HPE MSR1000 MSR2000 MSR3000 MSR4000- CMW710 …h20628. · 4 2. Debugging Fixes bugs. CMW710-R0305 P04 First release 2015-12-1 8 Release version Only support MSR3012 AC Router CMW710-R0305

HPE MSR1000_MSR2000_MSR3000_MSR4000-CMW710-R0306P81 Release Notes

The information in this document is subject to change without notice. © Copyright [First Year] 2013, [Current Year] 2016 Hewlett Packard Enterprise Development LP

i

Contents

Version information ···········································································1

Version number ··························································································································· 1 Version history ···························································································································· 2 Hardware and software compatibility matrix ······················································································ 7 Upgrading restrictions and guidelines······························································································· 8

Hardware feature updates ··································································8

CMW710-R0306P81 ····················································································································· 8 CMW710-R0306P30 ····················································································································· 9 CMW710-R0306P07 ····················································································································· 9 CMW710-R0305P08 ····················································································································· 9 CMW710-R0305P04 ····················································································································· 9 CMW710-R0304P02 ····················································································································· 9 CMW710-R0304 ·························································································································· 9 CMW710-E0302P06 ····················································································································· 9 CMW710-E0102 ························································································································ 10

Software feature and command updates ············································· 10

MIB updates ·················································································· 10

Operation changes ········································································· 20

Restrictions and cautions ································································· 20

Open problems and workarounds ······················································ 21

List of resolved problems ································································· 21

Resolved problems in CMW710-R0306P81 ···················································································· 21 Resolved problems in CMW710-R0306P80 ···················································································· 22 Resolved problems in CMW710-R0306P70 ···················································································· 25 Resolved problems in CMW710-R0306P52 ···················································································· 27 Resolved problems in CMW710-R0306P30 ···················································································· 32 Resolved problems in CMW710-R0306P12 ···················································································· 35 Resolved problems in CMW710-R0306P11 ···················································································· 37 Resolved problems in CMW710-R0306P07 ···················································································· 39 Resolved problems in CMW710-R0305P08 ···················································································· 42 Resolved problems in CMW710-R0305P04 ···················································································· 48 Resolved problems in CMW710-R0305 ·························································································· 51 Resolved problems in CMW710-R0304P12 ···················································································· 53 Resolved problems in CMW710-R0304P04 ···················································································· 56 Resolved problems in CMW710-R0304P02 ···················································································· 62 Resolved problems in CMW710-R0304 ·························································································· 63 Resolved problems in CMW710-E0302P06 ····················································································· 64 Resolved problems in CMW710-E0102 ·························································································· 66 Resolved problems in CMW710-E0006P02 ····················································································· 66

Support and other resources····························································· 66

Accessing Hewlett Packard Enterprise Support················································································ 66 Documents ······························································································································· 66

Related documents ·············································································································· 67 Documentation feedback ······································································································ 68

Appendix A Feature list ··································································· 69

Hardware features ······················································································································ 69 Software features ······················································································································· 76

ii

Appendix B Upgrading software ························································ 80

Software types ·························································································································· 80 Upgrade methods ······················································································································ 80 Preparing for the upgrade ············································································································ 81 Centralized devices upgrading from the CLI ···················································································· 82

Saving the running configuration and verifying the storage space ················································· 82 Downloading the image file to the router ·················································································· 82 Specifying the startup image file ····························································································· 83 Rebooting and completing the upgrade ··················································································· 84

Distributed devices upgrading from the CLI ····················································································· 85 Display the slot number of the active MPU ··············································································· 85 Save the current configuration and verify the storge space ·························································· 85 Download the image file to the router ······················································································ 86 Specifying the startup image file ····························································································· 86 Reboot and completing the upgrade ······················································································· 88

Distributed devices ISSU ············································································································· 89 Disabling the standby MPU auto-update function ······································································· 90 Saving the running configuration and verifying the storage space ················································· 90 Downloading the upgrade image file to the router ······································································ 91 Upgrading the standby MPU ·································································································· 91 Upgrading the active MPU ···································································································· 93

Upgrading from the BootWare menu ······························································································ 95 Accessing the BootWare menu ······························································································ 95 Using TFTP/FTP to upgrade software through an Ethernet port ··················································· 97 Using XMODEM to upgrade software through the console port ·················································· 100

Managing files from the BootWare menu ······················································································ 104 Displaying all files ·············································································································· 105 Changing the type of a system software image ······································································· 105 Deleting files ···················································································································· 106

Handling software upgrade failures ······························································································ 107

Appendix C Handling console login password loss ······························ 107

Disabling password recovery capability ························································································ 107 Handling console login password loss ·························································································· 108

Examining the password recovery capability setting ································································· 109 Using the Skip Current System Configuration option ································································ 110 Using the Skip Authentication for Console Login option ···························································· 111 Using the Restore to Factory Default Configuration option························································· 111

iii

List of Tables

Table 1 Version history .................................................................................................................................................................... 2

Table 2 HPE product device numbers matrix ......................................................................................................................... 7

Table 3 Hardware and software compatibility matrix ......................................................................................................... 7

Table 4 MIB updates ...................................................................................................................................................................... 10

Table 5 MSR1000 specifications ................................................................................................................................................ 69

Table 6 MSR2000/MSR2000 TAA specifications ................................................................................................................. 69

Table 7 MSR3000/MSR3000 TAA specifications ................................................................................................................. 70

Table 8 MSR4000 specifications ................................................................................................................................................ 71

Table 9 MSR4000/MSR4000 TAA MPU Specification ........................................................................................................ 71

Table 10 MSR4000 SPU Specification ..................................................................................................................................... 71

Table 11 MSR2004-24 AC power module specifications ................................................................................................. 72

Table 12 MSR2004-48 DC power module specifications ................................................................................................ 72

Table 13 MSR3044/MSR3064/MSR4060/MSR4080 AC power module specifications ........................................ 72

Table 14 MSR3044/MSR3064/MSR4060/MSR4080 DC power module specifications ........................................ 72

Table 15 MSR3044/MSR3064/MSR4060/MSR4080 PoE power module specifications ...................................... 72

Table 16 MSR series routes Module List ................................................................................................................................ 72

Table 17 Sierra Modem Module and Host/card compatibility matrix........................................................................ 76

Table 18 MSR Series routers software features ................................................................................................................... 76

Table 19 Storage media ................................................................................................................................................................ 81

Table 20 BootWare menu options ............................................................................................................................................ 96

Table 21 Ethernet submenu options ....................................................................................................................................... 97

Table 22 Network parameter fields and shortcut keys ..................................................................................................... 98

Table 23 Serial submenu options .......................................................................................................................................... 100

Table 24 File Control submenu options .............................................................................................................................. 105

Table 25 BootWare options and password recovery capability compatibility matrix ....................................... 107

1

This document describes the features, restrictions and guidelines, open problems, and workarounds for version R0306P81. Before you use this version in a live network, back up the configuration and test the version to avoid software upgrade affecting your live network.

Use this document in conjunction with HPE MSR1000_MSR2000_MSR3000_MSR4000-CMW710-R0306P81 Release Notes (Software Feature Changes) and the documents listed in “Related documents”

Version information

Version number

HPE Comware Software, Version 7.1.059, Release 0306P81

Please see the example below generated by the display version command:

<HPE> display version

HPE Comware Software, Version 7.1.059, Release 0306P81

Copyright (c) 2010-2016 Hewlett Packard Enterprise Development LP

HPE MSR3064 uptime is 0 weeks, 0 days, 0 hours, 2 minutes

Last reboot reason : User reboot

Boot image: cfa0:/msr3000-cmw710-boot-r0306p81.bin

Boot image version: 7.1.059P27, Release 0306P81

Compiled Mar 16 2016 16:00:00

System image: cfa0:/msr3000-cmw710-system-r0306p81.bin

System image version: 7.1.059, Release 0306P81

Compiled Mar 16 2016 16:00:00

Feature image(s) list:

cfa0:/msr3000-cmw710-security-r0306p81.bin, version: 7.1.059

Compiled Mar 16 2016 16:00:00

cfa0:/msr3000-cmw710-voice-r0306p81.bin, version: 7.1.059

Compiled Mar 16 2016 16:00:00

cfa0:/msr3000-cmw710-data-r0306p81.bin, version: 7.1.059

Compiled Mar 16 2016 16:00:00

CPU ID: 0x4

2G bytes DDR3 SDRAM Memory

8M bytes Flash Memory

PCB Version: 2.0

CPLD Version: 2.0

Basic BootWare Version: 1.60

Extended BootWare Version: 1.60

[SLOT 0]AUX (Hardware)2.0, (Driver)1.0, (CPLD)2.0

[SLOT 0]GE0/0 (Hardware)2.0, (Driver)1.0, (CPLD)2.0



[SLOT 0]CELLULAR0/0 (Hardware)2.0, (Driver)1.0, (CPLD)2.0

[SLOT 0]CELLULAR0/1 (Hardware)2.0, (Driver)1.0, (CPLD)2.0

[SLOT 6]HMIM-1CE3 (Hardware)2.0, (Driver)1.0, (CPLD)1.0

[SLOT 7]HMIM-2T1 (Hardware)3.0, (Driver)1.0, (CPLD)4.0

2

[SLOT 9]HMIM-4T1-F (Hardware)3.0, (Driver)1.0, (CPLD)3.0

Version history

Table 1 Version history

Version

number Last version

Release

date

Release

type Remarks

CMW710-R0306P81

CMW710-R0306P80

2016-12-01

Release version

MSR1000_2000_3000_4000 series, including MSR1003-8S and MSR3012 AC

Fixes bugs

CMW710-R0306P80

CMW710-R0306P70

2016-10-31

Release version


Fixes bugs

CMW710-R0306P70

CMW710-R0306P52

2016-09-28

Release version


Fixes bugs

CMW710-R0306P52

CMW710-R0306P30

2016-08-26

Release version


New feature:

1. MAC address recording in TCP packets

2. Configuring the leased line service for an ISDN BRI interface

3. LLDP PVID inconsistency check

Modified feature:

1. High encryption

2. OSPF

3. Policy-based routing

4. MIB objects

5. Setting ISP domain status

6. Excluding an attribute from portal protocol packets

7. NTP

8. Transceiver modules

9. E1POS

Fixes bugs

CMW710-R0306P30

CMW710-R0306P12

2016-06-08

Release version


New feature:

1. SIP compatibility

Modified feature:

1. OSPF performance

2.Telnet redirect

3.POS terminal access

4.License

5.IP performance optimization

Fixes bugs

3

CMW710-R0306P12

CMW710-R0306P11

2016-04-27

Release version


Modified feature:

1. Configuring an SSH user

2. AAA

3. Configuring a cellular interface for a 3G/4G modem

4. VXLAN

5. DHCP

Fixes bugs.

CMW710-R0306P11

CMW710-R0306P07

2016-04-13

Release version


New feature:

1. Voice VLAN

Modified feature:

1. MPLS QoS support for matching the EXP field

2. MPLS QoS support for marking the EXP field

3. Automatic configuration

Removed feature

1. Tinyproxy

Fixes bugs.

CMW710-R0306P07

CMW710-R0305P08

2016-03-16

Release version


New feature:

1. L2TP-based EAD

2. CFD configuration

Modified feature:

1. Support using dots in user profile name

2. Default size of the TCP receive and send buffer

3. Support for obtaining fan tray and power module vendor information through MIB

4. Supporting per-packet load sharing

5. Automatic configuration

6. Software image signature

Fixes bugs.

CMW710-R0305P08

CMW710-R0305P04

2016-01-10

Release version


New feature:

1. mGRE

2. Disabling transceiver module alarm

Modified feature:

1. Default user role

4

2. Debugging

Fixes bugs.

CMW710-R0305P04

First release 2015-12-18

Release version

Only support MSR3012 AC Router

CMW710-R0305P04

CMW710-R0305

2015-11-25

Release version

MSR1000_2000_3000_4000 series, including MSR1003-8S

New feature:

1. Public key management support for Suite B

2. PKI support for Suite B

3. IPsec support for Suite B

4. SSL support for Suite B

5. FIPS support for Suit B

6. SSH support for Suite B

7. Ignoring the first AS number of EBGP route updates for a peer or peer group

Modified feature:

1. Support for Ethernet link aggregation on Layer 3 Ethernet subinterfaces

2. Changing the maximum number of FIB table entries

3. Enabling CWMP

4. The logo of HP is changed to HPE

Fixes bugs.

CMW710-R0305 CMW710-R0304P12

2015-10-23

Release version


New feature:

1. IKE

Modified feature:

1. IPsec

Fixes bugs.

CMW710-R0304P12

CMW710-R0304P04

2015-09-15

Release version


New feature:

1. Including vendor information in PPP accounting requests

2. BFD for an aggregation group

Modified feature:

1. SSH username

2. IS-IS hello packet sending interval

3. MP-group interface numbering

Fixes bugs.

CMW710-R0304P04

CMW710-R0304P02

2015-08-18

Release version

Support MSR1000_2000_3000_4000 series, including MSR1003-8S

New feature:

1. Media Stream Control (MSC) logging

Modified feature:

5

1. ESP encryption algorithms

Fixes bugs.

CMW710-R0304P02

CMW710-R0304

2015-07-22

Release version

Support MSR1000_2000_3000_4000 series, including MSR1003-8S

New feature:

1. IMSI/SN binding authentication

2. Specifying a band for a 4G modem

3. CFD

4. Using tunnel interfaces as OpenFlow ports

5. NETCONF support for ACL filtering

6. Specifying a backup traffic processing unit

7. WAAS

8. Support for the MKI field in SRTP or SRTCP packets

9. SIP domain name

10. E&M logging

11. Add new cards

Modified feature:

1. Setting the global link-aggregation load-sharing mode

Fixes bugs.

CMW710-R0304 CMW710-E0302P06

2015-06-29

Release version

Support MSR1000_2000_3000_4000 series, added MSR1003-8S

New feature:

1. Setting the RTC version

2. Setting the maximum size of advertisement files

3. IRF

4. Frame Relay

5. EVI

6. VPLS

7. Multicast VPN support for inter-AS option B

Modified feature:

1. 802.1X redirect URL

2. Displaying information about NTP servers from the reference source to the primary NTP server

3. Saving, rolling back, and loading the configuration

4. Displaying information about SSH users

Removed feature

1. Displaying fabric utilization

Fixes bugs

CMW710-E0302P06

CMW710-E0102

2015-04-13

ESS version

Support MSR1000_2000_3000_4000 series

New feature:

1. Object policies

6

2. IPHC

3. Support of PPPoE server for IPv6

4. QSIG tunneling over SIP-T

5. Playout delay

6. BGP L2VPN support for NSR

7. BGP support for dynamic peers

8. ARP PnP

9. Support of Syslog for DNS and support of customlog&userlog for IPv6 hosts

10. QoS soft forwarding

11. Filtering by application layer protocol status

12. ADVPN support for multicast forwarding

13. MPLS LDP support for IPv6

14. Port security

15. Customizable IVR

16. SRST

17. NEMO

18. Support of MFR and FR for L2VPN, FR QoS, and FR compression and fragmentation

19. Support for LLDP on CPOS interfaces

20. SMS-based automatic configuration

21. ARP attack protection

22. SIP support for VRF

Fixes bugs

CMW710-E0102 CMW710-E0006P02

2013-08-10

ESS version

Support MSR2000_3000_4000 series

New feature:

1. Portal authentication

2. MSDP

3. IPsec MIB and IKE MIB

4. PoE

5. CoPP software forwarding feature

6. Configuring MPLS LDP FRR

7. Enhanced routing features

8. Python

9. ATM

10. DHCP MIB

Fixes bugs.

CMW710-E0006P02

CMW710-E0006

2013-04-23

ESS version

Only support MSR3000_4000 series, not support MSR2000 series

Fixes bugs.

CMW710-E0006 First release 2013-01-28

ESS version None

7

Hardware and software compatibility matrix

CAUTION:

To avoid an upgrade failure, use Table 3 to verify the hardware and software compatibility before performing an upgrade.

Table 2 HPE product device numbers matrix

Product code HPE Product name

JG402A HPE MSR4080 Router Chassis

JG403A HPE MSR4060 Router Chassis

JG404A HPE MSR3064 Router

JG405A HPE MSR3044 Router

JG406A HPE MSR3024 AC Router

JG407A HPE MSR3024 DC Router

JG408A HPE MSR3024 PoE Router


JG410A HPE MSR3012 DC Router


JG412A HPE MSR4000 MPU-100 Main Processing Unit

JG413A HPE MSR4000 SPU-100 Service Processing Unit



JG875A HPE MSR1002-4 AC Router

JH060A HPE MSR1003-8S AC Router

JG861A HPE MSR3024 TAA-compliant AC Router

JG734A HPE MSR2004-24 AC Router

JG735A HPE MSR2004-48 Router

JG866A HPE MSR2003 TAA-compliant AC Router

JG869A HPE MSR4000 TAA-compliant MPU-100 Engine

JG409B HPE MSR3012 AC Router

Table 3 Hardware and software compatibility matrix

Item Specifications

Product family

MSR1000_MSR2000_MSR3000_MSR4000

Boot ROM version

MSR1002-4_MSR1003-8S: 250 or higher

MSR2003_MSR2004-24_MSR2004-48: 160 or higher

MSR3012_MSR3024_MSR3044_MSR3064: 160 or higher

MSR4060_MSR4080: MPU-100: 161 or higher

8

SPU-100/200: 140 or higher

Host software

Hardware software MD5 Check Sum File size

MSR1002-4_MSR1003-8S

MSR100X-CMW710-R0306P81.IPE

6e2a436a41b51b0d598f253caa4ae1ef

67,391,488 bytes

MSR2003_MSR2004-24_MSR2004-48

MSR2000-CMW710-R0306P81.IPE

9d5fbf77d4a2878aa1da072cd4120fda

74,107,904 bytes

MSR3012_MSR3024_MSR3044_MSR3064


64b0e7c133560318d06f7726123c4a71

57,016,320 bytes

MSR4060_MSR4080


9b1df8a19f4f498aa773116bb69152d6

118,542,336 bytes

iMC version

iMC BIMS 7.2 (E0402P02)

iMC EAD 7.2 (E0407)

iMC TAM 7.2 (E0407)

iMC UAM 7.2 (E0407)

iMC IVM 7.2 (E0402H02)

iMC MVM 7.2 (E0402P02)

iMC NTA 7.2 (E0402P02)

iMC PLAT 7.2 (E0403P04)

iMC QoSM 7.2 (E0403H01)

iMC RAM 7.2 (E0402)

iMC SHM 7.2 (E0402l01)

iMC UBA 7.2 (E0401P03)

iMC VFM 7.2 (E0403)

iNode version

iNode PC 7.2 (E0407)

Cards version

Cards Name Software Version CPLD or FPGA version

SIC-3G-HSPA 280 or higher 200 or higher

SIC-3G-CDMA 280 or higher 200 or higher

Upgrading restrictions and guidelines

1. After the software is upgraded from a version earlier than E0302P06 to E0302P06 or a later version, the unit of the VRRP preemption delay is changed from seconds to centiseconds.

2. To upgrade from R0305 to R0305P04 or a later version, you must first install the R0305H01 hot patch.

Hardware feature updates

CMW710-R0306P81

None.

9

CMW710-R0306P30

Add new hardware:

Add new card:

4-port 100BASE-FX/1000BASE-X(SFP) Ethernet L2/L3 SIC Module-RT-SIC-4GSWF

CMW710-R0306P07

Add new hardware:

SFP-GPON-SM-ONU

USB modem E3533

CMW710-R0305P08

Add new router:

HPE MSR3012 AC Router(JG409B)

Add new card:

1-port E1 / T1 Voice SIC Module(JH240A)

CMW710-R0305P04

The logo of HP is changed to HPE.

CMW710-R0304P02

Add new cards:

HPE MSR 4GLTE SIC Mod for CDMA/WCDMA (JG742B)

HPE MSR 4G LTE SIC Mod for ATT (JG743B)

HPE MSR 4GLTE SIC Mod for Global (JG744B)

HPE MSR HSPA+/WCDMA SIC Module (JG929A)

CMW710-R0304

Add new router:

HPE MSR1003-8S AC Router

CMW710-E0302P06

Add new hardware:

8-port E1 / CE1 / T1 / CT1 / PRI HMIM Module (JH169A)



10

8-port E1 / Fractional E1 / T1 / Fractional T1 HMIM Module (JH172A)



8-port 100BASE-FX/1000BASE-X / 4-port 1000BASE-T (Combo) L2/L3 HMIM Module (JH238A)

CMW710-E0102

Add new hardware:

4-port 10/100 Mbps Ethernet L2 switching module-PoE card(SIC-4FSW-POE)

1-port ADSL over POTS SIC interface module (SIC-1ADSL)

1 port E1/CE1/PRI SIC interface module(SIC-1EPRI-V3)

9-port 10/100 Mbps Ethernet L2 switching module -PoE card (DSIC-9FSW-POE)

1-port 8-wire G.SHDSL (RJ45) DSIC Module

2-port 1000BASE-X HMIM Module (HMIM-2GEF)



24-port Gig-T Switch HMIM Module (HMIM-24GSW)

24-port Gig-T PoE Switch HMIM Module (HMIM-24GSW-POE)

1-port OC-3 / STM-1 CPOS HMIM Module (HMM-1CPOS)

2-port OC-3 / STM-1 CPOS HMIM Module (HMIM-2CPOS)

1-port OC-3c / STM-1c ATM SFP HMIM Module (HMIM-ATMOC3)

1-port dual-pair G.SHDSL interface module (MIM-1SHL-4W)(need to config HMIM-Adapter)

SPU-300 service module

MSR3012-DC

MSR3024-DC

MSR3024-POE

300W DCPower(PSR300-12D2)

Support USB modem E303c and E3131

Software feature and command updates

For more information about the software feature and command update history, see HPE MSR1000_MSR2000_MSR3000_MSR4000-CMW710-R0306P81 Release Notes (Software Feature Changes).

MIB updates

Table 4 MIB updates

Item MIB file Module Description

CMW710-R0306P81

New None None None

11

Modified None None None

CMW710-R0306P12

New None None None

Modified rfc1213.mib RFC1213-MIB Modified description of sysDescr and sysObjectID

CMW710-R0306P11

New None None None

Modified rfc1213.mib RFC1213-MIB Modified description of sysObjectID

CMW710-R0306P07

New None None None


CMW710-R0305P08

New None None None

Modified hh3c-3gmodem.mib HH3C-3GMODEM-MIB

Modified description of hh3cWirelessCardOnlineTable, hh3cWirelessCardModemMode, hh3cWirelessCardCurNetConn, hh3cWirelessCardOnlineTime, hh3cWirelessCardOnlineType, hh3cUIMInfoTable,hh3cUIMIndex, hh3cUIMStatus,hh3cUIMImsi, hh3c3GCdma1xRttBID, hh3c3GCdma1xRttSID, hh3c3GCdma1xRttNID, hh3c3GCdmaEvDoSubNetID, hh3c3GGsmMcc, hh3c3GGsmMnc, hh3cSmsSrcNumberBind, hh3cSmsTimeBind, hh3cSmsEncodeBind, hh3cSmsContentBind, hh3cSmsRxNotifSwitch and hh3cSmsRxNotification

CMW710-R0305P04

New None None None

Modified rfc1213.mib RFC1213-MIB

Modified description of sysDescr, sysContact, sysName and sysLocation, sysObjectID

CMW710-R0305

New None None None


12

CMW710-R0304P12

New None None None

Modified

rfc2925-disman-ping.mib DISMAN-PING-MIB Modified description of pingCtlTable

hh3c-nqa.mib HH3C-NQA-MIB Modified description of hh3cNqaCtlTable

hh3c-mplsext.mib HH3C-MPLSEXT-MIB Added hh3cMplsExtVpnStatsTable

CMW710-R0304

New None None None

Modified hh3c-transceiver-info.mib HH3C-TRANSCEIVER-INFO-MIB

Modified description of hh3cTransceiverCurTXPower and hh3cTransceiverCurRXPower

CMW710-E0302P06

New

hh3c-stack.mib HH3C-STACK-MIB Added HH3C-STACK-MIB

rfc5060-pim-std.mib PIM-STD-MIB Added PIM-STD-MIB

rfc5240-pim-bsr.mib PIM-BSR-MIB Added PIM-BSR-MIB

hh3c-qinqv2.mib HH3C-QINQV2-MIB Added

HH3C-QINQV2-MIB

rfc3019-ipv6-mld.mibs IPV6-MLD-MIB Added IPV6-MLD-MIB

hh3c-nqa.mib HH3C-NQA-MIB Added HH3C-NQA-MIB

hh3c-posa.mib HH3C-POSA-MIB Added HH3C-POSA-MIB

rfc1473-ppp-ip.mib PPP-IP-NCP-MIB Added PPP-IP-NCP-MIB

rfc1471-ppp-lcp.mib PPP-LCP-MIB Added PPP-LCP-MIB

hh3c-mp-v2.mib HH3C-MP-V2-MIB Added HH3C-MP-V2-MIB

hh3c-mplsext.mib HH3C-MPLSEXT-MIB Added HH3C-MPLSEXT-MIB

hh3c-mplste.mib HH3C-MPLSTE-MIB Added H3C-MPLSTE-MIB

rfc6445-mpls-frr-facility-std.mib

MPLS-FRR-FACILITY-STD-MIB

Added MPLS-FRR-FACILITY-STD-MIB

rfc6445-mpls-frr-general-std.mib

MPLS-FRR-GENERAL-STD-MIB

Added MPLS-FRR-GENERAL-STD-MIB

rfc3812-mpls-te-std.mib MPLS-TE-STD-MIB Added MPLS-TE-STD-MIB

rfc3970-te.mib TE-MIB Added TE-MIB

hh3c-transceiver-info.mib HH3C-TRANSCEIVER-INFO-MIB

Added HH3C-TRANSCEIVER-INFO-MIB

rfc5519-mgmd-std.mib MGMD-STD-MIB Added MGMD-STD-MIB

rfc4560-disman-traceroute.mib

DISMAN-TRACEROUTE-MIB

Added DISMAN-TRACEROUTE-MI

13

B

rfc2925-disman-ping.mib DISMAN-PING-MIB Added DISMAN-PING-MIB

rfc5603-pw-enet-std.mib PW-ENET-STD-MIB Added PW-ENET-STD-MIB

rfc5601-pw-std.mib PW-STD-MIB Added PW-STD-MIB

hh3c-snmp-ext.mib HH3C-SNMP-EXT-MIB Added HH3C-SNMP-EXT-MIB


hh3c-bfd-std.mib HH3C-BFD-STD-MIB Added HH3C-BFD-STD-MIB

hh3c-ppp-over-sonet.mib HH3C-PPP-OVER-SONET-MIB

Added HH3C-PPP-OVER-SONET-MIB

rfc3815-mpls-ldp-std.mib MPLS-LDP-STD-MIB Added MPLS-LDP-STD-MIB

rfc4382-mpls-l3vpn-std.mib MPLS-L3VPN-STD-MIB Added MPLS-L3VPN-STD-MIB

hh3c-license.mib HH3C-LICENSE-MIB Added HH3C-LICENSE-MIB

hh3c-tunnel.mib HH3C-TUNNEL-MIB Added HH3C-TUNNEL-MIB

rfc5643-ospfv3.mib OSPFV3-MIB Added OSPFV3-MIB

rfc2981-disman-event.mib DISMAN-EVENT-MIB Added DISMAN-EVENT-MIB

hh3c-pvst.mib HH3C-PVST-MIB Added HH3C-PVST-MIB

hh3c-evi.mib HH3C-EVI-MIB Added HH3C-EVI-MIB

hh3c-l2vpn.mib HH3C-L2VPN-MIB Added HH3C-L2VPN-MIB

Modified

rfc4444-isis.mib ISIS-MIB

Modified description of

isisSysLevelMinLSPGenInt

rfc1213.mib RFC1213-MIB

Modified description of sysDescr and sysObjectID; Modified TAA description of sysObjectID;

Modified index of ipv6InterfaceTable; Modified description of sysContact and sysLocation;

Modified Access of ipAddressStorageType.


Modified description of

isisRouterID, isisSysLevelTEEnabled, isisNextCircIndex, isisCirc3WayEnabled, isisCircExtendedCircID,

isisISAdj3WayState 和

isisISAdjNbrExtendedCircID

rfc2465-ipv6.mib IPV6-MIB Modified description of

ipv6IfDescr

hh3c-splat-mstp.mib HH3C-LswMSTP-MIB Modified description of

hh3cdot1sStpForceVersi

14

on

rfc2933-igmp-std.mib IGMP-STD-MIB Modified description and

PDS of IGMP-STD-MIB

rfc2863-if.mib IF-MIB

Updated the rfc2863-if.mib from rfc2233-if.mib

hh3c-dns.mib HH3C-DNS-MIB Modified description of HH3C-DNS-MIB

hh3c-domain.mib H3C-DOMAIN-MIB Modified description of HH3C-DOMAIN-MIB

hh3c-sys-man.mib HH3C-SYS-MAN-MIB Modified example of hh3cSysBtmLoadTable

hh3c-config-man.mib HH3C-CONFIG-MAN-MIB

Modified description of hh3cCfgLogTerminalUser and hh3cCfgLogCmdSrcAddress

rfc2933-igmp-std.mib IGMP-STD-MIB

Modified description of igmpInterfaceQueryMaxResponseTime, igmpInterfaceRobustness, igmpInterfaceLastMembQueryIntvl, mldInterfaceQueryMaxResponseDelay, mldInterfaceRobustness, mldInterfaceLastListenQueryIntvl;

Modified PDS of igmpCacheAddress, igmpCacheIfIndex, igmpCacheSelf, mldCacheAddress, mldCacheIfIndex, mldCacheSelf

rfc2925-disman-ping.mib DISMAN-PING-MIB

Modified description of pingCtlIfIndex;

Added pingProbeFailed, pingTestFailed, pingTestCompleted, hh3cNqaProbeTimeOverThreshold, hh3cNqaJitterRTTOverThreshold, hh3cNqaProbeFailure, hh3cNqaJitterPacketLoss, hh3cNqaJitterSDOverThreshold, hh3cNqaJitterDSOverThreshold, hh3cNqaICPIFOverThreshold, hh3cNqaMOSOverThreshold

rfc4133-entity.mib ENTITY-MIB Modified description of entPhysicalAlias, entPhysicalAssetID

15

hh3c-if-ext.mib HH3C-IF-EXT-MIB Modified description of HH3C-IF-EXT-MIB

hh3c-config-man.mib HH3C-CONFIG-MAN-MIB Modified description of HH3C-CONFIG-MAN-MIB

hh3c-trng2.mib HH3C-TRNG2-MIB Modified description of HH3C-TRNG2-MIB

rfc2925-disman-ping.mib DISMAN-PING-MIB Modified description of pingCtlTable

hh3c-ntp.mib HH3C-NTP-MIB Modified description of hh3cNTPSystemMIB

hh3c-entrelation.mib HH3C-ENTRELATION-MIB Modified description of hh3cEntRelationTable

hh3c-entity-ext.mib HH3C-ENTITY-EXT-MIB

Added hh3cEntityExtCpuUsageRecoverThreshold, hh3cEntityExtMemSizeRev, hh3cEntityExtCpuUsageIn1Minute, hh3cEntityExtCpuUsageIn5Minutes,

hh3cEntityExtVoltageTable;

Modified description and relationship of hh3cEntityExtTemperatureThreshold,

Modified description of hh3cEntityExtTemperature.

hh3c-ssh.mib HH3C-SSH-MIB Added hh3cSTelnetServerEnable, hh3cSCPServerEnable

hh3c-lsw-dev-adm.mib HH3C-LSW-DEV-ADM-MIB

Added hh3cLswSlotMemRev, hh3cLswSlotPhyMemRev, hh3cLswSlotRunTime and hh3cLswSlotMemUsedRev


Added hh3cLswCpuTable

hh3c-3gmodem.mib HH3C-3GMODEM-MIB Added hh3cLteInfoTable

hh3c-trap.mib HH3C-TRAP-MIB Modified description of hh3cTrapConfigSwitch

rfc2863-if.mib IF-MIB Modified description of ifOutQLen

hh3c-ip-address.mib HH3C-IP-ADDRESS-MIB Added hh3cIpAddrFirstTrapTime

fc1471-ppp-lcp.mib PPP-LCP-MIB Modified description of pppLinkStatusBadFCSs

ieee8023-lag.mib IEEE8023-LAG-MIB Modified title of IEEE8023-LAG-MIB

hh3c-lag.mib HH3C-LAG-MIB Modified title of

16

HH3C-LAG-MIB

hh3c-domain.mib HH3C-DOMAIN-MIB Modified description of hh3cDomainDefault and hh3cDomainName

hh3c-if-ext.mib HH3C-IF-EXT-MIB Added hh3cIfOperStatus and hh3cIfDownTimes

rfc5603-pw-enet-std.mib PW-ENET-STD-MIB Modified pwEnetTable

rfc5602-pw-mpls-std.mib PW-MPLS-STD-MIB Modified the module of PW-MPLS-STD-MIB

rfc5603-pw-enet-std.mib PW-ENET-STD-MIB Modified the table of PW-ENET-STD-MIB

table hh3cPosParamTable HH3C-PPP-OVER-SONET-MIB

Only support POS interfaces

hh3c-acl.mib HH3C-ACL-MIB

Modified hh3cAclNumberGroupTable, hh3cPfilterApplyTable, hh3cPfilterAclGroupRunInfoTable, hh3cPfilterStatisticSumTable and added the hh3cAclNamedGroupTable, hh3cAclIPAclNamedBscTable, hh3cAclIPAclNamedAdvTable, hh3cAclNamedMACTable, hh3cAclIntervalTable hh3cAclNamedUserTable, hh3cPfilter2ApplyTable, hh3cPfilter2, hh3cPfilter2AclGroupRunInfoTable, hh3cPfilter2AclRuleRunInfoTable, hh3cPfilter2StatisticSumTable,

hh3cAclNamedGroupTable

hh3c-stack.mib HH3C-STACK-MIB Modified description of hh3cStackTopology

rfc2819-rmon.mib RMON-MIB Modified description of default value in RMON-MIB

rfc4502-rmon.mib RMON2-MIB Modified description of default value in RMON2-MIB

lldp-ext-dot1-v2.mib LLDP-EXT-DOT1-V2-MIB

Removed lldpXdot1dcbxConfigETSConfigurationTable

lldpXdot1dcbxConfigETSRecommendationTable

lldpXdot1dcbxConfigPFCTable

lldpXdot1dcbxConfigApplicationPriorityTable

lldpXdot1dcbxLocETSBasicConfigurationTable

lldpXdot1dcbxLocETSConPr

17

iorityAssignmentTable

lldpXdot1dcbxLocETSConTrafficClassBandwidthTable

lldpXdot1dcbxLocETSConTrafficSelectionAlgorithmTable

lldpXdot1dcbxLocETSRecoTrafficClassBandwidthTable

lldpXdot1dcbxLocETSRecoTrafficSelectionAlgorithmTable

lldpXdot1dcbxLocPFCBasicTable

lldpXdot1dcbxLocPFCEnableTable

lldpXdot1dcbxLocApplicationPriorityAppTable

lldpXdot1dcbxRemETSBasicConfigurationTable

lldpXdot1dcbxRemETSConPriorityAssignmentTable

lldpXdot1dcbxRemETSConTrafficClassBandwidthTable

lldpXdot1dcbxRemETSConTrafficSelectionAlgorithmTable

lldpXdot1dcbxRemETSRecoTrafficClassBandwidthTable

lldpXdot1dcbxRemETSRecoTrafficSelectionAlgorithmTable

lldpXdot1dcbxRemPFCBasicTable

lldpXdot1dcbxRemPFCEnableTable

lldpXdot1dcbxRemApplicationPriorityAppTable

lldpXdot1dcbxAdminETSBasicConfigurationTable

lldpXdot1dcbxAdminETSConPriorityAssignmentTable

lldpXdot1dcbxAdminETSConTrafficClassBandwidthTable

lldpXdot1dcbxAdminETSConTrafficSelectionAlgorithmTable

lldpXdot1dcbxAdminETSRecoTrafficClassBandwidthTable

lldpXdot1dcbxAdminETSRecoTrafficSelectionAlgorithmTable

18

lldpXdot1dcbxAdminPFCBasicTable

lldpXdot1dcbxAdminPFCEnableTable

lldpXdot1dcbxAdminApplicationPriorityAppTable

CMW710-E0102

New

rfc5060-pim-std.mib PIM-STD-MIB Added PIM-STD-MIB

rfc5240-pim-bsr.mib PIM-BSR-MIB Added PIM-BSR-MIB

hh3c-qinqv2.mib HH3C-QINQV2-MIB Added HH3C-QINQV2-MIB

rfc3019-ipv6-mld.mibs IPV6-MLD-MIB Added IPV6-MLD-MIB


Added hh3cLswSlotMemRev, hh3cLswSlotPhyMemRev, hh3cLswSlotRunTime and hh3cLswSlotMemUsedRev

hh3c-nqa.mib HH3C-NQA-MIB Added HH3C-NQA-MIB


Modified

rfc4444-isis.mib ISIS-MIB Modified description of isisSysLevelMinLSPGenInt

hh3c-entity-ext.mib HH3C-ENTITY-EXT-MIB

Modified description and relationship of hh3cEntityExtTemperatureThreshold

rfc1213.mib RFC1213-MIB Modified description of sysDescr and sysObjectID


Modified description of isisRouterID, isisSysLevelTEEnabled, isisNextCircIndex, isisCirc3WayEnabled, isisCircExtendedCircID, isisISAdj3WayState and isisISAdjNbrExtendedCircID

rfc2465-ipv6.mib IPV6-MIB Modified description of ipv6IfDescr

hh3c-splat-mstp.mib HH3C-LswMSTP-MIB Modified description of hh3cdot1sStpForceVersion

rfc2933-igmp-std.mib IGMP-STD-MIB Modified description and PDS of nodes in IGMP-STD-MIB

rfc4133-entity.mib ENTITY-MIB Modified description and PDS of entPhysicalAlias and entPhysicalAssetID

hh3c-posa.mib HH3C-POSA-MIB Modified description of hh3cPosaFcmIdleTimeout

rfc2863-if.mib IF-MIB Updated the rfc2863-if.mib from rfc2233-if.mib

CMW710-E0102

New hh3c-ike-monitor.mib HH3C-IKE-MONITOR-MIB Added

19

HH3C-IKE-MONITOR-MIB

hh3c-ike-monitor.mib HH3C-IPSEC-MONITOR-V2-MIB

Added HH3C-IPSEC-MONITOR-V2-MIB

lldp-v2.mib LLDP-V2-MIB Added LLDP-V2-MIB

lldp-ext-dot1-v2.mib LLDP-EXT-DOT1-V2-MIB Added LLDP-EXT-DOT1-V2-MIB

lldp-ext-dot3-v2.mib LLDP-EXT-DOT3-V2-MIB Added LLDP-EXT-DOT3-V2-MIB

rfc2620-radius-acc-client.mib RADIUS-ACC-CLIENT-MIB

Added RADIUS-ACC-CLIENT-MIB

rfc2618-radius-auth-client.mib

RADIUS-AUTH-CLIENT-MIB

Added RADIUS-AUTH-CLIENT-MIB

hh3c-domain.mib HH3C-DOMAIN-MIB Added HH3C-DOMAIN-MIB

hh3c-domain.mib HH3C-DOMAIN-MIB Added HH3C-DOMAIN-MIB

hh3c-user.mib HH3C-USER-MIB Added HH3C-USER-MIB

hh3c-qos-capability.mib HH3C-QOS-CAPABILITY-MIB

Added HH3C-QOS-CAPABILITY-MIB

rfc3621-power-ethernet.mib POWER-ETHERNET-MIB Added POWER-ETHERNET-MIB

hh3c-power-eth-ext.mib HH3C-POWER-ETH-EXT-MIB

Added HH3C-POWER-ETH-EXT-MIB

rfc3814-mpls-ftn-std.mib MPLS-FTN-STD-MIB Added MPLS-FTN-STD-MIB

hh3c-dhcp4.mib HH3C-DHCP4-MIB Added HH3C-DHCP4-MIB

hh3c-dhcp-snoop2.mib HH3C-DHCP-SNOOP2-MIB

Added HH3C-DHCP-SNOOP2-MIB

rfc2662-adsl-line.mib ADSL-LINE-MIB Added ADSL-LINE-MIB

rfc2819-rmon.mib RMON-MIB Added RMON-MIB

rfc4502-rmon.mib RMON2-MIB Added RMON2-MIB

hh3c-rmon-ext2.mib HH3C-RMON-EXT2-MIB Added HH3C-RMON-EXT2-MIB

rfc5132-ipmcast.mib IPMCAST-MIB Added IPMCAST-MIB

Modified

hh3c-common-system.mib HH3C-COMMON-SYSTEM-MIB

Modified HH3C-COMMON-SYSTEM-MIB to V2.4

hh3c-splat-inf.mib HH3C-LswINF-MIB Modified HH3C-LswINF-MIB to V3.4

hh3c-infocenter.mib HH3C-INFO-CENTER-MIB

Added hh3cICLogbufferContTable in HH3C-INFO-CENTER-MIB


Added hh3cLswSlotPktBufFree, hh3cLswSlotPktBufInit, hh3cLswSlotPktBufMin and

20

hh3cLswSlotPktBufMiss in hh3cLswSlotTable

rfc2465-ipv6.mib IPV6-MIB Added ipv6RouteNumber, ipv6DiscardedRoutes and ipv6RouteTable

rfc2096-ip-forward.mib IP-FORWARD-MIB

Added inetCidrRouteNumber, inetCidrRouteDiscards and inetCidrRouteTable

hh3c-config-man.mib HH3C-CONFIG-MAN-MIB Modified the description of hh3cCfgRunModifiedLast

hh3c-cbqos2.mib HH3C-CBQOS2-MIB

Modified the description of hh3cCBQoSPolicyClassNextIndex and hh3cCBQoSPolicyClassCfgInfoTable,and deleted hh3cCBQoSRedirectCfgInfoTable and hh3cCBQoSMirrorIfCfgInfoTable

rfc3415-snmp-vacm.mib NMP-VIEW-BASED-ACM-MIB

Modified the description of vacmContextName

rfc1213.mib RFC1213-MIB Modified the description of ipNetToMediaIfIndex

rfc3415-snmp-vacm.mib SNMP-VIEW-BASED-ACM-MIB

Modified the description of vacmContextName

rfc2233-if.mib IF-MIB Modified the description of ifAlias

hh3c-common-system.mib HH3C-COMMON-SYSTEM-MIB

Modified the description of hh3cSysStatisticPeriod, hh3cSysSamplePeriod, hh3cSysTrapResendPeriod, hh3cSysTrapCollectionPeriod, hh3cSysSnmpPort, hh3cSysSnmpTrapPort, hh3cSysNetID, hh3cSysLastSampleTime.And Modified the PDS of hh3cSysNetID

rfc1213.mib RFC1213-MIB Modified the description of sysDescr and sysObjectID

Operation changes

None

Restrictions and cautions

1. HPE’s FXS not supporting call transfers from an analog phone to Lync Server.

21

Open problems and workarounds

None

List of resolved problems

Resolved problems in CMW710-R0306P81

201611090368

Symptom: The total number of error packets displayed on the network management software and that displayed from the CLI are different.

Condition: This symptom occurs when error packets uiAlignErrs and uiInDiscards are received.

201610280217

Symptom: The description command cannot be successfully executed when a PC running the Windows 10 operating system is used to configure the device.

Condition: This symptom might occur when the description command is executed on a PC running the Windows 10 operating system.

201611100317

Symptom: In a VXLAN network, the configured DSCP marking action does not take effect when a QoS policy for incoming packets is applied to the site-facing interface that hosts an AC.

Condition: This symptom occurs when a QoS policy for incoming packets is applied to the site-facing interface that hosts an AC in a VXLAN network.

201610280181

Symptom: Clients cannot log in to a device through IPv6 SSH and Telnet.

Condition: This symptom occurs when the following conditions are met:

The tcp syn-cookie enable command is executed.

The client is not connected to the device directly.

The device uses an IPv6 address.

201610280192

Symptom: L2TP clients go offline.

Condition: This symptom might occur when a user that uses an incorrect username or password sends authentication requests.

201609230618

Symptom: Traffic cannot be forwarded because ARP/ND entry issuing has failed.

Condition: This symptom might occur when a large number of ARP/ND entries are learned or age out.

201611170054

Symptom: The configuration on FXS interfaces gets lost and no call progress tone is played.

Condition: This symptom occurs when over three HMIM-16FXS modules are installed on the device.

22

201611080238

Symptom: AAA accounting fails because the device and the server use inconsistent session ID formats.

Condition: This symptom occurs when AAA authentication uses an old-version server whose accounting session ID format is incompatible with the ID format on the device.

201611070502

Symptom: CVE-2016-8858.

Condition: Vulnerability was reported in OpenSSH. A remote user can send specially crafted data during the key exchange process to trigger a flaw in kex_input_kexinit() and consume excessive memory on the target system. This can be exploited to consume up to 384 MB per connection.

201610260739

Symptom: In an MPLS over GRE network, the device acts as a P device, and packet loss occurs when two CE devices ping each other.

Condition: This symptom might occur when two CE devices are connected through a service provider network.

201610260505

Symptom: The memory usage of the device continues to increase.

Condition: This symptom occurs when a GRE tunnel with TCP MSS set forwards fragmented packets.

201611250487

Symptom: URL redirection configured for EAD assistant does not take effect.

Condition: None.


201609270202

Symptom: Long ping response delay occurs when no SIM card is installed in the SIC-3G module that uses the EM660 modem chip.

Condition: This symptom might occur if no SIM card is installed in the SIC-3G module that uses the EM660 modem chip.

201603110069

Symptom: When the speed is set to 100 Mbps for a fiber port that uses a 1000-Mbps transceiver module, the LED of the port turns yellow or off.

Condition: This symptom might occur if the speed is set to 100 Mbps for a fiber port that uses a 1000-Mbps transceiver module.

201609220199

Symptom: A 4G router cannot access an LNS through 3G dialup.

Condition: This symptom might occur if a 4G router accesses an LNS through 3G dialup.

201610170407

Symptom: When multicast VPN is configured on the router, a switching module does not forward packets that are received from a Layer 3 interface.

Condition: This symptom might occur if multicast VPN is configured on the router, and the incoming interface of traffic is a Layer 3 interface.

23

201610190490

Symptom: The router can be pinged only within a short period of time after startup.

Condition: This symptom might occur if the following conditions exist:

After negotiation, the speed and duplex mode of interfaces on an SIC-4FSW or SIC-9FSW module are set to 100 Mbps and half duplex.

The module receives Layer 3 packets between 61 and 1536 bytes long at 10 Mbps and forwards the packets through VLAN interfaces.

201607230235

Symptom: The router cannot operate correctly when multiple GRE tunnels and one IPsec over GRE tunnel are forwarding traffic.

Condition: This symptom might occur if multiple GRE tunnels and one IPsec over GRE tunnel are set up.

201607020116

Symptom: When a Telnet user logs in to the router by using a username longer than 253 bytes, memory might be exhausted, and the router might reboot unexpectedly.

Condition: This symptom might occur if SNMP and trap notifications are enabled, and a Telnet user logs in to the router by using a username longer than 253 bytes.

201606010250

Symptom: A voice VLAN-enabled Layer 2 interface fails to forward VLAN-tagged traffic.

Condition: This symptom might occur if the source MAC addresses of the received traffic belong to voice VLANs, but the VLAN tags are for non-voice VLANs.

201604280054

Symptom: QoS cannot correctly collect traffic statistics on an IRF fabric.

Condition: This symptom might occur if a rate limiting template is configured for portal users on an IRF fabric.

201609210481

Symptom: SSH login fails when accounting is enabled and no accounting server is specified.

Condition: This symptom might occur if SSH login is performed when accounting is enabled without any accounting server specified.

201609060727

Symptom: BFD MAD does not take effect on two connected IRF fabrics.

Condition: This symptom might occur if BFD MAD is configured on two connected IRF fabrics, and the IRF fabrics can receive BFD detection packets from each other.

201608110527

Symptom: PPPoE clients cannot come online if the PPPoE server uses the DHCP address pool of a local DHCP server for address assignment.

Condition: This symptom might occur if the PPPoE server uses the DHCP address pool of a local DHCP server for address assignment.

201607290325

Symptom: CVE-2016-1409

Condition: The Neighbor Discovery (ND) protocol implementation in the IPv6 stack in Cisco IOS XE 2.1 through 3.17S, IOS XR 2.0.0 through 5.3.2, and NX-OS allows remote attackers to cause a denial of service (packet-processing outage) via crafted ND messages, aka Bug ID CSCuz66542, as exploited in the wild in May 2016.

24

201604210076

Symptom: Execution of RSSI commands fails on a distributed router after the router reboots with a configuration file.

Condition: This symptom might occur if RSSI commands are executed on a distributed router that has rebooted with a configuration file.

201609220670

Symptom: The router cannot operate correctly when a Layer 3 interface is changed to a Layer 2 interface during traffic forwarding.

Condition: This symptom might occur if a Layer 3 interface is changed to a Layer 2 interface during traffic forwarding.

201607290311


Condition: OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.

201606280170

Symptom: PBR does not fake effect when it is configured after the router starts up without any configuration file.

Condition: This symptom might occur if PBR is configured after the router starts up without any configuration file.

201607250050

Symptom: RBAC does not define access control for the ip load-sharing local-first enable command.

Condition: This symptom might occur if the ip load-sharing local-first enable command is configured, and trace logs are displayed.

201610170025

Symptom: The router cannot provide services when IPsec is enabled.


a. IPsec is configured on the router.

b. Multiple data flows trigger IKE SA negotiations simultaneously, and the negotiations fail.

201609260311

Symptom: Incorrect PVST status causes broadcast storms.


A PVST-enabled VLAN is deleted.

The stpd process is restarted, or the stpd process restarts during patch installation.

201610180122

Symptom: When QoS policy nesting is configured on an interface, long ping response delay occurs.

Condition: This symptom might occur if QoS policy nesting is configured on an interface, and GTS is configured in the parent policy.

201609260288

Symptom: When global password control is enabled, an SSH user cannot log in after multiple login failures.

25

Condition: This symptom might occur if global password control is enabled, and an SSH user logs in repeatedly by using a correct username and an incorrect password.

201609230633

Symptom: Installation of a patch or devkit package takes more than 40 minutes or fails.

Condition: This symptom might occur if a patch or devkit package is installed.

201608030540

Symptom: The router cannot forward MPLS L3VPN traffic correctly after the vpn popgo command is executed.

Condition: This symptom might occur if MPLS L3VPN is configured on the router, and the vpn popgo command is executed.

201607290305


Condition: Curl and libcurl 7.2x before 7.24.0 do not properly consider special characters during extraction of a pathname from a URL, which allows remote attackers to conduct data-injection attacks via a crafted URL, as demonstrated by a CRLF injection attack on the (1) IMAP, (2) POP3, or (3) SMTP protocol.


201608120148

Symptom: The ICCID information for a 3G modem is not displayed in the display cellular command output.

Condition: None.

201608240033

Symptom: The diagnostic and monitoring (DM) feature is not available for ports on a SIC-4G-LTE card.

Condition: None.

201608190032

Symptom: Profile 3 cannot be used by 4G modem for dialup.

Condition: None.

201608290384

Symptom: The CPU usage of an MSR router reaches 50 percent and the delay of audio signals increases.

Condition: This symptom occurs if 12 concurrent calls exist on the MSR router.

201608250025

Symptom: LEDs on the 8GSW card installed in an MSR5660 device cannot operate correctly.

Condition: None.

201609060155

Symptom: Ports on an 8GEE card of an MSR router cannot forward traffic.

Condition: This symptom might occur if the 8GEE card is used in a VRRP network.

201609050247

Symptom: An MSR2004 router runs out of memory after a certain period of use.

26

Condition: This symptom occurs if a VLAN interface is created on the MSR3600 router and the actual forwarding speed of the VLAN interface is higher than the set speed 10 Mbps.

201608300072

Symptom: Portal authentication cannot correctly control user access to the network after users switch to different VLANs.

Condition: None.

201608290529


Condition: The get_random_int function in drivers/char/random.c in the Linux kernel before 2.6.30 produces insufficiently random numbers, which allows attackers to predict the return value, and possibly defeat protection mechanisms based on randomization, via vectors that leverage the function's tendency to "return the same value over and over again for long stretches of time."

201607190451

Symptom: The CLI of an MSR router hangs.

Condition: This symptom occurs if the following conditions exist:

LLDP and 802.1X authentication are enabled on the MSR router.

A port is configured to be shut down upon receiving an illegal frame.

An IP phone fails 802.1X authentication and triggers intrusion protection.

201605200138

Symptom: An MSR router does not support EAD quick deployment. However, no error message is displayed when EAD quick deployment is configured on a 9FSW card installed in the router.

Condition: None.

201607190461

Symptom: An MSR router cannot work with a Cisco NX9000 switch in an IS-IS network.

Condition: None.

201608110387

Symptom: The BGP NSR status of a two-MPU router is not correct, and the status cannot recover.

Condition: This symptom occurs if the memory threshold is reached during an active/standby switchover.

201608160017

Symptom: Ports on the MSR device are always in loopback state.

Condition: This symptom occurs if an external loopback test is performed on a card configured with PPP.

201608090279

Symptom: No voices but only signals are exchanged in the channels for voice services.

Condition: This symptom occurs if PPP compression and VAD are used during satellite link switchover for VHF services.

201607260049

Symptom: The country mode for call progress tones does not take effect on a voice card of an MSR router.

27

Condition: This symptom occurs if call program tones are changed to non-default ones.

201607010523

Symptom: An MSR router in a full-mesh mGRE network reboots unexpectedly.

Condition: This symptom occurs if an aggregate interface is used as the mGRE tunnel interface and the port link modes of member ports in the aggregation group are changed.

201606280148

Symptom: In an MSR IRF fabric, errors exist in VLAN-instance mappings and STP status on ports cannot be correctly set.

Condition: This symptom occurs if the following conditions are met:

a. The spanning tree mode on the IRF fabric is PVST.

b. VLANs are created in the ascending order of VLAN IDs and then some VLANs are deleted. Or, VLANs are not created in the ascending order of VLAN IDs. For example, create VLAN 10 and then create 5.

c. An interface card on the IRF fabric is rebooted.

d. An IRF master/subordinate switchover occurs. Or, the STP process restarts because a patch is installed or uninstalled or an ISSU is performed.

201607180362

Symptom: The AAA NAS-ID profile configuration on an MSR router does not take effect after the router reboots.

Condition: This symptom occurs if the running configuration is saved and the router is rebooted.

201607190489

Symptom: Stream media services are interrupted, because NAT 444 does not create correct entries for RTSP traffic.

Condition: This symptom occurs if the service client instead of the server initiates the service negotiation.

201607280123

Symptom: Fast forwarding does not take effect on a one-armed MSR router.

Condition: This symptom occurs if the one-armed router uses the same Layer 3 interface to perform traffic forwarding. For example, VLAN-interface 361 is configured with a primary interface and secondary interfaces. Traffic arrives at VLAN-interface 361 and then is forwarded out of VLAN-interface 361.


201605260540

Symptom: After the APN-profile is configured, only the authentication mode is modified, but the configuration does not take effect.

Condition: None.

201606200046

Symptom: The device reboots unexpectedly.

Condition: This symptom occurs if the device acts as an SSL VPN gateway and the user logs into the device through the Web interface.

201606290087

Symptom: The device reboots because of memory leak.

28

Condition: This symptom occurs if the SIM card is absent or fails on the 4G interface.

201605300494

Symptom: 802.1X authentication on the SIC-4FSW/DSIC-9FSW cards fails. Layer 2/Layer 3 forwarding is performed without authentication.

Condition: This symptom occurs if the EAD assistant feature is configured on the SIC-4FSW/DSIC-9FSW cards.

201605060278

Symptom: The system fails to obtain the next startup configuration file through MIB.

Condition: None.

201603040253

Symptom: When both voice VLAN and MAC authentication are configured on an interface, MAC authentication is also performed for packets with OUI addresses.

Condition: None.

201605040492

Symptom: When an SSL client policy is configured, the configuration takes effect only after you disable SSL session renegotiation, save the configuration, and reboot the device.

Condition: None.

201604150420

Symptom: If the MAC address of data packets is learned in a voice VLAN, the packets are not forwarded.

Condition: This symptom occurs if the source MAC address of the data packets is an OUI address and the VLAN tag of the packets is not the voice VLAN.

201605260553

Symptom: The PIM process exits exceptionally.

Condition: This symptom occurs if the PIM DM mode is used to create 32K entries and an outgoing interface is configured as the multicast forwarding boundary.

201606070297

(1)Symptom: CVE-2016-2105

(1)Condition: Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.


(2)Condition: Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data.


(3)Condition: The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session, NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.


(4)Condition: The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue.

29


(5)Condition: The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.


(6)Condition: The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.

201605200360

Symptom: A voice call fails.

Condition: This symptom occurs if the longest match is configured and the dialed number is a short number.

201605030252

Symptom: An L2TP user fails to come online through dialup.

Condition: This symptom occurs if the device acts as an LNS and the idle-timeout assigned by the AAA server is 0.

201606290046

Symptom: When the RADIUS server remotely assigns an address, you must configure an IKE address pool.

Condition: None.

201605030237

Symptom: When IKE local extended authentication and address authorization are configured, the configuration is an old version is incompatible with the configuration in a new version.

Condition: None.

201511200124

Symptom: An E1/T1 interface still processes RAI alarms when RAI detection is disabled on the interface.

Condition: None.

201606280531

Symptom: An HMIM-2/4/8E1T1 (-F) card fails to start up.

Condition: This symptom occurs if the device is powered off when the card updates the logic.

201607020231

Symptom: The device reboots unexpectedly because of memory exhaustion.

Condition: This symptom occurs if a user telnets to the device by using a username longer than 127 bytes.

201606290412

Symptom: An interface on which the maximum number of secure MAC addresses is limited goes down when forwarding traffic.

Condition: This symptom might occur if the maximum number of secure MAC addresses set on the interface is small.

201607010400

Symptom: The free-rule 1 source any configuration is added to the configuration file after the device reboots.

30

Condition: This symptom occurs if the device starts up with a .cfg startup configuration file.

201607010364

Symptom: Portal users can come online through an interface with portal authentication disabled, but the status of portal users is not correct.

Condition: None.

201607150110

Symptom: A busy error occurs when an asynchronous serial interface operating in flow mode reversely telnets to the device.

Condition: This symptom occurs if the asynchronous serial interface reversely telnets to the device when it is enabled with terminal service.

201607040302


(1)Condition: Fixed vulnerability in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service by sending a spoofed packet with incorrect authentication data at a certain time.


(2)Condition: Fixed vulnerability in ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service by sending spoofed packets from source IP addresses in a certain scenario.


(3)Condition: Fixed vulnerability in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service via a spoofed broadcast packet.

201605060581


(1)Condition: Fixed vulnerability in ntpd which attackers may be able to disable time synchronization by sending a crafted NTP packet to the NTP client.


(2)Condition: Fixed vulnerability in ntpd allows attackers to send special crafted broadcast packets to broadcast clients, which may cause the affected NTP clients to become out of sync over a longer period of time.


(3)Condition: Fixed vulnerability in NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key.


(4)Condition: Fixed vulnerability when NTP is configured in broadcast mode, a man-in-the-middle attacker or a malicious client could replay packets received from the broadcast server to all (other) clients, which cause the time on affected clients to become out of sync over a longer period of time.

201605180120


(1)Condition: Fixed vulnerability where an off-path attacker can deny service to ntpd clients by demobilizing preemptable associations using spoofed crypto-NAK packets.


(2)Condition: Fixed vulnerability where an attacker can change the time of an ntpd client or deny service to an ntpd client by forcing it to change from basic client/server mode to interleaved symmetric mode.

31


(3)Condition: Fixed vulnerability in ntpd function allow an attacker to conduct a timing attack to compute the value of the valid authentication digest causing forged packets to be accepted by ntpd.


(4)Condition: Fixed vulnerability in ntpd allows unauthenticated network attackers to spoof refclock packets to ntpd processes on systems that do not implement bogon filtering.


(5)Condition: Fixed vulnerability in ntpd will abort if an attempt is made to read an oversized value.


(6)Condition: Fixed vulnerability in ntpd that a remote attacker could use, to send a packet to an ntpd client that would increase the client's polling interval value, and effectively disable synchronization with the server.

201607140270

Symptom: A user fails to dial up by using a POS terminal.

Condition: This symptom occurs if the SoftX device sends an 18x response with an SDP, a 180 response without an SDP, and a 200 OK response without an SDP in order. The media of the devices is not connected, so fax or modem switchover fails.

201607080214

Symptom: When SIP session refresh using re-INVITE requests is enabled, calls are cut off at about 3 minutes.

Condition: This symptom might occur if SIP session refresh using re-INVITE requests is enabled.

201607130473

Symptom: When command accounting is enabled for a Telnet user that passes TACACS authentication, long command execution delay exists.

Condition: This symptom might occur if one of the following conditions exists:

The router does not have connectivity to the TACACS server.

The TACACS server does not respond to accounting requests.

The network has great latency.

201607140274

Symptom: Both the calling party and the called party are silent during a call established between the device and a SoftX device.

Condition: This symptom occurs if the SoftX device sends an 18x response with an SDP, a 180 response without an SDP, and a 200 OK response without an SDP in order. The media of the devices is not connected, so both parties cannot hear any voices.

201607120078

Symptom: When a TTY user logs in through an asynchronous serial interface of an SIC-16AS card, the user connection is not terminated after the idle timeout, the user cannot be forcibly logged off, and reverse Telnet is unavailable.


The flow mode is enabled for the asynchronous serial interface.

The undo shell command is not configured for the user line.

The interface goes down when receiving and sending data.

32

201608230032

Symptom: An MSR3012 router reboots unexpectedly.

Condition: This symptom might occur if an HMIM-8E1T1 card with CPLD version 7.0 is hot plugged into the MSR3012 router when the router is being powered on.


201603140497

Symptom: An MSR2003 router displays the message "Watchdog timeout ==MSR2003 Reboot with CW7 e0402l10" if GRE over IPsec runs on a subinterface and MPLS L3VPN settings are configured on the GRE tunnel interface.

Condition: This symptom might occur if GRE over IPsec runs on a subinterface and MPLS L3VPN settings are configured on the GRE tunnel interface.

201604200661

Symptom: When the full duplex mode is configured and the speed is set to 1000 Mbps for a Layer 2 interface on an SIC-4GSW card, the interface cannot come up or uses an incorrect duplex mode.

Condition: This symptom might occur if the full duplex mode is configured and the speed is set to 1000 Mbps for a Layer 2 interface on an SIC-4GSW card.

201604280272

Symptom: On a China Telecom 3G interface, when the EVDO mode is enabled, an hh3c3GRssiWeakSignalTrap notification for the CDMA-1x RTT mode is falsely generated. When the CDMA-1x RTT mode is enabled, an hh3c3GRssiWeakSignalTrap notification for the EVDO mode is falsely generated.

Condition: None.

201604220195

Symptom: Modem dialups fail on FXS, FXO, E&M, and BSV cards when modem pass-through and fax pass-through are enabled.

