select Xmodem from the Protocol list.
Figure 7 File transmission dialog box
12. Click Send. The following dialog box appears:
Figure 8 File transfer progress
13. When the Serial submenu appears after the file transfer is complete, enter 0 at the prompt to return to the BootWare menu.
Download successfully!
37691392 bytes downloaded!
Input the File Name:main.bin
Updating File flash:/main.bin..............................................
.....................................................Done!
===========================<Enter Serial SubMenu>===========================
|Note:the operating device is flash |
|<1> Download Image Program To SDRAM And Run |
|<2> Update Main Image File |
|<3> Update Backup Image File |
|<4> Download Files(*.*) |
|<5> Modify Serial Interface Parameter |
|<0> Exit To Main Menu |
============================================================================
Enter your choice(0-4):
14. Enter 1 in the BootWare menu to boot the system.
15. If you are using a download rate other than 9600 bps, change the baud rate of the terminal to 9600 bps. If the baud rate has been set to 9600 bps, skip this step.
Managing files from the BootWare menu
To change the type of a system software image, retrieve files, or delete files, enter 4 in the BootWare menu.
The File Control submenu appears:
==============================<File CONTROL>==============================
|Note:the operating device is cfa0 |
|<1> Display All File(s) |
|<2> Set Image File type |
|<3> Set Bin File type |
|<4> Set Configuration File type |
|<5> Delete File |
|<6> Copy File |
|<0> Exit To Main Menu |
==========================================================================
Enter your choice(0-6):
Table 24 File Control submenu options
Item Description
<1> Display All File(s) Display all files.
<2> Set Image File type Change the type of a system software image (.ipe).
<3> Set Bin File type Change the type of a system software image (.bin).
<4> Set Configuration File type Change the type of a configuration file.
<5> Delete File Delete files.
<6> Copy File Copy a file.
<0> Exit To Main Menu Return to the BootWare menu.
Displaying all files
To display all files, enter 1 in the File Control submenu:
Display all file(s) in flash:
'M' = MAIN 'B' = BACKUP 'N/A' = NOT ASSIGNED
============================================================================
|NO. Size(B) Time Type Name |
|1 37691392 Aug/16/2012 07:09:16 N/A flash:/msr2000.ipe |
|2 25992 Aug/15/2012 12:18:00 N/A flash:/startup.mdb |
|3 1632 Aug/15/2012 12:18:00 M flash:/startup.cfg |
|4 84 Aug/15/2012 12:17:59 N/A flash:/ifindex.dat |
|5 11029 Aug/15/2012 13:31:16 N/A flash:/logfile/logfile1.log |
|6 17 Aug/16/2012 07:47:24 N/A flash:/.pathfile |
|7 1006592 Aug/16/2012 07:44:16 M flash:/msr2000-cmw710-data-a0005.bin|
|8 815 Aug/15/2012 12:03:14 N/A flash:/license/DeviceID.did |
|9 1180672 Aug/16/2012 07:44:15 M flash:/msr2000-cmw710-voice-a0005.bin|
|10 10240 Aug/16/2012 07:44:15 M flash:/msr2000-cmw710-security-a0005.bin|
|11 24067072 Aug/16/2012 07:44:10 M flash:/msr2000-cmw710-system-a0005.bin|
|12 11418624 Aug/16/2012 07:44:05 M flash:/msr2000-cmw710-boot-a0005.bin|
============================================================================
Changing the type of a system software image
System software image file attributes include main (M) and backup (B). You can store only one main image and one backup image on the router. A system software image can have any combination of the M and B attributes. If the file attribute you are assigning has already been assigned to another image, the assignment removes the attribute from that image. That image is marked as N/A if it had only that attribute.
To change the type of a system software image:
1. Enter 2 in the File Control submenu.
'M' = MAIN 'B' = BACKUP 'N/A' = NOT ASSIGNED
============================================================================
|NO. Size(B) Time Type Name |
|1 37691392 Aug/16/2012 07:09:16 N/A flash:/msr2000.ipe |
|0 Exit |
============================================================================
Enter file No:1
2. Enter the number of the file you are working with, and press Enter.
Modify the file attribute:
==========================================================================
|<1> +Main |
|<2> +Backup |
|<0> Exit |
==========================================================================
Enter your choice(0-2):
3. Enter a number in the range of 1 to 4 to add or delete a file attribute for the file.
Set the file attribute success!
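The listing printed by the Display All File(s) option and the attribute rules just described (one main image, one backup image, an attribute moving away from whichever image held it before) are easy to get wrong when preparing an upgrade over a console session. The following is an added example, not code from the release notes or from HPE: it parses a listing in the page's format into records and models the +Main/+Backup assignment as the text defines it, so you can check the resulting state before rebooting. The listing is constructed for the example (msr2000-old.ipe is invented), only .ipe bundles are modelled because those are what the Set Image File type option lists, and a combined type token such as MB is an assumption about how the listing would print both attributes.

```python
import re
from dataclasses import dataclass, field

# One row of the BootWare "Display all file(s)" listing, e.g.
# |7 1006592 Aug/16/2012 07:44:16 M flash:/msr2000-cmw710-data-a0005.bin|
# The Type column is 'M', 'B', 'N/A' or, assumed here, a combination such as 'MB'.
ROW_RE = re.compile(
    r"^\|\s*(?P<no>\d+)\s+(?P<size>\d+)\s+(?P<time>\S+\s+\S+)\s+"
    r"(?P<type>N/A|[MB]+)\s+(?P<name>\S+?)\s*\|$"
)


@dataclass
class BootFile:
    no: int
    size: int
    time: str
    name: str
    attrs: set = field(default_factory=set)   # subset of {"M", "B"}; empty means N/A


def parse_listing(text):
    """Parse the listing into BootFile records; legend, header and rule lines are skipped."""
    files = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        attrs = set() if m["type"] == "N/A" else set(m["type"])
        files.append(BootFile(int(m["no"]), int(m["size"]), m["time"], m["name"], attrs))
    return files


def type_label(f):
    """Render the attribute set the way the listing prints it."""
    return "".join(a for a in "MB" if a in f.attrs) or "N/A"


def select_images(files):
    """The 'Set Image File type' option offers only .ipe image bundles, so model those."""
    return [f for f in files if f.name.lower().endswith(".ipe")]


def set_attribute(images, file_no, attr):
    """Model of '+Main' / '+Backup' as the page describes it: the attribute moves to the
    chosen image, and whichever image held it before loses it (becoming N/A if that was
    its only attribute). Returns the new type label of the chosen image."""
    if attr not in ("M", "B"):
        raise ValueError("attr must be 'M' or 'B'")
    target = next((f for f in images if f.no == file_no), None)
    if target is None:
        raise KeyError(f"no file numbered {file_no}")
    for f in images:
        if f is not target:
            f.attrs.discard(attr)
    target.attrs.add(attr)
    return type_label(target)


def check_invariants(images):
    """Return problems: more than one main image or more than one backup image."""
    problems = []
    for attr, label in (("M", "main"), ("B", "backup")):
        holders = [f.name for f in images if attr in f.attrs]
        if len(holders) > 1:
            problems.append(f"more than one {label} image: {holders}")
    return problems


# Constructed listing in the page's format (msr2000-old.ipe is invented for the example).
LISTING = """\
Display all file(s) in flash:
'M' = MAIN 'B' = BACKUP 'N/A' = NOT ASSIGNED
============================================================================
|NO. Size(B) Time Type Name |
|1 37691392 Aug/16/2012 07:09:16 N/A flash:/msr2000.ipe |
|2 37680128 Jul/02/2012 10:00:00 M flash:/msr2000-old.ipe |
|3 1632 Aug/15/2012 12:18:00 M flash:/startup.cfg |
|4 84 Aug/15/2012 12:17:59 N/A flash:/ifindex.dat |
|5 11418624 Aug/16/2012 07:44:05 M flash:/msr2000-cmw710-boot-a0005.bin|
============================================================================
"""

if __name__ == "__main__":
    images = select_images(parse_listing(LISTING))
    print(set_attribute(images, 1, "M"))   # the new bundle becomes M; the old one drops to N/A
    print([(f.name, type_label(f)) for f in images], check_invariants(images))
```

Run the script against a listing pasted from your own console capture; an empty result from check_invariants means the listing matches the one-main, one-backup rule before you reboot.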
Deleting files
When storage space is insufficient, you can delete obsolete files to free up storage space.
To delete files:
1. Enter 5 in the File Control submenu.
Deleting the file in flash:
'M' = MAIN 'B' = BACKUP 'N/A' = NOT ASSIGNED
============================================================================
|NO. Size(B) Time Type Name |
|1 37691392 Aug/16/2012 07:09:16 N/A flash:/msr2000.ipe |
|2 25992 Aug/15/2012 12:18:00 N/A flash:/startup.mdb |
|3 1632 Aug/15/2012 12:18:00 M flash:/startup.cfg |
|4 84 Aug/15/2012 12:17:59 N/A flash:/ifindex.dat |
|5 11029 Aug/15/2012 13:31:16 N/A flash:/logfile/logfile1.log |
|6 17 Aug/16/2012 07:47:24 N/A flash:/.pathfile |
|7 1006592 Aug/16/2012 07:44:16 M flash:/msr2000-cmw710-data-a0005.bin|
|8 815 Aug/15/2012 12:03:14 N/A flash:/license/DeviceID.did |
|9 1180672 Aug/16/2012 07:44:15 M flash:/msr2000-cmw710-voice-a0005.bin|
|10 10240 Aug/16/2012 07:44:15 M flash:/msr2000-cmw710-security-a0005.bin|
|11 24067072 Aug/16/2012 07:44:10 M flash:/msr2000-cmw710-system-a0005.bin|
|12 11418624 Aug/16/2012 07:44:05 M flash:/msr2000-cmw710-boot-a0005.bin|
0 Exit
Enter file No.:
2. Enter the number of the file to delete.
3. When the following prompt appears, enter Y.
The file you selected is flash:/msr2000-cmw710-security-a0005.bin,Delete it?
[Y/N]Y
Deleting...Done.
Handling software upgrade failures
If a software upgrade fails, the system runs the old software version. To handle a software upgrade failure:
1. Check the physical ports for a loose or incorrect connection.
2. If you are using the console port for file transfer, check the HyperTerminal settings (including the baud rate and data bits) for any wrong setting.
3. Check the file transfer settings:
If XMODEM is used, you must set the same baud rate for the terminal as for the console port.
If TFTP is used, you must enter the same server IP address, file name, and working directory as set on the TFTP server.
If FTP is used, you must enter the same FTP server IP address, source file name, working directory, and FTP username and password as set on the FTP server.
4. Check the FTP or TFTP server for any incorrect setting.
5. Check that the storage device has sufficient space for the upgrade file.
6. If the message “Something is wrong with the file” appears, check the file for file corruption.
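Items 5 and 6 of that list, and the "bytes downloaded!" and "Saving file ... Done." lines in the Ethernet upgrade transcript earlier in this appendix, give enough to judge a capture mechanically before booting the new image. The following is an added example, not code from the release notes or from HPE: it checks a captured transcript for a byte count that matches the image you served, for every save reaching Done., for the boot and system components that the boot transcript loads first, and for the corruption message, and it compares the image file against a published digest before you put it on the FTP/TFTP server. The component name is derived from the file naming convention visible in the page's transcript (msr2000-cmw710-<component>-a0005.bin), which is an assumption; the failing transcript, the digest and the sample image bytes are constructed.

```python
import hashlib
import re

# Patterns for the transcript that the Ethernet/serial submenus print while downloading
# and saving an image. Paths are assumed to end in .bin or .ipe as in the page's output.
DOWNLOADED_RE = re.compile(r"(?P<bytes>\d+) bytes downloaded!")
SAVE_STARTED_RE = re.compile(r"Saving file (?P<path>\S+?\.(?:bin|ipe))\b")
SAVE_DONE_RE = re.compile(r"Saving file (?P<path>\S+?\.(?:bin|ipe))\b[\s.]*?Done\.")
COMPONENT_RE = re.compile(r"-cmw710-(?P<comp>[a-z]+)-")   # naming convention, assumed
CORRUPT_MSG = "Something is wrong with the file"           # message quoted in the list above


def component_of(path):
    m = COMPONENT_RE.search(path)
    return m["comp"] if m else None


def check_upgrade_transcript(text, expected_size, required=("boot", "system")):
    """Judge a captured download transcript before rebooting into the new image."""
    sizes = [int(m["bytes"]) for m in DOWNLOADED_RE.finditer(text)]
    attempted = [m["path"] for m in SAVE_STARTED_RE.finditer(text)]
    completed = [m["path"] for m in SAVE_DONE_RE.finditer(text)]   # only saves that reached Done.
    incomplete = [p for p in attempted if p not in completed]
    saved = {component_of(p) for p in completed}
    missing = [c for c in required if c not in saved]
    size_ok = bool(sizes) and sizes[-1] == expected_size
    corrupt = CORRUPT_MSG in text
    return {
        "downloaded_bytes": sizes[-1] if sizes else None,
        "size_ok": size_ok,
        "saved": completed,
        "incomplete": incomplete,
        "missing_components": missing,
        "corrupt": corrupt,
        "ok": size_ok and not incomplete and not missing and not corrupt,
    }


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_image(data, published_sha256):
    """Compare the image you are about to serve with the digest published for it
    (the real value comes from the vendor download page; none appears in these notes)."""
    return sha256_hex(data) == published_sha256.strip().lower()


# Lines taken from the Ethernet upgrade transcript shown earlier in this appendix.
GOOD_TRANSCRIPT = """\
37691392 bytes downloaded!
The file is exist,will you overwrite it? [Y/N]Y
Image file msr2000-cmw710-boot-a0005.bin is self-decompressing...
Saving file flash:/msr2000-cmw710-boot-a0005.bin .............................
......Done.
Image file msr2000-cmw710-system-a0005.bin is self-decompressing...
Saving file flash:/msr2000-cmw710-system-a0005.bin ...........................
.........................................Done.
Image file msr2000-cmw710-security-a0005.bin is self-decompressing...
Saving file flash:/msr2000-cmw710-security-a0005.bin Done.
"""

# Constructed failure: short download, interrupted save, corruption message.
BAD_TRANSCRIPT = """\
37690000 bytes downloaded!
Image file msr2000-cmw710-boot-a0005.bin is self-decompressing...
Saving file flash:/msr2000-cmw710-boot-a0005.bin ......Done.
Image file msr2000-cmw710-system-a0005.bin is self-decompressing...
Saving file flash:/msr2000-cmw710-system-a0005.bin ......
Something is wrong with the file
"""

SAMPLE_IMAGE = b"constructed stand-in for msr2000.ipe"   # not a real image

if __name__ == "__main__":
    print(check_upgrade_transcript(GOOD_TRANSCRIPT, 37691392)["ok"])   # True
    print(check_upgrade_transcript(BAD_TRANSCRIPT, 37691392))
```

Feed the function the size of the file as it sits on your FTP/TFTP server; a mismatch against "bytes downloaded!" points at item 4 or 5 of the list above, an incomplete save points at the connection or the storage device, and the corruption flag at item 6.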
Appendix C Handling console login password loss
Disabling password recovery capability
Password recovery capability controls console user access to the device configuration and SDRAM from BootWare menus.
If password recovery capability is enabled, a console user can access the device configuration without authentication to configure new passwords.
If password recovery capability is disabled, console users must restore the factory-default configuration before they can configure new passwords. Restoring the factory-default configuration deletes the next-startup configuration files.
To enhance system security, disable password recovery capability.
Table 25 summarizes options whose availability varies with the password recovery capability setting.
Table 25 BootWare options and password recovery capability compatibility matrix
BootWare menu option | Password recovery enabled | Password recovery disabled | Tasks that can be performed
Download Image Program To SDRAM And Run | Yes | No | Load and run Comware software images in SDRAM.
Skip Authentication for Console Login | Yes | No | Enable console login without authentication.
Skip Current System Configuration | Yes | No | Load the factory-default configuration without deleting the next-startup configuration files.
Restore to Factory Default Configuration | No | Yes | Delete the next-startup configuration files and load the factory-default configuration.
To disable password recovery capability:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Disable password recovery capability. | undo password-recovery enable | By default, password recovery capability is enabled.
When password recovery capability is disabled, you cannot downgrade the device software to a version that does not support the capability through the BootWare menus. You can do so at the CLI, but the BootWare menu password configured becomes effective again.
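Because password recovery capability is enabled by default, the hardened state is only visible in a configuration that contains the undo command, and Table 25 shows why the console line's own authentication setting matters just as much. The following is an added example, not code from the release notes or from HPE: a small audit that reads a saved configuration and reports whether password recovery is still at its default and whether the console line (line aux 0 on MSR2000/MSR3000, line console 0 on MSR4000) authenticates logins. It assumes the Comware configuration layout (view headers unindented, commands indented one space, # between blocks) and that undo password-recovery enable appears as a system-level line; both configuration texts are constructed for the example, the cipher value included.

```python
# Audit of the two console-related settings from Appendix C on a saved configuration.
# Assumptions: Comware layout (views as unindented headers, commands indented one space,
# '#' between blocks) and 'undo password-recovery enable' stored as a system-level line.

def parse_config(config):
    """Split a Comware-style configuration into system-level commands and per-view commands."""
    system_cmds, views, current = [], {}, None
    for raw in config.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "#":
            current = None          # '#' closes the current view
            continue
        if raw.startswith(" "):
            (views[current] if current is not None else system_cmds).append(stripped)
        else:
            current = stripped      # a view header such as 'line aux 0'
            views.setdefault(current, [])
    return system_cmds, views


def audit_console_hardening(config, console_view="line aux 0"):
    """Return a list of findings; an empty list means both settings are as Appendix C advises."""
    system_cmds, views = parse_config(config)
    findings = []
    if "undo password-recovery enable" not in system_cmds:
        findings.append("password recovery capability is at its default (enabled): "
                        "add 'undo password-recovery enable' in system view")
    cmds = views.get(console_view)
    if cmds is None:
        findings.append(f"'{console_view}' view not found: console authentication is not configured")
        return findings
    modes = [c.split(maxsplit=1)[1] for c in cmds if c.startswith("authentication-mode ")]
    mode = modes[-1] if modes else None
    if mode is None:
        findings.append(f"'{console_view}' sets no authentication-mode explicitly: review it")
    elif mode == "none":
        findings.append(f"'{console_view}' allows console login without authentication")
    elif mode == "password" and not any(c.startswith("set authentication password ") for c in cmds):
        findings.append(f"'{console_view}' uses password mode but sets no password")
    return findings


# Constructed configurations, not captured from a device.
WEAK_CONFIG = """\
#
 sysname HPE
#
line aux 0
 authentication-mode none
 user-role network-admin
#
"""

HARDENED_CONFIG = """\
#
 sysname HPE
#
 undo password-recovery enable
#
line aux 0
 authentication-mode password
 set authentication password cipher $c$3$CONSTRUCTED-PLACEHOLDER
 user-role network-admin
#
"""

if __name__ == "__main__":
    for finding in audit_console_hardening(WEAK_CONFIG):
        print("WEAK:", finding)
    print("HARDENED:", audit_console_hardening(HARDENED_CONFIG) or "no findings")
```

Pass console_view="line console 0" for an MSR4000, where the console port is separate; the audit reads a saved startup.cfg, so run it after the save step that closes each recovery procedure below.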
Handling console login password loss
CAUTION:
Handling console login password loss causes service outage.
The method for handling console login password loss depends on the password recovery capability setting (see Figure 9).
Figure 9 Handling console login password loss (flowchart: console login password lost; reboot the router to access the EXTENDED-BOOTWARE menu; if password recovery capability is enabled, use Skip Current System Configuration or Skip Authentication for Console Login, otherwise use Restore to Factory Default Configuration; reboot the router; configure new passwords in system view; save the running configuration)
Examining the password recovery capability setting
1. Reboot the router.
System is starting...
Press Ctrl+D to access BASIC-BOOTWARE MENU...
Press Ctrl+T to start heavy memory test
Booting Normal Extended BootWare........
The Extended BootWare is self-decompressing....Done.
****************************************************************************
* *
* HPE MSR3000 BootWare, Version 1.20 *
* *
****************************************************************************
Copyright (c) 2010-2013 Hewlett-Packard Development Company, L.P.
Compiled Date : May 13 2013
CPU ID : 0x2
Memory Type : DDR3 SDRAM
Memory Size : 2048MB
BootWare Size : 1024KB
Flash Size : 8MB
cfa0 Size : 247MB
CPLD Version : 2.0
PCB Version : 2.0
BootWare Validating...
Press Ctrl+B to access EXTENDED-BOOTWARE MENU...
2. Press Ctrl + B within three seconds after the "Press Ctrl+B to access EXTENDED-BOOTWARE MENU..." prompt message appears.
3. Read the password recovery capability setting information displayed before the EXTEND-BOOTWARE menu.
Password recovery capability is enabled.
Note: The current operating device is cfa0
Enter < Storage Device Operation > to select device.
===========================<EXTEND-BOOTWARE MENU>===========================
|<1> Boot System |
|<2> Enter Serial SubMenu |
|<3> Enter Ethernet SubMenu |
|<4> File Control |
|<5> Restore to Factory Default Configuration |
|<6> Skip Current System Configuration |
|<7> BootWare Operation Menu |
|<8> Skip Authentication for Console Login |
|<9> Storage Device Operation |
|<0> Reboot |
============================================================================
Ctrl+Z: Access EXTEND ASSISTANT MENU
Ctrl+F: Format File System
Enter your choice(0-9):
Using the Skip Current System Configuration option
1. Reboot the router to access the EXTEND-BOOTWARE menu, and then enter 6.
The current mode is password recovery.
Note: The current operating device is cfa0
Enter < Storage Device Operation > to select device.
===========================<EXTEND-BOOTWARE MENU>===========================
|<1> Boot System |
|<2> Enter Serial SubMenu |
|<3> Enter Ethernet SubMenu |
|<4> File Control |
|<5> Restore to Factory Default Configuration |
|<6> Skip Current System Configuration |
|<7> BootWare Operation Menu |
|<8> Skip Authentication for Console Login |
|<9> Storage Device Operation |
|<0> Reboot |
============================================================================
Ctrl+Z: Access EXTEND ASSISTANT MENU
Ctrl+F: Format File System
Enter your choice(0-9): 6
After the configuration skipping flag is set successfully, the following message appears:
Flag Set Success.
2. When the EXTEND-BOOTWARE menu appears again, enter 1 to reboot the router.
The router starts up with the factory-default configuration without deleting the next-startup configuration files.
3. To use the configuration in a next-startup configuration file, load the file in system view.
<HPE> system-view
[HPE] configuration replace file cfa0:/startup.cfg
Current configuration will be lost, save current configuration? [Y/N]:n
Info: Now replacing the current configuration. Please wait...
Info: Succeeded in replacing current configuration with the file startup.cfg.
4. Configure a new console login authentication mode and a new console login password. In the following example, the console login authentication mode is password and the authentication password is 123456. For security purposes, the password is always saved in ciphertext, whether you specify the simple or cipher keyword for the set authentication password command.
<HPE> system-view
[HPE] line aux 0
[HPE-line-aux0] authentication-mode password
[HPE-line-aux0] set authentication password simple 123456
Use the line aux 0 command on MSR2000 and MSR3000 routers. On these routers, the console port and the AUX port are the same physical port.
Use the line console 0 command on MSR4000 routers. An MSR4000 router has a separate console port.
5. To make the settings take effect after a reboot, save the running configuration to the next-startup configuration file.
[HPE-line-aux0] save
Using the Skip Authentication for Console Login option
1. Reboot the router to access the EXTEND-BOOTWARE menu, and then enter 8.
The current mode is password recovery.
Note: The current operating device is cfa0
Enter < Storage Device Operation > to select device.
===========================<EXTEND-BOOTWARE MENU>===========================
|<1> Boot System |
|<2> Enter Serial SubMenu |
|<3> Enter Ethernet SubMenu |
|<4> File Control |
|<5> Restore to Factory Default Configuration |
|<6> Skip Current System Configuration |
|<7> BootWare Operation Menu |
|<8> Skip Authentication for Console Login |
|<9> Storage Device Operation |
|<0> Reboot |
============================================================================
Ctrl+Z: Access EXTEND ASSISTANT MENU
Ctrl+F: Format File System
Enter your choice(0-9): 8
The router deletes the console login authentication configuration commands from the main next-startup configuration file. After the operation is completed, the following message appears:
Clear Image Password Success!
2. When the EXTEND-BOOTWARE menu appears again, enter 1 to reboot the router.
The router starts up with the main next-startup configuration file.
3. Configure a console login authentication mode and a new console login password. See step 4, "Configure a new console login authentication mode and a new console login password," in "Using the Skip Current System Configuration option."
4. To make the setting take effect after a reboot, save the running configuration to the next-startup configuration file.
[HPE-line-aux0] save
Using the Restore to Factory Default Configuration option
CAUTION:
Using the Restore to Factory Default Configuration option deletes both the main and backup next-startup configuration files.
1. Reboot the router to access the EXTEND-BOOTWARE menu, and enter 5.
The current mode is no password recovery.
Note: The current operating device is cfa0
Enter < Storage Device Operation > to select device.
===========================<EXTEND-BOOTWARE MENU>===========================
|<1> Boot System |
|<2> Enter Serial SubMenu |
|<3> Enter Ethernet SubMenu |
|<4> File Control |
|<5> Restore to Factory Default Configuration |
|<6> Skip Current System Configuration |
|<7> BootWare Operation Menu |
|<8> Skip Authentication for Console Login |
|<9> Storage Device Operation |
|<0> Reboot |
============================================================================
Ctrl+Z: Access EXTEND ASSISTANT MENU
Ctrl+F: Format File System
Enter your choice(0-9): 5
2. At the prompt for confirmation, enter Y.
The router deletes its main and backup next-startup configuration files and restores the factory-default configuration.
The current mode is no password recovery. The configuration files will be
deleted, and the system will start up with factory defaults, Are you sure to
continue?[Y/N]Y
Setting...Done.
3. When the EXTEND-BOOTWARE menu appears again, enter 1 to reboot the router.
The router starts up with the factory-default configuration.
4. Configure a new console login authentication mode and a new console login password. See step 4, "Configure a new console login authentication mode and a new console login password," in "Using the Skip Current System Configuration option."
5. To make the settings take effect after a reboot, save the running configuration to the next-startup configuration file.
[HPE] save
HPE MSR1000_MSR2000_MSR3000_MSR4000-CMW710-R0306P81
Software Feature Changes
Contents
Release 0306P81 ··········································································· 13
Release 0306P80 ··········································································· 13
Release 0306P70 ··········································································· 13
Release 0306P52 ··········································································· 13
New feature: MAC address recording in TCP packets ···························· 14
Configuring MAC address recording in TCP packets ········································································· 14 Command reference ··················································································································· 14
New command: tcp mac-record enable ···················································································· 14 New command: tcp mac-record local ······················································································ 15
New feature: Configuring the leased line service for an ISDN BRI interface 16
Configuring the leased line service for an ISDN BRI interface ····························································· 16 Command reference ··················································································································· 16
New command: isdn leased-line ····························································································· 16
New feature: LLDP PVID inconsistency check ······································ 17
Disabling LLDP PVID inconsistency check ······················································································ 17 Command reference ··················································································································· 18
lldp ignore-pvid-inconsistency ································································································ 18
Modified feature: High encryption ······················································ 18
Feature change description ··································································································· 18
Modified feature: OSPF ··································································· 19
Feature change description ·········································································································· 19 Command reference ··················································································································· 19
Modified command: OSPF ···································································································· 19
Modified feature: Policy-based routing ················································ 19
Feature change description ·········································································································· 19 Command reference ··················································································································· 19
New command: apply remark-vpn ·························································································· 19
Modified feature: MIB objects ···························································· 20
Feature change description ·········································································································· 20
Modified feature: Setting ISP domain status ········································· 21
Feature change description ·········································································································· 21 Command changes ···················································································································· 21
Modified command: state ······································································································ 21 New command: state block time-range name ··········································································· 21
Modified feature: Excluding an attribute from portal protocol packets ········· 22
Excluding an attribute from portal protocol packets ··········································································· 22 Command reference ··················································································································· 23
New command: exclude-attribute ··························································································· 23 Modified command: display portal server ················································································· 24
Modified feature: NTP ····································································· 25
Feature change description ·········································································································· 25 Command changes ···················································································································· 25
Modified command: ntp-service authentication-keyid ·································································· 25 Modified command: sntp authentication-keyid ··········································································· 25
ii
Modified feature: Transceiver modules················································ 26
Feature change description ·········································································································· 26
Modified feature: E1POS ································································· 26
Feature change description ·········································································································· 26
Release 0306P30 ··········································································· 26
New feature: SIP compatibility ·························································· 26
Configuring SIP compatibility ········································································································ 26 Command reference ··················································································································· 27
sip-compatible ···················································································································· 27
Modified feature: OSPF performance optimization ································· 28
Feature change description ····· 28
Command changes ····· 28
Modified command: spf-schedule-interval ····· 28
Modified command: transmit-pacing ····· 29
Modified feature: Telnet redirect ························································ 29
Feature change description ·········································································································· 29
Modified feature: POS terminal access ··············································· 29
Feature change description ····· 29
Command changes ····· 29
Modified command: posa auto-stop-service enable ···································································· 29
Modified feature: License ································································· 30
Feature change description ·········································································································· 30
Modified feature: IP performance optimization ······································ 30
Feature change description ····· 30
Command changes ····· 30
New command: tcp mac-record enable ····· 30
New command: tcp mac-record local ····· 31
Release 0306P12 ··········································································· 32
Modified feature: Configuring an SSH user ·········································· 32
Feature change description ·········································································································· 32
Modified feature: AAA ····································································· 32
Feature change description ····· 32
Command changes ····· 32
New command: authorization ike ···························································································· 32
Modified feature: Configuring a cellular interface for a 3G/4G modem ········ 33
Feature change description ····· 33
Command changes ····· 34
New command: rssi ············································································································· 34
Modified feature: VXLAN ································································· 35
Feature change description ····· 35
Command changes ····· 35
Modified feature: DHCP ··································································· 35
Feature change description ····· 35
Command changes ····· 35
New command: dhcp server reply-exclude-option60 ·································································· 35
Release 0306P11 ··········································································· 36
New feature: Voice VLAN ································································ 36
Configuring a voice VLAN ····· 36
Configuring a port to operate in automatic voice VLAN assignment mode ····· 36
Configuring a port to operate in manual voice VLAN assignment mode ····· 37
Enabling LLDP for automatic IP phone discovery ····· 38
Configuring LLDP to advertise a voice VLAN ····· 39
Configuring CDP to advertise a voice VLAN ····· 39
Displaying and maintaining voice VLANs ····· 39
Command reference ··················································································································· 40
Modified feature: MPLS QoS support for matching the EXP field ·············· 40
Matching the EXP field in the second MPLS label ····· 40
Command reference ····· 40
New command: if-match second-mpls-exp ··············································································· 40
Modified feature: MPLS QoS support for marking the EXP field ················ 41
Marking the EXP field in the second MPLS label ····· 41
Command reference ····· 41
New command: remark second-mpls-exp ················································································ 41
Modified feature: Automatic configuration ············································ 42
Feature change description ·········································································································· 42
Removed feature: Tinyproxy ····························································· 42
Feature change description ····· 42
Removed command ····· 42
http-proxy ·························································································································· 42
Release 0306P07 ··········································································· 43
New feature: L2TP-based EAD ························································· 43
Enabling L2TP-based EAD ····· 43
Command reference ····· 44
ppp access-control enable ····· 44
display ppp access-control interface ····· 44
New feature: CFD configuration························································· 45
Configuring CFD configuration ····· 45
Command reference ····· 46
Modified feature: Support using dots in user profile name ······················· 46
Feature change description ····· 46
Command changes ····· 47
Modified command: user-profile ····························································································· 47
Modified feature: Default size of the TCP receive and send buffer ············ 47
Feature change description ····· 47
Command changes ····· 47
Modified command: tcp window ····························································································· 47
Modified feature: Support for obtaining fan tray and power module vendor information through MIB ·································································· 48
Feature change description ····· 48
Command changes ····· 48
Modified feature: Supporting per-packet load sharing ····························· 48
Feature change description ····· 48
Command changes ····· 48
Modified command: ip load-sharing mode ················································································ 48
Modified feature: Automatic configuration ············································ 49
Feature change description ····· 49
Command changes ····· 49
Modified feature: Software image signature ········································· 49
Feature change description ····· 49
Command changes ····· 50
Modified command: display install active ····· 50
Modified command: display install backup ····· 50
Modified command: display install committed ····· 51
Modified command: display install inactive ····· 51
Modified command: display install ipe-info ····· 52
Modified command: display install package ····· 52
Modified command: display install which ····· 53
Release 0305P08 ··········································································· 53
New feature: mGRE ········································································ 54
Overview ····· 54
mGRE operation scheme ····· 54
mGRE operation procedure ····· 54
mGRE support for NAT traversal ····· 57
mGRE configuration task list ····· 57
Configuring an mGRE tunnel ····· 57
Configuring routing ····· 58
Configuring IPsec for an mGRE tunnel ····· 59
Displaying and maintaining mGRE ····· 59
Command reference ····· 60
New command: display mgre session ····· 60
New command: display nhrp map ····· 63
New command: display nhrp statistics ····· 65
New command: nhrp authentication ····· 67
New command: nhrp holdtime ····· 68
New command: nhrp network-id ····· 69
New command: nhrp nhs ····· 69
New command: reset mgre session ····· 70
New command: reset mgre statistics ····· 71
New command: reset nhrp statistics ····· 71
New feature: Disabling transceiver module alarm ·································· 72
Configuring Disabling transceiver module alarm ····· 72
Command reference ····· 72
New command: transceiver phony-alarm-disable ······································································· 72
Modified feature: Default user role ····················································· 73
Feature change description ····· 73
Command changes ····· 73
Modified command: role default-role enable ············································································· 73
Modified feature: Debugging ····························································· 74
Feature change description ····· 74
Command changes ····· 74
Modified command: debugging ······························································································ 74
Release 0305P04 ··········································································· 74
New feature: Public key management support for Suite B ······················· 75
Configuring Suite B in public key management ····· 75
Command reference ····· 75
Modified command: public-key local create ·············································································· 75
New feature: PKI support for Suite B ·················································· 76
Configuring Suite B in PKI ····· 76
Command reference ····· 76
Modified command: public-key ecdsa ······················································································ 76
New feature: IPsec support for Suite B ················································ 77
Overview ····· 77
IKEv2 negotiation process ····· 77
New features in IKEv2 ····· 78
Protocols and standards ····· 79
IKEv2 configuration task list ····· 79
Configuring an IKEv2 profile ····· 80
Configuring an IKEv2 policy ····· 83
Configuring an IKEv2 proposal ····· 84
Configuring an IKEv2 keychain ····· 85
Configure global IKEv2 parameters ····· 86
Enabling the cookie challenging feature ····· 86
Configuring the IKEv2 DPD feature ····· 86
Configuring the IKEv2 NAT keepalive feature ····· 87
Configuring IKEv2 address pools ····· 87
Displaying and maintaining IKEv2 ····· 88
Command reference ····· 88
New command: aaa authorization ····· 88
New command: address ····· 89
New command: authentication-method ····· 90
New command: certificate domain ····· 92
New command: config-exchange ····· 93
New command: description ····· 94
New command: display ike statistics ····· 95
New command: display ikev2 policy ····· 96
New command: display ikev2 profile ····· 97
New command: display ikev2 proposal ····· 99
New command: display ikev2 sa ····· 100
New command: display ikev2 statistics ····· 104
New command: dh ····· 105
New command: dpd ····· 106
New command: encryption ····· 107
New command: hostname ····· 108
New command: identity ····· 109
New command: identity local ····· 110
New command: ikev2 address-group ····· 111
New command: ikev2 cookie-challenge ····· 112
New command: ikev2 dpd ····· 113
New command: ikev2 ipv6-address-group ····· 114
New command: ikev2 keychain ····· 115
New command: ikev2 nat-keepalive ····· 116
New command: ikev2 policy ····· 117
New command: ikev2 profile ····· 118
New command: ikev2 proposal ····· 118
New command: inside-vrf ····· 120
New command: integrity ····· 121
New command: keychain ····· 122
New command: match local (IKEv2 profile view) ····· 123
New command: match local address (IKEv2 policy view) ····· 124
New command: match remote ····· 125
New command: match vrf (IKEv2 policy view) ····· 126
New command: match vrf (IKEv2 profile view) ····· 127
New command: nat-keepalive ····· 128
New command: peer ····· 129
New command: pre-shared-key ····· 130
New command: prf ····· 132
New command: priority (IKEv2 policy view) ····· 133
New command: priority (IKEv2 profile view) ····· 133
New command: proposal ····· 134
New command: reset ikev2 sa ····· 135
New command: reset ikev2 statistics ····· 136
New command: sa duration ····· 137
New command: esn enable ····· 137
New command: ikev2-profile ····· 138
New command: tfc enable ····· 139
Modified command: ah authentication-algorithm ····· 140
Modified command: display ipsec { ipv6-policy | policy } ····· 141
Modified command: display ipsec { ipv6-policy-template | policy-template } ····· 141
Modified command: display ipsec sa ····· 141
Modified command: display ipsec transform-set ····· 142
Modified command: display ipsec tunnel ····· 142
Modified command: esp authentication-algorithm ····· 142
Modified command: esp encryption-algorithm ····· 143
Modified command: pfs ····· 145
Modified command: pre-shared-key ····· 145
Modified command: authentication-algorithm ····· 146
New feature: SSL support for Suite B ··············································· 147
Configuring Suite B in SSL ····· 147
Command reference ····· 147
New command: display crypto version ····· 147
New command: ssl version disable ····· 148
New command: ssl renegotiation disable ····· 149
Modified command: version ····· 150
Modified command: ciphersuite ····· 150
Modified command: prefer-cipher ····· 152
New feature: FIPS support for Suite B ····· 154
Configuring Suite B in FIPS ····· 154
Command reference ····· 154
New command: fips rng random size filename ····· 154
New command: fips rng random size round rate-statistics ····· 155
New command: fips rng entropy size filename ····· 155
New command: fips rng entropy size round rate-statistics ····· 156
New command: fips kdf ····· 157
New command: fips algorithm verify param ····· 157
Modified command: fips self-test ····· 158
New feature: SSH support for Suite B ··············································· 158
Configuring SSH based on Suite B algorithms ····· 158
Specifying a PKI domain for the SSH server ····· 158
Establishing a connection to an Stelnet server based on Suite B ····· 159
Establishing a connection to an SFTP server based on Suite B ····· 160
Establishing a connection to an SCP server based on Suite B ····· 160
Specifying algorithms for SSH2 ····· 161
Command reference ····· 162
New command: display ssh2 algorithm ····· 162
New command: ssh server pki-domain ····· 163
New command: scp ipv6 suite-b ····· 164
New command: scp suite-b ····· 166
New command: sftp ipv6 suite-b ····· 168
New command: sftp suite-b ····· 170
New command: ssh2 ipv6 suite-b ····· 172
New command: ssh2 suite-b ····· 174
New command: ssh2 algorithm cipher ····· 176
New command: ssh2 algorithm key-exchange ····· 177
New command: ssh2 algorithm mac ····· 178
New command: ssh2 algorithm public-key ····· 179
Modified command: display ssh server ····· 180
Modified command: ssh user ····· 181
Modified command: scp ····· 182
Modified command: scp ipv6 ····· 185
Modified command: sftp ····· 188
Modified command: sftp ipv6 ····· 191
Modified command: ssh2 ····· 194
Modified command: ssh2 ipv6 ····· 197
New command: fips kdf ssh ····· 200
New feature: Ignoring the first AS number of EBGP route updates for a peer or peer group ·················································································· 201
Configuring Ignoring the first AS number of EBGP route updates for a peer or peer group ····················· 201 Command reference ················································································································· 201
peer ignore-first-as ············································································································ 201
Modified feature: Support for Ethernet link aggregation on Layer 3 Ethernet subinterfaces ··············································································· 203
Feature change description ········································································································ 203 Command changes ·················································································································· 205
Modified command: lacp mode ···························································································· 205 Modified command: lacp period short ···················································································· 205 Modified command: link-aggregation port-priority ····································································· 205 Modified command: port link-aggregation group ······································································ 205
Modified feature: Changing the maximum number of FIB table entries ····· 206
Feature change description ········································································································ 206 Command changes ·················································································································· 206
Modified feature: Enabling CWMP ··················································· 207
Feature change description ········································································································ 207 Command changes ·················································································································· 207
Modified command: cwmp enable························································································· 207
Release 0305 ·············································································· 207
New feature: IKE ·········································································· 208
Feature change description ········································································································ 208 Command changes ·················································································································· 208
New command: IKEv2 command ·························································································· 208
Modified feature: IPsec ·································································· 208
Feature change description ········································································································ 208 Command changes ·················································································································· 208
Modified command: ah authentication-algorithm ······································································ 208 New command: esn enable ································································································· 209 Modified command: esp authentication-algorithm ···································································· 210 Modified command: esp encryption-algorithm ········································································· 211 Modified command: pfs ······································································································ 212 New command: tfc enable ··································································································· 213 Modified command: public-key local create ············································································ 214 Modified command: public-key ecdsa ···················································································· 214
Release 0304P12 ········································································· 215
New feature: Including vendor information in PPP accounting requests ··· 215
Configuring Including vendor information in PPP accounting requests ················································ 215 Command reference ················································································································· 215
pppoe-server account-vendor ······························································································ 215
viii
New feature: BFD for an aggregation group ······································· 216
Configuring BFD for an aggregation group ···················································································· 216 Configuration restrictions and guidelines ················································································ 217 Configuration procedure ····································································································· 217
Command reference ················································································································· 217 link-aggregation bfd ipv4 ····································································································· 217
Modified feature: SSH username ····················································· 218
Feature change description ········································································································ 218 Command changes ·················································································································· 219
Modified command: ssh user ······························································································· 219
Modified feature: IS-IS hello packet sending interval ···························· 219
Feature change description ········································································································ 219 Command changes ·················································································································· 220
Modified command: isis timer hello ······················································································· 220
Modified feature: MP-group interface numbering ································· 220
Feature change description ········································································································ 220 Command changes ·················································································································· 220
Modified command: interface mp-group ················································································· 220 Modified command: display interface mp-group ······································································· 220 Modified command: ppp mp mp-group ·················································································· 221 Modified command: reset counters interface mp-group ····························································· 221
Release 0304P04 ········································································· 221
New feature: Media Stream Control (MSC) logging ······························ 221
Command reference ················································································································· 222 sip log enable ··················································································································· 222
Modified feature: ESP encryption algorithms ······································ 222
Feature change description ········································································································ 222 Command changes ·················································································································· 223
Modified command: esp encryption-algorithm ········································································· 223
Release 0304P02 ········································································· 223
New feature: IMSI/SN binding authentication ······································ 224
Command reference ················································································································· 224 ppp lcp imsi accept ············································································································ 224 ppp lcp imsi request ··········································································································· 224 ppp lcp imsi string·············································································································· 225 ppp lcp sn accept ·············································································································· 226 ppp lcp sn request ············································································································· 226 ppp lcp sn string ················································································································ 227 ppp user accept-format imsi-sn split ······················································································ 228 ppp user attach-format imsi-sn split······················································································· 229 ppp user replace ··············································································································· 229
New feature: Specifying a band for a 4G modem ································ 230
Command reference ················································································································· 230 lte band ··························································································································· 230
New feature: CFD ········································································ 231
New feature: Using tunnel interfaces as OpenFlow ports ······················ 231
New feature: NETCONF support for ACL filtering ································ 231
Command reference ················································································································· 232 netconf soap http acl ·········································································································· 232
ix
netconf soap https acl ········································································································ 233
New feature: Specifying a backup traffic processing unit ······················· 234
Specifying a backup traffic processing unit ···················································································· 234 Command reference ················································································································· 234
service standby ················································································································· 234
New feature: WAAS ······································································ 234
Configuring WAAS ··················································································································· 234 Command reference ················································································································· 234
New feature: Support for the MKI field in SRTP or SRTCP packets ········· 234
Command reference ················································································································· 235 mki ································································································································· 235
New feature: SIP domain name ······················································· 235
Command reference ················································································································· 236 sip-domain ······················································································································· 236
New feature: E&M logging ······························································ 236
Command reference ················································································································· 236 em log enable ··················································································································· 236
Modified feature: Setting the global link-aggregation load-sharing mode ·· 237
Feature change description ········································································································ 237 Command changes ·················································································································· 237
Modified command: link-aggregation global load-sharing mode ·················································· 237
Release 0304 ·············································································· 238
New feature: Setting the RTC version ··············································· 238
Configuring Setting the RTC version ···························································································· 238 Command reference ················································································································· 239
rta rtc version ··················································································································· 239
New feature: Setting the maximum size of advertisement files ··············· 240
Configuring the maximum size of advertisement files ······································································ 240 Command reference ················································································································· 240
New feature: IRF ·········································································· 240
Configuring IRF ······················································································································· 240 Command reference ················································································································· 240
New feature: Frame Relay ····························································· 240
Configuring Frame Relay ··········································································································· 240 Command reference ················································································································· 240
New feature: EVI ·········································································· 241
Configuring EVI ······················································································································· 241 Command reference ················································································································· 241
New feature: VPLS ······································································· 241
Configuring VPLS ···················································································································· 241 Command reference ················································································································· 241
New feature: Multicast VPN support for inter-AS option B ····················· 241
Configuring Multicast VPN support for inter-AS option B ·································································· 241 Command reference ················································································································· 241
Modified feature: 802.1X redirect URL ·············································· 242
Feature change description ········································································································ 242 Command changes ·················································································································· 242
x
Modified command: dot1x ead-assistant url ············································································ 242
Modified feature: Displaying information about NTP servers from the reference source to the primary NTP server ···················································· 242
Feature change description ········································································································ 242 Command changes ·················································································································· 242
Modified command: display ntp-service trace ·········································································· 242
Modified feature: Saving, rolling back, and loading the configuration ······· 243
Feature change description ········································································································ 243 Command changes ·················································································································· 243
Modified feature: Displaying information about SSH users ···················· 243
Feature change description ········································································································ 243 Command changes ·················································································································· 244
Modified command: display ssh user-information ····································································· 244
Removed feature: Displaying fabric utilization ····································· 244
Feature change description ········································································································ 244 Removed command ················································································································· 244
display fabric utilization ······································································································· 244
ESS 0302P06 ·············································································· 244
New feature: Object policies ··························································· 246
Configuring Object policies ········································································································ 246 Command reference ················································································································· 247
New feature: IPHC ······································································· 247
Configuring IPHC ····················································································································· 247 Command reference ················································································································· 247
New feature: Support of PPPoE server for IPv6 ·································· 247
Configuring Support of PPPoE server for IPv6 ··············································································· 247 Command reference ················································································································· 247
New feature: QSIG tunneling over SIP-T ··········································· 247
Configuring QSIG tunneling over SIP-T ························································································ 247 Command reference ················································································································· 248
New feature: Playout delay ····························································· 248
Configuring Playout delay ·········································································································· 248 Command reference ················································································································· 248
New feature: BGP L2VPN support for NSR ········································ 248
Configuring BGP L2VPN support for NSR ····················································································· 248 Command reference ················································································································· 248
New feature: BGP support for dynamic peers ····································· 249
Configuring BGP support for dynamic peers ·················································································· 249 Command reference ················································································································· 249
New feature: ARP PnP ·································································· 249
Configuring ARP PnP ··············································································································· 249 Command reference ················································································································· 249
New feature: Support of Syslog for DNS and support of customlog&userlog for IPv6 hosts ·················································································· 250
Configuring Support of Syslog for DNS and support of customlog&userlog for IPv6 hosts ······················ 250 Command reference ················································································································· 250
xi
New feature: QoS soft forwarding ···················································· 250
Configuring QoS soft forwarding ································································································· 250 Command reference ················································································································· 251
New feature: Filtering by application layer protocol status ····················· 251
Configuring Filtering by application layer protocol status ·································································· 251 Command reference ················································································································· 251
New feature: ADVPN support for multicast forwarding ·························· 251
Configuring ADVPN support for multicast forwarding ······································································ 251 Command reference ················································································································· 251
New feature: MPLS LDP support for IPv6 ·········································· 252
Configuring MPLS LDP support for IPv6 ······················································································· 252 Command reference ················································································································· 252
New feature: Port security ······························································ 252
Configuring Port security ··········································································································· 252 Command reference ················································································································· 253
New feature: Customizable IVR ······················································· 253
Configuring Customizable IVR ···································································································· 253 Command reference ················································································································· 253
New feature: SRST ······································································· 253
Configuring SRST ···················································································································· 253 Command reference ················································································································· 253
New feature: NEMO ······································································ 254
Configuring NEMO ··················································································································· 254 Command reference ················································································································· 254
New feature: Support of MFR and FR for L2VPN, FR QoS, and FR compression and fragmentation······················································· 254
Configuring Support of MFR and FR for L2VPN, FR QoS, and FR compression and fragmentation ········· 254 Command reference ················································································································· 254
New feature: Support for LLDP on CPOS interfaces ···························· 255
Configuring Support for LLDP on CPOS interfaces ········································································· 255 Command reference ················································································································· 255
New feature: SMS-based automatic configuration ······························· 255
Configuring SMS-based automatic configuration ············································································ 255 Command reference ················································································································· 255
New feature: ARP attack protection ·················································· 255
Configuring ARP attack protection ······························································································· 255 Command reference ················································································································· 256
New feature: SIP support for VRF ···················································· 256
Configuring SIP support for VRF ································································································· 256 Configuration guidelines ····································································································· 256 Configuration procedure ····································································································· 256
Command reference ················································································································· 256 vpn-instance ····················································································································· 256
ESS 0102 ··················································································· 257
New feature: Portal authentication ··················································· 258
Command reference ················································································································· 258
xii
New feature: MSDP ······································································ 258
Configuring MSDP ··················································································································· 258 Command reference ················································································································· 259
New feature: IPsec MIB and IKE MIB ··············································· 259
New feature: PoE ········································································· 259
Configuring PoE ······················································································································ 259 Command reference ················································································································· 260
New feature: CoPP software forwarding feature ·································· 260
Configuring CoPP ···················································································································· 260 Command reference ················································································································· 260
control-plane ···················································································································· 260 control-plane management ·································································································· 261 qos apply policy (interface view, control plane view) ································································· 261
New feature: Configuring MPLS LDP FRR ········································· 263
Configuring MPLS LDP FRR ······································································································ 263 Command reference ················································································································· 263
igp sync delay ··················································································································· 263 igp sync delay on-restart ····································································································· 265 mpls ldp igp sync disable ···································································································· 266
New feature: Enhanced routing features ············································ 266
Configuring enhanced routing features ························································································· 266 Command reference ················································································································· 267
non-stop-routing ·········· 267
ip route-static fast-reroute auto ·········· 267
import-route (RIP view) ·········· 268
import-route (OSPF view) ·········· 269
import-route (IS-IS view) ·········· 271
import-route (BGP view) ·········· 273
import-route (RIPng view) ·········· 275
import-route (OSPFv3 view) ·········· 276
ipv6 import-route (IPv6 IS-IS view) ·········· 278
New feature: Python ·········· 279
Using Python ·········· 279
Command reference ·········· 280
New feature: ATM ·········· 280
Configuring ATM ·········· 280
Command reference ·········· 280
New feature: DHCP MIB ·········· 280
DHCP MIB ·········· 280
Command reference ·········· 280
if-match ·········· 280
ESS 0006P02 ·········· 282
Release 0306P81
None.
Release 0306P80
None.
Release 0306P70
None.
Release 0306P52
This release has the following changes:
New feature: MAC address recording in TCP packets
New feature: Configuring the leased line service for an ISDN BRI interface
New feature: LLDP PVID inconsistency check
Modified feature: High encryption
Modified feature: OSPF
Modified feature: Policy-based routing
Modified feature: MIB objects
Modified feature: Setting ISP domain status
Modified feature: Excluding an attribute from portal protocol packets
Modified feature: NTP
Modified feature: Transceiver modules
Modified feature: E1POS
New feature: MAC address recording in TCP packets
Configuring MAC address recording in TCP packets
The router can add an option to each TCP packet sent from a terminal user to record the MAC
address of that terminal user.
Command reference
New command: tcp mac-record enable
Use tcp mac-record enable to enable the MAC address recording in TCP packets.
Use undo tcp mac-record enable to restore the default.
Syntax
tcp mac-record enable
undo tcp mac-record enable
Default
The MAC address recording in TCP packets is disabled.
Views
Interface view
Predefined user roles
network-admin
Usage guidelines
This feature enables the device to add an option in each TCP packet to record MAC addresses.
Examples
# Enable the MAC address recording in TCP packets on GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] tcp mac-record enable
Related commands
tcp mac-record local
New command: tcp mac-record local
Use tcp mac-record local to specify the MAC address of the local device for MAC address
recording.
Use undo tcp mac-record local to restore the default.
Syntax
tcp mac-record local mac-address
undo tcp mac-record local
Default
The MAC address of the local device for MAC address recording is not specified.
Parameters
mac-address: Specifies the MAC address of the local device. This MAC address cannot be all 0s, a
broadcast MAC address, or a multicast MAC address.
Views
System view
Predefined user roles
network-admin
Usage guidelines
This command is typically configured on access devices that connect to terminal users, and is
used together with the tcp mac-record enable command.
With both commands configured, the device adds options to each TCP packet to record its own
specified MAC address and the MAC address of the terminal user.
Examples
# Specify the MAC address of the local device as 0102-0304-0506.
<Sysname> system-view
[Sysname] tcp mac-record local 0102-0304-0506
Related commands
tcp mac-record enable
New feature: Configuring the leased line service for an ISDN BRI interface
Configuring the leased line service for an ISDN BRI interface
ISDN leased lines are implemented by establishing semi-permanent connections. This requires the
PBXs of your telecommunication service provider to provide leased lines and be connected to the
remote device.
To configure the leased line service for an ISDN BRI interface:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter ISDN BRI interface view. | interface bri interface-number | N/A
3. Configure the leased line service for the ISDN BRI interface. | isdn leased-line [ B1 | B2 | 128 ] | By default, the leased line service is not configured for an ISDN BRI interface.
Command reference
New command: isdn leased-line
Use isdn leased-line [ B1 | B2 | 128 ] to configure the leased line service for an ISDN BRI interface.
Use undo isdn leased-line [ B1 | B2 | 128 ] to remove the leased line service configuration for an
ISDN BRI interface.
Syntax
isdn leased-line [ B1 | B2 | 128 ]
undo isdn leased-line [ B1 | B2 | 128 ]
Default
The leased line service is not configured for an ISDN BRI interface.
Views
ISDN BRI interface view
Predefined user roles
network-admin
network-operator
Parameters
B1: Uses channel B1 as a 64-kbps leased line.
B2: Uses channel B2 as a 64-kbps leased line.
128: Combines channels B1 and B2 into a 128-kbps leased line.
Usage guidelines
The isdn leased-line command without any keywords configures both the B1 and B2 channels as
64-kbps leased lines.
The undo isdn leased-line command without any keywords removes the leased line service
configuration from the specified BRI interface.
You can directly switch an ISDN BRI interface from 64-kbps leased line service to 128-kbps leased
line service, or vice versa.
This command is not available on BSV interfaces.
Examples
# Combine channels B1 and B2 on BRI 2/1 to provide a 128-kbps leased line.
<Sysname> system-view
[Sysname] interface bri 2/1
[Sysname-Bri2/1] isdn leased-line 128
New feature: LLDP PVID inconsistency check
Disabling LLDP PVID inconsistency check
By default, when the system receives an LLDP packet, it compares the PVID value contained in the
packet with the PVID configured on the receiving interface. If the two PVIDs do not match, a log
message is printed to notify the user.
You can disable PVID inconsistency check if different PVIDs are required on a link.
To disable LLDP PVID inconsistency check:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Disable LLDP PVID inconsistency check. | lldp ignore-pvid-inconsistency | By default, LLDP PVID inconsistency check is enabled.
Command reference
lldp ignore-pvid-inconsistency
Use lldp ignore-pvid-inconsistency to disable LLDP PVID inconsistency check.
Use undo lldp ignore-pvid-inconsistency to enable LLDP PVID inconsistency check.
Syntax
lldp ignore-pvid-inconsistency
undo lldp ignore-pvid-inconsistency
Default
LLDP PVID inconsistency check is enabled.
Views
System view
Default command level
network-admin
Usage guidelines
By default, when the system receives an LLDP packet, it compares the PVID value contained in the
packet with the PVID configured on the receiving interface. If the two PVIDs do not match, a log
message is printed to notify the user.
You can disable PVID inconsistency check if different PVIDs are required on a link.
Examples
# Disable LLDP PVID inconsistency check.
<Sysname> system-view
[Sysname] lldp ignore-pvid-inconsistency
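The PVID check described above, as an added example that is not part of the release notes or HPE's code: a Python parser that extracts the Port VLAN ID TLV (IEEE 802.1AB organizationally specific TLV, OUI 00-80-C2, subtype 1) from an LLDPDU and reports a mismatch against the receiving interface's configured PVID, with the lldp ignore-pvid-inconsistency setting modelled as a flag. The LLDPDU bytes and interface name are constructed for the example.

```python
"""Added example (not from the HPE release notes): parse the Port VLAN ID TLV
from an LLDPDU and apply the PVID inconsistency check the notes describe.
TLV layout follows IEEE 802.1AB (2-byte header: 7-bit type, 9-bit length) and
the 802.1 Port VLAN ID TLV (type 127, OUI 00-80-C2, subtype 1, 2-byte VLAN ID)."""
import struct
from typing import Iterator, Optional, Tuple

IEEE8021_OUI = b"\x00\x80\xc2"
PORT_VLAN_ID_SUBTYPE = 1
TLV_ORG_SPECIFIC = 127
TLV_END = 0


def iter_tlvs(payload: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, value) for each TLV; stop at End-of-LLDPDU or at a
    truncated TLV (a malformed frame must not be trusted any further)."""
    off = 0
    while off + 2 <= len(payload):
        hdr = struct.unpack("!H", payload[off:off + 2])[0]
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if tlv_type == TLV_END:
            return
        if off + length > len(payload):
            return  # truncated TLV: ignore the remainder
        yield tlv_type, payload[off:off + length]
        off += length


def extract_pvid(payload: bytes) -> Optional[int]:
    """Return the PVID advertised in the Port VLAN ID TLV, or None if absent."""
    for tlv_type, value in iter_tlvs(payload):
        if tlv_type != TLV_ORG_SPECIFIC or len(value) < 6:
            continue
        oui, subtype = value[:3], value[3]
        if oui == IEEE8021_OUI and subtype == PORT_VLAN_ID_SUBTYPE:
            return struct.unpack("!H", value[4:6])[0]
    return None


def pvid_check(payload: bytes, local_pvid: int, interface: str,
               ignore_inconsistency: bool = False) -> Optional[str]:
    """Mirror the device behaviour: compare the advertised PVID with the PVID
    configured on the receiving interface and return a log message on mismatch.
    Returns None when the PVIDs match, when the neighbour sends no Port VLAN ID
    TLV, or when the check is disabled (lldp ignore-pvid-inconsistency)."""
    if ignore_inconsistency:
        return None
    remote = extract_pvid(payload)
    if remote is None or remote == local_pvid:
        return None
    return (f"LLDP PVID inconsistency on {interface}: "
            f"local PVID {local_pvid}, neighbour PVID {remote}")


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV (helper used to build the constructed sample)."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


# Constructed LLDPDU: mandatory Chassis ID, Port ID and TTL TLVs, then a
# Port VLAN ID TLV advertising VLAN 20, then End of LLDPDU.
SAMPLE_LLDPDU = (
    tlv(1, b"\x04" + bytes.fromhex("0102030a0b0c"))   # chassis ID, MAC subtype
    + tlv(2, b"\x05Gi1/0/1")                           # port ID, interface name
    + tlv(3, struct.pack("!H", 120))                   # TTL 120 s
    + tlv(TLV_ORG_SPECIFIC,
          IEEE8021_OUI + bytes([PORT_VLAN_ID_SUBTYPE]) + struct.pack("!H", 20))
    + tlv(TLV_END, b"")
)

if __name__ == "__main__":
    # Mismatch (local PVID 10 vs advertised 20) produces a log line; match is silent.
    print(pvid_check(SAMPLE_LLDPDU, 10, "GigabitEthernet1/0/1"))
    print(pvid_check(SAMPLE_LLDPDU, 20, "GigabitEthernet1/0/1"))
```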
Modified feature: High encryption
Feature change description
In this release, the HPE router does not require a license to support high encryption. It operates in
high encryption mode by default.
Modified feature: OSPF
Feature change description
The device can automatically obtain a router ID from an OSPF interface.
Command reference
Modified command: ospf
Old syntax
ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ] *
undo ospf [ process-id ]
New syntax
ospf [ process-id | router-id { auto-select | router-id } | vpn-instance vpn-instance-name ] *
undo ospf [ process-id ] [ router-id ]
Views
System view
Change description
The auto-select keyword was added to the command for the device to automatically obtain a router
ID from an OSPF interface.
Modified feature: Policy-based routing
Feature change description
The apply remark-vpn command was newly added. You can execute this command in policy node
view or IPv6 policy node view to mark the VPN instance for matching packets.
Command reference
New command: apply remark-vpn
Use apply remark-vpn to mark the VPN instance for matching packets.
Use undo apply remark-vpn to restore the default.
Syntax
apply remark-vpn
undo apply remark-vpn
Default
The VPN instance is not marked for matching packets.
Views
Policy node view
Predefined user roles
network-admin
Usage guidelines
The apply access-vpn vpn-instance command is used to forward matching packets in a specified
VPN instance. To make the VPN instance known to the service modules, use the apply remark-vpn
command to mark the VPN instance in the packets.
This command must be used together with the apply access-vpn vpn-instance command.
This command marks a VPN instance in a packet only when the packet is forwarded in the VPN
instance specified by the apply access-vpn vpn-instance command.
Examples
# Mark VPN instance vpn1 for packets that match ACL 3000.
<Sysname> system-view
[Sysname] policy-based-route aaa permit node 10
[Sysname-pbr-aaa-10] if-match acl 3000
[Sysname-pbr-aaa-10] apply access-vpn vpn-instance vpn1
[Sysname-pbr-aaa-10] apply remark-vpn
Modified feature: MIB objects
Feature change description
The startup2Net object in hh3c-config-man.mib was modified to specify the startup configuration
file. The description of the startup object was changed accordingly.
Modified feature: Setting ISP domain status
Feature change description
An ISP domain can be blocked based on time ranges.
Command changes
Modified command: state
Old syntax
state { active | block }
New syntax
state { active | block [ time-range ] [ offline ] }
Views
ISP domain view
Change description
The time-range and offline keywords were added to this command.
time-range: Blocks the ISP domain based on time ranges. If you do not specify this keyword, the ISP
domain is in blocked state until you manually set the state to active.
offline: Logs off all online users when the ISP domain state changes from active to blocked.
New command: state block time-range name
Use state block time-range name to specify a time range during which an ISP domain is in blocked
state.
Use undo state block time-range name to remove a time range or all time ranges during which an
ISP domain is in blocked state.
Syntax
state block time-range name time-range-name
undo state block time-range { all | name time-range-name }
Default
No time ranges are specified to block an ISP domain.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
time-range-name: Specifies a time range by its name, a case-insensitive string of 1 to 32 characters.
The name must start with a letter and cannot be the word all.
all: Removes all time ranges.
Usage guidelines
An ISP domain is blocked during the specified time ranges only when the ISP domain is set to be
blocked based on time ranges. To block an ISP domain based on time ranges, use the state block
time-range command.
Execute this command multiple times to specify multiple time ranges during which an ISP domain is
blocked.
Examples
# Specify ISP domain test to be blocked during time ranges t1 and t2.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] state block time-range name t1
[Sysname-isp-test] state block time-range name t2
Modified feature: Excluding an attribute from portal protocol packets
Excluding an attribute from portal protocol packets
Support of the portal authentication server for portal protocol attributes varies by the server type. If
the device sends the portal authentication server a packet that contains an attribute unsupported by
the server, the device and the server cannot communicate.
To address this issue, you can configure portal protocol packets to not carry the attributes
unsupported by the portal authentication server.
To exclude an attribute from portal protocol packets:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter portal authentication server view. | portal server server-name | N/A
3. Exclude an attribute from portal protocol packets. | exclude-attribute number { ack-auth | ntf-logout | ack-logout } | By default, no attributes are excluded from portal protocol packets.
Command reference
New command: exclude-attribute
Use exclude-attribute to exclude an attribute from portal protocol packets.
Use undo exclude-attribute to not exclude an attribute from portal protocol packets.
Syntax
exclude-attribute number { ack-auth | ntf-logout | ack-logout }
undo exclude-attribute number { ack-auth | ntf-logout | ack-logout }
Default
No attributes are excluded from portal protocol packets.
Views
Portal authentication server view
Predefined user roles
network-admin
Parameters
number: Specifies an attribute by its number in the range of 1 to 255.
ack-auth: Excludes the attribute from ACK_AUTH packets.
ntf-logout: Excludes the attribute from NTF_LOGOUT packets.
ack-logout: Excludes the attribute from ACK_LOGOUT packets.
Usage guidelines
Support of the portal authentication server for portal protocol attributes varies by the server type. If
the device sends the portal authentication server a packet that contains an attribute unsupported by
the server, the device and the server cannot communicate.
To address this issue, you can configure this command to exclude the unsupported attributes from
specific portal protocol packets sent to the portal authentication server.
You can specify multiple excluded attributes. For an excluded attribute, you can specify multiple
types of portal protocol packets (ack-auth, ntf-logout, and ack-logout).
Table 1 describes all attributes of the portal protocol.
Table 1 Portal attributes
Name | Number | Description
UserName | 1 | Username of the user to be authenticated.
PassWord | 2 | Plaintext password submitted by the user.
Challenge | 3 | Random challenge for CHAP authentication.
ChapPassWord | 4 | CHAP password encrypted by MD5.
TextInfo | 5 | The device uses this attribute to transparently transport prompt information of a RADIUS server or packet error information to the portal authentication server. The attribute value can be a string excluding the end character '\0'. This attribute can exist in any packet from the device to the portal server. A packet can contain multiple TextInfo attributes. As a best practice, carry only one TextInfo attribute in a packet.
UpLinkFlux | 6 | Uplink (output) traffic of the user, an 8-byte unsigned integer, in KB.
DownLinkFlux | 7 | Downlink (input) traffic of the user, an 8-byte unsigned integer, in KB.
Port | 8 | Port information, a string excluding the end character '\0'.
IP-Config | 9 | This attribute has different meanings in different types of packets. The device uses this attribute in ACK_AUTH (Type=0x04) packets to notify the portal server that the user requires re-DHCP. The device uses this attribute in ACK_LOGOUT (Type=0x06) and NTF_LOGOUT (Type=0x08) packets to indicate that the current user IP address must be released. The portal server must notify the user to release the public IP address through DHCP. The device will reallocate a private IP address to the user.
Examples
# Exclude the UpLinkFlux attribute (number 6) from portal ACK_AUTH packets.
<Sysname> system-view
[Sysname] portal server pts
[Sysname-portal-server-pts] exclude-attribute 6 ack-auth
Related commands
display portal server
Modified command: display portal server
Syntax
display portal server [ server-name ]
Views
Any view
Change description
The Exclude-attribute field was added to the output of this command.
Modified feature: NTP
Feature change description
NTP can use advanced ACLs to filter packets by source and destination IP addresses.
Command changes
Modified command: ntp-service authentication-keyid
Old syntax
ntp-service authentication-keyid keyid authentication-mode md5 { cipher | simple } value
New syntax
ntp-service authentication-keyid keyid authentication-mode md5 { cipher | simple } value [ acl ipv4-acl-number | ipv6 acl ipv6-acl-number ] *
Views
System view
Change description
The acl ipv4-acl-number and ipv6 acl ipv6-acl-number options were added to the command.
Modified command: sntp authentication-keyid
Old syntax
sntp authentication-keyid keyid authentication-mode md5 { cipher | simple } value
New syntax
sntp authentication-keyid keyid authentication-mode md5 { cipher | simple } value [ acl ipv4-acl-number | ipv6 acl ipv6-acl-number ] *
Views
System view
Change description
The acl ipv4-acl-number and ipv6 acl ipv6-acl-number options were added to the command.
Modified feature: Transceiver modules
Feature change description
The names of SFP-GE-LH70-SM1550 and SFP-GE-LH70-SM1550-D transceiver modules were
changed to SFP-GE-LH80-SM1550 and SFP-GE-LH80-SM1550-D, respectively. Their transmission
distance was increased from 70 km (43.50 miles) to 80 km (49.71 miles).
Modified feature: E1POS
Feature change description
This release added support for displaying the modem negotiation rate of E1POS by using the debug
command.
Release 0306P30
This release has the following changes:
New feature: SIP compatibility
Modified feature: OSPF performance optimization
Modified feature: Telnet redirect
Modified feature: POS terminal access
Modified feature: License
Modified feature: IP performance optimization
New feature: SIP compatibility
Configuring SIP compatibility
If a third-party device does not implement SIP in strict accordance with the RFC standard, you can
configure SIP compatibility for the router to interoperate with the third-party device.
With the sip-compatible t38 command configured, the router excludes :0 from the following SDP
parameters in the originated re-INVITE messages:
T38FaxTranscodingJBIG.
T38FaxTranscodingMMR.
T38FaxFillBitRemoval.
With the sip-compatible x-param command configured, the router adds SDP description
information (a=X-fax and a=X-modem) for fax pass-through and modem pass-through in the
originated re-INVITE messages.
To configure SIP compatibility:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter voice view. | voice-setup | N/A
3. Enter SIP view. | sip | N/A
4. Configure SIP compatibility. | sip-compatible { t38 | x-param } | By default, SIP compatibility is not configured.
Command reference
sip-compatible
Use sip-compatible to configure SIP compatibility with a third-party device.
Use undo sip-compatible to restore the default.
Syntax
sip-compatible { t38 | x-param }
undo sip-compatible { t38 | x-param }
Default
SIP compatibility is not configured.
Views
SIP view
Predefined user roles
network-admin
Parameters
t38: Configures SIP compatibility for standard T.38 fax. With this keyword specified, the router
excludes :0 from the following SDP parameters in the originated re-INVITE messages:
T38FaxTranscodingJBIG.
T38FaxTranscodingMMR.
T38FaxFillBitRemoval.
This keyword is required when the router interoperates with a third-party softswitch device to
exchange T.38 fax messages.
x-param: Configures SIP compatibility for fax pass-through and modem pass-through. With this
keyword specified, the router adds SDP description information for fax pass-through and modem
pass-through to outgoing re-INVITE messages. This keyword is required when the router
interoperates with a third-party softswitch device to perform fax pass-through and modem
pass-through.
Usage guidelines
The t38 and x-param keywords can be both configured to interoperate with a third-party softswitch
device.
Examples
# Configure SIP compatibility for standard T.38 fax.
<Sysname> system-view
[Sysname] voice-setup
[Sysname-voice] sip
[Sysname-voice-sip] sip-compatible t38
Modified feature: OSPF performance optimization
Feature change description
You can set a fixed OSPF SPF calculation interval in the range of 0 to 10000 milliseconds.
The value range for the LSU packet sending interval was changed to 0 to 1000 milliseconds.
Command changes
Modified command: spf-schedule-interval
Old syntax
spf-schedule-interval { maximum-interval [ minimum-interval [ incremental-interval ] ] }
New syntax
spf-schedule-interval { maximum-interval [ minimum-interval [ incremental-interval ] ] | millisecond interval }
Views
OSPF view
Change description
The millisecond interval argument was added to the command. You can specify this argument to set
a fixed OSPF SPF calculation interval in the range of 0 to 10000 milliseconds.
Modified command: transmit-pacing
Syntax
transmit-pacing interval interval count count
Views
OSPF view
Change description
Before modification: The value range for the interval argument was 10 to 1000 milliseconds.
After modification: The value range for the interval argument is 0 to 1000 milliseconds.
Modified feature: Telnet redirect
Feature change description
Authentication was added on MSR 3000 series routers for Telnet redirect users.
Logging was added for Telnet redirect login events and Telnet redirect exit events.
Modified feature: POS terminal access
Feature change description
The posa auto-stop-service enable command now also sets the access interfaces for all E1POS
terminal templates to reply with busy tones when all FEPs are unreachable.
Command changes
Modified command: posa auto-stop-service enable
Syntax
posa auto-stop-service enable
Views
System view
Change description
Before modification, this command enables automatic shutdown of the listening ports for TCP-based
POS terminal templates when all FEPs that correspond to TCP-based POS application templates
are unreachable. When any of the FEPs becomes reachable, the router automatically opens the
listening ports for all TCP-based POS terminal templates.
After modification, this command enables the router to automatically perform the following
operations when all FEPs that correspond to TCP-based POS application templates are
unreachable:
Shuts down the listening ports for all TCP-based POS terminal templates.
Sets the access interfaces for all E1POS terminal templates to reply with busy tones.
When any of the FEPs becomes reachable, the router automatically performs the following
operations:
Opens the listening ports for all TCP-based POS terminal templates.
Disables busy tone for all E1POS terminal templates.
Modified feature: License
Feature change description
The device uses high encryption algorithms by default and does not require a license.
Modified feature: IP performance optimization
Feature change description
The device supports recording MAC addresses in TCP packets. You can also configure the device to
record the MAC address of the local device in TCP packets.
Command changes
New command: tcp mac-record enable
Use tcp mac-record enable to enable MAC address recording in TCP packets.
Use undo tcp mac-record enable to disable MAC address recording in TCP packets.
Syntax
tcp mac-record enable
undo tcp mac-record enable
Default
MAC address recording in TCP packets is disabled.
Views
Interface view
Default command level
network-admin
Usage guidelines
This feature records the MAC address of the packet originator in a TCP option. When an attack
occurs, the administrator can quickly locate the attack source according to the recorded MAC
addresses.
Examples
# Enable MAC address recording in TCP packets on GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] tcp mac-record enable
New command: tcp mac-record local
Use tcp mac-record local to record the MAC address of the local device in TCP packets.
Use undo tcp mac-record local to restore the default.
Syntax
tcp mac-record local mac-address
undo tcp mac-record local
Default
The destination MAC address is recorded.
Views
System view
Default command level
network-admin
Parameters
mac-address: Specifies the MAC address of the local device. The MAC address cannot be all 0s,
broadcast MAC address, or multicast MAC address.
Usage guidelines
To make this command take effect, you must enable MAC address recording in TCP packets by
using the tcp mac-record enable command.
Examples
# Record the MAC address of the local device 0605-0403-0201 in TCP packets.
<Sysname> system-view
[Sysname] tcp mac-record local 0605-0403-0201
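The MAC-record option described here and in the earlier 0306P52 section, as an added example that is not HPE's code: a TCP option walker that lists every option kind in a segment and flags non-standard kinds, so captured traffic can be audited for vendor options of this sort. The release notes do not state the option kind or payload layout the router uses, so the example assumes a hypothetical kind 253 carrying 6-byte MAC addresses; the segment bytes are constructed.

```python
"""Added example (not from the HPE release notes): walk the options of a TCP
segment and report any option kind that is not a standard one. The option
kind and layout the router uses are NOT given in the notes; kind 253 (an
RFC 4727 experimental value) with 6-byte MAC payloads is an assumption."""
import struct
from typing import Dict, List, Tuple

# Kinds a reader should normally expect (RFC 9293 plus common extensions).
STANDARD_KINDS = {0, 1, 2, 3, 4, 5, 8, 19, 28, 29, 30, 34}
EOL, NOP = 0, 1
ASSUMED_MAC_RECORD_KIND = 253   # placeholder, not the router's real value


def parse_tcp_options(options: bytes) -> List[Tuple[int, bytes]]:
    """Return (kind, data) pairs. EOL and NOP carry no length byte; every
    other option has a length that covers the kind and length bytes. A length
    below 2 or one that overruns the buffer is malformed and stops parsing."""
    out: List[Tuple[int, bytes]] = []
    off = 0
    while off < len(options):
        kind = options[off]
        if kind == EOL:
            break
        if kind == NOP:
            off += 1
            continue
        if off + 1 >= len(options):
            break
        length = options[off + 1]
        if length < 2 or off + length > len(options):
            break
        out.append((kind, options[off + 2:off + length]))
        off += length
    return out


def fmt_mac(raw: bytes) -> str:
    """Render 6 bytes in the HPE CLI style used in the examples (0102-0304-0506)."""
    h = raw.hex()
    return "-".join(h[i:i + 4] for i in (0, 4, 8))


def audit_options(options: bytes) -> Dict[str, object]:
    """Summarise option kinds, flag non-standard ones, decode the assumed option."""
    parsed = parse_tcp_options(options)
    nonstandard = sorted({k for k, _ in parsed if k not in STANDARD_KINDS})
    macs: List[str] = []
    for kind, data in parsed:
        if kind == ASSUMED_MAC_RECORD_KIND and data and len(data) % 6 == 0:
            macs.extend(fmt_mac(data[i:i + 6]) for i in range(0, len(data), 6))
    return {"kinds": [k for k, _ in parsed], "nonstandard": nonstandard, "macs": macs}


def tcp_header_options(segment: bytes) -> bytes:
    """Slice the options out of a raw TCP header using the data offset field."""
    data_offset = (segment[12] >> 4) * 4
    return segment[20:data_offset]


# Constructed 28-byte option block for a SYN: MSS, SACK-permitted, window scale,
# and the assumed MAC-record option holding a made-up terminal MAC followed by
# the local device MAC from the 0306P52 example (0102-0304-0506).
OPTS = (
    bytes([2, 4]) + struct.pack("!H", 1460)      # MSS 1460
    + bytes([4, 2]) + bytes([1, 1])              # SACK permitted, NOP, NOP
    + bytes([3, 3, 7, 1])                        # window scale 7, NOP
    + bytes([ASSUMED_MAC_RECORD_KIND, 14])
    + bytes.fromhex("aabbccddeeff") + bytes.fromhex("010203040506")
    + bytes([1, 1])                              # NOP padding to a 4-byte multiple
)
# Constructed TCP header: ports 40000 -> 443, data offset 12 words, SYN flag.
SAMPLE_SEGMENT = struct.pack(
    "!HHIIBBHHH", 40000, 443, 1, 0, ((20 + len(OPTS)) // 4) << 4, 0x02, 65535, 0, 0
) + OPTS

if __name__ == "__main__":
    print(audit_options(tcp_header_options(SAMPLE_SEGMENT)))
```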
Release 0306P12
This release has the following changes:
Modified feature: Configuring an SSH user
Modified feature: AAA
Modified feature: Configuring a cellular interface for a 3G/4G modem
Modified feature: VXLAN
Modified feature: DHCP
Modified feature: Configuring an SSH user
Feature change description
Starting from this software version, the device checks the username validity when an SSH user is
created.
Modified feature: AAA
Feature change description
Starting from this software version, you can configure the authorization method for IKE extended
authentication.
Command changes
New command: authorization ike
Use authorization ike to configure the authorization method for IKE extended authentication.
Use undo authorization ike to restore the default.
Syntax
In non-FIPS mode:
authorization ike { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
undo authorization ike
In FIPS mode:
authorization ike { local | radius-scheme radius-scheme-name [ local ] }
undo authorization ike
Default
The default authorization method for the ISP domain is used for IKE extended authentication.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
local: Performs local authorization.
none: Does not perform authorization.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive
string of 1 to 32 characters.
Examples
# In ISP domain test, perform local authorization for IKE extended authentication.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization ike local
# In ISP domain test, use RADIUS scheme rd as the primary authorization method and local
authorization as the backup authorization method for IKE extended authentication.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization ike radius-scheme rd local
Modified feature: Configuring a cellular interface for a 3G/4G modem
Feature change description
In this release, you can set the RSSI thresholds for a 3G/4G modem.
Command changes
New command: rssi
Use rssi to set the RSSI thresholds for a 3G/4G modem.
Use undo rssi to restore the default.
Syntax
rssi { gsm | 1xrtt | evdo | lte } { low lowthreshold | medium mediumthreshold } *
undo rssi { gsm | 1xrtt | evdo | lte } [ low | medium ]
Default
The lower and upper thresholds for a 3G/4G modem are –150 dBm and 0 dBm, respectively.
Views
Cellular interface view
Predefined user roles
network-admin
Parameters
1xrtt: Specifies the 1xRTT mode.
evdo: Specifies the EVDO mode.
gsm: Specifies the GSM mode.
lte: Specifies the LTE mode.
low lowthreshold: Specifies the lower RSSI threshold value in the range of 0 to 150, which represents
a lower RSSI threshold in the range of –150 dBm to 0 dBm. The value of lowthreshold cannot be
smaller than the value of mediumthreshold, because the system automatically adds a negative sign
to the RSSI thresholds.
medium mediumthreshold: Specifies the upper RSSI threshold value in the range of 0 to 150, which
represents an upper RSSI threshold in the range of –150 dBm to 0 dBm.
Usage guidelines
The device performs the following operations based on the actual RSSI of the 3G/4G modem:
Sends a trap that indicates high RSSI when the RSSI exceeds the upper threshold.
Sends a trap that indicates normal RSSI when the RSSI is between the lower threshold and the
upper threshold (inclusive).
Sends a trap that indicates low RSSI when the RSSI drops to or below the lower threshold.
Sends a trap that indicates low RSSI every 10 minutes when the RSSI remains equal to or
smaller than the lower threshold.
To view the RSSI change information for a 3G/4G modem, use the display cellular command.
Examples
# Set the lower threshold for a 3G/4G modem in GSM mode to –110 dBm.
<Sysname> system-view
[Sysname] interface cellular 0/0
[Sysname-Cellular0/0] rssi gsm low 110
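The threshold rules and trap behaviour described in the usage guidelines above, as an added example that is not part of the release notes or HPE's code: a Python model of one modem mode that stores thresholds the way the rssi command does (0 to 150 with an automatic negative sign, low not smaller than medium) and replays a constructed RSSI sample series to show which traps result, including the 10-minute repeat while the RSSI stays low.

```python
"""Added example (not from the HPE release notes): model the rssi command's
threshold semantics for a single modem mode and the trap logic described in
the usage guidelines. Thresholds are configured as 0..150 and negated
(110 means -110 dBm), so the low value must not be smaller than the medium one."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

REPEAT_LOW_SECONDS = 10 * 60   # low-RSSI trap is repeated every 10 minutes


@dataclass
class RssiThresholds:
    low: int = 150      # default lower threshold: -150 dBm
    medium: int = 0     # default upper threshold: 0 dBm

    def set(self, low: Optional[int] = None, medium: Optional[int] = None) -> None:
        """Apply `rssi <mode> { low x | medium y } *`; reject values the CLI
        would refuse (out of range, or low smaller than medium)."""
        new_low = self.low if low is None else low
        new_medium = self.medium if medium is None else medium
        for v in (new_low, new_medium):
            if not 0 <= v <= 150:
                raise ValueError("threshold must be in the range 0 to 150")
        if new_low < new_medium:
            raise ValueError("lowthreshold cannot be smaller than mediumthreshold")
        self.low, self.medium = new_low, new_medium

    @property
    def low_dbm(self) -> int:
        return -self.low

    @property
    def medium_dbm(self) -> int:
        return -self.medium


def set_rejected(thr: RssiThresholds, **kw) -> bool:
    """True when the CLI-style validation refuses the given thresholds."""
    try:
        thr.set(**kw)
    except ValueError:
        return True
    return False


@dataclass
class RssiMonitor:
    thresholds: RssiThresholds
    last_low_trap: Optional[int] = None        # time of the last low-RSSI trap
    traps: List[Tuple[int, str]] = field(default_factory=list)

    def classify(self, rssi_dbm: int) -> str:
        """high: above the upper threshold; low: at or below the lower
        threshold; normal: between the two, both ends inclusive."""
        if rssi_dbm > self.thresholds.medium_dbm:
            return "high"
        if rssi_dbm <= self.thresholds.low_dbm:
            return "low"
        return "normal"

    def observe(self, t: int, rssi_dbm: int) -> Optional[str]:
        """Emit a trap on a state change; while RSSI stays low, repeat the low
        trap every 10 minutes. Returns the trap emitted, or None."""
        state = self.classify(rssi_dbm)
        previous = self.traps[-1][1] if self.traps else None
        if state == "low":
            if previous != "low" or t - self.last_low_trap >= REPEAT_LOW_SECONDS:
                self.last_low_trap = t
                self.traps.append((t, "low"))
                return "low"
            return None
        if state != previous:
            self.traps.append((t, state))
            return state
        return None


def run_samples(samples: List[Tuple[int, int]]) -> List[Optional[str]]:
    """Replay (seconds, RSSI dBm) samples with `rssi gsm low 110` configured."""
    thr = RssiThresholds()
    thr.set(low=110)            # -110 dBm, as in the example above
    mon = RssiMonitor(thr)
    return [mon.observe(t, v) for t, v in samples]


# Constructed sample series: signal drops below -110 dBm, stays there past the
# 10-minute repeat point, recovers, then exceeds the 0 dBm upper threshold.
SAMPLES = [(0, -80), (60, -80), (120, -115), (300, -115), (720, -115), (800, -90), (900, 5)]

if __name__ == "__main__":
    print(run_samples(SAMPLES))
```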
Modified feature: VXLAN
Feature change description
This release added support for QoS in the outbound direction of VXLAN tunnel interfaces.
Command changes
None.
Modified feature: DHCP
Feature change description
Starting from this software version, you can configure the DHCP server to send DHCP replies that do
not contain Option 60.
Command changes
New command: dhcp server reply-exclude-option60
Use dhcp server reply-exclude-option60 to configure the DHCP server to send DHCP replies that
do not contain Option 60.
Use undo dhcp server reply-exclude-option60 to restore the default.
Syntax
dhcp server reply-exclude-option60
undo dhcp server reply-exclude-option60
Default
The DHCP server sends DHCP replies containing Option 60.
Views
System view
Predefined user roles
network-admin
Example
# Configure the DHCP server to send DHCP replies that do not contain Option 60.
<Sysname> system-view
[Sysname] dhcp server reply-exclude-option60
Release 0306P11
This release has the following changes:
New feature: Voice VLAN
Modified feature: MPLS QoS support for matching the EXP field
Modified feature: MPLS QoS support for marking the EXP field
Modified feature: Automatic configuration
Removed feature: Tinyproxy
New feature: Voice VLAN
Configuring a voice VLAN
Configuring a port to operate in automatic voice VLAN assignment mode
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. (Optional.) Set the voice VLAN aging timer. | voice-vlan aging minutes | By default, the aging timer of a voice VLAN is 1440 minutes.
3. (Optional.) Enable the voice VLAN security mode. | voice-vlan security enable | By default, the voice VLAN security mode is enabled.
4. (Optional.) Add an OUI address for voice packet identification. | voice-vlan mac-address oui mask oui-mask [ description text ] | By default, system default OUI addresses exist.
5. Enter interface view. | Use one of the following commands: | N/A
    Enter Layer 2 Ethernet interface view: interface interface-type interface-number
    Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number
    Enter S-channel interface view: interface s-channel interface-number.channel-id
    Enter S-channel aggregate interface view: interface schannel-aggregation interface-number:channel-id
    Enter Layer 2 RPR logical interface view: interface rpr-bridge interface-number
6. Set the link type of the port. | Use one of the following commands: | N/A
    Set the port link type to trunk: port link-type trunk
    Set the port link type to hybrid: port link-type hybrid
7. Configure the port to operate in automatic voice VLAN assignment mode. | voice-vlan mode auto | By default, the automatic voice VLAN assignment mode is enabled.
8. Enable the voice VLAN feature on the port. | voice-vlan vlan-id enable | By default, the voice VLAN feature is disabled. Before you execute this command, make sure the specified VLAN already exists.
Configuring a port to operate in manual voice VLAN assignment mode
Step Command Remarks
1. Enter system view. system-view N/A
2. (Optional.) Enable the voice VLAN security mode.
voice-vlan security enable By default, the voice VLAN security mode is enabled.
3. (Optional.) Add an OUI address for voice packet identification.
voice-vlan mac-address oui mask oui-mask [ description text ]
By default, system default OUI addresses exist.
4. Enter interface view.
Enter Layer 2 Ethernet interface view: interface interface-type interface-number
Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number
Enter S-channel interface view: interface s-channel interface-number.channel-id
Enter S-channel aggregate interface view: interface schannel-aggregation interface-number:channel-id
Enter Layer 2 RPR logical interface view: interface rpr-bridge interface-number
N/A
5. Configure the port to operate in manual voice VLAN assignment mode.
undo voice-vlan mode auto By default, a port operates in automatic voice VLAN assignment mode.
6. Set the link type of the port.
Set the port link type to access: port link-type access
Set the port link type to trunk: port link-type trunk
Set the port link type to hybrid: port link-type hybrid
By default, each port is an access port.
7. Assign the access, trunk, or hybrid port to the voice VLAN.
For the access port: port access vlan vlan-id
For the trunk port: port trunk permit vlan { vlan-id-list | all }
For the hybrid port: port hybrid vlan vlan-id-list { tagged | untagged }
After you assign an access port to the voice VLAN, the voice VLAN becomes the PVID of the port.
8. (Optional.) Configure the voice VLAN as the PVID of the trunk or hybrid port.
For the trunk port: port trunk pvid vlan vlan-id
For the hybrid port: port hybrid pvid vlan vlan-id
This step is required for untagged incoming voice traffic and prohibited for tagged incoming voice traffic.
9. Enable the voice VLAN feature on the port.
voice-vlan vlan-id enable
By default, the voice VLAN feature is disabled.
Before you execute this command, make sure the specified VLAN already exists.
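The security-mode decision in the procedure above rests on one test: does the source MAC of a frame in the voice VLAN match an entry of the OUI table (voice-vlan mac-address oui mask oui-mask)? The following added example, which is not code from the release notes or from the product, models that lookup and the resulting forward/drop decision. The OUI entries are a constructed sample, not the device defaults (use display voice-vlan mac-address for those), and the semantics assumed are that in security mode a non-matching source is dropped while in normal mode it is forwarded.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class OuiEntry:
    """One 'voice-vlan mac-address oui mask oui-mask [ description text ]' entry."""
    oui: str
    mask: str
    description: str = ""


def mac_to_int(mac: str) -> int:
    """Accept the Comware hhhh-hhhh-hhhh form and the colon-separated form."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(digits, 16)


def matches_oui(src_mac: str, entry: OuiEntry) -> bool:
    """Mask both addresses with the entry mask and compare; that is the whole OUI lookup."""
    mask = mac_to_int(entry.mask)
    return (mac_to_int(src_mac) & mask) == (mac_to_int(entry.oui) & mask)


def identify_voice_source(src_mac: str, oui_table: List[OuiEntry]) -> Optional[OuiEntry]:
    """Return the first OUI entry the source MAC matches, or None."""
    for entry in oui_table:
        if matches_oui(src_mac, entry):
            return entry
    return None


def voice_vlan_decision(src_mac: str, oui_table: List[OuiEntry], security_mode: bool) -> str:
    """What a voice-VLAN-enabled port does with a frame that arrives in the voice VLAN."""
    if identify_voice_source(src_mac, oui_table) is not None:
        return "forward"  # source looks like an IP phone
    # Assumed security-mode semantics: a source that matches no OUI is dropped instead of
    # being forwarded in the voice VLAN; normal mode forwards it regardless.
    return "drop" if security_mode else "forward"


def sample_oui_table() -> List[OuiEntry]:
    """Constructed sample table, not the device's default OUI list."""
    return [
        OuiEntry("0001-e300-0000", "ffff-ff00-0000", "Siemens phone"),
        OuiEntry("00e0-7500-0000", "ffff-ff00-0000", "Polycom phone"),
        OuiEntry("0004-0d00-0000", "ffff-ff00-0000", "Avaya phone"),
    ]
```

The lookup is by OUI only, so security mode keeps ordinary hosts out of the voice VLAN but does not stop a host that sets its MAC to a phone vendor's OUI; pair it with 802.1X or MAC authentication on the port if that matters in your environment.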
Enabling LLDP for automatic IP phone discovery
Step Command Remarks
1. Enter system view. system-view N/A
2. Enable LLDP for automatic IP phone discovery.
voice-vlan track lldp By default, LLDP for automatic IP phone discovery is disabled.
Configuring LLDP to advertise a voice VLAN
For IP phones that support LLDP, the device advertises the voice VLAN information to the IP phones
through LLDP-MED TLVs.
To configure LLDP to advertise a voice VLAN:
Step Command Remarks
1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
N/A
3. Configure an advertised voice VLAN ID.
lldp tlv-enable med-tlv network-policy vlan-id
By default, no advertised voice VLAN ID is configured.
Configuring CDP to advertise a voice VLAN
If an IP phone supports CDP but does not support LLDP, it sends CDP packets to the device to
request the voice VLAN ID. If the IP phone does not receive the voice VLAN ID within a time period,
it sends out untagged voice packets. These untagged voice packets cannot be differentiated from
other types of packets.
You can configure CDP compatibility on the device to enable it to perform the following operations:
Receive and identify CDP packets from the IP phone.
Send CDP packets to the IP phone. The voice VLAN information is carried in the CDP packets.
After receiving the advertised VLAN information, the IP phone starts automatic voice VLAN
configuration. Packets from the IP phone will be transmitted in the dedicated voice VLAN.
To configure CDP to advertise a voice VLAN:
Step Command Remarks
1. Enter system view. system-view N/A
2. Enable CDP compatibility. lldp compliance cdp By default, CDP compatibility is disabled.
3. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
N/A
4. Configure CDP-compatible LLDP to operate in TxRx mode.
lldp compliance admin-status cdp txrx
By default, CDP-compatible LLDP operates in disable mode.
5. Configure an advertised voice VLAN ID.
cdp voice-vlan vlan-id By default, no advertised voice VLAN ID is configured.
Displaying and maintaining voice VLANs
Execute display commands in any view.
Task Command
Display the voice VLAN state. display voice-vlan state
Display OUI addresses on a device. display voice-vlan mac-address
Command reference
The following commands were added:
display voice-vlan mac-address.
display voice-vlan state.
voice-vlan aging.
voice-vlan enable.
voice-vlan mac-address.
voice-vlan mode auto.
voice-vlan security enable.
voice-vlan track lldp.
For more information about these commands, see H3C MSR Series Routers Layer 2—LAN
Switching Command Reference (V7).
Modified feature: MPLS QoS support for matching the EXP field
Matching the EXP field in the second MPLS label
In this release, MPLS QoS supports matching the EXP fields in both the topmost (first) MPLS label
and the second MPLS label.
Command reference
New command: if-match second-mpls-exp
Use if-match second-mpls-exp to define a criterion to match the EXP field in the second MPLS
label.
Use undo if-match second-mpls-exp to delete the match criterion.
Syntax
if-match [ not ] second-mpls-exp exp-value&<1-8>
undo if-match [ not ] second-mpls-exp exp-value&<1-8>
Default
No criterion is defined to match the EXP field in the second MPLS label.
Views
Traffic class view
Predefined user roles
network-admin
Parameters
not: Matches packets not conforming to the specified criterion.
exp-value&<1-8>: Specifies a space-separated list of up to eight EXP values. The value range for
the exp-value argument is 0 to 7. If the same MPLS EXP value is specified multiple times, the system
considers them as one. If a packet matches one of the defined MPLS EXP values, it matches the
if-match clause.
Examples
# Define a criterion to match packets with EXP value 3 or 4 in the second MPLS label.
<Sysname> system-view
[Sysname] traffic classifier database
[Sysname-classifier-database] if-match second-mpls-exp 3 4
Modified feature: MPLS QoS support for marking the EXP field
Marking the EXP field in the second MPLS label
In this release, MPLS QoS supports marking the EXP fields in both the topmost (first) MPLS label
and the second MPLS label.
Command reference
New command: remark second-mpls-exp
Use remark second-mpls-exp to configure an EXP value marking action for the second MPLS label
in a traffic behavior.
Use undo remark second-mpls-exp to delete the action.
Syntax
remark second-mpls-exp second-mpls-exp-value
undo remark second-mpls-exp second-mpls-exp-value
Default
No EXP value marking action for the second MPLS label is configured in a traffic behavior.
Views
Traffic behavior view
Predefined user roles
network-admin
Parameters
second-mpls-exp-value: Specifies an EXP value for the second MPLS label, in the range of 0 to 7.
Examples
# Define a traffic behavior to mark packets with EXP value 3 for the second MPLS label.
<Sysname> system-view
[Sysname] traffic behavior b1
[Sysname-behavior-b1] remark second-mpls-exp 3
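Both new commands, if-match second-mpls-exp and remark second-mpls-exp, act on the EXP bits of the second entry in the label stack. The following added example, which is not part of the release notes or of the device software, shows what that means at the packet level: it parses a label stack (32-bit entries with a 20-bit label, 3-bit EXP, bottom-of-stack bit and TTL), applies the match rule with the documented semantics (up to eight values, duplicates count once, any value matches, not inverts), and rewrites only the second label's EXP bits. The packet bytes are constructed, and the treatment of single-label packets under not is an assumption noted in the code.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class MplsLabel:
    """One 32-bit label stack entry: 20-bit label, 3-bit EXP, 1-bit bottom-of-stack, 8-bit TTL."""
    label: int
    exp: int
    bos: bool
    ttl: int

    def pack(self) -> bytes:
        word = (self.label << 12) | (self.exp << 9) | (int(self.bos) << 8) | self.ttl
        return struct.pack("!I", word)


def parse_label_stack(pkt: bytes) -> List[MplsLabel]:
    """Walk the stack from the top entry until the bottom-of-stack bit is set."""
    stack: List[MplsLabel] = []
    offset = 0
    while True:
        if offset + 4 > len(pkt):
            raise ValueError("truncated MPLS label stack")
        (word,) = struct.unpack_from("!I", pkt, offset)
        entry = MplsLabel(label=word >> 12, exp=(word >> 9) & 0x7,
                          bos=bool((word >> 8) & 0x1), ttl=word & 0xFF)
        stack.append(entry)
        offset += 4
        if entry.bos:
            return stack


def match_second_mpls_exp(stack: List[MplsLabel], exp_values: Iterable[int],
                          negate: bool = False) -> bool:
    """if-match [ not ] second-mpls-exp exp-value&<1-8>: duplicates collapse to one value,
    and the packet matches if its second label carries any of them."""
    values = set(exp_values)
    if not 1 <= len(values) <= 8 or any(not 0 <= v <= 7 for v in values):
        raise ValueError("EXP values must be 0-7, at most eight distinct values")
    hit = len(stack) >= 2 and stack[1].exp in values
    # Assumption: a packet with fewer than two labels does not conform, so 'not' matches it.
    return (not hit) if negate else hit


def remark_second_mpls_exp(pkt: bytes, exp_value: int) -> bytes:
    """remark second-mpls-exp: rewrite the EXP bits of the second entry and nothing else."""
    if not 0 <= exp_value <= 7:
        raise ValueError("EXP value must be 0-7")
    stack = parse_label_stack(pkt)
    if len(stack) < 2:
        return pkt  # single-label packet: nothing to mark
    stack[1].exp = exp_value
    header = b"".join(entry.pack() for entry in stack)
    return header + pkt[len(header):]


def sample_packet() -> bytes:
    """Constructed two-label packet: outer label 16 (EXP 5), inner label 17 (EXP 3), dummy payload."""
    outer = MplsLabel(label=16, exp=5, bos=False, ttl=64)
    inner = MplsLabel(label=17, exp=3, bos=True, ttl=64)
    return outer.pack() + inner.pack() + bytes.fromhex("45000014")
```

Running match_second_mpls_exp(parse_label_stack(sample_packet()), [3, 4]) reproduces the classifier from the example above (EXP 3 or 4 in the second label) and returns True; remark_second_mpls_exp(sample_packet(), 3) reproduces the behavior and leaves the outer label, the bottom-of-stack bit, and the payload untouched.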
Modified feature: Automatic configuration
Feature change description
In this release, you can set the maximum retry attempts for automatic configuration. The device will
retry obtaining the settings until the retry attempts reach the limit. If you set the maximum retry
attempts to 0, the device does not perform a retry when encountering an automatic configuration
failure.
Removed feature: Tinyproxy
Feature change description
Support for the tinyproxy feature was removed.
Removed command
http-proxy
Syntax
http-proxy
undo http-proxy
Views
System view
Release 0306P07
This release has the following changes:
New feature: L2TP-based EAD
New feature: CFD configuration
Modified feature: Support using dots in user profile name
Modified feature: Default size of the TCP receive and send buffer
Modified feature: Support for obtaining fan tray and power module vendor information through MIB
Modified feature: Supporting per-packet load sharing
Modified feature: Automatic configuration
Modified feature: Software image signature
New feature: L2TP-based EAD
Enabling L2TP-based EAD
EAD authenticates PPP users that pass the access authentication. PPP users that pass EAD
authentication can access network resources. PPP users that fail EAD authentication can only
access the resources in the quarantine areas.
EAD uses the following procedure:
1. The iNode client uses L2TP to access the LNS. After the client passes the PPP authentication,
the CAMS/IMC server assigns isolation ACLs to the LNS. The LNS uses the isolation ACLs to
filter incoming packets.
2. After the IPCP negotiation, the LNS sends the IP address of the CAMS/IMC server to the iNode
client. The server IP address is permitted by the isolation ACLs.
3. The CAMS/IMC server authenticates the iNode client and performs a security check for the iNode
client. If the iNode client passes the security check, the CAMS/IMC server assigns security ACLs
for the iNode client to the LNS. The iNode client can then access network resources.
To enable L2TP-based EAD:
Step Command Remarks
1. Enter system view. system-view N/A
2. Create a VT interface and enter its view.
interface virtual-template virtual-template-number
N/A
3. Enable L2TP-based EAD. ppp access-control enable By default, L2TP-based EAD is disabled.
Command reference
ppp access-control enable
Use ppp access-control enable to enable L2TP-based EAD.
Use undo ppp access-control enable to disable L2TP-based EAD.
Syntax
ppp access-control enable
undo ppp access-control enable
Default
L2TP-based EAD is disabled.
Views
VT interface view
Predefined user roles
network-admin
Usage guidelines
This command does not apply to VA interfaces that already existed in the VT interface. It only applies
to newly created VA interfaces.
Different ACLs are required for different users if the VT interface is used as the access interface for
the LNS.
After L2TP-based EAD is enabled, the LNS transparently passes CAMS/IMC packets to the iNode
client to inform the client of EAD server information, such as the IP address.
Examples
# Enable L2TP-based EAD.
<Sysname> system-view
[Sysname] interface virtual-template 10
[Sysname-Virtual-Template10] ppp access-control enable
display ppp access-control interface
Use display ppp access-control interface to display access control information for VA interfaces
on a VT interface.
Syntax
display ppp access-control interface { interface-type interface-number | interface-name }
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface-type interface-number: Specifies an interface by its type and number.
interface-name: Specifies an interface by its name.
Examples
# Display access control information for VA interfaces on VT interface 2.
<Sysname> display ppp access-control interface virtual-template 2
Interface: Virtual-Template2:0
User Name: mike
In-bound Policy: acl 3000
Totally 0 packets, 0 bytes, 0% permitted,
Totally 0 packets, 0 bytes, 0% denied.
Interface: Virtual-Template2:1
User Name: tim
In-bound Policy: acl 3001
Totally 0 packets, 0 bytes, 0% permitted,
Totally 0 packets, 0 bytes, 0% denied.
Table 1 Command output
Field Description
Interface VA interface that the PPP user accesses.
User Name Username of the PPP user.
In-bound Policy Security ACLs for the PPP user.
Totally x packets, x bytes, x% permitted Number of permitted packets, their total size in bytes, and the percentage of packets permitted.
Totally x packets, x bytes, x% denied Number of denied packets, their total size in bytes, and the percentage of packets denied.
New feature: CFD configuration
Configuring CFD
Configuring a two-way DM continuity test.
Setting the delay thresholds in a two-way DM continuity test.
Configuring a one-way packet loss continuity test.
Setting the packet loss ratio thresholds in a one-way packet loss continuity test.
Setting the time that a blocked port must wait before it comes up in a one-way packet loss
continuity test.
Configuring a bit error continuity test.
Setting the error packet ratio thresholds in a bit error continuity test.
Displaying two-way DM continuity test results.
Displaying one-way packet loss continuity test results.
Setting the test mode and action for triggering port association.
Displaying bit error test results.
Command reference
cfd dm two-way continual
cfd dm two-way threshold
cfd slm continual
cfd slm threshold
cfd slm port-trigger up-delay
cfd tst continual
cfd tst threshold
display cfd dm two-way history
display cfd slm history
cfd port-trigger
display cfd tst history
See HPE FlexNetwork MSR Router Series Command References (V7).
Modified feature: Support using dots in user profile name
Feature change description
In this release, the user profile name supports using dots (.).
Command changes
Modified command: user-profile
Syntax
user-profile profile-name
undo user-profile profile-name
Views
System view
Change description
Before modification: The user profile name is a case-sensitive string of 1 to 31 characters. Valid
characters are letters, digits, and underscores (_), and the name must start with an English letter.
After modification: The user profile name is a case-sensitive string of 1 to 31 characters. Valid
characters are letters, digits, underscores (_), and dots (.), and the name must start with an English
letter.
Modified feature: Default size of the TCP receive and send buffer
Feature change description
The default value for the TCP receive and send buffer size was changed to 63 KB.
To set the TCP buffer size:
Step Command Remarks
1. Enter system view. system-view N/A
2. Set the TCP receive and send buffer size.
tcp window window-size By default, the TCP receive and send buffer size is 63 KB.
Command changes
Modified command: tcp window
Syntax
tcp window window-size
undo tcp window
Views
System view
Change description
Before modification: The default value for the window-size argument was 64 KB.
After modification: The default value for the window-size argument is 63 KB.
Modified feature: Support for obtaining fan tray and power module vendor information through MIB
Feature change description
In this release, the device supports obtaining fan tray and power module vendor information through
MIB.
Command changes
None
Modified feature: Supporting per-packet load sharing
Feature change description
The per-packet keyword was added to the ip load-sharing mode command to support per-packet
load sharing.
Command changes
Modified command: ip load-sharing mode
Old syntax
Centralized devices:
ip load-sharing mode per-flow [ [ dest-ip | dest-port | ip-pro | src-ip | src-port ] * ]
Centralized IRF devices–Distributed devices–In standalone mode:
ip load-sharing mode per-flow [ [ dest-ip | dest-port | ip-pro | src-ip | src-port ] * ] [ slot slot-number ]
Distributed devices–In IRF mode:
ip load-sharing mode per-flow [ [ dest-ip | dest-port | ip-pro | src-ip | src-port ] * ] [ chassis chassis-number slot slot-number ]
New syntax
Centralized devices:
ip load-sharing mode { per-flow [ [ dest-ip | dest-port | ip-pro | src-ip | src-port ] * ] | per-packet }
Centralized IRF devices–Distributed devices–In standalone mode:
ip load-sharing mode { per-flow [ [ dest-ip | dest-port | ip-pro | src-ip | src-port ] * ] | per-packet } [ slot slot-number ]
Distributed devices–In IRF mode:
ip load-sharing mode { per-flow [ [ dest-ip | dest-port | ip-pro | src-ip | src-port ] * ] | per-packet } [ chassis chassis-number slot slot-number ]
Views
System view
Change description
The per-packet keyword was added to the ip load-sharing mode command to support per-packet
load sharing.
Modified feature: Automatic configuration
Feature change description
A limit was added to the number of automatic configuration attempts. If the device fails to be
automatically configured within the limit, the device quits the automatic configuration process.
Command changes
None
Modified feature: Software image signature
Feature change description
A field was added to output from a set of display commands to display software image signature
information.
Command changes
Modified command: display install active
Syntax
Centralized devices:
display install active [ verbose ]
Centralized IRF devices–Distributed devices–In standalone mode:
display install active [ slot slot-number ] [ verbose ]
Distributed devices–In IRF mode:
display install active [ chassis chassis-number slot slot-number ] [ verbose ]
Views
Any view
Change description
The Software image signature field was added to display software image signature information.
Table 2 Command output
Field Description
Software image signature
Signature for the software image:
HP—For software images of the HP version.
HP-US—For software images of the HP US version.
HPE—For software images of the HPE version.
Modified command: display install backup
Syntax
Centralized devices:
display install backup [ verbose ]
Centralized IRF devices–Distributed devices–In standalone mode:
display install backup [ slot slot-number ] [ verbose ]
Distributed devices–In IRF mode:
display install backup [ chassis chassis-number slot slot-number ] [ verbose ]
Views
Any view
Change description
The Software image signature field was added to display software image signature information.
Table 3 Command output
Field Description
Software image signature
Signature for the software image:
HP—For software images of the HP version.
HP-US—For software images of the HP US version.
HPE—For software images of the HPE version.
Modified command: display install committed
Syntax
Centralized devices:
display install committed [ verbose ]
Centralized IRF devices–Distributed devices–In standalone mode:
display install committed [ slot slot-number ] [ verbose ]
Distributed devices–In IRF mode:
display install committed [ chassis chassis-number slot slot-number ] [ verbose ]
Views
Any view
Change description
The Software image signature field was added to display software image signature information.
Table 4 Command output
Field Description
Software image signature
Signature for the software image:
HP—For software images of the HP version.
HP-US—For software images of the HP US version.
HPE—For software images of the HPE version.
Modified command: display install inactive
Syntax
Centralized devices:
display install inactive [ verbose ]
Centralized IRF devices–Distributed devices–In standalone mode:
display install inactive [ slot slot-number ] [ verbose ]
Distributed devices–In IRF mode:
display install inactive [ chassis chassis-number slot slot-number ] [ verbose ]
Views
Any view
Change description
The Software image signature field was added to display software image signature information.
Table 5 Command output
Field Description
Software image signature
Signature for the software image:
HP—For software images of the HP version.
HP-US—For software images of the HP US version.
HPE—For software images of the HPE version.
Modified command: display install ipe-info
Syntax
display install ipe-info ipe-filename
Views
Any view
Change description
The Software image signature field was added to display software image signature information.
Table 6 Command output
Field Description
Software image signature
Signature for the software image:
HP—For software images of the HP version.
HP-US—For software images of the HP US version.
HPE—For software images of the HPE version.
Modified command: display install package
Syntax
display install package { filename | all } [ verbose ]
Views
Any view
Change description
The Software image signature field was added to display software image signature information.
Table 7 Command output
Field Description
Software image signature
Signature for the software image:
HP—For software images of the HP version.
HP-US—For software images of the HP US version.
HPE—For software images of the HPE version.
Modified command: display install which
Syntax
Centralized devices:
display install which { component name | file filename }
Centralized IRF devices–Distributed devices–In standalone mode:
display install which { component name | file filename } [ slot slot-number ]
Distributed devices–In IRF mode:
display install which { component name | file filename } [ chassis chassis-number slot slot-number ]
Views
Any view
Change description
The Software image signature field was added to display software image signature information.
Table 8 Command output
Field Description
Software image signature
Signature for the software image:
HP—For software images of the HP version.
HP-US—For software images of the HP US version.
HPE—For software images of the HPE version.
Release 0305P08
This release has the following changes:
New feature: mGRE
New feature: Disabling transceiver module alarm
Modified feature: Default user role
Modified feature: Debugging
New feature: mGRE
Overview
Multipoint Generic Routing Encapsulation (mGRE) is a dynamic VPN technology that uses the Next
Hop Resolution Protocol (NHRP).
Traditional GRE tunnels for a VPN are static and require manual configuration and maintenance,
which scales poorly. If the branches of an enterprise access the public network through dynamic
IP addresses, it is difficult to set up GRE tunnels between the branches.
mGRE can dynamically establish tunnels for the branches, because NHRP can map the private IP
address of a branch to its public IP address.
mGRE operation scheme
An mGRE network uses the client/server model. It has the following types of nodes:
NHS—NHRP server, the hub device in the mGRE network. The NHS is the routing information
exchange center. It is also the data forwarding center in an NHS-NHC network.
NHC—NHRP client, a spoke device in the mGRE network. Typically, it is the gateway of a
branch network. An NHC does not forward data received from other mGRE nodes.
mGRE obtains dynamic public addresses of NHCs through their private addresses to establish
mGRE tunnels and forward packets. The public address is the IP address of the interface connected
to the Internet. The private address is the IP address of the mGRE tunnel interface.
An NHC registers its public and private addresses with the NHS and it registers its public address
whenever the public address changes. An NHC obtains the current public address of a peer NHC
from the NHS through NHRP, so the two NHCs can establish an mGRE tunnel over the Internet.
mGRE operation procedure
The mGRE operation includes the following phases:
Registration.
Tunnel establishment.
Route learning and packet forwarding.
Registration
As shown in Figure 10, the registration process is as follows:
1. The NHC sends a registration request to the NHS.
2. After the NHS receives the request, it performs the NHRP packet authentication key and GRE
key matching. If both keys are matched, registration succeeds. The NHS sends a registration
success message to the NHC.
Figure 10 Registration process
Tunnel establishment
mGRE networks support the following types of networking:
Full-mesh network—NHCs can establish tunnels between each other for direct
communication. The NHS acts as the routing information exchange center.
Figure 11 Full-mesh network
NHS-NHC network—NHCs cannot establish tunnels between each other. Instead, they
establish tunnels with the NHS. The NHS forwards data for the NHCs. The NHS acts as both
the routing information exchange center and the data forwarding center.
Figure 12 NHS-NHC network
An mGRE tunnel is established as follows:
NHC-NHS tunnel establishment process:
An NHC-NHS tunnel is established in the registration process. During registration, the
NHC-NHS tunnel is in initialization state. After registration succeeds, the NHC-NHS tunnel is in
success state.
An NHC-NHS tunnel is permanent. An NHC can establish permanent tunnels to any number of
NHSs.
NHC-NHC tunnel establishment process:
a. In a full-mesh network, when an NHC receives a data packet but finds no tunnel for
forwarding the packet, the NHC (initiator) sends an address resolution request to the NHS.
b. After receiving the request, the NHS looks up the local NHRP mapping table to find the peer
NHC (responder) and forwards the request to the peer NHC.
c. After receiving the request, the peer NHC creates a temporary tunnel and sends an address
resolution response to the initiator.
An NHC-NHC tunnel is dynamic. If no data is exchanged within the NHC-NHC tunnel idle
timeout, the tunnel will be deleted.
Route learning and packet forwarding
mGRE nodes learn private routes by using dynamic routing protocols.
Dynamic routing must be configured for all private networks and mGRE tunnel interfaces to ensure
IP connectivity among the private networks. From the perspective of private networks, an mGRE
tunnel is a link that connects different private networks. A dynamic routing protocol discovers
neighbors and updates routes over mGRE tunnels, and establishes a routing table.
When an NHC receives a packet destined for a remote private network, it performs the following
operations:
1. Searches the routing table for the next hop address to the target private network.
2. Looks up the local NHRP mapping table to obtain the public address that corresponds to the
next hop address.
3. Uses the public address as the tunnel destination address to encapsulate the packet.
4. Sends the encapsulated packet to the peer NHC over the mGRE tunnel.
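The four-step forwarding procedure above, together with the address resolution and holdtime behavior described earlier, is modeled in the following added example. It is illustrative code, not part of the release notes or of the router software: an NHC holds a private routing table (prefix to next-hop tunnel address), an NHRP mapping table (tunnel address to public NBMA address), and a static entry for the NHS. A packet whose next hop has a valid mapping is encapsulated to the peer's public address; in a full-mesh network a missing mapping triggers a resolution request to the NHS, and a learned mapping ages out after the holdtime (7200 seconds by default, per the configuration table). All addresses and routes are a constructed sample.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

IPv4 = ipaddress.IPv4Address
Net4 = ipaddress.IPv4Network


@dataclass
class NhrpEntry:
    nbma: IPv4                 # public (NBMA) address of the peer
    expires_at: Optional[int]  # None for the static NHS entry, else learned time + holdtime


@dataclass
class NhcState:
    routes: Dict[Net4, IPv4]          # private prefix -> next hop (peer tunnel address)
    nhrp_map: Dict[IPv4, NhrpEntry]   # tunnel (protocol) address -> NBMA address
    nhs_protocol: IPv4                # tunnel address of the NHS
    full_mesh: bool = True
    holdtime: int = 7200              # default holdtime of NHRP mapping entries
    pending: Set[IPv4] = field(default_factory=set)  # next hops awaiting resolution


def longest_match(state: NhcState, dst: IPv4) -> Optional[IPv4]:
    """Step 1: routing table lookup, longest prefix wins."""
    best: Optional[Tuple[Net4, IPv4]] = None
    for net, next_hop in state.routes.items():
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def forward(state: NhcState, dst_ip: str, now: int) -> Tuple[str, Optional[str]]:
    """Decide what the NHC does with a packet for dst_ip; returns (action, outer destination)."""
    next_hop = longest_match(state, IPv4(dst_ip))
    if next_hop is None:
        return ("no-route", None)
    entry = state.nhrp_map.get(next_hop)
    if entry is not None and (entry.expires_at is None or entry.expires_at > now):
        # Steps 2-4: mapping known, the peer's public address becomes the tunnel destination.
        return ("encapsulate", str(entry.nbma))
    # No valid mapping. In a full-mesh network the NHC asks the NHS to resolve the next hop;
    # in an NHS-NHC network the next hop is the NHS itself, whose mapping is static.
    if state.full_mesh:
        state.pending.add(next_hop)
        return ("resolution-request", str(state.nhrp_map[state.nhs_protocol].nbma))
    return ("no-mapping", None)


def on_resolution_reply(state: NhcState, protocol_addr: str, nbma_addr: str, now: int) -> None:
    """The responder NHC answered: install a dynamic mapping that ages out after the holdtime."""
    proto = IPv4(protocol_addr)
    state.nhrp_map[proto] = NhrpEntry(IPv4(nbma_addr), now + state.holdtime)
    state.pending.discard(proto)


def sample_nhc() -> NhcState:
    """Constructed sample: NHS 192.168.180.1 at 198.51.100.1, one spoke already resolved at t=1000."""
    return NhcState(
        routes={
            Net4("10.2.0.0/16"): IPv4("192.168.180.2"),
            Net4("10.3.0.0/16"): IPv4("192.168.180.3"),
            Net4("10.0.0.0/8"): IPv4("192.168.180.1"),  # everything else through the hub
        },
        nhrp_map={
            IPv4("192.168.180.1"): NhrpEntry(IPv4("198.51.100.1"), None),       # nhrp nhs ... nbma ...
            IPv4("192.168.180.2"): NhrpEntry(IPv4("203.0.113.2"), 1000 + 7200),  # learned via NHRP
        },
        nhs_protocol=IPv4("192.168.180.1"),
    )
```

The model makes the operational consequence of the holdtime visible: once a learned entry expires, traffic to that spoke falls back to a resolution request until the NHS answers, which is why a hub that is unreachable or rejecting registrations (authentication key or GRE key mismatch) shows up as spoke-to-spoke traffic stalling rather than as an immediate error.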
mGRE support for NAT traversal
An NHC-NHC tunnel can traverse a NAT gateway. The tunnel can be established when the tunnel
initiator, receiver, or both ends reside behind the NAT gateway.
mGRE configuration task list
To set up an mGRE network, first configure the NHSs and then the NHCs.
IMPORTANT:
The device can act only as an NHC. It cannot act as an NHS.
To configure mGRE on an NHC:
Tasks at a glance
(Required.)
Configuring an mGRE tunnel
(Required.) Configuring routing
(Optional.) Configuring IPsec for an mGRE tunnel
Configuring an mGRE tunnel
The public address of an NHC can be statically configured or dynamically assigned. The private
address of an NHC must be statically configured.
For more information about tunnel interfaces, see tunneling configuration in Layer 3—IP Services
Configuration Guide. For more information about the interface tunnel, source, and tunnel dfbit
enable commands and other commands for a tunnel interface, see tunneling commands in Layer
3—IP Services Command Reference.
To configure an mGRE tunnel:
Step Command Remarks
1. Enter system view. system-view N/A
2. Create an mGRE tunnel interface and enter tunnel interface view.
interface tunnel number mode mgre
By default, no tunnel interfaces exist.
3. Configure a private address for the tunnel interface.
ip address ip-address { mask | mask-length } [ sub ]
By default, no private address is configured for a tunnel interface.
4. Configure a source address or source interface for the tunnel interface.
source { ip-address | interface-type interface-number }
By default, no source address or source interface is configured for a tunnel interface.
If you specify a source address, it is used as the source IP address of tunneled packets.
If you specify a source interface, the primary IP address of this interface is used as the source IP address of tunneled packets.
5. Configure an NHRP packet authentication key.
nhrp authentication [ cipher | simple ] string
By default, no NHRP packet authentication key is configured. NHRP nodes do not authenticate NHRP packets received from each other.
6. Configure an NHRP network ID for the mGRE tunnel.
nhrp network-id number By default, an mGRE tunnel does not have an NHRP network ID.
7. Configure the holdtime for NHRP mapping entries.
nhrp holdtime seconds By default, the holdtime of NHRP mapping entries is 7200 seconds.
8. Configure an NHS private-to-public address mapping.
nhrp nhs nhs-address nbma nbma-address
By default, no NHS private-to-public address mappings are configured.
9. (Optional.) Configure a GRE key for the tunnel interface.
gre key key
By default, no GRE key is configured for an mGRE tunnel interface.
You must configure the same GRE key or configure no key on both ends of a tunnel.
On the device, you must configure different GRE keys for mGRE tunnel interfaces that have the same source address or source interface.
For more information about the GRE key, see GRE in Layer 3—IP Services Configuration Guide.
10. (Optional.) Set the DF bit for tunneled packets.
tunnel dfbit enable By default, the DF bit is not set. Tunneled packets can be fragmented for forwarding.
Configuring routing
mGRE clients support dynamic routing protocols of OSPF, RIP, and BGP.
When you configure routing for an mGRE client, follow these restrictions and guidelines:
When OSPF is used, specify the OSPF interface network type as broadcast in a full-mesh
network and as p2mp in a NHS-NHC network.
Full-mesh networks do not support RIP. NHS-NHC networks must use the RIP-2 multicast
mode and disable the split horizon feature for NHS nodes.
When BGP is used, configure routing polices to ensure the following:
In a full-mesh network, ensure that the local NHC learns a route to the remote private
network, and the route's next hop address is the address of the remote NHC.
In an NHS-NHC network, ensure that the local NHC learns a route to the remote private
network, and the route's next hop address is the address of the NHS.
For more information about OSPF, RIP, BGP, and routing policy configuration, see Layer 3—IP
Routing Configuration Guide.
Configuring IPsec for an mGRE tunnel
The device supports protecting mGRE tunnel data and control packets by using IPsec profiles.
To configure IPsec for an mGRE tunnel:
1. Configure an IPsec transform set to specify the security protocol, authentication and encryption
algorithms, and encapsulation type.
2. Configure an IKE-based IPsec profile.
3. Apply the IKE-based IPsec profile to the mGRE tunnel interface.
For more information about IPsec configuration, see "Configuring IPsec."
Displaying and maintaining mGRE
Execute display commands in any view and reset commands in user view.
Task Command
Display information about NHRP mapping entries. display nhrp map [ interface tunnel interface-number [ peer ipv4-address ] ] [ verbose ]
Display NHRP packet statistics for tunnel interfaces. display nhrp statistics [ interface tunnel interface-number ]
Display mGRE session information. display mgre session [ interface tunnel interface-number [ peer ipv4-address ] ] [ verbose ]
Clear NHRP packet statistics for tunnel interfaces. reset nhrp statistics [ interface tunnel interface-number ]
Reset mGRE sessions. reset mgre session [ interface tunnel interface-number [ peer ipv4-address ] ]
Clear mGRE session statistics. reset mgre statistics [ interface tunnel interface-number [ peer ipv4-address ] ]
Command reference
New command: display mgre session
Use display mgre session to display mGRE session information.
Syntax
display mgre session [ interface tunnel interface-number [ peer ipv4-address ] ] [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface tunnel interface-number: Specifies an mGRE tunnel interface by its number in the range
of 0 to 4095. If you do not specify this option, the command displays mGRE session information for
all mGRE tunnel interfaces.
peer ipv4-address: Specifies a peer public address. If you do not specify this option, the command
displays all mGRE session information for the specified mGRE tunnel interface.
verbose: Displays detailed information about IPv4 mGRE sessions. If you do not specify this
keyword, the command displays brief information about mGRE sessions.
Usage guidelines
If you do not specify any parameters, this command displays brief information about all mGRE
sessions on all tunnel interfaces.
Examples
# Display brief information about all mGRE sessions.
<Sysname> display mgre session
Interface : Tunnel1
Number of sessions: 2
Peer NBMA address Peer protocol address Type State State duration
10.0.0.3 192.168.180.136 C-S Succeeded 00:30:01
10.0.1.4 192.168.180.137 C-C Establishing 00:30:02
# Display brief information about mGRE sessions on the specified tunnel interface.
<Sysname> display mgre session interface tunnel 1
Interface : Tunnel1
Number of sessions: 2
Peer NBMA address Peer protocol address Type State State duration
10.0.0.3 192.168.180.136 C-S Succeeded 00:30:01
10.0.1.4 192.168.180.137 C-C Establishing 00:30:02
# Display brief information about the mGRE session with the specified peer address.
<Sysname> display mgre session interface tunnel 1 peer 10.0.0.3
Interface : Tunnel1
Number of sessions: 1
Peer NBMA address Peer protocol address Type State State duration
10.0.0.3 192.168.180.136 C-S Succeeded 00:30:01
Table 26 Command output
Field Description
Interface Name of the mGRE tunnel interface.
Number of sessions Total number of mGRE sessions on the tunnel interface.
Peer NBMA address Public address of the peer.
Peer protocol address IP address of the peer tunnel interface.
Type
mGRE session type:
C-S—The local end is an NHC, and the peer end is the NHS.
C-C—The local end is an NHC, and the peer end is an NHC.
UNKNOWN—The local end is an NHC, and the peer end type is unknown.
State
mGRE session state:
Succeeded.
Establishing.
State duration Duration of the current session state, in the format of hh:mm:ss.
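For monitoring, the brief output above is easy to machine-check: every row that is not in Succeeded state for longer than a short grace period is a session that is failing to come up (typically a registration or resolution that the NHS never acknowledges). The following added example, which is not part of the release notes or of the router software, parses the brief display mgre session output shown above and reports such sessions. The sample text is copied from the first example output; the one-minute threshold is an arbitrary choice.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# The brief output of 'display mgre session' shown above, embedded as sample input.
SAMPLE_OUTPUT = """\
Interface : Tunnel1
Number of sessions: 2
Peer NBMA address Peer protocol address Type State State duration
10.0.0.3 192.168.180.136 C-S Succeeded 00:30:01
10.0.1.4 192.168.180.137 C-C Establishing 00:30:02
"""

ROW = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(C-S|C-C|UNKNOWN)\s+"
    r"(Succeeded|Establishing)\s+(\d+):(\d\d):(\d\d)\s*$"
)


@dataclass
class MgreSession:
    interface: str
    peer_nbma: str
    peer_protocol: str
    kind: str        # C-S, C-C or UNKNOWN
    state: str       # Succeeded or Establishing
    duration_s: int  # State duration converted from hh:mm:ss


def parse_mgre_sessions(text: str) -> List[MgreSession]:
    """Parse the brief output; rows are attributed to the most recent 'Interface :' line."""
    sessions: List[MgreSession] = []
    interface = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface"):
            interface = line.split(":", 1)[1].strip()
            continue
        m = ROW.match(line)
        if m and interface:
            duration = int(m[5]) * 3600 + int(m[6]) * 60 + int(m[7])
            sessions.append(MgreSession(interface, m[1], m[2], m[3], m[4], duration))
    return sessions


def declared_counts(text: str) -> Dict[str, int]:
    """Map each interface to the 'Number of sessions' value the device printed for it."""
    counts: Dict[str, int] = {}
    interface = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface"):
            interface = line.split(":", 1)[1].strip()
        elif line.startswith("Number of sessions") and interface:
            counts[interface] = int(line.split(":", 1)[1])
    return counts


def count_mismatches(text: str) -> List[str]:
    """Interfaces whose declared session count differs from the rows actually parsed."""
    parsed: Dict[str, int] = {}
    for s in parse_mgre_sessions(text):
        parsed[s.interface] = parsed.get(s.interface, 0) + 1
    return [i for i, n in declared_counts(text).items() if parsed.get(i, 0) != n]


def stuck_sessions(sessions: List[MgreSession], threshold_s: int = 60) -> List[MgreSession]:
    """Sessions that have not reached Succeeded within threshold_s seconds."""
    return [s for s in sessions if s.state != "Succeeded" and s.duration_s >= threshold_s]
```

A C-C session stuck in Establishing while the C-S session to the NHS is Succeeded points at the spoke-to-spoke path (NAT, GRE key, or IPsec) rather than at registration; a stuck C-S session points at the NHS mapping, the NHRP authentication key, or the network ID.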
# Display detailed information about all IPv4 mGRE sessions.
<Sysname> display mgre session verbose
Interface : Tunnel1
Link protocol : GRE
Number of sessions: 2
Peer NBMA address : 10.0.1.3
Peer protocol address: 192.168.180.136
Session type : C-S
State : Succeeded
State duration : 00:30:01
Input : 2201 packets, 218 data packets, 3 control packets
2191 multicasts, 0 errors
Output: 2169 packets, 2168 data packets, 1 control packets
2163 multicasts, 0 errors
Peer NBMA address : 10.0.1.4
Peer protocol address: 192.168.180.137
Session type : C-S
State : Succeeded
State duration : 00:31:01
Input : 1 packets, 0 data packets, 1 control packets
0 multicasts, 0 errors
Output: 16 packets, 0 data packets, 16 control packets
0 multicasts, 0 errors
Interface : Tunnel2
Link protocol : IPsec-GRE
SA's SPI :
Inbound : 187199087 (0xb286e6f) [ESP]
Outbound: 3562274487 (0xd453feb7) [ESP]
Number of sessions: 1
Peer NBMA address : 20.0.0.3
Peer protocol address: 192.168.181.137
Behind NAT : No
Session type : C-C
SA's SPI :
Inbound : 187199087 (0xb286e6f) [ESP]
Outbound: 3562274487 (0xd453feb7) [ESP]
State : Establishing
State duration : 00:31:01
Input : 0 packets, 0 data packets, 0 control packets
0 multicasts, 0 errors
Output: 1 packets, 0 data packets, 1 control packets
0 multicasts, 0 errors
# Display detailed information about IPv4 mGRE sessions on interface Tunnel1.
<Sysname> display mgre session interface tunnel 1 verbose
Interface : Tunnel1
Link protocol : GRE
Number of sessions: 1
Peer NBMA address : 20.0.0.3
Peer protocol address: 192.168.181.137
Behind NAT : No
Session type : C-C
State : Succeeded
State duration : 00:31:01
Input : 0 packets, 0 data packets, 0 control packets
0 multicasts, 0 errors
Output: 1 packets, 0 data packets, 1 control packets
0 multicasts, 0 errors
# Display detailed information about the mGRE session with the peer public address 202.12.12.12.
<Sysname> display mgre session peer 202.12.12.12 verbose
Interface : Tunnel1
Link protocol : GRE
Number of sessions: 1
Peer NBMA address : 202.12.12.12
Peer protocol address: 192.168.180.136
Session type : C-S
State : Succeeded
State duration : 00:30:01
Input : 2201 packets, 218 data packets, 3 control packets
2191 multicasts, 0 errors
Output: 2169 packets, 2168 data packets, 1 control packets
2163 multicasts, 0 errors
Table 27 Command output
Field Description
Interface Name of the mGRE tunnel interface.
Link protocol
Encapsulation protocol used by the mGRE tunnel:
GRE.
IPsec-GRE.
Number of sessions Total number of mGRE sessions on the tunnel interface.
Peer NBMA address Public address of the peer.
Peer protocol address IP address of the peer tunnel interface.
SA's SPI SPI of the inbound and outbound SAs. This field is available when the mGRE tunnel is carried over IPsec.
Behind NAT Whether the peer NHC has traversed a NAT device.
Session type
mGRE session type:
C-S—The local end is an NHC, and the peer end is the NHS.
C-C—The local end is an NHC, and the peer end is an NHC.
State
mGRE session state:
Succeeded.
Establishing.
State duration Duration of the current session state, in the format of hh:mm:ss.
Input
Statistics on received packets:
packets—Total number of packets.
data packets—Number of data packets.
control packets—Number of control packets.
multicasts—Number of multicast packets.
errors—Number of error packets.
Output
Statistics on sent packets:
packets—Total number of packets.
data packets—Number of data packets.
control packets—Number of control packets.
multicasts—Number of multicast packets.
errors—Number of error packets.
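As an added example (not from the release notes and not Comware code), a parser for the verbose output layout documented above that turns each session into a record and flags the ones an operator should look at; it runs on constructed sample output modelled on the listings above, where the counters and the 5 error packets on the second session are made up.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of display mgre session verbose; the counters, and the
# 5 error packets on the second session, are made up for this example.
SAMPLE_OUTPUT = """\
Interface : Tunnel1
Link protocol : GRE
Number of sessions: 2
Peer NBMA address : 10.0.1.3
Peer protocol address: 192.168.180.136
Session type : C-S
State : Succeeded
State duration : 00:30:01
Input : 2201 packets, 218 data packets, 3 control packets
2191 multicasts, 0 errors
Output: 2169 packets, 2168 data packets, 1 control packets
2163 multicasts, 0 errors
Peer NBMA address : 10.0.1.4
Peer protocol address: 192.168.180.137
Session type : C-C
State : Establishing
State duration : 00:31:01
Input : 1 packets, 0 data packets, 1 control packets
0 multicasts, 5 errors
Output: 16 packets, 0 data packets, 16 control packets
0 multicasts, 0 errors
Interface : Tunnel2
Link protocol : IPsec-GRE
Number of sessions: 1
Peer NBMA address : 20.0.0.3
Peer protocol address: 192.168.181.137
Behind NAT : No
Session type : C-C
SA's SPI :
Inbound : 187199087 (0xb286e6f) [ESP]
Outbound: 3562274487 (0xd453feb7) [ESP]
State : Establishing
State duration : 00:31:01
Input : 0 packets, 0 data packets, 0 control packets
0 multicasts, 0 errors
Output: 1 packets, 0 data packets, 1 control packets
0 multicasts, 0 errors
"""

COUNTERS = re.compile(r"(\d+) packets, (\d+) data packets, (\d+) control packets")
TAIL = re.compile(r"^(\d+) multicasts, (\d+) errors$")   # continuation of an Input/Output line


def parse_mgre_sessions(text: str) -> List[Dict]:
    """Return one dict per session, tagged with its interface and link protocol."""
    sessions: List[Dict] = []
    interface = link_protocol = current = direction = None
    for raw in text.splitlines():
        line = raw.strip()
        tail = TAIL.match(line)
        if tail and current is not None and direction:
            current[direction]["multicasts"] = int(tail.group(1))
            current[direction]["errors"] = int(tail.group(2))
            continue
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Interface":
            interface, link_protocol, current = value, None, None
        elif key == "Link protocol":
            link_protocol = value
        elif key == "Peer NBMA address":           # every session block starts here
            current = {"interface": interface, "link_protocol": link_protocol,
                       "peer_nbma": value, "input": {}, "output": {}}
            direction = None
            sessions.append(current)
        elif current is not None and key in ("Input", "Output"):
            c = COUNTERS.search(value)
            direction = key.lower()
            current[direction] = {"packets": int(c.group(1)), "data": int(c.group(2)),
                                  "control": int(c.group(3))}
        elif current is not None:                  # State, Session type, Inbound, ...
            current[key.lower().replace(" ", "_").replace("'", "")] = value
    return sessions


def find_problem_sessions(sessions: List[Dict]) -> List[str]:
    """One-line findings for an operator: session not up, error packets counted, or an
    IPsec-GRE session that shows no inbound SA."""
    findings = []
    for s in sessions:
        where = f"{s['interface']} peer {s['peer_nbma']}"
        if s.get("state") != "Succeeded":
            findings.append(f"{where}: state {s.get('state')} for {s.get('state_duration')}")
        errors = s["input"].get("errors", 0) + s["output"].get("errors", 0)
        if errors:
            findings.append(f"{where}: {errors} error packets")
        if s["link_protocol"] == "IPsec-GRE" and not s.get("inbound"):
            findings.append(f"{where}: IPsec-GRE session without an inbound SA SPI")
    return findings
```

A session that sits in Establishing for a long State duration on every NHC usually points at a mismatched nhrp authentication key or an unreachable NHS NBMA address, which is the first thing to check.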
New command: display nhrp map
Use display nhrp map to display information about NHRP mapping entries.
Syntax
display nhrp map [ interface tunnel interface-number [ peer ipv4-address ] ] [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface tunnel interface-number: Specifies an mGRE tunnel interface by its number in the range
of 0 to 4095. If you do not specify this option, the command displays NHRP mapping table
information for all mGRE tunnel interfaces.
peer ipv4-address: Specifies a peer public address. If you do not specify this option, the command
displays NHRP mapping entries for all peers.
verbose: Displays detailed information about NHRP mapping entries. If you do not specify this
keyword, the command displays brief information about NHRP mapping entries.
Usage guidelines
If you do not specify any parameters, this command displays brief information about all NHRP
mapping entries.
Examples
# Display brief information about all NHRP mapping entries.
<Sysname> display nhrp map
Destination/mask Next hop NBMA address Type Interface
172.16.1.1/32 172.16.1.1 105.112.100.4 cached Tunnel0
172.16.1.2/32 172.16.1.2 105.112.100.92 cached Tunnel0
# Display detailed information about all NHRP mapping entries.
<Sysname> display nhrp map verbose
Interface : Tunnel0
Destination/mask : 172.16.1.1/32
Next hop : 172.16.1.1
Creation time : 00:38:44
Expiration time : 01:21:15
Type : cached
Flags : unique, up, used
NBMA address : 105.112.100.4
Interface : Tunnel0
Destination/mask : 172.16.1.2/32
Next hop : 172.16.1.2
Creation time : 00:25:53
Expiration time : 01:34:06
Type : cached
Flags : unique, up, used, ipsec
NBMA address : 105.112.100.92
Table 28 Command output
Field Description
Destination/mask Destination tunnel interface address and mask of the mapping entry.
Next hop Next hop address to reach the destination network.
Creation time Time elapsed since the mapping entry was created.
Expiration time Time remaining until the mapping entry expires.
Type
Mapping entry type:
static—The entry is statically configured.
cached—The entry is dynamically obtained.
incomplete—The entry is dynamic and incomplete.
Flags
Mapping entry flags:
unique—The mapping entry in the registration request cannot be overwritten by a mapping entry that has the same protocol address and different public addresses. A client can register the new entry with the server only after the mapping entry on the server expires.
used—This mapping entry is used for packet forwarding.
up—Packets can be forwarded.
ipsec—IPsec negotiation succeeded. Packets will be protected by IPsec.
init—Initialization state.
New command: display nhrp statistics
Use display nhrp statistics to display NHRP packet statistics for a tunnel interface.
Syntax
display nhrp statistics [ interface tunnel interface-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface tunnel interface-number: Specifies an mGRE tunnel interface by its number in the range
of 0 to 4095. If you do not specify this option, the command displays NHRP packet statistics for all
tunnel interfaces.
Examples
# Display NHRP packet statistics.
<Sysname> display nhrp statistics
Tunnel0:
NHRP packets sent : 815
Resolution requests : 15
Resolution replies : 1
Registration requests : 0
Registration replies : 797
Purge requests : 2
Purge replies : 0
Error indications : 0
Traffic indications : 0
NHRP packets received : 1453
Resolution requests : 15
Resolution replies : 1
Registration requests : 1435
Registration replies : 2
Purge requests : 0
Purge replies : 0
Error indications : 0
Traffic indications : 0
Tunnel1:
NHRP packets sent : 3
Resolution requests : 0
Resolution replies : 0
Registration requests : 0
Registration replies : 3
Purge requests : 0
Purge replies : 0
Error indications : 0
Traffic indications : 0
NHRP packets received : 3
Resolution requests : 0
Resolution replies : 0
Registration requests : 3
Registration replies : 0
Purge requests : 0
Purge replies : 0
Error indications : 0
Traffic indications : 0
# Display NHRP packet statistics for the specified tunnel interface.
<Sysname> display nhrp statistics interface tunnel 0
Tunnel0:
NHRP packets sent : 815
Resolution requests : 15
Resolution replies : 1
Registration requests : 0
Registration replies : 797
Purge requests : 2
Purge replies : 0
Error indications : 0
Traffic indications : 0
NHRP packets received : 1453
Resolution requests : 15
Resolution replies : 1
Registration requests : 1435
Registration replies : 2
Purge requests : 0
Purge replies : 0
Error indications : 0
Traffic indications : 0
New command: nhrp authentication
Use nhrp authentication to configure an NHRP packet authentication key.
Use undo nhrp authentication to restore the default.
Syntax
nhrp authentication { cipher | simple } string
undo nhrp authentication
Default
No NHRP packet authentication key is configured. NHRP nodes do not authenticate NHRP packets
received from each other.
Views
mGRE tunnel interface view
Predefined user roles
network-admin
Parameters
cipher: Specifies an authentication key in encrypted form.
simple: Specifies an authentication key in plaintext form. For security purposes, the key specified in
plaintext form will be stored in encrypted form.
string: Specifies the key string. Its plaintext form is a case-sensitive string of 1 to 8 characters. Its
encrypted form is a case-sensitive string of 1 to 41 characters.
Usage guidelines
After an NHRP packet authentication key is configured for a tunnel interface, the tunnel interface
adds the key in packets sent to the peer. The tunnel interface also uses the key to authenticate
NHRP packets it receives. If a packet fails the authentication, the packet will be dropped.
For mGRE tunnels to be established successfully, configure the same NHRP authentication key for
all NHCs and servers in the same mGRE network.
Examples
# On interface Tunnel1, set the NHRP packet authentication key to 123456.
<Sysname> system-view
[Sysname] interface tunnel 1 mode mgre
[Sysname-Tunnel1] nhrp authentication simple 123456
Related commands
interface tunnel (Layer 3—IP Services Command Reference)
New command: nhrp holdtime
Use nhrp holdtime to configure the holdtime for NHRP mapping entries.
Use undo nhrp holdtime to restore the default.
Syntax
nhrp holdtime seconds
undo nhrp holdtime
Default
The holdtime of NHRP mapping entries is 7200 seconds.
Views
mGRE tunnel interface view
Predefined user roles
network-admin
Parameters
seconds: Specifies the holdtime in the range of 1 to 65535 seconds.
Usage guidelines
After the holdtime is configured, the local NHRP holdtime carried in outgoing packets is updated to
the configured holdtime.
Examples
# On interface Tunnel1, set the holdtime of NHRP mapping entries to 600 seconds.
<Sysname> system-view
[Sysname] interface tunnel 1 mode mgre
[Sysname-Tunnel1] nhrp holdtime 600
Related commands
interface tunnel (Layer 3—IP Services Command Reference)
New command: nhrp network-id
Use nhrp network-id to configure an NHRP network ID for an mGRE tunnel.
Use undo nhrp network-id to delete the NHRP network ID of an mGRE tunnel.
Syntax
nhrp network-id number
undo nhrp network-id
Default
An mGRE tunnel does not have an NHRP network ID.
Views
mGRE tunnel interface view
Predefined user roles
network-admin
Parameters
number: Specifies an NHRP network ID in the range of 1 to 4294967295.
Usage guidelines
A network ID is only locally significant. You can configure different NHRP network IDs for different
tunnel interfaces on the device. The NHC and server can have different NHRP network IDs.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Set the NHRP network ID to 10 for mGRE tunnel interface Tunnel1.
<Sysname> system-view
[Sysname] interface tunnel 1 mode mgre
[Sysname-Tunnel1] nhrp network-id 10
Related commands
interface tunnel (Layer 3—IP Services Command Reference)
New command: nhrp nhs
Use nhrp nhs to configure an NHS private-to-public address mapping.
Use undo nhrp nhs to delete an NHS private-to-public address mapping.
Syntax
nhrp nhs nhs-address nbma nbma-address
undo nhrp nhs nhs-address nbma nbma-address
Default
No NHS private-to-public address mappings are configured.
Views
mGRE tunnel interface view
Predefined user roles
network-admin
Parameters
nhs-address: Specifies the private address of an NHS.
nbma-address: Specifies the public address (NBMA address) of the NHS.
Usage guidelines
You can configure multiple NHSs for redundancy. If multiple NHSs are configured, NHCs register
with all the NHSs.
Examples
# On interface Tunnel1, configure the NHS private address as 1.1.1.1 and public address as
120.1.1.120.
<Sysname> system-view
[Sysname] interface tunnel 1 mode mgre
[Sysname-Tunnel1] nhrp nhs 1.1.1.1 nbma 120.1.1.120
Related commands
interface tunnel (Layer 3—IP Services Command Reference)
New command: reset mgre session
Use reset mgre session to reset dynamic mGRE sessions.
Syntax
reset mgre session [ interface tunnel interface-number [ peer ipv4-address ] ]
Views
User view
Predefined user roles
network-admin
Parameters
interface tunnel interface-number: Specifies an mGRE tunnel interface by its number in the range
of 0 to 4095. If you do not specify this option, the command resets dynamic mGRE sessions for all
mGRE tunnel interfaces.
peer ipv4-address: Specifies a peer public address. If you do not specify this option, the command
resets all dynamic mGRE sessions for the specified mGRE tunnel interface.
Usage guidelines
If you do not specify any parameters, this command resets all dynamic mGRE sessions. When an
mGRE session is reset, the NHC reregisters with the NHS.
Examples
# Reset the mGRE sessions on interface Tunnel1.
<Sysname> reset mgre session interface tunnel 1
# Reset the mGRE session with peer address 202.12.12.12 on interface Tunnel1.
<Sysname> reset mgre session interface tunnel 1 peer 202.12.12.12
Related commands
display mgre session
New command: reset mgre statistics
Use reset mgre statistics to clear mGRE session statistics.
Syntax
reset mgre statistics [ interface tunnel interface-number [ peer ipv4-address ] ]
Views
User view
Predefined user roles
network-admin
Parameters
interface tunnel interface-number: Specifies an mGRE tunnel interface by its number in the range
of 0 to 4095. If you do not specify this option, the command clears mGRE session statistics for all
mGRE tunnel interfaces.
peer ipv4-address: Specifies a peer public address. If you do not specify this option, the command
clears statistics about all mGRE sessions on the specified mGRE tunnel interface.
Examples
# Clear statistics about mGRE sessions on interface Tunnel1.
<Sysname> reset mgre statistics interface tunnel 1
# Clear statistics about the mGRE session with peer public address 192.168.1.200 on interface
Tunnel1.
<Sysname> reset mgre statistics interface tunnel 1 peer 192.168.1.200
New command: reset nhrp statistics
Use reset nhrp statistics to clear NHRP packet statistics.
Syntax
reset nhrp statistics [ interface tunnel interface-number ]
Views
User view
Predefined user roles
network-admin
Parameters
interface tunnel interface-number: Specifies an mGRE tunnel interface by its number in the range
of 0 to 4095. If you do not specify this option, the command clears NHRP packet statistics for all
mGRE tunnel interfaces.
Examples
# Clear NHRP packet statistics for interface Tunnel1.
<Sysname> reset nhrp statistics interface tunnel 1
Related commands
display nhrp statistics
New feature: Disabling transceiver module alarm
Disabling the transceiver module alarm
The device regularly checks transceiver modules for their vendor information. If a transceiver module
does not have a vendor name or the vendor name is not HPE, the device outputs traps and logs to
prompt you to replace the module. This feature enables you to suppress the traps and logs.
Command reference
New command: transceiver phony-alarm-disable
Use transceiver phony-alarm-disable to disable the transceiver module alarm feature.
Use undo transceiver phony-alarm-disable to restore the default.
Syntax
transceiver phony-alarm-disable
undo transceiver phony-alarm-disable
Default
The transceiver module alarm feature is enabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
The device regularly checks transceiver modules for their vendor information. If a transceiver module
does not have a vendor name or the vendor name is not HPE, the device outputs traps and logs to
prompt you to replace the module. To suppress the traps and alarms, execute this command.
Examples
# Disable the transceiver module alarm feature.
<Sysname> system-view
[Sysname] transceiver phony-alarm-disable
Modified feature: Default user role
Feature change description
The default user role can be changed. The role-name argument was added to the role default-role
enable command for specifying a user role as the default user role.
Command changes
Modified command: role default-role enable
Old syntax
role default-role enable
undo role default-role enable
New syntax
role default-role enable [ role-name ]
undo role default-role enable
Views
System view
Change description
Before modification: The default user role is network-operator.
After modification: The role-name argument was added to specify any user role that exists in the
system as the default user role. The argument is a case-sensitive string of 1 to 63 characters. If you
do not specify this argument, the default user role is network-operator.
Modified feature: Debugging
Feature change description
The all keyword and the timeout time option were removed from the debugging command. You can
no longer use the command to enable debugging for all modules at the same time or automatically
disable debugging for all modules after a specific period of time.
Command changes
Modified command: debugging
Old syntax
debugging { all [ timeout time ] | module-name [ option ] }
undo debugging { all | module-name [ option ] }
New syntax
debugging module-name [ option ]
undo debugging module-name [ option ]
Views
User view
Change description
The following parameters were removed from the debugging command:
all: Enables debugging for all modules.
timeout time: Specifies the timeout time for the debugging all command. The system
automatically executes the undo debugging all command after the timeout time. The time
argument is in the range of 1 to 1440 minutes. If you do not specify a timeout time, you must
manually execute the undo debugging all command to disable debugging for all modules.
Release 0305P04
This release has the following changes:
New feature: Public key management support for Suite B
New feature: PKI support for Suite B
New feature: IPsec support for Suite B
New feature: SSL support for Suite B
New feature: FIPS support for Suite B
New feature: SSH support for Suite B
New feature: Ignoring the first AS number of EBGP route updates for a peer or peer group
Modified feature: Support for Ethernet link aggregation on Layer 3 Ethernet subinterfaces
Modified feature: Changing the maximum number of FIB table entries
Modified feature: Enabling CWMP
New feature: Public key management support for Suite B
Configuring Suite B in public key management
Suite B contains a set of encryption and authentication algorithms that meet high security
requirements.
In this software version, Suite B is available in public key management. Support for new elliptic curve
algorithms was added for generating ECDSA key pairs.
Command reference
Modified command: public-key local create
Old syntax
public-key local create { dsa | ecdsa | rsa } [ name key-name ]
New syntax
public-key local create { dsa | ecdsa [ secp192r1 | secp256r1 | secp384r1 ] | rsa } [ name key-name ]
Views
System view
Change description
Before modification: The secp192r1 curve was used to generate the ECDSA key pair by default. No
other elliptic curve algorithms were available.
After modification: You can specify the elliptic curve used to generate the ECDSA key pair. The
following elliptic curve algorithms are available:
secp192r1: Uses the secp192r1 curve to generate a 192-bit ECDSA key pair. The secp192r1
curve is used by default.
secp256r1: Uses the secp256r1 curve to generate a 256-bit ECDSA key pair.
secp384r1: Uses the secp384r1 curve to generate a 384-bit ECDSA key pair.
New feature: PKI support for Suite B
Configuring Suite B in PKI
Suite B contains a set of encryption and authentication algorithms that meet high security
requirements. PKI commands were modified to support Suite B.
Command reference
Modified command: public-key ecdsa
Old syntax
public-key ecdsa name key-name
undo public-key
New syntax
public-key ecdsa name key-name [ secp192r1 | secp256r1 | secp384r1 ]
undo public-key
Views
PKI domain view
Change description
Before modification: The secp192r1 curve was used to generate the ECDSA key pair by default. No
other elliptic curve algorithms were available.
After modification: You can specify the elliptic curve used to generate the ECDSA key pair. The
following elliptic curve algorithms are available:
secp192r1: Uses the secp192r1 curve to generate the key pair. The secp192r1 curve is used
by default.
secp256r1: Uses the secp256r1 curve to generate the key pair.
secp384r1: Uses the secp384r1 curve to generate the key pair.
New feature: IPsec support for Suite B
Suite B contains a set of encryption and authentication algorithms that meet high security
requirements. IPsec provides stronger protection by supporting Suite B and IKEv2.
Overview
Internet Key Exchange version 2 (IKEv2) is an enhanced version of IKEv1. Like IKEv1, IKEv2 has a
set of self-protection mechanisms and can be used on insecure networks for reliable identity
authentication, key distribution, and IPsec SA negotiation. IKEv2 provides stronger protection
against attacks and higher key exchange capability, and needs fewer message exchanges than
IKEv1.
IKEv2 negotiation process
Compared with IKEv1, IKEv2 simplifies the negotiation process and is much more efficient.
IKEv2 defines three types of exchanges: initial exchanges, CREATE_CHILD_SA exchange, and
INFORMATIONAL exchange.
As shown in Figure 13, IKEv2 uses two exchanges during the initial exchange process:
IKE_SA_INIT and IKE_AUTH, each with two messages.
IKE_SA_INIT exchange—Negotiates IKE SA parameters and exchanges keys.
IKE_AUTH exchange—Authenticates the identity of the peer and establishes IPsec SAs.
After the four-message initial exchanges, IKEv2 sets up one IKE SA and one pair of IPsec SAs. For
IKEv1 to set up one IKE SA and one pair of IPsec SAs, it must go through two phases that use a
minimum of six messages.
To set up one more pair of IPsec SAs within the IKE SA, IKEv2 goes on to perform an additional
two-message exchange—the CREATE_CHILD_SA exchange. One CREATE_CHILD_SA exchange
creates one pair of IPsec SAs. IKEv2 also uses the CREATE_CHILD_SA exchange to rekey IKE
SAs and Child SAs.
IKEv2 uses the INFORMATIONAL exchange to convey control messages about errors and
notifications.
Figure 13 IKEv2 Initial exchange process
New features in IKEv2
DH guessing
In the IKE_SA_INIT exchange, the initiator guesses the DH group that the responder is most likely to
use and sends it in an IKE_SA_INIT request message. If the initiator's guess is correct, the
responder responds with an IKE_SA_INIT response message and the IKE_SA_INIT exchange is
finished. If the guess is wrong, the responder responds with an INVALID_KE_PAYLOAD message
that contains the DH group that it wants to use. The initiator then uses the DH group selected by the
responder to reinitiate the IKE_SA_INIT exchange. The DH guessing mechanism allows for more
flexible DH group configuration and enables the initiator to adapt to different responders.
Cookie challenging
Messages for the IKE_SA_INIT exchange are in plain text. An IKEv1 responder cannot confirm the
validity of the initiators and must maintain half-open IKE SAs, which makes the responder
susceptible to DoS attacks. An attacker can send a large number of IKE_SA_INIT requests with
forged source IP addresses to the responder, exhausting the responder's system resources.
IKEv2 introduces the cookie challenging mechanism to prevent such DoS attacks. When an IKEv2
responder maintains a threshold number of half-open IKE SAs, it starts the cookie challenging
mechanism. The responder generates a cookie and includes it in the response sent to the initiator. If
the initiator initiates a new IKE_SA_INIT request that carries the correct cookie, the responder
considers the initiator valid and proceeds with the negotiation. If the carried cookie is incorrect, the
responder terminates the negotiation.
The cookie challenging mechanism automatically stops working when the number of half-open IKE
SAs drops below the threshold.
[Figure 13, IKEv2 initial exchange process: Peer 1 sends the initiator's policy and key information; Peer 2 searches for a matched policy, generates the key, and returns the confirmed policy and key information (SA exchange, key exchange). Peer 1 then sends the initiator's identity, authentication data, and IPsec proposals; Peer 2 authenticates the identity, negotiates IPsec SAs, and returns the responder's identity, authentication data, and IPsec proposals (ID exchange, authentication, IPsec SA setup).]
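The DH guessing and cookie challenging behaviour described above, as an added simulation that is not Comware code and not from the release notes: the notification names follow RFC 5996, while the supported DH groups, the half-open threshold, the cookie construction (an HMAC over the initiator's address and SPI under a responder secret) and all addresses are assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

COOKIE = "COOKIE"                          # responder asks the initiator to retry with a cookie
INVALID_KE_PAYLOAD = "INVALID_KE_PAYLOAD"  # responder rejects the guessed DH group
SA_INIT_RESPONSE = "IKE_SA_INIT_RESPONSE"  # exchange finished, the IKE SA is now half-open


@dataclass
class SaInitRequest:
    src_ip: str
    spi_i: bytes                  # initiator SPI
    dh_group: int                 # the initiator's guess of the responder's DH group
    cookie: Optional[bytes] = None


@dataclass
class Responder:
    supported_groups: Tuple[int, ...] = (14, 19, 20)   # assumed; first one is preferred
    half_open_threshold: int = 3                        # assumed; real devices make this configurable
    secret: bytes = field(default_factory=lambda: os.urandom(32))
    half_open: Dict[Tuple[str, bytes], int] = field(default_factory=dict)

    def _cookie(self, req: SaInitRequest) -> bytes:
        # Stateless cookie: keyed hash of the initiator's address and SPI, so the responder
        # keeps no state until the initiator proves it can receive traffic at that address.
        msg = req.src_ip.encode() + req.spi_i
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:16]

    def handle_sa_init(self, req: SaInitRequest) -> Tuple[str, object]:
        """Process one IKE_SA_INIT request and return (notification or response, payload)."""
        # Cookie challenging is active only while the half-open SA count is at the threshold.
        if len(self.half_open) >= self.half_open_threshold:
            expected = self._cookie(req)
            if req.cookie is None:
                return COOKIE, expected                   # challenge, nothing stored
            if not hmac.compare_digest(req.cookie, expected):
                return "DROP", None                       # wrong cookie: negotiation terminated
        # DH guessing: a wrong guess is answered with the group the responder wants to use.
        if req.dh_group not in self.supported_groups:
            return INVALID_KE_PAYLOAD, self.supported_groups[0]
        self.half_open[(req.src_ip, req.spi_i)] = req.dh_group
        return SA_INIT_RESPONSE, req.dh_group

    def complete_auth(self, src_ip: str, spi_i: bytes) -> None:
        """IKE_AUTH succeeded: the SA is no longer half-open, which can switch challenging off."""
        self.half_open.pop((src_ip, spi_i), None)


def negotiate(responder: Responder, src_ip: str, guess: int) -> Tuple[Optional[int], int, bytes]:
    """Well-behaved initiator: reinitiates with the cookie or the responder's DH group as told.
    Returns (agreed DH group or None, number of IKE_SA_INIT requests sent, initiator SPI)."""
    req = SaInitRequest(src_ip, os.urandom(8), guess)
    sent = 0
    while True:
        sent += 1
        kind, payload = responder.handle_sa_init(req)
        if kind == COOKIE:
            req.cookie = payload
        elif kind == INVALID_KE_PAYLOAD:
            req.dh_group = payload
        elif kind == SA_INIT_RESPONSE:
            return payload, sent, req.spi_i
        else:
            return None, sent, req.spi_i


def spoofed_burst(responder: Responder, count: int) -> int:
    """Model of the DoS the text describes: requests from forged addresses that never answer the
    challenge. Returns how many half-open SAs the responder is left holding (constructed addresses)."""
    for i in range(count):
        req = SaInitRequest(f"198.51.100.{i % 250 + 1}", os.urandom(8), 14)
        responder.handle_sa_init(req)
    return len(responder.half_open)
```

The point to take from the simulation is that the responder's half-open state stays bounded by the threshold during a burst, while a legitimate initiator still completes in at most one extra round trip per challenge or wrong guess.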
IKEv2 SA rekeying
For security purposes, both IKE SAs and IPsec SAs have a lifetime and must be rekeyed when the
lifetime expires. An IKEv1 SA lifetime is negotiated. An IKEv2 SA lifetime, in contrast, is configured. If
two peers are configured with different lifetimes, the peer with the shorter lifetime always initiates the
SA rekeying. This mechanism reduces the possibility that two peers will simultaneously initiate a
rekeying. Simultaneous rekeying results in redundant SAs and SA status inconsistency on the two
peers.
IKEv2 message retransmission
Unlike IKEv1 messages, IKEv2 messages appear in request/response pairs. IKEv2 uses the
Message ID field in the message header to identify the request/response pair. If an initiator sends a
request but receives no response with the same Message ID value within a specific period of time,
the initiator retransmits the request.
It is always the IKEv2 initiator that initiates the retransmission, and the retransmitted message must
use the same Message ID value.
Protocols and standards
RFC 2408, Internet Security Association and Key Management Protocol (ISAKMP)
RFC 4306, Internet Key Exchange (IKEv2) Protocol
RFC 4718, IKEv2 Clarifications and Implementation Guidelines
RFC 2412, The OAKLEY Key Determination Protocol
RFC 5996, Internet Key Exchange Protocol Version 2 (IKEv2)
IKEv2 configuration task list
Determine the following parameters prior to IKEv2 configuration:
The strength of the algorithms for IKEv2 negotiation, including the encryption algorithms,
integrity protection algorithms, PRF algorithms, and DH groups. Different algorithms provide
different levels of protection. A stronger algorithm means better resistance to decryption of
protected data but requires more resources. Typically, the longer the key, the stronger the
algorithm.
The local and remote identity authentication methods.
To use the pre-shared key authentication method, you must determine the pre-shared key.
To use the RSA digital signature authentication method, you must determine the PKI
domain for the local end to use. For information about PKI, see "Configuring PKI."
To configure IKEv2, perform the following tasks:
Tasks at a glance Remarks
(Required.) Configuring an IKEv2 profile N/A
(Required.) Configuring an IKEv2 policy N/A
(Optional.) Configuring an IKEv2 proposal If you specify an IKEv2 proposal in an IKEv2 policy, you must configure the IKEv2 proposal.
Configuring an IKEv2 keychain Required when either end or both ends use the pre-shared key authentication method.
Configure global IKEv2 parameters (the cookie challenging feature takes effect only on IKEv2 responders):
(Optional.) Enabling the cookie challenging feature
(Optional.) Configuring the IKEv2 DPD feature
(Optional.) Configuring the IKEv2 NAT keepalive feature
(Optional.) Configuring IKEv2 address pools
Configuring an IKEv2 profile
An IKEv2 profile is intended to provide a set of parameters for IKEv2 negotiation. To configure an
IKEv2 profile, perform the following tasks:
1. Specify the local and remote identity authentication methods.
The local and remote identity authentication methods must both be specified and they can be
different. You can specify only one local identity authentication method and multiple remote
identity authentication methods.
2. Configure the IKEv2 keychain or PKI domain for the IKEv2 profile to use:
To use digital signature authentication, configure a PKI domain.
To use pre-shared key authentication, configure an IKEv2 keychain.
3. Configure the local ID, the ID that the device uses to identify itself to the peer during IKEv2
negotiation:
For digital signature authentication, the device can use an ID of any type. If the local ID is an
IP address that is different from the IP address in the local certificate, the device uses the
FQDN as the local ID. The FQDN is the device name configured by using the sysname
command.
For pre-shared key authentication, the device can use an ID of any type other than the DN.
4. Configure peer IDs.
The device compares the received peer ID with the peer IDs of its local IKEv2 profiles. If a
match is found, it uses the IKEv2 profile with the matching peer ID for IKEv2 negotiation. IKEv2
profiles will be compared in descending order of their priorities.
5. Specify a local interface or IP address for the IKEv2 profile so the profile can be applied only to
the specified interface or IP address. For this task, specify the local address configured in IPsec
policy or IPsec policy template view (using the local-address command). If no local address is
configured, specify the IP address of the interface that uses the IPsec policy.
6. Specify a priority number for the IKEv2 profile. To determine the priority of an IKEv2 profile:
a. First, the device examines the existence of the match local command. An IKEv2 profile
with the match local command configured has a higher priority.
b. If a tie exists, the device compares the priority numbers. An IKEv2 profile with a smaller
priority number has a higher priority.
c. If a tie still exists, the device prefers an IKEv2 profile configured earlier.
7. Specify a VPN instance for the IKEv2 profile. The IKEv2 profile is used for IKEv2 negotiation
only on the interfaces that belong to the VPN instance.
8. Configure the IKEv2 SA lifetime.
The local and remote ends can use different IKEv2 SA lifetimes. They do not negotiate the
lifetime. The end with a smaller SA lifetime will initiate an SA negotiation when the lifetime
expires.
9. Configure IKEv2 DPD to detect dead IKEv2 peers. You can also configure this feature in
system view. If you configure IKEv2 DPD in both views, the IKEv2 DPD settings in IKEv2 profile
view apply. If you do not configure IKEv2 DPD in IKEv2 profile view, the IKEv2 DPD settings in
system view apply.
10. Specify an inside VPN instance. This setting determines where the device should forward
received IPsec packets after it de-encapsulates them. If you specify an inside VPN instance,
the device looks for a route in the specified VPN instance to forward the packets. If you do not
specify an inside VPN instance, the internal and external networks are in the same VPN
instance. The device looks for a route in this VPN instance to forward the packets.
11. Configure the NAT keepalive interval.
Configure this task when the device is behind a NAT gateway. The device sends NAT keepalive
packets regularly to its peer to prevent the NAT session from being aged because of no
matching traffic.
12. Enable the configuration exchange feature.
The configuration exchange feature enables the local and remote ends to exchange
configuration data, such as gateway address, internal IP address, and route. The exchange
includes data request and response, and data push and response.
This feature typically applies to scenarios where branches and the headquarters communicate
through virtual tunnels.
This feature enables the IPsec gateway at a branch to send IP address requests to the IPsec
gateway at the headquarters. When the headquarters receives the request, it sends an IP
address to the branch in the response packet. The headquarters can also actively push an IP
address to the branch. The branch uses the allocated IP address as the IP address of the virtual
tunnel to communicate with the headquarters.
13. Enable AAA authorization.
The AAA authorization feature enables IKEv2 to request authorization attributes, such as the
IKEv2 address pool, from AAA. IKEv2 uses the address pool to assign IP addresses to remote
users. For more information about AAA authorization, see "Configuring AAA."
To configure an IKEv2 profile:
Step Command Remarks
57. Enter system view. system-view N/A
58. Create an IKEv2 profile and enter IKEv2 profile view.
ikev2 profile profile-name By default, no IKEv2 profiles exist.
59. Configure the local and remote identity authentication methods.
authentication-method { local | remote } { dsa-signature | ecdsa-signature | pre-share | rsa-signature }
By default, no local or remote identity authentication method is configured.
60. Specify a keychain. keychain keychain-name
By default, no keychain is specified for an IKEv2 profile.
Perform this task when the pre-shared key authentication method is specified.
61. Specify a PKI domain. certificate domain domain-name [ sign | verify ]
By default, the device uses PKI domains configured in system view.
Perform this task when the digital signature authentication method is specified.
62. Configure the local ID.
identity local { address { ipv4-address | ipv6 ipv6-address } | dn | email email-string | fqdn fqdn-name | key-id key-id-string }
By default, no local ID is configured, and the device uses the IP address of the interface where the IPsec policy applies as the local ID.
63. Configure peer IDs.
match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } | fqdn fqdn-name | email email-string | key-id key-id-string } }
By default, no peer ID is configured.
You must configure a minimum of one peer ID on each of the two peers.
64. (Optional.) Specify the local interface or IP address to which the IKEv2 profile can be applied.
match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } }
By default, an IKEv2 profile can be applied to any local interface or IP address.
65. (Optional.) Specify a priority for the IKEv2 profile.
priority priority By default, the priority of an IKEv2 profile is 100.
66. (Optional.) Specify a VPN instance for the IKEv2 profile.
match vrf { name vrf-name | any } By default, an IKEv2 profile belongs to the public network.
67. (Optional.) Set the IKEv2 SA lifetime for the IKEv2 profile.
sa duration seconds By default, the IKEv2 SA lifetime is 86400 seconds.
68. (Optional.) Configure the DPD feature for the IKEv2 profile.
dpd interval interval [ retry seconds ] { on-demand | periodic }
By default, DPD is disabled for an IKEv2 profile. The global DPD settings in system view are used. If DPD is also disabled in system view, the device does not perform DPD.
69. (Optional.) Specify an inside VPN instance for the IKEv2 profile.
inside-vrf vrf-name
By default, no inside VPN instance is specified for an IKEv2 profile. The internal and external networks are in the same VPN instance. The device forwards protected data to this VPN instance.
70. (Optional.) Set the IKEv2 NAT keepalive interval.
nat-keepalive seconds By default, the global IKEv2 NAT keepalive setting is used.
71. (Optional.) Enable the configuration exchange feature.
config-exchange { request | set { accept | send } }
By default, all configuration exchange options are disabled.
72. (Optional.) Enable AAA authorization.
aaa authorization domain domain-name username user-name
By default, AAA authorization is disabled for IKEv2.
Configuring an IKEv2 policy
During the IKE_SA_INIT exchange, each end tries to find a matching IKEv2 policy, using the IP
address of the local security gateway as the matching criterion.
If IKEv2 policies are configured, IKEv2 searches for an IKEv2 policy that uses the IP address of
the local security gateway. If no IKEv2 policy uses the IP address or the policy is using an
incomplete proposal, the IKE_SA_INIT exchange fails.
If no IKEv2 policy is configured, IKEv2 uses the system default IKEv2 policy default.
The device matches IKEv2 policies in the descending order of their priorities. To determine the
priority of an IKEv2 policy:
1. First, the device examines the existence of the match local address command. An IKEv2
policy with the match local address command configured has a higher priority.
2. If a tie exists, the device compares the priority numbers. An IKEv2 policy with a smaller priority
number has a higher priority.
3. If a tie still exists, the device prefers an IKEv2 policy configured earlier.
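The policy lookup described above, written out as an added Python model (this is illustration code, not part of the HPE release notes or the device software). The `Policy` and `Proposal` classes, the `config_order` bookkeeping used to represent "configured earlier", and the string comparison used for `match local address` are assumptions made for the example; the ordering rules, the fallback to the system default policy, and the failure on an incomplete proposal follow the text of this section and the proposal section.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Proposal:
    """Constructed model of an IKEv2 proposal: one algorithm list per category.
    A proposal is complete only when each category has at least one entry; the
    PRF list falls back to the integrity list, as the proposal section states."""
    name: str
    encryption: List[str] = field(default_factory=list)
    integrity: List[str] = field(default_factory=list)
    prf: List[str] = field(default_factory=list)
    dh: List[str] = field(default_factory=list)

    def is_complete(self) -> bool:
        prf = self.prf or self.integrity
        return all([self.encryption, self.integrity, prf, self.dh])


@dataclass
class Policy:
    name: str
    config_order: int                          # lower = configured earlier (assumed bookkeeping)
    priority: int = 100                        # "priority <n>", default 100
    match_local_address: Optional[str] = None  # "match local address ...", None = any
    match_vrf: Optional[str] = None            # "match vrf name <vrf>" or "any"; None = public network
    proposals: List[Proposal] = field(default_factory=list)


# System default policy: any local address, any VRF, default proposal (non-FIPS settings).
DEFAULT_POLICY = Policy(
    name="default", config_order=0, match_vrf="any",
    proposals=[Proposal("default", ["aes-cbc-128", "3des-cbc"], ["sha1", "md5"],
                        ["sha1", "md5"], ["group2", "group5"])],
)


def policy_rank(p: Policy) -> Tuple[int, int, int]:
    """Sort key giving descending priority as the guide describes:
    1. a policy with 'match local address' configured ranks first,
    2. then the smaller priority number,
    3. then the policy configured earlier."""
    return (0 if p.match_local_address else 1, p.priority, p.config_order)


def policy_matches(p: Policy, local_address: str, vrf: str) -> bool:
    if p.match_local_address is not None and p.match_local_address != local_address:
        return False
    if p.match_vrf is None:              # no 'match vrf': public network only
        return vrf == "public"
    return p.match_vrf == "any" or p.match_vrf == vrf


def select_policy(policies: List[Policy], local_address: str,
                  vrf: str = "public") -> Tuple[Optional[str], str]:
    """Return (policy name, reason); a None name means IKE_SA_INIT fails."""
    if not policies:
        return DEFAULT_POLICY.name, "no IKEv2 policy configured; system default policy used"
    for p in sorted(policies, key=policy_rank):
        if not policy_matches(p, local_address, vrf):
            continue
        if not p.proposals or not all(pr.is_complete() for pr in p.proposals):
            return None, f"policy {p.name} matched but uses an incomplete proposal; IKE_SA_INIT fails"
        return p.name, f"policy {p.name} selected"
    return None, f"no IKEv2 policy uses local address {local_address} in VRF {vrf}; IKE_SA_INIT fails"
```

Running `select_policy` with a policy that carries `match local address` and a large priority number shows that it still wins over a policy with a small priority number but no local-address match, which is the point most easily missed when reading the three rules.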
To configure an IKEv2 policy:
Step Command Remarks
73. Enter system view. system-view N/A
74. Create an IKEv2 policy and enter IKEv2 policy view.
ikev2 policy policy-name By default, an IKEv2 policy named default exists.
75. Specify the local interface or address used for IKEv2 policy matching.
match local address { interface-type interface-number | { { ipv4-address | ipv6 ipv6-address } } }
By default, no local interface or address is used for IKEv2 policy matching, and the policy matches any local interface or address.
76. Specify a VPN instance for IKEv2 policy matching.
match vrf { name vrf-name | any }
By default, no VPN instance is specified for IKEv2 policy matching. The IKEv2 policy matches all local addresses in the public network.
77. Specify an IKEv2 proposal for the IKEv2 policy.
proposal proposal-name By default, no IKEv2 proposal is specified for an IKEv2 policy.
78. Specify a priority for the IKEv2 policy.
priority priority By default, the priority of an IKEv2 policy is 100.
Configuring an IKEv2 proposal
An IKEv2 proposal contains security parameters used in IKE_SA_INIT exchanges, including the
encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups. An algorithm
specified earlier has a higher priority.
A complete IKEv2 proposal must have at least one set of security parameters, including one
encryption algorithm, one integrity protection algorithm, one PRF algorithm, and one DH group.
You can specify multiple IKEv2 proposals for an IKEv2 policy. A proposal specified earlier has a
higher priority.
To configure an IKEv2 proposal:
Step Command Remarks
79. Enter system view. system-view N/A
80. Create an IKEv2 proposal and enter IKEv2 proposal view.
ikev2 proposal proposal-name
By default, an IKEv2 proposal named default exists.
In non-FIPS mode, the default proposal uses the following settings:
Encryption algorithms AES-CBC-128 and 3DES.
Integrity protection algorithms HMAC-SHA1 and HMAC-MD5.
PRF algorithms HMAC-SHA1 and HMAC-MD5.
DH groups 2 and 5.
In FIPS mode, the default proposal uses the following settings:
Encryption algorithms AES-CBC-128 and AES-CTR-128.
Integrity protection algorithms HMAC-SHA1 and HMAC-SHA256.
PRF algorithms HMAC-SHA1 and HMAC-SHA256.
DH groups 14 and 19.
81. Specify the encryption algorithms.
In non-FIPS mode:
encryption { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des-cbc } *
In FIPS mode:
encryption { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 } *
By default, an IKEv2 proposal does not have any encryption algorithms.
82. Specify the integrity protection algorithms.
In non-FIPS mode:
integrity { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *
In FIPS mode:
integrity { sha1 | sha256 | sha384 | sha512 } *
By default, an IKEv2 proposal does not have any integrity protection algorithms.
83. Specify the PRF algorithms.
In non-FIPS mode:
prf { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *
In FIPS mode:
prf { sha1 | sha256 | sha384 | sha512 } *
By default, an IKEv2 proposal uses the integrity protection algorithms as the PRF algorithms.
84. Specify the DH groups.
In non-FIPS mode:
dh { group1 | group14 | group2 | group24 | group5 | group19 | group20 } *
In FIPS mode:
dh { group14 | group24 | group19 | group20 } *
By default, an IKEv2 proposal does not have any DH groups.
Configuring an IKEv2 keychain
An IKEv2 keychain specifies the pre-shared keys used for IKEv2 negotiation.
An IKEv2 keychain can have multiple IKEv2 peers. Each peer has a symmetric pre-shared key or an
asymmetric pre-shared key pair, and information for identifying the peer (such as the peer's host
name, IP address or address range, or ID).
An IKEv2 negotiation initiator uses the peer host name or IP address/address range as the matching
criterion to search for a peer. A responder uses the peer host IP address/address range or ID as the
matching criterion to search for a peer.
To configure an IKEv2 keychain:
Step Command Remarks
85. Enter system view. system-view N/A
86. Create an IKEv2 keychain and enter IKEv2 keychain view.
ikev2 keychain keychain-name By default, no IKEv2 keychains exist.
87. Create an IKEv2 peer and enter IKEv2 peer view.
peer name By default, no IKEv2 peers exist.
88. Configure the information for identifying the IKEv2 peer.
To configure a host name for the peer: hostname host-name
To configure a host IP address or address range for the peer: address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] }
To configure an ID for the peer: identity { address { ipv4-address | ipv6 { ipv6-address } } | fqdn fqdn-name | email email-string | key-id key-id-string }
By default, no hostname, host IP address, address range, or identity information is configured for an IKEv2 peer.
You must configure different IP addresses/address ranges for different peers.
89. Configure a pre-shared key for the peer.
pre-shared-key [ local | remote ] { ciphertext | plaintext } string
By default, an IKEv2 peer does not have a pre-shared key.
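The peer lookup rules for an IKEv2 keychain (initiator: host name or address/range; responder: address/range or ID) and the requirement that different peers use different addresses, as an added Python model. This is illustration code, not HPE's implementation; the `Peer` and `Keychain` classes, the "type value" string used to hold an identity, and the `has_psk` flag (the key itself is not modelled) are assumptions for the example. Address specs are written the way the `address` command takes them (`3.3.3.3 255.255.255.0` or `3.3.3.3 24`).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def to_network(spec: str):
    """Turn '3.3.3.3 255.255.255.0', '3.3.3.3 24' or '3.3.3.3' into a network object."""
    return ipaddress.ip_network(spec.replace(" ", "/"), strict=False)


@dataclass
class Peer:
    name: str
    hostname: Optional[str] = None   # "hostname <host-name>"
    address: Optional[str] = None    # "address <ip> [ mask | mask-length ]"
    identity: Optional[str] = None   # "identity fqdn <name>" etc., stored as "type value"
    has_psk: bool = False            # "pre-shared-key ..." configured (key value not modelled)


class Keychain:
    def __init__(self, name: str) -> None:
        self.name = name
        self.peers: List[Peer] = []

    def add_peer(self, peer: Peer) -> None:
        # The guide requires different IP addresses/address ranges for different peers.
        if peer.address is not None:
            new_net = to_network(peer.address)
            for existing in self.peers:
                if existing.address and to_network(existing.address) == new_net:
                    raise ValueError(f"address {peer.address} already used by peer {existing.name}")
        self.peers.append(peer)

    def find_peer(self, role: str, *, hostname: Optional[str] = None,
                  address: Optional[str] = None,
                  identity: Optional[str] = None) -> Optional[Peer]:
        """Search the keychain the way the guide describes: an initiator matches on
        host name or address/range, a responder on address/range or ID."""
        if role == "initiator":
            criteria = ("hostname", "address")
        elif role == "responder":
            criteria = ("address", "identity")
        else:
            raise ValueError("role must be 'initiator' or 'responder'")
        for peer in self.peers:
            if "hostname" in criteria and hostname and peer.hostname == hostname:
                return peer
            if ("address" in criteria and address and peer.address
                    and ipaddress.ip_address(address) in to_network(peer.address)):
                return peer
            if "identity" in criteria and identity and peer.identity == identity:
                return peer
        return None
```

Note that a responder never consults the configured host name: a peer that is identified only by `hostname` can be found by the initiator side but not by a responder, which then needs an `address` or `identity` entry for that peer.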
Configuring global IKEv2 parameters
Enabling the cookie challenging feature
Enable cookie challenging on responders to protect them against DoS attacks that use a large
number of source IP addresses to forge IKE_SA_INIT requests.
To enable cookie challenging:
Step Command Remarks
90. Enter system view. system-view N/A
91. Enable cookie challenging. ikev2 cookie-challenge number By default, IKEv2 cookie challenging is disabled.
Configuring the IKEv2 DPD feature
IKEv2 DPD detects dead IKEv2 peers in periodic or on-demand mode.
Periodic DPD—Verifies the liveness of an IKEv2 peer by sending DPD messages at regular
intervals.
On-demand DPD—Verifies the liveness of an IKEv2 peer by sending DPD messages before
sending data.
Before the device sends data, it identifies the time interval for which the last IPsec packet
has been received from the peer. If the time interval exceeds the DPD interval, it sends a
DPD message to the peer to detect its liveness.
If the device has no data to send, it never sends DPD messages.
If you configure IKEv2 DPD in both IKEv2 profile view and system view, the IKEv2 DPD settings in
IKEv2 profile view apply. If you do not configure IKEv2 DPD in IKEv2 profile view, the IKEv2 DPD
settings in system view apply.
To configure global IKEv2 DPD:
Step Command Remarks
92. Enter system view. system-view N/A
93. Configure global IKEv2 DPD.
ikev2 dpd interval interval [ retry seconds ] { on-demand | periodic }
By default, global DPD is disabled.
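The DPD rules in this section (profile view overrides system view; on-demand DPD sends only before data and only after the peer has been silent for longer than the interval; periodic DPD sends at regular intervals), as an added Python decision model. This is a simplified illustration written for these release notes, not the device's code; the `Dpd` class and the second-granularity timestamps are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Dpd:
    interval: int   # "dpd interval <interval>" / "ikev2 dpd interval <interval>", seconds
    mode: str       # "on-demand" or "periodic"


def effective_dpd(profile_dpd: Optional[Dpd], system_dpd: Optional[Dpd]) -> Optional[Dpd]:
    """Profile-view DPD wins; system-view DPD applies only when the profile has none.
    None means the device performs no DPD at all."""
    return profile_dpd if profile_dpd is not None else system_dpd


def should_send_dpd(dpd: Optional[Dpd], now: int, last_rx: int,
                    last_dpd: int, has_data: bool) -> bool:
    """Decide whether a DPD message goes out at time `now` (seconds).
    last_rx:  when the last IPsec packet arrived from the peer.
    last_dpd: when the last DPD message was sent (used by periodic mode).
    has_data: whether the device is about to send data to the peer."""
    if dpd is None:
        return False
    if dpd.mode == "periodic":
        return now - last_dpd >= dpd.interval
    # on-demand: never without data to send, and only when the peer has been
    # silent for longer than the DPD interval
    if not has_data:
        return False
    return now - last_rx > dpd.interval
```

The `has_data` check is the edge case worth remembering when troubleshooting: with on-demand DPD, a gateway that only receives traffic and has nothing to send will never detect a dead peer on its own.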
Configuring the IKEv2 NAT keepalive feature
Configure this feature on the IKEv2 gateway behind the NAT device. The gateway then sends NAT
keepalive packets regularly to its peer to keep the NAT session alive, so that the peer can access the
device.
The NAT keepalive interval must be shorter than the NAT session lifetime.
This feature takes effect after the device detects the NAT device.
To configure the IKEv2 NAT keepalive feature:
Step Command Remarks
94. Enter system view. system-view N/A
95. Set the IKEv2 NAT keepalive interval.
ikev2 nat-keepalive seconds By default, the IKEv2 NAT keepalive interval is 10 seconds.
Configuring IKEv2 address pools
To perform centralized management on remote users, an IPsec gateway can use an address pool to
assign private IP addresses to remote users.
You must use an IKEv2 address pool together with AAA authorization by specifying the IKEv2
address pool as an AAA authorization attribute. For more information about AAA authorization, see
"Configuring AAA."
To configure IKEv2 address pools:
Step Command Remarks
96. Enter system view. system-view N/A
97. Configure an IKEv2 IPv4 address pool.
ikev2 address-group group-name start-ipv4-address end-ipv4-address [ mask | mask-length ]
By default, no IKEv2 IPv4 address pool exists.
98. Configure an IKEv2 IPv6 address pool.
ikev2 ipv6-address-group group-name prefix prefix/prefix-len assign-len assign-len
By default, no IKEv2 IPv6 address pool exists.
Displaying and maintaining IKEv2
Execute display commands in any view and reset commands in user view.
Task Command
Display the IKEv2 proposal configuration. display ikev2 proposal [ name | default ]
Display the IKEv2 policy configuration. display ikev2 policy [ policy-name | default ]
Display the IKEv2 profile configuration. display ikev2 profile [ profile-name ]
Display the IKEv2 SA information.
display ikev2 sa [ { local | remote } { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] [ verbose [ tunnel tunnel-id ] ]
Display IKEv2 statistics. display ikev2 statistics
Delete IKEv2 SAs and the child SAs negotiated through the IKEv2 SAs.
reset ikev2 sa [ [ { local | remote } { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] | tunnel tunnel-id ] [ fast ]
Clear IKEv2 statistics. reset ikev2 statistics
Command reference
New command: aaa authorization
Use aaa authorization to enable IKEv2 AAA authorization.
Use undo aaa authorization to disable IKEv2 AAA authorization.
Syntax
aaa authorization domain domain-name username user-name
undo aaa authorization
Default
IKEv2 AAA authorization is disabled.
Views
IKEv2 profile view
Predefined user roles
network-admin
Parameters
domain domain-name: Specifies the ISP domain used for requesting authorization attributes. The
ISP domain name is a case-insensitive string of 1 to 255 characters and must meet the following
requirements:
The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation mark ("),
colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or an at
sign (@).
The name cannot be d, de, def, defa, defau, defaul, default, i, if, if-, if-u, if-un, if-unk, if-unkn,
if-unkno, if-unknow, or if-unknown.
username user-name: Specifies the username used for requesting authorization attributes. The
username is a case-sensitive string of 1 to 55 characters and must meet the following requirements:
The username cannot contain the domain name.
The username cannot contain a forward slash (/), backslash (\), vertical bar (|), colon (:),
asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or an at sign (@).
The username cannot be a, al, or all.
Usage guidelines
The AAA authorization feature enables IKEv2 to request authorization attributes, such as the IKEv2
IPv4 address pool, from AAA.
IKEv2 uses the ISP domain and username to request authorization attributes. AAA uses the
authorization settings in the ISP domain to request the user's authorization attributes from the
remote AAA server or the local user database. After IKEv2 passes the username authentication, it
obtains the authorization attributes.
This feature is applicable when AAA is used to centrally manage and deploy authorization attributes.
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
# Enable AAA authorization. Specify the ISP domain name abc and the username test.
[Sysname-ikev2-profile-profile1] aaa authorization domain abc username test
Related commands
display ikev2 profile
New command: address
Use address to specify the IP address or IP address range of an IKEv2 peer.
Use undo address to restore the default.
Syntax
address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] }
undo address
Default
An IKEv2 peer's IP address or IP address range is not specified.
Views
IKEv2 peer view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies the IPv4 address of the IKEv2 peer.
mask: Specifies the subnet mask of the IPv4 address.
mask-length: Specifies the subnet mask length of the IPv4 address, in the range of 0 to 32.
ipv6 ipv6-address: Specifies the IPv6 address of the IKEv2 peer.
prefix-length: Specifies the prefix length of the IPv6 address, in the range of 0 to 128.
Usage guidelines
Both the initiator and the responder can look up an IKEv2 peer by IP address in IKEv2 negotiation.
The IP addresses of different IKEv2 peers in the same IKEv2 keychain cannot be the same.
Examples
# Create an IKEv2 keychain named key1.
<Sysname> system-view
[Sysname] ikev2 keychain key1
# Create an IKEv2 peer named peer1.
[Sysname-ikev2-keychain-key1] peer peer1
# Specify the IKEv2 peer's IP address 3.3.3.3 with the subnet mask 255.255.255.0.
[Sysname-ikev2-keychain-key1-peer-peer1] address 3.3.3.3 255.255.255.0
Related commands
ikev2 keychain
peer
New command: authentication-method
Use authentication-method to specify the local or remote identity authentication method.
Use undo authentication-method to remove the local or remote identity authentication method.
Syntax
authentication-method { local | remote } { dsa-signature | ecdsa-signature | pre-share |
rsa-signature }
undo authentication-method local
undo authentication-method remote { dsa-signature | ecdsa-signature | pre-share |
rsa-signature }
Default
No local or remote identity authentication method is specified.
Views
IKEv2 profile view
Predefined user roles
network-admin
Parameters
local: Specifies the local identity authentication method.
remote: Specifies the remote identity authentication method.
dsa-signature: Specifies the DSA signatures as the identity authentication method.
ecdsa-signature: Specifies the ECDSA signatures as the identity authentication method.
pre-share: Specifies the pre-shared key as the identity authentication method.
rsa-signature: Specifies the RSA signatures as the identity authentication method.
Usage guidelines
The local and remote identity authentication methods must both be specified and they can be
different.
You can specify only one local identity authentication method. You can specify multiple remote
identity authentication methods by executing this command multiple times when there are multiple
remote ends whose authentication methods are unknown.
If you use RSA, DSA, or ECDSA signature authentication, you must specify PKI domains for
obtaining certificates. You can specify PKI domains by using the certificate domain command in
IKEv2 profile view. If you do not specify PKI domains in IKEv2 profile view, the PKI domains
configured by the pki domain command in system view will be used.
If you specify the pre-shared key method, you must specify a pre-shared key for the IKEv2 peer in
the keychain used by the IKEv2 profile.
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
# Specify the pre-shared key and RSA signatures as the local and remote authentication methods,
respectively.
[Sysname-ikev2-profile-profile1] authentication-method local pre-share
[Sysname-ikev2-profile-profile1] authentication-method remote rsa-signature
# Specify the PKI domain genl as the PKI domain for obtaining certificates.
[Sysname-ikev2-profile-profile1] certificate domain genl
# Specify the keychain keychain1.
[Sysname-ikev2-profile-profile1] keychain keychain1
Related commands
display ikev2 profile
certificate domain (IKEv2 profile view)
keychain (IKEv2 profile view)
New command: certificate domain
Use certificate domain to specify a PKI domain for signature authentication in IKEv2 negotiation.
Use undo certificate domain to remove a PKI domain for signature authentication in IKEv2
negotiation.
Syntax
certificate domain domain-name [ sign | verify ]
undo certificate domain domain-name
Default
PKI domains configured in system view are used.
Views
IKEv2 profile view
Predefined user roles
network-admin
Parameters
domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters.
sign: Uses the local certificate in the PKI domain to generate a signature.
verify: Uses the CA certificate in the PKI domain to verify the remote end's certificate.
Usage guidelines
If you do not specify the sign or verify keyword, the PKI domain is used for both sign and verify
purposes. You can specify a PKI domain for each purpose by executing this command multiple times.
If you specify the same PKI domain for both purposes, the later configuration takes effect. For
example, if you execute certificate domain abc sign and certificate domain abc verify
successively, the PKI domain abc will be used only for verification.
If the local end uses RSA, DSA, or ECDSA signature authentication, you must specify a PKI domain
for signature generation. If the remote end uses RSA, DSA, or ECDSA signature authentication, you
must specify a PKI domain for verifying the remote end's certificate. If you do not specify PKI
domains, the PKI domains configured in system view will be used.
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
# Specify the PKI domain abc for signature. Specify the PKI domain def for verification.
[Sysname-ikev2-profile-profile1] certificate domain abc sign
[Sysname-ikev2-profile-profile1] certificate domain def verify
Related commands
authentication-method
pki domain
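The requirements spread over the IKEv2 profile procedure and the usage guidelines of authentication-method and certificate domain, collected into one added Python check. This is illustration code written for these release notes, not HPE's implementation: the `Ikev2Profile` class, the `system_pki_domains` flag standing in for a `pki domain` configured in system view, and the string form of peer IDs are assumptions; the rules themselves (both authentication methods required, at least one peer ID, a keychain for pre-share, a PKI domain for signing or verifying with fallback to system view, and the later `certificate domain` command for the same domain replacing the earlier one) are those stated in the text.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

SIGNATURE_METHODS = {"rsa-signature", "dsa-signature", "ecdsa-signature"}


@dataclass
class Ikev2Profile:
    name: str
    local_auth: Optional[str] = None                     # authentication-method local <m> (one only)
    remote_auth: List[str] = field(default_factory=list)  # authentication-method remote <m> (repeatable)
    keychain: Optional[str] = None                       # keychain <name>
    peer_ids: List[str] = field(default_factory=list)    # match remote ... entries
    sign_domains: Set[str] = field(default_factory=set)  # certificate domain <d> sign
    verify_domains: Set[str] = field(default_factory=set)  # certificate domain <d> verify


def certificate_domain(p: Ikev2Profile, domain: str, purpose: Optional[str] = None) -> None:
    """Model 'certificate domain <domain> [ sign | verify ]'. Without a keyword the
    domain serves both purposes; re-issuing the command for the same domain
    replaces the earlier purpose, so 'abc sign' followed by 'abc verify' leaves
    abc as a verify-only domain, as the usage guidelines describe."""
    p.sign_domains.discard(domain)
    p.verify_domains.discard(domain)
    if purpose in (None, "sign"):
        p.sign_domains.add(domain)
    if purpose in (None, "verify"):
        p.verify_domains.add(domain)


def validate_profile(p: Ikev2Profile, system_pki_domains: bool) -> List[str]:
    """Return the documented requirements that profile p violates.
    system_pki_domains: whether 'pki domain' is configured in system view, the
    fallback the device uses when the profile names no PKI domain."""
    problems: List[str] = []
    if p.local_auth is None or not p.remote_auth:
        problems.append("local and remote authentication methods must both be specified")
    if not p.peer_ids:
        problems.append("at least one peer ID (match remote) is required")
    uses_pre_share = p.local_auth == "pre-share" or "pre-share" in p.remote_auth
    if uses_pre_share and p.keychain is None:
        problems.append("pre-shared key authentication requires a keychain")
    if p.local_auth in SIGNATURE_METHODS and not p.sign_domains and not system_pki_domains:
        problems.append("local signature authentication needs a PKI domain for signing")
    remote_signature = any(m in SIGNATURE_METHODS for m in p.remote_auth)
    if remote_signature and not p.verify_domains and not system_pki_domains:
        problems.append("remote signature authentication needs a PKI domain for verification")
    return problems
```

A profile that authenticates locally with a pre-shared key and expects RSA signatures from the remote end needs both a keychain and a verify domain; the check reports the missing verify domain until `certificate domain abc verify` (or a system-view PKI domain) is present.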
New command: config-exchange
Use config-exchange to enable the configuration exchange feature.
Use undo config-exchange to disable the configuration exchange feature.
Syntax
config-exchange { request | set { accept | send } }
undo config-exchange { request | set { accept | send } }
Default
Configuration exchange is disabled.
Views
IKEv2 profile view
Predefined user roles
network-admin
Parameters
request: Enables the device to send request messages carrying the configuration request payload
during the IKE_AUTH exchange.
set: Specifies the configuration set payload exchange.
accept: Enables the device to accept the configuration set payload carried in Info messages.
send: Enables the device to send Info messages carrying the configuration set payload.
Usage guidelines
The configuration exchange feature enables the local and remote ends to exchange configuration
data, such as gateway address, internal IP address, and route. The exchange includes data request
and response, and data push and response. The enterprise center can push IP addresses to
branches. The branches can request IP addresses, but the requested IP addresses cannot be used.
You can specify both request and set for the device.
If you specify request for the local end, the remote end will respond if it can obtain the requested
data through AAA authorization.
If you specify set send for the local end, you must specify set accept for the remote end.
The device with set send specified pushes an IP address after the IKEv2 SA is set up if it does not
receive any configuration request from the peer.
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
# Enable the local end to add the configuration request payload to the request message of
IKE_AUTH exchange.
[Sysname-ikev2-profile-profile1] config-exchange request
Related commands
aaa authorization
configuration policy
display ikev2 profile
New command: description
Use description to configure a description for an IKE proposal.
Use undo description to restore the default.
Syntax
description text
undo description
Default
An IKE proposal does not have a description.
Views
IKE proposal view
Predefined user roles
network-admin
Parameters
text: Specifies a description, a case-sensitive string of 1 to 80 characters.
Usage guidelines
If multiple IKE proposals exist, you can use this command to configure different descriptions for them
to distinguish them.
Examples
# Configure the description test for the IKE proposal 1.
<Sysname> system-view
[Sysname] ike proposal 1
[Sysname-ike-proposal-1] description test
New command: display ike statistics
Use display ike statistics to display IKE statistics.
Syntax
display ike statistics
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display IKE statistics.
<Sysname> display ike statistics
IKE statistics:
No matching proposal: 0
Invalid ID information: 0
Unavailable certificate: 0
Unsupported DOI: 0
Unsupported situation: 0
Invalid proposal syntax: 0
Invalid SPI: 0
Invalid protocol ID: 0
Invalid certificate: 0
Authentication failure: 0
Invalid flags: 0
Invalid message id: 0
Invalid cookie: 0
Invalid transform ID: 0
Malformed payload: 0
Invalid key information: 0
Invalid hash information: 0
Unsupported attribute: 0
Unsupported certificate type: 0
Invalid certificate authority: 0
Invalid signature: 0
Unsupported exchange type: 0
No available SA: 0
Retransmit timeout: 0
Not enough memory: 0
Enqueue fails: 0
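The counters shown by display ike statistics are cumulative, so the useful signal for operations is the change between two polls. The following added Python example (not part of the release notes or the device software) parses two snapshots in that output format and reports counters that grew by more than a threshold. Both snapshots are constructed for the example (the guide's sample shows all counters at 0), and the `ALERT_THRESHOLDS` values are an assumed baseline to adapt to the environment.

```python
from typing import Dict, List, Tuple

# Constructed snapshots in the "display ike statistics" format; only a subset
# of the counters is shown, and the second snapshot is invented to show changes.
SNAPSHOT_BEFORE = """\
IKE statistics:
  No matching proposal: 0
  Invalid ID information: 0
  Authentication failure: 0
  Invalid cookie: 0
  Retransmit timeout: 0
"""
SNAPSHOT_AFTER = """\
IKE statistics:
  No matching proposal: 2
  Invalid ID information: 0
  Authentication failure: 14
  Invalid cookie: 0
  Retransmit timeout: 1
"""

# Assumed baseline (not from the guide): counters to watch and the increase
# between two polls that is worth a look. Counters not listed are not alerted.
ALERT_THRESHOLDS = {
    "Authentication failure": 10,
    "Invalid cookie": 1,
    "No matching proposal": 1,
}


def parse_ike_statistics(text: str) -> Dict[str, int]:
    """Parse 'Name: value' lines into a dict, skipping the 'IKE statistics:' header."""
    counters: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):
            continue
        name, _, value = line.rpartition(":")
        if name and value.strip().isdigit():
            counters[name.strip()] = int(value)
    return counters


def counter_deltas(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Counters that increased between the two polls, with the amount of increase."""
    return {k: after[k] - before.get(k, 0) for k in after if after[k] - before.get(k, 0) > 0}


def alerts(before_text: str, after_text: str,
           thresholds: Dict[str, int] = ALERT_THRESHOLDS) -> List[Tuple[str, int]]:
    """Sorted (counter, increase) pairs whose increase reached the threshold."""
    deltas = counter_deltas(parse_ike_statistics(before_text), parse_ike_statistics(after_text))
    return sorted((k, d) for k, d in deltas.items() if k in thresholds and d >= thresholds[k])
```

Polling the command on a schedule and feeding the two texts to `alerts` turns a burst of authentication failures or cookie errors into an event, which is more useful than reading the absolute numbers.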
New command: display ikev2 policy
Use display ikev2 policy to display the IKEv2 policy configuration.
Syntax
display ikev2 policy [ policy-name | default ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
policy-name: Specifies an IKEv2 policy by its name, a case-insensitive string of 1 to 63 characters.
default: Specifies the default IKEv2 policy.
Usage guidelines
If you do not specify any parameters, this command displays the configuration of all IKEv2 policies.
Examples
# Display the configuration of all IKEv2 policies.
<Sysname> display ikev2 policy
IKEv2 policy: 1
Priority: 100
Match local address: 1.1.1.1
Match local address ipv6: 1:1::1:1
Match VRF: vpn1
Proposal: 1
Proposal: 2
IKEv2 policy: default
Match local address: Any
Match VRF: Any
Proposal: default
Table 29 Command output
Field Description
IKEv2 policy Name of the IKEv2 policy.
Priority Priority of the IKEv2 policy.
Match local address IPv4 address to which the IKEv2 policy can be applied.
Match local address ipv6 IPv6 address to which the IKEv2 policy can be applied.
Match VRF VPN instance to which the IKEv2 policy can be applied.
Proposal IKEv2 proposal that the IKEv2 policy uses.
Related commands
ikev2 policy
New command: display ikev2 profile
Use display ikev2 profile to display the IKEv2 profile configuration.
Syntax
display ikev2 profile [ profile-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
profile-name: Specifies an IKEv2 profile by its name, a case-insensitive string of 1 to 63 characters. If
you do not specify an IKEv2 profile, this command displays the configuration of all IKEv2 profiles.
Examples
# Display the configuration of all IKEv2 profiles.
<Sysname> display ikev2 profile
IKEv2 profile: 1
Priority: 100
Match criteria:
Local address 1.1.1.1
Local address GigabitEthernet1/0/1
Local address 1:1::1:1
Remote identity address 3.3.3.3/32
VRF vrf1
Inside VRF: vrf1
Local identity: address 1.1.1.1
Local authentication method: pre-share
Remote authentication methods: pre-share
Keychain: Keychain1
Sign certificate domain:
Domain1
abc
Verify certificate domain:
Domain2
yy
SA duration: 500 seconds
DPD: Interval 32 secs, retry-interval 23 secs, periodic
Config exchange: request, set accept, set send
NAT keepalive: 10 seconds
AAA authorization: Domain domain1, username ikev2
Table 30 Command output
Field Description
IKEv2 profile Name of the IKEv2 profile.
Priority Priority of the IKEv2 profile.
Match criteria Criteria for looking up the IKEv2 profile.
Inside VRF Inside VPN instance.
Local identity ID of the local end.
Local authentication method Method that the local end uses for authentication.
Remote authentication methods Methods that the remote end uses for authentication.
Keychain IKEv2 keychain that the IKEv2 profile uses.
Sign certificate domain PKI domain used for signature generation.
Verify certificate domain PKI domain used for verifying the remote end's certificate.
SA duration Lifetime of the IKEv2 SA.
DPD
DPD settings:
Detection interval in seconds.
Retry interval in seconds.
Detection mode, on demand or periodically.
If DPD is disabled, this field displays Disabled.
Config exchange
Configuration exchange settings:
request—The local end sends request messages
carrying the configuration request payload during the IKE_AUTH exchange.
set accept—The local end accepts the configuration set
payload carried in Info messages.
set send—The local end sends Info messages carrying the configuration set payload.
NAT keepalive NAT keepalive interval in seconds.
AAA authorization
AAA authorization settings:
ISP domain name.
Username.
Related commands
ikev2 profile
New command: display ikev2 proposal
Use display ikev2 proposal to display the IKEv2 proposal configuration.
Syntax
display ikev2 proposal [ name | default ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
name: Specifies an IKEv2 proposal by its name, a case-insensitive string of 1 to 63 characters.
default: Specifies the default IKEv2 proposal.
Usage guidelines
This command displays IKEv2 proposals in descending order of priorities. If you do not specify any
parameters, this command displays the configuration of all IKEv2 proposals.
Examples
# Display the configuration of all IKEv2 proposals.
<Sysname> display ikev2 proposal
IKEv2 proposal: 1
Encryption: 3DES-CBC, AES-CBC-128, AES-CTR-192, CAMELLIA-CBC-128
Integrity: MD5, SHA256, AES-XCBC
PRF: MD5, SHA256, AES-XCBC
DH group: MODP1024/Group 2, MODP1536/Group 5
IKEv2 proposal: default
Encryption: AES-CBC-128, 3DES-CBC
Integrity: SHA1, MD5
PRF: SHA1, MD5
DH group: MODP1536/Group 5, MODP1024/Group 2
Table 31 Command output
Field Description
IKEv2 proposal Name of the IKEv2 proposal.
Encryption Encryption algorithms that the IKEv2 proposal uses.
Integrity Integrity protection algorithms that the IKEv2 proposal uses.
PRF PRF algorithms that the IKEv2 proposal uses.
DH group DH groups that the IKEv2 proposal uses.
Related commands
ikev2 proposal
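The proposal section earlier in this chapter notes that algorithms listed first have the highest priority and that the non-FIPS default proposal still offers 3DES, MD5 and DH groups 2 and 5. The following added Python example (written for these release notes, not HPE's code) parses output in the display ikev2 proposal format shown above and lists the legacy algorithms each proposal offers, in the order the device prefers them. The sample text is a constructed copy of the output above, and the `LEGACY_*` sets are an assumed review baseline, not a statement from the guide.

```python
import re
from typing import Dict, List

# Constructed sample in the format of "display ikev2 proposal".
SAMPLE_OUTPUT = """\
IKEv2 proposal: 1
  Encryption: 3DES-CBC, AES-CBC-128, AES-CTR-192, CAMELLIA-CBC-128
  Integrity: MD5, SHA256, AES-XCBC
  PRF: MD5, SHA256, AES-XCBC
  DH group: MODP1024/Group 2, MODP1536/Group 5
IKEv2 proposal: default
  Encryption: AES-CBC-128, 3DES-CBC
  Integrity: SHA1, MD5
  PRF: SHA1, MD5
  DH group: MODP1536/Group 5, MODP1024/Group 2
"""

# Assumed review baseline (not from the guide): algorithms and DH groups to flag.
LEGACY_ENCRYPTION = {"DES-CBC", "3DES-CBC"}
LEGACY_HASH = {"MD5"}
LEGACY_DH_GROUPS = {1, 2, 5}


def parse_proposals(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse the output into {proposal name: {field: [values in priority order]}}."""
    proposals: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "IKEv2 proposal":
            current = proposals.setdefault(value, {})
        elif current is not None and key in ("Encryption", "Integrity", "PRF", "DH group"):
            current[key] = [v.strip() for v in value.split(",") if v.strip()]
    return proposals


def dh_group_number(label: str) -> int:
    """Group number from labels like 'MODP1024/Group 2' or 'MODP1024/Group2'; -1 if absent."""
    m = re.search(r"Group\s*(\d+)", label)
    return int(m.group(1)) if m else -1


def audit_proposal(fields: Dict[str, List[str]]) -> List[str]:
    """Findings for legacy entries, keeping the device's priority order."""
    findings: List[str] = []
    for alg in fields.get("Encryption", []):
        if alg in LEGACY_ENCRYPTION:
            findings.append(f"encryption {alg}")
    for category in ("Integrity", "PRF"):
        for alg in fields.get(category, []):
            if alg in LEGACY_HASH:
                findings.append(f"{category.lower()} {alg}")
    for grp in fields.get("DH group", []):
        if dh_group_number(grp) in LEGACY_DH_GROUPS:
            findings.append(f"DH {grp}")
    return findings


def audit_output(text: str) -> Dict[str, List[str]]:
    """Audit every proposal in one command output."""
    return {name: audit_proposal(fields) for name, fields in parse_proposals(text).items()}
```

Because the device offers algorithms in the listed order, a finding that appears first (3DES-CBC in proposal 1 above) is also the one a peer is most likely to end up negotiating, which is why the order is preserved in the output.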
New command: display ikev2 sa
Use display ikev2 sa to display the IKEv2 SA information.
Syntax
display ikev2 sa [ { count | local | remote } { ipv4-address | ipv6 ipv6-address } [ vpn-instance
vpn-instance-name ] ] [ verbose [ tunnel tunnel-id ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
count: Displays the number of IKEv2 SAs.
local: Displays IKEv2 SA information for a local IP address.
remote: Displays IKEv2 SA information for a remote IP address.
ipv4-address: Specifies a local or remote IPv4 address.
ipv6 ipv6-address: Specifies a local or remote IPv6 address.
vpn-instance vpn-instance-name: Displays information about the IKEv2 SAs in an MPLS L3VPN
instance. The vpn-instance-name argument represents the VPN instance name, a case-sensitive
string of 1 to 31 characters. If you do not specify a VPN instance, this command displays information
about IKEv2 SAs for the public network.
verbose: Displays detailed information. If you do not specify this keyword, the command displays
the summary information.
tunnel tunnel-id: Displays detailed IKEv2 SA information for an IPsec tunnel. The tunnel-id argument
specifies an IPsec tunnel by its ID in the range of 1 to 2000000000.
Usage guidelines
If you do not specify any parameters, this command displays summary information about all IKEv2
SAs.
Examples
# Display summary information about all IKEv2 SAs.
<Sysname> display ikev2 sa
Tunnel ID Local Remote Status
--------------------------------------------------------------------
1 1.1.1.1/500 1.1.1.2/500 EST
2 2.2.2.1/500 2.2.2.2/500 EST
Status:
IN-NEGO: Negotiating, EST: Established, DEL: Deleting
# Display summary IKEv2 SA information for the remote IP address 1.1.1.2.
<Sysname> display ikev2 sa remote 1.1.1.2
Tunnel ID Local Remote Status
--------------------------------------------------------------------
1 1.1.1.1/500 1.1.1.2/500 EST
Status:
IN-NEGO: Negotiating, EST: Established, DEL: Deleting
Table 32 Command output
Field Description
Tunnel ID ID of the IPsec tunnel to which the IKEv2 SA belongs.
Local Local IP address of the IKEv2 SA.
Remote Remote IP address of the IKEv2 SA.
Status
Status of the IKEv2 SA:
IN-NEGO (Negotiating)—The IKEv2 SA is under
negotiation.
EST (Established)—The IKEv2 SA has been set up.
DEL (Deleting)—The IKEv2 SA is about to be deleted.
# Display detailed information about all IKEv2 SAs.
<Sysname> display ikev2 sa verbose
Tunnel ID: 1
Local IP/Port: 1.1.1.1/500
Remote IP/Port: 1.1.1.2/500
Outside VRF: -
Inside VRF: -
Local SPI: 8f8af3dbf5023a00
Remote SPI: 0131565b9b3155fa
Local ID type: FQDN
Local ID: router_a
Remote ID type: FQDN
Remote ID: router_b
Auth sign method: Pre-shared key
Auth verify method: Pre-shared key
Integrity algorithm: HMAC_MD5
PRF algorithm: HMAC_MD5
Encryption algorithm: AES-CBC-192
Life duration: 86400 secs
Remaining key duration: 85604 secs
Diffie-Hellman group: MODP1024/Group2
NAT traversal: Not detected
DPD: Interval 20 secs, retry interval 2 secs
Transmitting entity: Initiator
Local window: 1
Remote window: 1
Local request message ID: 2
Remote request message ID: 2
Local next message ID: 0
Remote next message ID: 0
Pushed IP address: 192.168.1.5
Assigned IP address: 192.168.2.24
# Display detailed IKEv2 SA information for the remote IP address 1.1.1.2.
<Sysname> display ikev2 sa remote 1.1.1.2 verbose
Tunnel ID: 1
Local IP/Port: 1.1.1.1/500
Remote IP/Port: 1.1.1.2/500
Outside VRF: -
Inside VRF: -
Local SPI: 8f8af3dbf5023a00
Remote SPI: 0131565b9b3155fa
Local ID type: FQDN
Local ID: router_a
Remote ID type: FQDN
Remote ID: router_b
Auth sign method: Pre-shared key
Auth verify method: Pre-shared key
Integrity algorithm: HMAC_MD5
PRF algorithm: HMAC_MD5
Encryption algorithm: AES-CBC-192
Life duration: 86400 secs
Remaining key duration: 85604 secs
Diffie-Hellman group: MODP1024/Group2
NAT traversal: Not detected
DPD: Interval 20 secs, retry interval 2 secs
Transmitting entity: Initiator
Local window: 1
Remote window: 1
Local request message ID: 2
Remote request message ID: 2
Local next message ID: 0
Remote next message ID: 0
Pushed IP address: 192.168.1.5
Assigned IP address: 192.168.2.24
Table 33 Command output
Field Description
Tunnel ID ID of the IPsec tunnel to which the IKEv2 SA belongs.
Local IP/Port IP address and port number of the local security gateway.
Remote IP/Port IP address and port number of the remote security gateway.
Outside VRF
Name of the VPN instance to which the protected outbound data flow belongs.
If the protected outbound data flow belongs to the public network, this field displays a hyphen (-).
Inside VRF
Name of the VPN instance to which the protected inbound data flow belongs.
If the protected inbound data flow belongs to the public network, this field displays a hyphen (-).
Local SPI SPI that the local end uses.
Remote SPI SPI that the remote end uses.
Local ID type ID type of the local security gateway.
Local ID ID of the local security gateway.
Remote ID type ID type of the remote security gateway.
Remote ID ID of the remote security gateway.
Auth sign method Signature method that the IKEv2 proposal uses in authentication.
Auth verify method Verification method that the IKEv2 proposal uses in authentication.
Integrity algorithm Integrity protection algorithms that the IKEv2 proposal uses.
PRF algorithm PRF algorithms that the IKEv2 proposal uses.
Encryption algorithm Encryption algorithms that the IKEv2 proposal uses.
Life duration Lifetime of the IKEv2 SA, in seconds.
Remaining key duration Remaining lifetime of the IKEv2 SA, in seconds.
Diffie-Hellman group DH groups used in IKEv2 key negotiation.
NAT traversal Whether a NAT gateway is detected between the local and remote ends.
DPD
DPD settings:
Detection interval in seconds.
Retry interval in seconds.
If DPD is disabled, this field displays Disabled.
Transmitting entity Role of the local end in IKEv2 negotiation, initiator or responder.
Local window Window size that the local end uses.
Remote window Window size that the remote end uses.
Local request message ID ID of the request message that the local end is about to send.
Remote request message ID ID of the request message that the remote end is about to send.
Local next message ID ID of the message that the local end expects to receive.
Remote next message ID ID of the message that the remote end expects to receive.
Pushed IP address IP address pushed to the local end by the remote end.
Assigned IP address IP address assigned to the remote end by the local end.
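The verbose output above is the place to check what an established tunnel actually negotiated, and the sample shows HMAC_MD5 and DH group 2 (1024-bit MODP) in use. The following added example, which is not part of the HPE release notes, parses the verbose output as printed by display ikev2 sa verbose into one record per SA and flags weak parameters. The sample text is copied from the command reference; the weakness thresholds (WEAK_INTEGRITY, WEAK_ENCRYPTION, WEAK_DH) and the function names are this example's own assumptions, not device behaviour.

```python
"""Audit 'display ikev2 sa verbose' output for weak IKEv2 SA parameters.

Added example, not part of the HPE release notes. The sample output is the
one shown in the command reference; the weakness sets are this example's
own policy choices (assumptions), not anything the device enforces.
"""
import re

# Constructed sample: the verbose output shown in the command reference.
SAMPLE_OUTPUT = """\
Tunnel ID: 1
Local IP/Port: 1.1.1.1/500
Remote IP/Port: 1.1.1.2/500
Outside VRF: -
Inside VRF: -
Local SPI: 8f8af3dbf5023a00
Remote SPI: 0131565b9b3155fa
Local ID type: FQDN
Local ID: router_a
Remote ID type: FQDN
Remote ID: router_b
Auth sign method: Pre-shared key
Auth verify method: Pre-shared key
Integrity algorithm: HMAC_MD5
PRF algorithm: HMAC_MD5
Encryption algorithm: AES-CBC-192
Life duration: 86400 secs
Remaining key duration: 85604 secs
Diffie-Hellman group: MODP1024/Group2
NAT traversal: Not detected
DPD: Interval 20 secs, retry interval 2 secs
Transmitting entity: Initiator
Local window: 1
Remote window: 1
Local request message ID: 2
Remote request message ID:2
Local next message ID: 0
Remote next message ID: 0
Pushed IP address: 192.168.1.5
Assigned IP address: 192.168.2.24
"""

# Policy (assumption): what this auditor treats as weak.
WEAK_INTEGRITY = {"HMAC_MD5"}
WEAK_ENCRYPTION = {"DES-CBC", "3DES-CBC"}
WEAK_DH = {"MODP768/Group1", "MODP1024/Group2"}


def parse_verbose(text):
    """Split the verbose output into one dict per SA, keyed on the field name.
    A new 'Tunnel ID:' line starts a new SA record. The regex tolerates the
    missing space after the colon seen in 'Remote request message ID:2'."""
    sas, current = [], None
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][A-Za-z /-]*?):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Tunnel ID":
            current = {}
            sas.append(current)
        if current is not None:
            current[key] = value
    return sas


def audit(sa):
    """Return the list of findings for one SA record."""
    findings = []
    if sa.get("Integrity algorithm") in WEAK_INTEGRITY:
        findings.append("weak integrity: " + sa["Integrity algorithm"])
    if sa.get("PRF algorithm") in WEAK_INTEGRITY:
        findings.append("weak PRF: " + sa["PRF algorithm"])
    if sa.get("Encryption algorithm") in WEAK_ENCRYPTION:
        findings.append("weak encryption: " + sa["Encryption algorithm"])
    if sa.get("Diffie-Hellman group") in WEAK_DH:
        findings.append("weak DH group: " + sa["Diffie-Hellman group"])
    if sa.get("Auth sign method") == "Pre-shared key":
        findings.append("PSK authentication in use: verify key strength and rotation")
    return findings


def audit_output(text):
    """Map tunnel ID -> findings for every SA in the captured output."""
    return {sa["Tunnel ID"]: audit(sa) for sa in parse_verbose(text)}


if __name__ == "__main__":
    for tunnel, findings in audit_output(SAMPLE_OUTPUT).items():
        print(f"Tunnel {tunnel}:")
        for finding in findings or ["no findings"]:
            print("  -", finding)
```

Feed the script the captured output of display ikev2 sa verbose (for example, pasted from a terminal log) and it reports, per tunnel, the parameters worth fixing in the proposal. On the sample SA it reports the MD5 integrity and PRF algorithms and the 1024-bit DH group.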
New command: display ikev2 statistics
Use display ikev2 statistics to display IKEv2 statistics.
Syntax
display ikev2 statistics
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display IKEv2 statistics.
<Sysname> display ikev2 statistics
IKEv2 statistics:
Unsupported critical payload: 0
Invalid IKE SPI: 0
Invalid major version: 0
Invalid syntax: 0
Invalid message ID: 0
Invalid SPI: 0
No proposal chosen: 0
Invalid KE payload: 0
Authentication failed: 0
Single pair required: 0
TS unacceptable: 0
Invalid selectors: 0
Temporary failure: 0
No child SA: 0
Unknown other notify: 0
No enough resource: 0
Enqueue error: 0
No IKEv2 SA: 0
Packet error: 0
Other error: 0
Retransmit timeout: 0
DPD detect error: 0
Del child for IPsec message: 0
Del child for deleting IKEv2 SA: 0
Del child for receiving delete message: 0
New command: dh
Use dh to specify DH groups to be used in IKEv2 key negotiation.
Use undo dh to restore the default.
Syntax
In non-FIPS mode:
dh { group1 | group14 | group2 | group24 | group5 | group19 | group20 } *
undo dh
In FIPS mode:
dh { group14 | group24 | group19 | group20 } *
undo dh
Default
No DH group is specified for an IKEv2 proposal.
Views
IKEv2 proposal view
Predefined user roles
network-admin
Parameters
group1: Uses the 768-bit Diffie-Hellman group.
group2: Uses the 1024-bit Diffie-Hellman group.
group5: Uses the 1536-bit Diffie-Hellman group.
group14: Uses the 2048-bit Diffie-Hellman group.
group24: Uses the 2048-bit Diffie-Hellman group with the 256-bit prime order subgroup.
group19: Uses the 256-bit ECP Diffie-Hellman group.
group20: Uses the 384-bit ECP Diffie-Hellman group.
Usage guidelines
A DH group with a larger modulus or curve generally provides higher security but needs more time
for processing. The group number itself is not a strict ranking of strength: group 19 uses a 256-bit
elliptic curve and is considered stronger than the 1024-bit MODP group 2 despite both being
cheaper to compute than group 14. Groups 1 and 2 (768-bit and 1024-bit MODP) are considered
weak by current standards; prefer group 14 or the ECP groups 19 and 20 unless a peer cannot
support them. To achieve the best trade-off between processing performance and security, choose
proper DH groups for your network.
You must specify a minimum of one DH group for an IKEv2 proposal. Otherwise, the proposal is
incomplete and useless.
You can specify multiple DH groups for an IKEv2 proposal. A group specified earlier has a higher
priority.
Examples
# Specify DH group 1 for the IKEv2 proposal 1.
<Sysname> system-view
[Sysname] ikev2 proposal 1
[Sysname-ikev2-proposal-1] dh group1
Related commands
ikev2 proposal
New command: dpd
Use dpd to configure the IKEv2 DPD feature.
Use undo dpd to disable the IKEv2 DPD feature.
Syntax
dpd interval interval [ retry seconds ] { on-demand | periodic }
undo dpd interval
Default
IKEv2 DPD is not configured in the IKEv2 profile, and the global IKEv2 DPD settings are used.
Views
IKEv2 profile view
Predefined user roles
network-admin
Parameters
interval interval: Specifies a DPD triggering interval in the range of 10 to 3600 seconds.
retry seconds: Specifies the DPD retry interval in the range of 2 to 60 seconds. The default is 5
seconds.
on-demand: Triggers DPD on demand. The device triggers DPD if it has IPsec traffic to send and
has not received any IPsec packets from the peer for the specified interval.
periodic: Triggers DPD at regular intervals. The device triggers DPD at the specified interval.
Usage guidelines
DPD is triggered periodically or on-demand. The on-demand mode is recommended when the
device communicates with a large number of IKEv2 peers. For an earlier detection of dead peers,
use the periodic triggering mode, which consumes more bandwidth and CPU.
The triggering interval must be longer than the retry interval, so that the device will not trigger a new
round of DPD during a DPD retry.
Examples
# Configure on-demand IKEv2 DPD. Set the DPD triggering interval to 10 seconds and the retry
interval to 5 seconds.
<Sysname> system-view
[Sysname] ikev2 profile profile1
[Sysname-ikev2-profile-profile1] dpd interval 10 retry 5 on-demand
Related commands
ikev2 dpd
New command: encryption
Use encryption to specify encryption algorithms for an IKEv2 proposal.
Use undo encryption to restore the default.
Syntax
In non-FIPS mode:
encryption { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 |
aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des-cbc } *
undo encryption
In FIPS mode:
encryption { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 } *
undo encryption
Default
No encryption algorithm is specified for an IKEv2 proposal.
Views
IKEv2 proposal view
Predefined user roles
network-admin
Parameters
3des-cbc: Specifies the 3DES algorithm in CBC mode, which uses a 168-bit key (about 112 bits of effective security because of the meet-in-the-middle attack on triple encryption).
aes-cbc-128: Specifies the AES algorithm in CBC mode, which uses a 128-bit key.
aes-cbc-192: Specifies the AES algorithm in CBC mode, which uses a 192-bit key.
aes-cbc-256: Specifies the AES algorithm in CBC mode, which uses a 256-bit key.
aes-ctr-128: Specifies the AES algorithm in CTR mode, which uses a 128-bit key.
aes-ctr-192: Specifies the AES algorithm in CTR mode, which uses a 192-bit key.
aes-ctr-256: Specifies the AES algorithm in CTR mode, which uses a 256-bit key.
camellia-cbc-128: Specifies the Camellia algorithm in CBC mode, which uses a 128-bit key.
camellia-cbc-192: Specifies the Camellia algorithm in CBC mode, which uses a 192-bit key.
camellia-cbc-256: Specifies the Camellia algorithm in CBC mode, which uses a 256-bit key.
des-cbc: Specifies the DES algorithm in CBC mode, which uses a 56-bit key.
Usage guidelines
You must specify a minimum of one encryption algorithm for an IKEv2 proposal. Otherwise, the
proposal is incomplete and useless. You can specify multiple encryption algorithms for an IKEv2
proposal. An algorithm specified earlier has a higher priority.
Examples
# Specify the 168-bit 3DES algorithm in CBC mode as the encryption algorithm for the IKEv2 proposal
prop1.
<Sysname> system-view
[Sysname] ikev2 proposal prop1
[Sysname-ikev2-proposal-prop1] encryption 3des-cbc
Related commands
ikev2 proposal
New command: hostname
Use hostname to specify the host name of an IKEv2 peer.
Use undo hostname to restore the default.
Syntax
hostname name
undo hostname
Default
An IKEv2 peer's host name is not specified.
Views
IKEv2 peer view
Predefined user roles
network-admin
Parameters
name: Specifies the host name of the IKEv2 peer, a case-insensitive string of 1 to 253 characters.
Usage guidelines
Only the initiator can look up an IKEv2 peer by host name in IKEv2 negotiation, and the initiator must
use an IPsec policy rather than an IPsec profile.
Examples
# Create an IKEv2 keychain named key1.
<Sysname> system-view
[Sysname] ikev2 keychain key1
# Create an IKEv2 peer named peer1.
[Sysname-ikev2-keychain-key1] peer peer1
# Specify the host name test of the IKEv2 peer.
[Sysname-ikev2-keychain-key1-peer-peer1] hostname test
Related commands
ikev2 keychain
peer
New command: identity
Use identity to specify the ID of an IKEv2 peer.
Use undo identity to restore the default.
Syntax
identity { address { ipv4-address | ipv6 { ipv6-address } } | fqdn fqdn-name | email email-string |
key-id key-id-string }
undo identity
Default
An IKEv2 peer's ID is not specified.
Views
IKEv2 peer view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies the IPv4 address of the peer.
ipv6 ipv6-address: Specifies the IPv6 address of the peer.
fqdn fqdn-name: Specifies the FQDN of the peer. The fqdn-name argument is a case-sensitive
string of 1 to 255 characters, such as www.test.com.
email email-string: Specifies the email address of the peer. The email-string argument is a
case-sensitive string of 1 to 255 characters in the format defined by RFC 822, such as
key-id key-id-string: Specifies the remote gateway's key ID. The key-id-string argument is a
case-sensitive string of 1 to 255 characters, and is usually a vendor-specific string for doing
proprietary types of identification.
Usage guidelines
Only the responder can look up an IKEv2 peer by ID in IKEv2 negotiation. The initiator does not know
the peer ID when initiating the IKEv2 negotiation, so it cannot use an ID for IKEv2 peer lookup.
Examples
# Create an IKEv2 keychain named key1.
<Sysname> system-view
[Sysname] ikev2 keychain key1
# Create an IKEv2 peer named peer1.
[Sysname-ikev2-keychain-key1] peer peer1
# Specify the peer IPv4 address 1.1.1.2 as the ID of the IKEv2 peer.
[Sysname-ikev2-keychain-key1-peer-peer1] identity address 1.1.1.2
Related commands
ikev2 keychain
peer
New command: identity local
Use identity local to configure the local ID, the ID that the device uses to identify itself to the peer
during IKEv2 negotiation.
Use undo identity local to restore the default.
Syntax
identity local { address { ipv4-address | ipv6 ipv6-address } | dn | email email-string | fqdn
fqdn-name | key-id key-id-string }
undo identity local
Default
No local ID is specified. The IP address of the interface to which the IPsec policy is applied is used as
the local ID.
Views
IKEv2 profile view
Predefined user roles
network-admin
Parameters
address { ipv4-address | ipv6 ipv6-address }: Uses an IPv4 or IPv6 address as the local ID.
dn: Uses the DN in the local certificate as the local ID.
email email-string: Uses an email address as the local ID. The email-string argument is a
case-sensitive string of 1 to 255 characters in the format defined by RFC 822, such as
fqdn fqdn-name: Uses an FQDN as the local ID. The fqdn-name argument is a case-sensitive string
of 1 to 255 characters, such as www.test.com.
key-id key-id-string: Uses the device's key ID as the local ID. The key-id-string argument is a
case-sensitive string of 1 to 255 characters, and is usually a vendor-specific string for doing
proprietary types of identification.
Usage guidelines
Peers exchange local IDs for identifying each other in negotiation.
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
# Use the IP address 2.2.2.2 as the local ID.
[Sysname-ikev2-profile-profile1] identity local address 2.2.2.2
Related commands
peer
New command: ikev2 address-group
Use ikev2 address-group to configure an IKEv2 IPv4 address pool for assigning IPv4 addresses to
remote peers.
Use undo ikev2 address-group to delete an IKEv2 IPv4 address pool.
Syntax
ikev2 address-group group-name start-ipv4-address end-ipv4-address [ mask | mask-length ]
undo ikev2 address-group group-name
Default
No IKEv2 IPv4 address pools exist.
Views
System view
Predefined user roles
network-admin
Parameters
group-name: Specifies a name for the IKEv2 IPv4 address pool. The group-name argument is a
case-insensitive string of 1 to 63 characters.
start-ipv4-address end-ipv4-address: Specifies an IPv4 address range. The start-ipv4-address
argument specifies the start IPv4 address. The end-ipv4-address argument specifies the end IPv4
address.
mask: Specifies the IPv4 address mask.
mask-length: Specifies the length of the IPv4 address mask.
Usage guidelines
An IKEv2 IPv4 address pool can contain a maximum of 8192 IPv4 addresses.
Examples
# Configure an IKEv2 IPv4 address pool with the name ipv4group, address range 1.1.1.1 to 1.1.1.2,
and the mask 255.255.255.0.
<Sysname> system-view
[Sysname] ikev2 address-group ipv4group 1.1.1.1 1.1.1.2 255.255.255.0
# Configure an IKEv2 IPv4 address pool with the name ipv4group, address range 1.1.1.1 to 1.1.1.2,
and the mask length 32.
<Sysname> system-view
[Sysname] ikev2 address-group ipv4group 1.1.1.1 1.1.1.2 32
Related commands
address-group
New command: ikev2 cookie-challenge
Use ikev2 cookie-challenge to enable the cookie challenging feature.
Use undo ikev2 cookie-challenge to disable the cookie challenging feature.
Syntax
ikev2 cookie-challenge number
undo ikev2 cookie-challenge
Default
The cookie challenging feature is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
number: Specifies the threshold for triggering the cookie challenging feature. The value range for this
argument is 0 to 1000 half-open IKE SAs.
Usage guidelines
When an IKEv2 responder maintains a threshold number of half-open IKE SAs, it starts the cookie
challenging mechanism. The responder generates a cookie and includes it in the response sent to
the initiator. If the initiator initiates a new IKE_SA_INIT request that carries the correct cookie, the
responder considers the initiator valid and proceeds with the negotiation. If the carried cookie is
incorrect, the responder terminates the negotiation.
This feature can protect the responder against DoS attacks which aim to exhaust the responder's
system resources by using a large number of IKE_SA_INIT requests with forged source IP
addresses.
Examples
# Enable the cookie challenging feature and set the threshold to 450.
<Sysname> system-view
[Sysname] ikev2 cookie-challenge 450
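The mechanism the usage guidelines describe is the stateless cookie exchange of RFC 7296 section 2.6: once the half-open SA count reaches the threshold, the responder stops allocating state for new IKE_SA_INIT requests and instead returns a cookie that only an initiator at the real source address can echo back. The following added example, which is not HPE code, models that behaviour so the effect of the threshold can be observed. The Responder class, its message format, the cookie construction (a keyed hash over Ni, IPi and SPIi with a secret version byte, as RFC 7296 suggests) and the flood/honest-initiator helpers are this example's own assumptions.

```python
"""Simulate the IKEv2 responder cookie challenge (RFC 7296 section 2.6) that
'ikev2 cookie-challenge' enables.

Added example, not HPE code. The responder model, secret handling and the
return values are this example's own assumptions; only the trigger rule
(challenge once the half-open SA count reaches the threshold) comes from
the command reference.
"""
import hashlib
import hmac
import os


class Responder:
    def __init__(self, threshold, secret=None):
        self.threshold = threshold          # like the 'number' argument
        self.half_open = {}                 # initiator SPI -> peer address
        self.secret = secret or os.urandom(32)
        self.secret_version = 1             # lets the secret be rotated later

    def _cookie(self, spi_i, nonce_i, addr_i):
        # RFC 7296 2.6: Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>)
        mac = hmac.new(self.secret, nonce_i + addr_i.encode() + spi_i,
                       hashlib.sha256).digest()
        return bytes([self.secret_version]) + mac[:16]

    def ike_sa_init(self, spi_i, nonce_i, addr_i, cookie=None):
        """Handle an IKE_SA_INIT request.
        Returns ('cookie', cookie) when the initiator must retry with a cookie,
        ('reject', None) when the supplied cookie is wrong, or ('ok', spi_r)
        when the negotiation proceeds and a half-open SA is created."""
        challenge_on = len(self.half_open) >= self.threshold
        if challenge_on:
            expected = self._cookie(spi_i, nonce_i, addr_i)
            if cookie is None:
                return ("cookie", expected)   # stateless: nothing is stored
            if not hmac.compare_digest(cookie, expected):
                return ("reject", None)
        spi_r = os.urandom(8)
        self.half_open[spi_i] = addr_i
        return ("ok", spi_r)

    def complete(self, spi_i):
        """Called when IKE_AUTH finishes: the SA is no longer half-open."""
        self.half_open.pop(spi_i, None)


def flood(responder, count):
    """Spoofed initiators that never answer a cookie challenge.
    Returns how many half-open SAs they managed to pin on the responder."""
    for i in range(count):
        responder.ike_sa_init(os.urandom(8), os.urandom(32), f"10.0.0.{i % 250}")
    return len(responder.half_open)


def honest_handshake(responder, addr):
    """A real initiator resends IKE_SA_INIT with the cookie it was handed."""
    spi_i, nonce_i = os.urandom(8), os.urandom(32)
    status, data = responder.ike_sa_init(spi_i, nonce_i, addr)
    if status == "cookie":
        status, data = responder.ike_sa_init(spi_i, nonce_i, addr, cookie=data)
    return status


if __name__ == "__main__":
    r = Responder(threshold=450)
    print("half-open SAs after a 10000-packet spoofed flood:", flood(r, 10000))
    print("legitimate peer during the flood:", honest_handshake(r, "192.0.2.7"))
```

With the threshold at 450, as in the example above, a flood of spoofed IKE_SA_INIT requests can pin at most 450 half-open SAs; every later request costs the responder one HMAC and no state, while a legitimate peer still completes after one extra round trip. The threshold should therefore be set below the point at which half-open SAs exhaust memory on the platform, and a lower value costs honest peers only that extra round trip while under attack.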
New command: ikev2 dpd
Use ikev2 dpd to configure the global IKEv2 DPD feature.
Use undo ikev2 dpd to disable the global IKEv2 DPD feature.
Syntax
ikev2 dpd interval interval [ retry seconds ] { on-demand | periodic }
undo ikev2 dpd interval
Default
The global IKEv2 DPD feature is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
interval interval: Specifies a DPD triggering interval in the range of 10 to 3600 seconds.
retry seconds: Specifies the DPD retry interval in the range of 2 to 60 seconds. The default is 5
seconds.
on-demand: Triggers DPD on demand. The device triggers DPD if it has IPsec traffic to send and
has not received any IPsec packets from the peer for the specified interval.
periodic: Triggers DPD at regular intervals. The device triggers DPD at the specified interval.
Usage guidelines
DPD is triggered periodically or on-demand. The on-demand mode is recommended when the
device communicates with a large number of IKEv2 peers. For an earlier detection of dead peers,
use the periodic triggering mode, which consumes more bandwidth and CPU.
The triggering interval must be longer than the retry interval, so that the device will not trigger a new
round of DPD during a DPD retry.
You can configure IKEv2 DPD in both IKEv2 profile view and system view. The IKEv2 DPD settings
in IKEv2 profile view apply. If you do not configure IKEv2 DPD in IKEv2 profile view, the IKEv2 DPD
settings in system view apply.
Examples
# Configure the device to trigger IKEv2 DPD if it has IPsec traffic to send and has not received any
IPsec packets from the peer for 15 seconds.
<Sysname> system-view
[Sysname] ikev2 dpd interval 15 on-demand
# Configure the device to trigger IKEv2 DPD every 15 seconds.
<Sysname> system-view
[Sysname] ikev2 dpd interval 15 periodic
Related commands
dpd (IKEv2 profile view)
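The dpd and ikev2 dpd entries above describe the two trigger modes in words; the trade-off (periodic mode finds a dead peer sooner but probes even idle peers, on-demand mode probes only when there is traffic to send) is easier to see on a timeline. The following added example, which is not HPE code, runs both modes over a constructed traffic trace in which the peer silently dies. The interval and retry ranges and the two trigger rules are taken from the command reference; the second-by-second event model, the assumption that a live peer answers a probe immediately, and the MAX_RETRIES value after which the peer is declared dead are this example's own.

```python
"""Simulate IKEv2 DPD triggering so the on-demand / periodic trade-off and the
'interval must exceed retry' rule can be seen on a timeline.

Added example, not HPE code. The event model and the MAX_RETRIES assumption
are this example's own; the interval/retry ranges and the two trigger rules
come from the 'dpd' and 'ikev2 dpd' entries.
"""
MAX_RETRIES = 3   # assumption: the command reference does not state this


def validate(interval, retry=5):
    """Range checks from the 'dpd' syntax plus the interval > retry rule."""
    if not 10 <= interval <= 3600:
        raise ValueError("interval must be 10 to 3600 seconds")
    if not 2 <= retry <= 60:
        raise ValueError("retry must be 2 to 60 seconds")
    if interval <= retry:
        raise ValueError("triggering interval must be longer than the retry interval")


def simulate(mode, interval, retry, outbound, inbound, peer_dies_at, horizon):
    """Second-by-second simulation of one IKEv2 SA.
    outbound / inbound: sets of seconds at which the device has IPsec traffic
    to send / receives IPsec traffic from the peer. The peer answers DPD
    probes only before peer_dies_at. Returns (probe_times, dead_at)."""
    validate(interval, retry)
    last_rx = 0                 # last second an IPsec packet or DPD reply arrived
    next_periodic = interval    # periodic mode runs on a fixed schedule
    last_probe, pending = None, 0
    probes = []

    def probe(t):
        nonlocal last_probe, pending, last_rx
        probes.append(t)
        last_probe, pending = t, pending + 1
        if t < peer_dies_at:          # a live peer answers at once (assumption)
            last_rx, pending = t, 0

    for t in range(1, horizon + 1):
        if t in inbound and t < peer_dies_at:
            last_rx = t
        if pending:                   # a DPD round is in progress: retry or give up
            if t - last_probe >= retry:
                if pending >= MAX_RETRIES:
                    return probes, t
                probe(t)
            continue                  # never start a new round during retries
        if mode == "periodic" and t >= next_periodic:
            next_periodic = t + interval
            probe(t)
        elif mode == "on-demand" and t in outbound and t - last_rx >= interval:
            probe(t)
    return probes, None


if __name__ == "__main__":
    # Constructed trace: the peer sends every 5 s, then dies at t=25;
    # the device itself has something to send only at t=3, 28 and 45.
    outbound, inbound = {3, 28, 45}, {5, 10, 15, 20}
    for mode in ("periodic", "on-demand"):
        probes, dead_at = simulate(mode, 10, 2, outbound, inbound, 25, 60)
        print(f"{mode:10s} probes at {probes} -> peer declared dead at {dead_at}")
```

On this trace periodic mode declares the peer dead at t=36 after probing twice while the peer was still alive, whereas on-demand mode sends nothing until the device has traffic at t=45 and declares the peer dead at t=51. That is the difference the guidelines describe: on-demand scales to many peers because idle SAs cost nothing, periodic detects loss sooner at the price of continuous probing. validate rejects an interval that does not exceed the retry interval, which is the configuration the guidelines warn would start a new round during retries.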
New command: ikev2 ipv6-address-group
Use ikev2 ipv6-address-group to configure an IKEv2 IPv6 address pool for assigning IPv6
addresses to remote peers.
Use undo ikev2 ipv6-address-group to delete an IKEv2 IPv6 address pool.
Syntax
ikev2 ipv6-address-group group-name prefix prefix/prefix-len assign-len assign-len
undo ikev2 ipv6-address-group group-name
Default
No IKEv2 IPv6 address pools exist.
Views
System view
Predefined user roles
network-admin
Parameters
group-name: Specifies a name for the IKEv2 IPv6 address pool. The group-name argument is a
case-insensitive string of 1 to 63 characters.
prefix prefix/prefix-len: Specifies an IPv6 prefix in the format of prefix/prefix length. The value range
for the prefix-len argument is 1 to 128.
assign-len assign-len: Specifies the assigned prefix length. The value range for the assign-len
argument is 0 to 128, and the value must be greater than or equal to prefix-len. The difference
between assign-len and prefix-len must be no more than 16.
Usage guidelines
Different from the IKEv2 IPv4 address pool, the device assigns an IPv6 subnet to a peer from the
IKEv2 IPv6 address pool. The peer can use the assigned IPv6 subnet to assign IPv6 addresses to
other devices.
IKEv2 IPv6 address pools cannot overlap with each other.
Examples
# Configure an IKEv2 IPv6 address pool with the name ipv6group, prefix 1:1::/64, and the assigned
prefix length 80.
<Sysname> system-view
[Sysname] ikev2 ipv6-address-group ipv6group prefix 1:1::/64 assign-len 80
Related commands
ipv6-address-group
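The two pool commands above carry constraints that the CLI only reports at configuration time: an IPv4 pool holds at most 8192 addresses, an IPv6 pool's assign-len must lie between prefix-len and 128 and exceed prefix-len by at most 16, and IPv6 pools must not overlap. The following added example, which is not HPE code, checks candidate ikev2 address-group and ikev2 ipv6-address-group definitions for those rules before they are pushed to a device, for instance from a configuration generator. The function names, return values and messages are this example's own; the IPv4 mask is only syntax-checked because, as the second IPv4 example shows, the range does not have to fit inside the mask.

```python
"""Validate IKEv2 address-pool definitions against the rules stated in the
'ikev2 address-group' and 'ikev2 ipv6-address-group' entries.

Added example, not HPE code. The function names, return values and the
rejection messages are this example's own.
"""
import ipaddress

MAX_IPV4_POOL = 8192   # from the 'ikev2 address-group' usage guidelines


def check_ipv4_pool(name, start, end, mask=None):
    """Return (ok, message) for an 'ikev2 address-group' definition.
    mask may be dotted ('255.255.255.0'), a prefix length (32) or None."""
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if last < first:
        return False, f"{name}: end address precedes start address"
    size = int(last) - int(first) + 1
    if size > MAX_IPV4_POOL:
        return False, f"{name}: {size} addresses exceeds the {MAX_IPV4_POOL} limit"
    if mask is not None:
        # The mask is handed to the peer together with its address; the
        # reference example uses a /32 for a two-address range, so only the
        # mask syntax is checked, not containment of the range.
        try:
            ipaddress.IPv4Network(f"{start}/{mask}", strict=False)
        except ValueError:
            return False, f"{name}: invalid mask {mask!r}"
    return True, f"{name}: {size} addresses"


def check_ipv6_pools(pools):
    """pools: list of (name, 'prefix/prefix-len', assign_len).
    Checks each pool's assign-len rules and that no two pools overlap."""
    nets = []
    for name, prefix, assign_len in pools:
        net = ipaddress.IPv6Network(prefix, strict=False)
        if not 1 <= net.prefixlen <= 128:
            return False, f"{name}: prefix length must be 1 to 128"
        if not net.prefixlen <= assign_len <= 128:
            return False, f"{name}: assign-len must be between prefix-len and 128"
        if assign_len - net.prefixlen > 16:
            return False, f"{name}: assign-len may exceed prefix-len by at most 16"
        for other_name, other in nets:
            if net.overlaps(other):
                return False, f"{name} overlaps {other_name}"
        nets.append((name, net))
    return True, f"{len(nets)} pools OK, no overlap"


if __name__ == "__main__":
    # The two IPv4 examples from the command reference, then an oversized pool.
    print(check_ipv4_pool("ipv4group", "1.1.1.1", "1.1.1.2", "255.255.255.0"))
    print(check_ipv4_pool("ipv4group", "1.1.1.1", "1.1.1.2", 32))
    print(check_ipv4_pool("big", "10.0.0.0", "10.0.63.255"))
    # The IPv6 example from the command reference, then an overlapping pool.
    print(check_ipv6_pools([("ipv6group", "1:1::/64", 80)]))
    print(check_ipv6_pools([("a", "1:1::/64", 80), ("b", "1:1:0:0:8000::/65", 80)]))
```

A /64 pool with assign-len 80, as in the example, hands out 2^16 /80 subnets, which is the ceiling the 16-bit difference rule imposes; a larger prefix must be split into several non-overlapping pools.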
New command: ikev2 keychain
Use ikev2 keychain to create an IKEv2 keychain and enter its view, or enter the view of an existing
IKEv2 keychain.
Use undo ikev2 keychain to delete an IKEv2 keychain.
Syntax
ikev2 keychain keychain-name
undo ikev2 keychain keychain-name
Default
No IKEv2 keychains exist.
Views
System view
Predefined user roles
network-admin
Parameters
keychain-name: Specifies a name for the IKEv2 keychain. The keychain name is a case-insensitive
string of 1 to 63 characters and cannot contain a hyphen (-).
Usage guidelines
An IKEv2 keychain is required on both ends if either end uses pre-shared key authentication. The
pre-shared key configured on both ends must be the same.
You can configure multiple IKEv2 peers in an IKEv2 keychain.
Examples
# Create an IKEv2 keychain named key1 and enter IKEv2 keychain view.
<Sysname> system-view
[Sysname] ikev2 keychain key1
[Sysname-ikev2-keychain-key1]
New command: ikev2 nat-keepalive
Use ikev2 nat-keepalive to set the NAT keepalive interval.
Use undo ikev2 nat-keepalive to restore the default.
Syntax
ikev2 nat-keepalive seconds
undo ikev2 nat-keepalive
Default
The NAT keepalive interval is 10 seconds.
Views
System view
Predefined user roles
network-admin
Parameters
seconds: Specifies the NAT keepalive interval in seconds, in the range of 5 to 3600.
Usage guidelines
This command takes effect when the device resides in the private network behind a NAT device. The
device must send NAT keepalive packets regularly to its peer to keep the NAT session alive, so that
the peer can access the device.
The NAT keepalive interval must be shorter than the NAT session lifetime.
Examples
# Set the NAT keepalive interval to 5 seconds.
<Sysname> system-view
[Sysname] ikev2 nat-keepalive 5
New command: ikev2 policy
Use ikev2 policy to create an IKEv2 policy and enter its view, or enter the view of an existing IKEv2
policy.
Use undo ikev2 policy to delete an IKEv2 policy.
Syntax
ikev2 policy policy-name
undo ikev2 policy policy-name
Default
An IKEv2 policy named default exists, which uses the default IKEv2 proposal and matches any local
addresses.
Views
System view
Predefined user roles
network-admin
Parameters
policy-name: Specifies a name for the IKEv2 policy. The policy name is a case-insensitive string of 1
to 63 characters.
Usage guidelines
Each end must have an IKEv2 policy for the IKE_SA_INIT exchange. The initiator looks up an IKEv2
policy by the IP address of the interface to which the IPsec policy is applied and the VPN instance to
which the interface belongs. The responder looks up an IKEv2 policy by the IP address of the
interface that receives the IKEv2 packet and the VPN instance to which the interface belongs. An
IKEv2 policy uses IKEv2 proposals to define the encryption algorithms, integrity protection
algorithms, PRF algorithms, and DH groups to be used for negotiation.
You can configure multiple IKEv2 policies. An IKEv2 policy must have a minimum of one IKEv2
proposal. Otherwise, the policy is incomplete.
If the initiator uses an IPsec policy that is bound to a source interface, the initiator looks up an IKEv2
policy by the IP address of the source interface.
You can set priorities to adjust the match order of IKEv2 policies that have the same match criteria.
If no IKEv2 policy is configured, the default IKEv2 policy is used. You cannot enter the view of the
default IKEv2 policy, nor modify it.
Examples
# Create an IKEv2 policy named policy1 and enter IKEv2 policy view.
<Sysname> system-view
[Sysname] ikev2 policy policy1
[Sysname-ikev2-policy-policy1]
Related commands
display ikev2 policy
New command: ikev2 profile
Use ikev2 profile to create an IKEv2 profile and enter its view, or enter the view of an existing IKEv2
profile.
Use undo ikev2 profile to delete an IKEv2 profile.
Syntax
ikev2 profile profile-name
undo ikev2 profile profile-name
Default
No IKEv2 profiles exist.
Views
System view
Predefined user roles
network-admin
Parameters
profile-name: Specifies a name for the IKEv2 profile. The profile name is a case-insensitive string of
1 to 63 characters.
Usage guidelines
An IKEv2 profile contains the IKEv2 SA parameters that are not negotiated, such as the identity
information and authentication methods of the peers, and the matching criteria for profile lookup.
Examples
# Create an IKEv2 profile named profile1 and enter IKEv2 profile view.
<Sysname> system-view
[Sysname] ikev2 profile profile1
[Sysname-ikev2-profile-profile1]
Related commands
display ikev2 profile
New command: ikev2 proposal
Use ikev2 proposal to create an IKEv2 proposal and enter its view, or enter the view of an existing
IKEv2 proposal.
Use undo ikev2 proposal to delete an IKEv2 proposal.
Syntax
ikev2 proposal proposal-name
undo ikev2 proposal proposal-name
Default
An IKEv2 proposal named default exists, which has the lowest priority and uses the following
settings:
In non-FIPS mode:
Encryption algorithm—AES-CBC-128 and 3DES.
Integrity protection algorithm—HMAC-SHA1 and HMAC-MD5.
PRF algorithm—HMAC-SHA1 and HMAC-MD5.
DH group—Group 5 and group 2.
In FIPS mode:
Encryption algorithm—AES-CBC-128 and AES-CTR-128.
Integrity protection algorithm—HMAC-SHA1 and HMAC-SHA256.
PRF algorithm—HMAC-SHA1 and HMAC-SHA256.
DH group—Group 14 and group 19.
Views
System view
Predefined user roles
network-admin
Parameters
proposal-name: Specifies a name for the IKEv2 proposal. The proposal name is a case-insensitive
string of 1 to 63 characters and cannot be default.
Usage guidelines
An IKEv2 proposal contains security parameters used in IKE_SA_INIT exchanges, including the
encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups.
An IKEv2 proposal must have a minimum of one set of security parameters, including one encryption
algorithm, one integrity protection algorithm, one PRF algorithm, and one DH group.
In an IKEv2 proposal, you can specify multiple parameters of the same type. The parameters of
different types combine and form multiple sets of security parameters (every combination of one
parameter of each type). If you want to use only one set of security parameters, configure only one
parameter of each type for the IKEv2 proposal.
The default proposal offers 3DES, HMAC-MD5, and DH group 2 in non-FIPS mode, all of which are
weak by current standards. Configure an explicit proposal with AES, SHA-2, and DH group 14 or an
ECP group, and reference it from your IKEv2 policies.
Examples
# Create an IKEv2 proposal named prop1. Specify the encryption algorithm AES-CBC-128, integrity
protection algorithm SHA1, PRF algorithm SHA1, and DH group 2.
<Sysname> system-view
[Sysname] ikev2 proposal prop1
[Sysname-ikev2-proposal-prop1] encryption aes-cbc-128
[Sysname-ikev2-proposal-prop1] integrity sha1
[Sysname-ikev2-proposal-prop1] prf sha1
[Sysname-ikev2-proposal-prop1] dh group2
Related commands
encryption
integrity
prf
dh
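The usage guidelines above say that parameters of different types combine into multiple sets, that the order of configuration is the priority, and that FIPS mode narrows the accepted values. The following added example, which is not HPE code, makes those rules concrete: it expands a proposal into its ordered (encryption, integrity, PRF, DH) sets, strips the values FIPS mode rejects, and picks the set two peers would settle on. The allowed-value tables are copied from the encryption, integrity and dh entries and the default proposals from the ikev2 proposal entry; the FIPS PRF set (assumed to mirror the integrity set), the first-match negotiation rule, and the function names are this example's simplifications.

```python
"""Expand an IKEv2 proposal into the sets of security parameters it offers,
filter it for FIPS mode, and pick the set two peers would agree on.

Added example, not HPE code. FIPS_PRF (assumed to mirror the integrity set)
and the first-match negotiation rule are this example's simplifications; the
other tables come from the command reference.
"""
from itertools import product

FIPS_ENCRYPTION = {"aes-cbc-128", "aes-cbc-192", "aes-cbc-256",
                   "aes-ctr-128", "aes-ctr-192", "aes-ctr-256"}
FIPS_INTEGRITY = {"sha1", "sha256", "sha384", "sha512"}
FIPS_PRF = {"sha1", "sha256", "sha384", "sha512"}      # assumption
FIPS_DH = {"group14", "group24", "group19", "group20"}

# The default IKEv2 proposals from the 'ikev2 proposal' entry, in priority order.
DEFAULT_NON_FIPS = {"encryption": ["aes-cbc-128", "3des-cbc"],
                    "integrity": ["sha1", "md5"],
                    "prf": ["sha1", "md5"],
                    "dh": ["group5", "group2"]}
DEFAULT_FIPS = {"encryption": ["aes-cbc-128", "aes-ctr-128"],
                "integrity": ["sha1", "sha256"],
                "prf": ["sha1", "sha256"],
                "dh": ["group14", "group19"]}

TYPES = ("encryption", "integrity", "prf", "dh")


def expand(proposal):
    """All (encryption, integrity, prf, dh) combinations; earlier = higher priority.
    Raises if a type is missing, which is the 'incomplete and useless' case."""
    for key in TYPES:
        if not proposal.get(key):
            raise ValueError(f"incomplete proposal: no {key} specified")
    return list(product(*(proposal[key] for key in TYPES)))


def fips_filter(proposal):
    """Drop the parameters FIPS mode rejects, keeping the configured order."""
    allowed = {"encryption": FIPS_ENCRYPTION, "integrity": FIPS_INTEGRITY,
               "prf": FIPS_PRF, "dh": FIPS_DH}
    return {key: [v for v in proposal[key] if v in allowed[key]] for key in TYPES}


def negotiate(initiator, responder):
    """First combination in the initiator's priority order that the responder
    also offers, or None when the peers share nothing (NO_PROPOSAL_CHOSEN)."""
    offered = set(expand(responder))
    for combo in expand(initiator):
        if combo in offered:
            return combo
    return None


if __name__ == "__main__":
    # A locally configured proposal that prefers AES-256/SHA-256/group 14 but
    # keeps weaker fallbacks for older peers.
    strong = {"encryption": ["aes-cbc-256", "aes-cbc-128"],
              "integrity": ["sha256", "sha1"],
              "prf": ["sha256", "sha1"],
              "dh": ["group14", "group2"]}
    print(len(expand(strong)), "sets offered, first:", expand(strong)[0])
    print("against non-FIPS default peer:", negotiate(strong, DEFAULT_NON_FIPS))
    print("against FIPS default peer:    ", negotiate(strong, DEFAULT_FIPS))
    print("non-FIPS default after FIPS filter:", fips_filter(DEFAULT_NON_FIPS))
```

The run shows why fallbacks are dangerous: against a peer still on the non-FIPS default proposal the "strong" proposal settles on AES-128, SHA-1 and the 1024-bit group 2, because that is the first of its sixteen sets the peer accepts. Removing group2 and sha1 from the local proposal is what forces the peer to upgrade or fail. The filter also shows that the non-FIPS default proposal loses every DH group in FIPS mode, so expand() on the filtered result raises; that is the incomplete-proposal condition the guidelines describe.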
New command: inside-vrf
Use inside-vrf to specify an inside VPN instance.
Use undo inside-vrf to restore the default.
Syntax
inside-vrf vrf-name
undo inside-vrf
Default
No inside VPN instance is specified. The internal and external networks are in the same VPN
instance. The device forwards protected data to this VPN instance.
Views
IKEv2 profile view
Predefined user roles
network-admin
Parameters
vrf-name: Specifies the VPN instance to which the protected data belongs. The vrf-name argument
represents the VPN instance name, a case-sensitive string of 1 to 31 characters.
Usage guidelines
This command determines where the device should forward received IPsec packets after it
de-encapsulates them. If you configure this command, the device looks for a route in the specified
VPN instance to forward the packets. If you do not configure this command, the internal and external
networks are in the same VPN instance. The device looks for a route in this VPN instance to forward
the packets.
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
# Specify the inside VPN instance vpn1.
[Sysname-ikev2-profile-profile1] inside-vrf vpn1
New command: integrity
Use integrity to specify integrity protection algorithms for an IKEv2 proposal.
Use undo integrity to restore the default.
Syntax
In non-FIPS mode:
integrity { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *
undo integrity
In FIPS mode:
integrity { sha1 | sha256 | sha384 | sha512 } *
undo integrity
Default
No integrity protection algorithm is specified for an IKEv2 proposal.
Views
IKEv2 proposal view
Predefined user roles
network-admin
Parameters
aes-xcbc-mac: Uses the HMAC-AES-XCBC-MAC algorithm.
md5: Uses the HMAC-MD5 algorithm.
sha1: Uses the HMAC-SHA1 algorithm.
sha256: Uses the HMAC-SHA256 algorithm.
sha384: Uses the HMAC-SHA384 algorithm.
sha512: Uses the HMAC-SHA512 algorithm.
Usage guidelines
You must specify a minimum of one integrity protection algorithm for an IKEv2 proposal. Otherwise,
the proposal is incomplete and useless. You can specify multiple integrity protection algorithms for
an IKEv2 proposal. An algorithm specified earlier has a higher priority.
Examples
# Create an IKEv2 proposal named prop1.
<Sysname> system-view
[Sysname] ikev2 proposal prop1
# Specify HMAC-SHA1 and HMAC-MD5 as the integrity protection algorithms, with HMAC-SHA1
preferred.
[Sysname-ikev2-proposal-prop1] integrity sha1 md5
Related commands
ikev2 proposal
New command: keychain
Use keychain to specify an IKEv2 keychain for pre-shared key authentication.
Use undo keychain to restore the default.
Syntax
keychain keychain-name
undo keychain
Default
No IKEv2 keychain is specified for an IKEv2 profile.
Views
IKEv2 profile view
Predefined user roles
network-admin
Parameters
keychain-name: Specifies an IKEv2 keychain by its name. The keychain name is a case-insensitive
string of 1 to 63 characters and cannot contain a hyphen (-).
Usage guidelines
An IKEv2 keychain is required on both ends if either end uses pre-shared key authentication. You
can specify only one IKEv2 keychain for an IKEv2 profile.
You can specify the same IKEv2 keychain for different IKEv2 profiles.
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
# Specify the IKEv2 keychain keychain1.
[Sysname-ikev2-profile-profile1] keychain keychain1
Related commands
display ikev2 profile
ikev2 keychain
New command: match local (IKEv2 profile view)
Use match local to specify a local interface or a local IP address to which an IKEv2 profile can be
applied.
Use undo match local to remove a local interface or a local IP address to which an IKEv2 profile can
be applied.
Syntax
match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } }
undo match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } }
Default
An IKEv2 profile can be applied to any local interface or IP address.
Views
IKEv2 profile view
Predefined user roles
network-admin
Parameters
address: Specifies a local interface or IP address to which an IKEv2 profile can be applied.
interface-type interface-number: Specifies a local interface by its type and number. It can be any
Layer 3 interface.
ipv4-address: Specifies the IPv4 address of a local interface.
ipv6 ipv6-address: Specifies the IPv6 address of a local interface.
Usage guidelines
Use this command to specify which address or interface can use the IKEv2 profile for IKEv2
negotiation. The interface is the interface that receives IKEv2 packets. The IP address is the IP
address of the interface that receives IKEv2 packets.
An IKEv2 profile configured earlier has a higher priority. To give an IKEv2 profile that is configured
later a higher priority, you can configure the priority command or this command for the profile. For
example, suppose you configured IKEv2 profile A before configuring IKEv2 profile B, and you
configured the match remote identity address range 2.2.2.1 2.2.2.100 command for IKEv2 profile
A and the match remote identity address range 2.2.2.1 2.2.2.10 command for IKEv2 profile B. For
the local interface with the IP address 3.3.3.3 to negotiate with the peer 2.2.2.6, IKEv2 profile A is
preferred because IKEv2 profile A was configured earlier. To use IKEv2 profile B, you can use this
command to restrict the application scope of IKEv2 profile B to IPv4 address 3.3.3.3.
You can specify multiple applicable local interfaces or IP addresses for an IKEv2 profile.
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
# Apply the IKEv2 profile profile1 to the interface whose IP address is 2.2.2.2.
[Sysname-ikev2-profile-profile1] match local address 2.2.2.2
Related commands
match remote
New command: match local address (IKEv2 policy view)
Use match local address to specify a local interface or a local address that an IKEv2 policy
matches.
Use undo match local address to remove a local interface or a local address that an IKEv2 policy
matches.
Syntax
match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } }
undo match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } }
Default
No local interface or address is specified, and the IKEv2 policy matches any local interface or
address.
Views
IKEv2 policy view
Predefined user roles
network-admin
Parameters
interface-type interface-number: Specifies a local interface by its type and number. It can be any
Layer 3 interface.
ipv4-address: Specifies the IPv4 address of a local interface.
ipv6 ipv6-address: Specifies the IPv6 address of a local interface.
Usage guidelines
IKEv2 policies with this command configured are looked up before those that do not have this
command configured.
Examples
# Configure the IKEv2 policy policy1 to match the local address 3.3.3.3.
<Sysname> system-view
[Sysname] ikev2 policy policy1
[Sysname-ikev2-policy-policy1] match local address 3.3.3.3
Related commands
display ikev2 policy
match vrf
New command: match remote
Use match remote to configure a peer ID that an IKEv2 profile matches.
Use undo match remote to delete a peer ID that an IKEv2 profile matches.
Syntax
match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ]
| range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range
low-ipv6-address high-ipv6-address } } | fqdn fqdn-name | email email-string | key-id key-id-string } }
undo match remote { certificate policy-name | identity { address { { ipv4-address [ mask
|mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] |
range low-ipv6-address high-ipv6-address } } | fqdn fqdn-name | email email-string | key-id
key-id-string } }
Default
No matching peer ID is configured for an IKEv2 profile.
Views
IKEv2 profile view
Predefined user roles
network-admin
Parameters
certificate policy-name: Uses the information in the peer's digital certificate as the peer ID for IKEv2
profile matching. The policy-name argument specifies a certificate-based access control policy by its
name, a case-insensitive string of 1 to 31 characters.
identity: Uses the specified information as the peer ID for IKEv2 profile matching. The specified
information is configured on the peer by using the identity local command.
address ipv4-address [ mask | mask-length ]: Uses an IPv4 host address or an IPv4 subnet
address as the peer ID for IKEv2 profile matching. The value range for the mask-length
argument is 0 to 32.
address range low-ipv4-address high-ipv4-address: Uses a range of IPv4 addresses as the
peer ID for IKEv2 profile matching. The end address must be higher than the start address.
address ipv6 ipv6-address [ prefix-length ]: Uses an IPv6 host address or an IPv6 subnet
address as the peer ID for IKEv2 profile matching. The value range for the prefix-length
argument is 0 to 128.
address ipv6 range low-ipv6-address high-ipv6-address: Uses a range of IPv6 addresses as
the peer ID for IKEv2 profile matching. The end address must be higher than the start address.
fqdn fqdn-name: Uses the peer's FQDN as the peer ID for IKEv2 profile matching. The
fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com.
email email-string: Uses the peer's email address as the peer ID for IKEv2 profile matching. The
email-string argument is a case-sensitive string of 1 to 255 characters in the format defined by
RFC 822, such as [email protected].
key-id key-id-string: Uses the peer's key ID as the peer ID for IKEv2 profile matching. The
key-id-string argument is a case-sensitive string of 1 to 255 characters, and is usually a
vendor-specific string for doing proprietary types of identification.
Usage guidelines
The device compares the received peer ID with the peer IDs configured in local IKEv2 profiles. If a
match is found, it uses the IKEv2 profile with the matching peer ID for IKEv2 negotiation. If you have
configured the match local address and match vrf commands, the IKEv2 profile must also match
the specified local interface or address and the specified VPN instance.
To make sure only one IKEv2 profile is matched for a peer, do not configure the same peer ID for two
or more IKEv2 profiles. If you configure the same peer ID for two or more IKEv2 profiles, which IKEv2
profile is selected for IKEv2 negotiation is unpredictable.
You can configure an IKEv2 profile to match multiple peer IDs. A peer ID configured earlier has a
higher priority.
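As an added illustration (not code from the HPE documentation), the following Python models the responder-side profile lookup just described: the match remote identity address range, match local address, match vrf and priority criteria, replaying the profile A / profile B scenario from the match local usage guidelines. The tie-break order beyond what the text states (a profile restricted with match local address wins, then the smaller priority value, then configuration order) is an assumption made for this model.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Ikev2Profile:
    """Subset of an IKEv2 profile: the match criteria and priority described above."""
    name: str
    order: int                                   # configuration order, 0 = configured first
    remote_ranges: List[Tuple[str, str]] = field(default_factory=list)  # match remote identity address range
    local_addresses: List[str] = field(default_factory=list)            # match local address (empty = any)
    vrf: Optional[str] = None                    # match vrf name; None = public network, "any" = any VRF
    priority: int = 100                          # priority command, default 100, smaller wins

    def matches_remote(self, peer_ip: str) -> bool:
        ip = ipaddress.ip_address(peer_ip)
        return any(ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi)
                   for lo, hi in self.remote_ranges)

    def matches_local(self, local_ip: str) -> bool:
        return not self.local_addresses or local_ip in self.local_addresses

    def matches_vrf(self, vrf: Optional[str]) -> bool:
        return self.vrf == "any" or self.vrf == vrf


def select_profile(profiles: List[Ikev2Profile], peer_ip: str, local_ip: str,
                   vrf: Optional[str] = None) -> Optional[str]:
    """Return the name of the profile a responder would use for this negotiation, or None."""
    candidates = [p for p in profiles
                  if p.matches_remote(peer_ip) and p.matches_local(local_ip) and p.matches_vrf(vrf)]
    if not candidates:
        return None
    # Assumed tie-break order: a profile restricted with match local address first, then the
    # smaller priority value, then the profile configured earlier.
    candidates.sort(key=lambda p: (0 if p.local_addresses else 1, p.priority, p.order))
    return candidates[0].name


def duplicate_peer_ids(profiles: List[Ikev2Profile]) -> List[Tuple[str, str]]:
    """Flag profile pairs sharing an identical peer ID criterion: selection would be unpredictable."""
    dupes = []
    for i, a in enumerate(profiles):
        for b in profiles[i + 1:]:
            if set(a.remote_ranges) & set(b.remote_ranges):
                dupes.append((a.name, b.name))
    return dupes


def text_example(restrict_b: bool = False, b_priority: int = 100) -> Optional[str]:
    """The scenario from the usage guidelines: profile A configured before profile B."""
    a = Ikev2Profile("A", order=0, remote_ranges=[("2.2.2.1", "2.2.2.100")])
    b = Ikev2Profile("B", order=1, remote_ranges=[("2.2.2.1", "2.2.2.10")], priority=b_priority)
    if restrict_b:
        b.local_addresses.append("3.3.3.3")      # match local address 3.3.3.3 on profile B
    return select_profile([a, b], peer_ip="2.2.2.6", local_ip="3.3.3.3")
```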
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
# Configure the IKEv2 profile to match the peer ID that is the FQDN name www.test.com.
[Sysname-ikev2-profile-profile1] match remote identity fqdn www.test.com
# Configure the IKEv2 profile to match the peer ID that is the IP address 10.1.1.1.
[Sysname-ikev2-profile-profile1] match remote identity address 10.1.1.1
Related commands
identity local
match local address
match vrf
New command: match vrf (IKEv2 policy view)
Use match vrf to specify a VPN instance that an IKEv2 policy matches.
Use undo match vrf to restore the default.
Syntax
match vrf { name vrf-name | any }
undo match vrf
Default
No VPN instance is specified, and the IKEv2 policy matches all local IP addresses in the public
network.
Views
IKEv2 policy view
Predefined user roles
network-admin
Parameters
name vrf-name: Specifies a VPN instance by its name, a case-sensitive string of 1 to 31 characters.
any: Specifies the public network and all VPN instances.
Usage guidelines
Each end must have an IKEv2 policy for the IKE_SA_INIT exchange. The initiator looks up an IKEv2
policy by the IP address of the interface to which the IPsec policy is applied and the VPN instance to
which the interface belongs. The responder looks up an IKEv2 policy by the IP address of the
interface that receives the IKEv2 packet and the VPN instance to which the interface belongs.
IKEv2 policies with this command configured are looked up before those that do not have this
command configured.
Examples
# Create an IKEv2 policy named policy1.
<Sysname> system-view
[Sysname] ikev2 policy policy1
# Configure the IKEv2 policy to match the VPN instance vpn1.
[Sysname-ikev2-policy-policy1] match vrf name vpn1
Related commands
display ikev2 policy
match local address
New command: match vrf (IKEv2 profile view)
Use match vrf to specify a VPN instance for an IKEv2 profile.
Use undo match vrf to restore the default.
Syntax
match vrf { name vrf-name | any }
undo match vrf
Default
An IKEv2 profile belongs to the public network.
Views
IKEv2 profile view
Predefined user roles
network-admin
Parameters
name vrf-name: Specifies a VPN instance by its name, a case-sensitive string of 1 to 31 characters.
any: Specifies the public network and all VPN instances.
Usage guidelines
If an IKEv2 profile belongs to a VPN instance, only interfaces in the VPN instance can use the IKEv2
profile for IKEv2 negotiation. The VPN instance is the VPN instance to which the interface that
receives IKEv2 packets belongs. If you specify the any keyword, interfaces in any VPN instance can
use the IKEv2 profile for IKEv2 negotiation.
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
# Specify vrf1 as the VPN instance that the IKEv2 profile belongs to.
[Sysname-ikev2-profile-profile1] match vrf name vrf1
Related commands
match remote
New command: nat-keepalive
Use nat-keepalive to set the NAT keepalive interval.
Use undo nat-keepalive to restore the default.
Syntax
nat-keepalive seconds
undo nat-keepalive
Default
The NAT keepalive interval set in system view is used.
Views
IKEv2 profile view
Predefined user roles
network-admin
Parameters
seconds: Specifies the NAT keepalive interval in seconds, in the range of 5 to 3600.
Usage guidelines
This command takes effect when the device resides in the private network behind a NAT device. The
device must send NAT keepalive packets regularly to its peer to keep the NAT session alive, so that
the peer can access the device.
The NAT keepalive interval must be shorter than the NAT session lifetime.
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
# Set the NAT keepalive interval to 1200 seconds.
[Sysname-ikev2-profile-profile1] nat-keepalive 1200
Related commands
display ikev2 profile
ikev2 nat-keepalive
New command: peer
Use peer to create an IKEv2 peer and enter its view, or enter the view of an existing IKEv2 peer.
Use undo peer to delete an IKEv2 peer.
Syntax
peer name
undo peer name
Default
No IKEv2 peers exist.
Views
IKEv2 keychain view
Predefined user roles
network-admin
Parameters
name: Specifies a name for the IKEv2 peer. The peer name is a case-insensitive string of 1 to 63
characters.
Usage guidelines
An IKEv2 peer contains a pre-shared key and the criteria for looking up the peer. The criteria for peer
lookup include the peer's host name, IP address, IP address range, and ID. The IKEv2 negotiation
initiator uses the peer's host name, IP address, or IP address range to look up its peer. The
responder uses the peer's IP address, IP address range, or ID to look up its peer.
Examples
# Create an IKEv2 keychain named key1 and enter IKEv2 keychain view.
<Sysname> system-view
[Sysname] ikev2 keychain key1
# Create an IKEv2 peer named peer1.
[Sysname-ikev2-keychain-key1] peer peer1
Related commands
address
hostname
identity
ikev2 keychain
New command: pre-shared-key
Use pre-shared-key to configure a pre-shared key.
Use undo pre-shared-key to delete a pre-shared key.
Syntax
pre-shared-key [ local | remote ] { ciphertext | plaintext } string
undo pre-shared-key [ local | remote ]
Default
No pre-shared key exists.
Views
IKEv2 peer view
Predefined user roles
network-admin
Parameters
local: Specifies a pre-shared key for certificate signing.
remote: Specifies a pre-shared key for certificate authentication.
ciphertext: Specifies a pre-shared key in encrypted form.
plaintext: Specifies a pre-shared key in plaintext form. For security purposes, the key specified in
plaintext form will be stored in encrypted form.
string: Specifies the pre-shared key. The key is case sensitive. In non-FIPS mode, its plaintext form
is a string of 1 to 128 characters and its encrypted form is a string of 1 to 201 characters. In FIPS
mode, its plaintext form is a string of 15 to 128 characters and its encrypted form is a string of 15 to
201 characters.
Usage guidelines
If you specify the local or remote keyword, you configure an asymmetric key. If you specify neither
the local nor the remote keyword, you configure a symmetric key.
To delete a key by using the undo command, you must specify the correct key type. For example, if
you configure a key by using the pre-shared-key local command, you cannot delete the key by
using the undo pre-shared-key or undo pre-shared-key remote command.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
On the initiator:
# Create an IKEv2 keychain named key1.
<Sysname> system-view
[Sysname] ikev2 keychain key1
# Create an IKEv2 peer named peer1.
[Sysname-ikev2-keychain-key1] peer peer1
# Configure the symmetric plaintext pre-shared key 111-key.
[Sysname-ikev2-keychain-key1-peer-peer1] pre-shared-key plaintext 111-key
[Sysname-ikev2-keychain-key1-peer-peer1] quit
# Create an IKEv2 peer named peer2.
[Sysname-ikev2-keychain-key1] peer peer2
# Configure asymmetric plaintext pre-shared keys. The key for certificate signing is 111-key-a
and the key for certificate authentication is 111-key-b.
[Sysname-ikev2-keychain-key1-peer-peer2] pre-shared-key local plaintext 111-key-a
[Sysname-ikev2-keychain-key1-peer-peer2] pre-shared-key remote plaintext 111-key-b
On the responder:
# Create an IKEv2 keychain named telecom.
<Sysname> system-view
[Sysname] ikev2 keychain telecom
# Create an IKEv2 peer named peer1.
[Sysname-ikev2-keychain-telecom] peer peer1
# Configure the symmetric plaintext pre-shared key 111-key.
[Sysname-ikev2-keychain-telecom-peer-peer1] pre-shared-key plaintext 111-key
[Sysname-ikev2-keychain-telecom-peer-peer1] quit
# Create an IKEv2 peer named peer2.
[Sysname-ikev2-keychain-telecom] peer peer2
# Configure asymmetric plaintext pre-shared keys. The key for certificate signing is 111-key-b
and the key for certificate authentication is 111-key-a.
[Sysname-ikev2-keychain-telecom-peer-peer2] pre-shared-key local plaintext 111-key-b
[Sysname-ikev2-keychain-telecom-peer-peer2] pre-shared-key remote plaintext 111-key-a
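As an added example (not from the HPE documentation), this Python shows why the asymmetric keys in the initiator and responder examples above must mirror each other: each device signs with its local key and verifies the peer with its remote key, using the pre-shared-key AUTH construction of RFC 7296 section 2.15. HMAC-SHA256 is assumed as the PRF, and the signed octets are constructed placeholders rather than real IKE message contents.

```python
import hashlib
import hmac
from dataclasses import dataclass

KEY_PAD = b"Key Pad for IKEv2"   # fixed pad string from RFC 7296, section 2.15


def prf(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 stands in for the negotiated PRF (prf sha256 in the IKEv2 proposal).
    return hmac.new(key, data, hashlib.sha256).digest()


def ikev2_psk_auth(shared_secret: bytes, signed_octets: bytes) -> bytes:
    """AUTH = prf( prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets> )."""
    return prf(prf(shared_secret, KEY_PAD), signed_octets)


@dataclass
class PeerKeys:
    local: bytes    # pre-shared-key local: builds this device's own AUTH payload
    remote: bytes   # pre-shared-key remote: verifies the peer's AUTH payload


def symmetric(key: bytes) -> PeerKeys:
    """pre-shared-key without local/remote: one key is used in both directions."""
    return PeerKeys(local=key, remote=key)


# Constructed placeholders for InitiatorSignedOctets / ResponderSignedOctets; on the wire
# these cover the IKE_SA_INIT message, the peer's nonce and the prf over the ID payload.
INIT_OCTETS = b"IKE_SA_INIT-request|Nr|prf(SK_pi,IDi')"
RESP_OCTETS = b"IKE_SA_INIT-response|Ni|prf(SK_pr,IDr')"


def mutual_auth(initiator: PeerKeys, responder: PeerKeys) -> bool:
    """Run both AUTH checks of IKE_AUTH; True only if each side verifies the other."""
    auth_i = ikev2_psk_auth(initiator.local, INIT_OCTETS)   # initiator signs with its local key
    auth_r = ikev2_psk_auth(responder.local, RESP_OCTETS)   # responder signs with its local key
    resp_ok = hmac.compare_digest(auth_i, ikev2_psk_auth(responder.remote, INIT_OCTETS))
    init_ok = hmac.compare_digest(auth_r, ikev2_psk_auth(initiator.remote, RESP_OCTETS))
    return resp_ok and init_ok


def configurations_from_text() -> dict:
    """peer1 and peer2 as configured above, plus a responder whose keys were not mirrored."""
    return {
        "peer1_symmetric": mutual_auth(symmetric(b"111-key"), symmetric(b"111-key")),
        "peer2_mirrored": mutual_auth(PeerKeys(b"111-key-a", b"111-key-b"),
                                      PeerKeys(b"111-key-b", b"111-key-a")),
        "peer2_not_mirrored": mutual_auth(PeerKeys(b"111-key-a", b"111-key-b"),
                                          PeerKeys(b"111-key-a", b"111-key-b")),
    }
```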
Related commands
ikev2 keychain
peer
New command: prf
Use prf to specify pseudo-random function (PRF) algorithms for an IKEv2 proposal.
Use undo prf to restore the default.
Syntax
In non-FIPS mode:
prf { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *
undo prf
In FIPS mode:
prf { sha1 | sha256 | sha384 | sha512 } *
undo prf
Default
An IKEv2 proposal uses the integrity protection algorithms as the PRF algorithms.
Views
IKEv2 proposal view
Predefined user roles
network-admin
Parameters
aes-xcbc-mac: Uses the HMAC-AES-XCBC-MAC algorithm.
md5: Uses the HMAC-MD5 algorithm.
sha1: Uses the HMAC-SHA1 algorithm.
sha256: Uses the HMAC-SHA256 algorithm.
sha384: Uses the HMAC-SHA384 algorithm.
sha512: Uses the HMAC-SHA512 algorithm.
Usage guidelines
You can specify multiple PRF algorithms for an IKEv2 proposal. An algorithm specified earlier has a
higher priority.
Examples
# Create an IKEv2 proposal named prop1.
<Sysname> system-view
[Sysname] ikev2 proposal prop1
# Specify HMAC-SHA1 and HMAC-MD5 as the PRF algorithms, with HMAC-SHA1 preferred.
[Sysname-ikev2-proposal-prop1] prf sha1 md5
Related commands
ikev2 proposal
integrity
New command: priority (IKEv2 policy view)
Use priority to set a priority for an IKEv2 policy.
Use undo priority to restore the default.
Syntax
priority priority
undo priority
Default
The priority of an IKEv2 policy is 100.
Views
IKEv2 policy view
Predefined user roles
network-admin
Parameters
priority: Specifies the priority of the IKEv2 policy, in the range of 1 to 65535. A smaller number
represents a higher priority.
Usage guidelines
The priority set by this command can only be used to adjust the match order of IKEv2 policies.
Examples
# Set the priority to 10 for the IKEv2 policy policy1.
<Sysname> system-view
[Sysname] ikev2 policy policy1
[Sysname-ikev2-policy-policy1] priority 10
Related commands
display ikev2 policy
New command: priority (IKEv2 profile view)
Use priority to set a priority for an IKEv2 profile.
Use undo priority to restore the default.
Syntax
priority priority
undo priority
Default
The priority of an IKEv2 profile is 100.
Views
IKEv2 profile view
Predefined user roles
network-admin
Parameters
priority: Specifies the priority of the IKEv2 profile, in the range of 1 to 65535. A smaller number
represents a higher priority.
Usage guidelines
The priority set by this command can only be used to adjust the match order of IKEv2 profiles.
Examples
# Set the priority to 10 for the IKEv2 profile profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
[Sysname-ikev2-profile-profile1] priority 10
New command: proposal
Use proposal to specify an IKEv2 proposal for an IKEv2 policy.
Use undo proposal to remove an IKEv2 proposal from an IKEv2 policy.
Syntax
proposal proposal-name
undo proposal proposal-name
Default
No IKEv2 proposal is specified for an IKEv2 policy.
Views
IKEv2 policy view
Predefined user roles
network-admin
Parameters
proposal-name: Specifies an IKEv2 proposal by its name, a case-insensitive string of 1 to 63
characters.
Usage guidelines
You can specify multiple IKEv2 proposals for an IKEv2 policy. A proposal specified earlier has a
higher priority.
Examples
# Specify the IKEv2 proposal proposal1 for the IKEv2 policy policy1.
<Sysname> system-view
[Sysname] ikev2 policy policy1
[Sysname-ikev2-policy-policy1] proposal proposal1
Related commands
display ikev2 policy
ikev2 proposal
New command: reset ikev2 sa
Use reset ikev2 sa to delete IKEv2 SAs.
Syntax
reset ikev2 sa [ [ { local | remote } { ipv4-address | ipv6 ipv6-address } [ vpn-instance
vpn-instance-name ] ] | tunnel tunnel-id ] [ fast ]
Views
User view
Predefined user roles
network-admin
Parameters
local: Deletes IKEv2 SAs for a local IP address.
remote: Deletes IKEv2 SAs for a remote IP address.
ipv4-address: Specifies a local or remote IPv4 address.
ipv6 ipv6-address: Specifies a local or remote IPv6 address.
vpn-instance vpn-instance-name: Deletes IKEv2 SAs in an MPLS L3VPN instance. The
vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31
characters. If you do not specify a VPN instance, this command deletes IKEv2 SAs for the public
network.
tunnel tunnel-id: Deletes IKEv2 SAs for an IPsec tunnel. The tunnel-id argument specifies an IPsec
tunnel by its ID in the range of 1 to 2000000000.
fast: Notifies the peers of the deletion and deletes IKEv2 SAs directly before receiving the peers'
responses. If you do not specify this keyword, the device notifies the peers of the deletion and
deletes IKEv2 SAs after it receives the peers' responses.
Usage guidelines
Deleting an IKEv2 SA will also delete the child SAs negotiated through the IKEv2 SA.
If you do not specify any parameters, this command deletes all IKEv2 SAs and the child SAs
negotiated through the IKEv2 SAs.
Examples
# Display information about IKEv2 SAs.
<Sysname> display ikev2 sa
Tunnel ID   Local                  Remote                 Status
--------------------------------------------------------------------
1           1.1.1.1/500            1.1.1.2/500            EST
2           2.2.2.1/500            2.2.2.2/500            EST
Status:
IN-NEGO: Negotiating, EST: Established, DEL: Deleting
# Delete the IKEv2 SA whose remote IP address is 1.1.1.2.
<Sysname> reset ikev2 sa remote 1.1.1.2
# Display information about IKEv2 SAs again. Verify that the IKEv2 SA is deleted.
<Sysname> display ikev2 sa
Tunnel ID   Local                  Remote                 Status
--------------------------------------------------------------------
2           2.2.2.1/500            2.2.2.2/500            EST
Status:
IN-NEGO: Negotiating, EST: Established, DEL: Deleting
Related commands
display ikev2 sa
New command: reset ikev2 statistics
Use reset ikev2 statistics to clear IKEv2 statistics.
Syntax
reset ikev2 statistics
Views
Any view
Predefined user roles
network-admin
Examples
# Clear IKEv2 statistics.
<Sysname> reset ikev2 statistics
New command: sa duration
Use sa duration to set the IKEv2 SA lifetime.
Use undo sa duration to restore the default.
Syntax
sa duration seconds
undo sa duration
Default
The IKEv2 SA lifetime is 86400 seconds.
Views
IKEv2 profile view
Predefined user roles
network-admin
Parameters
seconds: Specifies the IKEv2 SA lifetime in seconds, in the range of 120 to 86400.
Usage guidelines
An IKEv2 SA can be used for subsequent IKEv2 negotiations before its lifetime expires, saving a lot
of negotiation time. However, the longer the lifetime, the higher the possibility that attackers collect
enough information and initiate attacks.
Two peers can have different IKEv2 SA lifetime settings, and they do not perform lifetime negotiation.
The peer with a shorter lifetime always initiates the rekeying.
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
# Set the IKEv2 SA lifetime to 1200 seconds.
[Sysname-ikev2-profile-profile1] sa duration 1200
Related commands
display ikev2 profile
New command: esn enable
Use esn enable to enable the Extended Sequence Number (ESN) feature.
Use undo esn enable to disable the ESN feature.
Syntax
esn enable [ both ]
undo esn enable
Default
ESN is disabled.
Views
IPsec transform set view
Predefined user roles
network-admin
Parameters
both: Enables IPsec to support both the extended sequence number and the traditional sequence
number. If you do not specify this keyword, IPsec supports only the extended sequence number.
Usage guidelines
The ESN feature extends the sequence number length from 32 bits to 64 bits. This feature prevents
the sequence number space from being exhausted when large volumes of data are transmitted at
high speeds over an IPsec SA. If the sequence number space is not exhausted, the IPsec SA does
not need to be renegotiated.
This feature must be enabled at both the initiator and the responder.
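As an added example (not code from the HPE documentation), this Python implements the receiver side of ESN: only the low-order 32 bits of the sequence number travel in the ESP header, and the receiver infers the high-order 32 bits from its anti-replay window position as described in RFC 4303 Appendix A. The window size and the packet arrival order are constructed to show the counter crossing the 2^32 boundary without the SA having to be renegotiated.

```python
SEQ_MASK = 0xFFFFFFFF


class EsnReplayWindow:
    """Receiver-side anti-replay window for an IPsec SA with ESN enabled.

    Only the low-order 32 bits (Seql) are transmitted; the high-order 32 bits (Seqh)
    are inferred from where the window currently sits (RFC 4303, Appendix A2.2).
    """

    def __init__(self, window_size: int = 64, last_seen: int = 0):
        assert window_size >= 32                  # RFC 4303 minimum window size
        self.w = window_size
        self.top = last_seen                      # highest 64-bit sequence number accepted so far
        self.bitmap = 1 if last_seen else 0       # bit i set => (top - i) has been received

    def infer_seqh(self, seql: int) -> int:
        th, tl = self.top >> 32, self.top & SEQ_MASK
        if tl >= self.w - 1:
            # The whole window sits inside one 2^32 subspace: values below the window
            # are taken to belong to the next subspace (the ICV check rejects stray ones).
            return th if seql >= tl - self.w + 1 else th + 1
        # The window straddles a subspace boundary: large Seql values still inside the
        # window belong to the previous subspace, small ones to the current one.
        return th - 1 if seql >= ((tl - self.w + 1) & SEQ_MASK) else th

    def accept(self, seql: int) -> bool:
        """Return True if the packet is fresh; False if it is a replay or older than the window."""
        seq = (self.infer_seqh(seql) << 32) | seql
        if seq > self.top:                        # packet advances the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.w) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.w:                        # defensive guard; infer_seqh never maps here
            return False
        if (self.bitmap >> diff) & 1:             # already received: replay
            return False
        self.bitmap |= 1 << diff
        return True


def boundary_crossing_demo() -> list:
    """Constructed arrivals around 2^32; a 32-bit counter would be exhausted at this point."""
    rx = EsnReplayWindow(window_size=64, last_seen=0xFFFFFFFD)
    arrivals = [
        0xFFFFFFFE,   # next in order, still in subspace 0
        0x00000001,   # low bits wrapped: inferred as 2^32 + 1, window now straddles the boundary
        0xFFFFFFFF,   # late packet from subspace 0, still inside the window: accepted
        0xFFFFFFFF,   # the same packet again: replay
        0x00000001,   # replay of the wrapped packet
        0x00000000,   # 2^32 itself, a valid ESN value that a 32-bit counter could not express
    ]
    return [rx.accept(s) for s in arrivals]      # [True, True, True, False, False, True]
```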
Examples
# Enable the ESN feature in the IPsec transform set tran1.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] esn enable
Related commands
display ipsec transform-set
New command: ikev2-profile
Use ikev2-profile to specify an IKEv2 profile for an IPsec policy or IPsec policy template.
Use undo ikev2-profile to restore the default.
Syntax
ikev2-profile profile-name
undo ikev2-profile
Default
No IKEv2 profile is specified.
Views
IPsec policy view, IPsec policy template view
Predefined user roles
network-admin
Parameters
profile-name: Specifies an IKEv2 profile by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
The IKEv2 profile specified for an IPsec policy or IPsec policy template defines the parameters used
for IKEv2 negotiation.
You can specify only one IKEv2 profile for an IPsec policy or IPsec policy template. On the initiator,
an IKEv2 profile is required. On the responder, an IKEv2 profile is optional. If you do not specify an
IKEv2 profile, the responder can use any IKEv2 profile for negotiation.
Examples
# Specify the IKEv2 profile profile1 for the IPsec policy policy1.
<Sysname> system-view
[Sysname] ipsec policy policy1 10 isakmp
[Sysname-ipsec-policy-isakmp-policy1-10] ikev2-profile profile1
Related commands
display ipsec ipv6-policy
display ipsec policy
ikev2 profile
New command: tfc enable
Use tfc enable to enable the Traffic Flow Confidentiality (TFC) padding feature.
Use undo tfc enable to disable the TFC padding feature.
Syntax
tfc enable
undo tfc enable
Default
TFC padding is disabled.
Views
IPsec policy view, IPsec policy template view
Predefined user roles
network-admin
Usage guidelines
The TFC padding feature can hide the length of the original packet, and might affect the packet
encapsulation and de-encapsulation performance. This feature takes effect on UDP packets
encapsulated by ESP in transport mode and on original IP packets encapsulated by ESP in tunnel
mode.
Examples
# Enable TFC padding for the IPsec policy policy1.
<Sysname> system-view
[Sysname] ipsec policy policy1 10 isakmp
[Sysname-ipsec-policy-isakmp-policy1-10] tfc enable
Related commands
display ipsec ipv6-policy
display ipsec policy
Modified command: ah authentication-algorithm
Old syntax
In non-FIPS mode:
ah authentication-algorithm { md5 | sha1 | sm3 } *
undo ah authentication-algorithm
In FIPS mode:
ah authentication-algorithm sha1
undo ah authentication-algorithm
New syntax
In non-FIPS mode:
ah authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 | sm3 } *
undo ah authentication-algorithm
In FIPS mode:
ah authentication-algorithm { sha1 | sha256 | sha384 | sha512 } *
undo ah authentication-algorithm
Views
IPsec transform set view
Change description
The following keywords were added:
aes-xcbc-mac: Specifies the HMAC-AES-XCBC-MAC algorithm.
sha256: Specifies the HMAC-SHA256 algorithm.
sha384: Specifies the HMAC-SHA384 algorithm.
sha512: Specifies the HMAC-SHA512 algorithm.
Modified command: display ipsec { ipv6-policy | policy }
Syntax
display ipsec { ipv6-policy | policy } [ policy-name [ seq-number ] ]
Views
Any view
Change description
The following fields were added to the command output:
Traffic Flow Confidentiality—Whether Traffic Flow Confidentiality (TFC) padding is enabled.
IKEv2 profile—IKEv2 profile used by the IPsec policy.
Modified command: display ipsec { ipv6-policy-template | policy-template }
Syntax
display ipsec { ipv6-policy-template | policy-template } [ template-name [ seq-number ] ]
Views
Any view
Change description
The following fields were added to the command output:
Traffic Flow Confidentiality—Whether Traffic Flow Confidentiality (TFC) padding is enabled.
Selector mode—Data flow protection mode of the IPsec policy template.
Local address—Local end IP address of the IPsec tunnel.
IKEv2 profile—IKEv2 profile used by the IPsec policy template.
SA idle time—Idle timeout of the IPsec SA, in seconds.
Modified command: display ipsec sa
Syntax
display ipsec sa [ brief | count | interface interface-type interface-number | { ipv6-policy | policy }
policy-name [ seq-number ] | profile profile-name | remote [ ipv6 ] ip-address ]
Views
Any view
Change description
The following fields were added to the command output:
Extended Sequence Number enable—Whether Extended Sequence Number (ESN) is
enabled.
Traffic Flow Confidentiality enable—Whether Traffic Flow Confidentiality (TFC) padding is
enabled.
Inside VRF—VPN instance to which the protected data flow belongs.
The following values were added to the Perfect Forward Secrecy field:
dh-group19—256-bit ECP Diffie-Hellman group.
dh-group20—384-bit ECP Diffie-Hellman group.
Modified command: display ipsec transform-set
Syntax
display ipsec transform-set [ transform-set-name ]
Views
Any view
Change description
The following fields were added to the command output:
ESN—Whether Extended Sequence Number (ESN) is enabled.
PFS—Perfect Forward Secrecy (PFS) configuration.
Modified command: display ipsec tunnel
Syntax
display ipsec tunnel { brief | count | tunnel-id tunnel-id }
Views
Any view
Change description
The following values were added to the Perfect Forward Secrecy field of the command output:
dh-group19—256-bit ECP Diffie-Hellman group.
dh-group20—384-bit ECP Diffie-Hellman group.
Modified command: esp authentication-algorithm
Old syntax
In non-FIPS mode:
esp authentication-algorithm { md5 | sha1 | sm3 } *
undo esp authentication-algorithm
In FIPS mode:
esp authentication-algorithm sha1
undo esp authentication-algorithm
New syntax
In non-FIPS mode:
esp authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 | sm3 } *
undo esp authentication-algorithm
In FIPS mode:
esp authentication-algorithm { sha1 | sha256 | sha384 | sha512 } *
undo esp authentication-algorithm
Views
IPsec transform set view
Change description
The following keywords were added:
aes-xcbc-mac: Specifies the HMAC-AES-XCBC-MAC algorithm.
sha256: Specifies the HMAC-SHA256 algorithm.
sha384: Specifies the HMAC-SHA384 algorithm.
sha512: Specifies the HMAC-SHA512 algorithm.
Modified command: esp encryption-algorithm
Old syntax
In non-FIPS mode:
esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc | null } *
undo esp encryption-algorithm
In FIPS mode:
esp encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 } *
undo esp encryption-algorithm
New syntax
In non-FIPS mode:
esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 |
aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des-cbc |
gmac-128 | gmac-192 | gmac-256 | gcm-128 | gcm-192 | gcm-256 | null } *
undo esp encryption-algorithm
In FIPS mode:
esp encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192
| aes-ctr-256 | gmac-128 | gmac-192 | gmac-256 | gcm-128 | gcm-192 | gcm-256 } *
undo esp encryption-algorithm
Views
IPsec transform set view
Change description
The following keywords were added:
aes-ctr-128: Uses the AES algorithm with a 128-bit key in CTR mode. This keyword is available
only for IKEv2.
aes-ctr-192: Uses the AES algorithm with a 192-bit key in CTR mode. This keyword is available
only for IKEv2.
aes-ctr-256: Uses the AES algorithm with a 256-bit key in CTR mode. This keyword is available
only for IKEv2.
camellia-cbc-128: Uses the Camellia algorithm with a 128-bit key in CBC mode. This keyword
is available only for IKEv2.
camellia-cbc-192: Uses the Camellia algorithm with a 192-bit key in CBC mode. This keyword
is available only for IKEv2.
camellia-cbc-256: Uses the Camellia algorithm with a 256-bit key in CBC mode. This keyword
is available only for IKEv2.
gmac-128: Uses the GMAC algorithm with a 128-bit key. This keyword is available only for
IKEv2.
gmac-192: Uses the GMAC algorithm with a 192-bit key. This keyword is available only for
IKEv2.
gmac-256: Uses the GMAC algorithm with a 256-bit key. This keyword is available only for
IKEv2.
gcm-128: Uses the GCM algorithm with a 128-bit key. This keyword is available only for IKEv2.
gcm-192: Uses the GCM algorithm with a 192-bit key. This keyword is available only for IKEv2.
gcm-256: Uses the GCM algorithm with a 256-bit key. This keyword is available only for IKEv2.
Modified command: pfs
Old syntax
In non-FIPS mode:
pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group24 }
undo pfs
In FIPS mode:
pfs dh-group14
undo pfs
New syntax
In non-FIPS mode:
pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group19 | dh-group20 |
dh-group24 }
undo pfs
In FIPS mode:
pfs { dh-group14 | dh-group19 | dh-group20 | dh-group24 }
undo pfs
Views
IPsec transform set view
Change description
The following keywords were added:
dh-group19: Uses 256-bit ECP Diffie-Hellman group. This keyword is available only for IKEv2.
dh-group20: Uses 384-bit ECP Diffie-Hellman group. This keyword is available only for IKEv2.
Modified command: pre-shared-key
Old syntax
pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] }
| hostname host-name } key { cipher cipher-key | simple simple-key }
undo pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address
[ prefix-length ] } | hostname host-name }
New syntax
In non-FIPS mode:
pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] }
| hostname host-name } key { cipher cipher-key | simple simple-key }
undo pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address
[ prefix-length ] } | hostname host-name }
In FIPS mode:
pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] }
| hostname host-name } key [ cipher cipher-key ]
undo pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address
[ prefix-length ] } | hostname host-name }
Views
IKE keychain view
Change description
After modification, the cipher cipher-key option is optional in FIPS mode. If you do not specify it, the device prompts you to enter a plaintext pre-shared key interactively. The key is a case-sensitive string of 15 to 128 characters, and it must contain uppercase letters, lowercase letters, digits, and special characters; the question mark (?) is not allowed. Non-FIPS mode does not support entering a pre-shared key interactively, so the key keyword must always be followed by cipher or simple in non-FIPS mode.
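The key rule above is easy to get wrong when pre-shared keys are produced by a provisioning script rather than typed at the console. The following Python code is an added example written for this page, not HPE code: it checks a candidate pre-shared key against the stated rule and generates a compliant key from the OS CSPRNG. The page does not define which characters count as special, so the set used here (ASCII punctuation minus the question mark) is an assumption.

```python
import secrets
import string

# Rule from the pre-shared-key change description (FIPS-mode interactive entry):
# 15 to 128 characters, at least one uppercase letter, one lowercase letter,
# one digit and one special character, and no question mark (?).
MIN_LEN, MAX_LEN = 15, 128
UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
# Assumption: "special characters" means ASCII punctuation other than '?'.
SPECIALS = "".join(c for c in string.punctuation if c != "?")


def check_psk(key: str) -> list:
    """Return the list of rule violations for a candidate key; an empty list means it complies."""
    problems = []
    if not MIN_LEN <= len(key) <= MAX_LEN:
        problems.append("length must be 15 to 128 characters")
    if "?" in key:
        problems.append("question mark (?) is not allowed")
    if not any(c in UPPER for c in key):
        problems.append("missing uppercase letter")
    if not any(c in LOWER for c in key):
        problems.append("missing lowercase letter")
    if not any(c in DIGITS for c in key):
        problems.append("missing digit")
    if not any(c in SPECIALS for c in key):
        problems.append("missing special character")
    return problems


def generate_psk(length: int = 32) -> str:
    """Generate a key of the given length from the OS CSPRNG that satisfies check_psk()."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("length must be 15 to 128")
    alphabet = UPPER + LOWER + DIGITS + SPECIALS
    while True:  # rejection sampling: keys are uniform over the compliant subset
        key = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_psk(key):
            return key


if __name__ == "__main__":
    print(check_psk("Abc!def1ghijklmn"))   # compliant -> []
    print(check_psk("Abc?def1ghijklmn"))   # question mark rejected
    print(generate_psk())
```

Run the validator on any key before pasting it into the CLI: a key containing a question mark is not only rejected by the rule, it also triggers the CLI help on entry.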
Modified command: authentication-algorithm
Old syntax
In non-FIPS mode:
authentication-algorithm { md5 | sha | sm3 }
undo authentication-algorithm
In FIPS mode:
authentication-algorithm sha
undo authentication-algorithm
New syntax
In non-FIPS mode:
authentication-algorithm { md5 | sha | sha256 | sha384 | sha512 | sm3 }
undo authentication-algorithm
In FIPS mode:
authentication-algorithm { sha | sha256 | sha384 | sha512 }
undo authentication-algorithm
Views
IKE proposal view
Change description
The following keywords were added:
sha256: Specifies the HMAC-SHA256 algorithm.
sha384: Specifies the HMAC-SHA384 algorithm.
sha512: Specifies the HMAC-SHA512 algorithm.
New feature: SSL support for Suite B
Configuring Suite B in SSL
Suite B contains a set of encryption and authentication algorithms that meet high security
requirements.
In this software version, Suite B is available in SSL. In addition, a new command was added to
display the algorithm version number on the device.
Command reference
New command: display crypto version
Use display crypto version to display the algorithm version number.
Syntax
display crypto version
Views
Any view
Predefined user roles
network-admin
network-operator
Usage guidelines
The algorithm version number identifies a suite of cryptographic algorithms.
Examples
# Display the algorithm version number.
<Sysname> display crypto version
7.1.886
Table 1 Command output
Field: 7.1.886
Description: Version number information, in the format 7.1.X. 7.1 represents Comware V700R001, and X represents the algorithm version number.
New command: ssl version disable
Use ssl version disable to disable SSL protocol versions on the device.
Use undo ssl version disable to re-enable SSL protocol versions on the device.
Syntax
In non-FIPS mode:
ssl version { ssl3.0 | tls1.0 | tls1.1 } * disable
undo ssl version { ssl3.0 | tls1.0 | tls1.1 } * disable
In FIPS mode:
ssl version { tls1.0 | tls1.1 } * disable
undo ssl version { tls1.0 | tls1.1 } * disable
Default
In non-FIPS mode, the device supports SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2.
In FIPS mode, the device supports TLS 1.0, TLS 1.1, and TLS 1.2.
Views
System view
Predefined user roles
network-admin
Parameters
ssl3.0: Specifies SSL 3.0.
tls1.0: Specifies TLS 1.0.
tls1.1: Specifies TLS 1.1.
Usage guidelines
Use this command to disable SSL 3.0, TLS 1.0, or TLS 1.1 on the device to enhance system security.
This command affects the SSL server side. An SSL client always uses the SSL protocol version specified for it (by using the version command), whether you disable that protocol version or not.
An SSL server supports only TLS 1.2 after SSL 3.0, TLS 1.0, and TLS 1.1 are all disabled.
Disabling an SSL protocol version on the device does not affect the availability of earlier SSL protocol versions. For example, if you execute the ssl version tls1.1 disable command, TLS 1.1 is disabled but TLS 1.0 and SSL 3.0 are still available. To leave only TLS 1.2 enabled, disable all three versions.
In FIPS mode, the device does not support SSL 3.0.
Examples
# Disable SSL 3.0 on the device.
<Sysname> system-view
[Sysname] ssl version ssl3.0 disable
# Disable TLS 1.0 on the device.
<Sysname> system-view
[Sysname] ssl version tls1.0 disable
New command: ssl renegotiation disable
Use ssl renegotiation disable to disable SSL session renegotiation.
Use undo ssl renegotiation disable to restore the default.
Syntax
ssl renegotiation disable
undo ssl renegotiation disable
Default
SSL session renegotiation is enabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
The SSL session renegotiation feature enables the SSL client and server to reuse a previously
negotiated SSL session for an abbreviated handshake.
Disabling session renegotiation causes more computational overhead to the system but it can avoid
potential risks. Disable SSL session renegotiation only when explicitly required.
Examples
# Disable SSL session renegotiation.
<Sysname> system-view
[Sysname] ssl renegotiation disable
Modified command: version
Old syntax
In non-FIPS mode:
version { ssl3.0 | tls1.0 }
undo version
In FIPS mode:
version tls1.0
undo version
New syntax
In non-FIPS mode:
version { ssl3.0 | tls1.0 | tls1.1 | tls1.2 }
undo version
In FIPS mode:
version { tls1.0 | tls1.1 | tls1.2 }
undo version
Views
SSL client policy view
Change description
The following keywords were added:
tls1.1: Specifies TLS 1.1 for the SSL client policy.
tls1.2: Specifies TLS 1.2 for the SSL client policy.
Modified command: ciphersuite
Old syntax
In non-FIPS mode:
ciphersuite { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha |
exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha |
rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 |
rsa_rc4_128_sha } *
undo ciphersuite
In FIPS mode:
ciphersuite { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha
| rsa_aes_256_cbc_sha } *
undo ciphersuite
New syntax
In non-FIPS mode:
ciphersuite { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha |
exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha |
rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 |
rsa_rc4_128_sha | rsa_aes_128_cbc_sha256 | rsa_aes_256_cbc_sha256 |
dhe_rsa_aes_128_cbc_sha256 | dhe_rsa_aes_256_cbc_sha256 |
ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_256_cbc_sha384 |
ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_gcm_sha384 |
ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_256_cbc_sha384 |
ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_gcm_sha384 } *
undo ciphersuite
In FIPS mode:
ciphersuite { rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha256 |
rsa_aes_256_cbc_sha256 | ecdhe_rsa_aes_128_cbc_sha256 |
ecdhe_rsa_aes_256_cbc_sha384 | ecdhe_rsa_aes_128_gcm_sha256 |
ecdhe_rsa_aes_256_gcm_sha384 | ecdhe_ecdsa_aes_128_cbc_sha256 |
ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_128_gcm_sha256 |
ecdhe_ecdsa_aes_256_gcm_sha384 } *
undo ciphersuite
Views
SSL server policy view
Change description
The following keywords were added:
rsa_aes_128_cbc_sha256: Specifies the key exchange algorithm RSA, the data encryption algorithm 128-bit AES CBC, and the MAC algorithm SHA256.
rsa_aes_256_cbc_sha256: Specifies the key exchange algorithm RSA, the data encryption algorithm 256-bit AES CBC, and the MAC algorithm SHA256.
dhe_rsa_aes_128_cbc_sha256: Specifies the key exchange algorithm DHE RSA, the data encryption algorithm 128-bit AES CBC, and the MAC algorithm SHA256.
dhe_rsa_aes_256_cbc_sha256: Specifies the key exchange algorithm DHE RSA, the data encryption algorithm 256-bit AES CBC, and the MAC algorithm SHA256.
ecdhe_rsa_aes_128_cbc_sha256: Specifies the key exchange algorithm ECDHE RSA, the data encryption algorithm 128-bit AES CBC, and the MAC algorithm SHA256.
ecdhe_rsa_aes_256_cbc_sha384: Specifies the key exchange algorithm ECDHE RSA, the data encryption algorithm 256-bit AES CBC, and the MAC algorithm SHA384.
ecdhe_rsa_aes_128_gcm_sha256: Specifies the key exchange algorithm ECDHE RSA, the data encryption algorithm 128-bit AES GCM, and the hash algorithm SHA256.
ecdhe_rsa_aes_256_gcm_sha384: Specifies the key exchange algorithm ECDHE RSA, the data encryption algorithm 256-bit AES GCM, and the hash algorithm SHA384.
ecdhe_ecdsa_aes_128_cbc_sha256: Specifies the key exchange algorithm ECDHE ECDSA, the data encryption algorithm 128-bit AES CBC, and the MAC algorithm SHA256.
ecdhe_ecdsa_aes_256_cbc_sha384: Specifies the key exchange algorithm ECDHE ECDSA, the data encryption algorithm 256-bit AES CBC, and the MAC algorithm SHA384.
ecdhe_ecdsa_aes_128_gcm_sha256: Specifies the key exchange algorithm ECDHE ECDSA, the data encryption algorithm 128-bit AES GCM, and the hash algorithm SHA256.
ecdhe_ecdsa_aes_256_gcm_sha384: Specifies the key exchange algorithm ECDHE ECDSA, the data encryption algorithm 256-bit AES GCM, and the hash algorithm SHA384.
In the GCM suites, AES GCM is an AEAD cipher that authenticates each record itself; the SHA256 or SHA384 in the suite name is the TLS 1.2 PRF hash, not a separate HMAC. Per RFC 6460, only the ecdhe_ecdsa GCM suites are Suite B suites. The export-grade (exp_*), RC4, single-DES, and MD5 suites remain in the syntax but provide no meaningful protection and should not be enabled.
Modified command: prefer-cipher
Old syntax
In non-FIPS mode:
prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha |
exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha |
rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 |
rsa_rc4_128_sha }
undo prefer-cipher
In FIPS mode:
prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha |
rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha }
undo prefer-cipher
New syntax
In non-FIPS mode:
prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha |
exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha |
rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 |
rsa_rc4_128_sha | rsa_aes_128_cbc_sha256 | rsa_aes_256_cbc_sha256 |
dhe_rsa_aes_128_cbc_sha256 | dhe_rsa_aes_256_cbc_sha256 |
ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_256_cbc_sha384 |
ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_gcm_sha384 |
ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_256_cbc_sha384 |
ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_gcm_sha384 }
undo prefer-cipher
In FIPS mode:
prefer-cipher { rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha256 |
rsa_aes_256_cbc_sha256 | ecdhe_rsa_aes_128_cbc_sha256 |
ecdhe_rsa_aes_256_cbc_sha384 | ecdhe_rsa_aes_128_gcm_sha256 |
ecdhe_rsa_aes_256_gcm_sha384 | ecdhe_ecdsa_aes_128_cbc_sha256 |
ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_128_gcm_sha256 |
ecdhe_ecdsa_aes_256_gcm_sha384 }
undo prefer-cipher
Views
SSL client policy view
Change description
The following keywords were added:
rsa_aes_128_cbc_sha256: Specifies the key exchange algorithm RSA, the data encryption algorithm 128-bit AES CBC, and the MAC algorithm SHA256.
rsa_aes_256_cbc_sha256: Specifies the key exchange algorithm RSA, the data encryption algorithm 256-bit AES CBC, and the MAC algorithm SHA256.
dhe_rsa_aes_128_cbc_sha256: Specifies the key exchange algorithm DHE RSA, the data encryption algorithm 128-bit AES CBC, and the MAC algorithm SHA256.
dhe_rsa_aes_256_cbc_sha256: Specifies the key exchange algorithm DHE RSA, the data encryption algorithm 256-bit AES CBC, and the MAC algorithm SHA256.
ecdhe_rsa_aes_128_cbc_sha256: Specifies the key exchange algorithm ECDHE RSA, the data encryption algorithm 128-bit AES CBC, and the MAC algorithm SHA256.
ecdhe_rsa_aes_256_cbc_sha384: Specifies the key exchange algorithm ECDHE RSA, the data encryption algorithm 256-bit AES CBC, and the MAC algorithm SHA384.
ecdhe_rsa_aes_128_gcm_sha256: Specifies the key exchange algorithm ECDHE RSA, the data encryption algorithm 128-bit AES GCM, and the hash algorithm SHA256.
ecdhe_rsa_aes_256_gcm_sha384: Specifies the key exchange algorithm ECDHE RSA, the data encryption algorithm 256-bit AES GCM, and the hash algorithm SHA384.
ecdhe_ecdsa_aes_128_cbc_sha256: Specifies the key exchange algorithm ECDHE ECDSA, the data encryption algorithm 128-bit AES CBC, and the MAC algorithm SHA256.
ecdhe_ecdsa_aes_256_cbc_sha384: Specifies the key exchange algorithm ECDHE ECDSA, the data encryption algorithm 256-bit AES CBC, and the MAC algorithm SHA384.
ecdhe_ecdsa_aes_128_gcm_sha256: Specifies the key exchange algorithm ECDHE ECDSA, the data encryption algorithm 128-bit AES GCM, and the hash algorithm SHA256.
ecdhe_ecdsa_aes_256_gcm_sha384: Specifies the key exchange algorithm ECDHE ECDSA, the data encryption algorithm 256-bit AES GCM, and the hash algorithm SHA384.
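A practitioner reviewing an SSL server or client policy after this upgrade needs to separate the legacy suites from the Suite B ones and to pair the ciphersuite list with the ssl version disable command. The following Python script is an added example written for this page, not code from HPE or from the device: it maps the Comware ciphersuite / prefer-cipher keywords to their IANA TLS suite names, flags the ones a review would reject, and emits the CLI lines that leave only ECDHE suites (or only the two Suite B suites) and TLS 1.2. The IANA names, the reject reasons, the preferred order, and the ssl server-policy command used to enter SSL server policy view are the editor's assumptions; the keywords themselves are the ones in the syntax above, and the sample configuration line is constructed.

```python
# Comware keyword -> (IANA TLS suite name, reason to reject or None).
# Keywords are those in the ciphersuite / prefer-cipher syntax; the IANA names
# and the reject reasons are the editor's mapping, not from the release notes.
SUITES = {
    "exp_rsa_des_cbc_sha": ("TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", "40-bit export key, single DES"),
    "exp_rsa_rc2_md5": ("TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5", "40-bit export key, RC2, MD5"),
    "exp_rsa_rc4_md5": ("TLS_RSA_EXPORT_WITH_RC4_40_MD5", "40-bit export key, RC4, MD5"),
    "rsa_des_cbc_sha": ("TLS_RSA_WITH_DES_CBC_SHA", "single DES"),
    "rsa_rc4_128_md5": ("TLS_RSA_WITH_RC4_128_MD5", "RC4, MD5"),
    "rsa_rc4_128_sha": ("TLS_RSA_WITH_RC4_128_SHA", "RC4"),
    "rsa_3des_ede_cbc_sha": ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "64-bit block cipher, no forward secrecy"),
    "rsa_aes_128_cbc_sha": ("TLS_RSA_WITH_AES_128_CBC_SHA", "no forward secrecy"),
    "rsa_aes_256_cbc_sha": ("TLS_RSA_WITH_AES_256_CBC_SHA", "no forward secrecy"),
    "rsa_aes_128_cbc_sha256": ("TLS_RSA_WITH_AES_128_CBC_SHA256", "no forward secrecy"),
    "rsa_aes_256_cbc_sha256": ("TLS_RSA_WITH_AES_256_CBC_SHA256", "no forward secrecy"),
    "dhe_rsa_aes_128_cbc_sha": ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", None),
    "dhe_rsa_aes_256_cbc_sha": ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", None),
    "dhe_rsa_aes_128_cbc_sha256": ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", None),
    "dhe_rsa_aes_256_cbc_sha256": ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", None),
    "ecdhe_rsa_aes_128_cbc_sha256": ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", None),
    "ecdhe_rsa_aes_256_cbc_sha384": ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", None),
    "ecdhe_rsa_aes_128_gcm_sha256": ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", None),
    "ecdhe_rsa_aes_256_gcm_sha384": ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", None),
    "ecdhe_ecdsa_aes_128_cbc_sha256": ("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", None),
    "ecdhe_ecdsa_aes_256_cbc_sha384": ("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", None),
    "ecdhe_ecdsa_aes_128_gcm_sha256": ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", None),
    "ecdhe_ecdsa_aes_256_gcm_sha384": ("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", None),
}
# RFC 6460 Suite B profile for TLS: ECDHE + ECDSA + AES-GCM only.
SUITE_B = ("ecdhe_ecdsa_aes_128_gcm_sha256", "ecdhe_ecdsa_aes_256_gcm_sha384")
# Editor's preferred order for a hardened policy: AEAD (GCM) first, ECDSA before RSA.
STRONG_ORDER = (
    "ecdhe_ecdsa_aes_256_gcm_sha384", "ecdhe_ecdsa_aes_128_gcm_sha256",
    "ecdhe_rsa_aes_256_gcm_sha384", "ecdhe_rsa_aes_128_gcm_sha256",
    "ecdhe_ecdsa_aes_256_cbc_sha384", "ecdhe_ecdsa_aes_128_cbc_sha256",
    "ecdhe_rsa_aes_256_cbc_sha384", "ecdhe_rsa_aes_128_cbc_sha256",
)


def audit_cipher_line(line: str) -> dict:
    """Classify every keyword on one 'ciphersuite ...' or 'prefer-cipher ...' config line."""
    parts = line.split()
    if not parts or parts[0] not in ("ciphersuite", "prefer-cipher"):
        raise ValueError("expected a ciphersuite or prefer-cipher line")
    report = {"flagged": {}, "acceptable": [], "suite_b": [], "unknown": []}
    for kw in parts[1:]:
        if kw not in SUITES:
            report["unknown"].append(kw)
            continue
        iana, reason = SUITES[kw]
        if reason:
            report["flagged"][kw] = f"{iana}: {reason}"
        elif kw in SUITE_B:
            report["suite_b"].append(kw)
        else:
            report["acceptable"].append(kw)
    return report


def hardened_server_policy(policy_name: str, suite_b_only: bool = False) -> list:
    """CLI lines that restrict an SSL server policy to ECDHE suites (or Suite B only) and TLS 1.2.

    Assumption: 'ssl server-policy <name>' enters SSL server policy view on this platform.
    """
    keep = [k for k in STRONG_ORDER if not suite_b_only or k in SUITE_B]
    return [
        "system-view",
        "ssl version ssl3.0 tls1.0 tls1.1 disable",  # the server then accepts TLS 1.2 only
        f"ssl server-policy {policy_name}",
        "ciphersuite " + " ".join(keep),
    ]


if __name__ == "__main__":
    # Constructed configuration line, not taken from a device.
    sample = ("ciphersuite rsa_rc4_128_md5 exp_rsa_des_cbc_sha rsa_aes_128_cbc_sha "
              "ecdhe_ecdsa_aes_256_gcm_sha384 ecdhe_rsa_aes_128_gcm_sha256")
    for kw, why in audit_cipher_line(sample)["flagged"].items():
        print(f"reject {kw}: {why}")
    print("\n".join(hardened_server_policy("web", suite_b_only=True)))
```

The same mapping applies to the client-side prefer-cipher command, where only one keyword is accepted: pick the first entry of STRONG_ORDER that the peer also supports.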
New feature: FIPS support for Suite B
Configuring Suite B in FIPS
Suite B contains a set of encryption and authentication algorithms that meet high security
requirements.
In this software version, new FIPS commands were added to support Suite B.
Command reference
New command: fips rng random size filename
Use fips rng random size filename to generate a random number and save it to a file.
Syntax
fips rng random size random-size filename filename
Views
Probe view
Predefined user roles
network-admin
Parameters
random-size: Specifies the random number size in the range of 1 to 1000000 bytes.
filename: Specifies the name of the file to save the random number. The file name is a
case-insensitive string.
Usage guidelines
Use this command in FIPS mode to generate a random number and save it to a file.
Examples
# Generate a 100000-byte random number and save it to a file named out.bin.
<Sysname> system-view
[Sysname] probe
[Sysname-probe] fips rng random size 100000 filename out.bin
Generating random number. Please wait...
Random number saved to file successfully.
New command: fips rng random size round rate-statistics
Use fips rng random size round rate-statistics to calculate the average rate at which random
numbers are generated.
Syntax
fips rng random size random-size round round rate-statistics
Views
Probe view
Predefined user roles
network-admin
Parameters
random-size: Specifies the random number size in the range of 1 to 1000000 bytes.
round: Specifies the number of random number generations, in the range of 3 to 10.
Usage guidelines
Use this command in FIPS mode to calculate the average rate at which random numbers are
generated.
Examples
# Generate five 100000-byte random numbers and calculate the average rate at which the random
numbers are generated.
<Sysname> system-view
[Sysname] probe
[Sysname-probe] fips rng random size 100000 round 5 rate-statistics
Random number generated successfully.
Rate: 5000 bytes/s
Rate: 5100 bytes/s
Rate: 4900 bytes/s
Rate: 4800 bytes/s
Rate: 5200 bytes/s
Average rate: 5000 bytes/s
New command: fips rng entropy size filename
Use fips rng entropy size filename to generate a random number entropy and save it to a file.
Syntax
fips rng entropy size entropy-size filename filename
Views
Probe view
Predefined user roles
network-admin
Parameters
entropy-size: Specifies the random number entropy size in the range of 1 to 1000000 bytes.
filename: Specifies the name of the file to save the random number entropy. The file name is a
case-insensitive string.
Usage guidelines
Use this command in FIPS mode to generate a random number entropy and save it to a file.
Examples
# Generate a 100000-byte random number entropy and save it to a file named out.bin.
<Sysname> system-view
[Sysname] probe
[Sysname-probe] fips rng entropy size 100000 filename out.bin
Generating random number entropy. Please wait...
Entropy saved to file successfully.
New command: fips rng entropy size round rate-statistics
Use fips rng entropy size round rate-statistics to calculate the average rate at which random
number entropies are generated.
Syntax
fips rng entropy size entropy-size round round rate-statistics
Views
Probe view
Predefined user roles
network-admin
Parameters
entropy-size: Specifies the random number entropy size in the range of 1 to 1000000 bytes.
round: Specifies the number of random number entropy generations, in the range of 3 to 10.
Usage guidelines
Use this command in FIPS mode to calculate the average rate at which random number entropies
are generated.
Examples
# Generate five 100000-byte random number entropies and calculate the average rate at which the
random number entropies are generated.
<Sysname> system-view
[Sysname] probe
[Sysname-probe] fips rng entropy size 100000 round 5 rate-statistics
Entropy generated successfully.
Rate: 5000 bytes/s
Rate: 5100 bytes/s
Rate: 4900 bytes/s
Rate: 4800 bytes/s
Rate: 5200 bytes/s
Average rate: 5000 bytes/s
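The random number and entropy files written by the fips rng random size filename and fips rng entropy size filename commands exist so that a third party can examine the generator's output. The following Python script is an added example written for this page, not HPE code or a validation lab's tooling: it runs the FIPS 140-2 power-up statistical tests (monobit, poker, runs and long run) on a 20,000-bit sample, such as the first 2,500 bytes of out.bin copied off the device. The thresholds are those of FIPS 140-2 change notice 2; the three sample buffers are constructed in the script (a seeded PRNG standing in for a sound generator, and two degenerate patterns), not device output.

```python
import random

# FIPS 140-2 (change notice 2) power-up statistical tests on a 20,000-bit sample.
# Test names and bounds come from that standard, not from the release notes.
SAMPLE_BITS = 20000
SAMPLE_BYTES = SAMPLE_BITS // 8  # 2500 bytes
RUN_BOUNDS = {1: (2315, 2685), 2: (1114, 1386), 3: (527, 723),
              4: (240, 384), 5: (103, 209), 6: (103, 209)}  # run length (6 = 6 or more) -> allowed count
LONG_RUN = 26  # a run of 26 or more identical bits fails the long-run test


def _bits(data: bytes):
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def monobit(data: bytes) -> dict:
    ones = sum(_bits(data))
    return {"count": ones, "ok": 9725 < ones < 10275}


def poker(data: bytes) -> dict:
    counts = [0] * 16  # occurrences of each 4-bit value across the 5000 nibbles
    for byte in data:
        counts[byte >> 4] += 1
        counts[byte & 0x0F] += 1
    x = 16 * sum(c * c for c in counts) / 5000 - 5000
    return {"x": x, "ok": 2.16 < x < 46.17}


def runs(data: bytes) -> dict:
    bits = list(_bits(data))
    counts = {0: dict.fromkeys(RUN_BOUNDS, 0), 1: dict.fromkeys(RUN_BOUNDS, 0)}
    longest, i = 0, 0
    while i < len(bits):
        j = i
        while j < len(bits) and bits[j] == bits[i]:
            j += 1
        length = j - i
        longest = max(longest, length)
        counts[bits[i]][min(length, 6)] += 1
        i = j
    ok = longest < LONG_RUN and all(
        lo <= counts[b][n] <= hi for b in (0, 1) for n, (lo, hi) in RUN_BOUNDS.items())
    return {"counts": counts, "longest": longest, "ok": ok}


def fips_tests(data: bytes) -> dict:
    """Run all four tests on exactly one 2,500-byte sample and return per-test results."""
    if len(data) != SAMPLE_BYTES:
        raise ValueError(f"need exactly {SAMPLE_BYTES} bytes, got {len(data)}")
    result = {"monobit": monobit(data), "poker": poker(data), "runs": runs(data)}
    result["ok"] = all(result[k]["ok"] for k in ("monobit", "poker", "runs"))
    return result


def check_file(path: str) -> dict:
    """Test the first sample of a file such as out.bin copied off the device."""
    with open(path, "rb") as f:
        return fips_tests(f.read(SAMPLE_BYTES))


# Constructed samples, not device output: a seeded PRNG stands in for a sound generator;
# the two patterns are what a stuck or broken generator might emit.
_rng = random.Random(20160101)
GOOD_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(SAMPLE_BYTES))
ALL_ZERO = bytes(SAMPLE_BYTES)
ALTERNATING = b"\xaa" * SAMPLE_BYTES  # 10101010...: passes monobit, fails poker and runs

if __name__ == "__main__":
    for name, sample in (("good", GOOD_SAMPLE), ("all-zero", ALL_ZERO), ("alternating", ALTERNATING)):
        r = fips_tests(sample)
        print(f"{name:12s} monobit={r['monobit']['ok']} poker={r['poker']['ok']} "
              f"runs={r['runs']['ok']} longest={r['runs']['longest']} -> {'PASS' if r['ok'] else 'FAIL'}")
```

The alternating pattern is the instructive case: it has exactly 10,000 one bits and so passes the monobit test, yet it fails the poker and runs tests, which is why a single test is never sufficient. A 100,000-byte file from the device yields 40 independent samples; test each one.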
New command: fips kdf
Use fips kdf to derive a key from an import file and save it to an export file.
Syntax
fips kdf { ikev1 { dsa | psk } | ikev2 | tls } import inputfile export outputfile
Views
Probe view
Predefined user roles
network-admin
Usage guidelines
Use this command in FIPS mode to derive a key from the vectors in the import file so that a third party can verify whether the key derivation meets the CC/FIPS validation requirements.
Examples
# Derive an ikev1 pre-shared key from an import file named ikev1_psk.req and save the key to an
export file named ikev1_psk.rsp.
<Sysname> system-view
[Sysname] probe
[Sysname-probe] fips kdf ikev1 psk import ikev1_psk.req export ikev1_psk.rsp
New command: fips algorithm verify param
Use fips algorithm verify param to execute an algorithm test vector and generate a result file.
Syntax
fips algorithm verify param param
Views
System view
Predefined user roles
network-admin
Usage guidelines
Use this command in FIPS mode to execute an algorithm test vector and generate a result file for a third party to verify.
Examples
# Execute the DSA2 test vector in a file named 01-HP-MPC8544/DSA2/req/PQGGen.req, and
generate a result file named 01-HP-MPC8544/DSA2/resp/PQGGen.rsp.
<Sysname> system-view
[Sysname] fips algorithm verify fips_dssvs pqg 01-HP-MPC8544/DSA2/req/PQGGen.req
01-HP-MPC8544/DSA2/resp/PQGGen.rsp
Modified command: fips self-test
Syntax
fips self-test
Views
System view
Change description
Self-tests were added for the following algorithms:
3DES.
ECDH.
Random number generator (RNG).
GCM.
GMAC.
New feature: SSH support for Suite B
Configuring SSH based on Suite B algorithms
Suite B contains a set of encryption and authentication algorithms that meet high security
requirements. Table 2 lists all algorithms in Suite B.
The SSH server and client support using the X.509v3 certificate for identity authentication in
compliance with the algorithm, negotiation, and authentication specifications defined in RFC 6239.
Table 2 Suite B algorithms
128-bit security level:
  Key exchange algorithm: ecdh-sha2-nistp256
  Encryption algorithm and HMAC algorithm: AEAD_AES_128_GCM
  Public key algorithms: x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384
192-bit security level:
  Key exchange algorithm: ecdh-sha2-nistp384
  Encryption algorithm and HMAC algorithm: AEAD_AES_256_GCM
  Public key algorithm: x509v3-ecdsa-sha2-nistp384
Both security levels:
  Key exchange algorithms: ecdh-sha2-nistp256, ecdh-sha2-nistp384
  Encryption algorithms and HMAC algorithms: AEAD_AES_128_GCM, AEAD_AES_256_GCM
  Public key algorithms: x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384
Specifying a PKI domain for the SSH server
The PKI domain specified for the SSH server has the following functions:
The SSH server uses the PKI domain to send its certificate to the client in the key exchange
stage.
The SSH server uses the PKI domain to authenticate the client's certificate if no PKI domain is
specified for the client authentication by using the ssh user command.
To specify a PKI domain for the SSH server:
99. Enter system view: system-view
100. Specify a PKI domain for the SSH server: ssh server pki-domain domain-name. By default, no PKI domain is specified for the SSH server.
Establishing a connection to a Stelnet server based on Suite B
Task: Establish a connection to a Stelnet server based on Suite B. Available in user view. The client cannot establish connections to both IPv4 and IPv6 Stelnet servers.
IPv4 Stelnet server: ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ dscp dscp-value | escape character | source { interface interface-type interface-number | ip ip-address } ] *
IPv6 Stelnet server: ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ -i interface-type interface-number ] [ prefer-compress zlib ] [ dscp dscp-value | escape character | source { interface interface-type interface-number | ipv6 ipv6-address } ] *
Establishing a connection to an SFTP server based on Suite B
Task: Establish a connection to an SFTP server based on Suite B. Available in user view. The client cannot establish connections to both IPv4 and IPv6 SFTP servers.
IPv4 SFTP server: sftp server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ dscp dscp-value | source { interface interface-type interface-number | ip ip-address } ] *
IPv6 SFTP server: sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ -i interface-type interface-number ] [ prefer-compress zlib ] [ dscp dscp-value | source { interface interface-type interface-number | ipv6 ipv6-address } ] *
Establishing a connection to an SCP server based on Suite B
Task: Establish a connection to an SCP server based on Suite B. Available in user view. The client cannot establish connections to both IPv4 and IPv6 SCP servers.
IPv4 SCP server: scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ source { interface interface-type interface-number | ip ip-address } ] *
IPv6 SCP server: scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] { put | get } source-file-name [ destination-file-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ source { interface interface-type interface-number | ipv6 ipv6-address } ] *
Specifying algorithms for SSH2
Perform this task to specify the following types of algorithms that the SSH2 client and server use for
algorithm negotiation during the Stelnet, SFTP, or SCP session establishment:
Key exchange algorithms.
Public key algorithms.
Encryption algorithms.
MAC algorithms.
If you specify algorithms, SSH2 uses only the specified algorithms for algorithm negotiation. The
client uses the specified algorithms to initiate the negotiation, and the server uses the matching
algorithms to negotiate with the client.
If multiple algorithms of the same type are specified, the algorithm specified earlier has a higher
priority during negotiation.
Specifying key exchange algorithms for SSH2
101. Enter system view: system-view
102. Specify key exchange algorithms for SSH2.
In non-FIPS mode: ssh2 algorithm key-exchange { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } *
In FIPS mode: ssh2 algorithm key-exchange { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } *
By default, SSH2 uses the key exchange algorithms ecdh-sha2-nistp256, ecdh-sha2-nistp384, dh-group-exchange-sha1, dh-group14-sha1, and dh-group1-sha1 in descending order of priority for algorithm negotiation.
Specifying public key algorithms for SSH2
103. Enter system view: system-view
104. Specify public key algorithms for SSH2.
In non-FIPS mode: ssh2 algorithm public-key { dsa | ecdsa | rsa | x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } *
In FIPS mode: ssh2 algorithm public-key { ecdsa | rsa | x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } *
By default, SSH2 uses the public key algorithms x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384, ecdsa, rsa, and dsa in descending order of priority for algorithm negotiation.
Specifying encryption algorithms for SSH2
105. Enter system view: system-view
106. Specify encryption algorithms for SSH2.
In non-FIPS mode: ssh2 algorithm cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } *
In FIPS mode: ssh2 algorithm cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } *
By default, SSH2 uses the encryption algorithms aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm, aes256-gcm, aes128-cbc, 3des-cbc, aes256-cbc, and des-cbc in descending order of priority for algorithm negotiation.
Specifying MAC algorithms for SSH2
107. Enter system view: system-view
108. Specify MAC algorithms for SSH2.
In non-FIPS mode: ssh2 algorithm mac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } *
In FIPS mode: ssh2 algorithm mac { sha1 | sha1-96 | sha2-256 | sha2-512 } *
By default, SSH2 uses the MAC algorithms sha2-256, sha2-512, sha1, md5, sha1-96, and md5-96 in descending order of priority for algorithm negotiation.
Command reference
New command: display ssh2 algorithm
Use display ssh2 algorithm to display algorithms used by SSH2 in the algorithm negotiation stage.
Syntax
display ssh2 algorithm
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display algorithms used by SSH2 in the algorithm negotiation stage.
<Sysname> display ssh2 algorithm
Key exchange algorithms : ecdh-sha2-nistp256 ecdh-sha2-nistp384 dh-group-exchange-sha1
dh-group14-sha1 dh-group1-sha1
Public key algorithms : x509v3-ecdsa-sha2-nistp256 x509v3-ecdsa-sha2-nistp384 ecdsa rsa
dsa
Encryption algorithms : aes128-ctr aes192-ctr aes256-ctr aes128-gcm aes256-gcm
aes128-cbc 3des-cbc aes256-cbc des-cbc
MAC algorithms : sha2-256 sha2-512 sha1 md5 sha1-96 md5-96
Table 3 Command output
Field Description
Key exchange algorithms Key exchange algorithms in descending order of priority for algorithm negotiation.
Public key algorithms Public key algorithms in descending order of priority for algorithm negotiation.
Encryption algorithms Encryption algorithms in descending order of priority for algorithm negotiation.
MAC algorithms MAC algorithms in descending order of priority for algorithm negotiation.
Related commands
ssh2 algorithm cipher
ssh2 algorithm key-exchange
ssh2 algorithm mac
ssh2 algorithm public-key
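To see what an upgraded device will actually negotiate, parse the display ssh2 algorithm output and compare it with the Suite B profiles in Table 2. The following Python script is an added example written for this page, not HPE code: it parses the output shown above (a copy of the page's sample, embedded as constructed input), flags the algorithms a security review would not allow on a hardened device, and builds the ssh2 algorithm commands for one Suite B security level. The reject reasons are the editor's judgment, and the mapping of the AEAD_AES_128_GCM and AEAD_AES_256_GCM entries in Table 2 to the aes128-gcm and aes256-gcm cipher keywords is an assumption.

```python
# Display output copied from the example above and embedded as constructed input.
SAMPLE_OUTPUT = """\
Key exchange algorithms : ecdh-sha2-nistp256 ecdh-sha2-nistp384 dh-group-exchange-sha1
dh-group14-sha1 dh-group1-sha1
Public key algorithms : x509v3-ecdsa-sha2-nistp256 x509v3-ecdsa-sha2-nistp384 ecdsa rsa
dsa
Encryption algorithms : aes128-ctr aes192-ctr aes256-ctr aes128-gcm aes256-gcm
aes128-cbc 3des-cbc aes256-cbc des-cbc
MAC algorithms : sha2-256 sha2-512 sha1 md5 sha1-96 md5-96
"""

# Algorithms a review would not let a hardened device negotiate. The reasons are the
# editor's judgment, not statements from the release notes.
WEAK = {
    "dh-group1-sha1": "1024-bit MODP group",
    "dh-group-exchange-sha1": "SHA-1 group exchange, client-chosen group size",
    "dh-group14-sha1": "SHA-1 in key exchange",
    "dsa": "1024-bit DSA keys",
    "des-cbc": "single DES",
    "3des-cbc": "64-bit block cipher",
    "aes128-cbc": "CBC mode in SSH",
    "aes256-cbc": "CBC mode in SSH",
    "md5": "MD5 HMAC",
    "md5-96": "truncated MD5 HMAC",
    "sha1-96": "truncated SHA-1 HMAC",
}

# Suite B profiles from Table 2 (RFC 6239). Assumption: AEAD_AES_128_GCM and
# AEAD_AES_256_GCM correspond to the aes128-gcm and aes256-gcm cipher keywords.
SUITE_B = {
    "128-bit": {"key-exchange": ["ecdh-sha2-nistp256"], "cipher": ["aes128-gcm"],
                "public-key": ["x509v3-ecdsa-sha2-nistp256", "x509v3-ecdsa-sha2-nistp384"]},
    "192-bit": {"key-exchange": ["ecdh-sha2-nistp384"], "cipher": ["aes256-gcm"],
                "public-key": ["x509v3-ecdsa-sha2-nistp384"]},
}


def parse_display(output: str) -> dict:
    """Parse display ssh2 algorithm output into {field: [algorithms in priority order]}."""
    algs, current = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" in line:
            name, _, rest = line.partition(":")
            current = name.strip()
            algs[current] = rest.split()
        elif current is not None:  # a line wrapped by the terminal continues the previous field
            algs[current].extend(line.split())
    return algs


def audit(algs: dict) -> dict:
    """Return {field: {algorithm: reason}} for every negotiable algorithm on the WEAK list."""
    return {field: {a: WEAK[a] for a in lst if a in WEAK} for field, lst in algs.items()}


def suite_b_commands(level: str) -> list:
    """System-view CLI lines that restrict SSH2 negotiation to one Suite B security level."""
    profile = SUITE_B[level]
    return [
        "system-view",
        "ssh2 algorithm key-exchange " + " ".join(profile["key-exchange"]),
        "ssh2 algorithm public-key " + " ".join(profile["public-key"]),
        "ssh2 algorithm cipher " + " ".join(profile["cipher"]),
        # AES-GCM authenticates the data itself; the MAC list only matters if a
        # non-AEAD cipher were ever negotiated, so keep only the SHA-2 HMACs.
        "ssh2 algorithm mac sha2-256 sha2-512",
    ]


if __name__ == "__main__":
    algs = parse_display(SAMPLE_OUTPUT)
    for field, bad in audit(algs).items():
        for a, why in bad.items():
            print(f"{field}: {a} ({why})")
    print("\n".join(suite_b_commands("192-bit")))
```

Because the default lists still advertise des-cbc, md5-96 and dh-group1-sha1, a downgrade to those algorithms is possible until the ssh2 algorithm commands are applied; the audit output tells you exactly which entries the defaults leave exposed.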
New command: ssh server pki-domain
Use ssh server pki-domain to specify a PKI domain for the SSH server.
Use undo ssh server pki-domain to delete the PKI domain of the SSH server.
Syntax
ssh server pki-domain domain-name
undo ssh server pki-domain
Default
No PKI domain is specified for an SSH server.
Views
System view
Predefined user roles
network-admin
Parameters
domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters,
excluding the characters listed in Table 4.
Table 4 Invalid characters for a PKI domain name
Tilde (~), asterisk (*), backslash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
Examples
# Specify the PKI domain serverpkidomain for the SSH server.
<Sysname> system-view
[Sysname] ssh server pki-domain serverpkidomain
New command: scp ipv6 suite-b
Use scp ipv6 suite-b to establish a connection to an IPv6 SCP server based on Suite B algorithms
and transfer files with the server.
Syntax
scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type
interface-number ] { put | get } source-file-name [ destination-file-name ] suite-b [ 128-bit | 192-bit ]
pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ source
{ interface interface-type interface-number | ipv6 ipv6-address } ] *
Views
User view
Predefined user roles
network-admin
Parameters
server: Specifies a server by its IPv6 address or host name, a case-insensitive string of 1 to 253
characters.
port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs.
The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to
31 characters.
-i interface-type interface-number: Specifies an output interface by its type and number for SCP
packets. Specify this option when the server uses a link-local address to provide the SCP service for
the client. The specified output interface on the SCP client must have a link-local address.
get: Downloads the file.
put: Uploads the file.
source-file-name: Specifies the name of the source file.
destination-file-name: Specifies the name of the target file. If you do not specify this argument, the
target file uses the same file name as the source file.
suite-b: Specifies the Suite B algorithms. If neither the 128-bit keyword nor the 192-bit keyword is
specified, all algorithms in Suite B are used. For more information about the Suite B algorithms, see
Table 6.
128-bit: Specifies the 128-bit Suite B security level.
192-bit: Specifies the 192-bit Suite B security level.
pki-domain domain-name: Specifies the PKI domain of the client's certificate. The domain-name
argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters, excluding
the characters listed in Table 5.
Table 5 Invalid characters for a PKI domain name
Tilde (~), asterisk (*), backslash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate.
The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31
characters, excluding the characters listed in Table 5.
prefer-compress: Specifies the preferred compression algorithm for data compression between the
server and the client. By default, compression is not supported.
zlib: Specifies the compression algorithm zlib.
source: Specifies a source IPv6 address or source interface for IPv6 SCP packets. By default, the
device automatically selects a source address for IPv6 SCP packets in compliance with RFC 3484.
For successful SCP connections, use one of the following methods:
Specify the loopback interface as the source interface.
Specify the IPv6 address of the loopback interface as the source IPv6 address.
interface interface-type interface-number: Specifies a source interface by its type and number. The
IPv6 address of this interface is the source IPv6 address of the IPv6 SCP packets.
ipv6 ipv6-address: Specifies a source IPv6 address.
Usage guidelines
Table 6 Suite B algorithms
128-bit security level:
  Key exchange algorithm: ecdh-sha2-nistp256
  Encryption algorithm and HMAC algorithm: AEAD_AES_128_GCM
  Public key algorithms: x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384
192-bit security level:
  Key exchange algorithm: ecdh-sha2-nistp384
  Encryption algorithm and HMAC algorithm: AEAD_AES_256_GCM
  Public key algorithm: x509v3-ecdsa-sha2-nistp384
Both security levels:
  Key exchange algorithms: ecdh-sha2-nistp256, ecdh-sha2-nistp384
  Encryption algorithms and HMAC algorithms: AEAD_AES_128_GCM, AEAD_AES_256_GCM
  Public key algorithms: x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384
If the client and the server have negotiated to use certificate authentication, the client must verify the
server's certificate. For the client to correctly get the server's certificate, you must specify the server's
PKI domain on the client by using the server-pki-domain domain-name option. The client uses the
CA certificate stored in the specified PKI domain to verify the server's certificate and does not need to
save the server's public key before authentication. If you do not specify the server's PKI domain, the
client uses the PKI domain of its own certificate to verify the server's certificate.
Examples
# Use the 192-bit Suite B algorithms to establish a connection to the SCP server 2000::1 and download the file abc.txt from the server. Specify the client's PKI domain and the server's PKI domain as clientpkidomain and serverpkidomain, respectively.
<Sysname> scp ipv6 2000::1 get abc.txt suite-b 192-bit pki-domain clientpkidomain
server-pki-domain serverpkidomain
New command: scp suite-b
Use scp suite-b to establish a connection to an SCP server based on Suite B algorithms and
transfer files with the server.
Syntax
scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name
[ destination-file-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain
domain-name ] [ prefer-compress zlib ] [ source { interface interface-type interface-number | ip
ip-address } ] *
Views
User view
Predefined user roles
network-admin
Parameters
server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 253
characters.
port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs.
The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to
31 characters.
get: Downloads the file.
put: Uploads the file.
source-file-name: Specifies the name of the source file.
destination-file-name: Specifies the name of the target file. If you do not specify this argument, the
target file uses the same file name as the source file.
suite-b: Specifies the Suite B algorithms. If neither the 128-bit keyword nor the 192-bit keyword is
specified, all algorithms in Suite B are used. For more information about the Suite B algorithms, see
Table 6.
128-bit: Specifies the 128-bit Suite B security level.
192-bit: Specifies the 192-bit Suite B security level.
pki-domain domain-name: Specifies the PKI domain of the client's certificate. The domain-name
argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters, excluding
the characters listed in Table 7.
Table 7 Invalid characters for a PKI domain name
Character name        Symbol
Tilde                 ~
Asterisk              *
Backslash             \
Vertical bar          |
Colon                 :
Dot                   .
Left angle bracket    <
Right angle bracket   >
Quotation marks       "
Apostrophe            '
server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate.
The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31
characters, excluding the characters listed in Table 7.
prefer-compress: Specifies the preferred compression algorithm for data compression between the
server and the client. By default, compression is not supported.
zlib: Specifies the compression algorithm zlib.
source: Specifies a source IP address or source interface for SCP packets. By default, the device
uses the primary IPv4 address of the output interface in the routing entry as the source address of
SCP packets. For successful SCP connections, use one of the following methods:
Specify the loopback interface as the source interface.
Specify the IPv4 address of the loopback interface as the source IPv4 address.
interface interface-type interface-number: Specifies a source interface by its type and number. The
IPv4 address of this interface is the source IPv4 address of the SCP packets.
ip ip-address: Specifies a source IPv4 address.
Usage guidelines
If the client and the server have negotiated to use certificate authentication, the client must verify the
server's certificate. For the client to correctly get the server's certificate, you must specify the server's
PKI domain on the client by using the server-pki-domain domain-name option. The client uses the
CA certificate stored in the specified PKI domain to verify the server's certificate and does not need to
save the server's public key before authentication. If you do not specify the server's PKI domain, the
client uses the PKI domain of its own certificate to verify the server's certificate.
Examples
# Use the 128-bit Suite B algorithms to establish a connection to the SCP server 200.1.1.1 and
download the file abc.txt from the server. Specify the client's PKI domain and the server's PKI
domain as clientpkidomain and serverpkidomain, respectively.
<Sysname> scp 200.1.1.1 get abc.txt suite-b 128-bit pki-domain clientpkidomain
server-pki-domain serverpkidomain
New command: sftp ipv6 suite-b
Use sftp ipv6 suite-b to establish a connection to an IPv6 SFTP server based on Suite B algorithms
and enter SFTP client view.
Syntax
sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ]
pki-domain domain-name [ server-pki-domain domain-name ] [ -i interface-type interface-number ]
[ prefer-compress zlib ] [ dscp dscp-value | source { interface interface-type interface-number |
ipv6 ipv6-address } ] *
Views
User view
Predefined user roles
network-admin
Parameters
server: Specifies a server by its IPv6 address or host name, a case-insensitive string of 1 to 253
characters.
port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs.
The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to
31 characters.
-i interface-type interface-number: Specifies an output interface by its type and number for IPv6
SFTP packets. Specify this option when the server uses a link-local address to provide the SFTP
service for the client. The specified output interface on the SFTP client must have a link-local
address.
suite-b: Specifies the Suite B algorithms. If neither the 128-bit keyword nor the 192-bit keyword is
specified, all algorithms in Suite B are used. For more information about the Suite B algorithms, see
Table 6.
128-bit: Specifies the 128-bit Suite B security level.
192-bit: Specifies the 192-bit Suite B security level.
pki-domain domain-name: Specifies the PKI domain of the client's certificate. The domain-name
argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters, excluding
the characters listed in Table 8.
Table 8 Invalid characters for a PKI domain name
Character name        Symbol
Tilde                 ~
Asterisk              *
Backslash             \
Vertical bar          |
Colon                 :
Dot                   .
Left angle bracket    <
Right angle bracket   >
Quotation marks       "
Apostrophe            '
server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate.
The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31
characters, excluding the characters listed in Table 8.
prefer-compress: Specifies the preferred compression algorithm for data compression between the
server and the client. By default, compression is not supported.
zlib: Specifies the compression algorithm zlib.
dscp dscp-value: Specifies the DSCP value in the IPv6 SFTP packets. The value range for the
dscp-value argument is 0 to 63, and the default value is 48. The DSCP value determines the
transmission priority of the packet.
source: Specifies a source IP address or source interface for IPv6 SFTP packets. By default, the
device automatically selects a source address for IPv6 SFTP packets in compliance with RFC 3484.
For successful IPv6 SFTP connections, use one of the following methods:
Specify the loopback interface as the source interface.
Specify the IPv6 address of the loopback interface as the source IPv6 address.
interface interface-type interface-number: Specifies a source interface by its type and number. The
IPv6 address of this interface is the source IP address of the IPv6 SFTP packets.
ipv6 ipv6-address: Specifies a source IPv6 address.
Usage guidelines
If the client and the server have negotiated to use certificate authentication, the client must verify the
server's certificate. For the client to correctly get the server's certificate, you must specify the server's
PKI domain on the client by using the server-pki-domain domain-name option. The client uses the
CA certificate stored in the specified PKI domain to verify the server's certificate and does not need to
save the server's public key before authentication. If you do not specify the server's PKI domain, the
client uses the PKI domain of its own certificate to verify the server's certificate.
Examples
# Use the 192-bit Suite B algorithms to establish a connection to the SFTP server 2000::1. Specify
the client's PKI domain and the server's PKI domain as clientpkidomain and serverpkidomain,
respectively.
<Sysname> sftp ipv6 2000::1 suite-b 192-bit pki-domain clientpkidomain server-pki-domain
serverpkidomain
New command: sftp suite-b
Use sftp suite-b to establish a connection to an IPv4 SFTP server based on Suite B algorithms and
enter SFTP client view.
Syntax
sftp server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ]
pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ dscp
dscp-value | source { interface interface-type interface-number | ip ip-address } ] *
Views
User view
Predefined user roles
network-admin
Parameters
server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 253
characters.
port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs.
The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to
31 characters.
suite-b: Specifies the Suite B algorithms. If neither the 128-bit keyword nor the 192-bit keyword is
specified, all algorithms in Suite B are used. For more information about the Suite B algorithms, see
Table 6.
128-bit: Specifies the 128-bit Suite B security level.
192-bit: Specifies the 192-bit Suite B security level.
pki-domain domain-name: Specifies the PKI domain of the client's certificate. The domain-name
argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters, excluding
the characters listed in Table 9.
Table 9 Invalid characters for a PKI domain name
Character name        Symbol
Tilde                 ~
Asterisk              *
Backslash             \
Vertical bar          |
Colon                 :
Dot                   .
Left angle bracket    <
Right angle bracket   >
Quotation marks       "
Apostrophe            '
server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate.
The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31
characters, excluding the characters listed in Table 9.
prefer-compress: Specifies the preferred compression algorithm for data compression between the
server and the client. By default, compression is not supported.
zlib: Specifies the compression algorithm zlib.
dscp dscp-value: Specifies the DSCP value in the IPv4 SFTP packets. The value range for the
dscp-value argument is 0 to 63, and the default value is 48. The DSCP value determines the
transmission priority of the packet.
source: Specifies a source IP address or source interface for the SFTP packets. By default, the
device uses the primary IPv4 address of the output interface in the routing entry as the source
address of SFTP packets. For successful SFTP connections, use one of the following methods:
Specify the loopback interface as the source interface.
Specify the IPv4 address of the loopback interface as the source IPv4 address.
interface interface-type interface-number: Specifies a source interface by its type and number. The
primary IPv4 address of this interface is the source IPv4 address of the SFTP packets.
ip ip-address: Specifies a source IPv4 address.
Usage guidelines
If the client and the server have negotiated to use certificate authentication, the client must verify the
server's certificate. For the client to correctly get the server's certificate, you must specify the server's
PKI domain on the client by using the server-pki-domain domain-name option. The client uses the
CA certificate stored in the specified PKI domain to verify the server's certificate and does not need to
save the server's public key before authentication. If you do not specify the server's PKI domain, the
client uses the PKI domain of its own certificate to verify the server's certificate.
Examples
# Use the 128-bit Suite B algorithms to establish a connection to the SFTP server 10.1.1.2. Specify
the client's PKI domain and the server's PKI domain as clientpkidomain and serverpkidomain,
respectively.
<Sysname> sftp 10.1.1.2 suite-b 128-bit pki-domain clientpkidomain server-pki-domain
serverpkidomain
New command: ssh2 ipv6 suite-b
Use ssh2 ipv6 suite-b to establish a connection to an IPv6 Stelnet server based on Suite B
algorithms.
Syntax
ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ]
pki-domain domain-name [ server-pki-domain domain-name ] [ -i interface-type interface-number ]
[ prefer-compress zlib ] [ dscp dscp-value | escape character | source { interface interface-type
interface-number | ipv6 ipv6-address } ] *
Views
User view
Predefined user roles
network-admin
Parameters
server: Specifies a server by its IPv6 address or host name, a case-insensitive string of 1 to 253
characters.
port-number: Specifies the port number of the server, in the range 1 to 65535. The default is 22.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs.
The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to
31 characters.
-i interface-type interface-number: Specifies an output interface by its type and number for IPv6 SSH
packets. Specify this option when the server uses a link-local address to provide the Stelnet service
for the client. The specified output interface on the Stelnet client must have a link-local address.
suite-b: Specifies the Suite B algorithms. If neither the 128-bit keyword nor the 192-bit keyword is
specified, all algorithms in Suite B are used. For more information about the Suite B algorithms, see
Table 6.
128-bit: Specifies the 128-bit Suite B security level.
192-bit: Specifies the 192-bit Suite B security level.
pki-domain domain-name: Specifies the PKI domain of the client's certificate. The domain-name
argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters, excluding
the characters listed in Table 10.
Table 10 Invalid characters for a PKI domain name
Character name        Symbol
Tilde                 ~
Asterisk              *
Backslash             \
Vertical bar          |
Colon                 :
Dot                   .
Left angle bracket    <
Right angle bracket   >
Quotation marks       "
Apostrophe            '
server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate.
The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31
characters, excluding the characters listed in Table 10.
prefer-compress: Specifies the preferred compression algorithm for data compression between the
server and the client. By default, compression is not supported.
zlib: Specifies the compression algorithm zlib.
dscp dscp-value: Specifies the DSCP value in the IPv6 SSH packets. The value range for the
dscp-value argument is 0 to 63, and the default value is 48. The DSCP value determines the
transmission priority of the packet.
escape character: Specifies a case-sensitive escape character. By default, the escape character is a
tilde (~).
source: Specifies a source IP address or source interface for IPv6 SSH packets. By default, the
device automatically selects a source address for IPv6 SSH packets in compliance with RFC 3484.
For successful IPv6 Stelnet connections, use one of the following methods:
Specify the loopback interface as the source interface.
Specify the IPv6 address of the loopback interface as the source IPv6 address.
interface interface-type interface-number: Specifies a source interface by its type and number. The
IPv6 address of this interface is the source IP address of the IPv6 SSH packets.
ipv6 ipv6-address: Specifies a source IPv6 address.
Usage guidelines
If the client and the server have negotiated to use certificate authentication, the client must verify the
server's certificate. For the client to correctly get the server's certificate, you must specify the server's
PKI domain on the client by using the server-pki-domain domain-name option. The client uses the
CA certificate stored in the specified PKI domain to verify the server's certificate and does not need to
save the server's public key before authentication. If you do not specify the server's PKI domain, the
client uses the PKI domain of its own certificate to verify the server's certificate.
The combination of an escape character and a dot (.) works as an escape sequence. This escape
sequence is typically used to quickly terminate an SSH connection when the server reboots or
malfunctions.
For the escape sequence to take effect, you must enter it at the very beginning of a line. If you have
entered other characters or performed operations in a line, enter the escape sequence in the next
line. HPE recommends that you use the default escape character (~). Do not use a character that
appears in SSH usernames as the escape character.
Examples
# Use the 192-bit Suite B algorithms to establish a connection to the Stelnet server 2000::1. Specify
the client's PKI domain and the server's PKI domain as clientpkidomain and serverpkidomain,
respectively.
<Sysname> ssh2 ipv6 2000::1 suite-b 192-bit pki-domain clientpkidomain server-pki-domain
serverpkidomain
New command: ssh2 suite-b
Use ssh2 suite-b to establish a connection to an IPv4 Stelnet server based on Suite B algorithms.
Syntax
ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ]
pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ dscp
dscp-value | escape character | source { interface interface-type interface-number | ip ip-address } ] *
Views
User view
Predefined user roles
network-admin
Parameters
server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 253
characters.
port-number: Specifies the port number of the server, in the range 1 to 65535. The default is 22.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs.
The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to
31 characters.
suite-b: Specifies the Suite B algorithms. If neither the 128-bit keyword nor the 192-bit keyword is
specified, all algorithms in Suite B are used. For more information about the Suite B algorithms, see
Table 6.
128-bit: Specifies the 128-bit Suite B security level.
192-bit: Specifies the 192-bit Suite B security level.
pki-domain domain-name: Specifies the PKI domain of the client's certificate. The domain-name
argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters, excluding
the characters listed in Table 11.
Table 11 Invalid characters for a PKI domain name
Character name        Symbol
Tilde                 ~
Asterisk              *
Backslash             \
Vertical bar          |
Colon                 :
Dot                   .
Left angle bracket    <
Right angle bracket   >
Quotation marks       "
Apostrophe            '
server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate.
The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31
characters, excluding the characters listed in Table 11.
prefer-compress: Specifies the preferred compression algorithm for data compression between the
server and the client. By default, compression is not supported.
zlib: Specifies the compression algorithm zlib.
dscp dscp-value: Specifies the DSCP value in the IPv4 SSH packets. The value range for the
dscp-value argument is 0 to 63, and the default value is 48. The DSCP value determines the
transmission priority of the packet.
escape character: Specifies a case-sensitive escape character. By default, the escape character is a
tilde (~).
source: Specifies a source IP address or source interface for SSH packets. By default, the device
uses the primary IPv4 address of the output interface in the routing entry as the source address of
SSH packets. For successful Stelnet connections, use one of the following methods:
Specify the loopback interface as the source interface.
Specify the IPv4 address of the loopback interface as the source IPv4 address.
interface interface-type interface-number: Specifies a source interface by its type and number. The
primary IPv4 address of this interface is the source IPv4 address of the SSH packets.
ip ip-address: Specifies a source IPv4 address.
Usage guidelines
If the client and the server have negotiated to use certificate authentication, the client must verify the
server's certificate. For the client to correctly get the server's certificate, you must specify the server's
PKI domain on the client by using the server-pki-domain domain-name option. The client uses the
CA certificate stored in the specified PKI domain to verify the server's certificate and does not need to
save the server's public key before authentication. If you do not specify the server's PKI domain, the
client uses the PKI domain of its own certificate to verify the server's certificate.
The combination of an escape character and a dot (.) works as an escape sequence. This escape
sequence is typically used to quickly terminate an SSH connection when the server reboots or
malfunctions.
For the escape sequence to take effect, you must enter it at the very beginning of a line. If you have
entered other characters or performed operations in a line, enter the escape sequence in the next
line. HPE recommends that you use the default escape character (~). Do not use a character that
appears in SSH usernames as the escape character.
Examples
# Use the 128-bit Suite B algorithms to establish a connection to the Stelnet server 3.3.3.3. Specify the
client's PKI domain and the server's PKI domain as clientpkidomain and serverpkidomain,
respectively.
<Sysname> ssh2 3.3.3.3 suite-b 128-bit pki-domain clientpkidomain server-pki-domain
serverpkidomain
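The usage guidelines for both ssh2 suite-b commands describe the escape sequence (escape character followed by a dot) and its one precondition: it is honoured only at the very beginning of a line. The following model of that client-side logic is an added example written for these notes, not Comware code; it shows why a sequence typed mid-line is ignored, why the escape character is case-sensitive, and why a character that occurs in usernames would be a poor choice (the first keystroke of a login line would arm the sequence).

```python
"""Model of the Stelnet client escape-sequence handling described in the usage
guidelines: '<escape><dot>' ends the session, but only at the start of a line.
Added example for these release notes; not Comware code."""

DEFAULT_ESCAPE = "~"   # the default escape character the command reference states


class EscapeSequenceTracker:
    """Feed typed characters one at a time; feed() returns True at the moment
    the escape sequence has been completed at the beginning of a line."""

    def __init__(self, escape: str = DEFAULT_ESCAPE):
        if len(escape) != 1:
            raise ValueError("escape character must be a single character")
        self.escape = escape          # compared case-sensitively, as the page states
        self.at_line_start = True     # nothing typed yet on the current line
        self.escape_pending = False   # escape char seen at line start, awaiting '.'

    def feed(self, ch: str) -> bool:
        if self.escape_pending:
            self.escape_pending = False
            if ch == ".":
                return True           # '~.' entered at line start: terminate session
            # Any other character cancels the sequence.  We are now mid-line
            # unless that character was itself a line break.
            self.at_line_start = ch in "\r\n"
            return False
        if ch in "\r\n":
            self.at_line_start = True  # a new line begins; the sequence may be armed
            return False
        if self.at_line_start and ch == self.escape:
            self.escape_pending = True
            self.at_line_start = False
            return False
        self.at_line_start = False    # ordinary input: not at line start any more
        return False

    def typed(self, text: str) -> bool:
        """Feed a whole keystroke string; True if it completes a valid escape."""
        return any(self.feed(ch) for ch in text)


if __name__ == "__main__":
    # Constructed keystroke streams.
    print("mid-line '~.' honoured:", EscapeSequenceTracker().typed("ls ~."))      # False
    print("'~.' on a fresh line honoured:", EscapeSequenceTracker().typed("\n~."))  # True
```

The tracker is deliberately per-line: any ordinary keystroke clears at_line_start, so an operator who has already typed on the line must press Enter and begin the sequence again, exactly as the guidelines say.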
New command: ssh2 algorithm cipher
Use ssh2 algorithm cipher to specify encryption algorithms for SSH2.
Use undo ssh2 algorithm cipher to restore the default.
Syntax
In non-FIPS mode:
ssh2 algorithm cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr
| aes256-ctr | aes128-gcm | aes256-gcm } *
undo ssh2 algorithm cipher
In FIPS mode:
ssh2 algorithm cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr |
aes128-gcm | aes256-gcm } *
undo ssh2 algorithm cipher
Default
SSH2 uses the encryption algorithms aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm,
aes256-gcm, aes128-cbc, 3des-cbc, aes256-cbc, and des-cbc in descending order of priority for
algorithm negotiation.
Views
System view
Predefined user roles
network-admin
Parameters
3des-cbc: Specifies the encryption algorithm 3des-cbc. Support for this keyword depends on the
device model.
aes128-cbc: Specifies the encryption algorithm aes128-cbc.
aes256-cbc: Specifies the encryption algorithm aes256-cbc.
des-cbc: Specifies the encryption algorithm des-cbc.
aes128-ctr: Specifies the encryption algorithm aes128-ctr.
aes192-ctr: Specifies the encryption algorithm aes192-ctr.
aes256-ctr: Specifies the encryption algorithm aes256-ctr.
aes256-gcm: Specifies the encryption algorithm aes256-gcm.
aes128-gcm: Specifies the encryption algorithm aes128-gcm.
Usage guidelines
If you specify the encryption algorithms, SSH2 uses only the specified algorithms for algorithm
negotiation. The algorithm specified earlier has a higher priority during negotiation.
Examples
# Specify the algorithm 3des-cbc as the encryption algorithm for SSH2.
<Sysname> system-view
[Sysname] ssh2 algorithm cipher 3des-cbc
Related commands
display ssh2 algorithm
ssh2 algorithm key-exchange
ssh2 algorithm mac
ssh2 algorithm public-key
New command: ssh2 algorithm key-exchange
Use ssh2 algorithm key-exchange to specify key exchange algorithms for SSH2.
Use undo ssh2 algorithm key-exchange to restore the default.
Syntax
In non-FIPS mode:
ssh2 algorithm key-exchange { dh-group-exchange-sha1 | dh-group1-sha1 |
dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } *
undo ssh2 algorithm key-exchange
In FIPS mode:
ssh2 algorithm key-exchange { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } *
undo ssh2 algorithm key-exchange
Default
SSH2 uses the key exchange algorithms ecdh-sha2-nistp256, ecdh-sha2-nistp384,
dh-group-exchange-sha1, dh-group14-sha1, and dh-group1-sha1 in descending order of priority
for algorithm negotiation.
Views
System view
Predefined user roles
network-admin
Parameters
dh-group-exchange-sha1: Specifies the key exchange algorithm
diffie-hellman-group-exchange-sha1.
dh-group1-sha1: Specifies the key exchange algorithm diffie-hellman-group1-sha1.
dh-group14-sha1: Specifies the key exchange algorithm diffie-hellman-group14-sha1.
ecdh-sha2-nistp256: Specifies the key exchange algorithm ecdh-sha2-nistp256.
ecdh-sha2-nistp384: Specifies the key exchange algorithm ecdh-sha2-nistp384.
Usage guidelines
If you specify the key exchange algorithms, SSH2 uses only the specified algorithms for algorithm
negotiation. The algorithm specified earlier has a higher priority during negotiation.
Examples
# Specify the algorithm dh-group1-sha1 as the key exchange algorithm for SSH2.
<Sysname> system-view
[Sysname] ssh2 algorithm key-exchange dh-group1-sha1
Related commands
display ssh2 algorithm
ssh2 algorithm cipher
ssh2 algorithm mac
ssh2 algorithm public-key
New command: ssh2 algorithm mac
Use ssh2 algorithm mac to specify MAC algorithms for SSH2.
Use undo ssh2 algorithm mac to restore the default.
Syntax
In non-FIPS mode:
ssh2 algorithm mac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } *
undo ssh2 algorithm mac
In FIPS mode:
ssh2 algorithm mac { sha1 | sha1-96 | sha2-256 | sha2-512 } *
undo ssh2 algorithm mac
Default
SSH2 uses the MAC algorithms sha2-256, sha2-512, sha1, md5, sha1-96, and md5-96 in
descending order of priority for algorithm negotiation.
Views
System view
Predefined user roles
network-admin
Parameters
md5: Specifies the HMAC algorithm hmac-md5.
md5-96: Specifies the HMAC algorithm hmac-md5-96.
sha1: Specifies the HMAC algorithm hmac-sha1.
sha1-96: Specifies the HMAC algorithm hmac-sha1-96.
sha2-256: Specifies the HMAC algorithm hmac-sha2-256.
sha2-512: Specifies the HMAC algorithm hmac-sha2-512.
Usage guidelines
If you specify the MAC algorithms, SSH2 uses only the specified algorithms for algorithm negotiation.
The algorithm specified earlier has a higher priority during negotiation.
Examples
# Specify the algorithm md5 as the MAC algorithm for SSH2.
<Sysname> system-view
[Sysname] ssh2 algorithm mac md5
Related commands
display ssh2 algorithm
ssh2 algorithm cipher
ssh2 algorithm key-exchange
ssh2 algorithm public-key
New command: ssh2 algorithm public-key
Use ssh2 algorithm public-key to specify public key algorithms for SSH2.
Use undo ssh2 algorithm public-key to restore the default.
Syntax
In non-FIPS mode:
ssh2 algorithm public-key { dsa | ecdsa | rsa | x509v3-ecdsa-sha2-nistp384 |
x509v3-ecdsa-sha2-nistp256 } *
undo ssh2 algorithm public-key
In FIPS mode:
ssh2 algorithm public-key { ecdsa | rsa | x509v3-ecdsa-sha2-nistp384 |
x509v3-ecdsa-sha2-nistp256 } *
undo ssh2 algorithm public-key
Default
SSH2 uses the public key algorithms x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384,
ecdsa, rsa, and dsa in descending order of priority for algorithm negotiation.
Views
System view
Predefined user roles
network-admin
Parameters
dsa: Specifies the public key algorithm dsa.
ecdsa: Specifies the public key algorithm ecdsa.
rsa: Specifies the public key algorithm rsa.
x509v3-ecdsa-sha2-nistp256: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp256.
x509v3-ecdsa-sha2-nistp384: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp384.
Usage guidelines
If you specify the public key algorithms, SSH2 uses only the specified algorithms for algorithm
negotiation. The algorithm specified earlier has a higher priority during negotiation.
Examples
# Specify the algorithm dsa as the public key algorithm for SSH2.
<Sysname> system-view
[Sysname] ssh2 algorithm public-key dsa
Related commands
display ssh2 algorithm
ssh2 algorithm cipher
ssh2 algorithm key-exchange
ssh2 algorithm mac
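The four ssh2 algorithm commands above (cipher, key-exchange, mac, public-key) all state the same rule: only the configured algorithms are offered, and earlier entries have higher priority. What that priority achieves depends on which side the device is on, because SSH negotiation (RFC 4253, section 7.1) picks the first algorithm on the client's list that the server also supports. The following simulation is an added example written for these notes, not Comware code. The default lists are the ones stated on this page; the peer's preference list and the "weak" set used by the review helper are constructed for illustration and are this example's assumptions, not anything the page states.

```python
"""SSH algorithm negotiation (RFC 4253 section 7.1) applied to the lists that the
ssh2 algorithm commands configure.  Added example for these release notes; not
Comware code.  Default lists are from the page; peer lists are constructed."""

from typing import List, Optional

# Defaults stated on the page, in descending order of priority.
DEFAULT_CIPHERS = ["aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm", "aes256-gcm",
                   "aes128-cbc", "3des-cbc", "aes256-cbc", "des-cbc"]
DEFAULT_KEX = ["ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "dh-group-exchange-sha1",
               "dh-group14-sha1", "dh-group1-sha1"]
DEFAULT_MAC = ["sha2-256", "sha2-512", "sha1", "md5", "sha1-96", "md5-96"]
DEFAULT_PUBKEY = ["x509v3-ecdsa-sha2-nistp256", "x509v3-ecdsa-sha2-nistp384",
                  "ecdsa", "rsa", "dsa"]

# Assumption of this example: entries a hardening review would normally remove
# (single DES, 3DES-CBC, MD5 and truncated MACs, 1024-bit DH group1).
WEAK = {"des-cbc", "3des-cbc", "md5", "md5-96", "sha1-96", "dh-group1-sha1"}


def negotiate(client_prefs: List[str], server_prefs: List[str]) -> Optional[str]:
    """RFC 4253 rule: the first algorithm on the *client's* list that the server
    also supports wins.  The server's own ordering never changes the outcome;
    only its membership does.  Returns None when there is no common algorithm."""
    supported = set(server_prefs)
    for alg in client_prefs:
        if alg in supported:
            return alg
    return None


def weak_algorithms(configured: List[str]) -> List[str]:
    """Entries of a configured list that fall in the WEAK set, in list order."""
    return [alg for alg in configured if alg in WEAK]


def simulate(label: str, device_list: List[str], peer_list: List[str]) -> Optional[str]:
    """Device acts as SSH server; the constructed peer is the client."""
    chosen = negotiate(peer_list, device_list)
    print(f"{label}: peer prefers {peer_list[0]!r} -> negotiated {chosen!r}")
    return chosen


if __name__ == "__main__":
    # Constructed client that lists a legacy cipher first.
    legacy_client = ["des-cbc", "3des-cbc", "aes128-ctr"]
    simulate("default cipher list", DEFAULT_CIPHERS, legacy_client)   # des-cbc wins
    # Equivalent of: ssh2 algorithm cipher aes256-gcm aes128-gcm aes256-ctr aes128-ctr
    hardened = ["aes256-gcm", "aes128-gcm", "aes256-ctr", "aes128-ctr"]
    simulate("hardened cipher list", hardened, legacy_client)         # aes128-ctr wins
    print("weak entries in default MAC list:", weak_algorithms(DEFAULT_MAC))
    print("weak entries in default KEX list:", weak_algorithms(DEFAULT_KEX))
```

The practical consequence: when the device is the server, a client that prefers des-cbc gets des-cbc under the default list regardless of where des-cbc sits in that list, so removing an algorithm from the list is the only way to stop it from being negotiated. When the device is the client, its own order decides, which is where the "specified earlier has a higher priority" rule applies.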
Modified command: display ssh server
Syntax
display ssh server { session | status }
Views
Any view
Change description
In the command output, the SSH Server PKI domain name field was added to represent the PKI
domain of the SSH server.
Modified command: ssh user
Old syntax
In non-FIPS mode:
ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type
{ password | { any | password-publickey | publickey } assign { pki-domain domain-name |
publickey keyname } }
undo ssh user username
In FIPS mode:
ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type
{ password | password-publickey assign { pki-domain domain-name | publickey keyname } }
undo ssh user username
New syntax
In non-FIPS mode:
ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type
{ password | { any | password-publickey | publickey } [ assign { pki-domain domain-name |
publickey keyname } ] }
undo ssh user username
In FIPS mode:
ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type
{ password | password-publickey [ assign { pki-domain domain-name | publickey keyname } ] }
undo ssh user username
Views
System view
Change description
Before modification: The options assign { pki-domain domain-name | publickey keyname } are
required for verifying the client.
After modification: The options assign { pki-domain domain-name | publickey keyname } are
optional for verifying the client.
Modified command: scp
Old syntax
In non-FIPS mode:
scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name
[ destination-file-name ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher
{ 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex
{ dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 |
des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * [ publickey keyname | source
{ interface interface-type interface-number | ip ip-address } ] *
In FIPS mode:
scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name
[ destination-file-name ] [ identity-key rsa | prefer-compress zlib | prefer-ctos-cipher { aes128 |
aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher
{ aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] * [ publickey keyname | source
{ interface interface-type interface-number | ip ip-address } ] *
New syntax
In non-FIPS mode:
scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name
[ destination-file-name ] [ identity-key { dsa | ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 |
x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib |
prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr |
aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 |
sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 | dh-group1-sha1 |
dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { 3des-cbc |
aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm |
aes256-gcm } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } ] *
[ { public-key keyname | server-pki-domain domain-name } | source { interface interface-type
interface-number | ip ip-address } ] *
In FIPS mode:
scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name
[ destination-file-name ] [ identity-key { ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 |
x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib |
prefer-ctos-cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr |
aes128-gcm | aes256-gcm } | prefer-ctos-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } |
prefer-kex { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher
{ aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } |
prefer-stoc-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ { public-key keyname |
server-pki-domain domain-name } | source { interface interface-type interface-number | ip
ip-address } ] *
Views
User view
Change description
The following keywords were added:
Keywords for specifying PKI domains used in certificate verification:
pki-domain domain-name: Specifies the PKI domain of the client's certificate. When the
public key algorithm is x509v3 (x509v3-ecdsa-sha2-nistp256 or
x509v3-ecdsa-sha2-nistp384), you must specify this option for the client to get the correct
local certificate.
server-pki-domain domain-name: Specifies the PKI domain for verifying the server's
certificate. The domain-name argument represents the PKI domain name, a
case-insensitive string of 1 to 31 characters. If you do not specify the server's PKI domain,
the client uses the PKI domain of its own certificate to verify the server's certificate.
The PKI domain name cannot contain characters in the following table:
Character name   Symbol   Character name        Symbol
Tilde            ~        Dot                   .
Asterisk         *        Left angle bracket    <
Backslash        \        Right angle bracket   >
Vertical bar     |        Quotation marks       "
Colon            :        Apostrophe            '
Keywords for specifying the publickey algorithms used in publickey authentication:
ecdsa: Specifies the public key algorithm ecdsa.
x509v3-ecdsa-sha2-nistp256: Specifies the public key algorithm
x509v3-ecdsa-sha2-nistp256.
x509v3-ecdsa-sha2-nistp384: Specifies the public key algorithm
x509v3-ecdsa-sha2-nistp384.
Keywords for specifying the preferred client-to-server encryption algorithms:
aes128-ctr: Specifies the encryption algorithm aes128-ctr.
aes192-ctr: Specifies the encryption algorithm aes192-ctr.
aes256-ctr: Specifies the encryption algorithm aes256-ctr.
aes256-gcm: Specifies the encryption algorithm aes256-gcm.
aes128-gcm: Specifies the encryption algorithm aes128-gcm.
Keywords for specifying the preferred client-to-server HMAC algorithms:
sha2-256: Specifies the HMAC algorithm sha2-256.
sha2-512: Specifies the HMAC algorithm sha2-512.
Keywords for specifying the preferred key exchange algorithms:
ecdh-sha2-nistp256: Specifies the key exchange algorithm ecdh-sha2-nistp256.
ecdh-sha2-nistp384: Specifies the key exchange algorithm ecdh-sha2-nistp384.
The following keywords were modified:
Keywords for the preferred client-to-server encryption algorithm prefer-ctos-cipher:
The 3des keyword was changed to 3des-cbc.
The aes128 keyword was changed to aes128-cbc.
The aes256 keyword was changed to aes256-cbc.
The des keyword was changed to des-cbc.
Keywords for the preferred key exchange algorithm prefer-kex:
The dh-group-exchange keyword was changed to dh-group-exchange-sha1.
The dh-group1 keyword was changed to dh-group1-sha1.
The dh-group14 keyword was changed to dh-group14-sha1.
Keywords for the preferred server-to-client encryption algorithm prefer-stoc-cipher:
The 3des keyword was changed to 3des-cbc.
The aes128 keyword was changed to aes128-cbc.
The aes256 keyword was changed to aes256-cbc.
The des keyword was changed to des-cbc.
The default settings for the following algorithms were changed:
For the preferred client-to-server encryption algorithm prefer-ctos-cipher:
Before modification: The default is aes128.
After modification: The default is aes128-ctr.
For the preferred client-to-server HMAC algorithm prefer-ctos-hmac:
Before modification: The default is sha1.
After modification: The default is sha2-256.
For the preferred key exchange algorithm prefer-kex:
Before modification: The default is dh-group-exchange in non-FIPS mode and is
dh-group14 in FIPS mode.
After modification: The default is ecdh-sha2-nistp256 in both non-FIPS mode and FIPS
mode.
For the preferred server-to-client encryption algorithm prefer-stoc-cipher:
Before modification: The default is aes128.
After modification: The default is aes128-ctr.
For the preferred server-to-client HMAC algorithm prefer-stoc-hmac:
Before modification: The default is sha1.
After modification: The default is sha2-256.
Modified command: scp ipv6
Old syntax
In non-FIPS mode:
scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type
interface-number ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | rsa }
| prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac
{ md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } |
prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 |
sha1-96 } ] * [ publickey keyname | source { interface interface-type interface-number | ipv6
ipv6-address } ] *
In FIPS mode:
scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type
interface-number ] { put | get } source-file-name [ destination-file-name ] [ identity-key rsa |
prefer-compress zlib | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 |
sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac
{ sha1 | sha1-96 } ] * [ publickey keyname | source { interface interface-type interface-number |
ipv6 ipv6-address } ] *
New syntax
In non-FIPS mode:
scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type
interface-number ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | ecdsa
| rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name }
| prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc |
aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { md5 |
md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 |
dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } |
prefer-stoc-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr |
aes256-ctr | aes128-gcm | aes256-gcm } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 |
sha2-256 | sha2-512 } ] * [ { public-key keyname | server-pki-domain domain-name } | source
{ interface interface-type interface-number | ipv6 ipv6-address } ] *
In FIPS mode:
scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type
interface-number ] { put | get } source-file-name [ destination-file-name ] [ identity-key { ecdsa | rsa
| { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } |
prefer-compress zlib | prefer-ctos-cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr |
aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { sha1 | sha1-96 | sha2-256 |
sha2-512 } | prefer-kex { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } |
prefer-stoc-cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr |
aes128-gcm | aes256-gcm } | prefer-stoc-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } ] *
[ { public-key keyname | server-pki-domain domain-name } | source { interface interface-type
interface-number | ipv6 ipv6-address } ] *
Views
User view
Change description
The following keywords were added:
Keywords for specifying PKI domains used in certificate verification:
pki-domain domain-name: Specifies the PKI domain of the client's certificate. When the
public key algorithm is x509v3 (x509v3-ecdsa-sha2-nistp256 or
x509v3-ecdsa-sha2-nistp384), you must specify this option for the client to get the correct
local certificate.
server-pki-domain domain-name: Specifies the PKI domain for verifying the server's
certificate. The domain-name argument represents the PKI domain name, a
case-insensitive string of 1 to 31 characters. If you do not specify the server's PKI domain,
the client uses the PKI domain of its own certificate to verify the server's certificate.
The PKI domain name cannot contain characters in the following table:
Character name   Symbol   Character name        Symbol
Tilde            ~        Dot                   .
Asterisk         *        Left angle bracket    <
Backslash        \        Right angle bracket   >
Vertical bar     |        Quotation marks       "
Colon            :        Apostrophe            '
Keywords for specifying the publickey algorithms used in publickey authentication:
ecdsa: Specifies the public key algorithm ecdsa.
x509v3-ecdsa-sha2-nistp256: Specifies the public key algorithm
x509v3-ecdsa-sha2-nistp256.
x509v3-ecdsa-sha2-nistp384: Specifies the public key algorithm
x509v3-ecdsa-sha2-nistp384.
Keywords for specifying the preferred client-to-server encryption algorithms:
aes128-ctr: Specifies the encryption algorithm aes128-ctr.
aes192-ctr: Specifies the encryption algorithm aes192-ctr.
aes256-ctr: Specifies the encryption algorithm aes256-ctr.
aes256-gcm: Specifies the encryption algorithm aes256-gcm.
aes128-gcm: Specifies the encryption algorithm aes128-gcm.
Keywords for specifying the preferred client-to-server HMAC algorithms:
sha2-256: Specifies the HMAC algorithm sha2-256.
sha2-512: Specifies the HMAC algorithm sha2-512.
Keywords for specifying the preferred key exchange algorithms:
ecdh-sha2-nistp256: Specifies the key exchange algorithm ecdh-sha2-nistp256.
ecdh-sha2-nistp384: Specifies the key exchange algorithm ecdh-sha2-nistp384.
The following keywords were modified:
Keywords for the preferred client-to-server encryption algorithm prefer-ctos-cipher:
The 3des keyword was changed to 3des-cbc.
The aes128 keyword was changed to aes128-cbc.
The aes256 keyword was changed to aes256-cbc.
The des keyword was changed to des-cbc.
Keywords for the preferred key exchange algorithm prefer-kex:
The dh-group-exchange keyword was changed to dh-group-exchange-sha1.
The dh-group1 keyword was changed to dh-group1-sha1.
The dh-group14 keyword was changed to dh-group14-sha1.
Keywords for the preferred server-to-client encryption algorithm prefer-stoc-cipher:
The 3des keyword was changed to 3des-cbc.
The aes128 keyword was changed to aes128-cbc.
The aes256 keyword was changed to aes256-cbc.
The des keyword was changed to des-cbc.
The default settings for the following algorithms were changed:
For the preferred client-to-server encryption algorithm prefer-ctos-cipher:
Before modification: The default is aes128.
After modification: The default is aes128-ctr.
For the preferred client-to-server HMAC algorithm prefer-ctos-hmac:
Before modification: The default is sha1.
After modification: The default is sha2-256.
For the preferred key exchange algorithm prefer-kex:
Before modification: The default is dh-group-exchange in non-FIPS mode and is
dh-group14 in FIPS mode.
After modification: The default is ecdh-sha2-nistp256 in both non-FIPS mode and FIPS
mode.
For the preferred server-to-client encryption algorithm prefer-stoc-cipher:
Before modification: The default is aes128.
After modification: The default is aes128-ctr.
For the preferred server-to-client HMAC algorithm prefer-stoc-hmac:
Before modification: The default is sha1.
After modification: The default is sha2-256.
Modified command: sftp
Old syntax
In non-FIPS mode:
sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } |
prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac
{ md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } |
prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 |
sha1-96 } ] * [ dscp dscp-value | publickey keyname | source { interface interface-type
interface-number | ip ip-address } ] *
In FIPS mode:
sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key rsa |
prefer-compress zlib | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 |
sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac
{ sha1 | sha1-96 } ] * [ publickey keyname | source { interface interface-type interface-number | ip
ip-address } ] *
New syntax
In non-FIPS mode:
sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | ecdsa | rsa |
{ x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } |
prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc |
aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { md5 |
md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 |
dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } |
prefer-stoc-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr |
aes256-ctr | aes128-gcm | aes256-gcm } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 |
sha2-256 | sha2-512 } ] * [ dscp dscp-value | { public-key keyname | server-pki-domain
domain-name } | source { interface interface-type interface-number | ip ip-address } ] *
In FIPS mode:
sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { ecdsa | rsa |
{ x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } |
prefer-compress zlib | prefer-ctos-cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr |
aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { sha1 | sha1-96 | sha2-256 |
sha2-512 } | prefer-kex { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } |
prefer-stoc-cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr |
aes128-gcm | aes256-gcm } | prefer-stoc-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } ] *
[ { public-key keyname | server-pki-domain domain-name } | source { interface interface-type
interface-number | ip ip-address } ] *
Views
User view
Change description
The following keywords were added:
Keywords for specifying PKI domains used in certificate verification:
pki-domain domain-name: Specifies the PKI domain of the client's certificate. When the
public key algorithm is x509v3 (x509v3-ecdsa-sha2-nistp256 or
x509v3-ecdsa-sha2-nistp384), you must specify this option for the client to get the correct
local certificate.
server-pki-domain domain-name: Specifies the PKI domain for verifying the server's
certificate. The domain-name argument represents the PKI domain name, a
case-insensitive string of 1 to 31 characters. If you do not specify the server's PKI domain,
the client uses the PKI domain of its own certificate to verify the server's certificate.
The PKI domain name cannot contain characters in the following table:
Character name   Symbol   Character name        Symbol
Tilde            ~        Dot                   .
Asterisk         *        Left angle bracket    <
Backslash        \        Right angle bracket   >
Vertical bar     |        Quotation marks       "
Colon            :        Apostrophe            '
Keywords for specifying the publickey algorithms used in publickey authentication:
ecdsa: Specifies the public key algorithm ecdsa.
x509v3-ecdsa-sha2-nistp256: Specifies the public key algorithm
x509v3-ecdsa-sha2-nistp256.
x509v3-ecdsa-sha2-nistp384: Specifies the public key algorithm
x509v3-ecdsa-sha2-nistp384.
Keywords for specifying the preferred client-to-server encryption algorithms:
aes128-ctr: Specifies the encryption algorithm aes128-ctr.
aes192-ctr: Specifies the encryption algorithm aes192-ctr.
aes256-ctr: Specifies the encryption algorithm aes256-ctr.
aes256-gcm: Specifies the encryption algorithm aes256-gcm.
aes128-gcm: Specifies the encryption algorithm aes128-gcm.
Keywords for specifying the preferred client-to-server HMAC algorithms:
sha2-256: Specifies the HMAC algorithm sha2-256.
sha2-512: Specifies the HMAC algorithm sha2-512.
Keywords for specifying the preferred key exchange algorithms:
ecdh-sha2-nistp256: Specifies the key exchange algorithm ecdh-sha2-nistp256.
ecdh-sha2-nistp384: Specifies the key exchange algorithm ecdh-sha2-nistp384.
The following keywords were modified:
Keywords for the preferred client-to-server encryption algorithm prefer-ctos-cipher:
The 3des keyword was changed to 3des-cbc.
The aes128 keyword was changed to aes128-cbc.
The aes256 keyword was changed to aes256-cbc.
The des keyword was changed to des-cbc.
Keywords for the preferred key exchange algorithm prefer-kex:
The dh-group-exchange keyword was changed to dh-group-exchange-sha1.
The dh-group1 keyword was changed to dh-group1-sha1.
The dh-group14 keyword was changed to dh-group14-sha1.
Keywords for the preferred server-to-client encryption algorithm prefer-stoc-cipher:
The 3des keyword was changed to 3des-cbc.
The aes128 keyword was changed to aes128-cbc.
The aes256 keyword was changed to aes256-cbc.
The des keyword was changed to des-cbc.
The default settings for the following algorithms were changed:
For the preferred client-to-server encryption algorithm prefer-ctos-cipher:
Before modification: The default is aes128.
After modification: The default is aes128-ctr.
For the preferred client-to-server HMAC algorithm prefer-ctos-hmac:
Before modification: The default is sha1.
After modification: The default is sha2-256.
For the preferred key exchange algorithm prefer-kex:
Before modification: The default is dh-group-exchange in non-FIPS mode and is
dh-group14 in FIPS mode.
After modification: The default is ecdh-sha2-nistp256 in both non-FIPS mode and FIPS
mode.
For the preferred server-to-client encryption algorithm prefer-stoc-cipher:
Before modification: The default is aes128.
After modification: The default is aes128-ctr.
For the preferred server-to-client HMAC algorithm prefer-stoc-hmac:
Before modification: The default is sha1.
After modification: The default is sha2-256.
Modified command: sftp ipv6
Old syntax
In non-FIPS mode:
sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type
interface-number ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des |
aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex
{ dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 |
des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * [ dscp dscp-value | publickey
keyname | source { interface interface-type interface-number | ipv6 ipv6-address } ] *
In FIPS mode:
sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type
interface-number ] [ identity-key rsa | prefer-compress zlib | prefer-ctos-cipher { aes128 |
aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher
{ aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] * [ publickey keyname | source
{ interface interface-type interface-number | ipv6 ipv6-address } ] *
New syntax
In non-FIPS mode:
sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type
interface-number ] [ identity-key { dsa | ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 |
x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib |
prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr |
aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 |
sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 | dh-group1-sha1 |
dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { 3des-cbc |
aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm |
aes256-gcm } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } ] *
[ dscp dscp-value | { public-key keyname | server-pki-domain domain-name } | source { interface
interface-type interface-number | ipv6 ipv6-address } ] *
In FIPS mode:
sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type
interface-number ] [ identity-key { ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 |
x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib |
prefer-ctos-cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr |
aes128-gcm | aes256-gcm } | prefer-ctos-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } |
prefer-kex { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher
{ aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } |
prefer-stoc-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ { public-key keyname |
server-pki-domain domain-name } | source { interface interface-type interface-number | ipv6
ipv6-address } ] *
Views
User view
Change description
The following keywords were added:
Keywords for specifying PKI domains used in certificate verification:
pki-domain domain-name: Specifies the PKI domain of the client's certificate. When the
public key algorithm is x509v3 (x509v3-ecdsa-sha2-nistp256 or
x509v3-ecdsa-sha2-nistp384), you must specify this option for the client to get the correct
local certificate.
server-pki-domain domain-name: Specifies the PKI domain for verifying the server's
certificate. The domain-name argument represents the PKI domain name, a
case-insensitive string of 1 to 31 characters. If you do not specify the server's PKI domain,
the client uses the PKI domain of its own certificate to verify the server's certificate.
The PKI domain name cannot contain characters in the following table:
Character name   Symbol   Character name        Symbol
Tilde            ~        Dot                   .
Asterisk         *        Left angle bracket    <
Backslash        \        Right angle bracket   >
Vertical bar     |        Quotation marks       "
Colon            :        Apostrophe            '
Keywords for specifying the publickey algorithms used in publickey authentication:
ecdsa: Specifies the public key algorithm ecdsa.
x509v3-ecdsa-sha2-nistp256: Specifies the public key algorithm
x509v3-ecdsa-sha2-nistp256.
x509v3-ecdsa-sha2-nistp384: Specifies the public key algorithm
x509v3-ecdsa-sha2-nistp384.
Keywords for specifying the preferred client-to-server encryption algorithms:
aes128-ctr: Specifies the encryption algorithm aes128-ctr.
aes192-ctr: Specifies the encryption algorithm aes192-ctr.
aes256-ctr: Specifies the encryption algorithm aes256-ctr.
aes256-gcm: Specifies the encryption algorithm aes256-gcm.
aes128-gcm: Specifies the encryption algorithm aes128-gcm.
Keywords for specifying the preferred client-to-server HMAC algorithms:
sha2-256: Specifies the HMAC algorithm sha2-256.
sha2-512: Specifies the HMAC algorithm sha2-512.
Keywords for specifying the preferred key exchange algorithms:
ecdh-sha2-nistp256: Specifies the key exchange algorithm ecdh-sha2-nistp256.
ecdh-sha2-nistp384: Specifies the key exchange algorithm ecdh-sha2-nistp384.
The following keywords were modified:
Keywords for the preferred client-to-server encryption algorithm prefer-ctos-cipher:
The 3des keyword was changed to 3des-cbc.
The aes128 keyword was changed to aes128-cbc.
The aes256 keyword was changed to aes256-cbc.
The des keyword was changed to des-cbc.
Keywords for the preferred key exchange algorithm prefer-kex:
The dh-group-exchange keyword was changed to dh-group-exchange-sha1.
The dh-group1 keyword was changed to dh-group1-sha1.
The dh-group14 keyword was changed to dh-group14-sha1.
Keywords for the preferred server-to-client encryption algorithm prefer-stoc-cipher:
The 3des keyword was changed to 3des-cbc.
The aes128 keyword was changed to aes128-cbc.
The aes256 keyword was changed to aes256-cbc.
The des keyword was changed to des-cbc.
The default settings for the following algorithms were changed:
For the preferred client-to-server encryption algorithm prefer-ctos-cipher:
Before modification: The default is aes128.
After modification: The default is aes128-ctr.
For the preferred client-to-server HMAC algorithm prefer-ctos-hmac:
Before modification: The default is sha1.
After modification: The default is sha2-256.
For the preferred key exchange algorithm prefer-kex:
Before modification: The default is dh-group-exchange in non-FIPS mode and is
dh-group14 in FIPS mode.
After modification: The default is ecdh-sha2-nistp256 in both non-FIPS mode and FIPS
mode.
For the preferred server-to-client encryption algorithm prefer-stoc-cipher:
Before modification: The default is aes128.
After modification: The default is aes128-ctr.
For the preferred server-to-client HMAC algorithm prefer-stoc-hmac:
Before modification: The default is sha1.
After modification: The default is sha2-256.
Modified command: ssh2
Old syntax
In non-FIPS mode:
ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } |
prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac
{ md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } |
prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 |
sha1-96 } ] * [ dscp dscp-value | escape character | publickey keyname | source { interface
interface-type interface-number | ip ip-address } ] *
In FIPS mode:
ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key rsa |
prefer-compress zlib | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 |
sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac
{ sha1 | sha1-96 } ] * [ escape character | publickey keyname | source { interface interface-type
interface-number | ip ip-address } ] *
New syntax
In non-FIPS mode:
ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | ecdsa | rsa |
{ x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } |
prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc |
aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { md5 |
md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 |
dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } |
prefer-stoc-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr |
aes256-ctr | aes128-gcm | aes256-gcm } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 |
sha2-256 | sha2-512 } ] * [ dscp dscp-value | escape character | { public-key keyname |
server-pki-domain domain-name } | source { interface interface-type interface-number | ip
ip-address } ] *
In FIPS mode:
ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { ecdsa | rsa |
{ x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } |
prefer-compress zlib | prefer-ctos-cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr |
aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { sha1 | sha1-96 | sha2-256 |
sha2-512 } | prefer-kex { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } |
prefer-stoc-cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr |
aes128-gcm | aes256-gcm } | prefer-stoc-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } ] *
[ escape character | { public-key keyname | server-pki-domain domain-name } | source
{ interface interface-type interface-number | ip ip-address } ] *
Views
User view
Change description
The following keywords were added:
Keywords for specifying PKI domains used in certificate verification:
pki-domain domain-name: Specifies the PKI domain of the client's certificate. When the
public key algorithm is x509v3 (x509v3-ecdsa-sha2-nistp256 or
x509v3-ecdsa-sha2-nistp384), you must specify this option for the client to get the correct
local certificate.
server-pki-domain domain-name: Specifies the PKI domain for verifying the server's
certificate. The domain-name argument represents the PKI domain name, a
case-insensitive string of 1 to 31 characters. If you do not specify the server's PKI domain,
the client uses the PKI domain of its own certificate to verify the server's certificate.
The PKI domain name cannot contain characters in the following table:
Character name   Symbol   Character name        Symbol
Tilde            ~        Dot                   .
Asterisk         *        Left angle bracket    <
Backslash        \        Right angle bracket   >
Vertical bar     |        Quotation marks       "
Colon            :        Apostrophe            '
Keywords for specifying the publickey algorithms used in publickey authentication:
ecdsa: Specifies the public key algorithm ecdsa.
x509v3-ecdsa-sha2-nistp256: Specifies the public key algorithm
x509v3-ecdsa-sha2-nistp256.
x509v3-ecdsa-sha2-nistp384: Specifies the public key algorithm
x509v3-ecdsa-sha2-nistp384.
Keywords for specifying the preferred client-to-server encryption algorithms:
aes128-ctr: Specifies the encryption algorithm aes128-ctr.
aes192-ctr: Specifies the encryption algorithm aes192-ctr.
aes256-ctr: Specifies the encryption algorithm aes256-ctr.
aes256-gcm: Specifies the encryption algorithm aes256-gcm.
aes128-gcm: Specifies the encryption algorithm aes128-gcm.
Keywords for specifying the preferred client-to-server HMAC algorithms:
sha2-256: Specifies the HMAC algorithm sha2-256.
sha2-512: Specifies the HMAC algorithm sha2-512.
Keywords for specifying the preferred key exchange algorithms:
ecdh-sha2-nistp256: Specifies the key exchange algorithm ecdh-sha2-nistp256.
ecdh-sha2-nistp384: Specifies the key exchange algorithm ecdh-sha2-nistp384.
The following keywords were modified:
Keywords for the preferred client-to-server encryption algorithm prefer-ctos-cipher:
The 3des keyword was changed to 3des-cbc.
The aes128 keyword was changed to aes128-cbc.
The aes256 keyword was changed to aes256-cbc.
The des keyword was changed to des-cbc.
Keywords for the preferred key exchange algorithm prefer-kex:
The dh-group-exchange keyword was changed to dh-group-exchange-sha1.
The dh-group1 keyword was changed to dh-group1-sha1.
The dh-group14 keyword was changed to dh-group14-sha1.
Keywords for the preferred server-to-client encryption algorithm prefer-stoc-cipher:
The 3des keyword was changed to 3des-cbc.
The aes128 keyword was changed to aes128-cbc.
The aes256 keyword was changed to aes256-cbc.
The des keyword was changed to des-cbc.
The default settings for the following algorithms were changed:
For the preferred client-to-server encryption algorithm prefer-ctos-cipher:
Before modification: The default is aes128.
After modification: The default is aes128-ctr.
For the preferred client-to-server HMAC algorithm prefer-ctos-hmac:
Before modification: The default is sha1.
After modification: The default is sha2-256.
For the preferred key exchange algorithm prefer-kex:
Before modification: The default is dh-group-exchange in non-FIPS mode and is
dh-group14 in FIPS mode.
After modification: The default is ecdh-sha2-nistp256 in both non-FIPS mode and FIPS
mode.
For the preferred server-to-client encryption algorithm prefer-stoc-cipher:
Before modification: The default is aes128.
After modification: The default is aes128-ctr.
For the preferred server-to-client HMAC algorithm prefer-stoc-hmac:
Before modification: The default is sha1.
After modification: The default is sha2-256.
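The keyword renames and new defaults listed above are the same for scp, scp ipv6, sftp, sftp ipv6, ssh2 and ssh2 ipv6. As an added example (editor's code, not HPE's, and not part of these release notes), the following Python script rewrites a saved client command line to the new keyword names, reports which algorithm will actually be in effect for each prefer-* option once the new defaults apply, and flags values that the FIPS-mode syntax does not accept. The sample command lines, key names and the "weak" list are constructed for illustration.

```python
"""Migrate and audit Comware SSH client command lines (scp, sftp, ssh2 and their
ipv6 forms) across the keyword renames and default changes in these release
notes. Added editor example, not HPE code; sample command lines are constructed."""

# Old keyword -> new keyword, per option (from the "keywords were modified" lists).
CIPHER_RENAMES = {"3des": "3des-cbc", "aes128": "aes128-cbc",
                  "aes256": "aes256-cbc", "des": "des-cbc"}
KEX_RENAMES = {"dh-group-exchange": "dh-group-exchange-sha1",
               "dh-group1": "dh-group1-sha1", "dh-group14": "dh-group14-sha1"}
RENAMES = {"prefer-ctos-cipher": CIPHER_RENAMES,
           "prefer-stoc-cipher": CIPHER_RENAMES,
           "prefer-kex": KEX_RENAMES}

# Defaults after the upgrade when an option is not given on the command line
# (from the "default settings were changed" lists).
NEW_DEFAULTS = {"prefer-ctos-cipher": "aes128-ctr", "prefer-stoc-cipher": "aes128-ctr",
                "prefer-ctos-hmac": "sha2-256", "prefer-stoc-hmac": "sha2-256",
                "prefer-kex": "ecdh-sha2-nistp256"}

# Values the FIPS-mode "new syntax" accepts for each option.
FIPS_CIPHERS = {"aes128-cbc", "aes256-cbc", "aes128-ctr", "aes192-ctr",
                "aes256-ctr", "aes128-gcm", "aes256-gcm"}
FIPS_HMACS = {"sha1", "sha1-96", "sha2-256", "sha2-512"}
FIPS_ALLOWED = {"prefer-ctos-cipher": FIPS_CIPHERS, "prefer-stoc-cipher": FIPS_CIPHERS,
                "prefer-ctos-hmac": FIPS_HMACS, "prefer-stoc-hmac": FIPS_HMACS,
                "prefer-kex": {"dh-group14-sha1", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384"},
                "identity-key": {"ecdsa", "rsa", "x509v3-ecdsa-sha2-nistp256",
                                 "x509v3-ecdsa-sha2-nistp384"}}

# Still selectable in non-FIPS mode but worth flagging in a review (editor's
# assessment, not a list from the release notes).
WEAK = {"des-cbc", "3des-cbc", "md5", "md5-96", "sha1-96", "dh-group1-sha1"}

# Options that take exactly one algorithm keyword as their next token.
VALUE_OPTIONS = set(RENAMES) | {"prefer-ctos-hmac", "prefer-stoc-hmac", "identity-key"}

# Constructed sample command lines (addresses, paths and key names are made up).
OLD_CMD = ("scp 192.0.2.10 put flash:/startup.cfg identity-key dsa prefer-ctos-cipher 3des "
           "prefer-kex dh-group1 prefer-ctos-hmac md5 publickey srvkey")
CLEAN_CMD = "sftp ipv6 2001:db8::5 -i GigabitEthernet 1/0/1 prefer-stoc-cipher aes256-gcm"


def migrate(cmd):
    """Rewrite old keywords to their new names.

    Returns (new_cmd, effective, notes): the rewritten line, the algorithm that
    will be in effect for each option (explicit value or new default), and one
    note per rename applied."""
    tokens = cmd.split()
    out, effective, notes = [], dict(NEW_DEFAULTS), []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "publickey":
            # The new syntax spells this keyword public-key.
            out.append("public-key")
            notes.append("publickey -> public-key")
        elif tok in VALUE_OPTIONS and i + 1 < len(tokens):
            val = tokens[i + 1]
            new_val = RENAMES.get(tok, {}).get(val, val)
            if new_val != val:
                notes.append(f"{tok} {val} -> {new_val}")
            out += [tok, new_val]
            effective[tok] = new_val
            i += 2          # consumed the option and its value
            continue
        else:
            out.append(tok)
        i += 1
    return " ".join(out), effective, notes


def audit(cmd, fips=False):
    """Findings for a command line after migration: weak algorithm choices and,
    in FIPS mode, any value the FIPS-mode syntax does not accept."""
    _, effective, _ = migrate(cmd)
    findings = []
    for opt, val in sorted(effective.items()):
        if val in WEAK:
            findings.append(f"weak: {opt} {val}")
        if fips and opt in FIPS_ALLOWED and val not in FIPS_ALLOWED[opt]:
            findings.append(f"not allowed in FIPS mode: {opt} {val}")
    return findings


if __name__ == "__main__":
    for cmd in (OLD_CMD, CLEAN_CMD):
        new_cmd, effective, notes = migrate(cmd)
        print(new_cmd)
        for note in notes:
            print("  renamed:", note)
        for opt, val in sorted(effective.items()):
            print(f"  effective {opt} = {val}")
        for finding in audit(cmd, fips=True):
            print("  ", finding)
```

Note that an option left off the command line is not "unchanged" after the upgrade: its negotiated algorithm moves to the new default, which is why the report lists the effective value for every option rather than only the explicit ones.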
Modified command: ssh2 ipv6
Old syntax
In non-FIPS mode:
ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type
interface-number ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des |
aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex
{ dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 |
des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * [ dscp dscp-value | escape
character | publickey keyname | source { interface interface-type interface-number | ipv6
ipv6-address } ] *
In FIPS mode:
ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type
interface-number ] [ identity-key rsa | prefer-compress zlib | prefer-ctos-cipher { aes128 |
aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher
{ aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] * [ escape character | publickey
keyname | source { interface interface-type interface-number | ipv6 ipv6-address } ] *
New syntax
In non-FIPS mode:
ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type
interface-number ] [ identity-key { dsa | ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 |
x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib |
prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr |
aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 |
sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 | dh-group1-sha1 |
dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { 3des-cbc |
aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm |
aes256-gcm } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } ] *
[ dscp dscp-value | escape character | { public-key keyname | server-pki-domain domain-name }
| source { interface interface-type interface-number | ipv6 ipv6-address } ] *
In FIPS mode:
ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type
interface-number ] [ identity-key { ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 |
x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib |
prefer-ctos-cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr |
aes128-gcm | aes256-gcm } | prefer-ctos-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } |
prefer-kex { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher
{ aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } |
prefer-stoc-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ escape character | { public-key
keyname | server-pki-domain domain-name } | source { interface interface-type interface-number
| ipv6 ipv6-address } ] *
Views
User view
Change description
The following keywords were added:
Keywords for specifying PKI domains used in certificate verification:
pki-domain domain-name: Specifies the PKI domain of the client's certificate. When the
public key algorithm is x509v3 (x509v3-ecdsa-sha2-nistp256 or
x509v3-ecdsa-sha2-nistp384), you must specify this option for the client to get the correct
local certificate.
server-pki-domain domain-name: Specifies the PKI domain for verifying the server's
certificate. The domain-name argument represents the PKI domain name, a
case-insensitive string of 1 to 31 characters. If you do not specify the server's PKI domain,
the client uses the PKI domain of its own certificate to verify the server's certificate.
The PKI domain name cannot contain characters in the following table:
Character name        Symbol
Tilde                 ~
Asterisk              *
Backslash             \
Vertical bar          |
Colon                 :
Dot                   .
Left angle bracket    <
Right angle bracket   >
Quotation marks       "
Apostrophe            '
Keywords for specifying the publickey algorithms used in publickey authentication:
ecdsa: Specifies the public key algorithm ecdsa.
x509v3-ecdsa-sha2-nistp256: Specifies the public key algorithm
x509v3-ecdsa-sha2-nistp256.
x509v3-ecdsa-sha2-nistp384: Specifies the public key algorithm
x509v3-ecdsa-sha2-nistp384.
Keywords for specifying the preferred client-to-server encryption algorithms:
aes128-ctr: Specifies the encryption algorithm aes128-ctr.
aes192-ctr: Specifies the encryption algorithm aes192-ctr.
aes256-ctr: Specifies the encryption algorithm aes256-ctr.
aes256-gcm: Specifies the encryption algorithm aes256-gcm.
aes128-gcm: Specifies the encryption algorithm aes128-gcm.
Keywords for specifying the preferred client-to-server HMAC algorithms:
sha2-256: Specifies the HMAC algorithm sha2-256.
sha2-512: Specifies the HMAC algorithm sha2-512.
Keywords for specifying the preferred key exchange algorithms:
ecdh-sha2-nistp256: Specifies the key exchange algorithm ecdh-sha2-nistp256.
ecdh-sha2-nistp384: Specifies the key exchange algorithm ecdh-sha2-nistp384.
The following keywords were modified:
Keywords for the preferred client-to-server encryption algorithm prefer-ctos-cipher:
The 3des keyword was changed to 3des-cbc.
The aes128 keyword was changed to aes128-cbc.
The aes256 keyword was changed to aes256-cbc.
The des keyword was changed to des-cbc.
Keywords for the preferred key exchange algorithm prefer-kex:
The dh-group-exchange keyword was changed to dh-group-exchange-sha1.
The dh-group1 keyword was changed to dh-group1-sha1.
The dh-group14 keyword was changed to dh-group14-sha1.
Keywords for the preferred server-to-client encryption algorithm prefer-stoc-cipher:
The 3des keyword was changed to 3des-cbc.
The aes128 keyword was changed to aes128-cbc.
The aes256 keyword was changed to aes256-cbc.
The des keyword was changed to des-cbc.
The default settings for the following algorithms were changed:
For the preferred client-to-server encryption algorithm prefer-ctos-cipher:
Before modification: The default is aes128.
After modification: The default is aes128-ctr.
For the preferred client-to-server HMAC algorithm prefer-ctos-hmac:
Before modification: The default is sha1.
After modification: The default is sha2-256.
For the preferred key exchange algorithm prefer-kex:
Before modification: The default is dh-group-exchange in non-FIPS mode and is
dh-group14 in FIPS mode.
After modification: The default is ecdh-sha2-nistp256 in both non-FIPS mode and FIPS
mode.
For the preferred server-to-client encryption algorithm prefer-stoc-cipher:
Before modification: The default is aes128.
After modification: The default is aes128-ctr.
For the preferred server-to-client HMAC algorithm prefer-stoc-hmac:
Before modification: The default is sha1.
After modification: The default is sha2-256.
New command: fips kdf ssh
Use fips kdf ssh to generate a validation file in SSH Key Derivation Function (KDF) test.
Syntax
fips kdf ssh import single-request-file export validation-file
Views
Probe view
Predefined user roles
network-admin
Parameters
import single-request-file: Specifies the name of the single request file generated by CAVS.
export validation-file: Specifies a name for the validation file to be generated.
Usage guidelines
SSH gets parameters from the single request file and sends them to the key derivation module. After
the key derivation module returns the calculation result, SSH stores the calculation result in the
validation file.
Examples
# Specify ssh.req and ssh.txt as the single request file and the validation file, respectively.
<Sysname> system-view
[Sysname] probe
[Sysname-probe] fips kdf ssh import ssh.req export ssh.txt
New feature: Ignoring the first AS number of EBGP route updates for a peer or peer group
Configuring Ignoring the first AS number of EBGP route updates for a peer or peer group
By default, BGP checks the first AS number of a received EBGP route update. If the first AS number
is neither the AS number of the BGP peer nor a private AS number, the BGP router disconnects the
BGP session to the peer.
To ignore the first AS number of EBGP route updates for a peer or peer group:
109. Enter system view.
     Command: system-view
     Remarks: N/A
110. Enter BGP instance view or BGP-VPN instance view.
     Command (BGP instance view): bgp as-number
     Command (BGP-VPN instance view): a. bgp as-number, then b. ip vpn-instance vpn-instance-name
     Remarks: N/A
111. Configure BGP to ignore the first AS number of EBGP route updates for a peer or peer group.
     Command: peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } ignore-first-as
     Remarks: By default, BGP checks the first AS number of EBGP route updates.
Command reference
peer ignore-first-as
Use peer ignore-first-as to configure BGP to ignore the first AS number of EBGP route updates for
a peer or peer group.
Use undo peer ignore-first-as to restore the default.
Syntax
peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } ignore-first-as
undo peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] }
ignore-first-as
Default
BGP checks the first AS number of a received EBGP route update.
Views
BGP instance view
BGP-VPN instance view
Predefined user roles
network-admin
Parameters
group-name: Specifies a peer group by its name, a case-sensitive string of 1 to 47 characters. The
peer group must have been created.
ipv4-address: Specifies a peer by its IPv4 address. The peer must have been created.
mask-length: Specifies a mask length in the range of 0 to 32. You can use the ipv4-address and
mask-length arguments together to specify a subnet. If you specify a subnet, BGP ignores the first
AS number of EBGP route updates for all dynamic peers in the subnet.
ipv6-address: Specifies a peer by its IPv6 address. The peer must have been created.
prefix-length: Specifies a prefix length in the range of 0 to 128. You can use the ipv6-address and
prefix-length arguments together to specify a subnet. If you specify a subnet, BGP ignores the first
AS number of EBGP route updates for all dynamic peers in the subnet.
Usage guidelines
By default, BGP checks the first AS number of a received EBGP route update. If the first AS number
is neither the AS number of the BGP peer nor a private AS number, the BGP router disconnects the
BGP session to the peer.
The peer ignore-first-as command takes effect only on routes received after the configuration of the
command. After you configure the undo peer ignore-first-as command, BGP requests the EBGP
peer or peer group to resend the routes.
Examples
# In BGP instance view, configure BGP to ignore the first AS number of EBGP route updates for the
peer group test.
<Sysname> system-view
[Sysname] bgp 100
[Sysname-bgp-default] peer test ignore-first-as
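The first-AS check described above, as an added Python example (not HPE code): it models one EBGP peer, applies the default rule (the leftmost AS of the AS_PATH must be the peer's AS or a private AS, otherwise the session is torn down) and shows how peer ignore-first-as relaxes it. Private AS ranges are the IANA reservations from RFC 6996; the peer address, AS numbers (from the RFC 5398 documentation range) and AS paths are constructed, and the handling of an empty AS_PATH is this example's own choice.

```python
# Added example (not HPE code): the first-AS check on received EBGP
# UPDATEs, with and without `peer ... ignore-first-as`.
from dataclasses import dataclass, field

# IANA private AS ranges (RFC 6996): 16-bit and 32-bit blocks.
PRIVATE_AS_RANGES = ((64512, 65534), (4200000000, 4294967294))


def is_private_as(asn):
    return any(lo <= asn <= hi for lo, hi in PRIVATE_AS_RANGES)


@dataclass
class EbgpPeer:
    address: str
    remote_as: int
    ignore_first_as: bool = False      # set by `peer <addr> ignore-first-as`
    session_up: bool = True
    accepted_paths: list = field(default_factory=list)


def first_as_ok(peer, as_path):
    """True if the leftmost AS of the AS_PATH is acceptable from this peer:
    the peer's own AS, a private AS, or anything at all when
    ignore-first-as is configured. An empty AS_PATH from an EBGP peer never
    passes (this example's choice; the notes only describe the non-empty
    case)."""
    if peer.ignore_first_as:
        return True
    if not as_path:
        return False
    first = as_path[0]
    return first == peer.remote_as or is_private_as(first)


def receive_update(peer, as_path):
    """Apply the check to one UPDATE. A failure drops the session, as the
    default behaviour in the notes describes; UPDATEs arriving on a down
    session are ignored."""
    if not peer.session_up:
        return "ignored: session down"
    if first_as_ok(peer, as_path):
        peer.accepted_paths.append(tuple(as_path))
        return "accepted"
    peer.session_up = False
    return "session dropped"


def run_scenario(ignore_first_as):
    """Feed the same three constructed UPDATEs to a peer in AS 64496 and
    return the outcome of each."""
    peer = EbgpPeer("192.0.2.1", remote_as=64496, ignore_first_as=ignore_first_as)
    updates = [
        [64496, 64498],   # leftmost AS is the peer's own AS: passes
        [65001, 64498],   # leftmost AS is private: passes
        [64497, 64498],   # leftmost AS is a third party's public AS: fails
    ]
    return [receive_update(peer, path) for path in updates]


if __name__ == "__main__":
    print("default check:   ", run_scenario(False))
    print("ignore-first-as: ", run_scenario(True))
```

The third UPDATE is the one that matters operationally: with the default check it costs the whole session, not just that route, which is why the notes describe peer ignore-first-as as a per-peer decision rather than a global one.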
Modified feature: Support for Ethernet link aggregation on Layer 3 Ethernet subinterfaces
Feature change description
Layer 3 Ethernet subinterfaces can be assigned to Layer 3 aggregation groups. The following
commands are supported in Layer 3 Ethernet subinterface view:
lacp mode
lacp period short
link-aggregation port-priority
port link-aggregation group
To configure a Layer 3 static aggregation group:
112. Enter system view.
     Command: system-view
     Remarks: N/A
113. Create a Layer 3 aggregate interface and enter Layer 3 aggregate interface view.
     Command: interface route-aggregation interface-number
     Remarks: When you create a Layer 3 aggregate interface, the system automatically creates a Layer 3 static aggregation group numbered the same.
114. Return to system view.
     Command: quit
     Remarks: N/A
115. Assign an interface or subinterface to the specified Layer 3 aggregation group.
     a. Enter Layer 3 Ethernet interface or subinterface view: interface interface-type { interface-number | interface-number.subnumber }
     b. Assign the interface or subinterface to the specified Layer 3 aggregation group: port link-aggregation group number
     Remarks: Repeat these two substeps to assign more Layer 3 Ethernet interfaces or subinterfaces to the aggregation group.
To configure a Layer 3 dynamic aggregation group:
116. Enter system view.
     Command: system-view
     Remarks: N/A
117. Set the system LACP priority.
     Command: lacp system-priority system-priority
     Remarks: By default, the system LACP priority is 32768. Changing the system LACP priority might affect the aggregation states of the ports in the dynamic aggregation group.
118. Create a Layer 3 aggregate interface and enter Layer 3 aggregate interface view.
     Command: interface route-aggregation interface-number
     Remarks: When you create a Layer 3 aggregate interface, the system automatically creates a Layer 3 static aggregation group numbered the same.
119. Configure the aggregation group to operate in dynamic mode.
     Command: link-aggregation mode dynamic
     Remarks: By default, an aggregation group operates in static mode.
120. Return to system view.
     Command: quit
     Remarks: N/A
121. Assign an interface or subinterface to the specified Layer 3 aggregation group.
     a. Enter Layer 3 Ethernet interface or subinterface view: interface interface-type { interface-number | interface-number.subnumber }
     b. Assign the interface or subinterface to the specified Layer 3 aggregation group: port link-aggregation group number
     Remarks: Repeat these two substeps to assign more Layer 3 Ethernet interfaces or subinterfaces to the aggregation group.
122. Set the LACP operating mode for the interface or subinterface.
     Command (passive): lacp mode passive
     Command (active): undo lacp mode
     Remarks: By default, LACP is operating in active mode.
123. Set the port priority for the interface or subinterface.
     Command: link-aggregation port-priority port-priority
     Remarks: The default setting is 32768.
124. Set the short LACP timeout interval (3 seconds) for the interface or subinterface.
     Command: lacp period short
     Remarks: By default, the long LACP timeout interval (90 seconds) is used by the interface or subinterface. To avoid traffic interruption during an ISSU, do not set the short LACP timeout interval before performing the ISSU. For more information about ISSU, see Fundamentals Configuration Guide.
Command changes
Modified command: lacp mode
Syntax
lacp mode passive
Views
Layer 2 Ethernet interface view, Layer 3 Ethernet interface view, Layer 3 Ethernet subinterface view
Change description
Layer 3 Ethernet subinterface view was added.
Modified command: lacp period short
Syntax
lacp period short
Views
Layer 2 Ethernet interface view, Layer 3 Ethernet interface view, Layer 3 Ethernet subinterface view
Change description
Layer 3 Ethernet subinterface view was added.
Modified command: link-aggregation port-priority
Syntax
link-aggregation port-priority port-priority
Views
Layer 2 Ethernet interface view, Layer 3 Ethernet interface view, Layer 3 Ethernet subinterface view
Change description
Layer 3 Ethernet subinterface view was added.
Modified command: port link-aggregation group
Syntax
port link-aggregation group number
Views
Layer 2 Ethernet interface view, Layer 3 Ethernet interface view, Layer 3 Ethernet subinterface view
Change description
Layer 3 Ethernet subinterface view was added.
A Layer 3 Ethernet subinterface can belong to only one aggregation group.
You cannot create subinterfaces on a Layer 3 Ethernet interface that is in an aggregation group. You
cannot assign a Layer 3 Ethernet interface that contains subinterfaces to an aggregation group.
When you assign a Layer 3 Ethernet subinterface to an aggregation group, follow these restrictions
and guidelines:
As a best practice, configure the VLAN termination commands on the subinterface first if VLAN
termination is required. VLAN termination configuration on the subinterface cannot be modified
after the subinterface is assigned to an aggregation group.
Make sure the VLAN termination configuration is the same on all Layer 3 Ethernet
subinterfaces when you assign the subinterfaces to the same aggregation group.
When you configure the vlan-type dot1q vid vlan-id-list [ loose ] command on a subinterface
to be assigned a dynamic aggregation group, make sure the vlan-id-list argument specifies only
one VLAN ID.
You cannot assign Layer 3 Ethernet interfaces and Layer 3 Ethernet subinterfaces to the same
aggregation group.
You cannot create aggregate subinterfaces on a Layer 3 aggregate interface whose corresponding
aggregation group uses Layer 3 Ethernet subinterfaces as member ports. You cannot assign Layer 3
Ethernet subinterfaces to an aggregation group whose corresponding aggregate interface has
aggregate subinterfaces.
Modified feature: Changing the maximum number of FIB table entries
Feature change description
The maximum number of FIB entries that MSR2003 supports for the IPv4 public network is changed
to 300000.
The maximum number of FIB entries that MSR2003 supports for the IPv6 public network is changed
to 300000.
Command changes
None
Modified feature: Enabling CWMP
Feature change description
The default CWMP status was changed from disabled to enabled.
To enable CWMP:
125. Enter system view.
     Command: system-view
     Remarks: N/A
126. Enter CWMP view.
     Command: cwmp
     Remarks: N/A
127. Enable CWMP.
     Command: cwmp enable
     Remarks: By default, CWMP is enabled.
Command changes
Modified command: cwmp enable
Syntax
cwmp enable
undo cwmp enable
Views
CWMP view
Change description
Before modification: CWMP is disabled by default.
After modification: CWMP is enabled by default.
Release 0305
This release has the following changes:
New feature: IKE
Modified feature: IPsec
New feature: IKE
Feature change description
IKEv2 was added.
For more information about configuring IKEv2, see HPE FlexNetwork MSR Routers Security
Configuration Guide (V7).
Command changes
New commands: IKEv2 commands
For more information about the IKEv2 commands, see HPE FlexNetwork MSR Routers Security
Command Reference (V7).
Modified feature: IPsec
Feature change description
IPsecv3 was modified.
Command changes
Modified command: ah authentication-algorithm
Old syntax
In non-FIPS mode:
ah authentication-algorithm { md5 | sha1 | sm3 } *
undo ah authentication-algorithm
In FIPS mode:
ah authentication-algorithm sha1
undo ah authentication-algorithm
New syntax
In non-FIPS mode:
ah authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 | sm3 } *
undo ah authentication-algorithm
In FIPS mode:
ah authentication-algorithm { sha1 | sha256 | sha384 | sha512 } *
undo ah authentication-algorithm
Views
IPsec transform set view
Change description
The following keywords were added:
aes-xcbc-mac: Specifies the HMAC-AES-XCBC-MAC algorithm, which uses a 128-bit key.
This keyword is available only for IKEv2.
sha256: Specifies the HMAC-SHA256 algorithm, which uses a 256-bit key. This keyword is
available only for IKEv2.
sha384: Specifies the HMAC-SHA384 algorithm, which uses a 384-bit key. This keyword is
available only for IKEv2.
sha512: Specifies the HMAC-SHA512 algorithm, which uses a 512-bit key. This keyword is
available only for IKEv2.
New command: esn enable
Use esn enable to enable the Extended Sequence Number (ESN) feature.
Use undo esn enable to disable ESN.
Syntax
esn enable [ both ]
undo esn enable
Default
ESN is disabled.
Views
IPsec transform set view
Predefined user roles
network-admin
Parameters
both: Specifies IPsec to support both extended sequence number and traditional sequence number.
If you do not specify this keyword, IPsec only supports extended sequence number.
Usage guidelines
The ESN feature extends the sequence number length from 32 bits to 64 bits. This feature prevents
the sequence number space from being exhausted when large volumes of data are transmitted at
high speeds over an IPsec SA. If the sequence number space is not exhausted, the IPsec SA does
not need to be renegotiated.
This feature must be enabled at both the initiator and the responder.
Examples
# Enable ESN in the IPsec transform set tran1.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] esn enable
Related commands
display ipsec transform-set
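To see why the 64-bit counter matters, and what a receiver has to do when each ESP packet still carries only the low-order 32 bits, here is an added Python example (not HPE code). The exhaustion figures use the counter sizes given in the usage guidelines above; the reconstruction of the high-order bits follows RFC 4303 Appendix A2.2, which the notes do not describe. The window size, packet rates and sequence values are constructed.

```python
# Added example (not HPE code): arithmetic behind the ESN feature.
# Exhaustion figures follow the 32-bit vs 64-bit counter sizes stated in
# the usage guidelines; recovery of the high-order 32 bits (never sent on
# the wire) follows RFC 4303 Appendix A2.2.

SEQ32_SPACE = 2**32 - 1   # usable 32-bit sequence numbers (1 .. 2^32-1)
SEQ64_SPACE = 2**64 - 1   # usable 64-bit sequence numbers with ESN
MOD32 = 2**32


def seconds_until_exhaustion(packets_per_second, esn_enabled):
    """Seconds an SA can carry traffic at a constant packet rate before the
    sequence number space runs out and the SA must be renegotiated."""
    space = SEQ64_SPACE if esn_enabled else SEQ32_SPACE
    return space / packets_per_second


def infer_full_sequence(seq_low, top_high, top_low, window=64):
    """Rebuild the 64-bit sequence number from the 32 low-order bits that
    arrive in the ESP header.

    top_high:top_low is the highest sequence number the receiver has
    authenticated so far; window is the anti-replay window size W.
    Returns None if no value consistent with the window exists."""
    # Lowest low-order value that still lies inside the window, mod 2^32.
    bottom = (top_low - window + 1) % MOD32
    if top_low >= window - 1:
        # Case A: the whole window lies inside one 2^32 subspace; a small
        # seq_low below the window must belong to the next subspace.
        seq_high = top_high if seq_low >= bottom else top_high + 1
    else:
        # Case B: the window straddles two subspaces; a large seq_low
        # belongs to the previous subspace.
        seq_high = top_high - 1 if seq_low >= bottom else top_high
    if seq_high < 0:
        return None
    return (seq_high << 32) | seq_low


def anti_replay_check(seq, top, received, window=64):
    """Sliding-window replay check on the reconstructed 64-bit value.
    Returns 'accept' (new, or unseen inside the window), 'replay' (already
    seen) or 'stale' (older than the window). `received` is the set of
    accepted sequence numbers and is updated on accept; the caller
    advances `top` when the verdict is 'accept' and seq > top."""
    if seq > top:
        verdict = "accept"
    elif seq <= top - window:
        verdict = "stale"
    elif seq in received:
        verdict = "replay"
    else:
        verdict = "accept"
    if verdict == "accept":
        received.add(seq)
    return verdict


if __name__ == "__main__":
    for esn in (False, True):
        hours = seconds_until_exhaustion(10**6, esn) / 3600
        print(f"ESN {'on ' if esn else 'off'}: 1 Mpps exhausts the space after {hours:.3g} hours")
    # A packet whose low 32 bits wrapped around relative to the window top.
    print(hex(infer_full_sequence(10, top_high=5, top_low=100)))
```

At one million packets per second a 32-bit counter lasts a little over an hour, which is why the guidelines tie ESN to SA renegotiation; the reconstruction function is what lets both ends keep that 64-bit count in step while the ESP header stays unchanged, and it is also why the feature must be enabled on both the initiator and the responder.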
Modified command: esp authentication-algorithm
Old syntax
In non-FIPS mode:
esp authentication-algorithm { md5 | sha1 | sm3 } *
undo esp authentication-algorithm
In FIPS mode:
esp authentication-algorithm sha1
undo esp authentication-algorithm
New syntax
In non-FIPS mode:
esp authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 | sm3 } *
undo esp authentication-algorithm
In FIPS mode:
esp authentication-algorithm { sha1 | sha256 | sha384 | sha512 } *
undo esp authentication-algorithm
Views
IPsec transform set view
Change description
The following keywords were added:
aes-xcbc-mac: Specifies the HMAC-AES-XCBC-MAC algorithm, which uses a 128-bit key.
This keyword is available only for IKEv2.
sha256: Specifies the HMAC-SHA256 algorithm, which uses a 256-bit key. This keyword is
available only for IKEv2.
sha384: Specifies the HMAC-SHA384 algorithm, which uses a 384-bit key. This keyword is
available only for IKEv2.
sha512: Specifies the HMAC-SHA512 algorithm, which uses a 512-bit key. This keyword is
available only for IKEv2.
Modified command: esp encryption-algorithm
Old syntax
Low encryption:
esp encryption-algorithm des-cbc
undo esp encryption-algorithm
High encryption (in non-FIPS mode):
esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc | null
| sm1-cbc-128 | sm1-cbc-192 | sm1-cbc-256 } *
undo esp encryption-algorithm
High encryption (in FIPS mode):
esp encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 }*
undo esp encryption-algorithm
New syntax
Low encryption:
esp encryption-algorithm des-cbc
undo esp encryption-algorithm
High encryption (in non-FIPS mode):
esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 |
aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des-cbc |
gmac-128 | gmac-192 | gmac-256 | gcm-128 | gcm-192 | gcm-256 | null | sm1-cbc-128 |
sm1-cbc-192 | sm1-cbc-256 | sm4-cbc } *
undo esp encryption-algorithm
High encryption (in FIPS mode):
esp encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192
| aes-ctr-256 | gmac-128 | gmac-192 | gmac-256 | gcm-128 | gcm-192 | gcm-256 }*
undo esp encryption-algorithm
Views
IPsec transform set view
Change description
The following keywords were added:
aes-ctr-128: Specifies the AES algorithm in CTR mode, which uses a 128-bit key. This keyword
is available only for IKEv2.
aes-ctr-192: Specifies the AES algorithm in CTR mode, which uses a 192-bit key. This keyword
is available only for IKEv2.
aes-ctr-256: Specifies the AES algorithm in CTR mode, which uses a 256-bit key. This keyword
is available only for IKEv2.
camellia-cbc-128: Specifies the Camellia algorithm in CBC mode, which uses a 128-bit key.
This keyword is available only for IKEv2.
camellia-cbc-192: Specifies the Camellia algorithm in CBC mode, which uses a 192-bit key.
This keyword is available only for IKEv2.
camellia-cbc-256: Specifies the Camellia algorithm in CBC mode, which uses a 256-bit key.
This keyword is available only for IKEv2.
gmac-128: Specifies the GMAC algorithm, which uses a 128-bit key. This keyword is available
only for IKEv2.
gmac-192: Specifies the GMAC algorithm, which uses a 192-bit key. This keyword is available
only for IKEv2.
gmac-256: Specifies the GMAC algorithm, which uses a 256-bit key. This keyword is available
only for IKEv2.
gcm-128: Specifies the GCM algorithm, which uses a 128-bit key. This keyword is available
only for IKEv2.
gcm-192: Specifies the GCM algorithm, which uses a 192-bit key. This keyword is available
only for IKEv2.
gcm-256: Specifies the GCM algorithm, which uses a 256-bit key. This keyword is available
only for IKEv2.
sm4-cbc: Specifies the SM4 algorithm in CBC mode, which uses a 128-bit key.
Modified command: pfs
Old syntax
In non-FIPS mode:
pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group24 }
undo pfs
In FIPS mode:
pfs dh-group14
undo pfs
New syntax
In non-FIPS mode:
pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group24 | dh-group19 |
dh-group20 }
undo pfs
In FIPS mode:
pfs { dh-group14 | dh-group19 | dh-group20 }
undo pfs
Views
IPsec transform set view
Change description
The following keywords were added:
dh-group19: Uses the 256-bit ECP Diffie-Hellman group. This keyword is available only for IKEv2.
dh-group20: Uses the 384-bit ECP Diffie-Hellman group. This keyword is available only for IKEv2.
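The algorithm keyword changes in these release notes (the ssh2 client prefer-* options and their new defaults in Release 0306, and the ah authentication-algorithm, esp authentication-algorithm, esp encryption-algorithm and pfs keywords in this release) add stronger options but keep the legacy ones selectable, so a configuration review still has to catch weak choices. The following Python script is an added example, not HPE code: it scans Comware CLI lines for those commands, reports weak keywords, and resolves an ssh2 command's effective preferences using the Release 0306 defaults stated above. The weak/strong classification and the sample configuration (2001:db8::/32 documentation addresses) are this example's own.

```python
# Added example (not HPE code): flag weak algorithm keywords in Comware
# CLI lines. Keyword names come from the release notes; the weak/strong
# judgement and the sample configuration are this example's own.

SSH_DEFAULTS = {
    # Release 0306 defaults for the ssh2 client command when a prefer-*
    # option is not given (from the change description in these notes).
    "prefer-ctos-cipher": "aes128-ctr",
    "prefer-stoc-cipher": "aes128-ctr",
    "prefer-ctos-hmac": "sha2-256",
    "prefer-stoc-hmac": "sha2-256",
    "prefer-kex": "ecdh-sha2-nistp256",
}

# Keywords a reviewer should flag, with the reason (this example's
# classification: small key, small block, truncated tag or small DH group).
WEAK = {
    "des": "56-bit DES",
    "des-cbc": "56-bit DES",
    "3des": "3DES: 64-bit block, Sweet32-class attacks",
    "3des-cbc": "3DES: 64-bit block, Sweet32-class attacks",
    "md5": "HMAC-MD5",
    "md5-96": "truncated HMAC-MD5",
    "sha1-96": "truncated HMAC-SHA1",
    "dh-group1": "768-bit DH group",
    "dh-group1-sha1": "768-bit DH group",
    "dh-group2": "1024-bit DH group",
    "null": "ESP without encryption",
}


def ssh_preferences(tokens):
    """Map each prefer-* option of an ssh2 client command to the keyword
    chosen on the line, falling back to the Release 0306 defaults."""
    prefs = dict(SSH_DEFAULTS)
    for i, tok in enumerate(tokens[:-1]):
        if tok in SSH_DEFAULTS:
            prefs[tok] = tokens[i + 1]
    return prefs


def audit_line(line):
    """Return a list of findings ('<option> <keyword>: <reason>') for one
    CLI line; an empty list means nothing to flag."""
    tokens = line.split()
    findings = []
    if not tokens:
        return findings
    if tokens[0] == "ssh2":
        for opt, kw in ssh_preferences(tokens).items():
            if kw in WEAK:
                findings.append(f"{opt} {kw}: {WEAK[kw]}")
    elif tokens[0] in ("esp", "ah") and len(tokens) > 2 and tokens[1].endswith("-algorithm"):
        # esp/ah ...-algorithm accept several keywords on one line (the * in the syntax).
        for kw in tokens[2:]:
            if kw in WEAK:
                findings.append(f"{tokens[0]} {tokens[1]} {kw}: {WEAK[kw]}")
    elif tokens[0] == "pfs" and len(tokens) > 1 and tokens[1] in WEAK:
        findings.append(f"pfs {tokens[1]}: {WEAK[tokens[1]]}")
    return findings


def audit_config(text):
    """Audit a whole configuration; returns {line_number: findings} for the
    lines that produced at least one finding."""
    report = {}
    for number, line in enumerate(text.splitlines(), start=1):
        findings = audit_line(line.strip())
        if findings:
            report[number] = findings
    return report


# Constructed sample configuration (2001:db8::/32 is the documentation prefix).
SAMPLE_CONFIG = """\
ssh2 ipv6 2001:db8::10 prefer-ctos-cipher des-cbc prefer-kex dh-group1-sha1
ssh2 ipv6 2001:db8::11
ipsec transform-set weak1
 esp encryption-algorithm des-cbc
 esp authentication-algorithm md5
 pfs dh-group1
ipsec transform-set strong1
 esp encryption-algorithm aes-ctr-256 gcm-256
 esp authentication-algorithm sha256
 pfs dh-group19
"""

if __name__ == "__main__":
    for number, findings in sorted(audit_config(SAMPLE_CONFIG).items()):
        for finding in findings:
            print(f"line {number}: {finding}")
```

Lines are matched by their first token, so the indentation of a saved running configuration does not matter. The second ssh2 line produces no finding because, with no prefer-* options, the Release 0306 defaults (aes128-ctr, sha2-256, ecdh-sha2-nistp256) apply; on a device still running the earlier defaults (aes128, sha1, dh-group-exchange) the same line would negotiate weaker algorithms, which is the practical reason the default change is worth noting during an upgrade.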
New command: tfc enable
Use tfc enable to enable the Traffic Flow Confidentiality (TFC) padding feature.
Use undo tfc enable to disable TFC padding.
Syntax
tfc enable
undo tfc enable
Default
TFC padding is disabled.
Views
IPsec policy view
IPsec policy template view
Predefined user roles
network-admin
Usage guidelines
The TFC padding feature can hide the length of the original packet and might affect the packet
encapsulation and de-encapsulation performance. This feature takes effect on UDP packets
encapsulated by ESP in transport mode and on original IP packets encapsulated by ESP in tunnel
mode.
Examples
# Enable TFC padding for the IPsec policy policy1.
<Sysname> system-view
[Sysname] ipsec policy policy1 10 isakmp
[Sysname-ipsec-policy-isakmp-policy1-10] tfc enable
Related commands
display ipsec ipv6-policy
display ipsec policy
Modified command: public-key local create
Old syntax
public-key local create { dsa | ecdsa | rsa } [ name key-name ]
New syntax
public-key local create { dsa | ecdsa [ secp192r1 | secp256r1 | secp384r1 ] | rsa } [ name
key-name ]
Views
System view
Change description
The following keywords were added:
secp192r1: Uses the secp192r1 curve to create a 192-bit ECDSA key pair. The secp192r1
curve is used by default.
secp256r1: Uses the secp256r1 curve to create a 256-bit ECDSA key pair.
secp384r1: Uses the secp384r1 curve to create a 384-bit ECDSA key pair.
Modified command: public-key ecdsa
Old syntax
public-key ecdsa name key-name
New syntax
public-key ecdsa name key-name [ secp192r1 | secp256r1 | secp384r1 ]
Views
PKI domain view
Change description
The following keywords were added:
secp192r1: Uses the secp192r1 curve to generate the key pair.
secp256r1: Uses the secp256r1 curve to generate the key pair.
secp384r1: Uses the secp384r1 curve to generate the key pair.
Release 0304P12
This release has the following changes:
New feature: Including vendor information in PPP accounting requests
New feature: BFD for an aggregation group
Modified feature: SSH username
Modified feature: IS-IS hello packet sending interval
Modified feature: MP-group interface numbering
New feature: Including vendor information in PPP accounting requests
Configuring Including vendor information in PPP accounting requests
This feature enables vendor information to be included in PPP accounting requests.
Command reference
pppoe-server account-vendor
Use pppoe-server account-vendor to include vendor information in PPP accounting requests.
Use undo pppoe-server account-vendor to exclude vendor information from PPP accounting
requests.
Syntax
pppoe-server account-vendor { adsl-forum | cn-telecom }
undo pppoe-server account-vendor { adsl-forum | cn-telecom }
Default
Vendor information is not included in PPP accounting requests.
Views
Ethernet interface view
Ethernet subinterface view
Predefined user roles
network-admin
Parameters
adsl-forum: Specifies the ADSL forum vendor information.
cn-telecom: Specifies the China Telecom vendor information.
Examples
# Include China Telecom vendor information in the PPP accounting requests.
<Sysname> system-view
[Sysname] interface gigabitethernet 2/0/1
[Sysname-GigabitEthernet2/0/1] pppoe-server account-vendor cn-telecom
New feature: BFD for an aggregation group
Configuring BFD for an aggregation group
BFD for Ethernet link aggregation can monitor member link status in an aggregation group. After you
enable BFD on an aggregate interface, each Selected port in the aggregation group establishes a
BFD session with its peer port. BFD operates differently depending on the aggregation modes.
BFD for static aggregation—When BFD detects a link failure, BFD notifies the Ethernet link
aggregation module that the peer port is unreachable. The local port is placed in Unselected
state. The BFD session between the local and peer ports remains, and the local port keeps
sending BFD packets. When the link is recovered, the local port receives BFD packets from the
peer port, and BFD notifies the Ethernet link aggregation module that the peer port is reachable.
The local port is placed in Selected state again. This mechanism ensures that the local and
peer ports of a static aggregate link have the same aggregation state.
BFD for dynamic aggregation—When BFD detects a link failure, BFD notifies the Ethernet
link aggregation module that the peer port is unreachable. BFD clears the session and stops
sending BFD packets. When the link is recovered and the local port is placed in Selected state
again, the local port establishes a new session with the peer port. BFD notifies the Ethernet link
aggregation module that the peer port is reachable. Because BFD provides fast failure
detection, the local and peer systems of a dynamic aggregate link can negotiate the
aggregation state of their member ports faster.
For more information about BFD, see High Availability Configuration Guide.
Configuration restrictions and guidelines
When you enable BFD for an aggregation group, follow these restrictions and guidelines:
Make sure the source and destination IP addresses are consistent at two ends of an aggregate
link. For example, if you execute link-aggregation bfd ipv4 source 1.1.1.1 destination
2.2.2.2 on the local end, execute link-aggregation bfd ipv4 source 2.2.2.2 destination
1.1.1.1 on the peer end. The source and destination IP addresses cannot be the same.
The BFD parameters configured on an aggregate interface take effect on all BFD sessions in
the aggregation group. BFD sessions for link aggregation do not support the echo packet mode
and the Demand mode.
HPE recommends not configuring other protocols to collaborate with BFD on a BFD-enabled
aggregate interface.
Make sure the number of member ports in a BFD-enabled aggregation group is not larger than
the number of BFD sessions supported by the device. Otherwise, this command might cause
some Selected ports in the aggregation group to change to the Unselected state.
Configuration procedure
To enable BFD for an aggregation group:
Enter system view.
     Command: system-view
     Remarks: N/A
Enter Layer 3 aggregate interface view.
     Command: interface route-aggregation interface-number
     Remarks: N/A
Enable BFD for the aggregation group.
     Command: link-aggregation bfd ipv4 source ip-address destination ip-address
     Remarks: By default, BFD is disabled for an aggregation group.
Command reference
link-aggregation bfd ipv4
Use link-aggregation bfd ipv4 to enable BFD for an aggregation group.
Use undo link-aggregation bfd to disable BFD for an aggregation group.
Syntax
link-aggregation bfd ipv4 source ip-address destination ip-address
undo link-aggregation bfd
Default
BFD is disabled for an aggregation group.
Views
Layer 3 aggregate interface view
Predefined user roles
network-admin
Parameters
source ip-address: Specifies the unicast source IP address of BFD sessions. The source IP address
cannot be 0.0.0.0.
destination ip-address: Specifies the unicast destination IP address of BFD sessions. The
destination IP address cannot be 0.0.0.0.
Usage guidelines
Make sure the source and destination IP addresses are consistent at two ends of an aggregate link.
For example, if you execute link-aggregation bfd ipv4 source 1.1.1.1 destination 2.2.2.2 on the
local end, execute link-aggregation bfd ipv4 source 2.2.2.2 destination 1.1.1.1 on the peer end.
The source and destination IP addresses cannot be the same.
The BFD parameters configured on an aggregate interface take effect on all BFD sessions in the
aggregation group. BFD sessions for link aggregation do not support the echo packet mode and the
Demand mode.
HPE recommends not configuring other protocols to collaborate with BFD on a BFD-enabled
aggregate interface.
Make sure the number of member ports in a BFD-enabled aggregation group is not larger than the
number of BFD sessions supported by the device. Otherwise, this command might cause some
Selected ports in the aggregation group to change to the Unselected state.
Examples
# Enable BFD for Layer 3 aggregation group 1, and specify the source and destination IP addresses
as 1.1.1.1 and 2.2.2.2 for BFD sessions.
<Sysname> system-view
[Sysname] interface route-aggregation 1
[Sysname-Route-Aggregation1] link-aggregation bfd ipv4 source 1.1.1.1 destination 2.2.2.2
Modified feature: SSH username
Feature change description
In this release, an SSH username cannot be a, al, all, or include the following characters:
\ | / : * ? < >
The at sign (@) can only be used in the username format pureusername@domain when the
username contains an ISP domain name.
Command changes
Modified command: ssh user
Syntax
In non-FIPS mode:
ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type { password
| { any | password-publickey | publickey } assign { pki-domain domain-name | publickey
keyname } }
undo ssh user username
In FIPS mode:
ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type { password
| password-publickey assign { pki-domain domain-name | publickey keyname } }
undo ssh user username
Views
System view
Change description
Before modification: The username argument is a case-insensitive string of 1 to 80 characters. If the
username contains an ISP domain name, use the format pureusername@domain.
After modification: The username argument is a case-insensitive string of 1 to 80 characters,
excluding a, al, all, and the following characters:
\ | / : * ? < >
The at sign (@) can only be used in the username format pureusername@domain when the
username contains an ISP domain name.
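The username rule above, written out as a validator so it can be applied to a user list before it is pushed to the device. This is an added example in Python, not HPE code; the reserved-name check is case-insensitive because the page states the username argument itself is case-insensitive.

```python
# Characters that an SSH username may not contain in this release.
FORBIDDEN_CHARS = set('\\|/:*?<>')
# Reserved names; compared case-insensitively (the argument is case-insensitive).
RESERVED_NAMES = {'a', 'al', 'all'}


def validate_ssh_username(username: str) -> list:
    """Return the list of rule violations; an empty list means the name is acceptable.

    Rules implemented, as stated in the change description:
      * 1 to 80 characters;
      * not a, al or all;
      * none of \\ | / : * ? < >;
      * '@' only as the single separator in pureusername@domain.
    """
    problems = []
    if not 1 <= len(username) <= 80:
        problems.append('length must be 1 to 80 characters')
    if username.lower() in RESERVED_NAMES:
        problems.append('reserved name: a, al and all are not allowed')
    bad = sorted(FORBIDDEN_CHARS.intersection(username))
    if bad:
        problems.append('forbidden characters: ' + ' '.join(bad))
    at_count = username.count('@')
    if at_count > 1:
        problems.append("'@' may appear only once, as the pureusername@domain separator")
    elif at_count == 1:
        pure, domain = username.split('@')
        if not pure or not domain:
            problems.append("'@' is only allowed in the form pureusername@domain")
    return problems


def split_isp_domain(username: str):
    """Split pureusername@domain into (pureusername, domain); domain is None when absent."""
    if '@' in username:
        pure, domain = username.split('@', 1)
        return pure, domain
    return username, None


if __name__ == '__main__':
    # Constructed sample names for a quick local run.
    for name in ('admin', 'ALL', 'ops/user', 'alice@isp1', '@isp', 'a@b@c'):
        print(repr(name), validate_ssh_username(name) or 'ok')
```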
Modified feature: IS-IS hello packet
sending interval
Feature change description
The value range of the interval for sending hello packets was changed to 1 to 255 seconds.
Command changes
Modified command: isis timer hello
Syntax
isis timer hello seconds [ level-1 | level-2 ]
undo isis timer hello [ level-1 | level-2 ]
Views
Interface view
Change description
The value range for the seconds argument was changed to 1 to 255 seconds.
Modified feature: MP-group interface
numbering
Feature change description
In this release, the numbering for MP-group interfaces is changed.
Command changes
Modified command: interface mp-group
Syntax
interface mp-group mp-number
Views
System view
Change description
MP-group interfaces on MSR4000 routers are numbered in the 2/0/x format.
Modified command: display interface mp-group
Syntax
display interface [ mp-group [ interface-number ] ] [ brief [ description | down ] ]
Views
Any view
Change description
MP-group interfaces on MSR4000 routers are numbered in the 2/0/x format.
Modified command: ppp mp mp-group
Syntax
ppp mp mp-group mp-number
Views
Interface view
Change description
MP-group interfaces on MSR4000 routers are numbered in the 2/0/x format.
Modified command: reset counters interface mp-group
Syntax
reset counters interface [ mp-group [ interface-number ] ]
Views
Interface view
Change description
MP-group interfaces on MSR4000 routers are numbered in the 2/0/x format.
Release 0304P04
This release has the following changes:
New feature: Media Stream Control (MSC) logging
Modified feature: ESP encryption algorithms
New feature: Media Stream Control (MSC)
logging
This feature enables the router to generate MSC logs and send the logs to the information center.
Command reference
sip log enable
Use sip log enable to enable Media Stream Control (MSC) logging.
Use undo sip log enable to disable MSC logging.
Syntax
sip log enable
undo sip log enable
Default
MSC logging is disabled.
Views
Voice view
Predefined user roles
network-admin
Usage guidelines
This command enables the router to generate MSC logs and send the logs to the information center.
The information center outputs the logs to a destination according to an output rule. For more
information about the information center, see Network Management and Monitoring Configuration
Guide.
MSC logging is used for auditing purposes.
Examples
# Enable MSC logging.
<Sysname> system-view
[Sysname] voice-setup
[Sysname-voice] sip log enable
Modified feature: ESP encryption
algorithms
Feature change description
Support for the CBC-mode SM4 algorithm was added for high encryption in non-FIPS mode.
Command changes
Modified command: esp encryption-algorithm
Old Syntax
High encryption (in non-FIPS mode):
esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc | null
| sm1-cbc-128 | sm1-cbc-192 | sm1-cbc-256 } *
New Syntax
High encryption (in non-FIPS mode):
esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc | null
| sm1-cbc-128 | sm1-cbc-192 | sm1-cbc-256 | sm4-cbc } *
Views
IPsec transform set view
Change description
The sm4-cbc keyword was added to support the CBC-mode SM4 algorithm, which uses a 128-bit
key.
Release 0304P02
This release has the following changes:
New feature: IMSI/SN binding authentication
New feature: Specifying a band for a 4G modem
New feature: CFD
New feature: Using tunnel interfaces as OpenFlow ports
New feature: NETCONF support for ACL filtering
New feature: Specifying a backup traffic processing unit
New feature: WAAS
New feature: Support for the MKI field in SRTP or SRTCP packets
New feature: SIP domain name
New feature: E&M logging
Modified feature: Setting the global link-aggregation load-sharing mode
New feature: IMSI/SN binding
authentication
This feature enables the device to include the IMSI/SN information in the LCP authentication
information.
Command reference
ppp lcp imsi accept
Use ppp lcp imsi accept to enable the client to accept the IMSI binding authentication requests
from the LNS.
Use undo ppp lcp imsi accept to restore the default.
Syntax
ppp lcp imsi accept
undo ppp lcp imsi accept
Default
The client declines the IMSI binding authentication requests from the LNS.
Views
Interface view
Predefined user roles
network-admin
Examples
# Enable the client to accept the IMSI binding authentication requests from the LNS.
<Sysname> system-view
[Sysname] interface virtual-template 1
[Sysname-Virtual-Template1] ppp lcp imsi accept
Related commands
ppp lcp imsi request
ppp lcp imsi string
ppp lcp imsi request
Use ppp lcp imsi request to enable the LNS to initiate IMSI binding authentication requests.
Use undo ppp lcp imsi request to restore the default.
Syntax
ppp lcp imsi request
undo ppp lcp imsi request
Default
The LNS does not initiate IMSI binding authentication requests.
Views
Interface view
Predefined user roles
network-admin
Examples
# Enable the LNS to initiate IMSI binding authentication requests.
<Sysname> system-view
[Sysname] interface virtual-template 1
[Sysname-Virtual-Template1] ppp lcp imsi request
Related commands
ppp lcp imsi accept
ppp lcp imsi string
ppp lcp imsi string
Use ppp lcp imsi string imsi-info to configure the IMSI information on the client.
Use undo ppp lcp imsi string to delete the IMSI information on the client.
Syntax
ppp lcp imsi string imsi-info
undo ppp lcp imsi string
Default
The client automatically obtains the IMSI information from its SIM card.
Views
Interface view
Predefined user roles
network-admin
Parameters
string imsi-info: Specifies the IMSI information, a case-sensitive string of 1 to 31 characters.
Examples
# Configure the IMSI information as imsi1.
<Sysname> system-view
[Sysname] interface virtual-template 1
[Sysname-Virtual-Template1] ppp lcp imsi string imsi1
Related commands
ppp lcp imsi request
ppp lcp imsi accept
ppp lcp sn accept
Use ppp lcp sn accept to enable the client to accept the SN binding authentication requests from
the LNS.
Use undo ppp lcp sn accept to restore the default.
Syntax
ppp lcp sn accept
undo ppp lcp sn accept
Default
The client declines the SN binding authentication requests from the LNS.
Views
Interface view
Predefined user roles
network-admin
Examples
# Enable the client to accept the SN binding authentication requests from the LNS.
<Sysname> system-view
[Sysname] interface virtual-template 1
[Sysname-Virtual-Template1] ppp lcp sn accept
Related commands
ppp lcp sn request
ppp lcp sn string
ppp lcp sn request
Use ppp lcp sn request to enable the LNS to initiate SN binding authentication requests.
Use undo ppp lcp sn request to restore the default.
Syntax
ppp lcp sn request
undo ppp lcp sn request
Default
The LNS does not initiate SN binding authentication requests.
Views
Interface view
Predefined user roles
network-admin
Examples
# Enable the LNS to initiate SN binding authentication requests.
<Sysname> system-view
[Sysname] interface virtual-template 1
[Sysname-Virtual-Template1] ppp lcp sn request
Related commands
ppp lcp sn accept
ppp lcp sn string
ppp lcp sn string
Use ppp lcp sn string sn-info to configure the SN information on the client.
Use undo ppp lcp sn string to delete the SN information on the client.
Syntax
ppp lcp sn string sn-info
undo ppp lcp sn string
Default
The client automatically obtains the SN information from its SIM card.
Views
Interface view
Predefined user roles
network-admin
Parameters
string sn-info: Specifies the SN information, a case-sensitive string of 1 to 31 characters.
Examples
# Configure the SN information as sn1.
<Sysname> system-view
[Sysname] interface virtual-template 1
[Sysname-Virtual-Template1] ppp lcp sn string sn1
Related commands
ppp lcp sn request
ppp lcp sn accept
ppp user accept-format imsi-sn split
Use ppp user accept-format imsi-sn split splitchart to configure the separator for the received
authentication information.
Use undo ppp user accept-format to restore the default.
Syntax
ppp user accept-format imsi-sn split splitchart
undo ppp user accept-format
Default
No separator is configured for the received authentication information.
Views
Interface view
Predefined user roles
network-admin
Parameters
splitchart: Specifies the separator. The separator contains one character, and it can be a letter, a digit,
or any sign other than the at sign (@), slash (/), and backslash (\).
Usage guidelines
By default, the authentication information contains only the client username. If you include the IMSI
or SN information in the authentication information, you need to configure the separator to separate
different types of information.
If no IMSI/SN information is received from the peer during the authentication process, the IMSI/SN
information split from the received authentication information is used.
Examples
# Configure the pound sign (#) as the separator for the authentication information.
<Sysname> system-view
[Sysname] interface virtual-template 1
[Sysname-Virtual-Template1] ppp user accept-format imsi-sn split #
Related commands
ppp lcp sn request
ppp lcp imsi request
ppp lcp sn accept
ppp lcp imsi accept
ppp user attach-format imsi-sn split
Use ppp user attach-format imsi-sn split splitchart to configure the separator for the sent
authentication information.
Use undo ppp user attach-format to restore the default.
Syntax
ppp user attach-format imsi-sn split splitchart
undo ppp user attach-format
Default
No separator is configured for the sent authentication information.
Views
Interface view
Predefined user roles
network-admin
Parameters
splitchart: Specifies the separator. The separator contains one character, and it can be a letter, a digit,
or any sign other than the at sign (@), slash (/), and backslash (\).
Usage guidelines
By default, the authentication information contains only the client username. If you include the IMSI
or SN information in the authentication information, you need to configure the separator to separate
different types of information.
Examples
# Configure the pound sign (#) as the separator for the sent authentication information.
<Sysname> system-view
[Sysname] interface virtual-template 1
[Sysname-Virtual-Template1] ppp user attach-format imsi-sn split #
Related commands
ppp lcp sn request
ppp lcp imsi request
ppp lcp sn accept
ppp lcp imsi accept
ppp user replace
Use ppp user replace to replace the client username with the IMSI or SN information for
authentication.
Use undo ppp user replace to restore the default.
Syntax
ppp user replace { imsi | sn }
undo ppp user replace
Default
The client username is used for authentication.
Views
Interface view
Predefined user roles
network-admin
Examples
# Replace the client username with the IMSI information for authentication.
<Sysname> system-view
[Sysname] interface virtual-template 1
[Sysname-Virtual-Template1] ppp user replace imsi
Related commands
ppp user accept-format imsi-sn split
ppp user attach-format imsi-sn split
New feature: Specifying a band for a 4G
modem
You can specify a band for a 4G modem.
Command reference
lte band
Use lte band to specify a band for a 4G modem.
Use undo lte band to restore the default.
Syntax
lte band band-number
undo lte band
Default
The default setting varies by 4G modem model.
Views
Cellular interface view
Predefined user roles
network-admin
Parameters
band-number: Specifies a band for a 4G modem. The available bands vary by modem model.
Usage guidelines
This command is supported only on the following 4G modems:
Sierra MC7354 and MC7304.
Long Sung U8300C, U8300W, and U8300.
WNC DM11-2.
Examples
# Specify band 3 for Cellular 1/0.
<Sysname> system-view
[Sysname] controller cellular 1/0
[Sysname-Controller-Cellular1/0] lte band 3
New feature: CFD
The router supports the CFD feature.
New feature: Using tunnel interfaces as
OpenFlow ports
The MSR1000 routers support using tunnel interfaces as OpenFlow ports.
New feature: NETCONF support for ACL
filtering
The feature enables the device to use an ACL to filter NETCONF over SOAP traffic.
Command reference
netconf soap http acl
Use netconf soap http acl to apply an ACL to NETCONF over SOAP over HTTP traffic.
Use undo netconf soap http acl to remove the application.
Syntax
netconf soap http acl { acl-number | name acl-name }
undo netconf soap http acl
Default
No ACL is applied to NETCONF over SOAP over HTTP traffic.
Views
System view
Predefined user roles
network-admin
Parameters
acl-number: Specifies an ACL by its number in the range of 2000 to 2999.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string
of 1 to 63 characters. It must start with an English letter and, to avoid confusion, it cannot be all. The
specified ACL must be an IPv4 basic ACL that has already been created.
Usage guidelines
This command is not available in FIPS mode.
If you execute this command multiple times, the most recent configuration takes effect.
Only NETCONF clients permitted by the applied ACL can access the device through SOAP over
HTTP.
Examples
# Use ACL 2001 to allow only NETCONF clients in the subnet 10.10.0.0/16 to access the device
through SOAP over HTTP.
<Sysname> system-view
[Sysname] acl basic 2001
[Sysname-acl-ipv4-basic-2001] rule permit source 10.10.0.0 0.0.255.255
[Sysname-acl-ipv4-basic-2001] quit
[Sysname] netconf soap http acl 2001
netconf soap https acl
Use netconf soap https acl to apply an ACL to NETCONF over SOAP over HTTPS traffic.
Use undo netconf soap https acl to remove the application.
Syntax
netconf soap https acl { acl-number | name acl-name }
undo netconf soap https acl
Default
No ACL is applied to NETCONF over SOAP over HTTPS traffic.
Views
System view
Predefined user roles
network-admin
Parameters
acl-number: Specifies an ACL by its number in the range of 2000 to 2999.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string
of 1 to 63 characters. It must start with an English letter and, to avoid confusion, it cannot be all. The
specified ACL must be an IPv4 basic ACL that has already been created.
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
Only NETCONF clients permitted by the applied ACL can access the device through SOAP over
HTTPS.
Examples
# Use ACL 2001 to allow only NETCONF clients in the subnet 10.10.0.0/16 to access the device
through SOAP over HTTPS.
<Sysname> system-view
[Sysname] acl basic 2001
[Sysname-acl-ipv4-basic-2001] rule permit source 10.10.0.0 0.0.255.255
[Sysname-acl-ipv4-basic-2001] quit
[Sysname] netconf soap https acl 2001
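The examples for netconf soap http acl and netconf soap https acl both rely on an IPv4 basic ACL with a wildcard mask. The following added example (Python, not HPE code) parses such an ACL block and decides whether a NETCONF client address would be permitted; it assumes first match in configuration order and that a client matching no rule is denied, which is how the page describes the effect ("only NETCONF clients permitted by the applied ACL can access the device").

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class BasicAclRule:
    """One IPv4 basic ACL rule: rule [id] { permit | deny } [ source addr wildcard ]."""
    action: str     # 'permit' or 'deny'
    source: str     # source network, e.g. '10.10.0.0'
    wildcard: str   # wildcard mask; 1 bits are "don't care", e.g. '0.0.255.255'

    def matches(self, client_ip: str) -> bool:
        src = int(ipaddress.IPv4Address(self.source))
        # Bits that are 0 in the wildcard must equal the source address.
        care = ~int(ipaddress.IPv4Address(self.wildcard)) & 0xFFFFFFFF
        ip = int(ipaddress.IPv4Address(client_ip))
        return (ip & care) == (src & care)


def parse_basic_acl(config_lines: List[str]) -> List[BasicAclRule]:
    """Parse the 'rule ...' lines of an 'acl basic' block in configuration order."""
    rules: List[BasicAclRule] = []
    for line in config_lines:
        tokens = line.strip().split()
        if len(tokens) < 2 or tokens[0] != 'rule':
            continue  # 'acl basic 2001', 'quit' and similar are not rule lines
        i = 2 if tokens[1].isdigit() else 1  # skip an explicit rule ID
        if i >= len(tokens):
            raise ValueError('incomplete rule: ' + line)
        action, rest = tokens[i], tokens[i + 1:]
        if action not in ('permit', 'deny'):
            raise ValueError('unsupported rule: ' + line)
        if not rest or rest[:2] == ['source', 'any']:
            rules.append(BasicAclRule(action, '0.0.0.0', '255.255.255.255'))
        elif len(rest) >= 3 and rest[0] == 'source':
            # A wildcard written as '0' means a single host.
            wildcard = '0.0.0.0' if rest[2] == '0' else rest[2]
            rules.append(BasicAclRule(action, rest[1], wildcard))
        else:
            raise ValueError('unsupported rule: ' + line)
    return rules


def netconf_client_permitted(rules: List[BasicAclRule], client_ip: str) -> bool:
    """Assumed evaluation: first matching rule in configuration order decides;
    a client that matches no rule is denied."""
    for rule in rules:
        if rule.matches(client_ip):
            return rule.action == 'permit'
    return False


# Constructed ACL 2001: the permit rule is the one from the release-notes example;
# the deny rule is added here to show ordering and a carved-out subnet.
CONSTRUCTED_ACL_2001 = [
    "acl basic 2001",
    "rule 0 deny source 10.10.99.0 0.0.0.255",
    "rule 5 permit source 10.10.0.0 0.0.255.255",
    "quit",
]

if __name__ == '__main__':
    acl = parse_basic_acl(CONSTRUCTED_ACL_2001)
    for ip in ('10.10.1.7', '10.10.99.20', '192.0.2.10'):
        print(ip, 'permitted' if netconf_client_permitted(acl, ip) else 'denied')
```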
New feature: Specifying a backup traffic
processing unit
Specifying a backup traffic processing unit
This release added support for specifying a backup traffic unit for an interface.
Command reference
service standby
For more information about this command, see HPE FlexNetwork MSR Command References(V7).
New feature: WAAS
Configuring WAAS
This release added support for the Wide Area Application Services (WAAS) feature in the DATA
image on the following router series:
MSR1000.
MSR3000.
MSR4000.
Command reference
For more information about WAAS commands, see HPE FlexNetwork MSR Routers Layer 3 - IP
Services Command Reference(V7).
New feature: Support for the MKI field in
SRTP or SRTCP packets
This feature enables the router to add the MKI field to outgoing SRTP or SRTCP packets. You can
set the length of the MKI field.
Command reference
mki
Use mki to add the MKI field to outgoing SRTP or SRTCP packets and set the length of the MKI field.
Use undo mki to restore the default.
Syntax
mki mki-length
undo mki
Default
Outgoing SRTP or SRTCP packets do not carry the MKI field.
Views
SIP view
Predefined user roles
network-admin
Parameters
mki-length: Specifies the length of the MKI field, in the range of 1 to 128 bits.
Usage guidelines
This command takes effect only when SRTP is the media stream protocol for SIP calls. To specify
SRTP as the media stream protocol for SIP calls, use the srtp command.
Examples
# Add the MKI field to outgoing SRTP or SRTCP packets and set the length of the MKI field to 1 bit.
<Sysname> system-view
[Sysname] voice-setup
[Sysname-voice] sip
[Sysname-voice-sip] mki 1
New feature: SIP domain name
This feature enables the router to populate the CONTACT header field of outgoing SIP packets with
the router's SIP domain name.
Command reference
sip-domain
Use sip-domain to populate the CONTACT header field of outgoing SIP packets with the router's
SIP domain name.
Use undo sip-domain to restore the default.
Syntax
sip-domain domain-name
undo sip-domain
Default
The router populates the CONTACT header field of an outgoing SIP packet with the IP address of the
outgoing interface.
Views
SIP view
Predefined user roles
network-admin
Parameters
domain-name: Specifies the SIP domain name, a case-insensitive string of 1 to 31 characters. Valid
characters are letters, digits, underscore (_), hyphen (-), and dot (.).
Examples
# Populate the CONTACT header field of outgoing SIP packets with the SIP domain name abc.com.
<Sysname> system-view
[Sysname] voice-setup
[Sysname-voice] sip
[Sysname-voice-sip] sip-domain abc.com
New feature: E&M logging
This feature enables the router to generate E&M logs.
Command reference
em log enable
Use em log enable to enable E&M logging.
Use undo em log enable to disable E&M logging.
Syntax
em log enable
undo em log enable
Default
E&M logging is disabled.
Views
Voice view
Predefined user roles
network-admin
Usage guidelines
This command enables the router to generate E&M logs.
Examples
# Enable E&M logging.
<Sysname> system-view
[Sysname] voice-setup
[Sysname-voice] em log enable
Modified feature: Setting the global
link-aggregation load-sharing mode
Feature change description
The bandwidth-usage keyword was added to the link-aggregation global load-sharing mode
command. You can set the global load-sharing mode to load share traffic based on bandwidth usage.
Command changes
Modified command: link-aggregation global load-sharing
mode
Old syntax
link-aggregation global load-sharing mode { destination-ip | destination-mac |
destination-port | mpls-label1 | source-ip | source-mac | source-port } *
undo link-aggregation global load-sharing mode
New syntax
link-aggregation global load-sharing mode { bandwidth-usage | destination-ip |
destination-mac | destination-port | mpls-label1 | source-ip | source-mac | source-port } *
undo link-aggregation global load-sharing mode
Views
System view
Change description
The bandwidth-usage keyword was added. You can specify this keyword to set the global load
sharing mode to load share traffic based on bandwidth usage.
Release 0304
This release has the following changes:
New feature: Setting the RTC version
New feature: Setting the maximum size of advertisement files
New feature: IRF
New feature: Frame Relay
New feature: EVI
New feature: VPLS
New feature: Multicast VPN support for inter-AS option B
Modified feature: 802.1X redirect URL
Modified feature: Displaying information about NTP servers from the reference source to the primary
NTP server
Modified feature: Saving, rolling back, and loading the configuration
Modified feature: Displaying information about SSH users
Removed feature: Displaying fabric utilization
New feature: Setting the RTC version
Configuring the RTC version
The RTC protocol has the following versions: Version 3 and Version 5. Comware V3-based routers
support only Version 3. Comware V5- or Comware V7-based routers support both Version 3 and
Version 5.
To set the RTC version:
Step                             Command                        Remarks
128. Enter system view.          system-view                    N/A
129. Configure the RTC version.  rta rtc version { v3 | v5 }    By default, the router uses Version 5.
Command reference
rta rtc version
Use rta rtc version to set the RTC version.
Use undo rta rtc version to restore the default.
Syntax
rta rtc version { v3 | v5 }
undo rta rtc version
Default
The router uses RTC Version 5.
Views
System view
Predefined user roles
network-admin
Parameters
V3: Sets the RTC version to Version 3.
V5: Sets the RTC version to Version 5.
Usage guidelines
Comware V5/V7-based routers support both RTC Version 3 and Version 5. Comware V3-based
routers support only RTC Version 3.
For a Comware V5/V7-based router to communicate with a Comware V3-based router, set the RTC
version to Version 3 on the Comware V5/V7-based router.
For Comware V5/V7-based routers to communicate with each other, set the RTC version on the
routers to the same version.
Examples
# Set the RTC version to Version 3.
<Sysname> system-view
[Sysname] rta rtc version v3
New feature: Setting the maximum size of
advertisement files
Configuring the maximum size of advertisement
files
You can set the maximum size of advertisement files sent to wireless clients to 10 MB when the
clients access the wireless network.
Command reference
None
New feature: IRF
Configuring IRF
See HP MSR Router Series Virtual Technologies Configuration Guide (V7).
Command reference
See HPE FlexNetwork MSR Router Virtual Technologies Command Reference(V7).
New feature: Frame Relay
Configuring Frame Relay
See HPE FlexNetwork MSR Routers Layer 2 - WAN Configuration Guide(V7).
Command reference
See HPE FlexNetwork MSR Routers Layer 2 - WAN Command Reference(V7).
New feature: EVI
Configuring EVI
See HPE FlexNetwork MSR Router EVI Configuration Guide (V7).
Command reference
See HPE FlexNetwork MSR Router EVI Command Reference(V7).
New feature: VPLS
Configuring VPLS
See HPE FlexNetwork MSR Routers MPLS Configuration Guide(V7).
Command reference
See HPE FlexNetwork MSR Routers MPLS Command Reference(V7).
New feature: Multicast VPN support for
inter-AS option B
Configuring Multicast VPN support for inter-AS
option B
See HPE FlexNetwork MSR Routers IP Multicast Configuration Guide(V7).
Command reference
See HPE FlexNetwork MSR Routers IP Multicast Command Reference(V7).
Modified feature: 802.1X redirect URL
Feature change description
The value range for the url-string argument was changed to 1 to 256 characters for the dot1x
ead-assistant url command.
Command changes
Modified command: dot1x ead-assistant url
Syntax
dot1x ead-assistant url url-string
Views
System view
Change description
Before modification: The value range for the url-string argument is 1 to 64 characters.
After modification: The value range for the url-string argument is 1 to 256 characters.
Modified feature: Displaying information
about NTP servers from the reference
source to the primary NTP server
Feature change description
The source interface-type interface-number option was added to the display ntp-service trace
command.
Command changes
Modified command: display ntp-service trace
Old syntax
display ntp-service trace
New syntax
display ntp-service trace [ source interface-type interface-number ]
Views
Any view
Change description
The source interface-type interface-number option was added to the display ntp-service trace
command.
Modified feature: Saving, rolling back, and
loading the configuration
Feature change description
The following configuration guidelines were added when you use NETCONF to save, roll back, or
load the configuration:
The save, rollback, and load operations supplement NETCONF requests. Performing the
operations might consume a lot of system resources.
Multiple users are allowed to simultaneously perform the save, rollback, or load operation, but
the result returned to each user might be inconsistent with the user request. Do not perform the
save, rollback, or load operation when a lot of users are performing the operation.
Command changes
None
Modified feature: Displaying information
about SSH users
Feature change description
In this release, the display ssh user-information command does not display the public key name
for an SSH user that uses password authentication.
Command changes
Modified command: display ssh user-information
Syntax
display ssh user-information [ username ]
Views
Any view
Change description
Before modification: The User-public-key-name field in the command output displays null for an
SSH user that uses password authentication.
After modification: The User-public-key-name field in the command output is blank for an SSH user
that uses password authentication.
Removed feature: Displaying fabric
utilization
Feature change description
The device does not support displaying switching fabric channel usage on interface cards.
Removed command
display fabric utilization
Syntax
In standalone mode:
display fabric utilization [ slot slot-number ]
In IRF mode:
display fabric utilization [ chassis chassis-number slot slot-number ]
Views
Any view
ESS 0302P06
This release has the following changes:
New feature: Object policies
New feature: IPHC
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: Support of PPPoE server for IPv6
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: QSIG tunneling over SIP-T
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: Playout delay
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: BGP L2VPN support for NSR
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: BGP support for dynamic peers
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: ARP PnP
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: Support of Syslog for DNS and support of customlog&userlog for IPv6 hosts
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: QoS soft forwarding
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: Filtering by application layer protocol status
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: ADVPN support for multicast forwarding
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: MPLS LDP support for IPv6
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: Port security
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: Customizable IVR
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: SRST
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: NEMO
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: Support of MFR and FR for L2VPN, FR QoS, and FR compression and fragmentation
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: Support for LLDP on CPOS interfaces
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: SMS-based automatic configuration
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: ARP attack protection
New feature: SIP support for VRF
New feature: Object policies
Configuring Object policies
A zone pair has a source security zone and a destination security zone. ASPF uses zone pairs to
identify the data flows to be examined. ASPF examines only received first data packets.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: IPHC
Configuring IPHC
The device supports PPP IPHC and frame relay IPHC.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: Support of PPPoE server for
IPv6
Configuring Support of PPPoE server for IPv6
On IPv6 networks, PPP negotiates only the IPv6 interface identifier instead of the IPv6 address and
IPv6 DNS server address during IPv6CP negotiation.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: QSIG tunneling over SIP-T
Configuring QSIG tunneling over SIP-T
QSIG tunneling over SIP-T tunnels QSIG messages across a SIP network by encapsulating them in
SIP message bodies. This feature enables ISDN networks to communicate over a SIP network.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: Playout delay
Configuring Playout delay
By buffering incoming voice packets with different delay times for a period of time (playout delay
time), the receiver can smoothly play out the voice packets to the codec. By configuring playout delay,
you can prevent delay variation (jitter) from affecting voice quality.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: BGP L2VPN support for NSR
Configuring BGP L2VPN support for NSR
The active BGP process backs up BGP peers and routing information to the standby BGP process
only when BGP NSR is enabled.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: BGP support for dynamic
peers
Configuring BGP support for dynamic peers
The dynamic BGP peer feature enables BGP to establish dynamic BGP peer relationships with
devices in a network. BGP accepts connection requests from the network. After a device in the
network initiates a connection request, BGP establishes a dynamic peer relationship with the device.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: ARP PnP
Configuring ARP PnP
The ARP plug and play (PnP) feature allows end users to access the gateway without changing their
IP addresses on subnets different from the subnet where the gateway resides.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: Support of Syslog for DNS
and support of customlog&userlog for
IPv6 hosts
Configuring Support of Syslog for DNS and
support of customlog&userlog for IPv6 hosts
The two flow log export destinations (information center and log host) are mutually exclusive. Only
one export destination can be used at a time. If you configure both export destinations, the flow logs
are exported to the information center and are not exported to the log host.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: QoS soft forwarding
Configuring QoS soft forwarding
Configuring PQ: You can define a set of assignment rules in a PQ list and then apply the PQ list
to an interface or PVC.
Configuring CQ: You can configure a CQ list that contains up to 16 queues. The CQ list
specifies the following information:
The queue where a packet is placed in.
The maximum length of each queue.
The number of bytes sent from the queue during a cycle of round robin scheduling.
Configuring RTPQ.
Configuring packet information pre-extraction: To process the original IP packets with QoS on
the physical interface for a tunnel interface, configure packet information pre-extraction on the
tunnel interface.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: Filtering by application layer
protocol status
Configuring Filtering by application layer protocol
status
ASPF inspection supports protocol status validity check for application protocols of DNS, FTP, H323,
HTTP, SCCP, SIP, and SMTP. ASPF drops packets with invalid protocol status.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: ADVPN support for multicast
forwarding
Configuring ADVPN support for multicast
forwarding
After NBMA mode is enabled on an ADVPN tunnel interface, the interface forwards multicast data
only to spokes that need the data.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: MPLS LDP support for IPv6
Configuring MPLS LDP support for IPv6
LDP can operate on a pure IPv4 or IPv6 network or a network where IPv4 and IPv6 coexist. LDP
operates similarly on IPv4 and IPv6 networks.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: Port security
Configuring Port security
MAC move—This feature allows 802.1X or MAC authenticated users to move from a port to
another port on the device. The authentication session is deleted from the first port, and the
users are reauthenticated on the new port.
SNMP notifications for port security—This feature allows the port security module to
generate SNMP notifications to report important events.
MAC authentication delay—When both 802.1X authentication and MAC authentication are
enabled on a port, you can delay MAC authentication so that 802.1X authentication is
preferentially triggered. If no 802.1X authentication is triggered or 802.1X authentication fails
within the delay period, the port continues to process MAC authentication.
VLAN assignment—Both the 802.1X and MAC authentication features support VLAN
assignment for users.
ACL assignment—Both the 802.1X and MAC authentication features support ACL assignment
for users. You can specify an authorization ACL for a user to control the user's access to
network resources. After the user passes authentication, the authentication server (local or
remote) assigns the authorization ACL to the access port of the user. The ACL will filter traffic for
this user.
802.1X EAD assistant—This feature allows unauthenticated 802.1X users to access the free
IP. The feature also enables the device to redirect a user who is seeking to access the network
to a specific URL on the free IP. For example, you can use this feature to redirect the user to the
EAD client software download page.
802.1X SmartOn—This feature was developed to support the NEC 802.1X client. The device
performs SmartOn authentication before 802.1X authentication. If a user fails SmartOn
authentication, the device stops 802.1X authentication for the user.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: Customizable IVR
Configuring Customizable IVR
Interactive voice response (IVR) is widely used in voice communications. The IVR system lets you
customize interactive operations and make other services more user-friendly. When a subscriber dials
an IVR access number, the IVR system plays prerecorded voice prompts that guide the subscriber on
how to proceed.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: SRST
Configuring SRST
SRST provides call handling for a branch office when the branch office loses connectivity to the
central voice server or the WAN connection is down. An SRST router in the branch office takes over
to manage calls to ensure that local phones can make and receive calls. When the WAN connection
is restored, call handling reverts back to the central voice server.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: NEMO
Configuring NEMO
As an extension of MIP, network mobility (NEMO) enables a node to retain the same IP address and
maintain application connectivity when the node travels across networks. It allows
location-independent routing of IP datagrams on the Internet. A mobile router is a router that
operates as a mobile node connecting the mobile network and the home agent.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: Support of MFR and FR for
L2VPN, FR QoS, and FR compression and
fragmentation
Configuring Support of MFR and FR for L2VPN,
FR QoS, and FR compression and fragmentation
Frame Relay supports MPLS L2VPN and can then communicate with other networks through MPLS
L2VPN. As a result, Layer 2 data can be transparently transmitted between Frame Relay networks
through an MPLS or IP network.
When FRTS is disabled, only FR interface queues are in effect. The predefined FR PVC queues take
effect only when FRTS is enabled.
The Frame Relay compression feature can compress Frame Relay packets to save bandwidth,
reduce the network load, and improve the transmission efficiency for data in the Frame Relay
network. The Frame Relay fragmentation feature can divide a large Frame Relay packet into several
small packets, so that large packets can be transmitted over a low-speed link with a low delay.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: Support for LLDP on CPOS
interfaces
Configuring Support for LLDP on CPOS interfaces
LLDP is supported on CPOS interfaces.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: SMS-based automatic
configuration
Configuring SMS-based automatic configuration
This release adds support for SMS-based automatic configuration, which lets the device connect to an
IMC server over a 3G or 4G network to obtain a configuration file.
To initiate the SMS-based automatic configuration process, the administrator uses a cell phone or the
IMC server to send a short message to the device. The IMC server sends short messages to devices
through an SMS gateway. This feature is suited to deployments where the devices to be configured are
widely distributed and 3G or 4G networks are available for wireless communication.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: ARP attack protection
Configuring ARP attack protection
None
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: SIP support for VRF
Configuring SIP support for VRF
This feature enables a PE device to provide SIP services for a VPN instance. To enable this feature,
you can associate the VPN instance with SIP on the PE device. The PE device uses the interface
bound to the VPN instance as the source for sending SIP signaling and media streams.
Configuration guidelines
When you enable SIP support for VRF, follow these guidelines:
You cannot associate a VPN instance with SIP or remove the association when a SIP service
such as calling, registration, subscription, or the keepalive function is being used.
The VPN instance to associate with SIP must be already created.
Configuration procedure
To enable SIP support for VRF:
Step | Command | Remarks
Enter system view. | system-view | N/A
Create a VPN instance. | ip vpn-instance vpn-instance-name | By default, no VPN instance exists.
Enter voice view. | voice-setup | N/A
Enter SIP view. | sip | N/A
Associate a VPN instance with SIP. | vpn-instance vpn-instance-name | By default, no VPN instance is associated with SIP.
Command reference
vpn-instance
Use vpn-instance to associate a VPN instance with SIP.
Use undo vpn-instance to remove the association.
Syntax
vpn-instance vpn-instance-name
undo vpn-instance
Default
No VPN instance is associated with SIP.
Views
SIP view
Predefined user roles
network-admin
Parameters
vpn-instance-name: Specifies a VPN instance by its name, a case-sensitive string of 1 to 31
characters.
Usage guidelines
The VPN instance to associate with SIP must be already created.
You cannot associate a VPN instance or remove the association when a SIP service is being used.
Examples
# Associate the VPN instance vpn-voice with SIP.
<Sysname> system-view
[Sysname] voice-setup
[Sysname-voice] sip
[Sysname-voice-sip] vpn-instance vpn-voice
Related commands
ip binding vpn-instance (MPLS Command Reference)
ip vpn-instance (MPLS Command Reference)
ESS 0102
This release has the following changes:
New feature: Portal authentication
New feature: MSDP
New feature: IPsec MIB and IKE MIB
New feature: PoE
New feature: CoPP software forwarding feature
New feature: Configuring MPLS LDP FRR
New feature: Enhanced routing features
New feature: Python
New feature: ATM
New feature: DHCP MIB
New feature: Portal authentication
Portal authentication controls user access to the Internet. Portal authenticates a user by the
username and password the user enters on a portal authentication page. Therefore, portal
authentication is also known as Web authentication. When portal authentication is deployed on a
network, an access device redirects unauthenticated users to the website provided by a portal Web
server. The users can access the resources provided by the website. If the users want to access the
Internet, they must pass authentication on the website.
Portal authentication is classified into the following types:
Active authentication—Users visit the authentication website provided by the portal Web
server and enter their username and password for authentication.
Forced authentication—Users visit other websites and are redirected to the portal
authentication website for authentication.
Portal authentication flexibly imposes access control on the access layer and vital data entries. It has
the following advantages:
Replaces client software with convenient authentication pages.
Provides ISPs with diversified management choices and extended functions. For example, the
ISPs can place advertisements, provide community services, and publish information on the
authentication page.
Supports multiple authentication modes. For example, re-DHCP authentication implements a
flexible address assignment scheme and saves public IP addresses. Cross-subnet authentication
can authenticate users residing in subnets different from that of the access device.
The device supports portal 2.0 and portal 3.0.
Command reference
See HPE FlexNetwork MSR Command References(V7).
New feature: MSDP
Configuring MSDP
MSDP is an inter-domain multicast solution that addresses the interconnection of PIM-SM domains.
It discovers multicast source information in other PIM-SM domains.
In the basic PIM-SM mode, a multicast source registers only with the RP in the local PIM-SM domain,
and the multicast source information in each domain is isolated. As a result, both of the following
occur:
The RP obtains the source information only within the local domain.
A multicast distribution tree is built only within the local domain to deliver multicast data locally.
MSDP enables the RPs of different PIM-SM domains to share their multicast source information. The
local RP can then join the SPT rooted at the multicast source across the PIM-SM domains. This
allows multicast data to be transmitted among different domains.
With MSDP peer relationships established between appropriate routers in the network, the RPs of
different PIM-SM domains are interconnected with one another. These MSDP peers exchange
source active (SA) messages, so that the multicast source information is shared among these
domains.
For more information about configuring MSDP, see "MSDP Configuration Guide" in HPE
FlexNetwork MSR Configuration Guides(V7).
Command reference
See HPE FlexNetwork MSR Command References(V7).
New feature: IPsec MIB and IKE MIB
IPsec-Monitor-MIB (HH3C-IPSEC-MONITOR-V2-MIB) monitors IPsec tunnels. An NMS can use this
MIB to obtain IPsec tunnel information, including algorithms, gateway addresses, and tunnel
statistics. Except for the trap function, all nodes of this MIB are read-only.
Ike-Monitor-MIB (HH3C-IKE-MONITOR-MIB) monitors IKE tunnels. An NMS can use this MIB to obtain
IKE tunnel information.
For more information, see the MIB companion document.
New feature: PoE
Configuring PoE
IEEE 802.3af-compliant power over Ethernet (PoE) enables a power sourcing equipment (PSE) to
supply power to powered devices (PDs) through Ethernet interfaces over twisted pair cables.
Examples of PDs include IP telephones, wireless APs, portable chargers, card readers, Web
cameras, and data collectors. A PD can also use a different power source from the PSE at the same
time for power redundancy.
For more information about configuring PoE, see "PoE Configuration Guide" in HPE FlexNetwork
MSR Configuration Guides(V7).
Command reference
See HPE FlexNetwork MSR Command References(V7).
New feature: CoPP software forwarding
feature
Configuring CoPP
If the rate of packets sent to the control plane exceeds the processing capabilities of the control
plane (for example, when the device is suffering DoS attacks), the normal packets sent to the control
plane cannot be promptly processed, thus affecting the normal operation of protocols.
To protect the management interface against DoS attacks, which will cause service interruption, you
must perform traffic policing for the management interface.
CoPP allows you to perform traffic policing for the control plane or management interface control
plane. By default, the predefined QoS parameters are configured for packets of each protocol sent to
the control plane. Also, you can apply a user-defined QoS policy to the control plane to filter and
rate-limit the packets sent to the control plane. This makes sure the control plane can correctly
receive, transmit, and process packets.
Command reference
control-plane
Use control-plane to enter control plane view.
Syntax
MSR2000 / MSR3000:
control-plane
MSR4000:
control-plane slot slot-number
Views
System view
Predefined user roles
network-admin
Examples
# (MSR2000 / MSR3000.) Enter control plane view.
<Sysname> system-view
[Sysname] control-plane
[Sysname-cp]
# (MSR4000.) Enter control plane view of the card in slot 3.
<Sysname> system-view
[Sysname] control-plane slot 3
[Sysname-cp-slot3]
control-plane management
IMPORTANT:
A QoS policy applied to the management interface control plane takes effect on the packets sent from the management interface to the control plane.
Use control-plane management to enter management interface control plane view.
Syntax
control-plane management
Views
System view
Predefined user roles
network-admin
Examples
# Enter management interface control plane view.
<Sysname> system-view
[Sysname] control-plane management
[Sysname-cp-management]
qos apply policy (interface view, control plane view)
IMPORTANT:
A QoS policy applied to the management interface control plane takes effect on the packets sent from the management interface to the control plane.
Use qos apply policy to apply a QoS policy to an interface or a control plane.
Use undo qos apply policy to remove a QoS policy from an interface or a control plane.
Syntax
qos apply policy policy-name { inbound | outbound }
undo qos apply policy policy-name { inbound | outbound }
Default
No QoS policy is applied to an interface, a control plane, or a management interface control plane.
Views
Interface view, control plane view
Predefined user roles
network-admin
Parameters
policy-name: Specifies a QoS policy by its name, a case-sensitive string of 1 to 31 characters.
inbound: Applies the QoS policy to the incoming traffic of an interface, a control plane, or a
management interface control plane.
outbound: Applies the QoS policy to the outgoing traffic of an interface.
Usage guidelines
To successfully apply a QoS policy to an interface, make sure the total bandwidth assigned to AF and
EF queues in the QoS policy is smaller than the available bandwidth of the interface. If you modify
the available bandwidth of the interface to a value smaller than the total bandwidth for AF and EF
queues, the applied QoS policy is removed. For a QoS policy to be applied in the inbound direction,
the referenced traffic behaviors cannot be configured with any of the commands queue af, queue ef,
queue wfq, and gts.
When you apply a QoS policy to an interface, follow these guidelines:
You can apply a QoS policy configured with various QoS actions (such as remark, car, gts,
queue af, queue ef, queue wfq, and wred) to common physical interfaces.
An inbound QoS policy cannot contain a GTS action or any of the queuing actions queue ef,
queue af, or queue wfq.
Examples
# Apply the QoS policy named USER1 to the outgoing traffic of GigabitEthernet 0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 0/1
[Sysname-GigabitEthernet0/1] qos apply policy USER1 outbound
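A complete user-defined CoPP policy that rate-limits SSH traffic sent to the control plane, so that a flood of connection attempts cannot starve routing protocol packets. This is an added example, not taken from the release notes: the ACL number 3000, the names MGMT-SSH and COPP, and the CAR rates are assumptions, and the acl number, rule, traffic classifier, traffic behavior, car, qos policy, and display qos policy control-plane commands are standard Comware V7 commands that are not documented on this page.

```text
# Match SSH (TCP destination port 22) destined to the device with an advanced ACL (assumed number 3000).
<Sysname> system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule 0 permit tcp destination-port eq 22
[Sysname-acl-adv-3000] quit
# Reference the ACL from a traffic classifier (assumed name MGMT-SSH).
[Sysname] traffic classifier MGMT-SSH operator and
[Sysname-classifier-MGMT-SSH] if-match acl 3000
[Sysname-classifier-MGMT-SSH] quit
# Police matching packets to 256 kbps with a 16000-byte burst and drop the excess (assumed values).
[Sysname] traffic behavior MGMT-SSH
[Sysname-behavior-MGMT-SSH] car cir 256 cbs 16000 green pass red discard
[Sysname-behavior-MGMT-SSH] quit
# Bind the classifier to the behavior in a QoS policy (assumed name COPP).
[Sysname] qos policy COPP
[Sysname-qospolicy-COPP] classifier MGMT-SSH behavior MGMT-SSH
[Sysname-qospolicy-COPP] quit
# (MSR2000 / MSR3000.) Apply the policy to packets entering the control plane.
[Sysname] control-plane
[Sysname-cp] qos apply policy COPP inbound
[Sysname-cp] quit
# (MSR4000.) Apply the same policy to the control plane of the card in slot 3.
[Sysname] control-plane slot 3
[Sysname-cp-slot3] qos apply policy COPP inbound
[Sysname-cp-slot3] quit
# Verify that the policy is applied and check the CAR counters for drops.
[Sysname] display qos policy control-plane
```

Only the inbound direction is valid in control plane view, and the traffic behavior must not contain queue af, queue ef, queue wfq, or gts, as the usage guidelines above require.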
New feature: Configuring MPLS LDP FRR
Configuring MPLS LDP FRR
A link or router failure on a path can cause packet loss until LDP completes LSP establishment on the
new path. LDP FRR enables fast rerouting to minimize the failover time. LDP FRR is based on IP FRR
and is enabled automatically after IP FRR is enabled.
Figure 1 Network diagram for LDP FRR
In Figure 1, configure IP FRR on LSR A by using IGP to calculate or specify a backup next hop. LDP
creates a primary LSP and a backup LSP according to the primary route and the backup route
calculated by IGP. When the primary LSP operates correctly, it forwards the MPLS packets. When
the primary LSP fails, LDP directs packets to the backup LSP.
When packets are forwarded through the backup LSP, IGP calculates the optimal path based on the
new network topology. When IGP route convergence occurs, LDP establishes a new LSP according
to the optimal path. If a new LSP is not established after IGP route convergence, traffic forwarding
might be interrupted. Therefore, HPE recommends that you enable LDP IGP synchronization to work
with LDP FRR to reduce the traffic interruption time.
Command reference
igp sync delay
Use igp sync delay to configure the delay for LDP to notify IGP of the LDP convergence completion.
Use undo igp sync delay to restore the default.
Syntax
igp sync delay time
undo igp sync delay
[Figure 1 (above): LSR A, LSR B, and LSR C, with the primary LSP and the backup LSP]
Default
LDP immediately notifies IGP of the LDP convergence completion.
Views
LDP view
Predefined user roles
network-admin
Parameters
time: Specifies the notification delay in the range of 5 to 300 seconds.
Usage guidelines
LDP convergence on a link is completed when the following occur:
The local device establishes an LDP session to at least one peer, and the LDP session is
already in Operation state.
The local device has distributed the label mappings to at least one peer.
MPLS traffic forwarding might be interrupted in one of the following scenarios:
When the peer uses the Ordered label distribution control mode, the local device needs to wait
for a label mapping from its downstream LSR after the LDP session goes into Operation state.
If LDP immediately notifies IGP of the LDP convergence completion when the label mapping
from downstream is not received, MPLS traffic forwarding might be interrupted.
When a large number of label mappings are distributed from downstream, if LDP immediately
notifies IGP of the LDP convergence completion, label advertisement might not be finished, and
MPLS traffic forwarding is interrupted.
In these scenarios, you must use this command to configure the notification delay. When LDP
convergence on a link is completed, LDP waits a delay time to notify IGP of the LDP convergence
completion to reduce the traffic interruption time.
Examples
# Configure the notification delay as 30 seconds.
<Sysname> system-view
[Sysname] mpls ldp
[Sysname-ldp] igp sync delay 30
Related commands
igp sync delay on-restart
mpls ldp igp sync disable
mpls ldp sync (IS-IS view)
mpls ldp sync (OSPF view/OSPF area view)
igp sync delay on-restart
Use igp sync delay on-restart to configure the maximum delay for LDP to notify IGP of the LDP IGP
synchronization status after an LDP restart or an active/standby switchover occurs.
Use undo igp sync delay on-restart to restore the default.
Syntax
igp sync delay on-restart time
undo igp sync delay on-restart
Default
The maximum notification delay is 90 seconds.
Views
LDP view
Predefined user roles
network-admin
Parameters
time: Specifies the maximum notification delay in the range of 60 to 600 seconds.
Usage guidelines
After LDP restarts or an active/standby switchover occurs, LDP convergence begins after a period of
time. If LDP immediately notifies IGP of all the current LDP IGP synchronization status, and updates
the status after LDP convergence, IGP might frequently process the status, and the cost might
increase.
The notification delay mechanism for an LDP restart or an active/standby switchover provides a
notification delay of LDP process levels. When LDP restarts or an active/standby switchover occurs,
this mechanism enables LDP to wait a period of time until LDP recovers to the status before the restart
or switchover, and then notify IGP of the LDP IGP synchronization status in bulk. If LDP does not
recover to the status before the restart or switchover when the maximum delay set by this command
expires, LDP immediately notifies IGP of the LDP IGP synchronization status in bulk.
Examples
# Configure the maximum notification delay as 300 seconds.
<Sysname> system-view
[Sysname] mpls ldp
[Sysname-ldp] igp sync delay on-restart 300
Related commands
igp sync delay
mpls ldp igp sync disable
mpls ldp sync (IS-IS view)
mpls ldp sync (OSPF view/OSPF area view)
mpls ldp igp sync disable
Use mpls ldp igp sync disable to disable LDP IGP synchronization on an interface.
Use undo mpls ldp igp sync disable to restore the default.
Syntax
mpls ldp igp sync disable
undo mpls ldp igp sync disable
Default
LDP IGP synchronization is enabled on an interface.
Views
Interface view
Predefined user roles
network-admin
Usage guidelines
After you enable LDP IGP synchronization for IGP, for example, an OSPF area or an IS-IS process,
LDP IGP synchronization is enabled on the OSPF interfaces and IS-IS interfaces. To disable LDP
IGP synchronization on an interface, execute the mpls ldp igp sync disable command on that
interface.
Examples
# Disable LDP IGP synchronization on GigabitEthernet 0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 0/1
[Sysname-GigabitEthernet0/1] mpls ldp igp sync disable
Related commands
mpls ldp sync (IS-IS view)
mpls ldp sync (OSPF view/OSPF area view)
New feature: Enhanced routing features
Configuring enhanced routing features
This release supports RIB NSR, IPv4 static route FRR, direct route redistribution, and RFC4382 MIB
(MPLS-L3VPN-STD-MIB).
Command reference
non-stop-routing
Use non-stop-routing to enable RIB NSR to back up routing information.
Use undo non-stop-routing to restore the default.
Syntax
non-stop-routing
undo non-stop-routing
Default
RIB NSR is disabled.
Views
RIB IPv4 address family view, RIB IPv6 address family view
Predefined user roles
network-admin
Examples
# Enable NSR for the RIB IPv4 address family.
<Sysname> system-view
[Sysname] rib
[Sysname-rib] address-family ipv4
[Sysname-rib-ipv4] non-stop-routing
ip route-static fast-reroute auto
Use ip route-static fast-reroute auto to configure static route FRR to automatically select a backup
next hop.
Use undo ip route-static fast-reroute auto to disable static route FRR.
Syntax
ip route-static fast-reroute auto
undo ip route-static fast-reroute auto
Default
Static route FRR is disabled.
Views
System view
Predefined user roles
network-admin
Examples
# Configure static route FRR to automatically select a backup next hop.
<Sysname> system-view
[Sysname] ip route-static fast-reroute auto
import-route (RIP view)
Use import-route to enable route redistribution from another routing protocol.
Use undo import-route to disable route redistribution.
Syntax
import-route protocol [ process-id | all-processes | allow-ibgp ] [ allow-direct | cost cost |
route-policy route-policy-name | tag tag ] *
undo import-route protocol [ process-id | all-processes ]
Default
RIP does not redistribute routes from any other routing protocol.
Views
RIP view
Predefined user roles
network-admin
Parameters
protocol: Specifies a routing protocol from which RIP redistributes routes. It can be bgp, direct, isis,
ospf, rip, or static.
process-id: Specifies a process by its ID in the range of 1 to 65535. The default is 1. This argument is
available only when the protocol is isis, rip, or ospf.
all-processes: Enables route redistribution from all the processes of the specified protocol. This
keyword takes effect only when the protocol is rip, ospf, or isis.
allow-ibgp: Allows redistribution of IBGP routes. This keyword is available when the protocol
argument is set to bgp.
allow-direct: Redistributes the networks of the local interfaces enabled with the specified routing
protocol. By default, the networks of the local interfaces are not redistributed. If you specify both the
allow-direct keyword and the route-policy route-policy-name option, make sure the if-match rule
defined in the routing policy does not conflict with the allow-direct keyword. For example, if you
specify the allow-direct keyword, do not configure the if-match route-type rule for the routing policy.
Otherwise, the allow-direct keyword does not take effect.
cost cost: Specifies a cost for redistributed routes, in the range of 0 to 16. The default cost is 0.
route-policy route-policy-name: Specifies a routing policy by its name, a case-sensitive string of 1 to
63 characters.
tag tag: Specifies a tag for marking redistributed routes, in the range of 0 to 65535. The default is 0.
Usage guidelines
The import-route bgp command redistributes only EBGP routes. The import-route bgp allow-ibgp
command additionally redistributes IBGP routes and might cause routing loops. Therefore, use it
with caution.
This command redistributes only active routes. To view route state information, use the display ip
routing-table protocol command.
The undo import-route protocol all-processes command removes only the configuration made by
the import-route protocol all-processes command, instead of the configuration made by the
import-route protocol process-id command.
Examples
# Redistribute static routes into RIP, and set the cost for redistributed routes to 4.
<Sysname> system-view
[Sysname] rip 1
[Sysname-rip-1] import-route static cost 4
Related commands
default cost
import-route (OSPF view)
Use import-route to redistribute AS-external routes from another routing protocol.
Use undo import-route to disable route redistribution from another routing protocol.
Syntax
import-route protocol [ process-id | all-processes | allow-ibgp ] [ allow-direct | cost cost |
nssa-only | route-policy route-policy-name | tag tag | type type ] *
undo import-route protocol [ process-id | all-processes ]
Default
OSPF does not redistribute AS-external routes from any other routing protocol.
Views
OSPF view
Predefined user roles
network-admin
Parameters
protocol: Redistributes routes from the specified protocol, which can be bgp, direct, isis, ospf, rip,
or static.
process-id: Specifies a process by its ID in the range of 1 to 65535. The default is 1. It is available
only when the protocol is rip, ospf, or isis.
all-processes: Redistributes routes from all the processes of the specified routing protocol. This
keyword takes effect only when the protocol is rip, ospf, or isis.
allow-ibgp: Redistributes IBGP routes. It is available only when the protocol is bgp.
allow-direct: Redistributes the networks of the local interfaces enabled with the specified routing
protocol. By default, the networks of the local interfaces are not redistributed. If you specify both the
allow-direct keyword and the route-policy route-policy-name option, make sure the if-match rule
defined in the routing policy does not conflict with the allow-direct keyword. For example, if you
specify the allow-direct keyword, do not configure the if-match route-type rule for the routing policy.
Otherwise, the allow-direct keyword does not take effect.
cost cost: Specifies a route cost in the range of 0 to 16777214. The default is 1.
nssa-only: Limits the route advertisement to the NSSA area by setting the P-bit of Type-7 LSAs to 0.
By default, the P-bit of Type-7 LSAs is set to 1. If the router acts as both an ASBR and an ABR and
FULL state neighbors exist in the backbone area, the P-bit of Type-7 LSAs originated by the router is
set to 0. This keyword applies to NSSA routers.
route-policy route-policy-name: Specifies a routing policy to filter redistributed routes. The
route-policy-name argument is a case-sensitive string of 1 to 63 characters.
tag tag: Specifies a tag for marking external LSAs, in the range of 0 to 4294967295. The default is 1.
type type: Specifies a cost type, 1 or 2. The default is 2.
Usage guidelines
This command redistributes routes destined for other ASs from another protocol. AS external routes
include the following types:
Type-1 external route
Type-2 external route
A Type-1 external route has high reliability. Its cost is comparable with the cost of OSPF internal
routes. The cost from an OSPF router to a Type-1 external route's destination equals the cost from
the router to the ASBR plus the cost from the ASBR to the external route's destination.
A Type-2 external route has low credibility. OSPF considers the cost from the ASBR to the
destination of a Type-2 external route to be much greater than the cost from the ASBR to an OSPF
internal router. The cost from an internal router to a Type-2 external route's destination equals the
cost from the ASBR to the Type-2 external route's destination.
The import-route command cannot redistribute default external routes.
The import-route bgp command redistributes only EBGP routes. Because the import-route bgp
allow-ibgp command redistributes both EBGP and IBGP routes and might cause routing loops, use
it with caution.
Only active routes can be redistributed. To view information about active routes, use the display ip
routing-table protocol command.
The undo import-route protocol all-processes command removes only the configuration made by
the import-route protocol all-processes command, instead of the configuration made by the
import-route protocol process-id command.
The import-route nssa-only command redistributes AS-external routes in Type-7 LSAs only into
the NSSA area.
Examples
# Redistribute routes from RIP process 40 and specify the type, tag, and cost as 2, 33, and 50 for
redistributed routes.
<Sysname> system-view
[Sysname] ospf 100
[Sysname-ospf-100] import-route rip 40 type 2 tag 33 cost 50
Related commands
default-route-advertise (OSPF view)
import-route (IS-IS view)
Use import-route to redistribute routes from another routing protocol or another IS-IS process.
Use undo import-route to remove the redistribution.
Syntax
import-route protocol [ process-id | all-processes | allow-ibgp ] [ allow-direct | cost cost |
cost-type { external | internal } | [ level-1 | level-1-2 | level-2 ] | route-policy route-policy-name |
tag tag ] *
undo import-route protocol [ process-id | all-processes ]
Default
No route redistribution is configured.
Views
IS-IS view
Predefined user roles
network-admin
Parameters
protocol: Redistributes routes from a routing protocol, which can be BGP, direct, IS-IS, OSPF, RIP, or
static.
process-id: Specifies a process by its ID in the range of 1 to 65535. It is available only when the
protocol is isis, ospf, or rip.
all-processes: Redistributes routes from all the processes of the specified routing protocol. This
keyword takes effect only when the protocol is rip, ospf, or isis.
allow-ibgp: Allows redistribution of IBGP routes. It is available when the protocol is BGP.
allow-direct: Redistributes the networks of the local interfaces enabled with the specified routing
protocol. By default, the networks of the local interfaces are not redistributed. If you specify both the
allow-direct keyword and the route-policy route-policy-name option, make sure the if-match rule
defined in the routing policy does not conflict with the allow-direct keyword. For example, if you
specify the allow-direct keyword, do not configure the if-match route-type rule for the routing policy.
Otherwise, the allow-direct keyword does not take effect.
cost: Specifies a cost for redistributed routes, which is in the range of 0 to 4261412864.
For the styles of narrow, narrow-compatible, and compatible, the cost is in the range of 0 to
63.
For the styles of wide and wide-compatible, the cost is in the range of 0 to 4261412864.
cost-type { external | internal }: Specifies the cost type. The internal type indicates internal routes,
and the external type indicates external routes. If external is specified, 64 is added to the cost of
each redistributed route so that internal routes take priority over external routes. The type is
external by default. These keywords are available only when the cost style is narrow,
narrow-compatible, or compatible.
level-1: Redistributes routes into the Level-1 routing table.
level-1-2: Redistributes routes into both Level-1 and Level-2 routing tables.
level-2: Redistributes routes into the Level-2 routing table. If no level is specified, the routes are
redistributed into the Level-2 routing table by default.
route-policy route-policy-name: Redistributes only routes matching the specified routing policy. The
route-policy-name argument is a case-sensitive string of 1 to 63 characters.
tag tag: Specifies a tag value for marking redistributed routes, in the range of 1 to 4294967295.
Usage guidelines
IS-IS takes all the redistributed routes as external routes to destinations outside the IS-IS routing
domain.
The effective cost depends on the cost style. For the styles of narrow, narrow-compatible, and
compatible, the cost is in the range of 0 to 63. If the cost is more than 63, 63 is used. For the style of
wide or wide-compatible, the configured value is the effective value.
This import-route command cannot redistribute default routes. The command redistributes only
active routes. To display route state information, use the display ip routing-table protocol
command.
The import-route bgp command redistributes only EBGP routes.
The import-route bgp allow-ibgp command redistributes both EBGP and IBGP routes. Because
this command might cause routing loops, use it with caution.
The undo import-route protocol all-processes command removes only the configuration made by
the import-route protocol all-processes command, instead of the configuration made by the
import-route protocol process-id command.
Examples
# Redistribute static routes into IS-IS, and set the cost for redistributed routes to 15.
<Sysname> system-view
[Sysname] isis 1
[Sysname-isis-1] import-route static cost 15
Related commands
import-route limit
import-route (BGP view)
Use import-route to enable BGP to redistribute routes from an IGP protocol.
Use undo import-route to disable route redistribution from an IGP protocol.
Syntax
In BGP IPv4 unicast address family view/BGP-VPN IPv4 unicast address family view:
import-route protocol [ { process-id | all-processes } [ allow-direct | med med-value | route-policy
route-policy-name ] * ]
undo import-route protocol [ process-id | all-processes ]
In BGP IPv6 unicast address family view/BGP-VPN IPv6 unicast address family view:
import-route protocol [ process-id [ allow-direct | med med-value | route-policy
route-policy-name ] * ]
undo import-route protocol [ process-id ]
Default
BGP does not redistribute IGP routes.
Views
BGP IPv4 unicast address family view, BGP-VPN IPv4 unicast address family view, BGP IPv6
unicast address family view, BGP-VPN IPv6 unicast address family view
Predefined user roles
network-admin
Parameters
protocol: Redistributes routes from a specified IGP protocol. In BGP IPv4 unicast address family
view/BGP-VPN IPv4 unicast address family view, it can be direct, isis, ospf, rip, or static. In BGP
IPv6 unicast address family view/BGP-VPN IPv6 unicast address family view, it can be direct, isisv6,
ospfv3, ripng, or static.
process-id: Specifies a process by its ID in the range of 1 to 65535. The default is 1. In BGP IPv4
unicast address family view/BGP-VPN IPv4 unicast address family view, it is available only when the
protocol is isis, ospf, or rip. In BGP IPv6 unicast address family view/BGP-VPN IPv6 unicast
address family view, it is available only when the protocol is isisv6, ospfv3, or ripng.
all-processes: Redistributes routes from all the processes of the specified IGP protocol. This
keyword takes effect only when the protocol is isis, ospf, or rip.
allow-direct: Redistributes the networks of the local interfaces enabled with the specified routing
protocol. By default, the networks of the local interfaces are not redistributed. If you specify both the
allow-direct keyword and the route-policy route-policy-name option, make sure the if-match rule
defined in the routing policy does not conflict with the allow-direct keyword. For example, if you
specify the allow-direct keyword, do not configure the if-match route-type rule for the routing policy.
Otherwise, the allow-direct keyword does not take effect.
med med-value: Specifies a MED value for redistributed routes, in the range of 0 to 4294967295. If
no MED is specified, the metric of a redistributed route is used as its MED.
route-policy route-policy-name: Specifies a routing policy by its name, a case-sensitive string of 1 to
63 characters, to filter redistributed routes or set route attributes for redistributed routes.
Usage guidelines
The import-route command cannot redistribute default IGP routes. To redistribute default IGP
routes, use the default-route imported command together with the import-route command.
Only active routes can be redistributed. You can use the display ip routing-table protocol or
display ipv6 routing-table protocol command to view route state information.
The ORIGIN attribute of routes redistributed by the import-route command is INCOMPLETE.
Examples
# In BGP IPv4 unicast address family view, redistribute routes from RIP process 1, and set the MED
value for redistributed routes to 100.
<Sysname> system-view
[Sysname] bgp 100
[Sysname-bgp] address-family ipv4 unicast
[Sysname-bgp-ipv4] import-route rip 1 med 100
# In BGP-VPN IPv4 unicast address family view, redistribute routes from RIP process 1, and
reference a routing policy imprt to exclude route 1.1.1.0/24 from route redistribution.
<Sysname> system-view
[Sysname] ip prefix-list imprt deny 1.1.1.0 24
[Sysname] ip prefix-list imprt permit 0.0.0.0 0 less-equal 32
[Sysname] route-policy imprt permit node 0
[Sysname-route-policy-imprt-0] if-match ip address prefix-list imprt
[Sysname-route-policy-imprt-0] quit
[Sysname] bgp 100
[Sysname-bgp] ip vpn-instance vpn1
[Sysname-bgp-vpn1] address-family ipv4 unicast
[Sysname-bgp-ipv4-vpn1] import-route rip 1 route-policy imprt
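The prefix-list logic behind the imprt policy above, as an added example (not Comware code and not from the release notes): a small evaluator for prefix-list entries with the Comware first-match and implicit-deny semantics, so you can see which RIP routes the route-policy node would let into BGP before you commit it. Entry bounds model the less-equal and greater-equal keywords; the PREFIX_LIST_STRICT variant and the sample route list are constructed for the demonstration.

```python
import ipaddress

# Constructed model of the "imprt" prefix list from the example above:
#   ip prefix-list imprt deny 1.1.1.0 24
#   ip prefix-list imprt permit 0.0.0.0 0 less-equal 32
# Each entry is (action, prefix, greater_equal, less_equal). A None bound
# means "not given"; with neither bound the mask length must match exactly.
PREFIX_LIST_IMPRT = [
    ("deny", "1.1.1.0/24", None, None),
    ("permit", "0.0.0.0/0", None, 32),
]

# Constructed variant that also catches every more-specific route inside
# 1.1.1.0/24 (deny 1.1.1.0 24 greater-equal 24 less-equal 32).
PREFIX_LIST_STRICT = [
    ("deny", "1.1.1.0/24", 24, 32),
    ("permit", "0.0.0.0/0", None, 32),
]


def entry_matches(route, prefix, ge, le):
    """True if the route lies inside prefix and its mask length is within the entry's bounds."""
    net = ipaddress.ip_network(prefix, strict=False)
    rnet = ipaddress.ip_network(route, strict=False)
    if rnet.version != net.version:
        return False
    # The route's network must lie inside the entry's prefix.
    if rnet.prefixlen < net.prefixlen or rnet.network_address not in net:
        return False
    min_len = ge if ge is not None else net.prefixlen
    if le is not None:
        max_len = le
    elif ge is not None:
        max_len = rnet.max_prefixlen   # greater-equal alone: up to the host mask
    else:
        max_len = net.prefixlen        # no bounds: exact mask length only
    return min_len <= rnet.prefixlen <= max_len


def prefix_list_permits(route, prefix_list):
    """First matching entry decides; a route matching no entry is denied (implicit deny)."""
    for action, prefix, ge, le in prefix_list:
        if entry_matches(route, prefix, ge, le):
            return action == "permit"
    return False


def redistributable(routes, prefix_list):
    """Routes that a policy node with 'if-match ip address prefix-list' would let through."""
    return [r for r in routes if prefix_list_permits(r, prefix_list)]


if __name__ == "__main__":
    # Constructed sample RIP routes; 1.1.1.0/25 is a more-specific inside the denied /24.
    rip_routes = ["1.1.1.0/24", "1.1.1.0/25", "10.0.0.0/8", "192.168.1.0/24"]
    print("imprt    :", redistributable(rip_routes, PREFIX_LIST_IMPRT))
    print("strict   :", redistributable(rip_routes, PREFIX_LIST_STRICT))
    print("deny only:", redistributable(rip_routes, PREFIX_LIST_IMPRT[:1]))
```

Two points the evaluator makes visible: without the trailing permit 0.0.0.0 0 less-equal 32 entry, the implicit deny blocks every route, so nothing is redistributed at all; and the deny 1.1.1.0 24 entry without a length bound matches only the exact /24, so a more-specific such as 1.1.1.0/25 still leaks through unless you add greater-equal/less-equal bounds as in the strict variant.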
# In BGP IPv6 unicast address family view, redistribute routes from RIPng process 1.
<Sysname> system-view
[Sysname] bgp 100
[Sysname-bgp] address-family ipv6 unicast
[Sysname-bgp-ipv6] import-route ripng
# In BGP-VPN IPv6 unicast address family view, redistribute routes from RIPng process 1.
<Sysname> system-view
[Sysname] bgp 100
[Sysname-bgp] ip vpn-instance vpn1
[Sysname-bgp-vpn1] address-family ipv6 unicast
[Sysname-bgp-ipv6-vpn1] import-route ripng
Related commands
display ip routing-table protocol
display ipv6 routing-table protocol
import-route (RIPng view)
Use import-route to redistribute routes from another routing protocol.
Use undo import-route to disable route redistribution.
Syntax
import-route protocol [ process-id ] [ allow-ibgp ] [ allow-direct | cost cost | route-policy
route-policy-name ] *
undo import-route protocol [ process-id ]
Default
RIPng does not redistribute routes from another routing protocol.
Views
RIPng view
Predefined user roles
network-admin
Parameters
protocol: Specifies a routing protocol from which RIPng redistributes routes. It can be bgp4+, direct,
isisv6, ospfv3, ripng, or static.
process-id: Specifies a process by its ID in the range of 1 to 65535. The default is 1. This argument is
available only when the protocol is isisv6, ospfv3, or ripng.
allow-ibgp: Allows redistribution of IBGP routes. This keyword is available when the protocol
argument is set to bgp4+.
allow-direct: Redistributes the networks of the local interfaces enabled with the specified routing
protocol. By default, the networks of the local interfaces are not redistributed. If you specify both the
allow-direct keyword and the route-policy route-policy-name option, make sure the if-match rule
defined in the routing policy does not conflict with the allow-direct keyword. For example, if you
specify the allow-direct keyword, do not configure the if-match route-type rule for the routing policy.
Otherwise, the allow-direct keyword does not take effect.
cost cost: Specifies a metric for redistributed routes, in the range of 0 to 16. The default metric is 0.
route-policy route-policy-name: Specifies a routing policy by its name, a case-sensitive string of 1 to
63 characters.
Usage guidelines
The import-route bgp4+ command redistributes only EBGP routes. The import-route bgp4+
allow-ibgp command redistributes both EBGP and IBGP routes.
Examples
# Redistribute routes from IPv6 IS-IS process 7 into RIPng and set the metric for redistributed routes
to 7.
<Sysname> system-view
[Sysname] ripng 100
[Sysname-ripng-100] import-route isisv6 7 cost 7
import-route (OSPFv3 view)
Use import-route to redistribute routes.
Use undo import-route to disable route redistribution.
Syntax
import-route protocol [ process-id | all-processes | allow-ibgp ] [ allow-direct | cost cost |
nssa-only | route-policy route-policy-name | tag tag | type type ] *
undo import-route protocol [ process-id | all-processes ]
Default
OSPFv3 route redistribution is disabled.
Views
OSPFv3 view
Predefined user roles
network-admin
Parameters
protocol: Redistributes routes from the specified routing protocol, which can be bgp4+, direct,
isisv6, ospfv3, ripng, or static.
process-id: Specifies the process ID of a routing protocol, in the range of 1 to 65535. It defaults to 1.
This argument takes effect only when the protocol is isisv6, ospfv3, or ripng.
all-processes: Redistributes routes from all the processes of the specified routing protocol. This
keyword takes effect only when the protocol is ripng, ospfv3, or isisv6.
allow-ibgp: Redistributes IBGP routes. It is available only when the protocol is bgp4+.
allow-direct: Redistributes the networks of the local interfaces enabled with the specified routing
protocol. By default, the networks of the local interfaces are not redistributed. If you specify both the
allow-direct keyword and the route-policy route-policy-name option, make sure the if-match rule
defined in the routing policy does not conflict with the allow-direct keyword. For example, if you
specify the allow-direct keyword, do not configure the if-match route-type rule for the routing policy.
Otherwise, the allow-direct keyword does not take effect.
cost cost: Specifies a cost for redistributed routes, in the range of 1 to 16777214. The default is 1.
nssa-only: Limits the route advertisement to the NSSA area by setting the P-bit of Type-7 LSAs to 0.
By default, the P-bit of Type-7 LSAs is set to 1. If the router acts as both an ASBR and an ABR and
FULL state neighbors exist in the backbone area, the P-bit of Type-7 LSAs originated by the router is
set to 0. This keyword applies to NSSA routers.
route-policy route-policy-name: Specifies a routing policy to filter redistributed routes. The
route-policy-name argument is a case-sensitive string of 1 to 63 characters.
tag tag: Specifies a tag for marking external LSAs, in the range of 0 to 4294967295. If this option is
not specified, no tag is contained in advertised LSAs by default.
type type: Specifies the type for redistributed routes, 1 or 2. The default is 2.
Usage guidelines
An external route is a route to a destination outside the OSPFv3 AS. External routes are of the
following types:
A Type-1 external route has high reliability. Its cost is comparable with the cost of OSPFv3
internal routes. The cost from an OSPFv3 router to a Type-1 external route's destination equals
the cost from the router to the ASBR plus the cost from the ASBR to the external route's
destination.
A Type-2 external route has low credibility, so OSPFv3 assumes that the cost from the ASBR to a
Type-2 external route's destination is much greater than the cost from any internal router to the
ASBR. The cost from an internal router to a Type-2 external route's destination therefore equals
only the cost from the ASBR to that destination.
The import-route command cannot redistribute default routes.
The import-route bgp4+ command redistributes only EBGP routes. The import-route bgp4+
allow-ibgp command redistributes both EBGP and IBGP routes, and might cause routing loops.
Therefore, use it with caution.
The import-route nssa-only command redistributes AS-external routes in Type-7 LSAs only into
the NSSA area.
Examples
# Configure OSPFv3 process 1 to redistribute routes from RIPng process 10, and specify the type as
type 2 and the cost as 50.
<Sysname> system-view
[Sysname] ospfv3
[Sysname-ospfv3-1] import-route ripng 10 type 2 cost 50
# Configure OSPFv3 process 100 to redistribute the routes discovered by OSPFv3 process 160.
<Sysname> system-view
[Sysname] ospfv3 100
[Sysname-ospfv3-100] import-route ospfv3 160
ipv6 import-route (IPv6 IS-IS view)
Use ipv6 import-route to enable IPv6 IS-IS to redistribute routes from another routing protocol.
Use undo ipv6 import-route to disable route redistribution.
Syntax
ipv6 import-route protocol [ process-id ] [ allow-ibgp ] [ allow-direct | cost cost | [ level-1 |
level-1-2 | level-2 ] | route-policy route-policy-name | tag tag ] *
undo ipv6 import-route protocol [ process-id ]
Default
IPv6 IS-IS does not redistribute routes from any other routing protocol.
Views
IS-IS view
Predefined user roles
network-admin
Parameters
protocol: Redistributes routes from the specified routing protocol, which can be direct, static, ripng,
isisv6, bgp4+, or ospfv3.
process-id: Specifies a process by its ID in the range of 1 to 65535. It is available only when the
protocol is ripng, isisv6, or ospfv3.
allow-direct: Redistributes the networks of the local interfaces enabled with the specified routing
protocol. By default, the networks of the local interfaces are not redistributed. If you specify both the
allow-direct keyword and the route-policy route-policy-name option, make sure the if-match rule
defined in the routing policy does not conflict with the allow-direct keyword. For example, if you
specify the allow-direct keyword, do not configure the if-match route-type rule for the routing policy.
Otherwise, the allow-direct keyword does not take effect.
cost cost: Specifies a cost for redistributed routes, in the range of 0 to 4261412864.
level-1: Redistributes routes into the Level-1 routing table.
level-1-2: Redistributes routes into Level-1 and Level-2 routing tables.
level-2: Redistributes routes into the Level-2 routing table.
route-policy route-policy-name: Specifies a routing policy by its name, a case-sensitive string of 1 to
63 characters, to filter redistributed routes.
tag tag: Specifies an administrative tag for marking redistributed routes, in the range of 1 to
4294967295.
allow-ibgp: Allows redistribution of IBGP routes. This keyword is available only when the protocol is
bgp4+.
Usage guidelines
IPv6 IS-IS considers redistributed routes as AS-external routes.
You can specify a cost and a level for redistributed routes.
The ipv6 import-route bgp4+ command redistributes only EBGP routes. The ipv6 import-route
bgp4+ allow-ibgp command redistributes both EBGP and IBGP routes, and might cause routing
loops. Therefore, use it with caution.
Examples
# Configure IPv6 IS-IS to redistribute static routes and set the cost for redistributed routes to 15.
<Sysname> system-view
[Sysname] isis 1
[Sysname-isis-1] ipv6 import-route static cost 15
New feature: Python
Using Python
Python is an easy to learn, powerful programming language. It has efficient high-level data structures
and a simple but effective approach to object-oriented programming. Python's elegant syntax and
dynamic typing, together with its interpreted nature, make it an ideal language for scripting and rapid
application development in many areas on most platforms.
Comware V7 provides a built-in Python interpreter that supports the following items:
Python 2.7 commands.
Python 2.7 standard API.
Comware V7 extended API.
Python scripts. You can use a Python script to configure the system automatically.
To use Python 2.7 commands and the APIs, you must enter the Python shell.
Command reference
See HPE FlexNetwork MSR Command References(V7).
New feature: ATM
Configuring ATM
Asynchronous Transfer Mode (ATM) is a technology based on packet transmission mode that also
incorporates the high speed of circuit transmission mode. ATM was adopted as the transmission
and switching mode for broadband ISDN by the ITU-T in June 1992. Due to its flexibility and support
for multimedia services, ATM is regarded as a core broadband technology.
As defined by the ITU-T, data is encapsulated in cells in ATM. Each ATM cell is 53 bytes in length, of
which the first five bytes contain cell header information and the last 48 bytes contain payload. The
major function of the cell header is to identify virtual connection. In addition, it can be used to carry
limited flow control, congestion control, and error control information.
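The cell layout described above, as an added example that is not part of the release notes or of Comware: a builder and parser for the 5-byte ATM UNI cell header (GFC, VPI, VCI, PT, CLP and the HEC byte), including the HEC check that implements the header's error-control role. The header field layout and the HEC definition (CRC-8 with generator x^8+x^2+x+1 over the first four header bytes, XORed with 0x55) are taken from ITU-T I.361/I.432, not from the page; the sample cells are constructed.

```python
# ATM UNI cell header (ITU-T I.361): GFC 4 bits, VPI 8 bits, VCI 16 bits,
# PT 3 bits, CLP 1 bit, HEC 8 bits. The VPI/VCI pair identifies the virtual
# connection; GFC carries flow control, PT/CLP congestion information, and
# HEC the error control the page mentions.
CELL_SIZE = 53
HEADER_SIZE = 5
PAYLOAD_SIZE = CELL_SIZE - HEADER_SIZE
HEC_COSET = 0x55          # ITU-T I.432: HEC = CRC-8(header[0:4]) XOR 0x55
CRC8_POLY = 0x07          # x^8 + x^2 + x + 1


def crc8_atm(data):
    """Bitwise CRC-8 with polynomial x^8+x^2+x+1, zero initial value, no final XOR."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 0x80:
                crc = ((crc << 1) ^ CRC8_POLY) & 0xFF
            else:
                crc = (crc << 1) & 0xFF
    return crc


def hec(header4):
    """HEC byte for the first four header bytes."""
    return crc8_atm(header4) ^ HEC_COSET


def build_cell(vpi, vci, pt=0, clp=0, gfc=0, payload=bytes(PAYLOAD_SIZE)):
    """Assemble a 53-byte cell; the payload defaults to 48 constructed zero bytes."""
    if not (0 <= gfc < 16 and 0 <= vpi < 256 and 0 <= vci < 65536 and 0 <= pt < 8 and clp in (0, 1)):
        raise ValueError("header field out of range")
    if len(payload) != PAYLOAD_SIZE:
        raise ValueError("payload must be exactly 48 bytes")
    b0 = (gfc << 4) | (vpi >> 4)
    b1 = ((vpi & 0x0F) << 4) | (vci >> 12)
    b2 = (vci >> 4) & 0xFF
    b3 = ((vci & 0x0F) << 4) | (pt << 1) | clp
    head = bytes([b0, b1, b2, b3])
    return head + bytes([hec(head)]) + bytes(payload)


def parse_cell(cell):
    """Split a cell into header fields and payload; hec_ok is False on a corrupted header."""
    if len(cell) != CELL_SIZE:
        raise ValueError("an ATM cell is exactly 53 bytes")
    b0, b1, b2, b3, hec_field = cell[:HEADER_SIZE]
    return {
        "gfc": b0 >> 4,
        "vpi": ((b0 & 0x0F) << 4) | (b1 >> 4),
        "vci": ((b1 & 0x0F) << 12) | (b2 << 4) | (b3 >> 4),
        "pt": (b3 >> 1) & 0x07,
        "clp": b3 & 0x01,
        "hec_ok": hec(cell[:4]) == hec_field,
        "payload": bytes(cell[HEADER_SIZE:]),
    }


if __name__ == "__main__":
    cell = build_cell(vpi=1, vci=32, pt=1, clp=1)
    print(parse_cell(cell))
    damaged = bytearray(cell)
    damaged[1] ^= 0x01          # flip one VPI bit: the HEC no longer verifies
    print("damaged hec_ok:", parse_cell(damaged)["hec_ok"])
```

A useful sanity check for any HEC implementation is the idle-cell header 00 00 00 01, whose HEC is the well-known 0x52; an all-zero header yields 0x55, the coset value itself.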
Command reference
See HPE FlexNetwork MSR Command References(V7).
New feature: DHCP MIB
DHCP MIB
This release adds support for HH3C-DHCP4-MIB and HH3C-DHCP-SNOOP2-MIB. For more information
about MIB nodes, see the MIB companion document.
Command reference
if-match
Use if-match to configure a match rule for a DHCP user class.
Use undo if-match to remove the match rule for a DHCP user class.
Syntax
if-match rule rule-number option option-code [ hex hex-string [ mask mask | offset offset length
length ] ]
undo if-match rule rule-number
Default
No match rule is configured for the DHCP user class.
Views
DHCP user class view
Predefined user roles
network-admin
Parameters
rule rule-number: Assigns the match rule an ID in the range of 1 to 16. A smaller ID represents a
higher match priority.
option option-code: Matches a DHCP option by a number in the range of 1 to 254.
hex hex-string: Matches the specified string in the option. The hex-string argument is a hex string of
2 to 256 characters with an even number of characters (two hex digits per byte). If you do not specify
the hex-string argument, the DHCP server only checks whether the specified option exists in the
received packets.
mask mask: Specifies the mask used to match the option content. The mask argument is a hex string
of 2 to 256 characters with an even number of characters. The mask must have the same length as
hex-string.
offset offset: Specifies the offset, in bytes, at which matching of the option content starts, in the
range of 0 to 254. If you do not specify the offset argument, the server matches the entire option
against the rule.
length length: Specifies the number of bytes of the option to match, in the range of 1 to 128. The
specified length must equal the length of hex-string in bytes.
Usage guidelines
You can configure multiple match rules for a DHCP user class. Each match rule is uniquely identified
by a rule ID. Different match rules can include the same option code, but they cannot have the exact
same matching criteria.
The DHCP server matches DHCP requests against the match rules. A DHCP client matches a DHCP
user class when its request matches one of the specified match rules.
The match operation follows these guidelines:
If only the option-code argument is specified in the rule, packets containing the option match the
rule.
If only the option-code and hex-string arguments are specified in the rule, packets that have the
specified hex string in the specified option match the rule.
If the option-code, hex-string, offset, and length arguments are specified in the rule, packets
match the rule if the bytes from offset+1 to offset+length of the specified option (counting from
the first byte of the option content) are the same as the specified hex string.
If the option-code, hex-string, and mask arguments are specified in the rule, the DHCP server
ANDs the first N bytes of the specified option with the mask, N being the length of the mask in
bytes, and compares the result with the result of the AND operation between hex-string and
mask. If the two results are the same, the received packet matches the rule.
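The match semantics above, as an added example (not Comware code and not from the release notes): a DHCP option parser and an evaluator for the four if-match rule forms (option only, option plus hex string, offset/length window, and mask), run over a constructed options field. The rule dictionaries mirror the three examples that follow in this section. One assumption: for the option-code plus hex-string form, the whole option is compared with the hex string, which is how the offset parameter text above reads ("matches the entire option"); the sample option 82 and option 60 contents are constructed, not captured traffic.

```python
# Constructed DHCP options field (the bytes after the magic cookie): Option 53
# (message type DISCOVER), Option 82 with four constructed bytes 13 ae 92 80,
# Option 60 (vendor class "MSFT 5.0"), then the End option.
SAMPLE_OPTIONS = (
    bytes([53, 1, 1])
    + bytes([82, 4, 0x13, 0xAE, 0x92, 0x80])
    + bytes([60, 8]) + b"MSFT 5.0"
    + bytes([255])
)

# Rule models for the three examples in this section.
RULE_1 = {"option": 82}                                   # if-match rule 1 option 82
RULE_2 = {"option": 82, "hex": bytes.fromhex("13ae92"),   # ... hex 13ae92 offset 0 length 3
          "offset": 0, "length": 3}
RULE_3 = {"option": 82, "hex": bytes.fromhex("00000080"),  # ... hex 00000080 mask 00000080
          "mask": bytes.fromhex("00000080")}


def parse_dhcp_options(raw):
    """Parse the TLV option field into {code: value}; repeated codes are concatenated (RFC 3396)."""
    options = {}
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == 0:            # Pad option: a single byte, no length
            i += 1
            continue
        if code == 255:          # End option
            break
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = options.get(code, b"") + bytes(value)
        i += 2 + length
    return options


def rule_matches(rule, options):
    """Evaluate one if-match rule against parsed options, following the guidelines above."""
    value = options.get(rule["option"])
    if value is None:
        return False
    pattern = rule.get("hex")
    if pattern is None:
        return True                      # option-code only: presence is enough
    mask = rule.get("mask")
    if mask is not None:                 # mask form: AND the first len(mask) bytes
        if len(mask) != len(pattern):
            raise ValueError("mask and hex-string must have the same length")
        window = value[:len(mask)]
        if len(window) < len(mask):
            return False                 # option shorter than the mask cannot match
        masked_value = bytes(v & m for v, m in zip(window, mask))
        masked_pattern = bytes(p & m for p, m in zip(pattern, mask))
        return masked_value == masked_pattern
    if "offset" in rule:                 # offset/length form: compare one window
        length = rule["length"]
        if length != len(pattern):
            raise ValueError("length must equal the hex-string length in bytes")
        window = value[rule["offset"]:rule["offset"] + length]
        return len(window) == length and window == pattern
    return value == pattern              # hex only: the entire option must equal the string


def class_matches(rules, options):
    """A client matches the user class when any rule matches; rules are tried in ID order."""
    return any(rule_matches(rule, options) for _, rule in sorted(rules.items()))


if __name__ == "__main__":
    opts = parse_dhcp_options(SAMPLE_OPTIONS)
    for rule_id, rule in ((1, RULE_1), (2, RULE_2), (3, RULE_3)):
        print("rule %d:" % rule_id, rule_matches(rule, opts))
    print("class:", class_matches({1: RULE_1, 2: RULE_2, 3: RULE_3}, opts))
```

Because rule 1 matches any request that merely carries Option 82, a class containing it matches every relayed request regardless of what rules 2 and 3 test; put the presence-only rule in its own class when the intent is to distinguish relay agents by Option 82 content.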
Examples
# Configure match rule 1 to match DHCP requests that contain Option 82 for DHCP user class
contain-option82.
<Sysname> system-view
[Sysname] dhcp class contain-option82
[Sysname-dhcp-class-contain-option82] if-match rule 1 option 82
# Configure match rule 2 to match DHCP requests that contain Option 82 whose first three bytes are
0x13ae92 for DHCP user class exam.
<Sysname> system-view
[Sysname] dhcp class exam
[Sysname-dhcp-class-exam] if-match rule 2 option 82 hex 13ae92 offset 0 length 3
# Configure match rule 3 to match DHCP requests that contain Option 82 whose highest bit of the
fourth byte is 1 for DHCP user class exam.
<Sysname> system-view
[Sysname] dhcp class exam
[Sysname-dhcp-class-exam] if-match rule 3 option 82 hex 00000080 mask 00000080
Related commands
dhcp class
ESS 0006P02
None