Condition: This symptom might occur if modem pass-through and fax pass-through are enabled.

201604220017

Symptom: When the receiving power and transmitting power of a transceiver module change, the corresponding values in the MIB are not updated on time.

Condition: None.

201603140402

Symptom: The router provides 4G dialup services to an LTE network with two LNSs. When the primary LNS fails, services are not switched to the standby LNS.

Condition: None.

201604260058

Symptom: The error packet suppression feature is removed.

Condition: None.

33

201605060432

Symptom: The format of POSA hello messages is incorrect, and the handshaking feature does not take effect.

Condition: None.

201512230234

Symptom: In a dynamic link aggregation group, an Ethernet subinterface is not Selected after certain operations are performed.

Condition: This symptom might occur if the following operations are performed:

a. Create a dynamic link aggregation group and assign an Ethernet subinterface to the group.

b. Delete the link aggregation group.

c. Re-create the link aggregation group and assign the Ethernet subinterface to the group.

201604110398

Symptom: CVE-2016-2842。

Condition: Fixed vulnerability in the doapr_outch function in crypto/bio/b_print.c, which allows remote attackers to cause a denial of service (out-of-bounds write or memory consumption) or possibly have unspecified other impact via a long string.

201603230025

Symptom(1): CVE-2016-0705。

Condition(1):Fixed vulnerability when OpenSSL parses malformed DSA private keys and could lead to a DoS attack or memory corruption for applications that receive DSA private keys from untrusted sources.

Symptom(2): CVE-2016-0798

Condition(2): Fixed vulnerability in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory consumption) by providing an invalid username in a connection attempt.


Condition(3): Fixed vulnerability in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allow remote attackers to cause a denial of service (heap memory corruption or NULL pointer dereference).


Condition(4): Fixed vulnerability in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g improperly calculates string lengths, which allows remote attackers to cause a denial of service which could lead to memory allocation failure or memory leaks.


Condition(5): Fixed vulnerability in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g which makes it easier for local users to discover RSA keys leveraging cache-bank conflicts, aka a "CacheBleed" attack.

201603170257

Symptom(1): CVE-2016-0701:

Condition(1): The DH_check_pub_key function in crypto/dh/dh_check.c in OpenSSL 1.0.2 before 1.0.2f does not ensure that prime numbers are appropriate for Diffie-Hellman (DH) key exchange, which makes it easier for remote attackers to discover a private DH exponent by making multiple handshakes with a peer that chose an inappropriate number, as demonstrated by a number in an X9.42 file.

Symptom(2): CVE-2015-3197。

34

Condition(2): ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not prevent use of disabled ciphers, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by performing computations on SSLv2 traffic, related to the get_client_master_key and get_client_hello functions.

201605040142

Symptom: IKE SA setup fails because "Number of negotiating IKE SAs exceeded the limit" after certain operations are performed.

Condition: This symptom might occur if the IKE keychain settings at the two ends of an IKE SA are inconsistent and the IKE SA is repeatedly created and deleted.

201604260409

Symptom: IPv6 policy-based routing does not take effect.

Condition: None.

201604280185

Symptom: A device using non-standard protocols might drop the frames sent by the router when the frames are VLAN-tagged and 64-byte long (including padding and CRC).

Condition: None.

201604260624

Symptom: After a port goes down, the FIB entry for a direct route that contains the port is deleted after a delay of 20 seconds.

Condition: This symptom might occur if the router keeps forwarding traffic matching the direct route.

201604180578

Symptom: The router does not process R2 B3 messages and forwards a wrong B message to a PBX when receiving a SIP 410 message.

Condition: None.

201602180272

Symptom: An incorrect PSTN cause code is returned for an ISDN link down event.

Condition: None.

201605040146

Symptom: The undo mac-address dynamic mac-address vlan vlan-id command cannot delete a dynamic MAC address entry.

Condition: None.

201603220579

Symptom: An MFR subinterface cannot forward traffic if the PVC is deleted at one end of the link or the type of the PVC is modified from dynamic to static on the DTE.

Condition: This symptom might occur if the PVC of an MFR subinterface is deleted on one end of the link or the type of the PVC is modified from dynamic to static on the DTE.

201605100011

Symptom: NetStream has incorrect outgoing traffic statistics for an interface if the interface forwards traffic from an IP network to an MPLS network.

Condition: This symptom might occur if an interface forwards traffic from an IP network to an MPLS network.

35

201605160128

Symptom: The router sends a wrong Release Cause code in a no pickup call.

Condition: None.

201605130382

Symptom: An incorrect PSTN cause code results in an incorrect SIP status code.

Condition: None.

201604290522

Symptom: Mirrored packets from a Layer 3 mirroring source port might carry an incorrect IP version value.

Condition: None.

201603140262

Symptom: On an MSR4000 router, a GRE tunnel goes down because the router does not receive GRE keepalive responses from the peer.

Condition: This symptom might occur if the router can receive GRE keepalive requests from the peer, but no GRE keepalive responses are received.

201604090478

Symptom: On a voice VLAN-enabled Layer 2 port, MAC address entries of a non-voice VLAN age out even when the port constantly receives traffic of the non-voice VLAN.

Condition: None.

201605260501

Symptom: After the debugging physical card e1posdm calling command is executed in probe view, the undo form of the command does not take effect.

Condition: None.

201606060042

Symptom: A call is disconnected 30 seconds after a user places the call on hold.

Condition: This symptom occurs if the router does not send an RTCP message to the Lync server within 30 seconds.


201602290360

Symptom: After a .cfg configuration file is used to restore the configuration of the router, OSPF sessions that are not configured with a router ID do not use the global router ID.

Condition: This symptom might occur if a .cfg configuration file is used to restore the configuration of the router.

201604010161

Symptom: MAC address entries age out on a voice VLAN-enabled Layer 2 interface when the interface has been forwarding traffic to and from the corresponding MAC addresses.

Condition: This symptom might occur if voice VLAN is enabled on a Layer 2 interface.

201604130088

Symptom: On an MSR4000 router, interfaces remain in discarding state after spanning tree is globally enabled.

36

Condition: This symptom might occur if spanning tree is globally enabled on an MSR4000 router.

201604090420

Symptom: The QoS policy configuration issued by IMC contains incorrect parameters for the CAR action of a traffic behavior.

Condition: None.

201603050111

Symptom: After voice VLAN is enabled, and the router is rebooted, the priority of voice VLAN packets is incorrect.

Condition: This symptom might occur if voice VLAN is enabled, and the router is rebooted.

201512310070


Condition: Certificate verify crash with missing PSS parameter.


Condition: X509_ATTRIBUTE memory leak.


Condition: Race condition handling PSK identify hint.


Condition: Anon DH ServerKeyExchange with 0 p parameter.

201603160152

Symptom: Aggressive IKE negotiation fails for specific Android phones, for example, phones running Android 5.1.1.

Condition: This symptom might occur if the router authenticates specific Android phones.

201511160131

Symptom: POS terminal listening fails if the listening port or the adjacent ports are used by other applications.

Condition: This symptom might occur if the POS terminal listening port or the adjacent ports are used by other applications.

201604060109

Symptom: The 4G MIB is inaccessible.

Condition: None.

201604230042

Symptom: IMC SNMP cannot automatically discover LNS IP addresses.

Condition: None.

201603140262

Symptom: A GRE tunnel goes down unexpectedly.

Condition: This symptom might occur if the router and its peer send keepalive packets to each other, but the router does not receive any keepalive acknowledgment packet from the peer.

http://idms.h3c.com/Login?tabUrl=DefectDetail/Default/9cc7a4ff-2b0d-4e11-81d4-f8f83341cd82$tabTitle=201603140262

37


201602290064

Symptom: After the pre-shared key is modified, IKE negotiation fails, and the router displays the "2th byte of the structure ISAKMP Identification Payload must be 0" message.

Condition: This symptom might occur if the old pre-shared key is not deleted when the new key is set.

201602170270

Symptom: On a CDMA-1xRTT/CDMA-EVDO network, 3G VPDN access fails if the mode of the SIC-4G-LTE module is switched to 3G.

Condition: This symptom might occur if the mode of the SIC-4G-LTE module is switched to 3G.

201601260255

Symptom: After the router reboots, BFD sessions cannot be set up on subinterfaces that are in an aggregation group.

Condition: This symptom might occur if the router reboots.

201603150157

Symptom: IMC obtains incorrect packet statistics for Layer 2 interfaces on an MSR2004-24 router.

Condition: This symptom might occur if IMC reads the packet statistics on Layer 2 interfaces of an MSR2004-24 router.

201602260225

Symptom: An interface on an SIC-4/9FSW module cannot send broadcast traffic in its VLAN after certain operations are performed.


a. Enable STP globally, and form a loop on an interface of an SIC-4/9FSW module.

b. Remove the blocked interface from its VLAN.

c. Disable STP globally, and assign the interface to its original VLAN.

201602260270

Symptom: The router does not display the command execution result after AT commands are manually executed.

Condition: None.

201603110385

Symptom: The router does not send a trap message after a warm or cold reboot.

Condition: This symptom might occur if a warm or cold reboot is performed.

201603240091

Symptom: Dialup fails if a 4G module is operating in 3G mode.


a. Install a 4G SIM card in a 4G module.

b. Set the mode of the 4G module to 3G, and reboot the module.

38

201603100323

Symptom: When a portal preauthentication domain and MAC-based quick portal authentication are used together, authorization attributes in the preauthentication domain do not take effect on preauthentication users.

Condition: This symptom might occur if a portal preauthentication domain and MAC-based quick portal authentication are used together, and MAC-based quick portal authentication is triggered when preauthentication users access the network.

201601210332

Symptom: After a subcard is removed and the router is rebooted, the interface indexes for the subcard change in the MIB.

Condition: This symptom might occur if a subcard is removed and the router is rebooted.

201601180511

Symptom: When OpenFlow is enabled, application layer processing is slow and packet loss occurs.

Condition: This symptom might occur if OpenFlow is enabled.

201603290254

Symptom: The router reboots unexpectedly if it has 4 GB of memory.

Condition: This symptom might occur if the router has 4 GB of memory.

201602290118

Symptom: The route filtering settings of RIP processes running in VPNs are lost after the running configuration is saved and the router is rebooted.

Condition: This symptom might occur if one of the following operations is performed:

Upgrade the software and reboot the router.

Use a .cfg configuration file when rebooting the router.

201602260072

Symptom: An L2TP LAC does not have uplink traffic statistics for users.

Condition: None.

201602200075

Symptom: PPPoE clients fail to come online when the router acts as the PPPoE server if the DNS server IP address is an IPCP configuration option in IPCP negotiation.

Condition: This symptom might occur if the DNS server IP address is an IPCP configuration option in IPCP negotiation.

201602010352

Symptom: When network congestion occurs, high-priority packets are dropped on a CBQ-enabled MP link.

Condition: This symptom might occur if CBQ is configured for an MP link, and network congestion occurs.

201602150740

Symptom: 4G dialup fails if an APN profile specifies the username and password.

Condition: This symptom might occur if an APN profile specifies the username and password for 4G dialup.

201604060109

Symptom: No information can be obtained from the 4G MIB.

http://idms.h3c.com/Login?tabUrl=DefectDetail/Default/02df95ae-5c40-41d7-9b55-fea05bb48d61$tabTitle=201604060109

39

Condition: None.

201604070435

Symptom: An HMIM module might drop packets or stop forwarding traffic.

Condition: None.

201604130088

Symptom: When STP is globally enabled on a distributed router, the state of Layer 2 interfaces becomes discarding.

Condition: None.


201601190330

Symptom: The VPM light of the RT-SPU-100 module fails the equipment test.

Condition: None.

201601200375

Symptom: The GPS track curve reported by the router is inaccurate.

Condition: This symptom occurs when the 4G modem just starts to work.

201601220079

Symptom: Repeated satellite information is displayed when you view the 4G modem information.

Condition: None.

201512300275

Symptom: TACACS accounting configured at the CLI does not take effect.

Condition: This symptom occurs if the super command is used to obtain another user role.

201511270766

Symptom: The status of a Layer 2 aggregate interface is incorrect.

Condition: This symptom occurs if master/subordinate switchover is repeatedly performed for the router.

201601080547

Symptom: The configuration of an Ethernet subinterface is lost after it is assigned to an aggregation group.

Condition: This symptom occurs if the router reboots after the software is upgraded or the router is started by using a .cfg configuration file.

201601120609

Symptom: The user profile name cannot contain periods (.).

Condition: None.

201601130385

Symptom: The router reboots unexpectedly.

Condition: This symptom occurs if LDP receives abnormal TCP PDUs with the length field value 0 in the header.

http://idms.h3c.com/Login?tabUrl=DefectDetail/Default/1347c59d-3a77-458b-ba02-887e5ab1b988$tabTitle=201604070435

40

201601120436

Symptom: The CPU usage reaches 100% in the core where the LDP active process resides.


LDP NSR is configured. After the session comes up, active/standby switchover has occurred.

The number of messages that the session sends by using TCP is incorrectly counted.

201511260615


Condition: This symptom occurs if IPsec SAs and IKE SAs are repeatedly set up and deleted.

201511050564


Condition: This symptom occurs if IPsec protects OSPFv3 routes, and active/standby switchover is performed for the router.

201411190490

Symptom: An ADVPN tunnel fails to be established.

Condition: This symptom occurs if the ADVPN tunnel interface is bound to a VPN instance.

201510300470

Symptom: The operating mode configuration for an SIC-1VE1T1 module does not take effect.

Condition: This symptom occurs if the following operations are performed:

a. Configure the module to operate in T1 mode, and save the configuration.

b. Switch the operating mode to E1.

Reboot the router without saving the configuration.

201601270151

Symptom: The cable impedance of a CE1/PRI interface on an SIC-1VE1T1 module is set to 120 ohm, but the command output shows that the interface's cable impedance is 75 ohm.

Condition: This symptom might occur if the cable impedance of a CE1/PRI interface on an SIC-1VE1T1 module is set to 120 ohm.

201602030487

Symptom: A Layer 3 subinterface on an SIC-4/9FSW(P) module cannot forward traffic if the VLAN numbered with the subinterface number is not created.

Condition: This symptom might occur if a Layer 3 subinterface is created on an SIC-4/9FSW(P) module and the VLAN numbered with the subinterface number is not created.

201512110251

Symptom: The router does not have packet statistics for an aggregate interface that uses subinterfaces as members.

Condition: None.

201601240052

Symptom: MFR subinterfaces cannot be created.

Condition: None.

201512250041

Symptom: Modification of the service type for users in an ISP domain takes effect, but the router still displays the old configuration.

41

Condition: This symptom might occur if the service type for users in an ISP domain is modified.

201601280133

Symptom: The expired license of the router is reactivated, but some features are still unavailable after the router automatically loads the image file.

Condition: This symptom might occur if the expired license is reactivated.

201602240243

Symptom: The router might reboot unexpectedly after running for 497 days.

Condition: None.

201602010060

Symptom: RIP route filtering settings on the router are lost after the running configuration is saved and the router is rebooted.

Condition: This symptom might occur if one of the following operations is performed:

Upgrade the software and reboot the router.

Use a .cfg configuration file when rebooting the router.

201603090066

Symptom: An ADVPN tunnel cannot be set up if a loopback interface provides the tunnel source address and the physical tunnel outgoing interface is a NAT-enabled PPPoE dialer interface.

Condition: This symptom might occur if a loopback interface provides the tunnel source address and the physical tunnel outgoing interface is a NAT-enabled PPPoE dialer interface.

201603090064

Symptom: The DVPN service is interrupted during IPsec SA renegotiation.

Condition: This symptom might occur if the IPsec SA expires and IPsec SA renegotiation is performed.

201603020540

Symptom: The memory usage keeps rising if no ACL is specified for an IPsec policy template.

Condition: This symptom might occur if no ACL is specified for an IPsec policy template.

201601120419

Symptom: An NMS returns an error when it reads the 3G modem table from the MIB of the router.

Condition: This symptom might occur if two SIC-3G cards are installed on the router.

201601160235

Symptom: The router as a PPPoE server has duplicate PPPoE client information.

Condition: None.

201601180617

Symptom: The global DHCP address pool usage is incorrect.

Condition: None.

201601260049

Symptom: The router reboots unexpectedly when it receives GRE packets with the DF bit set.

Condition: This symptom might occur if the router receives GRE packets with the DF bit set.

201601190036

Symptom: The secondary IP addresses of a Virtual-Template interface are unavailable.

42

Condition: None.

201601210335

Symptom: The PPP IP segment match feature does not take effect if the user-basic-service-ip-type { ipv4 | ipv6 | ipv6-pd } command is not configured.

Condition: This symptom might occur if the user-basic-service-ip-type { ipv4 | ipv6 | ipv6-pd } command is not configured.

201602010492

Symptom: A VLAN interface cannot forward IPv6 traffic if a Layer 2 aggregate interface performs forwarding for the VLAN interface.

Condition: This symptom might occur if a Layer 2 aggregate interface performs forwarding for a VLAN interface.

201601210099

Symptom: When the FTP, SSH, Telnet, DNS, HTTP, or HTTPS service is enabled, 31 irrelevant TCP ports are also opened.

Condition: This symptom might occur if the FTP, SSH, Telnet, DNS, HTTP, or HTTPS service is enabled.

201601120047

Symptom: When execution of the description command in interface view fails because the specified description contains unsupported special characters, no prompt is displayed for the failure.

Condition: This symptom might occur if the description command specifies a description that contains unsupported special characters.

201601260439

Symptom: Memory leaks and the device reboots unexpectedly.

Condition: This symptom probably occurs if GRE tunnels/ADVPN tunnels are established over PPPoE and traffic are forwarded through these tunnels.


201512030136

Symptom: A nested QoS policy cannot classify traffic correctly.

Condition: This symptom occurs if QoS pre-classify is enabled for IPsec, and a nested QoS policy is configured to classify the encrypted traffic by using DSCP values.

201508060073

Symptom: GTS cannot well process bursty traffic, and traffic is not sent evenly. When a small burst size is configured, the traffic cannot reach the expected rate.

Condition: This symptom occurs if GTS is configured on an interface to shape traffic.

201512090619

Symptom: The system displays an invalid version notification when the software of a distributed router or an IRF fabric is upgraded from R0305P04.

Condition: This symptom occurs if one of the following conditions exists:

On the distributed router, the slot number of the active MPU is higher than the slot number of the standby MPU, and the software image is stored on the active MPU.

43

On the IRF fabric, the chassis number of the master IRF member router is higher than the chassis numbers of the subordinate IRF member routers, and the software image is stored on the master IRF member router.

201511200241

Symptom: HMIM-8GEE interface cards might stop sending packets.

Condition: This symptom might occur if interfaces on the HMIM-8GEE interface cards receive MPLS frames greater than 3072 bytes.

201509250085

Symptom: Operating modes do not take effect on interfaces on DSIC-1SHDSL-8W interface cards.

Condition: This symptom might occur if the DSIC-1SHDSL-8W interface cards are installed in the router together with other interface cards.

201512210405

Symptom: After a static MAC address entry is configured on the MSR2004, MAC address table synchronization fails and the static MAC address entry cannot be deleted from switching chips.

Condition: This symptom might occur if the MAC address in the static MAC address entry is the source MAC address of traffic.

201511050149

Symptom: Memory leak occurs.

Condition: This symptom occurs if the display debugging command is repeatedly executed.

201512230491

Symptom: A serial interface goes down and then comes up.

Condition: This symptom occurs if the following operations have been performed:

a. The operating mode of the serial interface is changed from synchronous to asynchronous.

b. A master/subordinate switchover occurs.

201511140166

Symptom: The system fails to display or clear statistics for FCM interfaces.

Condition: This symptom occurs if you do not specify an FCM interface when executing the display fcm statistics or reset fcm statistics command.

201512030136

Symptom: No traffic matches a child QoS policy.

Condition: This symptom occurs if the child QoS policy is nested in a parent QoS policy.

201508060073

Symptom: The download speed is slow when a QoS GTS action is configured.

Condition: This symptom occurs if you set a small CBS value for the QoS GTS action.

201511060514

Symptom: QoS queuing configuration cannot be modified on an interface on the MSR4000 after a master/subordinate switchover.

Condition: None.

201512110364

Symptom: The L2VE interface and L3VE interface display up state twice after a master/subordinate switchover.

44

Condition: None.

201512010186


Condition: Denial of Service by Spoofed Kiss-of-Death.


Condition: Denial of Service by Priming the Pump.


Condition: Denial of Service Long Control Packet Message.


Condition: NAK to the Future: NTP Symmetric Association Authentication Bypass Vulnerability.

201507140251

Symptom: VRRPv3 does not support packet authentication. However, no error is displayed when packet authentication is configured for VRRPv3.

Condition: None.

201505270318

Symptom: No prompt is displayed when the router finishes downloading a file as an FTP client.

Condition: This symptom occurs if the downloaded file is greater than 2147483647 bytes.

201512300140

Symptom: NTP time synchronization fails between the router and a Cisco device with a time accuracy of 2

32.

Condition: This symptom occurs if NTP time synchronization occurs between the device and a Cisco device with a time accuracy of 2

32.

201507210022

Symptom: IPsec RRI cannot be implemented based on negotiated traffic flow in the IPsec VPN.

Condition: None.

201511260648

Symptom: Traffic cannot be forwarded through ADVPN tunnels.

Condition: This symptom occurs if ADVPN tunnels are established over an IPv6 network.

201511300165

Symptom: The results of tests that FIPS performs for 3DES and AES-wrap are unexpected.

Condition: None.

201507020257

Symptom: The DF bit setting in IPsec packets does not take effect.

Condition: This symptom occurs if the DF bit of IPsec packers is set on the source interface bound to an IPsec policy.

201512091595

Symptom: IKEv2 uses protocol number 5000 instead of 4500.

Condition: This symptom occurs if IKEv2 NAT traversal is configured.

201510080297

Symptom: The router fails to perform PPTP dial-up.

45

Condition: This symptom might occur if the router accesses the PPTP server through the NAT server.

201512100696

Symptom: The OpenFlow controller fails to discover the router during topology discovery.

Condition: This symptom occurs if the OpenFlow controller uses BDDP to perform topology discovery.

201509160400

Symptom: A user line cannot be configured by using the line number command.

Condition: This symptom occurs if you use the line number command to configure the user line.

201509180141

Symptom: In CWMP, a CPE fails to establish a connection to a server.

Condition: This symptom occurs if the CWMP connection interface belongs to a VPN instance.

201511040399

Symptom: The expected bandwidth configuration on a VLAN interface is lost.

Condition: This symptom occurs after two master/subordinate switchovers.

201512010078

Symptom: The boot-loader file command fails to specify a startup image file.

Condition: This symptom occurs if the startup image file resides on the standby MPU.

201510300441

Symptom: Unexpected page break occurs during faxing or fax negotiation fails.

Condition: This symptom occurs if multiple voice calls are established during faxing.

201512110328

Symptom: MAC address entries age out when they are configured not to age.

Condition: None.

201510160271

Symptom: The dual-stack PPPoE server that mainly provides IPv6 services exhausts IPv6 addresses in the DHCPv6 address pool. PPPoE users who have no IPv6 addresses assigned can log in.

Condition: This symptom occurs if two master/subordinate switchovers occur after IPv6 address exhaustion.

201510220524

Symptom: A logged-in PPPoE user cannot receive traffic.


Two routers form an IRF fabric.

The PPPoE user logs in through an IRF port.

The master device reboots.

201510130373

Symptom: A SIP call cannot be established.

Condition: This symptom occurs if the router receives an INVITE request without SDP information.

46

201507200041

Symptom: The VE1 PRI Layer 3 test fails.

Condition: This symptom occurs if the device receives a SETUP message in which the value of the cap. field is video.

201510160206

Symptom: The dual-stack PPPoE server that mainly provides IPv6 services has available IPv6 addresses in the DHCPv6 address pool. PPPoE users who have no IPv4 addresses assigned cannot log in.

Condition: None.

201509220301

Symptom: The Cellular process reboots unexpectedly.

Condition: This symptom occurs if the profile main command is executed on a cellular interface on the MSR4000.

201510230327

Symptom: If a PPPoE user logs in and then logs out, the CIR specified in the user profile for the user does not take effect.


Two routers form an IRF fabric.

The PPPoE user logs in through an IRF port.

The master device reboots.

201508100249

Symptom: No information is displayed after the display voice sip call command is executed on the MSR4000.

Condition: None.

201512180019

Symptom: The AC of an MPLS L2VPN cannot receive packets from a CE.

Condition: This symptom occurs if a Layer 3 aggregate subinterface is used as the AC of the MPLS L2VPN.

201511250428

Symptom: Settings of the answer-time, idle-time, and trade-time parameters cannot be deployed to interface cards related to POS terminal access.

Condition: This symptom occurs if you set the answer-time, idle-time, and trade-time parameters in system view.

201512010169

Symptom: An error occurs on an IRF physical interface after the router reboots and some operations are performed on the router.

Condition: This symptom occurs if two GigabitEthernet interfaces are used as IRF physical interfaces and one of the IRF physical interfaces goes down.

201512030468

Symptom: Packet filtering does not take effect on an Ethernet interface operating in bridge mode.

Condition: This symptom occurs if packet filtering is enabled on the Ethernet interface operating in bridge mode.

47

201511210055

Symptom: Interfaces on the HMIM-8GSW or HMIM-24GSW interface card receive a large number of ARP requests. Then, a packet statistics error occurs and the switching modules cannot operate correctly.

Condition: This symptom occurs if ARP snooping is enabled on interfaces on the HMIM-8GSW or HMIM-24GSW interface card.

201512180334

Symptom: The MSR2004-24 or MSR2004-48 router reboots unexpectedly.

Condition: This symptom occurs if the parameter of an SDK function on the switching chip of the router is null.

201511120124

Symptom: Packets are sent out of order.

Condition: This symptom occurs if packets are sent in per-flow mode.

201511270774

Symptom: A silent call is established after the called party goes off-hook.

Condition: This symptom occurs if the router uses the SIC-1VE1 or SIC-1VT1 voice card to initiate calls.

201512140104

Symptom: The mac-address max-mac-count command does not take effect, and no error message that the router does not support this command is displayed.

Condition: This symptom occurs if the mac-address max-mac-count command is executed on a Layer 2 aggregate interface.

201511300156

Symptom: The static IPv6 address binding feature does not take effect on an interface of the HMIM-8GSW interface card.

Condition: This symptom occurs if the static IPv6 address binding feature is configured on the interface of the HMIM-8GSW card.

201512100157

Symptom: Transceiver modules on the HMIM-8GSW interface card might fail the equipment test.

Condition: This symptom occurs if the equipment test is performed on the HMIM-8GSW interface card.

201511170229

Symptom: When a POS terminal hangs up, the FCM interface stays in up state and the FCM card becomes unavailable.

Condition: This symptom occurs if the router uses the FCM card for POS dial-up access and a large number of POS terminals repeatedly dial up.

201511250418

Symptom: The 3G chip MC8705 fails to update the firmware.

Condition: This symptom occurs if an MSR2004/4000 router is used to update the firmware of the 3G chip MC8705.

201510190389

Symptom: An L2TP tunnel cannot be established because the router performs strict check on packets with hidden AVPs.

48

Condition: This symptom occurs if the router acts as the L2TP LNS and receives packets with hidden AVPs sent by the LAC.

201510290199

Symptom: An L2TP user with a matching full username fails L2TP authentication. An L2TP tunnel cannot be established.

Condition: This symptom occurs if the router acts as the L2TP LNS and is configured with the ppp user attach-format imsi-sn split command.

201510290176

Symptom: An L2TP user whose authentication information does not contain an at sign (@) fails L2TP authentication. An L2TP tunnel cannot be established.

Condition: This symptom occurs if the router acts as the L2TP LNS and is configured with the ppp user accept-format imsi-sn split @ command.

201508190420

Symptom: Memory loss occurs after a voice interface card on the router reboots.

Condition: This symptom occurs if the CPU usage of the router reaches 100%.

201510160215

Symptom: The router acts as the PPPoE server and uses DHCPv6 to assign IPv6 addresses to hosts. No IPv6 addresses are displayed for PPPoE users in the display ppp access-user command output.

Condition: This symptom occurs if a master/subordinate switchover occurs after PPPoE users log in.

201511250195

Symptom: The MAC address entry for a VRRP group still exists on the router after the VRRP group is deleted.

Condition: This symptom occurs if you assign an IP address to the VRRP group and then delete the VRRP group.

201506180269

Symptom: The router stops sending packets when a POS terminal accesses the router.

Condition: This symptom might occur if the number of concurrent connections reaches 30 on the AM interface multiple times and configuration of the AM interface changes.

201511170159

Symptom: IPsec does not support SM4 algorithms.

Condition: None.


201510300500

Symptom: Packets are out of order if flow-based forwarding is enabled.

Condition: This symptom might occur if flow-based forwarding is enabled.

201510220351

Symptom: The IMSIs of some China Telecom 3G SIM cards cannot be correctly identified.

Condition: This symptom might occur if the Vodafone IMSIs are stored as the 3GPP IMSIs of the SIM cards.

49

201509300412

Symptom: The peer drops the ARP packets sent by the router if the ARP packets carry 802.1Q VLAN tags with the CFI bit set to 1.

Condition: This symptom might occur if the ARP packets carry 802.1Q VLAN tags with the CFI bit set to 1.

201509240177

Symptom: The router reboots unexpectedly if an HMIM-CNDE module is removed by using the remove command during the IPsec packet forwarding process.

Condition: This symptom might occur if an HMIM-CNDE module is removed by using the remove command during the IPsec packet forwarding process.

201510260569

Symptom: If port isolation is configured on both a Layer 2 aggregate interface and its member ports, the configuration fails on the aggregate interface or its member ports. Removal of the port isolation configuration also fails.

Condition: This symptom might occur if port isolation is configured on a Layer 2 aggregate interface and its member ports.

201509240346

Symptom: Channel configuration on radio interfaces is lost after a reboot.

Condition: None.

201509300064

Symptom: The traffic statistics for 3G/4G serial and Eth-channel interfaces are 0 in the MIB.

Condition: None.

201510300208

Symptom: The router cannot communicate with the peer if the router acts as the LNS to set up an L2TP tunnel to the peer by using a SIC-4FSW module.

Condition: This symptom might occur if the router acts as the LNS to set up an L2TP tunnel to the peer by using a SIC-4FSW module.

201511110304

Symptom: The router reboots unexpectedly if VLAN interfaces are created or deleted during the traffic forwarding process.

Condition: This symptom might occur if VLAN interfaces are created or deleted during the traffic forwarding process.

201508290046

Symptom: The CPU usage of the router rises if the router acts as a Telnet server and Telnet login to the router is aborted abnormally.

Condition: This symptom might occur if the router acts as a Telnet server and Telnet login to the router is aborted abnormally.

201509290092

Symptom: Telnet login with remote TACACS/RADIUS authentication fails.

Condition: This symptom might occur if Telnet login with remote TACACS/RADIUS authentication is performed.

201505130349

Symptom: Static NAT444 traffic does not trigger NAT444 user logging.

50

Condition: None.

201507070217

Symptom: ACL mismatches occur if a connection limit policy is applied to DS-Lite tunnels.

Condition: This symptom might occur if a connection limit policy is applied to DS-Lite tunnels.

201510200471

Symptom: The routing, multicast, authentication, and voice modules stop working, and incorrect information is displayed for the TRAP, NetStream, and DHCP modules.

Condition: This symptom might occur if the router has been running for more than seven months (214 days).

201508260173

Symptom: The time range status is incorrect if NTP is used.

Condition: This symptom might occur if NTP is used.

201510140128

Symptom: DDNS dynamic domain name update fails if the DDNS password contains forward slashes (/).

Condition: This symptom might occur if the DDNS password contains forward slashes (/).

201509160563

Symptom: The router reboots unexpectedly if the router acts as a PPPoE server and PPPoE users repeatedly come online and go offline.

Condition: This symptom might occur if the router acts as a PPPoE server and PPPoE users repeatedly come online and go offline.

201401100267

Symptom: PPP IPCP negotiation fails when a PPPoE client initiates a connection request to the router, and the VA interface goes up and comes down constantly.

Condition: This symptom might occur if NAT is performed for the PPPoE client, and IP address negotiation is enabled on the dialer interface.

201509170256

Symptom: Information about the last login is not displayed for a user that passes authentication.

Condition: None.

201507160359


Condition: If a DTLS peer receives application data between the ChangeCipherSpec and Finished messages. May result in a segmentation fault or potentially, memory corruption.

Symptom:CVE-2015-1788

Condition: When processing an ECParameters structure OpenSSL enters an infinite loop. This can be used to perform denial of service against any system which processes public keys, certificate requests or certificates.


Condition: X509_cmp_time does not properly check the length of the ASN1_TIME string and/or accepts an arbitrary number of fractional seconds in the time string. An attacker can use this to craft malformed certificates and CRLs of various sizes and potentially cause a segmentation fault, resulting in a DoS on applications that verify certificates or CRLs.


51

Condition: The PKCS#7 parsing code does not handle missing inner EncryptedContent correctly. An attacker can craft malformed PKCS#7 blobs with missing content and trigger a NULL pointer dereference on parsing.


Condition: If a NewSessionTicket is received by a multi-threaded client when attempting to reuse a previous ticket then a race condition can occur potentially leading to a double free of the ticket data.


Condition: When verifying a signedData message the CMS code can enter an infinite loop. This can be used to perform denial of service against any system which verifies signedData messages using the CMS code.

201510130373

Symptom: SIP calls cannot be placed if the router receives INVITE requests with no SDP information.

Condition: This symptom might occur if the router receives INVITE requests with no SDP information.

201507200041

Symptom: The router sends a SIP response message that contains an incorrect call release cause code if the router receives an INVITE request with SDP information that contains the video capability.

Condition: This symptom might occur if the router receives an INVITE request with SDP information that contains the video capability.

201508100249

Symptom: The display voice sip call command outputs nothing if an MSR4000 router is a single-chassis IRF fabric and uses the chassis number 2.

Condition: This symptom might occur if an MSR4000 router is a single-chassis IRF fabric and uses the chassis number 2.

201508190420

Symptom: Memory leaks occur if the voice card is rebooted at the CLI when the CPU usage is 100%.

Condition: This symptom might occur if the voice card is rebooted at the CLI when the CPU usage is 100%.

201510270033

Symptom: Upgrading the standby MPU of the MSR4000 router fails.

Condition: This symptom might occur if the active MPU only has an .ipe startup image file, and

the boot-loader command specifies the .ipe file for upgrading the standby MPU.

Resolved problems in CMW710-R0305

201509070388

Symptom: A fiber port cannot come up if a 100-Mbps optical transceiver module is installed in the port and the speed 100 command is executed on the port.

Condition: This symptom might occur if a 100-Mbps optical transceiver module is installed in the port and the speed 100 command is executed on the port.

52

201504130290

Symptom: Fax transmission fails if fax pass-through by using the G.711alaw or G711ulaw codec is used for DIS signal transmission.

Condition: This symptom might occur if fax pass-through by using the G.711alaw or G711ulaw codec is used for DIS signal transmission.

201509240046

Symptom: Some interfaces on the HMIM-8E1T1-F module cannot come up if the module is produced on 11 August 2015 or after that date.

Condition: This symptom might occur if the HMIM-8E1T1-F module is produced on 11 August 2015 or after that date.

201508040165

Symptom: Some transactions of POS terminals fail if TCP FIN packets contain transaction data.

Condition: This symptom might occur if TCP FIN packets contain transaction data.

201507150251

Symptom: Layer 3 aggregate interfaces cannot be created by using IMC.

Condition: This symptom might occur if IMC is used to create Layer 3 aggregate interfaces.

201508290021

Symptom: The CPU usage is high if the TCP maximum segment size is set to 1400 bytes.

Condition: This symptom might occur if the following operations have been performed:

a. Use the tcp mss command to set the TCP maximum segment size to 1400 bytes.

b. Save the configuration and reboot the router.

201508250213

Symptom: The delay in the result of the NQA ICMP jitter operation is much larger than the delay in the ping operation result.

Condition: This symptom might occur if the NQA ICMP jitter operation is performed.

201509140123

Symptom: The router cannot communicate with a Cisco device through the HDLC link between them.

Condition: This symptom might occur if the ip address slarp interval 1 command is executed on the Cisco device.

201508270343

Symptom: Tracert returns the destination IP address as the first hop if it is used on an L2TP over IPsec tunnel.

Condition: This symptom might occur if tracert is used on an L2TP over IPsec tunnel.

201510130060

Symptom: The signature algorithm does not support HMAC-SHA256 when a certificate request is made in non-FIPS mode.

Condition: This symptom might occur if the certificate request is made in non-FIPS mode.

201510200471

Symptom: The OSPF LSAs on the router do not age out. As a result, peers cannot learn routes from the router.

53

Condition: This symptom might occur if OSPF is enabled on the router, and the router has been operating for more than 210 days.

201507140154

Symptom: The router can be successfully logged in to by using a public key through SSH1, but RSA fails to encrypt the public key.

Condition: This symptom might occur if a public key and SSH are used to log in to the router.

201508280355

Symptom: The HDLC process does not respond if the display interface serial command is executed when the router receives ADDR_REQ packets.

Condition: This symptom might occur if the display interface serial command is executed when the router receives ADDR_REQ packets.

201509220038

Symptom: The router fails TACACS authentication for an incorrect password or invalid shared key if the TACACS server uses ACS V5.6 or later versions.

Condition: This symptom might occur if the TACACS server uses ACS V5.6 or later versions.


201507250134

Symptom: The router can be successfully logged in to by using an incorrect password.

Condition: This symptom might occur if remote TACACS authentication and NETCONF are used to log in to the router.

201508030326

Symptom: An interface goes down and the router reboots unexpectedly if PPPoE sessions are established on a large number of subinterfaces on the interface.

Condition: This symptom might occur if PPPoE sessions are established on a large number of subinterfaces on the interface.

201508030334

Symptom: The secondary RADIUS authentication/authorization server cannot be reconfigured if it has been deleted.

Condition: This symptom might occur if the secondary RADIUS authentication/authorization server is deleted and then reconfigured.

201506190329

Symptom: An interface on an HMIM-8GSWF module cannot communicate with the directly connected peer.

Condition: This symptom might occur if the port security mode of the interface is set to autoLearn, and the HMIM module is rebooted.

201507300171

Symptom: The router reboots unexpectedly if the RADIUS server sends a DM request to log off a user by session ID.

Condition: This symptom might occur if the RADIUS server sends a DM request to log off a user by session ID.

201505200410

Symptom: Matching packets are not assigned to the RTP queue.

54

Condition: This symptom might occur if the UDP port number of the packets is an odd number before byte order reversing.

201508030336

Symptom: The router reboots unexpectedly if the IPsec tunnels on the router have been forwarding traffic for a long period of time.

Condition: This symptom might occur if the IPsec tunnels on the router have been forwarding traffic for a long period of time.

201507270023

Symptom: The router chooses a dynamic address pool over a static address pool when the router processes DHCP INFORM packets sent by a client that uses an IP address in the static address pool.

Condition: This symptom might occur if the dynamic address pool contains all IP addresses of the static address pool.

201508120238

Symptom: When the router acts as a DHCP server, DHCP clients obtain IP addresses after a long delay.

Condition: This symptom might occur if the DHCP clients have errors and are moved from another network.

201508030441

Symptom: Routes configured by using the ppp ip-pool route command are lost after an IRF master/subordinate switchover.

Condition: This symptom might occur if an IRF master/subordinate switchover occurs.

201507160240

Symptom: IMC cannot display the rules of ACLs.

Condition: None.

201508130129

Symptom: The router does not prompt for LDP session reset after the LSR ID is modified, and then MPLS has status or forwarding errors.

Condition: This symptom might occur if the mpls lsr-id command is used to modify the LSR ID.

201508110265

Symptom: The FTP user is logged off after FTP finishes transferring files to the storage medium of the standby MPU.

Condition: This symptom might occur if FTP is used to transfer large files to the storage medium of the standby MPU.

201508110026

Symptom: The router reboots unexpectedly if the IPsec over L2TP tunnels on the router have been forwarding traffic for a long period of time.

Condition: This symptom might occur if the IPsec over L2TP tunnels on the router have been forwarding traffic for a long period of time.

201504210203

Symptom: A centralized IRF member router halts during reboot after its operating mode is changed from IRF to standalone.

Condition: This symptom might occur if the following operations have been performed on the router:

55

a. Save the configuration.

b. Shut down the IRF physical interfaces.

c. Change the operation mode from IRF to standalone after the IRF fabric splits.

201507090504

Symptom: When a PoE profile is configured, the router warns that the maximum PI power specified by using the poe max-power command is invalid even if the value is in the valid power range.

Condition: None.

201508120439

Symptom: The router reboots unexpectedly if the router is deleted from IMC.


The router connects to IMC through a tunnel and passes portal authentication.

The router is deleted from IMC after portal authentication.

201508050381

Symptom: MAC address check on a DHCP relay agent does not take effect after DHCP is disabled.

Condition: This symptom might occur if DHCP is disabled.

201507130082

Symptom: The router reboots unexpectedly if the HMIM-2/4/8GE module is repeatedly rebooted when the module receives traffic.

Condition: This symptom might occur if the HMIM-2/4/8GE module is repeatedly rebooted when the module receives traffic.

201508180093

Symptom: Two terminals in the same 3G or 4G network cannot communicate with each other.

Condition: This symptom might occur if the terminals are assigned the same network segment but different subnet masks.

201508240276

Symptom: The router does not display the legal banner before authentication when an SSH user logs in to the router.

Condition: None.

201508240106

Symptom: Some interfaces on the HMIM-2/4/8E1T1-F module cannot come up.

Condition: None.

201507300132

Symptom: Though the fixed Ethernet interfaces of the MSR2004 router are up, they cannot receive packets.

Condition: This symptom occurs after the MSR2004 router has been operating for a certain period of time.

201507240120

Symptom: Very rarely, the fixed GE0/1 or GE0/2 of MSR2004 router can't UP, and the interface can't receive and send the packets (this occurs in a very small percentage of BCM5221 chips).

Condition: None.

56

201508060025

Symptom: The settings of MP-group interfaces are incompatible after an MSR router is upgraded to E0302P06 or a later version.

Condition: This symptom occurs if an MSR router is upgraded to E0302P06 or a later version.

201507080421

Symptom: The display qos policy interface command outputs incorrect statistics.

Condition: This symptom might occur if MPLS forwarding, PPP IP header compression, and QoS CBQ are enabled on PPP interfaces of the router.

201506050279

Symptom: A POS transaction fails if it has multiple interaction messages.


POS terminal access is enabled on the router.

The background process of POS transactions requires that the messages of a transaction must have the same source TPDU.

201506030302

Symptom: Memory leakage occurs when the router is sending NetStream data packets.

Condition: This symptom might occur if NetStream is enabled on the router.

201507200403

Symptom: In the RADIUS packets that the router sends, '\000' is incorrectly added to the NAS-ID attribute.

Condition: This symptom might occur if RADIUS authentication is configured on the router.


201501200401

Symptom: RBAC cannot control access to the content filtering feature.

Condition: None.

201503020376

Symptom: Packets are dropped after a BGP GR process is completed.

Condition: This symptom occurs if both BFD and GR are enabled for BGP.

201507170124

Symptom: The MPLS ILM entry is not updated after the traffic processing unit is changed for an outgoing interface.

Condition: This symptom occurs if the traffic processing unit is changed for an outgoing interface.

201504190023

Symptom: The BGP process on the PE is stuck.


There is a large number of routes and many types of traffic.

The PE runs for a long time.

57

201507020251

Symptom: A PW is re-created after the L2VPN process is re-optimized by using the placement reoptimize command.

Condition: This symptom occurs if split horizon is enabled for the PW.

201506300136

Symptom: An interface on the SIC-4GSW card cannot ping the directly connected interface on the same subnet after the interface is changed to a Layer 3 interface.


a. Enable port security globally.

b. Configure port security on the interface operating as a Layer 2 interface.

c. Change the interface to a Layer 3 interface.

201505290258

Symptom: Subinterfaces cannot be created or deleted when there are more than 4000 subinterfaces on the router.


a. Perform an active/standby switchover.

b. Restart the standby MPU.

c. Change a main interface between Layer 2 mode and Layer 3 mode.

d. Bring up and shut down the main interface.

201507170043

Symptom: A router in an MPLS network reboots unexpectedly.

Condition: This symptom occurs if the public interface of the router goes down and comes up repeatedly.

201507030323

Symptom: Memory leaks.

Condition: This symptom occurs if NETCONF is used to download files for the FileSystem node.

201506190348

Symptom: The xmlcfgd process crashes.

Condition: This symptom occurs if the xmlcfgd process is accessed through XML when there is no Envelope namespace.

201506190151

Symptom: The router does not preferentially use static address allocation when receiving a DHCP-INFORM message from a client.


The client is bound to an IP address in a DHCP address pool.

Another DHCP address pool includes the IP address bound to the client.

201506100354

Symptom: The router configured with WAAS sends a receiving buffer size different from the set value to the peer device.

Condition: This symptom occurs if the receiving buffer size is modified.

58

201507020391

Symptom: The TTL of a static blacklist entry is different from the actual aging time.

Condition: This symptom occurs if the static blacklist entry is added after a master/subordinate switchover in an IRF fabric.

201505150461

Symptom: An interface cannot forward packets when it is up.

Condition: This symptom occurs if a large number of portal users come online and go offline through the interface.

201506100261

Symptom: ARP reply packets are forwarded through the trusted interface even if there is a match in the MAC address table.

Condition: This symptom occurs when ARP restricted forwarding is enabled.

201506120046

Symptom: The ToS bits in the outer IP header are not set to the same as the ToS bits in the inner header after IP packets are encapsulated with MPLS L3VPN or GRE.

Condition: This symptom occurs if IP packets are encapsulated with MPLS L3VPN or GRE.

201506230020

Symptom: A POS interface cannot forward packets that are greater than 2048 bytes.

Condition: None.

201504270304

Symptom: Only up to 256 ports can be specified in one nat server command.

Condition: None.

201503110416

Symptom: Assertion information is displayed and accounting stops when a user comes online.

Condition: This symptom occurs if the accounting quota-out redirect-url command is configured.

201411190412

Symptom: The tunnel source cannot return Packet Too Big messages for packets tunneled through an IPv6 over IPv4 tunnel.

Condition: This symptom occurs when fragmentation check is enabled for packets to be tunneled.

201503090076

Symptom: IPv4 addresses must be configured on the AFTR of a DS-Lite tunnel.

Condition: This symptom occurs when the AFTR of a DS-Lite tunnel is configured.

201507070230

Symptom: The router establishes calls slowly when using R2 signaling.

Condition: This symptom occurs if R2 signaling is used.

201505200402

Symptom: Too much log information is displayed after RTP packets are interrupted.

Condition: This symptom occurs if the network link fails after a call is established.

59

201505290049

Symptom: The hh3cTransceiver node does not return new information for a different transceiver module type.


a. Replace a transceiver module.

b. Walk the hh3cTransceiver node by using a MIB browser.

201506250411


Condition: cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use NTLM connections, which allows remote attackers to connect as other users via an unauthenticated request.


Condition: cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as other users via a request.

201411190504

Symptom: The number of packets in the ADVPN session statistics is a negative value.

Condition: This symptom occurs if the router forwards traffic for a long time.

201504140088

Symptoms: CVE-2015-0209

Condition: A malformed EC private key file consumed via the d2i_ECPrivateKey function could cause a use after free condition. This could lead to a DoS attack or memory corruption for applications that receive EC private keys from untrusted sources.


Condition: DoS vulnerability in certificate verification operation. Any application which performs certificate verification is vulnerable including OpenSSL clients and servers which enable client authentication.


Condition: Reusing a structure in ASN.1 parsing may allow an attacker to cause memory corruption via an invalid write. Applications that parse structures containing CHOICE or ANY DEFINED BY components may be affected.

Symptoms:CVE-2015-0288

Condition: The function X509_to_X509_REQ will crash with a NULL pointer dereference if the certificate key is invalid.


Condition: The PKCS#7 parsing code does not handle missing outer ContentInfo correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with missing content and trigger a NULL pointer dereference on parsing.


Condition: A vulnerability existed in previous versions of OpenSSL related to the processing of base64 encoded data.


Condition: A malicious client can trigger an OPENSSL_assert in servers that both support SSLv2 and enable export cipher suites by sending a specially crafted SSLv2 CLIENT-MASTER-KEY message.

60

201505250363

Symptom: Services are interrupted for about 50 minutes after the router runs for a long time with traffic load.

Condition: This symptom might occur if the DH-Group2 algorithm is used in an IPsec VPN environment.

201507200433

Symptom: An interface on an MSR2004 router is up, but does not receive packets.


The router runs for a long time with traffic load.

The interface is configured with multiple features.

201506240472

Symptom: Of multiple EVI tunnels, only one tunnel can forward traffic.


The EVI tunnels have the same source IP address and the same destination IP address.

Each EVI tunnel is used for a different VLAN.

201506030356

Symptom: The feature images are not selected from the storage medium where the current boot and system images reside.

Condition: This symptom occurs if the router has multiple storage media.

201506230200

Symptom: The WAAS optimization effect is bad in per-flow load sharing mode.

Condition: None.

201507070433

Symptom: The peer port is up when the local fiber port is down.

Condition: This symptom occurs after the fiber port is changed from Layer 2 mode to Layer 3 mode.

201506250378

Symptom: An MSR3024 or MSR3044 router cannot forward 65-byte packets at wire speed when fast forwarding is enabled.

Condition: This symptom occurs if fast forwarding is enabled.

201506020161

Symptom: BGP neighbors flap after the IRF fabric is restarted.

Condition: This symptom occurs if a large number of BGP neighbors are established dynamically.

201507270061

Symptom: An aggregate interface with two or more member ports cannot ping the directly connected interface.

Condition: This symptom occurs after the aggregate interface is changed between Layer 2 mode and Layer 3 mode more than 20 times.

201507090496

Symptom: The ARP packets of one VLAN interface are sent out of a member port of another VLAN interface.

61

Condition: This symptom occurs if more than two VLANs exist and their VLAN interfaces are assigned IP addresses.

201504230195

Symptom: On an IRF fabric, assertion information is displayed and subordinate routers reboot when the IPv4 device is pinged from the IPv6 side.

Condition: This symptom occurs if the traffic processing unit for the AFT traffic of a VLAN interface is not on the same forwarding card as the member interfaces of the VLAN interface.

201506090049

Symptom: The FCM card behaves unexpectedly.

Condition: This symptom occurs if FCM subinterfaces are deleted through MIB.

201507070310

Symptom: The link layer protocol of a DTE interface goes down.

Condition: This symptom occurs if the clock selection mode is set to autonegotiation for the DTE interface.

201507010073

Symptom: The router reboots repeatedly after traffic statistics are cleared.


a. Perform an active/standby switchover for HDLC interfaces that forward Layer 3 IP traffic.

b. Configure NetStream.

c. Enable the application statistics feature by using the application statistics enable command.

201411030517

Symptom: Web redirection fails for a PPPoE user.

Condition: This symptom occurs if Web redirection parameters are assigned through RADIUS.

201503110069

Symptom: The VLAN ID sent to the RADIUS server is incorrect.

Condition: This symptom occurs if a QinQ PPPoE user comes online.

201503090276

Symptom: Users of a domain cannot be displayed or forcibly logged out.

Condition: This symptom occurs if the users come online without domain information.

201503110472

Symptom: Redirection fails after a PPPoE client issues a redirection attribute.

Condition: This symptom occurs if a PPPoE client issues a redirection attribute.

201503110566

Symptom: The redirection attribute issued through a COA message does not take effect.

Condition: This symptom occurs if the redirection attribute is issued through a COA message.

201507150201

Symptom: Assertion information appears when the pppoesd process is restarted on the L2TP LNS.

Condition: This symptom occurs if a user comes online in NAS-initiated tunneling mode.

62

201505190435

Symptom: Some BGP peers go down and come up after the router is rebooted.


The router is in an IRF fabric or is a distributed router in standalone mode.

The router has a large number of BGP peers.

201507200270

Symptom: An MSR1000 router reboots repeatedly.


a. Install a SIC-4SAE card into the router.

b. Send bidirectional traffic between the router and its peer device.


201505200131

Symptom: Voice services are interrupted during long calls.

Condition: This symptom might occur if E&M non-signaling mode and PCM pass-through are enabled.

201506290040

Symptom: On a single-MPU router, the fan speed does not increase when the CPU temperature keeps rising.

Condition: This symptom might occur if the router starts in high-temperature environments.

201505250288

Symptom: NQA TCP operations fail after the router runs for a period of time.

Condition: This symptom might occur if one of following conditions exists:

The interval between NQA probes is shorter than 10 milliseconds.

NQA operations are frequently performed over a long period of time.

201504230250

Symptom: The router displays garbled bandwidth usage-based load-sharing information for an aggregate interface.

Condition: This symptom might occur if bandwidth usage-based load-sharing is enabled on the aggregate interface.

201505250277

Symptom: OpenFlow cannot correctly send ARP packets to the SDN controller.


a. Save the running configuration and reboot the router.

b. Restore OpenFlow configuration by using an .mdb binary file.

201505150431

Symptom: 802.1X authentication fails.

Condition: This symptom might occur if the server issues VLAN IDs, but the length of the Tunnel-Private-Group-id attribute is not 6 bytes in RADIUS packets sent by the server.

63

201504230250

Symptom: Traffic forwarding is interrupted on the router.

Condition: This symptom might occur if portal users repeatedly come online and go offline over a long period of time when the router is forwarding traffic.

201506120253

Symptom: When the display qos policy interface command is executed for a VT interface configured with QoS policies, nothing is displayed or the console halts.

Condition: This symptom might occur if QoS policies are configured on the VT interface, and more than 2000 online PPPoE users exist on the interface.

201505140232

Symptom: An SD or CF card on the router is not accessible.

Condition: This symptom might occur if the SD or CF card stores more than 15000 files.

201505180304

Symptom: An IRF member router halts after a reboot if it is switched from the IRF mode to the standalone mode.

Condition: This symptom might occur if the following operations have been performed on the router:

a. Save the running configuration.

b. Shut down the IRF physical interfaces.

c. Switch the router to the standalone mode after the IRF fabric splits, and then reboot the router.

201505250207

Symptom: SIP source interface bindings do not take effect after the router reboots.


a. Configure SIP source interface bindings.

b. Save the running configuration and reboot the router.

201506230030

Symptom: When one of the E1 links on the router goes down, fast forwarding entries update slowly, and forwarding services are affected.


Multiple equal-cost E1 links are configured on the router.

PPP IP header compression is enabled on the serial interfaces for the E1 links.

The router is forwarding multiple data flows.

201506080129(CVE-2015-5434)

Symptoms: When an interface without MPLS enabled receives MPLS-labeled packets, the interface incorrectly forwards the MPLS-labeled packets to the next LSR by LFIB entry.

Condition: This symptom occurs when the interface does not have MPLS enabled and the interface receives MPLS-labeled packet that match the FIB entries.

Resolved problems in CMW710-R0304

201504210231


64

Condition: Authentication doesn't protect symmetric associations against DoS attacks.

201504230275

Symptom: A router replies with a re-INVITE message with the Referred-By header field after receiving a REFER request without the Referred-By header field from a Lync server.

Condition: This symptom occurs when a Lync server sends a REFER request without the Referred-By header field to the router.

201504230289

Symptom: A called phone rings once before going on-hook.


The calling router and called router use different codecs.

The called router connects to the called phone through a VE interface.

201505110326

Symptom: NATed packets fail to be forwarded after the original route becomes unavailable.

Condition: This symptom might occur if the interface used as the backup outgoing interface is not configured with NAT.

201505150401

Symptom: A router configured with IPsec fails to be authenticated by a Comware-V5-based peer device.

Condition: This symptom might occur if the router is configured with an IKE-based IPsec policy and the PFS feature is enabled for the IPsec policy.

Resolved problems in CMW710-E0302P06

201411280347

Symptom: When the MTU of a physical interface is configured greater than 1500 bytes, the interface still uses 1492 as the MTU.

Condition: This symptom occurs when the MTU of the physical interface bound to PPPoE is not 1500.

Workaround: For TPC application, modify the TCP MSS on the dialer or VT interface to avoid improper packet fragmentation.

201502020298

Symptom: On an IRF fabric formed by MSR4000 routers and configured with multichassis Layer 3 aggregation, after a master/subordinate switchover, all users that log in through Selected interfaces on the rebooted router are logged out.

Condition: This symptom occurs when the IRF fabric formed by MSR4000 routers acts as the PPPoE server and the multichassis Layer 3 aggregate interface is used to respond to PPPoE login request.

Workaround: None.

201502100609

Symptom: In an FR L2VPN with one end as an FR network and the other end as an Ethernet link, CEs cannot communicate.

Condition: This symptom occurs when one end of the FR L2VPN is an FR network and the other end is an Ethernet link.

Workaround: None.

65

201501290181

Symptom: When a L2VPN cross-connect is bound to a Layer 3 aggregate interface, receiving LACPDUs times out, and the aggregation group member ports flap frequently.

Condition: This symptom occurs when the L2VPN cross-connect is bound to a Layer 3 aggregate interface.

Workaround: None.

201501080118

Symptom: The VAM process reboots repeatedly.

Condition: This symptom occurs when the hub device also acts as the VAM server.

Workaround: Use a separate device as the VAM server.

201411140486

Symptom: Ping packets are lost on an eight-wire G.SHDSL.BIS EFM interface of the MSR router after the interface is shut down and then brought up.

Condition: This symptom might occur if the EFM interface is connected to a Cisco device.

201502150313

Symptom: Packet loss occurs on an interface that is configured with both policy nesting and CBQ.

Condition: This symptom might occur if the interface has been forwarding traffic at near wire rate for a long time.

201502030476

Symptom: The MSR router forwards some packets out of their incoming interface after an active/standby link switchover.

Condition: This symptom might occur if the active/standby link switchover occurs when the router is forwarding a large amount of traffic.

201502270045

Symptom: The serial communication protocol goes down and LCP packets are lost on a serial interface when it is processing bidirectional traffic during the T1 delay test.

Condition: This symptom might occur if the qos qmtoken 1 command is executed on the interface.

201503090250

Symptom: The MSR router does not update the media channel after it receives a re-INVITE message with only the c field updated.

Condition: This symptom might occur if the MSR router receives a re-INVITE message with only the c field updated.

201503160098

Symptom: CAR does not support the bandwidth percentage method.

Condition: This symptom might occur if CAR is configured by using the bandwidth percentage method.

201407180184

Symptom: A local PBR policy does not take effect when no other services are configured.

Condition: This symptom might occur if only a local PBR policy is configured on the router.

66

Resolved problems in CMW710-E0102

RTV7D000933

Symptom: The fragments can’t be filtered by ACL.

Condition: The fragments can’t be filtered by ACL when using fragment in the rule.

RTV7D000932

Symptom: The statuses of the router in the VRRP group are both Master when using MD5 authentication mode.

Condition: Using MD5 authentication mode.

Resolved problems in CMW710-E0006P02

CM13040119

Symptom: The devices testing failed for manufacture.

Condition: Test for manufacturing devices.

Support and other resources

Accessing Hewlett Packard Enterprise Support

For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website:

www.hpe.com/assistance

To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website:

www.hpe.com/support/hpesc

Information to collect:

Technical support registration number (if applicable).

Product name, model or version, and serial number.

Operating system name and version.

Firmware version.

Error messages.

Product-specific reports and logs.

Add-on products or components.

Third-party products or components.

Documents

To find related documents, see the Hewlett Packard Enterprise Support Center website at http://www.hpe.com/support/hpesc.

Enter your product name or number and click Go. If necessary, select your product from the resulting list.

For a complete list of acronyms and their definitions, see HPE FlexNetwork technology acronyms.

http://www.hpe.com/assistance

http://www.hpe.com/support/hpesc

http://www.hpe.com/support/hpesc

67

Related documents

The following documents provide related information:

HPE FlexNetwork MSR2000 Routers Installation Guide



HPE FlexNetwork MSR2000 Routers Quick Start



HPE FlexNetwork MSR Router Series Interface Module Guide

HPE FlexNetwork MSR2000/3000/4000 Routers Compliance and Safety Manual

About the HPE FlexNetwork MSR Router Series Command References(V7)

HPE FlexNetwork MSR Router Series ACL and QoS Command Reference(V7)

HPE FlexNetwork MSR Router Series EVI Command Reference(V7)

HPE FlexNetwork MSR Router Series Fundamentals Command Reference(V7)

HPE FlexNetwork MSR Router Series High Availability Command Reference(V7)

HPE FlexNetwork MSR Router Series Interface Command Reference(V7)

HPE FlexNetwork MSR Router Series IP Multicast Command Reference(V7)

HPE FlexNetwork MSR Router Series Layer 2 - LAN Switching Command Reference(V7)

HPE FlexNetwork MSR Router Series Layer 2 - WAN Access Command Reference(V7)

HPE FlexNetwork MSR Router Series Layer 3 - IP Routing Command Reference(V7)

HPE FlexNetwork MSR Router Series Layer 3 - IP Services Command Reference(V7)

HPE FlexNetwork MSR Router Series MPLS Command Reference(V7)

HPE FlexNetwork MSR Router Series NEMO Command Reference(V7)

HPE FlexNetwork MSR Router Series Network Management and Monitoring Command Reference(V7)

HPE FlexNetwork MSR Router Series OAA Command Reference(V7)

HPE FlexNetwork MSR Router Series OpenFlow Command Reference(V7)

HPE FlexNetwork MSR Router Series Probe Command Reference(V7)

HPE FlexNetwork MSR Router Series Security Command Reference(V7)

HPE FlexNetwork MSR Router Series Virtual Technologies Command Reference(V7)

HPE FlexNetwork MSR Router Series Voice Command Reference(V7)

HPE FlexNetwork MSR Router Series WLAN Command Reference(V7)

About the HPE FlexNetwork MSR Router Series Configuration Guides(V7)

HPE FlexNetwork MSR Router Series ACL and QoS Configuration Guide(V7)

HPE FlexNetwork MSR Router Series EVI Configuration Guide(V7)

HPE FlexNetwork MSR Router Series Fundamentals Configuration Guide(V7)

HPE FlexNetwork MSR Router Series High Availability Configuration Guide(V7)

HPE FlexNetwork MSR Router Series Interface Configuration Guide(V7)

HPE FlexNetwork MSR Router Series IP Multicast Configuration Guide(V7)

HPE FlexNetwork MSR Router Series Layer 2 - LAN Switching Configuration Guide(V7)

HPE FlexNetwork MSR Router Series Layer 2 - WAN Access Configuration Guide(V7)

68

HPE FlexNetwork MSR Router Series Layer 3 - IP Routing Configuration Guide(V7)

HPE FlexNetwork MSR Router Series Layer 3 - IP Services Configuration Guide(V7)

HPE FlexNetwork MSR Router Series MPLS Configuration Guide(V7)

HPE FlexNetwork MSR Router Series NEMO Configuration Guide(V7)

HPE FlexNetwork MSR Router Series Network Management and Monitoring Configuration Guide(V7)

HPE FlexNetwork MSR Router Series OAA Configuration Guide(V7)

HPE FlexNetwork MSR Router Series OpenFlow Configuration Guide(V7)

HPE FlexNetwork MSR Router Series Probe Configuration Guide(V7)

HPE FlexNetwork MSR Router Series Security Configuration Guide(V7)

HPE FlexNetwork MSR Router Series Virtual Technologies Configuration Guide(V7)

HPE FlexNetwork MSR Router Series Voice Configuration Guide(V7)

HPE FlexNetwork MSR Router Series WLAN Configuration Guide(V7)

Documentation feedback

Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback ([email protected]). When submitting your feedback, include the document title, part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.

69

Appendix A Feature list

Hardware features

Table 5 MSR1000 specifications

Item MSR1002-4 MSR1003-8S

Console/AUX port 1 1

USB port 1 1

Gigabit Ethernet port 5 10

SFP port 1 N/A

Asynchronous/synchronous serial interface

1 N/A

Memory 512 MB DDR3 1 GB DDR3

Flash 256 MB 256 MB

SIC/DSIC slot 2 SIC slot (1 DSIC slot) 3 SIC slots (1 DSIC slot)

Dimensions (H × W × D)

(excluding rubber feet and mounting brackets)

44.2 × 360 × 300 mm (1.74 × 14.17 × 11.81 in)

44.2 × 360 × 300 mm (1.74 × 14.17 × 11.81 in)

AC power supply Rated voltage range: 90 VAC to 264 VAC @ 50 Hz/60 Hz

Rated voltage range: 90 VAC to 264 VAC @ 50 Hz/60 Hz

Rated power for AC power supply 30 W 30 W

Operating temperature 0°C to 45°C (32°F to 113°F) 0°C to 45°C (32°F to 113°F)

Relative humidity

(noncondensing) 5% to 90% 5% to 90%

Table 6 MSR2000/MSR2000 TAA specifications

Item MSR2003/MSR2003T

AA MSR2004-24 MSR2004-48

Console/AUX port 1 1 1

USB console port 1 - -

USB port 1 1 1

GE WAN port 2

GE LAN port - 3 3

SFP port - 1 -

Memory 1GB DDR3 1GB DDR3 1GB DDR3

Flash/CF 256MB Flash 256MB CF 256MB CF

SIC/DSIC slot

3 SIC slots

(Slots 1 and 2 can be used for a DSIC interface module by removing the slot divider.)

4 SIC slots 4 SIC slots

70

Dimensions (H × W × D)

(excluding rubber feet and mounting brackets)

360mm×305.3mm×44.2mm

440mm×363.5mm×44.2 440mm×403.5mm×44.2


DC power supply - - Rated voltage range:

-48V d.c.～-60V d.c

Maximum power for AC/DC power supply

54W 54W 150W

Operating temperature 0 ～ 45℃

Relative humidity

(noncondensing) 5% to 90%

Table 7 MSR3000/MSR3000 TAA specifications

Item MSR3012 MSR3024/MSR

3024 TAA MSR3044 MSR3064

CON/AUX ports 1

USB console ports 1

USB ports 2

Gigabit Ethernet ports 3

SIC/DSIC slots 2 SIC slots 4 SIC slots/2 DSIC slots

HMIM slots 1 2 4 6

VPM slots 1 1 2 2

Memory DDR3

1 GB/2 GB

DDR3

2 GB (default)

4 GB (maximum)

DDR3

2 GB (default)

4 GB (maximum)

CF card memory (inside)

256 MB (default)

CF card memory (outside)

- 4 GB (maximum)

CF card slot 0 1

Dimensions (H × W × D) (excluding rubber feet and mounting brackets)

44.2 × 440 × 484.3 mm

44.2 × 440 × 484.3 mm

88.1 × 440 × 480 mm

130.5 × 440 × 480 mm


DC power supply Rated voltage range: –48 VDC to –60 VDC

Maximum power for AC/DC power supply

125 W 125 W 300 W 300 W

Maximum power for PoE power supply

- 275 W 750 W 750 W

Maximum power for each PoE port

15.4 W

71

RPS power supply 800 W -

Power pluggable and buckup

- Dule power

Operating temperature 0°C to 45°C (32°F to 113°F)

Relative humidity

(noncondensing) 5% to 90%

Table 8 MSR4000 specifications

Item MSR4060 MSR4080

MPU slot 2

SPU slot 1

HMIM slot 6 8

Dimensions (H × W × D), excluding rubber feet and mounting brackets

175.1 × 440 × 480 mm 219.5 × 440 × 480 mm

Power pluggable and buckup

N+1 N+1

Operating temperature 0°C to 45°C (32°F to 113°F)

Operating humidity (noncondensing)

5% to 90%

Table 9 MSR4000/MSR4000 TAA MPU Specification

Item Specification

Console port 1

AUX port 1

GE management port 1

USB console port 1

USB port 1

Memory 2 GB DDR3 (default)

4 GB DDR3 (maximum)

CF card 512 MB (default)

4 GB (maximum)

CF card slot 1

Flash 8 MB

Table 10 MSR4000 SPU Specification

Item SPU-100 SPU-200&SPU-300

USB port 2

VPM slot 2

72

Combo 4

SFP+ port 0 1

Applicable router model MSR4060/MSR4080

Applicable MPU MPU-100

Table 11 MSR2004-24 AC power module specifications

Item Specification

Rated input voltage range 100 VAC to 240 VAC @ 50 Hz or 60 Hz

Rated power 150 W

Table 12 MSR2004-48 DC power module specifications

Item Specification

Rated input voltage range –48 VDC to –60 VDC

Rated power 150 W

Table 13 MSR3044/MSR3064/MSR4060/MSR4080 AC power module specifications

Item Specification

Model PSR300-12A1


Max power 300 W

Table 14 MSR3044/MSR3064/MSR4060/MSR4080 DC power module specifications

Item Specification

Model PSR300-12D2

Rated input voltage range –48 VDC to –60 VDC

Max power 300 W

Table 15 MSR3044/MSR3064/MSR4060/MSR4080 PoE power module specifications

Item Specification

Model PSR750-A


Max power 750 W

Table 16 MSR series routes Module List

Module Description

SIC Ethernet interface modules:

4-port 10/100 Mbps Ethernet L2 switching module (RJ45) (SIC-4FSW)

73

1-port 10/100 Mbps Ethernet electrical SIC interface module (RJ45) (SIC-1FEA)

1-port 100 Mbps Ethernet electrical SIC interface module-SIC-1FEF

4-port 10/100 Mbps Ethernet L2 switching module-PoE card(SIC-4FSW-POE)

1-port 10/100/1000BASE-T(RJ45) and 100BASE-FX/1000BASE-X(SFP,Combo)Ethernet SIC module(RT-SIC-1GEC-V2(JG738A))

4-port 10/100/1000BASE-T Ethernet L2 switching electrical SIC interface module(RT-SIC-4GSW(JG739A))

4-port 10/100/1000BASE-T Ethernet L2 switching electrical SIC interface module-PoE(RT-SIC-4GSWP(JG740A))

4-port 100BASE-FX/1000BASE-X(SFP) Ethernet L2/L3 SIC Module-RT-SIC-4GSWF

WAN interface modules:

1-port enhanced synchronous/asynchronous serial SIC interface module (SIC-1SAE)

1-port fractional E1 SIC interface module (SIC-1E1-F-V3)

1-port E1/CE1/PRI SIC interface module (SIC-1EPRI)

1-port analog modem SIC interface module (SIC-1AM)

8-port asynchronous serial interface card (SIC-8AS)

16-port asynchronous serial interface card (SIC-16AS)

1-port ISDN BRI S/T interface card (SIC-1BS)

2-port fractional E1 interface module (SIC-2E1-F)

3G access module ( RT-SIC-3G-HSPA)

CDMA 2000 1x RTT/1x EV-DO Rev.0/1x EV-DO Rev.A 3G access module ( RT-SIC-3G-CDMA)

1-port ADSL over POTS SIC interface module (SIC-1ADSL)

1 port E1/CE1/PRI SIC interface module(SIC-1EPRI-V3)

4G LTE Verizon SIC module(RT-SIC-4G-LTE-V(JG742A))

4G LTE AT&T SIC module(SIC-4G-LTE-A(JG743A))

4G LTE Global SIC module(RT-SIC-4G-LTE-G(JG744A))

2-port enhanced synchronous/asynchronous serial SIC interface module(RT-SIC-2SAE(JG736A))

4-port enhanced synchronous/asynchronous serial SIC interface module(RT-SIC-4SAE(JG737A))

HPE MSR 4GLTE SIC Mod for CDMA/WCDMA (JG742B)

HPE MSR 4G LTE SIC Mod for ATT (JG743B)

HPE MSR 4GLTE SIC Mod for Global (JG744B)

HPE MSR HSPA+/WCDMA SIC Module (JG929A)

Voice interface modules:

1-port voice module subscriber circuit SIC interface module (SIC-1FXS)

2-port voice module subscriber circuit SIC interface module (SIC-2FXS)

1-port voice module FXO SIC interface module (SIC-1FXO)

2-port voice module FXO SIC interface module (SIC-2FXO)

1-channel E1 voice SIC interface module (SIC-1VE1)

1-channel T1 voice SIC interface module (SIC-1VT1)

1-port ISDN BRI S/T voice interface card (SIC-1BSV)

2-port ISDN BRI S/T voice interface card (SIC-2BSV)

2-port voice subscriber circuit & 1-port voice AT0 analog trunk interface card-SIC-2FXS1FXO

1-port E1 / T1 Voice SIC Module(JH240A)

DSIC

9-port 10/100 Mbps Ethernet L2 switching module (RJ45) (DSIC-9FSW)

4-port voice subscriber circuit & 1-port voice AT0 analog trunk interface card (DSIC-4FXS1FXO)

9-port 10/100 Mbps Ethernet L2 switching module -PoE card (DSIC-9FSW-POE)

74

1-port 8-wire G.SHDSL (RJ45) DSIC Module

HMIM

Ethernet interface modules:

2-port 10M/100/1000M Ethernet electrical HMIM interface module (RJ45) (HMIM-2GEE)






24-port Gig-T Switch HMIM Module (HMIM-24GSW)

24-port Gig-T PoE Switch HMIM Module (HMIM-24GSW-POE)

8-port 10/100/1000BASE-T(RJ45)+2-port100BASE-FX/1000BASE-X(SFP,Combo) Ethernet L2 switching HMIM module(RT-HMIM-8GSW(JG741A))

8-port 100BASE-FX/1000BASE-X / 4-port 1000BASE-T (Combo) L2/L3 HMIM Module (JH238A)


2 port CE1/PRI interface module (HMIM-2E1)



4-port fractional E1 interface module (HMIM-4E1-F)

8-port fractional E1 interface module (HMIM-8E1-F)

2 port CT1/PRI interface module (HMIM-2T1)

8 port CT1/PRI interface module (HMIM-8T1)

4-port fractional T1 interface module HMIM-4T1-F)

8-port fractional T1 interface module HMIM-8T1-F)

1-port T3/CT3 compatible interface module (HMIM-1CT3)

1-port T3/CT3 compatible interface module (HMIM-1CE3)

2 channel enhanced synchronous/asynchronous interface module (HMIM-2SAE)



8 port asynchronous serial interface panel (RJ45) (HMIM-8ASE)

16 port asynchronous serial interface panel (RJ45) (HMIM-16ASE)

1-port OC-3 / STM-1 CPOS HMIM Module (HMM-1CPOS)

2-port OC-3 / STM-1 CPOS HMIM Module (HMIM-2CPOS)

1-port OC-3c / STM-1c ATM SFP HMIM Module (HMIM-ATMOC3)








16-port voice module subscriber circuit interface board(HMIM-16FXS)

1 channel E1 voice HMIM interface module (HMIM-1VE1)

2 channel E1 voice HMIM interface module (HMIM-2VE1)

1 channel T1 voice HMIM interface module (HMIM-1VT1)

2 channel T1 voice HMIM interface module (HMIM-2VT1)

4-port voice module subscriber circuit interface board (HMIM-4FXS)

4-port voice module FXO interface module (HMIM-4FXO)

75

4 channel voice processing board E&M trunk interface module (HMIM-4EM)

VPM

128-channel voice processing module (RT-VPM2-128)



HMIM Adapter

0.5U MIM to HMIM adapter (HMIM Adapter)

1U MIM to HMIM adapter (HMIM Adapter-H)

MIM(need to config the HMIM-Adapter)

Ethernet interface modules:

1-port 10M100M Ethernet electrical MIM interface module (RJ45) (MIM-1FE)

2-port 10M/100M Ethernet electrical MIM interface module (RJ45) (MIM-2FE)

4-port 10M/100M Ethernet electrical MIM interface module (RJ45) (MIM-4FE)

1-port 1000M Ethernet electrical MIM interface module (RJ45) (MIM-1GBE)

2-port 1000M Ethernet electrical MIM interface module (RJ45) (MIM-2GBE)

1-port 1000M Ethernet electrical MIM interface module (RJ45) (MIM-1GEF)

2-port 1000M Ethernet electrical MIM interface module (RJ45) (MIM-2GEF)


2 channel enhanced synchronous/asynchronous interface module (MIM-2SAE)



8 port asynchronous serial interface panel (RJ45) (MIM-8ASE)

16 port asynchronous serial interface panel (RJ45) (MIM-16ASE)

1 port CE1/PRI interface module (MIM-1E1)



8 port E1 interface module (75ohm) (MIM-8E1 (75))

1-port fractional E1 interface module (MIM-1E1-F)



8 port E1 interface module (75ohm) (MIM-8E1 (75)-F)

2 port CT1/PRI interface module (MIM-2T1)

8 port T1 interface module (MIM-8T1)

2-port fractional T1 interface module MIM-2T1-F)



1-port T3/CT3 compatible interface module (MIM-1CT3-V2)

1-port T3/CT3 compatible interface module (MIM-1CE3-V2)

1-port SDH/SONET interface module (MIM-1POS-V2)

1-port dual-pair G.SHDSL interface module (MIM-1SHL-4W)

HPE MSR OAP MIM Module with VMware vSphere (JG532A)


1 channel E1 voice MIM interface module (MIM-1VE1)

1 channel T1 voice MIM interface module (MIM-1VT1)

2 channel E1 voice MIM interface module (MIM-2VE1)

2 channel T1 voice MIM interface module (MIM-2VT1)

4-port voice module subscriber circuit interface board (MIM-4FXS)

2-port voice module FXO interface module (MIM-2FXO)

4-port voice module FXO interface module (MIM-4FXO)

8-port voice module FXS-FXO interface module (MIM-8FXS-8FXO)

4 channel voice processing board E&M trunk interface module (MIM-4EM)

76

4-port ISDN BRI S/T voice interface card (MIM-4BSV)

16-port voice module subscriber circuit interface board (MIM-16FXS)

Table 17 Sierra Modem Module and Host/card compatibility matrix

HPE description Product code Module name

HPE MSR 4G LTE SIC Mod for Verizon JG742A Sierra-MC7750

HPE MSR 4G LTE SIC Mod for ATT JG743A Sierra-MC7700

HPE MSR 4G LTE SIC Mod for Global JG744A Sierra-MC7710

CAUTION:

The support and restriction of modules on HPE FlexNetwork MSR Routers Interface Configuration Guide(V7), Appendix Purchase Guide.

Software features

Table 18 MSR Series routers software features

Category Features

LAN protocol:

ARP (proxy ARP, free ARP, authorization ARP)

Ethernet_II

Ethernet_SNAP

VLAN (PORT-BASED VLAN/MAC-BASED VLAN/VLAN-BASED PORT ISOLATE/ VOICE VLAN)

802.3x

LACP(802.3ad)

802.1p

802.1Q

802.1x

QinQ

RSTP(802.1w)

MSTP(802.1s)

GVRP

PORT MUTILCAST suppression

EVI

WAN protocols:

PPP

PPPoE Client

DCC, Dialer Watch

ISDN

Modem

3G Modem

FR

IP services

Fast forwarding (unicast/multicast)

TCP

UDP

77

IP Option

IP unnumber

Policy routing (unicast/multicast)

Non-IP services: Netstream

IP application

Ping and Trace

DHCP Server

DHCP Client

DNS client

DNS Static

NQA

IP Accounting

NTP

Telnet

TFTP Client

FTP Client

FTP Server

IP route

Static routing management

Dynamic routing protocols:

RIP

OSPF

BGP

IS-IS

Multicast routing protocols:

IGMP

PIM-DM

PIM-SM

MBGP

MSDP

Routing policy

MPLS

LDP

LSPM

MPLS TE

MPLS FW

MPLS/BGP VPN

VPLS

IPv6

IPv6 basic functions

IPv6 ND

IPv6 PMTU

IPv6 FIB

IPv6 ACL

IPv6 transition technologies

NAT-PT

IPv6 tunneling

6PE, 6VPE

IPv6 routing

IPv6 static routing management

Multicast routing protocols:

78

MLD

PIM-DM

PIM-SM

PIM-SSM

AAA

Local authentication

Radius

HWTacacs

LDAP

Firewall

ASPF

ACL

FILTER

Security

Port security

IPSec

PORTAL

L2TP

NAT/NAPT

PKI

RSA

SSH V1.5/2.0

URPF

GRE

Reliability

VRRP

Backup center

BFD

IRF

L2 QoS

LR

Flow-base QOS Policy

Port-Based Mirroring

Packet Remarking

Priority Mapping

Port Trust Mode

Port Priority

Flow Filter

FlowControl

ACL

Traffic supervision CAR (Committed Access Rate)

LR (Line Rate)

Congestion management

FIFO, PQ, CQ, WFQ, CBQ, RTPQ

Congestion avoidance

WRED/RED

Traffic shaping GTS (Generic Traffic Shaping)

Other QOS technologies

MPLS QOS

IPHC

Sub-interface QOS

79

Voice Interfaces

FXS

FXO

E&M

E1VI/T1VI

BSV

Voice Signaling R2

DSS1

SIP SIP

SIP Operation

Codec

G.711A law

G.711U law

G.723R53

G.723R63

G.729a

G.729R8

G.729bR8

Media Process RTP

Network management

SNMP V1/V2c/V3

MIB

SYSLOG

RMON

NETCONF

Local management

Command line management

License management

File system management

Auto-configure

Dual Image

User access management

Console interface login

AUX interface login

TTY interface login

Telnet (VTY) login

SSH login

FTP login

XMODEM

80

Appendix B Upgrading software This section describes how to upgrade system software while the router is operating normally or when the router cannot correctly start up.

Software types

The following software types are available:

Boot ROM image—A .bin file that comprises a basic section and an extended section. The basic section is the minimum code that bootstraps the system. The extended section enables hardware initialization and provides system management menus. You can use these menus to load application software and the startup configuration file or manage files when the device cannot correctly start up.

Comware image—Includes the following image subcategories:

Boot image—A .bin file that contains the Linux operating system kernel. It provides process management, memory management, file system management, and the emergency shell.

System image—A .bin file that contains the minimum feature modules required for device

operation and some basic features, including device management, interface management, configuration management, and routing. To have advanced features, you must purchase feature packages.

Feature package—Includes a set of advanced software features. Users purchase feature packages as needed.

Patch packages—Irregularly released packages for fixing bugs without rebooting the device. A patch package does not add new features or functions.

Comware software images that have been loaded are called "current software images." Comware images specified to load at the next startup are called "startup software images."

Boot ROM image, boot image, and system image are required for the system to work. These images might be released separately or as a whole in one .ipe package file. If an .ipe file is used, the system automatically decompresses the file, loads the .bin boot and system images and sets them as startup software images.

Upgrade methods

You can upgrade system software by using one of the following methods:

Upgrade method Remarks

Centralized devices upgrading from the CLI

You must reboot the router to complete the upgrade.

This method can interrupt ongoing network services.

Distributed devices upgrading from the CLI

You must reboot the router to complete the upgrade.

This method can interrupt ongoing network services.

Distributed devices ISSU This method upgrades the router with the least amount of downtime.

Managing files from the BootWare menu Use this method when the router cannot

correctly start up.

81

Preparing for the upgrade

Before you upgrade system software, complete the following tasks:

Set up the upgrade environment as shown in Table 20.

Configure routes to make sure that the router and the file server can reach each other.

Run a TFTP or FTP server on the file server.

Log in to the CLI of the router through the console port.

Copy the upgrade file to the file server and correctly set the working directory on the

TFTP or FTP server.

Make sure the upgrade has minimal impact on the network services. During the

upgrade, the router cannot provide any services.

IMPORTANT:

In the BootWare menu, if you choose to download files over Ethernet, the Ethernet port must be GE0 on an MSR2003, MSR2004-24, MSR2004-48, MSR3012, MSR3024, MSR3044, and MSR3064 router, and must be M-GE0 on an MSR4060 and MSR4080 router.

Table 19 Storage media

Model Storage medium Path Router Types

MSR2003 Flash flash:/ Centralized devices

MSR2004-24 Flash flash:/ Centralized devices

MSR2004-48 Flash flash:/ Centralized devices

MSR3012 CF card cfa0:/ Centralized devices





MSR4080 CF card cfa0:/ Distributed devices

Figure 1 Set up the upgrade environment

82

Centralized devices upgrading from the CLI

You can use the TFTP or FTP commands on the router to access the TFTP or FTP server to back up or download files.

Saving the running configuration and verifying the storage space

1. Save the running configuration

<HPE>save

The current configuration will be written to the device. Are you sure? [Y/N]:y

Please input the file name(*.cfg)[flash:/startup.cfg]

(To leave the existing filename unchanged, press the enter key):

Validating file. Please wait...

Configuration is saved to device successfully.

<HPE>

2. Identify the system software image and configuration file names and verify that the flash has sufficient space for the new system software image.

<HPE>dir

Directory of flash:

0 drw- - Aug 15 2012 12:03:13 diagfile

1 -rw- 84 Aug 15 2012 12:17:59 ifindex.dat

2 drw- - Aug 15 2012 12:03:14 license

3 drw- - Aug 15 2012 12:03:13 logfile

4 -rw- 11418624 Dec 15 2011 09:00:00 msr2000-cmw710-boot-a0005.bin

5 -rw- 1006592 Dec 15 2011 09:00:00 msr2000-cmw710-data-a0005.bin

6 -rw- 10240 Dec 15 2011 09:00:00 msr2000-cmw710-security-a0005.bin

7 -rw- 24067072 Dec 15 2011 09:00:00 msr2000-cmw710-system-a0005.bin

8 -rw- 1180672 Dec 15 2011 09:00:00 msr2000-cmw710-voice-a0005.bin

9 drw- - Aug 15 2012 12:03:13 seclog

10 -rw- 1632 Aug 15 2012 12:18:00 startup.cfg

11 -rw- 25992 Aug 15 2012 12:18:00 startup.mdb

262144 KB total (223992 KB free)

<HPE>

Downloading the image file to the router

Using TFTP

Download the system software image file, for example, msr2000.ipe to the flash on the router.

<HPE>tftp 192.168.1.100 get msr2000.ipe

% Total % Received % Xferd Average Speed Time Time Time Current

Dload Upload Total Spent Left Speed

100 35.9M 100 35.9M 0 0 559k 0 0:01:05 0:01:05 --:--:-- 546k

<HPE>

83

Using FTP

1. From FTP client view, download the system software image file (for example, msr2000.ipe) to the CF card on the router.

ftp> get msr2000.ipe

msr2000.ipe already exists. Overwrite it? [Y/N]:y

227 Entering passive mode (192,168,1,100,5,20)

125 Using existing data connection

226 Closing data connection; File transfer successful.

37691392 bytes received in 17.7 seconds (2.03 Mbyte/s)

[ftp]

2. Return to user view.

[ftp]quit

221 Service closing control connection

<HPE>

Specifying the startup image file

1. Specify the msr2000.ipe file as the main image file at the next reboot.

<HPE>boot-loader file flash:/msr2000.ipe main

Images in IPE:

msr2000-cmw710-boot-a0005.bin

msr2000-cmw710-system-a0005.bin

msr2000-cmw710-security-a0005.bin

msr2000-cmw710-voice-a0005.bin

msr2000-cmw710-data-a0005.bin

This command will set the main startup software images. Continue? [Y/N]:y

Add images to the device.

Successfully copied flash:/msr2000-cmw710-boot-a0005.bin to

flash:/msr2000-cmw710-boot-a0005.bin.

Successfully copied flash:/msr2000-cmw710-system-a0005.bin to

flash:/msr2000-cmw710-system-a0005.bin.

Successfully copied flash:/msr2000-cmw710-security-a0005.bin to

flash:/msr2000-cmw710-security-a0005.bin.

Successfully copied flash:/msr2000-cmw710-voice-a0005.bin to

flash:/msr2000-cmw710-voice-a0005.bin.

Successfully copied flash:/msr2000-cmw710-data-a0005.bin to

flash:/msr2000-cmw710-data-a0005.bin.

The images that have passed all examinations will be used as the main startup software

images at the next reboot on the device.

<HPE>

2. Verify that the file has been loaded.

84

<HPE> display boot-loader

Software images on the device:

Current software images:

flash:/msr2000-cmw710-boot-a0004.bin

flash:/msr2000-cmw710-system-a0004.bin

flash:/msr2000-cmw710-security-a0004.bin

flash:/msr2000-cmw710-voice-a0004.bin

flash:/msr2000-cmw710-data-a0004.bin

Main startup software images:

flash:/msr2000-cmw710-boot-a0005.bin

flash:/msr2000-cmw710-system-a0005.bin

flash:/msr2000-cmw710-security-a0005.bin

flash:/msr2000-cmw710-voice-a0005.bin

flash:/msr2000-cmw710-data-a0005.bin

Backup startup software images:

None

<HPE>

Rebooting and completing the upgrade

1. Reboot the router.

<HPE>reboot

Start to check configuration with next startup configuration file, please

wait.........DONE!

This command will reboot the device. Continue? [Y/N]:y

Now rebooting, please wait...

<HPE>

System is starting...

2. After the reboot is complete, verify that the system software image is correct.


HPE Comware Software, Version 7.1.042, Release 000702

Copyright (c) 2010-2013 Hewlett-Packard Development Company, L.P.

HPE MSR2003 uptime is 0 weeks, 0 days, 13 hours, 23 minutes Last

reboot reason : User reboot

Boot image: flash:/msr2000-cmw710-boot-a0005.bin

Boot image version: 7.1.040, Alpha 0005

System image: flash:/msr2000-cmw710-system-a0005.bin

System image version: 7.1.040, Alpha 0005

CPU ID: 0x1



PCB Version: 3.0

CPLD Version: 1.0



[SLOT 0]AUX (Hardware)3.0 (Driver)1.0, (Cpld)1.0

[SLOT 0]GE0/0 (Hardware)3.0 (Driver)1.0, (Cpld)1.0

[SLOT 0]GE0/1 (Hardware)3.0 (Driver)1.0, (Cpld)1.0

85

[SLOT 0]CELLULAR0/0 (Hardware)3.0 (Driver)1.0, (Cpld)1.0

<HPE>

Distributed devices upgrading from the CLI

You can use the TFTP or FTP commands on the router to access the TFTP or FTP server to back up or download files.

Display the slot number of the active MPU

Perform the display device command in any view to display the slot number of the active MPU. By default, the standby MPU will automatically synchronize the image files from active MPU.

<HPE>display device

Slot No. Board Type Status Primary SubSlots

-----------------------------------------------------------------------------

0 MPU-100 Normal Master 0

1 MPU-100 Normal Standby 0

2 SPU-100 Normal N/A 10

<HPE>

Save the current configuration and verify the storge space

1. Perform the save command in any view to save the current configuration.

<HPE>save


Please input the file name(*.cfg)[cfa0:/startup.cfg]




<HPE>

2. Perform the dir command in user view to identify the system software image and configuration file names and verify that the CF card has sufficient space for the new system software image.

<HPE>dir

Directory of cfa0:

0 drw- - Jan 07 2013 14:02:12 diagfile

1 -rw- 307 Jan 22 2013 17:02:02 ifindex.dat

2 drw- - Jan 07 2013 14:02:12 license

3 drw- - Jan 22 2013 13:42:00 logfile

4 -rw- 21412864 Jan 22 2013 16:49:00 MSR4000-cmw710-boot-r0005p01.bin

5 -rw- 1123328 Jan 22 2013 16:50:30 MSR4000-cmw710-data-r0005p01.bin

6 -rw- 11264 Jan 22 2013 16:50:26 MSR4000-cmw710-security-r0005p01.bin

7 -rw- 45056000 Jan 22 2013 16:49:34 MSR4000-cmw710-system-r0005p01.bin

8 -rw- 2746368 Jan 22 2013 16:50:26 MSR4000-cmw710-voice-r0005p01.bin

9 drw- - Jan 07 2013 14:02:12 seclog

10 -rw- 2166 Jan 22 2013 17:02:02 startup.cfg

11 -rw- 34425 Jan 22 2013 17:02:02 startup.mdb


86

<HPE>

Download the image file to the router

Using TFTP

Perform the tftp get command in user view to download the system software image file, for example, msr4000.ipe to the CF card on the router.




45 67.0M 45 30.4M 0 0 792k 0 0:01:26 0:00:39 0:00:47 844k

100 67.0M 100 67.0M 0 0 772k 0 0:01:28 0:01:28 --:--:-- 745k

<HPE>

Using FTP

1. Perform the get command in FTP client view to download the system software image file msr4000.ipe to the CF card on the router.







[ftp]

2. Perform the quit command in FTP client view to return to user view.

[ftp]quit


<HPE>

Copy the image file to CF card root directory of the standby MPU

<HPE> copy msr4000.ipe slot1#cfa0:/

Copy cfa0:/msr4000.ipe to slot1#cfa0:/msr4000.ipe?[Y/N]:y

Copying file cfa0:/msr4000.ipe to slot1#cfa0:/ msr4000.ipe...Done.

Specifying the startup image file

1. Perform the boot-loader command in user view to d specify the msr4000.ipe file as the main image file for the active MPU on slot 0 at the next reboot.

<HPE>boot-loader file flash:/msr4000.ipe slot 0 main

Images in IPE:








87


cfa0:/msr4000-cmw710-boot-a0005.bin.


cfa0:/msr4000-cmw710-system-a0005.bin.


cfa0:/msr4000-cmw710-security-a0005.bin.


cfa0:/msr4000-cmw710-voice-a0005.bin.


cfa0:/msr4000-cmw710-data-a0005.bin.



<HPE>

2. Perform the boot-loader command in user view to d specify the msr4000.ipe file as the main image file for the standby MPU on slot 1 at the next reboot.

<HPE>boot-loader file flash:/msr4000.ipe slot 0 main

Images in IPE:









cfa0:/msr4000-cmw710-boot-a0005.bin.


cfa0:/msr4000-cmw710-system-a0005.bin.


cfa0:/msr4000-cmw710-security-a0005.bin.


cfa0:/msr4000-cmw710-voice-a0005.bin.


cfa0:/msr4000-cmw710-data-a0005.bin.



<HPE>

3. Perform the display boot-loader command in user view to verify that the file has been loaded.


Software images on slot 0:


cfa0:/MSR4000-cmw710-boot-a0004.bin

cfa0:/MSR4000-cmw710-system-a0004.bin

cfa0:/MSR4000-cmw710-security-a0004.bin

cfa0:/MSR4000-cmw710-voice-a0004.bin

cfa0:/MSR4000-cmw710-data-a0004.bin





88




None



cfa0:/MSR4000-cmw710-boot-r0005p01.bin

cfa0:/MSR4000-cmw710-system-r0005p01.bin

cfa0:/MSR4000-cmw710-security-r0005p01.bin

cfa0:/MSR4000-cmw710-voice-r0005p01.bin

cfa0:/MSR4000-cmw710-data-r0005p01.bin








None

Reboot and completing the upgrade

1. Perform the reboot command in user view to reboot the router.

<HPE>reboot

Start to check configuration with next startup configuration file, please

wait.........DONE!

This command will reboot the device. Continue? [Y/N]:y


<HPE>

System is starting..

2. After the reboot is complete, perform the display version command to verify that the system software image is correct.


HPE Comware Software, Version 7.1.042, Release 000702


HPE MSR4060 uptime is 0 weeks, 0 days, 11 hours, 49 minutes

Last reboot reason : Power on

Boot image: cfa0:/MSR4000-cmw710-boot-a0005.bin

Boot image version: 7.1.040, Alpha 0005

System image: cfa0:/MSR4000-cmw710-system-a0005.bin

System image version: 7.1.040, Alpha 0005

Feature image(s) list:

cfa0:/MSR4000-cmw710-security-a0005.bin, version: 7.1.040

cfa0:/MSR4000-cmw710-voice-a0005.bin, version: 7.1.040

cfa0:/MSR4000-cmw710-data-a0005.bin, version: 7.1.040

Slot 0: MPU-100 uptime is 0 week, 0 day, 1 hour, 20 minutes


CPU ID: 0x3

89



PCB Version: 2.0

CPLD Version: 1.0



[SUBSLOT 0]CON (Hardware)2.0 (Driver)1.0, (Cpld)1.0

[SUBSLOT 0]AUX (Hardware)2.0 (Driver)1.0, (Cpld)1.0

[SUBSLOT 0]MGE0 (Hardware)2.0 (Driver)1.0, (Cpld)1.0

Slot 1: MPU-100 uptime is 0 week, 0 day, 1 hour, 8 minutes

Last reboot reason : User reboot

CPU ID: 0x3



PCB Version: 2.0

CPLD Version: 1.0



[SUBSLOT 0]CON (Hardware)2.0 (Driver)1.0, (Cpld)1.0

[SUBSLOT 0]AUX (Hardware)2.0 (Driver)1.0, (Cpld)1.0

[SUBSLOT 0]MGE0 (Hardware)2.0 (Driver)1.0, (Cpld)1.0

Slot 2: SPU-100 uptime is 0 week, 0 day, 1 hour, 19 minutes


CPU ID: 0x5



PCB Version: 2.0

CPLD Version: 1.0



[SUBSLOT 0]GE2/0/0 (Hardware)2.0 (Driver)1.0, (Cpld)1.0




[SUBSLOT 0]CELLULAR2/0/0 (Hardware)2.0 (Driver)1.0, (Cpld)1.0

[SUBSLOT 0]CELLULAR2/0/1 (Hardware)2.0 (Driver)1.0, (Cpld)1.0

[SUBSLOT 1]HMIM-4SAE (Hardware)3.0 (Driver)1.0, (Cpld)4.0

Distributed devices ISSU

The In-Service Software Upgrade (ISSU) function enables software upgrade with the least amount of downtime.

To implement ISSU of a distributed device, use these guidelines:

Make sure the device has two MPUs.

Upgrade the standby MPU is upgraded first to form a new forwarding plane and a new control plane.

90

Upgrade the active MPU after the standby MPU operates correctly. The standby MPU will synchronize data and configuration from the active MPU and take over the forwarding and control functions.

Disabling the standby MPU auto-update function

When you upgrade the active MPU of a dual-MPU distributed device, the standby MPU auto-update function automatically upgrades the standby MPU by default. To use ISSU, you must disable the function.

To disable the standby MPU auto-update function:

1. View the roles of the MPUs.

<HPE>display device

Slot No. Board Type Status Primary SubSlots

-----------------------------------------------------------------------------

0 MPU-100 Normal Master 0

1 MPU-100 Normal Standby 0

2 SPU-100 Normal N/A 10

<HPE>

The output shows that the MPU in slot 0 is the active MPU.

2. Disable the standby MPU auto-update function.

<HPE>system-view

[Sysname]version check ignore

[Sysname]undo version auto-update enable

Saving the running configuration and verifying the storage space

1. Save the running configuration.

<HPE>save


Please input the file name(*.cfg)[cfa0:/startup.cfg]




<HPE>

2. Check the storage space.

<HPE>dir

Directory of cfa0:

0 drw- - Jan 07 2014 14:02:12 diagfile

1 -rw- 307 Jan 22 2014 17:02:02 ifindex.dat

2 drw- - Jan 07 2014 14:02:12 license

3 drw- - Jan 22 2014 13:42:00 logfile

4 -rw- 20050944 Jan 10 2014 09:06:48 msr4000-cmw710-boot-e010204.bin

5 -rw- 2001920 Jan 10 2014 09:08:28 msr4000-cmw710-data-e010204.bin

6 -rw- 11264 Jan 10 2014 09:08:18 msr4000-cmw710-security-e010204.bin

7 -rw- 61538304 Jan 10 2014 09:07:36 msr4000-cmw710-system-e010204.bin

8 -rw- 3232768 Jan 10 2014 09:08:22 msr4000-cmw710-voice-e010204.bin

9 drw- - Jan 07 2014 14:02:12 seclog

91

10 -rw- 2166 Jan 22 2014 17:02:02 startup.cfg

11 -rw- 34425 Jan 22 2014 17:02:02 startup.mdb


<HPE>

The output shows the CF card has 438688 KB of free storage space. If the CF card of your device is not sufficient for the upgrade image, delete unused files.

Downloading the upgrade image file to the router

Using TFTP

Download the upgrade image file (for example, msr4000.ipe) to the CF card on the router.




45 67.0M 45 30.4M 0 0 792k 0 0:01:26 0:00:39 0:00:47 844k

100 67.0M 100 67.0M 0 0 772k 0 0:01:28 0:01:28 --:--:-- 745k

<HPE>

Using FTP

1. From FTP client view, download the upgrade image file (for example, msr4000.ipe) to the CF card on the router.







[ftp]

2. Return to user view.

[ftp]quit


<HPE>

Copying the image file to the root directory of the CF card on the standby MPU

<HPE> copy msr4000.ipe slot1#cfa0:/

Copy cfa0:/msr4000.ipe to slot1#cfa0:/msr4000.ipe?[Y/N]:y

Copying file cfa0:/msr4000.ipe to slot1#cfa0:/ msr4000.ipe...Done.

Upgrading the standby MPU

1. Specify the msr4000.ipe file as the main startup image file for the standby MPU.

<HPE>boot-loader file msr4000.ipe slot 1 main

Verifying the IPE file and the images......Done.

HPE MSR4060 images in IPE:

msr4000-cmw710-boot-e010305.bin

msr4000-cmw710-system-e010305.bin

msr4000-cmw710-security-e010305.bin

92

msr4000-cmw710-voice-e010305.bin

msr4000-cmw710-data-e010305.bin


Add images to slot 1.

Decompressing file msr4000-cmw710-boot-e010305.bin to

slot1#cfa0:/msr4000-cmw710-boo

t-e010305.bin...............Done.

Decompressing file msr4000-cmw710-system-e010305.bin to

slot1#cfa0:/msr4000-cmw710-s

ystem-e010305.bin...............................................Done.

Decompressing file msr4000-cmw710-security-e010305.bin to

slot1#cfa0:/msr4000-cmw710

-security-e010305.bin...Done.

Decompressing file msr4000-cmw710-voice-e010305.bin to

slot1#cfa0:/msr4000-cmw710-vo

ice-e010305.bin....Done.

Decompressing file msr4000-cmw710-data-e010305.bin to

slot1#cfa0:/msr4000-cmw710-dat

a-e010305.bin...Done.

The images that have passed all examinations will be used as the main startup so

ftware images at the next reboot on slot 1.

2. Reboot the standby MPU.

<HPE>reboot slot 1

This command will reboot the specified slot, Continue? [Y/N]:y


3. After the standby MPU starts up, verify the startup image files.

<HPE>display boot-loader



cfa0:/msr4000-cmw710-boot-e010204.bin

cfa0:/msr4000-cmw710-system-e010204.bin

cfa0:/msr4000-cmw710-security-e010204.bin

cfa0:/msr4000-cmw710-voice-e010204.bin

cfa0:/msr4000-cmw710-data-e010204.bin
















93

















The output shows that the standby MPU is running the new images.

Upgrading the active MPU

1. Specify the msr4000.ipe file as the main startup image file for the active MPU.

<HPE>boot-loader file msr4000.ipe slot 0 main

Verifying the IPE file and the images......Done.

HPE MSR4060 images in IPE:

msr4000-cmw710-boot-e010305.bin

msr4000-cmw710-system-e010305.bin

msr4000-cmw710-security-e010305.bin

msr4000-cmw710-voice-e010305.bin

msr4000-cmw710-data-e010305.bin


Add images to slot 0.

Decompressing file msr4000-cmw710-boot-e010305.bin to

cfa0:/msr4000-cmw710-boot-e010

305.bin...............Done.

Decompressing file msr4000-cmw710-system-e010305.bin to

cfa0:/msr4000-cmw710-system-

e010305.bin..............................................Done.

Decompressing file msr4000-cmw710-security-e010305.bin to

cfa0:/msr4000-cmw710-secur

ity-e010305.bin...Done.

Decompressing file msr4000-cmw710-voice-e010305.bin to

cfa0:/msr4000-cmw710-voice-e0

10305.bin....Done.

Decompressing file msr4000-cmw710-data-e010305.bin to

cfa0:/msr4000-cmw710-data-e010

305.bin...Done.

The images that have passed all examinations will be used as the main startup so

ftware images at the next reboot on slot 0.

2. Reboot the active MPU.

94

<HPE>reboot slot 0

This command will reboot the specified slot, Continue? [Y/N]:y


The standby MPU takes over the forwarding and controlling functions before the active MPU reboots.

3. After the active MPU starts up, verify the startup image files.

<HPE>display boot-loader







































4. Perform the display boot-loader command in user view to verify that the file has been loaded.



95














None















None

Upgrading from the BootWare menu

You can use the following methods to upgrade software from the BootWare menu:

Using TFTP/FTP to upgrade software through an Ethernet port

Using XMODEM to upgrade software through the console port

Accessing the BootWare menu

1. Power on the router (for example, an HPE MSR 2003 router), and you can see the following information:


Press Ctrl+D to access BASIC-BOOTWARE MENU...

Booting Normal Extended BootWare

The Extended BootWare is self-decompressing....Done.

****************************************************************************

* *

* HPE MSR2003 BootWare, Version 1.20 *

96

* *

****************************************************************************


Compiled Date : Jun 22 2013

CPU ID : 0x1

Memory Type : DDR3 SDRAM

Memory Size : 1024MB

Flash Size : 2MB

Nand Flash size : 256MB

CPLD Version : 2.0

PCB Version : 3.0

BootWare Validating...

Press Ctrl+B to access EXTENDED-BOOTWARE MENU...

2. Press Ctrl + B to access the BootWare menu.

Password recovery capability is enabled.

Note: The current operating device is flash

Enter < Storage Device Operation > to select device.

===========================<EXTEND-BOOTWARE MENU>===========================

|<1> Boot System |

|<2> Enter Serial SubMenu |

|<3> Enter Ethernet SubMenu |

|<4> File Control |

|<5> Restore to Factory Default Configuration |

|<6> Skip Current System Configuration |

|<7> BootWare Operation Menu |

|<8> Skip authentication for console login |

|<9> Storage Device Operation |

|<0> Reboot |

============================================================================

Ctrl+Z: Access EXTENDED ASSISTANT MENU

Ctrl+F: Format File System

Enter your choice(0-9):

Table 20 BootWare menu options

Item Description

<1> Boot System Boot the system software image.

<2> Enter Serial SubMenu Access the Serial submenu (see Table 23 ) for upgrading system software through the console port or changing the serial port settings.

<3> Enter Ethernet SubMenu Access the Ethernet submenu (see Table 21) for upgrading system software through an Ethernet port or changing Ethernet settings.

<4> File Control Access the File Control submenu (see Table 24) to retrieve and manage the files stored on the router.

97

<5> Restore to Factory Default Configuration

Delete the next-startup configuration files and load the factory-default configuration.

<6> Skip Current System Configuration

Start the router with the factory default configuration. This is a one-time operation and does not take effect at the next reboot. You use this option when you forget the console login password.

<7> BootWare Operation Menu

Access the BootWare Operation menu for backing up, restoring, or upgrading BootWare. When you upgrade the system software image, BootWare is automatically upgraded. HPE does not recommend upgrading BootWare separately. This document does not cover using the BootWare Operation menu.

<8> Skip authentication for console login Clear all the authentication schemes on the console port.

<9> Storage Device Operation Access the Storage Device Operation menu to manage storage devices. Using this option is beyond this chapter.

<0> Reboot Restart the router.

Using TFTP/FTP to upgrade software through an Ethernet port

1. Enter 3 in the BootWare menu to access the Ethernet submenu.

===============================<File CONTROL>===============================

|Note:the operating device is flash |

|<1> Download Image Program To SDRAM And Run |

|<2> Update Main Image File |

|<3> Update Backup Image File |

|<4> Download Files(*.*) |

|<5> Modify Ethernet Parameter |

|<0> Exit To Main Menu |

============================================================================


Table 21 Ethernet submenu options

Item Description

<1> Download Application Program To SDRAM And Run

Download a system software image to the SDRAM and run the image.

<2> Update Main Image File Upgrade the main system software image.

<3> Update Backup Image File Upgrade the backup system software image.

<4> Download Files(*.*) Download a system software image to the Flash or CF card.

<5> Modify Ethernet Parameter Modify network settings.

<0> Exit To Main Menu Return to the BootWare menu.

2. Enter 5 to configure the network settings.

=========================<ETHERNET PARAMETER SET>=========================

|Note: '.' = Clear field. |

| '-' = Go to previous field. |

98

| Ctrl+D = Quit. |

==========================================================================

Protocol (FTP or TFTP) :ftp

Load File Name :msr2000.ipe

:

Target File Name :msr2000.ipe

:

Server IP Address :192.168.1.1

Local IP Address :192.168.1.100

Subnet Mask :255.255.255.0

Gateway IP Address :0.0.0.0

FTP User Name :user001

FTP User Password :********

Table 22 Network parameter fields and shortcut keys

Field Description

'.' = Clear field Press a dot (.) and then Enter to clear the setting for a field.

'-' = Go to previous field Press a hyphen (-) and then Enter to return to the previous field.

Ctrl+D = Quit Press Ctrl + D to exit the Ethernet Parameter Set menu.

Protocol (FTP or TFTP) Set the file transfer protocol to FTP or TFTP.

Load File Name Set the name of the file to be downloaded.

Target File Name Set a file name for saving the file on the router. By default, the target file name is the same as the source file name.

Server IP Address Set the IP address of the FTP or TFTP server. If a mask must be set, use a colon (:) to separate the mask length from the IP address. For example, 192.168.80.10:24.

Local IP Address Set the IP address of the router.

Subnet Mask Subnet Mask of the local IP address.

Gateway IP Address Set a gateway IP address if the router is on a different network than the server.

FTP User Name Set the username for accessing the FTP server. This username must be the same as configured on the FTP server. This field is not available for TFTP.

FTP User Password Set the password for accessing the FTP server. This password must be the same as configured on the FTP server. This field is not available for TFTP.

3. Select an option in the Ethernet submenu to upgrade a system software image. For

example, enter 2 to upgrade the main system software image.

Loading.....................................................................

............................................................................

............................................................................

.........................................Done.

37691392 bytes downloaded!

The file is exist,will you overwrite it? [Y/N]Y

Image file msr2000-cmw710-boot-a0005.bin is self-decompressing...

Saving file flash:/msr2000-cmw710-boot-a0005.bin .............................

99

......Done.

Image file msr2000-cmw710-system-a0005.bin is self-decompressing...

Saving file flash:/msr2000-cmw710-system-a0005.bin ...........................

.........................................Done.

Image file msr2000-cmw710-security-a0005.bin is self-decompressing...

Saving file flash:/msr2000-cmw710-security-a0005.bin Done.

Image file msr2000-cmw710-voice-a0005.bin is self-decompressing...

Saving file flash:/msr2000-cmw710-voice-a0005.bin ......Done.

Image file msr2000-cmw710-data-a0005.bin is self-decompressing...

Saving file flash:/msr2000-cmw710-data-a0005.bin ..Done.

==========================<Enter Ethernet SubMenu>==========================






|<5> Modify Ethernet Parameter |


|<Ensure The Parameter Be Modified Before Downloading!> |

============================================================================


4. Enter 0 to return to the BootWare menu


|<1> Boot System |



|<4> File Control |

|<5> Modify BootWare Password |



|<8> Skip authentication for console login |


|<0> Reboot |

============================================================================


5. 1 to boot the system.

Loading the main image files...

Loading file flash:/msr2000-cmw710-system-a0005.bin..........................

Done.

Loading file flash:/msr2000-cmw710-boot-a0005.bin..............Done.

Image file flash:/msr2000-cmw710-boot-a0005.bin is self-decompressing.........

.....Done.

System image is starting...

Line aux0 is available.

100

Press ENTER to get started.

Using XMODEM to upgrade software through the console port

1. Enter 2 in the BootWare menu to access the Serial submenu.

===========================<Enter Serial SubMenu>===========================






|<5> Modify Serial Interface Parameter |


============================================================================


Table 23 Serial submenu options

Item Description

<1> Download Application Program To SDRAM And Run

Download an application to SDRAM through the serial port and run the program.

<2> Update Main Image File Upgrade the main system software image.

<3> Update Backup Image File Upgrade the backup system software image.

<4>Download Files(*.*) Download a system software image to the Flash or CF card.

<5> Modify Serial Interface Parameter Modify serial port parameters


2. Select an appropriate baud rate for the console port. For example, enter 5 to select 115200 bps.

===============================<BAUDRATE SET>===============================

|Note:'*'indicates the current baudrate |

| Change The HyperTerminal's Baudrate Accordingly |

|---------------------------<Baudrate Available>---------------------------|

|<1> 9600(Default)* |

|<2> 19200 |

|<3> 38400 |

|<4> 57600 |

|<5> 115200 |

|<0> Exit |

============================================================================


The following messages appear:

Baudrate has been changed to 115200 bps.

Please change the terminal's baudrate to 115200 bps, press ENTER when ready.

101

NOTE:

Typically the size of a .bin file is over 10 MB. Even at 115200 bps, the download takes about 30 minutes.

3. Select Call > Disconnect in the HyperTerminal window to disconnect the terminal from the router.

Figure 2 Disconnect the terminal connection

NOTE:

If the baud rate of the console port is 9600 bps, jump to step 9.

4. Select File > Properties, and in the Properties dialog box, click Configure.

Figure 3 Properties dialog box

5. Select 115200 from the Bits per second list and click OK.

102

Figure 4 Modify the baud rate

6. Select Call > Call to reestablish the connection.

Figure 5 Reestablish the connection

7. Press Enter.

The following menu appears:

The current baudrate is 115200 bps

===============================<BAUDRATE SET>===============================

|Note:'*'indicates the current baudrate |

| Change The HyperTerminal's Baudrate Accordingly |

|---------------------------<Baudrate Available>---------------------------|

|<1> 9600(Default) |

|<2> 19200 |

|<3> 38400 |

|<4> 57600 |

|<5> 115200* |

|<0> Exit |

============================================================================


103

8. Enter 0 to return to the Serial submenu.









============================================================================


9. Select an option from options 2 to 3 to upgrade a system software image. For example,

enter 2 to upgrade the main system software image.

Please Start To Transfer File, Press <Ctrl+C> To Exit.

Waiting ...CCCCC

10. Select Transfer > Send File in the HyperTerminal window.

Figure 6 Transfer menu

11. In the dialog box that appears, click Browse to select the source file, and select Xmodem from the Protocol list.

Figure 7 File transmission dialog box

12. Click Send. The following dialog box appears:

104

Figure 8 File transfer progress

13. When the Serial submenu appears after the file transfer is complete, enter 0 at the

prompt to return to the BootWare menu.

Download successfully!

37691392 bytes downloaded!

Input the File Name:main.bin

Updating File flash:/main.bin..............................................

.....................................................Done!









============================================================================


14. Enter 1 in the BootWare menu to boot the system.

15. If you are using a download rate other than 9600 bps, change the baud rate of the terminal to 9600 bps. If the baud rate has been set to 9600 bps, skip this step.

Managing files from the BootWare menu

To change the type of a system software image, retrieve files, or delete files, enter 4 in the BootWare menu.

The File Control submenu appears:

==============================<File CONTROL>==============================

|Note:the operating device is cfa0 |

105

|<1> Display All File(s) |

|<2> Set Image File type |

|<3> Set Bin File type |

|<4> Set Configuration File type |

|<5> Delete File |

|<6> Copy File |


==========================================================================


Table 24 File Control submenu options

Item Description

<1> Display All File Display all files.

<2> Set Image File type Change the type of a system software image (.ipe).

<3> Set Bin File type Change the type of a system software image (.bin).

<4> Set Configuration File type Change the type of a configuration file.

<5> Delete File Delete files.

<6> Copy File Copy File


Displaying all files

To display all files, enter 1 in the File Control submenu:

Display all file(s) in flash:

'M' = MAIN 'B' = BACKUP 'N/A' = NOT ASSIGNED

============================================================================

|NO. Size(B) Time Type Name |

|1 37691392 Aug/16/2012 07:09:16 N/A flash:/msr2000.ipe |

|2 25992 Aug/15/2012 12:18:00 N/A flash:/startup.mdb |

|3 1632 Aug/15/2012 12:18:00 M flash:/startup.cfg |

|4 84 Aug/15/2012 12:17:59 N/A flash:/ifindex.dat |

|5 11029 Aug/15/2012 13:31:16 N/A flash:/logfile/logfile1.log |

|6 17 Aug/16/2012 07:47:24 N/A flash:/.pathfile |

|7 1006592 Aug/16/2012 07:44:16 M flash:/msr2000-cmw710-data-a0005.bin|

|8 815 Aug/15/2012 12:03:14 N/A flash:/license/DeviceID.did |

|9 1180672 Aug/16/2012 07:44:15 M flash:/msr2000-cmw710-voice-a0005. bin|

|10 10240 Aug/16/2012 07:44:15 M flash:/msr2000-cmw710-security-a0005.bin|

|11 24067072 Aug/16/2012 07:44:10 M flash:/msr2000-cmw710-system-a0005.bin|

|12 11418624 Aug/16/2012 07:44:05 M flash:/msr2000-cmw710-boot-a0005.bin|

============================================================================

Changing the type of a system software image

System software image file attributes include main (M), and backup (B). You can store only one main image, and one backup image on the router. A system software image can have any combination of the M, and B attributes. If the file attribute you are assigning has been assigned to an image, the

106

assignment removes the attribute from that image. The image is marked as N/A if it has only that attribute.

To change the type of a system software image:

1. Enter 2 in the File Control submenu.


============================================================================



|0 Exit |

============================================================================

Enter file No:1

2. Enter the number of the file you are working with, and press Enter.

Modify the file attribute:

==========================================================================

|<1> +Main |

|<2> +Backup |

|<0> Exit |

==========================================================================


3. Enter a number in the range of 1 to 4 to add or delete a file attribute for the file.

Set the file attribute success!

Deleting files

When storage space is insufficient, you can delete obsolete files to free up storage space.

To delete files:

1. Enter 5 in the File Control submenu.

Deleting the file in cfa0:


Deleting the file in flash:


============================================================================



|2 25992 Aug/15/2012 12:18:00 N/A flash:/startup.mdb |

|3 1632 Aug/15/2012 12:18:00 M flash:/startup.cfg |

|4 84 Aug/15/2012 12:17:59 N/A flash:/ifindex.dat |

|5 11029 Aug/15/2012 13:31:16 N/A flash:/logfile/logfile1.log |

|6 17 Aug/16/2012 07:47:24 N/A flash:/.pathfile |

|7 1006592 Aug/16/2012 07:44:16 M flash:/msr2000-cmw710-data-a0005.bin|

|8 815 Aug/15/2012 12:03:14 N/A flash:/license/DeviceID.did |

|9 1180672 Aug/16/2012 07:44:15 M flash:/msr2000-cmw710-voice-a0005. bin|

|10 10240 Aug/16/2012 07:44:15 M flash:/msr2000-cmw710-security-a0005.bin|

|11 24067072 Aug/16/2012 07:44:10 M flash:/msr2000-cmw710-system-a0005.bin|

|12 11418624 Aug/16/2012 07:44:05 M flash:/msr2000-cmw710-boot-a0005.bin|

0 Exit

Enter file No.:

2. Enter the number of the file to delete.

107

3. When the following prompt appears, enter Y.

The file you selected is flash:/msr2000-cmw710-security-a0005.bin,Delete it?

[Y/N]Y

Deleting...Done.

Handling software upgrade failures If a software upgrade fails, the system runs the old software version. To handle a software failure:

1. Check the physical ports for a loose or incorrect connection.

2. If you are using the console port for file transfer, check the HyperTerminal settings (including the baud rate and data bits) for any wrong setting.

3. Check the file transfer settings:

If XMODEM is used, you must set the same baud rate for the terminal as for the

console port.

If TFTP is used, you must enter the same server IP addresses, file name, and

working directory as set on the TFTP server.

If FTP is used, you must enter the same FTP server IP address, source file name,

working directory, and FTP username and password as set on the FTP server.

4. Check the FTP or TFTP server for any incorrect setting.

5. Check that the storage device has sufficient space for the upgrade file.

6. If the message “Something is wrong with the file” appears, check the file for file corruption.

Appendix C Handling console login password loss

Disabling password recovery capability

Password recovery capability controls console user access to the device configuration and SDRAM from BootWare menus.

If password recovery capability is enabled, a console user can access the device configuration without authentication to configure new passwords.

If password recovery capability is disabled, console users must restore the factory-default configuration before they can configure new passwords. Restoring the factory-default configuration deletes the next-startup configuration files.

To enhance system security, disable password recovery capability.

Table 25 summarizes options whose availability varies with the password recovery capability setting.

Table 25 BootWare options and password recovery capability compatibility matrix

BootWare menu

option

Password

recovery

enabled

Password

recovery

disabled

Tasks that can be performed

Download Image Program To SDRAM And Run

Yes No Load and run Comware software images in SDRAM.

108

Skip Authentication for Console Login

Yes No Enable console login without authentication.

Skip Current System Configuration

Yes No Load the factory-default configuration without deleting the next-startup configuration files.

Restore to Factory Default Configuration

No Yes Delete the next-startup configuration files and load the factory-default configuration.

To disable password recovery capability:

Step Command Remarks

1. Enter system view. system-view N/A

2. Disable password recovery capability.

undo password-recovery enable By default, password recovery capability is enabled.

When password recovery capability is disabled, you cannot downgrade the device software to a version that does not support the capability through the BootWare menus. You can do so at the CLI, but the BootWare menu password configured becomes effective again.

Handling console login password loss

CAUTION:

Handling console login password loss causes service outage.

The method for handling console login password loss depends on the password recovery capability setting (see Figure 9).

Figure 9 Handling console login password loss

Password recovery

capability enabled?

Yes No

Save the running configuration

Skip Authentication

for Console Login

Reboot the router

Configure new passwords

in system view

Console login password lost

Reboot the router to access

EXTENDED-BOOTWARE menu

Skip Current System

Configuration

Restore to Factory Default

Configuration

109

Examining the password recovery capability setting

1. Reboot the router.


Press Ctrl+D to access BASIC-BOOTWARE MENU...

Press Ctrl+T to start heavy memory test

Booting Normal Extended BootWare........

The Extended BootWare is self-decompressing....Done.

****************************************************************************

* *

* HPE MSR3000 BootWare, Version 1.20 *

* *

****************************************************************************


Compiled Date : May 13 2013

CPU ID : 0x2

Memory Type : DDR3 SDRAM

Memory Size : 2048MB

BootWare Size : 1024KB

Flash Size : 8MB

cfa0 Size : 247MB

CPLD Version : 2.0

PCB Version : 2.0

BootWare Validating...

Press Ctrl+B to access EXTENDED-BOOTWARE MENU...

2. Press Ctrl + B within three seconds after the "Press Ctrl+B to access EXTENDED-BOOTWARE MENU..." prompt message appears.

3. Read the password recovery capability setting information displayed before the EXTEND-BOOTWARE menu.

Password recovery capability is enabled.

Note: The current operating device is cfa0



|<1> Boot System |



|<4> File Control |




|<8> Skip Authentication for Console Login |


|<0> Reboot |

110

============================================================================

Ctrl+Z: Access EXTEND ASSISTANT MENU



Using the Skip Current System Configuration option

1. Reboot the router to access the EXTEND-BOOTWARE menu, and then enter 6.

The current mode is password recovery.




|<1> Boot System |



|<4> File Control |






|<0> Reboot |

============================================================================



Enter your choice(0-9): 6

After the configuration skipping flag is set successfully, the following message appears:

Flag Set Success.

2. When the EXTEND-BOOTWARE menu appears again, enter 1 to reboot the router.

The router starts up with the factory-default configuration without deleting the next-startup configuration files.

3. To use the configuration in a next-startup configuration file, load the file in system view.

<HPE> system-view

[HPE] configuration replace file cfa0:/startup.cfg

Current configuration will be lost, save current configuration? [Y/N]:n

Info: Now replacing the current configuration. Please wait...

Info: Succeeded in replacing current configuration with the file startup.cfg.

4. Configure a new console login authentication mode and a new console login password.

In the following example, the console login authentication mode is password and the authentication password is 123456. For security purposes, the password is always saved in

ciphertext, whether you specify the simple or cipher keyword for the set authentication

password command.

<HPE> system-view

[HPE] line aux 0

[HPE-line-aux0] authentication-mode password

[HPE-line-aux0] set authentication password simple 123456

111

Use the line aux 0 command on an MSR2000 or MSR 3000 routers. The console port and the

AUX port are the same physical port.

Use the line console 0 command on an MSR4000 routers. An MSR4000 router has a separate

console port.

5. To make the settings take effect after a reboot, save the running configuration to the next-startup configuration file.

[HPE-line-aux0] save

Using the Skip Authentication for Console Login option

1. Reboot the router to access the EXTEND-BOOTWARE menu, and then enter 8.

The current mode is password recovery.




|<1> Boot System |



|<4> File Control |






|<0> Reboot |

============================================================================




The router deletes the console login authentication configuration commands from the main next-startup configuration file. After the operation is completed, the following message appears:

Clear Image Password Success!


The router starts up with the main next-startup configuration file.

3. Configure a console login authentication mode and a new console login password. See "Configure a new console login authentication mode and a new console login password.Configure a new console login authentication mode and a new console login password."

4. To make the setting take effect after a reboot, save the running configuration to the next-startup configuration file.

[HPE-line-aux0] save

Using the Restore to Factory Default Configuration option

CAUTION:

Using the Restore to Factory Default Configuration option deletes both the main and backup next-configuration files.

112

1. Reboot the router to access the EXTEND-BOOTWARE menu, and enter 5.

The current mode is no password recovery.




|<1> Boot System |



|<4> File Control |






|<0> Reboot |

============================================================================




2. At the prompt for confirmation, enter Y.

The router deletes its main and backup next-startup configuration files and restores the factory-default configuration.

The current mode is no password recovery. The configuration files will be

deleted, and the system will start up with factory defaults, Are you sure to

continue?[Y/N]Y

Setting...Done.


The router starts up with the factory-default configuration.

4. Configure a new console login authentication mode and a new console login password. See "Configure a new console login authentication mode and a new console login password.Configure a new console login authentication mode and a new console login password.".

5. To make the settings take effect after a reboot, save the running configuration to the next-startup configuration file.

[HPE] save

1

HPE MSR1000_MSR2000_MSR3000_MSR4000-CMW710-R0306P81

Software Feature Changes

The information in this document is subject to change without notice. © Copyright [First Year]2013, [Current Year] 2016 Hewlett Packard Enterprise Development LP

i

Contents

Release 0306P81 ··········································································· 13

Release 0306P80 ··········································································· 13

Release 0306P70 ··········································································· 13

Release 0306P52 ··········································································· 13

New feature: MAC address recording in TCP packets ···························· 14

Configuring MAC address recording in TCP packets ········································································· 14 Command reference ··················································································································· 14

New command: tcp mac-record enable ···················································································· 14 New command: tcp mac-record local ······················································································ 15

New feature: Configuring the leased line service for an ISDN BRI interface 16

Configuring the leased line service for an ISDN BRI interface ····························································· 16 Command reference ··················································································································· 16

New command: isdn leased-line ····························································································· 16

New feature: LLDP PVID inconsistency check ······································ 17

Disabling LLDP PVID inconsistency check ······················································································ 17 Command reference ··················································································································· 18

lldp ignore-pvid-inconsistency ································································································ 18

Modified feature: High encryption ······················································ 18

Feature change description ··································································································· 18

Modified feature: OSPF ··································································· 19

Feature change description ·········································································································· 19 Command reference ··················································································································· 19

Modified command: OSPF ···································································································· 19

Modified feature: Policy-based routing ················································ 19

Feature change description ·········································································································· 19 Command reference ··················································································································· 19

New command: apply remark-vpn ·························································································· 19

Modified feature: MIB objects ···························································· 20

Feature change description ·········································································································· 20

Modified feature: Setting ISP domain status ········································· 21

Feature change description ·········································································································· 21 Command changes ···················································································································· 21

Modified command: state ······································································································ 21 New command: state block time-range name ··········································································· 21

Modified feature: Excluding an attribute from portal protocol packets ········· 22

Excluding an attribute from portal protocol packets ··········································································· 22 Command reference ··················································································································· 23

New command: exclude-attribute ··························································································· 23 Modified command: display portal server ················································································· 24

Modified feature: NTP ····································································· 25


Modified command: ntp-service authentication-keyid ·································································· 25 Modified command: sntp authentication-keyid ··········································································· 25

ii

Modified feature: Transceiver modules················································ 26


Modified feature: E1POS ································································· 26


Release 0306P30 ··········································································· 26

New feature: SIP compatibility ·························································· 26

Configuring SIP compatibility ········································································································ 26 Command reference ··················································································································· 27

sip-compatible ···················································································································· 27

Modified feature: OSPF performance optimization ································· 28


Modified command: spf-schedule-interval ················································································ 28 Modified command: transmit-pacing ························································································ 29

Modified feature: Telnet redirect ························································ 29


Modified feature: POS terminal access ··············································· 29


Modified command: posa auto-stop-service enable ···································································· 29

Modified feature: License ································································· 30


Modified feature: IP performance optimization ······································ 30


New command: tcp mac-record enable ···················································································· 30 New command: tcp mac-record local ······················································································ 31

Release 0306P12 ··········································································· 32

Modified feature: Configuring an SSH user ·········································· 32


Modified feature: AAA ····································································· 32


New command: authorization ike ···························································································· 32

Modified feature: Configuring a cellular interface for a 3G/4G modem ········ 33


New command: rssi ············································································································· 34

Modified feature: VXLAN ································································· 35


Modified feature: DHCP ··································································· 35


New command: dhcp server reply-exclude-option60 ·································································· 35

iii

Release 0306P11 ··········································································· 36

New feature: Voice VLAN ································································ 36

Configuring a voice VLAN ············································································································ 36 Configuring a port to operate in automatic voice VLAN assignment mode ······································ 36 Configuring a port to operate in manual voice VLAN assignment mode ········································· 37 Enabling LLDP for automatic IP phone discovery ······································································ 38 Configuring LLDP to advertise a voice VLAN ············································································ 39 Configuring CDP to advertise a voice VLAN ············································································· 39 Displaying and maintaining voice VLANs ················································································· 39

Command reference ··················································································································· 40

Modified feature: MPLS QoS support for matching the EXP field ·············· 40

Matching the EXP field in the second MPLS label ············································································ 40 Command reference ··················································································································· 40

New command: if-match second-mpls-exp ··············································································· 40

Modified feature: MPLS QoS support for marking the EXP field ················ 41

Marking the EXP field in the second MPLS label ·············································································· 41 Command reference ··················································································································· 41

New command: remark second-mpls-exp ················································································ 41

Modified feature: Automatic configuration ············································ 42


Removed feature: Tinyproxy ····························································· 42

Feature change description ·········································································································· 42 Removed command ··················································································································· 42

http-proxy ·························································································································· 42

Release 0306P07 ··········································································· 43

New feature: L2TP-based EAD ························································· 43

Enabling L2TP-based EAD ·········································································································· 43 Command reference ··················································································································· 44

ppp access-control enable ···································································································· 44 display ppp access-control interface ······················································································· 44

New feature: CFD configuration························································· 45

Configuring CFD configuration ······································································································ 45 Command reference ··················································································································· 46

Modified feature: Support using dots in user profile name ······················· 46


Modified command: user-profile ····························································································· 47

Modified feature: Default size of the TCP receive and send buffer ············ 47


Modified command: tcp window ····························································································· 47

Modified feature: Support for obtaining fan tray and power module vendor information through MIB ·································································· 48


Modified feature: Supporting per-packet load sharing ····························· 48


iv

Modified command: ip load-sharing mode ················································································ 48

Modified feature: Automatic configuration ············································ 49


Modified feature: Software image signature ········································· 49


Modified command: display install active ·················································································· 50 Modified command: display install backup ················································································ 50 Modified command: display install committed ··········································································· 51 Modified command: display install inactive ··············································································· 51 Modified command: display install ipe-info ················································································ 52 Modified command: display install package ·············································································· 52 Modified command: display install which ·················································································· 53

Release 0305P08 ··········································································· 53

New feature: mGRE ········································································ 54

Overview ·································································································································· 54 mGRE operation scheme ······································································································ 54 mGRE operation procedure ··································································································· 54 mGRE support for NAT traversal ···························································································· 57

mGRE configuration task list ········································································································ 57 Configuring an mGRE tunnel ········································································································ 57 Configuring routing ····················································································································· 58 Configuring IPsec for an mGRE tunnel ··························································································· 59 Displaying and maintaining mGRE ································································································ 59 Command reference ··················································································································· 60

New command: display mgre session ····················································································· 60 New command: display nhrp map ··························································································· 63 New command: display nhrp statistics ····················································································· 65 New command: nhrp authentication ························································································ 67 New command: nhrp holdtime ······························································································· 68 New command: nhrp network-id ····························································································· 69 New command: nhrp nhs ······································································································ 69 New command: reset mgre session ························································································ 70 New command: reset mgre statistics ······················································································· 71 New command: reset nhrp statistics ························································································ 71

New feature: Disabling transceiver module alarm ·································· 72

Configuring Disabling transceiver module alarm ··············································································· 72 Command reference ··················································································································· 72

New command: transceiver phony-alarm-disable ······································································· 72

Modified feature: Default user role ····················································· 73


Modified command: role default-role enable ············································································· 73

Modified feature: Debugging ····························································· 74


Modified command: debugging ······························································································ 74

Release 0305P04 ··········································································· 74

New feature: Public key management support for Suite B ······················· 75

Configuring Suite B in public key management ················································································ 75 Command reference ··················································································································· 75

Modified command: public-key local create ·············································································· 75

v

New feature: PKI support for Suite B ·················································· 76

Configuring Suite B in PKI ··········································································································· 76 Command reference ··················································································································· 76

Modified command: public-key ecdsa ······················································································ 76

New feature: IPsec support for Suite B ················································ 77

Overview ·································································································································· 77 IKEv2 negotiation process····································································································· 77 New features in IKEv2 ·········································································································· 78 Protocols and standards ······································································································· 79

IKEv2 configuration task list ········································································································· 79 Configuring an IKEv2 profile ········································································································· 80 Configuring an IKEv2 policy ········································································································· 83 Configuring an IKEv2 proposal ····································································································· 84 Configuring an IKEv2 keychain ····································································································· 85 Configure global IKEv2 parameters ······························································································· 86

Enabling the cookie challenging feature ··················································································· 86 Configuring the IKEv2 DPD feature ························································································· 86 Configuring the IKEv2 NAT keepalive feature ··········································································· 87 Configuring IKEv2 address pools ···························································································· 87

Displaying and maintaining IKEv2 ································································································· 88 Command reference ··················································································································· 88

New command: aaa authorization··························································································· 88 New command: address ······································································································· 89 New command: authentication-method ···················································································· 90 New command: certificate domain ·························································································· 92 New command: config-exchange ···························································································· 93 New command: description ··································································································· 94 New command: display ike statistics ······················································································· 95 New command: display ikev2 policy ························································································ 96 New command: display ikev2 profile ······················································································· 97 New command: display ikev2 proposal ···················································································· 99 New command: display ikev2 sa ·························································································· 100 New command: display ikev2 statistics ·················································································· 104 New command: dh············································································································· 105 New command: dpd ··········································································································· 106 New command: encryption ·································································································· 107 New command: hostname··································································································· 108 New command: identity ······································································································ 109 New command: identity local ······························································································· 110 New command: ikev2 address-group ···················································································· 111 New command: ikev2 cookie-challenge ················································································· 112 New command: ikev2 dpd ··································································································· 113 New command: ikev2 ipv6-address-group ·············································································· 114 New command: ikev2 keychain ···························································································· 115 New command: ikev2 nat-keepalive ······················································································ 116 New command: ikev2 policy ································································································ 117 New command: ikev2 profile ································································································ 118 New command: ikev2 proposal ···························································································· 118 New command: inside-vrf ···································································································· 120 New command: integrity ····································································································· 121 New command: keychain ···································································································· 122 New command: match local (IKEv2 profile view) ····································································· 123 New command: match local address (IKEv2 policy view) ·························································· 124 New command: match remote ····························································································· 125 New command: match vrf (IKEv2 policy view) ········································································· 126 New command: match vrf (IKEv2 profile view) ········································································ 127 New command: nat-keepalive ······························································································ 128 New command: peer ·········································································································· 129 New command: pre-shared-key ··························································································· 130 New command: prf ············································································································ 132

vi

New command: priority (IKEv2 policy view) ············································································ 133 New command: priority (IKEv2 profile view) ············································································ 133 New command: proposal ···································································································· 134 New command: reset ikev2 sa ····························································································· 135 New command: reset ikev2 statistics ····················································································· 136 New command: sa duration ································································································· 137 New command: esn enable ································································································· 137 New command: ikev2-profile ······························································································· 138 New command: tfc enable ··································································································· 139 Modified command: ah authentication-algorithm ······································································ 140 Modified command: display ipsec { ipv6-policy | policy } ···························································· 141 Modified command: display ipsec { ipv6-policy-template | policy-template } ·································· 141 Modified command: display ipsec sa ····················································································· 141 Modified command: display ipsec transform-set ······································································ 142 Modified command: display ipsec tunnel ················································································ 142 Modified command: esp authentication-algorithm ···································································· 142 Modified command: esp encryption-algorithm ········································································· 143 Modified command: pfs ······································································································ 145 Modified command: pre-shared-key ······················································································ 145 Modified command: authentication-algorithm ·········································································· 146

New feature: SSL support for Suite B ··············································· 147

Configuring Suite B in SSL ········································································································· 147 Command reference ················································································································· 147

New command: display crypto version ··················································································· 147 New command: ssl version disable ······················································································· 148 New command: ssl renegotiation disable ··············································································· 149 Modified command: version ································································································· 150 Modified command: ciphersuite ···························································································· 150 Modified command: prefer-cipher ························································································· 152

New feature: FIPS support for Suit B ················································ 154

Configuring Suite B in FIPS ········································································································ 154 Command reference ················································································································· 154

New command: fips rng random size filename ········································································ 154 New command: fips rng random size round rate-statistics ························································· 155 New command: fips rng entropy size filename ········································································ 155 New command: fips rng entropy size round rate-statistics ························································· 156 New command: fips kdf ······································································································ 157 New command: fips algorithm verify param ············································································ 157 Modified command: fips self-test ·························································································· 158

New feature: SSH support for Suite B ··············································· 158

Configuring SSH based on Suite B algorithms ··············································································· 158 Specifying a PKI domain for the SSH server ··········································································· 158 Establishing a connection to an Stelnet server based on Suite B ················································ 159 Establishing a connection to an SFTP server based on Suite B ·················································· 160 Establishing a connection to an SCP server based on Suite B ··················································· 160 Specifying algorithms for SSH2 ···························································································· 161

Command reference ················································································································· 162 New command: display ssh2 algorithm ·················································································· 162 New command: ssh server pki-domain ·················································································· 163 New command: scp ipv6 suite-b ··························································································· 164 New command: scp suite-b ································································································· 166 New command: sftp ipv6 suite-b ··························································································· 168 New command: sftp suite-b ································································································· 170 New command: ssh2 ipv6 suite-b ························································································· 172 New command: ssh2 suite-b ······························································································· 174 New command: ssh2 algorithm cipher ··················································································· 176 New command: ssh2 algorithm key-exchange ········································································ 177 New command: ssh2 algorithm mac ····················································································· 178 New command: ssh2 algorithm public-key ·············································································· 179

vii

Modified command: display ssh server ·················································································· 180 Modified command: ssh user ······························································································· 181 Modified command: scp ······································································································ 182 Modified command: scp ipv6 ······························································································· 185 Modified command: sftp ······································································································ 188 Modified command: sftp ipv6 ······························································································· 191 Modified command: ssh2 ···································································································· 194 Modified command: ssh2 ipv6 ······························································································ 197 New command: fips kdf ssh ································································································· 200

New feature: Ignoring the first AS number of EBGP route updates for a peer or peer group ·················································································· 201

Configuring Ignoring the first AS number of EBGP route updates for a peer or peer group ····················· 201 Command reference ················································································································· 201

peer ignore-first-as ············································································································ 201

Modified feature: Support for Ethernet link aggregation on Layer 3 Ethernet subinterfaces ··············································································· 203

Feature change description ········································································································ 203 Command changes ·················································································································· 205

Modified command: lacp mode ···························································································· 205 Modified command: lacp period short ···················································································· 205 Modified command: link-aggregation port-priority ····································································· 205 Modified command: port link-aggregation group ······································································ 205

Modified feature: Changing the maximum number of FIB table entries ····· 206


Modified feature: Enabling CWMP ··················································· 207


Modified command: cwmp enable························································································· 207

Release 0305 ·············································································· 207

New feature: IKE ·········································································· 208


New command: IKEv2 command ·························································································· 208

Modified feature: IPsec ·································································· 208


Modified command: ah authentication-algorithm ······································································ 208 New command: esn enable ································································································· 209 Modified command: esp authentication-algorithm ···································································· 210 Modified command: esp encryption-algorithm ········································································· 211 Modified command: pfs ······································································································ 212 New command: tfc enable ··································································································· 213 Modified command: public-key local create ············································································ 214 Modified command: public-key ecdsa ···················································································· 214

Release 0304P12 ········································································· 215

New feature: Including vendor information in PPP accounting requests ··· 215

Configuring Including vendor information in PPP accounting requests ················································ 215 Command reference ················································································································· 215

pppoe-server account-vendor ······························································································ 215

viii

New feature: BFD for an aggregation group ······································· 216

Configuring BFD for an aggregation group ···················································································· 216 Configuration restrictions and guidelines ················································································ 217 Configuration procedure ····································································································· 217

Command reference ················································································································· 217 link-aggregation bfd ipv4 ····································································································· 217

Modified feature: SSH username ····················································· 218


Modified command: ssh user ······························································································· 219

Modified feature: IS-IS hello packet sending interval ···························· 219


Modified command: isis timer hello ······················································································· 220

Modified feature: MP-group interface numbering ································· 220


Modified command: interface mp-group ················································································· 220 Modified command: display interface mp-group ······································································· 220 Modified command: ppp mp mp-group ·················································································· 221 Modified command: reset counters interface mp-group ····························································· 221

Release 0304P04 ········································································· 221

New feature: Media Stream Control (MSC) logging ······························ 221

Command reference ················································································································· 222 sip log enable ··················································································································· 222

Modified feature: ESP encryption algorithms ······································ 222


Modified command: esp encryption-algorithm ········································································· 223

Release 0304P02 ········································································· 223

New feature: IMSI/SN binding authentication ······································ 224

Command reference ················································································································· 224 ppp lcp imsi accept ············································································································ 224 ppp lcp imsi request ··········································································································· 224 ppp lcp imsi string·············································································································· 225 ppp lcp sn accept ·············································································································· 226 ppp lcp sn request ············································································································· 226 ppp lcp sn string ················································································································ 227 ppp user accept-format imsi-sn split ······················································································ 228 ppp user attach-format imsi-sn split······················································································· 229 ppp user replace ··············································································································· 229

New feature: Specifying a band for a 4G modem ································ 230

Command reference ················································································································· 230 lte band ··························································································································· 230

New feature: CFD ········································································ 231

New feature: Using tunnel interfaces as OpenFlow ports ······················ 231

New feature: NETCONF support for ACL filtering ································ 231

Command reference ················································································································· 232 netconf soap http acl ·········································································································· 232

ix

netconf soap https acl ········································································································ 233

New feature: Specifying a backup traffic processing unit ······················· 234

Specifying a backup traffic processing unit ···················································································· 234 Command reference ················································································································· 234

service standby ················································································································· 234

New feature: WAAS ······································································ 234

Configuring WAAS ··················································································································· 234 Command reference ················································································································· 234

New feature: Support for the MKI field in SRTP or SRTCP packets ········· 234

Command reference ················································································································· 235 mki ································································································································· 235

New feature: SIP domain name ······················································· 235

Command reference ················································································································· 236 sip-domain ······················································································································· 236

New feature: E&M logging ······························································ 236

Command reference ················································································································· 236 em log enable ··················································································································· 236

Modified feature: Setting the global link-aggregation load-sharing mode ·· 237


Modified command: link-aggregation global load-sharing mode ·················································· 237

Release 0304 ·············································································· 238

New feature: Setting the RTC version ··············································· 238

Configuring Setting the RTC version ···························································································· 238 Command reference ················································································································· 239

rta rtc version ··················································································································· 239

New feature: Setting the maximum size of advertisement files ··············· 240

Configuring the maximum size of advertisement files ······································································ 240 Command reference ················································································································· 240

New feature: IRF ·········································································· 240

Configuring IRF ······················································································································· 240 Command reference ················································································································· 240

New feature: Frame Relay ····························································· 240

Configuring Frame Relay ··········································································································· 240 Command reference ················································································································· 240

New feature: EVI ·········································································· 241

Configuring EVI ······················································································································· 241 Command reference ················································································································· 241

New feature: VPLS ······································································· 241

Configuring VPLS ···················································································································· 241 Command reference ················································································································· 241

New feature: Multicast VPN support for inter-AS option B ····················· 241

Configuring Multicast VPN support for inter-AS option B ·································································· 241 Command reference ················································································································· 241

Modified feature: 802.1X redirect URL ·············································· 242


x

Modified command: dot1x ead-assistant url ············································································ 242

Modified feature: Displaying information about NTP servers from the reference source to the primary NTP server ···················································· 242


Modified command: display ntp-service trace ·········································································· 242

Modified feature: Saving, rolling back, and loading the configuration ······· 243


Modified feature: Displaying information about SSH users ···················· 243


Modified command: display ssh user-information ····································································· 244

Removed feature: Displaying fabric utilization ····································· 244

Feature change description ········································································································ 244 Removed command ················································································································· 244

display fabric utilization ······································································································· 244

ESS 0302P06 ·············································································· 244

New feature: Object policies ··························································· 246

Configuring Object policies ········································································································ 246 Command reference ················································································································· 247

New feature: IPHC ······································································· 247

Configuring IPHC ····················································································································· 247 Command reference ················································································································· 247

New feature: Support of PPPoE server for IPv6 ·································· 247

Configuring Support of PPPoE server for IPv6 ··············································································· 247 Command reference ················································································································· 247

New feature: QSIG tunneling over SIP-T ··········································· 247

Configuring QSIG tunneling over SIP-T ························································································ 247 Command reference ················································································································· 248

New feature: Playout delay ····························································· 248

Configuring Playout delay ·········································································································· 248 Command reference ················································································································· 248

New feature: BGP L2VPN support for NSR ········································ 248

Configuring BGP L2VPN support for NSR ····················································································· 248 Command reference ················································································································· 248

New feature: BGP support for dynamic peers ····································· 249

Configuring BGP support for dynamic peers ·················································································· 249 Command reference ················································································································· 249

New feature: ARP PnP ·································································· 249

Configuring ARP PnP ··············································································································· 249 Command reference ················································································································· 249

New feature: Support of Syslog for DNS and support of customlog&userlog for IPv6 hosts ·················································································· 250

Configuring Support of Syslog for DNS and support of customlog&userlog for IPv6 hosts ······················ 250 Command reference ················································································································· 250

xi

New feature: QoS soft forwarding ···················································· 250

Configuring QoS soft forwarding ································································································· 250 Command reference ················································································································· 251

New feature: Filtering by application layer protocol status ····················· 251

Configuring Filtering by application layer protocol status ·································································· 251 Command reference ················································································································· 251

New feature: ADVPN support for multicast forwarding ·························· 251

Configuring ADVPN support for multicast forwarding ······································································ 251 Command reference ················································································································· 251

New feature: MPLS LDP support for IPv6 ·········································· 252

Configuring MPLS LDP support for IPv6 ······················································································· 252 Command reference ················································································································· 252

New feature: Port security ······························································ 252

Configuring Port security ··········································································································· 252 Command reference ················································································································· 253

New feature: Customizable IVR ······················································· 253

Configuring Customizable IVR ···································································································· 253 Command reference ················································································································· 253

New feature: SRST ······································································· 253

Configuring SRST ···················································································································· 253 Command reference ················································································································· 253

New feature: NEMO ······································································ 254

Configuring NEMO ··················································································································· 254 Command reference ················································································································· 254

New feature: Support of MFR and FR for L2VPN, FR QoS, and FR compression and fragmentation······················································· 254

Configuring Support of MFR and FR for L2VPN, FR QoS, and FR compression and fragmentation ········· 254 Command reference ················································································································· 254

New feature: Support for LLDP on CPOS interfaces ···························· 255

Configuring Support for LLDP on CPOS interfaces ········································································· 255 Command reference ················································································································· 255

New feature: SMS-based automatic configuration ······························· 255

Configuring SMS-based automatic configuration ············································································ 255 Command reference ················································································································· 255

New feature: ARP attack protection ·················································· 255

Configuring ARP attack protection ······························································································· 255 Command reference ················································································································· 256

New feature: SIP support for VRF ···················································· 256

Configuring SIP support for VRF ································································································· 256 Configuration guidelines ····································································································· 256 Configuration procedure ····································································································· 256

Command reference ················································································································· 256 vpn-instance ····················································································································· 256

ESS 0102 ··················································································· 257

New feature: Portal authentication ··················································· 258

Command reference ················································································································· 258

xii

New feature: MSDP ······································································ 258

Configuring MSDP ··················································································································· 258 Command reference ················································································································· 259

New feature: IPsec MIB and IKE MIB ··············································· 259

New feature: PoE ········································································· 259

Configuring PoE ······················································································································ 259 Command reference ················································································································· 260

New feature: CoPP software forwarding feature ·································· 260

Configuring CoPP ···················································································································· 260 Command reference ················································································································· 260

control-plane ···················································································································· 260 control-plane management ·································································································· 261 qos apply policy (interface view, control plane view) ································································· 261

New feature: Configuring MPLS LDP FRR ········································· 263

Configuring MPLS LDP FRR ······································································································ 263 Command reference ················································································································· 263

igp sync delay ··················································································································· 263 igp sync delay on-restart ····································································································· 265 mpls ldp igp sync disable ···································································································· 266

New feature: Enhanced routing features ············································ 266

Configuring enhanced routing features ························································································· 266 Command reference ················································································································· 267

non-stop-routing ················································································································ 267 ip route-static fast-reroute auto ···························································································· 267 import-route (RIP view) ······································································································· 268 import-route (OSPF view) ··································································································· 269 import-route (IS-IS view) ····································································································· 271 import-route (BGP view) ····································································································· 273 import-route (RIPng view) ··································································································· 275 import-route (OSPFv3 view) ································································································ 276 ipv6 import-route (IPv6 IS-IS view)························································································ 278

New feature: Python ····································································· 279

Using Python··························································································································· 279 Command reference ················································································································· 280

New feature: ATM ········································································ 280

Configuring ATM ······················································································································ 280 Command reference ················································································································· 280

New feature: DHCP MIB ································································ 280

DHCP MIB ······························································································································ 280 Command reference ················································································································· 280

if-match ··························································································································· 280

ESS 0006P02 ·············································································· 282

13

Release 0306P81

None.

Release 0306P80

None.

Release 0306P70

None.

Release 0306P52

This release has the following changes:

New feature: MAC address recording in TCP packets

New feature: Configuring the leased line service for an ISDN BRI interface

New feature: LLDP PVID inconsistency check

Modified feature: High encryption

Modified feature: OSPF

Modified feature: Policy-based routing

Modified feature: MIB objects

Modified feature: Setting ISP domain status

Modified feature: Excluding an attribute from portal protocol packets

Modified feature: NTP

Modified feature: Transceiver modules

Modified feature: E1POS

14

New feature: MAC address recording in

TCP packets

Configuring MAC address recording in TCP

packets

The router supports to add an option in each TCP packet sent from the terminal user to record the

MAC address of the terminal user.

Command reference

New command: tcp mac-record enable

Use tcp mac-record enable to enable the MAC address recording in TCP packets.

Use undo tcp mac-record to restore the default.

Syntax

tcp mac-record enable

undo mac-record

Default

The MAC address recording in TCP packets is disabled.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

This feature enables the device to add an option in each TCP packet to record MAC addresses.

Examples

# Enable the MAC address recording in TCP packets on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface GigabitEthernet 1/0/1

[Sysname-GigabitEthernet1/0/1] tcp mac-record enable

Related commands

tcp mac-record local

15

New command: tcp mac-record local

Use tcp mac-record local to specify the MAC address of the local device for MAC address

recording.

Use undo tcp mac-record local to restore the default.

Syntax

tcp mac-record local mac-address

undo tcp mac-record local

Default

The MAC address of the local device for MAC address recording is not specified.

Parameters

mac-address: Specifies the MAC address of the local device. This MAC address cannot be all 0s,

broadcast MAC address or multicast MAC address.

Views

System view


network-admin

Usage guidelines

This command is typically configured on the access devices that connect to terminal users, and is

used together with the tcp mac-record enable command.

With these two commands configured, the device adds options to each TCP packet to record the

specified MAC address of itself, and the MAC address of the terminal user.

Examples

# Specify the MAC address of the local device as 0102-0304-0506.


[Sysname] tcp mac-record local 0102-0304-0506

Related commands


16

New feature: Configuring the leased line

service for an ISDN BRI interface

Configuring the leased line service for an ISDN BRI interface

ISDN leased lines are implemented by establishing semi-permanent connections. This requires the

PBXs of your telecommunication service provider to provide leased lines and be connected to the

remote device.

To configure the leased line service for an ISDN BRI interface:



4. Enter ISDN BRI interface view.

interface bri interface-number N/A

5. Configure the leased line service for the ISDN BRI interface.

isdn leased-line [ B1 | B2 | 128 ] By default, the leased line service is not configured for an ISDN BRI interface.

Command reference

New command: isdn leased-line

Use isdn leased-line [ B1 | B2 | 128 ] to configure the leased line service for an ISDN BRI interface.

Use undo isdn leased-line [ B1 | B2 | 128 ] to remove the leased line service configuration for an

ISDN BRI interface.

Syntax

isdn leased-line [ B1 | B2 | 128 ]

undo isdn leased-line [ B1 | B2 | 128 ]

Default

The leased line service is not configured for an ISDN BRI interface.

Views

ISDN BRI interface view


network-admin

network-operator

17

Parameters

B1: Uses channel B1 as a 64-kbps leased line.

B2: Uses channel B2 as a 64-kbps leased line.

128: Combines channels B1 and B2 into a 128-kbps leased line.

Usage guidelines

The isdn leased-line command without any keywords configures both the B1 and B2 channels as

64-kbps leased lines.

The undo isdn leased-line command without any keywords removes the leased line service

configuration from the specified BRI interface.

You can directly switch an ISDN BRI interface from 64-kbps leased line service to 128-kbps leased

line service, or vice versa.

This command is not available on BSV interfaces.

Examples

# Combine channels B1 and B2 on BRI 2/1 to provide a 128-kbps leased line.


[Sysname] interface bri 2/1

[Sysname-Bri2/1] isdn leased-line 128

New feature: LLDP PVID inconsistency

check

Disabling LLDP PVID inconsistency check

By default, when the system receives an LLDP packet, it compares the PVID value contained in

packet with the PVID configured on the receiving interface. If the two PVIDs do not match, a log

message will be printed to notify the user.

You can disable PVID inconsistency check if different PVIDs are required on a link.

To disable LLDP PVID inconsistency check:



7. Disable LLDP PVID inconsistency check.

lldp ignore-pvid-inconsistency By default, LLDP PVID inconsistency check is enabled.

18

Command reference

lldp ignore-pvid-inconsistency

Use lldp ignore-pvid-inconsistency to disable LLDP PVID inconsistency check.

Use undo lldp ignore-pvid-inconsistency to enable LLDP PVID inconsistency check.

Syntax

lldp ignore-pvid-inconsistency

undo lldp ignore-pvid-inconsistency

Default

LLDP PVID inconsistency check is enabled.

Views

System view

Default command level

network-admin

Usage guidelines

By default, when the system receives an LLDP packet, it compares the PVID value contained in

packet with the PVID configured on the receiving interface. If the two PVIDs do not match, a log

message will be printed to notify the user.

You can disable PVID inconsistency check if different PVIDs are required on a link.

Examples

# Disable LLDP PVID inconsistency check.


[Sysname] lldp ignore-pvid-inconsistency

Modified feature: High encryption

Feature change description

In this release, the HPE router does not require a license to support high encryption. It operates in

high encryption mode by default.

19

Modified feature: OSPF


The device can automatically obtain a router ID from an OSPF interface.

Command reference

Modified command: OSPF

Old syntax

ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ] *

undo ospf [ process-id ]

New syntax

ospf [ process-id | router-id { auto-select | router-id } | vpn-instance vpn-instance-name ] *

undo ospf [ process-id ] [ router-id ]

Views

System view

Change description

The auto-select keyword was added to the command for the device to automatically obtain a router

ID from an OSPF interface.

Modified feature: Policy-based routing


The apply remark-vpn command was newly added. You can execute this command in policy node

view or IPv6 policy node view to mark the VPN instance for matching packets.

Command reference

New command: apply remark-vpn

Use apply remark-vpn to mark the VPN instance for matching packets.

Use undo apply remark-vpn to restore the default.

20

Syntax

apply remark-vpn

undo apply remark-vpn

Default

The VPN instance is not marked for matching packets.

Views

Policy node view


network-admin

Usage guidelines

The apply access-vpn vpn-instance command is used to forward matching packets in a specified

VPN instance. To make the VPN instance known to the service modules, use the apply remark-vpn

command to mark the VPN instance in the packets.

This command must be used together with the apply access-vpn vpn-instance command.

This command marks a VPN instance in a packet only when the packet is forwarded in the VPN

instance specified by the apply access-vpn vpn-instance command.

Examples

# Mark VPN instance vpn1 for packets that match ACL 3000.


[Sysname] policy-based-route aaa permit node 10

[Sysname-pbr-aaa-10] if-match acl 3000

[Sysname-pbr-aaa-10] apply access-vpn vpn-instance vpn1

[Sysname-pbr-aaa-10] apply remark-vpn

Modified feature: MIB objects


The startup2Net object in the hh3c-config-man.mib was modified to specify the startup configure

file. The description for the startup object was changed accordingly.

21

Modified feature: Setting ISP domain

status


An ISP domain can be blocked based on time ranges.

Command changes

Modified command: state

Old syntax

state { active | block }

New syntax

state { active | block [ time-range ] [ offline ] }

Views

ISP domain view

Change description

The time-range and offline keywords were added to this command.

time-range: Blocks the ISP domain based on time ranges. If you do not specify this keyword, the ISP

domain is in blocked state until you manually set the state to active.

offline: Logs off all online users when the ISP domain state changes from active to blocked.

New command: state block time-range name

Use state block time-range name to specify a time range during which an ISP domain is in blocked

state.

Use undo state block time-range name to remove a time range or all time ranges during which an

ISP domain is in blocked state.

Syntax

state block time-range name time-range-name

undo state block time-range { all | name time-range-name }

Default

No time ranges are specified to block an ISP domain.

Views

ISP domain view

22


network-admin

Parameters

time-range-name: Specifies a time range by its name, a case-insensitive string of 1 to 32 characters.

The name must start with a letter and cannot be the word all.

all: Removes all time ranges.

Usage guidelines

An ISP domain is blocked during the specified time ranges only when the ISP domain is set to be

blocked based on time ranges. To block an ISP domain based on time ranges, use the state block

time-range command.

Execute this command multiple times to specify multiple time ranges during which an ISP domain is

blocked.

Examples

# Specify ISP domain test to be blocked during time ranges t1 and t2.


[Sysname] domain test

[Sysname-isp-test] state block time-range name t1

[Sysname-isp-test] state block time-range name t2

Modified feature: Excluding an attribute

from portal protocol packets

Excluding an attribute from portal protocol packets

Support of the portal authentication server for portal protocol attributes varies by the server type. If

the device sends the portal authentication server a packet that contains an attribute unsupported by

the server, the device and the server cannot communicate.

To address this issue, you can configure portal protocol packets to not carry the attributes

unsupported by the portal authentication server.

To exclude an attribute from portal protocol packets:



9. Enter portal authentication server view.

portal server server-name N/A

10. Exclude an attribute from portal protocol packets.

exclude-attribute number { ack-auth | ntf-logout | ack-logout }

By default, no attributes are excluded from portal protocol packets.

23

Command reference

New command: exclude-attribute

Use exclude-attribute to exclude an attribute from portal protocol packets.

Use undo exclude-attribute to not exclude an attribute from portal protocol packets.

Syntax

exclude-attribute number { ack-auth | ntf-logout | ack-logout }

undo exclude-attribute number { ack-auth | ntf-logout | ack-logout }

Default

No attributes are excluded from portal protocol packets.

Views

Portal authentication server view


network-admin

Parameters

number: Specifies an attribute by its number in the range of 1 to 255.

ack-auth: Excludes the attribute from ACK_AUTH packets.

ntf-logout: Excludes the attribute from NTF_LOGOUT packets.

ack-logout: Excludes the attribute from ACK_LOGOUT packets.

Usage guidelines

Support of the portal authentication server for portal protocol attributes varies by the server type. If

the device sends the portal authentication server a packet that contains an attribute unsupported by

the server, the device and the server cannot communicate.

To address this issue, you can configure this command to exclude the unsupported attributes from

specific portal protocol packets sent to the portal authentication server.

You can specify multiple excluded attributes. For an excluded attribute, you can specify multiple

types of portal protocol packets (ack-auth, ntf-logout, and ack-logout).

Table 1 describes all attributes of the portal protocol.

Table 1 Portal attributes

Name Number Description

UserName 1 Username of the user to be authenticated.

PassWord 2 Plaintext password submitted by the user.

24

Name Number Description

Challenge 3 Random challenge for CHAP authentication.

ChapPassWord 4 CHAP password encrypted by MD5.

TextInfo 5

The device uses this attribute to transparently transport prompt information of a RADIUS server or packet error information to the portal authentication server.

The attribute value can be a string excluding the end character '\0'. This attribute can exist in any packet from the device to the portal server. A packet can contain multiple TextInfo attributes. As a best practice, carry only one TextInfo attribute in a packet.

UpLinkFlux 6 Uplink (output) traffic of the user, an 8-byte unsigned integer, in KB.

DownLinkFlux 7 Downlink (input) traffic of the user, an 8-byte unsigned integer, in KB.

Port 8 Port information, a string excluding the end character '\0'.

IP-Config 9

This attribute has different meanings in different types of packets.

The device uses this attribute in ACK _AUTH (Type=0x04) packets to notify the portal server that the user requires re-DHCP.

The device uses this attribute in ACK_LOGOUT (Type=0x06) and NTF_LOGOUT (Type=0x08) packets to indicate that the current user IP address must be released. The portal server must notify the user to release the public IP address through DHCP. The device will reallocate a private IP address to the user.

Examples

# Exclude the UpLinkFlux attribute (number 6) from portal ACK_AUTH packets.


[Sysname] portal server pts

[Sysname-portal-server-pts] exclude-attribute 6 ack-auth

Related commands

display portal server

Modified command: display portal server

Syntax

display portal server [ server-name ]

Views

Any view

Change description

The Exclude-attribute field was added to the output of this command.

25

Modified feature: NTP


NTP can use advanced ACLs to filter packets by source and destination IP addresses.

Command changes

Modified command: ntp-service authentication-keyid

Old syntax

ntp-service authentication-keyid keyid authentication-mode md5 { cipher | simple } value

New syntax

ntp-service authentication-keyid keyid authentication-mode md5 { cipher | simple } value [ acl

ipv4-acl-number | ipv6 acl ipv6-acl-number ] *

Views

System view

Change description

The acl ipv4-acl-number and ipv6 acl ipv6-acl-number options were added to the command.

Modified command: sntp authentication-keyid

Old syntax

sntp authentication-keyid keyid authentication-mode md5 { cipher | simple } value

New syntax

sntp authentication-keyid keyid authentication-mode md5 { cipher | simple } value [ acl

ipv4-acl-number | ipv6 acl ipv6-acl-number ] *

Views

System view

Change description

The acl ipv4-acl-number and ipv6 acl ipv6-acl-number options were added to the command.

26

Modified feature: Transceiver modules


The names of SFP-GE-LH70-SM1550 and SFP-GE-LH70-SM1550-D transceiver modules were

changed to SFP-GE-LH80-SM1550 and SFP-GE-LH80-SM1550-D, respectively. Their transmission

distance was increased from 70 km (43.50 miles) to 80 km (49.71 miles).

Modified feature: E1POS


This release added support for displaying the modem negotiation rate of E1POS by using the debug

command.

Release 0306P30


New feature: SIP compatibility

Modified feature: OSPF performance optimization

Modified feature: Telnet redirect

Modified feature: POS terminal access

Modified feature: License

Modified feature: IP performance optimization

New feature: SIP compatibility

Configuring SIP compatibility

If a third-party device does not implement SIP in strict accordance with the RFC standard, you can

configure SIP compatibility for the router to interoperate with the third-party device.

With the sip-compatible t38 command configured, the router excludes :0 from the following SDP

parameters in the originated re-INVITE messages:

27

T38FaxTranscodingJBIG.

T38FaxTranscodingMMR.

T38FaxFillBitRemoval.

With the sip-compatible x-param command configured, the router adds SDP description

information (a=X-fax and a=X-modem) for fax pass-through and modem pass-through in the

originated re-INVITE messages.

To configure SIP compatibility:



12. Enter voice view. voice-setup N/A

13. Enter SIP view. sip N/A

14. Configure SIP compatibility. sip-compatible { t38 | x-param } By default, SIP compatibility is not configured.

Command reference

sip-compatible

Use sip-compatible to configure SIP compatibility with a third-party device.

Use undo sip-compatible to restore the default.

Syntax

sip-compatible { t38 | x-param }

undo sip-compatible { t38 | x-param }

Default

SIP compatibility is not configured.

Views

SIP view


network-admin

Parameters

t38: Configures SIP compatibility for standard T.38 fax. With this keyword specified, the router

excludes :0 from the following SDP parameters in the originated re-INVITE messages:

T38FaxTranscodingJBIG.

T38FaxTranscodingMMR.

T38FaxFillBitRemoval.

28

This keyword is required when the router interoperates with a third-party softswitch device to

exchange T.38 fax messages.

x-param: Configures SIP compatibility for fax pass-through and modem pass-through. With this

keyword specified, the router adds SDP description information for fax pass-through and modem

pass-through to outgoing re-INVITE messages. This keyword is required when the router

interoperates with a third-party softswitch device to perform fax pass-through and modem

pass-through.

Usage guidelines

The t38 and x-param keywords can be both configured to interoperate with a third-party softswitch

device.

Examples

# Configure SIP compatibility for standard T.38 fax.


[Sysname] voice-setup

[Sysname-voice] sip

[Sysname-voice-sip] sip-compatible t38

Modified feature: OSPF performance

optimization


You can set a fixed OSPF SPF calculation interval in the range of 0 to 10000 milliseconds.

The value range for the LSU packet sending interval was changed to 0 to 1000 milliseconds.

Command changes

Modified command: spf-schedule-interval

Old syntax

spf-schedule-interval { maximum-interval [ minimum-interval [ incremental-interval ] ] }

New syntax

spf-schedule-interval { maximum-interval [ minimum-interval [ incremental-interval ] ] | millisecond

interval }

Views

OSPF view

29

Change description

The millisecond interval argument was added to the command. You can specify this argument to set

a fixed OSPF SPF calculation interval in the range of 0 to 10000 milliseconds.

Modified command: transmit-pacing

Syntax

transmit-pacing interval interval count count

Views

OSPF view

Change description

Before modification: The value range for the interval argument was 10 to 1000 milliseconds.

After modification: The value range for the interval argument is 0 to 1000 milliseconds.

Modified feature: Telnet redirect


Authentication was added on MSR 3000 series routers for Telnet redirect users.

Logging was added for Telnet redirect login events and Telnet redirect exit events.

Modified feature: POS terminal access


The posa auto-stop-service enable command added the function of setting the access interfaces

for all E1POS terminal templates to reply with busy tones when all FEPs are unreachable.

Command changes

Modified command: posa auto-stop-service enable

Syntax

posa auto-stop-service enable

Views

System view

30

Change description

Before modification, this command enables automatic shutdown of the listening ports for TCP-based

POS terminal templates when all FEPs that correspond to TCP-based POS application templates

are unreachable. When any of the FEPs becomes reachable, the router automatically opens the

listening ports for all TCP-based POS terminal templates.

After modification, this command enables the router to automatically perform the following

operations when all FEPs that correspond to TCP-based POS application templates are

unreachable:

Shuts down the listening ports for all TCP-based POS terminal templates.

Sets the access interfaces for all E1POS terminal templates to reply with busy tones.

When any of the FEPs becomes reachable, the router automatically performs the following

operations:

Opens the listening ports for all TCP-based POS terminal templates.

Disables busy tone for all E1POS terminal templates.

Modified feature: License


The device uses high encryption algorithms by default and does not require a license.

Modified feature: IP performance

optimization


The device supports recording MAC addresses in TCP packets. You can also configure the device to

record the MAC address of the local device in TCP packets.

Command changes

New command: tcp mac-record enable

Use tcp mac-record enable to enable MAC address recording in TCP packets.

Use undo tcp mac-record enable to disable MAC address recording in TCP packets.

Syntax


31

undo tcp mac-record enable

Default

MAC address recording in TCP packets is disabled.

Views

Interface view


network-admin

Usage guidelines

This feature records the MAC address of the packet originator in a TCP option. When an attack

occurs, the administrator can quickly locate the attack source according to the recorded MAC

addresses.

Examples

# Enable MAC address recording in TCP packets on GigabitEthernet 1/0/1.


[Sysname] interface GigabitEthernet 0/1

[Sysname-GigabitEthernet0/1] tcp mac-record enable

New command: tcp mac-record local

Use tcp mac-record local to record the MAC address of the local device in TCP packets.

Use undo tcp mac-record local to restore the default.

Syntax

tcp mac-record local mac-address

undo tcp mac-record local

Default

The destination MAC address is recorded.

Views

System view


network-admin

Parameters

mac-address: Specifies the MAC address of the local device. The MAC address cannot be all 0s,

broadcast MAC address, or multicast MAC address.

Usage guidelines

To make this command take effect, you must enable MAC address recording in TCP packets by

using the tcp mac-record enable command.

32

Examples

# Record the MAC address of the local device 0605-0403-0201 in TCP packets.


[Sysname] tcp mac-record local 0605-0403-0201

Release 0306P12


Modified feature: Configuring an SSH user

Modified feature: AAA

Modified feature: Configuring a cellular interface for a 3G/4G modem

Modified feature: VXLAN

Modified feature: DHCP

Modified feature: Configuring an SSH user


Starting from this software version, the device checks the username validity when an SSH user is

created.

Modified feature: AAA


Starting from this software version, you can configure the authorization method for IKE extended

authentication.

Command changes

New command: authorization ike

Use authorization ike to configure the authorization method for IKE extended authentication.

Use undo authorization ike to restore the default.

Syntax

In non-FIPS mode:

33

authorization ike { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authorization ike

In FIPS mode:

authorization ike { local | radius-scheme radius-scheme-name [ local ] }

undo authorization ike

Default

The default authorization method for the ISP domain is used for IKE extended authentication.

Views

ISP domain view


network-admin

Parameters

local: Performs local authorization.

none: Does not perform authorization.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive

string of 1 to 32 characters.

Examples

# In ISP domain test, perform local authorization for IKE extended authentication.



[Sysname-isp-test] authorization ike local

# In ISP domain test, use RADIUS scheme rd as the primary authorization method and local

authorization as the backup authorization method for IKE extended authentication.



[Sysname-isp-test] authorization ike radius-scheme rd local

Modified feature: Configuring a cellular

interface for a 3G/4G modem


In this release, you can set the RSSI thresholds for a 3G/4G modem.

34

Command changes

New command: rssi

Use rssi to set the RSSI thresholds for a 3G/4G modem.

Use undo rssi to restore the default.

Syntax

rssi { gsm | 1xrtt | evdo | lte } { low lowthreshold | medium mediumthreshold } *

undo rssi { gsm | 1xrtt | evdo | lte } [ low | medium ]

Default

The lower and upper thresholds for a 3G/4G modem are –150 dBm and 0 dBm, respectively.

Views

Cellular interface view


network-admin

Parameters

1xrtt: Specifies the 1xRTT mode.

evdo: Specifies the EVDO mode.

gsm: Specifies the GSM mode.

lte: Specifies the LTE mode.

low lowthreshold: Specifies the lower RSSI threshold value in the range of 0 to 150, which represent

a lower RSSI threshold in the range of –150 dBm to 0 dBm. The value of lowthreshold cannot be

smaller than the value of mediumthreshold because the system automatically adds a negative sign

to the RSSI thresholds.

medium mediumthreshold: Specifies the upper RSSI threshold value in the range of 0 to 150, which

represent an upper RSSI threshold in the range of –150 dBm to 0 dBm.

Usage guidelines

The device performs the following operations based on the actual RSSI of the 3G/4G modem:

Sends a trap that indicates high RSSI when the RSSI exceeds the upper threshold.

Sends a trap that indicates normal RSSI when the RSSI is between the lower threshold and

upper threshold (included).

Sends a trap that indicates low RSSI when the RSSI drops to or below the lower threshold.

Sends a trap that indicates low RSSI every 10 minutes when the RSSI remains equal to or

smaller than the lower threshold.

To view the RSSI change information for a 3G/4G modem, use the display cellular command.

35

Examples

# Set the lower threshold for a 3G/4G modem in GSM mode to –110 dBm.


[Sysname] interface cellular 0/0

[Sysname-Cellular0/0] rssi gsm low 110

Modified feature: VXLAN


This release added support for QoS in the outbound direction of VXLAN tunnel interfaces.

Command changes

None.

Modified feature: DHCP


Starting from this software version, you can configure the DHCP server to send DHCP replies that do

not contain Option 60.

Command changes

New command: dhcp server reply-exclude-option60

Use dhcp server reply-exclude-option60 to configure the DHCP server to send DHCP replies that

do not contain Option 60.

Use undo dhcp server reply-exclude-option60 to restore the default.

Syntax

dhcp server reply-exclude-option60

undo dhcp server reply-exclude-option60

Default

The DHCP server sends DHCP replies containing Option 60.

Views

System view

36


network-admin

Example

# Configure the DHCP server to send DHCP replies that do not contain Option 60.


[Sysname] dhcp server reply-exclude-option6

Release 0306P11


New feature: Voice VLAN

Modified feature: MPLS QoS support for matching the EXP field

Modified feature: MPLS QoS support for marking the EXP field

Modified feature: Automatic configuration

Removed feature: Tinyproxy

New feature: Voice VLAN

Configuring a voice VLAN

Configuring a port to operate in automatic voice VLAN assignment mode



16. (Optional.) Set the voice VLAN aging timer.

voice-vlan aging minutes By default, the aging timer of a voice VLAN is 1440 minutes.

17. (Optional.) Enable the voice VLAN security mode.

voice-vlan security enable By default, the voice VLAN security mode is enabled.

18. (Optional.) Add an OUI address for voice packet identification.

voice-vlan mac-address oui mask oui-mask [ description text ]

By default, system default OUI addresses exist.

37


19. Enter interface view.

Enter Layer 2 Ethernet interface view: interface interface-type

interface-number

Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number

Enter S-channel interface view: interface s-channel interface-number.channel-id

Enter S-channel aggregate interface view: interface schannel-aggregation interface-number:channel-id

Enter Layer 2 RPR logical interface view: interface rpr-bridge interface-number

N/A

20. Set the link type of the port.

Set the port link type to trunk: port link-type trunk

Set the port link type to hybrid: port link-type hybrid

N/A

21. Configure the port to operate in automatic voice VLAN assignment mode.

voice-vlan mode auto By default, the automatic voice VLAN assignment mode is enabled.

22. Enable the voice VLAN feature on the port.

voice-vlan vlan-id enable

By default, the voice VLAN feature is disabled.

Before you execute this command, make sure the specified VLAN already exists.

Configuring a port to operate in manual voice VLAN

assignment mode



24. (Optional.) Enable the voice VLAN security mode.

voice-vlan security enable By default, the voice VLAN security mode is enabled.

25. (Optional.) Add an OUI address for voice packet identification.

voice-vlan mac-address oui mask oui-mask [ description text ]

By default, system default OUI addresses exist.

38


26. Enter interface view.

Enter Layer 2 Ethernet interface view: interface interface-type interface-number

Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number

Enter S-channel interface view: interface s-channel

interface-number.channel-id

Enter S-channel aggregate interface view: interface schannel-aggregation interface-number:channel-id

Enter Layer 2 RPR logical interface view: interface rpr-bridge interface-number

N/A

27. Configure the port to operate in manual voice VLAN assignment mode.

undo voice-vlan mode auto By default, a port operates in automatic voice VLAN assignment mode.

28. Set the link type of the port.

Set the port link type to access: port link-type access

Set the port link type to trunk: port link-type trunk

Set the port link type to hybrid: port link-type hybrid

By default, each port is an access port.

29. Assign the access, trunk, or hybrid port to the voice VLAN.

For the access port: port access vlan vlan-id

For the trunk port: port trunk permit vlan { vlan-id-list | all }

For the hybrid port: port hybrid vlan vlan-id-list { tagged | untagged }

After you assign an access port to the voice VLAN, the voice VLAN becomes the PVID of the port.

30. (Optional.) Configure the voice VLAN as the PVID of the trunk or hybrid port.

For the trunk port: port trunk pvid vlan vlan-id

For the hybrid port: port hybrid pvid vlan vlan-id

This step is required for untagged incoming voice traffic and prohibited for tagged incoming voice traffic.

31. Enable the voice VLAN feature on the port.

voice-vlan vlan-id enable

By default, the voice VLAN feature is disabled.

Before you execute this command, make sure the specified VLAN already exists.

Enabling LLDP for automatic IP phone discovery



33. Enable LLDP for automatic IP phone discovery.

voice-vlan track lldp By default, LLDP for automatic IP phone discovery is disabled.

39

Configuring LLDP to advertise a voice VLAN

For IP phones that support LLDP, the device advertises the voice VLAN information to the IP phones

through LLDP-MED TLVs.

To configure LLDP to advertise a voice VLAN:



35. Enter Layer 2 Ethernet interface view.

interface interface-type interface-number

N/A

36. Configure an advertised voice VLAN ID.

lldp tlv-enable med-tlv network-policy vlan-id

By default, no advertised voice VLAN ID is configured.

Configuring CDP to advertise a voice VLAN

If an IP phone supports CDP but does not support LLDP, it sends CDP packets to the device to

request the voice VLAN ID. If the IP phone does not receive the voice VLAN ID within a time period,

it sends out untagged voice packets. These untagged voice packets cannot be differentiated from

other types of packets.

You can configure CDP compatibility on the device to enable it to perform the following operations:

Receive and identify CDP packets from the IP phone.

Send CDP packets to the IP phone. The voice VLAN information is carried in the CDP packets.

After receiving the advertised VLAN information, the IP phone starts automatic voice VLAN

configuration. Packets from the IP phone will be transmitted in the dedicated voice VLAN.

To configure CDP to advertise a voice VLAN:



38. Enable CDP compatibility. lldp compliance cdp By default, CDP compatibility is disabled.

39. Enter Layer 2 Ethernet interface view.

interface interface-type interface-number

N/A

40. Configure CDP-compatible LLDP to operate in TxRx mode.

lldp compliance admin-status cdp txrx

By default, CDP-compatible LLDP operates in disable mode.

41. Configure an advertised voice VLAN ID.

cdp voice-vlan vlan-id By default, no advertised voice VLAN ID is configured.

Displaying and maintaining voice VLANs

Execute display commands in any view.

40

Task Command

Display the voice VLAN state. display voice-vlan state

Display OUI addresses on a device. display voice-vlan mac-address

Command reference

The following commands were added:

display voice-vlan mac-address.

display voice-vlan state.

voice-vlan aging.

voice-vlan enable.

voice-vlan mac-address.

voice-vlan mode auto.

voice-vlan security enable.

voice-vlan track lldp.

For more information about these commands, see H3C MSR Series Routers Layer 2—LAN

Switching Command Reference(V7).

Modified feature: MPLS QoS support for

matching the EXP field

Matching the EXP field in the second MPLS label

In this release, MPLS QoS supports matching the EXP fields in both the topmost (first) MPLS label

and the second MPLS label.

Command reference

New command: if-match second-mpls-exp

Use if-match second-mpls-exp to define a criterion to match the EXP field in the second MPLS

label.

Use undo if-match second-mpls-exp to delete the match criterion.

Syntax

if-match [ not ] second-mpls-exp exp-value&<1-8>

undo if-match [ not ] second-mpls-exp exp-value&<1-8>

41

Default

No criterion is defined to match the EXP field in the second MPLS label.

Views

Traffic class view


network-admin

Parameters

not: Matches packets not conforming to the specified criterion.

exp-value&<1-8>: Specifies a space-separated list of up to eight EXP values. The value range for

the exp-value argument is 0 to 7. If the same MPLS EXP value is specified multiple times, the system

considers them as one. If a packet matches one of the defined MPLS EXP values, it matches the

if-match clause.

Examples

# Define a criterion to match packets with EXP value 3 or 4 in the second MPLS label.


[Sysname] traffic classifier database

[Sysname-classifier-database] if-match second-mpls-exp 3 4

Modified feature: MPLS QoS support for

marking the EXP field

Marking the EXP field in the second MPLS label

In this release, MPLS QoS supports marking the EXP fields in both the topmost (first) MPLS label

and the second MPLS label.

Command reference

New command: remark second-mpls-exp

Use remark second-mpls-exp to configure an EXP value marking action for the second MPLS label

in a traffic behavior.

Use undo remark second-mpls-exp to delete the action.

Syntax

remark second-mpls-exp second-mpls-exp-value

undo remark second-mpls-exp second-mpls-exp-value

42

Default

No EXP value marking action for the second MPLS label is configured in a traffic behavior.

Views

Traffic behavior view


network-admin

Parameters

second-mpls-exp-value: Specifies an EXP value for the second MPLS label, in the range of 0 to 7.

Examples

# Define a traffic behavior to mark packets with EXP value 3 for the second MPLS label.


[Sysname] traffic behavior b1

[Sysname-behavior-b1] remark second-mpls-exp 3



In this release, you can set the maximum retry attempts for automatic configuration. The device will

retry obtaining the settings until the retry attempts reach the limit. If you set the maximum retry

attempts to 0, the device does not perform a retry when encountering an automatic configuration

failure.

Removed feature: Tinyproxy


Support for the tinyproxy feature was removed.

Removed command

http-proxy

Syntax

http-proxy

undo http-proxy

43

Views

System view

Release 0306P07


New feature: L2TP-based EAD

New feature: CFD configuration

Modified feature: Support using dots in user profile name

Modified feature: Default size of the TCP receive and send buffer

Modified feature: Support for obtaining fan tray and power module vendor information through MIB

Modified feature: Supporting per-packet load sharing


Modified feature: Software image signature

New feature: L2TP-based EAD

Enabling L2TP-based EAD

EAD authenticates PPP users that pass the access authentication. PPP users that pass EAD

authentication can access network resources. PPP users that fail EAD authentication can only

access the resources in the quarantine areas.

EAD uses the following procedure:

1. The iNode client uses L2TP to access the LNS. After the client passes the PPP authentication,

the CAMS/IMC server assigns isolation ACLs to the LNS. The LNS uses the isolation ACLs to

filter incoming packets.

2. After the IPCP negotiation, the LNS sends the IP address of the CAMS/IMC server to the iNode

client. The server IP address is permitted by the isolation ACLs.

3. The CAMS/IMC sever authenticates the iNode client and performs security check for the iNode

client. If the iNode client passes security check, the CAMS/IMC server assigns security ACLs

for the iNode client to the LNS. The iNode client can access network resources.

To enable L2TP-based EAD:



43. Create a VT interface and enter its view

interface virtual-template virtual-template-number

N/A

44


44. Enable L2TP-based EAD. ppp access-control enable By default, L2TP-based EAD is disabled.

Command reference

ppp access-control enable

Use ppp access-control enable to enable L2TP-based EAD.

Use undo ppp access-control enable to disable L2TP-based EAD.

Syntax

ppp access-control enable

undo ppp access-control enable

Default

L2TP-based EAD is disabled.

Views

VT interface view


network-admin

Usage guidelines

This command does not apply to VA interfaces that already existed in the VT interface. It only applies

to newly created VA interfaces.

Different ACLs are required for different users if the VT interface is used as the access interface for

the LNS.

After L2TP-based EAD is enabled, the LNS transparently passes CAMS/IMC packets to the iNode

client to inform the client of EAD server information, such as the IP address.

Examples

# Enable L2TP-based EAD.


[Sysname] interface virtual-template 10

[Sysname-Virtual-Template10] ppp access-control enable

display ppp access-control interface

Use display ppp access-control interface to display access control information for VA interfaces

on a VT interface.

Syntax

display ppp access-control interface { interface-type interface-number | interface-name }

45

Views

Any view


network-admin

network-operator

Parameters

interface-type interface-number: Specifies an interface by its type and number.

interface-name: Specifies an interface by its name.

Examples

# Display access control information for VA interfaces on VT interface 2.

<Sysname> display ppp access-control interface virtual-template 2

Interface: Virtual-Template2:0

User Name: mike

In-bound Policy: acl 3000

Totally 0 packets, 0 bytes, 0% permitted,

Totally 0 packets, 0 bytes, 0% denied.

Interface: Virtual-Template2:1

User Name: tim

In-bound Policy: acl 3001

Totally 0 packets, 0 bytes, 0% permitted,

Totally 0 packets, 0 bytes, 0% denied.

Table 1 Command output

Field Description

Interface VA interface that the PPP user accesses.

User Name Username of the PPP user.

In-bound Policy Security ACLs for the PPP user.

Totally x packets, x bytes, x% permitted Total number, data rate, and pass percentage of permitted packets.

Totally x packets, x bytes, x% denied Total number, data rate, and reject percentage of denied packets.

New feature: CFD configuration

Configuring CFD configuration

Configuring a two-way DM continuity test.

Setting the delay thresholds in a two-way DM continuity test.

46

Configuring a one-way packet loss continuity test.

Setting the packet loss ratio thresholds in a one-way packet loss continuity test.

Setting the time that a blocked port must wait before it comes up in a one-way packet loss

continuity test.

Configuring a bit error continuity test.

Setting the error packet ratio thresholds in a bit error continuity test.

Displaying two-way DM continuity test results.

Displaying one-way packet loss continuity test results.

Setting the test mode and action for triggering port association.

Displaying bit error test results.

Command reference

cfd dm two-way continual

cfd dm two-way threshold

cfd slm continual

cfd slm threshold

cfd slm port-trigger up-delay

cfd tst continual

cfd tst threshold

display cfd dm two-way history

display cfd slm history

cfd port-trigger

display cfd tst history

See HPE FlexNetwork MSR Router Series Command References(V7).

Modified feature: Support using dots in

user profile name


In this release, the user profile name supports using dots (.).

47

Command changes

Modified command: user-profile

Syntax

user-profile profile-name

undo user-profile profile-name

Views

System view

Change description

Before modification: The user profile name is a case-sensitive string of 1 to 31 characters. Valid

characters are letters, digits, and underscores (_), and the name must start with an English letter.

After modification: The user profile name is a case-sensitive string of 1 to 31 characters. Valid

characters are letters, digits, underscores (_), and dots (.), and the name must start with an English

letter.

Modified feature: Default size of the TCP

receive and send buffer


The default value for the TCP receive and send buffer size was changed to 63 KB.

To set the TCP buffer size:



46. Set the TCP receive and send buffer size.

tcp window window-size By default, the TCP receive and send buffer size is 63 KB.

Command changes

Modified command: tcp window

Syntax

tcp window window-size

undo tcp window

48

Views

System view

Change description

Before modification: The default value for the window-size argument was 64 KB.

After modification: The default value for the window-size argument is 63 KB.

Modified feature: Support for obtaining fan tray and power module vendor information through MIB


In this release, the device supports obtaining fan tray and power module vendor information through

MIB.

Command changes

None

Modified feature: Supporting per-packet load sharing


The per-packet keyword was added to the ip load-sharing mode command to support per-packet

load sharing.

Command changes

Modified command: ip load-sharing mode

Old syntax

Centralized devices:

ip load-sharing mode per-flow [ dest-ip | dest-port | ip-pro | src-ip | src-port ] * ]

Centralized IRF devices–Distributed devices–In standalone mode:

ip load-sharing mode per-flow [ dest-ip | dest-port | ip-pro | src-ip | src-port ] * ] [ slot

slot-number ]

49

Distributed devices–In IRF mode:

ip load-sharing mode per-flow [ dest-ip | dest-port | ip-pro | src-ip | src-port ] * ] [ chassis

chassis-number slot slot-number ]

New syntax


ip load-sharing mode { per-flow [ [ dest-ip | dest-port | ip-pro | src-ip | src-port ] * ] | per-packet }


ip load-sharing mode { per-flow [ dest-ip | dest-port | ip-pro | src-ip | src-port ] * ] | per-packet }


ip load-sharing mode { per-flow [ dest-ip | dest-port | ip-pro | src-ip | src-port ] * ] | per-packet }

Views

System view

Change description

The per-packet keyword was added to the ip load-sharing mode command to support per-packet

load sharing.



A limit was added to the number of automatic configuration attempts. If the device fails to be

automatically configured within the limit, the device quits the automatic configuration process.

Command changes

None

Modified feature: Software image signature


A field was added to output from a set of display commands to display software image signature

information.

50

Command changes

Modified command: display install active

Syntax


display install active [ verbose ]


display install active [ slot slot-number ] [ verbose ]


display install active [ chassis chassis-number slot slot-number ] [ verbose ]

Views

Any view

Change description

The Software image signature field was added to display software image signature information.


Field Description

Software image signature

Signature for the software image:

HP—For software images of the HP version.

HP-US—For software images of the HP US version.

HPE—For software images of the HPE version.

Modified command: display install backup

Syntax


display install backup [ verbose ]


display install backup [ slot slot-number ] [ verbose ]


display install backup [ chassis chassis-number slot slot-number ] [ verbose ]

Views

Any view

Change description


51


Field Description






Modified command: display install committed

Syntax


display install committed [ verbose ]


display install committed [ slot slot-number ] [ verbose ]


display install committed [ chassis chassis-number slot slot-number ] [ verbose ]

Views

Any view

Change description



Field Description






Modified command: display install inactive

Syntax


display install inactive [ verbose ]


display install inactive [ slot slot-number ] [ verbose ]


display install inactive [ chassis chassis-number slot slot-number ] [ verbose ]

52

Views

Any view

Change description



Field Description






Modified command: display install ipe-info

Syntax

display install ipe-info ipe-filename

Views

Any view

Change description



Field Description






Modified command: display install package

Syntax

display install package { filename | all } [ verbose ]

Views

Any view

Change description


53


Field Description






Modified command: display install which

Syntax


display install which { component name | file filename }


display install which { component name | file filename } [ slot slot-number ]

Distributed devices–In standalone mode:


display install which { component name | file filename } [ chassis chassis-number slot

slot-number ]

Views

Any view

Change description



Field Description






Release 0305P08


New feature: mGRE

New feature: Disabling transceiver module alarm

54

Modified feature: Default user role

Modified feature: Debugging

New feature: mGRE

Overview

Multipoint Generic Routing Encapsulation (mGRE) is a dynamic VPN technology that uses the Next

Hop Resolution Protocol (NHRP).

Traditional GRE tunnels for a VPN are static and require manual configuration and maintenance,

resulting in poor extensibility. If branches of an enterprise accesses the public network by using

dynamic IP addresses, it is difficult to set GRE tunnels between the branches.

mGRE can dynamically establish tunnels for the branches, because NHRP can map the private IP

address of a branch to its public IP address.

mGRE operation scheme

An mGRE network uses the client/server model. It has the following types of nodes:

NHS—NHRP server, the hub device in the mGRE network. The NHS is the routing information

exchange center. It is also the data forwarding center in a NHS-NHC network.

NHC—NHRP client, a spoke device in the mGRE network. Typically, it is the gateway of a

branch network. An NHC does not forward data received from other mGRE nodes.

mGRE obtains dynamic public addresses of NHCs through their private addresses to establish

mGRE tunnels and forward packets. The public address is the IP address of the interface connected

to the Internet. The private address is the IP address of the mGRE tunnel interface.

An NHC registers its public and private addresses with the NHS and it registers its public address

whenever the public address changes. An NHC obtains the current public address of a peer NHC

from the NHS through NHRP, so the two NHCs can establish an mGRE tunnel over the Internet.

mGRE operation procedure

The mGRE operation includes the following phases:

Registration.

Tunnel establishment.

Route learning and packet forwarding.

Registration

As shown in Figure 10, the registration process is as follows:

55

1. The NHC sends a registration request to the NHS.

2. After the NHS receives the request, it performs the NHRP packet authentication key and GRE

key matching. If both keys are matched, registration succeeds. The NHS sends a registration

success message to the NHC.

Figure 10 Registration process

Tunnel establishment

mGRE networks support the following types of networking:

Full-mesh network—NHCs can establish tunnels between each other for direct

communication. The NHS acts as the routing information exchange center.

Figure 11 Full-mesh network

NHS-NHC network—NHCs cannot establish tunnels between each other. Instead, they

establish tunnels with the NHS. The NHS forwards data for the NHCs. The NHS acts as both

the routing information exchange center and the data forwarding center.

NHC NHS

1) Registration request

2) Registration acknowledgment

Site 1 Site 2

NHS

NHC 1

Public network

NHC 2

Data

NHS-N

HC

NHS-N

HC

NHC-NHC

56

Figure 12 NHS-NHC network

A mGRE tunnel is as established as follows:

NHC-NHS tunnel establishment process:

An NHC-NHS tunnel is established in the registration process. During registration, the

NHC-NHS tunnel is in initialization state. After registration succeeds, the NHC-NHS tunnel is in

success state.

An NHC-NHS tunnel is permanent. An NHC can establish permanent tunnels to any number of

NHSs.

NHC-NHC tunnel establishment process:

a. In a full-mesh network, when an NHC receives a data packet but finds no tunnel for

forwarding the packet, the NHC (initiator) sends an address resolution request to the NHS.

b. After receiving the request, the NHS looks up the local NHRP mapping table to find the peer

NHC (responder) and forwards the request to the peer NHC.

c. After receiving the request, the peer NHC creates a temporary tunnel and sends an address

resolution response to the initiator.

An NHC-NHC tunnel is dynamic. If no data is exchanged within the NHC-NHC tunnel idle

timeout, the tunnel will be deleted.

Route learning and packet forwarding

mGRE nodes learn private routes by using dynamic routing protocols.

Dynamic routing must be configured for all private networks and mGRE tunnel interfaces to ensure

IP connectivity among the private networks. From the perspective of private networks, an mGRE

tunnel is a link that connects different private networks. A dynamic routing protocol discovers

neighbors and updates routes over mGRE tunnels, and establishes a routing table.

Site 1 Site 2

NHS

NHC 1

Public network

NHC 2

Dat

aData

NHS-N

HC

NHS-N

HC

57

When an NHC receives a packet destined for a remote private network, it performs the following

operations:

1. Searches the routing table for the next hop address to the target private network.

2. Looks up the local NHRP mapping table to obtain the public address that corresponds to the

next hop address.

3. Uses the public address as the tunnel destination address to encapsulate the packet.

4. Sends the encapsulated packet to the peer NHC over the mGRE tunnel.

mGRE support for NAT traversal

An NHC-NHC tunnel can traverse a NAT gateway. The tunnel can be established when the tunnel

initiator, receiver, or both ends reside behind the NAT gateway.

mGRE configuration task list

To set up an mGRE network, first configure the NHSs and then the NHCs.

IMPORTANT:

The device can act only as an NHC. It cannot act as an NHS.

To configure mGRE on an NHC:

Tasks at a glance

(Required.)

Configuring an mGRE tunnel

(Required.) Configuring routing

(Optional.) Configuring IPsec for an mGRE tunnel

Configuring an mGRE tunnel

The public address of an NHC can be statically configured or dynamically assigned. The private

address of an NHC must be statically configured.

For more information about tunnel interfaces, see tunneling configuration in Layer 3—IP Services

Configuration Guide. For more information about the interface tunnel, source, and tunnel dfbit

enable commands and other commands for a tunnel interface, see tunneling commands in Layer

3—IP Services Command Reference.

To configure an mGRE tunnel:

58



48. Create an mGRE tunnel interface and enter tunnel interface view.

interface tunnel number mode mgre

By default, no tunnel interfaces exist.

49. Configure a private address for the tunnel interface.

ip address ip-address { mask | mask-length } [ sub ]

By default, no private address is configured for a tunnel interface.

50. Configure a source address or source interface for the tunnel interface.

source { ip-address | interface-type interface-number }

By default, no source address or source interface is configured for a tunnel interface.

If you specify a source address, it is used as the source IP address of tunneled packets.

If you specify a source interface, the primary IP address of this interface is used as the source IP address of tunneled packets.

51. Configure an NHRP packet authentication key.

nhrp authentication [ cipher | simple ] string

By default, no NHRP packet authentication key is configured. NHRP nodes do not authenticate NHRP packets received from each other.

52. Configure an NHRP network ID for the mGRE tunnel.

nhrp network-id number By default, an mGRE tunnel does not have an NHRP network ID.

53. Configure the holdtime for NHRP mapping entries.

nhrp holdtime seconds By default, the holdtime of NHRP mapping entries is 7200 seconds.

54. Configure an NHS private-to-public address mapping.

nhrp nhs nhs-address nbma nbma-address

By default, no NHS private-to-public address mappings are configured.

55. (Optional.) Configure a GRE key for the tunnel interface.

gre key key

By default, no GRE key is configured for an mGRE tunnel interface.

You must configure the same GRE key or configure no key on both ends of a tunnel.

On the device, you must configure different GRE keys for mGRE tunnel interfaces that have the same source address or source interface.

For more information about the GRE key, see GRE in Layer 3—IP Services Configuration Guide.

56. (Optional.) Set the DF bit for tunneled packets.

tunnel dfbit enable By default, the DF bit is not set. Tunneled packets can be fragmented for forwarding.

Configuring routing

mGRE clients support dynamic routing protocols of OSPF, RIP, and BGP.

When you configure routing for mGRE client, following these restrictions and guidelines:

59

When OSPF is used, specify the OSPF interface network type as broadcast in a full-mesh

network and as p2mp in a NHS-NHC network.

Full-mesh networks do not support RIP. NHS-NHC networks must use the RIP-2 multicast

mode and disable the split horizon feature for NHS nodes.

When BGP is used, configure routing polices to ensure the following:

In a full-mesh network, ensure that the local NHC learns a route to the remote private

network, and the route's next hop address is the address of the remote NHC.

In an NHS-NHC network, ensure that the local NHC learns a route to the remote private

network, and the route's next hop address is the address of the NHS.

For more information about OSPF, RIP, BGP, and routing policy configuration, see Layer 3—IP

Routing Configuration Guide.

Configuring IPsec for an mGRE tunnel

The device supports protecting mGRE tunnel data and control packets by using IPsec profiles.

To configure IPsec for an mGRE tunnel:

1. Configure an IPsec transform set to specify the security protocol, authentication and encryption

algorithms, and encapsulation type.

2. Configure an IKE-based IPsec profile.

3. Apply the IKE-based IPsec profile to the mGRE tunnel interface.

For more information about IPsec configuration, see "Configuring IPsec."

Displaying and maintaining mGRE

Execute display commands in any view and reset commands in user view.

Task Command

Display information about NHRP mapping entries. display nhrp map [ interface tunnel interface-number [ peer ipv4-address ] ] [ verbose ]

Display NHRP packet statistics for tunnel interfaces. display nhrp statistics [ interface tunnel interface-number ]

Display mGRE session information. display mgre session [ interface tunnel interface-number [ peer ipv4-address ] ] [ verbose ]

Clear NHRP packet statistics for tunnel interfaces. reset nhrp statistics [ interface tunnel inteface-number ]

Reset mGRE sessions. reset mgre session [ interface tunnel interface-number [ peer ipv4-address ] ]

Clear mGRE session statistics. reset mgre statistics [ interface tunnel interface-number [ peer ipv4-address ] ]

60

Command reference

New command: display mgre session

Use display mgre session to display mGRE session information.

Syntax

display mgre session [ interface tunnel interface-number [ peer ipv4-address ] ] [ verbose ]

Views

Any view


network-admin

network-operator

Parameters

interface tunnel interface-number: Specifies an mGRE tunnel interface by its number in the range

of 0 to 4095. If you do not specify this option, the command displays mGRE session information for

all mGRE tunnel interfaces.

peer ipv4-address: Specifies a peer public address. If you do not specify this option, the command

displays all mGRE session information for the specified mGRE tunnel interface.

verbose: Displays detailed information about IPv4 mGRE sessions. If you do not specify this

keyword, the command displays brief information about mGRE sessions.

Usage guidelines

If you do not specify any parameters, this command displays brief information about all mGRE

sessions on all tunnel interfaces.

Examples

# Display brief information about all mGRE sessions.

<Sysname> display mgre session

Interface : Tunnel1

Number of sessions: 2

Peer NBMA address Peer protocol address Type State State duration

10.0.0.3 192.168.180.136 C-S Succeeded 00:30:01

10.0.1.4 192.168.180.137 C-C Establishing 00:30:02

# Display brief information about mGRE sessions on the specified tunnel interface.

<Sysname> display mgre session interface tunnel 1

Interface : Tunnel1



10.0.0.3 192.168.180.136 C-S Succeeded 00:30:01

10.0.1.4 192.168.180.137 C-C Establishing 00:30:02

61

# Display brief information about the mGRE session with the specified peer address.

<Sysname> display mgre session interface tunnel 1 peer 10.0.0.3

Interface : Tunnel1



10.0.0.3 192.168.180.136 C-S Succeeded 00:30:01


Field Description

Interface Name of the mGRE tunnel interface.

Number of sessions Total number of mGRE sessions on the tunnel interface.

Peer NBMA address Public address of the peer.

Peer protocol address IP address of the peer tunnel interface.

Type

mGRE session type:

C-S—The local end is an NHC, and the peer end is the NHS.

C-C—The local end is an NHC, and the peer end is an NHC.

UNKNOWN—The local end is an NHC, and the peer end type is unknown.

State

mGRE session state:

Succeeded.

Establishing.

State duration Duration of the current session state, in the format of hh:mm:ss.

# Display detailed information about all IPv4 mGRE sessions.

<Sysname> display mgre session verbose

Interface : Tunnel1

Link protocol : GRE


Peer NBMA address : 10.0.1.3

Peer protocol address: 192.168.180.136

Session type : C-S

State : Succeeded

State duration : 00:30:01

Input : 2201 packets, 218 data packets, 3 control packets

2191 multicasts, 0 errors

Output: 2169 packets, 2168 data packets, 1 control packets




Session type : C-S

State : Succeeded



62




Interface : Tunnel2

Link protocol : IPsec-GRE

SA's SPI :

Inbound : 187199087 (0xb286e6f) [ESP]

Outbound: 3562274487 (0xd453feb7) [ESP]



Peer protocol Aaddress: 192.168.181.137

Behind NAT : No

Session type : C-C

SA's SPI :

Inbound : 187199087 (0xb286e6f) [ESP]

Outbound: 3562274487 (0xd453feb7) [ESP]

State : Establishing






# Display detailed information about IPv4 mGRE sessions on interface Tunnel1.

<Sysname> display mgre session interface tunnel 1 verbose

Interface : Tunnel1

Link protocol : GRE




Behind NAT : No

Session type : C-C

State : Succeeded






# Display detailed information about the mGRE session with the peer public address 202.12.12.12.

<Sysname> display mgre session peer 202.12.12.12 verbose

Interface : Tunnel1

Link protocol : GRE




Session type : C-S

State : Succeeded

63







Field Description

Interface Name of the mGRE tunnel interface.

Link protocol

Encapsulation protocol used by the mGRE tunnel:

GRE.

IPsec-GRE.

Number of sessions Total number of mGRE sessions on the tunnel interface.

Peer NBMA address Public address of the peer.

Peer protocol address IP address of the peer tunnel interface.

SA's SPI SPI of the inbound and outbound SAs. This field is available when the mGRE tunnel is carried over IPsec.

Behind NAT Whether the peer NHC has traversed a NAT device.

Session type

mGRE session type:

C-S—The local end is an NHC, and the peer end is

the NHS.

C-C—The local end is an NHC, and the peer end is an NHC.

State

mGRE session state:

Succeeded.

Establishing.

State duration Duration of the current session state, in the format of hh:mm:ss.

Input

Statistics on received packets:

packets—Total number of packets.

data packets—Number of data packets.

control packets—Number of control packets.

multicasts—Number of multicast packets.

errors—Number of error packets.

Output

Statistics on received packets:

packets—Total number of packets.

data packets—Number of data packets.

control packets—Number of control packets.

multicasts—Number of multicast packets.

errors—Number of error packets.

New command: display nhrp map

Use display nhrp map to display information about NHRP mapping entries.

64

Syntax

display nhrp map [ interface tunnel interface-number [ peer ipv4-address ] ] [ verbose ]

Views

Any view


network-admin

network-operator

Parameters


of 0 to 4095. If you do not specify this option, the command displays NHRP mapping table

information for all mGRE tunnel interfaces.


displays NHRP mapping entries for all peers.

verbose: Displays detailed information about NHRP mapping entries. If you do not specify this

keyword, the command displays brief information about NHRP mapping entries.

Usage guidelines

If you do not specify any parameters, this command displays brief information about all NHRP

mapping entries.

Examples

# Display brief information about all NHRP mapping entries.

<Sysname> display nhrp map

Destination/mask Next hop NBMA address Type Interface

172.16.1.1/32 172.16.1.1 105.112.100.4 cached Tunnel0

172.16.1.2/32 172.16.1.2 105.112.100.92 cached Tunnel0

# Display detailed information about all NHRP mapping entries.

<Sysname> display nhrp map verbose

Interface : Tunnel0

Destination/mask : 172.16.1.1/32

Next hop : 172.16.1.1

Creation time : 00:38:44

Expiration time : 01:21:15

Type : cached

Flags : unique, up, used

NBMA address : 105.112.100.4

Interface : Tunnel0

Destination/mask : 172.16.1.2/32

Next hop : 172.16.1.2

Creation time : 00:25:53

Expiration time : 01:34:06

65

Type : cached

Flags : unique, up, used, ipsec

NBMA address : 105.112.100.92


Field Description

Destination/mask Destination tunnel interface address and mask of the mapping entry.

Nexthop Next hop address to reach the destination network.

Creation time Period of time for which the mapping entry has been created.

Expiration time Period of time in which the mapping entry will expire.

Type

Mapping entry type:

static—The entry is statically configured.

cached—The entry is dynamically obtained.

Incomplete—The entry is dynamic and incomplete.

Flags

Mapping entry flags:

unique—The mapping entry in the registration

request cannot be overwritten by a mapping entry that has the same protocol address and different public addresses. A client can register the new entry with the server only after the mapping entry on the server expires.

used—This mapping entry is used for packet forwarding.

up—Packets can be forwarded.

ipsec—IPsec negotiation succeeded. Packets will be protected by IPsec.

init—Initialization state.

New command: display nhrp statistics

Use display nhrp statistics to display NHRP packet statistics for a tunnel interface.

Syntax

display nhrp statistics [ interface tunnel interface-number ]

Views

Any view


network-admin

network-operator

Parameters


of 0 to 4095. If you do not specify this option, the command displays NHRP packet statistics for all

tunnel interfaces.

66

Examples

# Display NHRP packet statistics.

<Sysname> display nhrp statistics

Tunnel0:

NHRP packets sent : 815

Resolution requests : 15

Resolution replies : 1

Registration requests : 0

Registration replies : 797

Purge requests : 2

Purge replies : 0

Error indications : 0

Traffic indications : 0

NHRP packets received : 1453





Purge requests : 0

Purge replies : 0



Tunnel1:


Resolution Requests : 0




Purge requests : 0

Purge replies : 0








Purge requests : 0

Purge replies : 0



# Display NHRP packet statistics for the specified tunnel interface.

<Sysname> display nhrp statistics interface tunnel 0

Tunnel0:

67






Purge requests : 2

Purge replies : 0








Purge requests : 0

Purge replies : 0



New command: nhrp authentication

Use nhrp authentication to configure an NHRP packet authentication key.

Use undo nhrp authentication to restore the default.

Syntax

nhrp authentication { cipher | simple } string

undo nhrp authentication

Default

No NHRP packet authentication key is configured. NHRP nodes do not authenticate NHRP packets

received from each other.

Views

mGRE tunnel interface view


network-admin

Parameters

cipher: Specifies an authentication key in encrypted form.

simple: Specifies an authentication key in plaintext form. For security purposes, the key specified in

plaintext form will be stored in encrypted form.

string: Specifies the key string. Its plaintext form is a case-sensitive string of 1 to 8 characters. Its

encrypted form is a case-sensitive string of 1 to 41 characters.

68

Usage guidelines

After an NHRP packet authentication key is configured for a tunnel interface, the tunnel interface

adds the key in packets sent to the peer. The tunnel interface also uses the key to authenticate

NHRP packets it receives. If a packet fails the authentication, the packet will be dropped.

For mGRE tunnels to be established successfully, configure the same NHRP authentication key for

all NHCs and servers in the same mGRE network.

Examples

# On interface Tunnel1, set the NHRP packet authentication key to 123456.


[Sysname] interface tunnel 1 mode mgre

[Sysname-Tunnel1] nhrp authentication simple 123456

Related commands

interface tunnel (Layer 3—IP Services Command Reference)

New command: nhrp holdtime

Use nhrp holdtime to configure the holdtime for NHRP mapping entries.

Use undo nhrp holdtime to restore the default.

Syntax

nhrp holdtime seconds

undo nhrp holdtime

Default

The holdtime of NHRP mapping entries is 7200 seconds.

Views



network-admin

Parameters

seconds: Specifies the holdtime in the range of 1 to 65535 seconds.

Usage guidelines

After the holdtime is configured, the local NHRP holdtime carried in outgoing packets is updated to

the configured holdtime.

Examples

# On interface Tunnel1, set the holdtime of NHRP mapping entries to 600 seconds



[Sysname-Tunnel1] nhrp holdtime 600

69

Related commands


New command: nhrp network-id

Use nhrp network-id to configure an NHRP network ID for an mGRE tunnel.

Use undo nhrp network-id to delete the NHRP network ID of an mGRE tunnel.

Syntax

nhrp network-id number

undo nhrp network-id

Default

An mGRE tunnel does not have an NHRP network ID.

Views



network-admin

Parameters

number: Specifies an NHRP network ID in the range of 1 to 4294967295.

Usage guidelines

A network ID is only locally significant. You can configure different NHRP network IDs for different

tunnel interfaces on the device. The NHC and server can have different NHRP network IDs.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Set the NHRP network ID to 10 for mGRE tunnel interface Tunnel1.



[Sysname-Tunnel1] nhrp network-id 10

Related commands


New command: nhrp nhs

Use nhrp nhs to configure an NHS private-to-public address mapping.

Use undo nhrp nhs to delete an NHS private-to-public address mapping.

Syntax

nhrp nhs nhs-address nbma nbma-address

70

undo nhrp nhs nhs-address nbma nbma-address

Default

No NHS private-to-public address mappings are configured.

Views



network-admin

Parameters

nhs-address: Specifies the private address of an NHS.

nbma-address: Specifies the public address (NBMA address) of the NHS.

Usage guidelines

You can configure multiple NHSs for redundancy. If multiple NHSs are configured, NHCs register

with all the NHSs.

Examples

# On interface Tunnel1, configure the NHS private address as 1.1.1.1 and public address as

120.1.1.120.



[Sysname-Tunnel1] nhrp nhs 1.1.1.1 nbma 120.1.1.120

Related commands


New command: reset mgre session

Use reset mgre session to reset dynamic mGRE sessions.

Syntax

reset mgre session [ interface tunnel interface-number [ peer ipv4-address ] ]

Views

User view


network-admin

Parameters


of 0 to 4095. If you do not specify this option, the command resets dynamic mGRE sessions for all

mGRE tunnel interfaces.


resets all dynamic mGRE sessions for the specified mGRE tunnel interface.

71

Usage guidelines

If you do not specify any parameters, this command resets all dynamic mGRE sessions. When an

mGRE session is reset, the NHC reregisters with the NHS.

Examples

# Reset the mGRE sessions on interface Tunnel1.

<Sysname> reset mgre session interface tunnel 1

# Reset the mGRE session with peer address 202.12.12.12 on interface Tunnel1.

<Sysname> reset mgre session interface tunnel 1 peer 202.12.12.12

Related commands

display mgre session

New command: reset mgre statistics

Use reset mgre statistics to clear mGRE session statistics.

Syntax

reset mgre statistics [ interface tunnel interface-number [ peer ipv4-address ] ]

Views

User view


network-admin

Parameters


of 0 to 4095. If you do not specify this option, the command clears mGRE session statistics for all



clears statistics about all mGRE sessions on the specified mGRE tunnel interface.

Examples

# Clear statistics about mGRE sessions on interface Tunnel1.

<Sysname> reset mgre statistics interface tunnel 1

# Clear statistics about the mGRE session with peer public address 192.168.1.200 on interface

Tunnel1.

<Sysname> reset mgre statistics interface tunnel 1 peer 192.168.1.200

New command: reset nhrp statistics

Use reset nhrp statistics to clear NHRP packet statistics.

72

Syntax

reset nhrp statistics [ interface tunnel interface-number ]

Views

User view


network-admin

Parameters


of 0 to 4095. If you do not specify this option, the command clears NHRP packet statistics for all


Examples

# Clear NHRP packet statistics for interface Tunnel1.

<Sysname> reset nhrp statistics interface tunnel 1

Related commands

display nhrp statistics

New feature: Disabling transceiver module

alarm

Configuring Disabling transceiver module alarm

The device regularly checks transceiver modules for their vendor information. If a transceiver module

does not have a vendor name or the vendor name is not HPE, the device outputs traps and logs to

prompt you to replace the module. This feature enables you to suppress the traps and logs.

Command reference

New command: transceiver phony-alarm-disable

Use transceiver phony-alarm-disable to disable the transceiver module alarm feature.

Use undo transceiver phony-alarm-disable to restore the default.

Syntax

transceiver phony-alarm-disable

undo transceiver phony-alarm-disable

73

Default

The transceiver module alarm feature is enabled.

Views

System view


network-admin

Usage guidelines

The device regularly checks transceiver modules for their vendor information. If a transceiver module

does not have a vendor name or the vendor name is not HPE, the device outputs traps and logs to

prompt you to replace the module. To suppress the traps and alarms, execute this command.

Examples

#Disable the transceiver module alarm feature.


[Sysname] transceiver phony-alarm-disable

Modified feature: Default user role


The default user role can be changed. The role-name argument was added to the role default-role

enable command for specifying a user role as the default user role.

Command changes

Modified command: role default-role enable

Old syntax

role default-role enable

undo role default-role enable

New syntax

role default-role enable [ role-name ]

undo role default-role enable

Views

System view

Change description

Before modification: The default user role is network-operator.

74

After modification: The role-name argument was added to specify any user role that exists in the

system as the default user role. The argument is a case-sensitive string of 1 to 63 characters. If you

do not specify this argument, the default user role is network-operator.

Modified feature: Debugging


The all keyword and the timeout time option were removed from the debugging command. You can

no longer use the command to enable debugging for all modules at the same time or automatically

disable debugging for all modules after a specific period of time.

Command changes

Modified command: debugging

Old syntax

debugging { all [ timeout time ] | module-name [ option ] }

undo debugging { all | module-name [ option ] }

New syntax

debugging module-name [ option ]

undo debugging module-name [ option ]

Views

User view

Change description

The following parameters were removed from the debugging command:

all: Enables debugging for all modules.

timeout time: Specifies the timeout time for the debugging all command. The system

automatically executes the undo debugging all command after the timeout time. The time

argument is in the range of 1 to 1440 minutes. If you do not specify a timeout time, you must

manually execute the undo debugging all command to disable debugging for all modules.

Release 0305P04


New feature: Public key management support for Suite B

75

New feature: PKI support for Suite B

New feature: IPsec support for Suite B

New feature: SSL support for Suite B

New feature: FIPS support for Suit B

New feature: SSH support for Suite B

New feature: Ignoring the first AS number of EBGP route updates for a peer or peer group

Modified feature: Support for Ethernet link aggregation on Layer 3 Ethernet subinterfaces

Modified feature: Changing the maximum number of FIB table entries

Modified feature: Enabling CWMP

New feature: Public key management

support for Suite B

Configuring Suite B in public key management

Suite B contains a set of encryption and authentication algorithms that meet high security

requirements.

In this software version, Suite B is available in public key management. Support for new elliptic curve

algorithms was added for generating ECDSA key pairs.

Command reference

Modified command: public-key local create

Old syntax

public-key local create { dsa | ecdsa | rsa } [ name key-name ]

New syntax

public-key local create { dsa | ecdsa [ secp192r1 | secp256r1 | secp384r1] | rsa } [ name

key-name ]

Views

System view

Change description

Before modification: The secp192r1 curve was used to generate the ECDSA key pair by default. No

other elliptic curve algorithms were available.

76

After modification: You can specify the elliptic curve used to generate the ECDSA key pair. The

following elliptic curve algorithms are available:

secp192r1: Uses the secp192r1 curve to generate a 192-bit ECDSA key pair. The secp192r1

curve is used by default.

secp256r1: Uses the secp256r1 curve to generate a 256-bit ECDSA key pair.

secp384r1: Uses the secp384r1 curve to generate a 384-bit ECDSA key pair.

New feature: PKI support for Suite B

Configuring Suite B in PKI


requirements. PKI commands were modified to support Suite B.

Command reference

Modified command: public-key ecdsa

Old syntax

public-key ecdsa name key-name

undo public-key

New syntax

public-key ecdsa name key-name [ secp192r1 | secp256r1 | secp384r1]

undo public-key

Views

PKI domain view

Change description

Before modification: The secp192r1 curve was used to generate the ECDSA key pair by default. No

other elliptic curve algorithms were available.

After modification: You can specify the elliptic curve used to generate the ECDSA key pair. The

following elliptic curve algorithms are available:

secp192r1: Uses the secp192r1 curve to generate the key pair. The secp192r1 curve is used

by default.

secp256r1: Uses the secp256r1 curve to generate the key pair.


77

New feature: IPsec support for Suite B


requirements. IPsec provide stronger protection by supporting Suite B and IKEv2.

Overview

Internet Key Exchange version 2 (IKEv2) is an enhanced version of IKEv1. The same as IKEv1,

IKEv2 has a set of self-protection mechanisms and can be used on insecure networks for reliable

identity authentication, key distribution, and IPsec SA negotiation. IKEv2 provides stronger

protection against attacks and higher key exchange ability and needs less message exchanges than

IKEv1.

IKEv2 negotiation process

Compared with IKEv1, IKEv2 simplifies the negotiation process and is much more efficient.

IKEv2 defines three types of exchanges: initial exchanges, CREATE_CHILD_SA exchange, and

INFORMATIONAL exchange.

As shown in Figure 13, IKEv2 uses two exchanges during the initial exchange process:

IKE_SA_INIT and IKE_AUTH, each with two messages.

IKE_SA_INIT exchange—Negotiates IKE SA parameters and exchanges keys.

IKE_AUTH exchange—Authenticates the identity of the peer and establishes IPsec SAs.

After the four-message initial exchanges, IKEv2 sets up one IKE SA and one pair of IPsec SAs. For

IKEv1 to set up one IKE SA and one pair of IPsec SAs, it must go through two phases that use a

minimum of six messages.

To set up one more pair of IPsec SAs within the IKE SA, IKEv2 goes on to perform an additional

two-message exchange—the CREATE_CHILD_SA exchange. One CREATE_CHILD_SA exchange

creates one pair of IPsec SAs. IKEv2 also uses the CREATE_CHILD_SA exchange to rekey IKE

SAs and Child SAs.

IKEv2 uses the INFORMATIONAL exchange to convey control messages about errors and

notifications.

78

Figure 13 IKEv2 Initial exchange process

New features in IKEv2

DH guessing

In the IKE_SA_INIT exchange, the initiator guesses the DH group that the responder is most likely to

use and sends it in an IKE_SA_INIT request message. If the initiator's guess is correct, the

responder responds with an IKE_SA_INIT response message and the IKE_SA_INIT exchange is

finished. If the guess is wrong, the responder responds with an INVALID_KE_PAYLOAD message

that contains the DH group that it wants to use. The initiator then uses the DH group selected by the

responder to reinitiate the IKE_SA_INIT exchange. The DH guessing mechanism allows for more

flexible DH group configuration and enables the initiator to adapt to different responders.

Cookie challenging

Messages for the IKE_SA_INIT exchange are in plain text. An IKEv1 responder cannot confirm the

validity of the initiators and must maintain half-open IKE SAs, which makes the responder

susceptible to DoS attacks. An attacker can send a large number of IKE_SA_INIT requests with

forged source IP addresses to the responder, exhausting the responder's system resources.

IKEv2 introduces the cookie challenging mechanism to prevent such DoS attacks. When an IKEv2

responder maintains a threshold number of half-open IKE SAs, it starts the cookie challenging

mechanism. The responder generates a cookie and includes it in the response sent to the initiator. If

the initiator initiates a new IKE_SA_INIT request that carries the correct cookie, the responder

considers the initiator valid and proceeds with the negotiation. If the carried cookie is incorrect, the

responder terminates the negotiation.

The cookie challenging mechanism automatically stops working when the number of half-open IKE

SAs drops below the threshold.

Initiator’s policy and key

information

Peer 1 Peer 2

Confirmed policy and

key information

Initiator’s identity,

authentication data, and

IPsec proposals

Responder’s identity,

authentication data, and

IPsec proposals

Authenticate the

identity and

negotiate IPsec

SAs

Negotiate

algorithms and

generate the key

Perform ID and exchange

authentication and

negotiate IPsec SAs

Search for a

matched policy and

generate the key

Receive the

policy and

generate the key

Send the local

IKE policy and

key info

Perform ID and exchange

authentication and

negotiate IPsec SAs

ID exchange,

authentication,

IPsec SA setup

SA exchange,

key exchange

79

IKEv2 SA rekeying

For security purposes, both IKE SAs and IPsec SAs have a lifetime and must be rekeyed when the

lifetime expires. An IKEv1 SA lifetime is negotiated. An IKEv2 SA lifetime, in contrast, is configured. If

two peers are configured with different lifetimes, the peer with the shorter lifetime always initiates the

SA rekeying. This mechanism reduces the possibility that two peers will simultaneously initiate a

rekeying. Simultaneous rekeying results in redundant SAs and SA status inconsistency on the two

peers.

IKEv2 message retransmission

Unlike IKEv1 messages, IKEv2 messages appear in request/response pairs. IKEv2 uses the

Message ID field in the message header to identify the request/response pair. If an initiator sends a

request but receives no response with the same Message ID value within a specific period of time,

the initiator retransmits the request.

It is always the IKEv2 initiator that initiates the retransmission, and the retransmitted message must

use the same Message ID value.

Protocols and standards

RFC 2408, Internet Security Association and Key Management Protocol (ISAKMP)

RFC 4306, Internet Key Exchange (IKEv2) Protocol

RFC 4718, IKEv2 Clarifications and Implementation Guidelines

RFC 2412, The OAKLEY Key Determination Protocol

RFC 5996, Internet Key Exchange Protocol Version 2 (IKEv2)

IKEv2 configuration task list

Determine the following parameters prior to IKEv2 configuration:

The strength of the algorithms for IKEv2 negotiation, including the encryption algorithms,

integrity protection algorithms, PRF algorithms, and DH groups. Different algorithms provide

different levels of protection. A stronger algorithm means better resistance to decryption of

protected data but requires more resources. Typically, the longer the key, the stronger the

algorithm.

The local and remote identity authentication methods.

To use the pre-shared key authentication method, you must determine the pre-shared key.

To use the RSA digital signature authentication method, you must determine the PKI

domain for the local end to use. For information about PKI, see "Configuring PKI."

To configure IKEv2, perform the following tasks:

80

Tasks at a glance Remarks

(Required.) Configuring an IKEv2 profile N/A

(Required.) Configuring an IKEv2 policy N/A

(Optional.) Configuring an IKEv2 proposal If you specify an IKEv2 proposal in an IKEv2 policy, you must configure the IKEv2 proposal.

Configuring an IKEv2 keychain Required when either end or both ends use the pre-shared key authentication method.

Configure global IKEv2 parameters

(Optional.) Enabling the cookie challenging feature

(Optional.) Configuring the IKEv2 DPD feature

(Optional.) Configuring the IKEv2 NAT keepalive feature

(Optional.) Configuring IKEv2 address pools

The cookie challenging feature takes effect only on IKEv2 responders.

Configuring an IKEv2 profile

An IKEv2 profile is intended to provide a set of parameters for IKEv2 negotiation. To configure an

IKEv2 profile, perform the following tasks:

1. Specify the local and remote identity authentication methods.

The local and remote identity authentication methods must both be specified and they can be

different. You can specify only one local identity authentication method and multiple remote

identity authentication methods.

2. Configure the IKEv2 keychain or PKI domain for the IKEv2 profile to use:

To use digital signature authentication, configure a PKI domain.

To use pre-shared key authentication, configure an IKEv2 keychain.

3. Configure the local ID, the ID that the device uses to identify itself to the peer during IKEv2

negotiation:

For digital signature authentication, the device can use an ID of any type. If the local ID is an

IP address that is different from the IP address in the local certificate, the device uses the

FQDN as the local ID. The FQDN is the device name configured by using the sysname

command.

For pre-shared key authentication, the device can use an ID of any type other than the DN.

4. Configure peer IDs.

The device compares the received peer ID with the peer IDs of its local IKEv2 profiles. If a

match is found, it uses the IKEv2 profile with the matching peer ID for IKEv2 negotiation. IKEv2

profiles will be compared in descending order of their priorities.

5. Specify a local interface or IP address for the IKEv2 profile so the profile can be applied only to

the specified interface or IP address. For this task, specify the local address configured in IPsec

policy or IPsec policy template view (using the local-address command). If no local address is

configured, specify the IP address of the interface that uses the IPsec policy.

81

6. Specify a priority number for the IKEv2 profile. To determine the priority of an IKEv2 profile:

a. First, the device examines the existence of the match local command. An IKEv2 profile

with the match local command configured has a higher priority.

b. If a tie exists, the device compares the priority numbers. An IKEv2 profile with a smaller

priority number has a higher priority.

c. If a tie still exists, the device prefers an IKEv2 profile configured earlier.

7. Specify a VPN instance for the IKEv2 profile. The IKEv2 profile is used for IKEv2 negotiation

only on the interfaces that belong to the VPN instance.

8. Configure the IKEv2 SA lifetime.

The local and remote ends can use different IKEv2 SA lifetimes. They do not negotiate the

lifetime. The end with a smaller SA lifetime will initiate an SA negotiation when the lifetime

expires.

9. Configure IKEv2 DPD to detect dead IKEv2 peers. You can also configure this feature in

system view. If you configure IKEv2 DPD in both views, the IKEv2 DPD settings in IKEv2 profile

view apply. If you do not configure IKEv2 DPD in IKEv2 profile view, the IKEv2 DPD settings in

system view apply.

10. Specify an inside VPN instance. This setting determines where the device should forward

received IPsec packets after it de-encapsulates them. If you specify an inside VPN instance,

the device looks for a route in the specified VPN instance to forward the packets. If you do not

specify an inside VPN instance, the internal and external networks are in the same VPN

instance. The device looks for a route in this VPN instance to forward the packets.

11. Configure the NAT keepalive interval.

Configure this task when the device is behind a NAT gateway. The device sends NAT keepalive

packets regularly to its peer to prevent the NAT session from being aged because of no

matching traffic.

12. Enable the configuration exchange feature.

The configuration exchange feature enables the local and remote ends to exchange

configuration data, such as gateway address, internal IP address, and route. The exchange

includes data request and response, and data push and response.

This feature typically applies to scenarios where branches and the headquarters communicate

through virtual tunnels.

This feature enables the IPsec gateway at a branch to send IP address requests to the IPsec

gateway at the headquarters. When the headquarters receives the request, it sends an IP

address to the branch in the response packet. The headquarters can also actively push an IP

address to the branch. The branch uses the allocated IP address as the IP address of the virtual

tunnel to communicate with the headquarters.

13. Enable AAA authorization.

82

The AAA authorization feature enables IKEv2 to request authorization attributes, such as the

IKEv2 address pool, from AAA. IKEv2 uses the address pool to assign IP addresses to remote

users. For more information about AAA authorization, see "Configuring AAA."

To configure an IKEv2 profile:



58. Create an IKEv2 profile and enter IKEv2 profile view.

ikev2 profile profile-name By default, no IKEv2 profiles exist.

59. Configure the local and remote identity authentication methods.

authentication-method { local | remote } { dsa-signature | ecdsa-signature | pre-share | rsa-signature }

By default, no local or remote identity authentication method is configured.

60. Specify a keychain. keychain keychain-name

By default, no keychain is specified for an IKEv2 profile.

Perform this task when the pre-shared key authentication method is specified.

61. Specify a PKI domain. certificate domain domain-name [ sign | verify ]

By default, the device uses PKI domains configured in system view.

Perform this task when the digital signature authentication method is specified.

62. Configure the local ID.

identity local { address { ipv4-address | ipv6 ipv6-address } | dn | email email-string | fqdn fqdn-name | key-id key-id-string }

By default, no local ID is configured, and the device uses the IP address of the interface where the IPsec policy applies as the local ID.

63. Configure peer IDs.

match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } | fqdn fqdn-name | email email-string | key-id key-id-string } }

By default, no peer ID is configured.

You must configure a minimum of one peer ID on each of the two peers.

64. (Optional.) Specify the local interface or IP address to which the IKEv2 profile can be applied.

match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } }

By default, an IKEv2 profile can be applied to any local interface or IP address.

65. (Optional.) Specify a priority for the IKEv2 profile.

priority priority By default, the priority of an IKEv2 profile is 100.

66. (Optional.) Specify a VPN instance for the IKEv2 profile.

match vrf { name vrf-name | any } By default, an IKEv2 profile belongs to the public network.

67. (Optional.) Set the IKEv2 SA lifetime for the IKEv2 profile.

sa duration seconds By default, the IKEv2 SA lifetime is 86400 seconds.

83

68. (Optional.) Configure the DPD feature for the IKEv2 profile.

dpd interval interval [ retry seconds ] { on-demand | periodic }

By default, DPD is disabled for an IKEv2 profile. The global DPD settings in system view are used. If DPD is also disabled in system view, the device does not perform DPD.

69. (Optional.) Specify an inside VPN instance for the IKEv2 profile.

inside-vrf vrf-name

By default, no inside VPN instance is specified for an IKEv2 profile. The internal and external networks are in the same VPN instance. The device forwards protected data to this VPN instance.

70. (Optional.) Set the IKEv2 NAT keepalive interval.

nat-keepalive seconds By default, the global IKEv2 NAT keepalive setting is used.

71. (Optional.) Enable the configuration exchange feature.

config-exchange { request | set { accept | send } }

By default, all configuration exchange options are disabled.

72. (Optional.) Enable AAA authorization.

aaa authorization domain domain-name username user-name

By default, AAA authorization is disabled for IKEv2.

Configuring an IKEv2 policy

During the IKE_SA_INIT exchange, each end tries to find a matching IKEv2 policy, using the IP

address of the local security gateway as the matching criterion.

If IKEv2 policies are configured, IKEv2 searches for an IKEv2 policy that uses the IP address of

the local security gateway. If no IKEv2 policy uses the IP address or the policy is using an

incomplete proposal, the IKE_SA_INIT exchange fails.

If no IKEv2 policy is configured, IKEv2 uses the system default IKEv2 policy default.

The device matches IKEv2 policies in the descending order of their priorities. To determine the

priority of an IKEv2 policy:

1. First, the device examines the existence of the match local address command. An IKEv2

policy with the match local address command configured has a higher priority.

2. If a tie exists, the device compares the priority numbers. An IKEv2 policy with a smaller priority

number has a higher priority.

3. If a tie still exists, the device prefers an IKEv2 policy configured earlier.

To configure an IKEv2 policy:



74. Create an IKEv2 policy and enter IKEv2 policy view.

ikev2 policy policy-name By default, an IKEv2 policy named default exists.

75. Specify the local interface or address used for IKEv2 policy matching.

match local address { interface-type interface-number | { { ipv4-address | ipv6 ipv6-address } } }

By default, no local interface or address is used for IKEv2 policy matching, and the policy matches any local interface or address.

84

76. Specify a VPN instance for IKEv2 policy matching.

match vrf { name vrf-name | any }

By default, no VPN instance is specified for IKEv2 policy matching. The IKEv2 policy matches all local addresses in the public network.

77. Specify an IKEv2 proposal for the IKEv2 policy.

proposal proposal-name By default, no IKEv2 proposal is specified for an IKEv2 policy.

78. Specify a priority for the IKEv2 policy.

priority priority By default, the priority of an IKEv2 policy is 100.

Configuring an IKEv2 proposal

An IKEv2 proposal contains security parameters used in IKE_SA_INIT exchanges, including the

encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups. An algorithm

specified earlier has a higher priority.

A complete IKEv2 proposal must have at least one set of security parameters, including one

encryption algorithm, one integrity protection algorithm, one PRF algorithm, and one DH group.

You can specify multiple IKEv2 proposals for an IKEv2 policy. A proposal specified earlier has a

higher priority.

To configure an IKEv2 proposal:



80. Create an IKEv2 proposal and enter IKEv2 proposal view.

ikev2 proposal proposal-name

By default, an IKEv2 proposal named default exists.

In non-FIPS mode, the default proposal uses the following settings:

Encryption algorithms AES-CBC-128 and 3DES.

Integrity protection algorithms HMAC-SHA1 and HMAC-MD5.

PRF algorithms HMAC-SHA1 and HMAC-MD5.

DH groups 2 and 5.

In FIPS mode, the default proposal uses the following settings:

Encryption algorithms AES-CBC-128 and AES-CTR-128.

Integrity protection algorithms HMAC-SHA1 and HMAC-SHA256.

PRF algorithms HMAC-SHA1 and HMAC-SHA256.

DH groups 14 and 19.

81. Specify the encryption algorithms.

In non-FIPS mode:

encryption { 3des-cbc |

By default, an IKEv2 proposal does not have any encryption algorithms.

85

aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des-cbc } *

In FIPS mode:

encryption { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 } *

82. Specify the integrity protection algorithms.

In non-FIPS mode:

integrity { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *

In FIPS mode:

integrity { sha1 | sha256 | sha384 | sha512 } *

By default, an IKEv2 proposal does not have any integrity protection algorithms.

83. Specify the PRF algorithms.

In non-FIPS mode:

prf { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *

In FIPS mode:

prf { sha1 | sha256 | sha384 | sha512 } *

By default, an IKEv2 proposal uses the integrity protection algorithms as the PRF algorithms.

84. Specify the DH groups.

In non-FIPS mode:

dh { group1 | group14 | group2 | group24 | group5 | group19 | group20 } *

In FIPS mode:

dh { group14 | group24 | group19 | group20 } *

By default, an IKEv2 proposal does not have any DH groups.

Configuring an IKEv2 keychain

An IKEv2 keychain specifies the pre-shared keys used for IKEv2 negotiation.

An IKEv2 keychain can have multiple IKEv2 peers. Each peer has a symmetric pre-shared key or an

asymmetric pre-shared key pair, and information for identifying the peer (such as the peer's host

name, IP address or address range, or ID).

An IKEv2 negotiation initiator uses the peer host name or IP address/address range as the matching

criterion to search for a peer. A responder uses the peer host IP address/address range or ID as the

matching criterion to search for a peer.

To configure an IKEv2 keychain:



86. Create an IKEv2 keychain and enter IKEv2 keychain view.

ikev2 keychain keychain-name By default, no IKEv2 keychains exist.

86

87. Create an IKEv2 peer and enter IKEv2 peer view.

peer name By default, no IKEv2 peers exist.

88. Configure the information for identifying the IKEv2 peer.

To configure a host name for the peer: hostname host-name

To configure a host IP address or address range for the peer: address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] }

To configure an ID for the peer: identity { address { ipv4-address | ipv6 { ipv6-address } } | fqdn fqdn-name | email email-string | key-id key-id-string }

By default, no hostname, host IP address, address range, or identity information is configured for an IKEv2 peer.

You must configure different IP addresses/address ranges for different peers.

89. Configure a pre-shared key for the peer.

pre-shared-key [ local | remote ] { ciphertext | plaintext } string

By default, an IKEv2 peer does not have a pre-shared key.

Configure global IKEv2 parameters

Enabling the cookie challenging feature

Enable cookie challenging on responders to protect them against DoS attacks that use a large

number of source IP addresses to forge IKE_SA_INIT requests.

To enable cookie challenging:



91. Enable cookie challenging. ikev2 cookie-challenge number By default, IKEv2 cookie challenging is disabled..

Configuring the IKEv2 DPD feature

IKEv2 DPD detects dead IKEv2 peers in periodic or on-demand mode.

Periodic DPD—Verifies the liveness of an IKEv2 peer by sending DPD messages at regular

intervals.

On-demand DPD—Verifies the liveness of an IKEv2 peer by sending DPD messages before

sending data.

87

Before the device sends data, it identifies the time interval for which the last IPsec packet

has been received from the peer. If the time interval exceeds the DPD interval, it sends a

DPD message to the peer to detect its liveliness.

If the device has no data to send, it never sends DPD messages.

If you configure IKEv2 DPD in both IKEv2 profile view and system view, the IKEv2 DPD settings in

IKEv2 profile view apply. If you do not configure IKEv2 DPD in IKEv2 profile view, the IKEv2 DPD

settings in system view apply.

To configure global IKEv2 DPD:



93. Configure global IKEv2 DPD.

ikev2 dpd interval interval [ retry seconds ] { on-demand | periodic }

By default, global DPD is disabled.

Configuring the IKEv2 NAT keepalive feature

Configure this feature on the IKEv2 gateway behind the NAT device. The gateway then sends NAT

keepalive packets regularly to its peer to keep the NAT session alive, so that the peer can access the

device.

The NAT keepalive interval must be shorter than the NAT session lifetime.

This feature takes effect after the device detects the NAT device.

To configure the IKEv2 NAT keepalive feature:



95. Set the IKEv2 NAT keepalive interval.

ikev2 nat-keepalive seconds By default, the IKEv2 NAT keepalive interval is 10 seconds.

Configuring IKEv2 address pools

To perform centralized management on remote users, an IPsec gateway can use an address pool to

assign private IP addresses to remote users.

You must use an IKEv2 address pool together with AAA authorization by specifying the IKEv2

address pool as an AAA authorization attribute. For more information about AAA authorization, see

"Configuring AAA."

To configure IKE address pools:



88


97. Configure an IKEv2 IPv4 address pool.

ikev2 address-group group-name start-ipv4-address end-ipv4-address [ mask | mask-length ]

By default, no IKEv2 IPv4 address pool exists.

98. Configure an IKEv2 IPv6 address pool.

ikev2 ipv6-address-group group-name prefix prefix/prefix-len assign-len assign-len

By default, no IKEv2 IPv6 address pool exists.

Displaying and maintaining IKEv2

Execute display commands in any view and reset commands in user view.

Task Command

Display the IKEv2 proposal configuration. display ikev2 proposal [ name | default ]

Display the IKEv2 policy configuration. display ikev2 policy [ policy-name | default ]

Display the IKEv2 profile configuration. display ikev2 profile [ profile-name ]

Display the IKEv2 SA information.

display ikev2 sa [ { local | remote } { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] [ verbose [ tunnel tunnel-id ] ]

Display IKEv2 statistics. display ikev2 statistics

Delete IKEv2 SAs and the child SAs negotiated through the IKEv2 SAs.

reset ikev2 sa [ [ { local | remote } { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] | tunnel tunnel-id ] [ fast ]

Clear IKEv2 statistics. reset ikev2 statistics

Command reference

New command: aaa authorization

Use aaa authorization to enable IKEv2 AAA authorization.

Use undo aaa authorization to disable IKEv2 AAA authorization.

Syntax

aaa authorization domain domain-name username user-name

undo aaa authorization

Default

IKEv2 AAA authorization is disabled.

Views

IKEv2 profile view

89


network-admin

Parameters

domain domain-name: Specifies the ISP domain used for requesting authorization attributes. The

ISP domain name is a case-insensitive string of 1 to 255 characters and must meet the following

requirements:

The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation mark ("),

colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or an at

sign (@).

The name cannot be d, de, def, defa, defau, defaul, default, i, if, if-, if-u, if-un, if-unk, if-unkn,

if-unkno, if-unknow, or if-unknown.

username user-name: Specifies the username used for requesting authorization attributes. The

username is a case-sensitive string of 1 to 55 characters and must meet the following requirements:

The username cannot contain the domain name.

The username cannot contain a forward slash (/), backslash (\), vertical bar (|), colon (:),

asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or an at sign (@).

The username cannot be a, al, or all.

Usage guidelines

The AAA authorization feature enables IKEv2 to request authorization attributes, such as the IKEv2

IPv4 address pool, from AAA.

IKEv2 uses the ISP domain and username to request authorization attributes. AAA uses the

authorization settings in the ISP domain to request the user's authorization attributes from the

remote AAA server or the local user database. After IKEv2 passes the username authentication, it

obtains the authorization attributes.

This feature is applicable when AAA is used to centrally manage and deploy authorization attributes.

Examples

# Create an IKEv2 profile named profile1.


[Sysname] ikev2 profile profile1

# Enable AAA authorization. Specify the ISP domain name abc and the username test.

[Sysname-ikev2-profile-profile1] aaa authorization domain abc username test

Related commands

display ikev2 profile

New command: address

Use address to specify the IP address or IP address range of an IKEv2 peer.

Use undo address to restore the default.

90

Syntax

address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] }

undo address

Default

An IKEv2 peer's IP address or IP address range is not specified.

Views

IKEv2 peer view


network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the IKEv2 peer.

mask: Specifies the subnet mask of the IPv4 address.

mask-length: Specifies the subnet mask length of the IPv4 address, in the range of 0 to 32.

ipv6 ipv6-address: Specifies the IPv6 address of the IKEv2 peer.

prefix-length: Specifies the prefix length of the IPv6 address, in the range of 0 to 128.

Usage guidelines

Both the initiator and the responder can look up an IKEv2 peer by IP address in IKEv2 negotiation.

The IP addresses of different IKEv2 peers in the same IKEv2 keychain cannot be the same.

Examples

# Create an IKEv2 keychain named key1.


[Sysname] ikev2 keychain key1

# Create an IKEv2 peer named peer1.

[Sysname-ikev2-keychain-key1] peer peer1

# Specify the IKEv2 peer's IP address 3.3.3.3 with the subnet mask 255.255.255.0.

[Sysname-ikev2-keychain-key1-peer-peer1] address 3.3.3.3 255.255.255.0

Related commands

ikev2 keychain

peer

New command: authentication-method

Use authentication-method to specify the local or remote identity authentication method.

Use undo authentication-method to remove the local or remote identity authentication method.

91

Syntax

authentication-method { local | remote } { dsa-signature | ecdsa-signature | pre-share |

rsa-signature }

undo authentication-method local

undo authentication-method remote { dsa-signature | ecdsa-signature | pre-share |

rsa-signature }

Default

No local or remote identity authentication method is specified.

Views

IKEv2 profile view


network-admin

Parameters

local: Specifies the local identity authentication method.

remote: Specifies the remote identity authentication method.

dsa-signature: Specifies the DSA signatures as the identity authentication method.

ecdsa-signature: Specifies the ECDSA signatures as the identity authentication method.

pre-share: Specifies the pre-shared key as the identity authentication method.

rsa-signature: Specifies the RSA signatures as the identity authentication method.

Usage guidelines

The local and remote identity authentication methods must both be specified and they can be

different.

You can specify only one local identity authentication method. You can specify multiple remote

identity authentication methods by executing this command multiple times when there are multiple

remote ends whose authentication methods are unknown.

If you use RSA, DSA, or ECDSA signature authentication, you must specify PKI domains for

obtaining certificates. You can specify PKI domains by using the certificate domain command in

IKEv2 profile view. If you do not specify PKI domains in IKEv2 profile view, the PKI domains

configured by the pki domain command in system view will be used.

If you specify the pre-shared key method, you must specify a pre-shared key for the IKEv2 peer in

the keychain used by the IKEv2 profile.

Examples




92

# Specify the pre-shared key and RSA signatures as the local and remote authentication methods,

respectively.

[Sysname-ikev2-profile-profile1] authentication local pre-share

[Sysname-ikev2-profile-profile1] authentication remote rsa-signature

# Specify the PKI domain genl as the PKI domain for obtaining certificates.

[Sysname-ikev2-profile-profile1] certificate domain genl

# Specify the keychain keychain1.

[Sysname-ikev2-profile-profile1] keychain keychain1

Related commands


certificate domain (IKEv2 profile view)

keychain (IKEv2 profile view)

New command: certificate domain

Use certificate domain to specify a PKI domain for signature authentication in IKEv2 negotiation.

Use undo certificate domain to remove a PKI domain for signature authentication in IKEv2

negotiation.

Syntax

certificate domain domain-name [ sign | verify ]

undo certificate domain domain-name

Default

PKI domains configured in system view are used.

Views

IKEv2 profile view


network-admin

Parameters

domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters.

sign: Uses the local certificate in the PKI domain to generate a signature.

verify: Uses the CA certificate in the PKI domain to verify the remote end's certificate.

Usage guidelines

If you do not specify the sign or verify keyword, the PKI domain is used for both sign and verify

purposes. You can specify a PKI domain for each purpose by executing this command multiple times.

If you specify the same PKI domain for both purposes, the later configuration takes effect. For

example, if you execute certificate domain abc sign and certificate domain abc verify

successively, the PKI domain abc will be used only for verification.

93

If the local end uses RSA, DSA, or ECDSA signature authentication, you must specify a PKI domain

for signature generation. If the remote end uses RSA, DSA, or ECDSA signature authentication, you

must specify a PKI domain for verifying the remote end's certificate. If you do not specify PKI

domains, the PKI domains configured in system view will be used.

Examples




# Specify the PKI domain abc for signature. Specify the PKI domain def for verification.

[Sysname-ikev2-profile-profile1] certificate domain abc sign

[Sysname-ikev2-profile-profile1] certificate domain def verify

Related commands

authentication-method

pki domain

New command: config-exchange

Use config-exchange to enable the configuration exchange feature.

Use undo config-exchange to disable the configuration exchange feature.

Syntax

config-exchange { request | set { accept | send } }

undo config-exchange { request | set { accept | send } }

Default

Configuration exchange is disabled.

Views

IKEv2 profile view


network-admin

Parameters

request: Enables the device to send request messages carrying the configuration request payload

during the IKE_AUTH exchange.

set: Specifies the configuration set payload exchange.

accept: Enables the device to accept the configuration set payload carried in Info messages.

send: Enables the device to send Info messages carrying the configuration set payload.

94

Usage guidelines

The configuration exchange feature enables the local and remote ends to exchange configuration

data, such as gateway address, internal IP address, and route. The exchange includes data request

and response, and data push and response. The enterprise center can push IP addresses to

branches. The branches can request IP addresses, but the requested IP addresses cannot be used.

You can specify both request and set for the device.

If you specify request for the local end, the remote end will respond if it can obtain the requested

data through AAA authorization.

If you specify set send for the local end, you must specify set accept for the remote end.

The device with set send specified pushes an IP address after the IKEv2 SA is set up if it does not

receive any configuration request from the peer.

Examples




# Enable the local end to add the configuration request payload to the request message of

IKE_AUTH exchange.

[Sysname-ikev2-profile-profile1] config-exchange request

Related commands

aaa authorization

configuration policy


New command: description

Use description to configure a description for an IKE proposal.

Use undo description to restore the default.

Syntax

description text

undo description

Default

An IKE proposal does not have a description.

Views

IKE proposal view


network-admin

95

Parameters

text: Specifies a description, a case-sensitive string of 1 to 80 characters.

Usage guidelines

If multiple IKE proposals exist, you can use this command to configure different descriptions for them

to distinguish them.

Examples

# Configure the description test for the IKE proposal 1.


[Sysname] ike proposal 1

[Sysname-ike-proposal-1] description test

New command: display ike statistics

Use display ike statistics to display IKE statistics.

Syntax

display ike statistics

Views

Any view


network-admin

network-operator

Examples

# Display IKE statistics.

<Sysname> display ike statistics

IKE statistics:

No matching proposal: 0

Invalid ID information: 0

Unavailable certificate: 0

Unsupported DOI: 0

Unsupported situation: 0

Invalid proposal syntax: 0

Invalid SPI: 0

Invalid protocol ID: 0

Invalid certificate: 0

Authentication failure: 0

Invalid flags: 0

Invalid message id: 0

Invalid cookie: 0

Invalid transform ID: 0

Malformed payload: 0

Invalid key information: 0

96

Invalid hash information: 0

Unsupported attribute: 0

Unsupported certificate type: 0

Invalid certificate authority: 0

Invalid signature: 0

Unsupported exchange type: 0

No available SA: 0

Retransmit timeout: 0

Not enough memory: 0

Enqueue fails: 0

New command: display ikev2 policy

Use display ikev2 policy to display the IKEv2 policy configuration.

Syntax

display ikev2 policy [ policy-name | default ]

Views

Any view


network-admin

network-operator

Parameters

policy-name: Specifies an IKEv2 policy by its name, a case-insensitive string of 1 to 63 characters.

default: Specifies the default IKEv2 policy.

Usage guidelines

If you do not specify any parameters, this command displays the configuration of all IKEv2 policies.

Examples

# Display the configuration of all IKEv2 policies.

<Sysname> display ikev2 policy

IKEv2 policy: 1

Priority: 100

Match local address: 1.1.1.1

Match local address ipv6: 1:1::1:1

Match VRF: vpn1

Proposal: 1

Proposal: 2

IKEv2 policy: default

Match local address: Any

Match VRF: Any

Proposal: default

97


Field Description

IKEv2 policy Name of the IKEv2 policy.

Priority Priority of the IKEv2 policy.

Match local address IPv4 address to which the IKEv2 policy can be applied.

Match local address ipv6 IPv6 address to which the IKEv2 policy can be applied.

Match VRF VPN instance to which the IKEv2 policy can be applied.

Proposal IKEv2 proposal that the IKEv2 policy uses.

Related commands

ikev2 policy

New command: display ikev2 profile

Use display ikev2 profile to display the IKEv2 profile configuration.

Syntax

display ikev2 profile [ profile-name ]

Views

Any view


network-admin

network-operator

Parameters

profile-name: Specifies an IKEv2 profile by its name, a case-insensitive string of 1 to 63 characters. If

you do not specify an IKEv2 profile, this command displays the configuration of all IKEv2 profiles.

Examples

# Display the configuration of all IKEv2 profiles.

<Sysname> display ikev2 profile

IKEv2 profile: 1

Priority: 100

Match criteria:

Local address 1.1.1.1

Local address GigabitEthernet1/0/1

Local address 1:1::1:1

Remote identity address 3.3.3.3/32

VRF vrf1

Inside VRF: vrf1

Local identity: address 1.1.1.1

Local authentication method: pre-share

98

Remote authentication methods: pre-share

Keychain: Keychain1

Sign certificate domain:

Domain1

abc

Verify certificate domain:

Domain2

yy

SA duration: 500 seconds

DPD: Interval 32 secs, retry-interval 23 secs, periodic

Config exchange: request, set accept, set send

NAT keepalive: 10 seconds

AAA authorization: Domain domain1, username ikev2


Field Description

IKEv2 profile Name of the IKEv2 profile.

Priority Priority of the IKEv2 profile.

Match criteria Criteria for looking up the IKEv2 profile.

Inside vrf Inside VPN instance.

Local identity ID of the local end.

Local authentication method Method that the local end uses for authentication.

Remote authentication methods Methods that the remote end uses for authentication.

Keychain IKEv2 keychain that the IKEv2 profile uses.

Sign certificate domain PKI domain used for signature generation.

Verify certificate domain PKI domain used for verifying the remote end's certificate.

SA duration Lifetime of the IKEv2 SA.

DPD

DPD settings:

Detection interval in seconds.

Retry interval in seconds.

Detection mode, on demand or periodically.

If DPD is disabled, this field displays Disabled.

Config exchange

Configuration exchange settings:

request—The local end sends request messages

carrying the configuration request payload during the IKE_AUTH exchange.

set accept—The local end accepts the configuration set

payload carried in Info messages.

set send—The local end sends Info messages carrying the configuration set payload.

NAT keepalive NAT keepalive interval in seconds.

AAA authorization

AAA authorization settings:

ISP domain name.

Username.

99

Related commands

ikev2 profile

New command: display ikev2 proposal

Use display ikev2 proposal to display the IKEv2 proposal configuration.

Syntax

display ikev2 proposal [ name | default ]

Views

Any view


network-admin

network-operator

Parameters

name: Specifies an IKEv2 proposal by its name, a case-insensitive string of 1 to 63 characters.

default: Specifies the default IKEv2 proposal.

Usage guidelines

This command displays IKEv2 proposals in descending order of priorities. If you do not specify any

parameters, this command displays the configuration of all IKEv2 proposals.

Examples

# Display the configuration of all IKEv2 proposals.

<Sysname> display ikev2 proposal

IKEv2 proposal: 1

Encryption: 3DES-CBC, AES-CBC-128, AES-CTR-192, CAMELLIA-CBC-128

Integrity: MD5, SHA256, AES-XCBC

PRF: MD5, SHA256, AES-XCBC

DH group: MODP1024/Group 2, MODP1536/Group 5

IKEv2 proposal: default

Encryption: AES-CBC-128, 3DES-CBC

Integrity: SHA1, MD5

PRF: SHA1, MD5

DH group: MODP1536/Group 5, MODP1024/Group 2


Field Description

IKEv2 proposal Name of the IKEv2 proposal.

Encryption Encryption algorithms that the IKEv2 proposal uses.

Integrity Integrity protection algorithms that the IKEv2 proposal uses.

100

Field Description

PRF PRF algorithms that the IKEv2 proposal uses.

DH group DH groups that the IKEv2 proposal uses.

Related commands

ikev2 proposal

New command: display ikev2 sa

Use display ikev2 sa to display the IKEv2 SA information.

Syntax

display ikev2 sa [ { count | local | remote } { ipv4-address | ipv6 ipv6-address } [ vpn-instance

vpn-instance-name ] ] [ verbose [ tunnel tunnel-id ] ]

Views

Any view


network-admin

network-operator

Parameters

count：Displays the number of IKEv2 SAs.

local: Displays IKEv2 SA information for a local IP address.

remote: Displays IKEv2 SA information for a remote IP address.

ipv4-address: Specifies a local or remote IPv4 address.

ipv6 ipv6-address: Specifies a local or remote IPv6 address.

vpn-instance vpn-instance-name: Displays information about the IKEv2 SAs in an MPLS L3VPN

instance. The vpn-instance-name argument represents the VPN instance name, a case-sensitive

string of 1 to 31 characters. If you do not specify a VPN instance, this command displays information

about IKEv2 SAs for the public network.

verbose: Displays detailed information. If you do not specify this keyword, the command displays

the summary information.

tunnel tunnel-id: Displays detailed IKEv2 SA information for an IPsec tunnel. The tunnel-id argument

specifies an IPsec tunnel by its ID in the range of 1 to 2000000000.

Usage guidelines

If you do not specify any parameters, this command displays summary information about all IKEv2

SAs.

101

Examples

# Display summary information about all IKEv2 SAs.

<Sysname> display ikev2 sa

Tunnel ID Local Remote Status

--------------------------------------------------------------------

1 1.1.1.1/500 1.1.1.2/500 EST

2 2.2.2.1/500 2.2.2.2/500 EST

Status:

IN-NEGO: Negotiating, EST: Established, DEL: Deleting

# Display summary IKEv2 SA information for the remote IP address 1.1.1.2.

<Sysname> display ikev2 sa remote 1.1.1.2


--------------------------------------------------------------------

1 1.1.1.1/500 1.1.1.2/500 EST

Status:

IN-NEGO: Negotiating, EST: Established, DEL: Deleting


Field Description

Tunnel ID ID of the IPsec tunnel to which the IKEv2 SA belongs.

Local Local IP address of the IKEv2 SA.

Remote Remote IP address of the IKEv2 SA.

Status

Status of the IKEv2 SA:

IN-NEGO (Negotiating)—The IKEv2 SA is under

negotiation.

EST (Established)—The IKEv2 SA has been set up.

DEL (Deleting)—The IKEv2 SA is about to be deleted.

# Display detailed information about all IKEv2 SAs.

<Sysname> display ikev2 sa verbose

Tunnel ID: 1

Local IP/Port: 1.1.1.1/500

Remote IP/Port: 1.1.1.2/500

Outside VRF: -

Inside VRF: -

Local SPI: 8f8af3dbf5023a00

Remote SPI: 0131565b9b3155fa

Local ID type: FQDN

Local ID: router_a

Remote ID type: FQDN

Remote ID: router_b

Auth sign method: Pre-shared key

Auth verify method: Pre-shared key

Integrity algorithm: HMAC_MD5

102

PRF algorithm: HMAC_MD5

Encryption algorithm: AES-CBC-192

Life duration: 86400 secs

Remaining key duration: 85604 secs

Diffie-Hellman group: MODP1024/Group2

NAT traversal: Not detected

DPD: Interval 20 secs, retry interval 2 secs

Transmitting entity: Initiator

Local window: 1

Remote window: 1

Local request message ID: 2

Remote request message ID:2

Local next message ID: 0

Remote next message ID: 0

Pushed IP address: 192.168.1.5

Assigned IP address: 192.168.2.24

# Display detailed IKEv2 SA information for the remote IP address 1.1.1.2.

<Sysname> display ikev2 sa remote 1.1.1.2 verbose

Tunnel ID: 1

Local IP/Port: 1.1.1.1/500

Remote IP/Port: 1.1.1.2/500

Outside VRF: -

Inside VRF: -

Local SPI: 8f8af3dbf5023a00

Remote SPI: 0131565b9b3155fa

Local ID type: FQDN

Local ID: router_a

Remote ID type: FQDN

Remote ID: router_b

Auth sign method: Pre-shared key

Auth verify method: Pre-shared key

Integrity algorithm: HMAC_MD5

PRF algorithm: HMAC_MD5

Encryption algorithm: AES-CBC-192

Life duration: 86400 secs

Remaining key duration: 85604 secs

Diffie-Hellman group: MODP1024/Group2

NAT traversal: Not detected

DPD: Interval 30 secs, retry 10 secs

Transmitting entity: Initiator

103

Local window: 1

Remote window: 1

Local request message ID: 2

Remote request message ID: 2

Local next message ID: 0

Remote next message ID: 0

Pushed IP address: 192.168.1.5

Assigned IP address: 192.168.2.24


Field Description

Tunnel ID ID of the IPsec tunnel to which the IKEv2 SA belongs.

Local IP/Port IP address and port number of the local security gateway.

Remote IP/Port IP address and port number of the remote security gateway.

Outside VRF

Name of the VPN instance to which the protected outbound data flow belongs.

If the protected outbound data flow belongs to the public network, this field displays a hyphen (-).

Inside VRF

Name of the VPN instance to which the protected inbound data flow belongs.

If the protected inbound data flow belongs to the public network, this field displays a hyphen (-).

Local SPI SPI that the local end uses.

Remote SPI SPI that the remote end uses.

Local ID type ID type of the local security gateway.

Local ID ID of the local security gateway.

Remote ID type ID type of the remote security gateway.

Remote ID ID of the remote security gateway.

Auth sign method Signature method that the IKEv2 proposal uses in authentication.

Auth verify method Verification method that the IKEv2 proposal uses in authentication.

Integrity algorithm Integrity protection algorithms that the IKEv2 proposal uses.

PRF algorithm PRF algorithms that the IKEv2 proposal uses.

Encryption algorithm Encryption algorithms that the IKEv2 proposal uses.

Life duration Lifetime of the IKEv2 SA, in seconds.

Remaining key duration Remaining lifetime of the IKEv2 SA, in seconds.

Diffie-Hellman group DH groups used in IKEv2 key negotiation.

NAT traversal Whether a NAT gateway is detected between the local and remote ends.

DPD

DPD settings:

Detection interval in seconds.

Retry interval in seconds.

104

Field Description

If DPD is disabled, this field displays Disabled.

Transmitting entity Role of the local end in IKEv2 negotiation, initiator or responder.

Local window Window size that the local end uses.

Remote window Window size that the remote end uses.

Local request message ID ID of the request message that the local end is about to send.

Remote request message ID ID of the request message that the remote end is about to send.

Local next message ID ID of the message that the local end expects to receive.

Remote next message ID ID of the message that the remote end expects to receive.

Pushed IP address IP address pushed to the local end by the remote end.

Assigned IP address IP address assigned to the remote end by the local end .

New command: display ikev2 statistics

Use display ikev2 statistics to display IKEv2 statistics.

Syntax

display ikev2 statistics

Views

Any view


network-admin

network-operator

Examples

# Display IKEv2 statistics.

<Sysname> display ikev2 statistics

IKEv2 statistics:

Unsupported critical payload: 0

Invalid IKE SPI: 0

Invalid major version: 0

Invalid syntax: 0

Invalid message ID: 0

Invalid SPI: 0

No proposal chosen: 0

Invalid KE payload: 0

Authentication failed: 0

Single pair required: 0

TS unacceptable: 0

Invalid selectors: 0

105

Temporary failure: 0

No child SA: 0

Unknown other notify: 0

No enough resource: 0

Enqueue error: 0

No IKEv2 SA: 0

Packet error: 0

Other error: 0

Retransmit timeout: 0

DPD detect error: 0

Del child for IPsec message: 0

Del child for deleting IKEv2 SA: 0

Del child for receiving delete message: 0

New command: dh

Use dh to specify DH groups to be used in IKEv2 key negotiation.

Use undo group to restore the default.

Syntax

In non-FIPS mode:

dh { group1 | group14 | group2 | group24 | group5 | group19 | group20 } *

undo dh

In FIPS mode:

dh { group14 | group24 | group19 | group20 } *

undo dh

Default

No DH group is specified for an IKEv2 proposal.

Views

IKEv2 proposal view


network-admin

Parameters

group1: Uses the 768-bit Diffie-Hellman group.




group24: Uses the 2048-bit Diffie-Hellman group with the 256-bit prime order subgroup.

106

group19: Uses the 256-bit ECP Diffie-Hellman group.

group20: Uses the 384-bit ECP Diffie-Hellman group.

Usage guidelines

A DH group with a higher group number provides higher security but needs more time for processing.

To achieve the best trade-off between processing performance and security, choose proper DH

groups for your network.

You must specify a minimum of one DH group for an IKEv2 proposal. Otherwise, the proposal is

incomplete and useless.

You can specify multiple DH groups for an IKEv2 proposal. A group specified earlier has a higher

priority.

Examples

# Specify DH groups 1 for the IKEv2 proposal 1.


[Sysname] ikev2 proposal 1

[Sysname-ikev2-proposal-1] dh group1

Related commands

ikev2 proposal

New command: dpd

Use dpd to configure the IKEv2 DPD feature.

Use undo dpd to disable the IKEv2 DPD feature.

Syntax

dpd interval interval [ retry seconds ] { on-demand | periodic }

undo dpd interval

Default

IKEv2 DPD is disabled. The global IKEv2 DPD settings are used.

Views

IKEv2 profile view


network-admin

Parameters

interval interval: Specifies a DPD triggering interval in the range of 10 to 3600 seconds.

retry seconds: Specifies the DPD retry interval in the range of 2 to 60 seconds. The default is 5

seconds.

107

on-demand: Triggers DPD on demand. The device triggers DPD if it has IPsec traffic to send and

has not received any IPsec packets from the peer for the specified interval.

periodic: Triggers DPD at regular intervals. The device triggers DPD at the specified interval.

Usage guidelines

DPD is triggered periodically or on-demand. The on-demand mode is recommended when the

device communicates with a large number of IKEv2 peers. For an earlier detection of dead peers,

use the periodic triggering mode, which consumes more bandwidth and CPU.

The triggering interval must be longer than the retry interval, so that the device will not trigger a new

round of DPD during a DPD retry.

Examples

# Configure on-demand IKEv2 DPD. Set the DPD triggering interval to 10 seconds and the retry

interval to 5 seconds.



[Sysname-ikev2-profile-profile1] dpd interval 10 retry 5 on-demand

Related commands

ikev2 dpd

New command: encryption

Use encryption to specify encryption algorithms for an IKEv2 proposal.

Use undo encryption to restore the default.

Syntax

In non-FIPS mode:

encryption { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 |

aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des-cbc } *

undo encryption

In FIPS mode:

encryption { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 } *

undo encryption

Default

No encryption algorithm is specified for an IKEv2 proposal.

Views

IKEv2 proposal view


network-admin

108

Parameters

3des-cbc: Specifies the 3DES algorithm in CBC mode, which uses a 168-bit key.

aes-cbc-128: Specifies the AES algorithm in CBC mode, which uses a 128-bit key.



aes-ctr-128: Specifies the AES algorithm in CTR mode, which uses a 128-bit key.



camellia-cbc-128: Specifies the Camellia algorithm in CBC mode, which uses a 128-bit key.



des-cbc: Specifies the DES algorithm in CBC mode, which uses a 56-bit key.

Usage guidelines

You must specify a minimum of one encryption algorithm for an IKEv2 proposal. Otherwise, the

proposal is incomplete and useless. You can specify multiple encryption algorithms for an IKEv2

proposal. An algorithm specified earlier has a higher priority.

Examples

# Specify the 168-bit 3DES algorithm in CBC mode as the encryption algorithm for the IKE proposal

prop1.


[Sysname] ikev2 proposal prop1

[Sysname-ikev2-proposal-prop1] encryption-algorithm 3des-cbc

Related commands

ikev2 proposal

New command: hostname

Use hostname to specify the host name of an IKEv2 peer.

Use undo hostname to restore the default.

Syntax

hostname name

undo hostname

Default

An IKEv2 peer's host name is not specified.

109

Views

IKEv2 peer view


network-admin

Parameters

name: Specifies the host name of the IKEv2 peer, a case-insensitive string of 1 to 253 characters.

Usage guidelines

Only the initiator can look up an IKEv2 peer by host name in IKEv2 negotiation, and the initiator must

use an IPsec policy rather than an IPsec profile.

Examples






# Specify the host name test of the IKEv2 peer.

[Sysname-ikev2-keychain-key1-peer-peer1] hostname test

Related commands

ikev2 keychain

peer

New command: identity

Use identity to specify the ID of an IKEv2 peer.

Use undo identity to restore the default.

Syntax

identity { address { ipv4-address | ipv6 { ipv6-address } } | fqdn fqdn-name | email email-string |

key-id key-id-string }

undo identity

Default

An IKEv2 peer's ID is not specified.

Views

IKEv2 peer view


network-admin

110

Parameters

ipv4-address: Specifies the IPv4 address of the peer.

ipv6 ipv6-address: Specifies the IPv6 address of the peer.

fqdn fqdn-name: Specifies the FQDN of the peer. The fqdn-name argument is a case-sensitive

string of 1 to 255 characters, such as www.test.com.

email email-string: Specifies the email address of the peer. The email-string argument is a

case-sensitive string of 1 to 255 characters in the format defined by RFC 822, such as

[email protected].

key-id key-id-string: Specifies the remote gateway's key ID. The key-id-string argument is a

case-sensitive string of 1 to 255 characters, and is usually a vendor-specific string for doing

proprietary types of identification.

Usage guidelines

Only the responder can look up an IKEv2 peer by ID in IKEv2 negotiation. The initiator does not know

the peer ID when initiating the IKEv2 negotiation, so it cannot use an ID for IKEv2 peer lookup.

Examples






# Specify the peer IPv4 address 1.1.1.2 as the ID of the IKEv2 peer.

[Sysname-ikev2-keychain-key1-peer-peer1] identity address 1.1.1.2

Related commands

ikev2 keychain

peer

New command: identity local

Use identity local to configure the local ID, the ID that the device uses to identify itself to the peer

during IKEv2 negotiation.

Use undo identity local to restore the default.

Syntax

identity local { address { ipv4-address | ipv6 ipv6-address } | dn | email email-string | fqdn

fqdn-name | key-id key-id-string }

undo identity local

111

Default

No local ID is specified. The IP address of the interface to which the IPsec policy is applied is used as

the local ID.

Views

IKEv2 profile view


network-admin

Parameters

address { ipv4-address | ipv6 ipv6-address }: Uses an IPv4 or IPv6 address as the local ID.

dn: Uses the DN in the local certificate as the local ID.

email email-string: Uses an email address as the local ID. The email-string argument is a

case-sensitive string of 1 to 255 characters in the format defined by RFC 822, such as

[email protected].

fqdn fqdn-name: Uses an FQDN as the local ID. The fqdn-name argument is a case-sensitive string

of 1 to 255 characters, such as www.test.com.

key-id key-id-string: Uses the device's key ID as the local ID. The key-id-string argument is a

case-sensitive string of 1 to 255 characters, and is usually a vendor-specific string for doing

proprietary types of identification.

Usage guidelines

Peers exchange local IDs for identifying each other in negotiation.

Examples




# Use the IP address 2.2.2.2 as the local ID.

[Sysname-ikev2-profile-profile1] identity local address 2.2.2.2

Related commands

peer

New command: ikev2 address-group

Use ikev2 address-group to configure an IKEv2 IPv4 address pool for assigning IPv4 addresses to

remote peers.

Use undo ikev2 address-group to delete an IKEv2 IPv4 address pool.

Syntax

ikev2 address-group group-name start-ipv4-address end-ipv4-address [ mask | mask-length ]

undo ikev2 address-group group-name

112

Default

No IKEv2 IPv4 address pools exist.

Views

System view


network-admin

Parameters

group-name: Specifies an name for the IKEv2 IPv4 address pool. The group-name argument is a

case-insensitive string of 1 to 63 characters.

start-ipv4-address end-ipv4-address: Specifies an IPv4 address range. The start-ipv4-address

argument specifies the start IPv4 address. The end-ipv4-address argument specifies the end IPv4

address.

mask: Specifies the IPv4 address mask.

mask-length: Specifies the length of the IPv4 address mask.

Usage guidelines

An IKE IPv4 address pool can contain a maximum of 8192 IPv4 addresses.

Examples

# Configure an IKEv2 IPv4 address pool with the name ipv4group, address range 1.1.1.1 to 1.1.1.2,

and the mask 255.255.255.0.


[Sysname] ikev2 address-group ipv4group 1.1.1.1 1.1.1.2 255.255.255.0

# Configure an IKEv2 IPv4 address pool with the name ipv4group, address range 1.1.1.1 to 1.1.1.2,

and the mask length 32.


[Sysname] ikev2 address-group ipv4group 1.1.1.1 1.1.1.2 32

Related commands

address-group

New command: ikev2 cookie-challenge

Use ikev2 cookie-challenge to enable the cookie challenging feature.

Use undo ikev2 cookie-challenge to disable the cookie challenging feature.

Syntax

ikev2 cookie-challenge number

undo ikev2 cookie-challenge

Default

The cookie challenging feature is disabled.

113

Views

System view


network-admin

Parameters

number: Specifies the threshold for triggering the cookie challenging feature. The value range for this

argument is 0 to 1000 half-open IKE SAs.

Usage guidelines

When an IKEv2 responder maintains a threshold number of half-open IKE SAs, it starts the cookie

challenging mechanism. The responder generates a cookie and includes it in the response sent to

the initiator. If the initiator initiates a new IKE_SA_INIT request that carries the correct cookie, the

responder considers the initiator valid and proceeds with the negotiation. If the carried cookie is

incorrect, the responder terminates the negotiation.

This feature can protect the responder against DoS attacks which aim to exhaust the responder's

system resources by using a large number of IKE_SA_INIT requests with forged source IP

addresses.

Examples

# Enable the cookie challenging feature and set the threshold to 450.


[Sysname] ikev2 cookie-challenge 450

New command: ikev2 dpd

Use ikev2 dpd to configure the global IKEv2 DPD feature.

Use undo ikev2 dpd to disable the global IKEv2 DPD feature.

Syntax

ikev2 dpd interval interval [ retry seconds ] { on-demand | periodic }

undo ikev2 dpd interval

Default

The global IKEv2 DPD feature is disabled.

Views

System view


network-admin

Parameters

interval interval: Specifies a DPD triggering interval in the range of 10 to 3600 seconds.

114

retry seconds: Specifies the DPD retry interval in the range of 2 to 60 seconds. The default is 5

seconds.

on-demand: Triggers DPD on demand. The device triggers DPD if it has IPsec traffic to send and

has not received any IPsec packets from the peer for the specified interval.

periodic: Triggers DPD at regular intervals. The device triggers DPD at the specified interval.

Usage guidelines

DPD is triggered periodically or on-demand. The on-demand mode is recommended when the

device communicates with a large number of IKEv2 peers. For an earlier detection of dead peers,

use the periodic triggering mode, which consumes more bandwidth and CPU.

The triggering interval must be longer than the retry interval, so that the device will not trigger a new

round of DPD during a DPD retry.

You can configure IKEv2 DPD in both IKEv2 profile view and system view. The IKEv2 DPD settings

in IKEv2 profile view apply. If you do not configure IKEv2 DPD in IKEv2 profile view, the IKEv2 DPD

settings in system view apply.

Examples

# Configure the device to trigger IKEv2 DPD if it has IPsec traffic to send and has not received any

IPsec packets from the peer for 15 seconds.


[Sysname] ikev2 dpd interval 15 on-demand

# Configure the device to trigger IKEv2 DPD every 15 seconds.


[Sysname] ikev2 dpd interval 15 periodic

Related commands

dpd (IKEv2 profile view)

New command: ikev2 ipv6-address-group

Use ikev2 ipv6-address-group to configure an IKEv2 IPv6 address pool for assigning IPv6

addresses to remote peers.

Use undo ikev2 ipv6-address-group to delete an IKEv2 IPv6 address pool.

Syntax

ikev2 ipv6-address-group group-name prefix prefix/prefix-len assign-len assign-len

undo ikev2 ipv6-address-group group-name

Default

No IKEv2 IPv6 address pools exist.

Views

System view

115


network-admin

Parameters

group-name: Specifies a name for the IKEv2 IPv6 address pool. The group-name argument is a

case-insensitive string of 1 to 63 characters.

prefix prefix/prefix-len: Specifies an IPv6 prefix in the format of prefix/prefix length. The value range

for the prefix-len argument is 1 to 128.

assign-len assign-len: Specifies the assigned prefix length. The value range for the assign-len

argument is 0 to 128, and the value must be greater than or equal to prefix-len. The difference

between assign-len and prefix-len must be no more than 16.

Usage guidelines

Different from the IKEv2 IPv4 address pool, the device assigns an IPv6 subnet to a peer from the

IKEv2 IPv6 address pool. The peer can use the assigned IPv6 subnet to assign IPv6 addresses to

other devices.

IKEv2 IPv6 address pools cannot overlap with each other.

Examples

# Configure an IKEv2 IPv6 address pool with the name ipv6group, prefix 1:1::/64, and the assigned

prefix length 80.


[Sysname] ikev2 ipv6-address-group ipv6group prefix :1:1::/64 assign-len 80

Related commands

ipv6-address-group

New command: ikev2 keychain

Use ikev2 keychain to create an IKEv2 keychain and enter its view, or enter the view of an existing

IKEv2 keychain.

Use undo ikev2 keychain to delete an IKEv2 keychain.

Syntax

ikev2 keychain keychain-name

undo ikev2 keychain keychain-name

Default

No IKEv2 keychains exist.

Views

System view


network-admin

116

Parameters

keychain-name: Specifies a name for the IKEv2 keychain. The keychain name is a case-insensitive

string of 1 to 63 characters and cannot contain a hyphen (-).

Usage guidelines

An IKEv2 keychain is required on both ends if either end uses pre-shared key authentication. The

pre-shared key configured on both ends must be the same.

You can configure multiple IKEv2 peers in an IKEv2 keychain.

Examples

# Create an IKEv2 keychain named key1 and enter IKEv2 keychain view.



[Sysname-ikev2-keychain-key1]

New command: ikev2 nat-keepalive

Use ikev2 nat-keepalive to set the NAT keepalive interval.

Use undo ikev2 nat-keepalive to restore the default.

Syntax

ikev2 nat-keepalive seconds

undo ikev2 nat-keepalive

Default

The NAT keepalive interval is 10 seconds.

Views

System view


network-admin

Parameters

seconds: Specifies the NAT keepalive interval in seconds, in the range of 5 to 3600.

Usage guidelines

This command takes effect when the device resides in the private network behind a NAT device. The

device must send NAT keepalive packets regularly to its peer to keep the NAT session alive, so that

the peer can access the device.


Examples

# Set the NAT keepalive interval to 5 seconds.


[Sysname] ikev2 nat-keepalive 5

117

New command: ikev2 policy

Use ikev2 policy to create an IKEv2 policy and enter its view, or enter the view of an existing IKEv2

policy.

Use undo ikev2 policy to delete an IKEv2 policy.

Syntax

ikev2 policy policy-name

undo ikev2 policy policy-name

Default

An IKEv2 policy named default exists, which uses the default IKEv2 proposal and matches any local

addresses.

Views

System view


network-admin

Parameters

policy-name: Specifies a name for the IKEv2 policy. The policy name is a case-insensitive string of 1

to 63 characters.

Usage guidelines

Each end must have an IKEv2 policy for the IKE_SA_INIT exchange. The initiator looks up an IKEv2

policy by the IP address of the interface to which the IPsec policy is applied and the VPN instance to

which the interface belongs. The responder looks up an IKEv2 policy by the IP address of the

interface that receives the IKEv2 packet and the VPN instance to which the interface belongs. An

IKEv2 policy uses IKEv2 proposals to define the encryption algorithms, integrity protection

algorithms, PRF algorithms, and DH groups to be used for negotiation.

You can configure multiple IKEv2 policies. An IKEv2 policy must have a minimum of one IKEv2

proposal. Otherwise, the policy is incomplete.

If the initiator uses an IPsec policy that is bound to a source interface, the initiator looks up an IKEv2

policy by the IP address of the source interface.

You can set priorities to adjust the match order of IKEv2 policies that have the same match criteria.

If no IKEv2 policy is configured, the default IKEv2 policy is used. You cannot enter the view of the

default IKEv2 policy, nor modify it.

Examples

# Create an IKEv2 policy named policy1 and enter IKEv2 policy view.


[Sysname] ikev2 policy policy1

[Sysname-ikev2-policy-policy1]

118

Related commands

display ikev2 policy

New command: ikev2 profile

Use ikev2 profile to create an IKEv2 profile and enter its view, or enter the view of an existing IKEv2

profile.

Use undo ikev2 profile to delete an IKEv2 profile.

Syntax

ikev2 profile profile-name

undo ikev2 profile profile-name

Default

No IKEv2 profiles exist.

Views

System view


network-admin

Parameters

profile-name: Specifies a name for the IKEv2 profile. The profile name is a case-insensitive string of

1 to 63 characters.

Usage guidelines

An IKEv2 profile contains the IKEv2 SA parameters that are not negotiated, such as the identity

information and authentication methods of the peers, and the matching criteria for profile lookup.

Examples

# Create an IKEv2 profile named profile1 and enter IKEv2 profile view.



[Sysname-ikev2-profile-profile1]

Related commands


New command: ikev2 proposal

Use ikev2 proposal to create an IKEv2 proposal and enter its view, or enter the view of an existing

IKEv2 proposal.

Use undo ikev2 proposal to delete an IKEv2 proposal.

119

Syntax

ikev2 proposal proposal-name

undo ikev2 proposal proposal-name

Default

An IKEv2 proposal named default exists, which has the lowest priority and uses the following

settings:

In non-FIPS mode:

Encryption algorithm—AES-CBC-128 and 3DES.

Integrity protection algorithm—HMAC-SHA1 and HMAC-MD5.

PRF algorithm—HMAC-SHA1 and HMAC-MD5.

DH group—Group 5 and group 2.

In FIPS mode:

Encryption algorithm—AES-CBC-128 and AES-CTR-128.

Integrity protection algorithm—HMAC-SHA1 and HMAC-SHA256.

PRF algorithm—HMAC-SHA1 and HMAC-SHA256.

DH group—Group 14 and group 19.

Views

System view


network-admin

Parameters

proposal-name: Specifies a name for the IKEv2 proposal. The proposal name is a case-insensitive

string of 1 to 63 characters and cannot be default.

Usage guidelines

An IKEv2 proposal contains security parameters used in IKE_SA_INIT exchanges, including the

encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups.

An IKEv2 proposal must have a minimum of one set of security parameters, including one encryption

algorithm, one integrity protection algorithm, one PRF algorithm, and one DH group.

In an IKEv2 proposal, you can specify multiple parameters of the same type. The parameters of

different types combine and form multiple sets of security parameters. If you want to use only one set

of security parameters, configure only one set of security parameters for the IKEv2 proposal.

Examples

# Create an IKEv2 proposal named prop1. Specify the encryption algorithm AES-CBC-128, integrity

protection algorithm SHA1, PRF algorithm SHA1, and DH group 2.



[Sysname-ikev2-proposal-prop1] encryption-algorithm aes-cbc-128

120

[Sysname-ikev2-proposal-prop1] authentication-algorithm sha1

[Sysname-ikev2-proposal-prop1] prf sha1

[Sysname-ikev2-proposal-prop1] dh group2

Related commands

encryption-algorithm

integrity

prf

dh

New command: inside-vrf

Use inside-vrf to specify an inside VPN instance.

Use undo inside-vrf to restore the default.

Syntax

inside-vrf vrf-name

undo inside-vrf

Default

No inside VPN instance is specified. The internal and external networks are in the same VPN

instance. The device forwards protected data to this VPN instance.

Views

IKEv2 profile view


network-admin

Parameters

vrf-name: Specifies the VPN instance to which the protected data belongs. The vrf-name argument

represents the VPN instance name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

This command determines where the device should forward received IPsec packets after it

de-encapsulates them. If you configure this command, the device looks for a route in the specified

VPN instance to forward the packets. If you do not configure this command, the internal and external

networks are in the same VPN instance. The device looks for a route in this VPN instance to forward

the packets.

Examples




# Specify the inside VPN instance vpn1.

121

[Sysname-ikev2-profile-profile1] inside-vrf vpn1

New command: integrity

Use integrity to specify integrity protection algorithms for an IKEv2 proposal.

Use undo integrity to restore the default.

Syntax

In non-FIPS mode:

integrity { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *

undo integrity

In FIPS mode:

integrity { sha1 | sha256 | sha384 | sha512 } *

undo integrity

Default

No integrity protection algorithm is specified for an IKEv2 proposal.

Views

IKEv2 proposal view


network-admin

Parameters

aes-xcbc-mac: Uses the HMAC-AES-XCBC-MAC algorithm.

md5: Uses the HMAC-MD5 algorithm.

sha1: Uses the HMAC-SHA1 algorithm.




Usage guidelines

You must specify a minimum of one integrity protection algorithm for an IKEv2 proposal. Otherwise,

the proposal is incomplete and useless. You can specify multiple integrity protection algorithms for

an IKEv2 proposal. An algorithm specified earlier has a higher priority.

Examples

# Create an IKEv2 proposal named prop1.



122

# Specify HMAC-SHA1 and HMAC-MD5 as the integrity protection algorithms, with HMAC-SHA1

preferred.

[Sysname-ikev2-proposal-prop1] integrity sha1 md5

Related commands

ikev2 proposal

New command: keychain

Use keychain to specify an IKEv2 keychain for pre-shared key authentication.

Use undo keychain to restore the default.

Syntax

keychain keychain-name

undo keychain

Default

No IKEv2 keychain is specified for an IKEv2 profile.

Views

IKEv2 profile view


network-admin

Parameters

keychain-name: Specifies an IKEv2 keychain by its name. The keychain name is a case-insensitive

string of 1 to 63 characters and cannot contain a hyphen (-).

Usage guidelines

An IKEv2 keychain is required on both ends if either end uses pre-shared key authentication. You

can specify only one IKEv2 keychain for an IKEv2 profile.

You can specify the same IKEv2 keychain for different IKEv2 profiles.

Examples




# Specify the IKEv2 keychain keychain1.

[Sysname-ikev2-profile-profile1] keychain keychain1

Related commands


ikev2 keychain

123

New command: match local (IKEv2 profile view)

Use match local to specify a local interface or a local IP address to which an IKEv2 profile can be

applied.

Use undo match local to remove a local interface or a local IP address to which an IKEv2 profile can

be applied.

Syntax


undo match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } }

Default

An IKEv2 profile can be applied to any local interface or IP address.

Views

IKEv2 profile view


network-admin

Parameters

address: Specifies a local interface or IP address to which an IKEv2 profile can be applied.

interface-type interface-number: Specifies a local interface by its type and number. It can be any

Layer 3 interface.

ipv4-address: Specifies the IPv4 address of a local interface.

ipv6 ipv6-address: Specifies the IPv6 address of a local interface.

Usage guidelines

Use this command to specify which address or interface can use the IKEv2 profile for IKEv2

negotiation. The interface is the interface that receives IKEv2 packets. The IP address is the IP

address of the interface that receives IKEv2 packets.

An IKEv2 profile configured earlier has a higher priority. To give an IKEv2 profile that is configured

later a higher priority, you can configure the priority command or this command for the profile. For

example, suppose you configured IKEv2 profile A before configuring IKEv2 profile B, and you

configured the match remote identity address range 2.2.2.1 2.2.2.100 command for IKEv2 profile

A and the match remote identity address range 2.2.2.1 2.2.2.10 command for IKEv2 profile B. For

the local interface with the IP address 3.3.3.3 to negotiate with the peer 2.2.2.6, IKEv2 profile A is

preferred because IKEv2 profile A was configured earlier. To use IKEv2 profile B, you can use this

command to restrict the application scope of IKEv2 profile B to IPv4 address 3.3.3.3.

You can specify multiple applicable local interfaces or IP addresses for an IKEv2 profile.

Examples


124



# Apply the IKEv2 profile profile1 to the interface whose IP address is 2.2.2.2.

[Sysname-ikev2-profile-profile1] match local address 2.2.2.2

Related commands

match remote

New command: match local address (IKEv2 policy view)

Use match local address to specify a local interface or a local address that an IKEv2 policy

matches.

Use undo match local address to remove a local interface or a local address that an IKEv2 policy

matches.

Syntax


undo match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } }

Default

No local interface or address is specified, and the IKEv2 policy matches any local interface or

address.

Views

IKEv2 policy view


network-admin

Parameters

interface-type interface-number: Specifies a local interface by its type and number. It can be any

Layer 3 interface.

ipv4-address: Specifies the IPv4 address of a local interface.

ipv6 ipv6-address: Specifies the IPv6 address of a local interface.

Usage guidelines

IKEv2 policies with this command configured are looked up before those that do not have this

command configured.

Examples

# Configure the IKEv2 policy policy1 to match the local address 3.3.3.3.



[Sysname-ikev2-policy-policy1] match local address 3.3.3.3

125

Related commands


match vrf

New command: match remote

Use match remote to configure a peer ID that an IKEv2 profile matches.

Use undo match remote to delete a peer ID that an IKEv2 profile matches.

Syntax

match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ]

| range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range

low-ipv6-address high-ipv6-address } } | fqdn fqdn-name | email email-string | key-id key-id-string } }

undo match remote { certificate policy-name | identity { address { { ipv4-address [ mask

|mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] |

range low-ipv6-address high-ipv6-address } } | fqdn fqdn-name | email email-string | key-id

key-id-string } }

Default

No matching peer ID is configured for an IKEv2 profile.

Views

IKEv2 profile view


network-admin

Parameters

certificate policy-name: Uses the information in the peer's digital certificate as the peer ID for IKEv2

profile matching. The policy-name argument specifies a certificate-based access control policy by its

name, a case-insensitive string of 1 to 31 characters.

identity: Uses the specified information as the peer ID for IKEv2 profile matching. The specified

information is configured on the peer by using the identity local command.

address ipv4-address [ mask | mask-length ]: Uses an IPv4 host address or an IPv4 subnet

address as the peer ID for IKEv2 profile matching. The value range for the mask-length

argument is 0 to 32.

address range low-ipv4-address high-ipv4-address: Uses a range of IPv4 addresses as the

peer ID for IKEv2 profile matching. The end address must be higher than the start address.

address ipv6 ipv6-address [ prefix-length ]: Uses an IPv6 host address or an IPv6 subnet

address as the peer ID for IKEv2 profile matching. The value range for the prefix-length

argument is 0 to 128.

address ipv6 range low-ipv6-address high-ipv6-address: Uses a range of IPv6 addresses as

the peer ID for IKEv2 profile matching. The end address must be higher than the start address.

126

fqdn fqdn-name: Uses the peer's FQDN as the peer ID for IKEv2 profile matching. The

fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com.

email email-string: Uses peer's email address as the peer ID for IKEv2 profile matching. The

email-string argument is a case-sensitive string of 1 to 255 characters in the format defined by

RFC 822, such as [email protected].

key-id key-id-string: Uses the peer's key ID as the peer ID for IKEv2 profile matching. The

key-id-string argument is a case-sensitive string of 1 to 255 characters, and is usually a

vendor-specific string for doing proprietary types of identification.

Usage guidelines

The device compares the received peer ID with the peer IDs configured in local IKEv2 profiles. If a

match is found, it uses the IKEv2 profile with the matching peer ID for IKEv2 negotiation. If you have

configured the match local address and match vrf commands, the IKEv2 profile must also match

the specified local interface or address and the specified VPN instance.

To make sure only one IKEv2 profile is matched for a peer, do not configure the same peer ID for two

or more IKEv2 profiles. If you configure the same peer ID for two or more IKEv2 profiles, which IKEv2

profile is selected for IKEv2 negotiation is unpredictable.

You can configure an IKEv2 profile to match multiple peer IDs. A peer ID configured earlier has a

higher priority.

Examples




# Configure the IKEv2 profile to match the peer ID that is the FQDN name www.test.com.

[Sysname-ikev2-profile-profile1] match remote identity fqdn www.test.com

# Configure the IKEv2 profile to match the peer ID that is the IP address 10.1.1.1.

[Sysname-ikev2-profile-profile1]match remote identity address 10.1.1.1

Related commands

identity local

match local address

match vrf

New command: match vrf (IKEv2 policy view)

Use match vrf to specify a VPN instance that an IKEv2 policy matches.

Use undo match vrf to restore the default.

Syntax


undo match vrf

http://www.test.com/

127

Default

No VPN instance is specified, and the IKEv2 policy matches all local IP addresses in the public

network.

Views

IKEv2 policy view


network-admin

Parameters

name vrf-name: Specifies a VPN instance by its name, a case-sensitive string of 1 to 31 characters.

any: Specifies the public network and all VPN instances.

Usage guidelines

Each end must have an IKEv2 policy for the IKE_SA_INIT exchange. The initiator looks up an IKEv2

policy by the IP address of the interface to which the IPsec policy is applied and the VPN instance to

which the interface belongs. The responder looks up an IKEv2 policy by the IP address of the

interface that receives the IKEv2 packet and the VPN instance to which the interface belongs.

IKEv2 policies with this command configured are looked up before those that do not have this

command configured.

Examples

# Create an IKEv2 policy named policy1.



# Configure the IKEv2 policy to match the VPN instance vpn1.

[Sysname-ikev2-policy-policy1] match vrf name vpn1

Related commands


match local address

New command: match vrf (IKEv2 profile view)

Use match vrf to specify a VPN instance for an IKEv2 profile.

Use undo match vrf to restore the default.

Syntax


undo match vrf

Default

An IKEv2 profile belongs to the public network.

128

Views

IKEv2 profile view


network-admin

Parameters

name vrf-name: Specifies a VPN instance by its name, a case-sensitive string of 1 to 31 characters.

any: Specifies the public network and all VPN instances.

Usage guidelines

If an IKEv2 profile belongs to a VPN instance, only interfaces in the VPN instance can use the IKEv2

profile for IKEv2 negotiation. The VPN instance is the VPN instance to which the interface that

receives IKEv2 packets belongs. If you specify the any keyword, interfaces in any VPN instance can

use the IKEv2 profile for IKEv2 negotiation.

Examples




# Specify vrf1 as the VPN instance that the IKEv2 profile belongs to.

[Sysname-ikev2-profile-profile1] match vrf name vrf1

Related commands

match remote

New command: nat-keepalive

Use nat-keepalive to set the NAT keepalive interval.

Use ikev2 nat-keepalive to restore the default.

Syntax

nat-keepalive seconds

undo nat-keepalive

Default

The NAT keepalive interval set in system view is used.

Views

IKEv2 profile view


network-admin

Parameters

seconds: Specifies the NAT keepalive interval in seconds, in the range of 5 to 3600.

129

Usage guidelines

This command takes effect when the device resides in the private network behind a NAT device. The

device must send NAT keepalive packets regularly to its peer to keep the NAT session alive, so that

the peer can access the device.


Examples




# Set the NAT keepalive interval to 1200 seconds.

[Sysname-ikev2-profile-profile1]nat-keepalive 1200

Related commands


ikev2 nat-keepalive

New command: peer

Use peer to create an IKEv2 peer and enter its view, or enter the view of an existing IKEv2 peer.

Use undo peer to delete an IKEv2 peer.

Syntax

peer name

undo peer name

Default

No IKEv2 peers exist.

Views

IKEv2 keychain view


network-admin

Parameters

name: Specifies a name for the IKEv2 peer. The peer name is a case-insensitive string of 1 to 63

characters.

Usage guidelines

An IKEv2 peer contains a pre-shared key and the criteria for looking up the peer. The criteria for peer

lookup include the peer's host name, IP address, IP address range, and ID. The IKEv2 negotiation

initiator uses the peer's host name, IP address, or IP address range to look up its peer. The

responder uses the peer's IP address, IP address range, or ID to look up its peer.

130

Examples

# Create an IKEv2 keychain named key1 and enter IKEv2 keychain view.





Related commands

address

hostname

identity

ikev2 keychain

New command: pre-shared-key

Use pre-shared-key to configure a pre-shared key.

Use undo pre-shared-key to delete a pre-shared key.

Syntax

pre-shared-key [ local | remote ] { ciphertext | plaintext } string

undo pre-shared-key [ local | remote ]

Default

No pre-shared key exists.

Views

IKEv2 peer view


network-admin

Parameters

local: Specifies a pre-shared key for certificate signing.

remote: Specifies a pre-shared key for certificate authentication.

ciphertext: Specifies a pre-shared key in encrypted form.

plaintext: Specifies a pre-shared key in plaintext form. For security purposes, the key specified in

plaintext form will be stored in encrypted form.

string: Specifies the pre-shared key. The key is case sensitive. In non-FIPS mode, its plaintext form

is a string of 1 to 128 characters and its encrypted form is a string of 1 to 201 characters. In FIPS

mode, its plaintext form is a string of 15 to 128 characters and its encrypted form is a string of 15 to

201 characters.

131

Usage guidelines

If you specify the local or remote keyword, you configure an asymmetric key. If you specify neither

the local nor the remote keyword, you configure a symmetric key.

To delete a key by using the undo command, you must specify the correct key type. For example, if

you configure a key by using the pre-shared-key local command, you cannot delete the key by

using the undo pre-shared-key or undo pre-shared-key remote command.


Examples

On the initiator:






# Configure the symmetric plaintext pre-shared key 111-key.

[Sysname-ikev2-keychain-key1-peer-peer1] pre-shared-key plaintext 111-key

[Sysname-ikev2-keychain-key1-peer-peer1] quit



# Configure asymmetric plaintext pre-shared keys. The key for certificate signing is 111-key-a

and the key for certificate authentication is 111-key-b.

[Sysname-ikev2-keychain-key1-peer-peer2] pre-shared-key local plaintext 111-key-a

[Sysname-ikev2-keychain-key1-peer-peer2] pre-shared-key remote plaintext 111-key-b

On the responder:

# Create an IKEv2 keychain named telecom.


[Sysname] ikev2 keychain telecom


[Sysname-ikev2-keychain-telecom] peer peer1

# Configure the symmetric plaintext pre-shared key 111-key.

[Sysname-ikev2-keychain-telecom-peer-peer1] pre-shared-key plaintext 111-key

[Sysname-ikev2-keychain-telecom-peer-peer1] quit


[Sysname-ikev2-keychain-telecom] peer peer2

# Configure asymmetric plaintext pre-shared keys. The key for certificate signing is 111-key-b

and the key for certificate authentication is 111-key-a.

[Sysname-ikev2-keychain-telecom-peer-peer2] pre-shared-key local plaintext

111-key-b

[Sysname-ikev2-keychain-telecom-peer-peer2] pre-shared-key remote plaintext

111-key-a

132

Related commands

ikev2 keychain

peer

New command: prf

Use prf to specify pseudo-random function (PRF) algorithms for an IKEv2 proposal.

Use undo prf to restore the default.

Syntax

In non-FIPS mode:

prf { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *

undo prf

In FIPS mode:

prf { sha1 | sha256 | sha384 | sha512 } *

undo prf

Default

An IKEv2 proposal uses the integrity protection algorithms as the PRF algorithms.

Views

IKEv2 proposal view


network-admin

Parameters

aes-xcbc-mac: Uses the HMAC-AES-XCBC-MAC algorithm.

md5: Uses the HMAC-MD5 algorithm.





Usage guidelines

You can specify multiple PRF algorithms for an IKEv2 proposal. An algorithm specified earlier has a

higher priority.

Examples

# Create an IKEv2 proposal named prop1.



133

# Specify HMAC-SHA1 and HMAC-MD5 as the PRF algorithms, with HMAC-SHA1 preferred.

[Sysname-ikev2-proposal-prop1] prf sha1 md5

Related commands

ikev2 proposal

integrity

New command: priority (IKEv2 policy view)

Use priority to set a priority for an IKEv2 policy.

Use undo priority to restore the default.

Syntax

priority priority

undo priority

Default

The priority of an IKEv2 policy is 100.

Views

IKEv2 policy view


network-admin

Parameters

priority: Specifies the priority of the IKEv2 policy, in the range of 1 to 65535. A smaller number

represents a higher priority.

Usage guidelines

The priority set by this command can only be used to adjust the match order of IKEv2 policies.

Examples

# Set the priority to 10 for the IKEv2 policy policy1.



[Sysname-ikev2-policy-policy1] priority 10

Related commands


New command: priority (IKEv2 profile view)

Use priority to set a priority for an IKEv2 profile.

Use undo priority to restore the default.

134

Syntax

priority priority

undo priority

Default

The priority of an IKEv2 profile is 100.

Views

IKEv2 profile view


network-admin

Parameters

priority: Specifies the priority of the IKEv2 profile, in the range of 1 to 65535. A smaller number

represents a higher priority.

Usage guidelines

The priority set by this command can only be used to adjust the match order of IKEv2 profiles.

Examples

# Set the priority to 10 for the IKEv2 profile profile1.



[Sysname-ikev2-profile-profile1] priority 10

New command: proposal

Use proposal to specify an IKEv2 proposal for an IKEv2 policy.

Use undo proposal to remove an IKEv2 proposal from an IKEv2 policy.

Syntax

proposal proposal-name

undo proposal proposal-name

Default

No IKEv2 proposal is specified for an IKEv2 policy.

Views

IKEv2 policy view


network-admin

Parameters

proposal-name: Specifies an IKEv2 proposal by its name, a case-insensitive string of 1 to 63

characters.

135

Usage guidelines

You can specify multiple IKEv2 proposals for an IKEv2 policy. A proposal specified earlier has a

higher priority.

Examples

# Specify the IKEv2 proposal proposal1 for the IKEv2 policy policy1.



[Sysname-ikev2-policy-policy1] proposal proposal1

Related commands


ikev2 proposal

New command: reset ikev2 sa

Use reset ikev2 sa to delete IKEv2 SAs.

Syntax

reset ikev2 sa [ [ { local | remote } { ipv4-address | ipv6 ipv6-address } [ vpn-instance

vpn-instance-name ] ] | tunnel tunnel-id ] [ fast ]

Views

User view


network-admin

Parameters

local: Deletes IKEv2 SAs for a local IP address.

remote: Deletes IKEv2 SAs for a remote IP address.

ipv4-address: Specifies a local or remote IPv4 address.

ipv6 ipv6-address: Specifies a local or remote IPv6 address.

vpn-instance vpn-instance-name: Deletes IKEv2 SAs in an MPLS L3VPN instance. The

vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31

characters. If you do not specify a VPN instance, this command deletes IKEv2 SAs for the public

network.

tunnel tunnel-id: Deletes IKEv2 SAs for an IPsec tunnel. The tunnel-id argument specifies an IPsec

tunnel by its ID in the range of 1 to 2000000000.

fast: Notifies the peers of the deletion and deletes IKEv2 SAs directly before receiving the peers'

responses. If you do not specify this keyword, the device notifies the peers of the deletion and

deletes IKEv2 SAs after it receives the peers' responses.

136

Usage guidelines

Deleting an IKEv2 SA will also delete the child SAs negotiated through the IKEv2 SA.

If you do not specify any parameters, this command deletes all IKEv2 SAs and the child SAs

negotiated through the IKEv2 SAs.

Examples

# Display information about IKEv2 SAs.



--------------------------------------------------------------------

1 1.1.1.1/500 1.1.1.2/500 EST

2 2.2.2.1/500 2.2.2.2/500 EST

Status:

IN-NEGO: Negotiating EST: Established, DEL: Deleting

# Delete the IKEv2 SA whose remote IP address is 1.1.1.2.

<Sysname> reset ikev2 sa remote 1.1.1.2

# Display information about IKEv2 SAs again. Verify that the IKEv2 SA is deleted.



--------------------------------------------------------------------

2 2.2.2.1/500 2.2.2.2/500 EST

Status:

IN-NEGO: Negotiating EST: Established, DEL: Deleting

Related commands

display ikev2 sa

New command: reset ikev2 statistics

Use reset ikev2 statistics to clear IKEv2 statistics.

Syntax

reset ikev2 statistics

Views

Any view


network-admin

Examples

# Clear IKEv2 statistics.

<Sysname> reset ikev2 statistics

137

New command: sa duration

Use sa duration to set the IKEv2 SA lifetime.

Use undo sa duration to restore the default.

Syntax

sa duration seconds

undo sa duration

Default

The IKEv2 SA lifetime is 86400 seconds.

Views

IKEv2 profile view


network-admin

Parameters

seconds: Specifies the IKEv2 SA lifetime in seconds, in the range of 120 to 86400.

Usage guidelines

An IKEv2 SA can be used for subsequent IKEv2 negotiations before its lifetime expires, saving a lot

of negotiation time. However, the longer the lifetime, the higher the possibility that attackers collect

enough information and initiate attacks.

Two peers can have different IKEv2 SA lifetime settings, and they do not perform lifetime negotiation.

The peer with a shorter lifetime always initiates the rekeying.

Examples




# Set the IKEv2 SA lifetime to 1200 seconds.

[Sysname-ikev2-profile-profile1] sa duration 1200

Related commands


New command: esn enable

Use esn enable to enable the Extended Sequence Number (ESN) feature.

Use undo esn enable to disable the ESN feature.

Syntax

esn enable [ both ]

138

undo esn enable

Default

ESN is disabled.

Views

IPsec transform set view


network-admin

Parameters

both: Specifies IPsec to support both extended sequence number and traditional sequence number.

If you do not specify this keyword, IPsec only supports extended sequence number.

Usage guidelines

The ESN feature extends the sequence number length from 32 bits to 64 bits. This feature prevents

the sequence number space from being exhausted when large volumes of data are transmitted at

high speeds over an IPsec SA. If the sequence number space is not exhausted, the IPsec SA does

not need to be renegotiated.

This feature must be enabled at both the initiator and the responder.

Examples

# Enable the ESN feature in the IPsec transform set tran1.


[Sysname] ipsec transform-set tran1

[Sysname-ipsec-transform-set-tran1] esn enable

Related commands

display ipsec transform-set

New command: ikev2-profile

Use ikev2-profile to specify an IKEv2 profile for an IPsec policy or IPsec policy template.

Use undo ikev2-profile to restore the default.

Syntax

ikev2-profile profile-name

undo ikev2-profile

Default

No IKEv2 profile is specified.

Views

IPsec policy view, IPsec policy template view

139


network-admin

Parameters

profile-name: Specifies an IKEv2 profile by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

The IKEv2 profile specified for an IPsec policy or IPsec policy template defines the parameters used

for IKEv2 negotiation.

You can specify only one IKEv2 profile for an IPsec policy or IPsec policy template. On the initiator,

an IKEv2 profile is required. On the responder, an IKEv2 profile is optional. If you do not specify an

IKEv2 profile, the responder can use any IKEv2 profile for negotiation.

Examples

# Specify the IKEv2 profile profile1 for the IPsec policy policy1.


[Sysname] ipsec policy policy1 10 isakmp

[Sysname-ipsec-policy-isakmp-policy1-10] ikev2-profile profile1

Related commands

display ipsec ipv6-policy

display ipsec policy

ikev2 profile

New command: tfc enable

Use tfc enable to enable the Traffic Flow Confidentiality (TFC) padding feature.

Use undo tfc enable to disable the TFC padding feature.

Syntax

tfc enable

undo tfc enable

Default

TFC padding is disabled.

Views

IPsec policy view, IPsec policy template view


network-admin

Usage guidelines

The TFC padding feature can hide the length of the original packet, and might affect the packet

encapsulation and de-encapsulation performance. This feature takes effect on UDP packets

140

encapsulated by ESP in transport mode and on original IP packets encapsulated by ESP in tunnel

mode.

Examples

# Enable TFC padding for the IPsec policy policy1.



[Sysname-ipsec-policy-isakmp-policy1-10] tfc enable

Related commands



Modified command: ah authentication-algorithm

Old syntax

In non-FIPS mode:

ah authentication-algorithm { md5 | sha1 | sm3 } *

undo ah authentication-algorithm

In FIPS mode:

ah authentication-algorithm sha1


New syntax

In non-FIPS mode:

ah authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 | sm3 } *


In FIPS mode:

ah authentication-algorithm { sha1 | sha256 | sha384 | sha512 } *


Views


Change description

The following keywords were added:

aes-xcbc-mac: Specifies the HMAC-AES-XCBC-MAC algorithm.

sha256: Specifies the HMAC-SHA256 algorithm.



141

Modified command: display ipsec { ipv6-policy | policy }

Syntax

display ipsec { ipv6-policy | policy } [ policy-name [ seq-number ] ]

Views

Any view

Change description

The following fields were added to the command output:

Traffic Flow Confidentiality—Whether Traffic Flow Confidentiality (TFC) padding is enabled.

IKEv2 profile—IKEv2 profile used by the IPsec policy.

Modified command: display ipsec { ipv6-policy-template |

policy-template }

Syntax

display ipsec { ipv6-policy-template | policy-template } [ template-name [ seq-number ] ]

Views

Any view

Change description


Traffic Flow Confidentiality—Whether Traffic Flow Confidentiality (TFC) padding is enabled.

Selector mode—Data flow protection mode of the IPsec policy template.

Local address—Local end IP address of the IPsec tunnel.

IKEv2 profile—IKEv2 profile used by the IPsec policy template.

SA idle time—Idle timeout of the IPsec SA, in seconds.

Modified command: display ipsec sa

Syntax

display ipsec sa [ brief | count | interface interface-type interface-number | { ipv6-policy | policy }

policy-name [ seq-number ] | profile profile-name | remote [ ipv6 ] ip-address ]

Views

Any view

Change description


142

Extended Sequence Number enable—Whether Extended Sequence Number (ESN) is

enabled.

Traffic Flow Confidentiality enable—Whether Traffic Flow Confidentiality (TFC) padding is

enabled.

Inside VRF—VPN instance to which the protected data flow belongs.

The following values were added to the Perfect Forward Secrecy field:

dh-group19—256-bit ECP Diffie-Hellman group.


Modified command: display ipsec transform-set

Syntax

display ipsec transform-set [ transform-set-name ]

Views

Any view

Change description


ESN—Whether Extended Sequence Number (ESN) is enabled.

PFS—Perfect Forward Secrecy (PFS) configuration.

Modified command: display ipsec tunnel

Syntax

display ipsec tunnel { brief | count | tunnel-id tunnel-id }

Views

Any view

Change description

The following values were added to the Perfect Forward Secrecy field of the command output:



Modified command: esp authentication-algorithm

Old syntax

In non-FIPS mode:

esp authentication-algorithm { md5 | sha1 | sm3 } *

143

undo esp authentication-algorithm

In FIPS mode:

esp authentication-algorithm sha1


New syntax

In non-FIPS mode:

esp authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 | sm3 } *


In FIPS mode:

esp authentication-algorithm { sha1 | sha256 | sha384 | sha512 } *


Views


Change description


aes-xcbc-mac: Specifies the HMAC-AES-XCBC-MAC algorithm.




Modified command: esp encryption-algorithm

Old syntax

In non-FIPS mode:

esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc | null }

*

undo esp encryption-algorithm

In FIPS mode:

esp encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 }*


New syntax

In non-FIPS mode:

144

esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 |

aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des-cbc |

gmac-128 | gmac-192 | gmac-256 | gcm-128 | gcm-192 | gcm-256 | null } *


In FIPS mode:

esp encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192

| aes-ctr-256 | gmac-128 | gmac-192 | gmac-256 | gcm-128 | gcm-192 | gcm-256 }*


Views


Change description


aes-ctr-128: Uses the AES algorithm with a 128-bit key in CTR mode. This keyword is available

only for IKEv2.


only for IKEv2.


only for IKEv2.

camellia-cbc-128: Uses the Camellia algorithm with a 128-bit key in CBC mode. This keyword

is available only for IKEv2.





gmac-128: Uses the GMAC algorithm with a 128-bit key. This keyword is available only for

IKEv2.


IKEv2.


IKEv2.

gcm-128: Uses the GCM algorithm with a 128-bit key. This keyword is available only for IKEv2.



145

Modified command: pfs

Old syntax

In non-FIPS mode:

pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group24 }

undo pfs

In FIPS mode:

pfs dh-group14

undo pfs

New syntax

In non-FIPS mode:

pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group19 | dh-group20 |

dh-group24 }

undo pfs

In FIPS mode:

pfs { dh-group14 | dh-group19 | dh-group20 | dh-group24 }

undo pfs

Views


Change description


dh-group19: Uses 256-bit ECP Diffie-Hellman group. This keyword is available only for IKEv2.


Modified command: pre-shared-key

Old syntax

pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] }

| hostname host-name } key { cipher cipher-key | simple simple-key }

undo pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address

[ prefix-length ] } | hostname host-name }

New syntax

In non-FIPS mode:


| hostname host-name } key { cipher cipher-key | simple simple-key }

146



In FIPS mode:


| hostname host-name } key [ cipher cipher-key ]



Views

IKE keychain view

Change description

After modification, if you do not specify the cipher cipher-key option, you specify a plaintext

pre-shared key in interactive mode. The key is a case-sensitive string of 15 to 128 characters, and it

must contain uppercase and lowercase letters, digits, and special characters other than the question

mark (?). In non-FIPS mode, this command does not support configuring a pre-shared key in

interactive mode.

Modified command: authentication-algorithm

Old syntax

In non-FIPS mode:

authentication-algorithm { md5 | sha | sm3 }

undo authentication-algorithm

In FIPS mode:

authentication-algorithm sha


New syntax

In non-FIPS mode:

authentication-algorithm { md5 | sha | sha256 | sha384 | sha512 | sm3 }


In FIPS mode:

authentication-algorithm { sha| sha256 | sha384 | sha512 }


Views

IKE proposal view

147

Change description





New feature: SSL support for Suite B

Configuring Suite B in SSL


requirements.

In this software version, Suite B is available in SSL. In addition, a new command was added to

display the algorithm version number on the device.

Command reference

New command: display crypto version

Use display crypto version to display the algorithm version number.

Syntax

display crypto version

Views

Any view


network-admin

network-operator

Usage guidelines

The algorithm version number identifies a suite of cryptographic algorithms.

Examples

# Display the algorithm version number.

<Sysname> display crypto version

7.1.886

148


Field Description

7.1.1.886

Version number information, in the format of 7.1.X.

7.1 represents Comware V700R001, and X represents the algorithm version number.

New command: ssl version disable

Use ssl version disable to disable SSL protocol versions on the device.

Use undo ssl version disable enable SSL protocol versions on the device.

Syntax

In non-FIPS mode:

ssl version { ssl3.0 | tls1.0 | tls1.1 } * disable

undo ssl version { ssl3.0 | tls1.0 | tls1.1 } * disable

In FIPS mode:

ssl version { tls1.0 | tls1.1 } * disable

undo ssl version { tls1.0 | tls1.1 } * disable

Default

In non-FIPS mode, the device supports SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2.

In FIPS mode, the device supports TLS 1.0, TLS 1.1, and TLS 1.2.

Views

System view


network-admin

Parameters

ssl3.0: Specifies SSL 3.0.

tls1.0: Specifies TLS 1.0.

tls1.1: Specifies TLS 1.1.

Usage guidelines

Use this command to disable SSL 3.0, TLS 1.0, and TLS 1.1 on the device to enhance system

security.

An SSL client always uses the SSL protocol version specified for it (by using the version

command), whether you disable the SSL protocol version or not.

An SSL server supports only TLS 1.2 after SSL 3.0, TLS 1.0, and TLS 1.1 are disabled.

149

Disabling an SSL protocol version on the device does not affect the availability of earlier SSL protocol

versions. For example, if you execute the ssl version tls1.1 disable command, TLS 1.1 is disabled

but TLS 1.0 is still available.

In FIPS mode, the device does not support SSL 3.0.

Examples

# Disable SSL 3.0 on the device.


[Sysname] ssl version ssl3.0 disable

# Disable TLS 1.0 on the device.


[Sysname] ssl version tls1.0 disable

New command: ssl renegotiation disable

Use ssl renegotiation disable to disable SSL session renegotiation.

Use undo ssl renegotiation disable to restore the default.

Syntax

ssl renegotiation disable

undo ssl renegotiation disable

Default

SSL session renegotiation is enabled.

Views

System view


network-admin

Usage guidelines

The SSL session renegotiation feature enables the SSL client and server to reuse a previously

negotiated SSL session for an abbreviated handshake.

Disabling session renegotiation causes more computational overhead to the system but it can avoid

potential risks. Disable SSL session renegotiation only when explicitly required.

Examples

#Disable SSL session renegotiation.


[Sysname] ssl renegotiation disable

150

Modified command: version

Old syntax

In non-FIPS mode:

version { ssl3.0 | tls1.0 }

undo version

In FIPS mode:

version tls1.0

undo version

New syntax

In non-FIPS mode:

version { ssl3.0 | tls1.0 | tls1.1 | tls1.2 }

undo version

In FIPS mode:

version { tls1.0 | tls1.1 | tls1.2 }

undo version

Views

SSL client policy view

Change description


tls1.1: Specifies TLS 1.0 for the SSL client policy.

tls1.2: Specifies TLS 1.2 for the SSL client policy.

Modified command: ciphersuite

Old syntax

In non-FIPS mode:

ciphersuite { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha |

exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha |

rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 |

rsa_rc4_128_sha } *

undo ciphersuite

In FIPS mode:

151

ciphersuite { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha

| rsa_aes_256_cbc_sha } *

undo ciphersuite

New syntax

In non-FIPS mode:

ciphersuite { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha |



rsa_rc4_128_sha | rsa_aes_128_cbc_sha256 | rsa_aes_256_cbc_sha256 |

dhe_rsa_aes_128_cbc_sha256 | dhe_rsa_aes_256_cbc_sha256 |

ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_256_cbc_sha384 |

ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_gcm_sha384 |

ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_256_cbc_sha384 |

ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_gcm_sha384 } *

undo ciphersuite

In FIPS mode:

cipher { rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha256 |

rsa_aes_256_cbc_sha256 | ecdhe_rsa_aes_128_cbc_sha256 |

ecdhe_rsa_aes_256_cbc_sha384 | ecdhe_rsa_aes_128_gcm_sha256 |

ecdhe_rsa_aes_256_gcm_sha384 | ecdhe_ecdsa_aes_128_cbc_sha256 |

ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_128_gcm_sha256 |

ecdhe_ecdsa_aes_256_gcm_sha384 } *

undo ciphersuite

Views

SSL server policy view

Change description


rsa_aes_128_cbc_sha256: Specifies the key exchange algorithm RSA, the data encryption

algorithm 128-bit AES CBC , and the MAC algorithm SHA256.


algorithm 256-bit AES CBC, and the MAC algorithm SHA256.

dhe_rsa_aes_128_cbc_sha256: Specifies the key exchange algorithm DHE RSA, the data

encryption algorithm 128-bit AES CBC, and the MAC algorithm SHA256.



ecdhe_rsa_aes_128_cbc_sha256: Specifies the key exchange algorithm ECDHE RSA, the

data encryption algorithm 128-bit AES CBC, and the MAC algorithm SHA256.

152



ecdhe_rsa_aes_128_gcm_sha256: Specifies the key exchange algorithm ECDHE RSA, the

data encryption algorithm 128-bit AES GCM, and the MAC algorithm SHA256.



ecdhe_ecdsa_aes_128_cbc_sha256: Specifies the key exchange algorithm ECDHE ECDSA,

the data encryption algorithm 128-bit AES CBC, and the MAC algorithm SHA256.



ecdhe_ecdsa_aes_128_gcm_sha256: Specifies the key exchange algorithm ECDHE ECDSA,

the data encryption algorithm 128-bit AES GCM, and the MAC algorithm SHA256.



Modified command: prefer-cipher

Old syntax

In non-FIPS mode:

prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha |



rsa_rc4_128_sha }

undo prefer-cipher

In FIPS mode:


rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha }

undo prefer-cipher

New syntax

In non-FIPS mode:




rsa_rc4_128_sha | rsa_aes_128_cbc_sha256 | rsa_aes_256_cbc_sha256 |

dhe_rsa_aes_128_cbc_sha256 | dhe_rsa_aes_256_cbc_sha256 |

ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_256_cbc_sha384 |

ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_gcm_sha384 |

153

ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_256_cbc_sha384 |

ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_gcm_sha384 }

undo prefer-cipher

In FIPS mode:

prefer-cipher { rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha256 |

rsa_aes_256_cbc_sha256| ecdhe_rsa_aes_128_cbc_sha256 |

ecdhe_rsa_aes_256_cbc_sha384 | ecdhe_rsa_aes_128_gcm_sha256 |

ecdhe_rsa_aes_256_gcm_sha384 | ecdhe_ecdsa_aes_128_cbc_sha256 |

ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_128_gcm_sha256 |

ecdhe_ecdsa_aes_256_gcm_sha384 }

undo prefer-cipher

Views

SSL client policy view

Change description



algorithm 128-bit AES CBC , and the MAC algorithm SHA256.


algorithm 256-bit AES CBC, and the MAC algorithm SHA256.



















154



New feature: FIPS support for Suit B

Configuring Suite B in FIPS


requirements.

In this software version, new FIPS commands were added to support Suite B.

Command reference

New command: fips rng random size filename

Use fips rng random size filename to generate a random number and save it to a file.

Syntax

fips rng random size random-size filename filename

Views

Probe view


network-admin

Parameters

random-size: Specifies the random number size in the range of 1 to 1000000 bytes.

filename: Specifies the name of the file to save the random number. The file name is a

case-insensitive string.

Usage guidelines

Use this command in FIPS mode to generate a random number and save it to a file.

Examples

# Generate a 100000-byte random number and save it to a file named out.bin.


[Sysname-probe] fips rng random size 100000 filename out.bin

Generating random number. Please wait...

Random number saved to file successfully.

155

New command: fips rng random size round rate-statistics

Use fips rng random size round rate-statistics to calculate the average rate at which random

numbers are generated.

Syntax

fips rng random size random-size round round rate-statistics

Views

Probe view


network-admin

Parameters

random-size: Specifies the random number size in the range of 1 to 1000000 bytes.

round: Specifies the number of random number generations, in the range of 3 to 10.

Usage guidelines

Use this command in FIPS mode to calculate the average rate at which random numbers are

generated.

Examples

# Generate five 100000-byte random numbers and calculate the average rate at which the random

numbers are generated.


[Sysname-probe] fips rng random size 100000 round 5 rate-statistics

Random number generated successfully.

Rate: 5000 bytes/s

Rate: 5100 bytes/s

Rate: 4900 bytes/s

Rate: 4800 bytes/s

Rate: 52000 bytes/s

Average rate: 5000 bytes/s

New command: fips rng entropy size filename

Use fips rng entropy size filename to generate a random number entropy and save it to a file.

Syntax

fips rng entropy size entropy-size filename filename

Views

Probe view


network-admin

156

Parameters

entropy-size: Specifies the random number entropy size in the range of 1 to 1000000 bytes.

filename: Specifies the name of the file to save the random number entropy. The file name is a

case-insensitive string.

Usage guidelines

Use this command in FIPS mode to generate a random number entropy and save it to a file.

Examples

# Generate a 100000-byte random number entropy and save it to a file named out.bin.


[Sysname-probe] fips rng entropy size 100000 filename out.bin

Generating random number entropy. Please wait...

Entropy saved to file successfully.

New command: fips rng entropy size round rate-statistics

Use fips rng entropy size round rate-statistics to calculate the average rate at which random

number entropies are generated.

Syntax

fips rng entropy size entropy-size round round rate-statistics

Views

Probe view


network-admin

Parameters

entropy-size: Specifies the random number entropy size in the range of 1 to 1000000 bytes.

round: Specifies the number of random number entropy generations, in the range of 3 to 10.

Usage guidelines

Use this command in FIPS mode to calculate the average rate at which random number entropies

are generated.

Examples

# Generate five 100000-byte random number entropies and calculate the average rate at which the

random number entropies are generated.


[Sysname-probe]fips rng entropy size 100000 round 5 rate-statistics

Entropy generated successfully.

Rate: 5000 bytes/s

Rate: 5100 bytes/s

Rate: 4900 bytes/s

Rate: 4800 bytes/s

157

Rate: 52000 bytes/s

Average rate: 5000 bytes/s

New command: fips kdf

Use fips kdf to derive a key from an import file and save it to an export file.

Syntax

fips kdf { ikev1 { dsa | psk } | ikev2 | tls } import inputfile export outputfile

Views

Probe view


network-admin

Usage guidelines

Use this command in FIPS mode to derive a key for the third-party to determine whether the key

meets the CC/FIPS authentication requirements.

Examples

# Derive an ikev1 pre-shared key from an import file named ikev1_psk.req and save the key to an

export file named ikev1_psk.rsp.


[Sysname-probe] fips kdf ikev1 psk import ikev1_psk.req export ikev1_psk.rsp

New command: fips algorithm verify param

Use fips algorithm verify param to execute an algorithm test vector and generate a result file.

Syntax

fips algorithm verify param param

Views

System view


network-admin

Usage guidelines

Use this command in FIPS mode to execute an algorithm test vector and generate a result file for the

third-party to verify the result.

Examples

# Execute the DSA2 test vector in a file named 01-HP-MPC8544/DSA2/req/PQGGen.req, and

generate a result file named 01-HP-MPC8544/DSA2/resp/PQGGen.rsp.


158

[Sysname] fips algorithm verify fips_dssvs pqg 01-HP-MPC8544/DSA2/req/PQGGen.req

01-HP-MPC8544/DSA2/resp/PQGGen.rsp

Modified command: fips self-test

Syntax

fips self-test

Views

System view

Change description

Self-tests were added for the following algorithms:

3DES.

ECDH.

Random number generator (RNG).

GCM.

GMAC.

New feature: SSH support for Suite B

Configuring SSH based on Suite B algorithms


requirements. Table 2 lists all algorithms in Suite B.

The SSH server and client support using the X.509v3 certificate for identity authentication in

compliance with the algorithm, negotiation, and authentication specifications defined in RFC 6239.

Table 2 Suite B algorithms

Security

level

Key exchange

algorithm

Encryption algorithm

and HMAC algorithm Public key algorithm

128-bit ecdh-sha2-nistp256 AEAD_AES_128_GCM x509v3-ecdsa-sha2-nistp256

x509v3-ecdsa-sha2-nistp384


Both ecdh-sha2-nistp256

ecdh-sha2-nistp384

AEAD_AES_128_GCM

AEAD_AES_256_GCM



Specifying a PKI domain for the SSH server

The PKI domain specified for the SSH server has the following functions:

159

The SSH server uses the PKI domain to send its certificate to the client in the key exchange

stage.

The SSH server uses the PKI domain to authenticate the client's certificate if no PKI domain is

specified for the client authentication by using the ssh user command.

To specify a PKI domain for the SSH server:



100. Specify a PKI domain for the SSH server.

ssh server pki-domain domain-name

By default, no PKI domain is specified for the SSH server.

Establishing a connection to an Stelnet server based on Suite

B

Task Command Remarks

Establish a connection to an Stelnet server based on Suite B.

Establish a connection to an IPv4 Stelnet server based on Suite B: ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ dscp dscp-value | escape character | source { interface interface-type interface-number | ip ip-address } ] *

Establish a connection to an IPv6 Stelnet server based on Suite B: ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ -i interface-type interface-number ] [ prefer-compress zlib ] [ dscp dscp-value | escape character | source { interface interface-type interface-number | ipv6 ipv6-address } ] *

Available in user view.

The client cannot establish connections to both IPv4 and IPv6 Stelnet servers.

160

Establishing a connection to an SFTP server based on Suite

B


Establish a connection to an SFTP server based on Suite B.

Establish a connection to an IPv4 SFTP server based on Suite B: sftp server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ dscp dscp-value | source { interface interface-type interface-number | ip ip-address } ] *

Establish a connection to an IPv6 SFTP server based on Suite B: sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ -i interface-type interface-number ] [ prefer-compress zlib ] [ dscp dscp-value | source { interface interface-type interface-number | ipv6 ipv6-address } ] *


The client cannot establish connections to both IPv4 and IPv6 SFTP servers.

Establishing a connection to an SCP server based on Suite B


Establish a connection to an SCP server based on Suite B.

Establish a connection to an IPv4 SCP server based on Suite B: scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ source { interface interface-type interface-number | ip ip-address } ] *

Establish a connection to an IPv6 SCP server based on Suite B: scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] { put | get } source-file-name [ destination-file-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ source { interface interface-type interface-number | ipv6 ipv6-address } ] *


The client cannot establish connections to both IPv4 and IPv6 SCP servers.

161

Specifying algorithms for SSH2

Perform this task to specify the following types of algorithms that the SSH2 client and server use for

algorithm negotiation during the Stelnet, SFTP, or SCP session establishment:

Key exchange algorithms.

Public key algorithms.

Encryption algorithms.

MAC algorithms.

If you specify algorithms, SSH2 uses only the specified algorithms for algorithm negotiation. The

client uses the specified algorithms to initiate the negotiation, and the server uses the matching

algorithms to negotiate with the client.

If multiple algorithms of the same type are specified, the algorithm specified earlier has a higher

priority during negotiation.

Specifying key exchange algorithms for SSH2



102. Specify key exchange algorithms for SSH2.

In non-FIPS mode: ssh2 algorithm key-exchange { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } *

In FIPS mode: ssh2 algorithm key-exchange { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } *

By default, SSH2 uses the key exchange algorithms ecdh-sha2-nistp256, ecdh-sha2-nistp384, dh-group-exchange-sha1, dh-group14-sha1, and dh-group1-sha1 in descending order of priority for algorithm negotiation.

Specifying public key algorithms for SSH2



104. Specify public key algorithms for SSH2.

In non-FIPS mode: ssh2 algorithm public-key { dsa | ecdsa | rsa | x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } *

In FIPS mode: ssh2 algorithm public-key { ecdsa | rsa | x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 }

*

By default, SSH2 uses the public key algorithms x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384, ecdsa, rsa, and dsa in descending order of priority for algorithm negotiation.

162

Specifying encryption algorithms for SSH2



106. Specify encryption algorithms for SSH2.

In non-FIPS mode: ssh2 algorithm cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } *

In FIPS mode: ssh2 algorithm cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } *

By default, SSH2 uses the encryption algorithms aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm, aes256-gcm, aes128-cbc, 3des-cbc, aes256-cbc, and des-cbc in descending order of priority for algorithm negotiation.

Specifying MAC algorithms for SSH2



108. Specify MAC algorithms for SSH2.

In non-FIPS mode: ssh2 algorithm mac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } *

In FIPS mode: ssh2 algorithm mac { sha1 | sha1-96 | sha2-256 | sha2-512 } *

By default, SSH2 uses the MAC algorithms sha2-256, sha2-512, sha1, md5, sha1-96, and md5-96

in descending order of priority for algorithm negotiation.

Command reference

New command: display ssh2 algorithm

Use display ssh2 algorithm to display algorithms used by SSH2 in the algorithm negotiation stage.

Syntax

display ssh2 algorithm

Views

Any view


network-admin

network-operator

Examples

# Display algorithms used by SSH2 in the algorithm negotiation stage.

<Sysname> display ssh2 algorithm

163

Key exchange algorithms : ecdh-sha2-nistp256 ecdh-sha2-nistp384 dh-group-exchange-sha1

dh-group14-sha1 dh-group1-sha1

Public key algorithms : x509v3-ecdsa-sha2-nistp256 x509v3-ecdsa-sha2-nistp384 ecdsa rsa

dsa

Encryption algorithms : aes128-ctr aes192-ctr aes256-ctr aes128-gcm aes256-gcm

aes128-cbc 3des-cbc aes256-cbc des-cbc

MAC algorithms : sha2-256 sha2-512 sha1 md5 sha1-96 md5-96


Field Description

Key exchange algorithms Key exchange algorithms in descending order of priority for algorithm negotiation.

Public key algorithms Public key algorithms in descending order of priority for algorithm negotiation.

Encryption algorithms Encryption algorithms in descending order of priority for algorithm negotiation.

MAC algorithms MAC algorithms in descending order of priority for algorithm negotiation.

Related commands

ssh2 algorithm cipher

ssh2 algorithm key-exchange

ssh2 algorithm mac

ssh2 algorithm public-key

New command: ssh server pki-domain

Use ssh server pki-domain to specify a PKI domain for the SSH server.

Use undo ssh server pki-domain to delete the PKI domain of the SSH server.

Syntax

ssh server pki-domain domain-name

undo ssh server pki-domain

Default

No PKI domain is specified for an SSH server.

Views

System view


network-admin

Parameters

domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters,

excluding the characters listed in Table 4.

164

Table 4 Invalid characters for a PKI domain name

Character name Symbol Character name Symbol

Tilde ~ Dot .

Asterisk * Left angle bracket <

Backslash \ Right angle bracket >

Vertical bar | Quotation marks "

Colon : Apostrophe '

Examples

# Specify the PKI domain serverpkidomain for the SSH server.


[Sysname] ssh server pki-domain serverpkidomain

New command: scp ipv6 suite-b

Use scp ipv6 suite-b to establish a connection to an IPv6 SCP server based on Suite B algorithms

and transfer files with the server.

Syntax

scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type

interface-number ] { put | get } source-file-name [ destination-file-name ] suite-b [ 128-bit | 192-bit ]

pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ source

{ interface interface-type interface-number | ipv6 ipv6-address } ] *

Views

User view


network-admin

Parameters

server: Specifies a server by its IPv6 address or host name, a case-insensitive string of 1 to 253

characters.

port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs.

The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to

31 characters.

-i interface-type interface-number: Specifies an output interface by its type and number for SCP

packets. Specify this option when the server uses a link-local address to provide the SCP service for

the client. The specified output interface on the SCP client must have a link-local address.

get: Downloads the file.

put: Uploads the file.

165

source-file-name: Specifies the name of the source file.

destination-file-name: Specifies the name of the target file. If you do not specify this argument, the

target file uses the same file name as the source file.

suite-b: Specifies the Suite B algorithms. If neither the 128-bit keyword nor the 192-bit keyword is

specified, all algorithms in Suite B are used. For more information about the Suite B algorithms, see

Table 6.

128-bit: Specifies the 128-bit Suite B security level.


pki-domain domain-name: Specifies the PKI domain of the client's certificate. The domain-name

argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters, excluding

the characters listed in Table 5.



Tilde ~ Dot .





server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate.

The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31

characters, excluding the characters listed in Table 5.

prefer-compress: Specifies the preferred compression algorithm for data compression between the

server and the client. By default, compression is not supported.

zlib: Specifies the compression algorithm zlib.

source: Specifies a source IPv6 address or source interface for IPv6 SCP packets. By default, the

device automatically selects a source address for IPv6 SCP packets in compliance with RFC 3484.

For successful SCP connections, use one of the following methods:

Specify the loopback interface as the source interface.

Specify the IPv6 address of the loopback interface as the source IPv6 address.

interface interface-type interface-number: Specifies a source interface by its type and number. The

IPv6 address of this interface is the source IPv6 address of the IPv6 SCP packets.

ipv6 ipv6-address: Specifies a source IPv6 address.

166

Usage guidelines

Table 6 Suite B algorithms

Security

level

Key exchange

algorithm

Encryption algorithm

and HMAC algorithm Public key algorithm




Both ecdh-sha2-nistp256

ecdh-sha2-nistp384

AEAD_AES_128_GCM

AEAD_AES_256_GCM



If the client and the server have negotiated to use certificate authentication, the client must verify the

server's certificate. For the client to correctly get the server's certificate, you must specify the server's

PKI domain on the client by using the server-pki-domain domain-name option. The client uses the

CA certificate stored in the specified PKI domain to verify the server's certificate and does not need to

save the server's public key before authentication. If you do not specify the server's PKI domain, the

client uses the PKI domain of its own certificate to verify the server's certificate.

Examples

# Use the 192-bit Suite B algorithms to establish a connection to the SCP sever 2000::1 and

download the file abc.txt from the server. Specify the client's PKI domain and the server's PKI

domain as clientpkidomain and serverpkidomain, respectively.

<Sysname> scp ipv6 2000::1 get abc.txt suite-b 192-bit pki-domain clientpkidomain

server-pki-domain serverpkidomain

New command: scp suite-b

Use scp suite-b to establish a connection to an SCP server based on Suite B algorithms and

transfer files with the server.

Syntax

scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name

[ destination-file-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain

domain-name ] [ prefer-compress zlib ] [ source { interface interface-type interface-number | ip

ip-address } ] *

Views

User view


network-admin

Parameters


characters.


167



31 characters.

get: Downloads the file.

put: Uploads the file.

source-file-name: Specifies the name of the source file.

destination-file-name: Specifies the name of the target file. If you do not specify this argument, the

target file uses the same file name as the source file.



Table 6.








Tilde ~ Dot .











source: Specifies a source IP address or source interface for SCP packets. By default, the device

uses the primary IPv4 address of the output interface in the routing entry as the source address of

SCP packets. For successful SCP connections, use one of the following methods:




IPv4 address of this interface is the source IPv4 address of the SCP packets.

168

ip ip-address: Specifies a source IPv4 address.

Usage guidelines







Examples

# Use the 128-bit Suite B algorithms to establish a connection to the SCP sever 200.1.1.1 and

download the file abc.txt from the server. Specify the client's PKI domain and the server's PKI

domain as clientpkidomain and serverpkidomain, respectively.

<Sysname> scp 200.1.1.1 get abc.txt suite-b 128-bit pki-domain clientpkidomain

server-pki-domain serverpkidomain

New command: sftp ipv6 suite-b

Use sftp ipv6 suite-b to establish a connection to an IPv6 SFTP server based on Suite B algorithms

and enter SFTP client view.

Syntax

sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ]

pki-domain domain-name [ server-pki-domain domain-name ] [ -i interface-type interface-number ]

[ prefer-compress zlib ] [ dscp dscp-value | source { interface interface-type interface-number |

ipv6 ipv6-address } ] *

Views

User view


network-admin

Parameters


characters.




31 characters.

-i interface-type interface-number: Specifies an output interface by its type and number for IPv6

SFTP packets. Specify this option when the server uses a link-local address to provide the SFTP

service for the client. The specified output interface on the SFTP client must have a link-local

address.

169



Table 6.








Tilde ~ Dot .











dscp dscp-value: Specifies the DSCP value in the IPv6 SFTP packets. The value range for the

dscp-value argument is 0 to 63, and the default value is 48. The DSCP value determines the

transmission priority of the packet.

source: Specifies a source IP address or source interface for IPv6 SFTP packets. By default, the

device automatically selects a source address for IPv6 SFTP packets in compliance with RFC 3484.

For successful IPv6 SFTP connections, use one of the following methods:




IPv6 address of this interface is the source IP address of the IPv6 SFTP packets.


Usage guidelines




170




Examples

# Use the 192-bit Suite B algorithms to establish a connection to the SFTP sever 2000::1. Specify

the client's PKI domain and the server's PKI domain as clientpkidomain and serverpkidomain,

respectively.

<Sysname> sftp ipv6 2000::1 suite-b 192-bit pki-domain clientpkidomain server-pki-domain

serverpkidomain

New command: sftp suite-b

Use sftp suite-b to establish a connection to an IPv4 SFTP server based on Suite B algorithms and

enter SFTP client view.

Syntax

sftp server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ]

pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ dscp

dscp-value | source { interface interface-type interface-number | ip ip-address } ] *

Views

User view


network-admin

Parameters


characters.




31 characters.



Table 6.






171



Tilde ~ Dot .











dscp dscp-value: Specifies the DSCP value in the IPv4 SFTP packets. The value range for the



source: Specifies a source IP address or source interface for the SFTP packets. By default, the

device uses the primary IPv4 address of the output interface in the routing entry as the source

address of SFTP packets. For successful SFTP connections, use one of the following methods:




primary IPv4 address of this interface is the source IPv4 address of the SFTP packets.


Usage guidelines







Examples

# Use the 128-bit Suite B algorithms to establish a connection to the SFTP sever 10.1.1.2. Specify


respectively.

<Sysname> sftp 10.1.1.2 suite-b 128-bit pki-domain clientpkidomain server-pki-domain

serverpkidomain

172

New command: ssh2 ipv6 suite-b

Use ssh2 ipv6 suite-b to establish a connection to an IPv6 Stelnet server based on Suite B

algorithms.

Syntax

ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ]

pki-domain domain-name [ server-pki-domain domain-name ] [ -i interface-type interface-number ]

[ prefer-compress zlib ] [ dscp dscp-value | escape character | source { interface interface-type

interface-number | ipv6 ipv6-address } ] *

Views

User view


network-admin

Parameters


characters.

port-number: Specifies the port number of the server, in the range 1 to 65535. The default is 22.



31 characters.

-i interface-type interface-number: Specifies an output interface by its type and number for IPv6 SSH

packets. Specify this option when the server uses a link-local address to provide the Stelnet service

for the client. The specified output interface on the Stelnet client must have a link-local address.



Table 6.








Tilde ~ Dot .



173










dscp dscp-value: Specifies the DSCP value in the IPv6 SSH packets. The value range for the



escape character: Specifies a case-sensitive escape character. By default, the escape character is a

tilde (~).

source: Specifies a source IP address or source interface for IPv6 SSH packets. By default, the

device automatically selects a source address for IPv6 SSH packets in compliance with RFC 3484.

For successful IPv6 Stelnet connections, use one of the following methods:




IPv6 address of this interface is the source IP address of the IPv6 SSH packets.


Usage guidelines







The combination of an escape character and a dot (.) works as an escape sequence. This escape

sequence is typically used to quickly terminate an SSH connection when the server reboots or

malfunctions.

For the escape sequence to take effect, you must enter it at the very beginning of a line. If you have

entered other characters or performed operations in a line, enter the escape sequence in the next

line. HPE recommends that you use the default escape character (~). Do not use any character in

SSH usernames as the escape character.

174

Examples

# Use the 192-bit Suite B algorithms to establish a connection to the Stelnet sever 2000::1. Specify


respectively.

<Sysname> ssh2 ipv6 2000::1 suite-b 192-bit pki-domain clientpkidomain server-pki-domain

serverpkidomain

New command: ssh2 suite-b

Use ssh2 suite-b to establish a connection to an IPv4 Stelnet server based on Suite B algorithms.

Syntax

ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ]

pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ dscp

dscp-value | escape character | source { interface interface-type interface-number | ip ip-address } ]

*

Views

User view


network-admin

Parameters


characters.

port-number: Specifies the port number of the server, in the range 1 to 65535. The default is 22.



31 characters.



Table 6.








Tilde ~ Dot .

175












dscp dscp-value: Specifies the DSCP value in the IPv4 SSH packets. The value range for the



escape character: Specifies a case-sensitive escape character. By default, the escape character is a

tilde (~).

source: Specifies a source IP address or source interface for SSH packets. By default, the device

uses the primary IPv4 address of the output interface in the routing entry as the source address of

SSH packets. For successful Stelnet connections, use one of the following methods:




primary IPv4 address of this interface is the source IPv4 address of the SSH packets.


Usage guidelines







The combination of an escape character and a dot (.) works as an escape sequence. This escape

sequence is typically used to quickly terminate an SSH connection when the server reboots or

malfunctions.

For the escape sequence to take effect, you must enter it at the very beginning of a line. If you have

entered other characters or performed operations in a line, enter the escape sequence in the next

176

line. HPE recommends that you use the default escape character (~). Do not use any character in

SSH usernames as the escape character.

Examples

# Use the 128-bit Suite B algorithms to establish a connection to the SFTP sever 3.3.3.3. Specify the

client's PKI domain and the server's PKI domain as clientpkidomain and serverpkidomain,

respectively.

<Sysname> ssh2 3.3.3.3 suite-b 128-bit pki-domain clientpkidomain server-pki-domain

serverpkidomain

New command: ssh2 algorithm cipher

Use ssh2 algorithm cipher to specify encryption algorithms for SSH2.

Use undo ssh2 algorithm cipher to restore the default.

Syntax

In non-FIPS mode:

ssh2 algorithm cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr

| aes256-ctr | aes128-gcm | aes256-gcm } *

undo ssh2 algorithm cipher

In FIPS mode:

ssh2 algorithm cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr |

aes128-gcm | aes256-gcm } *

undo ssh2 algorithm cipher

Default

SSH2 uses the encryption algorithms aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm,

aes256-gcm, aes128-cbc, 3des-cbc, aes256-cbc, and des-cbc in descending order of priority for

algorithm negotiation.

Views

System view


network-admin

Parameters

3des-cbc: Specifies the encryption algorithm 3des-cbc. Support for this keyword depends on the

device model.

aes128-cbc: Specifies the encryption algorithm aes128-cbc.

aes256-cbc: Specifies the encryption algorithm aes256-cbc.

des-cbc: Specifies the encryption algorithm des-cbc.

177

aes128-ctr: Specifies the encryption algorithm aes128-ctr.



aes256-gcm: Specifies the encryption algorithm aes256-gcm.


Usage guidelines

If you specify the encryption algorithms, SSH2 uses only the specified algorithms for algorithm

negotiation. The algorithm specified earlier has a higher priority during negotiation.

Examples

# Specify the algorithm 3des-cbc as the encryption algorithm for SSH2.


[Sysname] ssh2 algorithm cipher 3des-cbc

Related commands



ssh2 algorithm mac


New command: ssh2 algorithm key-exchange

Use ssh2 algorithm key-exchange to specify key exchange algorithms for SSH2.

Use undo ssh2 algorithm key-exchange to restore the default.

Syntax

In non-FIPS mode:

ssh2 algorithm key-exchange { dh-group-exchange-sha1 | dh-group1-sha1 |

dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } *

undo ssh2 algorithm key-exchange

In FIPS mode:

ssh2 algorithm key-exchange { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 }

*

undo ssh2 algorithm key-exchange

Default

SSH2 uses the key exchange algorithms ecdh-sha2-nistp256, ecdh-sha2-nistp384,

dh-group-exchange-sha1, dh-group14-sha1, and dh-group1-sha1 in descending order of priority

for algorithm negotiation.

178

Views

System view


network-admin

Parameters

dh-group-exchange-sha1: Specifies the key exchange algorithm

diffie-hellman-group-exchange-sha1.

dh-group1-sha1: Specifies the key exchange algorithm diffie-hellman-group1-sha1.

dh-group14-sha1: Specifies the key exchange algorithm diffie-hellman-group14-sha1.

ecdh-sha2-nistp256: Specifies the key exchange algorithm ecdh-sha2-nistp256.


Usage guidelines

If you specify the key exchange algorithms, SSH2 uses only the specified algorithms for algorithm


Examples

# Specify the algorithm dh-group1-sha1 as the key exchange algorithm for SSH2.


[Sysname] ssh2 algorithm key-exchange dh-group1-sha1

Related commands



ssh2 algorithm mac


New command: ssh2 algorithm mac

Use ssh2 algorithm mac to specify MAC algorithms for SSH2.

Use undo ssh2 algorithm mac to restore the default.

Syntax

In non-FIPS mode:

ssh2 algorithm mac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } *

undo ssh2 algorithm mac

In FIPS mode:

ssh2 algorithm mac { sha1 | sha1-96 | sha2-256 | sha2-512 } *

undo ssh2 algorithm mac

179

Default

SSH2 uses the MAC algorithms sha2-256, sha2-512, sha1, md5, sha1-96, and md5-96 in

descending order of priority for algorithm negotiation.

Views

System view


network-admin

Parameters

md5: Specifies the HMAC algorithm hmac-md5.

md5-96: Specifies the HMAC algorithm hmac-md5-96.

sha1: Specifies the HMAC algorithm hmac-sha1.

sha1-96: Specifies the HMAC algorithm hmac-sha1-96.



Usage guidelines

If you specify the MAC algorithms, SSH2 uses only the specified algorithms for algorithm negotiation.

The algorithm specified earlier has a higher priority during negotiation.

Examples

# Specify the algorithm md5 as the MAC algorithm for SSH2.


[Sysname] ssh2 algorithm mac md5

Related commands





New command: ssh2 algorithm public-key

Use ssh2 algorithm public-key to specify public key algorithms for SSH2.

Use undo ssh2 algorithm public-key to restore the default.

Syntax

In non-FIPS mode:

ssh2 algorithm public-key { dsa | ecdsa | rsa | x509v3-ecdsa-sha2-nistp384 |

x509v3-ecdsa-sha2-nistp256 } *

180

undo ssh2 algorithm public-key

In FIPS mode:

ssh2 algorithm public-key { ecdsa | rsa | x509v3-ecdsa-sha2-nistp384 |

x509v3-ecdsa-sha2-nistp256 } *

undo ssh2 algorithm public-key

Default

SSH2 uses the public key algorithms x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384,

ecdsa, rsa, and dsa in descending order of priority for algorithm negotiation.

Views

System view


network-admin

Parameters

dsa: Specifies the public key algorithm dsa.

ecdsa: Specifies the public key algorithm ecdsa.

rsa: Specifies the public key algorithm rsa.

x509v3-ecdsa-sha2-nistp256: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp256.

x509v3-ecdsa-sha2-nistp384: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp384.

Usage guidelines

If you specify the public key algorithms, SSH2 uses only the specified algorithms for algorithm


Examples

# Specify the algorithm dsa as the public key algorithm for SSH2.


[Sysname] ssh2 algorithm public-key dsa

Related commands




ssh2 algorithm mac

Modified command: display ssh server

Syntax

display ssh server { session | status }

181

Views

Any view

Change description

In the command output, the SSH Server PKI domain name field was added to represent the PKI

domain of the SSH server.

Modified command: ssh user

Old syntax

In non-FIPS mode:

ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type

{ password | { any | password-publickey | publickey } assign { pki-domain domain-name |

publickey keyname } }

undo ssh user username

In FIPS mode:


{ password | password-publickey assign { pki-domain domain-name | publickey keyname } }


New syntax

In non-FIPS mode:


{ password | { any | password-publickey | publickey } [ assign { pki-domain domain-name |

publickey keyname } ] }


In FIPS mode:


{ password | password-publickey [ assign { pki-domain domain-name | publickey keyname } ] }


Views

System view

Change description

Before modification: The options assign { pki-domain domain-name | publickey keyname } are

required for verifying the client.

After modification: The options assign { pki-domain domain-name | publickey keyname } are

optional for verifying the client.

182

Modified command: scp

Old syntax

In non-FIPS mode:


[ destination-file-name ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher

{ 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex

{ dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 |

des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * [ publickey keyname | source

{ interface interface-type interface-number | ip ip-address } ] *

In FIPS mode:


[ destination-file-name ] [ identity-key rsa | prefer-compress zlib | prefer-ctos-cipher { aes128 |

aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher

{ aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] * [ publickey keyname | source


New syntax

In non-FIPS mode:


[ destination-file-name ] [ identity-key { dsa | ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 |

x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib |

prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr |

aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 |

sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 | dh-group1-sha1 |

dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { 3des-cbc |

aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm |

aes256-gcm } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } ] *

[ { public-key keyname | server-pki-domain domain-name } | source { interface interface-type

interface-number | ip ip-address } ] *

In FIPS mode:


[ destination-file-name ] [ identity-key { ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 |


prefer-ctos-cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr |

aes128-gcm | aes256-gcm } | prefer-ctos-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } |

prefer-kex { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher

{ aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } |

prefer-stoc-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ { public-key keyname |

server-pki-domain domain-name } | source { interface interface-type interface-number | ip

ip-address } ] *

183

Views

User view

Change description


Keywords for specifying PKI domains used in certificate verification:

pki-domain domain-name: Specifies the PKI domain of the client's certificate. When the

public key algorithm is x509v3 (x509v3-ecdsa-sha2-nistp256 or

x509v3-ecdsa-sha2-nistp384), you must specify this option for the client to get the correct

local certificate.

server-pki-domain domain-name: Specifies the PKI domain for verifying the server's

certificate. The domain-name argument represents the PKI domain name, a

case-insensitive string of 1 to 31 characters. If you do not specify the server's PKI domain,

the client uses the PKI domain of its own certificate to verify the server's certificate.

The PKI domain name cannot contain characters in the following table:

Character

name Symbol

Character

name Symbol

Tilde ~ Dot .





Keywords for specifying the publickey algorithms used in publickey authentication:


x509v3-ecdsa-sha2-nistp256: Specifies the public key algorithm

x509v3-ecdsa-sha2-nistp256.



Keywords for specifying the preferred client-to-server encryption algorithms:






Keywords for specifying the preferred client-to-server HMAC algorithms:

sha2-256: Specifies the HMAC algorithm sha2-256.


184

Keywords for specifying the preferred key exchange algorithms:



The following keywords were modified:

Keywords for the preferred client-to-server encryption algorithm prefer-ctos-cipher:

The 3des keyword was changed to 3des-cbc.

The aes128 keyword was changed to aes128-cbc.


The des keyword was changed to des-cbc.

Keywords for the preferred key exchange algorithm prefer-kex:

The dh-group-exchange keyword was changed to dh-group-exchange-sha1.

The dh-group1 keyword was changed to dh-group1-sha1.


Keywords for the preferred server-to-client encryption algorithm prefer-stoc-cipher:





The default settings for the following algorithms were changed:

For the preferred client-to-server encryption algorithm prefer-ctos-cipher:

Before modification: The default is aes128.

After modification: The default is aes128-ctr.

For the preferred client-to-server HMAC algorithm prefer-ctos-hmac:

Before modification: The default is sha1.

After modification: The default is sha2-256.

For the preferred key exchange algorithm prefer-kex:

Before modification: The default is dh-group-exchange in non-FIPS mode and is

dh-group14 in FIPS mode.

After modification: The default is ecdh-sha2-nistp256 in both non-FIPS mode and FIPS

mode.

For the preferred server-to-client encryption algorithm prefer-stoc-cipher:



For the preferred server-to-client HMAC algorithm prefer-stoc-hmac:


185


Modified command: scp ipv6

Old syntax

In non-FIPS mode:


interface-number ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | rsa }

| prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac

{ md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } |

prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 |

sha1-96 } ] * [ publickey keyname | source { interface interface-type interface-number | ipv6

ipv6-address } ] *

In FIPS mode:


interface-number ] { put | get } source-file-name [ destination-file-name ] [ identity-key rsa |

prefer-compress zlib | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 |

sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac

{ sha1 | sha1-96 } ] * [ publickey keyname | source { interface interface-type interface-number |

ipv6 ipv6-address } ] *

New syntax

In non-FIPS mode:


interface-number ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | ecdsa

| rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name }

| prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc |

aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { md5 |

md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 |

dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } |

prefer-stoc-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr |

aes256-ctr | aes128-gcm | aes256-gcm } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 |

sha2-256 | sha2-512 } ] * [ { public-key keyname | server-pki-domain domain-name } | source


In FIPS mode:


interface-number ] { put | get } source-file-name [ destination-file-name ] [ identity-key { ecdsa | rsa

| { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } |

prefer-compress zlib | prefer-ctos-cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr |

aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { sha1 | sha1-96 | sha2-256 |

sha2-512 } | prefer-kex { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } |

186

prefer-stoc-cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr |

aes128-gcm | aes256-gcm } | prefer-stoc-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } ] *


interface-number | ipv6 ipv6-address } ] *

Views

User view

Change description






local certificate.






Character

name Symbol

Character

name Symbol

Tilde ~ Dot .

















187

































mode.



188





Modified command: sftp

Old syntax

In non-FIPS mode:

sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } |

prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac



sha1-96 } ] * [ dscp dscp-value | publickey keyname | source { interface interface-type

interface-number | ip ip-address} ] *

In FIPS mode:

sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key rsa |



{ sha1 | sha1-96 } ] * [ publickey keyname | source { interface interface-type interface-number | ip

ip-address } ] *

New syntax

In non-FIPS mode:

sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | ecdsa | rsa |

{ x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } |

prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc |






sha2-256 | sha2-512 } ] * [ dscp dscp-value | { public-key keyname | server-pki-domain

domain-name } | source { interface interface-type interface-number | ip ip-address } ] *

In FIPS mode:

sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { ecdsa | rsa |





189





Views

User view

Change description






local certificate.






Character

name Symbol

Character

name Symbol

Tilde ~ Dot .

















190

































mode.



191





Modified command: sftp ipv6

Old syntax

In non-FIPS mode:

sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type

interface-number ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des |

aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex


des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * [ dscp dscp-value | publickey

keyname | source { interface interface-type interface-number | ipv6 ipv6-address } ] *

In FIPS mode:


interface-number ] [ identity-key rsa | prefer-compress zlib | prefer-ctos-cipher { aes128 |


{ aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] * [ publickey keyname | source


New syntax

In non-FIPS mode:


interface-number ] [ identity-key { dsa | ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 |








[ dscp dscp-value | { public-key keyname | server-pki-domain domain-name } | source { interface

interface-type interface-number | ipv6 ipv6-address } ] *

In FIPS mode:


interface-number ] [ identity-key { ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 |



192




prefer-stoc-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ { public-key keyname |

server-pki-domain domain-name } | source { interface interface-type interface-number | ipv6

ipv6-address } ] *

Views

User view

Change description






local certificate.






Character

name Symbol

Character

name Symbol

Tilde ~ Dot .















193



































mode.

194







Modified command: ssh2

Old syntax

In non-FIPS mode:

ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } |

prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac



sha1-96 } ] * [ dscp dscp-value | escape character | publickey keyname | source { interface

interface-type interface-number | ip ip-address } ] *

In FIPS mode:

ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key rsa |



{ sha1 | sha1-96 } ] * [ escape character | publickey keyname | source { interface interface-type


New syntax

In non-FIPS mode:

ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | ecdsa | rsa |


prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc |






sha2-256 | sha2-512 } ] * [ dscp dscp-value | escape character | { public-key keyname |

server-pki-domain domain-name } | source { interface interface-type interface-number | ip

ip-address } ] *

In FIPS mode:

ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { ecdsa | rsa |


195






[ escape character | { public-key keyname | server-pki-domain domain-name } | source


Views

User view

Change description






local certificate.






Character

name Symbol

Character

name Symbol

Tilde ~ Dot .















196



































mode.

197







Modified command: ssh2 ipv6

Old syntax

In non-FIPS mode:

ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type

interface-number ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des |

aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex


des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * [ dscp dscp-value | escape

character | publickey keyname | source { interface interface-type interface-number | ipv6

ipv6-address } ] *

In FIPS mode:


interface-number ] [ identity-key rsa | prefer-compress zlib | prefer-ctos-cipher { aes128 |


{ aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] * [ escape character | publickey

keyname | source { interface interface-type interface-number | ipv6 ipv6-address } ] *

New syntax

In non-FIPS mode:


interface-number ] [ identity-key { dsa | ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 |








[ dscp dscp-value | escape character | { public-key keyname | server-pki-domain domain-name }

| source { interface interface-type interface-number | ipv6 ipv6-address } ] *

In FIPS mode:

198


interface-number ] [ identity-key { ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 |






prefer-stoc-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ escape character | { public-key

keyname | server-pki-domain domain-name } | source { interface interface-type interface-number

| ipv6 ipv6-address } ] *

Views

User view

Change description






local certificate.






Character

name Symbol

Character

name Symbol

Tilde ~ Dot .












199



































200




mode.







New command: fips kdf ssh

Use fips kdf ssh to generate a validation file in SSH Key Derivation Function (KDF) test.

Syntax

fips kdf ssh import single-request-file export validation-file

Views

Probe view


network-admin

Parameters

import single-request-file: Specifies the name of the single request file generated by CAVS.

export validation-file: Specifies a name for the validation file to be generated.

Usage guidelines

SSH gets parameters from the single request file and sends them to the key derivation module. After

the key derivation module returns the calculation result, SSH stores the calculation result in the

validation file.

Examples

# Specify ssh.req and ssh.txt as the single request file and the validation file, respectively.


[Sysname] probe

[Sysname-probe] fips ssh kdf import ssh.req export ssh.txt

201

New feature: Ignoring the first AS number

of EBGP route updates for a peer or peer

group

Configuring Ignoring the first AS number of EBGP

route updates for a peer or peer group

By default, BGP checks the first AS number of a received EBGP route update. If the first AS number

is neither the AS number of the BGP peer nor a private AS number, the BGP router disconnects the

BGP session to the peer.

To ignore the first AS number of EBGP route updates for a peer or peer group:



110. Enter BGP instance view or BGP-VPN instance view.

Enter BGP instance view: bgp as-number

Enter BGP-VPN instance view:

a. bgp as-number

b. ip vpn-instance

vpn-instance-name

N/A

111. Configure BGP to ignore the first AS number of EBGP route updates for a peer or peer group.

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } ignore-first-as

By default, BGP checks the first AS number of EBGP route updates.

Command reference

peer ignore-first-as

Use peer ignore-first-as to configure BGP to ignore the first AS number of EBGP route updates for

a peer or peer group.

Use undo peer ignore-first-as to restore the default.

Syntax

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } ignore-first-as

undo peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] }

ignore-first-as

202

Default

BGP checks the first AS number of a received EBGP route update.

Views

BGP instance view

BGP-VPN instance view


network-admin

Parameters

group-name: Specifies a peer group by its name, a case-sensitive string of 1 to 47 characters. The

peer group must have created.

ipv4-address: Specifies a peer by its IPv4 address. The peer must have been created.

mask-length: Specifies a mask length in the range of 0 to 32. You can use the ipv4-address and

mask-length arguments together to specify a subnet. If you specify a subnet, BGP ignores the first

AS number of EBGP route updates for all dynamic peers in the subnet.

ipv6-address: Specifies a peer by its IPv6 address. The peer must have been created.

prefix-length: Specifies a prefix length in the range of 0 to 128. You can use the ipv6-address and

prefix-length arguments together to specify a subnet. If you specify a subnet, BGP ignores the first

AS number of EBGP route updates for all dynamic peers in the subnet.

Usage guidelines

By default, BGP checks the first AS number of a received EBGP route update. If the first AS number

is neither the AS number of the BGP peer nor a private AS number, the BGP router disconnects the

BGP session to the peer.

The peer ignore-first-as command takes effect only on routes received after the configuration of the

command. After you configure the undo peer ignore-first-as command, BGP requests the EBGP

peer or peer group to resend the routes.

Examples

# In BGP instance view, configure BGP to ignore the first AS number of EBGP route updates for the

peer group test.


[Sysname] bgp 100

[Sysname-bgp-default] peer test ignore-first-as

203

Modified feature: Support for Ethernet link

aggregation on Layer 3 Ethernet

subinterfaces


Layer 3 Ethernet subinterfaces can be assigned to Layer 3 aggregation groups. The following

commands are supported in Layer 3 Ethernet subinterface view:

lacp mode

lacp period short

link-aggregation port-priority

port link-aggregation group

To configure a Layer 3 static aggregation group:



113. Create a Layer 3 aggregate interface and enter Layer 3 aggregate interface view.

interface route-aggregation interface-number

When you create a Layer 3 aggregate interface, the system automatically creates a Layer 3 static aggregation group numbered the same.

114. Return to system view. quit N/A

115. Assign an interface or subinterface to the specified Layer 3 aggregation group.

a. Enter Layer 3 Ethernet interface or subinterface view: interface interface-type { interface-number | interface-number.subnumber }

b. Assign the interface or subinterface to the specified Layer 3 aggregation group: port link-aggregation group number

Repeat these two substeps to assign more Layer 3 Ethernet interfaces or subinterfaces to the aggregation group.

To configure a Layer 3 dynamic aggregation group:



204


117. Set the system LACP priority.

lacp system-priority system-priority

By default, the system LACP priority is 32768.

Changing the system LACP priority might affect the aggregation states of the ports in the dynamic aggregation group.

118. Create a Layer 3 aggregate interface and enter Layer 3 aggregate interface view.


When you create a Layer 3 aggregate interface, the system automatically creates a Layer 3 static aggregation group numbered the same.

119. Configure the aggregation group to operate in dynamic mode.

link-aggregation mode dynamic

By default, an aggregation group operates in static mode.

120. Return to system view. quit N/A

121. Assign an interface or subinterface to the specified Layer 3 aggregation group.

a. Enter Layer 3 Ethernet interface or subinterface view: interface interface-type { interface-number | interface-number.subnumber }

b. Assign the interface or subinterface to the specified Layer 3 aggregation group: port link-aggregation group number

Repeat these two substeps to assign more Layer 3 Ethernet interfaces or subinterfaces to the aggregation group.

122. Set the LACP operating mode for the interface or subinterface.

Set the LACP operating mode to passive: lacp mode passive

Set the LACP operating mode to active: undo lacp mode

By default, LACP is operating in active mode.

123. Set the port priority for the interface or subinterface.

link-aggregation port-priority port-priority

The default setting is 32768.

124. Set the short LACP timeout interval (3 seconds) for the interface or subinterface.

lacp period short

By default, the long LACP timeout interval (90 seconds) is used by the interface or subinterface.

To avoid traffic interruption during an ISSU, do not set the short LACP timeout interval before performing the ISSU. For more information about ISSU, see Fundamentals Configuration Guide.

205

Command changes

Modified command: lacp mode

Syntax

lacp mode passive

Views

Layer 2 Ethernet interface view, Layer 3 Ethernet interface view, Layer 3 Ethernet subinterface view

Change description

Layer 3 Ethernet subinterface view was added.

Modified command: lacp period short

Syntax

lacp period short

Views


Change description


Modified command: link-aggregation port-priority

Syntax

link-aggregation port-priority port-priority

Views


Change description


Modified command: port link-aggregation group

Syntax

port link-aggregation group number

Views


206

Change description


A Layer 3 Ethernet subinterface can belong to only one aggregation group.

You cannot create subinterfaces on a Layer 3 Ethernet interface that is in an aggregation group. You

cannot assign a Layer 3 Ethernet interface that contains subinterfaces to an aggregation group.

When you assign a Layer 3 Ethernet subinterface to an aggregation group, follow these restrictions

and guidelines:

As a best practice, configure the VLAN termination commands on the subinterface first if VLAN

termination is required. VLAN termination configuration on the subinterface cannot be modified

after the subinterface is assigned to an aggregation group.

Make sure the VLAN termination configuration is the same on all Layer 3 Ethernet

subinterfaces when you assign the subinterfaces to the same aggregation group.

When you configure the vlan-type dot1q vid vlan-id-list [ loose ] command on a subinterface

to be assigned a dynamic aggregation group, make sure the vlan-id-list argument specifies only

one VLAN ID.

You cannot assign Layer 3 Ethernet interfaces and Layer 3 Ethernet subinterfaces to the same

aggregation group.

You cannot create aggregate subinterfaces on a Layer 3 aggregate interface whose corresponding

aggregation group uses Layer 3 Ethernet subinterfaces as member ports. You cannot assign Layer 3

Ethernet subinterfaces to an aggregation group whose corresponding aggregate interface has

aggregate subinterfaces.

Modified feature: Changing the maximum

number of FIB table entries


The maximum number of FIB entries that MSR2003 supports for the IPv4 public network is changed

to 300000.

The maximum number of FIB entries that MSR2003 supports for the IPv6 public network is changed

to 300000.

Command changes

None

207

Modified feature: Enabling CWMP


The default CWMP status was changed from disabled to enabled.

To enable CWMP:



126. Enter CWMP view. cwmp N/A

127. Enable CWMP. cwmp enable By default, CWMP is enabled.

Command changes

Modified command: cwmp enable

Syntax

cwmp enable

undo cwmp enable

Views

CWMP view

Change description

Before modification: CWMP is disabled by default.

After modification: CWMP is enabled by default.

Release 0305


New feature: IKE

Modified feature: IPsec

208

New feature: IKE


IKEv2 was added.

For more information about IKEv2 configuration guide, see the following HPE FlexNetwork MSR

Routers Security Configuration Guide(V7).

Command changes

New command: IKEv2 command

For more information about IKEv2 commands, see the following HPE FlexNetwork MSR Routers

Security Command Reference(V7).

Modified feature: IPsec


IPsecv3 was Modified.

Command changes

Modified command: ah authentication-algorithm

Old syntax

In non-FIPS mode:

ah authentication-algorithm { md5 | sha1 | sm3 } *


In FIPS mode:

ah authentication-algorithm sha1


New syntax

In non-FIPS mode:

209

ah authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 | sm3 } *


In FIPS mode:

ah authentication-algorithm { sha1 | sha256 | sha384 | sha512 } *


Views


Change description


aes-xcbc-mac: Specifies the HMAC-AES-XCBC-MAC algorithm, which uses a 128-bit key.

This keyword is available only for IKEv2.

sha256: Specifies the HMAC-SHA256 algorithm, which uses a 256-bit key. This keyword is

available only for IKEv2.





New command: esn enable

Use esn enable to enable the Extended Sequence Number (ESN) feature.

Use undo esn enable to disable ESN.

Syntax

esn enable [ both ]

undo esn enable

Default

ESN is disabled.

Views



network-admin

Parameters both: Specifies IPsec to support both extended sequence number and traditional sequence number.

If you do not specify this keyword, IPsec only supports extended sequence number.

210

Usage guidelines

The ESN feature extends the sequence number length from 32 bits to 64 bits. This feature prevents

the sequence number space from being exhausted when large volumes of data are transmitted at

high speeds over an IPsec SA. If the sequence number space is not exhausted, the IPsec SA does

not need to be renegotiated.

This feature must be enabled at both the initiator and the responder.

Examples

# Enable ESN in the IPsec transform set tran1.


[Sysname] ipsec transform-set tran1

[Sysname-ipsec-transform-set-tran1] esn enable

Related commands

display ipsec transform-set

Modified command: esp authentication-algorithm

Old syntax

In non-FIPS mode:

esp authentication-algorithm { md5 | sha1 | sm3 } *


In FIPS mode:

esp authentication-algorithm sha1


New syntax

In non-FIPS mode:

esp authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 | sm3 } *


In FIPS mode:

esp authentication-algorithm { sha1 | sha256 | sha384 | sha512 } *


Views


Change description


aes-xcbc-mac: Specifies the HMAC-AES-XCBC-MAC algorithm, which uses a 128-bit key.


211








Old syntax

Low encryption:

esp encryption-algorithm des-cbc


High encryption (in non-FIPS mode):

esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc | null

| sm1-cbc-128 | sm1-cbc-192 | sm1-cbc-256 } *


High encryption (in FIPS mode):

esp encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 }*


New syntax

Low encryption:

esp encryption-algorithm des-cbc



esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 |

aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des-cbc |

gmac-128 | gmac-192 | gmac-256 | gcm-128 | gcm-192 | gcm-256 | null | sm1-cbc-128 |

sm1-cbc-192 | sm1-cbc-256 | sm4-cbc } *


High encryption (in FIPS mode):

esp encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192

| aes-ctr-256 | gmac-128 | gmac-192 | gmac-256 | gcm-128 | gcm-192 | gcm-256 }*


212

Views


Change description


aes-ctr-128: Specifies the AES algorithm in CTR mode, which uses a 128-bit key. This keyword












gmac-128: Specifies the GMAC algorithm, which uses a 128-bit key. This keyword is available

only for IKEv2.


only for IKEv2.


only for IKEv2.

gcm-128: Specifies the GCM algorithm, which uses a 128-bit key. This keyword is available

only for IKEv2.


only for IKEv2.


only for IKEv2.

sm4-cbc: Specifies SM4 algorithm in CBC mode, which uses a 128-bit key.

Modified command: pfs

Old syntax

In non-FIPS mode:

pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group24 }

undo pfs

In FIPS mode:

213

pfs dh-group14

undo pfs

New syntax

In non-FIPS mode:

pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group24 | dh-group19 |

dh-group20 }

undo pfs

In FIPS mode:

pfs { dh-group14 | dh-group19 | dh-group20 }

undo pfs

Views


Change description




New command: tfc enable

Use tfc enable to enable the Traffic Flow Confidentiality (TFC) padding feature.

Use undo tfc enable to disable TFC padding.

Syntax

tfc enable

undo tfc enable

Default

TFC padding is disabled.

Views

IPsec policy view

IPsec policy template view


network-admin

Usage guidelines

The TFC padding feature can hide the length of the original packet and might affect the packet

encapsulation and de-encapsulation performance. This feature takes effect on UDP packets

214

encapsulated by ESP in transport mode and on original IP packets encapsulated by ESP in tunnel

mode.

Examples

# Enable TFC padding for the IPsec policy policy1.



[Sysname-ipsec-policy-isakmp-policy1-10] tfc enable

Related commands



Modified command: public-key local create

Old syntax

public-key local create { dsa | ecdsa | rsa } [ name key-name ]

New syntax

public-key local create { dsa | ecdsa [ secp192r1 | secp256r1 | secp384r1 ] | rsa } [ name

key-name ]

Views

System view

Change description


secp192r1: Uses the secp192r1 curve to create a 192-bit ECDSA key pair. The secp192r1

curve is used by default.

secp256r1: Uses the secp256r1 curve to create a 256-bit ECDSA key pair.

secp384r1: Uses the secp384r1 curve to create a 384-bit ECDSA key pair.

Modified command: public-key ecdsa

Old syntax

public-key ecdsa name key-name

New syntax

public-key ecdsa name key-name [ secp192r1 | secp256r1 | secp384r1 ]

Views

PKI domain view

Change description


215




Release 0304P12


New feature: Including vendor information in PPP accounting requests

New feature: BFD for an aggregation group

Modified feature: SSH username

Modified feature: IS-IS hello packet sending interval

Modified feature: MP-group interface numbering

New feature: Including vendor information

in PPP accounting requests

Configuring Including vendor information in PPP

accounting requests

This feature enables vendor information to be included in PPP accounting requests.

Command reference

pppoe-server account-vendor

Use pppoe-server account-vendor to include vendor information in PPP accounting requests.

Use undo pppoe-server account-vendor to exclude vendor information from PPP accounting

requests.

Syntax

pppoe-server account-vendor { adsl-forum | cn-telecom }

undo pppoe-server account-vendor { adsl-forum | cn-telecom }

Default

Vendor information is not included in PPP accounting requests.

216

Views

Ethernet interface view

Ethernet subinterface view


network-admin

Parameters

adsl-forum: Specifies the ADSL forum vendor information.

cn-telecom: Specifies the China Telecom vendor information.

Examples

# Include China Telecom vendor information in the PPP accounting requests.


[Sysname] interface gigabitethernet 2/0/1

[Sysname–GigabitEthernet2/0/1] pppoe-server account-vendor cn-telecom

New feature: BFD for an aggregation

group

Configuring BFD for an aggregation group

BFD for Ethernet link aggregation can monitor member link status in an aggregation group. After you

enable BFD on an aggregate interface, each Selected port in the aggregation group establishes a

BFD session with its peer port. BFD operates differently depending on the aggregation modes.

BFD for static aggregation—When BFD detects a link failure, BFD notifies the Ethernet link

aggregation module that the peer port is unreachable. The local port is placed in Unselected

state. The BFD session between the local and peer ports remains, and the local port keeps

sending BFD packets. When the link is recovered, the local port receives BFD packets from the

peer port, and BFD notifies the Ethernet link aggregation module that the peer port is reachable.

The local port is placed in Selected state again. This mechanism ensures that the local and

peer ports of a static aggregate link have the same aggregation state.

BFD for dynamic aggregation—When BFD detects a link failure, BFD notifies the Ethernet

link aggregation module that the peer port is unreachable. BFD clears the session and stops

sending BFD packets. When the link is recovered and the local port is placed in Selected state

again, the local port establishes a new session with the peer port. BFD notifies the Ethernet link

aggregation module that the peer port is reachable. Because BFD provides fast failure

detection, the local and peer systems of a dynamic aggregate link can negotiate the

aggregation state of their member ports faster.

For more information about BFD, see High Availability Configuration Guide.

217

Configuration restrictions and guidelines

When you enable BFD for an aggregation group, follow these restrictions and guidelines:

Make sure the source and destination IP addresses are consistent at two ends of an aggregate

link. For example, if you execute link-aggregation bfd ipv4 source 1.1.1.1 destination

2.2.2.2 on the local end, execute link-aggregation bfd ipv4 source 2.2.2.2 destination

1.1.1.1 on the peer end. The source and destination IP addresses cannot be the same.

The BFD parameters configured on an aggregate interface take effect on all BFD sessions in

the aggregation group. BFD sessions for link aggregation do not support the echo packet mode

and the Demand mode.

HPE recommends not configuring other protocols to collaborate with BFD on a BFD-enabled

aggregate interface.

Make sure the number of member ports in a BFD-enabled aggregation group is not larger than

the number of BFD sessions supported by the device. Otherwise, this command might cause

some Selected ports in the aggregation group to change to the Unselected state.

Configuration procedure

To enable BFD for an aggregation group:


Enter system view. system-view N/A

Enter Layer 3 aggregate interface view.


N/A

Enable BFD for the aggregation group.

link-aggregation bfd ipv4 source ip-address destination ip-address

By default, BFD is disabled for an aggregation group.

Command reference

link-aggregation bfd ipv4

Use link-aggregation bfd ipv4 to enable BFD for an aggregation group.

Use undo link-aggregation bfd to disable BFD for an aggregation group.

Syntax

link-aggregation bfd ipv4 source ip-address destination ip-address

undo link-aggregation bfd

Default

BFD is disabled for an aggregation group.

218

Views

Layer 3 aggregate interface view


network-admin

Parameters

source ip-address: Specifies the unicast source IP address of BFD sessions. The source IP address

cannot be 0.0.0.0.

destination ip-address: Specifies the unicast destination IP address of BFD sessions. The

destination IP address cannot be 0.0.0.0.

Usage guidelines

Make sure the source and destination IP addresses are consistent at two ends of an aggregate link.

For example, if you execute link-aggregation bfd ipv4 source 1.1.1.1 destination 2.2.2.2 on the

local end, execute link-aggregation bfd ipv4 source 2.2.2.2 destination 1.1.1.1 on the peer end.

The source and destination IP addresses cannot be the same.

The BFD parameters configured on an aggregate interface take effect on all BFD sessions in the

aggregation group. BFD sessions for link aggregation do not support the echo packet mode and the

Demand mode.

HPE recommends not configuring other protocols to collaborate with BFD on a BFD-enabled

aggregate interface.

Make sure the number of member ports in a BFD-enabled aggregation group is not larger than the

number of BFD sessions supported by the device. Otherwise, this command might cause some

Selected ports in the aggregation group to change to the Unselected state.

Examples

# Enable BFD for Layer 3 aggregation group 1, and specify the source and destination IP addresses

as 1.1.1.1 and 2.2.2.2 for BFD sessions.


[Sysname] interface route-aggregation 1

[Sysname-Route-Aggregation1] link-aggregation bfd ipv4 source 1.1.1.1 destination 2.2.2.2

Modified feature: SSH username


In this release, an SSH username cannot be a, al, all, or include the following characters:

\ | / : * ? < >

The at sign (@) can only be used in the username format pureusername@domain when the

username contains an ISP domain name.

219

Command changes

Modified command: ssh user

Syntax

In non-FIPS mode:

ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type { password

| { any | password-publickey | publickey } assign { pki-domain domain-name | publickey

keyname } }


In FIPS mode:

ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type { password

| password-publickey assign { pki-domain domain-name | publickey keyname } }


Views

System view

Change description

Before modification: The username argument is a case-insensitive string of 1 to 80 characters. If the

username contains an ISP domain name, use the format pureusername@domain.

After modification: The username argument is a case-insensitive string of 1 to 80 characters,

excluding a, al, all, and the following characters:

\ | / : * ? < >

The at sign (@) can only be used in the username format pureusername@domain when the

username contains an ISP domain name.

Modified feature: IS-IS hello packet

sending interval


The value range of the interval for sending hello packets was changed to 1 to 255 seconds.

220

Command changes

Modified command: isis timer hello

Syntax

isis timer hello seconds [ level-1 | level-2 ]

undo isis timer hello [ level-1 | level-2 ]

Views

Interface view

Change description

The value range for the seconds argument was changed to 1 to 255 seconds.

Modified feature: MP-group interface

numbering


In this release, the numbering for MP-group interfaces is changed.

Command changes

Modified command: interface mp-group

Syntax

interface mp-group mp-number

Views

System view

Change description

MP-group interfaces on MSR4000 routers are numbered in the 2/0/x format.

Modified command: display interface mp-group

Syntax

display interface [ mp-group [ interface-number ] ] [ brief [ description | down ] ]

221

Views

Any view

Change description


Modified command: ppp mp mp-group

Syntax

ppp mp mp-group mp-number

Views

Interface view

Change description


Modified command: reset counters interface mp-group

Syntax

reset counters interface [ mp-group [ interface-number ] ]

Views

Interface view

Change description


Release 0304P04


New feature: Media Stream Control (MSC) logging

Modified feature: ESP encryption algorithms

New feature: Media Stream Control (MSC)

logging

This feature enables the router to generate MSC logs and send the logs to the information center.

222

Command reference

sip log enable

Use sip log enable to enable Media Stream Control (MSC) logging.

Use undo sip log enable to disable MSC logging.

Syntax

sip log enable

undo sip log enable

Default

MSC logging is disabled.

Views

Voice view


network-admin

Usage guidelines

This command enables the router to generate MSC logs and send the logs to the information center.

The information center outputs the logs to a destination according to an output rule. For more

information about the information center, see Network Management and Monitoring Configuration

Guide.

MSC logging is used for auditing purposes.

Examples

# Enable MSC logging.



[Sysname-voice] sip log enable

Modified feature: ESP encryption

algorithms


Support for the CBC-mode SM4 algorithm was added for high encryption in non-FIPS mode.

223

Command changes


Old Syntax



| sm1-cbc-128 | sm1-cbc-192 | sm1-cbc-256 } *

New Syntax



| sm1-cbc-128 | sm1-cbc-192 | sm1-cbc-256 | sm4-cbc } *

Views


Change description

The sm4-cbc keyword was added to support the CBC-mode SM4 algorithm, which uses a 128-bit

key.

Release 0304P02


New feature: IMSI/SN binding authentication

New feature: Specifying a band for a 4G modem

New feature: CFD

New feature: Using tunnel interfaces as OpenFlow ports.

New feature: NETCONF support for ACL filtering

New feature: Specifying a backup traffic processing unit

New feature: WAAS

New feature: Support for the MKI field in SRTP or SRTCP packets

New feature: SIP domain name

New feature: E&M logging

Modified feature: Setting the global link-aggregation load-sharing mode

224

New feature: IMSI/SN binding

authentication

This feature enables the device to include the IMSI/SN information in the LCP authentication

information.

Command reference

ppp lcp imsi accept

Use ppp lcp imsi accept to enable the client to accept the IMSI binding authentication requests

from the LNS.

Use undo ppp lcp imsi accept to restore the default.

Syntax

ppp lcp imsi accept

undo ppp lcp imsi accept

Default

The client declines the IMSI binding authentication requests from the LNS.

Views

Interface view


network-admin

Examples

# Enable the client to accept the IMSI binding authentication requests from the LNS.



[Sysname-Virtual-Template1] ppp lcp imsi accept

Related commands

ppp lcp imsi request

ppp lcp imsi string


Use ppp lcp imsi request to enable the LNS to initiate IMSI binding authentication requests.

Use undo ppp lcp imsi request to restore the default.

225

Syntax


undo ppp lcp imsi request

Default

The LNS does not initiate IMSI binding authentication requests.

Views

Interface view


network-admin

Examples

# Enable the LNS to initiate IMSI binding authentication requests.



[Sysname-Virtual-Template1] ppp lcp imsi request

Related commands

ppp lcp imsi accept

ppp lcp imsi string

ppp lcp imsi string

Use ppp lcp imsi string imsi-info to configure the IMSI information on the client.

Use undo ppp lcp imsi string to delete the IMSI information on the client.

Syntax

ppp lcp imsi string imsi-info

undo ppp lcp imsi string

Default

The client automatically obtains the IMSI information from its SIM card.

Views

Interface view


network-admin

Parameters

string imsi-info: Specifies the IMSI information, a case-sensitive string of 1 to 31 characters.

Examples

# Configure the IMSI information as imsi1.


226


[Sysname-Virtual-Template1] ppp lcp imsi string imsi1

Related commands


ppp lcp imsi accept

ppp lcp sn accept

Use ppp lcp sn accept to enable the client to accept the SN binding authentication requests from

the LNS.

Use undo ppp lcp sn accept to restore the default.

Syntax

ppp lcp sn accept

undo ppp lcp sn accept

Default

The client declines the SN binding authentication requests from the LNS.

Views

Interface view


network-admin

Examples

# Enable the client to accept the SN binding authentication requests from the LNS.



[Sysname-Virtual-Template1] ppp lcp sn accept

Related commands

ppp lcp sn request

ppp lcp sn string

ppp lcp sn request

Use ppp lcp sn request to enable the LNS to initiate SN binding authentication requests.

Use undo ppp lcp sn request to restore the default.

Syntax

ppp lcp sn request

undo ppp lcp sn request

227

Default

The LNS does not initiate SN binding authentication requests.

Views

Interface view


network-admin

Examples

# Enable the LNS to initiate SN binding authentication requests.



[Sysname-Virtual-Template1] ppp lcp imsi request

Related commands

ppp lcp sn accept

ppp lcp sn string

ppp lcp sn string

Use ppp lcp sn string sn-info to configure the SN information on the client.

Use undo ppp lcp sn string to delete the SN information on the client.

Syntax

ppp lcp sn string sn-info

undo ppp lcp sn string

Default

The client automatically obtains the SN information from its SIM card.

Views

Interface view


network-admin

Parameters

string sn-info: Specifies the SN information, a case-sensitive string of 1 to 31 characters.

Examples

# Configure the SN information as sn1.



[Sysname-Virtual-Template1] ppp lcp sn string sn1

228

Related commands

ppp lcp sn request

ppp lcp sn accept

ppp user accept-format imsi-sn split

Use ppp user accept-format imsi-sn split splitchart to configure the separator for the received

authentication information.

Use undo ppp user accept-format to restore the default.

Syntax

ppp user accept-format imsi-sn split splitchart

undo ppp user accept-format

Default

No separator is configured for the received authentication information.

Views

Interface view


network-admin

Parameters

splitchart: Specifies the separator. The separator contains one character, and it can be a letter, a digit,

or any sign other than the at sign (@), slash (/), and backslash (\).

Usage guidelines

By default, the authentication information contains only the client username. If you include the IMSI

or SN information in the authentication information, you need to configure the separator to separate

different types of information.

If no IMSI/SN information is received from the peer during the authentication process, the IMSI/SN

information split from the received authentication information is used.

Examples

# Configure the pound sign (#) as the separator for the authentication information.



[Sysname-Virtual-Template1] ppp user accept-format imsi-sn split #

Related commands

ppp lcp sn request


ppp lcp sn accept

ppp lcp imsi accept

229

ppp user attach-format imsi-sn split

Use ppp user attach-format imsi-sn split splitchart to configure the separator for the sent

authentication information.

Use undo ppp user attach-format to restore the default.

Syntax

ppp user attach-format imsi-sn split splitchart

undo ppp user attach-format

Default

No separator is configured for the sent authentication information.

Views

Interface view


network-admin

Parameters

splitchart: Specifies the separator. The separator contains one character, and it can be a letter, a digit,

or any sign other than the at sign (@), slash (/), and backslash (\).

Usage guidelines

By default, the authentication information contains only the client username. If you include the IMSI

or SN information in the authentication information, you need to configure the separator to separate

different types of information.

Examples

# Configure the pound sign (#) as the separator for the sent authentication information.



[Sysname-Virtual-Template1] ppp user attach-format imsi-sn split #

Related commands

ppp lcp sn request


ppp lcp sn accept

ppp lcp imsi accept

ppp user replace

Use ppp user replace to replace the client username with the IMSI or SN information for

authentication.

230

Use undo ppp user replace to restore the default.

Syntax

ppp user replace { imsi | sn }

undo ppp user replace

Default

The client username is used for authentication.

Views

Interface view


network-admin

Examples

# Replace the client username with the IMSI information for authentication.



[Sysname-Virtual-Template1] ppp user replace imsi

Related commands

ppp user accept-format imsi-sn split

ppp user attach-format imsi-sn split

New feature: Specifying a band for a 4G

modem

You can specify a band for a 4G modem.

Command reference

lte band

Use ite band to specify a band for a 4G modem.

Use undo lte band to restore the default.

Syntax

lte band band-number

undo lte band

Default

The default setting varies by 4G modem model.

231

Views

Cellular interface view


network-admin

Parameters

band-number: Specifies a band for a 4G modem. The available bands vary by modem model.

Usage guidelines

This command is supported only on the following 4G modems:

Sierra MC7354 and MC7304.

Long Sung U8300C, U8300W, and U8300.

WNC DM11-2.

Examples

# Specify band 3 for Cellular 1/0.


[Sysname] controller cellular 1/0

[Sysname-Controller-Cellular1/0]lte band 3

New feature: CFD

The router supports the CFD feature.

New feature: Using tunnel interfaces as

OpenFlow ports

The MSR1000 routers support using tunnel interfaces as OpenFlow ports.

New feature: NETCONF support for ACL

filtering

The feature enables the device to use an ACL to filter NETCONF over SOAP traffic.

232

Command reference

netconf soap http acl

Use netconf soap http acl to apply an ACL to NETCONF over SOAP over HTTP traffic.

Use undo netconf soap http acl to remove the application.

Syntax

netconf soap http acl { acl-number | name acl-name }

undo netconf soap http acl

Default

No ACL is applied to NETCONF over SOAP over HTTP traffic.

Views

System view


network-admin

Parameters

acl-number: Specifies an ACL by its number in the range of 2000 to 2999.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string

of 1 to 63 characters. It must start with an English letter and to avoid confusion, it cannot be all. The

specified ACL must be an IPv4 basic ACL that has already been created.

Usage guidelines

This command is not available in FIPS mode.


Only NETCONF clients permitted by the applied ACL can access the device through SOAP over

HTTP.

Examples

# Use ACL 2001 to allow only NETCONF clients in the subnet 10.10.0.0/16 to access the device

through SOAP over HTTP.


[Sysname] acl basic 2001

[Sysname-acl-ipv4-basic-2001] rule permit source 10.10.0.0 0.0.255.255

[Sysname-acl-ipv4-basic-2001] quit

[Sysname] netconf soap http acl 2001

233

netconf soap https acl

Use netconf soap https acl to apply an ACL to NETCONF over SOAP over HTTPS traffic.

Use undo netconf soap https acl to remove the application.

Syntax

netconf soap https acl { acl-number | name acl-name }

undo netconf soap https acl

Default

No ACL is applied to NETCONF over SOAP over HTTPS traffic.

Views

System view


network-admin

Parameters

acl-number: Specifies an ACL by its number in the range of 2000 to 2999.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string

of 1 to 63 characters. It must start with an English letter and to avoid confusion, it cannot be all. The

specified ACL must be an IPv4 basic ACL that has already been created.

Usage guidelines


Only NETCONF clients permitted by the applied ACL can access the device through SOAP over

HTTPS.

Examples

# Use ACL 2001 to allow only NETCONF clients in the subnet 10.10.0.0/16 to access the device

through SOAP over HTTPS.


[Sysname] acl basic 2001

[Sysname-acl-ipv4-basic-2001] rule permit source 10.10.0.0 0.0.255.255

[Sysname-acl-ipv4-basic-2001] quit

[Sysname] netconf soap https acl 2001

234

New feature: Specifying a backup traffic

processing unit

Specifying a backup traffic processing unit

This release added support for specifying a backup traffic unit for an interface.

Command reference

service standby

For more information about this command, see HPE FlexNetwork MSR Command References(V7).

New feature: WAAS

Configuring WAAS

This release added support for the Wide Area Application Services (WAAS) feature in the DATA

image on the following router series:

MSR1000.

MSR3000.

MSR4000.

Command reference

For more information about WAAS commands, see HPE FlexNetwork MSR Routers Layer 3 - IP

Services Command Reference(V7).

New feature: Support for the MKI field in

SRTP or SRTCP packets

This feature enables the router to add the MKI field to outgoing SRTP or SRTCP packets. You can

set the length of the MKI field.

235

Command reference

mki

Use mki to add the MKI field to outgoing SRTP or SRTCP packets and set the length of the MKI field.

Use undo mki to restore the default.

Syntax

mki mki-length

undo mki

Default

Outgoing SRTP or SRTCP packets do not carry the MKI field.

Views

SIP view


network-admin

Parameters

mki-length: Specifies the length of the MKI field, in the range of 1 to 128 bits.

Usage guidelines

This command takes effect only when SRTP is the media stream protocol for SIP calls. To specify

SRTP as the medial stream protocol for SIP calls, use the srtp command.

Examples

# Add the MKI field to outgoing SRTP or SRTCP packets and set the length of the MKI field to 1 bit.



[Sysname-voice] sip

[Sysname-voice-sip] mki 1

New feature: SIP domain name

This feature enables the router to populate the CONTACT header field of outgoing SIP packets with

the router's SIP domain name.

236

Command reference

sip-domain

Use sip-domain to populate the CONTACT header field of outgoing SIP packets with the router's

SIP domain name.

Use undo sip-domain to restore the default.

Syntax

sip-domain domain-name

undo sip-domain

Default

The router populates the CONTACT header field of an outgoing SIP packet with the IP address of the

outgoing interface.

Views

SIP view


network-admin

Parameters

domain-name: Specifies the SIP domain name, a case-insensitive string of 1 to 31 characters. Valid

characters are letters, digits, underscore (_), hyphen (-), and dot (.).

Examples

# Populate the CONTACT header field of outgoing SIP packets with the SIP domain name abc.com.



[Sysname-voice] sip

[Sysname-voice-sip] sip-domain abc.com

New feature: E&M logging

This feature enables the router to generate E&M logs.

Command reference

em log enable

Use em log enable to enable E&M logging.

237

Use undo em log enable to disable E&M logging.

Syntax

em log enable

undo em log enable

Default

E&M logging is disabled.

Views

Voice view


network-admin

Usage guidelines

This command enables the router to generate E&M logs.

Examples

# Enable E&M logging.



[Sysname-voice] em log enable

Modified feature: Setting the global

link-aggregation load-sharing mode


The bandwidth-usage keyword was added to the link-aggregation global load-sharing mode

command. You can set the global load-sharing mode to load share traffic based on bandwidth usage.

Command changes

Modified command: link-aggregation global load-sharing

mode

Old syntax

link-aggregation global load-sharing mode { destination-ip | destination-mac |

destination-port | mpls-label1 | source-ip | source-mac | source-port } *

undo link-aggregation global load-sharing mode

238

New syntax

link-aggregation global load-sharing mode { bandwidth-usage | destination-ip |

destination-mac | destination-port | mpls-label1 | source-ip | source-mac | source-port } *

undo link-aggregation global load-sharing mode

Views

System view

Change description

The bandwidth-usage keyword was added. You can specify this keyword to set the global load

sharing mode to load share traffic based on bandwidth usage.

Release 0304


New feature: Setting the RTC version

New feature: Setting the maximum size of advertisement files

New feature: IRF

New feature: Frame Relay

New feature: EVI

New feature: VPLS

New feature: Multicast VPN support for inter-AS option B

Modified feature: 802.1X redirect URL

Modified feature: Displaying information about NTP servers from the reference source to the primary

NTP server

Modified feature: Saving, rolling back, and loading the configuration

Modified feature: Displaying information about SSH users

Removed feature: Displaying fabric utilization

New feature: Setting the RTC version

Configuring Setting the RTC version

The RTC protocol has the following versions: Version 3 and Version 5. Comware V3-based routers

support only Version 3. Comware V5- or Comware V7-based routers support both Version 3 and

Version 5.

239

To set the RTC version:



129. Configure the RTC version. rta rtc version { v3 | v5 } By default, the router uses Version 5.

Command reference

rta rtc version

Use rta rtc version to set the RTC version.

Use undo rta rtc version to o restore the default.

Syntax

rta rtc version { v3 | v5 }

undo rta rtc version

Default

The router uses RTC Version 5.

Views

System view


network-admin

Parameters

V3: Sets the RTC version to Version 3.

V5: Sets the RTC version to Version 5.

Usage guidelines

Comware V5/V7-based routers support both RTC Version 3 and Version 5. Comware V3-based

routers support only RTC Version 3.

For a Comware V5/V7-based router to communicate with a Comware V3-based, set the RTC version

to Version 3 on the Comware V5/V7-based router.

For Comware V5/V7-based routers to communicate each other, set the RTC version on the routers

to the same version.

Examples

# Set the RTC version to Version 3.


[Sysname] rta rtc version v3

240

New feature: Setting the maximum size of

advertisement files

Configuring the maximum size of advertisement

files

You can set the maximum size of advertisement files sent to wireless clients to 10 MB when the

clients access the wireless network.

Command reference

None

New feature: IRF

Configuring IRF

See HP MSR Router Series Virtual Technologies Configuration Guide (V7).

Command reference

See HPE FlexNetwork MSR Router Virtual Technologies Command Reference(V7).

New feature: Frame Relay

Configuring Frame Relay

See HPE FlexNetwork MSR Routers Layer 2 - WAN Configuration Guide(V7).

Command reference

See HPE FlexNetwork MSR Routers Layer 2 - WAN Command Reference(V7).

241

New feature: EVI

Configuring EVI

See HPE FlexNetwork MSR Router EVI Configuration Guide (V7).

Command reference

See HPE FlexNetwork MSR Router EVI Command Reference(V7).

New feature: VPLS

Configuring VPLS

See HPE FlexNetwork MSR Routers MPLS Configuration Guide(V7).

Command reference

See HPE FlexNetwork MSR Routers MPLS Command Reference(V7).

New feature: Multicast VPN support for

inter-AS option B

Configuring Multicast VPN support for inter-AS

option B

See HPE FlexNetwork MSR Routers IP Multicast Configuration Guide(V7).

Command reference

See HPE FlexNetwork MSR Routers IP Multicast Command Reference(V7).

242

Modified feature: 802.1X redirect URL


The value range for the url-string argument was changed to 1 to 256 characters for the dot1x

ead-assistant url command.

Command changes

Modified command: dot1x ead-assistant url

Syntax

dot1x ead-assistant url url-string

Views

System view

Change description

Before modification: The value range for the url-string argument is 1 to 64 characters.

After modification: The value range for the url-string argument is 1 to 256 characters.

Modified feature: Displaying information

about NTP servers from the reference

source to the primary NTP server


The source interface-type interface-number option was added to the display ntp-service trace

command.

Command changes

Modified command: display ntp-service trace

Old syntax

dot1x ead-assistant url url-string

243

New syntax

display ntp-service trace [ source interface-type interface-number ]

Views

Any view

Change description

The source interface-type interface-number option was added to the display ntp-service trace

command.

Modified feature: Saving, rolling back, and

loading the configuration


The following configuration guidelines were added when you use NETCONF to save, roll back, or

load the configuration:

The save, rollback, and load operations supplement NETCONF requests. Performing the

operations might consume a lot of system resources.

Multiple users are allowed to simultaneously perform the save, rollback, or load operation, but

the result returned to each user might be inconsistent with the user request. Do not perform the

save, rollback, or load operation when a lot of users are performing the operation.

Command changes

None

Modified feature: Displaying information

about SSH users


In this release, the display ssh user-information command does not display the public key name

for an SSH user that uses password authentication.

244

Command changes

Modified command: display ssh user-information

Syntax

display ssh user-information [ username ]

Views

Any view

Change description

Before modification: The User-public-key-name field in the command output displays null for an

SSH user that uses password authentication.

After modification: The User-public-key-name field in the command output is blank for an SSH user

that uses password authentication.

Removed feature: Displaying fabric

utilization


The device does not support displaying switching fabric channel usage on interface cards.

Removed command

display fabric utilization

Syntax

In standalone mode:

display fabric utilization [ slot slot-number ]

In IRF mode:

display fabric utilization [ chassis chassis-number slot slot-number ]

Views

Any view

ESS 0302P06

245


New feature: Object policies

New feature: IPHC

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command

References(V7).

New feature: Support of PPPoE server for IPv6


References(V7).

New feature: QSIG tunneling over SIP-T


References(V7).

New feature: Playout delay


References(V7).

New feature: BGP L2VPN support for NSR


References(V7).

New feature: BGP support for dynamic peers


References(V7).

New feature: ARP PnP


References(V7).

New feature: Support of Syslog for DNS and support of customlog&userlog for IPv6 hosts


References(V7).

New feature: QoS soft forwarding


References(V7).

New feature: Filtering by application layer protocol status


References(V7).

New feature: ADVPN support for multicast forwarding


References(V7).

246

New feature: MPLS LDP support for IPv6


References(V7).

New feature: Port security


References(V7).

New feature: Customizable IVR


References(V7).

New feature: SRST


References(V7).

New feature: NEMO


References(V7).

New feature: Support of MFR and FR for L2VPN, FR QoS, and FR compression and fragmentation


References(V7).

New feature: Support for LLDP on CPOS interfaces


References(V7).

New feature: SMS-based automatic configuration


References(V7).

New feature: ARP attack protection

New feature: SIP support for VRF

New feature: Object policies

Configuring Object policies

A zone pair has a source security zone and a destination security zone. ASPF uses zone pairs to

identify the data flows to be examined. ASPF examines only received first data packets.

247

Command reference


References(V7).

New feature: IPHC

Configuring IPHC

The device supports PPP IPHC and frame relay IPHC.

Command reference


References(V7).

New feature: Support of PPPoE server for

IPv6

Configuring Support of PPPoE server for IPv6

On IPv6 networks, PPP negotiates only the IPv6 interface identifier instead of the IPv6 address and

IPv6 DNS server address during IPv6CP negotiation.

Command reference


References(V7).

New feature: QSIG tunneling over SIP-T

Configuring QSIG tunneling over SIP-T

QSIG tunneling over SIP-T tunnels QSIG messages across a SIP network by encapsulating them in

SIP message bodies. This feature enables ISDN networks to communicate over a SIP network.

248

Command reference


References(V7).

New feature: Playout delay

Configuring Playout delay

By buffering incoming voice packets with different delay times for a period of time (playout delay

time), the receiver can smoothly play out the voice packets to the codec. By configuring playout delay,

you can prevent delay variation (jitter) from affecting voice quality.

Command reference


References(V7).

New feature: BGP L2VPN support for NSR

Configuring BGP L2VPN support for NSR

The active BGP process backs up BGP peers and routing information to the standby BGP process

only when BGP NSR is enabled.

Command reference


References(V7).

249

New feature: BGP support for dynamic

peers

Configuring BGP support for dynamic peers

The dynamic BGP peer feature enables BGP to establish dynamic BGP peer relationships with

devices in a network. BGP accepts connection requests from the network. After a device in the

network initiates a connection request, BGP establishes a dynamic peer relationship with the device.

Command reference


References(V7).

New feature: ARP PnP

Configuring ARP PnP

The ARP plug and play (PnP) feature allows end users to access the gateway without changing their

IP addresses on subnets different from the subnet where the gateway resides.

Command reference


References(V7).

250

New feature: Support of Syslog for DNS

and support of customlog&userlog for

IPv6 hosts

Configuring Support of Syslog for DNS and

support of customlog&userlog for IPv6 hosts

The two flow log export destinations (information center and log host) are mutually exclusive. Only

one export destination can be used at a time. If you configure both export destinations, the flow logs

are exported to the information center and are not exported to the log host.

Command reference


References(V7).

New feature: QoS soft forwarding

Configuring QoS soft forwarding

Configuring PQ: You can define a set of assignment rules in a PQ list and then apply the PQ list

to an interface or PVC.

Configuring CQ: You can configure a CQ list that contains up to 16 queues. The CQ list

specifies the following information:

The queue where a packet is placed in.

The maximum length of each queue.

The number of bytes sent from the queue during a cycle of round robin scheduling.

Configuring RTPQ.

Configuring packet information pre-extraction: To process the original IP packets with QoS on

the physical interface for a tunnel interface, configure packet information pre-extraction on the

tunnel interface.

251

Command reference


References(V7).

New feature: Filtering by application layer

protocol status

Configuring Filtering by application layer protocol

status

ASPF inspection supports protocol status validity check for application protocols of DNS, FTP, H323,

HTTP, SCCP, SIP, and SMTP. ASPF drops packets with invalid protocol status.

Command reference


References(V7).

New feature: ADVPN support for multicast

forwarding

Configuring ADVPN support for multicast

forwarding

After NBMA mode is enabled on an ADVPN tunnel interface, the interface forwards multicast data

only to spokes that need the data.

Command reference


References(V7).

252

New feature: MPLS LDP support for IPv6

Configuring MPLS LDP support for IPv6

LDP can operate on a pure IPv4 or IPv6 network or a network where IPv4 and IPv6 coexist. LDP

operates similarly on IPv4 and IPv6 networks.

Command reference


References(V7).

New feature: Port security

Configuring Port security

MAC move—This feature allows 802.1X or MAC authenticated users to move from a port to

another port on the device. The authentication session is deleted from the first port, and the

users are reauthenticated on the new port.

SNMP notifications for port security—This feature allows the port security module to

generate SNMP notifications to report important events.

MAC authentication delay—When both 802.1X authentication and MAC authentication are

enabled on a port, you can delay MAC authentication so that 802.1X authentication is

preferentially triggered. If no 802.1X authentication is triggered or 802.1X authentication fails

within the delay period, the port continues to process MAC authentication.

VLAN assignment—Both the 802.1X and MAC authentication features support VLAN

assignment for users.

ACL assignment—Both the 802.1X and MAC authentication features support ACL assignment

for users. You can specify an authorization ACL for a user to control the user's access to

network resources. After the user passes authentication, the authentication server (local or

remote) assigns the authorization ACL to the access port of the user. The ACL will filter traffic for

this user.

802.1X EAD assistant—This feature allows unauthenticated 802.1X users to access the free

IP. The feature also enables the device to redirect a user who is seeking to access the network

to a specific URL on the free IP. For example, you can use this feature to redirect the user to the

EAD client software download page.

253

802.1X SmartOn—This feature was developed to support the NEC 802.1X client. The device

performs SmartOn authentication before 802.1X authentication. If a user fails SmartOn

authentication, the device stops 802.1X authentication for the user.

Command reference


References(V7).

New feature: Customizable IVR

Configuring Customizable IVR

Interactive voice response (IVR) is extensively used in voice communications. The IVR system

enables you to customize interactive operations and humanize other services. If a subscriber dials

an IVR access number, the IVR system plays the prerecorded voice prompts to direct the subscriber

about how to proceed.

Command reference


References(V7).

New feature: SRST

Configuring SRST

SRST provides call handling for a branch office when the branch office loses connectivity to the

central voice server or the WAN connection is down. An SRST router in the branch office takes over

to manage calls to ensure that local phones can make and receive calls. When the WAN connection

is restored, call handling reverts back to the central voice server.

Command reference


References(V7).

254

New feature: NEMO

Configuring NEMO

As an extension of MIP, network mobility (NEMO) enables a node to retain the same IP address and

maintain application connectivity when the node travels across networks. It allows

location-independent routing of IP datagrams on the Internet. A mobile router is a router that

operates as a mobile node connecting the mobile network and the home agent.

Command reference


References(V7).

New feature: Support of MFR and FR for

L2VPN, FR QoS, and FR compression and

fragmentation

Configuring Support of MFR and FR for L2VPN,

FR QoS, and FR compression and fragmentation

Frame Relay supports MPLS L2VPN and can then communicate with other networks through MPLS

L2VPN. As a result, Layer 2 data can be transparently transmitted between Frame Relay networks

through an MPLS or IP network.

When FRTS is disabled, only FR interface queues are in effect. The predefined FR PVC queues take

effect only when FRTS is enabled.

The Frame Relay compression feature can compress Frame Relay packets to save bandwidth,

reduce the network load, and improve the transmission efficiency for data in the Frame Relay

network. The Frame Relay fragmentation feature can divide a large Frame Relay packet into several

small packets, so that large packets can be transmitted over a low-speed link with a low delay.

Command reference


References(V7).

255

New feature: Support for LLDP on CPOS

interfaces

Configuring Support for LLDP on CPOS interfaces

LLDP is supported on CPOS interfaces.

Command reference


References(V7).

New feature: SMS-based automatic

configuration

Configuring SMS-based automatic configuration

Support for SMS-based automatic configuration. With SMS-based automatic configuration, the

device can connect to an IMC server over a 3G or 4G network to obtain a configuration file.

To initiate SMS-based automatic configuration process, the administrator can use a cell phone or the

IMC server to send a short message to the device. The IMC server sends short messages to devices

through an SMS gateway. This feature can be used when the devices to be configured are widely

distributed and there are 3G or 4G networks available for wireless communication.

Command reference


References(V7).

New feature: ARP attack protection

Configuring ARP attack protection

None

256

Command reference


References(V7).

New feature: SIP support for VRF

Configuring SIP support for VRF

This feature enables a PE device to provide SIP services for a VPN instance. To enable this feature,

you can associate the VPN instance with SIP on the PE device. The PE device uses the interface

bound to the VPN instance as the source for sending SIP signaling and media streams.

Configuration guidelines

When you enable SIP support for VRF, follow these guidelines:

You cannot associate a VPN instance with SIP or remove the association when a SIP service

such as calling, registration, subscription, or the keepalive function is being used.

The VPN instance to associate with SIP must be already created.

Configuration procedure

To enable SIP support for VRF:


Enter system view. system-view N/A

Create a VPN instance. ip vpn-instance vpn-instance-name

By default, no VPN instance exists.

Enter voice view. voice-setup N/A

Enter SIP view. sip N/A

Associate a VPN instance with SIP.

vpn-instance vpn-instance-name By default, no VPN instance is associated with SIP.

Command reference

vpn-instance

Use vpn-instance to associate a VPN instance with SIP.

257

Use undo vpn-instance to remove the association.

Syntax

vpn-instance vpn-instance-name

undo vpn-instance

Default

No VPN instance is associated with SIP.

Views

SIP view


network-admin

Parameters

vpn-instance-name: Specifies a VPN instance by its name, a case-sensitive string of 1 to 31

characters.

Usage guidelines

The VPN instance to associate with SIP must be already created.

You cannot associate a VPN instance or remove the association when a SIP service is being used.

Examples

# Associate the VPN instance vpn-voice with SIP.



[Sysname-voice] sip

[Sysname-voice-sip] vpn-instance vpn-voice

Related commands

ip binding vpn-instance (MPLS Command Reference)

ip vpn-instance (MPLS Command Reference)

ESS 0102


New feature: Portal authentication

New feature: MSDP

New feature: IPsec MIB and IKE MIB

New feature: PoE

New feature: CoPP software forwarding feature

New feature: Configuring MPLS LDP FRR

New feature: Enhanced routing features

258

New feature: Python

New feature: ATM

New feature: DHCP MIB

New feature: Portal authentication

Portal authentication controls user access to the Internet. Portal authenticates a user by the

username and password the user enters on a portal authentication page. Therefore, portal

authentication is also known as Web authentication. When portal authentication is deployed on a

network, an access device redirects unauthenticated users to the website provided by a portal Web

server. The users can access the resources provided by the website. If the users want to access the

Internet, they must pass authentication on the website.

Portal authentication is classified into the following types:

Active authentication—Users visit the authentication website provided by the portal Web

server and enter their username and password for authentication.

Forced authentication—Users visit other websites and are redirected to the portal

authentication website for authentication.

Portal authentication flexibly imposes access control on the access layer and vital data entries. It has

the following advantages:

Replaces client software with convenient authentication pages.

Provides ISPs with diversified management choices and extended functions. For example, the

ISPs can place advertisements, provide community services, and publish information on the

authentication page.

Supports multiple authentication modes. For example, re-DHCP authentication implements a

flexible address assigning scheme and saves public IP addresses. Cross-subnet authentication

can authenticate users reside in subnets different from the access device.

The device support portal 2.0 and portal 3.0.

Command reference

See HPE FlexNetwork MSR Command References(V7).

New feature: MSDP

Configuring MSDP

MSDP is an inter-domain multicast solution that addresses the interconnection of PIM-SM domains.

It discovers multicast source information in other PIM-SM domains.

259

In the basic PIM-SM mode, a multicast source registers only with the RP in the local PIM-SM domain,

and the multicast source information in each domain is isolated. As a result, both of the following

occur:

The RP obtains the source information only within the local domain.

A multicast distribution tree is built only within the local domain to deliver multicast data locally.

MSDP enables the RPs of different PIM-SM domains to share their multicast source information. The

local RP can then join the SPT rooted at the multicast source across the PIM-SM domains. This

allows multicast data to be transmitted among different domains.

With MSDP peer relationships established between appropriate routers in the network, the RPs of

different PIM-SM domains are interconnected with one another. These MSDP peers exchange

source active (SA) messages, so that the multicast source information is shared among these

domains.

For more information about configuring MSDP, see "MSDP Configuration Guide" in HPE

FlexNetwork MSR Configuration Guides(V7).

Command reference


New feature: IPsec MIB and IKE MIB

IPsec-Monitor-MIB (HH3C-IPSEC-MONITOR-V2-MIB) monitors IPsec tunnels. NMS can use this

MIB to obtain IPsec tunnel information, including algorithms, gateway addresses, and tunnel

statistics. Except the trap function, all nodes of this MIB are read only.

Ike-Monitor-MIB (HH3C-IKE-MONITOR-MIB) monitors IKE tunnels. NMS can use this MIB to obtain

IKE tunnel information.

For more information, see the MIB companion document.

New feature: PoE

Configuring PoE

IEEE 802.3af-compliant power over Ethernet (PoE) enables a power sourcing equipment (PSE) to

supply power to powered devices (PDs) through Ethernet interfaces over twisted pair cables.

Examples of PDs include IP telephones, wireless APs, portable chargers, card readers, Web

cameras, and data collectors. A PD can also use a different power source from the PSE at the same

time for power redundancy.

260

For more information about configuring PoE, see "PoE Configuration Guide" in HPE FlexNetwork

MSR Configuration Guides(V7).

Command reference


New feature: CoPP software forwarding

feature

Configuring CoPP

If the rate of packets sent to the control plane exceeds the processing capabilities of the control

plane (for example, when the device is suffering DoS attacks), the normal packets sent to the control

plane cannot be promptly processed, thus affecting the normal operation of protocols.

To protect the management interface against DoS attacks, which will cause service interruption, you

must perform traffic policing for the management interface.

CoPP allows you to perform traffic policing for the control plane or management interface control

plane. By default, the predefined QoS parameters are configured for packets of each protocol sent to

the control plane. Also, you can apply a user-defined QoS policy to the control plane to filter and

rate-limit the packets sent to the control plane. This makes sure the control plane can correctly

receive, transmit, and process packets.

Command reference

control-plane

Use control-plane to enter control plane view.

Syntax

MSR2000 / MSR3000:

control-plane

MSR4000:

control-plane slot slot-number

Views

System view

261


network-admin

Examples

# (MSR2000 / MSR3000.) Enter control plane view.


[Sysname] control-plane

[Sysname-cp]

# (MSR4000.) Enter control plane view of the card in slot 3.


[Sysname] control-plane slot 3

[Sysname-cp-slot3]

control-plane management

IMPORTANT:

A QoS policy applied to the management interface control plane takes effect on the packets sent from the management interface to the control plane.

Use control-plane management to enter management interface control plane view.

Syntax

control-plane management

Views

System view


network-admin

Examples

# Enter management interface control plane view.


[Sysname] control-plane management

[Sysname-cp-management]

qos apply policy (interface view, control plane view)

IMPORTANT:

A QoS policy applied to the management interface control plane takes effect on the packets sent from the management interface to the control plane.

Use qos apply policy to apply a QoS policy to an interface, a control plane.

Use undo qos apply policy to remove a QoS policy from an interface, a control plane.

262

Syntax

qos apply policy policy-name { inbound | outbound }

undo qos apply policy policy-name { inbound | outbound }

Default

No QoS policy is applied to an interface, a control plane, or a management interface control plane.

Views

Interface view, control plane view


network-admin

Parameters

policy-name: Specifies a QoS policy by its name, a case-sensitive string of 1 to 31 characters.

inbound: Applies the QoS policy to the incoming traffic of an interface, a control plane, or a

management interface control plane.

outbound: Applies the QoS policy to the outgoing traffic of an interface.

Usage guidelines

To successfully apply a QoS policy to an interface, make sure the total bandwidth assigned to AF and

EF queues in the QoS policy is smaller than the available bandwidth of the interface. If you modify

the available bandwidth of the interface to a value smaller the total bandwidth for AF and EF queues,

the applied QoS policy is removed. For a QoS policy to be applied in the inbound direction, the

referenced traffic behaviors cannot be configured with any of the commands queue af, queue ef,

queue wfq, and gts.

When you apply a QoS policy to an interface, follow these guidelines:

You can apply a QoS policy configured with various QoS actions (such as remark, car, gts,

queue af, queue ef, queue wfq, and wred) to common physical interfaces.

An inbound QoS policy cannot contain a GTS action or any of these queuing actions queue ef,

queue af, or queue wfq.

Examples

# Apply the QoS policy named USER1 to the outgoing traffic of GigabitEthernet 0/1.


[Sysname] interface gigabitethernet 0/1

[Sysname-GigabitEthernet0/1] qos apply policy USER1 outbound

263

New feature: Configuring MPLS LDP FRR

Configuring MPLS LDP FRR

A link or router failure on a path can cause packet loss until LDP completes LSP establishment on the

new path. LDP FRR enables fast rerouting to minimize the failover time. LDP FRR bases on IP FRR

and is enabled automatically after IP FRR is enabled.

Figure 1 Network diagram for LDP FRR

In Figure 1, configure IP FRR on LSR A by using IGP to calculate or specify a backup next hop. LDP

creates a primary LSP and a backup LSP according to the primary route and the backup route

calculated by IGP. When the primary LSP operates correctly, it forwards the MPLS packets. When

the primary LSP fails, LDP directs packets to the backup LSP.

When packets are forwarded through the backup LSP, IGP calculates the optimal path based on the

new network topology. When IGP route convergence occurs, LDP establishes a new LSP according

to the optimal path. If a new LSP is not established after IGP route convergence, traffic forwarding

might be interrupted. Therefore, HPE recommends that you enable LDP IGP synchronization to work

with LDP FRR to reduce the traffic interruption time.

Command reference

igp sync delay

Use igp sync delay to configure the delay for LDP to notify IGP of the LDP convergence completion.

Use undo igp sync delay to restore the default.

Syntax

igp sync delay time

undo igp sync delay

LSR A

LSR C

LSR B

Primary LSP

Bac

kup

LSP B

ackup LSP

264

Default

LDP immediately notifies IGP of the LDP convergence completion.

Views

LDP view


network-admin

Parameters

time: Specifies the notification delay in the range of 5 to 300 seconds.

Usage guidelines

LDP convergence on a link is completed when the followings occur:

The local device establishes an LDP session to at least one peer, and the LDP session is

already in Operation state.

The local device has distributed the label mappings to at least one peer.

MPLS traffic forwarding might be interrupted in one of the following scenarios:

When the peer uses the Ordered label distribution control mode, the local device needs to wait

for a label mapping from its downstream LSR after the LDP session goes into Operation state.

If LDP immediately notifies IGP of the LDP convergence completion when the label mapping

from downstream is not received, MPLS traffic forwarding might be interrupted.

When a large number of label mappings are distributed from downstream, if LDP immediately

notifies IGP of the LDP convergence completion, label advertisement might not be finished, and

MPLS traffic forwarding is interrupted.

In these scenarios, you must use this command to configure the notification delay. When LDP

convergence on a link is completed, LDP waits a delay time to notify IGP of the LDP convergence

completion to reduce the traffic interruption time.

Examples

# Configure the notification delay as 30 seconds.


[Sysname] mpls ldp

[Sysname-ldp] igp sync delay 30

Related commands

igp sync delay on-restart

mpls ldp igp sync disable

mpls ldp sync (IS-IS view)

mpls ldp sync (OSPF view/OSPF area view)

265

igp sync delay on-restart

Use igp sync delay on-restart to configure the maximum delay for LDP to notify IGP of the LDP IGP

synchronization status after an LDP restart or an active/standby switchover occurs.

Use undo igp sync delay on-restart to restore the default.

Syntax

igp sync delay on-restart time

undo igp sync delay on-restart

Default

The maximum notification delay is 90 seconds.

Views

LDP view


network-admin

Parameters

time: Specifies the maximum notification delay in the range of 60 to 600 seconds.

Usage guidelines

After LDP restarts or an active/standby switchover occurs, LDP convergence begins after a period of

time. If LDP immediately notifies IGP of all the current LDP IGP synchronization status, and updates

the status after LDP convergence, IGP might frequently process the status, and the cost might

increase.

The notification delay mechanism for an LDP restart or an active/standby switchover provides a

notification delay of LDP process levels. When LDP restarts or an active/standby switchover occurs,

this mechanism enables LDP to wait a period of time till LDP recovers to the status before the restart

or switchover, and then notify IGP of the LDP IGP synchronization status in bulk. If LDP does not

recover to the status before the restart or switchover when the maximum delay set by this command

expires, LDP immediately notifies IGP of the LDP IGP synchronization status in bulk.

Examples

# Configure the maximum notification delay as 300 seconds.


[Sysname] mpls ldp

[Sysname-ldp] igp sync delay on-restart 300

Related commands

igp sync delay




266


Use mpls ldp igp sync disable to disable LDP IGP synchronization on an interface.

Use undo mpls ldp igp sync disable to restore the default.

Syntax


undo mpls ldp igp sync disable

Default

LDP IGP synchronization is enabled on an interface.

Views

Interface view


network-admin

Usage guidelines

After you enable LDP IGP synchronization for IGP, for example, an OSPF area or an IS-IS process,

LDP IGP synchronization is enabled on the OSPF interfaces and IS-IS interfaces. To disable LDP

IGP synchronization on an interface, execute the mpls ldp igp sync disable command on that

interface.

Examples

# Enable LDP IGP synchronization on GigabitEthernet 0/1.

<Sysname> System-view

[Sysname] interface gigabitethernet 0/1

[Sysname-GigabitEthernet0/1] mpls ldp igp sync disable

Related commands



New feature: Enhanced routing features

Configuring enhanced routing features

This release supports RIB NSR, IPv4 static route FRR, direct route redistribution, and RFC4382 MIB

(MPLS-L3VPN-STD-MIB).

267

Command reference

non-stop-routing

Use non-stop-routing to enable RIB NSR to back up routing information.

Use undo non-stop-routing to restore the default.

Syntax

non-stop-routing

undo non-stop-routing

Default

RIB NSR is disabled.

Views

RIB IPv4 address family view, RIB IPv6 address family view


network-admin

Examples

# Enable NSR for the RIB IPv4 address family.


[Sysname] rib

[Sysname-rib] address-family ipv4

[Sysname-rib-ipv4] non-stop-routing

ip route-static fast-reroute auto

Use ip route-static fast-reroute auto to configure static route FRR to automatically select a backup

next hop.

Use undo ip route-static fast-reroute auto to disable static route FRR.

Syntax

ip route-static fast-reroute auto

undo ip route-static fast-reroute auto

Default

Static route FRR is disabled.

Views

System view

268


network-admin

Examples

# Configure static route FRR to automatically select a backup next hop.


[Sysname] ip route-static fast-reroute auto

import-route (RIP view)

Use import-route to enable route redistribution from another routing protocol.

Use undo import-route to disable route redistribution.

Syntax

import-route protocol [ process-id | all-processes | allow-ibgp ] [ allow-direct | cost cost |

route-policy route-policy-name | tag tag ] *

undo import-route protocol [ process-id | all-processes ]

Default

RIP does not redistribute routes from any other routing protocol.

Views

RIP view


network-admin

Parameters

protocol: Specifies a routing protocol from which RIP redistributes routes. It can be bgp, direct, isis,

ospf, rip, or static.

process-id: Specifies a process by its ID in the range of 1 to 65535. The default is 1. This argument is

available only when the protocol is isis, rip, or ospf.

all-processes: Enables route redistribution from all the processes of the specified protocol. This

keyword takes effect only when the protocol is rip, ospf, or isis.

allow-ibgp: Allows redistribution of IBGP routes. This keyword is available when the protocol

argument is set to bgp.

allow-direct: Redistributes the networks of the local interfaces enabled with the specified routing

protocol. By default, the networks of the local interfaces are not redistributed. If you specify both the

allow-direct keyword and the route-policy route-policy-name option, make sure the if-match rule

defined in the routing policy does not conflict with the allow-direct keyword. For example, if you

specify the allow-direct keyword, do not configure the if-match route-type rule for the routing policy.

Otherwise, the allow-direct keyword does not take effect.

cost cost: Specifies a cost for redistributed routes, in the range of 0 to 16. The default cost is 0.

269

route-policy route-policy-name: Specifies a routing policy by its name, a case-sensitive string of 1 to

63 characters.

tag tag: Specifies a tag for marking redistributed routes, in the range of 0 to 65535. The default is 0.

Usage guidelines

The import-route bgp command redistributes only EBGP routes. The import-route bgp allow-ibgp

command additionally redistributes IBGP routes and might cause routing loops. Therefore, use it

with caution.

This command redistributes only active routes. To view route state information, use the display ip

routing-table protocol command.

The undo import-route protocol all-processes command removes only the configuration made by

the import-route protocol all-processes command, instead of the configuration made by the

import-route protocol process-id command.

Examples

# Redistribute static routes into RIP, and set the cost for redistributed routes to 4.


[Sysname] rip 1

[Sysname-rip-1] import-route static cost 4

Related commands

default cost

import-route (OSPF view)

Use import-route to redistribute AS-external routes from another routing protocol.

Use undo import-route to disable route redistribution from another routing protocol.

Syntax


nssa-only | route-policy route-policy-name | tag tag | type type ] *


Default

OSPF does not redistribute AS-external routes from any other routing protocol.

Views

OSPF view


network-admin

Parameters

protocol: Redistributes routes from the specified protocol, which can be bgp, direct, isis, ospf, rip,

or static.

270

process-id: Specifies a process by its ID in the range of 1 to 65535. The default is 1. It is available

only when the protocol is rip, ospf, or isis.

all-processes: Redistributes routes from all the processes of the specified routing protocol. This


allow-ibgp: Redistributes IBGP routes. It is available only when the protocol is bgp.







cost cost: Specifies a route cost in the range of 0 to 16777214. The default is 1.

nssa-only: Limits the route advertisement to the NSSA area by setting the P-bit of Type-7 LSAs to 0.

By default, the P-bit of Type-7 LSAs is set to 1. If the router acts as both an ASBR and an ABR and

FULL state neighbors exist in the backbone area, the P-bit of Type-7 LSAs originated by the router is

set to 0. This keyword applies to NSSA routers.

route-policy route-policy-name: Specifies a routing policy to filter redistributed routes. The

route-policy-name argument is a case-sensitive string of 1 to 63 characters.

tag tag: Specifies a tag for marking external LSAs, in the range of 0 to 4294967295. The default is 1.

type type: Specifies a cost type, 1 or 2. The default is 2.

Usage guidelines

This command redistributes routes destined for other ASs from another protocol. AS external routes

include the following types:

Type-1 external route

Type-2 external route

A Type-1 external route has high reliability. Its cost is comparable with the cost of OSPF internal

routes. The cost from an OSPF router to a Type-1 external route's destination equals the cost from

the router to the ASBR plus the cost from the ASBR to the external route's destination.

A Type-2 external route has low credibility. OSPF considers the cost from the ASBR to the

destination of a Type-2 external route is much bigger than the cost from the ASBR to an OSPF

internal router. The cost from an internal router to a Type-2 external route's destination equals the

cost from the ASBR to the Type-2 external route's destination.

The import-route command cannot redistribute default external routes.

The import-route bgp command redistributes only EBGP routes. Because the import-route bgp

allow-ibgp command redistributes both EBGP and IBGP routes and might cause routing loops, use

it with caution.

271

Only active routes can be redistributed. To view information about active routes, use the display ip

routing-table protocol command.




The import-route nssa-only command redistributes AS-external routes in Type-7 LSAs only into

the NSSA area.

Examples

# Redistribute routes from RIP process 40 and specify the type, tag, and cost as 2, 33, and 50 for

redistributed routes.


[Sysname] ospf 100

[Sysname-ospf-100] import-route rip 40 type 2 tag 33 cost 50

Related commands

default-route-advertise (OSPF view)

import-route (IS-IS view)

Use import-route to redistribute routes from another routing protocol or another IS-IS process.

Use undo import-route to remove the redistribution.

Syntax


cost-type { external | internal } | [ level-1 | level-1-2 | level-2 ] | route-policy route-policy-name |

tag tag ] *


Default

No route redistribution is configured.

Views

IS-IS view


network-admin

Parameters

protocol: Redistributes routes from a routing protocol, which can be BGP, direct, IS-IS, OSPF, RIP, or

static.

process-id: Specifies a process by its ID in the range of 1 to 65535. It is available only when the

protocol is isis, ospf, or rip.

272



allow-ibgp: Allows redistribution of IBGP routes. It is available when the protocol is BGP.







cost: Specifies a cost for redistributed routes, which is in the range of 0 to 4261412864.

For the styles of narrow, narrow-compatible, and compatible, the cost is in the range of 0 to

63.

For the styles of wide and wide-compatible, the cost is in the range of 0 to 4261412864.

cost-type { external | internal }: Specifies the cost type. The internal type indicates internal routes,

and the external type indicates external routes. If external is specified, the cost of a redistributed

route is added by 64 to make internal routes take priority over external routes. The type is external

by default. The keywords are available only when the cost type is narrow, narrow-compatible, or

compatible.

level-1: Redistributes routes into the Level-1 routing table.

level-1-2: Redistributes routes into both Level-1 and Level-2 routing tables.

level-2: Redistributes routes into the Level-2 routing table. If no level is specified, the routes are

redistributed into the Level-2 routing table by default.

route-policy route-policy-name: Redistributes only routes matching the specified routing policy. The


tag tag: Specifies a tag value for marking redistributed routes, in the range of 1 to 4294967295.

Usage guidelines

IS-IS takes all the redistributed routes as external routes to destinations outside the IS-IS routing

domain.

The effective cost depends on the cost style. For the styles of narrow, narrow-compatible, and

compatible, the cost is in the range of 0 to 63. If the cost is more than 63, 63 is used. For the style of

wide or wide-compatible, the configured value is the effective value.

This import-route command cannot redistribute default routes. The command redistributes only

active routes. To display route state information, use the display ip routing-table protocol

command.

The import-route bgp command redistributes only EBGP routes.

The import-route bgp allow-ibgp command redistributes both EBGP and IBGP routes. Because

this command might cause routing loops, use it with caution.

273




Examples

# Redistribute static routes into IS-IS, and set the cost for redistributed routes to 15.


[Sysname] isis 1

[Sysname-isis-1] import-route static cost 15

Related commands

import-route limit

import-route (BGP view)

Use import-route to enable BGP to redistribute routes from an IGP protocol.

Use undo import-route to disable route redistribution from an IGP protocol.

Syntax

In BGP IPv4 unicast address family view/BGP-VPN IPv4 unicast address family view:

import-route protocol [ { process-id | all-processes } [ allow-direct | med med-value | route-policy

route-policy-name ] * ]


In BGP IPv6 unicast address family view/BGP-VPN IPv6 unicast address family view:

import-route protocol [ process-id [ allow-direct | med med-value | route-policy

route-policy-name ] * ]

undo import-route protocol [ process-id ]

Default

BGP does not redistribute IGP routes.

Views

BGP IPv4 unicast address family view, BGP-VPN IPv4 unicast address family view, BGP IPv6

unicast address family view, BGP-VPN IPv6 unicast address family view


network-admin

Parameters

protocol: Redistributes routes from a specified IGP protocol. In BGP IPv4 unicast address family

view/BGP-VPN IPv4 unicast address family view, it can be direct, isis, ospf, rip, or static. In BGP

IPv6 unicast address family view/BGP-VPN IPv6 unicast address family view, it can be direct, isisv6,

ospfv3, ripng, or static.

274

process-id: Specifies a process by its ID in the range of 1 to 65535. The default is 1. In BGP IPv4

unicast address family view/BGP-VPN IPv4 unicast address family view, it is available only when the

protocol is isis, ospf, or rip. In BGP IPv6 unicast address family view/BGP-VPN IPv6 unicast

address family view, it is available only when the protocol is isisv6, ospfv3, or ripng.

all-processes: Redistributes routes from all the processes of the specified IGP protocol. This

keyword takes effect only when the protocol is isis, ospf, or rip.







med med-value: Specifies a MED value for redistributed routes, in the range of 0 to 4294967295. If

no MED is specified, the metric of a redistributed route is used as its MED.


63 characters, to filter redistributed routes or set route attributes for redistributed routes.

Usage guidelines

The import-route command cannot redistribute default IGP routes. To redistribute default IGP

routes, use the default-route imported command together with the import-route command.

Only active routes can be redistributed. You can use the display ip routing-table protocol or

display ipv6 routing-table protocol command to view route state information.

The ORIGIN attribute of routes redistributed by the import-route command is INCOMPLETE.

Examples

# In BGP IPv4 unicast address family view, redistribute routes from RIP process 1, and set the MED

value for redistributed routes to 100.


[Sysname] bgp 100

[Sysname-bgp] address-family ipv4 unicast

[Sysname-bgp-ipv4] import-route rip 1 med 100

# In BGP-VPN IPv4 unicast address family view, redistribute routes from RIP process 1, and

reference a routing policy imprt to exclude route 1.1.1.0/24 from route redistribution.


[Sysname] ip prefix-list imprt deny 1.1.1.0 24

[Sysname] ip prefix-list imprt permit 0.0.0.0 0 less-equal 32

[Sysname] route-policy imprt permit node 0

[Sysname-route-policy-imprt-0] if-match ip address prefix-list imprt

[Sysname-route-policy-imprt-0] quit

[Sysname] bgp 100

[Sysname-bgp] ip vpn-instance vpn1

[Sysname-bgp-vpn1] address-family ipv4 unicast

[Sysname-bgp-ipv4-vpn1] import-route rip 1 route-policy imprt

275

# In BGP IPv6 unicast address family view, redistribute routes from RIP process 1.


[Sysname] bgp 100

[Sysname-bgp] address-family ipv6 unicast

[Sysname-bgp-ipv6] import-route ripng

# In BGP-VPN IPv6 unicast address family view, redistribute routes from RIP process 1.


[Sysname] bgp 100

[Sysname-bgp] ip vpn-instance vpn1

[Sysname-bgp-vpn1] address-family ipv6 unicast

[Sysname-bgp-ipv6-vpn1] import-route ripng

Related commands

display ip routing-table protocol

display ipv6 routing-table protocol

import-route (RIPng view)

Use import-route to redistribute routes from another routing protocol.


Syntax

import-route protocol [ process-id ] [ allow-ibgp ] [ allow-direct | cost cost | route-policy

route-policy-name ] *

undo import-route protocol [ process-id ]

Default

RIPng does not redistribute routes from another routing protocol.

Views

RIPng view


network-admin

Parameters

protocol: Specifies a routing protocol from which RIPng redistributes routes. It can be bgp4+, direct,

isisv6, ospfv3, ripng, or static.

process-id: Specifies a process by its ID in the range of 1 to 65535. The default is 1. This argument is

available only when the protocol is isisv6, ospfv3, or ripng.

allow-ibgp: Allows redistribution of IBGP routes. This keyword is available when the protocol

argument is set to bgp4+.



276





cost cost: Specifies a metric for redistributed routes, in the range of 0 to 16. The default metric is 0.


63 characters.

Usage guidelines

The import-route bgp4+ command redistributes only EBGP routes. The import-route bgp4+

allow-ibgp command redistributes both EBGP and IBGP routes.

Examples

# Redistribute routes from IPv6 IS-IS process 7 into RIPng and set the metric for redistributed routes

to 7.


[Sysname] ripng 100

[Sysname-ripng-100] import-route isisv6 7 cost 7

import-route (OSPFv3 view)

Use import-route to redistribute routes.


Syntax


nssa-only | route-policy route-policy-name | tag tag | type type ] *


Default

OSPFv3 route redistribution is disabled.

Views

OSPFv3 view


network-admin

Parameters

protocol: Redistributes routes from the specified routing protocol, which can be bgp4+, direct,

isisv6, ospfv3, ripng, or static.

process-id: Specifies the process ID of a routing protocol, in the range of 1 to 65536. It defaults to 1.

This argument takes effect only when the protocol is isisv6, ospfv3, or ripng.

277


keyword takes effect only when the protocol is ripng, ospfv3, or isisv6.

allow-ibgp: Redistributes IBGP routes. It is available only when the protocol is bgp4+.







cost cost: Specifies a cost for redistributed routes, in the range of 1 to 16777214. The default is 1.

nssa-only: Limits the route advertisement to the NSSA area by setting the P-bit of Type-7 LSAs to 0.

By default, the P-bit of Type-7 LSAs is set to 1. If the router acts as both an ASBR and an ABR and

FULL state neighbors exist in the backbone area, the P-bit of Type-7 LSAs originated by the router is

set to 0. This keyword applies to NSSA routers.

route-policy route-policy-name: Specifies a routing policy to filter redistributed routes. The


tag tag: Specifies a tag for marking external LSAs, in the range of 0 to 4294967295. If this option is

not specified, no tag is contained in advertised LSAs by default.

type type: Specifies the type for redistributed routes, 1 or 2. The default is 2.

Usage guidelines

An external route is a route to a destination outside the OSPFv3 AS. External routes types are as

follows:

A Type-1 external route has high reliability. Its cost is comparable with the cost of OSPFv3

internal routes. The cost from an OSPFv3 router to a Type-1 external route's destination equals

the cost from the router to the ASBR plus the cost from the ASBR to the external route's

destination.

A Type-2 external route has low credibility, so OSPFv3 considers the cost from the ASBR to a

Type-2 external route is much bigger than the cost from the ASBR to an OSPFv3 internal router.

The cost from an internal router to a Type-2 external route's destination equals the cost from the

ASBR to the Type-2 external route's destination.

The import-route command cannot redistribute default routes.


allow-ibgp command redistributes both EBGP and IBGP routes, and might cause routing loops.

Therefore, use it with caution.

The import-route nssa-only command redistributes AS-external routes in Type-7 LSAs only into

the NSSA area.

278

Examples

# Configure OSPFv3 process 1 to redistribute routes from RIPng and specify the type as type 2 and

cost as 50.


[Sysname] ospfv3

[Sysname-ospfv3-1] import-route ripng 10 type 2 cost 50

# Configure OSPFv3 process 100 to redistribute the routes discovered by OSPFv3 process 160.


[Sysname] ospfv3 100

[Sysname-ospfv3-100] import-route ospfv3 160

ipv6 import-route (IPv6 IS-IS view)

Use ipv6 import-route to enable IPv6 IS-IS to redistribute routes from another routing protocol.

Use undo ipv6 import-route to disable route redistribution.

Syntax

ipv6 import-route protocol [ process-id ] [ allow-ibgp ] [ allow-direct | cost cost | [ level-1 |

level-1-2 | level-2 ] | route-policy route-policy-name| tag tag ] *

undo ipv6 import-route protocol [ process-id ]

Default

IPv6 does not redistribute routes from any other routing protocol.

Views

IS-IS view


network-admin

Parameters

protocol: Redistributes routes from the specified routing protocol, which can be direct, static, ripng,

isisv6, bgp4+, or ospfv3.

process-id: Specifies a process by its ID in the range of 1 to 65535. It is available only when the

protocol is ripng, isisv6, or ospfv3.







cost cost: Specifies a cost for redistributed routes, in the range of 0 to 4261412864.


279

level-1-2: Redistributes routes into Level-1 and Level-2 routing tables.



63 characters, to filter redistributed routes.

tag tag: Specifies an administrative tag for marking redistributed routes, in the range of 1 to

4294967295.

allow-ibgp: Allows redistribution of IBGP routes. This keyword is available only when the protocol is

bgp4+.

Usage guidelines

IPv6 IS-IS considers redistributed routes as AS-external routes.

You can specify a cost and a level for redistributed routes.


allow-ibgp command redistributes both EBGP and IBGP routes, and might cause routing loops.

Therefore, use it with caution.

Examples

# Configure IPv6 IS-IS to redistribute static routes and set the cost for redistributed routes to 15.


[Sysname] isis 1

[Sysname-isis-1] ipv6 import-route static cost 15

New feature: Python

Using Python

Python is an easy to learn, powerful programming language. It has efficient high-level data structures

and a simple but effective approach to object-oriented programming. Python's elegant syntax and

dynamic typing, together with its interpreted nature, make it an ideal language for scripting and rapid

application development in many areas on most platforms.

Comware V7 provides a built-in Python interpreter that supports the following items:

Python 2.7 commands.

Python 2.7 standard API.

Comware V7 extended API.

Python scripts. You can use a Python script to configure the system automatically.

To use Python 2.7 commands and the APIs, you must enter the Python shell.

280

Command reference


New feature: ATM

Configuring ATM

Asynchronous Transfer Mode (ATM) is a technology based on packet transmission mode while

incorporating the high-speed of circuit transmission mode. ATM was adopted as the transmission

and switching mode for broadband ISDN by the ITU-T in June 1992. Due to its flexibility and support

for multimedia services, ATM is regarded as core broadband technology.

As defined by the ITU-T, data is encapsulated in cells in ATM. Each ATM cell is 53 bytes in length, of

which the first five bytes contain cell header information and the last 48 bytes contain payload. The

major function of the cell header is to identify virtual connection. In addition, it can be used to carry

limited flow control, congestion control, and error control information.

Command reference


New feature: DHCP MIB

DHCP MIB

The MIB supports HH3C-DHCP4-MIB and HH3C-DHCP-SNOOP2-MIB. For more information about

MIB nodes, see the MIB companion document.

Command reference

if-match

Use if-match to configure a match rule for a DHCP user class.

Use undo if-match to remove the match rule for a DHCP user class.

281

Syntax

if-match rule rule-number option option-code [ hex hex-string [ mask mask | offset offset length

length ] ]

undo if-match rule rule-number

Syntax

No match rule is configured for the DHCP user class.

Views

DHCP user class view


network-admin

Parameters

rule rule-number: Assigns the match rule an ID in the range of 1 to 16. A smaller ID represents a

higher match priority.

option option-code: Matches a DHCP option by a number in the range of 1 to 254.

hex hex-string: Matches the specified string in the option, which must be a hex string of even

numbers in the range of 2 to 256. If you do not specify the hex-string argument, the DHCP server

only checks whether the specified option exists in the received packets.

mask mask: Specifies the mask used to match the option content. The mask argument is a hex

string of even numbers in the range of 2 to 256. The length of mask must be the same as that of

hex-string.

offset offset: Specifies the offset to match the option, in the range of 0 to 254 bytes. If you do not

specify the offset argument, the server matches the entire option with the rule.

length length: Matches the specified length of the option, in the range of 1 to 128 bytes. The

specified length must be the same as the hex-string length.

Usage guidelines

You can configure multiple match rules for a DHCP user class. Each match rule is uniquely identified

by a rule ID. Different match rules can include the same option code, but they cannot have the exact

same matching criteria.

The DHCP server matches DHCP requests against the match rules. A DHCP client matches a DHCP

user class when its request matches one of the specified match rules.

The match operation follows these guidelines:

If only the option-code argument is specified in the rule, packets containing the option match the

rule.

If only the option-code and hex-string arguments are specified in the rule, packets that have the

specified hex string in the specified option match the rule.

282

If the option-code, hex-string, offset and length arguments are specified in the rule, packets

match the rule as long as their content from offset+1 bit to offset+length bit in the specified

option is the same as the specified hex string.

If the option-code, hex-string, and mask arguments are specified in the rule, the DHCP server

ANDs the content from the first bit to the mask-1 bit in the specified option with the mask, and

then compares the result with the result of the AND operation between hex-string and mask. If

the two results are the same, the received packet matches the rule.

Examples

# Configure match rule 1 to match DHCP requests that contain Option 82 for DHCP user class

contain-option82.


[Sysname] dhcp class contain-option82

[Sysname-dhcp-class-contain-option82] if-match rule 1 option 82

# Configure match rule 2 to match DHCP requests that contain Option 82 whose first three bytes is

0x13ae92 for DHCP user class exam.


[Sysname] dhcp class exam

[Sysname-dhcp-class-exam] if-match rule 2 option 82 hex 13ae92 offset 0 length 3

# Configure match rule 3 to match DHCP requests that contain Option 82 whose highest bit of the

fourth byte is 1 for DHCP user class exam.


[Sysname] dhcp class exam

[Sysname-dhcp-class-exam] if-match rule 3 option 82 hex 00000080 mask 00000080

Related commands

dhcp class

ESS 0006P02

None