
Security Configuration Commands

1. ACL Commands

2. RPL Commands

3. REF-RNFP Commands

4. SSH Commands

5. DHCP Snooping Commands

6. IP Source Guard Commands

7. VPDN Commands

8. IPSEC-IKE Commands

9. AAA Commands

10. RADIUS Commands

11. Web Authentication Commands

12. IPoE Commands

13. IP Group Commands

14. ANTI-PAP Commands

15. WEB-ADVERT Commands

16. Local-account Commands


17. Firewall Commands
Command Reference ACL Commands

1 ACL Commands

command ID table

ID Meaning

ID Number of access list. Range: Standard IP ACL: 1 to 99, 1300 to 1999; Extended IP ACL: 100 to 199, 2000 to 2699

name ACL name

sn ACL SN (products can be set according to the priority)

start-sn Start sequence number

inc-sn Sequence number increment

deny If matched, access is denied.

permit If matched, access is permitted.

port Protocol number. For IPv6, this field can be IPv6, ICMP, TCP, UDP or a number from 0 to 255. For IPv4, it can be one of EIGRP, GRE, IPINIP, IGMP, NOS, OSPF, ICMP, UDP, TCP, AHP, ESP, PCP, PIM and IP, or a number from 0 to 255 that represents the IP protocol. Important protocols such as ICMP, TCP and UDP are listed and described individually.

interface idx Interface index

src Packet source IP address (host address or network address)

src-wildcard Source IP address wildcard. It can be discontinuous, for example, 0.255.0.32.

src-ipv6-pfix Source IPv6 network address or network type

dst-ipv6-pfix Destination IPv6 network address or network type

pfix-len Prefix mask length

src-ipv6-addr Source IPv6 address

dst-ipv6-addr Destination IPv6 address

dscp Differential service code point, and code point value. Range: 0 to 63

flow-label Flow label in the range 0 to 1048575

dst Packet destination IP address (host address or network address)

dst-wildcard Destination IP address wildcard. It can be discontinuous, such as 0.255.0.32

fragment Packet fragment filtering.

precedence Packet precedence value (0 to 7)

range The layer 4 port number range of the packet.


time-range tm-rng-name Time range of packet filtering, named tm-rng-name

tos Type of service (0 to 15)

cos Class of service (0-7)

cos inner cos COS of the packet tag

icmp-type ICMP message type (0 to 255)

icmp-code ICMP message type code (0 to 255)

icmp-message ICMP message type name (0 to 255)

operator port [ port ] Operator (lt: smaller, eq: equal, gt: greater, neq: unequal, range: range). port is the port number; the two-operand range operator needs two port numbers, while the other operators need only one.

src-mac-addr Physical address of the source host

dst-mac-addr Physical address of the destination host

VID vid VLAN ID

VID inner vid VID of the tag

ethernet-type Ethernet protocol type. 0x value can be entered.

match-all tcpf Match all bits of the TCP flag.

established Match the RST or ACK bit of the TCP flag.

text Remark text

in Filter the incoming packets of the interface

out Filter the outgoing packets of the interface

{rule mask offset}+ rule: hexadecimal value field; mask: hexadecimal mask field; offset: refer to the offset table. The "+" sign indicates at least one group.

log Output the matching syslog when the packet matches the ACL rule.

Offset table:

Letter Meaning Offset
A Destination MAC 0
B Source MAC 6
C Data frame length field 12
D VLAN tag field 14
E DSAP (Destination Service Access Point) field 18
F SSAP (Source Service Access Point) field 19
G Ctrl field 20
H Org Code field 21
I Encapsulated data type 24
J IP version number 26
K TOS field 27
L Length of IP packet 28
M ID 30
N Flags field 32
O TTL field 34
P Protocol number 35
Q IP checksum 36
R Source IP address 38
S Destination IP address 42
T TCP source port 46
U TCP destination port 48
V Sequence number 50
W Confirmation field 54
XY IP header length and reserved bits 58
Z Reserved bits and flags bit 59
a Window size field 60
b Others 62
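The following example is added to this page and is not part of the Ruijie command reference. It shows, in Python, how a {rule mask offset}+ match can be evaluated against a captured frame using the offset letters from the table above. The frame layout it constructs (802.3 length field, 802.1Q tag, LLC/SNAP header, then IPv4 and TCP) is inferred from the offsets in the table, and the comparison "frame bytes AND mask equals rule AND mask" is an assumption about how rule and mask combine; neither is stated by the reference.

```python
"""Added illustration of a {rule mask offset}+ expert ACL match evaluated
against a frame, using the offset letters from the table above. Constructed
for this page, not Ruijie code. The frame layout (802.3 length field, 802.1Q
tag, LLC/SNAP, then IPv4 and TCP) and the "frame & mask == rule & mask"
comparison are assumptions that fit the table."""
import struct
from typing import List, Tuple

# Offset letter -> byte offset from the start of the frame (the table above;
# "XY" is kept exactly as the table prints it).
OFFSETS = {
    "A": 0, "B": 6, "C": 12, "D": 14, "E": 18, "F": 19, "G": 20, "H": 21,
    "I": 24, "J": 26, "K": 27, "L": 28, "M": 30, "N": 32, "O": 34, "P": 35,
    "Q": 36, "R": 38, "S": 42, "T": 46, "U": 48, "V": 50, "W": 54, "XY": 58,
    "Z": 59, "a": 60, "b": 62,
}


def match_rule_groups(frame: bytes, groups: List[Tuple[str, str, str]]) -> bool:
    """Return True when every (rule, mask, offset letter) group matches.
    rule and mask are hexadecimal strings of equal length; a frame too short
    to contain the field does not match."""
    if not groups:
        raise ValueError("the '+' in {rule mask offset}+ means at least one group")
    for rule_hex, mask_hex, letter in groups:
        rule, mask = bytes.fromhex(rule_hex), bytes.fromhex(mask_hex)
        if len(rule) != len(mask):
            raise ValueError("rule and mask must be the same length")
        off = OFFSETS[letter]
        window = frame[off:off + len(rule)]
        if len(window) < len(rule):
            return False
        masked_frame = bytes(f & m for f, m in zip(window, mask))
        masked_rule = bytes(r & m for r, m in zip(rule, mask))
        if masked_frame != masked_rule:
            return False
    return True


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, tcp_flags: int) -> bytes:
    """Constructed test frame laid out so that each field sits at the offset
    the table lists. Checksums are left at zero; they are not matched here."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")  # A, B
    eth += struct.pack("!H", 0x0080)                       # C: 802.3 length field
    eth += struct.pack("!HH", 0x8100, 100)                 # D: 802.1Q tag, VLAN 100
    snap = bytes([0xAA, 0xAA, 0x03, 0, 0, 0])              # E, F, G, H: LLC/SNAP
    snap += struct.pack("!H", 0x0800)                      # I: encapsulated type IPv4
    ip_src = bytes(int(o) for o in src_ip.split("."))
    ip_dst = bytes(int(o) for o in dst_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                     ip_src, ip_dst)                       # J..S, protocol 6 = TCP
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, tcp_flags,
                      65535, 0, 0)                         # T..b
    return eth + snap + ip + tcp


def demo() -> List[bool]:
    """Match "TCP, destination port 23, SYN set and ACK clear" against three
    constructed frames: a SYN to port 23, a SYN-ACK to port 23, a SYN to port 80."""
    rule = [("06", "ff", "P"),      # protocol number == 6
            ("0017", "ffff", "U"),  # TCP destination port == 23
            ("02", "12", "Z")]      # of the SYN and ACK bits, only SYN is set
    frames = [build_frame("192.168.1.10", "10.0.0.1", 40000, 23, 0x02),
              build_frame("192.168.1.10", "10.0.0.1", 40000, 23, 0x12),
              build_frame("192.168.1.10", "10.0.0.1", 40001, 80, 0x02)]
    return [match_rule_groups(f, rule) for f in frames]
```

The mask is what makes the third group useful: with mask 0x12 only the SYN and ACK bits of the TCP flags byte are compared, so a SYN-ACK does not match a rule written for the first packet of a connection.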

access-list

Use this command to create an access list to filter data packets. Use the no form of this command to
remove the specified access list.
Standard IP access list (1 to 99, 1300 to 1999):
access-list id { deny | permit } { source source-wildcard | host source | any } [ time-range tm-range-name ]
Extended IP access list (100 to 199, 2000 to 2699):
access-list id { deny | permit } protocol { source source-wildcard | host source | any } { destination destination-wildcard | host destination | any } [ time-range time-range-name ]
Extended expert ACLs of some important protocols:
Internet Control Message Protocol (ICMP)
access-list id { deny | permit } icmp [ VID [ out ] [ inner in ] ] { source source-wildcard | host source | any } { any } { destination destination-wildcard | host destination | any } { any } [ [ icmp-type [ icmp-code ] ] | [ icmp-message ] ] [ precedence precedence ] [ time-range time-range-name ]
Transmission Control Protocol (TCP)
access-list id { deny | permit } tcp [ VID [ out ] [ inner in ] ] { source source-wildcard | host source | any } { any } [ operator [ eq port [ | gt port ] ] | lt port | neq port | range lower upper ] { destination destination-wildcard | host destination | any } { any } [ operator [ eq port [ | gt port ] ] [ precedence precedence ] [ | lt port | neq port | range lower upper ] [ time-range time-range-name ]
User Datagram Protocol (UDP)
access-list id { deny | permit } udp [ VID [ out ] [ inner in ] ] { source source-wildcard | host source | any } { any } [ operator [ eq port [ | gt port ] ] | lt port | neq port | range lower upper ] { destination destination-wildcard | host destination | any } { any } [ operator [ eq port [ | gt port ] ] [ precedence precedence ] [ | lt port | neq port | range lower upper ] [ time-range time-range-name ]

Parameter Description
id Access list number. The ranges available are 1 to 99, 100 to 199, 1300 to 1999, 2000 to 2699, 2700 to 2899, and 700 to 799.
deny If matched, access is denied.
permit If matched, access is permitted.
source Specify the source IP address (host address or network address).
source-wildcard Source IP address wildcard. It can be discontinuous, for example, 0.255.0.32.

protocol IP protocol number. It can be one of EIGRP, GRE, IPINIP, IGMP, NOS, OSPF, ICMP, UDP, TCP, and IP. It can also be a number representing the IP protocol between 0 and 255. The important protocols such as ICMP, TCP, and UDP are described separately.
destination Specify the destination IP address (host address or network address).
destination-wildcard Wildcard of the destination IP address. It can be discontinuous, for example, 0.255.0.32.
eq port Port number, ranging from 0 to 65535, that is equal to the layer 4 port number.
gt port Port number, ranging from 0 to 65535, that is larger than the layer 4 port number.
lt port Port number, ranging from 0 to 65535, that is smaller than the layer 4 port number.
neq port Port number, ranging from 0 to 65535, that is not equal to the layer 4 port number.
range Layer 4 port number range of the packet.
lower Lower limit of the layer 4 port number.
upper Upper limit of the layer 4 port number.
time-range Time range of packet filtering
time-range-name Time range name of packet filtering
icmp-type ICMP message type (0 to 255)
icmp-code ICMP message type code (0 to 255)
icmp-message ICMP message type name

Defaults N/A

Command Mode Global configuration mode.

Usage Guide To filter the data by using the access control list, you must first define a series of rule statements by
using the access list. You can use ACLs of the appropriate types according to the security needs:
The standard IP ACL (1 to 99, 1300 to 1999) only controls the source IP addresses.
The extended IP ACL (100 to 199, 2000 to 2699) can enforce strict control over the source and
destination IP addresses.
For the layer-3 routing protocols including the unicast routing protocol and multicast routing protocol,
the following parameters are not supported by the ACL: precedence precedence / range lower
upper / time-range time-range-name
The TCP Flag includes part or all of the following:
- urg
- ack
- psh
- rst
- syn
- fin

The packet precedence is as below:
- critical
- flash
- flash-override
- immediate
- internet
- network
- priority
- routine

The service types are as below:
- max-reliability
- max-throughput
- min-delay
- min-monetary-cost
- normal

The ICMP message types are as below:
- administratively-prohibited
- dod-host-prohibited
- dod-net-prohibited
- echo
- echo-reply
- fragment-time-exceeded
- general-parameter-problem
- host-isolated
- host-precedence-unreachable
- host-redirect
- host-tos-redirect
- host-tos-unreachable
- host-unknown
- host-unreachable
- information-reply
- information-request
- mask-reply
- mask-request
- mobile-redirect
- net-redirect
- net-tos-redirect
- net-tos-unreachable
- net-unreachable
- network-unknown
- no-room-for-option
- option-missing
- packet-too-big
- parameter-problem
- port-unreachable
- precedence-unreachable
- protocol-unreachable
- redirect
- device-advertisement
- device-solicitation
- source-quench
- source-route-failed
- time-exceeded
- timestamp-reply
- timestamp-request
- ttl-exceeded
- unreachable

The TCP ports are as follows. A port can be specified by port name or port number:
- chargen
- cmd
- daytime
- discard
- domain
- echo
- exec
- finger
- ftp
- ftp-data
- gopher
- hostname
- ident
- irc
- klogin
- kshell
- ldp
- login
- nntp
- pim-auto-rp
- pop2
- pop3
- smtp
- sunrpc
- syslog
- tacacs
- talk
- telnet
- time
- uucp
- whois
- www

The UDP ports are as follows. A UDP port can be specified by port name or port number:
- biff
- bootpc
- bootps
- discard
- dnsix
- domain
- echo
- isakmp
- mobile-ip
- nameserver
- netbios-dgm
- netbios-ns
- netbios-ss
- ntp
- pim-auto-rp
- rip
- snmp
- snmptrap
- sunrpc
- syslog
- tacacs
- talk
- tftp
- time
- who
- xdmcp

To remove an ACL rule, enter ACL mode and run the no { sequence-number | permit | deny } command.

Configuration Examples
1. Example of the standard IP ACL
The following basic IP ACL allows the packets whose source IP addresses are 192.168.1.64 - 192.168.1.127 to pass:
Ruijie(config)#access-list 1 permit 192.168.1.64 0.0.0.63
2. Example of the extended IP ACL
The following extended IP ACL allows the DNS messages and ICMP messages to pass:
Ruijie(config)#access-list 102 permit tcp any any eq domain
Ruijie(config)#access-list 102 permit udp any any eq domain
Ruijie(config)#access-list 102 permit icmp any any echo
Ruijie(config)#access-list 102 permit icmp any any echo-reply

Related Commands
Command Description
show access-lists Show all the ACLs.

Platform Description N/A

access-list list-remark

Use this command to write a helpful comment (remark) for an access list. Use the no form of this
command to remove the remark.
access-list id list-remark text
no access-list id list-remark

Parameter Description
id Access list number. Standard IP ACL: 1 to 99, 1300 to 1999. Extended IP ACL: 100 to 199, 2000 to 2699.
text Comment that describes the access list.

Defaults The access lists have no remarks by default.

Command Mode Global configuration mode

Usage Guide You can use this command to write a helpful comment for a specified access list. If the specified
access list does not exist, the command will create the access list, then add remarks for the access
list.

Configuration Examples The following example writes a comment of “this acl is to filter the host 192.168.4.12” for ACL100.
Ruijie(config)# ip access-list extended 100
Ruijie(config)# access-list 100 list-remark this acl is to filter the host 192.168.4.12

Related Commands
Command Description
show access-lists Displays all access lists, including the remarks for the access lists.
show access-lists id Displays the access list of a specified number, including the remarks for the access list.
show access-lists name Displays the access list of a specified name, including the remarks for the access list.

Platform Description

access-list remark

Use this command to write a helpful comment (remark) for an entry in a numbered access list. Use
the no form of this command to remove the remark.
access-list id remark text
no access-list id remark text

Parameter Description
id Access list number. Standard IP ACL: 1 to 99, 1300 to 1999. Extended IP ACL: 100 to 199, 2000 to 2699.
text Comment that describes the access list entry.

Defaults The access list entries have no remarks by default.

Command Mode Global configuration mode

Usage Guide You can use this command to write a helpful comment for an entry in a specified access list. If the
specified access list does not exist, the command will create the access list, then add remarks for
the access entry.

Configuration Examples The following example writes a comment for an entry in ACL102.
Ruijie(config)# access-list 102 remark deny-host-10.1.1.1

Related Commands
Command Description
show access-lists Displays all access lists, including the remarks for the access list entries.
show access-lists id Displays the access list of a specified number, including the remarks for the access list entry.
show access-lists name Displays the access list of a specified name, including the remarks for the access list entry.

Platform Description

clear access-list counters

Use this command to clear counters of packets matching the deny entries in ACLs.
clear access-list counters [id | name]

Parameter Description
id Access list number. Standard IP ACL: 1-99, 1300-1999; Extended IP ACL: 100-199, 2000-2699
name Access list name

Defaults

Command Mode Privileged EXEC mode

Usage Guide This command is used to clear the counters of packets matching the deny entries in ACLs.

Configuration Examples The following example clears the packet matching counter of ACL No. 1:
Before configuration:
Ruijie# show access-lists
ip access-list standard 1
10 deny host 50.1.1.2 (10 matches)
20 permit host 60.1.1.2 (15 matches)
(10 packets filtered)

After configuration:
Ruijie# end
Ruijie# clear access-list counters
Ruijie# show access-lists
ip access-list standard 1
10 deny host 50.1.1.2 (10 matches)
20 permit host 60.1.1.2 (15 matches)
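The following example is added to this page and is not part of the Ruijie command reference. It models in Python how the ACLs in the access-list configuration examples (standard list 1 with wildcard 0.0.0.63, extended list 102 for DNS and ICMP) evaluate packets, and how the "(N matches)" and "(N packets filtered)" counters shown in the clear access-list counters example accumulate and are reset. The Entry, Packet and AccessList names are this example's own, and treating a packet that matches no entry as denied is an assumption; the reference does not say what happens in that case.

```python
"""Added model of numbered IP ACL evaluation with wildcard masks and match
counters. Constructed for this page, not Ruijie code. It mirrors what the
reference states: entries are tried in sequence-number order, the first
match decides, a set wildcard bit is ignored, and eq/gt/lt/neq/range compare
the layer 4 port. Denying a packet that matches nothing is an assumption."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")        # the "any" keyword


def host(ip: str) -> Tuple[str, str]:
    """The "host <addr>" keyword: every address bit must match."""
    return (ip, "0.0.0.0")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A set bit in the wildcard means "do not care". Pure bit arithmetic,
    so a discontinuous wildcard such as 0.255.0.32 works like any other."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


PortOp = Optional[Tuple[str, int, int]]     # (operator, port or lower, upper)


def port_match(port: Optional[int], op: PortOp) -> bool:
    if op is None:
        return True                         # no operator: any layer 4 port
    if port is None:
        return False                        # operator given, packet has no port
    name, p1, p2 = op
    return {"eq": port == p1, "gt": port > p1, "lt": port < p1,
            "neq": port != p1, "range": p1 <= port <= p2}[name]


@dataclass
class Entry:
    sn: int                                 # sequence number
    action: str                             # "permit" or "deny"
    protocol: str = "ip"                    # "ip" matches every IP protocol
    src: Tuple[str, str] = ANY              # (address, wildcard)
    dst: Tuple[str, str] = ANY
    src_op: PortOp = None
    dst_op: PortOp = None
    matches: int = 0                        # the "(N matches)" counter


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str                           # "tcp", "udp", "icmp", ...
    sport: Optional[int] = None
    dport: Optional[int] = None


class AccessList:
    def __init__(self, acl_id: int) -> None:
        self.acl_id = acl_id
        self.entries: List[Entry] = []
        self.filtered = 0                   # the "(N packets filtered)" counter

    def add(self, entry: Entry) -> None:
        self.entries.append(entry)
        self.entries.sort(key=lambda e: e.sn)

    def evaluate(self, pkt: Packet) -> str:
        """Action of the first matching entry; no match is treated as deny."""
        for e in self.entries:
            if e.protocol not in ("ip", pkt.protocol):
                continue
            if not (wildcard_match(pkt.src, *e.src) and wildcard_match(pkt.dst, *e.dst)):
                continue
            if not (port_match(pkt.sport, e.src_op) and port_match(pkt.dport, e.dst_op)):
                continue
            e.matches += 1
            if e.action == "deny":
                self.filtered += 1
            return e.action
        self.filtered += 1
        return "deny"

    def clear_counters(self) -> None:
        """What clearing the counters of this list leaves behind."""
        for e in self.entries:
            e.matches = 0
        self.filtered = 0

    def show(self) -> List[str]:
        """Lines in the style of the show access-lists output above."""
        lines = [f"ip access-list {self.acl_id}"]
        for e in self.entries:
            proto = "" if e.protocol == "ip" else f" {e.protocol}"
            hits = f" ({e.matches} matches)" if e.matches else ""
            lines.append(f"{e.sn} {e.action}{proto}{hits}")
        if self.filtered:
            lines.append(f"({self.filtered} packets filtered)")
        return lines


def demo_standard() -> List[str]:
    """ACL 1 from the examples: sources 192.168.1.64 - 192.168.1.127 pass."""
    acl = AccessList(1)
    acl.add(Entry(10, "permit", src=("192.168.1.64", "0.0.0.63")))
    sources = ["192.168.1.64", "192.168.1.127", "192.168.1.128", "192.168.1.63"]
    return [acl.evaluate(Packet(s, "10.0.0.1", "tcp")) for s in sources]


def demo_extended() -> List[str]:
    """ACL 102 from the examples: DNS and ICMP pass, everything else is dropped."""
    acl = AccessList(102)
    acl.add(Entry(10, "permit", "tcp", ANY, ANY, None, ("eq", 53, 0)))  # eq domain
    acl.add(Entry(20, "permit", "udp", ANY, ANY, None, ("eq", 53, 0)))
    acl.add(Entry(30, "permit", "icmp"))
    return [acl.evaluate(Packet("10.1.1.1", "10.2.2.2", "udp", 40000, 53)),
            acl.evaluate(Packet("10.1.1.1", "10.2.2.2", "icmp")),
            acl.evaluate(Packet("10.1.1.1", "10.2.2.2", "tcp", 40000, 80))]
```

The wildcard test is the part worth checking against the reference's 0.0.0.63 example: 192.168.1.64 and 192.168.1.127 match because only the low six bits differ from the base address, while 192.168.1.128 and 192.168.1.63 do not.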

Related Commands
Command Description
deny Defines a deny ACL entry.
permit Defines a permit ACL entry.

Platform Description N/A

clear counters access-list

Use this command to clear counters of packets matching ACLs.
clear counters access-list [ id | name ]

Parameter Description
id Access list number. Configurable range: Standard IP ACL: 1-99, 1300-1999; Extended IP ACL: 100-199, 2000-2699
name Access list name

Defaults

Command Mode Privileged EXEC mode

Usage Guide This command is used to clear the counters of packets matching the specified or all ACLs.

Configuration Examples The following example clears the packet matching counter of ACL No. 2100:
Ruijie# show access-lists 2100
expert access-list extended 2100
10 permit ip host 192.168.3.55 host 192.168.99.6 (88 matches)
20 deny tcp any any eq login any any (33455 matches)
30 permit tcp any any (10 matches)

Ruijie# clear counters access-list 2700
Ruijie# show access-lists 2700
expert access-list extended 2700
10 permit ip host 192.168.3.55 host 192.168.99.6
20 deny tcp any any eq login any any
30 permit tcp any any

Related Commands
Command Description
deny Defines a deny ACL entry.
permit Defines a permit ACL entry.

Platform Description N/A

deny

One or multiple deny conditions are used to determine whether to forward or discard the packet. In
ACL configuration mode, you can modify the existent ACL or configure according to the protocol
details.
1. Standard IP ACL
Use this command to add a standard IP ACL.
Use the no form of this command to remove a standard IP ACL.
[ sn ] deny { source source-wildcard | host source | any } [ time-range tm-range-name ]
no { sn | { deny { source source-wildcard | host source | any } [ time-range tm-range-name ] } }

2. Extended IP ACL
Use this command to add an extended IP ACL.
Use the no form of this command to remove an extended IP ACL.
[ sn ] deny protocol { source source-wildcard | host source | any } { destination destination-wildcard | host destination | any } [ time-range time-range-name ]
no { sn | { deny { source source-wildcard | host source | any } { destination destination-wildcard | host destination | any } [ time-range time-range-name ] } }

Extended IP ACLs of some important protocols:
- Internet Control Message Protocol (ICMP)
[ sn ] deny icmp { source source-wildcard | host source | any } { destination destination-wildcard | host destination | any } [ [ icmp-type [ icmp-code ] ] | [ icmp-message ] ] [ time-range time-range-name ]
- Transmission Control Protocol (TCP)
[ sn ] deny tcp { source source-wildcard | host source | any } [ eq port | gt port | lt port | neq port | range lower upper ] { destination destination-wildcard | host destination | any } [ eq port | gt port | lt port | neq port | range lower upper ] [ time-range time-range-name ]
- User Datagram Protocol (UDP)
[ sn ] deny udp { source source-wildcard | host source | any } [ eq port | gt port | lt port | neq port | range lower upper ] { destination destination-wildcard | host destination | any } [ eq port | gt port | lt port | neq port | range lower upper ] [ time-range time-range-name ]

Parameter Description
sn ACL entry sequence number
prefix-length Prefix mask length
flow-label flow-label Flow label value, within the range of 0 to 1048575.
source Specify the source IP address (host address or network address).
source-wildcard It can be discontinuous, for example, 0.255.0.32.
protocol For IPv6, the field can be ipv6 | icmp | tcp | udp or a number in the range 0 to 255. For IPv4, it is the IP protocol number: one of EIGRP, GRE, IPINIP, IGMP, NOS, OSPF, ICMP, UDP, TCP, and IP, or a number representing the IP protocol between 0 and 255. The important protocols such as ICMP, TCP, and UDP are described separately.
destination Specify the destination IP address (host address or network address).
destination-wildcard Wildcard of the destination IP address. It can be discontinuous, for example, 0.255.0.32.
eq port Port number, ranging from 0 to 65535, that is equal to the layer 4 port number.
gt port Port number, ranging from 0 to 65535, that is larger than the layer 4 port number.
lt port Port number, ranging from 0 to 65535, that is smaller than the layer 4 port number.
neq port Port number, ranging from 0 to 65535, that is not equal to the layer 4 port number.
range Layer 4 port number range of the packet.
lower Lower limit of the layer 4 port number.
upper Upper limit of the layer 4 port number.
time-range Time range of the packet filtering
time-range-name Time range name of the packet filtering
icmp-type ICMP message type (0 to 255)
icmp-code ICMP message type code (0 to 255)
icmp-message ICMP message type name

Defaults No entry

Command Mode ACL configuration mode.

Usage Guide Use this command to configure the filtering entry of ACLs in ACL configuration mode.

Configuration Examples This example shows how to use the extended IP ACL. The purpose is to stop the host with the IP address 192.168.4.12 from providing services through TCP port 100 and to apply the ACL to interface GigabitEthernet 0/1. The configuration procedure is as below:
Ruijie(config)# ip access-list extended ip-ext-acl
Ruijie(config-ext-nacl)# deny tcp host 192.168.4.12 eq 100 any
Ruijie(config-ext-nacl)# end
Ruijie# show access-lists
ip access-list extended ip-ext-acl
10 deny tcp host 192.168.4.12 eq 100 any
Ruijie# configure terminal
Ruijie(config)#interface gigabitethernet 0/1
Ruijie(config-if)#ip access-group ip-ext-acl in
Ruijie(config-if)#

This example shows how to use the standard IP ACL. The purpose is to deny the host with the IP address 192.168.4.12 and to apply the rule to interface gigabitethernet 1/1. The configuration procedure is as below:
Ruijie(config)#ip access-list standard 34
Ruijie(config-ext-nacl)# deny host 192.168.4.12
Ruijie(config-ext-nacl)#end
Ruijie# show access-lists
ip access-list standard 34
10 deny host 192.168.4.12
Ruijie# configure terminal
Ruijie(config)# interface gigabitethernet 0/1
Ruijie(config-if-GigabitEthernet 0/1)# ip access-group 34 in

Related Commands
Command Description
show access-lists Displays all access lists, including the remarks for the access list entries.
show access-lists id Displays the access list of a specified number, including the remarks for the access list entry.
show access-lists name Displays the access list of a specified name, including the remarks for the access list entry.

Platform Description N/A

ip access-group

Use this command to apply a specific access list globally or to an interface. Use the no form of this
command to remove the access list from the interface.
ip access-group { id | name } { in | out } [ reflect ]
no ip access-group { id | name } { in | out } [ reflect ]

Parameter Description
id IP access list or extended IP access list number: 1 to 199, 1300 to 2699
name Name of the IP ACL
in Filters the incoming packets of the interface.
out Filters the outgoing packets of the interface.
reflect Set a reflexive ACL.

Defaults No access list is applied on the interface by default.

Command Mode Interface configuration mode.

Usage Guide Use this command to control access to a specified interface globally.

Configuration Examples The following example applies the ACL 120 on interface fastEthernet0/0 to filter the incoming packets:
Ruijie(config)# interface GigabitEthernet 0/0
Ruijie(config-if-GigabitEthernet 0/0)# ip access-group 120 in

Related Commands
Command Description
access-list Defines an ACL.
show access-lists Displays all ACLs.

Platform Description N/A

ip access-list

Use this command to create a standard IP access list or extended IP access list. Use the no form of
the command to remove the access list.
ip access-list { extended | standard } { id | name }
no ip access-list { extended | standard } { id | name }

Parameter Description
id Access list number. Standard: 1 to 99, 1300 to 1999; Extended: 100 to 199, 2000 to 2699.
name Name of the access list

Defaults N/A

Command Mode Global configuration mode

Usage Guide Configure a standard access list if you need to filter on source address only. If you want to filter on
anything other than source address, you need to create an extended access list.
Refer to deny or permit in the two modes. Use the show access-lists command to display the ACL
configurations.


Configuration Examples The following example creates a standard access list named std-acl.
Ruijie(config)# ip access-list standard std-acl
Ruijie(config-std-nacl)# show access-lists
ip access-list standard std-acl
Ruijie(config-std-nacl)#

The following example creates an extended ACL numbered 123:
Ruijie(config)# ip access-list extended 123
Ruijie(config-ext-nacl)# show access-lists
ip access-list extended 123

Related Commands
Command Description
show access-lists Displays all ACLs.

Platform Description N/A

ip access-list resequence

Use this command to resequence a standard or extended IP access list. Use the no form of this
command to restore the default order of access entries.
ip access-list resequence { id | name } start-sn inc-sn
no ip access-list resequence { id | name }

Parameter Description
id IP access list number. Standard IP access list: 1 to 99, 1300 to 1999; Extended IP access list: 100 to 199, 2000 to 2699.
name Name of the standard or extended IP access list
start-sn Start sequence number. Range: 1 to 2147483647
inc-sn Increment of the sequence number. Range: 1 to 2147483647

Defaults start-sn: 10
inc-sn: 10

Command Mode Global configuration mode

Usage Guide Use this command to change the order of the access entries.


Configuration Examples The following example resequences entries of ACL1:
Before the configuration:
Ruijie# show access-lists
ip access-list standard 1
10 permit host 192.168.4.12
20 deny any any

After the configuration:
Ruijie# config
Ruijie(config)# ip access-list resequence 1 21 43
Ruijie(config)# exit
Ruijie# show access-lists
ip access-list standard 1
21 permit host 192.168.4.12
64 deny any any

Related Commands
Command Description
show access-lists Displays all access lists, including the remarks for the access list entries.

Platform Description N/A

ipv6 access-list

Use this command to create an IPv6 access list and to place the device in IPv6 access list
configuration mode. Use the no form of this command to remove the access list.
ipv6 access-list name
no ipv6 access-list name

Parameter Description
name Name of the IPv6 access list.

Defaults N/A

Command Mode Global configuration mode

Usage Guide To filter the IPv6 packets through the access list, you need to define an IPv6 access list by using the
ipv6 access-list command.


Configuration Examples The following example creates an IPv6 access list named v6-acl:
Ruijie(config)# ipv6 access-list v6-acl
Ruijie(config-ipv6-nacl)# end
Ruijie# show access-lists
ipv6 access-list extended v6-acl
Ruijie#

Related Commands
Command Description
show access-lists Displays all access lists.

Platform Description N/A

ipv6 access-list resequence

Use this command to resequence an IPv6 access list. Use the no form of this command to restore
the default order of access entries.
ipv6 access-list resequence name start-sn inc-sn
no ipv6 access-list resequence name

Parameter Description
name Name of the IPv6 access list
start-sn Start sequence number. Range: 1 to 2147483647
inc-sn Increment of the sequence number. Range: 1 to 2147483647

Defaults start-sn: 10
inc-sn: 10

Command Mode Global configuration mode

Usage Guide Use this command to change the order of the access entries.

Configuration Examples The following example resequences entries of IPv6 access list “v6-acl”:
Before the configuration:
Ruijie# show access-lists
ipv6 access-list v6-acl
10 permit ipv6 any any
20 deny ipv6 any any

After the configuration:
Ruijie# config
Ruijie(config)# ipv6 access-list resequence v6-acl 21 43
Ruijie(config)# exit
Ruijie# show access-lists
ipv6 access-list v6-acl
21 permit ipv6 any any
64 deny ipv6 any any

Related Commands
Command Description
show access-lists Displays all access lists.

Platform Description N/A

ipv6 traffic-filter

Use this command to apply an IPv6 access list on the specified interface. Use the no form of the command to remove the IPv6 access list from the interface.
ipv6 traffic-filter name { in | out }
no ipv6 traffic-filter name { in | out }

Parameter Description
name Name of IPv6 access list
in Specifies filtering on inbound packets
out Specifies filtering on outbound packets

Defaults N/A

Command Mode Interface configuration mode.

Usage Guide Use this command to apply the IPv6 access list on a specified interface to filter the inbound or
outbound packets.

Configuration Examples The following example applies the IPv6 access list named v6-acl to interface GigabitEthernet 0/1:
Ruijie(config)# interface GigaEthernet 0/1
Ruijie(config-if-GigaEthernet 0/1)# ipv6 traffic-filter v6-acl in

Related Commands
Command Description
show access-group Displays ACL configurations on the interface.

Platform Description N/A

list-remark

Use this command to write a helpful comment (remark) for an access list. Use the no form of this
command to remove the remark.
list-remark text
no list-remark

Parameter Description
text Comment that describes the access list.

Defaults The access lists have no remarks by default.

Command Mode ACL configuration mode

Usage Guide You can use this command to write a helpful comment for a specified access list.

Configuration Examples The following example writes a comment of “this acl is to filter the host 192.168.4.12” for ACL102.
Ruijie(config)# ip access-list extended 102
Ruijie(config-ext-nacl)# list-remark this acl is to filter the host 192.168.4.12
Ruijie(config-ext-nacl)# show access-lists
ip access-list extended 102
deny ip host 192.168.4.12 any
1000 hits
this acl is to filter the host 192.168.4.12
Ruijie(config-ext-nacl)#

Related Commands
Command Description
show access-lists Displays all access lists.
ip access-list Defines an IPv4 access list.
access-list list-remark Adds a helpful comment for an access list in global configuration mode.

Platform Description N/A

permit

One or multiple permit conditions are used to determine whether to forward or discard the packet. In
ACL configuration mode, you can modify the existent ACL or configure according to the protocol
details.
1. Standard IP ACL
Use this command to add a standard IP ACL.
Use the no form of this command to remove a standard IP ACL.
[ sn ] permit { source source-wildcard | host source | any | interface idx } [ time-range tm-range-name ]
no { sn | { permit { source source-wildcard | host source | any } [ time-range tm-range-name ] } }

2. Extended IP ACL
Use this command to add an extended IP ACL.
Use the no form of this command to remove an extended IP ACL.
[ sn ] permit protocol { source source-wildcard | host source | any } { destination destination-wildcard [ precedence precedence ] [ range lower upper ] | host destination | any } [ time-range time-range-name ]
no { sn | { permit protocol { source source-wildcard | host source | any } { destination destination-wildcard [ precedence precedence ] [ range lower upper ] | host destination | any } [ time-range time-range-name ] } }

Extended IP ACLs of some important protocols:
- Internet Control Message Protocol (ICMP)
[ sn ] permit icmp { source source-wildcard | host source | any } { destination destination-wildcard | host destination | any } [ [ icmp-type [ icmp-code ] ] | [ icmp-message ] ] [ time-range time-range-name ]
- Transmission Control Protocol (TCP)
[ sn ] permit tcp { source source-wildcard | host source | any } [ eq port | gt port | lt port | neq port | range lower upper ] { destination destination-wildcard | host destination | any } [ eq port | gt port | lt port | neq port | range lower upper ] [ time-range time-range-name ]
- User Datagram Protocol (UDP)
[ sn ] permit udp { source source-wildcard | host source | any } [ eq port | gt port | lt port | neq port | range lower upper ] { destination destination-wildcard | host destination | any } [ eq port | gt port | lt port | neq port | range lower upper ] [ time-range time-range-name ]

3. Extended IPv6 ACL
Use this command to add an extended IPv6 ACL.
Use the no form of this command to remove an extended IPv6 ACL.
[ sn ] permit protocol { source source-wildcard | host source | any } { destination destination-wildcard | host destination | any } [ flow-label flow-label ] [ time-range time-range-name ]
no { sn | { permit protocol { source source-wildcard | host source | any } { destination destination-wildcard | host destination | any } [ flow-label flow-label ] [ time-range time-range-name ] } }


Parameter Description
  Parameter               Description
  sn                      ACL entry sequence number.
  source                  Specify the source IP address (host address or network address).
  source-wildcard         Wildcard of the source IP address. It can be discontinuous, for example, 0.255.0.32.
  protocol                IP protocol number. It can be one of EIGRP, GRE, IPINIP, IGMP, NOS, OSPF, ICMP, UDP, TCP, and IP. It can also be a number representing the IP protocol between 0 and 255. The important protocols such as ICMP, TCP, and UDP are described separately.
  destination             Specify the destination IP address (host address or network address).
  destination-wildcard    Wildcard of the destination IP address. It can be discontinuous, for example, 0.255.0.32.
  precedence precedence   Specify the packet priority. Packet precedence value (0 to 7).
  eq port                 Port number, ranging from 0 to 65535, that is equal to the layer 4 port number.
  gt port                 Port number, ranging from 0 to 65535, that is larger than the layer 4 port number.
  lt port                 Port number, ranging from 0 to 65535, that is smaller than the layer 4 port number.
  neq port                Port number, ranging from 0 to 65535, that is not equal to the layer 4 port number.
  range                   Layer 4 port number range of the packet.
  lower                   Lower limit of the layer 4 port number.
  upper                   Upper limit of the layer 4 port number.
  time-range              Time range of packet filtering.
  time-range-name         Time range name of packet filtering.
  icmp-type               ICMP message type (0 to 255).
  icmp-code               ICMP message type code (0 to 255).
  icmp-message            ICMP message type name.
  flow-label flow-label   Flow label to be matched.

Defaults N/A

Command Mode ACL configuration mode.

Usage Guide Use this command to configure the permit conditions for the ACL in ACL configuration mode.

Configuration Examples This example shows how to use the extended IP ACL. The purpose is to permit the host with the IP address 192.168.4.12 to provide services through the TCP port 100 and to apply the ACL to interface gigabitethernet 1/1. The configuration procedure is as follows:
Ruijie(config)# ip access-list extended 102
Ruijie(config-ext-nacl)# permit tcp host 192.168.4.12 eq 100 any
Ruijie(config-ext-nacl)# end


Ruijie# show access-lists
ip access-list extended 102
10 permit tcp host 192.168.4.12 eq 100 any
Ruijie#configure terminal
Ruijie(config)#interface gigabitethernet 1/1
Ruijie(config-if)#ip access-group 102 in
Ruijie(config-if)#

This example shows how to use the standard IP ACL. The purpose is to permit the host with the IP address 192.168.4.12 and to apply the ACL to interface gigabitethernet 1/1. The configuration procedure is as follows:
Ruijie(config)#ip access-list standard std-acl
Ruijie(config-std-nacl)#permit host 192.168.4.12
Ruijie(config-std-nacl)#end
Ruijie# show access-lists
ip access-list standard std-acl
10 permit host 192.168.4.12
Ruijie#configure terminal
Ruijie(config)# interface gigabitethernet 1/1
Ruijie(config-if)# ip access-group std-acl in
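As an added illustration (not part of the command reference), the following Python models the matching semantics the permit syntax above describes: entries are checked in sequence-number order, the first match decides, wildcard masks may be discontinuous (0.255.0.32), ports are tested with eq/gt/lt/neq/range, and an unmatched packet falls to the implicit deny. The sample list and packets are constructed; entry 10 is the extended example shown above.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Callable, List, Optional, Tuple

PortTest = Optional[Callable[[int], bool]]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard means 'do not care'. Unlike a subnet mask the
    wildcard may be discontinuous: 0.255.0.32 ignores the whole second octet
    and only bit 5 of the last octet."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


def port_op(op: str, *args: int) -> PortTest:
    """Layer-4 port operators from the extended ACL syntax."""
    return {
        "eq": lambda p: p == args[0],
        "gt": lambda p: p > args[0],
        "lt": lambda p: p < args[0],
        "neq": lambda p: p != args[0],
        "range": lambda p: args[0] <= p <= args[1],
    }[op]


@dataclass
class Entry:
    sn: int                    # sequence number; the lowest sn is checked first
    action: str                # "permit" or "deny"
    protocol: str              # "ip" matches any IP protocol; else "tcp", "udp", "icmp", ...
    src: str
    src_wildcard: str
    dst: str
    dst_wildcard: str
    src_port: PortTest = None  # only meaningful for tcp/udp
    dst_port: PortTest = None


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    src_port: int = 0
    dst_port: int = 0


ANY = ("0.0.0.0", "255.255.255.255")   # the keyword "any"


def host(addr: str) -> Tuple[str, str]:
    return addr, "0.0.0.0"              # "host A" is "A 0.0.0.0"


def entry_matches(e: Entry, p: Packet) -> bool:
    return (
        (e.protocol == "ip" or e.protocol == p.protocol)
        and wildcard_match(p.src, e.src, e.src_wildcard)
        and wildcard_match(p.dst, e.dst, e.dst_wildcard)
        and (e.src_port is None or e.src_port(p.src_port))
        and (e.dst_port is None or e.dst_port(p.dst_port))
    )


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """The first matching entry in sn order decides; an unmatched packet hits
    the implicit deny at the end of every list (returned with sn None)."""
    for e in sorted(acl, key=lambda x: x.sn):
        if entry_matches(e, p):
            return e.action, e.sn
    return "deny", None


# Constructed list (entries deliberately given out of order):
#   10 permit tcp host 192.168.4.12 eq 100 any
#   20 deny udp any eq 53 any
#   30 permit ip 10.0.0.0 0.255.0.32 any
SAMPLE_ACL = [
    Entry(30, "permit", "ip", "10.0.0.0", "0.255.0.32", *ANY),
    Entry(10, "permit", "tcp", *host("192.168.4.12"), *ANY, src_port=port_op("eq", 100)),
    Entry(20, "deny", "udp", *ANY, *ANY, src_port=port_op("eq", 53)),
]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "192.168.4.12", "172.16.0.9", 100, 40000),
                Packet("udp", "10.77.0.32", "8.8.8.8", 53, 53),
                Packet("udp", "10.77.0.32", "8.8.8.8", 40000, 53),
                Packet("udp", "10.77.0.1", "8.8.8.8", 40000, 53)):
        print(pkt, "->", evaluate(SAMPLE_ACL, pkt))
```

Note that 10.77.0.32 matches entry 30 while 10.77.0.1 does not: the wildcard 0.255.0.32 cares about every bit of the last octet except bit 5.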

Related Commands
  Command              Description
  show access-lists    Displays all access lists.
  ipv6 traffic-filter  Applies the extended IPv6 access list to the interface.
  ip access-group      Applies the IP access list to the interface.
  ip access-list       Defines an IP access list.
  ipv6 access-list     Defines an extended IPv6 access list.
  deny                 Defines the deny access entry.

Platform Description N/A

remark

Use this command to write a helpful comment (remark) for an entry in the access list. Use the no
form of this command to remove the remark.
remark text
no remark

Parameter Description
  Parameter   Description
  text        Comment that describes the access entry.


Defaults The access entries have no remarks.

Command Mode ACL configuration mode.

Usage Guide Use this command to write a helpful comment for an access entry.
Up to 100 characters are allowed in the remark.
Two identical access entry remarks in one access list are not allowed.
Removing an access entry may delete its remark as well.

Configuration Examples The following example writes remarks for the entries in extended IP access list 102.
Ruijie(config)# ip access-list extended 102
Ruijie(config-ext-nacl)# remark first_remark
Ruijie(config-ext-nacl)# permit tcp 1.1.1.1 0.0.0.0 2.2.2.2 0.0.0.0
Ruijie(config-ext-nacl)# remark second_remark
Ruijie(config-ext-nacl)# permit tcp 3.3.3.3 0.0.0.0 4.4.4.4 0.0.0.0
Ruijie(config-ext-nacl)# end
Ruijie#

Related Commands
  Command            Description
  show access-lists  Displays all access lists.
  ip access-list     Defines an IP access list.

Platform Description N/A

show access-group

Use this command to display the access list applied to the interface.
show access-group [ interface interface-name ] | [ wlan wlan-id ]

Parameter Description
  Parameter                 Description
  interface interface-name  Interface name
  wlan wlan-id              WLAN ID

Defaults N/A

Command Mode Privileged EXEC mode


Usage Guide Use this command to display the access list configuration on the specified interface. If no interface is
specified, access list configuration on all interfaces is displayed.

Configuration Examples The following example displays the interfaces where access lists are applied and the directions of these lists.
Ruijie# show access-group
ip access-list standard ipstd3 in
Applied On interface GigabitEthernet 0/1.
ip access-list standard ipstd4 out
Applied On interface GigabitEthernet 0/2.
ip access-list extended 101 in
Applied On interface GigabitEthernet 0/3.
ip access-list extended 102 in
Applied On interface GigabitEthernet 0/8.

The following example displays whether any ACL is applied to the interface GigabitEthernet 0/3 and
the directions of the ACL.
Ruijie# show access-group interface GigabitEthernet 0/3
ip access-list extended 101
Applied On interface GigabitEthernet 0/3 in.

Related Commands
  Command               Description
  ip access-group       Applies the IP access list to the interface.
  mac access-group      Applies the MAC access list to the interface.
  expert access-group   Applies the expert access list to the interface.
  ipv6 traffic-filter   Applies the IPv6 access list to the interface.

Platform Description N/A

show access-lists

Use this command to display all access lists or the specified access list.
show access-lists [ id | name ] [ summary ]

Parameter Description
  Parameter   Description
  id          Access list number
  name        Name of the IP access list
  summary     Access list summary

Defaults N/A


Command Mode Global configuration mode

Usage Guide Use this command to display the specified access list. If no access list number or name is specified, all
the access lists are displayed.

Configuration Examples The following example displays the ACL named “n_acl”.
Ruijie# show access-lists n_acl
ip access-list standard n_acl
Ruijie# show access-lists 102
ip access-list extended 102

The following example displays the configurations of all ACLs.
Ruijie# show access-lists
ip access-list standard n_acl
ip access-list extended 2397
10 deny ospf any any
20 deny 112 any any
30 deny icmp any any
40 deny udp any eq domain any
50 deny tcp any any eq www
60 deny tcp any any eq 443
1000 permit ip any any
list-remark Local-Anti-attack

ipv6 access-list extended v6-acl
permit ipv6 ::192.168.4.12 any (100 matches)
deny any any (9 matches)

Related Commands
  Command            Description
ip access-list Defines an IP access list.
ipv6 access-list Defines an extended IPv6 access list.

Platform Description N/A

show ip access-group

Use this command to display the standard and extended IP access lists on the interface.
show ip access-group [ interface interface ] | [ wlan wlan-id ]

Parameter Description
  Parameter   Description
  interface   Interface name
  wlan-id     WLAN ID

Defaults N/A

Command Mode Privileged EXEC mode

Usage Guide Use this command to display the standard and extended IP access lists configured on the interface.
If no interface is specified, the standard and extended IP access lists on all interfaces are displayed.

Configuration Examples
Ruijie# show ip access-group interface gigabitethernet 0/1
ip access-group aaa in
Applied On interface GigabitEthernet 0/1.

Related Commands
  Command          Description
  ip access-list   Defines an IP access list.

Platform Description N/A

show ipv6 traffic-filter

Use this command to display the IPv6 access list on the interface.
show ipv6 traffic-filter [ interface interface-name ]

Parameter Description
  Parameter        Description
  interface-name   Interface name

Defaults N/A

Command Mode Privileged EXEC mode

Usage Guide Use this command to display the IPv6 access list configured on the interface. If no interface is
specified, the IPv6 access lists on all interfaces are displayed.

Configuration Examples
Ruijie# show ipv6 traffic-filter interface gigabitethernet 0/4
ipv6 access-group v6 in
Applied On interface GigabitEthernet 0/4.

Related Commands
  Command            Description
  ipv6 access-list   Defines an IPv6 access list.

Platform Description N/A

Command Reference RPL Commands

2 RPL Commands

reverse-path

Enable the RPL module.
reverse-path

Disable the RPL module.
no reverse-path

Restore the default settings.
default reverse-path

Parameter Description
  Parameter   Description
  N/A         N/A

Defaults By default, the RPL module is disabled.

Command Mode Interface configuration mode

Default Level 14

Usage Guide Run the reverse-path command to enable the RPL module on an interface so that it can return new
data flows along the same path where the data flows are sent. Use the no form of this command to
disable the RPL module. The command is only applicable to new data flows.

Configuration Example 1. Enable the RPL module.
Ruijie(config-if-GigabitEthernet 0/1)# reverse-path

2. Disable the RPL module.
Ruijie(config-if-GigabitEthernet 0/1)# no reverse-path

Verification Run the show running-config command to check whether the RPL module is enabled.

Command Reference REF-RNFP Commands

3 REF-RNFP Commands

acpp

Configure ACPP.
acpp bw-rate rate bw-burst-rate burst-rate [ log ]

Disable ACPP.
no acpp

Restore the default configuration.
default acpp

Parameter Description
  Parameter    Description
  rate         Indicates the rate limit. The unit is pps. The value ranges from 4050 to 999999.
  burst-rate   Indicates the burst rate limit. The unit is pps. The value ranges from the rate limit to 50 times the rate limit. The upper limit is 60000.
  log          Prints logs to the console.

Defaults ACPP is disabled.

Command Mode control-plane configuration mode. The function can be configured on the three sub-interfaces:
- Data sub-interface
- Manage sub-interface
- Protocol sub-interface

Default Level 14

Usage Guide To configure ACPP, run the acpp command in control-plane configuration mode.

Configuration Example 1. Set the rate of data traffic to 5000 pps and the allowable burst rate to 6000 pps.
Ruijie(config)# control-plane data
Ruijie(config-cp)# acpp bw-rate 5000 bw-burst-rate 6000

Verification 1. Run the show ef-rnfp acpp { data | manage | protocol } command to check whether ACPP is
enabled as well as the packet loss status.

Prompt 1. If no ACPP policy is configured on a sub-interface, when the no acpp or default acpp operation is
performed, a prompt will be displayed, indicating that the delete operation failed.
Ruijie(config)# control-plane manage


Ruijie(config-cp)# no acpp
EF-RNFP: delete acpp rule failed
Ruijie(config-cp)# default acpp
EF-RNFP: delete acpp rule failed

anti-arp-spoof

Configure ARP attack detection.
anti-arp-spoof [ scan arp-num ]

Disable ARP attack detection.
no anti-arp-spoof [ scan arp-num ]

Restore the default configuration.
default anti-arp-spoof [ scan arp-num ]

Parameter Description
  Parameter        Description
  anti-arp-spoof   Enables ARP attack detection.
  arp-num          Configures the ARP scanning value, ranging from 10 to 30 with the unit of pps. The default value is 20.

Defaults The function is disabled.

Command Mode control-plane configuration mode

Default Level 14

Usage Guide If ARP anti-attack is enabled and this command is configured, the device is capable of identifying ARP
spoofing. It considers that ARP spoofing occurs and adds the hosts to the ARP spoofing suspect list
in the event of the following cases: A host conducts ARP scanning on the entire network (more than
200 ARP request packets are transmitted within 10s); the MAC address of a host maps to multiple IP
addresses; the MAC address attempted to be updated based on an ARP request packet is different
from the existing MAC address.

Configuration Example 1. Enable ARP attack detection and set the ARP scanning threshold to 30.
Ruijie(config)# control-plane
Ruijie(config-cp)# anti-arp-spoof
Ruijie(config-cp)# anti-arp-spoof 30

Verification 1. Run the show ef-rnfp anti-arp-spoof command to check whether the function is enabled.
2. Run the show arp-suspect command to display the ARP spoofing suspect list.
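The three conditions the usage guide lists, worked through in an added Python example (not from the command reference): the scan threshold is arp-num pps counted over a 10 s window, so the default 20 pps gives the guide's 200 requests; a MAC address claiming more than one IP address and an ARP request that would change the MAC bound to an IP address are the other two triggers. The ARP records are constructed; the resulting (IP, MAC) pairs have the shape of the show arp-suspect output.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple


@dataclass(frozen=True)
class ArpRequest:
    ts: float          # arrival time in seconds
    sender_ip: str
    sender_mac: str


class ArpSpoofDetector:
    """Flags (ip, mac) pairs for the three cases in the usage guide: scanning,
    one MAC claiming several IPs, or a MAC change for an IP already bound."""

    WINDOW = 10.0      # seconds; the guide counts requests over 10 s

    def __init__(self, arp_num: int = 20):
        # arp-num is in pps; 20 pps over 10 s gives the guide's 200 requests
        self.scan_limit = arp_num * int(self.WINDOW)
        self._recent: Dict[str, Deque[float]] = defaultdict(deque)
        self._ips_by_mac: Dict[str, Set[str]] = defaultdict(set)
        self._mac_by_ip: Dict[str, str] = {}
        self.suspects: Dict[Tuple[str, str], str] = {}   # (ip, mac) -> reason

    def _flag(self, req: ArpRequest, reason: str) -> None:
        self.suspects.setdefault((req.sender_ip, req.sender_mac), reason)

    def observe(self, req: ArpRequest) -> None:
        # 1. Network scan: more than scan_limit requests from one MAC within WINDOW.
        recent = self._recent[req.sender_mac]
        recent.append(req.ts)
        while recent and req.ts - recent[0] > self.WINDOW:
            recent.popleft()
        if len(recent) > self.scan_limit:
            self._flag(req, "arp scan")
        # 2. One MAC address mapping to multiple IP addresses.
        ips = self._ips_by_mac[req.sender_mac]
        ips.add(req.sender_ip)
        if len(ips) > 1:
            self._flag(req, "mac maps to multiple ips")
        # 3. The request would change the MAC already bound to this IP.
        bound = self._mac_by_ip.setdefault(req.sender_ip, req.sender_mac)
        if bound != req.sender_mac:
            self._flag(req, "mac change for bound ip")

    def suspect_list(self) -> List[Tuple[str, str]]:
        """Same columns as show arp-suspect: IP address, MAC address."""
        return sorted(self.suspects)


def constructed_requests() -> List[ArpRequest]:
    """Constructed sample traffic (not captured from a device)."""
    reqs = [ArpRequest(0.5, "10.0.0.5", "00d0.1111.1111"),            # normal host
            ArpRequest(0.9, "10.0.0.5", "00d0.1111.1111")]
    reqs += [ArpRequest(1.0 + i * 0.04, "10.0.0.9", "00d0.2222.2222")  # 201 requests in 8 s
             for i in range(201)]
    reqs += [ArpRequest(12.0, "10.0.0.20", "00d0.3333.3333"),           # one MAC, two IPs
             ArpRequest(12.1, "10.0.0.21", "00d0.3333.3333")]
    reqs += [ArpRequest(15.0, "10.0.0.5", "00d0.4444.4444")]            # new MAC for 10.0.0.5
    return reqs


def detect(requests: List[ArpRequest], arp_num: int = 20) -> Dict[Tuple[str, str], str]:
    det = ArpSpoofDetector(arp_num)
    for r in requests:
        det.observe(r)
    return det.suspects


if __name__ == "__main__":
    for ip, mac in ArpSpoofDetector and sorted(detect(constructed_requests())):
        print(f"{ip:<16}{mac}")
```

With the page's example value of 30 pps the same 201 requests stay below the 300-per-10 s limit, so only the two binding anomalies are reported.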


Platform Description

arp-car

Configure ARP-CAR.
arp-car packet_rate_per_group [ log ]

Disable ARP-CAR.
no arp-car

Restore the default configuration.
default arp-car

Parameter Description
  Parameter               Description
  packet_rate_per_group   Indicates the ARP-CAR rate limit value. The unit is pps. The value ranges from 1 to 20.
  log                     Prints logs to the console.

Defaults ARP-CAR is disabled.

Command Mode control-plane configuration mode. The function can be configured only on the manage sub-interface.

Default Level 14

Usage Guide To configure ARP-CAR to limit the rate of received ARP packets, run the arp-car command in control-plane configuration mode.

Configuration Example 1. Limit the rate to 10 pps on the manage sub-interface for ARP traffic initiated by users (sources) who are in the same group according to the hash algorithm.
Ruijie(config)# control-plane manage
Ruijie(config-cp)# arp-car 10

Verification 1. Run the show ef-rnfp arp-car command to check whether ARP-CAR is enabled as well as the
packet loss status.

Prompt 1. If no Glean-CAR policy is configured on the data sub-interface, when the no or default operation is
performed, a prompt will be displayed, indicating that the delete operation failed.
Ruijie(config)# control-plane data
Ruijie(config-cp)# no glean-car
EF-RNFP: delete glean-car rule failed
Ruijie(config-cp)# default glean-car


EF-RNFP: delete glean-car rule failed

attack threshold

Configure the attack confirmation threshold.
attack threshold drop-num

Delete the attack confirmation threshold.
no attack threshold

Restore the default configuration.
default attack threshold

Parameter Description
  Parameter   Description
  drop-num    Indicates the packet loss rate threshold for judging whether an attack occurs. The value ranges from 100 pps to 100,000 pps.

Defaults The attack threshold is 500 pps.

Command Mode control-plane configuration mode

Default Level 14

Usage Guide When the packet loss per second reaches this value, the device considers that attacks occur on the
network. If the network environment is complicated, set this threshold to a larger value.

Configuration Example 1. Set the attack judgment threshold to 1000.
Ruijie(config)# control-plane
Ruijie(config-cp)# attack threshold 1000

Verification 1. Run the show run command to display the attack threshold.

clear attack-info history

Clear historical attack records.
clear attack-info history

Parameter
Parameter Description
Description
history Indicates historical attack records.


Defaults N/A

Command Mode Privileged EXEC mode

Default Level 14

Configuration Example 1. Clear the history.
Ruijie# clear attack-info history

Verification 1. Run the show attack-info history command to display the attack history.

Prompt The following prompt is displayed if the history is cleared successfully.
Ruijie# clear attack-info history
The history attack record has been cleared!

control-plane

Enter the control-plane configuration mode.
control-plane [ protocol | manage | data ]

Parameter Description
  Parameter   Description
  protocol    Enters the protocol sub-interface.
  manage      Enters the manage sub-interface.
  data        Enters the data sub-interface.
  N/A         Configure local anti-attack parameters globally.

Defaults N/A

Command Mode Global configuration mode

Default Level 14

Usage Guide Different rules need to be configured on different sub-interfaces. Therefore, you need to enter a
specific sub-interface to configure different rate limit rules.

Configuration Example 1. Enter the protocol sub-interface.
Ruijie(config)# control-plane protocol
Ruijie(config-cp)#


ef-rnfp enable

Enable local anti-attack.
ef-rnfp enable

Disable local anti-attack.
no ef-rnfp enable

Restore the default configuration.
default ef-rnfp enable

Parameter Description
  Parameter   Description
  enable      Indicates the function switch.

Defaults The function is disabled.

Command Mode control-plane configuration mode

Default Level 14

Usage Guide To enable device anti-attack, run the ef-rnfp enable command. The anti-attack function is enabled
only after this command is run.
If no policy is configured on all sub-interfaces, the system automatically generates the default rate limit
policy.

Configuration Example 1. Enable the anti-attack function.
Ruijie(config)# control-plane
Ruijie(config-cp)# ef-rnfp enable

Verification 1. Run the show run command to check whether the local anti-attack is enabled.

glean-car

Configure Glean-CAR.
glean-car packet_rate_per_group [ log ]

Disable Glean-CAR.
no glean-car

Restore the default configuration.
default glean-car


Parameter Description
  Parameter               Description
  packet_rate_per_group   Indicates the Glean-CAR rate limit value. The unit is pps.
  log                     Prints logs to the console.

Defaults Glean-CAR is disabled.

Command Mode control-plane configuration mode. The function can be configured only on the data sub-interface.

Default Level 14

Usage Guide To configure Glean-CAR to limit the rate of traffic that matches a directly connected route after routing but whose destination IP address is not yet resolved, run the glean-car command in control-plane configuration mode.

Configuration Example 1. Set the rate limit to 10 pps for traffic that is initiated by users (sources) who are in the same group according to the hash algorithm and that matches the Glean adjacency.
Ruijie(config)# control-plane data
Ruijie(config-cp)# glean-car 10

Verification Run the show ef-rnfp glean-car command to check whether Glean-CAR is enabled as well as the packet loss status.

Prompt 1. If no Glean-CAR policy is configured on the data sub-interface, when the no or default operation is performed, a prompt will be displayed, indicating that the delete operation failed.
Ruijie(config)# control-plane data
Ruijie(config-cp)# no glean-car
EF-RNFP: delete glean-car rule failed
Ruijie(config-cp)# default glean-car
EF-RNFP: delete glean-car rule failed

management-interface

Configure Management Plane Protection (MPP).
management-interface interface allow { ftp | http | ssh | snmp | telnet | tftp } [ log ]

Disable MPP on an interface.
no management-interface interface

Restore the default configuration.
default management-interface


Parameter Description
  Parameter   Description
  interface   Specifies the management interface.
  ftp         Specifies the management interfaces that accept FTP.
  http        Specifies the management interfaces that accept HTTP.
  ssh         Specifies the management interfaces that accept SSH.
  snmp        Specifies the management interfaces that accept SNMP.
  telnet      Specifies the management interfaces that accept Telnet.
  tftp        Specifies the management interfaces that accept TFTP.
  log         Prints logs to the console.

Defaults The MPP function is disabled.

Command Mode control-plane configuration mode. The function can be configured only on the manage sub-interface.

Default Level 14

Usage Guide MPP allows administrators to specify one or multiple interfaces as the inband management interfaces
(receiving management packets and forwarding normal services). After MPP is enabled, only specified
inband management interfaces are allowed to receive management packets of a specified protocol.
To configure MPP, run the management-interface command in control-plane configuration mode.

Configuration Example 1. Specify port Gi0/0 as the inband management interface, and allow only this interface to receive Telnet and SNMP protocol packets.
Ruijie(config)# control-plane manage
Ruijie(config-cp)# management-interface gi 0/0 allow snmp telnet

Verification 1. Run the show ef-rnfp mpp command to check whether MPP is enabled or disabled as well as the
packet loss status.

Prompt 1. If no MPP policy is configured on the manage sub-interface, when the no operation is performed, a
prompt will be displayed, indicating that the delete operation failed.
Ruijie(config)# control-plane manage
Ruijie(config-cp)# no management-interface gi 0/1
EF-RNFP: delete mpp rule failed

port-filter

Configure Port-Filter.
port-filter [ log ]

Disable Port-Filter.
no port-filter


Restore the default configuration.
default port-filter

Parameter Description
  Parameter     Description
  port-filter   Enables Port-Filter.
  log           Prints logs to the console.

Defaults Port-Filter is disabled.

Command Mode control-plane configuration mode. The function can be configured only on the manage sub-interface.

Default Level 14

Usage Guide The Port-Filter function can filter out local illegitimate transport-layer packets, of which the destination
port is not enabled locally. To configure Port-Filter, run the port-filter command in control-plane
configuration mode.

Configuration Example 1. Enable the Port-Filter function on the manage sub-interface:
Ruijie(config)# control-plane manage
Ruijie(config-cp)# port-filter

Verification 1. Run the show ef-rnfp port-filter command to check whether Port-Filter is enabled as well as the
packet loss status.

Prompt 1. If no Port-Filter policy is configured on the data sub-interface, when the no or default operation is
performed, a prompt will be displayed, indicating that the delete operation failed.
Ruijie(config)# control-plane manage
Ruijie(config-cp)# no port-filter
EF-RNFP: delete port-filter rule failed
Ruijie(config-cp)# default port-filter
EF-RNFP: delete port-filter rule failed

scpp

Configure SCPP to differentiate traffic and rate-limit each type of traffic according to policies: connection limit, semi-connection control, and traffic bandwidth limit.
scpp list acl_no { [ bw-rate rate bw-burst-rate burst-rate ] [ conn-create-rate create-rate conn-create-burst-rate create-burst-rate ] [ conn-total num ] } [ log ]

Disable SCPP.
no scpp list acl_no


Restore the default configuration.
default scpp

Parameter Description
  Parameter                                                            Description
  acl_no                                                               Indicates the match policy. Matched traffic is differentiated and its rate is limited.
  bw-rate rate bw-burst-rate burst-rate                                Configures the rate limit and burst rate limit. The unit is pps.
  conn-create-rate create-rate conn-create-burst-rate create-burst-rate  Configures the new connection rate and the burst new connection rate.
  conn-total num                                                       Configures the allowable total number of connections.
  log                                                                  Indicates whether logs are recorded.

Defaults The SCPP function is disabled.

Command Mode control-plane configuration mode. The function can be configured on the three sub-interfaces:
- Data sub-interface
- Manage sub-interface
- Protocol sub-interface

Default Level 14

Usage Guide N/A

Configuration Example On the manage sub-interface, for TCP packet traffic initiated from the 192.168.52.0 network segment to the local manage sub-interface, set the rate limit to 100 pps, the allowable burst rate limit to 150 pps, the allowable total number of connections to 30, the number of new connections per second to 5, and the number of burst new connections per second to 7.
Ruijie(config)# access-list 100 permit tcp 192.168.52.0 0.0.0.255 any
Ruijie(config)# control-plane manage
Ruijie(config-cp)# scpp list 100 bw-rate 100 bw-burst-rate 150 conn-create-rate 5 conn-create-burst-rate 7 conn-total 30

Verification 1. Run the show ef-rnfp scpp manage command to check whether SCPP is enabled on the manage
sub-interface as well as the packet loss status.

Prompt 1. If no SCPP policy for the Access Control List (ACL) is configured on the sub-interface, an error will
be displayed during deletion.
Ruijie(config)# control-plane manage
Ruijie(config-cp)# no scpp list 200


EF-RNFP: delete scpp rule failed

Common Errors

security deny

Forbid users to telnet to the device and access the Web page of the device.
security deny { { lan | wan } { tcp | udp } port port-number [ comment comment-string ] | lan-ping | lan-snmp | lan-ssh | lan-telnet | lan-web | vpn-telnet-ssh-web | wan-ping | wan-snmp | wan-ssh | wan-telnet | wan-web }

Disable the function.
no security deny { { lan | wan } { tcp | udp } port port-number [ comment comment-string ] | lan-ping | lan-snmp | lan-ssh | lan-telnet | lan-web | vpn-telnet-ssh-web | wan-ping | wan-snmp | wan-ssh | wan-telnet | wan-web }

Restore the default configuration.
default security deny { { lan | wan } { tcp | udp } port port-number [ comment comment-string ] | lan-ping | lan-snmp | lan-ssh | lan-telnet | lan-web | vpn-telnet-ssh-web | wan-ping | wan-snmp | wan-ssh | wan-telnet | wan-web }

Parameter Description
  Parameter                Description
  lan                      Forbids intranet users to access the TCP or UDP ports of the device.
  wan                      Forbids extranet users to access the TCP or UDP ports of the device.
  tcp                      Forbids users to access the TCP port of the device.
  udp                      Forbids users to access the UDP port of the device.
  port port-number         Forbids users to access ports numbered from 1 to 65535.
  comment comment-string   Adds a remark.
  lan-ping                 Forbids intranet users to ping the device.
  lan-web                  Forbids intranet users to access the Web page of the device.
  wan-ping                 Forbids extranet users to ping the device.
  wan-web                  Forbids extranet users to access the Web page of the device.
  lan-telnet               Forbids intranet users to telnet to the device.
  lan-ssh                  Forbids intranet users to log in to the device in SSH mode.
  lan-snmp                 Forbids the intranet server to manage the device over SNMP.
  wan-telnet               Forbids extranet users to telnet to the device.
  wan-ssh                  Forbids extranet users to log in to the device in SSH mode.
  wan-snmp                 Forbids the extranet server to manage the device over SNMP.
  vpn-telnet-ssh-web       Forbids VPN users to telnet to the device, log in to the device in SSH mode, or access the device via the Web page.


Defaults The function is disabled.

Command Mode control-plane configuration mode

Default Level 14

Usage Guide For common Ping and Web attack behaviors in the network, the function forbids intranet/extranet users
to ping the device or access the Web page of the device, with no need to use ACLs, delivering great
flexibility and convenience. The no option in this command can be used to delete related configuration.

Configuration Example 1. Forbid intranet PCs to ping the device.
Ruijie(config)# control-plane
Ruijie(config-cp)# security deny lan-ping

2. Forbid intranet PCs to log in to the Web page of the device.
Ruijie(config)# control-plane
Ruijie(config-cp)# security deny lan-web

3. Forbid the intranet server to manage the device over SNMP.
Ruijie(config)# control-plane
Ruijie(config-cp)# security deny lan-snmp

4. Forbid intranet PCs to telnet to the device.
Ruijie(config)# control-plane
Ruijie(config-cp)# security deny lan-telnet

Verification 1. Run the show run command to display the related configuration.

Platform Description N/A

security web permit

Configure whitelisted users.
security web permit low-ip-address [ high-ip-address ]

Delete whitelisted users.
no security web permit low-ip-address [ high-ip-address ]

Restore the default configuration.
default security web permit low-ip-address [ high-ip-address ]


Parameter Description
  Parameter         Description
  low-ip-address    Indicates the allowable IP address or the start IP address of the allowable IP address range.
  high-ip-address   Indicates the end IP address of the allowable IP address range.

Defaults The function is disabled.

Command Mode control-plane configuration mode

Default Level 14

Usage Guide If a user configures security deny to deny Web access but needs to allow some specified IP addresses
to access the Web page of the device, the user can run this command to add allowable IP addresses
to the web permit IP whitelist. This command specifies the IP addresses that are allowed to access
the Web page of the device (regardless of the local anti-attack rate limit and deny command).

Configuration Example 1. Configure the IP address range 192.168.1.2-192.168.1.100 as whitelisted users.
Ruijie(config)# control-plane
Ruijie(config-cp)# security web permit 192.168.1.2 192.168.1.100

Verification 1. Run the show ef-rnfp web-permit-ip command to display the configured whitelisted users.

show arp-suspect

Display the ARP spoofing suspect list.
show arp-suspect

Parameter Description
  Parameter     Description
  arp-suspect   Displays the hosts added to the ARP spoofing suspect list.

Command Mode Privileged EXEC mode, global configuration mode, interface configuration mode

Default Level 14

Usage Guide Run this command to display the list of ARP spoofing suspects detected by the device.

Configuration Example 1. Display the list of ARP spoofing suspects detected by the device.
Ruijie# show arp-suspect
IP address      MAC address
1.1.1.1         00d0.1234.5678


Field description:
Field Description
IP address Indicates the IP address of an ARP spoofing suspect.
MAC address Indicates the MAC address of an ARP spoofing suspect.

Prompt N/A

show attack-info

Display attack information about the device.
show attack-info { current | history }

Parameter Description
  Parameter   Description
  current     Displays current attack information about the system.
  history     Displays historical attack information about the system.

Command Mode Privileged EXEC mode, global configuration mode, interface configuration mode

Default Level 14

Usage Guide Run this command to check whether the device is being attacked as well as the attack history.

Configuration Example 1. Display attack information about the device.
Ruijie# show attack-info history
System attack record at 1970-1-5 15:37:4, System in attack 8s
ALL: 1514 packets, 141600 bytes
PROTOCOL packets bytes
ARP 2 120
UDP 1512 141480
TOP4 IP attack:
IP packets bytes interface
172.18.3.58 1500 138000 Gi0/1
100.100.100.73 10 2982 Gi0/1
10.10.3.1 2 120 Gi0/1
172.18.3.81 2 498 Gi0/1

System attack record at 1970-1-5 15:30:10, System in attack 6s
ALL: 259 packets, 25015 bytes
PROTOCOL packets bytes
ARP 3 180
UDP 256 24835
TOP4 IP attack:


IP packets bytes interface
172.18.3.69 250 23000 Gi0/1
100.100.100.73 4 1291 Gi0/1
172.18.3.110 3 180 Gi0/1
172.18.3.22 2 544 Gi0/1
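An added Python model (not from the command reference) that ties the REF-RNFP commands above together: acpp bw-rate/bw-burst-rate treated as a token bucket in pps, attack threshold as a drops-per-second limit, and a record in the shape of this show attack-info history output (duration in seconds, per-protocol totals, TOP4 source IP addresses with ingress interface). The traffic, rates and threshold are constructed, and the token bucket is an assumption about how the policer behaves; the device's internal algorithm is not documented here.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Pkt:
    ts: float        # arrival time in seconds
    proto: str       # "ARP", "UDP", "TCP", ...
    src: str         # source IP address
    size: int        # bytes
    iface: str       # ingress interface


class TokenBucket:
    """acpp bw-rate RATE bw-burst-rate BURST (assumed semantics): tokens refill
    at RATE per second and the bucket holds at most BURST, so BURST bounds a burst."""

    def __init__(self, rate: int, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens, self.last_ts = float(burst), 0.0

    def admit(self, ts: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (ts - self.last_ts) * self.rate)
        self.last_ts = ts
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class AttackRecord:                              # one show attack-info history entry
    start_s: int
    duration_s: int
    packets: int
    bytes: int
    per_proto: Dict[str, Tuple[int, int]]        # proto -> (packets, bytes)
    top4_ip: List[Tuple[str, int, int, str]]     # (ip, packets, bytes, iface)


class ControlPlane:
    def __init__(self, rate: int, burst: int, attack_threshold: int = 500):
        self.bucket = TokenBucket(rate, burst)
        self.threshold = attack_threshold        # attack threshold drop-num, in pps
        self.drops: Dict[int, List[Pkt]] = defaultdict(list)   # second -> dropped packets
        self.admitted = 0

    def receive(self, p: Pkt) -> bool:
        if self.bucket.admit(p.ts):
            self.admitted += 1
            return True
        self.drops[int(p.ts)].append(p)
        return False

    def attack_history(self) -> List[AttackRecord]:
        """A second whose drops reach the threshold is an attack second; a run of
        consecutive attack seconds is reported as one record."""
        secs = sorted(s for s, d in self.drops.items() if len(d) >= self.threshold)
        records: List[AttackRecord] = []
        run: List[int] = []
        for s in secs:
            if run and s != run[-1] + 1:
                records.append(self._summarise(run))
                run = []
            run.append(s)
        if run:
            records.append(self._summarise(run))
        return records

    def _summarise(self, secs: List[int]) -> AttackRecord:
        pkts = [p for s in secs for p in self.drops[s]]
        n_pr, b_pr, n_ip, b_ip, iface = Counter(), Counter(), Counter(), Counter(), {}
        for p in pkts:
            n_pr[p.proto] += 1
            b_pr[p.proto] += p.size
            n_ip[p.src] += 1
            b_ip[p.src] += p.size
            iface[p.src] = p.iface
        top4 = [(ip, n, b_ip[ip], iface[ip]) for ip, n in n_ip.most_common(4)]
        return AttackRecord(secs[0], len(secs), len(pkts), sum(b_pr.values()),
                            {k: (n_pr[k], b_pr[k]) for k in n_pr}, top4)


def constructed_traffic() -> List[Pkt]:
    """Constructed sample: 80 pps of normal UDP for 2 s, then a 3 s flood from four sources."""
    pkts = [Pkt(s + i / 80, "UDP", "10.10.3.1", 92, "Gi0/1")
            for s in range(2) for i in range(80)]
    flood = [("172.18.3.58", 900), ("100.100.100.73", 50),
             ("172.18.3.81", 30), ("172.18.3.22", 20)]
    pkts += [Pkt(s + i / pps, "UDP", src, 92, "Gi0/1")
             for s in range(2, 5) for src, pps in flood for i in range(pps)]
    return sorted(pkts, key=lambda p: p.ts)


def run_sample(threshold: int = 50) -> Tuple[ControlPlane, List[AttackRecord]]:
    """Police the sample at bw-rate 100 / bw-burst-rate 150 pps (constructed values)."""
    cp = ControlPlane(rate=100, burst=150, attack_threshold=threshold)
    for p in constructed_traffic():
        cp.receive(p)
    return cp, cp.attack_history()
```

Raising the threshold far above the observed drop rate (run_sample(5000)) yields no record at all, which is the trade-off the attack threshold usage guide describes for noisy networks.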

show ef-rnfp

Display information about local anti-attack.
show ef-rnfp { acpp { data | manage | protocol } | scpp { data | manage | protocol } | glean-car | arp-car | port-filter | mpp | all | web-permit-ip | anti-arp-spoof }

Parameter
Parameter Description
Description
acpp Displays ACPP configuration and packet loss status.
data Displays packet loss status of the data sub-interface.
manage Displays packet loss status of the manage sub-interface.
protocol Displays packet loss status of the protocol sub-interface.
scpp Displays SCPP configuration and packet loss status.
glean-car Displays Glean-CAR configuration and packet loss status.
port-filter Displays Port-Filter configuration and packet loss status.
mpp Displays MPP configuration and packet loss status.
all Displays the ACPP, SCPP, Glean-CAR, Port-Filter, and MPP
configuration and packet loss status on the three sub-interfaces.
web-permit-ip Displays the local anti-attack whitelist.
anti-arp-spoof Displays the configuration for ARP spoofing suspect detection.

Command Privileged EXEC mode, global configuration mode, interface configuration mode
Mode

Default Level 14

Usage Guide Run this command to display the packet loss status and configuration.

Configuration 1. Display the ARP-CAR packet loss information.


Example Ruijie# show ef-rnfp arp-car
ARP CAR information:
Manage subinterface: enable
RULE:
allow packet rate per source: 10(pps)
log: off
STATISTIC:
dropped 17000657 packets

3-15
Command Reference REF-RNFP Commands

Field description:
Field Description
enable Enables the function.
allow packet rate per source: x(pps) Indicates that the allowable ARP rate of each
source IP address is x.
log Indicates whether logs are recorded.
dropped xxx packets Indicates the number of lost packets.


4 SSH Commands

crypto key generate

Use this command to generate a public key to the SSH server.

crypto key generate { rsa | dsa | ecc }

Parameter Description:
rsa    Generates an RSA key.
dsa    Generates a DSA key.
ecc    Generates an ECC key.

Defaults: By default, the SSH server does not generate a public key.

Command Mode: Global configuration mode

Usage Guide: When you need to enable the SSH server service, use this command to generate a public key on the SSH server and, at the same time, enable the SSH server service with the enable service ssh-server command. SSH 1 uses the RSA key; SSH 2 uses the RSA or DSA key. Therefore, if an RSA key has been generated, both SSH1 and SSH2 can use it. If only a DSA key is generated, only SSH2 can use it.

Note: Only DSA/RSA authentication is available for one connection. Also, the key algorithm may differ between clients. Thus, it is recommended to generate both RSA and DSA keys so as to ensure connection with the portal server.

Note: RSA has a minimum modulus of 512 bits and a maximum modulus of 2,048 bits; DSA has a minimum modulus of 360 bits and a maximum modulus of 2,048 bits. Some clients, such as SCP clients, require a key of 768 bits or more. Thus, it is recommended to generate a key of 768 bits or more.

Note: The size of an ECC host key is 256, 384 or 512 bits. It is 512 bits by default.

Note: A key can be deleted by using the no crypto key generate command. The no crypto key zeroize command is not available.

Configuration Examples: The following example generates an RSA key to the SSH server.
Ruijie# configure terminal
Ruijie(config)# crypto key generate rsa

Related Commands:
show ip ssh                         Displays the current status of the SSH server.
crypto key zeroize { rsa | dsa }    Deletes DSA and RSA keys and disables the SSH server function.

Platform Description: N/A

crypto key zeroize

Use this command to delete a public key to the SSH server.

crypto key zeroize { rsa | dsa | ecc }

Parameter Description:
rsa    Deletes the RSA key.
dsa    Deletes the DSA key.
ecc    Deletes the ECC key.

Defaults: N/A

Command Mode: Global configuration mode

Usage Guide: This command deletes the public key to the SSH server. After the key is deleted, the SSH server state becomes DISABLE. If you want to disable the SSH server, run the no enable service ssh-server command.

Configuration Examples: The following example deletes an RSA key to the SSH server.
Ruijie# configure terminal
Ruijie(config)# crypto key zeroize rsa

Related Commands:
show ip ssh                          Displays the current status of the SSH server.
crypto key generate { rsa | dsa }    Generates DSA and RSA keys.

Platform Description: N/A

disconnect ssh

Use this command to disconnect the established SSH connection.

disconnect ssh [ vty ] session-id

Parameter Description:
vty           Established VTY connection
session-id    ID of the established SSH connection, in the range from 0 to 35

Defaults: N/A

Command Mode: Privileged EXEC mode

Usage Guide: You can disconnect an SSH connection by entering the ID of the SSH connection, or by entering the ID of the VTY connection that carries it. Only connections of the SSH type can be disconnected.

Configuration Examples: The following example disconnects the established SSH connection by specifying the SSH session ID.
Ruijie# disconnect ssh 1
The following example disconnects the established SSH connection by specifying the VTY session ID.
Ruijie# disconnect ssh vty 1

Related Commands:
show ssh                      Displays the information about the established SSH connection.
clear line vty line_number    Disconnects the current VTY connection.

Platform Description: N/A

ip scp server enable

Use this command to enable the SCP server function on a network device.
Use the no form of this command to restore the default setting.
ip scp server enable
no ip scp server enable

Parameter Description: N/A

Defaults: This function is disabled by default.

Command Mode: Global configuration mode

Usage Guide: Secure Copy (SCP) enables an authenticated user to transfer files to or from a remote device over an encrypted channel, providing both high security and reliable delivery.

Configuration Examples: The following example enables the SCP server function.
Ruijie# configure terminal
Ruijie(config)# ip scp server enable

Related Commands:
show ip ssh    Displays the current status of the SSH server.

Platform Description: N/A

ip scp server topdir

Use this command to configure the transmission path for uploading files to or downloading files from the SCP server.
ip scp server topdir { flash:/path | sata0:/path | tmp:/path | usb0:/path | usb1:/path }

Use the no form of this command to restore the file transmission path of the SCP server to the default.
no ip scp server topdir

Parameter Description:
flash:    Selects the file transmission path from the extended flash space. The default transmission path for file upload and download is flash:/.
sata0:    Selects the file transmission path from the hard disk. This option is supported only when the device has the Serial Advanced Technology Attachment (SATA) partition.
tmp:      Sets the file transmission path to tmp/vsd/.
usb0:     Selects the file transmission path from Universal Serial Bus (USB) disk 0. This option is supported only when the device has one USB port with an extended USB flash drive inserted.
usb1:     Selects the file transmission path from Universal Serial Bus (USB) disk 1. This option is supported only when the device has two USB ports with two extended USB flash drives inserted.

Defaults: The default transmission path for file upload and download is flash:/.

Command Mode: Global configuration mode

Usage Guide: This command is used to configure the transmission path for uploading and downloading files.

Configuration Examples: The following example sets the transmission path tmp:/dir for uploading files to and downloading files from the SCP server.
Ruijie# configure terminal
Ruijie(config)# ip scp server topdir tmp:/dir

Platform Description: For the NBR6120-E, NBR6205-E, NBR6205-E V2, NBR6210-E, NBR6210-E V2, and NBR6215-E, no SATA hard drive is configured upon delivery. For the NBR6205-E, NBR6205-E V2, NBR6210-E, NBR6210-E V2, and NBR6215-E, SATA hard drives can be separately purchased and installed.

ip ssh access-class

Use this command to set the ACL filtering of the SSH server.
ip ssh access-class { access-list-number | access-list-name }

Use the no form of this command to delete the ACL filtering of the SSH server.
no ip ssh access-class

Parameter Description:
access-list-number    The ACL number; the number range is configurable. The standard ACL number ranges are 1 to 99 and 1,300 to 1,999. The extended ACL number ranges are 100 to 199 and 2,000 to 2,699.
access-list-name      An ACL name.

Defaults: N/A

Command Mode: Global configuration mode

Usage Guide: Run this command to perform ACL filtering for all connections to the SSH server. In line mode, ACL filtering is performed only for specific lines, whereas the ACL filtering rules set with this command apply to all SSH connections.

Configuration Examples: The following example applies the ACL named testv4 to all connections to the SSH server.
Ruijie# configure terminal
Ruijie(config)# ip ssh access-class testv4

Platform Description: For the NBR6120-E, NBR6205-E, NBR6205-E V2, NBR6210-E, NBR6210-E V2, and NBR6215-E, no SATA hard drive is configured upon delivery. For the NBR6205-E, NBR6205-E V2, NBR6210-E, NBR6210-E V2, and NBR6215-E, SATA hard drives can be separately purchased and installed.

ip ssh authentication-retries

Use this command to set the authentication retry times of the SSH server.
Use the no form of this command to restore the default setting.
ip ssh authentication-retries retry-times
no ip ssh authentication-retries

Parameter Description:
retry-times    Authentication retry times, ranging from 0 to 5

Defaults: The default is 3.

Command Mode: Global configuration mode

Usage Guide: User authentication is considered failed if it has not succeeded by the time the configured number of authentication retries on the SSH server is exceeded. Use the show ip ssh command to display the configuration of the SSH server.

Configuration Examples: The following example sets the authentication retry times to 2.
Ruijie# configure terminal
Ruijie(config)# ip ssh authentication-retries 2

Related Commands:
show ip ssh    Displays the current status of the SSH server.

Platform Description: N/A

ip ssh cipher-mode

Use this command to set the SSH server encryption mode.
Use the no form of this command to restore the default setting.
ip ssh cipher-mode { cbc | ctr | others }
no ip ssh cipher-mode

Parameter Description:
cbc       Encryption mode: CBC (Cipher Block Chaining). Encryption algorithms: DES-CBC, 3DES-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC, Blowfish-CBC
ctr       Encryption mode: CTR (Counter). Encryption algorithms: AES128-CTR, AES192-CTR, AES256-CTR
others    Encryption mode: Others. Encryption algorithm: RC4

Defaults: All encryption modes are supported by default.

Command Mode: Global configuration mode

Usage Guide: This command is used to set the SSH server encryption mode.
For Ruijie Networks, the SSHv1 server supports DES-CBC, 3DES-CBC, and Blowfish-CBC; the SSHv2 server supports AES128-CTR, AES192-CTR, AES256-CTR, DES-CBC, 3DES-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC, Blowfish-CBC, and RC4. All these algorithms are grouped into the CBC, CTR and Others modes as shown above.
As cryptanalysis has advanced, the CBC and Others encryption modes have been shown to be easy to break. Enabling the CTR mode is recommended for organizations and enterprises that demand high security.

Configuration Examples: The following example enables the CTR encryption mode.
Ruijie# configure terminal
Ruijie(config)# ip ssh cipher-mode ctr

Platform Description: N/A

ip ssh dh-exchange min-len

Use this command to configure the minimum length of the SSH server key exchange algorithm. Use the no form of this command to restore the default setting.
ip ssh dh-exchange min-len { 1024 | 2048 }
no ip ssh dh-exchange min-len

Parameter Description:
1024    The minimum length is 1024 bytes.
2048    The minimum length is 2048 bytes.

Defaults: The minimum length is 2048 bytes by default.

Command Mode: Global configuration mode

Usage Guide: Run the command to configure the minimum length of the SSH server key exchange algorithm.

Configuration Examples: The following example sets the minimum length of the SSH server key exchange algorithm to 1024 bytes.
Ruijie# configure terminal
Ruijie(config)# ip ssh dh-exchange min-len 1024

Verification: Run the show ip ssh command to display the minimum length of the SSH server key exchange algorithm.

Platform Description: N/A

4-7
Command Reference SSH Commands

ip ssh hmac-algorithm

Use this command to set the algorithm for message authentication.
Use the no form of this command to restore the default setting.
ip ssh hmac-algorithm { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 }
no ip ssh hmac-algorithm

Parameter Description:
md5         MD5 algorithm
md5-96      MD5-96 algorithm
sha1        SHA1 algorithm
sha1-96     SHA1-96 algorithm
sha2-256    SHA2-256 algorithm
sha2-512    SHA2-512 algorithm

Defaults: SSHv1: none of the algorithms is supported. SSHv2: all the algorithms are supported.

Command Mode: Global configuration mode

Usage Guide: For Ruijie Networks, the SSHv1 server does not support message authentication algorithms; the SSHv2 server supports the MD5, MD5-96, SHA1, and SHA1-96 algorithms. Set the algorithm according to your needs.

Configuration Examples: The following example sets the algorithm for message authentication to SHA1.
Ruijie# configure terminal
Ruijie(config)# ip ssh hmac-algorithm sha1

Platform Description: N/A

ip ssh key-exchange

Use this command to configure support for a DH key exchange method on the SSH server.
Use the no form of this command to restore the default setting.
ip ssh key-exchange { dh_group_exchange_sha1 | dh_group14_sha1 | dh_group1_sha1 }
no ip ssh key-exchange

Parameter Description:
dh_group_exchange_sha1    Configures diffie-hellman-group-exchange-sha1 for key exchange. The key has 2,048 bytes, which cannot be edited.
dh_group14_sha1           Configures diffie-hellman-group14-sha1 for key exchange. The key has 2,048 bytes.
dh_group1_sha1            Configures diffie-hellman-group1-sha1 for key exchange. The key has 1,024 bytes.
ecdh_sha2_nistp256        Configures ecdh_sha2_nistp256 for key exchange. The key has 256 bytes.
ecdh_sha2_nistp384        Configures ecdh_sha2_nistp384 for key exchange. The key has 384 bytes.
ecdh_sha2_nistp521        Configures ecdh_sha2_nistp521 for key exchange. The key has 521 bytes.

Defaults: By default, the SSHv1 server does not support any DH key exchange algorithm. The SSHv2 server supports six key exchange methods: diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, ecdh_sha2_nistp256, ecdh_sha2_nistp384, ecdh_sha2_nistp521 and sm2dh_sm3.

Command Mode: Global configuration mode

Usage Guide: This command is used to configure support for a DH key exchange method on the SSH server. The SSHv1 server does not support any DH key exchange algorithm. The SSHv2 server supports the following DH key exchange algorithms: diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, ecdh_sha2_nistp256, ecdh_sha2_nistp384, ecdh_sha2_nistp521 and sm2dh_sm3. Users can select the DH key exchange methods based on their own needs.

Configuration Examples: The following example configures support for diffie-hellman-group14-sha1.
Ruijie# configure terminal
Ruijie(config)# ip ssh key-exchange dh_group14_sha1

Platform Description: N/A

ip ssh peer

Use this command to associate a public key file with a user name on the client. During client login authentication, a public key file can then be selected based on the user name.
Use the no form of this command to restore the default setting.
ip ssh peer username public-key { rsa | dsa | ecc } filename
no ip ssh peer username public-key { rsa | dsa | ecc } filename

Parameter Description:
username    User name
filename    Name of a public key file
rsa         The public key is an RSA key
dsa         The public key is a DSA key
ecc         The public key is an ECC key

Defaults: N/A

Command Mode: Global configuration mode

Usage Guide: N/A

Configuration Examples: The following example sets the RSA and DSA key files associated with user test.
Ruijie# configure terminal
Ruijie(config)# ip ssh peer test public-key rsa flash:rsa.pub
Ruijie(config)# ip ssh peer test public-key dsa flash:dsa.pub

Related Commands:
show ip ssh    Displays the current status of the SSH server.

Platform Description: N/A

ip ssh port

Use this command to set the monitoring (listening) port ID for the SSH server.
ip ssh port port

Use either of the following commands to restore the monitoring port ID of the SSH server to the default value.
no ip ssh port
ip ssh port 22

Parameter Description:
port    Monitoring port ID of the SSH server. The value ranges from 1025 to 65535.

Defaults: N/A

Command Mode: Global configuration mode

Default Level: 14

Usage Guide: N/A

Configuration Examples: The following example sets the monitoring port ID of the SSH server to 10000.
Ruijie# configure terminal
Ruijie(config)# ip ssh port 10000

Verification: Run the show ip ssh command to display the configured monitoring port ID of the SSH server.

Prompts:
1. If the required port ID is the same as the current value, a prompt is displayed, indicating that the current port ID is already the required value.
Ruijie(config)# ip ssh port 22
% SSH tcp-port has been 22

2. If a port that is already in the monitoring state is configured as the monitoring port of the SSH server, a prompt is displayed, indicating that the port is already in the monitoring state and that another port ID is required; the SSH server keeps using the previous port ID.
Ruijie(config)# ip ssh port 10000
% SSH open tcp-port(10000) failed, please use another tcp-port, otherwise the
system will use the old tcp-port(22)!

3. If a monitoring error occurs after a monitoring port ID is configured for the SSH server, a port ID configuration failure prompt is displayed.
Ruijie(config)# ip ssh port 10000
% SSH change to tcp-port(10000) fail!

4. If a port ID is configured successfully, a port ID configuration success prompt is displayed.
Ruijie(config)# ip ssh port 10000
% SSH change to tcp-port(10000) success!

ip ssh source-interface

Use this command to specify a source interface for the SSH client. Use the no form of this command to remove the setting.
ip ssh source-interface interface-name
no ip ssh source-interface

Parameter Description:
interface-name    Specifies a source interface for the SSH client, indicating that the SSH client takes the interface IP address as its source address.

Defaults: The IP address of the interface that sends the SSH packet is taken as its source address by default.

Command Mode: Global configuration mode

Usage Guide: This command is used to specify the IP address of the specified interface as the source address of the SSH client.

Configuration Examples: The following example specifies the IP address of interface Loopback 1 as the source address of the global SSH session.
Ruijie(config)# ip ssh source-interface Loopback 1

Platform Description: N/A

ip ssh time-out

Use this command to set the authentication timeout for the SSH server.
Use the no form of this command to restore the default setting.
ip ssh time-out time
no ip ssh time-out

Parameter Description:
time    Authentication timeout, in the range from 1 to 120, in seconds

Defaults: The default is 120 seconds.

Command Mode: Global configuration mode

Usage Guide: The authentication is considered timed out and failed if it has not succeeded within 120 seconds of receiving a connection request. Use the show ip ssh command to display the configuration of the SSH server.

Configuration Examples: The following example sets the timeout value to 100 seconds.
Ruijie# configure terminal
Ruijie(config)# ip ssh time-out 100

Related Commands:
show ip ssh    Displays the current status of the SSH server.

Platform Description: N/A

ip ssh version

Use this command to set the version of the SSH server.
Use the no form of this command to restore the default setting.
ip ssh version { 1 | 2 }
no ip ssh version

Parameter Description:
1    Supports SSH1 client connection requests.
2    Supports SSH2 client connection requests.

Defaults: SSH1 and SSH2 are both supported by default.

Command Mode: Global configuration mode

Usage Guide: This command is used to configure the SSH connection protocol version supported by the SSH server. By default, the SSH server supports SSH1 and SSH2. If version 1 or 2 is set, only SSH clients of that version can connect to the SSH server. Use the show ip ssh command to display the current status of the SSH server.

Configuration Examples: The following example sets the version of the SSH server to 2.
Ruijie# configure terminal
Ruijie(config)# ip ssh version 2

Related Commands:
show ip ssh    Displays the current status of the SSH server.

Platform Description: N/A

ipv6 ssh access-class

Use this command to set the IPv6 ACL filtering of the SSH server.
ipv6 ssh access-class accessv6-list-name

Use the no form of this command to delete the IPv6 ACL filtering of the SSH server.
no ipv6 ssh access-class

Parameter Description:
accessv6-list-name    An IPv6 ACL name.

Defaults: N/A

Command Mode: Global configuration mode

Usage Guide: Run this command to perform IPv6 ACL filtering for all connections to the SSH server. In line mode, IPv6 ACL filtering is performed only for specific lines, whereas the IPv6 ACL filtering rules set with this command apply to all SSH connections.

Configuration Examples: The following example applies the IPv6 ACL named testv6 to all connections to the SSH server.
Ruijie# configure terminal
Ruijie(config)# ipv6 ssh access-class testv6

Platform Description: N/A

show crypto key mypubkey

Use this command to display the information about the public key part of the public key to the SSH server.
show crypto key mypubkey { rsa | dsa | ecc }

Parameter Description:
rsa    Displays the RSA key.
dsa    Displays the DSA key.
ecc    Displays the ECC key.

Defaults: N/A

Command Mode: Privileged EXEC mode/Global configuration mode

Usage Guide: This command is used to show the information about the public key part of the generated public key on the SSH server, including the key generation time, key name, contents of the public key part, etc.

Configuration Examples: The following example displays the information about the public key part of the public key to the SSH server.
Ruijie(config)#show crypto key mypubkey rsa
% Key pair was generated at: 7:1:25 UTC Jan 16 2013
Key name: RSA1 private
Usage: SSH Purpose Key
Key is not exportable.
Key Data:
AAAAAwEA AQAAAEEA 2m6H/J+2 xOMLW5MR 8tOmpW1I XU1QItVN mLdR+G7O Q10kz+4/
/IgYR0ge 1sZNg32u dFEifZ6D zfLySPqC MTWLfw==

% Key pair was generated at: 7:1:25 UTC Jan 16 2013
Key name: RSA private
Usage: SSH Purpose Key
Key is not exportable.
Key Data:
AAAAAwEA AQAAAEEA 0E5w2H0k v744uTIR yZBd/7AM 8pLItnW3 XH3LhEEi BbZGZvn3
LEYYfQ9s pgYL0ZQf S0s/GY0X gJOMsc6z i8OAkQ==

Related Commands:
crypto key generate { rsa | dsa | ecc }    Generates DSA and RSA keys.

Platform Description: N/A

show ip ssh

Use this command to display the information of the SSH server.
show ip ssh

Parameter Description: N/A

Defaults: N/A

Command Mode: Privileged EXEC mode/Global configuration mode

Usage Guide: This command is used to display the information of the SSH server, including the version, enablement state, authentication timeout, and authentication retry times.
If no key has been generated for the SSH server, the SSH version is still unavailable even if this SSH version has been configured.

Configuration Examples: The following example displays the information of the SSH server.
Ruijie# show ip ssh
SSH Disable - version 2.0
please enable service ssh-server
SSH Port: 22
SSH Cipher Mode: ctr
SSH HMAC Algorithm: sha1
Authentication timeout: 120 secs
Authentication retries: 3
SSH SCP Server: disabled
SSH Key-exchange: dh_group_exchange_sha1 dh_group14_sha1

Related Commands:
ip ssh version {1 | 2}           Configures the version for the SSH server.
ip ssh time-out time             Sets the authentication timeout for the SSH server.
ip ssh authentication-retries    Sets the authentication retry times for the SSH server.

Platform Description: N/A
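The fields shown by show ip ssh can be checked automatically against the guidance in this chapter (CTR cipher mode, SSH version 2, dh_group14 or group-exchange rather than dh_group1, bounded authentication retries). The following Python is an added example, not code from the command reference: it parses show ip ssh output and lists the settings to change, naming the remediation command from this chapter. The two sample outputs are constructed, and the weak-setting sets and helper names (parse_show_ip_ssh, audit_ssh_server) are ours.

```python
"""Audit Ruijie 'show ip ssh' output against this chapter's hardening guidance.
Added example, not part of the command reference; the sample outputs are
constructed and the finding names, thresholds and helper names are ours."""
import re

# Constructed: a server left on permissive settings.
SAMPLE_WEAK = """\
SSH Enable - version 1.5
SSH Port: 22
SSH Cipher Mode: cbc
SSH HMAC Algorithm: md5
Authentication timeout: 120 secs
Authentication retries: 5
SSH SCP Server: enabled
SSH Key-exchange: dh_group1_sha1 dh_group14_sha1
"""

# Constructed: the same server after applying the recommended settings.
SAMPLE_HARDENED = """\
SSH Enable - version 2.0
SSH Port: 10000
SSH Cipher Mode: ctr
SSH HMAC Algorithm: sha2-256
Authentication timeout: 60 secs
Authentication retries: 3
SSH SCP Server: disabled
SSH Key-exchange: dh_group_exchange_sha1 dh_group14_sha1
"""

STATE_RE = re.compile(r"^SSH (Enable|Disable) - version (\S+)$")
FIELD_RE = re.compile(r"^([^:]+):\s*(.*)$")

def parse_show_ip_ssh(text):
    """Return a dict of the fields shown by 'show ip ssh' (keys as printed),
    plus 'enabled' (bool) and 'version' taken from the first line."""
    info = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = STATE_RE.match(line)
        if m:
            info["enabled"] = m.group(1) == "Enable"
            info["version"] = m.group(2)
            continue
        m = FIELD_RE.match(line)   # "please enable service ssh-server" has no colon: skipped
        if m:
            info[m.group(1).strip()] = m.group(2).strip()
    return info

# Settings this chapter documents as the weaker choices: the 1,024-byte
# dh_group1_sha1 group, and MD5 or truncated HMACs (grouping is ours).
WEAK_KEX = {"dh_group1_sha1"}
WEAK_HMAC = {"md5", "md5-96", "sha1-96"}

def audit_ssh_server(info, max_retries=3, max_timeout=120):
    """Return a list of (setting, remediation command) findings; empty means clean."""
    findings = []
    if info.get("enabled") and not info.get("version", "").startswith("2"):
        findings.append(("version", "ip ssh version 2"))
    if info.get("SSH Cipher Mode", "").lower() != "ctr":
        findings.append(("cipher mode", "ip ssh cipher-mode ctr"))
    if info.get("SSH HMAC Algorithm", "").lower() in WEAK_HMAC:
        findings.append(("hmac", "ip ssh hmac-algorithm sha2-256"))
    if set(info.get("SSH Key-exchange", "").split()) & WEAK_KEX:
        findings.append(("key exchange", "ip ssh key-exchange dh_group14_sha1"))
    retries = int(info.get("Authentication retries", "0") or 0)
    if retries > max_retries:
        findings.append(("retries", f"ip ssh authentication-retries {max_retries}"))
    timeout = int(info.get("Authentication timeout", "0 secs").split()[0] or 0)
    if timeout > max_timeout:
        findings.append(("timeout", f"ip ssh time-out {max_timeout}"))
    return findings
```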

show ssh

Use this command to display the information about the established SSH connection.
show ssh

Parameter Description: N/A

Defaults: N/A

Command Mode: Privileged EXEC mode/Global configuration mode

Usage Guide: This command is used to display the information about the established SSH connection, including the VTY number of the connection, SSH version, encryption algorithm, message authentication algorithm, connection status, and user name.

Configuration Examples: The following example displays the information about the established SSH connection:
Ruijie#show ssh
Connection  Version  Encryption  Hmac       Compress  State            Username
0           1.5      blowfish               zlib      Session started  test
1           2.0      aes256-cbc  hmac-sha1  zlib      Session started  test

Field Description:
Field         Description
Connection    VTY number
Version       SSH version
Encryption    Encryption algorithm
Hmac          Message authentication algorithm
Compress      Compression algorithm
State         Connection state
Username      Username

Related Commands: N/A

Platform Description: N/A


5 DHCP Snooping Commands

clear ip dhcp snooping binding

Use this command to delete the dynamic user information from the DHCP Snooping binding database.
clear ip dhcp snooping binding [ ip ] [ mac ] [ vlan vlan-id ] [ interface interface-id | wlan wlan-id ]

Parameter Description:
mac             Specifies the user MAC address to be cleared.
vlan-id         Specifies the ID of the VLAN to be cleared.
ip              Specifies the IP address to be cleared.
interface-id    Specifies the ID of the interface to be cleared.
wlan-id         Specifies the ID of the WLAN to be cleared.

Defaults: N/A

Command Mode: Privileged EXEC mode

Usage Guide: Use this command to clear the current dynamic user information from the DHCP Snooping binding database.

Note: After this command is used, all the DHCP clients connected to interfaces with the IP Source Guard function enabled must request IP addresses again; otherwise they cannot access the network.

Configuration Examples: The following example clears the dynamic database information from the DHCP Snooping binding database.
Ruijie# clear ip dhcp snooping binding
Ruijie# show ip dhcp snooping binding
Total number of bindings: 0
MacAddress    IpAddress    Lease(sec)    Type    VLAN    Interface
----------    ---------    ----------    ----    ----    ---------

Related Commands:
show ip dhcp snooping binding    Displays the information of the DHCP Snooping binding database.

Platform Description: N/A


ip dhcp snooping

Use this command to enable the DHCP Snooping function globally.
Use the no form of this command to restore the default setting.
ip dhcp snooping
no ip dhcp snooping

Parameter Description: N/A

Defaults: This function is disabled by default.

Command Mode: Global configuration mode

Usage Guide: The show ip dhcp snooping command is used to display whether the DHCP Snooping function is enabled.

Configuration Examples: The following example enables the DHCP Snooping function.
Ruijie# configure terminal
Ruijie(config)# ip dhcp snooping
Ruijie(config)# end

Related Commands:
show ip dhcp snooping    Displays the configuration information of DHCP Snooping.
ip dhcp snooping vlan    Configures the DHCP Snooping enabled VLAN.

Platform Description: N/A

ip dhcp snooping bootp-bind

Use this command to enable the DHCP Snooping BOOTP-bind function.
Use the no form of this command to restore the default setting.
ip dhcp snooping bootp-bind
no ip dhcp snooping bootp-bind

Parameter Description: N/A

Defaults: This function is disabled by default.

Command Mode: Global configuration mode

Usage Guide: By default, DHCP Snooping only forwards BOOTP packets. With this function enabled, it can snoop BOOTP packets. After a BOOTP client requests an address successfully, DHCP Snooping adds the BOOTP user to the static binding database.

Configuration Examples: The following example enables the DHCP Snooping BOOTP-bind function.
Ruijie# configure terminal
Ruijie(config)# ip dhcp snooping bootp-bind
Ruijie(config)# end

Related Commands:
show ip dhcp snooping    Displays the DHCP Snooping configuration.

Platform Description: N/A

ip dhcp snooping check-giaddr

Use this command to enable DHCP Snooping to support the function of processing Relay requests.
Use the no form of this command to restore the default setting.
ip dhcp snooping check-giaddr
no ip dhcp snooping check-giaddr

Parameter Description: N/A

Defaults: This function is disabled by default.

Command Mode: Global configuration mode

Usage Guide: After the feature is enabled, services that use DHCP Snooping binding entries generated from Relay requests, such as IP Source Guard and 802.1x authentication, cannot be deployed; otherwise, users fail to access the Internet.
After the feature is enabled, the ip dhcp snooping verify mac-address command cannot be used; otherwise, DHCP Relay requests are discarded and, as a result, users fail to obtain addresses.

Configuration Examples: The following example enables DHCP Snooping to support the function of processing Relay requests.
Ruijie# configure terminal
Ruijie(config)# ip dhcp snooping check-giaddr
Ruijie(config)# end

Related Commands:
show ip dhcp snooping    Displays the configuration information of DHCP Snooping.

Platform Description: N/A

ip dhcp snooping database

Use this command to configure file backup of the DHCP Snooping binding database.
Use the no form of this command to restore the default setting.
ip dhcp snooping database sata0 [ interval time ]
no ip dhcp snooping database sata0

Parameter Description:
time    Indicates the interval of storing the database, in seconds. The range is from 10s to 86,400s. The default value is 300s.

Defaults: This function is disabled by default.

Command Mode: Global configuration mode

Usage Guide: After this feature is enabled, the DHCP Snooping database can be written to a backup file of the specified type. In this way, users are able to resume communication immediately after a restart of the device.

Configuration Examples: The following example configures file backup of the DHCP Snooping binding database with the default interval.
Ruijie# configure terminal
Ruijie(config)# ip dhcp snooping database sata0
Ruijie(config)# end

Related Commands:
show ip dhcp snooping    Displays the configuration information of DHCP Snooping.
show run                 Displays the current backup mode.

Platform Description: For the NBR6120-E, NBR6205-E, NBR6205-E V2, NBR6210-E, NBR6210-E V2, and NBR6215-E, no SATA hard drive is configured upon delivery. For the NBR6205-E, NBR6205-E V2, NBR6210-E, NBR6210-E V2, and NBR6215-E, SATA hard drives can be separately purchased and installed.

ip dhcp snooping database write-delay

Use this command to configure the switch to write the dynamic user information of the DHCP
Snooping binding database into the flash periodically.
Use the no form of this command to restore the default setting.
ip dhcp snooping database write-delay time
no ip dhcp snooping database write-delay

Parameter Description
Parameter Description
time The interval at which the system writes the dynamic user information of the DHCP Snooping database into the flash, in the range from 600 to 86,400 seconds.

Defaults This function is disabled by default.

Command Mode Global configuration mode

Usage Guide This function writes user information into the flash so that it is not lost after a restart. Without it, users need to obtain IP addresses again before they can communicate normally.

Note: Writing too frequently reduces flash durability.

Configuration Examples The following example sets the interval at which the switch writes the user information into the flash to 3,600 seconds.
Ruijie# configure terminal
Ruijie(config)# ip dhcp snooping database write-delay 3600
Ruijie(config)# end

Related Commands
Command Description
show ip dhcp snooping Displays the DHCP Snooping configuration information.

Platform Description N/A

ip dhcp snooping database write-to-flash

Use this command to write the dynamic user information of the DHCP binding database into flash in
real time.
ip dhcp snooping database write-to-flash

Parameter Description
Parameter Description
N/A N/A

Defaults N/A

Command Mode Global configuration mode

Usage Guide This command writes the dynamic user information of the DHCP binding database into the flash in real time.

Configuration Examples The following example writes the dynamic user information of the DHCP binding database into the flash.
Ruijie# configure terminal
Ruijie(config)# ip dhcp snooping database write-to-flash
Ruijie(config)# end

Related Commands
Command Description
N/A N/A

Platform Description N/A

ip dhcp snooping information option

Use this command to add option82 to the DHCP request message.
Use the no form of this command to restore the default setting.
ip dhcp snooping information option [ standard-format ]
no ip dhcp snooping information option [ standard-format ]

Parameter Description
Parameter Description
standard-format The option82 uses the standard format.

Defaults This function is disabled by default.

Command Mode Global configuration mode

Usage Guide This command adds option82 to DHCP request messages; the DHCP server assigns IP addresses based on this option.
By default, option82 is added in extended format.

Note: The DHCP Relay function adds option82 by default. Therefore, it is unnecessary to enable DHCP Snooping option82 and DHCP Relay at the same time.

Configuration Examples The following example adds option82 to the DHCP request message.
Ruijie# configure terminal
Ruijie(config)# ip dhcp snooping information option
Ruijie(config)# end

Related Commands
Command Description
show ip dhcp snooping Displays the DHCP Snooping configuration.

Platform Description N/A

ip dhcp snooping information option format remote-id

Use this command to set the option82 sub-option remote-id as the customized character string.
Use the no form of this command to restore the default setting.
ip dhcp snooping information option format remote-id { string ascii-string | hostname }
no ip dhcp snooping information option format remote-id

Parameter Description
Parameter Description
string ascii-string The content of the option82 remote-id extension format is a customized character string.
hostname The content of the option82 remote-id extension format is the hostname.

Defaults This function is disabled by default.

Command Mode Global configuration mode

Usage Guide This command sets the remote-id in the option82 added to the DHCP request message to a customized character string. The DHCP server assigns the IP address according to the option82 information.

Configuration Examples The following example adds option82 to DHCP request packets with the remote-id content set to the hostname.
Ruijie# configure terminal
Ruijie(config)# ip dhcp snooping information option format remote-id hostname

Related Commands
Command Description
N/A N/A

Notification When the length of ascii-string exceeds 63 characters, the following prompt is displayed.
% Failed to execute command, because of "Remote-ID string cannot exceed 63 characters".

Platform Description N/A
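The two commands above describe what the switch inserts (option 82 with a remote-id sub-option) and the one limit it enforces (63 characters). The following Python is an added example, not Ruijie code: it encodes and strictly decodes option 82 in the standard RFC 3046 layout (sub-option 1 circuit-id, sub-option 2 remote-id), models the string and hostname choices for the remote-id content, and rejects a customized string longer than 63 characters with the same message the device prints. The vendor's extended format is not modelled, and the circuit-id bytes and hostname used below are constructed sample values.

```python
"""Build and parse DHCP option 82 (Relay Agent Information, RFC 3046).

Added example: standard-format option 82 with a remote-id sub-option whose
content is a customized ASCII string or the device hostname. The 63-character
remote-id limit is the one stated in the command reference.
"""
import socket
import struct

OPTION_RELAY_AGENT = 82      # DHCP option code for Relay Agent Information
SUBOPT_CIRCUIT_ID = 1        # RFC 3046 sub-option 1
SUBOPT_REMOTE_ID = 2         # RFC 3046 sub-option 2
REMOTE_ID_MAX_CHARS = 63     # limit stated in the command reference


def remote_id_bytes(mode, ascii_string=None, hostname=None):
    """Return the remote-id content for the 'string' or 'hostname' mode.

    Raises ValueError with the device's own message when the customized
    string exceeds 63 characters.
    """
    if mode == "string":
        if ascii_string is None or not ascii_string.isascii():
            raise ValueError("remote-id string must be ASCII")
        if len(ascii_string) > REMOTE_ID_MAX_CHARS:
            raise ValueError("Remote-ID string cannot exceed 63 characters")
        return ascii_string.encode("ascii")
    if mode == "hostname":
        # fall back to the local host name only if none was supplied
        name = hostname if hostname is not None else socket.gethostname()
        return name.encode("ascii", "replace")
    raise ValueError("mode must be 'string' or 'hostname'")


def remote_id_accepted(ascii_string):
    """True if the device would accept this customized remote-id string."""
    try:
        remote_id_bytes("string", ascii_string=ascii_string)
        return True
    except ValueError:
        return False


def build_option82(circuit_id, remote_id):
    """Encode option 82 as code, length, then TLV sub-options."""
    body = b""
    for code, value in ((SUBOPT_CIRCUIT_ID, circuit_id), (SUBOPT_REMOTE_ID, remote_id)):
        if len(value) > 255:
            raise ValueError("sub-option too long")
        body += struct.pack("BB", code, len(value)) + value
    if len(body) > 255:
        raise ValueError("option 82 payload exceeds 255 bytes")
    return struct.pack("BB", OPTION_RELAY_AGENT, len(body)) + body


def parse_option82(data):
    """Decode an option 82 blob into {sub-option code: bytes}; strict on lengths."""
    if len(data) < 2 or data[0] != OPTION_RELAY_AGENT:
        raise ValueError("not an option 82 blob")
    total = data[1]
    if len(data) != 2 + total:
        raise ValueError("option length does not match data length")
    subs, pos, end = {}, 2, 2 + total
    while pos < end:
        if pos + 2 > end:
            raise ValueError("truncated sub-option header")
        code, length = data[pos], data[pos + 1]
        pos += 2
        if pos + length > end:
            raise ValueError("sub-option runs past option end")
        subs[code] = data[pos:pos + length]
        pos += length
    return subs


if __name__ == "__main__":
    # constructed sample: circuit-id = VLAN 1 / port 5, remote-id = hostname
    opt = build_option82(b"\x00\x01\x00\x05", remote_id_bytes("hostname", hostname="Ruijie"))
    print(opt.hex(), parse_option82(opt))
```

The parser refuses a blob whose declared length disagrees with the bytes present or whose sub-option runs past the option end; a DHCP server or relay that trusts those lengths blindly is where option 82 parsing bugs usually live.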

ip dhcp snooping monitor

Use this command to enable DHCP Snooping monitoring.
Use the no form of this command to restore the default setting.
ip dhcp snooping monitor
no ip dhcp snooping monitor

Parameter Description
Parameter Description
N/A N/A

Defaults This function is disabled by default.

Command Mode Global configuration mode

Usage Guide After the feature is enabled, DHCP Snooping generates binding entries from copies of the DHCP packets exchanged; it does not, however, check the validity of the packets.

Configuration Examples The following example enables DHCP Snooping monitoring.
Ruijie# configure terminal
Ruijie(config)# ip dhcp snooping monitor
Ruijie(config)# end

Related Commands
Command Description
N/A N/A

Notification If DHCP Snooping monitoring is enabled in global configuration mode, DHCP Snooping cannot be configured, and the following prompt is displayed.
% Failed to execute command, because of "Conflict with DHCP snooping monitor".

Platform Description N/A

ip dhcp snooping suppression

Use this command to set the port to the suppression status.
Use the no form of this command to restore the default setting.
ip dhcp snooping suppression
no ip dhcp snooping suppression

Parameter Description
Parameter Description
N/A N/A

Defaults This function is disabled by default.

Command Mode Interface configuration mode/WLAN security configuration mode

Usage Guide This command denies all DHCP request messages on the port, that is, all users under the port are prohibited from requesting IP addresses through DHCP.
This command is only supported on Layer 2 switch interfaces and aggregate ports (APs).

Configuration Examples The following example sets fastethernet 0/2 and WLAN 1 to the suppression status.
Ruijie# configure terminal
Ruijie(config)# interface fastEthernet 0/2
Ruijie(config-if)# ip dhcp snooping suppression
Ruijie(config-if)# end
Ruijie# configure terminal
Ruijie(config)# wlansec 1
Ruijie(config-wlansec)# ip dhcp snooping suppression
Ruijie(config-wlansec)# end

Related Commands
Command Description
show ip dhcp snooping Displays the DHCP Snooping configuration.

Platform Description N/A

ip dhcp snooping verify mac-address

Use this command to check whether the source MAC address of the DHCP request message
matches against the client addr field of the DHCP message.
Use the no form of this command to restore the default setting.
ip dhcp snooping verify mac-address
no ip dhcp snooping verify mac-address

Parameter Description
Parameter Description
N/A N/A

Defaults This function is disabled by default.

Command Mode Global configuration mode

Usage Guide Use this command to check the source MAC address of DHCP request messages. If the source MAC address in the link-layer header differs from the CHADDR (Client MAC Address) field of the DHCP message, the check fails and the packet is discarded.

Configuration Examples The following example enables the check of the source MAC address of DHCP request messages.
Ruijie# configure terminal
Ruijie(config)# ip dhcp snooping verify mac-address
Ruijie(config)# end

Related Commands
Command Description
show ip dhcp snooping Displays the DHCP Snooping configuration.

Platform Description N/A
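The check this command enables is simple to state but worth seeing against real packet bytes. The following Python is an added example, not Ruijie code: it parses an Ethernet/IPv4/UDP/BOOTP frame far enough to read the link-layer source MAC and the CHADDR field of a client-to-server DHCP request, and returns whether the frame would pass the verify mac-address check. The two sample frames and the MAC addresses in them are constructed test data, one consistent and one with a CHADDR that does not match its Ethernet source.

```python
"""Model of the 'ip dhcp snooping verify mac-address' check.

Added example (not Ruijie code): compares the Ethernet source MAC of a DHCP
request with the BOOTP CHADDR field; a mismatch is the condition under which
the device discards the packet. Frames below are constructed test data.
"""
import struct

ETH_HDR = 14
IPV4_MIN_HDR = 20
UDP_HDR = 8
BOOTP_FIXED = 236          # fixed BOOTP header before the magic cookie
DHCP_SERVER_PORT = 67
HTYPE_ETHERNET = 1


def build_dhcp_request_frame(eth_src, chaddr, xid=0x3903F326):
    """Construct a minimal broadcast Ethernet/IPv4/UDP DHCPDISCOVER frame (test data)."""
    # op=1 (BOOTREQUEST), htype=1, hlen=6, hops=0, xid, secs, flags=broadcast, 4 addresses
    bootp = struct.pack("!BBBBIHHIIII", 1, HTYPE_ETHERNET, 6, 0, xid, 0, 0x8000, 0, 0, 0, 0)
    bootp += chaddr + bytes(10)          # chaddr padded to 16 bytes
    bootp += bytes(64) + bytes(128)      # sname, file
    bootp += b"\x63\x82\x53\x63"         # DHCP magic cookie
    bootp += b"\x35\x01\x01\xff"         # option 53 = DISCOVER, end option
    udp = struct.pack("!HHHH", 68, DHCP_SERVER_PORT, UDP_HDR + len(bootp), 0) + bootp
    total = IPV4_MIN_HDR + len(udp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 17, 0,
                     bytes(4), b"\xff\xff\xff\xff") + udp
    eth = b"\xff" * 6 + eth_src + b"\x08\x00"
    return eth + ip


def dhcp_mac_fields(frame):
    """Return (link-layer source MAC, CHADDR) for a DHCP request frame, else None."""
    if len(frame) < ETH_HDR or frame[12:14] != b"\x08\x00":
        return None
    eth_src = frame[6:12]
    ip = frame[ETH_HDR:]
    if len(ip) < IPV4_MIN_HDR or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17 or len(ip) < ihl + UDP_HDR:
        return None
    udp = ip[ihl:]
    _src_port, dst_port = struct.unpack("!HH", udp[:4])
    if dst_port != DHCP_SERVER_PORT:     # only client-to-server requests are checked
        return None
    bootp = udp[UDP_HDR:]
    if len(bootp) < BOOTP_FIXED:
        return None
    op, htype, hlen = bootp[0], bootp[1], bootp[2]
    if op != 1 or htype != HTYPE_ETHERNET or hlen != 6:
        return None
    chaddr = bootp[28:28 + hlen]
    return eth_src, chaddr


def verify_mac_address(frame):
    """Emulate the snooping check: True = forward, False = discard."""
    fields = dhcp_mac_fields(frame)
    if fields is None:
        return True        # not a DHCP request: this particular check does not apply
    eth_src, chaddr = fields
    return eth_src == chaddr


# constructed sample frames
CLIENT_MAC = bytes.fromhex("001122334455")
OTHER_MAC = bytes.fromhex("66778899aabb")
GOOD_FRAME = build_dhcp_request_frame(CLIENT_MAC, CLIENT_MAC)
BAD_FRAME = build_dhcp_request_frame(CLIENT_MAC, OTHER_MAC)

if __name__ == "__main__":
    print("consistent frame forwarded:", verify_mac_address(GOOD_FRAME))
    print("mismatched frame forwarded:", verify_mac_address(BAD_FRAME))
```

Note the caveat the reference gives under ip dhcp snooping check-giaddr: a request that arrives through a DHCP Relay carries the relay's MAC as its Ethernet source while CHADDR still names the client, so this check must stay off where Relay requests are expected.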

ip dhcp snooping vlan

Use this command to enable DHCP Snooping for the specific VLAN.
Use the no form of this command to restore the default setting.
ip dhcp snooping vlan {vlan-rng | { vlan-min [ vlan-max ] } }
no ip dhcp snooping vlan {vlan-rng | { vlan-min [ vlan-max ] } }

Parameter Description
Parameter Description
vlan-rng VLAN range in which DHCP Snooping takes effect.
vlan-min Minimum VLAN in which DHCP Snooping takes effect.
vlan-max Maximum VLAN in which DHCP Snooping takes effect.

Defaults By default, once the DHCP Snooping is enabled globally, it takes effect for all VLANs.

Command Mode Global configuration mode

Usage Guide Use this command to enable DHCP Snooping for specified VLANs globally.

Configuration Examples The following example enables the DHCP Snooping function in VLAN 1000.
Ruijie# configure terminal
Ruijie(config)# ip dhcp snooping vlan 1000
Ruijie(config)# end

Related Commands
Command Description
ip dhcp snooping Enables DHCP Snooping globally.

Platform Description N/A

renew ip dhcp snooping database

Use this command to import the information in current backup file to the DHCP Snooping binding
database manually as needed.
renew ip dhcp snooping database

Parameter Description
Parameter Description
N/A N/A

Defaults N/A

Command Mode Privileged EXEC mode

Usage Guide This command imports the backup file information into the DHCP Snooping database in real time.

Note: Records whose lease has expired and duplicate records are ignored.

Configuration Examples The following example imports the backup file information into the DHCP Snooping database.
Ruijie# renew ip dhcp snooping database

Related Commands
Command Description
N/A N/A

Platform Description N/A

show ip dhcp snooping

Use this command to display the DHCP Snooping configuration.
show ip dhcp snooping

Parameter Description
Parameter Description
N/A N/A

Defaults N/A

Command Mode Privileged EXEC mode

Usage Guide N/A

Configuration Examples The following example displays the DHCP Snooping configuration.
Ruijie# show ip dhcp snooping
Switch DHCP snooping status :ENABLE
Verification of hwaddr field status :DISABLE
DHCP snooping database write-delay time: 0 seconds
DHCP snooping option 82 status: ENABLE
DHCP snooping Support Bootp bind status: ENABLE
Interface Trusted Rate limit(pps)
------------------------ ---------------- ----------------
GigabitEthernet 0/4 YES unlimited
Default No

Field Description
Switch DHCP snooping status Whether DHCP Snooping is enabled.
Verification of hwaddr field status Whether source MAC detection of DHCP Snooping is enabled.
DHCP snooping database write-delay time Interval of writing backup files.
DHCP snooping option 82 status Whether option 82 is added to DHCP request packets.
DHCP snooping Support Bootp bind status Whether the Bootp binding supported by DHCP Snooping is enabled.
Interface Interface name.
Trusted Whether the interface is a trusted port.
Rate limit Rate limit for the DHCP packets sent by the interface.

Related Commands
Command Description
ip dhcp snooping Enables DHCP Snooping globally.
ip dhcp snooping verify mac-address Enables the check of the source MAC address of DHCP Snooping packets.
ip dhcp snooping write-delay Sets the interval for writing user information to the flash periodically.
ip dhcp snooping information option Adds option82 to the DHCP request message.
ip dhcp snooping bootp-bind Enables the DHCP Snooping bootp bind function.
ip dhcp snooping trust Sets the port as a trusted port.

Platform Description N/A

show ip dhcp snooping binding

Use this command to display the information of the DHCP Snooping binding database.
show ip dhcp snooping binding

Parameter Description
Parameter Description
N/A N/A

Defaults N/A

Command Mode Privileged EXEC mode

Usage Guide This command displays all the information in the DHCP Snooping binding database.

Configuration Examples The following example displays the information of the DHCP Snooping binding database.
Ruijie# show ip dhcp snooping binding
Total number of bindings: 1
NO. MACADDRESS IPADDRESS LEASE(SEC) TYPE VLAN INTERFACE
----- ------------------ --------------- ------------ ------------- ----- --------------------
1 0000.0000.0001 1.1.1.1 78128 DHCP-Snooping 1 GigabitEthernet 0/1
2 0000.0000.0002 2.2.2.2 78111 DHCP-Snooping 1 WLAN 1

Parameter Description
Total number of bindings The total number of bindings in the DHCP Snooping database.
NO. The record order.
MacAddress The MAC address of the user.
IpAddress The IP address of the user.
Lease(sec) The lease time of the record.
Type The record type.
VLAN The VLAN to which the user belongs.
Interface The user's connection interface. It can be either a wired access interface or a wireless access WLAN.

Related Commands
Command Description
ip dhcp snooping binding Adds static user information to the DHCP Snooping database.
clear ip dhcp snooping binding Clears dynamic user information from the DHCP Snooping binding database.

Platform Description N/A

Command Reference IP Source Guard Commands

6 IP Source Guard Commands

ip source binding

Use this command to add static user information to IP source address binding database.
Use the no form of this command to delete static user information from IP source address binding
database.
ip source binding mac-address { vlan vlan-id } ip-address { interface interface-id | wlan wlan-id |
ip-mac | ip-only }
no ip source binding mac-address { vlan vlan-id } ip-address { interface interface-id | wlan wlan-id
| ip-mac | ip-only }

Parameter Description
Parameter Description
mac-address Adds the user MAC address statically.
vlan-id Adds the user VLAN ID statically.
ip-address Adds the user IP address statically.
interface-id Adds the user interface ID statically.
wlan wlan-id Adds the user WLAN ID statically.
ip-mac The global binding type is IP+MAC.
ip-only The global binding type is IP only.

Defaults No static address is added by default.

Command Mode Global configuration mode

Usage Guide This command allows specific clients to pass IP Source Guard detection without obtaining an address through DHCP.
This command is supported on the wired L2 switching port, AP port, sub interface and WLAN.
This command can also create a global binding for IP Source Guard, so that the specified client is detected on all interfaces.

Note: A static IPv6 source binding is valid either on wired and WLAN interfaces or in global configuration mode.

A new binding overwrites an old one that shares the same configuration.

Configuration Examples The following example adds static users bound to an interface ID and to a WLAN ID.
Ruijie# configure terminal
Ruijie(config)# ip source binding 0000.0000.0001 vlan 1 1.1.1.1 interface GigabitEthernet 0/1
Ruijie(config)# ip source binding 0000.0000.0002 vlan 1 1.1.1.2 wlan 1
Ruijie(config)# end

The following example adds static user information based on IP-MAC binding.
Ruijie# configure terminal
Ruijie(config)# ip source binding 0000.0000.0001 vlan 1 1.1.1.1 ip-mac
Ruijie(config)# end

The following example adds static user information based on IP binding.
Ruijie# configure terminal
Ruijie(config)# ip source binding 0000.0000.0001 vlan 1 1.1.1.1 ip-only
Ruijie(config)# end

Related Commands
Command Description
show ip source binding Displays the binding information of IP source addresses and the database.

Platform Description N/A

ip verify source

Use this command to enable the IP Source Guard function on the interface.
Use the no form of this command to restore the default setting.
ip verify source [ port-security ]
no ip verify source

Parameter Description
Parameter Description
port-security Configures IP Source Guard to perform IP+MAC-based detection.

Defaults This function is disabled by default.

Command Mode Interface configuration mode/WLAN security configuration mode

Usage Guide This command enables the IP Source Guard function on the interface to perform IP-based or IP+MAC-based detection.
This command is supported on the wired L2 switching port, AP port, sub interface and WLAN.
IP Source Guard takes effect only on DHCP Snooping untrusted ports. In other words, IP Source Guard does not take effect when it is configured on a trusted port or on a port that is not controlled by DHCP Snooping.

Configuration Examples The following example enables the IP-based IP Source Guard function.
Ruijie# configure terminal
Ruijie(config)# interface GigabitEthernet 0/1
Ruijie(config-if-GigabitEthernet 0/1)# ip verify source
Ruijie(config-if-GigabitEthernet 0/1)# exit
Ruijie(config)# wlansec 1
Ruijie(config-wlansec)# ip verify source
Ruijie(config-wlansec)# end

The following example enables the IP+MAC-based IP Source Guard function.
Ruijie# configure terminal
Ruijie(config)# interface GigabitEthernet 0/2
Ruijie(config-if-GigabitEthernet 0/2)# ip verify source port-security
Ruijie(config-if-GigabitEthernet 0/2)# exit
Ruijie(config)# wlansec 2
Ruijie(config-wlansec)# ip verify source port-security
Ruijie(config-wlansec)# end

Related Commands
Command Description
show ip verify source Displays the user filtering entries of IP Source Guard.

Platform Description N/A

ip verify source exclude-vlan

Use this command to exclude a VLAN from the IP source guard configuration on the port.
Use the no form of this command to restore the function.
ip verify source exclude-vlan vlan-id
no ip verify source exclude-vlan vlan-id

Parameter Description
Parameter Description
vlan-id The ID of the VLAN excluded from the IP Source Guard configuration.

Defaults This function is disabled by default.

Command Mode Interface configuration mode/WLAN security configuration mode

Usage Guide This command excludes a VLAN from the IP Source Guard configuration. IP packets in this VLAN are forwarded without being checked or filtered.
Once the IP Source Guard function is disabled, the excluded VLAN is cleared automatically.
This command is supported on the wired L2 switching port, AP port, sub interface and WLAN.

Note: A VLAN can be excluded only when the IP Source Guard configuration is enabled on the port.

Configuration Examples The following example configures IP Source Guard on the port and excludes a VLAN.
Ruijie# configure terminal
Ruijie(config)# interface GigabitEthernet 0/1
Ruijie(config-if-GigabitEthernet 0/1)# ip verify source
Ruijie(config-if-GigabitEthernet 0/1)# ip verify source exclude-vlan 1
Ruijie(config-if-GigabitEthernet 0/1)# exit
Ruijie(config)# wlansec 1
Ruijie(config-wlansec)# ip verify source
Ruijie(config-wlansec)# ip verify source exclude-vlan 1
Ruijie(config-wlansec)# end

Related Commands
Command Description
N/A N/A

Platform Description N/A
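The three commands ip source binding, ip verify source [ port-security ] and ip verify source exclude-vlan together define one filtering decision: a packet on an untrusted port is forwarded only if a binding scoped to that port, or a global binding, matches its source IP (and its source MAC when port-security is set), unless the packet's VLAN is excluded. The following Python is an added example, not Ruijie code, that models that decision over a small binding table; it also reproduces two rules the reference states, that a VLAN can be excluded only while the function is enabled on the port and that disabling the function clears the exclusions. Interface names, bindings and packet tuples are constructed sample data.

```python
"""Model of IP Source Guard filtering on an untrusted port.

Added example (not Ruijie code): a binding table populated the way
'ip source binding' and DHCP Snooping populate it, per-port settings as set
by 'ip verify source [port-security]' and 'ip verify source exclude-vlan',
and the forward/drop decision for packets arriving on a port.
"""
from dataclasses import dataclass, field

GLOBAL = "Global"   # binding scope produced by the ip-mac / ip-only keywords


@dataclass(frozen=True)
class Binding:
    mac: str          # e.g. "0000.0000.0001"
    vlan: int
    ip: str
    scope: str        # interface name, "WLAN <id>", or GLOBAL
    source: str       # "Static" or "DHCP-Snooping"


@dataclass
class PortGuard:
    enabled: bool = False
    ip_mac: bool = False          # True when 'port-security' is given
    excluded_vlans: set = field(default_factory=set)
    dhcp_trusted: bool = False    # IP Source Guard does not act on trusted ports


class IpSourceGuard:
    def __init__(self):
        self.bindings = set()
        self.ports = {}

    def add_binding(self, b):
        # a new binding replaces an old one with the same mac/vlan/ip/scope
        key = (b.mac, b.vlan, b.ip, b.scope)
        self.bindings = {x for x in self.bindings if (x.mac, x.vlan, x.ip, x.scope) != key}
        self.bindings.add(b)

    def port(self, name):
        return self.ports.setdefault(name, PortGuard())

    def exclude_vlan(self, name, vlan):
        """Mirror of 'ip verify source exclude-vlan': allowed only while enabled."""
        p = self.port(name)
        if not p.enabled:
            return False
        p.excluded_vlans.add(vlan)
        return True

    def disable(self, name):
        # 'no ip verify source' also clears the excluded VLANs of the port
        p = self.port(name)
        p.enabled = False
        p.excluded_vlans.clear()

    def permits(self, port_name, src_ip, src_mac, vlan):
        """True if the packet is forwarded, False if IP Source Guard drops it."""
        p = self.port(port_name)
        if not p.enabled or p.dhcp_trusted or vlan in p.excluded_vlans:
            return True
        for b in self.bindings:
            if b.scope not in (port_name, GLOBAL) or b.vlan != vlan or b.ip != src_ip:
                continue
            if p.ip_mac and b.mac != src_mac:
                continue
            return True
        return False     # no matching entry: the port's Deny-All entry applies


def build_sample():
    """Constructed sample: one interface-scoped static binding, one global binding."""
    g = IpSourceGuard()
    g.add_binding(Binding("0000.0000.0001", 1, "1.1.1.1", "GigabitEthernet 0/1", "Static"))
    g.add_binding(Binding("0000.0000.0002", 1, "1.1.1.2", GLOBAL, "Static"))
    gi1 = g.port("GigabitEthernet 0/1")
    gi1.enabled, gi1.ip_mac = True, True        # ip verify source port-security
    g.port("GigabitEthernet 0/2").enabled = True  # ip verify source (IP-only)
    return g


if __name__ == "__main__":
    g = build_sample()
    print(g.permits("GigabitEthernet 0/1", "1.1.1.1", "0000.0000.0001", 1))
    print(g.permits("GigabitEthernet 0/1", "1.1.1.1", "0000.0000.00ff", 1))
```

The model makes visible why the reference says IP Source Guard "does not take effect" on trusted ports and why an interface with the function enabled but no bindings shows a Deny-All entry in show ip verify source: every packet that matches nothing is dropped, so a host whose DHCP lease entry was lost (for example after a restart without a binding backup) is cut off until it renews.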

show ip source binding

Use this command to display the binding information of IP source addresses and database.
show ip source binding [ ip-address ] [ mac-address ] [ dhcp-snooping ] [ static ] [ vlan vlan-id ]
[ interface interface-id ] [wlan wlan-id]

Parameter Description
Parameter Description
ip-address Displays the user binding information of the corresponding IP address.
mac-address Displays the user binding information of the corresponding MAC address.
dhcp-snooping Displays the binding information of dynamic users.
static Displays the binding information of static users.
vlan-id Displays the user binding information of the corresponding VLAN.
interface-id Displays the user binding information of the corresponding interface.
wlan-id Displays the user information bound to the corresponding WLAN.

Defaults N/A

Command Mode Privileged EXEC mode

Usage Guide N/A

Configuration Examples The following example displays the binding information of IP Source Guard addresses and the database.
Ruijie# show ip source binding static
Total number of bindings: 5
NO. MACADDRESS IPADDRESS LEASE(SEC) TYPE VLAN INTERFACE
----- ------------------ --------------- ------------ ------------- ----- --------------------
1 0001.0002.0001 1.2.3.2 Infinite Static 1 Global
2 0001.0002.0002 1.2.3.3 Infinite Static 1 GigabitEthernet 0/5
3 0001.0002.0003 1.2.3.4 Infinite Static 1 Global
4 0001.0002.0004 1.2.3.5 Infinite Static 1 Global
5 0001.0002.0005 1.2.3.6 Infinite Static 1 WLAN 1

Related Commands
Command Description
ip source binding Sets the static user binding.

Platform Description N/A

show ip verify source

Use this command to display the user filtering entries of IP Source Guard.
show ip verify source [ interface interface-id ] [wlan wlan-id]

Parameter Description
Parameter Description
interface-id Displays the user filtering entries of the corresponding interface.
wlan-id Displays the user filtering entries of the corresponding WLAN.

Defaults N/A

Command Mode Privileged EXEC mode

Usage Guide If IP Source Guard is not enabled on the corresponding interface, the following information is displayed on the terminal: "IP source guard is not configured on the interface FastEthernet 0/10".
IP Source Guard currently supports the following filtering statuses:
inactive-restrict-off: IP Source Guard is disabled on the bound interface.
inactive-not-apply: IP Source Guard cannot add the bound entry to the filtering entries because of a system error.
active: IP Source Guard is active.

Configuration Examples The following example displays the user filtering entries of IP Source Guard.
Ruijie# show ip verify source
Total number of bindings: 7
NO. INTERFACE FILTERTYPE FILTERSTATUS IPADDRESS MACADDRESS VLAN TYPE
----- -------------------- ----------- --------------------- --------------- --------------- -------- -------------
1 Global IP+MAC Inactive-not-apply 192.168.0.127 0001.0002.0003 1 Static
2 GigabitEthernet 0/5 IP-ONLY Active 1.2.3.4 0001.0002.0004 1 DHCP-Snooping
3 Global IP-ONLY Active 1.2.3.7 0001.0002.0007 1 Static
4 Global IP+MAC Active 1.2.3.6 0001.0002.0006 1 Static
5 GigabitEthernet 0/1 UNSET Inactive-restrict-off 1.2.3.9 0001.0002.0009 1 DHCP-Snooping
6 GigabitEthernet 0/5 IP-ONLY Active Deny-All
7 WLAN 1 IP-ONLY Active Deny-ALL

Related Commands
Command Description
ip verify source Sets IP Source Guard on the interface.

Platform Description N/A

Command Reference VPDN Commands

7 VPDN Commands

accept dialin

Use this command to set the tunnel work mode to dial-in acceptance.
accept-dialin

Use the no form of this command to restore the default configuration of the system.
no accept-dialin

Parameter Description
Parameter Description
N/A N/A

Defaults No tunnel work mode is set for the system by default.

Command Mode VPDN-group interface configuration mode

Default Level 14

Usage Guide No tunnel work mode is set for a VPDN-group by default. You must set the tunnel work mode first, and then set the tunnel work protocol and the bound virtual template interface. The effective configuration or change of this command immediately causes active and forcible disconnection of existing relevant tunnels.

Configuration Example #Set the tunnel work mode to dial-in acceptance.
Ruijie(config)#vpdn-group 1
Ruijie(config-vpdn)#accept-dialin
Ruijie(config-vpdn-acc-in)#

Verification Run the show running-config command to check whether the tunnel work mode is dial-in acceptance.

Common Error The effective configuration or change of this command immediately causes active and forcible disconnection of existing relevant tunnels.

authentication (L2TP)

Use this command to enable tunnel authentication.
authentication

Use the no form of this command to restore the default configuration of the system.
no authentication

Parameter Description
Parameter Description
N/A N/A

Defaults Tunnel authentication is disabled by default.

Command Mode L2TP-class interface configuration mode

Default Level 14

Usage Guide You can enable or disable tunnel authentication as required.

Configuration Example #Enable tunnel authentication.
Ruijie(config)#l2tp-class 1
Ruijie(config-l2tp-class)#authentication
Ruijie(config-l2tp-class)#

Verification Run the show running-config command to check whether tunnel authentication is enabled.

clear vpdn log

Use this command to clear user online/offline information in log files.
clear vpdn log

Parameter Description
Parameter Description
N/A N/A

Command Mode Privileged EXEC mode

Default Level 14

Usage Guide This command clears user online/offline information in log files.

Configuration Example #Clear user online/offline information in log files.
Ruijie# show vpdn log
Username IP State Online time Offline time
user-1 100.1.1.2 out 2014-11-16-14:09:04 2014-11-16-14:29:26
user-2 100.1.2.2 out 2014-11-16-15:09:05 2014-11-16-16:09:27
Ruijie# clear vpdn log
Ruijie#
Ruijie# show vpdn log
%No vpdn logs.
Ruijie#

clear vpdn tunnel

Use this command to forcibly clear a specified tunnel.
clear vpdn tunnel [ { l2tp | pptp } [ id locid ] | [ remote-host-name ] ]

Parameter Description
Parameter Description
l2tp Indicates an L2TP tunnel.
pptp Indicates a PPTP tunnel.
remote-host-name Indicates the peer host name of a tunnel.
locid Indicates the ID of the tunnel to be deleted.

Command Mode Privileged EXEC mode

Default Level 14

Usage Guide This command forcibly clears a specified tunnel. If no parameter is set, all existing tunnels (including PPTP and L2TP tunnels) are forcibly cleared. If only a tunnel protocol is specified, all tunnels of that protocol are forcibly cleared. If a tunnel protocol and the peer host name of a tunnel are specified, the tunnels of that protocol whose peer host name matches the specified host name are forcibly cleared.
The ID of the tunnel to be deleted is the TunID displayed after the show vpdn command is executed.

Configuration Example #Clear all existing L2TP tunnels.
Ruijie# show vpdn
L2TP Tunnel and Session Information Total tunnels 1 sessions 1
LocID RemID Remote Name State Remote Address Port Sessions L2TP Class/VPDN Group
1 1 BLIZZARD est 192.168.12.213 1701 1 1
LocID RemID TunID Username, Intf/Vcid, Circuit State Last Chg
1 1 1 ms,Vi1 est 00:46:30
%No active PPTP tunnels
Ruijie# clear vpdn tunnel l2tp
Ruijie#
%UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
%CHANGED: Interface Virtual-Access1, changed state to administratively down
Ruijie# show vpdn
%No active L2TP tunnels
%No active PPTP tunnels
Ruijie#

encapsulation (L2TP)

Use this command to set the data encapsulation mode for tunnels.
encapsulation l2tpv2

Parameter Description
Parameter Description
l2tpv2 Transmits tunnel data via L2TP as specified in RFC2661.

Defaults No data encapsulation mode is set for tunnels by default.

Command Mode Pseudowire-class interface configuration mode

Default Level 14

Usage Guide On a pseudowire-class interface, set the tunnel data transmission parameters only after setting the tunnel data encapsulation mode.

Configuration Example #Set the tunnel data encapsulation mode to L2TPv2.
Ruijie(config)# pseudowire-class pw
Ruijie(config-pw-class)#encapsulation l2tpv2
Ruijie(config-pw-class)#

Verification Run the show running-config command to display the data encapsulation mode of tunnels.

force-local-chap

Use this command to forcibly perform complete PPP authentication. When the client triggers the L2TP
Access Concentrator (LAC) to start dialup, the LAC serves as the proxy of the L2TP Network Server
(LNS) to authenticate the client. This command is used to re-authenticate the client after an L2TP
tunnel is established. This command is available only on the LNS.
force-local-chap

Use the no form of this command to restore the default configuration of the system.
no force-local-chap

Parameter Description
Parameter Description
N/A N/A

Defaults The LNS does not need to re-authenticate the client by default.

Command Mode VPDN-group interface configuration mode

Default Level 14

Usage Guide Configure this command only after configuring the vpdn enable command.

Configuration Example #Configure PPP CHAP re-authentication for tunnels.
Ruijie(config)# vpdn-group 1
Ruijie(config-vpdn)# force-local-chap
Ruijie(config-vpdn)#

Verification Run the show running-config command to check whether the LNS conducts authentication on the client.

force-local-lcp

Use this command to forcibly perform complete PPP authentication. When the client triggers the LAC
to dial up, the LAC serves as the proxy of the LNS to authenticate the client. This command is used to
re-conduct LCP negotiation for the client after an L2TP tunnel is established. This command is
available only on the LNS.
force-local-lcp

Use the no form of this command to restore the default configuration of the system.
no force-local-lcp

Parameter Description
Parameter Description
N/A N/A

Defaults The LNS does not need to re-conduct LCP negotiation for the client by default.

Command Mode VPDN-group interface configuration mode

Default Level 14

Usage Guide Configure this command only after configuring the vpdn enable command.

Configuration Example #Configure PPP LCP re-negotiation for tunnels.
Ruijie(config)# vpdn-group 1
Ruijie(config-vpdn)# force-local-lcp
Ruijie(config-vpdn)#

Verification Run the show running-config command to check whether LCP negotiation is conducted again for the client.

hello

Use this command to set the transmission interval of Hello messages transmitted to keep L2TP tunnels
alive.
hello interval

Use the no form of this command to restore the default configuration of the system.
no hello

Parameter Description
Parameter Description
interval Indicates the transmission interval of Hello messages in seconds. The value range is from 1 to 1,000.

Defaults The default transmission interval of Hello messages is 60 seconds.

Command Mode L2TP-class interface configuration mode

Default Level 14

Usage Guide You can set the transmission interval of Hello messages based on the network environment, to check whether an L2TP tunnel is still available. If the network is stable and reliable, set the transmission interval of Hello messages to a relatively large value.

Configuration Example #Set the transmission interval of Hello messages to 120 seconds.
Ruijie(config)# l2tp-class 1
Ruijie(config-l2tp-class)# hello 120
Ruijie(config-l2tp-class)#

Verification Run the show running-config command to display the transmission interval of Hello messages.

hostname (L2TP)

Use this command to set the local host name of an L2TP tunnel.
hostname local-hostname-string

Use the no form of this command to restore the default configuration of the system.
no hostname

Parameter Description
Parameter Description
local-hostname-string Indicates the local host name of a tunnel.

Defaults The system uses the router name as the local host name of a tunnel by default.

Command Mode L2TP-class interface configuration mode

Default Level 14

Usage Guide You can set the local host name of a tunnel as required to identify the tunnel. Any effective change to the local host name of a tunnel causes active and forcible disconnection of the L2TP tunnel.

Configuration Example #Set the local host name of a tunnel to LAC.
Ruijie(config)# l2tp-class 1
Ruijie(config-l2tp-class)# hostname LAC
Ruijie(config-l2tp-class)#

Verification Run the show running-config command to display the local host name of the tunnel.

ip dfbit set

Use this command to disable tunnel data fragmentation for transmission.
ip dfbit set

Use the no form of this command to restore the default configuration of the system.
no ip dfbit set

Parameter Description
  N/A    N/A

Defaults The system allows tunnel data fragmentation for transmission by default.

Command Mode    Pseudowire-class interface configuration mode

Default Level 14

Usage Guide You can allow tunnel data fragmentation for transmission as required. Any effective change on the
configuration of tunnel data fragmentation will immediately affect transmission of tunnel data but will
not cause forcible disconnection of the L2TP tunnel.
To run this command, you need to execute the encapsulation l2tpv2 command first.

Configuration Example  #Disable tunnel data fragmentation for transmission.
Ruijie(config)# pseudowire-class pw
Ruijie(config-pw-class)# encapsulation l2tpv2
Ruijie(config-pw-class)# ip dfbit set
Ruijie(config-pw-class)#

Verification Run the show running-config command to check whether tunnel data is fragmented for transmission.

ip local interface

Use this command to set the local (source) interface and the outgoing interface used by a tunnel.
ip local interface interface-name [ out-interface outintf-name ]

Use the no form of this command to restore the default configuration of the system.
no ip local interface interface-name

Parameter Description
  interface-name    Indicates the name of a local interface.
  outintf-name      Indicates the name of an outgoing interface.

Defaults The local (source) interface used by a tunnel is not specified by default.

Command Mode    Pseudowire-class interface configuration mode

Default Level 14

Usage Guide You can specify a network interface on a router as the local (source) interface of a tunnel. Any effective
change on the configuration of the local (source) interface of a tunnel will cause active and forcible
disconnection of the L2TP tunnel.
To run this command, you need to execute the encapsulation l2tpv2 command first.

Configuration Example  # Set the local (source) interface of a tunnel to GigabitEthernet 0/1.
Ruijie(config)# pseudowire-class pw
Ruijie(config-pw-class)# encapsulation l2tpv2
Ruijie(config-pw-class)# ip local interface gigabitethernet 0/1
Ruijie(config-pw-class)#
# Set the local (source) interface of a tunnel to GigabitEthernet 0/3 and the outgoing interface to GigabitEthernet 0/3.
Ruijie(config)# pseudowire-class pw
Ruijie(config-pw-class)# ip local interface GigabitEthernet 0/3 out-interface GigabitEthernet 0/3
Ruijie(config-pw-class)#

Verification Run the show running-config command to display the local (source) interface and the outgoing
interface of the tunnel.

ip precedence

Use this command to set the precedence field in the IP header of tunnel packets.
ip precedence { precedence-value | critical | flash | flash-override | immediate | internet | network | priority | routine }

Use the no form of this command to restore the default configuration of the system.
no ip precedence

Parameter Description
  precedence-value    Indicates the value of the precedence field. The value range is from 0 to 7.
  critical            Indicates that the value of the precedence field is 5.
  flash               Indicates that the value of the precedence field is 3.
  flash-override      Indicates that the value of the precedence field is 4.
  immediate           Indicates that the value of the precedence field is 2.
  internet            Indicates that the value of the precedence field is 6.
  network             Indicates that the value of the precedence field is 7.
  priority            Indicates that the value of the precedence field is 1.
  routine             Indicates that the value of the precedence field is 0.

Defaults The default value of the precedence field in the IP header of tunnel packets is 0.

Command Mode    VPDN-group interface configuration mode

Default Level 14

Usage Guide Use this command if you need to set the priority of tunnel data. Effective configuration of this command
will immediately affect transmission of tunnel data, but will not cause active or forcible disconnection
of relevant tunnels.

Configuration Example  #Set the priority of tunnel data to 7.
Ruijie(config)# vpdn-group 1
Ruijie(config-vpdn)# ip precedence 7
Ruijie(config-vpdn)#

Verification Run the show running-config command to display the precedence field in the IP header of tunnel
packets.

ip tos

Use this command to set the type of service (TOS) field in the IP header of tunnel packets.
ip tos { tos-value | max-reliability | max-throughput | min-delay | min-monetary-cost | normal | reflect }

Use the no form of this command to restore the default configuration of the system.
no ip tos

Parameter Description
  tos-value            Indicates the value of the TOS field. The value range is from 0 to 15.
  max-reliability      Indicates that the value of the TOS field is 2.
  max-throughput       Indicates that the value of the TOS field is 4.
  min-delay            Indicates that the value of the TOS field is 8.
  min-monetary-cost    Indicates that the value of the TOS field is 1.
  normal               Indicates that the value of the TOS field is 0.
  reflect              Uses the TOS field in IP data packets carried by a tunnel as the TOS field in the IP header of tunnel packets.

Defaults The default value of the TOS field in the IP header of tunnel packets is 0.

Command Mode    VPDN-group interface configuration mode

Default Level 14

Usage Guide Use this command if you need to set the TOS of tunnel data. Effective configuration of this command
will immediately affect transmission of tunnel data, but will not cause active or forcible disconnection
of relevant tunnels.

Configuration Example  #Set the TOS of tunnel data to min-delay.
Ruijie(config-vpdn)# ip tos min-delay
Ruijie(config-vpdn)#

Verification Run the show running-config command to display the TOS field in the IP header of tunnel data.

ip ttl

Use this command to set the time to live (TTL) field in the IP header of tunnel packets.
ip ttl ttl-value

Use the no form of this command to restore the default configuration of the system.
no ip ttl

Parameter Description
  ttl-value    Indicates the value of the TTL field. The value range is from 1 to 255.

Defaults The TTL field in the IP header of tunnel packets is set to 255 by default.

Command Mode    Pseudowire-class interface configuration mode

Default Level 14

Usage Guide You can set the TTL field in the IP header of tunnel packets as required. Any effective change on the
configuration of the TTL field in the IP header of tunnel data will immediately affect transmission of
tunnel data but will not cause forcible disconnection of the L2TP tunnel.
To run this command, you need to execute the encapsulation l2tpv2 command first.

Configuration Example  #Set the TTL field in the IP header of tunnel packets to 253.
Ruijie(config)# pseudowire-class pw
Ruijie(config-pw-class)# encapsulation l2tpv2
Ruijie(config-pw-class)# ip ttl 253
Ruijie(config-pw-class)#

Verification Run the show running-config command to check whether the TTL field in the IP header of tunnel
packets is set.

l2tp ip udp checksum

Use this command to calculate and fill in the UDP checksum field for L2TP tunnel packets.
l2tp ip udp checksum

Use the no form of this command to restore the default configuration of the system.
no l2tp ip udp checksum

Parameter Description
  N/A    N/A

Defaults The UDP checksum field used in L2TP tunnel packets is null (that is, zero) by default.

Command Mode    VPDN-group interface configuration mode

Default Level 14

Usage Guide You can set whether to calculate and fill in the UDP checksum field used in L2TP tunnel packets as
required. This command is available only after the protocol l2tp or protocol any command is
configured.

Configuration Example  #Specify the UDP checksum field in L2TP tunnel packets.
Ruijie(config)# vpdn-group 1
Ruijie(config-vpdn)# accept-dialin
Ruijie(config-vpdn-acc-in)# protocol any
Ruijie(config-vpdn-acc-in)# exit
Ruijie(config-vpdn)# l2tp ip udp checksum
Ruijie(config-vpdn)#

Verification Run the show running-config command to check whether the UDP checksum field is used in L2TP
data packets.

l2tp tunnel authentication

Use this command to enable tunnel authentication.
l2tp tunnel authentication

Use the no form of this command to restore the default configuration of the system.
no l2tp tunnel authentication

Parameter Description
  N/A    N/A

Defaults Tunnel authentication is disabled by default.

Command Mode    VPDN-group interface configuration mode

Default Level 14

Usage Guide You can enable or disable tunnel authentication as required. Any effective change on the configuration
of the tunnel authentication function will cause active and forcible disconnection of relevant L2TP
tunnels. This command is available only after the protocol l2tp or protocol any command is
configured.

Configuration Example  #Enable tunnel authentication.
Ruijie(config)# vpdn-group 1
Ruijie(config-vpdn)# accept-dialin
Ruijie(config-vpdn-acc-in)# protocol any
Ruijie(config-vpdn-acc-in)# exit
Ruijie(config-vpdn)# l2tp tunnel authentication
Ruijie(config-vpdn)#

Verification Run the show running-config command to check whether tunnel authentication is enabled.

l2tp tunnel avp-hidden-compatible

Use this command to enable the RFC2661-compliant AVP hiding parsing algorithm. The system supports the Cisco AVP hiding parsing algorithm by default.
l2tp tunnel avp-hidden-compatible

Use the no form of this command to restore the default configuration of the system.
no l2tp tunnel avp-hidden-compatible

Parameter Description
  N/A    N/A

Defaults The system adopts Cisco AVP hiding parsing algorithm by default.

Command Mode    VPDN-group interface configuration mode

Default Level 14

Usage Guide You can enable or disable the RFC2661-compliant AVP hiding parsing algorithm as required. If two
AVP hiding parsing algorithms need to be supported, you can configure multiple VPDN-groups. The
configuration of this command does not affect the current L2TP tunnel.
This command is displayed after the protocol l2tp command or the protocol any command is run.

Configuration Example  #Enable the RFC2661-compliant AVP hiding parsing algorithm.
Ruijie(config)# vpdn-group 1
Ruijie(config-vpdn)# accept-dialin
Ruijie(config-vpdn-acc-in)# protocol any
Ruijie(config-vpdn-acc-in)# exit
Ruijie(config-vpdn)# l2tp tunnel avp-hidden-compatible
Ruijie(config-vpdn)#

Verification Run the show running-config command to check whether the system supports the RFC2661-
compliant AVP hiding parsing algorithm.

l2tp tunnel force_ipsec

Use this command to configure the forcible IPSec packet encryption check. After this command is
configured, only packets encrypted via IPSec can pass through VPDN tunnels.
l2tp tunnel force_ipsec

Use the no form of this command to restore the default configuration of the system.
no l2tp tunnel force_ipsec

Parameter Description
  N/A    N/A

Defaults The forcible IPSec packet encryption check is disabled by default.

Command Mode    VPDN-group interface configuration mode

Default Level 14

Usage Guide You can enable or disable the forcible IPSec packet encryption check as required. Any effective
change on the configuration of the forcible IPSec packet encryption check will cause active and forcible
disconnection of relevant L2TP tunnels.
This command is displayed after the protocol l2tp command or the protocol any command is run.

Configuration Example  #Enable the forcible IPSec packet encryption check.
Ruijie(config)# vpdn-group 1
Ruijie(config-vpdn)# accept-dialin
Ruijie(config-vpdn-acc-in)# protocol any
Ruijie(config-vpdn-acc-in)# exit
Ruijie(config-vpdn)# l2tp tunnel force_ipsec
Ruijie(config-vpdn)#

Verification Run the show running-config command to check whether packets must be encrypted before they
are transmitted through VPDN tunnels.

l2tp tunnel hello

Use this command to set the transmission interval of Hello messages transmitted to keep a tunnel
alive.
l2tp tunnel hello interval

Use the no form of this command to restore the default configuration of the system.
no l2tp tunnel hello

Parameter Description
  interval    Indicates the transmission interval of Hello messages in seconds.

Defaults The default transmission interval of Hello messages is 60 seconds.

Command Mode    VPDN-group interface configuration mode

Default Level 14

Usage Guide You can set the transmission interval of Hello messages based on requirements and the network environment. Any effective change on the transmission interval of Hello messages of a tunnel will cause active and forcible disconnection of the L2TP tunnel.
This command is displayed after the protocol l2tp command or the protocol any command is run.

Configuration Example  #Set the transmission interval of Hello messages to 30 seconds.
Ruijie(config-vpdn)# accept-dialin
Ruijie(config-vpdn-acc-in)# protocol any
Ruijie(config-vpdn-acc-in)# exit
Ruijie(config-vpdn)# l2tp tunnel hello 30
Ruijie(config-vpdn)#

Verification Run the show running-config command to display the transmission interval of Hello messages
transmitted to keep the tunnel alive.

l2tp tunnel password

Use this command to set the tunnel authentication password.
l2tp tunnel password password-string

Use the no form of this command to clear the tunnel authentication password.
no l2tp tunnel password

Parameter Description
  password-string    Indicates the tunnel authentication password.

Defaults No tunnel authentication password is set for the system by default.

Command Mode    VPDN-group interface configuration mode

Default Level 14

Usage Guide If tunnel authentication is required, tunnel authentication must be enabled and the same authentication
password must be used at both ends of a tunnel. Any effective change on the tunnel authentication
password will cause active and forcible disconnection of the relevant L2TP tunnel.
This command is displayed after the protocol l2tp command or the protocol any command is run.

Configuration Example  #Set the tunnel authentication password to share.
Ruijie(config)# vpdn-group 1
Ruijie(config-vpdn)# accept-dialin
Ruijie(config-vpdn-acc-in)# protocol any
Ruijie(config-vpdn-acc-in)# exit
Ruijie(config-vpdn)# l2tp tunnel password share

Verification Run the show running-config command to display the tunnel authentication password.

l2tp tunnel receive-window

Use this command to set the size of the receive window for tunnel control messages.
l2tp tunnel receive-window size

Use the no form of this command to restore the default configuration of the system.
no l2tp tunnel receive-window

Parameter Description
  size    Indicates the size of the receive window for tunnel control messages. The range is from 4 to 300.

Defaults The default size of the receive window for tunnel control messages is 4.

Command Mode    VPDN-group interface configuration mode

Default Level 14

Usage Guide Any changes on the size of the receive window for tunnel control messages will cause forcible
disconnection of relevant L2TP tunnels.
This command is displayed after the protocol l2tp command or the protocol any command is run.

Configuration Example  #Set the size of the receive window for control messages to 12.
Ruijie(config)# vpdn-group 1
Ruijie(config-vpdn)# accept-dialin
Ruijie(config-vpdn-acc-in)# protocol any
Ruijie(config-vpdn-acc-in)# exit
Ruijie(config-vpdn)# l2tp tunnel receive-window 12
Ruijie(config-vpdn)#

Verification Run the show running-config command to display the size of the receive window for tunnel control
messages.

l2tp tunnel retransmit

Use this command to set retransmission parameters for L2TP tunnel control messages.
l2tp tunnel retransmit { retries number | timeout { min | max } seconds }

Use the no form of this command to restore the default configuration of the system.
no l2tp tunnel retransmit { retries | timeout { min | max } }

Parameter Description
  number     Indicates the number of retransmission times of control messages.
  seconds    Indicates the retransmission interval of control messages.

Defaults The maximum number of retransmission times of control messages is 5, the minimum retransmission
interval is 1 second, and the maximum retransmission interval is 8 seconds by default.

Command Mode    VPDN-group interface configuration mode

Default Level 14

Usage Guide Any effective change on settings of retransmission parameters of tunnel control messages will cause
active and forcible disconnection of relevant L2TP tunnels.
This command is displayed after the protocol l2tp command or the protocol any command is run.

Configuration Example  #Set the maximum number of retransmission times of control messages to 10.
Ruijie(config)# vpdn-group 1
Ruijie(config-vpdn)# accept-dialin
Ruijie(config-vpdn-acc-in)# protocol any
Ruijie(config-vpdn-acc-in)# exit
Ruijie(config-vpdn)# l2tp tunnel retransmit retries 10
Ruijie(config-vpdn)#

Verification Run the show running-config command to display retransmission parameters of L2TP tunnel control
messages.

l2tp tunnel timeout

Use this command to set the maximum waiting timeout period for establishing a session connection
or control connection of an L2TP tunnel.
l2tp tunnel timeout { no-session | setup } seconds

Use the no form of this command to restore the default configuration of the system.
no l2tp tunnel timeout { no-session | setup }

Parameter Description
  no-session    Indicates that a tunnel is established but the session connection is not established.
  setup         Indicates that a control connection (tunnel) is not established.
  seconds       Indicates the timeout period in seconds.

Defaults The maximum allowable waiting timeout period for establishing a session connection is 600 seconds
and the maximum allowable waiting timeout period for establishing a control connection (tunnel) is 300
seconds by default.

Command Mode    VPDN-group interface configuration mode

Default Level 14

Usage Guide Any effective change on the maximum allowable waiting timeout period for establishing a session
connection or control connection for an existing tunnel will cause active and forcible disconnection of
the L2TP tunnel.
This command is displayed after the protocol l2tp command or the protocol any command is run.

Configuration Example  #Set the allowable waiting timeout period for establishing a session connection of a tunnel to 1,200 seconds.
Ruijie(config)# vpdn-group 1
Ruijie(config-vpdn)# accept-dialin
Ruijie(config-vpdn-acc-in)# protocol any
Ruijie(config-vpdn-acc-in)# exit
Ruijie(config-vpdn)# l2tp tunnel timeout no-session 1200
Ruijie(config-vpdn)#

Verification Run the show running-config command to display the maximum allowable waiting timeout period for
establishing a session connection or control connection of an L2TP tunnel.

l2tp-class

Use this command to set the L2TP-class interface of a specified name. If the L2TP-class interface of
the specified name does not exist, the system creates an L2TP-class interface with the specified name.
l2tp-class l2tp-class-name

Use the no form of this command to delete the L2TP-class interface of a specified name.
no l2tp-class l2tp-class-name

Parameter Description
  l2tp-class-name    Indicates the name of an L2TP-class interface.

Defaults No L2TP-class interface is set by default.

Command Mode    Global configuration mode

Default Level 14

Usage Guide You can configure or reference an L2TP-class interface to set work parameters for the L2TP control
connection.

Configuration Example  #Create an L2TP-class interface named l2x.
Ruijie(config)# l2tp-class l2x
Ruijie(config-l2tp-class)#

Verification Run the show running-config command to display the L2TP-class interface of the specified name.

lcp renegotiation always

Use this command to ignore errors in L2TP control packets that are from the peer device and do not
comply with the RFC specifications, to ensure normal negotiation.
lcp renegotiation always

Use the no form of this command to restore the default configuration of the system.
no lcp renegotiation always

Parameter Description
  N/A    N/A

Defaults Received L2TP control packets must strictly comply with specifications by default.

Command Mode    VPDN-group interface configuration mode

Default Level 14

Usage Guide Use this command to ignore errors in L2TP control packets that are from the peer device and do not
comply with the RFC specifications, to ensure normal negotiation.

Configuration Example  #Configure the function of ignoring errors in L2TP control packets that are from the peer device and do not comply with the RFC specifications.
Ruijie(config)# vpdn-group 1
Ruijie(config-vpdn)# lcp renegotiation always
Ruijie(config-vpdn)#

Verification Run the show running-config command to check whether errors in L2TP control packets that are
from the peer device and do not comply with the RFC specifications are ignored.

local name

Use this command to set the local host name of a tunnel.
local name local-hostname-string

Use the no form of this command to restore the default configuration of the system.
no local name

Parameter Description
  local-hostname-string    Indicates the local host name of a tunnel.

Defaults The system uses the router name as the local host name of a tunnel by default.

Command Mode    VPDN-group interface configuration mode

Default Level 14

Usage Guide You can set the local host name for a tunnel on the router to identify the tunnel. The effective
configuration or change of this command will immediately cause active and forcible disconnection of
existing relevant tunnels.

Configuration Example  #Set the local host name of a tunnel to LNS.
Ruijie(config)# vpdn-group 1
Ruijie(config-vpdn)# local name LNS
Ruijie(config-vpdn)#

Verification Run the show running-config command to display the local host name of the tunnel.

password (L2TP)

Use this command to set the tunnel authentication password.
password password-string

Use the no form of this command to restore the default configuration of the system.
no password

Parameter Description
  password-string    Indicates the tunnel authentication password.

Defaults Tunnel authentication is disabled by default and therefore no tunnel authentication password is set.

Command Mode    L2TP-class interface configuration mode

Default Level 14

Usage Guide If tunnel authentication is required, tunnel authentication must be enabled and the same authentication
password must be used at both ends of a tunnel. Any effective change on the tunnel authentication
password will cause active and forcible disconnection of the relevant L2TP tunnel.

Configuration Example  #Set the tunnel authentication password to share.
Ruijie(config)# l2tp-class 1
Ruijie(config-l2tp-class)# password share
Ruijie(config-l2tp-class)#

Verification Run the show running-config command to display the tunnel authentication password.

pptp flow-control receive-window

Use this command to set the maximum number of packets that are allowed to be sent before the peer
device of a PPTP session receives the ACK from the local device.
pptp flow-control receive-window packets

Use the no form of this command to restore the default configuration of the system.
no pptp flow-control receive-window

Parameter Description
  packets    Indicates the maximum number of packets that are allowed to be sent before the peer device of a PPTP session receives the ACK from the local device. The value range is from 1 to 64.

Defaults The default value is 64 on the PNS and 16 on the PAC.

Command Mode    VPDN-group interface configuration mode

Default Level 14

Usage Guide This command is a proprietary configuration command of PPTP. Therefore, this command is available only after the protocol pptp or protocol any command is configured.
According to recommendations in RFC2637 of PPTP, both parties of a session use half of the maximum receive window received from the peer device as the initial send window for the local device during negotiation. When the send window is full, the system stops sending packets to the peer device of the session, and reduces the size of the send window by half till the size of the send window becomes 1. The system resumes packet sending after receiving the ACK response to sent packets from the peer device. If no ACK timeout occurs after packets of the quantity equaling the size of the current send window are continuously sent to the peer device, the system increases the size of the local send window by 1 till the size is equal to the maximum receive window size of the peer device. The ACK timeout interval is calculated using a dedicated algorithm according to RFC2637.

Configuration Example  #Set the maximum size of the receive window for local PPTP sessions to 32.
Ruijie(config)# vpdn-group 1
Ruijie(config-vpdn)# accept-dialin
Ruijie(config-vpdn-acc-in)# protocol pptp
Ruijie(config-vpdn-acc-in)# exit
Ruijie(config-vpdn)# pptp flow-control receive-window 32
Ruijie(config-vpdn)#

Verification Run the show running-config command to display the maximum number of packets that are allowed
to be sent.
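The send-window adjustment that the Usage Guide above describes, as an added Python simulation (not Ruijie's implementation): the class and method names are assumptions, the halving step is triggered by an ACK timeout reported by the caller, and the ATO timer itself is not modelled.

```python
"""Simulation of the PPTP send-window adjustment described for
pptp flow-control receive-window (RFC 2637 style sliding window).
Added example, not Ruijie code.  Assumptions: class and method names are
invented; the halving step is triggered by an ACK timeout reported by the
caller, and the ATO timer itself is not modelled."""


class PptpSendWindow:
    """Local send window for one PPTP session."""

    def __init__(self, peer_receive_window: int) -> None:
        # pptp flow-control receive-window accepts 1..64 on this platform.
        if not 1 <= peer_receive_window <= 64:
            raise ValueError("peer receive window must be in 1..64")
        self.peer_max = peer_receive_window
        # Initial send window: half of the peer's advertised receive window.
        self.window = max(1, peer_receive_window // 2)
        self.in_flight = 0         # packets sent but not yet acknowledged
        self.acked_in_window = 0   # ACKs counted since the last timeout/growth
        self.stalled = False       # True while the window is full

    def can_send(self) -> bool:
        return self.in_flight < self.window

    def send(self) -> bool:
        """Try to send one data packet; False means the window is full and
        sending stops until an ACK arrives."""
        if not self.can_send():
            self.stalled = True
            return False
        self.in_flight += 1
        return True

    def on_ack(self, count: int = 1) -> None:
        """Peer acknowledged `count` packets.  Once a full window's worth of
        packets has been acknowledged without a timeout, grow the window by
        one, up to the peer's maximum receive window."""
        count = min(count, self.in_flight)
        self.in_flight -= count
        self.stalled = False
        self.acked_in_window += count
        while self.acked_in_window >= self.window:
            self.acked_in_window -= self.window
            if self.window < self.peer_max:
                self.window += 1

    def on_timeout(self) -> None:
        """ACK timeout (ATO expired): halve the send window, never below 1,
        and restart the growth count."""
        self.window = max(1, self.window // 2)
        self.acked_in_window = 0


def simulate(peer_receive_window: int, events: str) -> list:
    """Drive one session with an event string ('S' send attempt, 'A' one ACK,
    'T' ACK timeout) and return the window size after each event."""
    win = PptpSendWindow(peer_receive_window)
    trace = []
    for ev in events:
        if ev == "S":
            win.send()
        elif ev == "A":
            win.on_ack()
        elif ev == "T":
            win.on_timeout()
        else:
            raise ValueError(f"unknown event {ev!r}")
        trace.append(win.window)
    return trace


if __name__ == "__main__":
    # Peer advertised 32 (the Configuration Example value): start at 16,
    # a fully ACKed burst grows the window to 17, one timeout halves it to 8.
    print(simulate(32, "S" * 16 + "A" * 16 + "T"))
```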

pptp flow-control static-rtt

Use this command to set the static reference timeout period for waiting the ACK response to a sent
single data packet in a PPTP session.
pptp flow-control static-rtt timeout-interval

Use the no form of this command to restore the default configuration of the system.
no pptp flow-control static-rtt

Parameter Description
  timeout-interval    Indicates the static reference timeout period in milliseconds for waiting the ACK response to a sent single data packet in a PPTP session. The value range is from 100 to 5,000.

Defaults The default value is 1500 milliseconds.

Command Mode    VPDN-group interface configuration mode

Default Level 14

Usage Guide This command is a proprietary configuration command of PPTP. Therefore, this command is available only after the protocol pptp or protocol any command is configured.
According to recommendations in RFC2637 of PPTP, the timeout interval for waiting the ACK response to sent PPTP packets, that is, the Acknowledgment Time-Out (ATO), is calculated using a dedicated algorithm, and the dynamically calculated Round-Trip Time (RTT) is used. The static-rtt value configured in this command is used as the initial reference value in RTT calculation.

Configuration Example  #Set the static reference timeout period for waiting the ACK response to a sent single data packet in a PPTP session to 32 milliseconds.
Ruijie(config)# vpdn-group 1
Ruijie(config-vpdn)# accept-dialin
Ruijie(config-vpdn-acc-in)# protocol pptp
Ruijie(config-vpdn-acc-in)# exit
Ruijie(config-vpdn)# pptp flow-control static-rtt 32
Ruijie(config-vpdn)#

Verification Run the show running-config command to display the static reference timeout period for waiting the
ACK response to a sent single data packet in a PPTP session.

pptp tunnel echo

Use this command to set the interval for the local device of a PPTP tunnel for actively sending echo
requests.
pptp tunnel echo echo-packet-interval

Use the no form of this command to restore the default configuration of the system.
no pptp tunnel echo

Parameter Description
  echo-packet-interval    Indicates the interval in seconds for the local device of a PPTP tunnel for actively sending echo requests. The value range is from 0 to 1000.

Defaults The default interval is 60 seconds.

Command Mode    VPDN-group interface configuration mode

Default Level 14

Usage Guide This command is a proprietary configuration command of PPTP. Therefore, this command is available only after the protocol pptp or protocol any command is configured. When echo-packet-interval is set to 0, the local device of a PPTP tunnel does not actively send echo packets.
When echo-packet-interval is not set to 0, the local device of a PPTP tunnel actively sends an echo request to detect the tunnel status, and starts a timer for waiting for an echo reply from the peer device, if it fails to receive any valid protocol or data packet from the peer device within the interval specified by echo-packet-interval. The initial waiting timeout period is 1 second. If a timeout occurs while waiting for the first echo reply, the local device of the PPTP tunnel sends a second echo request and doubles the waiting timeout period, and so on. If the local device fails to receive an echo reply from the peer device within five intervals, the device considers that the tunnel communication is abnormal, and disables the tunnel as well as the sessions carried on the tunnel.

Configuration Example  #Set the interval for the local device of a PPTP tunnel for sending echo requests to 30 seconds.
Ruijie(config)# vpdn-group 1
Ruijie(config-vpdn)# accept-dialin
Ruijie(config-vpdn-acc-in)# protocol pptp
Ruijie(config-vpdn-acc-in)# exit
Ruijie(config-vpdn)# pptp tunnel echo 30
Ruijie(config-vpdn)#

Verification Run the show running-config command to display the interval for the local device of a PPTP tunnel
for actively sending echo requests.
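The echo keepalive behaviour described in the Usage Guide above, as an added Python state machine (not Ruijie's implementation): the class, its method names and the 0.5 s polling step are assumptions; the idle interval, the 1 s initial wait, the doubling and the five-request limit are the rules the page states.

```python
"""Keepalive state machine for the pptp tunnel echo behaviour.
Added example, not Ruijie's implementation: the class, method names and
the 0.5 s polling step are assumptions.  Rules taken from the page: an echo
request is sent after echo-packet-interval seconds without any valid packet
from the peer; the reply wait starts at 1 s and doubles per retry; after
five unanswered requests the tunnel is declared down; interval 0 disables
active echoes."""

ECHO_RETRIES = 5      # "fails to receive the echo reply ... within five intervals"
INITIAL_WAIT = 1.0    # "The initial waiting timeout period is 1 second"


class PptpEchoMonitor:
    def __init__(self, echo_interval: float, now: float = 0.0) -> None:
        if not 0 <= echo_interval <= 1000:
            raise ValueError("echo-packet-interval must be in 0..1000")
        self.interval = echo_interval
        self.last_rx = now          # time of the last valid packet from the peer
        self.retries = 0            # echo requests sent in the current sequence
        self.wait = INITIAL_WAIT    # reply timeout for the next request
        self.echo_due = None        # deadline for the outstanding reply
        self.sent = []              # timestamps of echo requests, for inspection
        self.down = False

    def on_packet(self, now: float) -> None:
        """Any valid protocol or data packet (an echo reply included) resets
        the idle timer and cancels the outstanding echo sequence."""
        self.last_rx = now
        self.retries = 0
        self.wait = INITIAL_WAIT
        self.echo_due = None

    def _send_echo(self, now: float) -> None:
        self.sent.append(now)
        self.retries += 1
        self.echo_due = now + self.wait
        self.wait *= 2              # doubling back-off between retries

    def tick(self, now: float) -> str:
        """Advance the clock to `now`; returns 'idle', 'waiting',
        'echo-sent' or 'down'."""
        if self.down:
            return "down"
        if self.interval == 0:      # interval 0: never send echoes actively
            return "idle"
        if self.echo_due is None:
            if now - self.last_rx >= self.interval:
                self._send_echo(now)
                return "echo-sent"
            return "idle"
        if now < self.echo_due:
            return "waiting"
        if self.retries >= ECHO_RETRIES:
            self.down = True        # tear down the tunnel and its sessions
            return "down"
        self._send_echo(now)
        return "echo-sent"


def run_without_replies(echo_interval: float, step: float = 0.5,
                        limit: float = 10000.0):
    """Simulate a peer that never answers.  Returns (time at which the tunnel
    was declared down, or None, list of echo request timestamps)."""
    mon = PptpEchoMonitor(echo_interval)
    t = 0.0
    while t <= limit:
        if mon.tick(t) == "down":
            return t, list(mon.sent)
        t += step
    return None, list(mon.sent)


if __name__ == "__main__":
    # With the Configuration Example value of 30 s, a silent peer is detected
    # 30 + 1 + 2 + 4 + 8 + 16 = 61 s after its last packet.
    print(run_without_replies(30))
```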

protocol

Use this command to set a tunnel protocol for a tunnel.
protocol { any | l2tp | pptp }

Use the no form of this command to restore the default configuration of the system.
no protocol

Parameter Description
  any     Matches all available tunnel protocols.
  l2tp    Matches L2TP.
  pptp    Matches PPTP.

Defaults No tunnel protocol is specified for a tunnel by default.

Command Mode    VPDN-group interface configuration mode

Default Level 14

Usage Guide You must specify a tunnel protocol for a tunnel. Any effective setting of or change on the tunnel protocol
will cause active disconnection of existing relevant tunnels. This command is available only after the
accept-dialin command is configured.

Configuration Example  #Set the tunnel protocol to L2TP.
Ruijie(config-vpdn)# accept-dialin
Ruijie(config-vpdn-acc-in)# protocol l2tp
Ruijie(config-vpdn-acc-in)#

Verification Run the show running-config command to display the tunnel protocol used by the tunnel.

protocol (L2TP)

Use this command to set L2TP control connection parameters.
protocol l2tpv2 [ l2tp-class-name ]

Use the no form of this command to restore the default configuration of the system.
no protocol

Parameter Description
  l2tpv2             Uses L2TP as the tunnel protocol.
  l2tp-class-name    Indicates the name of a referenced L2TP-class interface.

Defaults The system uses L2TPv2 as the L2TP tunnel protocol by default.

Command Mode    Pseudowire-class interface configuration mode

Default Level 14

Usage Guide Any effective change on control connection parameters will cause active and forcible disconnection
of the L2TP tunnel.

Configuration Example  #Set the tunnel protocol to L2TPv2 and apply the L2TP-class interface named l2x to set control connection parameters.
Ruijie(config)# pseudowire-class pw
Ruijie(config-pw-class)# protocol l2tpv2 l2x
Ruijie(config-pw-class)#

Verification Run the show running-config command to display L2TP control connection parameters.

pseudowire

Use this command to configure pseudowire rules.


pseudowire peer-ip-address vcid { encapsulation l2tpv2 [ pw-class pw-class-name ] | pw-class pw-class-name }


Use the no form of this command to restore the default configuration of the system.
no pseudowire

Use this command to configure pseudowire rules using hostname.

pseudowire hostname peer-hostname vcid { encapsulation l2tpv2 [ pw-class pw-class-name ] | pw-class pw-class-name }

Use the no form of this command to restore the default configuration of the system.
no pseudowire

Parameter Description
peer-ip-address Indicates the address of the remote L2TP network server (LNS).
peer-hostname Indicates the host name that the LNS registers with the DNS server and that maps to the address of the LNS.
vcid Indicates the pseudowire global ID.
l2tpv2 Uses L2TPv2 (described in RFC 2661) as the tunnel protocol.
pw-class-name Indicates the name of a referenced pseudowire-class unit.

Defaults No pseudowire rule is configured by default.

Command Mode Interface configuration mode

Default Level 14

Usage Guide Pseudowire rules can be configured only on the virtual-ppp interface. Any effective change on
pseudowire rules of the virtual-ppp interface will cause active and forcible disconnection of relevant
L2TP tunnels.

Configuration Example #Configure a pseudowire rule on the virtual-ppp interface, set the LNS address to 192.168.12.213, and reference the pseudowire-class interface named pw.
Ruijie(config)# interface virtual-ppp 1
Ruijie(config-if-Virtual-ppp 1)# pseudowire 192.168.12.213 33 pw-class pw
#Configure a pseudowire rule using the host name as follows:
Enable the DNS service, configure the address of the DNS server, and configure a route to the DNS
server.
ip domain-lookup
l2tp-class 1
pseudowire-class 1
encapsulation l2tpv2
ip name-server 192.168.5.119


ip name-server 61.154.22.41
interface FastEthernet 0/0
ip ref
ip address 192.168.52.90 255.255.255.0
duplex auto
speed auto
interface Virtual-ppp 1
pseudowire hostname mm.hxs.meibu.com 1 encapsulation l2tpv2
ppp pap sent-username user1 password 11
ip address negotiate
ip route 0.0.0.0 0.0.0.0 192.168.52.1

Verification Run the show running-config command to display pseudowire rules.

pseudowire-class

Use this command to set a pseudowire-class interface of a specified name. If the pseudowire-class
interface of the specified name does not exist, the system creates a pseudowire-class interface with
the specified name.
pseudowire-class pseudowire-class-name

Use the no form of this command to delete a pseudowire-class interface of a specified name.
no pseudowire-class pseudowire-class-name

Parameter Description
pseudowire-class-name Indicates the name of a pseudowire-class interface.

Defaults No pseudowire-class interface is set in the system by default.

Command Mode Global configuration mode

Default Level 14

Usage Guide You can configure and reference a pseudowire-class interface to set L2TP tunnel work parameters.

Configuration Example #Create a pseudowire-class interface named pw.
Ruijie(config)# pseudowire-class pw
Ruijie(config-pw-class)#

Verification Run the show running-config command to display the pseudowire-class interface of the specified
name.


receive-window

Use this command to set the size of the receive window for tunnel control messages.
receive-window size

Use the no form of this command to restore the default configuration of the system.
no receive-window

Parameter Description
size Indicates the size of the receive window for control messages, ranging from 1 to 800.

Defaults The default size of the receive window for control messages is 8.

Command Mode L2TP-class interface configuration mode

Default Level 14

Usage Guide Any effective change on the size of the receive window for tunnel control messages will cause active
and forcible disconnection of the L2TP tunnel.

Configuration Example #Set the size of the receive window for control messages to 12.
Ruijie(config)# l2tp-class 1
Ruijie(config-l2tp-class)# receive-window 12
Ruijie(config-l2tp-class)#

Verification Run the show running-config command to display the size of the receive window for tunnel control
messages.

retransmit

Use this command to set retransmission parameters for control messages.


retransmit { initial { retries initial-retries | timeout { max | min } initial-timeout } | retries retries | timeout { max | min } timeout }

Use the no form of this command to restore the default configuration of the system.
no retransmit { initial {retries | timeout {max | min} }| retries | timeout {max | min} }

Parameter Description
initial-retries Indicates the number of SCCRQ retransmission times. The value range is from 1 to 1000.
initial-timeout Indicates the SCCRQ retransmission interval. The value range is from 1 to 8.
retries Indicates the number of retransmission times of other control messages. The value range is from 5 to 1000.
timeout Indicates the retransmission interval of other control messages. The value range is from 1 to 8.

Defaults By default, the number of SCCRQ retransmission times is 2, the number of retransmission times of
other control messages is 5, and the minimum and maximum retransmission intervals of control
messages are 1 second and 8 seconds respectively.

Command Mode L2TP-class interface configuration mode

Default Level 14

Usage Guide Any effective change on retransmission parameter settings of control messages will cause active and
forcible disconnection of the L2TP tunnel.

Configuration Example #Set the number of SCCRQ retransmission times to 3.
Ruijie(config)# l2tp-class 1
Ruijie(config-l2tp-class)# retransmit initial retries 3
Ruijie(config-l2tp-class)#

Verification Run the show running-config command to display retransmission parameters of control messages.

show l2tp-class

Use this command to display the configuration information of a specified L2TP-class interface in the
current system.
show l2tp-class [ l2tp-class-name ]

Parameter Description
l2tp-class-name Specifies the name of an L2TP-class interface.

Defaults N/A

Command Mode Common user configuration mode and privileged EXEC mode

Default Level 14


Usage Guide You can use this command to display detailed configuration information of all L2TP-class interfaces
or a specified L2TP-class interface configured in the system.

Configuration Example #Display the detailed configuration information of all L2TP-class interfaces in the current system.
Ruijie# show l2tp-class
L2TP Class class-default:
hidden disable, authentication disable
hello interval 60 second(s)
hostname Router, password Router
timeout setup 120 seconds
receive-window 8, no cookie space
retransmit retries 5, retransmit initial retries 2
retransmit timeout max 8 second(s), retransmit timeout min 1 second(s)
retransmit initial timeout max 8 second(s)
retransmit initial timeout min 1 second(s)

L2TP Class l2x:
hidden disable, authentication disable
hello interval 60 second(s)
hostname Router, password Router
timeout setup 120 seconds
receive-window 8, no cookie space
retransmit retries 5, retransmit initial retries 2
retransmit timeout max 8 second(s), retransmit timeout min 1 second(s)
retransmit initial timeout max 8 second(s)
retransmit initial timeout min 1 second(s)
Ruijie#

#Display the detailed configuration information of the L2TP-class interface of a specified name.
Ruijie# show l2tp-class l2x
L2TP Class l2x:
hidden disable, authentication disable
hello interval 60 second(s)
hostname Router, password Router
timeout setup 120 seconds
receive-window 8, no cookie space
retransmit retries 5, retransmit initial retries 2
retransmit timeout max 8 second(s), retransmit timeout min 1 second(s)
retransmit initial timeout max 8 second(s)
retransmit initial timeout min 1 second(s)
reference count: 1


Field description:
Field Description
hidden Indicates whether attribute-value pairs (AVPs) are hidden. The value disable indicates that AVPs are not hidden.
authentication Indicates whether tunnel authentication is supported. The value disable indicates that tunnel authentication is not supported.
hello interval Indicates the interval for sending Hello packets.
timeout setup Indicates the maximum allowable time for establishing a control connection.
receive-window Indicates the size of the receive window for tunnel control messages.
retransmit retries Indicates the number of retransmission times of control messages except SCCRQ.
retransmit initial retries Indicates the number of retransmission times of SCCRQ packets.
retransmit timeout max Indicates the maximum retransmission interval of control messages except SCCRQ.
retransmit timeout min Indicates the minimum retransmission interval of control messages except SCCRQ.
retransmit initial timeout max Indicates the maximum retransmission interval of SCCRQ packets.
retransmit initial timeout min Indicates the minimum retransmission interval of SCCRQ packets.
reference count Indicates the number of pseudowire-class interfaces associated with the L2TP-class interface.
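The show l2tp-class output is the natural place to audit a gateway's L2TP control-connection settings: both tunnel authentication and AVP hiding show as disable in the default class, and the tunnel password is visible in the output. The following Python script is an added example, not part of this reference or of Ruijie's software; it parses the documented output layout and reports weak settings. The sample output is constructed, and the hidden enable / authentication enable values used for class l2x are assumed (the reference only shows the disable form).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the "show l2tp-class" layout documented above. The
# "enable" values for class l2x are assumed; the reference only shows "disable".
SAMPLE_SHOW_L2TP_CLASS = """\
L2TP Class class-default:
hidden disable, authentication disable
hello interval 60 second(s)
hostname Router, password Router
timeout setup 120 seconds
receive-window 8, no cookie space
retransmit retries 5, retransmit initial retries 2
retransmit timeout max 8 second(s), retransmit timeout min 1 second(s)
retransmit initial timeout max 8 second(s)
retransmit initial timeout min 1 second(s)

L2TP Class l2x:
hidden enable, authentication enable
hello interval 60 second(s)
hostname LNStest, password Router
timeout setup 120 seconds
receive-window 8, no cookie space
retransmit retries 5, retransmit initial retries 2
retransmit timeout max 8 second(s), retransmit timeout min 1 second(s)
retransmit initial timeout max 8 second(s)
retransmit initial timeout min 1 second(s)
reference count: 1
"""

# Tunnel password shown for class-default in the reference output; treated here
# as the factory default that should not survive into production.
DEFAULT_TUNNEL_PASSWORD = "Router"


@dataclass
class L2tpClass:
    name: str
    hidden: str = "disable"
    authentication: str = "disable"
    hostname: str = ""
    password: str = ""
    reference_count: Optional[int] = None   # line is absent for class-default


CLASS_HEADER = re.compile(r"^L2TP Class (\S+):$")
# One pattern per field of interest; each captures the value after the keyword.
FIELD_PATTERNS = {
    "hidden": re.compile(r"\bhidden (\w+)"),
    "authentication": re.compile(r"\bauthentication (\w+)"),
    "hostname": re.compile(r"^hostname (\S+),"),
    "password": re.compile(r"\bpassword (\S+)$"),
    "reference_count": re.compile(r"^reference count: (\d+)"),
}
INT_FIELDS = {"reference_count"}


def parse_l2tp_classes(text: str) -> Dict[str, L2tpClass]:
    """Split show l2tp-class output into one L2tpClass record per class block."""
    classes: Dict[str, L2tpClass] = {}
    current: Optional[L2tpClass] = None
    for raw in text.splitlines():
        line = raw.strip()
        header = CLASS_HEADER.match(line)
        if header:
            current = L2tpClass(name=header.group(1))
            classes[current.name] = current
            continue
        if current is None or not line:
            continue            # prompt lines before the first class, blank separators
        for attr, pattern in FIELD_PATTERNS.items():
            match = pattern.search(line)
            if match:
                value = match.group(1)
                setattr(current, attr, int(value) if attr in INT_FIELDS else value)
    return classes


def audit_l2tp_classes(classes: Dict[str, L2tpClass]) -> List[str]:
    """Return one finding per weak L2TP control-connection setting."""
    findings: List[str] = []
    for cls in classes.values():
        if cls.authentication != "enable":
            findings.append(f"{cls.name}: tunnel authentication disabled; "
                            "any peer that reaches the address can open a tunnel")
        if cls.hidden != "enable":
            findings.append(f"{cls.name}: AVP hiding disabled; "
                            "sensitive AVPs are sent in clear text")
        if cls.password == DEFAULT_TUNNEL_PASSWORD:
            findings.append(f"{cls.name}: tunnel password is the default "
                            f"'{DEFAULT_TUNNEL_PASSWORD}'")
        if cls.reference_count == 0:
            findings.append(f"{cls.name}: not referenced by any pseudowire-class")
    return findings


if __name__ == "__main__":
    for finding in audit_l2tp_classes(parse_l2tp_classes(SAMPLE_SHOW_L2TP_CLASS)):
        print(finding)
```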

show pseudowire-class

Use this command to display the configuration information of a specified pseudowire-class interface
in the current system.
show pseudowire-class [ pseudowire-class-name ]

Parameter Description
pseudowire-class-name Indicates the name of a specified pseudowire-class interface.

Defaults -

Command Mode Common user configuration mode and privileged EXEC mode

Default Level 14


Usage Guide You can use this command to display detailed configuration information of all pseudowire-class
interfaces or a specified pseudowire-class interface configured in the current system.

Configuration Example #Display the detailed configuration information of all pseudowire-class interfaces in the current system.
Ruijie# show pseudowire-class

Pseudowire Class pw:
encapsulation l2tpv2, protocol l2tpv2 on l2tp-class l2x
ip dfbit set disable, ip pmtu disable, ip ttl 255
ip tos reflect disable, ip tos value 0
reference count: 1000

Pseudowire Class pw1:
encapsulation l2tpv2
ip dfbit set disable, ip pmtu disable, ip ttl 255
ip tos reflect disable, ip tos value 0
reference count: 0

Pseudowire Class pw2:
encapsulation l2tpv2, protocol l2tpv2 on l2tp-class l2x
ip dfbit set disable, ip pmtu disable, ip ttl 255
ip tos reflect disable, ip tos value 0
reference count: 0
Ruijie#

#Display the detailed configuration information of a pseudowire-class interface of a specified name.
Ruijie# show pseudowire-class pw

Pseudowire Class pw:
encapsulation l2tpv2, protocol l2tpv2 on l2tp-class l2x
ip dfbit set disable, ip pmtu disable, ip ttl 255
ip tos reflect disable, ip tos value 0
reference count: 1000
Ruijie#

Field description:
Field Description
encapsulation Indicates the encapsulation protocol.
protocol Indicates the adopted protocol.
l2tp-class Indicates the associated L2TP-class interface.
ip dfbit Indicates whether tunnel data fragmentation is allowed.
ip ttl Indicates the TTL field in the IP header of tunnel packets.
ip tos Indicates the TOS field in the IP header of tunnel packets.
reference count Indicates the number of virtual-ppp interfaces associated with the pseudowire-class interface.

show vpdn

Use this command to display information about a specified VPDN tunnel in the current system.
show vpdn [ session | tunnel [ { l2tp | pptp } locid ] ]

Parameter Description
session Displays all sessions.
tunnel Displays all tunnels.
l2tp locid Displays details about the L2TP tunnel of a specified ID. The value range is from 1 to 65535.
pptp locid Displays details about the PPTP tunnel of a specified ID. The value range is from 0 to 65535.

Defaults N/A

Command Mode Common user configuration mode and privileged EXEC mode

Default Level 14

Usage Guide You can use this command to check VPDN tunnel information in the current system. If no parameter
is specified, information about all VPDN tunnels and sessions in the current system will be displayed.
Note: Usernames can be of any length. To keep the display aligned, the show command prints only the
first 12 bytes of each username, so usernames longer than 12 bytes are truncated.
To display full usernames, run the show vpdn tunnel l2tp locid and show vpdn tunnel
pptp locid commands.

Configuration Example #Display information about all VPDN tunnels in the current system.
Ruijie# show vpdn
L2TP Tunnel and Session Information Total tunnels 1 sessions 1
LocID RemID Remote Name State Remote Address Port Sessions L2TP Class/
VPDN Group
4 77 BLIZZARD est 192.168.12.213 1701 1 1
LocID RemID TunID Username, Intf/ State Last Chg
Vcid, Circuit
1 1 4 ms,Vi1 est 00:33:58

%No active PPTP tunnels
Ruijie#

#Display information about all VPDN tunnels in the current system.
Ruijie# show vpdn tunnel
L2TP Tunnel Information Total tunnels 1
LocID RemID Remote Name State Remote Address Port Sessions L2TP Class/
VPDN Group
4 77 BLIZZARD est 192.168.12.213 1701 1 1
%No active PPTP tunnels
Ruijie#
#Display information about all VPDN sessions in the current system.
Ruijie# show vpdn session
L2TP Session Information Total sessions 1
LocID RemID TunID Username, Intf/ State Last Chg
Vcid, Circuit
1 1 4 ms,Vi1 est 00:37:03
%No active PPTP tunnels
Ruijie#
#Display details about a specified PPTP or L2TP tunnel.
Display details about the L2TP tunnel of a specified tunnel ID.
Ruijie# show vpdn tunnel l2tp 4
L2TP tunnel locid 4 is up,remote id is 77, 1 active sessions
Tunnel state is est
Tunnel transport is UDP
Remote tunnel name is BLIZZARD
Internet Address 192.168.12.213, port 1701
Local tunnel name is LNStest
Internet Address 192.168.12.212, port 1701
VPDN group for tunnel is 1
Tunnel domain unknown
ip mtu adjust disabled
Control Ns 2, Nr 4
Display details about the PPTP tunnel of a specified tunnel ID.
Ruijie#show vpdn tunnel
%No active L2TP tunnels
PPTP Tunnel Information Total tunnels 1
LocID Remote Name State Remote Address Port Sessions
2 estbed 192.168.45.160 3077 1
Ruijie#
Ruijie#show vpdn tunnel pptp 2
PPTP tunnel id 2 is up, remote id is 0, 1 active session
Tunnel state is estbed
Remote tunnel name is
Internet Address 192.168.45.160, port 3077
Local tunnel name is
Internet Address 192.168.45.161

Field description:
Field Description
L2TP Tunnel Indicates an L2TP tunnel.
Session Information Indicates session information.
LocID Indicates the ID of the local device.
RemID Indicates the ID of the peer device.
TunID Indicates the tunnel ID.
Username, Intf/ Vcid, Circuit Indicates the username and interface, or the VC ID and circuit.
State Indicates a state.
Last Chg Indicates the last change time.
Remote Address Indicates the peer address.
Port Indicates the port.

show vpdn log

Use this command to display user online and offline information in the current log file.
show vpdn log [user username]

Parameter Description
username Specifies a username.

Defaults N/A

Command Mode Common user configuration mode and privileged EXEC mode

Default Level 14

Usage Guide You can use this command to display online and offline information of all users or a specified user in
the current log file.

Configuration Example #Display online and offline information of all users in the current log file.
Ruijie# show vpdn log
Username IP State Online time Offline time
user-1 100.1.1.2 out 2014-11-16-14:09:04 2014-11-16-14:29:26
user-2 100.1.2.2 out 2014-11-16-15:09:05 2014-11-16-16:09:27
user-3 100.1.3.2 out 2014-11-16-17:09:04 2014-11-16-18:09:26
user-4 100.1.4.2 in 2014-11-16-18:09:05
Ruijie#

#Display online and offline information of a specified user in the current log file.
Ruijie# show vpdn log user user-1
Username IP State Online time Offline time
user-1 100.1.1.2 out 2014-11-16-14:09:04 2014-11-16-14:29:26
Ruijie#
Ruijie#show vpdn log user ruijie
%No vpdn logs for username: ruijie.
Ruijie#
Field description:
Field Description
Username Indicates the username.
IP Indicates the peer IP address.
State Indicates the current state.
Online time Indicates the online time.
Offline time Indicates the offline time.
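The show vpdn log table is a convenient input for VPDN session monitoring. The following Python script is an added example, not code from this reference or from Ruijie; it parses the documented row layout (prompts, the header row and %-prefixed messages are skipped), computes session durations, and flags very short sessions, sessions open for more than a day, and users seen from several peer addresses. The sample rows are constructed from the output above plus one added row, and the thresholds and the SAMPLE_NOW reference time are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Constructed sample in the "show vpdn log" layout documented above: the first
# four rows repeat the reference output, the fifth row is an added 8-second session.
SAMPLE_SHOW_VPDN_LOG = """\
Ruijie# show vpdn log
Username IP State Online time Offline time
user-1 100.1.1.2 out 2014-11-16-14:09:04 2014-11-16-14:29:26
user-2 100.1.2.2 out 2014-11-16-15:09:05 2014-11-16-16:09:27
user-3 100.1.3.2 out 2014-11-16-17:09:04 2014-11-16-18:09:26
user-4 100.1.4.2 in 2014-11-16-18:09:05
user-1 100.1.9.7 out 2014-11-16-19:00:00 2014-11-16-19:00:08
Ruijie#
"""
SAMPLE_NOW = datetime(2014, 11, 18)      # assumed time at which the report is run

TS_FORMAT = "%Y-%m-%d-%H:%M:%S"          # timestamp layout used by the log output
_TS = r"\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2}"
ROW_RE = re.compile(
    rf"^(?P<user>\S+)\s+(?P<ip>\d+(?:\.\d+){{3}})\s+(?P<state>in|out)\s+"
    rf"(?P<online>{_TS})(?:\s+(?P<offline>{_TS}))?$"
)


@dataclass
class VpdnLogEntry:
    username: str
    ip: str
    state: str                   # "in" = still online, "out" = session ended
    online: datetime
    offline: Optional[datetime]  # None while the user is still online

    def duration(self, now: datetime) -> timedelta:
        """Elapsed session time; an open session is measured up to `now`."""
        return (self.offline or now) - self.online


def parse_vpdn_log(text: str) -> List[VpdnLogEntry]:
    """Parse the row lines of show vpdn log; anything that is not a row is skipped."""
    entries: List[VpdnLogEntry] = []
    for raw in text.splitlines():
        match = ROW_RE.match(raw.strip())
        if not match:
            continue
        online = datetime.strptime(match["online"], TS_FORMAT)
        offline = datetime.strptime(match["offline"], TS_FORMAT) if match["offline"] else None
        entries.append(VpdnLogEntry(match["user"], match["ip"], match["state"], online, offline))
    return entries


def find_anomalies(entries: List[VpdnLogEntry], now: datetime,
                   min_session: timedelta = timedelta(seconds=60),
                   max_open: timedelta = timedelta(hours=24)) -> List[str]:
    """Flag very short sessions, long-lived open sessions and users seen from several IPs."""
    findings: List[str] = []
    ips_by_user: Dict[str, Set[str]] = {}
    for e in entries:
        ips_by_user.setdefault(e.username, set()).add(e.ip)
        if e.offline is not None and e.duration(now) < min_session:
            findings.append(f"{e.username}: session from {e.ip} lasted only "
                            f"{int(e.duration(now).total_seconds())} s")
        if e.state == "in" and e.duration(now) > max_open:
            findings.append(f"{e.username}: online from {e.ip} for more than "
                            f"{max_open.days} day(s)")
    for user, ips in ips_by_user.items():
        if len(ips) > 1:
            findings.append(f"{user}: seen from {len(ips)} different peer addresses")
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_vpdn_log(SAMPLE_SHOW_VPDN_LOG), now=SAMPLE_NOW):
        print(finding)
```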

source-ip

Use this command to set the local (source) address of a tunnel established using the current VPDN-group.
source-ip A.B.C.D

Use the no form of this command to restore the default configuration of the system.
no source-ip

Parameter Description
A.B.C.D Indicates the local (source) address of a tunnel established using the current VPDN-group.

Defaults The system does not limit the local (source) address of a tunnel established using the VPDN-group by
default.

Command Mode VPDN-group interface configuration mode

Default Level 14


Usage Guide If the local (source) address is set globally for the VPDN function, the local (source) address of a tunnel
established using the VPDN-group must be consistent with the global local (source) address. The
effective configuration or change of this command will immediately cause active and forcible
disconnection of existing relevant tunnels.

Configuration Example #Set the local address of the tunnel established using the current VPDN-group to 202.101.92.73.
Ruijie(config)# vpdn-group 1
Ruijie(config-vpdn)# source-ip 202.101.92.73
Ruijie(config-vpdn)#

Verification Run the show running-config command to display the local (source) address of a tunnel established
using the current VPDN-group.

terminate-from

Use this command to specify the peer host name of a tunnel.


terminate-from hostname remote-hostname-string

Use the no form of this command to restore the default configuration of the system.
no terminate-from

Parameter Description
remote-hostname-string Indicates the peer host name of a tunnel.

Defaults The peer host name of a tunnel is not set by default.

Command Mode VPDN-group interface configuration mode

Default Level 14

Usage Guide You can use this command to limit the host name of users who access the device remotely. If the peer
host name of a tunnel is not set, the VPDN-group will not limit the host name of users who access the
device remotely. Any effective change on the peer host name of a tunnel will cause active and forcible
disconnection of all existing tunnels established using the VPDN-group.

Configuration Example #Set the peer host name of a tunnel to LAC.
Ruijie(config)# vpdn-group 1
Ruijie(config-vpdn)# terminate-from hostname LAC
Ruijie(config-vpdn)#

Verification Run the show running-config command to display the peer host name of the tunnel.


timeout setup

Use this command to set the maximum allowable time for establishing a control connection.
timeout setup seconds

Use the no form of this command to restore the default configuration of the system.
no timeout setup

Parameter Description
seconds Indicates the maximum allowable time in seconds for establishing a control connection. The value range is from 60 to 6,000.

Defaults The maximum allowable time for establishing a control connection is 120 seconds by default.

Command Mode L2TP-class interface configuration mode

Default Level 14

Usage Guide Any effective change on the maximum allowable time for establishing a control connection will cause
active and forcible disconnection of the relevant L2TP tunnel.

Configuration Example #Set the maximum allowable time for establishing a control connection to 240 seconds.
Ruijie(config)# l2tp-class 1
Ruijie(config-l2tp-class)# timeout setup 240
Ruijie(config-l2tp-class)#

Verification Run the show running-config command to display the maximum allowable time for establishing a
control connection.

virtual-template

Use this command to set the virtual template interface bound to the current VPDN-group.
virtual-template number

Use the no form of this command to restore the default configuration of the system.
no virtual-template

Parameter Description
number Indicates the serial number of a virtual template interface. The value range is from 1 to 1200.


Defaults No virtual template interface is bound to the VPDN-group by default.

Command Mode VPDN-group interface configuration mode

Default Level 14

Usage Guide You can use this command to bind the virtual template interface to a VPDN group so as to set
parameters for network interfaces that carry sessions. Any effective change on the virtual template
interface bound to a VPDN-group will cause forcible disconnection of existing tunnels of the VPDN-group.
Configure this command only after configuring the protocol command. Otherwise, the command is
unavailable.

Configuration Example #Bind Virtual Template Interface 1 to VPDN-group 1.
Ruijie(config)#
Ruijie(config)#vpdn-group 1
Ruijie(config-vpdn)#accept-dialin
Ruijie(config-vpdn-acc-in)#protocol any
Ruijie(config-vpdn-acc-in)#virtual-template 1
Ruijie(config-vpdn-acc-in)#

Verification Run the show running-config command to display the virtual template interface bound to the current
VPDN-group.

vpdn congestion_avoidanc

Use this command to enable VPDN congestion control.


vpdn congestion_avoidanc

Use the no form of this command to disable VPDN congestion control.


no vpdn congestion_avoidanc

Parameter Description
N/A N/A

Defaults VPDN congestion control is disabled by default.

Command Mode Global configuration mode


Default Level 14

Usage Guide You can determine whether to enable congestion control based on the current network environment.

Configuration Example #Enable VPDN congestion control.
Ruijie#config
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# vpdn congestion_avoidanc
Ruijie(config)#

Verification Run the show running-config command to check whether VPDN congestion control is enabled.

vpdn enable

Use this command to enable the VPDN function.


vpdn enable

Use the no form of this command to disable the VPDN function.


no vpdn enable

Parameter Description
N/A N/A

Defaults The VPDN function is disabled by default.

Command Mode Global configuration mode

Default Level 14

Usage Guide The VPDN function is not required for client-initiated L2TP tunnels, but it needs to be enabled when
the device running RGOS provides the LAC or LNS function, or the device running RGOS uses the
PPTP or L2TP protocol. The effective configuration or change of this command will immediately cause
active and forcible disconnection of existing relevant tunnels.

Configuration Example #Enable the VPDN function.
Ruijie#config
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# vpdn enable
Ruijie(config)#

Verification Run the show running-config command to check whether the VPDN function is enabled.


vpdn ignore_source

Use this command to ignore the VPDN source address check on packets sent from the peer device.
After this command is configured, the source address match is not checked for data packets sent from
the peer device.
vpdn ignore_source

Use the no form of this command to strictly check the source addresses of packets sent from the peer
device.
no vpdn ignore_source

Parameter Description
N/A N/A

Defaults The system checks the source address match of tunnel packets by default.

Command Mode Global configuration mode

Default Level 14

Usage Guide Use this command to ignore the VPDN source address check on packets sent from the peer device.
After this command is configured, the source address match is not checked for data packets sent from
the peer device. This command applies only to data packets that are fast-forwarded.

Configuration Example #Ignore the VPDN source address check on packets sent from the peer device.
Ruijie(config)# vpdn ignore_source
Ruijie(config)#

Verification Run the show running-config command to check whether the function of ignoring VPDN source
address check on packets sent from the peer device is enabled.

vpdn limit_rate

Use this command to set the maximum number of VPDN tunnels that can be established per second,
that is, limit the establishment rate of VPDN tunnels.
vpdn limit_rate rate_num

Use the no form of this command to disable the VPDN connection rate limit.
no vpdn limit_rate


Parameter Description
rate_num Indicates the number of tunnels that can be established per second. The value range is from 5 to 100.

Defaults The establishment rate of VPDN tunnels is limited by default and the default value is 15 tunnels per
second.

Command Mode Global configuration mode

Default Level 14

Usage Guide When the dial-in of excessive VPDN tunnels affects overall performance of the system, use this
command to limit the number of VPDN tunnel dial-ins.

Configuration Example #Set the number of tunnels that can be established per second to 50.
Ruijie(config)# vpdn limit_rate 50
Ruijie(config)#

Verification Run the show running-config command to display the number of VPDN tunnels that can be
established per second.

vpdn session-limit

Use this command to set the maximum number of VPDN sessions allowed by the current system.
vpdn session-limit sessions

Use the no form of this command to restore the default configuration of the system.
no vpdn session-limit

Parameter Description
sessions Indicates the maximum number of VPDN sessions allowed by the system. The value range is from 1 to 1000.

Defaults The maximum number of sessions supported by the system is configured by default.

Command Mode Global configuration mode

Default Level 14


Usage Guide When the dial-in of excessive VPDN tunnels affects overall performance of the system, use this
command to limit the number of VPDN tunnel dial-ins. You must run the vpdn enable command to
enable the VPDN function first.

Configuration Example #Set the maximum number of allowable sessions to 100.
Ruijie(config)# vpdn session-limit 100
Ruijie(config)#

Verification Run the show running-config command to display the maximum number of VPDN sessions allowed
by the current system.

vpdn source-ip

Use this command to set the VPDN local (source) address used by the current system.
vpdn source-ip A.B.C.D

Use the no form of this command to restore the default configuration of the system.
no vpdn source-ip A.B.C.D

Parameter Description
A.B.C.D Indicates the VPDN local address used by the system.

Defaults No VPDN local (source) address is set for the system by default.

Command Mode Global configuration mode

Default Level 14

Usage Guide If the system provides the LNS (via L2TP) or home gateway (HGW) (via PPTP) function, you can use
this command to limit the destination address in connection requests of all accepted tunnels to the
preset address. The effective configuration or change of this command will immediately cause active
and forcible disconnection of existing relevant tunnels. You must run the vpdn enable command to
enable the VPDN function first.

Configuration Example #Set the destination address to be used in connection requests of all accepted tunnels to 192.168.12.223.
Ruijie(config)# vpdn source-ip 192.168.12.223
Ruijie(config)#

Verification Run the show running-config command to display the VPDN local (source) address used by the
current system.


vpdn-group

Use this command to set a VPDN-group interface of a specified name. If the VPDN-group interface of
the specified name does not exist, the system creates a VPDN-group interface with the specified
name.
vpdn-group vpdn-group-name

Use the no form of this command to delete the VPDN-group interface of a specified name.
no vpdn-group vpdn-group-name

Parameter Description
vpdn-group-name Indicates the name of a VPDN-group interface.

Defaults No VPDN-group interface is set by default.

Command Mode Global configuration mode

Default Level 14

Usage Guide If the router needs to serve as an LNS (L2TP Network Server) or HGW (Home Gateway), a VPDN-group
interface must be created and set. You can use this command to manage VPDN-group
interfaces. The deletion of a VPDN-group interface will directly cause active and forcible disconnection
of existing tunnels. You must run the vpdn enable command to enable the VPDN function first.

Configuration Example #Create a VPDN-group interface named 1.
Ruijie(config)#vpdn enable
Ruijie(config)#vpdn-group 1
Ruijie(config-vpdn)#

Verification Run the show running-config command to display the VPDN-group interface of the specified name.

Command Reference IPSEC-IKE Commands

8 IPSEC-IKE Commands

address

Use this command to configure the range of XAUTH addresses. Use the no form of this command to
restore the default configuration.
address low-ip high-ip
no address low-ip high-ip

Parameter Description
low-ip Start address
high-ip End address

Command Mode ISAKMP address pool configuration mode

Default Level 14

Usage Guide To configure a local address pool, select an unused IP address in the associated address pool. The
local address pool is required to be configured only when the client is a smart phone or a PC.
You can configure multiple address pools so that different groups can be associated with different
address pools. In this way, you can assign IP addresses in specific network segments to different
groups.

Configuration Example The following example configures the address range.
Ruijie(config)# crypto isakmp ippool pool
Ruijie(config-isakmp-ippool)#address 60.10.10.10 60.10.10.200

authentication ( IKE policy )

Use this command to specify the authentication method for IKE policies.
authentication { pre-share }

Use the no form of this command to restore the default configuration.


no authentication

Parameter Description
pre-share Indicates pre-shared key authentication.

Defaults The pre-shared key authentication is used by default.


Command Mode IKE policy configuration mode

Default Level 14

Usage Guide Currently, IKE negotiation policies use the pre-shared key authentication by default.

Configuration Example #Configure an IKE policy with the priority of 10 and use pre-shared key authentication in the policy.
Ruijie(config)# crypto isakmp policy 10
Ruijie(isakmp-policy)#authentication pre-share

Verification N/A

clear crypto isakmp

Use this command to clear the currently running IKE security association (SA).
clear crypto isakmp [ connection-id | neg-counter ]

Parameter Description
connection-id Indicates the ID of an IKE SA. All existing IKE SAs are cleared by default. The value range is from 0 to 65535.
neg-counter Clears the negotiation counter.

Command Mode Privileged EXEC mode

Default Level 14

Usage Guide In general, only a specific IKE SA is cleared. Run the show crypto isakmp sa command to display
the ID of the SA to be cleared, and then run the clear crypto isakmp command using the ID to clear
the specific IKE SA.

Configuration Example #Clear all IKE SAs.
Ruijie# clear crypto isakmp

clear crypto log

Use this command to clear IPSec VPN login and logout logs.
clear crypto log


Parameter Description
N/A N/A

Command Mode Privileged EXEC mode

Default Level 14

Usage Guide N/A

Configuration Example #Clear IPSec VPN login and logout logs.
Ruijie# clear crypto log

Verification N/A

Ruijie# clear crypto log
ipsec is writing or reading log now, can not delete file
The command output shows that the IPSec process is writing data to or reading data from the log file,
and therefore the log file cannot be deleted.

clear crypto sa

Use this command to clear an IPSec SA.


clear crypto sa

Use this command to clear an IPSec SA of the remote peer by IP address or host name.
clear crypto sa peer { ip-address | peer-name }

Use this command to clear an IPSec SA of the remote peer by encryption mapping name.
clear crypto sa map map-name

Use this command to clear an IPSec SA of the remote peer by IP address and security parameter
index (SPI).
clear crypto sa spi destination-address { ah | esp } spi

Parameter Description
ip-address Indicates the IP address of the remote peer.
peer-name Indicates the host name of the remote peer.
map-name Indicates the name of an encryption mapping set.
destination-address Indicates the IP address of the local or remote peer.
spi Specifies an SPI. The value range is from 0 to 4,294,967,295.


Command Mode Privileged EXEC mode

Default Level 14

Usage Guide 1. The preceding commands are used to clear IPSec SAs. If the peer, map, and SPI keywords are
not specified, all IPSec SAs will be deleted by default.
2. If an SA is established via IKE, the SA will be cleared. If IPSec activation packets are detected
on an interface, IPSec renegotiates a new SA. If an SA is manually configured, the SA will be
cleared and a new SA will be re-established.
3. New parameters are effective only to SAs negotiated after the parameter configuration but do not
affect existing SAs. To make new parameters effective to existing SAs, run commands to clear
existing SAs for SA re-negotiation.
4. The deletion of SAs will interrupt communication. To ensure that communication using other
IPSec SAs is not interrupted, use the peer, map, and SPI keywords to specify a specific SA.
5. If only one SA is available or no data is communicated through other SAs, clear all SAs for SA
re-negotiation.

Configuration Example #Clear all IPSec SAs.
Ruijie# clear crypto sa

crypto dynamic-map

Use this command to create a dynamic encryption mapping entry and enter the encryption mapping
configuration mode.
crypto dynamic-map dynamic-map-name dynamic-seq-num

Use the no form of this command to delete an encryption mapping set or entry.
no crypto dynamic-map dynamic-map-name [dynamic-seq-num]

Parameter Description
dynamic-map-name Specifies the name of an encryption mapping set.
dynamic-seq-num Specifies the ID of an encryption mapping entry. The value range is from 1 to 65,535.

Defaults No dynamic encryption mapping exists by default.

Command Mode Global configuration mode

Default Level 14

Usage Guide

Configuration Example Hostname# configure terminal
Hostname(config)# crypto dynamic-map user-map 100
Hostname(config-crypto-map)#

Verification N/A

crypto ipsec df-bit

Use this command to set the DF value of the encapsulation header for all interfaces.
crypto ipsec df-bit { clear | set | copy }

Parameter Description
clear Zeroes out the DF bit in the external IP header. The device may fragment packets and encapsulate the data via IPSec.
set Sets the DF bit to 1 in the external IP header. If the DF bit in the original IP header is zeroed out, the device may fragment packets.
copy Uses the original DF bit value as the DF bit value in the external header. The default value is copy.

Defaults This command is disabled by default.

Command Mode Global configuration mode

Default Level 14

Usage Guide In IPSec tunnel mode, use the clear keyword in the command when you need to send packets with
the size greater than the MTU or when you do not know the size of the MTU.

Note: If this command is not enabled with a specific keyword, the device uses copy as the DF bit value by default.

Configuration Example #Zero out the DF bit of all interfaces.
Ruijie(config)# crypto ipsec df-bit clear

Verification N/A

crypto ipsec multicast disable

Use this command to disable IPSec processing on multicast and broadcast packets.
crypto ipsec multicast disable


Use the no form of this command to enable IPSec processing on multicast and broadcast packets.
no crypto ipsec multicast disable

Parameter Description
N/A N/A

Defaults When this command is not configured and an ACL involves multicast and broadcast packets, the
device conducts IPSec processing on the packets by default.

Command Mode Global configuration mode

Default Level 14

Usage Guide If IPSec processing is not required for multicast and broadcast packets, configure this command to
skip IPSec processing.

Configuration Example #Disable IPSec processing on multicast and broadcast packets.
Ruijie(config)# crypto ipsec multicast disable

Verification N/A

crypto ipsec optional

Use this command to disable the IPSec security check.


crypto ipsec optional

Use the no form of this command to enable the IPSec security check.
no crypto ipsec optional

Parameter Description
N/A N/A

Defaults The IPSec security check is disabled by default.

Command Mode Global configuration mode

Default Level 14


Usage Guide The security check consumes considerable resources. Disabling the security check can save CPU
resources. In the L2TP over IPSec model, the IPSec security check can be forcibly enabled or only
IPSec encrypted packets are allowed to pass through. For example, L2TP and IPSec encryption may
be used together as required.

Configuration Example #Cancel the security check.
Ruijie(config)# crypto ipsec optional

Verification N/A

crypto ipsec profile (global IPSec-profile)

Use this command to create or modify an encryption mapping set (profile).


crypto ipsec profile profile-name

Use the no form of this command to cancel an encryption mapping set (profile) or entry.
no crypto ipsec profile profile-name

Parameter Description
profile-name Indicates the name of an encryption mapping set (profile).

Defaults No encryption mapping set is configured by default.

Command Mode Global configuration mode. Run this command to enter the profile encryption mapping configuration mode.

Default Level 14

Usage Guide When data encryption and protection are required on a tunnel interface, define an encryption mapping
set (profile) and then apply it to the tunnel interface. Define encryption communication parameters in
the encryption mapping set (profile). The parameters include the following:
1. IPSec security policies to be applied to communication: Select policies from the list composed of
one or more transformation sets.
2. SA lifetime
3. Information about whether SAs are manually configured or established via IKE
4. Apply the encryption mapping set of a tunnel to the tunnel interface. In this way, all IP
communication through the tunnel interface will be encrypted according to the encryption
mapping set applied to the tunnel interface. After configuration is completed, the device
automatically initiates IKE negotiation, or triggers IKE negotiation when receiving packets from
this interface. Policies described in encryption mapping entries are used during SA negotiation.
To ensure smooth IPSec communication between two IPSec peers, the encryption mapping
entries of the tunnel between the two peers must contain compatible configuration statements.
When two peers try to establish an SA, each of the peers must have one encryption mapping
entry compatible with one encryption mapping entry of the other peer, and the encryption mapping
entry must meet at least the following conditions:
1. An encryption mapping entry must contain a compatible encryption access list (for example, a
mirror-image access list).
2. Encryption mapping entries of both peers must specify the peer address (unless the peer is using
a dynamic encryption set).
3. The encryption mapping entries must share at least one identical transformation set.
4. Only one encryption mapping set is applied to a single interface. The encryption mapping set
specifies IPSec/IKE.
Create multiple encryption mapping entries for one interface in either of the following cases:
1. Different data flows of the interface will be processed by different IPSec peers.
2. Different levels of IPSec security need to be applied to different types of communication (data
sent to the same or different peers), for example, the communication between devices in one
subnet needs to be authenticated while the communication between devices in another subnet
needs to be authenticated and encrypted. In this case, different types of communication should
be defined in two different ACLs, and one separate encryption mapping entry must be created for
each encryption access list.

Configuration Example #Complete the minimum configuration for an encryption mapping set (profile). The name of the profile
is testprofile and the name of the transformation set is mytest.
Ruijie(config)# crypto ipsec profile testprofile
Ruijie(config-crypto-map)# set transform-set myset

Verification N/A

crypto ipsec security-association lifetime

Use this command to change the global lifetime of an IPSec SA.


crypto ipsec security-association lifetime { seconds seconds | kilobytes kilobytes }

Use the no form of this command to restore the default value of lifetime.
no crypto ipsec security-association lifetime { seconds | kilobytes }

Parameter Description
seconds seconds Indicates the SA timeout period in seconds. The default value is 3,600 (1 hour). It can be set to 0, indicating that the timeout function is disabled. The value can be 0, or any value from 120 to 86,400.
kilobytes kilobytes Indicates the timeout communication amount of an SA in kilobytes. The default value is 4,608,000. It can be set to 0, indicating that the byte timeout function is disabled. The value can be 0, or any value from 2,560 to 536,870,912.

Defaults 3,600 seconds (1 hour) and 4,608,000 KB (communication for 1 hour at the rate of 10 MB per second)


Command Mode Global configuration mode

Default Level 14

Usage Guide 1. The communication encrypted using IPSec SAs uses shared keys. An SA times out after a period
of time is reached or a certain communication amount is reached, so as to ensure security. Both
ends need to re-negotiate an SA and use the new shared key. When devices negotiate an SA,
the smaller value between the lifetime proposed by the peer and that configured on the local
device is used as the lifetime of the new SA.
2. There are two lifetimes: time lifetime and communication amount lifetime. An SA times out as
soon as either lifetime expires. If the global lifetime is changed, this change is effective only
to new SAs that are negotiated after the change and does not affect existing SAs. To make the
new settings take effect as soon as possible, run the clear crypto sa command to clear some or
all content in the SA database.
3. To change the global time lifetime, run the crypto ipsec security-association lifetime seconds
command. The time lifetime specifies that an SA times out after certain seconds. To change the
global communication amount lifetime, run the crypto ipsec security-association lifetime
kilobytes command. The communication amount lifetime specifies that an SA times out when
the amount (in KB) of communication encrypted using the SA key reaches a certain amount.
4. A smaller lifetime indicates a lower probability of successful key cracking, because less data
encrypted with the same key is available to an attacker for analysis. However, a shorter lifetime
means the CPU spends more time establishing new SAs. Manually configured SAs do not have a
lifetime.
5. How the lifetime works: An SA (and its key) times out once the period specified by seconds or the
data amount specified by kilobytes is reached, whichever comes first. The negotiation of a new SA
starts before the old SA lifetime expires, so that a new SA is available before the old one times out.
Negotiation of the new SA starts 30 seconds before the lifetime specified by the seconds keyword
expires, or when the data carried by the tunnel is 256 KB short of the amount lifetime specified by
the kilobytes keyword, whichever is earlier. If no communication passes through a tunnel within the
lifetime of an SA, no new SA is negotiated when the SA times out; a new SA is negotiated only when
IPSec next needs to protect a packet.
6. The time lifetime and communication amount lifetime cannot be zero simultaneously. Otherwise,
the negotiation will fail. The device does not check the local configuration and you need to confirm
that the time lifetime and communication amount lifetime are not zero simultaneously.

Configuration Example #Set the time lifetime to 2,500 seconds and communication amount lifetime to 2,304,000 KB
(communication for half an hour at the rate of 10 MB) for IPSec SAs.
Ruijie(config)# crypto ipsec security-association lifetime seconds 2500
Ruijie(config)# crypto ipsec security-association lifetime kilobytes 2304000


Verification N/A

crypto ipsec security-association lifetime not_based_on initiator

Use this command to modify the negotiation match rule for lifetime in Phase 2 of IPSec. That is, the
final negotiation result of lifetime in Phase 2 is the smaller value between the lifetime of the device in
branch and that of the device in the headquarters.
crypto ipsec security-association lifetime not_based_on initiator

Use the no form of this command to restore the default match rule of lifetime in Phase 2. That is, the
final negotiation result uses the lifetime of the device in the branch.
no crypto ipsec security-association lifetime not_based_on initiator

Parameter Description
N/A N/A

Defaults The final negotiation result of lifetime in Phase 2 uses the lifetime of the device in the branch by default.

Command Mode Global configuration mode

Default Level 14

Usage Guide By default, the negotiation result of lifetime in Phase 2 uses the lifetime of the device in the branch,
indicating that devices in both the headquarters and the branch use the lifetime of the branch as the
lifetime in Phase 2. You can use the command to modify the match rule of the lifetime in Phase 2, so
as to use the smaller value between the lifetime of the device in the headquarters and that of the device
in the branch as the final negotiation result.
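The Phase 2 lifetime match rule described here, together with the lifetime and rekey behaviour described under crypto ipsec security-association lifetime, modeled as an added Python example (not Ruijie code). Treating a lifetime of 0 (disabled) as unbounded inside the "smaller value" rule is an assumption.

```python
"""Phase 2 (IPSec SA) lifetime rules from this command reference, modeled in Python.

Constructed example, not Ruijie code. It models:
  * the seconds / kilobytes lifetimes (0 disables one of them; both 0 breaks negotiation),
  * the default Phase 2 match rule (the branch, i.e. initiator, lifetime wins) versus
    'not_based_on initiator' (the smaller of the two peers' lifetimes wins),
  * the rekey trigger: 30 s before the time lifetime or 256 KB before the volume
    lifetime, whichever comes first, and only if there is traffic to protect.
Treating a 0 (disabled) lifetime as unbounded inside the min rule is an assumption.
"""
from dataclasses import dataclass

DEFAULT_SECONDS = 3600          # 1 hour
DEFAULT_KILOBYTES = 4_608_000   # 1 hour at 10 MB/s
TIME_REKEY_MARGIN_S = 30        # renegotiation starts 30 s before the time lifetime
BYTES_REKEY_MARGIN_KB = 256     # ... or 256 KB before the volume lifetime


@dataclass(frozen=True)
class Lifetime:
    seconds: int = DEFAULT_SECONDS        # 0, or 120..86400
    kilobytes: int = DEFAULT_KILOBYTES    # 0, or 2560..536870912

    def validate(self) -> None:
        """Range checks from the parameter table. The both-zero case is the one
        the device does not check for you and that makes negotiation fail."""
        if self.seconds and not 120 <= self.seconds <= 86_400:
            raise ValueError("seconds must be 0 or 120..86400")
        if self.kilobytes and not 2_560 <= self.kilobytes <= 536_870_912:
            raise ValueError("kilobytes must be 0 or 2560..536870912")
        if self.seconds == 0 and self.kilobytes == 0:
            raise ValueError("time and volume lifetime cannot both be 0")


def _min_lifetime(a: int, b: int) -> int:
    """Smaller of two lifetime values; 0 (disabled) is treated as unbounded (assumption)."""
    if a == 0:
        return b
    if b == 0:
        return a
    return min(a, b)


def negotiate_lifetime(branch: Lifetime, headquarters: Lifetime,
                       not_based_on_initiator: bool = False) -> Lifetime:
    """Phase 2 lifetime that both peers end up using.

    Default rule: both ends adopt the branch (initiator) lifetime.
    With 'crypto ipsec security-association lifetime not_based_on initiator'
    configured, the smaller of the branch and headquarters lifetimes is used.
    """
    branch.validate()
    headquarters.validate()
    if not not_based_on_initiator:
        return branch
    return Lifetime(_min_lifetime(branch.seconds, headquarters.seconds),
                    _min_lifetime(branch.kilobytes, headquarters.kilobytes))


def expired(lt: Lifetime, age_s: int, sent_kb: int) -> bool:
    """The SA (and its key) times out when either lifetime is reached."""
    return bool((lt.seconds and age_s >= lt.seconds)
                or (lt.kilobytes and sent_kb >= lt.kilobytes))


def rekey_due(lt: Lifetime, age_s: int, sent_kb: int, traffic_pending: bool) -> bool:
    """True when negotiation of the replacement SA should start.

    If no traffic needs protection, nothing is negotiated when the SA expires;
    a new SA is set up only when IPSec next has a packet to protect.
    """
    if not traffic_pending:
        return False
    time_due = lt.seconds and age_s >= lt.seconds - TIME_REKEY_MARGIN_S
    bytes_due = lt.kilobytes and sent_kb >= lt.kilobytes - BYTES_REKEY_MARGIN_KB
    return bool(time_due or bytes_due)


if __name__ == "__main__":
    # Values from the reference example (2,500 s / 2,304,000 KB) on the branch,
    # defaults on the headquarters.
    short = Lifetime(2500, 2_304_000)
    print(negotiate_lifetime(short, Lifetime()))                              # branch wins
    print(negotiate_lifetime(Lifetime(), short, not_based_on_initiator=True))  # smaller wins
    print(rekey_due(short, age_s=2470, sent_kb=0, traffic_pending=True))       # True
```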

Configuration Example #Modify the match result of lifetime in Phase 2.
Ruijie(config)# crypto ipsec security-association lifetime not_based_on initiator

Verification N/A

crypto ipsec security-association replay disable

Use this command to disable the replay function so as not to check retransmitted packets.
crypto ipsec security-association replay disable

Use the no form of this command to check retransmitted packets.


no crypto ipsec security-association replay disable


Parameter Description
N/A N/A

Defaults Replay check is enabled by default. This command is not configured by default.

Command Mode Global configuration mode

Default Level 14

Usage Guide After this command disables the replay check, retransmitted packets are no longer checked. This
improves packet processing efficiency but increases the possibility of DoS attacks.

Configuration Example #Disable the packet retransmission check.
Ruijie(config)# crypto ipsec security-association replay disable

Verification N/A

crypto ipsec transform-set

Use this command to define a transformation set for SAs.


crypto ipsec transform-set transform-set-name transform1 [ transform2 [ transform3 ] ]

Use the no form of this command to delete a transformation set.


no crypto ipsec transform-set transform-set-name

Parameter Description
transform-set-name Indicates the name of a transformation set.
transform1, transform2, transform3 Indicates the security protocol and algorithm used by an SA. For details, see the security configuration guide.

Defaults No transformation set is configured by default.

Command Mode Global configuration mode

Default Level 14

Usage Guide 1. A set is a combination of security protocols, algorithms, and other settings for communication
protected by IPSec. During IPSec SA negotiation, peers must use the same specific
transformation set to protect specific data flows.


2. Configure multiple transformation sets and then specify one or more of them in encryption
mapping entries. Transformation sets defined in encryption mapping entries are used for IPSec
SA negotiation, so as to protect data flows that match the ACL referenced in the encryption
mapping entries. During negotiation, both peers search for the same transformation set that is
available on both peers. When such a transformation set is found, it is selected as a part of IPSec
SAs of both peers and applied to protected communication.
3. If an SA is configured manually, no parameter needs to be negotiated for the SA. Therefore, the
same transformation set must be specified on both peers.

Configuration Example #Define a transformation set that uses the ESP-DES-MD5 protection mode (providing encryption and
authentication services).
Ruijie(config)# crypto ipsec transform-set myset esp-des esp-md5-hmac

Verification N/A

crypto isakmp enable

Use this command to enable IKE so as to use IKE to negotiate IPSec SAs.
crypto isakmp enable

Use the no form of this command to disable IKE.


no crypto isakmp enable

Parameter Description
N/A N/A

Defaults IKE is enabled by default.

Command Mode Global configuration mode

Default Level 14

Usage Guide IKE is enabled by default. If you need to use IKE for IPSec SA negotiation, this command is not
required. If you do not use IKE for IPSec SA negotiation, use the no form of this command to disable
IKE.

Configuration Example #Enable IKE.
Ruijie(config)# crypto isakmp enable

Verification N/A


crypto isakmp keepalive

Use this command to send peer detection messages to the remote peer.
crypto isakmp keepalive secs [ on-demand | periodic ]
crypto isakmp keepalive secs retries [ on-demand | periodic ]

Use the no form of this command to disable the peer detection function.
no crypto isakmp keepalive

Parameter Description
secs Indicates the keepalive duration of a tunnel in seconds. The value range is from 5 to 3600.
retries Indicates the interval for retransmitting packets in seconds. The value range is from 2 to 60.
on-demand Sends messages at the idle time of packet forwarding.
periodic Sends messages at the configured interval.

Defaults No peer detection message is sent by default.

Command Mode Global configuration mode

Default Level 14

Usage Guide Use the crypto isakmp keepalive command to enable the device to periodically send peer detection
messages to the remote peer, to check whether the remote peer is alive.

Configuration Example #Set the tunnel keepalive duration to 60 seconds, packet retransmission interval to 5 seconds, and
use the on-demand mode.
Ruijie(config)# crypto isakmp keepalive 60 5 on-demand

Verification N/A

crypto isakmp key

Use this command to specify the pre-shared key used in IKE negotiation.
crypto isakmp key { 0 | 7 } keystring { hostname peer-hostname | address peer-address [ mask ] }

Use the no form of this command to delete the specified pre-shared key.
no crypto isakmp key { 0 | 7} keystring { hostname peer-hostname | address peer-address [ mask ] }


Parameter Description
0 | 7 Specifies a plaintext key or ciphertext key. 0 indicates a plaintext key and 7 indicates a ciphertext key.
keystring Indicates the pre-shared key string. It can contain a maximum of 128 characters.
peer-hostname Indicates the host name of the remote peer.
peer-address Indicates the IP address of the remote peer.
mask Specifies the subnet for a network segment address.

Defaults No pre-shared key is specified by default.

Command Mode Global configuration mode

Default Level 14

Usage Guide In general, IKE uses a pre-shared key for negotiation. To enable IKE to successfully establish an IKE
SA, use this command to configure the same pre-shared key on both communication peers. If the
specified peer is a network segment, use mask to specify the subnet mask. When both peer-address
and mask are 0.0.0.0, the key is used as the default pre-shared key.

Configuration Example #Set the pre-shared key used for IKE negotiation with the peer at the IP address of 172.16.1.1 to
mysecret.
Ruijie(config)# crypto isakmp key 0 mysecret address 172.16.1.1

Verification N/A

crypto isakmp limit disable

Use this command to disable the IKE negotiation rate limit function.
crypto isakmp limit disable

Use the no form of this command to enable the IKE negotiation rate limit function.
no crypto isakmp limit disable

Parameter Description
N/A N/A

Defaults The IKE negotiation rate limit function is enabled by default and the negotiation rate is limited to 1000.

Command Mode Global configuration mode


Default Level 14

Usage Guide Disable the IKE negotiation rate limit function.

Configuration Example #Disable the IKE negotiation rate limit function.
Ruijie(config)# crypto isakmp limit disable

Verification N/A

crypto isakmp limit rate

Use this command to limit the IKE negotiation rate, that is, limit the maximum number of tunnels that
can be negotiated simultaneously.
crypto isakmp limit rate numbers

Use the no form of this command to cancel the rate limit and restore the default value.
no crypto isakmp limit rate

Parameter Description
numbers Indicates the limited rate.

Defaults The limited rate is 1000 by default, indicating that 1000 IPSec tunnels can be negotiated
simultaneously.

Command Mode Global configuration mode

Default Level 14

Usage Guide When thousands of tunnels are negotiated simultaneously, the negotiation fails to converge or
converges slowly, and the entire negotiation can take several hours or longer. Use this command to
limit the negotiation rate so that the number of tunnels negotiated simultaneously stays within a set
range, which improves negotiation efficiency.

Configuration Example #Set the IKE negotiation rate.
Ruijie(config)# crypto isakmp limit rate 500

Verification N/A


crypto isakmp mode-detect

Use this command to enable the local security gateway to automatically use the aggressive mode for
negotiation when it fails to complete IKE negotiation initiated by the peer in main mode.
crypto isakmp mode-detect

Use the no form of this command to disable the automatic aggressive mode.
no crypto isakmp mode-detect

Parameter Description
N/A N/A

Defaults When this command is not configured, only the main mode is adopted for negotiation by default.

Command Mode Global configuration mode

Default Level 14

Usage Guide Many vendors offer security products, but their implementations differ. Phase 1 of IKE negotiation
supports only two work modes. To ensure compatibility, use this command so that the device
automatically completes the negotiation in aggressive mode when an IKE negotiation initiated by the
peer cannot be completed in main mode.

Configuration Example #Enable the device to automatically identify negotiation initiated in aggressive mode.
Ruijie(config)# crypto isakmp mode-detect

Verification N/A

crypto isakmp nat keepalive

Use this command to configure the interval for sending NAT keepalive messages.
crypto isakmp nat keepalive secs

Use the no form of this command to cancel the configured interval for sending NAT keepalive
messages and restore the default transmission interval.
no crypto isakmp nat keepalive

Parameter Description
secs Indicates the keepalive duration of a tunnel in seconds. The value range is from 5 to 3,600.


Defaults The default value is 300 seconds.

Command Mode Global configuration mode

Default Level 14

Usage Guide The device complies with RFC3947 and uses the IPSEC NAT-T technology and UDP header to resolve
the NAT traversal problem. The keepalive mode is used for transmitting packets to prevent NAT
connection timeout. Run the crypto isakmp nat keepalive command to specify the interval for sending
keepalive messages. If the interval is not specified, the default value (300 seconds) is used.

Configuration Example #Set the interval for sending tunnel keepalive packets to 60 seconds.
Ruijie(config)# crypto isakmp nat keepalive 60

Verification N/A

crypto isakmp nat-traversal disable

Use this command to disable the NAT traversal function.


crypto isakmp nat-traversal disable

Use the no form of this command to enable the NAT traversal function.
no crypto isakmp nat-traversal disable

Parameter Description
N/A N/A

Defaults NAT traversal is enabled by default.

Command Mode Global configuration mode

Default Level 14

Usage Guide The protocols for implementing the NAT traversal function supported by devices of some vendors may
be incompatible. In special cases, disable the NAT traversal function to implement device interworking.

Configuration Example #Disable the NAT traversal function.
Ruijie(config)# crypto isakmp nat-traversal disable

Verification N/A


crypto isakmp next-payload disable

Use this command to disable the next-payload check.


crypto isakmp next-payload disable

Use the no form of this command to enable the next-payload check.


no crypto isakmp next-payload disable

Parameter Description
N/A N/A

Defaults By default, when DOI information cannot be identified, the device considers that the negotiation cannot
continue and returns a failure message.

Command Mode Global configuration mode

Default Level 14

Usage Guide After the next-payload check is disabled, the DOI field that cannot be identified is ignored and the
negotiation continues. However, if the reserved field is not 0 or the field length does not match the
length range, a failure message is still returned.

Configuration Example #Disable the next-payload check.
Ruijie(config)# crypto isakmp next-payload disable

Verification N/A

crypto isakmp peer

Use this command to specify the first peer that initiates negotiation in the case of multiple peers.
crypto isakmp peer { bind | random }

Use the no form of this command to cancel the priority of the specified first peer that initiates
negotiation.
no crypto isakmp peer

Parameter Description
bind Binds peers with IPSec dialup peer addresses when multiple peer addresses are configured for a 3G card. This parameter takes effect only in 3G networks. The first dialup maps to the first peer according to the configured sequence.
random Randomly selects the first peer that tries to initiate negotiation.

Defaults By default, the negotiation starts from the first peer according to the configured sequence.

Command Mode Global configuration mode

Default Level 14

Usage Guide When 3G links are used, if multiple dialup addresses configured for a 3G card map to peers in the
IPSec mapping set, enable the peer binding function to accelerate dialup. Otherwise, the device needs
to try multiple times to find the correct peer. It takes a long time to establish a tunnel for the first time.

Configuration Example #Enable the function of randomly selecting the tunnel connection address.
Ruijie(config)# crypto isakmp peer random

Verification N/A

crypto isakmp policy

Use this command to define an IKE policy of a certain priority and enter the IKE policy configuration
mode.
crypto isakmp policy priority

Use the no form of this command to delete the policy of a certain priority.
no crypto isakmp policy priority

Parameter Description
priority Indicates the priority of an IKE policy. The value is an integer in the range from 1 to 10,000, where 1 indicates the highest priority and 10,000 indicates the lowest priority.

Defaults There is no default priority.

Command Mode Global configuration mode

Default Level 14

Usage Guide Use this command to specify parameters for negotiating IKE SAs. Run this command to enter the IKE
policy configuration mode. In IKE policy configuration mode, you can set the following parameters:
encryption (IKE policy): The default value is 56-bit DES-CBC.
hash (IKE policy): The default value is SHA-1.
authentication (IKE policy): The default value is RSA signature.
group (IKE policy): The default value is the 768-bit Diffie-Hellman group.
lifetime (IKE policy): The default value is 86,400 seconds (1 day).
If a parameter is not set, the default value of the parameter is used. You can configure multiple IKE
policies on the device. After the IKE negotiation starts, the device tries to search for the public policy
configured at both ends, and the search starts from the policy with the specified highest priority on the
remote peer.
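The policy search described above (walk the remote peer's policies from highest priority down and take the first one a local policy matches), as an added Python model that is not Ruijie code. The policy attribute names and the use of the smaller of the two IKE SA lifetimes for the matched pair are assumptions.

```python
"""IKE Phase 1 policy search, as described under crypto isakmp policy.

Constructed Python model, not Ruijie code. Each peer holds IKE policies keyed by
priority (1 = highest, 10,000 = lowest); a policy attribute left unset uses the
default from the usage guide. The search walks the remote peer's policies from
its highest priority down and picks the first one that some local policy matches
on encryption, hash, authentication and DH group. Using min(local, remote) for the
IKE SA lifetime of the matched pair is an assumption.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


# Defaults listed in the usage guide: 56-bit DES-CBC, SHA-1, RSA signature,
# 768-bit Diffie-Hellman group (group 1), 86,400 s.
@dataclass(frozen=True)
class IkePolicy:
    encryption: str = "des"
    hash: str = "sha"
    authentication: str = "rsa-sig"
    group: int = 1
    lifetime: int = 86_400

    def matches(self, other: "IkePolicy") -> bool:
        """Lifetime is negotiated rather than matched, so it is left out here."""
        return (self.encryption == other.encryption
                and self.hash == other.hash
                and self.authentication == other.authentication
                and self.group == other.group)


def select_policy(local: Dict[int, IkePolicy],
                  remote: Dict[int, IkePolicy]) -> Optional[Tuple[int, int, IkePolicy]]:
    """Return (remote priority, local priority, agreed policy), or None.

    Remote policies are tried from the highest priority (lowest number) down;
    for each one, the local policies are scanned in priority order.
    """
    for rprio in sorted(remote):
        rpol = remote[rprio]
        for lprio in sorted(local):
            if local[lprio].matches(rpol):
                agreed = replace(rpol, lifetime=min(rpol.lifetime, local[lprio].lifetime))
                return rprio, lprio, agreed
    return None  # no common policy: IKE negotiation fails


if __name__ == "__main__":
    # Local policy 100 from the reference example: pre-share, des, group 2, sha.
    local = {100: IkePolicy("des", "sha", "pre-share", 2)}
    # Constructed remote peer: a policy we cannot match first, then one we can.
    remote = {10: IkePolicy("aes", "sha", "pre-share", 2),
              20: IkePolicy("des", "sha", "pre-share", 2, lifetime=3600)}
    print(select_policy(local, remote))  # (20, 100, IkePolicy(... lifetime=3600))
```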

Configuration Example #Configure an IKE policy with the priority of 100.
Ruijie(config)# crypto isakmp policy 100
Ruijie(isakmp-policy)# authentication pre-share
Ruijie(isakmp-policy)# encryption des
Ruijie(isakmp-policy)# group 2
Ruijie(isakmp-policy)# hash sha

Verification N/A

crypto isakmp vendorid disable

Use this command to disable the transmission of Ruijie vendor ID information during IKE negotiation.
crypto isakmp vendorid disable

Use the no form of this command to enable the transmission of Ruijie vendor ID information during
IKE negotiation.
no crypto isakmp vendorid disable

Parameter Description
N/A N/A

Defaults By default, Ruijie vendor ID information is transmitted during IKE negotiation.

Command Mode Global configuration mode

Default Level 14

Usage Guide Devices from some vendors cannot identify private vendor IDs during IKE negotiation, resulting in a
negotiation failure. In this case, use this command to disable transmission of Ruijie vendor ID
information.


Configuration Example #Disable transmission of vendor IDs during negotiation.
Ruijie(config)# crypto isakmp vendorid disable

Verification N/A

crypto map (global IPSec)

Use this command to create or modify an encryption mapping set.


crypto map map-name seq-num { ipsec-manual | ipsec-isakmp [ dynamic dynamic-map-name ] }

Use the no form of this command to cancel an encryption mapping set or entry.
no crypto map map-name [ seq-num ]

Parameter Description
map-name Indicates the name of an encryption mapping set.
seq-num Indicates the serial number of an encryption mapping entry. The value range is from 1 to 65535.
ipsec-manual Specifies that a mapping entry is used for manually configuring IPSec SAs.
ipsec-isakmp Specifies that a mapping entry is used for establishing IPSec SAs negotiated via IKE.
dynamic-map-name Specifies the name of a dynamic encryption mapping set that is used as a policy template.

Defaults No encryption mapping set is configured by default.

Command Mode Global configuration mode. Run this command to enter the encryption mapping configuration mode.

Default Level 14

Usage Guide To encrypt and protect data using IPSec, define an encryption mapping set and then apply it to a
specific interface. Define encryption communication parameters in the encryption mapping set. The
parameters include the following:
1. IPSec protection to be provided for communication: Associate a configured encryption access
list.
2. Destination address of the communication protected via IPSec: Specify the remote IPSec peer.
3. Local address used for IPSec communication: Apply the encryption mapping set to an interface.
IPSec uses the address of a communication interface as the address of the local peer.
4. IPSec security policies to be applied to communication: Select policies from the list composed of
one or more transformation sets.
5. SA lifetime
6. Information about whether SAs are manually configured or established via IKE


Encryption mapping entries that share the same encryption mapping name but have different mapping
SNs constitute one encryption mapping set. Apply the encryption mapping set to an interface. In this
way, all IP communication through the interface will be checked according to the encryption mapping
set applied to the interface. If outbound IP communication matches an encryption mapping entry and
needs to be protected, and IKE is specified in the encryption mapping entry, the device negotiates an
SA with the remote peer according to parameters specified in the encryption mapping entry. If manually
configured SAs are specified in the encryption mapping entry, an SA must be configured during the
configuration of the encryption mapping entry. Provided that an SA is successfully established, data
will be encrypted for transmission regardless of whether the SA is manually configured or established
via IKE. If the SA negotiation fails, data will be discarded.
Policies described in encryption mapping entries are used during SA association. To ensure smooth
IPSec communication between two IPSec peers, the encryption mapping entries of the two peers must
contain compatible configuration statements. When two peers try to establish an SA, each of the peers
must have one encryption mapping entry compatible with one encryption mapping entry of the other
peer, and the encryption mapping entry must meet at least the following conditions:
1. An encryption mapping entry must contain a compatible encryption access list (for example, a
mirror-image access list).
2. Encryption mapping entries of both peers must specify the peer address (unless the peer is using
a dynamic encryption mapping set).
3. The encryption mapping entries must share at least one identical transformation set.
4. Only one encryption mapping set is applied to a single interface. The encryption mapping set
specifies IPSec/IKE or the combination of IPSec and manually configured entries. To create
multiple encryption mapping entries for a specified interface, use the seq-num parameter to rank
these encryption mapping entries. A smaller value of seq-num indicates a higher priority.
Create multiple encryption mapping entries for one interface in either of the following cases:
1. Different data flows of the interface will be processed by different IPSec peers.
2. Different levels of IPSec security need to be applied to different types of communication (data
sent to the same or different peers), for example, the communication between devices in one
subnet needs to be authenticated while the communication between devices in another subnet
needs to be authenticated and encrypted. In this case, different types of communication should
be defined in two different ACLs, and one separate encryption mapping entry must be created for
each encryption access list.
For use of dynamic encryption mapping, see the section "crypto dynamic-map".
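As an added illustration (not code from the command reference or the RGOS implementation), the following Python model applies the rules described above to constructed crypto map entries: for an outbound flow the entry with the smallest seq-num whose ACL matches is used, and two peers' entries can negotiate an SA only if their ACLs are mirror images, each names the other's address as peer, and they share a transform set. All addresses, map names and transform set names are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    """One permit entry of an extended encryption ACL (source -> destination)."""
    src: IPv4Network
    dst: IPv4Network

    def matches(self, src: str, dst: str) -> bool:
        return IPv4Address(src) in self.src and IPv4Address(dst) in self.dst

    def mirror(self) -> "Ace":
        # The peer's "image" ACL is the same entry with source and destination swapped.
        return Ace(self.dst, self.src)


@dataclass
class CryptoMapEntry:
    map_name: str
    seq_num: int
    local_address: str          # address of the interface the mapping set is applied to
    peer: Optional[str]         # None when the entry comes from a dynamic mapping set
    transform_sets: List[str]
    acl: List[Ace]


def select_entry(entries: List[CryptoMapEntry], src: str, dst: str) -> Optional[CryptoMapEntry]:
    """Outbound lookup: entries of one set are tried in ascending seq-num order and the
    first one whose ACL permits the flow is used (smaller seq-num = higher priority)."""
    for entry in sorted(entries, key=lambda e: e.seq_num):
        if any(ace.matches(src, dst) for ace in entry.acl):
            return entry
    return None


def compatibility_problems(local: CryptoMapEntry, remote: CryptoMapEntry) -> List[str]:
    """Check the compatibility conditions the usage guide lists for a pair of entries;
    an empty list means the two peers can negotiate an SA for that flow."""
    problems = []
    if {ace.mirror() for ace in local.acl} != set(remote.acl):
        problems.append("access lists are not mirror images")
    if local.peer is not None and local.peer != remote.local_address:
        problems.append("local 'set peer' does not name the remote peer address")
    if remote.peer is not None and remote.peer != local.local_address:
        problems.append("remote 'set peer' does not name the local peer address")
    if not set(local.transform_sets) & set(remote.transform_sets):
        problems.append("no transform set in common")
    return problems


# Constructed sample: site A (1.1.1.1) applies set "mymap" with two entries to one interface.
net = IPv4Network
SITE_A = [
    CryptoMapEntry("mymap", 10, "1.1.1.1", "2.2.2.2", ["myset"],
                   [Ace(net("10.1.0.0/16"), net("10.0.0.0/8"))]),
    CryptoMapEntry("mymap", 3, "1.1.1.1", "3.3.3.3", ["myset", "strongset"],
                   [Ace(net("10.1.1.0/24"), net("10.3.3.0/24"))]),
]
# Site B (2.2.2.2): mirror-image ACL, points back at 1.1.1.1, shares "myset".
SITE_B_ENTRY = CryptoMapEntry("peer_b", 1, "2.2.2.2", "1.1.1.1", ["myset"],
                              [Ace(net("10.0.0.0/8"), net("10.1.0.0/16"))])
# Site C (3.3.3.3): ACL and peer are right, but no transform set in common.
SITE_C_ENTRY = CryptoMapEntry("peer_c", 1, "3.3.3.3", "1.1.1.1", ["otherset"],
                              [Ace(net("10.3.3.0/24"), net("10.1.1.0/24"))])


def demo():
    """Return (seq-num chosen for a flow to C, seq-num for a flow to B,
    problems negotiating with B, problems negotiating with C)."""
    to_c = select_entry(SITE_A, "10.1.1.5", "10.3.3.9")   # both entries match; seq 3 wins
    to_b = select_entry(SITE_A, "10.1.2.5", "10.2.0.9")   # only seq 10 matches
    return (to_c.seq_num, to_b.seq_num,
            compatibility_problems(to_b, SITE_B_ENTRY),
            compatibility_problems(to_c, SITE_C_ENTRY))


if __name__ == "__main__":
    print(demo())
```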

Configuration Example #Complete the minimum configuration for a manually configured IPSec SA.
Ruijie(config)# crypto map mymap 3 ipsec-manual
Ruijie(config-crypto-map)# set peer 2.2.2.2
Ruijie(config-crypto-map)# set session-key inbound esp 301 cipher abcdef1234567890
Ruijie(config-crypto-map)# set session-key outbound esp 300 cipher abcdef1234567890
Ruijie(config-crypto-map)# set transform-set myset
Ruijie(config-crypto-map)# match address 101


#Complete the minimum configuration for an IPSec SA negotiated via IKE.
Ruijie(config)# crypto map mymap 4 ipsec-isakmp
Ruijie(config-crypto-map)# set peer 2.2.2.2
Ruijie(config-crypto-map)# set transform-set myset
Ruijie(config-crypto-map)# match address 101

Verification N/A

crypto map (interface IPSec)

Use this command to apply a defined encryption mapping set to an interface.


crypto map map-name

Use the no form of this command to cancel the association between an interface and an encryption
mapping set.
no crypto map [map-name]

Parameter Description
map-name  Indicates the name of an encryption mapping set.

Defaults No encryption mapping set is applied to an interface by default.

Command Mode Interface configuration mode

Default Level 14

Usage Guide Use this command to apply an encryption mapping set to an interface. An encryption mapping set must
be applied to an interface so that IPSec encryption and protection can be provided for data on the
interface. One interface can be associated with only one encryption mapping set. If multiple encryption
mapping entries share the same map-name value but have different seq-num values, these
encryption mapping entries belong to the same encryption mapping set and are applied to the same
interface. The encryption mapping entry with a smaller seq-num value has a higher priority and is used
for data matching first.
One encryption mapping set can be configured only on one interface.

Configuration Example #Apply the encryption mapping set named mymap to Interface s0.
Ruijie(config)# interface serial 0
Ruijie(config-if)# crypto map mymap

Verification N/A


crypto map local-address

Use this command to specify the IPSec local address.


crypto map map-name local-address interface-type interface-number

Use the no form of this command to cancel the specified IPSec local address.
no crypto map map-name local-address

Parameter Description
map-name  Indicates the name of an IPSec encryption mapping set.
interface-type  Indicates the type of the interface of which the address is used as the IPSec local address.
interface-number  Indicates the serial number of the interface of which the address is used as the IPSec local address.

Defaults The address of the outbound interface of IPSec data is used as the IPSec local address by default.

Command Mode Global configuration mode

Default Level 14

Usage Guide If an encryption mapping set is applied to multiple interfaces and this command is not executed, the
device running RGOS creates an IPSec SA for each interface with the same remote peer and the
same ACL. The IP address of the interface that sends and receives encryption traffic is used as the
local address by default. After this command is executed to specify the local address, if the same
encryption mapping set is applied to multiple interfaces, only one IPSec SA is created for
communication.
If multiple interfaces on one device support IPSec communication, use this command to specify the
IPSec local address to facilitate management. In this way, the device running RGOS uses a fixed
address to communicate with external routers.
In general, it is recommended to use the IP address of the loopback interface as the IPSec local
address.

Configuration Example #Specify the address of the Loopback0 interface as the IPSec local address.
Ruijie(config)# crypto map mymap local-address loopback 0

Verification N/A

debug crypto engine

Use this command to enable the work status debugging function for the encryption card.


debug crypto engine

Use the no form of this command to disable the work status debugging function for the encryption
card.
no debug crypto engine

Parameter Description
N/A  N/A

Defaults The debugging function is disabled by default.

Command Mode Privileged EXEC mode

Default Level 14

Usage Guide N/A

Configuration Example #Enable the work status debugging function for the encryption card.
Ruijie# debug crypto engine

#Disable the work status debugging function for the encryption card.
Ruijie# no debug crypto engine

debug crypto ipsec

Use this command to enable the debugging function for IPSec packet forwarding.
debug crypto ipsec

Use the no form of this command to disable the debugging function for IPSec packet forwarding.
no debug crypto ipsec

Parameter Description
N/A  N/A

Defaults The debugging function is disabled by default.

Command Mode Privileged EXEC mode

Default Level 14


Usage Guide N/A

Configuration Example #Enable the debugging function for IPSec packet forwarding.
Ruijie# debug crypto ipsec

#Disable the debugging function for IPSec packet forwarding.
Ruijie# no debug crypto ipsec

Debugging Information
1. Packet encryption and decryption event
Debugging Information  can not find sa 727130249, vrf 0
Description  The SA with the SPI 727130249 is not found in vrf 0.
Cause  If a received packet needs to be decrypted, IPSec searches for an SA by SPI and other information in the packet for decryption. If no SA is found, the prompt above is displayed. This case mostly occurs in 3G links. IPSec configurations at both ends are inconsistent due to link instability, that is, an SA exists at one end but no SA exists at the other end.
Handling Suggestion  If this case occurs frequently, configure the IPSec keepalive mechanism, that is, DPD.

Note: VRF is not supported on NBR products. VRF-related cases are for reference only.

Debugging Information  packet need encrypto but not!
Description  IPSec receives an unencrypted packet that is supposed to be encrypted.
Cause  The possible cause is that IPSec is configured only at one end. When receiving an unencrypted packet, the device on which IPSec is configured discards the packet.
Handling Suggestion  Check the configurations at both ends.

debug crypto isakmp

Use this command to enable the IKE debugging function.


debug crypto isakmp

Use the no form of this command to disable the IKE debugging function.
no debug crypto isakmp

Parameter Description
N/A  N/A

Defaults The debugging function is disabled by default.


Command Mode Privileged EXEC mode

Default Level 14

Usage Guide N/A

Configuration Example #Enable the IKE debugging function.
Ruijie# debug crypto isakmp

#Disable the IKE debugging function.
Ruijie# no debug crypto isakmp

Debugging Information
1. Protocol packet event
Debugging Information  received packet from 9.9.9.1, (R) MM_SR1_WI2, MM_KEY_EXCH
Description  An IKE negotiation packet is received from 9.9.9.1 and the negotiation mode is main mode. When the packet is received, the local device has sent the first packet SR1 and is waiting for the second packet WI2 from the initiator.
Cause  Every function that processes received packets prints similar information during IKE negotiation.
Handling Suggestion  N/A

2. Policy matching event in Phase 1
Debugging Information  (main mode)process in I1:no fit sa attribute was accepted!
Description  When processing the first negotiation message I1 from the initiator, the receiver fails to find the proper Phase 1 policy configuration.
Cause  The Phase 1 policies configured on the receiver and initiator are inconsistent.
Handling Suggestion  Check whether IKE policy configurations at both ends are consistent.

3. Negotiation authentication event
Debugging Information  Check main mode hash payload fail!
Description  The IKE negotiation authentication fails in main mode.
Cause  The identity of the peer needs to be authenticated in the last phase of IKE negotiation. In pre-shared authentication mode, both parties need to use the configured pre-shared key to authenticate the peer.
Handling Suggestion  Check whether the pre-shared keys of both parties are consistent.
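As an added example (not part of the command reference), this Python triage helper recognises the debug crypto ipsec and debug crypto isakmp messages documented above and maps each to the cause and handling suggestion given for it; run over a constructed debug log, it reports which corrective actions apply. The threshold for treating "can not find sa" as frequent enough to warrant DPD is an assumption, since the reference only says "frequently".

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Patterns for the debug lines the command reference documents, each paired with the
# cause and handling suggestion it gives. The message texts are the page's; the
# regexes and the kind labels are written for this example.
RULES = [
    (re.compile(r"can not find sa (?P<spi>\d+), vrf (?P<vrf>\d+)"),
     "ipsec-missing-sa",
     "SA not found for inbound SPI; SA state is inconsistent between the peers",
     "configure IPSec keepalive (DPD)"),
    (re.compile(r"packet need encrypto but not!"),
     "ipsec-cleartext-dropped",
     "unencrypted packet received where IPSec protection is required",
     "check that IPSec is configured at both ends"),
    (re.compile(r"received packet from (?P<peer>[\d.]+), \((?P<role>[IR])\) "
                r"(?P<state>\S+), (?P<exch>\S+)"),
     "ike-packet",
     "IKE negotiation packet received (informational)",
     None),
    (re.compile(r"no fit sa attribute was accepted!"),
     "ike-phase1-policy-mismatch",
     "receiver found no Phase 1 policy matching the initiator's proposal",
     "compare IKE policy configurations at both ends"),
    (re.compile(r"Check main mode hash payload fail!"),
     "ike-auth-failure",
     "main mode authentication of the peer failed",
     "check that the pre-shared keys match"),
]


def classify(line: str) -> Dict[str, Optional[str]]:
    """Map one debug line to a kind, cause and action; named groups (spi, vrf,
    peer, role, state, exch) are added when the pattern captures them."""
    for pattern, kind, cause, action in RULES:
        match = pattern.search(line)
        if match:
            event = {"kind": kind, "cause": cause, "action": action}
            event.update(match.groupdict())
            return event
    return {"kind": "unknown", "cause": None, "action": None}


def triage(lines: List[str], missing_sa_threshold: int = 3) -> Dict[str, object]:
    """Count event kinds and collect the distinct actions, in order of first
    appearance. DPD is recommended only when the missing-SA message repeats at
    least missing_sa_threshold times (assumed cut-off for 'frequently')."""
    events = [classify(line) for line in lines if line.strip()]
    counts = Counter(event["kind"] for event in events)
    dpd = counts["ipsec-missing-sa"] >= missing_sa_threshold
    actions: List[str] = []
    for event in events:
        if event["action"] is None or event["action"] in actions:
            continue
        if event["kind"] == "ipsec-missing-sa" and not dpd:
            continue
        actions.append(event["action"])
    return {"counts": dict(counts), "dpd_recommended": dpd, "actions": actions}


# Constructed debug output combining the messages the reference documents.
SAMPLE_DEBUG = """\
received packet from 9.9.9.1, (R) MM_SR1_WI2, MM_KEY_EXCH
(main mode)process in I1:no fit sa attribute was accepted!
can not find sa 727130249, vrf 0
can not find sa 727130249, vrf 0
can not find sa 727130250, vrf 0
packet need encrypto but not!
Check main mode hash payload fail!
"""

if __name__ == "__main__":
    report = triage(SAMPLE_DEBUG.splitlines())
    for kind, count in report["counts"].items():
        print(f"{count:3d}  {kind}")
    for action in report["actions"]:
        print("action:", action)
```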


encryption (IKE policy)

Use this command to specify the encryption algorithm for IKE policies.
encryption { des | 3des | aes-128 | aes-192 | aes-256 }

Use the no form of this command to restore the default encryption algorithm.
no encryption

Parameter Description
des Specifies the 56-bit DES-CBC as the encryption algorithm.
3des Specifies the 168-bit DES-CBC as the encryption algorithm.
aes-128 Specifies the AES with the 128-bit key as the encryption algorithm.
aes-192 Specifies the AES with the 192-bit key as the encryption algorithm.
aes-256 Specifies the AES with the 256-bit key as the encryption algorithm.

Defaults The 56-bit DES-CBC encryption algorithm is used by default.

Command Mode IKE policy configuration mode

Default Level 14

Usage Guide The data encryption algorithm specified by this command is used for encryption of IKE SA data. It
differs from the encryption algorithm used by IPSec SAs.

Configuration Example #Specify DES as the encryption algorithm for IKE policies.
Ruijie(config)# crypto isakmp policy 10
Ruijie(isakmp-policy)# encryption des

Verification N/A

group (IKE policy)

Use this command to specify the ID of the Diffie-Hellman group in IKE policies.
group { 1 | 2 | 5 }

Use the no form of this command to restore the default ID of the Diffie-Hellman group.
no group

Parameter Description
1  Indicates the 768-bit Diffie-Hellman group.
2  Indicates the 1024-bit Diffie-Hellman group.
5  Indicates the 1536-bit Diffie-Hellman group.

Defaults The 768-bit Diffie-Hellman group (group 1) is used by default.

Command Mode IKE policy configuration mode

Default Level 14

Usage Guide Use this command to specify the Diffie-Hellman group to be used in an IKE policy.

Configuration Example #Specify the 1024-bit Diffie-Hellman group for an IKE policy.
Ruijie(config)# crypto isakmp policy 10
Ruijie(isakmp-policy)# group 2

Verification N/A


hash (IKE policy)

Use this command to specify the hash algorithm for IKE policies.
hash { sha | md5 }

Use the no form of this command to restore the default hash algorithm.
no hash

Parameter Description
sha Specifies SHA-1 (HMAC variant) as the hash algorithm.
md5 Specifies MD5 (HMAC variant) as the hash algorithm.

Defaults SHA is used as the hash algorithm by default.

Command Mode IKE policy configuration mode

Default Level 14

Usage Guide Use this command to specify the hash algorithm to be used in an IKE policy.


Configuration Example #Specify MD5 as the hash algorithm.
Ruijie(config)# crypto isakmp policy 10
Ruijie(isakmp-policy)# hash md5

Verification N/A

lifetime (IKE policy)

Use this command to specify the lifetime of IKE SAs.


lifetime seconds

Use the no form of this command to restore the default IKE SA lifetime.
no lifetime

Parameter Description
seconds  Indicates the IKE SA lifetime in seconds. The value is an integer in the range from 60 to 86,400.

Defaults The default value is 86,400 seconds (1 day).

Command Mode IKE policy configuration mode

Default Level 14

Usage Guide Use this command to specify the lifetime of IKE SAs. When starting negotiation, IKE first reaches an
agreement on session security parameters with the peer IKE. These consistent parameters will be
referenced by IKE SAs on each peer and are retained on each peer till the IKE SA lifetime times out.
A new SA must be negotiated prior to the expiration of the current SA.
IPSec SAs are negotiated on the basis of IKE SAs. Therefore, a longer lifetime should be configured
for IKE SAs to shorten the time required for negotiating IPSec SAs. However, the cracking probability
is directly proportional to the lifetime. A longer lifetime indicates a higher cracking probability while a
shorter lifetime indicates a lower cracking probability. Therefore, set a proper lifetime (for example,
43,200 seconds) as required.

Configuration Example #Set the IKE SA lifetime to 1,000 seconds.
Ruijie(config)# crypto isakmp policy 10
Ruijie(isakmp-policy)# lifetime 1000

Verification N/A


match address (IPSec)

Use this command to specify an ACL for an encryption mapping entry.


match address access-list-number

Use the no form of this command to delete an ACL from an encryption mapping entry.
no match address

Parameter Description
access-list-number  Indicates the ACL No. (100-199, 2000-2699, and 2900-3899). Encryption mapping entries use only IP extended ACLs.

Defaults No ACL is specified in encryption mapping entries.

Command Mode Encryption mapping configuration mode

Default Level 14

Usage Guide Use this command to specify an ACL for an encryption mapping entry. The device judges whether data
needs to be protected via IPSec according to the ACL in encryption mapping entry.
The ACL specified by this command is applied to both outbound and inbound communication. If it is
detected that outbound data matches the ACL and an SA is already established, the device encrypts
and forwards the data. If no SA is established, the device triggers the SA negotiation (using IKE). If it
is detected that inbound data matches the ACL, the device decrypts the encrypted data and directly
discards data that is not encrypted.

Configuration Example #Associate ACL 101 with the encryption mapping set named mymap.
Ruijie(config)# crypto map mymap 4 ipsec-isakmp
Ruijie(config-crypto-map)# match address 101

Verification N/A

match any

Use this command to specify the local IP address/subnet mask (0.0.0.0/0.0.0.0) and peer IP
address/subnet mask (0.0.0.0/0.0.0.0) of the interested flow.
match any

Use the no form of this command to cancel the specified interested flow with local IP address/subnet
mask (0.0.0.0/0.0.0.0) and peer IP address/subnet mask (0.0.0.0/0.0.0.0).
no match any


Parameter Description
N/A  N/A

Defaults The interested flow is not the flow from the local IP address/subnet mask (0.0.0.0/0.0.0.0) to the peer
IP address/subnet mask (0.0.0.0/0.0.0.0) by default.

Command Mode Encryption mapping configuration mode

Default Level 14

Usage Guide Use this command to specify the interested flow with the local IP address/subnet mask (0.0.0.0/0.0.0.0)
and peer IP address/subnet mask (0.0.0.0/0.0.0.0) for an encryption mapping set (profile). The
encryption mapping set (profile) is mainly used in IPSec over GRE and L2TP over IPSec.
If match any is configured in the encryption mapping set (profile) where IPSec over GRE is used, the
interested flow negotiated in Phase 2 is the flow from the local IP address/subnet mask (0.0.0.0/0.0.0.0)
to the peer IP address/subnet mask (0.0.0.0/0.0.0.0).

Configuration Example #Configure the interested flow in the encryption mapping set (profile) named test.
Ruijie(config)#crypto ipsec profile test
Ruijie(config-crypto-profile)#match any

Verification N/A

mode (IPSec)

Use this command to change the encryption transformation set mode.


mode { tunnel | transport }

Use the no form of this command to restore the default mode.


no mode

Parameter Description
tunnel Sets the transformation set mode to tunnel mode.
transport Sets the transformation set mode to transport mode.

Defaults The tunnel mode is used by default.

Command Mode Encryption transformation set configuration mode


Default Level 14

Usage Guide Mode setting is effective only to communication using addresses of IPSec peers as the source and
destination addresses, and is ineffective to other communication (other communication is made in
tunnel mode).
If the communication to be protected uses the IP addresses same as the IP addresses of IPSec peers
(that is, the source and destination IP addresses are both IP addresses of IPSec peers) and the
transport mode is specified, the device will apply for the transport mode during negotiation and the
device allows both the transport mode and tunnel mode. If the tunnel mode is specified, the device will
apply for the tunnel mode and allows only the tunnel mode.

Configuration Example #Set the transformation set mode to tunnel mode.
Ruijie(config)#crypto ipsec transform-set myset
Ruijie(cfg-crypto-trans)#mode tunnel

#Set the transformation set mode to transport mode.
Ruijie(cfg-crypto-trans)#mode transport

Verification N/A

reverse-route

Use this command to enable the reverse route injection function. When this command is configured,
the IPSec module automatically adds a static route destined for the peer end of a tunnel or a specified
IP address after the negotiation of the tunnel is completed.
reverse-route [ remote-peer ip-address ] [ distance ]

Use the no form of this command to disable the reverse route injection function.
no reverse-route [ remote-peer ip-address ] [ distance ]

Parameter Description
ip-address (Optional) Specifies the next-hop address.
distance Specifies the next-hop distance. The value range is from 1 to 255.

Defaults The reverse route injection function is disabled by default.

Command Mode Encryption mapping configuration mode

Default Level 14


Usage Guide You can run the show ip route command to display added routes.
You can run the debug crypto ipsec command to display information about added routes and deleted
routes.

Configuration Example #Enable the reverse route injection function in the mapping encryption entry named mymap.
Ruijie(config)# crypto map mymap 5 ipsec-isakmp
Ruijie(config-crypto-map)# reverse-route

Verification N/A

self-identity

Use this command to specify the form of the local identity.


self-identity { address | dn | fqdn fqdn | user-fqdn user-fqdn }

Use the no form of this command to restore the default local identity form.
no self-identity

Parameter Description
address  Indicates the local IP address.
dn  Uses the unique name of the router certificate as the identifier.
fqdn  Indicates the local domain name.
user-fqdn  Indicates the local username and domain name.

Defaults The local identity uses the local IP address by default.

Command Mode Global configuration mode

Default Level 14

Usage Guide Use this command to set the identity for the negotiation initiated in aggressive mode. You can use the
domain name or address to specify the local identity.

Configuration Example #Set the local identity.
Ruijie(config)# self-identity fqdn www.vpdn.com
Ruijie(config)# self-identity address

Verification N/A


set autoup

Use this command to set tunnel auto-connection.


set autoup

Use the no form of this command to restore the default configuration.


no set autoup

Parameter Description
N/A  N/A

Defaults Tunnel auto-connection is disabled by default.

Command Mode Encryption mapping configuration mode

Default Level 14

Usage Guide Use this command to prevent packet loss caused by tunnel negotiation. Use this function in scenarios
where data transmission is sensitive to tunnels and the tunnels need to be in the Up state at any time.

Configuration Example #Set the tunnel auto-connection.
Ruijie(config)# crypto map mymap 10 ipsec-isakmp
Ruijie(config-crypto-map)# set autoup

Verification N/A

set exchange-mode

Use this command to set the work mode used in Phase 1 of IKE negotiation between peers.
set exchange-mode { main | aggressive }

Use the no form of this command to restore the default work mode.
no set exchange-mode

Parameter Description
main Indicates the main mode.
aggressive Indicates the aggressive mode.

Defaults The main mode is used by default.


Command Mode Encryption mapping configuration mode

Default Level 14

Usage Guide The IKE negotiation includes two phases:
In Phase 1, a secure channel that passes authentication is established between two ISAKMP entities.
The main mode or aggressive mode can be adopted in this phase.
In Phase 2, service SAs are negotiated.
Select the required work mode in Phase 1 based on their advantages and disadvantages. The main
mode is adopted by default. When IP addresses are not statically configured, the aggressive mode is
recommended.

Configuration Example #Set the work mode to aggressive mode.
Ruijie(config)# crypto map mymap 10 ipsec-isakmp
Ruijie(config-crypto-map)# set exchange-mode aggressive

Verification N/A

set isakmp-policy

Use this command to specify a policy for negotiating a mapping set.


set isakmp-policy number

Use the no form of this command to cancel a policy for negotiation.


no set isakmp-policy

Parameter Description
number Indicates the serial number of the specified policy for negotiation.

Defaults No policy is specified for negotiation by default.

Command Mode Encryption mapping configuration mode

Default Level 14

Usage Guide In aggressive mode, the device in the branch sends the policy of the highest priority to the device in
the headquarters for negotiation by default. Therefore, if the same device in the branch negotiates with
multiple devices in the headquarters in aggressive mode, the policy of the highest priority on each
device in the headquarters needs to be consistent with that on the device in the branch, which reduces
device compatibility. Use this command to specify a policy for negotiating a mapping set. In this way,


the policy of the highest priority on each device in the headquarters does not need to be consistent
with that on the device in the branch. This command is effective only to static mapping sets and is
unavailable to dynamic mapping sets.

Configuration Example #Specify the policy with the serial number 2 for negotiation in the static mapping set named ruijie.
11.x_site1(config)#crypto map ruijie 100 ipsec-isakmp
11.x_site1(config-crypto-map)#set isakmp-policy 2

Verification N/A

set local (IPSec)

Use this command to specify the local IP address in an encryption mapping entry.
set local ip-address

Use the no form of this command to delete the local peer from an encryption mapping entry.
no set local ip-address

Parameter Description
ip-address Indicates the local IP address.

Defaults No local peer is specified by default.

Command Mode Encryption mapping configuration mode

Default Level 14

Usage Guide Use this command to set the local IP address used in the negotiation. The main address of the interface
is used for negotiation when the IP address is not configured. The specified IP address is used for
negotiation after configuration.

Configuration Example #Specify a local peer (2.2.2.2) in the mapping encryption entry named mymap.
Ruijie(config)# crypto map mymap 5 ipsec-isakmp
Ruijie(config-crypto-map)# set local 2.2.2.2

Verification N/A

set mtu

Use this command to set the IPSec pre-fragmentation mode (valid in tunnel mode).
set mtu length


Use the no form of this command to disable the IPSec pre-fragmentation mode.
no set mtu

Parameter Description
length  Indicates the size of a data packet fragment prior to encapsulation. The value range is from 512 to 1,500.

Defaults The IPSec pre-fragmentation mode is disabled by default.

Command Mode Encryption mapping configuration mode

Default Level 14

Usage Guide Specify the pre-fragmentation mode for IPSec tunnel encapsulation.

Configuration Example #Specify the pre-fragmentation mode in the encryption mapping set named mymap.
Ruijie(config)# crypto map mymap 5 ipsec-isakmp
Ruijie(config-crypto-map)# set mtu 1000

Verification N/A

set peer (IPSec)

Use this command to specify a remote peer in an encryption mapping entry.


set peer { hostname | ip-address }

Use the no form of this command to delete the remote peer from an encryption mapping entry.
no set peer { hostname | ip-address }

Parameter Description
ip-address Indicates the IP address of the remote peer.
hostname Indicates the host name of the remote peer.

Defaults No remote peer is specified by default.

Command Mode Encryption mapping configuration mode

Default Level 14


Usage Guide A remote peer must be specified for an encryption mapping entry in use.
When there are multiple certificate chains locally, specify the certificate chain according to each peer.
If no local certificate chain is specified, the peer certificate chain (CA certificate) is used for
authentication. When the peer certificate chain is not specified, the default certificate chain (CA
certificate) is used for authentication.

Configuration Example #Specify a remote peer (2.2.2.2) in the mapping encryption entry named mymap.
Ruijie(config)# crypto map mymap 5 ipsec-isakmp
Ruijie(config-crypto-map)# set peer 2.2.2.2

Verification N/A

set peer-identical

Use this command to specify multiple ACEs to use the same remote peer in the negotiation in Phase
2.
set peer-identical

Use the no form of this command to delete the same remote peer configured in multiple ACEs used in
the negotiation in Phase 2.
no set peer-identical

Parameter Description
N/A  N/A

Defaults No identical remote peer is specified for multiple ACEs in the negotiation in Phase 2 by default.

Command Mode Encryption mapping configuration mode

Default Level 14

Usage Guide When multiple ACEs are configured in an ACL and multiple remote peers are configured, use this
command to ensure that all ACEs use the same peer for negotiation.

Configuration Example #Specify ACEs to use the same remote peer in the encryption mapping entry named mymap.
Ruijie(config)# crypto map mymap 5 ipsec-isakmp
Ruijie(config-crypto-map)# set peer-identical

Verification N/A


set peer-preempt

Use this command to specify the remote peer of a higher priority to initiate preemption.
set peer-preempt

Use the no form of this command to cancel the configuration of requesting the remote peer of a higher
priority to initiate preemption.
no set peer-preempt

Parameter Description
N/A  N/A

Defaults No remote peer of a higher priority is specified to initiate preemption by default.

Command Mode Encryption mapping configuration mode

Default Level 14

Usage Guide Use the peer of a higher priority for negotiation when multiple remote peers are configured.
Multiple remote peers can be configured for one encryption mapping set. A remote peer configured
earlier has a priority higher than that of a remote peer configured later. The peer of a higher priority is
used for negotiation. When the device switches to another peer for negotiation after a tunnel is
interrupted, if the peer of a higher priority can initiate negotiation, the peer of the higher priority is used
for negotiation and forwarding and the tunnel negotiation using the peer of a lower priority is
interrupted. This command must be configured to implement the preceding functions.

Configuratio #Specify the remote peer of a higher priority to initiate preemption in the encryption mapping set named
n Example mymap.
Ruijie(config)# crypto map mymap 5 IPSec-isakmp
Ruijie(config-crypto-map)# set peer-preempt

Verification N/A

set pfs (IPSec)

Use this command to specify the Diffie-Hellman group ID used in IPSec tunnel encapsulation.
set pfs { group1 | group2 }

Use the no form of this command to cancel the Diffie-Hellman group ID used in tunnel encapsulation.
no set pfs

Parameter Description
group1 Indicates the 768-bit group.
group2 Indicates the 1024-bit group.

Defaults No Diffie-Hellman group is used by default.

Command Mode Encryption mapping configuration mode

Default Level 14

Usage Guide Specify the Diffie-Hellman group ID used in IPSec tunnel encapsulation.

Configuration Example #Specify the 1024-bit Diffie-Hellman group in the encryption mapping set named mymap.
Ruijie(config)# crypto map mymap 5 IPSec-isakmp
Ruijie(config-crypto-map)# set pfs group2

Verification N/A

set security-association lifetime

Use this command to set the global lifetime used for IPSec SA association in an encryption mapping
set.
set security-association lifetime { seconds seconds | kilobytes kilobytes }

Use the no form of this command to restore the default value of global lifetime used for IPSec SA
association in an encryption mapping set.
no set security-association lifetime { seconds | kilobytes }

Parameter Description
seconds seconds Indicates the SA timeout period in seconds. The value range is from 120 to 86400.
kilobytes kilobytes Indicates the timeout communication amount of an SA in kilobytes. The value range is from 2,560 to 536,870,912.

Defaults SAs in an encryption mapping set are negotiated based on the global lifetime.

Command Mode Encryption mapping configuration mode

Default Level 14

Usage Guide This command is effective only to encryption mapping entries used for negotiation of IPSec SAs
established via IKE and is unavailable to encryption mapping entries of SAs that are manually
configured.
By default, all IPSec SAs are negotiated based on the global lifetime. If a different lifetime is required
for SA negotiation for a specific destination IP address, use this command to change the lifetime in the
encryption mapping entry that uses this destination address for negotiation.

Note: This command changes the lifetime for IPSec SA negotiation in a specific encryption entry and
does not affect the global lifetime.

Configuration Example #Change the lifetime of Entry 5 to 2,500 seconds in the encryption mapping set named mymap.
Ruijie(config)# crypto map mymap 5 IPSec-isakmp
Ruijie(config-crypto-map)# set security-association lifetime seconds 2500

Verification N/A

set session-key

Use this command to set the SPIs and passwords for relevant algorithms for inbound and outbound
protected communication.
set session-key { inbound | outbound } ah spi hex-key-data
set session-key { inbound | outbound } esp spi { cipher hex-key-data | authenticator hex-key-
data }

Use the no form of this command to delete the SPIs and passwords of relevant algorithms.
no set session-key { inbound | outbound } ah
no set session-key { inbound | outbound } esp

Parameter Description
inbound The security parameters are applied to the inbound SA.
outbound The security parameters are applied to the outbound SA.
ah Specifies the AH as the authentication algorithm.
spi Indicates the SPI.
hex-key-data Indicates a password in hexadecimal notation.
esp Specifies the ESP as the authentication algorithm.
cipher Indicates the ESP encryption password.
authenticator Indicates the ESP authentication password.

Defaults No SPI or password of any algorithm is specified by default.

Command Mode Encryption mapping configuration mode

Default Level 14

Usage Guide This command is applicable only to manually configured SAs and is used only in IPSec-manual.

Configuration Example #Specify the ESP encapsulation in the encryption mapping set named mymap and set the
encapsulation and decapsulation passwords to abcdef1234567890.
Ruijie(config)# crypto map mymap 5 ipsec-manual
Ruijie(config-crypto-map)# set session-key inbound esp 301 cipher abcdef1234567890
Ruijie(config-crypto-map)# set session-key outbound esp 300 cipher abcdef1234567890

Verification N/A

set transform-set

Use this command to specify transformation sets to be used in an encryption mapping entry.
set transform-set transform-set-name1 [ transform-set-name2 ] [ transform-set-name3 ] [ transform-set-name4 ] [ transform-set-name5 ] [ transform-set-name6 ]

Use the no form of this command to delete all transformation sets from an encryption mapping entry.
no set transform-set

Parameter Description
transform-set-name1, [transform-set-name2], [transform-set-name3], [transform-set-name4], [transform-set-name5], [transform-set-name6] Indicates the name of a transformation set. A maximum of six transformation sets can be specified in one encryption mapping entry.

Defaults No transformation set is specified by default.

Command Mode Encryption mapping configuration mode

Default Level 14

Usage Guide A transformation set is indispensable for successful establishment of an SA. Use this command to
specify a transformation set when any encryption mapping set is configured.

Configuration Example #Specify the transformation set named myset in the encryption mapping entry.
Ruijie(config)# crypto IPSec transform-set myset esp-des esp-sha-hmac
Ruijie(config)# crypto map mymap 5 IPSec-isakmp
Ruijie(config-crypto-map)# set transform-set myset

Verification N/A

show crypto dynamic-map (IPSec)

Use this command to display dynamic encryption mapping information.
show crypto dynamic-map [ map-name ]

Parameter Description
map-name Indicates the name of an encryption mapping set.

Command Mode Privileged EXEC mode

Default Level 14

Usage Guide Use this command to display the dynamic encryption mapping sets configured on the device, including
the matching address list, the SA lifetime, the PFS setting and the transformation sets of each set.

Configuration Example #Display information about all dynamic encryption mapping sets.
Ruijie# show crypto dynamic-map
Crypto Map Template "mydmap" 1
No matching address list set.
Security association lifetime: 4608000 kilobytes/3600 seconds(id=34)
PFS (Y/N): N
Transform sets = { }

show crypto IPSec sa

Use this command to display information about the current active IPSec SA.
show crypto IPSec sa

Parameter Description
N/A N/A

Command Mode Privileged EXEC mode

Default Level 14

Usage Guide N/A

Configuration Example #Display information about the current active IPSec SA.
Interface: GigabitEthernet 1/0/0
Crypto map tag:mymap, local addr 2.2.2.3
media mtu 1500
sub_map type:static, seqno:7, id=0
local ident (addr/mask/prot/port): (2.2.2.3/0.0.0.0/0/0))
remote ident (addr/mask/prot/port): (2.2.2.2/0.0.0.0/0/0))
PERMIT
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#send errors 0, #recv errors 0
Inbound esp sas:
spi:0x79b8e4bb (2042160315)
transform: esp-3des
in use settings={Tunnel,}
crypto map mymap 7
sa timing: remaining key lifetime (k/sec): (4607000/3505)
IV size: 8 bytes
max reply windows size: 0
Replay detection support:Y

Outbound esp sas:
spi:0x293b8b55 (691768149)
transform: esp-3des
in use settings={Tunnel,}
crypto map mymap 7
sa timing: remaining key lifetime (k/sec): (4607000/3505)
IV size: 8 bytes
max reply windows size: 0
Replay detection support:Y

show crypto ipsec transform-set

Use this command to display information about transformation sets configured for the device.
show crypto IPSec transform-set

Parameter Description
N/A N/A

Command Mode Privileged EXEC mode

Default Level 14

Usage Guide N/A

Configuration Example #Display information about transformation sets configured for the device.
Ruijie# show crypto IPSec transform-set
transform set myset3: { esp-des,}
will negotiate = {Tunnel,}

show crypto isakmp policy

Use this command to display the IKE policy configured for the device.
show crypto isakmp policy

Parameter Description
N/A N/A

Command Mode Privileged EXEC mode

Default Level 14

Usage Guide N/A

Configuration Example #Display the IKE policy configured for the device.
Ruijie# show crypto isakmp policy
Protection suite of priority 9
encryption algorithm: 3DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 1000 seconds
Protection suite of priority 10
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 1000 seconds
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400seconds

show crypto isakmp sa

Use this command to display the current active IKE SA on the device.
show crypto isakmp sa

Parameter Description
N/A N/A

Command Mode Privileged EXEC mode

Default Level 14

Usage Guide N/A

Configuration Example #Display the current active IKE SA on the device.
Ruijie# show crypto isakmp sa
destination source state conn-id lifetime(second)
1.1.1.1 1.1.1.2 IKE_IDLE 59 32254

show crypto log

Use this command to display IPSec VPN login and logout logs.
show crypto log

Parameter Description
N/A N/A

Command Mode Privileged EXEC mode

Default Level 14

Usage Guide N/A

Configuration Example #Display IPSec VPN login and logout logs.
Ruijie # sh cr log
Time                 RemoteName  PeerIP/Port  Action  Reason       Interface  Proto:(Local)ip/mask/port <--> (Peer)ip/mask/port
-------------------- ----------- ------------ ------- ------------ ---------- --------------------------------------------------
2014-11-15-01:07:06  3.3.3.3     3.3.3.3/500  logout  DEL_IPS_PKT  Gi0/1      17:3.3.3.3/32/1701<-->3.3.3.3/32/1701
2014-11-15-01:07:06  3.3.3.3     3.3.3.3/500  logout  DEL_ISA_PKT  Gi0/1      NULL

show crypto log remotename

Use this command to display IPSec VPN login and logout logs that are filtered by peer name (or IP
address).
show crypto log remotename name

Parameter Description
name Specifies the peer name used for filtering and displaying logs.

Command Mode Privileged EXEC mode

Default Level 14

Usage Guide N/A

Configuration Example #Display IPSec VPN login and logout logs that are filtered by peer name (or IP address).
11.x_site1#show crypto log remotename 61.100.1.20

total log numbers: 184

Time                 RemoteName   PeerIP/Port      Action  Reason      Interface  Proto:(Local)ip/mask/port <--> (Peer)ip/mask/pot
-------------------- ------------ ---------------- ------- ----------- ---------- -------------------------------------------------
2015-10-16-03:50:14  61.100.1.20  61.100.1.20/500  login   NA          Gi0/2      NULL
2015-10-16-03:50:14  61.100.1.20  61.100.1.20/500  login   NA          Gi0/2      0:1.1.1.0/24/0<-->2.2.2.0/24/0
2015-10-16-03:55:50  61.100.1.20  61.100.1.20/500  logout  CLR_ISA_SA  Gi0/2      0:1.1.1.0/24/0<-->2.2.2.0/24/0
2015-10-16-03:56:51  61.100.1.20  61.100.1.20/500  logout  IDLE_TIMER  Gi0/2      NULL
Filter log numbers: 4
11.x_site1#

show crypto log remotename name start start_lines end end_lines

Use this command to display IPSec VPN login and logout logs that are filtered by peer name (or IP
address) and are in specified lines.
show crypto log remotename name start start_lines end end_lines

Parameter Description
name Specifies the peer name used for filtering and displaying logs.
start_lines Specifies the start line of logs to be displayed.
end_lines Specifies the end line of logs to be displayed.

Command Mode Privileged EXEC mode

Default Level 14

Usage Guide N/A

Configuration Example #Display IPSec VPN login and logout logs that are filtered by peer name (or IP address) and are in
specified lines.
11.x_site1#show crypto log remotename 61.100.1.20 start 1 end 2

total log numbers: 188

Time                 RemoteName   PeerIP/Port      Action  Reason  Interface  Proto:(Local)ip/mask/port <--> (Peer)ip/mask/pot
-------------------- ------------ ---------------- ------- ------- ---------- -------------------------------------------------
2015-10-16-03:50:14  61.100.1.20  61.100.1.20/500  login   NA      Gi0/2      NULL
2015-10-16-03:50:14  61.100.1.20  61.100.1.20/500  login   NA      Gi0/2      0:1.1.1.0/24/0<-->2.2.2.0/24/0
Filter log numbers: 4

show crypto log start start_lines end end_lines

Use this command to display IPSec VPN login and logout logs in specified lines.
show crypto log start start_lines end end_lines

Parameter Description
start_lines Specifies the start line of logs to be displayed.
end_lines Specifies the end line of logs to be displayed.

Command Mode Privileged EXEC mode

Default Level 14

Usage Guide N/A

Configuration Example #Display IPSec VPN login and logout logs in specified lines.
11.x_site1# show crypto log start 1 end 2

total log numbers: 184

Time                 RemoteName  PeerIP/Port  Action   Reason         Interface  Proto:(Local)ip/mask/port <--> (Peer)ip/mask/pot
-------------------- ----------- ------------ -------- -------------- ---------- -------------------------------------------------
2015-10-16-03:23:55  NO_NAME     (null)/0     restart  IPSEC_RESTART             NULL
2015-10-16-03:42:57  NO_NAME     (null)/0     restart  IPSEC_RESTART             NULL
11.x_site1#
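
The fields shown by the show crypto log commands (Time, RemoteName, PeerIP/Port, Action, Reason, Interface, Proto) are what an operator feeds into monitoring, for instance to spot a peer whose tunnel keeps going up and down. The parser and flap detector below is an added example, not device code; it assumes whitespace-separated records in that column order, assumes that restart records omit the Interface column, and runs on a constructed sample log.

```python
"""Parser and flap detector for the "show crypto log" output shown above.

Added example, not device code. A record is assumed to be whitespace-separated
in the column order of the command output (Time, RemoteName, PeerIP/Port,
Action, Reason, Interface, Proto); "restart" records are assumed to carry no
Interface column. The sample below is constructed for this example from the
field values seen in the chapter (login/logout/restart, CLR_ISA_SA, ...).
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

TIME_FMT = "%Y-%m-%d-%H:%M:%S"   # matches 2015-10-16-03:50:14

# Constructed sample log (not captured from a device).
SAMPLE_LOG = """\
Time RemoteName PeerIP/Port Action Reason Interface Proto:(Local)ip/mask/port <--> (Peer)ip/mask/port
-------------------- ----------- ------------ ------- ------------ ---------- --------------
2015-10-16-03:23:55 NO_NAME (null)/0 restart IPSEC_RESTART NULL
2015-10-16-03:50:14 61.100.1.20 61.100.1.20/500 login NA Gi0/2 NULL
2015-10-16-03:50:14 61.100.1.20 61.100.1.20/500 login NA Gi0/2 0:1.1.1.0/24/0<-->2.2.2.0/24/0
2015-10-16-03:55:50 61.100.1.20 61.100.1.20/500 logout CLR_ISA_SA Gi0/2 0:1.1.1.0/24/0<-->2.2.2.0/24/0
2015-10-16-03:56:51 61.100.1.20 61.100.1.20/500 logout IDLE_TIMER Gi0/2 NULL
2015-10-16-03:57:02 61.100.1.20 61.100.1.20/500 login NA Gi0/2 NULL
2015-10-16-03:58:40 61.100.1.20 61.100.1.20/500 logout DEL_ISA_PKT Gi0/2 NULL
2015-10-16-03:59:01 61.100.1.20 61.100.1.20/500 login NA Gi0/2 NULL
2015-10-16-04:01:10 61.100.1.20 61.100.1.20/500 logout DEL_ISA_PKT Gi0/2 NULL
2015-10-16-04:02:00 3.3.3.3 3.3.3.3/500 logout DEL_IPS_PKT Gi0/1 17:3.3.3.3/32/1701<-->3.3.3.3/32/1701
"""


@dataclass
class CryptoLogRecord:
    time: datetime
    remote_name: str
    peer: str                 # PeerIP/Port as printed, e.g. 61.100.1.20/500
    action: str               # login, logout or restart
    reason: str
    interface: Optional[str]  # None for restart records
    proto: str


def parse_record(line: str) -> Optional[CryptoLogRecord]:
    """Parse one record; return None for headers, dash rules and other non-record lines."""
    tokens = line.split()
    if len(tokens) not in (6, 7):
        return None
    try:
        when = datetime.strptime(tokens[0], TIME_FMT)
    except ValueError:
        return None   # header line or dash rule that happens to have 6 or 7 fields
    if len(tokens) == 7:
        iface, proto = tokens[5], tokens[6]
    else:
        iface, proto = None, tokens[5]   # assumed: restart records have no Interface
    return CryptoLogRecord(when, tokens[1], tokens[2], tokens[3], tokens[4], iface, proto)


def parse_log(text: str) -> List[CryptoLogRecord]:
    return [r for r in (parse_record(line) for line in text.splitlines()) if r is not None]


def _peer_ip(record: CryptoLogRecord) -> str:
    return record.peer.split("/")[0]


def reasons_by_peer(records: List[CryptoLogRecord]) -> Dict[str, Counter]:
    """Histogram of logout reasons per peer address."""
    out: Dict[str, Counter] = defaultdict(Counter)
    for r in records:
        if r.action == "logout":
            out[_peer_ip(r)][r.reason] += 1
    return dict(out)


def flapping_peers(records: List[CryptoLogRecord], window: timedelta = timedelta(minutes=10),
                   threshold: int = 3) -> List[str]:
    """Peers with at least `threshold` logouts inside any span of length `window`."""
    logouts: Dict[str, List[datetime]] = defaultdict(list)
    for r in records:
        if r.action == "logout":
            logouts[_peer_ip(r)].append(r.time)
    flapping = []
    for peer, times in logouts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):       # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flapping.append(peer)
                break
    return sorted(flapping)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("flapping peers:", flapping_peers(recs))
    print("logout reasons:", reasons_by_peer(recs))
```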

show crypto map (IPSec)

Use this command to display information about an encryption mapping set.
show crypto map [ map-name ]

Parameter Description
map-name Indicates the name of an encryption mapping set.

Command Mode Privileged EXEC mode

Default Level 14

Usage Guide N/A

Configuration Example #Display information about all encryption mapping sets.
Ruijie# show crypto map
Crypto Map:"mymap1" 1 IPSec-isakmp, (Complete)
Extended IP access list 100
Security association lifetime: 0 kilobytes/120 seconds(id=2)
PFS (Y/N): N
Transform sets = { myset3, }
Interfaces using crypto map mymap1:
GigabitEthernet 1/1/0


tunnel protection ipsec profile

Use this command to apply a defined encryption mapping set (profile) to a tunnel interface.
tunnel protection ipsec profile [ profile-name ]

Use the no form of this command to cancel the association between an interface and an encryption
mapping set.
no tunnel protection ipsec profile [ profile-name ]

Parameter Description
profile-name Indicates the name of an encryption mapping set (profile).

Defaults No encryption mapping set is applied to a tunnel interface by default.

Command Mode Interface configuration mode

Default Level 14

Usage Guide Use this command to apply an encryption mapping set to an interface. An encryption mapping set must
be applied to a tunnel interface so that IPSec encryption and protection can be provided for all packets
of the tunnel interface. One interface can be associated with only one encryption mapping set.

Note: Encryption mapping sets (profiles) can be applied only to tunnels that support GRE or IPIP. If
they are configured on an unsupported tunnel, or the tunnel mode is changed to a mode that is not
supported by the encryption mapping sets (profiles), the encryption mapping sets configured on the
tunnel interfaces will be deleted.

Configuration Example 1. #Apply the encryption mapping set named profile-name to Interface Tunnel 1.
Ruijie(config)# interface tunnel 1
Ruijie(config-if-Tunnel 1)# tunnel protection IPSec profile profile-name
2. #Apply the encryption mapping set named test to Interface virtual-ppp 1.
Ruijie(config)#crypto ipsec profile test
Ruijie(config-crypto-profile)#exit
Ruijie(config)#
Ruijie(config)#int virtual-ppp 1
Ruijie(config-if-Virtual-ppp 1)#tunnel protection ipsec profile test
Ruijie(config-if-Virtual-ppp 1)#exit
Ruijie(config)#

Verification N/A
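
The crypto map commands above state a number of constraints that are easy to violate when a configuration is assembled by hand: a transformation set is indispensable and at most six may be listed, set session-key is valid only in ipsec-manual entries, set security-association lifetime applies only to IKE-negotiated SAs and has fixed value ranges, set pfs accepts only group1 or group2, set peer-identical matters when several remote peers are configured, and a profile survives only on GRE or IPIP tunnels. The checker below is an added example, not Ruijie code; the CryptoMapEntry model and the ERROR/WARN wording are this example's own assumptions.

```python
"""Consistency checks for the crypto map entry settings in this chapter.

Added example, not Ruijie code. One "crypto map" entry is modelled as a
dataclass and checked against the constraints stated above for set
transform-set, set session-key, set security-association lifetime, set pfs,
set peer-identical and tunnel protection ipsec profile. The dataclass fields
and the ERROR/WARN wording are this example's own assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SECONDS_RANGE = (120, 86400)          # set security-association lifetime seconds
KILOBYTES_RANGE = (2560, 536870912)   # set security-association lifetime kilobytes
PFS_GROUPS = {"group1": 768, "group2": 1024}   # DH group ID -> modulus size in bits
MAX_TRANSFORM_SETS = 6
PROFILE_TUNNEL_MODES = {"gre", "ipip"}  # profiles are accepted only on these tunnels


@dataclass
class CryptoMapEntry:
    name: str
    seq: int
    kind: str                                   # "ipsec-isakmp" or "ipsec-manual"
    transform_sets: List[str] = field(default_factory=list)
    peers: List[str] = field(default_factory=list)
    peer_identical: bool = False
    pfs: Optional[str] = None                   # None (default), "group1" or "group2"
    lifetime_seconds: Optional[int] = None
    lifetime_kilobytes: Optional[int] = None
    session_keys: Dict[str, str] = field(default_factory=dict)  # direction -> "ah" or "esp"


def _in_range(value: int, bounds) -> bool:
    return bounds[0] <= value <= bounds[1]


def check_entry(e: CryptoMapEntry) -> List[str]:
    """Return findings prefixed ERROR or WARN; an empty list means the entry is consistent."""
    where = f"crypto map {e.name} {e.seq}"
    out: List[str] = []
    if e.kind not in ("ipsec-isakmp", "ipsec-manual"):
        return [f"ERROR {where}: unknown entry type {e.kind!r}"]

    # A transformation set is indispensable; at most six may be listed.
    if not e.transform_sets:
        out.append(f"ERROR {where}: no transform-set; no SA can be established")
    elif len(e.transform_sets) > MAX_TRANSFORM_SETS:
        out.append(f"ERROR {where}: {len(e.transform_sets)} transform sets exceed {MAX_TRANSFORM_SETS}")

    if e.kind == "ipsec-manual":
        # Manually keyed SAs need an inbound and an outbound session key; the
        # lifetime command applies only to IKE-negotiated SAs.
        for direction in ("inbound", "outbound"):
            if direction not in e.session_keys:
                out.append(f"ERROR {where}: ipsec-manual entry has no {direction} session key")
        if e.lifetime_seconds is not None or e.lifetime_kilobytes is not None:
            out.append(f"WARN {where}: security-association lifetime has no effect on manual SAs")
    else:
        if e.session_keys:
            out.append(f"ERROR {where}: set session-key is valid only in ipsec-manual entries")
        if e.lifetime_seconds is not None and not _in_range(e.lifetime_seconds, SECONDS_RANGE):
            out.append(f"ERROR {where}: lifetime {e.lifetime_seconds} s outside {SECONDS_RANGE}")
        if e.lifetime_kilobytes is not None and not _in_range(e.lifetime_kilobytes, KILOBYTES_RANGE):
            out.append(f"ERROR {where}: lifetime {e.lifetime_kilobytes} KB outside {KILOBYTES_RANGE}")
        if e.pfs is None:
            out.append(f"WARN {where}: PFS disabled (the default); consider set pfs")

    if e.pfs is not None and e.pfs not in PFS_GROUPS:
        out.append(f"ERROR {where}: unknown PFS group {e.pfs!r}")
    elif e.pfs == "group1":
        out.append(f"WARN {where}: {PFS_GROUPS['group1']}-bit Diffie-Hellman is considered weak")

    # With several remote peers, set peer-identical keeps every ACE on one peer.
    if len(e.peers) > 1 and not e.peer_identical:
        out.append(f"WARN {where}: {len(e.peers)} remote peers without set peer-identical")
    return out


def check_tunnel_profile(tunnel_mode: str, profile: Optional[str]) -> List[str]:
    """tunnel protection ipsec profile survives only on GRE or IPIP tunnels."""
    if profile is None or tunnel_mode.lower() in PROFILE_TUNNEL_MODES:
        return []
    return [f"ERROR tunnel mode {tunnel_mode!r}: profile {profile!r} would be deleted "
            f"(supported modes: {sorted(PROFILE_TUNNEL_MODES)})"]


def errors_only(findings: List[str]) -> List[str]:
    return [f for f in findings if f.startswith("ERROR")]


if __name__ == "__main__":
    entry = CryptoMapEntry("mymap", 5, "ipsec-isakmp", ["myset"], ["2.2.2.2"],
                           pfs="group2", lifetime_seconds=2500)
    for line in check_entry(entry) + check_tunnel_profile("gre", "test"):
        print(line)
```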

8-52
Command Reference AAA Commands

9 AAA Commands

aaa accounting commands

Use this command to configure NAS command accounting.
Use the no form of this command to restore the default setting.
aaa accounting commands level { default | list-name } start-stop method1 [ method2…]
no aaa accounting commands level { default | list-name }

Parameter Description
level Accounting command level, 0 to 15. Commands at this level are recorded before they are executed.
default When this parameter is used, the following defined method list is used as the default method for command accounting.
list-name Name of the command accounting method list, which can be any character string.
method It must be one of the following keywords. One method list can contain up to four methods.
none Does not perform accounting.
group Uses the server group for accounting; the TACACS+ server group is supported.

Defaults This function is disabled by default.

Command Mode Global configuration mode

Usage Guide RGOS enables the command accounting function after login authentication is enabled. After
accounting is enabled, the device sends the command information to the security server.
The configured command accounting method must be applied to the terminal line that needs command
accounting; otherwise it is ineffective.

Configuration Examples The following example enables NAS command accounting.
Ruijie(config)# aaa accounting commands 15 default start-stop group tacacs+

Related Commands
aaa new-model Enables the AAA security service.
aaa authentication Defines AAA authentication.
accounting commands Applies the accounting commands to the terminal line.

Platform Description N/A

aaa accounting exec

Use this command to enable NAS access accounting.
Use the no form of this command to restore the default setting.
aaa accounting exec { default | list-name } start-stop method1 [ method2...]
no aaa accounting exec { default | list-name }

Parameter Description
default When this parameter is used, the following defined method list is used as the default method for Exec accounting.
list-name Name of the Exec accounting method list, which can be any character string.
method It must be one of the keywords none and group. One method list can contain up to four methods.
none Does not perform accounting.
group Uses the server group for accounting; the RADIUS and TACACS+ server groups are supported.

Defaults This function is disabled by default.

Command Mode Global configuration mode

Usage Guide RGOS enables the Exec accounting function after login authentication is enabled.
After accounting is enabled, the device sends the accounting start message to the security server when
a user logs in to the NAS CLI, and sends the accounting stop message to the security server when the
user logs out. If no accounting start message was sent to the security server when a user logged in, no
accounting stop message is sent to the security server when that user logs out, either.
The configured Exec accounting method must be applied to the terminal line that needs Exec
accounting; otherwise it is ineffective.

Configuration Examples The following example enables NAS access accounting.
Ruijie(config)# aaa accounting exec default start-stop group radius

Related Commands
aaa new-model Enables the AAA security service.
aaa authentication Defines AAA authentication.
accounting commands Applies the Exec accounting to the terminal line.

Platform Description N/A

aaa accounting network

Use this command to enable network access accounting.
Use the no form of this command to restore the default setting.
aaa accounting network { default | list-name } start-stop method1 [ method2..]
no aaa accounting network { default | list-name }

Parameter Description
default When this parameter is used, the following defined method list is used as the default method for Network accounting.
list-name Name of the accounting method list.
start-stop An accounting packet is sent at both the start time and the end time of access. Users can access the network even when the accounting packet sent at the start time fails to enable accounting.
method It must be one of the following keywords. One method list can contain up to four methods.
none Does not perform accounting.
group Uses the server group for accounting; the RADIUS and TACACS+ server groups are supported.

Defaults This function is disabled by default.

Command Mode Global configuration mode

Usage Guide RGOS performs accounting of user activities by sending record attributes to the security server. Use
the start-stop keyword to set the user accounting option.

Verification Run the show aaa method-list command to display the configured network access accounting.

Configuration Examples The following example enables network access accounting.
Ruijie(config)# aaa accounting network default start-stop group radius

Notification 1. If no group is specified, an error prompt occurs.
%Group XXX is not existed
2. If the accounting method is not supported by the group, an error prompt occurs.
The accounting does not support this type of group
3. If the command is repeatedly run, the new configuration will overwrite the previous one.

Related Commands
aaa new-model Enables the AAA security service.
aaa authorization network Defines a network authorization method list.
aaa authentication Defines AAA authentication.
username Defines a local user database.

Platform Description N/A

aaa accounting update

Use this command to enable the accounting update function.
Use the no form of this command to restore the default setting.
aaa accounting update
no aaa accounting update

Parameter Description
N/A

Defaults This function is disabled by default.

Command Mode Global configuration mode

Usage Guide If the AAA security service is not enabled, the accounting update function cannot be used. This
command is used to set the accounting interval if the AAA security service has been enabled.

Configuration Examples The following example enables the accounting update function.
Ruijie(config)# aaa new-model
Ruijie(config)# aaa accounting update

Related Commands
aaa new-model Enables the AAA security service.
aaa accounting network Defines a network accounting method list.

Platform Description N/A


aaa accounting update periodic

Use this command to set the interval of sending the accounting update message.
Use the no form of this command to restore the default setting.
aaa accounting update periodic interval
no aaa accounting update periodic

Parameter Description
interval Interval of sending the accounting update message, in minutes. The shortest interval is 1 minute.

Defaults The default is 5 minutes.

Command Mode Global configuration mode

Usage Guide If the AAA security service is not enabled, the accounting update function cannot be used. This
command is used to set the accounting interval if the AAA security service has been enabled.
If the command is repeatedly run, the new configuration will overwrite the previous one.

Configuration Examples The following example sets the interval of accounting update to 1 minute.
Ruijie(config)# aaa new-model
Ruijie(config)# aaa accounting update
Ruijie(config)# aaa accounting update periodic 1

Verification Run the show aaa accounting update command to display the configured interval of accounting
update.

Related Commands
aaa new-model Enables the AAA security service.
aaa accounting network Defines a network accounting method list.

Platform Description N/A

aaa authentication enable

Use this command to enable AAA Enable authentication and configure the Enable authentication
method list.
Use the no form of this command to delete the user authentication method list.
aaa authentication enable default method1 [ method2...]
no aaa authentication enable default

Parameter Description
default When this parameter is used, the following defined authentication method list is used as the default method for Enable authentication.
method It must be one of the keywords local, none and group. One method list can contain up to four methods.
local Uses the local user name database for authentication.
none Does not perform authentication.
group Uses the server group for authentication. At present, the RADIUS and TACACS+ server groups are supported.
enable Enables AAA Enable authentication.

Defaults N/A

Command Mode Global configuration mode

Usage Guide If the AAA Enable authentication service is enabled on the device, users must use AAA for Enable
authentication negotiation. You must use the aaa authentication enable command to configure a
default or optional method list for Enable authentication.
The next method can be used for authentication only when the current method does not work.
The Enable authentication function automatically takes effect after configuring the Enable
authentication method list.

Configuration Examples The following example defines an AAA Enable authentication method list. In the authentication
method list, first the RADIUS security server is used for authentication. If the RADIUS security server
does not respond, the local user database is used for authentication.
Ruijie(config)# aaa authentication enable default group radius local

Related Commands
aaa new-model Enables the AAA security service.
enable Switches the user level.
username Defines a local user database.

Notification 1. If no group is specified, an error prompt occurs.
%Group XXX is not existed
2. If the accounting method is not supported by the group, an error prompt occurs.
The accounting does not support this type of group
3. If the command is repeatedly run, the new configuration will overwrite the previous one.

Platform Description N/A

aaa authentication iportal

Use this command to enable AAA Portal Web user authentication.
Use the no form of this command to delete the authentication method list.
aaa authentication iportal { default | list-name } method1 [ method2...]
no aaa authentication iportal { default | list-name }

Parameter Description
default When this parameter is used, the following defined authentication method list is used as the default method for Login authentication.
list-name Name of the user authentication method list, which can be any character string.
method It must be one of the keywords local, none, subs and group. One method list can contain up to four methods.
local Uses the local user name database for authentication.
none Does not perform authentication.
group Uses the server group for authentication. At present, the RADIUS server group is supported.
subs Uses the subs database for authentication.

Defaults N/A

Command Mode Global configuration mode

Usage Guide If the AAA Portal Web security service is enabled on the device, users must use AAA for Portal Web
authentication negotiation. You must use the aaa authentication iportal command to configure a
default or optional method list for Portal Web authentication.

Configuration Examples The following example defines an AAA Portal Web authentication method list named rds_web. First
the RADIUS security server is used for authentication. If the RADIUS security server does not
respond, the local user database is used for authentication.
Ruijie(config)# aaa authentication iportal rds_web group radius local

Related Commands
aaa new-model Enables the AAA security service.
login authentication Applies the Login authentication method to the terminal lines.
username Defines a local user database.

Platform Description N/A


aaa authentication login

Use this command to enable AAA Login authentication and configure the Login authentication
method list.
Use the no form of this command to delete the authentication method list.
aaa authentication login { default | list-name } method1 [ method2..]
no aaa authentication login { default | list-name }

Parameter Description
default When this parameter is used, the following defined authentication method list is used as the default method for Login authentication.
list-name Name of the user authentication method list, which can be any character string.
method It must be one of the keywords local, none, group and subs. One method list can contain up to four methods.
local Uses the local user name database for authentication.
none Does not perform authentication.
group Uses the server group for authentication. At present, the RADIUS and TACACS+ server groups are supported.
subs Uses the subs database for authentication.

Defaults N/A

Command Mode Global configuration mode

Usage Guide If the AAA Login authentication security service is enabled on the device, users must use AAA for
Login authentication negotiation. You must use the aaa authentication login command to configure
a default or optional method list for Login authentication.
The next method can be used for authentication only when the current method does not work.
You need to apply the configured Login authentication method to the terminal line which needs Login
authentication. Otherwise, the configured Login authentication method is invalid.

Configuration Examples The following example defines an AAA Login authentication method list named list-1. In the
authentication method list, first the RADIUS security server is used for authentication. If the RADIUS
security server does not respond, the local user database is used for authentication.
Ruijie(config)# aaa authentication login list-1 group radius local

Related Commands
aaa new-model Enables the AAA security service.
login authentication Applies the Login authentication method to the terminal lines.
username Defines a local user database.


Platform N/A
Description
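
The usage guides for aaa authentication enable, login and ppp all state the same fallback rule: the next method is used only when the current method does not work, for instance when the RADIUS server does not respond, not when a reachable server rejects the user. The evaluator below models that rule so it can be tested; it is an added example, not RGOS code, and its Result values and the constructed server verdicts are assumptions.

```python
"""Model of AAA method-list fallback as described for aaa authentication login
(and for enable and ppp): the next method is tried only when the current one
does not work, i.e. the server group does not respond. Added example, not RGOS
code; the Result values and the constructed server verdicts below are
assumptions used to make the fallback rule testable.
"""
from enum import Enum
from typing import Callable, Dict, List, Tuple

MAX_METHODS = 4   # one method list can contain up to four methods


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"   # a reachable server or the local database refused the user
    ERROR = "error"     # the method did not work (no response from the server group)


# A method takes (username, password) and returns a Result.
Method = Callable[[str, str], Result]
MethodList = List[Tuple[str, Method]]


def local_method(users: Dict[str, str]) -> Method:
    """'local': the user database built with the username command (constructed here)."""
    def run(user: str, password: str) -> Result:
        return Result.ACCEPT if users.get(user) == password else Result.REJECT
    return run


def group_method(verdicts: Dict[str, Result]) -> Method:
    """'group radius' / 'group tacacs+': replays a constructed verdict per user.
    A user with no verdict stands for a server that never answers."""
    def run(user: str, password: str) -> Result:
        return verdicts.get(user, Result.ERROR)
    return run


def none_method(user: str, password: str) -> Result:
    """'none': performs no authentication, so every login is accepted."""
    return Result.ACCEPT


def authenticate(method_list: MethodList, user: str, password: str) -> Tuple[Result, str]:
    """Walk the list in order and return the decisive Result and the method name.
    Only ERROR moves on to the next method; a REJECT is final. If every method
    errors out, the login fails with ERROR (there is no implicit 'none')."""
    for name, method in method_list:
        result = method(user, password)
        if result is not Result.ERROR:
            return result, name
    return Result.ERROR, "<exhausted>"


def lint_method_list(method_list: MethodList) -> List[str]:
    """Review findings for a method list: size limit and failure-mode risks."""
    names = [name for name, _ in method_list]
    findings: List[str] = []
    if len(names) > MAX_METHODS:
        findings.append(f"{len(names)} methods configured; a list holds at most {MAX_METHODS}")
    if "none" in names:
        findings.append("'none' is present: once the preceding methods error out, "
                        "logins are accepted without authentication")
    if names and names[-1].startswith("group"):
        findings.append("last method is a server group: if no server answers, "
                        "nobody can log in (no local fallback)")
    return findings


if __name__ == "__main__":
    radius = group_method({"admin": Result.ACCEPT, "bob": Result.REJECT})  # carol: no answer
    method_list = [("group radius", radius), ("local", local_method({"carol": "pw"}))]
    for user, pw in (("admin", "x"), ("bob", "x"), ("carol", "pw")):
        print(user, authenticate(method_list, user, pw))
```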

aaa authentication ppp

Use this command to enable the AAA authentication for PPP user and configure the PPP user
authentication method list.
Use the no form of this command to delete the authentication method list.
aaa authentication ppp { default | list-name } method1 [ method2...]
no aaa authentication ppp { default | list-name }

Parameter Description
  default     When this parameter is used, the following defined authentication method list is used as the default method for PPP user authentication.
  list-name   Name of the user authentication method list, which could be any character string.
  method      It must be one of the keywords: local, none, group and subs. One method list can contain up to four methods.
  local       Uses the local user name database for authentication.
  none        Does not perform authentication.
  group       Uses the server group for authentication. At present, the RADIUS server group is supported.
  subs        Uses the subs database for authentication.

Defaults N/A

Command Mode Global configuration mode

Usage Guide If the AAA PPP security service is enabled on the device, users must use AAA authentication for PPP negotiation. You must use the aaa authentication ppp command to configure a default or optional method list for PPP user authentication.
The next method is used for authentication only when the current method does not work.

Configuration Examples The following example defines an AAA authentication method list named rds_ppp for PPP sessions. In the authentication method list, the RADIUS security server is used first for authentication. If the RADIUS security server does not respond, the local user database is used for authentication.
Ruijie(config)# aaa authentication ppp rds_ppp group radius local

Related Commands
  aaa new-model       Enables the AAA security service.
  ppp authentication  Associates a specific method list with the PPP user.
  username            Defines a local user database.

Platform Description N/A

aaa authentication sslvpn

Use this command to enable AAA authentication for the SSL VPN user and configure the SSL VPN
user authentication method list.
Use the no form of this command to delete the authentication method list.
aaa authentication sslvpn { default | list-name } method1 [ method2...]
no aaa authentication sslvpn { default | list-name }

Parameter Description
  default     When this parameter is used, the following defined authentication method list is used as the default method for SSL VPN user authentication.
  list-name   Name of the SSL VPN user authentication method list, which could be any character string.
  method      It must be one of the keywords: local, none, subs and group. One method list can contain up to four methods.
  local       Uses the local user name database for authentication.
  none        Does not perform authentication.
  group       Uses the server group for authentication. At present, the RADIUS server group is supported.
  subs        Uses the subs database for authentication.

Defaults N/A

Command Mode Global configuration mode

Usage Guide If the SSL VPN security service is enabled on the device, users must use AAA authentication for SSL VPN negotiation. You must use the aaa authentication sslvpn command to configure a default or optional method list for user authentication.
The next method is used for authentication only when the current method does not work.

Configuration Examples The following example defines an AAA authentication method list named rds_sslvpn for SSL VPN sessions. In the authentication method list, the RADIUS security server is used first for authentication. If the RADIUS security server does not respond, the local user database is used for authentication.
Ruijie(config)# aaa authentication sslvpn rds_sslvpn group radius local

Related Commands
  N/A   N/A

Platform Description N/A

aaa authorization commands

Use this command to authorize the command executed by the user who has logged in the NAS CLI.
Use the no form of this command to restore the default setting.
aaa authorization commands level { default | list-name } method1 [ method2...]
no aaa authorization commands level { default | list-name }

Parameter Description
  level       Command level to be authorized, in the range from 0 to 15.
  default     When this parameter is used, the following defined method list is used as the default method for command authorization.
  list-name   Name of the user authorization method list, which could be any character string.
  method      It must be one of the keywords: none and group. One method list can contain up to four methods.
  none        Does not perform authorization.
  group       Uses the server group for authorization. At present, the TACACS+ server group is supported.

Defaults This function is disabled by default.

Command Mode Global configuration mode

Usage Guide RGOS supports authorization of the commands executed by users. When a user enters a command and attempts to execute it, AAA sends the command to the security server. The command is executed only if the security server allows it; otherwise, a command-denied prompt is displayed.
You must specify the command level when configuring command authorization; the specified level is the default command level.
The configured command authorization method must be applied to the terminal line that requires command authorization. Otherwise, the configured command authorization method is ineffective.

Configuration Examples The following example uses the TACACS+ server to authorize level 15 commands.
Ruijie(config)# aaa authorization commands 15 default group tacacs+

Related Commands
  aaa new-model           Enables the AAA security service.
  authorization commands  Applies the command authorization to the terminal line.

Platform Description N/A

aaa authorization config-commands

Use this command to authorize the configuration commands (including in the global configuration
mode and its sub-mode).
Use the no form of this command to restore the default setting.
aaa authorization config-commands
no aaa authorization config-commands

Parameter Description
  N/A   N/A

Defaults This function is disabled by default.

Command Mode Global configuration mode

Usage Guide If you only need to authorize commands in non-configuration modes (for example, privileged EXEC mode), use the no form of this command to disable authorization in configuration mode, so that commands in the global configuration mode and its sub-modes are executed without command authorization.

Configuration Examples The following example enables the configuration command authorization function.
Ruijie(config)# aaa authorization config-commands

Related Commands
  aaa new-model               Enables the AAA security service.
  aaa authorization commands  Defines the AAA command authorization.

Platform Description N/A

aaa authorization console

Use this command to authorize the commands of the users who have logged in the console.
Use the no form of this command to restore the default setting.
aaa authorization console
no aaa authorization console

Parameter Description
  N/A   N/A

Defaults This function is disabled by default.

Command Mode Global configuration mode

Usage Guide RGOS can distinguish users logged in from the console from users logged in from other terminals, so you can configure whether users logged in from the console are authorized. If the command authorization function is disabled on the console, the authorization method list applied to the console line is ineffective.

Configuration Examples The following example enables the aaa authorization console function.
Ruijie(config)# aaa authorization console

Related Commands
  aaa new-model               Enables the AAA security service.
  aaa authorization commands  Defines the AAA command authorization.
  authorization commands      Applies the command authorization to the terminal line.

Platform Description N/A

aaa authorization exec

Use this command to authorize the users logged in the NAS CLI and assign the authority level.
Use the no form of this command to restore the default setting.
aaa authorization exec { default | list-name } method1 [ method2...]
no aaa authorization exec { default | list-name }

Parameter Description
  default     When this parameter is used, the following defined method list is used as the default method for Exec authorization.
  list-name   Name of the user authorization method list, which could be any character string.
  method      It must be one of the keywords listed below. One method list can contain up to four methods.
  local       Uses the local user name database for authorization.
  none        Does not perform authorization.
  group       Uses the server group for authorization. At present, the RADIUS server group is supported.

Defaults This function is disabled by default.

Command Mode Global configuration mode

Usage Guide RGOS supports authorization of users logged in to the NAS CLI and assignment of the CLI authority level (0-15). The aaa authorization exec function takes effect only when the Login authentication function has been enabled. If exec authorization fails, the user cannot enter the CLI.
You must apply the exec authorization method to the terminal line; otherwise, the configured method is ineffective.

Configuration Examples The following example uses the RADIUS server for Exec authorization.
Ruijie(config)# aaa authorization exec default group radius

Related Commands
  aaa new-model       Enables the AAA security service.
  authorization exec  Applies the exec authorization to the terminal line.
  username            Defines a local user database.

Platform Description N/A

aaa authorization network

Use this command to authorize the service requests (including such protocols as PPP and SLIP)
from the users that access the network.
Use the no form of this command to restore the default setting.
aaa authorization network { default | list-name } method1 [ method2...]
no aaa authorization network { default | list-name }

Parameter Description
  default     When this parameter is used, the following defined method list is used as the default method for Network authorization.
  method      It must be one of the keywords: none and group. One method list can contain up to four methods.
  none        Does not perform authorization.
  group       Uses the server group for authorization. At present, the RADIUS server group is supported.

Defaults This function is disabled by default.

Command Mode Global configuration mode

Usage Guide RGOS supports authorization of all network-related service requests, such as PPP and SLIP. If authorization is configured, all authenticated users or interfaces are authorized automatically.
Three different authorization methods can be specified. As with authentication, the next method is used for authorization only when the current authorization method does not work (for example, the server does not respond). If the current authorization method fails, the subsequent authorization methods are not used.
The RADIUS server authorizes authenticated users by returning a series of attributes. Therefore, RADIUS authorization is based on RADIUS authentication and is performed only when the user passes RADIUS authentication.

Configuration Examples The following example uses the RADIUS server to authorize network services.
Ruijie(config)# aaa authorization network default group radius

Related Commands
  aaa new-model       Enables the AAA security service.
  aaa accounting      Defines AAA accounting.
  aaa authentication  Defines AAA authentication.
  username            Defines a local user database.

Platform Description N/A
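The method-list rules stated in the usage guides above (fall through to the next method only when the current one does not respond; a reject is final) decide what a list such as group radius local or a list ending in none actually does. The following model is an added example, not RGOS code; the three-way Outcome, the in-memory user tables, the sample show aaa method-list text and the fail_open_lists() audit are constructed assumptions.

```python
"""Model of how an RGOS-style AAA method list is evaluated (added example).

Assumptions: a method answers ACCEPT, REJECT or NO_RESPONSE; only NO_RESPONSE
moves evaluation on to the next method, as the usage guides for
aaa authentication login and aaa authorization network describe.
"""
from enum import Enum
from typing import Callable, Dict, List, Optional


class Outcome(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    NO_RESPONSE = "no-response"   # server group unreachable or timed out


# A method takes (user, password) and returns an Outcome.
Method = Callable[[str, str], Outcome]


def local_method(users: Dict[str, str]) -> Method:
    """'local': the local user name database (constructed dict user -> password)."""
    def run(user: str, password: str) -> Outcome:
        return Outcome.ACCEPT if users.get(user) == password else Outcome.REJECT
    return run


def none_method() -> Method:
    """'none': no authentication is performed, so every user is accepted."""
    return lambda user, password: Outcome.ACCEPT


def group_method(users: Optional[Dict[str, str]]) -> Method:
    """'group <name>': a RADIUS/TACACS+ server group; users=None models a group
    whose servers never answer, which is the case that triggers fallback."""
    def run(user: str, password: str) -> Outcome:
        if users is None:
            return Outcome.NO_RESPONSE
        return Outcome.ACCEPT if users.get(user) == password else Outcome.REJECT
    return run


def evaluate(method_list: List[Method], user: str, password: str) -> Outcome:
    """Walk the list in order. Only NO_RESPONSE moves on to the next method;
    ACCEPT and REJECT are final, so 'group radius local' does not consult the
    local database when RADIUS answers with a reject."""
    result = Outcome.NO_RESPONSE
    for method in method_list:
        result = method(user, password)
        if result is not Outcome.NO_RESPONSE:
            break
    return result   # NO_RESPONSE here means every method was unreachable


def fail_open_lists(show_method_list_output: str) -> List[str]:
    """Audit 'show aaa method-list' output: return '<kind> <type> <list>' for
    each list in which 'none' comes after a 'group' method. With every server
    of the group down, such a list accepts any user without a credential check."""
    flagged = []
    for line in show_method_list_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "aaa":
            continue
        methods = parts[4:]          # tokens after 'aaa <kind> <type> <list-name>'
        if ("group" in methods and "none" in methods
                and methods.index("none") > methods.index("group")):
            flagged.append(" ".join(parts[1:4]))
    return flagged


# Constructed sample data.
RADIUS_USERS = {"alice": "radius-pw"}              # known to the RADIUS group only
LOCAL_USERS = {"alice": "local-pw", "bob": "bob-pw"}

SHOW_METHOD_LIST = """\
aaa authentication login default group radius
aaa authentication dot1x san-f local group angel group rain none
aaa accounting network default start-stop group radius
"""

if __name__ == "__main__":
    radius_up = [group_method(RADIUS_USERS), local_method(LOCAL_USERS)]
    radius_down = [group_method(None), local_method(LOCAL_USERS)]
    print("radius up,   bob:", evaluate(radius_up, "bob", "bob-pw").value)    # reject
    print("radius down, bob:", evaluate(radius_down, "bob", "bob-pw").value)  # accept
    print("fail-open lists:", fail_open_lists(SHOW_METHOD_LIST))
```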

aaa domain

Use this command to configure the domain attributes.
Use the no form of this command to restore the default setting.
aaa domain { default | domain-name }
no aaa domain { default | domain-name }

Parameter Description
  default       Uses this parameter to configure the default domain.
  domain-name   The name of the specified domain.

Defaults No domain is configured by default.

Command Mode Global configuration mode

Usage Guide Use this command to configure the domain-name-based AAA service. The default keyword configures the default domain, whose method lists the network device uses for users whose user names carry no domain information. The domain-name argument specifies a named domain; for users whose user names carry this domain name, the method lists associated with the domain are used. At present, the system can configure up to 32 domains.

Configuration Examples The following example configures the domain name.
Ruijie(config)# aaa domain ruijie.com
Ruijie(config-aaa-domain)#

Related Commands
  aaa new-model      Enables the AAA security service.
  aaa domain enable  Enables the domain-name-based AAA service.
  show aaa domain    Displays the domain configuration.

Platform Description N/A

aaa domain enable

Use this command to enable the domain-name-based AAA service.
Use the no form of this command to restore the default setting.
aaa domain enable
no aaa domain enable

Parameter Description
  N/A   N/A

Defaults This function is disabled by default.

Command Mode Global configuration mode

Usage Guide To configure the domain-name-based AAA service, enable this service first.

Configuration Examples The following example enables the domain-name-based AAA service.
Ruijie(config)# aaa domain enable

Related Commands
  aaa new-model    Enables the AAA security service.
  show aaa domain  Displays the domain configuration.

Platform Description N/A

aaa local authentication attempts

Use this command to set the maximum number of login attempts.
aaa local authentication attempts max-attempts

Parameter Description
  max-attempts   Maximum number of login attempts, in the range from 1 to 2,147,483,647.

Defaults The default is 3.

Command Mode Global configuration mode

Usage Guide Use this command to configure the maximum number of login attempts.

Configuration Examples The following example sets the maximum number of login attempts to 6.
Ruijie# configure terminal
Ruijie(config)# aaa local authentication attempts 6

Related Commands
  show running-config  Displays the current configuration of the switch.
  show aaa lockout     Displays the lockout configuration parameters of the current login.

Platform Description N/A

aaa local authentication lockout-time

Use this command to configure the lockout period applied when a login user exceeds the allowed number of attempts.
aaa local authentication lockout-time lockout-time

Parameter Description
  lockout-time   Lockout period in minutes, in the range from 1 to 2,147,483,647.

Defaults The default is 15 minutes.

Command Mode Global configuration mode

Usage Guide Use this command to configure the length of the lockout period applied when a login user exceeds the allowed number of attempts.

Configuration Examples The following example sets the lockout period to 5 minutes.
Ruijie# configure terminal
Ruijie(config)# aaa local authentication lockout-time 5

Related Commands
  show running-config  Displays the current configuration of the switch.
  show aaa lockout     Displays the lockout configuration parameters of the current login.

Platform Description N/A

aaa local user allow public account

Use this command to allow a local account (username or subs) to be shared by multiple terminals with Web authentication configured or built in.
aaa local user allow public account

Parameter Description
  N/A   N/A

Defaults By default, one local account cannot be shared by multiple terminals.

Command Mode Global configuration mode

Usage Guide N/A

Configuration Examples The following example allows a local account (username or subs) to be shared by multiple terminals with Web authentication configured or built in.
Ruijie# configure terminal
Ruijie(config)# aaa local user allow public account

Related Commands
  N/A   N/A

Platform Description

aaa log enable

Use this command to enable the system to print the syslog informing of AAA authentication success.
Use the no form of this command to restore the default setting.
aaa log enable
no aaa log enable

Parameter Description
  N/A   N/A

Defaults This function is disabled by default.

Command Mode Global configuration mode

Usage Guide Use this command to enable the system to print the syslog informing of AAA authentication success.

Configuration Examples The following example disables printing of the syslog informing of AAA authentication success.
Ruijie(config)# no aaa log enable

Related Commands
  N/A   N/A

Platform Description N/A

aaa log rate-limit

Use this command to set the rate at which the syslog informing of AAA authentication success is printed.
Use the no form of this command to restore the default printing rate.
aaa log rate-limit num
no aaa log rate-limit

Parameter Description
  num   The number of syslog entries printed per second, in the range from 0 to 65,535. 0 indicates that the printing rate is not limited.

Defaults The default is 5.

Command Mode Global configuration mode

Usage Guide Excessive printing may flood the screen or even reduce device performance. In this case, use this command to adjust the printing rate.

Configuration Examples The following example sets the rate of printing the syslog informing of AAA authentication success to 10 entries per second.
Ruijie(config)# aaa log rate-limit 10

Related Commands
  N/A   N/A

Platform Description N/A

aaa new-model

Use this command to enable the RGOS AAA security service.
Use the no form of this command to restore the default setting.
aaa new-model
no aaa new-model

Parameter Description
  N/A   N/A

Defaults This function is disabled by default.

Command Mode Global configuration mode

Usage Guide Use this command to enable AAA. If AAA is not enabled, none of the AAA commands can be configured.

Configuration Examples The following example enables the AAA security service.
Ruijie(config)# aaa new-model

Related Commands
  aaa authentication  Defines a user authentication method list.
  aaa authorization   Defines a user authorization method list.
  aaa accounting      Defines a user accounting method list.

Platform Description N/A

access-limit

Use this command to configure the user number limit for the domain, which is only valid for IEEE802.1x users.
Use the no form of this command to restore the default setting.
access-limit num
no access-limit

Parameter Description
  num   The user number limit, which is only valid for IEEE802.1x users.

Defaults By default, the number of users is not limited.

Command Mode Domain configuration mode

Usage Guide This command limits the number of users for the domain.

Configuration Examples The following example sets the number of users to 20 for the domain named ruijie.com.
Ruijie(config)# aaa domain ruijie.com
Ruijie(config-aaa-domain)# access-limit 2

Related Commands
  aaa new-model      Enables the AAA security service.
  aaa domain enable  Enables the domain-name-based AAA service.
  show aaa domain    Displays the domain configuration.

Platform Description N/A

accounting network

Use this command to configure the Network accounting list.
Use the no form of this command to restore the default setting.
accounting network { default | list-name }
no accounting network

Parameter Description
  default     Uses this parameter to specify the default method list.
  list-name   The name of the network accounting list.

Defaults If no method list is specified, the device attempts to use the default method list when a user sends a request.

Command Mode Domain configuration mode

Usage Guide Use this command to configure the Network accounting method list for the specified domain.

Configuration Examples The following example sets the Network accounting method list for the specified domain.
Ruijie(config)# aaa domain ruijie.com
Ruijie(config-aaa-domain)# accounting network default

Related Commands
  aaa new-model      Enables the AAA security service.
  aaa domain enable  Enables the domain-name-based AAA service.
  show aaa domain    Displays the domain configuration.

Platform Description N/A

authentication dot1x

Use this command to configure the IEEE802.1x authentication list.
Use the no form of this command to restore the default setting.
authentication dot1x { default | list-name }
no authentication dot1x

Parameter Description
  default     Uses this parameter to specify the default method list.
  list-name   The name of the specified method list.

Defaults If no method list is specified, the device attempts to use the default method list when a user sends a request.

Command Mode Domain configuration mode

Usage Guide Specify an IEEE802.1x authentication method list for the domain.

Configuration Examples The following example sets an IEEE802.1x authentication method list for the specified domain.
Ruijie(config)# aaa domain ruijie.com
Ruijie(config-aaa-domain)# authentication dot1x default

Related Commands
  aaa new-model      Enables the AAA security service.
  aaa domain enable  Enables the domain-name-based AAA service.
  show aaa domain    Displays the domain configuration.

Platform Description N/A

authorization network

Use this command to configure the Network authorization list.
Use the no form of this command to restore the default setting.
authorization network { default | list-name }
no authorization network

Parameter Description
  default     Uses this parameter to specify the default method list.
  list-name   The name of the specified method list.

Defaults If no method list is specified, the device attempts to use the default method list when a user sends a request.

Command Mode Domain configuration mode

Usage Guide Specify a Network authorization method list for the domain.

Configuration Examples The following example sets a Network authorization method list for the specified domain.
Ruijie(config)# aaa domain ruijie.com
Ruijie(config-aaa-domain)# authorization network default

Related Commands
  aaa new-model      Enables the AAA security service.
  aaa domain enable  Enables the domain-name-based AAA service.
  show aaa domain    Displays the domain configuration.

Platform Description N/A

clear aaa local user lockout

Use this command to clear the lockout user list.
clear aaa local user lockout { all | user-name word }

Parameter Description
  all              Indicates all locked users.
  user-name word   Indicates the ID of the locked user.

Defaults N/A

Command Mode Privileged EXEC mode

Usage Guide Use this command to clear the whole lockout user list or the entry of a specified user.

Configuration Examples The following example clears the lockout user list.
Ruijie# clear aaa local user lockout all

Related Commands
  show running-config  Displays the current configuration of the switch.
  show aaa lockout     Displays the lockout configuration parameters of the current login.

Platform Description N/A

show aaa accounting update

Use this command to display the accounting update information.
show aaa accounting update

Parameter Description
  N/A   N/A

Defaults N/A

Command Mode Privileged EXEC mode/Global configuration mode/Interface configuration mode

Usage Guide Use this command to display the accounting update interval and whether accounting update is enabled.

Configuration Examples The following example displays the accounting update information.
Ruijie# show aaa accounting update

Related Commands
  aaa new-model      Enables the AAA security service.
  aaa domain enable  Enables the domain-name-based AAA service.

Platform Description N/A

show aaa domain

Use this command to display all current domain information.
show aaa domain [ default | domain-name ]

Parameter Description
  default       Displays the default domain.
  domain-name   Displays the specified domain.

Defaults N/A

Command Mode Privileged EXEC mode/Global configuration mode/Interface configuration mode

Usage Guide If no domain-name is specified, all domain information is displayed.

Configuration Examples The following example displays the domain named domain.com.
Ruijie(config)# show aaa domain domain.com
=============Domain domain.com=============
State: Active
Username format: Without-domain
Access limit: No limit
802.1X Access statistic: 0

Selected method list:
authentication dot1x default

Related Commands
  aaa new-model      Enables the AAA security service.
  aaa domain enable  Enables the domain-name-based AAA service.

Platform Description N/A

show aaa group

Use this command to display all the server groups configured for AAA.
show aaa group

Parameter Description
  N/A   N/A

Defaults N/A

Command Mode Privileged EXEC mode/Global configuration mode/Interface configuration mode

Usage Guide N/A

Configuration Examples The following example displays all the server groups.
Ruijie# show aaa group
Type Reference Name
---------- ---------- ----------
radius 1 radius
tacacs+ 1 tacacs+
radius 1 dot1x_group
radius 1 login_group
radius 1 enable_group

Related Commands
  aaa group server  Configures the AAA server group.

Platform Description N/A

show aaa lockout

Use this command to display the lockout configuration.
show aaa lockout

Parameter Description
  N/A   N/A

Defaults N/A

Command Mode Privileged EXEC mode/Global configuration mode/Interface configuration mode

Usage Guide Use this command to display the lockout configuration.

Configuration Examples The following example displays the lockout configuration.
Ruijie# show aaa lockout
Lock tries: 3
Lock timeout: 15 minutes

Related Commands
  N/A   N/A

Platform Description N/A

9-26
Command Reference AAA Commands

show aaa method-list

Use this command to display all AAA method lists.
show aaa method-list

Parameter Description
  N/A   N/A

Defaults N/A

Command Mode Privileged EXEC mode/Global configuration mode/Interface configuration mode

Usage Guide Use this command to display all AAA method lists.

Configuration Examples The following example displays the AAA method lists.
Ruijie# show aaa method-list
Authentication method-list
aaa authentication login default group radius
aaa authentication ppp default group radius
aaa authentication dot1x default group radius
aaa authentication dot1x san-f local group angel group rain none
aaa authentication enable default group radius
Accounting method-list
aaa accounting network default start-stop group radius
Authorization method-list
aaa authorization network default group radius

Related Commands
  aaa authentication  Defines a user authentication method list.
  aaa authorization   Defines a user authorization method list.
  aaa accounting      Defines a user accounting method list.

Platform Description N/A

show aaa user

Use this command to display AAA user information.
show aaa user { all | lockout | by-id session-id | by-name user-name }

Parameter Description
  all                 Displays all AAA user information.
  lockout             Displays the locked AAA user information.
  by-id session-id    Displays the information of the AAA user with the specified session ID.
  by-name user-name   Displays the information of the AAA user with the specified user name.

Defaults N/A

Command Mode Privileged EXEC mode/Global configuration mode/Interface configuration mode

Usage Guide Use this command to display AAA user information.

Configuration Examples The following example displays AAA user information.
Ruijie# show aaa user all
-----------------------------
Id ----- Name
2345687901 wwxy
-----------------------------
Ruijie# show aaa user by-id 2345687901
-----------------------------
Id ----- Name
2345687901 wwxy
Ruijie# show aaa user by-name wwxy
-----------------------------
Id ----- Name
2345687901 wwxy
-----------------------------
Ruijie# show aaa user lockout
Name Tries Lock Timeout(min)
-------------------------------- ---------- ---------- ------------
Ruijie#

Related Commands
  N/A   N/A

Platform Description N/A

state

Use this command to set whether the configured domain is valid.
Use the no form of this command to restore the default setting.
state { block | active }
no state

Parameter Description
  block    The configured domain is invalid.
  active   The configured domain is valid.

Defaults The default is active.

Command Mode Domain configuration mode

Usage Guide Use this command to set whether the specified configured domain is valid.

Configuration Examples The following example sets the configured domain to be invalid.
Ruijie(config)# aaa domain ruijie.com
Ruijie(config-aaa-domain)# state block

Related Commands
  aaa new-model      Enables the AAA security service.
  aaa domain enable  Enables the domain-name-based AAA service.
  show aaa domain    Displays the domain configuration.

Platform Description N/A

username-format

Use this command to configure whether the user name carries the domain information when the NAS interacts with the servers.
Use the no form of this command to restore the default setting.
username-format { without-domain | with-domain }
no username-format

Parameter Description
  without-domain   Sends the user name without the domain information.
  with-domain      Sends the user name with the domain information.

Defaults The default is without-domain.

Command Mode Domain configuration mode

Usage Guide Use this command to configure whether the user name carries the domain information when the NAS interacts with the servers.

Configuration Examples The following example sets the user name to be sent without the domain information.
Ruijie(config)# aaa domain ruijie.com
Ruijie(config-aaa-domain)# username-format without-domain

Related Commands
  aaa new-model      Enables the AAA security service.
  aaa domain enable  Enables the domain-name-based AAA service.
  show aaa domain    Displays the domain configuration.

Platform Description N/A
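The domain commands in this chapter (aaa domain, aaa domain enable, state, access-limit, username-format and the per-domain method lists) together decide which domain a login belongs to, whether it is admitted, and what user name the NAS sends to the server. The following model is an added example, not RGOS code; the '@' separator, the rejection of unknown domains and of logins before aaa domain enable, and the Decision fields are assumptions made for the model.

```python
"""Model of RGOS domain-name-based AAA selection (added example, not Ruijie code)."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Domain:
    name: str
    state: str = "active"                    # state { block | active }, default active
    access_limit: Optional[int] = None       # access-limit num; None = no limit
    username_format: str = "without-domain"  # username-format, default without-domain
    authentication_dot1x: str = "default"    # authentication dot1x { default | list-name }
    authorization_network: str = "default"   # authorization network { default | list-name }
    accounting_network: str = "default"      # accounting network { default | list-name }
    dot1x_users: int = 0                     # current IEEE802.1x users of the domain


@dataclass
class Decision:
    accepted: bool
    reason: str
    domain: Optional[str] = None
    server_username: Optional[str] = None    # name the NAS sends to RADIUS/TACACS+
    authentication_dot1x: Optional[str] = None


class DomainAAA:
    MAX_DOMAINS = 32                         # "up to 32 domains" (aaa domain usage guide)

    def __init__(self) -> None:
        self.enabled = False                 # aaa domain enable
        self.domains: Dict[str, Domain] = {}

    def configure(self, domain: Domain) -> None:
        """aaa domain { default | domain-name } followed by its sub-mode settings."""
        if domain.name not in self.domains and len(self.domains) >= self.MAX_DOMAINS:
            raise ValueError("at most 32 domains can be configured")
        self.domains[domain.name] = domain

    def resolve(self, login_name: str, dot1x: bool = True) -> Decision:
        """Pick the domain for a login name and apply the domain's admission rules.
        Assumed: 'user@domain' is split at the last '@'; a name without '@' uses
        the default domain; an unknown domain is rejected."""
        if not self.enabled:
            return Decision(False, "aaa domain enable is not configured")
        if "@" in login_name:
            user, domain_name = login_name.rsplit("@", 1)
            domain = self.domains.get(domain_name)
            if domain is None:
                return Decision(False, f"unknown domain {domain_name}")
        else:
            user, domain = login_name, self.domains.get("default")
            if domain is None:
                return Decision(False, "no default domain configured")
        if domain.state == "block":
            return Decision(False, f"domain {domain.name} is blocked", domain.name)
        # access-limit applies to IEEE802.1x users only (access-limit entry above)
        if dot1x and domain.access_limit is not None and domain.dot1x_users >= domain.access_limit:
            return Decision(False, f"access-limit {domain.access_limit} reached", domain.name)
        server_username = login_name if domain.username_format == "with-domain" else user
        return Decision(True, "ok", domain.name, server_username, domain.authentication_dot1x)


def show_aaa_domain(d: Domain) -> str:
    """Render a domain in the layout of the 'show aaa domain' output on the page."""
    limit = "No limit" if d.access_limit is None else str(d.access_limit)
    return "\n".join([
        f"=============Domain {d.name}=============",
        f"State: {d.state.capitalize()}",
        f"Username format: {d.username_format.capitalize()}",
        f"Access limit: {limit}",
        f"802.1X Access statistic: {d.dot1x_users}",
        "",
        "Selected method list:",
        f"authentication dot1x {d.authentication_dot1x}",
    ])


if __name__ == "__main__":
    # Constructed configuration: a default domain plus ruijie.com with access-limit 20.
    aaa = DomainAAA()
    aaa.enabled = True
    aaa.configure(Domain("default"))
    aaa.configure(Domain("ruijie.com", access_limit=20))
    print(aaa.resolve("alice@ruijie.com"))   # accepted, server sees "alice"
    print(aaa.resolve("bob"))                # accepted via the default domain
    print(show_aaa_domain(aaa.domains["ruijie.com"]))
```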

9-30
Command Reference RADIUS Commands

10 RADIUS Commands

aaa group server radius

Use this command to enter AAA server group configuration mode.
Use the no form of this command to restore the default setting.
aaa group server radius name
no aaa group server radius name

Parameter Description
  name   Server group name. The keywords "radius" and "tacacs+" are excluded, as they are the default RADIUS and TACACS+ server group names.

Defaults N/A

Command Mode Global configuration mode

Usage Guide This command is used to configure a RADIUS AAA server group.

Configuration Examples The following example configures a RADIUS AAA server group named ss.
Ruijie(config)# aaa group server radius ss
Ruijie(config-gs-radius)# end
Ruijie# show aaa group
Type Reference Name
---------- ---------- ----------
radius 1 radius
tacacs+ 1 tacacs+
radius 1 ss

Related Commands
  N/A   N/A

Platform Description N/A

ip oob

Use this command to specify the MGMT port used in the TACACS+ server group.
Use the no form of this command to restore the default setting.
ip oob
no ip oob

Parameter Description

Defaults N/A

Command Mode Server group configuration mode

Usage Guide Use the aaa group server radius command to enter RADIUS server group configuration mode. If no port is specified as the MGMT port, MGMT port 0 is used by default.

Configuration Examples

Related Commands
  N/A   N/A

Platform Description MGMT ports are supported on NBR6205-E, NBR6205-E V2, NBR6210-E, NBR6210-E V2 and NBR6215-E, but not on NBR6120-E.

ip radius source-interface

Use this command to specify the source IP address for the RADIUS packet.
Use the no form of this command to delete the source IP address for the RADIUS packet.
ip radius source-interface interface-name
no radius source-interface interface-name

Parameter Description
  interface-name: Interface that the source IP address of the RADIUS packet belongs to.

Defaults The source IP address of the RADIUS packet is set by the network layer.

Command Mode Global configuration mode

Usage Guide To reduce the NAS information that has to be maintained on the RADIUS server, use this command to set the source IP address of the RADIUS packet. The command uses the first IP address of the specified interface as the source IP address of the RADIUS packet. This command is used on layer 3 devices.

Configuration Examples The following example specifies that the RADIUS packet takes an IP address from the fastEthernet 0/0 interface and uses it as its source IP address.
Ruijie(config)# ip radius source-interface fastEthernet 0/0

Related Commands
  radius-server host: Defines the RADIUS server.
  ip address: Configures the IP address of the interface.

Platform Description N/A

radius data-flow-format

Use this command to configure the unit of the data flow and data packets sent to the RADIUS server.
Use the no form of this command to restore the default settings.
radius data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } }
no radius data-flow-format

Parameter Description
  data byte: Sets the unit of the data flow to bytes.
  data giga-byte: Sets the unit of the data flow to gigabytes.
  data kilo-byte: Sets the unit of the data flow to kilobytes.
  data mega-byte: Sets the unit of the data flow to megabytes.
  packet giga-packet: Sets the unit of the data packets to giga-packets.
  packet kilo-packet: Sets the unit of the data packets to kilo-packets.
  packet mega-packet: Sets the unit of the data packets to mega-packets.
  packet one-packet: Sets the unit of the data packets to single packets.

Defaults By default, the units of the data flow and data packets sent to the RADIUS server are bytes and single packets respectively.

Command Mode Global configuration mode

Default Level 14

Usage Guide N/A

Configuration Examples The following example sets the unit of the data flow sent to the RADIUS server to kilobytes.
Ruijie(config)# radius data-flow-format data kilo-byte

Verification Run the show running-config command to display the configured value.

Common Errors N/A

radius dscp

Use this command to configure the DSCP priority for RADIUS packets.
Use the no form of this command to restore the default settings.
radius dscp dscp-value
no radius dscp

Parameter Description
  dscp-value: Sets the DSCP priority for RADIUS packets. Range: 0-63.

Defaults By default, the DSCP priority is 0.

Command Mode Global configuration mode

Default Level 14

Usage Guide The Differentiated Services Code Point (DSCP), carried in the ToS byte of the IP header, is used for packet priority classification. A larger DSCP value indicates a higher transmission priority for packets. The default DSCP priority of RADIUS packets is 0. You can configure the DSCP priority for RADIUS packets to change their transmission priority. DSCP uses the 6-bit Differentiated Services (DS) field in the IP header for the purpose of packet classification.

Configuration Examples The following example sets the DSCP priority for RADIUS packets to 2.
Ruijie(config)# radius dscp 2

Verification Run the show running-config command to display the configured QoS value.

Common Errors N/A

radius set qos cos

Use this command to set the QoS value sent by the RADIUS server as the CoS value of the interface.
Use the no form of this command to restore the default setting.
radius set qos cos
no radius set qos cos

Parameter Description
  N/A

Defaults The QoS value sent by the RADIUS server is used as the DSCP value.

Command Mode Global configuration mode

Usage Guide N/A

Configuration Examples The following example sets the QoS value sent by the RADIUS server as the CoS value of the interface:
Ruijie(config)# radius set qos cos

Related Commands
  radius vendor-specific extend: Extends RADIUS so as not to differentiate the IDs of private vendors.

Platform Description N/A

radius support cui

Use this command to enable RADIUS support for the CUI function.
Use the no form of this command to restore the default setting.
radius support cui
no radius support cui

Parameter Description
  N/A

Defaults This function is disabled by default.

Command Mode Global configuration mode

Usage Guide This command is used to enable RADIUS support for the CUI function.

Configuration Examples The following example enables RADIUS support for the CUI function.
Ruijie(config)# radius support cui

Related Commands N/A

Platform Description N/A

radius vendor-specific attribute support

Use this command to configure whether RADIUS accounting request packets carry the private attribute of a specified vendor.
Use the no form of this command to configure that RADIUS accounting request packets do not carry the private attribute of the specified vendor.
radius vendor-specific attribute support { cisco | huawei | ms }
no radius vendor-specific attribute support { cisco | huawei | ms }

Parameter Description
  cisco: Indicates the private attribute of Cisco.
  huawei: Indicates the private attribute of Huawei.
  ms: Indicates the private attribute of Microsoft.

Defaults By default, RADIUS accounting request packets carry the private attribute of a specified vendor.

Command Mode Global configuration mode

Usage Guide This command is used to configure whether RADIUS accounting request packets carry the private attribute of a specified vendor, as required.

Configuration Examples 1. The following example configures RADIUS accounting request packets to carry the private attribute of Huawei.
Ruijie(config)# radius vendor-specific attribute support huawei

2. The following example configures RADIUS accounting request packets not to carry the private attribute of Huawei.
Ruijie(config)# no radius vendor-specific attribute support huawei

Related Commands N/A

Platform Description N/A

radius vendor-specific extend

Use this command to extend RADIUS so as not to differentiate the IDs of private vendors.
Use the no form of this command to restore the default setting.
radius vendor-specific extend
no radius vendor-specific extend

Parameter Description
  N/A

Defaults Only the private vendor IDs of Ruijie are recognized.

Command Mode Global configuration mode

Usage Guide This command is used to identify the attributes of all vendor IDs by type.

Configuration Examples The following example extends RADIUS so as not to differentiate the IDs of private vendors:
Ruijie(config)# radius vendor-specific extend

Related Commands
  radius attribute: Configures the vendor type.
  radius set qos cos: Sets the QoS value sent by the RADIUS server as the CoS value of the interface.

Platform Description N/A

radius-server account attribute

Use this command to enable account-request packets to contain a specified RADIUS attribute.
Use the no or default form of this command to restore the default setting.
radius-server account attribute type package
no radius-server account attribute type package
default radius-server account attribute type package

Use this command to disable account-request packets from containing a specified RADIUS attribute.
Use the no or default form of this command to restore the default setting.
radius-server account attribute type unpackage
no radius-server account attribute type unpackage
default radius-server account attribute type unpackage

Parameter Description
  type: RADIUS attribute type in the range from 1 to 255.

Defaults RFC-compliant

Command Mode Global configuration mode

Usage Guide Use this command to enable or disable account-request packets containing a specified RADIUS attribute.

Configuration Examples The following example prevents account-request packets from containing attribute 87 (NAS-Port-Id).
Ruijie(config)# radius-server account attribute 87 unpackage

Platform Description N/A

radius-server account update retransmit

Use this command to configure accounting update packet retransmission for Web authentication users.
Use the no form of this command to restore the default setting.
radius-server account update retransmit
no radius-server account update retransmit

Parameter Description
  N/A

Defaults This function is disabled by default.

Command Mode Global configuration mode

Usage Guide This command configures accounting update packet retransmission for Web authentication users exclusively.

Configuration Examples The following example configures accounting update packet retransmission for Web authentication users.
Ruijie(config)#radius-server account update retransmit

Related Commands N/A

Platform Description N/A

radius-server account vendor

Use this command to make RADIUS accounting request packets carry the private attribute of a specified vendor.
radius-server account vendor { cmcc | microsoft | cisco | hw } package

Use the following commands to restore the default setting.
no radius-server account vendor { cmcc | microsoft | cisco | hw } package
default radius-server account vendor { cmcc | microsoft | cisco | hw } package

Parameter Description
  cmcc | microsoft | cisco | hw: Vendors:
    cmcc: China Mobile Communications Corporation
    microsoft: Microsoft
    cisco: Cisco
    hw: Huawei

Defaults No private attribute of a specific vendor is carried in the packets.

Command Mode Global configuration mode

Usage Guide Use this command to configure whether accounting request packets carry the private attribute of a specified vendor.

Configuration Examples The following example makes RADIUS accounting request packets carry the private attribute of China Mobile.
Ruijie(config)# radius-server account vendor cmcc package

Verification Capture packets on the RADIUS server to check whether the private attribute of CMCC is carried in the RADIUS accounting request packets.

Platform Description N/A

radius-server attribute class

Use this command to parse the flow control value of the RADIUS CLASS attribute.
Use the no form of this command to restore the default setting.
radius-server attribute class user-flow-control { format-16bytes | format-32bytes | unit bit/s | unit byte/s }
no radius-server attribute class user-flow-control

Parameter Description
  user-flow-control: Parses the flow control value in the CLASS attribute.
  format-16bytes: Sets the format of the flow control value to 16 bytes.
  format-32bytes: Sets the format of the flow control value to 32 bytes.
  unit bit/s: Sets the unit of the rate limit to bit/s.
  unit byte/s: Sets the unit of the rate limit to byte/s.

Defaults This function is disabled by default.

Command Mode Global configuration mode

Usage Guide This command is required if the server pushes the flow control value through the CLASS attribute.

Configuration Examples The following example parses the flow control value of the CLASS attribute and sets the format to 32 bytes.
Ruijie(config)#radius-server attribute class user-flow-control format-32bytes

Related Commands N/A

Platform Description N/A

radius-server attribute 31

Use this command to specify the MAC-based format of the RADIUS Calling-Station-ID attribute.
Use the no form of this command to restore the default setting.
radius-server attribute 31 mac format { 3hyphen | ietf | normal | unformatted | { { colon-split | dot-split | hyphen-split } { mode1 | mode2 } [ lowercase | uppercase ] } }
no radius-server attribute 31 mac format

Parameter Description
  ietf: The standard format specified by IETF RFC 3580. '-' is used as the separator, for example 00-D0-F8-33-22-AC.
  normal: Normal format representing the MAC address. '.' is used as the separator, for example 00d0.f833.22ac.
  unformatted: No format and no separator, for example 00d0f83322ac. This is the default.
  colon-split: Sets the MAC address to be pieced together with colons (:) as the delimiting characters. The final form is determined together with mode1 or mode2.
  dot-split: Sets the MAC address to be pieced together with periods (.) as the delimiting characters. The final form is determined together with mode1 or mode2.
  hyphen-split: Sets the MAC address to be pieced together with hyphens (-) as the delimiting characters. The final form is determined together with mode1 or mode2.
  mode1: Divides the characters of the MAC address into groups of 4 characters separated by periods, colons or hyphens (for example 00D0.F833.22AC, 00D0:F833:22AC or 00D0-F833-22AC).
  mode2: Divides the characters of the MAC address into groups of 2 characters separated by periods, colons or hyphens (for example 00.D0.F8.33.22.AC, 00:D0:F8:33:22:AC or 00-D0-F8-33-22-AC).
  lowercase: Sets the MAC format to lowercase.
  uppercase: Sets the MAC format to uppercase.

Defaults The default format is unformatted.

Command Mode Global configuration mode

Usage Guide Some RADIUS security servers (mainly used for 802.1X authentication) may recognize the IETF format only. In this case, the RADIUS Calling-Station-ID attribute shall be set to the IETF format.

Configuration Examples The following example defines the RADIUS Calling-Station-ID attribute as IETF format.
Ruijie(config)# radius-server attribute 31 mac format ietf

Related Commands
  radius-server host: Defines the RADIUS server.

Platform Description N/A
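
The Calling-Station-Id renderings listed in the parameter table above, as an added Python example (not the device's or vendor's code) so that a RADIUS server administrator can see exactly which string the NAS will send for a given setting. The page does not state which case the split modes use when neither lowercase nor uppercase is given, so uppercase is assumed here, and 3hyphen is left out because the page does not describe it.

```python
"""Render a MAC address in the Calling-Station-Id (RADIUS attribute 31)
formats described for `radius-server attribute 31 mac format`.

Added example, not the device's own code.  Assumptions: the split modes
default to uppercase (matching the table's mode1/mode2 examples); the
undocumented `3hyphen` keyword is not implemented.
"""
import re

_HEX12 = re.compile(r"^[0-9a-fA-F]{12}$")
_SEPARATORS = {"colon-split": ":", "dot-split": ".", "hyphen-split": "-"}
_GROUP_SIZE = {"mode1": 4, "mode2": 2}   # mode1: groups of 4, mode2: groups of 2


def normalize_mac(mac: str) -> str:
    """Accept any of the listed renderings; return the 12 hex digits in lowercase."""
    digits = re.sub(r"[.:\-]", "", mac)
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits.lower()


def split_mac(digits: str, sep: str, mode: str, case: str = "uppercase") -> str:
    """Join hex digits in groups of 4 (mode1) or 2 (mode2) with the given separator."""
    if case not in ("lowercase", "uppercase"):
        raise ValueError("case must be 'lowercase' or 'uppercase'")
    size = _GROUP_SIZE[mode]
    joined = sep.join(digits[i:i + size] for i in range(0, 12, size))
    return joined.upper() if case == "uppercase" else joined.lower()


def format_calling_station_id(mac: str, fmt: str = "unformatted",
                              mode: str = None, case: str = "uppercase") -> str:
    """Return the MAC as the NAS would place it in Calling-Station-Id.

    fmt: ietf | normal | unformatted | colon-split | dot-split | hyphen-split.
    The three split formats require mode ("mode1" or "mode2") and take an
    optional case ("lowercase" or "uppercase").
    """
    digits = normalize_mac(mac)
    if fmt == "ietf":               # RFC 3580 style, e.g. 00-D0-F8-33-22-AC
        return split_mac(digits, "-", "mode2", "uppercase")
    if fmt == "normal":             # e.g. 00d0.f833.22ac
        return split_mac(digits, ".", "mode1", "lowercase")
    if fmt == "unformatted":        # device default, e.g. 00d0f83322ac
        return digits
    if fmt in _SEPARATORS:
        if mode not in _GROUP_SIZE:
            raise ValueError(f"{fmt} requires mode1 or mode2")
        return split_mac(digits, _SEPARATORS[fmt], mode, case)
    raise ValueError(f"unknown format {fmt!r}")


def all_formats(mac: str) -> dict:
    """Every rendering of one MAC: handy when deciding what a server must accept."""
    result = {
        "ietf": format_calling_station_id(mac, "ietf"),
        "normal": format_calling_station_id(mac, "normal"),
        "unformatted": format_calling_station_id(mac, "unformatted"),
    }
    for fmt in _SEPARATORS:
        for mode in _GROUP_SIZE:
            for case in ("lowercase", "uppercase"):
                key = f"{fmt} {mode} {case}"
                result[key] = format_calling_station_id(mac, fmt, mode=mode, case=case)
    return result


if __name__ == "__main__":
    # Constructed sample MAC, the one used in the table's own examples.
    for name, value in all_formats("00-D0-F8-33-22-AC").items():
        print(f"{name:32s} {value}")
```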

radius-server authentication attribute

Use this command to enable access-request packets to contain a specified RADIUS attribute.
Use the no or default form of this command to restore the default setting.
radius-server authentication attribute type package
no radius-server authentication attribute type package
default radius-server authentication attribute type package

Use this command to disable access-request packets from containing a specified RADIUS attribute.
Use the no or default form of this command to restore the default setting.
radius-server authentication attribute type unpackage
no radius-server authentication attribute type unpackage
default radius-server authentication attribute type unpackage

Parameter Description
  type: RADIUS attribute type in the range from 1 to 255.

Defaults RFC-compliant

Command Mode Global configuration mode

Usage Guide Use this command to enable or disable access-request packets containing a specified RADIUS attribute.

Configuration Examples The following example prevents access-request packets from containing attribute 87 (NAS-Port-Id).
Ruijie(config)# radius-server authentication attribute 87 unpackage

Platform Description N/A

radius-server authentication vendor

Use this command to enable access-request packets to contain vendor-specific RADIUS attributes.
Use the no or default form of this command to restore the default setting.
radius-server authentication vendor vendor_name package
no radius-server authentication vendor vendor_name package
default radius-server authentication vendor vendor_name package

Parameter Description
  vendor_name: cmcc | microsoft | cisco

Defaults Access-request packets do not contain vendor-specific RADIUS attributes by default.

Command Mode Global configuration mode

Usage Guide Use this command to enable access-request packets to contain vendor-specific RADIUS attributes.

Configuration Examples The following example enables access-request packets to contain the vendor-specific attributes of "cmcc".
Ruijie(config)# radius-server authentication vendor cmcc package

Platform Description N/A

radius-server dead-criteria

Use this command to configure the criteria by which the device determines that a RADIUS server is unreachable.
Use the no form of this command to restore the default setting.
radius-server dead-criteria { time seconds [ tries number ] | tries number }
no radius-server dead-criteria { time seconds [ tries number ] | tries number }

Parameter Description
  time seconds: Configures the timeout value. If the device does not receive a correct response packet from the RADIUS server within the specified time, the RADIUS server is considered unreachable. The value is in the range from 1 to 120 seconds.
  tries number: Configures the number of successive timeouts. When requests sent from the device to the RADIUS server time out the specified number of times in succession, the device considers the RADIUS server unreachable. The value is in the range from 1 to 100 in the unit of seconds.

Defaults The default time is 60 seconds and the default number of tries is 10.

Command Mode Global configuration mode

Usage Guide A RADIUS server is considered unreachable only when it meets both the timeout and the timeout-count criteria at the same time. This command adjusts the timeout and timeout-count conditions.

Configuration Examples The following example sets the timeout to 120 seconds and the number of timeouts to 20.
Ruijie(config)# radius-server dead-criteria time 120 tries 20

Related Commands
  radius-server host: Defines the RADIUS security server.
  radius-server deadtime: Defines the duration for which a device stops sending any requests to an unreachable RADIUS server.
  radius-server timeout: Defines the timeout for packet retransmission.

Platform Description N/A

radius-server deadtime

Use this command to configure the duration for which the device stops sending any requests to an unreachable RADIUS server.
Use the no form of this command to restore the default setting.
radius-server deadtime minutes
no radius-server deadtime

Parameter Description
  minutes: Duration, in minutes, for which the device stops sending any requests to the unreachable RADIUS server. The value is in the range from 1 to 1,440 minutes.

Defaults The default value of minutes is 0, that is, the device keeps sending requests to the unreachable RADIUS server.

Command Mode Global configuration mode

Usage Guide If active RADIUS server detection is enabled on the device, the time parameter of this command does not take effect on that RADIUS server. Otherwise, the RADIUS server becomes reachable again when the duration set by this command is shorter than the time for which it has been unreachable.

Configuration Examples The following example sets the duration for which the device stops sending requests to 1 minute.
Ruijie(config)# radius-server deadtime 1

Related Commands
  radius-server host: Defines the RADIUS security server.
  radius-server dead-criteria: Defines the criteria used to determine that a RADIUS server is unreachable.

Platform Description N/A
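
The interplay of radius-server dead-criteria (previous command) and radius-server deadtime, as an added Python model that is not the device's code: a server is declared dead only when both criteria hold at the same time, and a deadtime of 0 keeps the device sending to it. The server address and the event timeline are constructed.

```python
"""Reachability tracking for one RADIUS server, modelled on the page's
`radius-server dead-criteria` and `radius-server deadtime` commands.

Added example, not the device's own code.  Page defaults are used:
dead-criteria time 60 s, tries 10, deadtime 0 (keep sending).
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DeadCriteria:
    time_seconds: int = 60      # dead-criteria time: seconds without a correct response
    tries: int = 10             # dead-criteria tries: successive request timeouts
    deadtime_minutes: int = 0   # deadtime: 0 means never stop sending to a dead server


@dataclass
class ServerState:
    address: str
    criteria: DeadCriteria = field(default_factory=DeadCriteria)
    last_good: float = 0.0                 # time of the last correct response (or start)
    consecutive_timeouts: int = 0
    dead_since: Optional[float] = None     # None while the server counts as reachable

    @property
    def reachable(self) -> bool:
        return self.dead_since is None

    def should_send(self, now: float) -> bool:
        """Skip a dead server only while a non-zero deadtime is still running."""
        if self.dead_since is None or self.criteria.deadtime_minutes == 0:
            return True
        if now - self.dead_since >= self.criteria.deadtime_minutes * 60:
            # deadtime has expired: the server is treated as reachable again
            self.dead_since = None
            self.consecutive_timeouts = 0
            self.last_good = now
            return True
        return False

    def on_response(self, now: float) -> None:
        """Any correct response clears both criteria at once."""
        self.last_good = now
        self.consecutive_timeouts = 0
        self.dead_since = None

    def on_timeout(self, now: float) -> bool:
        """Count one request timeout; True if the server has just been declared dead."""
        if self.dead_since is not None:
            return False
        self.consecutive_timeouts += 1
        silent_for = now - self.last_good
        # Both conditions must hold at the same time (page: "meets the timeout
        # and timeout times at the same time").
        if (self.consecutive_timeouts >= self.criteria.tries
                and silent_for >= self.criteria.time_seconds):
            self.dead_since = now
            return True
        return False


def simulate(events: List[Tuple[float, str]], criteria: DeadCriteria) -> List[Tuple[float, str]]:
    """Replay (time, "timeout" | "response") events against one server.

    Returns, per event, (time, "reachable" | "dead" | "skipped"); "skipped"
    means deadtime stopped the device from sending at all.
    """
    server = ServerState("192.0.2.10", criteria)   # constructed server address
    trail = []
    for now, kind in events:
        if not server.should_send(now):
            trail.append((now, "skipped"))
            continue
        if kind == "response":
            server.on_response(now)
        elif kind == "timeout":
            server.on_timeout(now)
        else:
            raise ValueError(f"unknown event {kind!r}")
        trail.append((now, "reachable" if server.reachable else "dead"))
    return trail


if __name__ == "__main__":
    # With the defaults, 10 timeouts alone are not enough: 60 silent seconds are also needed.
    timeline = [(5 * i, "timeout") for i in range(1, 13)] + [(65, "response")]
    for step in simulate(timeline, DeadCriteria()):
        print(step)
```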

radius-server host

Use this command to specify a RADIUS security server host.
Use the no form of this command to restore the default setting.
radius-server host [ oob ] { ipv4-address | ipv6-address } [ auth-port port-number ] [ acct-port port-number ] [ test username name [ idle-time time ] [ ignore-auth-port ] [ ignore-acct-port ] ] [ key [ 0 | 7 ] text-string ]
no radius-server host { ipv4-address | ipv6-address }

Parameter Description
  oob: Specifies an MGMT port as the source port for TACACS+ communication. The default is MGMT Port 0.
  ipv4-address: IPv4 address of the RADIUS security server host.
  ipv6-address: IPv6 address of the RADIUS security server host.
  auth-port: UDP port used for RADIUS authentication.
  port-number: Number of the UDP port used for RADIUS authentication. If it is set to 0, this host does not perform authentication.
  acct-port: UDP port used for RADIUS accounting.
  port-number: Number of the UDP port used for RADIUS accounting. If it is set to 0, this host does not perform accounting.
  test username name: (Optional) Enables active detection of the RADIUS security server and specifies the username used for the active detection.
  idle-time time: (Optional) Sets the interval at which test packets are sent to a reachable RADIUS security server. The default is 60 minutes; the range is 1 to 1440 minutes (namely 24 hours).
  ignore-auth-port: (Optional) Disables detection of the authentication port on the RADIUS security server. It is enabled by default.
  ignore-acct-port: (Optional) Disables detection of the accounting port on the RADIUS security server. It is enabled by default.
  key [ 0 | 7 ] text-string: Configures a shared key for the server. The type of encryption can be specified: 0 is no encryption and 7 is simple encryption. The default is 0.

Defaults No RADIUS host is specified by default.

Command Mode Global configuration mode

Usage Guide To implement the AAA security service using RADIUS, you must define a RADIUS security server. You can define one or more RADIUS security servers using the radius-server host command.

Configuration Examples The following example defines a RADIUS security server host:
Ruijie(config)# radius-server host 192.168.12.1

The following example defines a RADIUS security server host in the IPv4 environment, enables active detection with a detection interval of 60 minutes and disables detection of the accounting UDP port:
Ruijie(config)# radius-server host 192.168.100.1 test username viven idle-time 60 ignore-acct-port

The following example defines a RADIUS security server host in the IPv6 environment:
Ruijie(config)# radius-server host 3000::100

Related Commands
  aaa authentication: Defines the AAA authentication method list.
  radius-server key: Defines a shared password for the RADIUS security server.
  radius-server retransmit: Defines the number of RADIUS packet retransmissions.

Platform Description MGMT ports are supported on NBR6205-E, NBR6205-E V2, NBR6210-E, NBR6210-E V2 and NBR6215-E but not on NBR6120-E.

radius-server key

Use this command to define a shared password for the network access server (device) to communicate with the RADIUS security server.
Use the no form of this command to restore the default setting.
radius-server key [ 0 | 7 ] text-string
no radius-server key

Parameter Description
  text-string: Text of the shared password.
  0 | 7: Password encryption type. 0: no encryption; 7: simply encrypted.

Defaults No shared password is specified by default.

Command Mode Global configuration mode

Usage Guide The shared password is the basis for communication between the device and the RADIUS security server. For the device to communicate with the RADIUS security server, the same shared password must be defined on the device and on the RADIUS security server.

Configuration Examples The following example defines the shared password aaa for the RADIUS security server:
Ruijie(config)# radius-server key aaa

Related Commands
  radius-server host: Defines the RADIUS security server.
  radius-server retransmit: Defines the number of RADIUS packet retransmissions.
  radius-server timeout: Defines the timeout for the RADIUS packet.

Platform Description N/A
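
How the shared password configured here protects the replies the device receives, as an added Python example that is not the device's code: the RFC 2865 Response Authenticator is recomputed with the secret and compared, which is the check behind the Bad Authenticator Msgs counter of show radius acct statistics. The request authenticator, identifier and attribute values below are constructed; the secret is the page's own example value aaa.

```python
"""Response Authenticator verification with the `radius-server key` secret.

Added example, not the device's own code.  RFC 2865 defines the reply
authenticator as
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)
so a reply built with a different secret, or altered in transit, fails
the check.  Request authenticator, identifier and attributes are constructed.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
HEADER_LEN = 20   # Code(1) Identifier(1) Length(2) Authenticator(16)


def encode_attrs(attrs):
    """attrs: list of (type, value bytes) -> RADIUS Type/Length/Value bytes."""
    out = bytearray()
    for atype, value in attrs:
        if not 0 <= atype <= 255 or len(value) > 253:
            raise ValueError("attribute out of range")
        out += bytes([atype, len(value) + 2]) + value
    return bytes(out)


def build_packet(code, identifier, authenticator, attrs):
    """Assemble a RADIUS packet with the given 16-byte authenticator."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + authenticator + body


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """Server side: MD5 over the reply header, the request's authenticator, attributes, secret."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def build_response(code, identifier, attrs, request_auth, secret):
    """What the server sends back for a request carrying request_auth."""
    auth = response_authenticator(code, identifier, attrs, request_auth, secret)
    return build_packet(code, identifier, auth, attrs)


def verify_response(packet, request_auth, secret):
    """NAS side: recompute the Response Authenticator and compare in constant time."""
    if len(packet) < HEADER_LEN:
        return False
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    received = packet[4:20]
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(received, expected)


# Constructed sample exchange: the NAS keeps the random authenticator of its
# Access-Request and uses it to check the server's Access-Accept.
SECRET = b"aaa"                                  # the page's `radius-server key aaa`
REQUEST_AUTH = bytes(range(16))                  # constructed; a real NAS uses 16 random bytes
ACCEPT_ATTRS = [(18, b"Welcome"),                # Reply-Message
                (27, struct.pack("!I", 3600))]   # Session-Timeout


def demo():
    """Returns (ok_with_right_secret, ok_with_wrong_secret, ok_after_tampering)."""
    reply = build_response(ACCESS_ACCEPT, 7, ACCEPT_ATTRS, REQUEST_AUTH, SECRET)
    good = verify_response(reply, REQUEST_AUTH, SECRET)
    wrong_secret = verify_response(reply, REQUEST_AUTH, b"bbb")
    # Flip Accept to Reject without recomputing the authenticator: must fail.
    tampered = bytes([ACCESS_REJECT]) + reply[1:]
    return good, wrong_secret, verify_response(tampered, REQUEST_AUTH, SECRET)


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```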

radius-server retransmit

Use this command to configure the number of packet retransmissions before the device considers that the RADIUS security server does not respond.
Use the no form of this command to restore the default setting.
radius-server retransmit retries
no radius-server retransmit

Parameter Description
  retries: Number of retransmissions in the range from 1 to 100.

Defaults The default is 3.

Command Mode Global configuration mode

Usage Guide AAA falls back to the next method to authenticate users only when the current security server for authentication does not respond. When the device has retransmitted the RADIUS packet the specified number of times, waiting the configured timeout between every two retries, it considers that the security server does not respond.

Configuration Examples The following example sets the number of retransmissions to 4.
Ruijie(config)# radius-server retransmit 4

Related Commands
  radius-server host: Defines the RADIUS security server.
  radius-server key: Defines a shared password for the RADIUS server.
  radius-server timeout: Defines the timeout for the RADIUS packet.

Platform Description N/A

radius-server source-port

Use this command to configure the source port from which RADIUS packets are sent.
Use the no form of this command to restore the default setting.
radius-server source-port port
no radius-server source-port

Parameter Description
  port: The port number, in the range from 0 to 65535.

Defaults The default is a random port number.

Command Mode Global configuration mode

Usage Guide The source port is random by default. This command is used to specify a fixed source port.

Configuration Examples The following example configures source port 10000 for sending RADIUS packets.
Ruijie(config)# radius-server source-port 10000

Related Commands N/A

Platform Description N/A

radius-server timeout

Use this command to set the time for which the device waits for a response from the security server after retransmitting the RADIUS packet.
Use the no form of this command to restore the default setting.
radius-server timeout seconds
no radius-server timeout

Parameter Description
  seconds: Timeout in the range from 1 to 1,000 seconds.

Defaults The default is 5 seconds.

Command Mode Global configuration mode

Usage Guide This command is used to change the timeout for packet retransmission.

Configuration Examples The following example sets the timeout to 10 seconds.
Ruijie(config)# radius-server timeout 10

Related Commands
  radius-server host: Defines the RADIUS security server.
  radius-server retransmit: Defines the number of RADIUS packet retransmissions.
  radius-server key: Defines a shared password for the RADIUS server.

Platform Description N/A

server auth-port acct-port

Use this command to add a server to the AAA server group.
Use the no form of this command to restore the default setting.
server { ipv4-addr } [ auth-port port1 ] [ acct-port port2 ]
no server { ipv4-addr } [ auth-port port1 ] [ acct-port port2 ]

Parameter Description
  ipv4-addr: Server IP address.
  port1: Server authentication port.
  port2: Server accounting port.

Defaults No server is configured by default.

Command Mode Server group configuration mode

Usage Guide N/A

Configuration Examples The following example adds server 192.168.4.12 to server group ss and sets the accounting port and authentication port to 5 and 6 respectively.
Ruijie(config)# aaa group server radius ss
Ruijie(config-gs-radius)# server 192.168.4.12 acct-port 5 auth-port 6
Ruijie(config-gs-radius)# end
Ruijie# show aaa group
Type Reference Name
---------- ---------- ----------
radius 1 radius
tacacs+ 1 tacacs+
radius 1 ss

Related Commands N/A

Platform Description N/A

show radius acct statistics

Use this command to display RADIUS accounting statistics.
show radius acct statistics

Parameter Description
  N/A

Defaults N/A

Command Mode Global configuration mode/Privileged EXEC mode/Interface configuration mode

Usage Guide N/A

Configuration Examples The following example displays RADIUS accounting statistics.
Ruijie#show radius acct statistics
Accounting Servers:

Server Index..................................... 1
Server Address................................... 192.168.1.1
Server Port...................................... 1813
Msg Round Trip Time.............................. 0 (msec)
First Requests................................... 1
Retry Requests................................... 1
Accounting Responses............................. 0
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests........

Field Description:
  Server Index: Server index.
  Server Address: IP address of the server.
  Server Port: Server port.
  Msg Round Trip Time: The interval between sending an access request to the server and receiving the response from the server.
  First Requests: The number of packets sent to the server for the first time.
  Retry Requests: The number of retransmissions.
  Accounting Responses: The number of accounting responses received.
  Malformed Msgs: The number of malformed RADIUS access-response packets received from the server.
  Bad Authenticator Msgs: The number of packets that fail authenticator verification.
  Pending Requests: The number of RADIUS access-request packets that have neither timed out nor been answered by the server. The number increases when an access-request packet is sent and decreases when the access-request packet is accepted, rejected, challenged, retransmitted or times out.

Related Commands N/A

Platform Description N/A

show radius attribute

Use this command to display standard Radius attributes.


show radius attribute

Parameter
Parameter Description
Description
N/A N/A

Command Global configuration mode/Privileged EXEC mode/Interface configuration mode


Mode

Usage Guide N/A

Configuration The following example displays standard RADIUS attributes.


Examples Ruijie# show radius attribute
type implicate
---- ---------
1..........User-Name
2..........User-Password
3..........Chap-Password
4..........NAS-Ip-Addr
5..........Nas-Ip-Port
6..........Service-Type
7..........Framed-Protocol
8..........Frame-Ip-Address
9..........Framed-Ip-Mask
10..........Framed-Routing
11..........Filter-Id

10-22
Command Reference RADIUS Commands

12..........Framed-Mtu
13..........Framed-Compress
14..........Login-Ip-Host
15..........Login-Service
16..........Login-Tcp-Port
18..........Reply-Message
19..........Callback-Num
20..........Callback-Id
22..........Framed-Route
23..........Framed-IPX-Network
24..........State
25..........Class
26..........Vendor-Specific
27..........Session-Timeout
28..........Idle-Timeout
29..........Termination-Action
30..........Called-Station-Id
31..........Calling-Station-Id
32..........Nas-Id
33..........Proxy-State
34..........Login-LAT-Service
35..........Login-LAT-Node
36..........Login-LAT-Group
37..........Framed-AppleTalk-Link
38..........Framed-AppleTalk-Net
39..........Framed-AppleTalk-Zone
40..........Acct-Status-Type
41..........Acct-Delay-Time
42..........Acct-Input-Octets
43..........Acct-Output-Octets
44..........Acct-Session-Id
45..........Acct-Authentic
46..........Acct-Session-Time
47..........Acct-Input-Packet
48..........Acct-Output-Packet
49..........Acct-Terminate-Cause
50..........Acct-Multi-Session-ID
51..........Acct-Link-Count
52..........Acct-Input-Gigawords
53..........Acct-Output-Gigawords
60..........Chap-Challenge
61..........Nas-Port-Type
62..........Port-Limit
63..........Login-Lat-Port


64..........Tunnel-Type
65..........Tunnel-Medium-Type
66..........Tunnel-Client-EndPoint
67..........Tunnel-Service-EndPoint
79..........eap msg
80..........Message-Authenticator
81..........group id
85..........Acct-Interim-Interval
87..........Nas-Port-Id
89..........cui
95..........Nas-Ipv6-Addr
96..........Framed-Interface-Id
Field Description:
Field Description
type Serial number (the standard attribute number)
implicate Name of the standard attribute

Platform Description N/A

show radius auth statistics

Use this command to display RADIUS authentication statistics.
show radius auth statistics

Parameter Description
Parameter Description
N/A N/A

Defaults N/A

Command Mode Global configuration mode/Privileged EXEC mode/Interface configuration mode

Usage Guide N/A

Configuration Examples
The following example displays RADIUS authentication statistics.
Ruijie#show radius auth statistics
Authentication Servers:

Server Index..................................... 1
Server Address................................... 192.168.1.1
Server Port...................................... 1812
Msg Round Trip Time.............................. 0 (msec)
First Requests................................... 0
Retry Requests................................... 0
Accept Responses................................. 0
Reject Responses................................. 0
Challenge Responses.............................. 0
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 0
Timeout Requests................................. 0
Unknowntype Msgs................................. 0
Other Drops...................................... 0
Field Description:
Field Description
Server Index Server index
Server Address IP address of the server
Server Port Server port
Msg Round Trip Time The interval between sending an access request to the server and receiving the response from the server.
First Requests The number of packets sent to the server for the first time.
Retry Requests The number of retransmissions.
Accept Responses The number of Access-Accept packets received.
Reject Responses The number of Access-Reject packets received.
Challenge Responses The number of Access-Challenge packets received.
Malformed Msgs The number of malformed RADIUS Access-Response packets received from the server.
Bad Authenticator Msgs The number of packets that fail authenticator verification.
Pending Requests The number of RADIUS access-request packets that have neither timed out nor been responded to by the server. The number increases when an access-request packet is sent, and decreases when the access-request packet is accepted, rejected, challenged, retransmitted, or times out.
Timeout Requests The number of timed-out requests.

Related Commands
Command Description
N/A N/A

Platform Description N/A
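The Malformed Msgs, Bad Authenticator Msgs and Accept/Reject/Challenge counters above are defined by how the device validates each server reply. The following Python program is an added illustration of that validation; it is not code from the Ruijie command reference or from the device. It parses the RFC 2865 packet layout, verifies the Response Authenticator (MD5 over Code, Identifier, Length, the Request Authenticator, the attributes and the shared secret) and sorts each reply into the counters named in the field table. Attribute names use the RFC spellings of the numbers listed by show radius attribute; the shared key "ruijie" is taken from the show radius group sample output, and the Request Authenticator and the server replies are constructed for the example.

```python
import hashlib
import struct

# Attribute numbers from the "show radius attribute" table (RFC 2865/2869 spellings).
RADIUS_ATTR_NAMES = {
    1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
    6: "Service-Type", 8: "Framed-IP-Address", 18: "Reply-Message", 24: "State",
    25: "Class", 26: "Vendor-Specific", 27: "Session-Timeout", 31: "Calling-Station-Id",
    32: "NAS-Identifier", 79: "EAP-Message", 80: "Message-Authenticator", 87: "NAS-Port-Id",
}
# RADIUS code -> statistics counter shown by "show radius auth statistics"
CODE_TO_COUNTER = {2: "Accept Responses", 3: "Reject Responses", 11: "Challenge Responses"}


def parse_radius(packet):
    """Parse the RFC 2865 layout: Code(1) Identifier(1) Length(2) Authenticator(16) attributes.
    Raises ValueError for anything the device would count as a malformed message."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > 4096 or length > len(packet):
        raise ValueError("Length field inconsistent with packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of range")
        attrs.append((RADIUS_ATTR_NAMES.get(atype, f"Attr-{atype}"), packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs


def response_authenticator_ok(packet, request_authenticator, secret):
    """RFC 2865 section 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:length] + secret).digest()
    return expected == packet[4:20]


def build_response(code, ident, request_authenticator, attrs, secret):
    """Build a reply the way a server would; used only to construct the sample packets."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + auth + body


def classify_responses(packets, request_authenticator, secret):
    """Sort server replies into the counters defined in the field table above."""
    stats = {"Accept Responses": 0, "Reject Responses": 0, "Challenge Responses": 0,
             "Malformed Msgs": 0, "Bad Authenticator Msgs": 0, "Unknowntype Msgs": 0}
    for pkt in packets:
        try:
            code, _ident, _auth, _attrs = parse_radius(pkt)
        except ValueError:
            stats["Malformed Msgs"] += 1          # dropped before any attribute is trusted
            continue
        if not response_authenticator_ok(pkt, request_authenticator, secret):
            stats["Bad Authenticator Msgs"] += 1  # wrong key, or a reply not built from our request
            continue
        stats[CODE_TO_COUNTER.get(code, "Unknowntype Msgs")] += 1
    return stats


SECRET = b"ruijie"             # shared key from the "show radius group" sample output
REQ_AUTH = bytes(range(16))    # constructed Request Authenticator (random in a real client)
SAMPLE_PACKETS = [             # constructed replies to the same request
    build_response(2, 1, REQ_AUTH, [(18, b"Welcome"), (27, struct.pack("!I", 3600))], SECRET),
    build_response(3, 2, REQ_AUTH, [(18, b"Bad password")], SECRET),
    build_response(11, 3, REQ_AUTH, [(24, b"state-1"), (18, b"Enter token")], SECRET),
    build_response(2, 4, REQ_AUTH, [(18, b"Forged accept")], b"wrong-key"),  # fails verification
    build_response(2, 5, REQ_AUTH, [(18, b"ok")], SECRET)[:-3],               # truncated on the wire
    build_response(99, 6, REQ_AUTH, [], SECRET),                              # unknown code
]

if __name__ == "__main__":
    for name, value in classify_responses(SAMPLE_PACKETS, REQ_AUTH, SECRET).items():
        print(f"{name:.<30} {value}")
```

A reply that fails the authenticator check is counted and discarded before any of its attributes are acted on, so a rising Bad Authenticator Msgs counter is worth alerting on: it means either a key mismatch between the device and the server or replies that were not built from the device's own requests.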

show radius group

Use this command to display the RADIUS server group configuration.
show radius group

Parameter Description
Parameter Description
N/A N/A

Defaults N/A

Command Mode Global configuration mode/Privileged EXEC mode/Interface configuration mode

Usage Guide N/A

Configuration Examples
The following example displays the RADIUS server group configuration.
Ruijie#show radius group
==========Radius group radius==========
Vrf:not-set
Server:192.168.1.1
Server key:ruijie
Authentication port:1812
Accounting port:1813
State:Active
Field Description:
Field Description
Server Server address
Server key Shared key of the server
Authentication port Authentication port
Accounting port Accounting port
State Status of the server

Related Commands
Command Description
N/A N/A

Platform Description N/A


show radius parameter

Use this command to display the global RADIUS server parameters.
show radius parameter

Parameter Description
Parameter Description
N/A N/A

Defaults N/A

Command Mode Global configuration mode/Privileged EXEC mode/Interface configuration mode

Usage Guide N/A

Configuration Examples
The following example displays the global RADIUS server parameters.
Ruijie# show radius parameter
Server Timout: 5 Seconds
Server Deadtime: 0 Minutes
Server Retries: 3
Server Dead Critera:
Time: 10 Seconds
Tries: 10
Field Description:
Field Description
Server Timout The waiting period before a request is retransmitted.
Server Deadtime The period during which the device stops sending request packets to an unreachable RADIUS server.
Server Retries The number of times a packet is sent before the RADIUS server is regarded as invalid.
Server Dead Critera The criteria for determining that the RADIUS server is unreachable.
Time If the device does not receive a correct response packet from the RADIUS server within this period, the RADIUS server is regarded as unreachable.
Tries If the number of packets sent from the device to the RADIUS server reaches this number, the RADIUS server is regarded as unreachable.

Related Commands
Command Description
N/A N/A

Platform Description N/A
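The parameters above interact: the timeout and retry count bound how long one request stays tied up on a server that does not answer, while the dead criteria and deadtime decide when the device stops sending to that server. The Python model below is an added illustration, not device code from the command reference. Two points are assumptions rather than statements of the page, which lists the criteria separately: a server is declared unreachable only when both the Time and the Tries criterion hold, and a deadtime of 0 means the server is still tracked but never skipped. The default values are the page's sample output.

```python
from dataclasses import dataclass


@dataclass
class RadiusServerParams:
    """Values shown by 'show radius parameter' (the page's sample output as defaults)."""
    timeout: float = 5.0     # Server Timeout: seconds to wait before a retransmission
    retries: int = 3         # Server Retries: retransmissions before the request is given up
    deadtime: float = 0.0    # Server Deadtime: minutes an unreachable server is skipped (0 = never skipped; assumption)
    dead_time: float = 10.0  # Dead Criteria Time: seconds without a correct response
    dead_tries: int = 10     # Dead Criteria Tries: requests sent without a correct response


def worst_case_request_seconds(p):
    """Seconds one request spends on a silent server: the first send plus `retries`
    retransmissions, each waiting `timeout` seconds, before the request is given up."""
    return p.timeout * (p.retries + 1)


class ServerHealth:
    """Tracks one server's reachability under the dead criteria and deadtime."""

    def __init__(self, params):
        self.p = params
        self.last_good_response = 0.0  # time of the last correct response (tracking starts at 0)
        self.unanswered = 0            # requests sent since that response
        self.dead_since = None         # time the server was declared unreachable
        self.dead_count = 0            # how often it was declared unreachable ("Dead: count")

    def should_skip(self, now):
        """True while the server is unreachable and its deadtime has not expired."""
        if self.dead_since is None or self.p.deadtime <= 0:
            return False
        if now - self.dead_since >= self.p.deadtime * 60:
            self.dead_since = None     # deadtime over: try the server again, counting afresh
            self.unanswered = 0
            return False
        return True

    def on_request_sent(self, now):
        self.unanswered += 1
        time_met = now - self.last_good_response >= self.p.dead_time
        tries_met = self.unanswered >= self.p.dead_tries
        if time_met and tries_met and self.dead_since is None:   # both criteria (assumption)
            self.dead_since = now
            self.dead_count += 1

    def on_good_response(self, now):
        self.last_good_response = now
        self.unanswered = 0
        self.dead_since = None


def simulate_silent_server(p, requests=12, spacing=2.0):
    """Send `requests` requests `spacing` seconds apart to a server that never answers.
    Returns (time the server was declared unreachable or None, requests actually sent)."""
    health = ServerHealth(p)
    sent, now = 0, 0.0
    for _ in range(requests):
        if not health.should_skip(now):
            health.on_request_sent(now)
            sent += 1
        now += spacing
    return health.dead_since, sent


if __name__ == "__main__":
    defaults = RadiusServerParams()
    print("worst-case wait per request:", worst_case_request_seconds(defaults), "s")
    print("deadtime 0 minutes:", simulate_silent_server(defaults))
    print("deadtime 1 minute:", simulate_silent_server(RadiusServerParams(deadtime=1.0)))
```

With the page's values a single request can wait 5 x (3 + 1) = 20 seconds on a silent server before the device gives up on it, and with a deadtime of 0 every later request pays that price again; a non-zero deadtime is what lets the device fail over to the next server in the group instead.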

show radius server

Use this command to display the configuration of the RADIUS server.
show radius server

Parameter Description
Parameter Description
N/A N/A

Defaults N/A

Command Mode Privileged EXEC mode

Usage Guide N/A

Configuration Examples
The following example displays the configuration of the RADIUS server.
Ruijie# show radius server
Server IP: 192.168.4.12
Accounting Port: 23
Authen Port: 77
Test Username: viven
Test Idle Time: 10 Minutes
Test Ports: Authen
Server State: Active
Current duration 765s, previous duration 0s
Dead: total time 0s, count 0
Statistics:
Authen: request 15, timeouts 1
Author: request 0, timeouts 0
Account: request 0, timeouts 0

Server IP: 192.168.4.13
Accounting Port: 45
Authen Port: 74
Test Username: <Not Configured>
Test Idle Time: 60 Minutes
Test Ports: Authen and Accounting
Server State: Active
Current duration 765s, previous duration 0s
Dead: total time 0s, count 0
Statistics:
Authen: request 0, timeouts 0
Author: request 0, timeouts 0
Account: request 20, timeouts 0
Field Description:
Field Description
Server IP IP address of the server.
Accounting Port Accounting port.
Authen Port Authentication port.
Test Username The username used for active detection.
Test Idle Time The interval at which test packets are sent to a reachable RADIUS server.
Test Ports The port(s) to which test packets are sent.
Server State Server state.
Dead The total unreachable duration and the number of times the server was unreachable.
Statistics Statistics.
Authen The number of authentication requests.
Author The number of authorization requests.
Account The number of accounting requests.

Related Commands
Command Description
radius-server host Defines the RADIUS security server.
radius-server retransmit Defines the number of RADIUS packet retransmissions.
radius-server key Defines a shared password for the RADIUS server.
radius-server timeout Defines the packet transmission timeout.

Platform Description N/A

show radius vendor-specific

Use this command to display the configuration of the private vendor attributes.
show radius vendor-specific

Parameter Description
Parameter Description
N/A N/A

Defaults N/A

Command Mode Privileged EXEC mode

Usage Guide N/A

Configuration Examples
The following example displays the configuration of the private vendor attributes.
Ruijie#show radius vendor-specific
id vendor-specific type-value
----- -------------------- ----------
1 max-down-rate 1
2 port-priority 2
3 user-ip 3
4 vlan-id 4
5 last-supplicant-version 5
6 net-ip 6
7 user-name 7
8 password 8
9 file-directory 9
10 file-count 10
11 file-name-0 11
12 file-name-1 12
13 file-name-2 13
14 file-name-3 14
15 file-name-4 15
16 max-up-rate 16
17 current-supplicant-version 17
18 flux-max-high32 18
19 flux-max-low32 19
20 proxy-avoid 20
21 dialup-avoid 21
22 ip-privilege 22
23 login-privilege 42
Field Description:
Field Description
id Serial number
vendor-specific Private attribute name
type-value Private attribute ID

Related Commands
Command Description
radius-server host Defines the RADIUS security server.
radius-server retransmit Defines the number of RADIUS packet retransmissions.
radius-server key Defines a shared password for the RADIUS server.
radius-server timeout Defines the packet transmission timeout.

Platform Description N/A

Command Reference Web Authentication Commands

11 Web Authentication Commands

accounting

Use this command to set an accounting method for the template.
Use the no form of this command to restore the default setting.
accounting method-list
no accounting

Parameter Description
Parameter Description
method-list Name of the method list

Defaults N/A

Command Mode Template configuration mode

Usage Guide The method-list parameter in this command should be consistent with the network accounting method list name configured in AAA.

Configuration Examples
Hostname# configure terminal
Hostname(config)# web-auth template iportal
Hostname(config.tmplt.iportal)# accounting mlist1

Related Commands
Command Description
N/A N/A

Platform Description N/A

authentication

Use this command to set an authentication method for the template.
Use the no form of this command to restore the default setting.
authentication method-list
no authentication

Parameter Description
Parameter Description
method-list Name of the method list

Defaults N/A

Command Mode Template configuration mode

Usage Guide The method-list parameter in this command should be consistent with the Web authentication method list configured in AAA.
First-generation authentication does not support the authentication method list configuration.

Configuration Examples
The following example uses mlist1 as the authentication method list.
Hostname> enable
Hostname# configure terminal
Hostname(config)# web-auth template iportal
Hostname(config.tmplt.iportal)# authentication mlist1

Related Commands
Command Description
N/A N/A

Platform Description N/A

bindmode

Use this command to set a binding mode for the template.
Use the no form of this command to restore the default setting.
bindmode ip-only-mode
no bindmode

Parameter Description
Parameter Description
ip-only-mode IP-only mode. In this mode, only IP addresses are delivered to the forwarding table entry.

Defaults The default is ip-mac-mode.

Command Mode Template configuration mode

Usage Guide N/A

Configuration Examples
The following example sets the binding mode to IP-only mode for the built-in template.
Ruijie(config)# web-auth template iportal
Ruijie(config.tmplt.iportal)#bindmode ip-only-mode

Related Commands
Command Description
N/A N/A

Platform Description N/A

clear web-auth direct-arp

Use this command to clear all ARP resources exempt from authentication.
clear web-auth direct-arp

Parameter Description
Parameter Description
N/A N/A

Defaults N/A

Command Mode Privileged EXEC mode

Usage Guide N/A

Configuration Examples
The following example clears all ARP resources exempt from authentication.
Ruijie# clear web-auth direct-arp

Related Commands
Command Description
N/A N/A

Platform Description N/A

clear web-auth direct-host

Use this command to clear all authentication-exempted users.
clear web-auth direct-host [range]

Parameter Description
Parameter Description
N/A N/A

Defaults N/A

Command Mode Privileged EXEC mode

Usage Guide N/A

Configuration Examples
The following example clears all authentication-exempted users.
Ruijie# clear web-auth direct-host

Related Commands
Command Description
N/A N/A

Platform Description N/A

clear web-auth direct-site

Use this command to clear all authentication-exempted network resources.
clear web-auth direct-site

Parameter Description
Parameter Description
N/A N/A

Defaults N/A

Command Mode Privileged EXEC mode

Usage Guide N/A

Configuration Examples
The following example clears all authentication-exempted network resources.
Ruijie# clear web-auth direct-site

Related Commands
Command Description
N/A N/A

Platform Description N/A

clear web-auth group

Use this command to clear all group information.
clear web-auth group

Parameter Description
Parameter Description
N/A N/A

Defaults N/A

Command Mode Privileged EXEC mode

Usage Guide N/A

Configuration Examples
The following example clears all group information.
Ruijie# clear web-auth group

Related Commands
Command Description
N/A N/A

Platform Description N/A

clear web-auth user

Use this command to force the user to go offline.
clear web-auth user { all | ip ip-address | mac mac-address | name name-string }

Parameter Description
Parameter Description
ip-address Specifies the user's IPv4 address.
mac-address Specifies the user's MAC address.
name-string Specifies the user name.

Defaults N/A

Command Mode Privileged EXEC mode

Usage Guide N/A

Configuration Examples
The following example forces all users to go offline.
Ruijie(config)# clear web-auth user all

Related Commands
Command Description
N/A N/A

Platform Description N/A

fmt

Use this command to set the URL redirection format in the second-generation template configuration mode.
fmt { cmcc-ext1 | cmcc-ext2 | cmcc-mtx | cmcc-normal | cmcc-ext3 | ruijie | custom }
Use this command to set the URL redirection format in the first-generation template configuration mode.
fmt { ace | ruijie | custom }

Use this command to set a custom URL redirection format in the first- and second-generation template configuration modes.
fmt custom [ encry { md5 | des | des_ecb | des_ecb3 | none } ] [ user-ip userip-str ] [ user-mac usermac-str mac-format [ dot | line | none ] ] [ user-vid uservid-str ] [ user-id userid-str ] [ nas-ip nasip-str ] [ nas-id nasid-str ] [ nas-id2 nasid2-str ] [ ac-name acname-str ] [ ap-mac apmac-str mac-format [ dot | line | none ] ] [ url url-str ] [ ssid ssid-str ] [ port port-str ] [ ac-serialno ac-sno-str ] [ ap-serialno ap-sno-str ]

Use the no form of the fmt custom command to remove the custom URL redirection format.
no fmt custom [ user-ip ] [ user-mac ] [ user-vid ] [ user-id ] [ nas-ip ] [ nas-id ] [ nas-id2 ] [ ac-name ] [ ap-mac ] [ url ] [ ssid ] [ port ] [ ac-serialno ] [ ap-serialno ] [ additional ]

Parameter Description
Parameter Description
cmcc-ext1 Extended CMCC format
cmcc-ext2 Liaoning CMCC format
cmcc-mtx CMCC format for AC manufacturers
cmcc-normal Standard CMCC format
ace Supports ACE correlation.
ruijie Ruijie format
custom Custom format
userip-str User IP address string
usermac-str User MAC address string
uservid-str User VID string
nasid-str NAS device ID string
nasid2-str NAS device ID string (supports a second NAS ID)
acname-str AC name string
apmac-str Associated AP MAC address string
url-str Original URL string
ssid-str SSID string
port-str Auth-Port string
ac-sno-str SN string of the AC
ap-sno-str SN string of the AP
md5 MD5 encryption
des DES encryption
des_ecb DES_ECB encryption
des_ecb3 DES_ECB3 encryption
none Not encrypted

Defaults The default URL redirection format is the Ruijie format.

Command Mode Template configuration mode

Usage Guide Use this command to set the URL redirection format based on the corresponding portal standard.

Configuration Examples
The following example configures the URL to support ACE correlation.
Hostname> enable
Hostname# configure terminal
Hostname(config)# web-auth template eportalv1
Hostname(config.tmplt.eportalv1)# fmt ace

Platform Description N/A

http redirect direct-arp

Use this command to set the address range of the authentication-exempted ARP.
Use the no form of this command to restore the default setting.
http redirect direct-arp { ip-address [ ip-mask ] }
no http redirect direct-arp { ip-address [ ip-mask ] }

Parameter Description
Parameter Description
ip-address IPv4 address
ip-mask (Optional) IPv4 mask

Defaults No authentication-exempted ARP resource is configured by default.

Command Mode Global configuration mode

Usage Guide With the ARP CHECK function enabled, the user cannot learn the ARP entries of devices such as the gateway. Use this command to allow the user to learn the ARP entries within a specified IP address range without authentication.

Configuration Examples
The following example sets the IP address 172.16.0.1 as the authentication-exempted ARP resource.
Ruijie(config)# http redirect direct-arp 172.16.0.1

Related Commands
Command Description
show web-auth direct-arp Displays the address range of the authentication-exempted ARP.

Platform Description N/A

http redirect direct-site

Use this command to set the range of authentication-exempted network resources.
Use the no form of this command to restore the default setting.
http redirect direct-site { ipv4-address [ ip-mask ] [ arp ] | mac-address | range startip-address endip-address } [ description description-str ] [ group group-name ]
no http redirect direct-site { ipv4-address [ ip-mask ] | mac-address | range startip-address endip-address }

Parameter Description
Parameter Description
ipv4-address IPv4 address of the authentication-exempted network resources
ip-mask (Optional) IPv4 address mask of the authentication-exempted network resources
arp (Optional) If ARP Check is enabled on the access device, the keyword arp is needed for ARP binding of the authentication-exempted network resources. It applies to IPv4 network resources only.
mac-address MAC address of the authentication-exempted user
startip-address Start IP address of a continuous range of authentication-exempted network resources.
endip-address End IP address of a continuous range of authentication-exempted network resources.
group-name Group to which the authentication-exempted network resources belong.
description-str Description of the authentication-exempted network resources.

Defaults No authentication-exempted network resource is set.

Command Mode Global configuration mode

Usage Guide When Web/802.1x authentication is enabled, all users must pass Web/client authentication to access network resources. This command makes certain network resources available to unauthenticated users. All users can access the authentication-exempted Web sites.
Up to 50 authentication-exempted users are supported.

Configuration Examples
The following example sets the Web site with IP address 172.16.0.1 as an authentication-exempted resource.
Ruijie(config)# http redirect direct-site 172.16.0.1
The following example sets the Web site with MAC address 0000:5e00:0101 as an authentication-exempted resource.
Ruijie(config)# http redirect direct-site 0000:5e00:0101
The following example sets the IP range of authentication-exempted resources to 10.0.0.1-12.0.0.1.
Ruijie(config)# http redirect direct-site range 10.0.0.1 12.0.0.1

Related Commands
Command Description
show http redirect Displays the HTTP redirection configuration.

Platform Description N/A

http redirect port

Use this command to redirect users' HTTP requests sent to a certain destination port.
Use the no form of this command to restore the default setting.
http redirect port port-num
no http redirect port port-num

Parameter Description
Parameter Description
port-num Destination port of the HTTP request

Defaults By default, HTTP packets sent to port 80 are intercepted.

Command Mode Global configuration mode

Usage Guide When a user accesses a network resource, the user sends HTTP packets. The access device can intercept such HTTP packets to detect the access. If the access device detects that an unauthenticated user is accessing a network resource, it stops the user with an authentication page or client download page.
By default, the access device intercepts users' HTTP packets with destination port 80 to check whether they are accessing network resources.
This command changes the destination port of the HTTP packets that the access device intercepts.
Up to 10 ports can be configured, including port 80.

Configuration Examples
The following example redirects users' HTTP requests sent to port 8080.
Ruijie(config)# http redirect port 8080
The following example stops redirecting users' HTTP requests sent to port 80.
Ruijie(config)# no http redirect port 80

Related Commands
Command Description
show web-auth rdport Displays the TCP interception port.

Notification HTTP requests sent to well-known ports such as port 23 cannot be intercepted:
%Error: Can't set local reserved port(23) as redirection port.

Platform Description N/A

http redirect session-limit

Use this command to set the total number of HTTP sessions that can be originated by an unauthenticated user.
Use the no form of this command to restore the default setting.
http redirect session-limit session-num
no http redirect session-limit

Parameter Description
Parameter Description
session-num Total number of HTTP sessions that can be originated by an unauthenticated user, in the range from 1 to 255.

Defaults A total of 255 HTTP sessions can be originated by an unauthenticated user, and 300 HTTP sessions can be originated by the unauthenticated users connected to each port.

Command Mode Global configuration mode

Usage Guide To prevent HTTP attacks by unauthenticated users from using up the TCP connections of the access device, the maximum number of HTTP sessions by unauthenticated users must be limited on the access device.
In addition to authentication, other programs may also occupy HTTP sessions. Therefore, it is not recommended to set the maximum number of HTTP sessions by unauthenticated users to 1.

Configuration Examples
The following example sets the maximum number of HTTP sessions originated by an unauthenticated user to 4.
Ruijie(config)# http redirect session-limit 4

Related Commands
Command Description
show web-auth parameter Displays the HTTP redirect configuration.

Platform Description N/A
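The three global settings http redirect direct-site, http redirect port and http redirect session-limit together decide what the access device does with a packet from a user who has not yet authenticated. The Python model below is an added illustration of that decision logic; it is not code from the command reference or the device, and its data structure, function names and the "drop" outcome for non-intercepted, non-exempt traffic are assumptions drawn from the usage guides above. The limits (10 redirection ports, 50 exempt entries, port 23 rejected as a local reserved port) and the addresses in the demo are taken from the page; the reserved-port set beyond port 23 is device-specific and left as a one-element placeholder.

```python
import ipaddress
from dataclasses import dataclass, field

MAX_REDIRECT_PORTS = 10      # "Up to 10 ports can be configured, including port 80."
MAX_EXEMPT_ENTRIES = 50      # "Up to 50 authentication-exempted users are supported."
LOCAL_RESERVED_PORTS = {23}  # port 23 is rejected on the page; the full set is device-specific (assumption)


@dataclass
class WebAuthPolicy:
    """Assumed in-memory form of the global settings, not the device's own data structure."""
    redirect_ports: set = field(default_factory=lambda: {80})  # http redirect port (80 by default)
    session_limit: int = 255                                    # http redirect session-limit
    exempt_nets: list = field(default_factory=list)             # direct-site ipv4-address [ip-mask]
    exempt_ranges: list = field(default_factory=list)           # direct-site range start end
    exempt_macs: set = field(default_factory=set)               # direct-site mac-address
    sessions: dict = field(default_factory=dict)                # unauthenticated user IP -> open HTTP sessions


def add_redirect_port(policy, port):
    """Mirror of 'http redirect port': returns None on success or the error text."""
    if port in LOCAL_RESERVED_PORTS:
        return f"%Error: Can't set local reserved port({port}) as redirection port."
    if port not in policy.redirect_ports and len(policy.redirect_ports) >= MAX_REDIRECT_PORTS:
        return "%Error: up to 10 redirection ports, port 80 included"   # wording assumed
    policy.redirect_ports.add(port)
    return None


def add_direct_site(policy, spec):
    """Mirror of 'http redirect direct-site' with the argument as typed on the CLI:
    '172.16.0.1', '172.16.0.0 255.255.0.0', '0000:5e00:0101' or 'range 10.0.0.1 12.0.0.1'."""
    total = len(policy.exempt_nets) + len(policy.exempt_ranges) + len(policy.exempt_macs)
    if total >= MAX_EXEMPT_ENTRIES:
        raise ValueError("up to 50 authentication-exempted entries")
    parts = spec.split()
    if parts[0] == "range":
        start, end = ipaddress.IPv4Address(parts[1]), ipaddress.IPv4Address(parts[2])
        if end < start:
            raise ValueError("range end precedes start")
        policy.exempt_ranges.append((start, end))
    elif ":" in parts[0]:                     # MAC in the page's xxxx:xxxx:xxxx form
        policy.exempt_macs.add(parts[0].lower())
    else:
        mask = parts[1] if len(parts) > 1 else "255.255.255.255"
        policy.exempt_nets.append(ipaddress.IPv4Network(f"{parts[0]}/{mask}", strict=False))


def is_exempt(policy, dst_ip, dst_mac=None):
    """True when the destination is an authentication-exempted resource by MAC, network or range."""
    addr = ipaddress.IPv4Address(dst_ip)
    if dst_mac and dst_mac.lower() in policy.exempt_macs:
        return True
    if any(addr in net for net in policy.exempt_nets):
        return True
    return any(start <= addr <= end for start, end in policy.exempt_ranges)


def handle_unauthenticated_packet(policy, user_ip, dst_ip, dst_port, dst_mac=None):
    """What the access device does with a TCP packet from a user who has not authenticated."""
    if is_exempt(policy, dst_ip, dst_mac):
        return "forward"       # authentication-exempted resource: reachable without login
    if dst_port not in policy.redirect_ports:
        return "drop"          # not an intercepted HTTP port; nothing else is forwarded before login (assumption)
    open_sessions = policy.sessions.get(user_ip, 0)
    if open_sessions >= policy.session_limit:
        return "drop"          # session-limit reached: one host cannot exhaust the device's TCP connections
    policy.sessions[user_ip] = open_sessions + 1
    return "redirect"          # intercept and answer with the portal redirection


def demo():
    """Constructed scenario using the addresses from the page's examples and session-limit 4."""
    policy = WebAuthPolicy(session_limit=4)
    add_direct_site(policy, "172.16.0.1")
    add_direct_site(policy, "0000:5e00:0101")
    add_direct_site(policy, "range 10.0.0.1 12.0.0.1")
    if add_redirect_port(policy, 8080) is not None:
        raise RuntimeError("port 8080 should be accepted")
    user = "192.168.10.5"      # constructed unauthenticated client
    decisions = [
        handle_unauthenticated_packet(policy, user, "172.16.0.1", 443),                  # exempt host
        handle_unauthenticated_packet(policy, user, "11.5.5.5", 443),                    # inside the exempt range
        handle_unauthenticated_packet(policy, user, "203.0.113.9", 80, "0000:5E00:0101"),  # exempt by MAC
        handle_unauthenticated_packet(policy, user, "198.51.100.7", 443),                # not HTTP, not exempt
        handle_unauthenticated_packet(policy, user, "198.51.100.7", 8080),               # intercepted port
    ]
    decisions += [handle_unauthenticated_packet(policy, user, "198.51.100.7", 80) for _ in range(4)]
    return decisions


if __name__ == "__main__":
    print(demo())
```

The last four calls in demo() show the session limit in action: the fifth redirection for the same unauthenticated host is dropped once four sessions are open, which is the behaviour the usage guide describes as protecting the device's TCP connections; exempt destinations are never counted against the limit because they are forwarded before interception.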

http redirect timeout

Use this command to set the timeout for redirection connection maintenance.
Use the no form of this command to restore the default setting.
http redirect timeout seconds
no http redirect timeout

Parameter Description
Parameter Description
seconds Timeout for redirection connection maintenance, in the range from 1 to 10 seconds.

Defaults The default is 3 seconds.

Command Mode Global configuration mode

Usage Guide This command sets the timeout for redirection connection maintenance. After the three-way handshake succeeds, the redirection connection is maintained until the user sends an HTTP GET/HEAD packet and the system returns an HTTP redirection packet. This timeout prevents users from occupying TCP connections for a long time without sending any GET/HEAD packet.

Configuration Examples
The following example sets the timeout for redirection connection maintenance to 4 seconds.
Ruijie(config)# http redirect timeout 4

Related Commands
Command Description
show http redirect Displays the HTTP redirection configuration.

Platform Description N/A

ip

Use this command to set an IP address for the portal server.
Use the no form of this command to restore the default setting.
ip ip-address
no ip

Parameter Description
Parameter Description
ip-address The IPv4 address of the portal server

Defaults No IP address is set for the portal server by default.

Command Mode Template configuration mode

Usage Guide This command replaces the http redirect [ip-address] command, which is now hidden as a compatibility command.

Configuration Examples
The following example sets the IP address of the eportalv1 template to 172.16.0.1.
Ruijie(config.tmplt.eportalv1)#ip 172.16.0.1
Ruijie(config.tmplt.eportalv1)#

Related Commands
Command Description
show web-auth template Displays the parameters of the template.

Platform Description N/A

ip portal source-interface

Use this command to specify a communication port for the portal server.
Use the no form of this command to restore the default setting.
ip portal source-interface interface-type interface-num
no ip portal source-interface

Parameter Description
Parameter Description
interface-type Port type
interface-num Port number

Defaults No communication interface is specified by default.

Command Mode Global configuration mode

Usage Guide N/A

Configuration Examples
The following example specifies an aggregate port as the communication port.
Ruijie(config)# ip portal source-interface Aggregateport 1

Platform Description N/A

iportal nat enable

Use this command to enable the NAT function for local Web authentication.
Use the no form of this command to restore the default setting.
iportal nat enable
no iportal nat enable

Parameter Description
Parameter Description
N/A N/A

Defaults NAT is disabled by default.

Command Mode Global configuration mode

Usage Guide N/A

Configuration Examples
The following example enables the NAT function for local Web authentication.
Ruijie(config)# iportal nat enable

Platform Description N/A


iportal retransmit

Use this command to set the retransmission count of HTTP packets.
Use the no form of this command to restore the default setting.
iportal retransmit times
no iportal retransmit

Parameter Description
Parameter Description
times Retransmission count

Defaults The retransmission count of HTTP packets is 3 by default.

Command Mode Global configuration mode

Usage Guide N/A

Configuration Examples
The following example sets the retransmission count of HTTP packets to 5.
Ruijie(config)# iportal retransmit 5

Platform Description N/A

iportal service

Use this command to configure a service template.
Use the no form of this command to restore the default setting.
iportal service [ internet internet-name ] [ local local-name ]
no iportal service [ internet internet-name ] [ local local-name ]

Parameter Description
Parameter Description
internet-name External service name
local-name Local service name

Defaults No service template is configured by default.

Command Mode Global configuration mode

Usage Guide N/A

Configuration Examples
The following example configures a local service template.
Ruijie(config)# iportal service local local-srv

Platform Description N/A

iportal user-agent

Use this command to configure the name and string for a User Agent (UA).
Use the no form of this command to remove the UA name and string.
iportal user-agent ua-name type mobile ua-string
no iportal user-agent ua-name type mobile ua-string

Parameter Description
Parameter Description
ua-name UA name
ua-string UA string

Defaults No UA name or string is configured by default.

Command Mode Global configuration mode

Usage Guide Terminal recognition is used in place of this command at present.

Configuration Examples

Platform Description N/A

login-popup

Use this command to configure a pre-login popup advertisement.
Use the no form of this command to restore the default setting.
login-popup url-string
no login-popup

Parameter Description
Parameter Description
url-string Ad URL

Defaults No pre-login popup advertisement is configured by default.

Command Mode Template configuration mode

Usage Guide The URL of the popup advertisement should begin with "http://" or "https://".

Configuration Examples
The following example configures a pre-login popup advertisement.
Ruijie(config.tmplt.iportal)#login-popup http://www.ruijie.com.cn

Platform Description N/A

online-popup

Use this command to configure a post-login popup advertisement.
Use the no form of this command to restore the default setting.
online-popup url-string
no online-popup

Parameter Description
Parameter Description
url-string Ad URL

Defaults No post-login popup advertisement is configured by default.

Command Mode Template configuration mode

Usage Guide The URL of the popup advertisement should begin with "http://" or "https://".

Configuration Examples
The following example configures a post-login popup advertisement.
Ruijie(config.tmplt.iportal)#online-popup http://www.ruijie.com.cn

Platform Description N/A

page-suite

Use this command to configure a resource suite for the login page.
Use the no form of this command to restore the default setting.
page-suite filename
no page-suite

Parameter Description
Parameter Description
filename Resource suite name

Defaults The installed resource suite is used by default.

Command Mode Template configuration mode

Usage Guide Make sure the page resource files have been downloaded to the portal/zip directory in the flash memory beforehand.

Configuration Examples
The following example configures a page suite for internal Web authentication.
Ruijie(config.tmplt.iportal)#page-suite ruijiepage

Platform Description N/A

port

Use this command to set a listening port for the portal server.
Use the no form of this command to restore the default setting.
port port-num
no port

Parameter Description
Parameter Description
port-num The listening port of the portal server.

Defaults The default is UDP port 50100. For iportal authentication, this port is the HTTP port on which the local device listens.

Command Mode Template configuration mode

Usage Guide N/A

Configuration Examples
The following example sets the listening port of the portal server to port 10000.
Hostname> enable
Hostname# configure terminal
Hostname(config)# web-auth template iportal
Hostname(config.tmplt.iportal)# port 10000

Related Commands
Command Description
N/A N/A

Platform Description N/A

redirect

Use this command to set the redirect packet protocol.
Use the no form of this command to restore the default setting.
redirect { http | js }
no redirect

Parameter Description
Parameter Description
http HTTP 302
js HTTP 200

Defaults The default is HTTP 302.

Command Mode Template configuration mode

Usage Guide N/A

Configuration Examples
The following example sets the redirect packet protocol to HTTP 200.
Hostname> enable
Hostname# configure terminal
Hostname(config)# web-auth template eportalv1
Hostname(config.tmplt.eportalv1)# redirect http

Related Commands
Command Description
N/A N/A

Platform Description N/A

show web-auth cgi

Use this command to display the CGI configuration.
show web-auth cgi

Parameter Description
Parameter Description
N/A N/A

Command Mode Privileged EXEC mode

Usage Guide N/A

Configuration Examples
The following example displays the CGI configuration.
Ruijie# show web-auth cgi
Total 0 cgi items:
id-string url-string
--------------- ----------------------------------
Field Description:
Field Description
id-string ID of the CGI command
url-string Character string of the CGI command

Platform Description N/A

show web-auth control

Use this command to display the Web authentication configuration of the interfaces.
show web-auth control

Parameter Description
Parameter   Description
N/A         N/A

Defaults N/A

Command Mode Privileged EXEC mode

Usage Guide N/A

Configuration Examples The following example displays the authentication configuration and statistics on the interfaces.
Ruijie(config)#show web-auth control
Port                      Control  Server Name           Online User Count
------------------------- -------- --------------------- -----------------
GigabitEthernet 0/1       On       <not configured>      0
Ruijie(config)#

Field Description
Field              Description
Port               Name of the authentication port.
Control            Whether Web authentication is enabled on the port.
Server Name        The customized server name on the port. <not configured> indicates that no server name has been configured.
Online User Count  The number of online users on this port.

Related Commands N/A

Platform Description N/A

show web-auth direct-arp

Use this command to display the address range of the authentication-exempted ARP.
show web-auth direct-arp

Parameter Description
Parameter   Description
N/A         N/A

Defaults N/A

Command Mode Privileged EXEC mode

Usage Guide N/A

Configuration Examples The following example displays the address range of the authentication-exempted ARP.
Ruijie(config)#show web-auth direct-arp
Direct arps:
Address         Mask
--------------- ---------------
1.1.1.1         255.255.255.255
2.2.2.2         255.255.255.255
Ruijie(config)#

Field Description
Field     Description
Address   IPv4 address.
Mask      IPv4 mask.

Related Commands N/A

Platform Description N/A

show web-auth direct-host

Use this command to display the Web authentication-exempted users.
show web-auth direct-host [ range ]

Parameter Description
Parameter   Description
range       Displays the authentication-exempted address ranges instead of single entries.

Defaults N/A

Command Mode Privileged EXEC mode

Usage Guide N/A

Configuration Examples 1. The following example displays the Web authentication-exempted users.
Ruijie# show web-auth direct-host
Address          Mask             Port       ARP Binding  Group      Description
---------------- ---------------- ---------- ------------ ---------- -------------
192.168.0.1      255.255.255.255  Gi0/2      On           N/A        N/A
192.168.4.11     255.255.255.255  Gi0/10     On           N/A        N/A
192.168.5.0      255.255.255.0    Gi0/16     Off          N/A        N/A

Field Description
Field         Description
Address       IP address of the authentication-exempted user
Mask          IP address mask of the authentication-exempted user
Port          Access device port bound to the user's IP address
ARP Binding   Whether ARP binding is enabled
Group         The group to which the user belongs
Description   Description of the entry

2. The following example displays the configured ranges of authentication-exempted users.
Ruijie# show web-auth direct-host range
Direct host Ranges: 1
Start Address    End Address      Port       Group        Description
---------------- ---------------- ---------- ------------ -----------
192.168.0.1      192.168.100.1    Gi0/2      N/A          N/A

Field Description
Field           Description
Start Address   Start address of the authentication-exempted range
End Address     End address of the authentication-exempted range
Port            The port bound to the users' IP addresses
Group           The group to which the users belong
Description     Description of the entry

Related Commands N/A

Platform Description N/A

show web-auth direct-site

Use this command to display the Web authentication-exempted network resources.
show web-auth direct-site [ range ]

Parameter Description
Parameter   Description
range       Displays the authentication-exempted address ranges instead of single entries.

Defaults No network resource is exempted from authentication.

Command Mode Privileged EXEC mode

Usage Guide N/A

Configuration Examples The following example displays the Web authentication-exempted network resources.
Ruijie# show web-auth direct-site
Direct sites:
Address         Mask            ARP Binding Group      Description
--------------- --------------- ----------- ---------- -------------
1.1.1.1         255.255.255.255 Off         N/A        N/A
2.2.2.2         255.255.255.255 On          N/A        N/A
Ruijie(config)#

Field Description
Field         Description
Address       IP address.
Mask          IP mask.
ARP Binding   Whether the ARP binding function is enabled.

The following example displays the configured ranges of Web authentication-exempted network resources.
Ruijie# show web-auth direct-site range
Direct site Ranges: 1
Start Address   End Address     Group          Description
--------------- --------------- -------------- -------------
1.1.1.1         5.5.5.5         N/A            N/A

Field Description
Field           Description
Start Address   Start IP address
End Address     End IP address
Group           The group to which the Web authentication-exempted network resources belong.
Description     Description of the entry

Related Commands N/A

Platform Description N/A
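
The show web-auth direct-host and show web-auth direct-site displays above share one shape: an address, a mask and an ARP-binding flag per exemption. Before trusting a device, a practitioner wants to know which entries exempt more than a single host and which exempt users can be claimed by any machine that assumes the IP address. The following Python is an example added to this reference, not Ruijie code: it parses constructed sample output in the two documented formats and flags those cases. The prefix-length and ARP-binding rules are the example's own audit policy; the device defines neither.

```python
"""Audit authentication-exempt entries (example added for this reference,
not Ruijie code).  Parses the display formats of `show web-auth direct-host`
and `show web-auth direct-site` and flags entries a reviewer should question."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample output, modelled on the two displays documented above.
# The 10.0.0.0/8 site entry is added so that a broad exemption is caught.
DIRECT_HOST_OUTPUT = """\
Address          Mask             Port       ARP Binding  Group      Description
---------------- ---------------- ---------- ------------ ---------- -------------
192.168.0.1      255.255.255.255  Gi0/2      On           N/A        N/A
192.168.4.11     255.255.255.255  Gi0/10     On           N/A        N/A
192.168.5.0      255.255.255.0    Gi0/16     Off          N/A        N/A
"""

DIRECT_SITE_OUTPUT = """\
Direct sites:
Address         Mask            ARP Binding Group      Description
--------------- --------------- ----------- ---------- -------------
1.1.1.1         255.255.255.255 Off         N/A        N/A
10.0.0.0        255.0.0.0       Off         N/A        N/A
"""


@dataclass
class Exemption:
    kind: str                       # "host" (exempt user) or "site" (exempt resource)
    network: ipaddress.IPv4Network  # address/mask collapsed to a prefix
    arp_binding: bool               # "ARP Binding" column
    port: Optional[str]             # only direct-host rows carry a port


def _data_rows(text: str):
    """Yield whitespace-split data rows, skipping banner, header and rule lines."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] in ("Address", "Direct") or parts[0].startswith("-"):
            continue
        yield parts


def parse_direct_host(text: str) -> List[Exemption]:
    out = []
    for addr, mask, port, arp, *_ in _data_rows(text):   # Group/Description ignored
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        out.append(Exemption("host", net, arp == "On", port))
    return out


def parse_direct_site(text: str) -> List[Exemption]:
    out = []
    for addr, mask, arp, *_ in _data_rows(text):         # site rows have no Port column
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        out.append(Exemption("site", net, arp == "On", None))
    return out


def audit(entries: List[Exemption]) -> List[str]:
    """Return one finding per questionable entry.

    The rules are this example's own policy:
      * a mask shorter than /32 exempts a whole block rather than one device;
      * an exempt *user* whose ARP binding is off is identified by IP address
        alone, so another machine can assume the address (the reference notes
        that the arp keyword only takes effect when ARP check is enabled).
    """
    findings = []
    for e in entries:
        if e.network.prefixlen < 32:
            findings.append(
                f"{e.kind} {e.network}: exempts {e.network.num_addresses} addresses, not a single host")
        if e.kind == "host" and not e.arp_binding:
            findings.append(
                f"host {e.network} on {e.port}: ARP binding off, exemption can be taken over by IP spoofing")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_direct_host(DIRECT_HOST_OUTPUT) + parse_direct_site(DIRECT_SITE_OUTPUT)):
        print(finding)
```

Run against real output by pasting the two displays into the constants; the parser only relies on the column order shown in the reference, so it tolerates the varying column widths of the two commands.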

show web-auth global

Use this command to display the global Web authentication configuration.
show web-auth global

Parameter Description
Parameter   Description
N/A         N/A

Command Mode Privileged EXEC mode

Usage Guide N/A

Configuration Examples The following example displays the global Web authentication configuration.
Ruijie# show web-auth global
Webauth...........................................enable
Webauth-type......................................external
Customized-pages..................................(Not Configured)
Customized-logo...................................disable
Server-port.......................................8081
Public account....................................disable
Authentication....................................(Not Configured)
Current global template:
name:.........................................eportalv1
type:.........................................v1
Ip:...........................................192.168.197.79
URL:..........................................http://192.168.197.79:8080/eportal/index.jsp

Field Description
Field                    Description
Webauth-type             Web authentication type
Customized-pages         The custom page of local Web authentication
Customized-logo          The custom logo of local Web authentication
Server-port              The listening port of local Web authentication
Public account           Whether the public account is enabled
Authentication           Authentication method
Current global template  Current global template

Platform Description N/A

show web-auth global authentication

Use this command to display the Web authentication method.
show web-auth global authentication

Parameter Description
Parameter   Description
N/A         N/A

Command Mode Privileged EXEC mode

Usage Guide N/A

Configuration Examples The following example displays the Web authentication method.
Ruijie# show web-auth global authentication
Webauth...........................................enable
Authentication....................................(Not Configured)

Field Description
Field            Description
Webauth          Whether Web authentication is enabled
Authentication   Authentication method

Platform Description N/A

show web-auth global customized-pages

Use this command to display the customized page information.
show web-auth global customized-pages

Parameter Description
Parameter   Description
N/A         N/A

Command Mode Privileged EXEC mode

Usage Guide N/A

Configuration Examples The following example displays the customized page information.
Ruijie# show web-auth global customized-pages
Webauth...........................................enable
Customized-pages..................................(Not Configured)

Field Description
Field              Description
Webauth            Whether Web authentication is enabled
Customized-pages   Customized pages

Platform Description N/A

show web-auth global local-portal

Use this command to display the local portal server configuration.
show web-auth global local-portal

Parameter Description
Parameter   Description
N/A         N/A

Command Mode Privileged EXEC mode

Usage Guide This command displays the local portal server configuration.

Configuration Examples The following example displays the local portal server configuration.
Ruijie# show web-auth global local-portal
Webauth...........................................enable
Server-port.......................................8081
Public account....................................disable

Field Description
Field            Description
Webauth          Whether Web authentication is enabled
Server-port      Listening port
Public account   Whether the public account is enabled

Platform Description N/A

show web-auth global template

Use this command to display the global authentication template.
show web-auth global template

Parameter Description
Parameter   Description
N/A         N/A

Command Mode Privileged EXEC mode

Usage Guide N/A

Configuration Examples The following example displays the global authentication template.
Ruijie# show web-auth global template
Webauth...........................................enable
Current global template:
name:.........................................eportalv1
type:.........................................v1
Ip:...........................................192.168.197.79
URL:..........................................http://192.168.197.79:8080/eportal/index.jsp

Field Description
Field                    Description
Webauth                  Whether Web authentication is enabled
Current global template  Summary of the current global template

Platform Description N/A

show web-auth global webauth-type

Use this command to display the global authentication type.
show web-auth global webauth-type

Parameter Description
Parameter   Description
N/A         N/A

Command Mode Privileged EXEC mode

Usage Guide This command displays the global authentication type.

Configuration Examples The following example displays the global authentication type.
Ruijie# show web-auth global webauth-type
Webauth...........................................enable
Webauth-type......................................external

Field Description
Field          Description
Webauth        Whether Web authentication is enabled
Webauth-type   Authentication type

Platform Description N/A

show web-auth info

Use this command to display the user authentication configuration.
show web-auth info

Parameter Description
Parameter   Description
N/A         N/A

Command Mode Privileged EXEC mode

Usage Guide This command displays the Web authentication configuration. Note that the portal communication key is shown in clear text, so treat the output as sensitive.

Configuration Examples The following example displays the user authentication configuration.
Ruijie# show web-auth info
web-auth info:
Update interval: 180
User mode: ip
Portal key: ruijie

Field Description
Field             Description
Update interval   Update interval of user information
User mode         User binding mode
Portal key        Portal communication key

Platform Description N/A

show web-auth ip-mapping

Use this command to display the portal-client mapping rules.
show web-auth ip-mapping

Parameter Description
Parameter   Description
N/A         N/A

Defaults N/A

Command Mode Privileged EXEC mode

Usage Guide N/A

Configuration Examples The following example displays the portal-client mapping rules.
Ruijie(config)#show web-auth ip-mapping
------------------------------------------------------------
Name: iportal
Ip: 0.0.0.0
Url:
Ip-Mapping:
------------------------------------------------------------
Name: eportalv1
Ip: 172.18.105.9
Url: http://172.18.105.9:8080/eportal/index.jsp
Ip-Mapping:
1.1.1.0-255.255.255.0 Global
Ruijie(config)#

Platform Description N/A

show web-auth local-portal

Use this command to display the local portal server configuration.
show web-auth local-portal

Parameter Description
Parameter   Description
N/A         N/A

Command Mode Privileged EXEC mode

Usage Guide This command displays the local portal server configuration.

Configuration Examples The following example displays the local portal server configuration.
Ruijie# show web-auth local-portal
Local web-auth info:
Server-port: 8081
AAA method-list: (Not Configured)
Public account: disable

Field Description
Field             Description
Server-port       Listening port
AAA method-list   AAA method list
Public account    Whether the public account is enabled

Platform Description N/A

show web-auth parameter

Use this command to display the HTTP redirect configuration.
show web-auth parameter

Parameter Description
Parameter   Description
N/A         N/A

Defaults N/A

Command Mode Privileged EXEC mode

Usage Guide This command displays the basic HTTP redirect parameters of Web authentication.

Configuration Examples The following example displays the HTTP redirect configuration.
Ruijie# show web-auth parameter
session-limit: 10
timeout: 5

Field Description
Field           Description
session-limit   Maximum number of HTTP sessions that an unauthenticated user may create.
timeout         Timeout interval of the redirection connection.

Related Commands N/A

Platform Description N/A

show web-auth portal-check

Use this command to display the portal-check configuration.
show web-auth portal-check

Parameter Description
Parameter   Description
N/A         N/A

Defaults N/A

Command Mode Privileged EXEC mode

Usage Guide N/A

Configuration Examples The following example displays the portal-check configuration.
Ruijie#sh web portal-check
Check: Enable
Interval: 3s
Timeout: 5s
Retransmit: 3
Escape: Enable
Nokick: Disable

Field Description
Field        Description
Check        Whether the portal-check function is enabled
Interval     Detection interval
Timeout      Timeout period of each detection
Retransmit   Number of retransmissions per detection
Escape       Whether the escape function is enabled
Nokick       Whether online users are kept rather than kicked off when the portal server is unreachable and the escape function is enabled

Platform Description N/A

show web-auth rdport

Use this command to display the TCP interception ports.
show web-auth rdport

Parameter Description
Parameter   Description
N/A         N/A

Defaults N/A

Command Mode Privileged EXEC mode

Usage Guide N/A

Configuration Examples The following example displays the TCP interception ports.
Ruijie#show web-auth rdport
Rd-Port:
80 443
Ruijie#

Related Commands N/A

Platform Description N/A

show web-auth syslog ip

Use this command to display the online and offline records of a user.
show web-auth syslog ip ip-address

Parameter Description
Parameter    Description
ip-address   IP address of the user

Defaults N/A

Command Mode Privileged EXEC mode

Usage Guide This command displays the online and offline records of the user with the given IP address.

Configuration Examples The following example displays the online and offline records of a user.
Ruijie#show web-auth syslog ip 192.168.197.35
Address: 192.168.197.35 Core-index 0 Current index 2
Index: 0
Time: 2015-10-16 20:37:34
Behavior: ONLINE
Mac: 00d0.f822.33e7
Vid: 101
Port: Gi3/1
Timeused: 0d 00:00:00
Flow_up: 0
Flow_down: 0

Index: 1
Time: 2015-10-16 20:42:08
Behavior: OFFLINE
Mac: 00d0.f822.33e7
Vid: 101
Port: Gi3/1
Timeused: 0d 00:04:27
Flow_up: 2107872
Flow_down: 2108224

Field Description
Field       Description
Index       Record ID
Time        Time at which the record was generated
Behavior    Online or offline
Mac         MAC address of the user
Vid         VLAN ID of the user
Port        Port of the user
Timeused    Online duration of the user at the time of the record
Flow_up     Uplink traffic
Flow_down   Downlink traffic

Related Commands N/A

Platform Description N/A

show web-auth template

Use this command to display the portal server configuration.
show web-auth template

Parameter Description
Parameter   Description
N/A         N/A

Defaults N/A

Command Mode Privileged EXEC mode

Usage Guide Use this command to display the portal server configuration.

Configuration Examples The following example displays the portal server configuration.
Ruijie#show web-auth template
Webauth Template Settings:
------------------------------------------------------------
Name: eportalv1
Url: http://17.17.1.21:8080/eportal/index.jsp
Ip: 17.17.1.21
BindMode: ip-mac-mode
Type: v1

Field Description
Field       Description
Name        Template name.
Url         Server homepage address.
Ip          Server IP address.
BindMode    User binding mode (for example, ip-mac-mode).
Type        Server type: v1 (first-generation portal server), v2 (second-generation portal server) or intra (built-in portal server).
Port        Protocol packet communication port of the server; present only for the second-generation portal server.
Acctmlist   Accounting method list name; present only for the second-generation and built-in portal servers.
Authmlist   Authentication method list name; present only for the second-generation and built-in portal servers.

Related Commands N/A

Platform Description N/A

show web-auth user

Use this command to display the online information (IP address, interface, online duration and so on) of all users or of the specified users.
show web-auth user { all | ip ip-address | mac mac-address | name name-string | session-id num | escape }

Parameter Description
Parameter     Description
all           All users.
ip-address    IPv4 address of the user.
mac-address   MAC address of the user.
name-string   User name.
num           AAA session ID.
escape        Users admitted through the portal-escape function.

Defaults N/A

Command Mode Privileged EXEC mode

Usage Guide N/A

Configuration Examples The following example displays the online information of all users, then of the user with IP address 192.168.0.11.
Ruijie# show web-auth user all
Current user num : 4, online 2

Address         Online  Time Limit    Time Used      Status   Name
--------------- ------- ------------- -------------- -------- ---------
192.168.0.11    On      0d 01:00:00   0d 00:15:10    Active
192.168.0.13    On      0d 01:00:00   0d 00:00:59    Active   111
192.168.0.25    Off     0d 01:00:00   0d 00:00:59    Create
192.168.0.46    Off     0d 01:00:00   0d 01:00:00    Destroy  222

Ruijie# show web-auth user ip 192.168.0.11
Address : 192.168.0.11
Mac : 00d0.f800.2233
Port : Gi0/2
Online : On
Time Limit : 0d 01:00:00
Time Used : 0d 00:15:10
Time Start : 2009-02-22 20:05:10
Status : Active

Field Description
Field        Description
Address      IP address of the user
Mac          MAC address of the user
Port         Access device port connected to the user
Online       Whether the user is online
Time Limit   Available duration of the user. 0 means unlimited.
Time Used    Online duration of the user
Time Start   Time at which the user passed authentication and came online
Status       User status. Active means the user is normally online, Create means the user entry has been created but not yet configured, and Destroy means the user has been deleted but its settings have not yet been cleared.

Related Commands N/A

Platform Description N/A

time-interval

Use this command to set the interval for the popup advertisement.
Use the no form of this command to restore the default setting.
time-interval hour
no time-interval

Parameter Description
Parameter   Description
hour        Popup interval in hours, in the range from 0 to 24.

Defaults The default is 1 hour.

Command Mode Template configuration mode

Usage Guide If hour is 0, no popup interval is applied.

Configuration Examples The following example sets the interval for the popup advertisement to 2 hours.
Ruijie(config.tmplt.iportal)#time-interval 2

Platform Description N/A

url

Use this command to set the portal server URL.
Use the no form of this command to restore the default setting.
url url-string
no url

Parameter Description
Parameter    Description
url-string   Portal server URL, starting with http:// or https://. The maximum length is 255 bytes.

Defaults No portal server URL is set by default.

Command Mode Template configuration mode

Usage Guide This command replaces the http redirect homepage [ url-string ] command, which is now hidden and kept only for compatibility.
If no URL is specified, the default URL in the http://[ ip-address ] format is used, where ip-address is the IP address of the server.
Unauthenticated users are redirected to this URL and submit their credentials there, so prefer an https:// URL when the portal server supports it; with the http:// form the login exchange travels in clear text.

Configuration Examples The following example sets the eportalv1 template URL to http://www.web-auth.net/login.
Ruijie(config)# web-auth template eportalv1
Ruijie(config.tmplt.eportalv1)# url http://www.web-auth.net/login

Related Commands N/A

Platform Description N/A

web-auth account-share ip-limit

Use this command to set the account share limit, that is, the number of IP addresses that may share one account.
Use the no form of this command to remove the setting.
web-auth account-share ip-limit limit-num
no web-auth account-share

Parameter Description
Parameter   Description
limit-num   Account share limit

Defaults N/A

Command Mode Global configuration mode

Usage Guide N/A

Configuration Examples The following example sets the account share limit to 20.
Ruijie(config)# web-auth account-share ip-limit 20

Platform Description N/A
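
show web-auth user lists one line per user with the account in the Name column, and web-auth account-share ip-limit caps how many IP addresses one account may use. The following Python is an example added to this reference, not Ruijie code: it parses constructed sample output in the show web-auth user all format, lists accounts that are online from more IP addresses than a chosen limit, separates out stale Create and Destroy entries, and computes the remaining session time while honouring the rule that a Time Limit of 0 means unlimited. The reference does not say whether the device treats the configured limit as "more than" or "at least", so the example treats limit-num as the maximum permitted count; that reading is an assumption.

```python
"""Account-sharing and stale-entry checks over `show web-auth user all` output
(example added for this reference, not Ruijie code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample output in the format documented for `show web-auth user all`;
# account 111 is deliberately online from three addresses.
SAMPLE_USER_OUTPUT = """\
Current user num : 7, online 5

Address         Online  Time Limit    Time Used      Status   Name
--------------- ------- ------------- -------------- -------- ---------
192.168.0.11    On      0d 01:00:00   0d 00:15:10    Active
192.168.0.13    On      0d 01:00:00   0d 00:00:59    Active   111
192.168.0.25    Off     0d 01:00:00   0d 00:00:59    Create
192.168.0.46    Off     0d 01:00:00   0d 01:00:00    Destroy  222
192.168.0.77    On      0d 01:00:00   0d 00:03:00    Active   111
192.168.0.78    On      0d 01:00:00   0d 00:01:00    Active   111
192.168.0.90    On      0d 00:00:00   2d 03:00:00    Active   333
"""

# Durations contain a space ("0d 01:00:00"), so a plain split() would misalign
# the columns; a regex keyed on the documented column order is used instead.
ROW_RE = re.compile(
    r"^(?P<address>\d+\.\d+\.\d+\.\d+)\s+(?P<online>On|Off)\s+"
    r"(?P<limit>\d+d \d\d:\d\d:\d\d)\s+(?P<used>\d+d \d\d:\d\d:\d\d)\s+"
    r"(?P<status>\S+)(?:\s+(?P<name>\S+))?\s*$"
)


@dataclass
class WebAuthUser:
    address: str
    online: bool
    limit_s: int      # 0 means unlimited, per the Time Limit field description
    used_s: int
    status: str       # Active / Create / Destroy
    name: str         # empty when the Name column is blank


def parse_duration(text: str) -> int:
    """'1d 02:03:04' -> seconds."""
    days, clock = text.split("d ")
    h, m, s = (int(x) for x in clock.split(":"))
    return int(days) * 86400 + h * 3600 + m * 60 + s


def parse_user_table(text: str) -> List[WebAuthUser]:
    users = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # banner, header and rule lines
        users.append(WebAuthUser(m["address"], m["online"] == "On",
                                 parse_duration(m["limit"]), parse_duration(m["used"]),
                                 m["status"], m["name"] or ""))
    return users


def remaining_seconds(u: WebAuthUser) -> Optional[int]:
    """Seconds left before the time limit expires; None when unlimited."""
    if u.limit_s == 0:
        return None
    return max(u.limit_s - u.used_s, 0)


def shared_accounts(users: List[WebAuthUser], ip_limit: int) -> Dict[str, List[str]]:
    """Accounts that are Active online from more than ip_limit addresses.

    Assumption (not stated in the reference): ip_limit is the maximum
    permitted number of addresses per account.
    """
    by_name: Dict[str, List[str]] = {}
    for u in users:
        if u.online and u.status == "Active" and u.name:
            by_name.setdefault(u.name, []).append(u.address)
    return {name: ips for name, ips in by_name.items() if len(ips) > ip_limit}


def stale_entries(users: List[WebAuthUser]) -> List[WebAuthUser]:
    """Entries in the transitional Create/Destroy states described for Status."""
    return [u for u in users if u.status in ("Create", "Destroy")]


if __name__ == "__main__":
    users = parse_user_table(SAMPLE_USER_OUTPUT)
    for name, ips in shared_accounts(users, ip_limit=2).items():
        print(f"account {name} shared by {len(ips)} addresses: {', '.join(ips)}")
    for u in stale_entries(users):
        print(f"stale entry {u.address} in state {u.status}")
```

A blank Name column (the first row in the sample) is kept as an empty string and excluded from the sharing check, since an anonymous entry cannot be attributed to an account.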

web-auth acl

Use this command to configure a blacklist or whitelist entry.
Use the no form of this command to restore the default setting.
web-auth acl { black-ip ip | black-port port | black-url name | white-url name }
no web-auth acl { black-ip ip | black-port port | black-url name | white-url name }

Parameter Description
Parameter         Description
black-ip ip       Blacklisted IP address
black-port port   Blacklisted port number, in the range from 1 to 65535
black-url name    Blacklisted URL
white-url name    Whitelisted URL
white-port port   Whitelisted port number

Defaults N/A

Command Mode Global configuration mode / WLAN security configuration mode

Usage Guide The whitelist allows listed users to access specific network resources before authentication.
The blacklist prohibits listed users from accessing specific network resources after authentication.

Configuration Examples The following example configures a blacklist entry and a whitelist entry.
Ruijie(config)# web-auth acl black-ip 192.168.1.2
Ruijie(config)# web-auth acl white-url www.ruijie.com.cn

Platform Description N/A

web-auth customized-logo enable

Use this command to enable the custom logo on the authentication page.
Use the no form of this command to remove the customized logo.
web-auth customized-logo enable
no web-auth customized-logo

Parameter Description
Parameter   Description
N/A         N/A

Defaults N/A

Command Mode Global configuration mode

Usage Guide N/A

Configuration Examples The following example enables the custom logo on the authentication page.
Ruijie(config)# web-auth customized-logo enable

Platform Description N/A

web-auth direct-host

Use this command to set the authentication-exempted IP/MAC address range.
Use the no form of this command to restore the default setting.
web-auth direct-host { ipv4-address [ ip-mask ] [ arp ] | mac-address | range startip-address endip-address } [ port interface-name ] [ description description-str ] [ group group-name ]
no web-auth direct-host { ipv4-address [ ip-mask ] | mac-address | range startip-address endip-address }

Parameter Description
Parameter             Description
ipv4-address          IPv4 address of the authentication-exempted user.
ip-mask               Mask of the IPv4 address (optional).
arp                   If ARP check is enabled on the access device, the arp keyword is needed to bind the exempted IP address through ARP (optional). Applies to IPv4 addresses only.
mac-address           MAC address of the authentication-exempted user.
startip-address       Start IP address of a continuous range of authentication-exempted users.
endip-address         End IP address of the range.
port interface-name   Binds the user's IP address to a port of the access device (optional).
description-str       Description of the entry.
group-name            Group to which the entry belongs.

Defaults No user is exempted from authentication. All users must pass Web authentication to access the restricted network resources.

Command Mode Global configuration mode

Usage Guide A user exempted from authentication can access all reachable network resources without Web authentication.
Up to 50 users can be exempted from authentication.
An exemption by IP address alone trusts whichever host presents that address. Bind the entry to a port and, where ARP check is enabled, add the arp keyword, to narrow which host can use the exemption.

Configuration Examples The following example exempts the user with the IP address 172.16.0.1 from authentication.
Ruijie(config)# web-auth direct-host 172.16.0.1
The following example exempts the user with the MAC address 0000:5e00:0101 from authentication.
Ruijie(config)# web-auth direct-host 0000:5e00:0101

Related Commands
Command                     Description
show web-auth direct-host   Displays the users exempted from Web authentication.

Platform Description N/A

web-auth enable

Use this command to enable the Web authentication function.
Use the no form of this command to restore the default setting.
web-auth enable
no web-auth enable

Parameter Description
Parameter   Description
N/A         N/A

Defaults The Web authentication function is disabled by default. The default template is eportalv1.

Command Mode Global configuration mode

Usage Guide Web authentication only works once the authentication page URL has been configured.

Configuration Examples The following example enables the Web authentication function.
Ruijie(config)# web-auth enable

Related Commands N/A

Platform Description N/A

web-auth group

Use this command to configure a group.
Use the no form of this command to remove the configuration.
web-auth group group-name [ description description-str ]
no web-auth group group-name

Parameter Description
Parameter         Description
group-name        Group name
description-str   Description of the group

Defaults No group is configured by default.

Command Mode Global configuration mode

Usage Guide N/A

Configuration Examples The following example configures a group named group-1.
Ruijie(config)# web-auth group group-1

Related Commands N/A

Platform Description N/A

web-auth logging enable

Use this command to enable the Web authentication syslog function.
Use the no form of this command to restore the default setting.
web-auth logging enable num
no web-auth logging enable

Parameter Description
Parameter   Description
num         Syslog printing rate, that is, how many syslog entries may be printed per second. The value is in the range from 0 to 65535; 0 means no limit.

Defaults This function is disabled by default.

Command Mode Global configuration mode

Usage Guide The rate limit applies only to the syslog output of the Web authentication module.

Configuration Examples The following example enables syslog printing with no rate limit.
Ruijie(config)# web-auth logging enable 0

Related Commands N/A

Platform Description N/A

web-auth portal

Use this command to map users in different subnets to different portal servers.
Use the no form of this command to restore the default setting.
web-auth portal { eportalv1 | eportalv2 | iportal | name } [ ip-mapping ipv4 mask ]
no web-auth portal { eportalv1 | eportalv2 | iportal | name } [ ip-mapping ipv4 mask ]

Parameter Description
Parameter   Description
eportalv1   First-generation portal server template
eportalv2   Second-generation portal server template
iportal     Built-in portal server template
name        Name of a customized portal server template
ipv4        User IPv4 address
mask        User IPv4 mask

Defaults This function is disabled by default.

Command Mode Global configuration mode

Usage Guide N/A

Configuration Examples The following example maps a network segment to the eportalv1 portal server.
Ruijie(config)# web-auth portal eportalv1 ip-mapping 192.168.2.0 255.255.255.0

Verification Run the show running-config or show web-auth ip-mapping command to display the configuration.

Platform Description N/A

web-auth portal key

Use this command to set the communication key between the access device and the authentication server.
Use the no form of this command to clear the key.
web-auth portal key key-string
no web-auth portal key

Parameter Description
Parameter    Description
key-string   Communication key between the access device and the authentication server. The maximum length of the key is 255 bytes.

Defaults No key is set by default.

Command Mode Global configuration mode

Usage Guide To use the Web authentication function, the communication key between the access device and the authentication server must be set. The key is stored in the configuration and displayed in clear text by show web-auth info, so choose a long, random value and protect access to the device configuration.

Configuration Examples The following example sets the communication key between the access device and the authentication server to web-auth.
Ruijie(config)# web-auth portal key web-auth

Related Commands
Command                  Description
http redirect            Sets the IP address of the authentication server.
http redirect homepage   Sets the address of the authentication homepage.
web-auth port-control    Enables Web authentication on the port.

Platform Description N/A

web-auth portal-escape

Use this command to enable the portal-escape function.
Use the no form of this command to restore the default setting.
web-auth portal-escape
no web-auth portal-escape

Parameter Description
Parameter   Description
N/A         N/A

Defaults This function is disabled by default.

Command Mode Global configuration mode

Usage Guide Configure portal escape if critical services on the network must keep running when the portal server is faulty. Portal detection (web-auth portal-check) must be configured when this function is used. Users admitted while escape is active have not passed authentication; review them with show web-auth user escape after a portal outage.

Configuration Examples The following example enables the portal-escape function.
Ruijie(config)# web-auth portal-escape

Verification Run the show running-config command to display the configuration.

Platform Description N/A

web-auth portal-check

Use this command to enable portal server check.
Use the no form of this command to restore the default setting.
web-auth portal-check [ interval intsec ] [ timeout tosec ] [ retransmit retries ]
no web-auth portal-check

Parameter Description
Parameter   Description
intsec      Check interval in seconds, in the range from 1 to 1,000. The default is 10 seconds.
tosec       Timeout interval in seconds, in the range from 1 to 1,000. The default is 5 seconds.
retries     Retry count, in the range from 1 to 100. The default is 3.

Defaults Portal server check is disabled by default.

Command Mode Global configuration mode

Usage Guide It is recommended to use this command when there are multiple portal servers. Portal server check is also a prerequisite for web-auth portal-escape.

Configuration Examples The following example enables portal server check with a 20-second interval, a 2-second timeout and 2 retransmissions.
Ruijie(config)# web-auth portal-check interval 20 timeout 2 retransmit 2

Related Commands
Command                      Description
show web-auth portal-check   Displays the portal-check configuration.
web-auth portal-escape       Enables the portal-escape function.

Platform Description N/A

web-auth template

Use this command to create the first-generation authentication template and enter its configuration mode.
web-auth template eportalv1

Use this command to create a customized first-generation authentication template and enter its configuration mode.
web-auth template template-name v1

Use this command to create the second-generation authentication template and enter its configuration mode.
web-auth template eportalv2

Use this command to create a customized second-generation authentication template and enter its configuration mode.
web-auth template template-name v2

Use this command to create the built-in authentication template and enter its configuration mode.
web-auth template iportal

Use this command to remove a template.
no web-auth template template-name

Parameter Description
Parameter       Description
eportalv1       Applies the first-generation authentication template.
eportalv2       Applies the second-generation authentication template.
iportal         Applies the built-in authentication template.
template-name   Name of the customized authentication template.

Defaults No template is configured by default.

Command Mode Global configuration mode

Usage Guide Enter the eportalv1 template mode to configure the IP address and URL instead of running the http redirect and http redirect homepage commands. Those two commands, and the original portal-server command, are kept on the device for compatibility and are converted to this command.
For Web authentication to work, configure and apply a functional portal server. The eportalv1 template is applied by default; its IP address, URL and communication key must be configured. If no URL format is specified, the default http://[ ip-address ] format is used. The IP address of the portal server is a network resource exempted from authentication, so unauthenticated users can reach it. The device rate-limits uplink traffic to that address to mitigate attacks; the upper limit is proportional to the number of physical ports.

Configuration Examples The following example configures the eportalv1 template.
Ruijie(config)# web-auth template eportalv1
Ruijie(config.tmplt.eportalv1)#

Related Commands N/A

Platform Description N/A

web-auth update-interval

Use this command to set the interval at which the online user information is updated.
Use the no form of this command to restore the default setting.
web-auth update-interval seconds
no web-auth update-interval

Parameter Description:
seconds: Update interval, in the range from 30 to 3,600 seconds.

Defaults: The default is 180 seconds.

Command Mode: Global configuration mode

Usage Guide: N/A

Configuration Examples: The following example sets the interval at which the online user information is updated to 60 seconds.
Ruijie(config)# web-auth update-interval 60

Related Commands: N/A

Platform Description: N/A


12 IPoE Commands

clear ipoe-auth user

Use this command to clear IPv4 IPoE authenticated clients by forcing them to go offline.
clear ipoe-auth user { all | ip ip-address | mac mac-address }

Parameter Description:
ip-address: Specifies the IP address.
mac-address: Specifies the source MAC address.

Defaults: IPv4 IPoE authenticated clients are not cleared by default.

Command Mode: Privileged EXEC mode

Usage Guide: Use this command to clear IPv4 IPoE authenticated clients by forcing them to go offline.

Configuration Example: # Clear all IPv4 IPoE authenticated clients.
Ruijie# clear ipoe-auth user all

Verification: Verify that no user entry is displayed after running the show ipoe-auth summary command.

ipoe-auth enable

Use this command to enable the IPv4 IPoE function.
ipoe-auth enable

Use the no form of this command to disable the IPv4 IPoE function.
no ipoe-auth enable

Parameter Description: N/A

Defaults: The IPv4 IPoE function is disabled by default.

Command Mode: Global configuration mode

Usage Guide: Other IPv4 IPoE-related configurations can take effect only after the IPv4 IPoE function is enabled.

Configuration Example: # Enable the IPv4 IPoE function.
Ruijie# configure
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# ipoe-auth enable

Verification: Run the show running-config command to display the configuration result.

ipoe-auth quiet-period

Use this command to configure the silent time for IPv4 IPoE authenticated clients.
ipoe-auth quiet-period time

Use the no form of this command to restore the default silent time.
no ipoe-auth quiet-period

Parameter Description:
time: Specifies the silent time. The value range is from 0 to 65,535 seconds. No input is equivalent to the value 10 by default.

Defaults: The silent time of IPv4 IPoE authenticated clients is 10 seconds by default.

Command Mode: Global configuration mode

Usage Guide: Use this command to set the silent time of a client after an authentication failure. During the silent time, the device directly discards packets from the client that failed authentication, so that the device does not keep sending authentication requests to the server and degrade its own performance. After the silent time elapses, the device authenticates the client again if it receives packets from the client.

Configuration Example: # Configure the silent time of IPv4 IPoE authenticated clients to 100 seconds in global configuration mode.
Ruijie# configure
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# ipoe-auth quiet-period 100

Verification: Run the show running-config command to display the configuration result.


ipoe-auth server-timeout

Use this command to configure the IPv4 IPoE authentication timeout period.
ipoe-auth server-timeout time

Use the no form of this command to restore the default authentication timeout period.
no ipoe-auth server-timeout

Parameter Description:
time: Specifies the authentication timeout period. The value range is from 1 to 65,535 seconds. No input is equivalent to the value 30 by default.

Defaults: The IPv4 IPoE authentication timeout period is 30 seconds by default.

Command Mode: Global configuration mode

Usage Guide: Use this command to ensure that the IPv4 IPoE timeout period is longer than the timeout period of the RADIUS server.

Configuration Example: # Configure the IPv4 IPoE authentication timeout period to 30 seconds in global configuration mode.
Ruijie# configure
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# ipoe-auth server-timeout 100

Verification: Run the show running-config command to display the configuration result.

ipoe-auth user-limit

Use this command to configure the maximum number of IPv4 IPoE authenticated clients allowed.
ipoe-auth user-limit number

Use the no form of this command to restore the default maximum number of IPv4 IPoE authenticated clients allowed.
no ipoe-auth user-limit

Parameter Description:
number: Specifies the maximum number of IPv4 IPoE authenticated clients. The value range is from 1 to 1,000,000. No input is equivalent to the value 0 by default, which indicates that the maximum number is not limited.

Defaults: The number of IPv4 IPoE authenticated clients is not limited by default.

Command Mode: Global configuration mode

Usage Guide: When the number of IPv4 IPoE authenticated clients reaches the maximum value, clients that go online afterwards cannot perform IPoE authentication.

Configuration Example: # Configure the maximum number of IPv4 IPoE authenticated clients allowed to 100.
Ruijie# configure
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# ipoe-auth user-limit 100

Verification: Run the show running-config command to display the configuration result.

show ipoe-auth summary

Use this command to display summary information about IPv4 IPoE authenticated clients.
show ipoe-auth summary

Parameter Description: N/A

Command Mode: Privileged EXEC mode, global configuration mode, and interface configuration mode

Usage Guide: Use this command to display the statistics of IPv4 IPoE authenticated clients.

Configuration Example: # Display the statistics of IPv4 IPoE authenticated clients in privileged EXEC mode.
Ruijie# show ipoe-auth summary
ID       User       MAC            Interface VLAN INNER-VLAN Auth-State   Backend-State Port-Status User-Type Time
-------- ---------- -------------- --------- ---- ---------- ------------ ------------- ----------- --------- ------------------

Field description:
ID: ID obtained from the AAA server by running the show aaa user all command
User: Username
MAC: MAC address of the authenticated client
Interface: Interface of the authenticated client
VLAN: ID of the VLAN where the authenticated client is located
INNER-VLAN: ID of the inner VLAN where the authenticated client is located. This field is supported only by devices that support two layers of tags for the authenticated client.
Auth-State: Front-end authentication status
Backend-State: Back-end authentication status
Port-Status: Authentication status of the port
User-Type: Authentication type
Time: Online duration

show ipoe-auth user

Use this command to display information about an IPv4 IPoE authenticated client.
show ipoe-auth user [ mac mac-address ] [ username name ]

Parameter Description:
mac-address: Source MAC address
name: Username

Command Mode: Privileged EXEC mode, global configuration mode, and interface configuration mode

Usage Guide: Use this command to display information about an IPv4 IPoE authenticated client.

Configuration Example: # Display information about an IPv4 IPoE authenticated client in privileged EXEC mode.
Ruijie# show ipoe-auth user mac 0000.0000.0001
User name: 000000000001
User id: 150994945
Type: static
Mac address is 0000.0000.0001
Vlan id is 10
Access from port Gi4/8
Time online: 0days 0h 0m20s
User ip address is 192.168.197.159
Max user number on this port is 10
Authorization session time is 20736000 seconds
Start accounting

Field description:
User name: Username
Type: User type
Mac address: MAC address of the user
Vlan id: VLAN ID of the user
Access from port: Port where the client is located
Time online: Online duration of the user
User ip address: IP address of the user
Max user number on this port: Maximum number of users on the port
Authorization session time: Authorization session time of the client


13 IP Group Commands

description

Configure an IP address group description.
description description-string

Delete the IP address group description.
no description

Parameter Description:
description-string: Descriptive string, which can consist of up to 32 characters (spaces are not allowed)

Defaults: By default, no descriptive string is configured.

Command Mode: IP address group configuration mode

Default Level: 14

Usage Guide: N/A

Configuration Example:
1. Configure an IP address group description.
Ruijie(config-ip-group)# description test
2. Delete the IP address group description.
Ruijie(config-ip-group)# no description

Verification: Run the show ip-group [ id ] command to display IP address group configurations.

ip-group

Configure an IP address group.
ip-group id

Delete an IP address group.
no ip-group id

Parameter Description:
id: IP address group index, which ranges from 1 to 1,000

Defaults: By default, no IP address group is configured.

Command Mode: Global configuration mode

Default Level: 14

Usage Guide: N/A

Configuration Example:
1. Configure an IP address group.
Ruijie(config)# ip-group 1
Ruijie(config-ip-group)#
2. Delete an IP address group.
Ruijie(config)# no ip-group 1

Verification: Run the show ip-group [ id ] command to display IP address group configurations.

ip-range

Configure an IP address range.
ip-range start [ end ]

Delete an IP address range.
no ip-range start [ end ]

Parameter Description:
start: Start address of the IP address range
end: End address of the IP address range (if end is not set, it takes the value of start by default)

Defaults: By default, no IP address range is configured.

Command Mode: IP address group configuration mode

Default Level: 14

Usage Guide: N/A

Configuration Example:
1. Configure the IP address range 1.1.1.1–1.1.1.10.
Ruijie(config-ip-group)# ip-range 1.1.1.2 1.1.1.10
2. Delete the IP address range 1.1.1.1–1.1.1.10.
Ruijie(config-ip-group)# no ip-range 1.1.1.2 1.1.1.10

Verification: Run the show ip-group [ id ] command to display IP address group configurations.

ip-subnet

Configure an IP network segment.
ip-subnet subnet { mask | mask_len }

Delete an IP network segment.
no ip-subnet subnet mask_len

Parameter Description:
subnet: Start address of the IP network segment
mask: Mask
mask_len: Mask length

Defaults: By default, no IP network segment is configured.

Command Mode: IP address group configuration mode

Default Level: 14

Usage Guide: N/A

Configuration Example:
1. Configure an IP network segment.
Ruijie(config-ip-group)# ip-subnet 10.10.10.0 24
2. Delete an IP network segment.
Ruijie(config-ip-group)# no ip-subnet 10.10.10.0 24

Verification: Run the show ip-group [ id ] command to display IP address group configurations.

route-db

Configure a routing address database.
route-db name

Delete a routing address database.
no route-db name

Parameter Description:
name: Name of the routing address database list.

Defaults: By default, no routing address database is configured.

Command Mode: IP address group configuration mode

Usage Guide: N/A

Configuration Example:
1. Configure an IP address segment.
Ruijie(config-ip-group)# route-db cmc
2. Delete an IP address segment.
Ruijie(config-ip-group)# no route-db cmc

Verification: Run the show ip-group [ id ] command to display the configuration information of an IP group.

show ip-group

Display IP address group configurations.
show ip-group [ id ]

Parameter Description:
id: ID of an IP address group

Command Mode: Privileged EXEC mode, global configuration mode, or interface configuration mode

Default Level: 14

Usage Guide: If the id parameter is set, the configuration of the corresponding IP address group is displayed. If the id parameter is not set, the configurations of all IP address groups are displayed.

Configuration Example:
1. Display the configuration of an IP address group.
Ruijie# show ip-group 1
ip-group 1
description test
ip-range 1.1.1.2 1.1.1.10
ip-subnet 10.10.10.0 24
ip-range 10.10.10.10 10.10.10.15
ip-subnet 10.10.11.0 30
ip-range 20.10.10.10 20.10.20.200
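As an added example that is not Ruijie code, the following Python parses the show ip-group output format above and checks whether an address falls inside the group, applying the ip-range and ip-subnet semantics described in this chapter (an ip-range with no end address covers only its start address; ip-subnet accepts either a dotted mask or a prefix length). The sample output is constructed from the example above.

```python
"""Membership check for an IP address group, reconstructed from the
`show ip-group` output format (ip-range and ip-subnet entries).
Added example; not part of the Ruijie command reference."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class IpGroup:
    group_id: int
    description: str = ""
    ranges: list = field(default_factory=list)   # (first_int, last_int)
    subnets: list = field(default_factory=list)  # ipaddress.IPv4Network


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def parse_ip_group(show_output: str) -> IpGroup:
    """Parse the text of `show ip-group <id>` into an IpGroup.

    `ip-range start [end]`: end defaults to start, as the command does.
    `ip-subnet subnet {mask | mask_len}`: dotted mask or prefix length.
    """
    group = None
    for raw in show_output.splitlines():
        parts = raw.split()
        if not parts:
            continue
        kw = parts[0]
        if kw == "ip-group":
            group = IpGroup(group_id=int(parts[1]))
        elif group is None:
            raise ValueError("entry before ip-group header: %r" % raw)
        elif kw == "description":
            group.description = " ".join(parts[1:])
        elif kw == "ip-range":
            start = _to_int(parts[1])
            end = _to_int(parts[2]) if len(parts) > 2 else start
            if end < start:
                raise ValueError("ip-range end precedes start: %r" % raw)
            group.ranges.append((start, end))
        elif kw == "ip-subnet":
            # ipaddress accepts both "a.b.c.d/24" and "a.b.c.d/255.255.255.0"
            net = ipaddress.IPv4Network("%s/%s" % (parts[1], parts[2]),
                                        strict=False)
            group.subnets.append(net)
        else:
            raise ValueError("unknown ip-group entry: %r" % raw)
    if group is None:
        raise ValueError("no ip-group header found")
    return group


def ip_group_contains(group: IpGroup, addr: str) -> bool:
    """True if addr lies in any ip-range or ip-subnet of the group."""
    ip = ipaddress.IPv4Address(addr)
    n = int(ip)
    if any(lo <= n <= hi for lo, hi in group.ranges):
        return True
    return any(ip in net for net in group.subnets)


# Constructed sample, modelled on the `show ip-group 1` output above.
SAMPLE_SHOW_IP_GROUP = """\
ip-group 1
description test
ip-range 1.1.1.2 1.1.1.10
ip-subnet 10.10.10.0 24
ip-range 10.10.10.10 10.10.10.15
ip-subnet 10.10.11.0 30
ip-range 20.10.10.10 20.10.20.200
"""

GROUP_1 = parse_ip_group(SAMPLE_SHOW_IP_GROUP)

if __name__ == "__main__":
    for a in ("1.1.1.1", "1.1.1.7", "10.10.10.200", "10.10.11.5", "20.10.15.1"):
        print(a, ip_group_contains(GROUP_1, a))
```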

show ip-group statistics

Display IP address group statistics.
show ip-group statistics

Parameter Description: N/A

Command Mode: Privileged EXEC mode, global configuration mode, or interface configuration mode

Default Level: 14

Usage Guide: If the id parameter is set, the routing information of the corresponding IP address group is displayed. If the id parameter is not set, the routing information of all IP address groups is displayed.

Configuration Example: Display IP address group statistics.
Ruijie# show ip-group statistics
ip-group server: 1.1.1.1
ip-group state: down
ip-group cnt: 0.
ip-group add event: 0.
ip-group del event: 0.
ip-group syn event: 0.
ip-group error event: 0.
ip-group enq err event: 0.
ip-group add table failed: 0
ip-group del table failed: 0
ip-group add entry failed: 0
ip-group del entry failed: 0
ip-group db-acct cnt: 0

Field description:
ip-group server: IP address of the server to which the database is connected
ip-group state: Database connection status
ip-group add event: Statistics on added IP addresses
ip-group del event: Statistics on deleted IP addresses
ip-group syn event: Statistics on synchronized IP addresses
ip-group error event: Statistics on incorrect IP addresses received
ip-group enq err event: Statistics on IP address enqueue errors
ip-group add table failed: Number of failures in adding routing tables
ip-group del table failed: Number of failures in deleting routing tables
ip-group add entry failed: Number of failures in adding entries
ip-group del entry failed: Number of failures in deleting entries
ip-group db-acct cnt: Acct table synchronization times


14 ANTI-PAP Commands

anti-pap avoid-block

Use this command to add the blocking-free server resources. Use the no or default form of this command to restore the default settings.
anti-pap avoid-block ip-group id
no anti-pap avoid-block ip-group id
default anti-pap avoid-block

Parameter Description:
id: Indicates the ID of the IP object group.

Defaults: No blocking-free server is configured by default.

Command Mode: Global configuration mode

Usage Guide: Run this command so that internal clients are not blocked when they access the authentication server and other special resources through the device.

Configuration Examples: The following example adds the blocking-free server.
Ruijie(config)# anti-pap avoid-block ip-group 1

Related Commands:
show anti-pap config: Displays the configuration.

Platform Description: N/A

anti-pap control

Use this command to block the user for the specified period.
anti-pap control addr [ time ] { block | limit down rate1 up rate2 } base { user | ip }

Parameter Description:
addr: IP address of the user
time: Block time, in the range from 1 to 1440 minutes. The default time is 10 minutes.
user: Indicates blocking by username.
ip: Indicates blocking by IP address.

Defaults: N/A

Command Mode: Privileged EXEC mode

Usage Guide: N/A

Configuration Examples: The following example blocks the user for 20 minutes based on the username.
Ruijie# anti-pap control 192.168.1.2 20 block base user

Related Commands: N/A

Platform Description: N/A

anti-pap monitor

Use this command to detect the user, specify or update the expected device type, and decide whether to block. Use the no or default form of this command to restore the default settings.
anti-pap monitor { subscriber { subs-name1 | any } | auth-subscriber { subs-name2 | any } } [ expected-terminal pc ] [ { block [ time ] | limit [ time ] down rate1 up rate2 } base { user | ip } ]
no anti-pap monitor [ subscriber { subs-name1 | any } | auth-subscriber { subs-name2 | any } ]
default anti-pap monitor

Parameter Description:
subscriber subs-name1: Specifies the local username to be detected.
subscriber any: Specifies that all local users will be detected.
auth-subscriber subs-name2: Specifies the authenticated username to be detected.
auth-subscriber any: Specifies that all authenticated users will be detected.
expected-terminal pc: Specifies the expected client type. The default type is any type.
block: Specifies whether blocking is enabled. Blocking is disabled by default.
time: Indicates the blocking period in minutes. The value range is from 1 to 1440 minutes. The default value is 10 minutes.
limit: Indicates the user bandwidth limit. The rate is not limited by default.
rate1: Indicates the downlink bandwidth, in the range from 1 to 1000 Kbps.
rate2: Indicates the uplink bandwidth, in the range from 1 to 1000 Kbps.
user: Indicates blocking by username.
ip: Indicates blocking by IP address.

Defaults: No user is detected.

Command Mode: Global configuration mode

Usage Guide: The username is commonly the user group name. Rules for authenticated users have higher priority than those for local users, and rules for lower-level users have higher priority than those for upper-level users.

Configuration Examples: The following example detects all authenticated users whose expected client type is PC. If any AP is detected, the user will be blocked.
Ruijie(config)# anti-pap monitor auth-subscriber any expected-terminal pc block

Related Commands:
show anti-pap config: Displays the configuration.

Platform Description: N/A

clear anti-pap control

Use this command to remove the user blocking.
clear anti-pap control addr

Parameter Description:
addr: Indicates the IP address of the user.

Defaults: N/A

Command Mode: Privileged EXEC mode

Usage Guide: N/A

Configuration Examples: The following example removes the user blocking.
Ruijie# clear anti-pap control 192.168.1.4

Related Commands: N/A

Platform Description: N/A

show anti-pap config

Use this command to display the blocking-free server and the user configuration.
show anti-pap config

Parameter Description: N/A

Defaults: N/A

Command Mode: Privileged EXEC mode or global configuration mode

Default Level: 14

Configuration Example: The following example displays the configuration information.
Ruijie# show anti-pap config
{
    "code": 0,
    "msg": "",
    "data": {
        "avoid-block": [
        ],
        "monitor": [
            {
                "User": "any",
                "Auth": "no",
                "Invalid": false,
                "Exp-Term": "any",
                "Ctrl": "block",
                "Time": 10,
                "ByUser": false
            }
        ]
    }
}

Field description:
avoid-block: Blocking-free server resources
User: Username
Auth: Authenticated user or not
Invalid: Valid or invalid
Exp-Term: Expected device type: any - all device types; PC - PC
Ctrl: Punishment type: blank - no punishment; block - blocking; limit - limit the speed
Time: Period
ByUser: Block by username. False indicates blocking by IP address.

show anti-pap log

Use this command to display the log.
show anti-pap log detail from y1 m1 d1 [ H1:M1:S1 ] to y2 m2 d2 [ H2:M2:S2 ] [ subscriber subs-name1 | auth-subscriber subs-name2 ] [ ip addr ] order-by { time | subscriber | auth-subscriber | ip } { asc | desc } [ start-item num1 end-item num2 ]

Use this command to display the log quantity.
show anti-pap log stat from y1 m1 d1 [ H1:M1:S1 ] to y2 m2 d2 [ H2:M2:S2 ] [ subscriber subs-name1 | auth-subscriber subs-name2 ] [ ip addr ]

Parameter Description:
y1 m1 d1: Start date
H1:M1:S1: Start time, default: 00:00:00
y2 m2 d2: End date
H2:M2:S2: End time, default: 23:59:59
subscriber subs-name1 | auth-subscriber subs-name2: Local or authenticated username. No username is configured by default.
ip addr: IP address. Separate multiple IP addresses by commas. No IP address is configured by default.
time: Sort the search result by time
subscriber: Sort the search result by local username
auth-subscriber: Sort the search result by authenticated username
ip: Sort the search result by IP address
asc: Sort the search result in ascending order
desc: Sort the search result in descending order
start-item num1 end-item num2: Start and end position of the search. All records are searched by default.

Command Mode: Global configuration mode or privileged EXEC mode

Usage Guide: N/A

Configuration Examples: The following example displays the log.
Ruijie# show anti-pap log from 2016-10-11 0:0:0 to 2016-10-11 23:59:59 order-by time desc start-item 1 end-item 20
{
    "code": 0,
    "msg": "",
    "data": [
        {
            "IP": "192.168.203.8",
            "User": "pc4",
            "Auth": false,
            "Manual": false,
            "Time": "2017-02-16 11:38:39",
            "Reason": [
                "PC",
                "Mobile"
            ],
            "Ctrl": "block"
        }
    ]
}

Field description:
IP: IP address of the user
User: Username
Auth: Authenticated user or not
Manual: Manual punishment or not
Time: Log generation time, that is, punishment time
Ctrl: Punishment type: blank - no punishment; block - blocking; limit - limit the speed
Reason: Punishment reason and device information: PC - one PC is detected; PC* - multiple PCs are detected; Mobile - one mobile client is detected; Mobile* - multiple mobile clients are detected; VID - logged virtual accounts exceed the limit

Related Commands: N/A

Platform Description: N/A

show anti-pap user

Use this command to display the user detection information.
show anti-pap user [ normal | controlled | subscriber subs-name1 | auth-subscriber subs-name2 | ip addr ]

Parameter Description:
normal: Searches for normal users.
controlled: Searches for illegal (controlled) users.
subscriber subs-name1 | auth-subscriber subs-name2: Searches by local or authenticated username.
ip addr: Searches by the IP address of the user.

Defaults: None

Command Mode: Global configuration mode or privileged EXEC mode

Usage Guide: N/A

Configuration Examples: The following example displays the detection information of users.
Ruijie# show anti-pap user
{
    "code": 0,
    "msg": "",
    "data": [
        {
            "IP": "192.168.203.6",
            "User": "pc4",
            "Auth": false,
            "Controlled": false,
            "Ctrl": "block"
        },
        {
            "IP": "192.168.203.5",
            "User": "pc4",
            "Auth": false,
            "Controlled": true,
            "Manual": false,
            "Time": "2017-02-16 11:36:33",
            "Reason": [
                "PC",
                "Mobile"
            ],
            "Ctrl": ""
        }
    ]
}

Field description:
IP: IP address of the user
User: Username
Auth: Authenticated user or not
Controlled: Punished or not
Manual: Manual punishment or not
Ctrl: Punishment type: blank - no punishment; block - blocking; limit - limit the speed
Time: Update time of the Reason field
Reason: Punishment reason and device information: PC - one PC is detected; PC* - multiple PCs are detected; Mobile - one mobile client is detected; Mobile* - multiple mobile clients are detected; VID - logged virtual accounts exceed the limit

Related Commands: N/A

Platform Description: N/A
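As an added example that is not part of the command reference, the following Python decodes the JSON reply of show anti-pap user into a report of the users the device is currently controlling, using the Reason and Ctrl codes from the field descriptions above, and groups the addresses seen per username. The sample reply is constructed from the example output.

```python
"""Decode the JSON reply of `show anti-pap user` into a report of controlled
users. Added example, not Ruijie code; the reason and control codes follow
the Reason and Ctrl field descriptions, and the sample reply is constructed."""
import json
from collections import defaultdict

# Reason codes as listed in the Reason field description.
REASON_TEXT = {
    "PC": "one PC detected",
    "PC*": "multiple PCs detected",
    "Mobile": "one mobile client detected",
    "Mobile*": "multiple mobile clients detected",
    "VID": "logged virtual accounts exceed the limit",
}

# Ctrl values as listed in the Ctrl field description (blank = none).
CTRL_TEXT = {"": "no punishment", "block": "blocking", "limit": "rate limit"}


def parse_anti_pap_user(json_text):
    """Return the `data` list of the reply; raise if the device reports
    a non-zero code."""
    reply = json.loads(json_text)
    if reply.get("code") != 0:
        raise RuntimeError("show anti-pap user failed: code=%r msg=%r"
                           % (reply.get("code"), reply.get("msg")))
    return reply.get("data") or []


def describe_reasons(entry):
    """Map each Reason code to its text; unknown codes stay visible."""
    return [REASON_TEXT.get(c, "unknown reason code %r" % c)
            for c in entry.get("Reason", [])]


def controlled_users(entries):
    """Summaries of entries the device currently punishes (Controlled true).
    Manual, Time and Reason appear only on controlled entries in the sample
    output, so they are read with defaults."""
    out = []
    for e in entries:
        if not e.get("Controlled", False):
            continue
        ctrl = e.get("Ctrl", "")
        out.append({
            "ip": e["IP"],
            "user": e["User"],
            "authenticated": bool(e.get("Auth", False)),
            "manual": bool(e.get("Manual", False)),
            "since": e.get("Time", ""),
            "reasons": describe_reasons(e),
            "action": CTRL_TEXT.get(ctrl, "unknown control %r" % ctrl),
        })
    return out


def ips_by_user(entries):
    """Sorted IP addresses seen per username; one username on several
    addresses is what the anti-pap monitor rules act on."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["User"]].add(e["IP"])
    return {u: sorted(ips) for u, ips in seen.items()}


def format_report(entries):
    """One text line per controlled user."""
    lines = []
    for c in controlled_users(entries):
        lines.append("%s user=%s auth=%s manual=%s since=%s action=%s reasons=%s" % (
            c["ip"], c["user"], c["authenticated"], c["manual"], c["since"],
            c["action"], "; ".join(c["reasons"]) or "-"))
    return "\n".join(lines)


# Constructed sample, modelled on the `show anti-pap user` output above.
SAMPLE_SHOW_ANTI_PAP_USER = """{
  "code": 0,
  "msg": "",
  "data": [
    {"IP": "192.168.203.6", "User": "pc4", "Auth": false,
     "Controlled": false, "Ctrl": "block"},
    {"IP": "192.168.203.5", "User": "pc4", "Auth": false,
     "Controlled": true, "Manual": false, "Time": "2017-02-16 11:36:33",
     "Reason": ["PC", "Mobile"], "Ctrl": ""}
  ]
}"""

if __name__ == "__main__":
    data = parse_anti_pap_user(SAMPLE_SHOW_ANTI_PAP_USER)
    print(format_report(data))
    print(ips_by_user(data))
```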


15 WEB-ADVERT Commands

advertising enable

Use this command to enable the advertisement function in global configuration mode.
advertising enable

Use the no form of this command to disable the advertisement function.
no advertising enable

Parameter Description: N/A

Defaults: The advertisement function is disabled by default.

Command Mode: Global configuration mode

Default Level: 14

Usage Guide: You must configure the network segment range for advertisement push and the URL of the advertisement pop-up box for the advertisement function to take effect.

Configuration Example: # Enable the advertisement function.
Ruijie(config)# advertising enable

Verification: Run the show advertising command to display the configuration.

advertising free-user

Use this command to configure a network segment range for advertisement push.
advertising free-user ip < ip-address > mask < ip-mask >

Use the no form of this command to delete a network segment range.
no advertising free-user ip < ip-address > mask < ip-mask >

Parameter Description:
ip-address: Indicates the IP address, in dotted decimal notation.
ip-mask: Indicates the subnet mask, in dotted decimal notation.

Defaults: No network segment range for advertisement push is configured by default.

Command Mode: Global configuration mode

Default Level: 14

Usage Guide: Up to 50 network segments can be configured.

Configuration Example:
1. Configure a network segment for advertisement push.
Ruijie(config)# advertising free-user ip 192.168.198.1 mask 255.255.255.0
2. Configure the full network segment for advertisement push. This command is compatible with the advertising all-user without-webauth command.
Ruijie(config)# advertising free-user ip 0.0.0.0 mask 255.255.255.255

Notification: An error prompt is displayed when the 51st segment for advertisement push is configured.
%Error: Has reached the 50 rules limit.

advertising min-interval

Use this command to configure the periodical interception interval.
advertising min-interval interval-value

Use the no form of this command to delete the periodical interception interval.
no advertising min-interval

Parameter Description:
interval-value: Indicates the interval in minutes. The value range is from 30 to 1440. The default value is 30.

Defaults: The default periodical interception interval is 30 minutes.

Command Mode: Global configuration mode

Default Level: 14

Usage Guide:
1. When periodical interception is disabled, the default value is 0.
2. After periodical interception is enabled, the default value is 30.
3. After periodical interception is enabled, an error occurs if the configured interval is deleted.

Configuration Example: # Configure the periodical interception interval.
Ruijie(config)# advertising min-interval 30

Verification: Run the show advertising command to display the configuration.

Notification: After periodical interception is enabled, an error occurs if the configured interval is deleted.
%Warning: Should set min-interval to default value: 30mins, due to advertising suppress.

advertising popup-page

Use this command to enable the function of preventing advertisement pop-up boxes from being intercepted by the browser.
advertising popup-page

Use the no form of this command to disable the function of preventing advertisement pop-up boxes from being intercepted by the browser.
no advertising popup-page

Parameter Description: N/A

Defaults: The function is not configured by default.

Command Mode: Global configuration mode

Default Level: 14

Usage Guide: This command is hidden. Therefore, it does not support the abbreviated form.

Configuration Example: # Enable the function of preventing advertisement pop-up boxes from being intercepted by the browser.
Ruijie(config)# advertising popup-page

Verification: Run the show advertising command to display the configuration.

advertising suppress

Use this command to enable periodical interception.
advertising suppress

Use the no form of this command to disable periodical interception.
no advertising suppress

Parameter Description: N/A

Defaults: Periodical interception is disabled by default.

Command Mode: Global configuration mode

Default Level: 14

Usage Guide: The default periodical interception interval is 30 minutes after periodical interception is enabled.

Configuration Example: # Enable periodical interception.
Ruijie(config)# advertising suppress

Verification: Run the show advertising command to display the configuration.

advertising url

Use this command to configure the URL of the advertisement pop-up box.
advertising url url-string

Use the no form of this command to delete the URL of the advertisement pop-up box.
no advertising url

Parameter Description:
url-string: Indicates a URL. It must begin with "http://" or "https://"; otherwise, a configuration failure prompt is displayed. The value contains a maximum of 255 characters.

Defaults: No URL is configured by default.

Command Mode: Global configuration mode

Default Level: 14

Usage Guide: N/A

Configuration Example: # Configure the URL of the advertisement pop-up box.
Ruijie(config)# advertising url http://www.baidu.com/

Verification: Run the show advertising command to display the configuration.

show advertising

Use this command to display basic configurations of the advertisement function.
show advertising

Parameter Description: N/A

Command Mode: Privileged EXEC mode

Default Level: 14

Usage Guide: This command displays the basic parameter settings of the advertisement function.

Configuration Example: # Display the basic configurations of the advertisement function.
Ruijie# show advertising
advertising enable: On
advertising url: http://www.baidu.com/
advertising suppress: On
advertising popup-page: On
advertising min-interval: 30
advertising free-user:
192.168.198.0 255.255.255.0
1.1.1.1 255.255.0.0

Field description:
advertising enable: Whether the advertisement function is enabled
advertising url: URL of the advertisement pop-up box
advertising suppress: Whether periodical interception is enabled
advertising popup-page: Displayed only after the advertisement function is enabled.
advertising free-user: Displayed only after a network segment range for advertisement push is configured.


show advertising free-user

Use this command to display the network segment range for advertisement push.
show advertising free-user

Parameter Description
N/A N/A

Command Mode Privileged EXEC mode

Default Level 14

Usage Guide This command displays the network segment range for advertisement push.

Configuration Example #Display the network segment range for advertisement push.
Ruijie#show advertising free-user
free-user configuration:
Address Mask
--------------- ---------------
192.168.198.0 255.255.255.0
1.1.1.1 255.255.0.0
2.2.2.2 255.0.0.0
Field description:

Field Description

Address Indicates an IP address.

Mask Indicates the subnet mask of the IP address.
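A small parser and matcher for the display above, added here as an illustration and not part of the command reference or of the device software. It reads the Address/Mask rows of show advertising free-user and decides whether a client address falls inside one of the configured segments; the sample output is constructed after the display on this page, and the function names are my own:

```python
import ipaddress

# Constructed sample, modelled on the show advertising free-user display above (not captured from a device).
SAMPLE_OUTPUT = """free-user configuration:
Address         Mask
--------------- ---------------
192.168.198.0   255.255.255.0
1.1.1.1         255.255.0.0
2.2.2.2         255.0.0.0
"""


def parse_free_user(text):
    """Return [(address, mask), ...] as integers, skipping the title, header and separator lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            addr = int(ipaddress.IPv4Address(parts[0]))
            mask = int(ipaddress.IPv4Address(parts[1]))
        except ipaddress.AddressValueError:
            continue  # "Address Mask", the dashes, or the title line
        entries.append((addr, mask))
    return entries


def in_push_range(ip, entries):
    """True when ip falls in one of the configured address/mask segments.

    Both sides are masked, so an entry whose address carries host bits
    (1.1.1.1 with mask 255.255.0.0, as in the display) matches the whole 1.1.0.0/16.
    """
    ip_int = int(ipaddress.IPv4Address(ip))
    return any((ip_int & mask) == (addr & mask) for addr, mask in entries)


if __name__ == "__main__":
    table = parse_free_user(SAMPLE_OUTPUT)
    for client in ("192.168.198.34", "1.1.200.7", "10.0.0.1"):
        print(client, "in push range:", in_push_range(client, table))
```

Masking both the entry address and the client address is what makes an entry such as 1.1.1.1 255.255.0.0 behave as a segment rather than as a single host.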

show advertising user

Use this command to display users who access the network through advertisement push. This
command is compatible with the show advertising tmo command.
show advertising user

Parameter Description
N/A N/A


Command Mode Privileged EXEC mode

Default Level 14

Usage Guide This command displays users who access the network through advertisement push.

Configuration Example #Display users who access the network through advertisement push.
Ruijie(config)#show adv user
Current online advertising user num: 1
Address Online Time Limit Time used Name
--------------- ------- -------------- -------------- ---------
192.168.198.34 On 0d 00:30:00 0d 00:08:50 AD_USER

Field Description
Address Indicates an IP address.
Online Indicates whether a user is online.
Time Limit Indicates the advertisement push interval.
Time used Indicates the online duration.
Name Indicates a username. The default username is AD_USER.

Command Reference Local-Account Commands

16 Local-Account Commands

debug local-account

Use this command to enable the debugging function. Use the no form of this command to disable the
debugging function.

debug local-account { client num | http_proxy | server }


no debug local-account { client num | http_proxy | server }

Parameter Description
client Enables the debugging function on the client.
num Indicates the client number.
http_proxy Enables the debugging function on the HTTP proxy.
server Enables the debugging function on the server.

Command Mode Privileged EXEC mode

Default Level 14

Usage Guide This command is used to display debugging information about this module.

Configuration The following example enables the debugging function on the server.
Examples Ruijie# debug local-account server

Prompt Message The debugging function is enabled.
Ruijie#show debug
debug:
local account debug debugging is on

Ruijie#

description

Use this command to configure a description for a user.


description string

Parameter Description
description string Indicates the description of a user.


Defaults No description is configured for a user by default.

Command Mode local-account-user mode

Default Level 14

Usage Guide N/A

Configuration Examples The following example configures a description for a user.
Ruijie# configure terminal
Ruijie(config)# local-account user test
Ruijie(local-account-user)# description test
Ruijie(local-account-user)# exit
Ruijie(config)# end

Verification Run the show local-account users command to display the user description.
Ruijie#show local-account users

(O) Online (S) State: 0=Invalid 1=Normal 3=Overdue

---------------------------------------------------------------------------------------------
Name O S Policy Ip addr Mac addr Note
---------------------------------------------------------------------------------------------
test 0 3 2018/01/21 192.168.1.2 11:11:22:22:33:33 test

total:1 upper limit:150

Ruijie

ip

Use this command to bind the user IP address.


ip a.b.c.d

Parameter Description
ip a.b.c.d Indicates the IP address to be bound for a user.

Defaults No IP address is bound for a user by default.

Command Mode local-account-user mode


Default Level 14

Usage Guide N/A

Configuration The following example binds the IP address 192.168.1.2 for a user.
Examples Ruijie# configure terminal
Ruijie(config)# local-account user test
Ruijie(local-account-user)# ip 192.168.1.2
Ruijie(local-account-user)# exit
Ruijie(config)# end

Verification Run the show local-account users command to display the bound user IP address. The IP address displayed in the Ip addr column is bound for the user.
Ruijie#show local-account users

(O) Online (S) State: 0=Invalid 1=Normal 3=Overdue

---------------------------------------------------------------------------------------------
Name O S Policy Ip addr Mac addr Note
---------------------------------------------------------------------------------------------
test 0 3 2018/01/21 192.168.1.2 11:11:22:22:33:33 test

total:1 upper limit:150

Ruijie

local-account user

Use this command to create a user.


local-account user username

Parameter Description
user username Indicates the username.

Defaults No user is configured by default.

Command Mode Global configuration mode

Default Level 14

Usage Guide N/A


Configuration Examples The following example creates a user named test.
Ruijie# configure terminal
Ruijie(config)# local-account user test
Ruijie(local-account-user)# exit
Ruijie(config)# end

Verification Run the show local-account users command to display the user status.
Ruijie#show local-account users

(O) Online (S) State: 0=Invalid 1=Normal 3=Overdue

---------------------------------------------------------------------------------------------
Name O S Policy Ip addr Mac addr Note
---------------------------------------------------------------------------------------------
test 0 3 2018/01/21 192.168.1.2 11:11:22:22:33:33 test

total:1 upper limit:150

Ruijie

local-account period

Use this command to configure the interval for the external module to send notifications.
local-account period time

Parameter Description
period time Indicates the interval for the external module to send notifications.

Defaults No interval is configured by default.

Command Mode Global configuration mode

Default Level 14

Usage Guide N/A

Configuration Examples The following example sets the notification interval to 60s.
Ruijie# configure terminal
Ruijie(config)# local-account period 60
Ruijie(config)# end


Verification Run the show local-account config command to display the configuration.
Ruijie#show local-account config
users-limit: 150
acct-period: 60s
notice: on
notice-time: 5h
notice-interval: 10m
Ruijie

local-account notice

Use this command to configure a user notification system.


local-account notice { enable | date-rule hour interval-min }

Parameter Description
notice Indicates the user notification system.
enable Enables user notification.
date-rule Sets date rules for notifications.
hour Indicates the time in advance users are notified that their accounts are about to expire. Unless this parameter is specified, the time is 48 hours by default.
interval-min Indicates the notification interval. Unless the notification interval is specified, it is 60 minutes by default.

Defaults No user notification system is configured by default.

Command Mode Global configuration mode

Default Level 14

Usage Guide N/A

Configuration The following example enables the notification function and configures the device to give notifications
Examples 5 hours before expiration and at an interval of 10 minutes.
Ruijie# configure terminal
Ruijie(config)# local-account notice enable
Ruijie(config)# local-account notice date-rule 5 10
Ruijie(config)# end

Verification Run the show local-account config command to display the configuration.
Ruijie#show local-account config
users-limit: 150


acct-period: 20s
notice: on
notice-time: 5h
notice-interval: 10m
Ruijie
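The notification rule of local-account notice date-rule, worked through in Python as an added illustration (this is not the device's code; the page gives only the two parameters and their defaults, so the exact gating rule and the account_state mapping, which follows the S column values shown in the show local-account users examples on this page, are assumptions):

```python
from datetime import datetime, timedelta

# Defaults stated on this page for local-account notice date-rule
DEFAULT_NOTICE_HOURS = 48
DEFAULT_INTERVAL_MIN = 60


def notice_schedule(expiry, hours=DEFAULT_NOTICE_HOURS, interval_min=DEFAULT_INTERVAL_MIN):
    """All notification times for an account expiring at `expiry`:
    from `hours` before expiry, every `interval_min` minutes, up to (not including) expiry."""
    if hours <= 0 or interval_min <= 0:
        raise ValueError("hours and interval_min must be positive")
    return [expiry - timedelta(minutes=m) for m in range(hours * 60, 0, -interval_min)]


def account_state(expiry, now):
    """S column of show local-account users as displayed on this page: 1=Normal, 3=Overdue.
    An account without a date policy (Policy N/A) is displayed as Normal in the page's example."""
    return 3 if expiry is not None and now >= expiry else 1


def should_notify(now, expiry, last_sent=None,
                  hours=DEFAULT_NOTICE_HOURS, interval_min=DEFAULT_INTERVAL_MIN):
    """Assumed rule: notify only inside the advance window, never after expiry,
    and at most once per interval."""
    if expiry is None or now >= expiry:
        return False                         # expired or no date policy: nothing to announce
    if now < expiry - timedelta(hours=hours):
        return False                         # not yet inside the advance-notice window
    if last_sent is not None and now - last_sent < timedelta(minutes=interval_min):
        return False                         # interval gating
    return True


if __name__ == "__main__":
    # Constructed example matching the page: policy date 2020 12 12, date-rule 5 10
    expiry = datetime(2020, 12, 12)
    for when in notice_schedule(expiry, hours=5, interval_min=10)[:3]:
        print("notice at", when)
    print("state now:", account_state(expiry, datetime(2021, 1, 1)))
```

With date-rule 5 10 the schedule holds 30 entries, the first 5 hours before expiry and the last 10 minutes before it; with the defaults it holds 48 hourly entries.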

mac

Use this command to bind the user MAC address.


mac { mac-address | auto }

Parameter Description
mac Binds the MAC address.
mac-address Indicates manual MAC address binding.
auto Indicates automatic MAC address binding.

Defaults No MAC address is bound for a user by default.

Command Mode Local-account-user mode

Default Level 14

Usage Guide N/A

Configuration Examples The following example binds the MAC address of a user.
Ruijie# configure terminal
Ruijie(config)# local-account user test
Ruijie(local-account-user)# mac 1111.2222.3333
Ruijie(local-account-user)# exit
Ruijie(config)# end

Verification Run the show local-account users command to display the user status.
Ruijie#show local-account users

(O) Online (S) State: 0=Invalid 1=Normal 3=Overdue

---------------------------------------------------------------------------------------------
Name O S Policy Ip addr Mac addr Note
---------------------------------------------------------------------------------------------
test 0 3 2018/01/21 192.168.1.2 11:11:22:22:33:33 test


total:1 upper limit:150


Ruijie

policy

Use this command to configure a charging policy for users.


policy date yyyy mm dd

Parameter Description
policy date Uses the date-based charging policy.
yyyy Indicates the expiration year.
mm Indicates the expiration month.
dd Indicates the expiration day.

Defaults No charging policy is configured by default.

Command Mode local-account-user mode

Default Level 14

Usage Guide N/A

Configuration Examples The following example configures a charging policy, in which the expiration date is December 12, 2020.
Ruijie# configure terminal
Ruijie(config)# local-account user test
Ruijie(local-account-user)# policy date 2020 12 12
Ruijie(local-account-user)# exit
Ruijie(config)# end

Verification Run the show local-account users command to display the user status.
Ruijie#show local-account users

(O) Online (S) State: 0=Invalid 1=Normal 3=Overdue

---------------------------------------------------------------------------------------------
Name O S Policy Ip addr Mac addr Note
---------------------------------------------------------------------------------------------
test 0 3 2020/12/12 192.168.1.2 11:11:22:22:33:33 test

total:1 upper limit:150

Ruijie


show local-account config

Use this command to display the configuration of this module.


show local-account config

Parameter Description
config Displays the configuration and parameters of the module.

Defaults N/A

Command Mode Privileged EXEC mode

Default Level 14

Usage Guide N/A

Configuration Examples N/A

Verification Run the show local-account config command to display the configuration of this module.
Ruijie# show local-account config
users-limit: 150
acct-period: 20s
notice: on
notice-time: 48h
notice-interval: 60m
Ruijie#

Field description:

Field Description
lacc Whether the local charging function is enabled
users-limit Maximum number of supported users
acct-period Interval for the external module to send notifications, in seconds
notice Whether the user notification system is enabled for accounts that are about to expire
notice-time Time in advance users are notified that their accounts are about to expire
notice-interval Notification interval


show local-account online

Use this command to display information about online users.


show local-account online [ by-name name ]

Parameter Description
online Displays online users.
by-name Searches for users by username.
name Indicates the username.

Defaults N/A

Command Mode Privileged EXEC mode

Default Level 14

Usage Guide N/A

Configuration Examples N/A

Verification Run the show local-account online by-name test1 command to check whether the user is online.
Ruijie#show local-account online by-name test1

-----------------------------------------------------------------------------------------
Name Ip addr Mac addr Start Online
-----------------------------------------------------------------------------------------
test1 192.168.0.13 00:23:24:03:03:03 2018/01/22 14:06:43 0days 00:02:55

Total:1
Ruijie#

Field description:

Field Description
Name Username
Ip addr IP address of the user
Mac addr MAC address of the user
Start Time when the user goes online
Online Online duration


Total Number of users under this account

show local-account users

Use this command to display user information.


show local-account users [ by-name name ]

Parameter Description
users Displays users.
by-name Searches for users by username.
name Username

Defaults N/A

Command Mode Privileged EXEC mode

Default Level 14

Usage Guide N/A

Configuration Examples N/A

Verification Run the show local-account users command to display user information.
Ruijie# show local-account users

(O) Online (S) State: 0=Invalid 1=Normal 3=Overdue

---------------------------------------------------------------------------------------------
Name O S Policy Ip addr Mac addr Note
---------------------------------------------------------------------------------------------
test1 0 1 N/A N/A N/A testtest

Total:1 Upper limit:150

Ruijie#

Field description:

Field Description
Name Username
O Online, indicating that the user is online
S State, indicating the user status


Policy Charging policy of the user


Ip addr Whether the user IP address is bound
Mac addr Whether the user MAC address is bound
Note Remarks of the user
Total Total number of current users
Upper limit Total number of users supported by the system

Command Reference Firewall Commands

17 Firewall Commands

NETWORK_DEFEND Commands

17.1.1 bypass

Use this command to configure a policy that allows bypass traffic to enter a network attack defense
domain. Use the no form of this command to delete the configured policy that allows bypass traffic to
enter a network attack defense domain. Use the default form of this command to restore the default
settings.
bypass src-ip-address [ mask src-ip-mask ] [ proto { tcp [ dest-port dest-port-num ] | udp [ dest-
port dest-port-num ] | icmp | protocol-num } ]
no bypass src-ip-address [ mask src-ip-mask ] [ proto { tcp [ dest-port dest-port-num ] | udp [ dest-
port dest-port-num ] | icmp | protocol-num } ]
default bypass src-ip-address [ mask src-ip-mask ] [ proto { tcp [ dest-port dest-port-num ] | udp
[ dest-port dest-port-num ] | icmp | protocol-num } ]

Parameter Description
src-ip-address Indicates the source IP address.
src-ip-mask Indicates the subnet mask of the source IP address.
tcp Indicates the TCP protocol.
udp Indicates the UDP protocol.
icmp Indicates the ICMP protocol.
protocol-num Indicates the protocol number.
dest-port-num Indicates the destination port number.

Defaults No policy that allows bypass traffic to enter a network attack defense domain is configured by default.

Command Mode config-defend-zone configuration mode

Default Level 14

Usage Guide Traffic matching a rule in the policy is considered as bypass traffic.

Configuration Examples The following example configures a policy on the egress gateway or wireless AC, in which TCP packets (with the destination port of 80) from the host with the IP address of 192.168.9.2 are allowed to directly pass through the network attack defense domain named web.
Ruijie(config)# defend-zone web
Ruijie(config-defend-zone)# bypass 192.168.9.2 proto tcp dest-port 80


Ruijie(config-defend-zone)# exit
Verification Run the show running command to check whether a policy that allows bypass traffic to enter a
network attack defense domain is configured successfully.

17.1.2 blacklist
Use this command to add a host to the blacklist to forbid the traffic of the host from entering or leaving
a network attack defense domain. Use the no form of this command to delete a host from the blacklist.
Use the default form of this command to restore the default settings.
blacklist ip-address
no blacklist [ ip-address ]
default blacklist [ ip-address ]

Parameter Description
ip-address Indicates the IP address of the host to be blacklisted.

Defaults No host is added to the blacklist.

Command Mode config-defend-zone configuration mode

Default Level 14

Usage Guide This command is used to add a host to the blacklist to forbid the traffic of the host from entering or
leaving a network attack defense domain.

Configuration Examples The following example forbids packets of the host with the IP address of 192.168.9.2 from passing through the network attack defense domain named web.
Ruijie(config)# defend-zone web
Ruijie(config-defend-zone)# blacklist 192.168.9.2
Ruijie(config-defend-zone)# exit

Verification Run the show running command to check whether the blacklist is configured successfully.

17.1.3 clear defend


Use this command to clear statistics on packet loss caused by attack defense.
clear defend drop

Parameter Description
N/A N/A


Command Mode Privileged EXEC mode

Default Level 14

Usage Guide This command is used to clear statistics on packet loss caused by attack defense.

Configuration Examples The following example clears statistics on packet loss caused by attack defense.
Ruijie# clear defend drop

17.1.4 clear defend-zone


Use this command to clear statistics of a network attack defense domain.
clear defend-zone net-defend-zone-name counters

Use this command to clear global protection statistics.


clear defend-zone global counters

Parameter Description
net-defend-zone-name Indicates the name of a network attack defense domain.
global Indicates global protection.

Command Mode Privileged EXEC mode

Default Level 14

Usage Guide This command is used to clear data transmission and receiving statistics as well as TopN list in traffic
monitoring.

Configuration Examples The following example clears statistics of the network attack defense domain named web.
Ruijie# clear defend-zone web counters

17.1.5 defend
Use this command to enable the defense against specified protocol attacks. Use the no form of this
command to disable the defense against specified protocol attacks. Use the default form of this
command to restore the default settings.
defend { winnuke | source-route | route-record | icmp-redirect | icmp-unreachable | fraggle |
land | large-icmp [ icmp-length ] }
no defend { winnuke | source-route | route-record | icmp-unreachable | fraggle | land | large-
icmp }
default defend { winnuke | source-route | route-record | icmp-unreachable | fraggle | land |
large-icmp }

17-3
Command Reference Firewall Commands

Parameter Description
winnuke Configures the defense against WinNuke attacks on the firewall. WinNuke attack packets will be discarded.
source-route Configures the defense against source route attacks on the firewall. IP packets using this option will be discarded.
route-record Configures the defense against route-record attacks on the firewall. IP packets using this option will be discarded.
icmp-unreachable Configures the defense against ICMP destination unreachable attacks on the firewall. ICMP destination unreachable packets will be discarded.
icmp-redirect Configures the defense against ICMP redirect attacks on the firewall. ICMP redirect packets will be discarded.
fraggle Configures the defense against Fraggle attacks on the firewall.
land Configures the defense against LAND attacks on the firewall. IP packets whose source IP address is the same as the destination IP address will be discarded.
large-icmp Configures the defense against jumbo ICMP packet attacks on the firewall.
icmp-length Indicates the allowable ICMP packet length, in bytes. ICMP packets beyond this length will be discarded. The default value is 4,000 bytes. The value ranges from 28 to 65,499.

Defaults The defense against LAND attacks is enabled by default.

Command Mode Global configuration mode

Default Level 14

Usage Guide This command is used to enable the defense against various protocol attacks.

Note: The source IP address may be the same as the destination IP address in some special valid applications (such as BFD). In this case, the defense against LAND attacks needs to be disabled on the firewall.

Configuration Examples The following example enables the defense against WinNuke attacks.
Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# defend winnuke

Verification 1. Run the show running command to check whether the defense against protocol attacks is
configured successfully.


2. Run the show defend drop command to display packet loss caused by the defense against
protocol attacks.
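The per-packet checks behind the defend keywords, written out in Python as an added illustration of what each keyword discards; this is not the firewall's code, and only the keywords whose match condition the parameter table actually states are modelled (winnuke and fraggle are left out because the table does not describe their packet signature). The ICMP type numbers and IP option numbers are the standard RFC 792/791 values; the Packet class, the function names and the sample traffic are constructed for the example:

```python
from dataclasses import dataclass, field
from typing import Optional

# ICMP message types (RFC 792) and IP option numbers (RFC 791) used by the checks below
ICMP_DEST_UNREACHABLE = 3
ICMP_REDIRECT = 5
IPOPT_RR = 7        # record route
IPOPT_LSRR = 131    # loose source route
IPOPT_SSRR = 137    # strict source route

# Only the LAND defense is enabled by default, as the command reference states
DEFAULT_DEFENDS = frozenset({"land"})


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp", "icmp", ...
    length: int = 0                 # total IP packet length in bytes
    ip_options: set = field(default_factory=set)
    icmp_type: Optional[int] = None


def validate_icmp_length(n):
    """Range check for the icmp-length argument of defend large-icmp (28 to 65,499 bytes)."""
    if not 28 <= n <= 65499:
        raise ValueError("icmp-length must be between 28 and 65499")
    return n


def check_packet(pkt, enabled=DEFAULT_DEFENDS, icmp_length=4000):
    """Return the name of the enabled defense that discards pkt, or None if it is forwarded."""
    # LAND: source and destination address identical. Per the note on this page, legitimate
    # protocols such as BFD can produce such packets, so this check is disabled where they run.
    if "land" in enabled and pkt.src == pkt.dst:
        return "land"
    if "source-route" in enabled and pkt.ip_options & {IPOPT_LSRR, IPOPT_SSRR}:
        return "source-route"
    if "route-record" in enabled and IPOPT_RR in pkt.ip_options:
        return "route-record"
    if pkt.proto == "icmp":
        if "icmp-unreachable" in enabled and pkt.icmp_type == ICMP_DEST_UNREACHABLE:
            return "icmp-unreachable"
        if "icmp-redirect" in enabled and pkt.icmp_type == ICMP_REDIRECT:
            return "icmp-redirect"
        if "large-icmp" in enabled and pkt.length > icmp_length:
            return "large-icmp"
    return None


def drop_statistics(packets, enabled=DEFAULT_DEFENDS, icmp_length=4000):
    """Count discards per defense, in the spirit of what show defend drop reports."""
    drops = {}
    for pkt in packets:
        reason = check_packet(pkt, enabled, icmp_length)
        if reason is not None:
            drops[reason] = drops.get(reason, 0) + 1
    return drops


# Constructed sample traffic (not a capture)
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.5", "tcp"),                               # LAND
    Packet("10.0.0.7", "10.0.0.9", "icmp", length=5000, icmp_type=8),    # oversized echo request
    Packet("10.0.0.7", "10.0.0.9", "icmp", length=84, icmp_type=3),      # destination unreachable
    Packet("10.0.0.8", "10.0.0.9", "udp", ip_options={IPOPT_LSRR}),      # loose source route
    Packet("10.0.0.8", "10.0.0.9", "tcp"),                               # ordinary packet
]

if __name__ == "__main__":
    print("default defends:", drop_statistics(SAMPLE))
    print("all modelled defends:", drop_statistics(
        SAMPLE, {"land", "source-route", "route-record", "icmp-unreachable", "icmp-redirect", "large-icmp"}))
```

Run against the sample with the defaults only the LAND packet is counted; enabling large-icmp, icmp-unreachable and source-route adds one discard each, which is the difference the two show defend drop readings in the verification step would reveal.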

17.1.6 defend-zone
Use this command to configure a network attack defense domain. Use the no form of this command
to delete the network attack defense domain. Use the default form of this command to restore the
default settings.
defend-zone net-defend-zone-name
no defend-zone net-defend-zone-name
default defend-zone net-defend-zone-name

Parameter Description
net-defend-zone-name Indicates the name of a network attack defense domain.

Defaults No network attack defense domain is configured by default.

Command Mode Global configuration mode

Default Level 14

Usage Guide Network attack defense domains can be configured on the device to provide independent protection
measures and protection management for different protection objects. Each network attack defense
domain contains at least two parts: a defined collection (associated with ACLs) of protected hosts and
the protection policy.
If the network segment, to which a protected interface belongs, is large (for example, the subnet mask
is about 16 bits), you need to configure an anti-scanning policy in the network attack defense domain
in routing mode. The purpose is to prevent switch abnormalities caused by scanning attacks.

Configuration Examples N/A

Verification 1. Run the show running command to check whether a network attack defense domain is configured
successfully.
2. Run the show defend-zone net-defend-zone-name command to display the status of the network
attack defense domain.

17.1.7 defend-zone global


Use this command to enable global protection. Use the no form of this command to disable global
protection. Use the default form of this command to restore the default settings.
defend-zone global
no defend-zone global


default defend-zone global

Parameter Description
N/A N/A

Defaults Global protection is enabled by default.

Command Mode Global configuration mode

Default Level 14

Usage Guide Global protection can directly classify and limit all traffic of the current device. It can effectively defend
against TCP flooding, and limit the rate of new UDP, ICMP and other protocol packets to restrict the
UDP, ICMP, and other protocol attacks. The defense and rate limit can effectively enhance the
firewall's defense capability against attacks and reduce network resources occupied by various
flooding traffic.
Global protection is enabled by default. It needs to be disabled when the firewall performance and
capacity are tested.

Configuration Examples The following example enables global protection.
Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# defend-zone global

Verification 1. Run the show running command to check whether global protection is enabled successfully.
2. Run the show defend drop command to display packet loss caused by global protection.

17.1.8 description
Use this command to configure a description for a network attack defense domain. Use the no form
of this command to delete the description of the network attack defense domain. Use the default form
of this command to restore the default settings.
description description-string
no description
default description

Parameter Description
description-string Indicates the description of a network attack defense domain. It can contain a maximum of 100 characters.

Defaults No description is configured by default.


Command Mode config-defend-zone configuration mode

Default Level 14

Usage Guide This command is used to configure a description for a network attack defense domain.

Configuration Examples The following example configures a description for the network attack defense domain named web.
Ruijie(config)# defend-zone web
Ruijie(config-defend-zone)# description "Defend policy for zone abc"

Verification Run the show defend-zone net-defend-zone-name command to display the description of the
network attack defense domain.

17.1.9 detect
Use this command to configure the anti-scanning detection sensitivity, interval, and number of
consecutive scans. Use the no form of this command to delete the configured anti-scanning detection
sensitivity, interval, and number of consecutive scans. Use the default form of this command to
restore the default settings.
detect { low | medium | high } { period time-interval | times last-times }
no detect { low | medium | high } { period | times }
default detect { low | medium | high } { period | times }

Parameter Description
low Indicates detection at low sensitivity.
medium Indicates detection at medium sensitivity.
high Indicates detection at high sensitivity.
time-interval Indicates the anti-scanning detection interval, in seconds. The value ranges from 1 to 2000.
last-times Indicates the number of consecutive scans. It is considered that a scanning attack occurs only when the number of consecutive scans reaches this value. The value ranges from 1 to 10 and the default value is 1.

Defaults You can run the show scan parameter command to display default values of parameters and current parameter configuration. For field descriptions, see the show scan parameter command.

Command Mode config-scan-policy configuration mode

Default Level 14

Usage Guide This command is used to set the sensitivity for anti-scanning detection.


Configuration Examples The following example sets the low-sensitivity detection interval to 100 seconds.
Ruijie(config)# scan policy
Ruijie(config-scan-policy)# detect low period 100

Verification Run the show scan parameter command to display parameter results.
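How the period and times parameters of detect interact, modelled in Python as an added example (not the device's anti-scanning implementation). The page does not say what the low/medium/high sensitivities measure, so this model assumes a per-sensitivity limit on the number of distinct host/port targets one source touches within a period; those limits, the class name and the sample trace are constructed for the example. A source is flagged only when it exceeds the limit in `times` consecutive periods, and a quiet period in between resets the count:

```python
from collections import defaultdict

# ASSUMED per-sensitivity limits on distinct (host, port) targets touched by one source within
# one detection period. The page does not state these; the device's values come from show scan parameter.
SENSITIVITY_TARGETS = {"low": 50, "medium": 20, "high": 5}


class ScanDetector:
    """Flags a source as scanning when it exceeds the sensitivity limit in `times` consecutive periods."""

    def __init__(self, level="low", period=10, times=1):
        if level not in SENSITIVITY_TARGETS:
            raise ValueError("level must be low, medium or high")
        if not 1 <= period <= 2000:          # ranges given for detect ... period / times on this page
            raise ValueError("period must be 1..2000 seconds")
        if not 1 <= times <= 10:
            raise ValueError("times must be 1..10")
        self.limit = SENSITIVITY_TARGETS[level]
        self.period = period
        self.times = times
        self.targets = defaultdict(set)     # src -> distinct (dst, port) seen in the current period
        self.period_id = {}                 # src -> index of the period being accumulated
        self.streak = defaultdict(int)      # src -> consecutive periods over the limit
        self.attackers = set()

    def _close_period(self, src, next_id):
        """Evaluate the period just finished for src and reset the accumulator."""
        if len(self.targets[src]) >= self.limit:
            self.streak[src] += 1
        else:
            self.streak[src] = 0
        if self.streak[src] >= self.times:
            self.attackers.add(src)
        if next_id - self.period_id[src] > 1:
            self.streak[src] = 0            # quiet periods in between: the scans were not consecutive
        self.targets[src] = set()
        self.period_id[src] = next_id

    def observe(self, src, dst, port, t):
        """Record one connection attempt from src to (dst, port) at time t (seconds)."""
        pid = int(t // self.period)
        if src not in self.period_id:
            self.period_id[src] = pid
        elif pid != self.period_id[src]:
            self._close_period(src, pid)
        self.targets[src].add((dst, port))

    def finish(self):
        """Evaluate the still-open period of every source (end of a trace) and return the flagged sources."""
        for src in list(self.period_id):
            self._close_period(src, self.period_id[src] + 1)
        return set(self.attackers)


def run_trace(detector, events):
    """Feed (src, dst, port, t) events through a detector and return the flagged sources."""
    for src, dst, port, t in events:
        detector.observe(src, dst, port, t)
    return detector.finish()


# Constructed trace: A touches six ports in two consecutive 10 s periods; B touches six ports
# once, then is silent until period 2.
SAMPLE_TRACE = (
    [("A", "10.0.0.9", p, float(p - 1)) for p in range(1, 7)]
    + [("A", "10.0.0.9", p, 10.0 + p - 1) for p in range(1, 7)]
    + [("B", "10.0.0.9", p, float(p - 1)) for p in range(1, 7)]
    + [("B", "10.0.0.9", 80, 25.0)]
)

if __name__ == "__main__":
    print("high, times 2:", run_trace(ScanDetector("high", period=10, times=2), SAMPLE_TRACE))
    print("high, times 1:", run_trace(ScanDetector("high", period=10, times=1), SAMPLE_TRACE))
```

With times 2 only A is flagged, because B's two busy periods are not consecutive; with the default times 1 both are, and at low sensitivity neither is. Raising times therefore trades detection delay for fewer false positives, which is the knob the detect command exposes.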

17.1.10 icmp auth-src-in


Use this command to configure a policy for defending against ICMP traffic from authentic source
hosts. Use the no form of this command to delete the policy for defending against ICMP traffic from
authentic source hosts. Use the default form of this command to restore the default settings.
icmp auth-src-in src-ip threshold threshold-num [ timeout seconds ] action { limit | blocking |
notify }
no icmp auth-src-in src-ip
default icmp auth-src-in src-ip

Parameter Description
auth-src-in Indicates packets that enter a network attack defense domain and are from authentic source hosts.
src-ip Indicates that the policy is applied to identify packets from each source host.
threshold threshold-num Indicates the maximum number of packets per second. The value ranges from 1 to 100,000,000.
timeout seconds Indicates the minimum execution duration of the policy, in seconds. The default value is 60. The value ranges from 10 to 86,400.
limit Limits the traffic below the value of threshold-num.
blocking Blocks the traffic of the host that enters and leaves the attack defense domain.
notify Records the attack event only.

Defaults No such policy is configured by default.

Command Mode config-defend-zone configuration mode

Default Level 14

Usage Guide When the rate of ICMP traffic that is from any authentic source host and enters a network attack defense domain exceeds the threshold, the device starts the defense mechanism. The device limits the rate (not exceeding the threshold) of such packets that are from the source host and enter the network attack defense domain, or blocks all traffic of the source host that enters or leaves the network attack defense domain (according to the policy execution time). The policy execution duration is not shorter than the value of seconds.

Configuration Examples The following example configures a policy for defending against ICMP flood traffic from authentic source hosts for the network attack defense domain named web. In the policy, when the ICMP packets sent from a source host (passing source verification) to the network attack defense domain named web exceed 100 pps, the device is required to block all traffic of the host (for at least 60 seconds).
Ruijie(config)# defend-zone web
Ruijie(config-defend-zone)# icmp auth-src-in src-ip threshold 100 action blocking
Ruijie(config-defend-zone)# exit

17.1.11 icmp pkt-in


Use this command to configure a policy for limiting the ICMP traffic that enters a network attack
defense domain. Use the no form of this command to delete the policy for limiting the ICMP traffic that
enters a network attack defense domain. Use the default form of this command to restore the default
settings.
icmp pkt-in { dst-ip | global } threshold threshold-num [ timeout seconds ] action { limit | notify }
no icmp pkt-in { dst-ip |global }
default icmp pkt-in { dst-ip |global }

Parameter Description
pkt-in Indicates all types of packets that enter a network attack defense domain.
threshold threshold-num Indicates the maximum number of packets per second. The value ranges from 1 to 100,000,000.
timeout seconds Indicates the minimum execution duration of the policy, in seconds. The default value is 60. The value ranges from 10 to 86,400.
dst-ip Indicates that the policy is applied to identify packets sent to each destination host.
global Indicates that the policy is applied to identify all packets that enter the domain.
limit Limits the traffic below the value of threshold-num.
notify Records the attack event only.

Defaults N/A

Command Mode config-defend-zone configuration mode

Default Level 14


Usage Guide When the rate of ICMP traffic that enters a network attack defense domain exceeds the threshold, the
device limits the rate of the traffic to be lower than or equal to the threshold. The policy execution
duration is not shorter than the value of seconds.
When the rate of ICMP traffic destined for any host in a network attack defense domain exceeds the
threshold, the device limits the rate of the traffic to be lower than or equal to the threshold. The policy
execution duration is not shorter than the value of seconds.

Configuration Examples The following example configures a policy for defending against ICMP flood traffic for the network attack defense domain named web. In the policy, when the rate of ICMP packets destined for a host
in the network attack defense domain named web exceeds 100 pps, the device is required to limit the
ICMP traffic of the host (not exceeding 100 pps).
Ruijie(config)# defend-zone web
Ruijie(config-defend-zone)# icmp pkt-in dst-ip threshold 100 action limit
Ruijie(config-defend-zone)# exit

17.1.12 icmp unauth-src-in

Use this command to configure a policy for defending against ICMP traffic that does not pass authentic
source verification. Use the no form of this command to delete the policy for defending against ICMP
traffic that does not pass authentic source verification. Use the default form of this command to restore
the default settings.
icmp unauth-src-in { dst-ip | global } threshold threshold-num [ timeout seconds ] action { limit | drop | notify }
no icmp unauth-src-in { dst-ip | global }
default icmp unauth-src-in { dst-ip | global }

Parameter Description
unauth-src-in Indicates packets that enter a network attack defense domain but do not pass authentic source verification.
threshold threshold-num Indicates the maximum number of packets per second. The value ranges from 1 to 100,000,000.
timeout seconds Indicates the minimum execution duration of the policy, in seconds. The default value is 60. The value ranges from 10 to 86,400.
dst-ip Indicates that the policy is applied to identify packets sent to each destination host.
global Indicates that the policy is applied to identify all packets that enter the domain.
limit Limits the traffic below the value of threshold-num.
drop Discards the traffic.
notify Records the attack event only.

Defaults No such policy is configured by default.

Command Mode config-defend-zone configuration mode

Default Level 14

Usage Guide When the rate of ICMP packets that enter a network attack defense domain but do not pass the
authentic source verification exceeds the threshold, the device starts the defense mechanism. The
device limits the rate (not exceeding the threshold) of the packets entering the network attack defense
domain or discards all such packets.
When the rate of ICMP packets that are destined for any host in a network attack defense domain but
do not pass the authentic source verification exceeds the threshold, the device starts the defense
mechanism. The device limits the rate (not exceeding the threshold) of the packets entering the host
or discards all such packets.

Configuration Examples The following example configures a policy for defending against ICMP flood packets using fake source
IP addresses, for the network attack defense domain named web. In the policy, when the rate of ICMP
packets using suspicious fake source IP addresses destined for a host in the network attack defense
domain named web exceeds 100 pps, the device is required to limit such ICMP traffic (not exceeding
100 pps); after the attack stops, the policy remains in effect for 1 hour.
Ruijie(config)# defend-zone web
Ruijie(config-defend-zone)# icmp unauth-src-in global threshold 100 timeout 3600 action limit
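The threshold / timeout / action semantics shared by icmp pkt-in and icmp unauth-src-in above, modelled as an added example in Python. This is not Ruijie code and does not reproduce how the device implements the policy; it only models the behaviour the two command descriptions state: packets are counted per one-second window, per destination host (dst-ip) or for the whole domain (global), the policy becomes active once the count exceeds threshold-num, stays active for at least `timeout` seconds after the rate falls back below the threshold, and applies one of the actions limit, drop or notify. The names `RatePolicy`, `simulate` and `flood` and the packet stream are all constructed here.

```python
"""Model of the threshold / timeout / action policy semantics.

Added example, not Ruijie code: it does not reproduce the device's
implementation, only the behaviour the reference describes.  Packets are
(timestamp, dst_ip) pairs; the policy counts packets per one-second window,
per destination host (scope "dst-ip") or for the whole domain ("global").
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class RatePolicy:
    threshold: int            # threshold-num: maximum packets per second
    timeout: int = 60         # minimum seconds the policy stays in effect after the rate drops
    action: str = "limit"     # "limit", "drop" or "notify"
    scope: str = "dst-ip"     # "dst-ip" or "global"
    events: list = field(default_factory=list)   # (second, key): one entry per attack instance
    _counts: dict = field(default_factory=lambda: defaultdict(int))
    _window: dict = field(default_factory=dict)        # key -> second currently being counted
    _active_until: dict = field(default_factory=dict)  # key -> earliest time the policy may expire

    def _key(self, dst_ip):
        return dst_ip if self.scope == "dst-ip" else "global"

    def handle(self, t, dst_ip):
        """Return "forward" or "drop" for one packet arriving at time t (seconds)."""
        key = self._key(dst_ip)
        sec = int(t)
        if self._window.get(key) != sec:       # start a new one-second window
            self._window[key] = sec
            self._counts[key] = 0
        self._counts[key] += 1
        over = self._counts[key] > self.threshold
        if over:
            if self._active_until.get(key, -1.0) < t:
                self.events.append((sec, key))  # new attack event (what "notify" records)
            self._active_until[key] = t + self.timeout   # attack ongoing: keep the policy alive
        active = t <= self._active_until.get(key, -1.0)
        if not active or self.action == "notify":
            return "forward"
        if self.action == "drop":
            return "drop"
        # "limit": pass at most threshold packets per second while the policy is active
        return "forward" if self._counts[key] <= self.threshold else "drop"


def simulate(policy, packets):
    """Run every packet through the policy in time order; return verdict counts."""
    verdicts = {"forward": 0, "drop": 0}
    for t, dst in sorted(packets):
        verdicts[policy.handle(t, dst)] += 1
    return verdicts


def flood(dst, start, seconds, pps):
    """Constructed traffic: pps packets per second towards dst for the given number of seconds."""
    return [(start + s + i / pps, dst) for s in range(seconds) for i in range(pps)]


if __name__ == "__main__":
    # 500 pps towards one host (attack) and 50 pps towards another (normal), threshold 100 pps
    policy = RatePolicy(threshold=100, timeout=60, action="limit")
    traffic = flood("192.168.3.10", 0, 2, 500) + flood("192.168.3.11", 0, 2, 50)
    print(simulate(policy, traffic), policy.events)
```

With the limit action the attacked host still receives 100 packets in every second of the flood while the host under the threshold is untouched; with dst-ip scope two hosts at 80 pps each are both under the threshold, whereas with global scope their combined 160 pps trips the policy. The timeout keeps the policy active after the last over-threshold second, which is why a lone packet a few seconds after the flood is still dropped under the drop action.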

17.1.13 ignore
Use this command to exclude a protocol category from anti-scanning detection. Use the no form of this
command to include the protocol category in anti-scanning detection again. Use the default form of
this command to restore the default settings.
ignore protocol { tcp | udp | icmp | other-protocol }
no ignore protocol { tcp | udp | icmp | other-protocol }
default ignore protocol { tcp | udp | icmp | other-protocol }

Parameter Description
icmp Indicates the ICMP protocol.
other-protocol Indicates protocols other than TCP, UDP, and ICMP.
tcp Indicates the TCP protocol.
udp Indicates the UDP protocol.

Defaults Anti-scanning detection is applied to all protocol categories.

Command Mode config-scan-policy configuration mode

Default Level 14

Usage Guide This command is used to ignore the scanning behavior of a protocol as required. This command can
be configured multiple times.

Configuration Examples The following example ignores the scanning of the TCP protocol during anti-scanning detection.
Ruijie(config)# scan policy
Ruijie(config-scan-policy)# ignore protocol tcp

17.1.14 ip access-group
Use this command to configure an ACL to be associated with a network attack defense domain. Use
the no form of this command to disassociate the ACL from the network attack defense domain. Use
the default form of this command to restore the default settings.
ip access-group access-list
no ip access-group
default ip access-group

Parameter Description
access-list Indicates the name of the IP ACL to associate with the domain.

Defaults No ACL is associated with a network attack defense domain by default.

Command Mode config-defend-zone configuration mode

Default Level 14

Usage Guide This command is used to configure an ACL to be associated with a network defense domain, to define
the protection area of the domain.

Note: If the ACL to be associated does not exist or is incorrect, this command is still accepted but an
error prompt is displayed. Users need to manually correct the ACL association; an association with an
incorrect ACL invalidates the function. Run the show defend-zone web command to display the attack
defense status.

Note: The ACL associated with attack defense can contain no more than 200 ACEs. Only ACLs
composed of access-list id permit { src src-wildcard | host src } ACEs are supported. When the
associated ACL does not meet this condition, the network attack defense domain is unavailable. The
deny policy and the any and time-range keywords are not supported in these ACLs.

Configuration Examples The following example configures the network attack defense domain named web to protect all hosts
(defined in the ACL server) in the 192.168.3.X network segment.
Ruijie(config)# ip access-list standard server
Ruijie(config-std-nal)# 10 permit 192.168.3.0 0.0.0.255
Ruijie(config-std-nal)# exit
Ruijie(config)# defend-zone web
Ruijie(config-defend-zone)# ip access-group server
Ruijie(config-defend-zone)# exit

Verification Run the show defend-zone command to display the desired ACL and whether the ACL is correctly
associated.
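A pre-check for the ACL constraints listed in the notes above, as an added example that is not part of this reference and not Ruijie code. The device only reports a problem after the association is made; the check below applies the stated rules to the ACE text beforehand: at most 200 ACEs, every ACE of the form permit src src-wildcard or permit host src (with an optional sequence number), and no deny, any or time-range. The function name `validate_acl` and both sample ACLs are constructed here.

```python
"""Pre-check an ACL against the constraints ip access-group imposes.

Added example, not Ruijie code.  The device only reports a problem after the
association is made; this check applies the rules from the notes above to
ACE text beforehand: at most 200 ACEs, every ACE either
`[seq] permit src src-wildcard` or `[seq] permit host src`, and no deny,
any or time-range.  Sample ACLs are constructed.
"""
import ipaddress
import re

MAX_ACES = 200
ACE_RE = re.compile(
    r"^(?:(?P<seq>\d+)\s+)?permit\s+"
    r"(?:host\s+(?P<host>\S+)|(?P<src>\S+)\s+(?P<wild>\S+))$"
)

# Constructed sample: the ACL from the configuration example plus one host ACE.
GOOD_ACL = """
10 permit 192.168.3.0 0.0.0.255
20 permit host 192.168.4.7
""".splitlines()

# Constructed sample breaking each rule once.
BAD_ACL = """
10 permit 192.168.3.0 0.0.0.255
20 deny host 10.0.0.1
30 permit any
40 permit 10.0.0.0 0.0.0.255 time-range work
50 permit 300.1.1.1 0.0.0.255
""".splitlines()


def _is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def validate_acl(ace_lines):
    """Return a list of problems; an empty list means the ACL can be associated."""
    problems = []
    aces = [line.strip() for line in ace_lines
            if line.strip() and not line.strip().startswith("!")]
    if len(aces) > MAX_ACES:
        problems.append(f"{len(aces)} ACEs exceed the limit of {MAX_ACES}")
    for n, ace in enumerate(aces, 1):
        tokens = ace.split()
        unsupported = [k for k in ("deny", "any", "time-range") if k in tokens]
        if unsupported:
            problems.append(f"ACE {n}: {unsupported[0]} is not supported")
            continue
        m = ACE_RE.match(ace)
        if not m:
            problems.append(f"ACE {n}: not of the form permit src src-wildcard / permit host src")
            continue
        # every address field must be a dotted IPv4 address (a wildcard uses the same notation)
        bad = [a for a in (m.group("host"), m.group("src"), m.group("wild"))
               if a and not _is_ipv4(a)]
        if bad:
            problems.append(f"ACE {n}: {bad[0]!r} is not an IPv4 address")
    return problems


if __name__ == "__main__":
    print(validate_acl(GOOD_ACL))
    for problem in validate_acl(BAD_ACL):
        print(problem)
```

Run the check over the ACE lines of the ACL before issuing ip access-group; an empty result means the domain will not be silently disabled by an unsupported ACE.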

17.1.15 log
Use this command to enable the function of logging different types of attacks. Use the no form of this
command to disable the function of logging different types of attacks. Use the default form of this
command to restore the default settings.
log { tcp-auth | tcp-unauth | icmp | udp | other-protocol | scan | all } [ syslog | save ]
no log { tcp-auth | tcp-unauth | icmp | udp | other-protocol | scan | all } [ syslog | save ]
default log { tcp-auth | tcp-unauth | icmp | udp | other-protocol | scan | all } [ syslog | save ]

Parameter Description
tcp-auth Logs all TCP attacks from authentic source IP addresses.
tcp-unauth Logs all attacks using TCP traffic that does not pass authentic source verification.
icmp Logs all ICMP attacks.
udp Logs all UDP attacks.
other-protocol Logs all attacks of other protocols (except TCP, UDP, and ICMP).
scan Logs scanning attacks.
all Logs all types of attacks.
syslog Records attack logs in the form of system logs.
save Saves attack information to the database.

Defaults The attack logging function is disabled by default.

Command Mode config-defend-zone configuration mode

Default Level 14

Usage Guide This command is used to enable the function of logging different types of attacks. The keyword all
indicates that all types of attacks are logged. When neither syslog nor save is specified, attack
information is recorded both in the system logs and in the database.

Configuration Examples The following example saves all ICMP attack logs.
Ruijie(config)# defend-zone web
Ruijie(config-defend-zone)# log icmp save
Ruijie(config-defend-zone)# exit

Verification After an attack occurs, run the show defend-zone net-defend-zone-name report command to display
attack results.

17.1.16 net-defend enable

Use this command to enable NETWORK_DEFEND. Use the no form of this command to disable
NETWORK_DEFEND. Use the default form of this command to restore the default settings.
net-defend enable
no net-defend enable
default net-defend enable

Parameter Description
N/A N/A

Defaults NETWORK_DEFEND is disabled by default.

Command Mode Global configuration mode

Default Level 14

Usage Guide When you enable NETWORK_DEFEND, you must also run the ip session tcp-state-inspection-enable fw
and ip session track-state-strictly commands in global configuration mode. When NETWORK_DEFEND
is disabled, you also need to disable the ip session tcp-state-inspection-enable fw and ip session
track-state-strictly commands.

Configuration Examples The following example enables NETWORK_DEFEND.
Ruijie(config)# net-defend enable

Platform Description Egress gateways support this command. NETWORK_DEFEND is enabled on firewalls by default and
therefore, firewalls do not support this command.

17.1.17 net-defend learning

Use this command to enable defense policy self-learning in a network attack defense domain.
net-defend learning net-defend-zone-name [ days days ]

Use this command to enable defense policy self-learning for global protection.
net-defend learning global [ days days ]

Parameter Description
net-defend-zone-name Indicates the name of a network attack defense domain.
global Indicates global protection.
days Indicates the number of policy learning days. Range: 3-60.

Command Mode Privileged EXEC mode

Default Level 14

Usage Guide Before configuring a defense policy, users can enable the policy self-learning function. By monitoring
traffic for a period of time, the device provides reasonable policy configuration suggestions for the
network attack defense domain. During policy learning, the system automatically enables the
session-based policy for defending against TCP SYN flooding attacks for the network attack defense
domain in which policy learning is started. Users cannot enable manually configured defense policies
during policy learning. Therefore, if the system is attacked during policy learning (for example, an
abnormality occurs when a network attack defense domain is suspected to be attacked), the policy
thresholds learned by the system are inaccurate. In this case, it is recommended that users restart
policy self-learning. The policy learning duration should be 7 days or longer.
Policy suggestions provided via policy learning are obtained based on traffic peaks in a network attack
defense domain during monitoring. Users can directly use these thresholds or adjust them, for
example, increase the thresholds by a certain percentage.

Configuration Examples The following example enables policy learning for the network attack defense domain named web for
7 days.
Ruijie(config)# defend-zone web
Ruijie(config-defend-zone)# ip access-group server
Ruijie(config-defend-zone)# exit
Ruijie# net-defend learning web
Net defend policies learning for defend-zone ‘web’ begin. (Period: 7 days)

Prompt Message 1. Policy learning is enabled successfully.
Ruijie# net-defend learning web
Net defend policies learning for defend-zone ‘web’ begin. (Period: 7 days)

2. A defense policy is already available and policy learning cannot be enabled.
Ruijie#net-defend learning web
Learning policy for 'web' fail: policies have been configured.

17.1.18 net-defend mode

Use this command to configure the NETWORK_DEFEND mode. Use the no form of this command
to cancel the configured NETWORK_DEFEND mode. Use the default form of this command to
restore the default settings.
net-defend mode { nat | no-nat }
no net-defend mode { nat | no-nat }
default net-defend mode { nat | no-nat }

Parameter Description
nat Indicates the NAT mode.
no-nat Indicates the non-NAT mode.

Defaults The default NETWORK_DEFEND mode is NAT mode on gateways and non-NAT mode on bridges.

Command Mode Global configuration mode

Default Level 14

Usage Guide If NAT is deployed on the network, the NETWORK_DEFEND mode needs to be set to NAT mode.
Bridges do not support NAT and the NAT mode cannot be configured on them.

Configuration Examples The following example sets the NETWORK_DEFEND mode to NAT mode.
Ruijie(config)# net-defend mode nat

Platform Description Egress gateways support this command. Firewalls do not support NAT and therefore do not support
this command.

17.1.19 ratelimit
Use this command to limit the bandwidth of traffic that enters or leaves a network attack defense
domain. Use the no form of this command to cancel the limit on the bandwidth of traffic that enters or
leaves a network attack defense domain. Use the default form of this command to restore the default
settings.
ratelimit { in | out } [ src-ip | dst-ip ] bandwidth bps-num
no ratelimit { in | out } [ src-ip | dst-ip ]
default ratelimit { in | out } [ src-ip | dst-ip ]

Parameter Description
in Limits the bandwidth of traffic that enters a network attack defense domain.
out Limits the bandwidth of traffic that leaves a network attack defense domain.
src-ip Applies the limit to each source IP address.
dst-ip Applies the limit to each destination IP address.
bps-num Indicates the bandwidth limit, in bps. The value ranges from 1 to 1,000,000,000.

Defaults No bandwidth limit is configured by default.

Command Mode config-defend-zone configuration mode

Default Level 14

Usage Guide src-ip: Limits the bandwidth of each source IP address.
dst-ip: Limits the bandwidth of each destination IP address.

Note: When neither src-ip nor dst-ip is configured, the bandwidth of all traffic that enters or leaves
the network attack defense domain is limited. If traffic comes from hosts whose authenticity is not
confirmed, such traffic is not limited by the policy.

Configuration Examples The following example limits the total bandwidth of traffic that enters the network attack defense
domain named web to be no more than 100,000,000 bps.
Ruijie(config)# defend-zone web
Ruijie(config-defend-zone)# ratelimit in bandwidth 100000000
Ruijie(config-defend-zone)# exit

17.1.20 session-limit
Global Protection: Use this command to limit the session creation rate. Use the no form of this command to cancel the
limit on the session creation rate. Use the default form of this command to restore the default settings.
session-limit { tcp | udp | icmp | other-protocol } new-session-per-second
no session-limit { tcp | udp | icmp | other-protocol }
default session-limit { tcp | udp | icmp | other-protocol }
Attack Defense Domain: Use this command to limit the creation rate of sessions that enter or leave a network attack defense
domain. Use the no form of this command to cancel the limit on the session creation rate. Use the
default form of this command to restore the default settings.
session-limit { in | out } [ src-ip | dst-ip ] session-rate new-session-per-second
no session-limit { in | out } [ src-ip | dst-ip ]
default session-limit { in | out } [ src-ip | dst-ip ]

Parameter Description
new-session-per-second Indicates the number of sessions to be created per second. The value ranges from 1 to 1,000,000.
tcp Limits the creation rate of all TCP sessions.
udp Limits the creation rate of all UDP sessions.
icmp Limits the creation rate of all ICMP sessions.
other-protocol Limits the creation rate of all IP sessions other than TCP, UDP, and ICMP sessions.
in Limits the creation rate of sessions that enter the network attack defense domain.
out Limits the creation rate of sessions that leave the network attack defense domain.
src-ip Applies the limit to each source IP address.
dst-ip Applies the limit to each destination IP address.

Defaults The default values of the session-limit command for global protection are as follows:
tcp: 300000
udp: 300000
icmp: 100000
other-protocol: 100000

By default, the session-limit command is disabled in a network attack defense domain.

Command Mode config-defend-zone configuration mode

Default Level 14

Usage Guide This command is used to limit the creation rate of various sessions.
Global protection is enabled by default. It needs to be disabled when the firewall performance and
capacity are tested.

Configuration Examples The following example limits the creation rate of TCP sessions to be lower than 10,000 per second.
Ruijie(config)# defend-zone global
Ruijie(config-defend-zone)# session-limit tcp 10000

17.1.21 scan
Use this command to set an anti-scanning policy. Use the no form of this command to cancel the
anti-scanning policy. Use the default form of this command to restore the default settings.
scan { in | out } src-ip threshold { low | medium | high } [ timeout seconds ] action { blocking | notify }
no scan { in | out } src-ip
default scan { in | out } src-ip

Parameter Description
in Detects the traffic that enters a network attack defense domain.
out Detects the traffic that leaves a network attack defense domain.
low Conducts detection at low sensitivity.
medium Conducts detection at medium sensitivity.
high Conducts detection at high sensitivity.
timeout seconds Indicates the minimum execution duration of the policy, in seconds. The default value is 60. The value ranges from 10 to 86,400.
notify Records attacks only.
blocking Blocks all traffic of an attack after the attack is identified.

Defaults No such policy is configured by default.

Command Mode config-defend-zone configuration mode

Default Level 14

Usage Guide This command is used to defend against scanning behavior towards and from a network attack
defense domain.
If the network segment to which a protected interface belongs is large (for example, the subnet mask
is about 16 bits), configure an anti-scanning policy in the network attack defense domain in routing
mode to prevent switch abnormalities caused by scanning attacks.

Configuration Examples The following example configures an anti-scanning policy for detecting, at low sensitivity, scanning
behavior from an external network towards the network attack defense domain named web. In the
policy, when scanning behavior of a host is detected, all traffic of the host that enters or leaves the
domain is blocked for 1,800 seconds.
Ruijie(config)# defend-zone web
Ruijie(config-defend-zone)# scan in src-ip threshold low timeout 1800 action blocking
Ruijie(config-defend-zone)# exit

17.1.22 scan policy

Use this command to redefine default anti-scanning parameters. Use the no form of this command to
delete defined default anti-scanning parameters. Use the default form of this command to restore the
default settings.
scan policy
no scan policy
default scan policy

Parameter Description
N/A N/A

Defaults You can run the show scan parameter command to display default values of parameters and current
parameter configuration. For field descriptions, see the show scan parameter command.

Command Mode Global configuration mode

Default Level 14

Usage Guide This command enters the anti-scanning parameter configuration mode (config-scan-policy), in which
you can redefine the default anti-scanning parameters used by an anti-scanning policy.

Configuration Examples The following example enters the anti-scanning parameter configuration mode.
Ruijie(config)# scan policy
Ruijie(config-scan-policy)# exit

Verification Run the show scan parameter command to display adjusted parameter results.

17.1.23 show defend

Use this command to display overall statistics on packet loss caused by NETWORK_DEFEND.
show defend drop

Parameter Description
N/A N/A

Command Mode Privileged EXEC mode

Default Level 14

Usage Guide This command is used to display overall statistics on packet loss caused by attack defense.

Configuration Examples The following example displays statistics on packet loss caused by attack defense.
Ruijie# show defend drop
Drops packet: 1,192
Winnuke: 20
Land: 80
Global protect: 102
Zone ‘web’: 890
Zone ‘ftp’: 100
Drops flow: 120
Global protect: 50
Zone ‘web’: 270
Field description:
Field Description
Drops packet Number of discarded packets
Drops flow Number of discarded flows
Winnuke Number of WinNuke attacks that are defended against
LAND Number of LAND attacks that are defended against
Global protect Number of attacks that are defended against by global protection
Zone Network attack defense domain

Prompt Message If no packet is discarded in the defense against a type of attack, the attack item is not displayed.
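An added example (not Ruijie code) that parses the show defend drop output above and turns two successive polls of it into per-counter drop rates, which is how an operator notices a zone that has started dropping traffic. POLL_1 is the output shown in the configuration example; POLL_2 is a constructed second poll, and a poll interval of 60 seconds is assumed. The function names `parse_defend_drop`, `drop_rates` and `counters_above` are constructed here.

```python
"""Parse `show defend drop` output and compute per-counter drop rates.

Added example, not Ruijie code.  POLL_1 is the output shown above; POLL_2 is
constructed to look like the same command run 60 seconds later.  The
extracted text has lost the indentation of the sub-items, so a line is
attributed to the last "Drops ..." heading that preceded it.
"""
import re

LINE_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<val>[\d,]+)\s*$")

POLL_1 = """\
Drops packet: 1,192
Winnuke: 20
Land: 80
Global protect: 102
Zone ‘web’: 890
Zone ‘ftp’: 100
Drops flow: 120
Global protect: 50
Zone ‘web’: 270
"""

# Constructed second poll: zone web has dropped 6,000 more packets and 10 more flows.
POLL_2 = """\
Drops packet: 7,192
Winnuke: 20
Land: 80
Global protect: 102
Zone ‘web’: 6,890
Zone ‘ftp’: 100
Drops flow: 130
Global protect: 50
Zone ‘web’: 280
"""


def _norm(key):
    """Strip the quotes the CLI prints around zone names (Zone ‘web’ -> Zone web)."""
    return key.translate(str.maketrans("", "", "‘’'")).strip()


def parse_defend_drop(text):
    """Return {"Drops packet": {"total": n, item: n, ...}, "Drops flow": {...}}."""
    result, section = {}, None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = _norm(m.group("key"))
        val = int(m.group("val").replace(",", ""))   # 1,192 -> 1192
        if key.startswith("Drops "):
            section = key
            result[section] = {"total": val}
        elif section is not None:
            result[section][key] = val
    return result


def drop_rates(before, after, interval_s):
    """Per-counter drop rate between two polls; counters absent from `before` start at 0."""
    rates = {}
    for section, items in after.items():
        prev = before.get(section, {})
        for key, val in items.items():
            rates[(section, key)] = (val - prev.get(key, 0)) / interval_s
    return rates


def counters_above(rates, limit):
    """(section, counter) pairs whose rate exceeds `limit`, ignoring the section totals."""
    return sorted(k for k, r in rates.items() if k[1] != "total" and r > limit)


if __name__ == "__main__":
    rates = drop_rates(parse_defend_drop(POLL_1), parse_defend_drop(POLL_2), 60)
    print(counters_above(rates, 1.0))   # items dropping more than 1 unit per second
```

Because the counters are cumulative, the absolute values say little on their own; the rate between two polls is what separates an idle zone from one under attack, and the prompt message above (an item that has dropped nothing is not printed) is why a counter missing from the earlier poll is treated as starting at zero.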

17.1.24 show defend module

Use this command to display the overall work status of the current attack defense service module.
show defend module

Parameter Description
N/A N/A

Command Mode Privileged EXEC mode

Default Level 14

Usage Guide This command is used to display the connection status of the current attack defense service module.

Configuration Examples The following example displays the connection status of the current attack defense service module.
Ruijie# show defend module
Defend services module: 2
Group Slot CPU State
----------------------------------------
0 3 0 Connect
0 5 1 Online
Field description:
Field Description
Defend services module Number of connected attack defense service modules
Group Attack defense service group
Slot Slot of the service module
CPU CPU number of the service module
State Current status of the service module
Connect Connection completed but service configuration not completed
Online Connection completed and service configuration completed

17.1.25 show defend-zone

Use this command to display the status and statistics of a network attack defense domain.
show defend-zone net-defend-zone-name [ counters | host ]

Use this command to display statistics of global protection.
show defend-zone global counters

Parameter Description
net-defend-zone-name Indicates the name of a network attack defense domain.
global Indicates global protection.
counters Indicates various statistics.
host Displays the host statistics.

Command Mode Privileged EXEC mode

Default Level 14

Usage Guide This command is used to display the status, statistics, and attack information of a network attack
defense domain.

Configuration Examples The following example displays the status of a network attack defense domain.
Ruijie# show defend-zone web
Description : web-servers-protect-zone
Zone state: Running
ACL associated: server-zone
Traffic monitor: tcp, http, udp, icmp, ip
Field description:
Field Description
Description Description of the domain
Zone state Status of the domain. Running: The domain is running. Stopped: The domain is stopped. Learning: The domain is conducting learning.
ACL associated Name of the associated ACL
Traffic monitor Enabled traffic monitoring
The following example displays statistics of the network attack defense domain.
Ruijie# show defend-zone web counters
Counters :
Received: 8234
Forwarded: 7981
Dropped(packets): 20
Dropped(flows): 10
Replied: 105
Dropped:
Black-list: 0
rate-limit: 5
policy-drop(packets):15
policy-drop(flows): 5

Ruijie# show defend-zone global counters
Received: 0
Forwarded: 0
Dropped(flows): 0
Replied: 0
Dropped:
tcp-session-limit: 0
udp-session-limit: 0
icmp-session-limit: 0
other-protocol-session-limit: 0
Replied:
tcp syn-in: 0
tcp half-connin: 0
Field description:
Field Description
Received Number of packets received and processed by the domain
Forwarded Number of forwarded packets
Dropped(packets) Number of discarded packets
Dropped(flows) Number of discarded flows
Replied Number of response packets. The response packets are used for TCP SYN cookie.
Dropped List of dropped packets
Black-list Number of packets discarded due to the blacklist
rate-limit Number of packets discarded due to the rate limit policy
policy-drop(packets) Number of packets discarded due to other policies
policy-drop(flows) Number of flows discarded due to other policies
tcp-session-limit Number of packets discarded due to the rate limit policy of TCP sessions.
udp-session-limit Number of packets discarded due to the rate limit policy of UDP sessions.
icmp-session-limit Number of packets discarded due to the rate limit policy of ICMP sessions.
other-protocol-session-limit Number of packets discarded due to the rate limit policy of sessions of other protocols.
tcp syn-in Number of response TCP SYN packets.
tcp half-connin Number of packets that do not finish the TCP handshake.

The following example displays statistics of host objects relevant to the domain.
Ruijie# show defend-zone web host
Host protected (inside defend object): 178
Host monitored (outside defend object): 5732
Free host objects: 8372783 (Total)
Field description:
Field Description
Host protected (inside defend object) Number of monitored hosts in the network attack defense domain
Host monitored (outside defend object) Number of monitored hosts outside the network attack defense domain
Free host objects Number of idle host objects

17.1.26 show defend-zone traffic-snapshot

Use this command to display the current traffic snapshot of a network attack defense domain.
show defend-zone net-defend-zone-name traffic-snapshot { tcp [ syns-in | conn-in | half-conn-in | bandwidth ] [ topn ] | http [ syns-in | conn-in ] | { ip | udp | icmp } [ bandwidth | pkts ] }

Parameter Description
net-defend-zone-name Indicates the name of a network attack defense domain.
tcp Indicates statistics on TCP data flows.
http Indicates statistics on HTTP data flows.
ip Indicates statistics on IP data flows.
udp Indicates statistics on UDP data flows.
icmp Indicates statistics on ICMP data flows.
syns-in Indicates the rate of TCP SYN packets that enter the network attack defense domain.
conn-in Indicates the number of concurrent connections that enter the network attack defense domain.
half-conn-in Indicates the number of semi-connections that enter the network attack defense domain.
bandwidth Indicates the bandwidth of traffic that enters the network attack defense domain.
topn Lists the Top10 hosts.
pkts Indicates the number of packets per second.

Command Mode Privileged EXEC mode

Default Level 14

Usage Guide This command is used to display the current traffic snapshot of a network attack defense domain. You
can define parameters so that the snapshot of a specific type of traffic is displayed.

Configuration Examples The following example displays a snapshot of all traffic.
Ruijie# show defend-zone web traffic-snapshot
Total Pkts current bps
Received 1234567891 12567893
Dropped 1934823 289302
Replied 12114 1983

TCP FLOW:
Syns in: 672 pps
Connections(in): 987374
Half-connections (in): 23453
Bandwidth (in): 573823453 bps
Bandwidth (out): 829353321 bps

HTTP FLOW:
Syns in:1200 pps
Connections(in): 987374

UDP FLOW:
Pkts (in):289 pps
Pkts (out):289 pps
Bandwidth (in): 57382 bps
Bandwidth (out): 8293 bps

ICMP FLOW:
Pkts (in):289 pps
Pkts (out):289 pps
Bandwidth (in): 57382 bps
Bandwidth (out): 8293 bps

IP FLOW:
Pkts (in):289 pps
Pkts (out):289 pps
Bandwidth (in): 57382 bps
Bandwidth (out): 8293 bps
Field description:
Field Description
Total Pkts Number of packets
current bps Current rate, in bits per second
Received Statistics on received packets
Dropped Statistics on discarded packets
Replied Statistics on response packets
Syns in Rate of SYN packets that enter the network attack defense domain
Connections(in) Number of concurrent connections that enter the network attack defense domain
Half-connections (in) Number of semi-connections that enter the network attack defense domain
Bandwidth (in) Bandwidth of traffic that enters the network attack defense domain
Bandwidth (out) Bandwidth of traffic that leaves the network attack defense domain
Pkts (in) Number of packets that enter the network attack defense domain
Pkts (out) Number of packets that leave the network attack defense domain

The following example displays a snapshot of the current TCP connection creation rate and the TopN
hosts with the highest rate.
Ruijie# show defend-zone web traffic-snapshot tcp syns-in topn
TCP FLOW
Syns-in : 1200 pps
Top 10 Sources:
10.23.45.21 450
121.2.65.90 350
121.2.65.94 300
121.2.62.97 120
121.2.66.121 60
121.2.61.9 35
121.2.60.81 35
121.2.60.82 23
121.2.60.84 10
121.2.60.86 8
Field description:
Field Description
Top 10 Sources Top 10 hosts that create the most connections

17.1.27 show defend-zone running-protect

Use this command to display ongoing attacks and protection in a network attack defense domain.
show defend-zone net-defend-zone-name running-protect [ tcp-auth | tcp-unauth | icmp | udp | other-protocol | scan | protect-id | attack { tcp-syn-flood | tcp-conn-flood | udp-spoof-flood | icmp-spoof-flood | other-spoof-flood | udp-flood | icmp-flood | other-flood | scan } ]

Parameter Description
net-defend-zone-name Indicates the name of a network attack defense domain.
tcp-auth Indicates attacks that are defended against by a policy of the tcp-auth type.
tcp-unauth Indicates attacks that are defended against by a policy of the tcp-unauth type.
icmp Indicates attacks that are defended against by a policy of the icmp type.
udp Indicates attacks that are defended against by a policy of the udp type.
other-protocol Indicates attacks that are defended against by a policy of the other-protocol type.
protect-id Indicates the protection policy ID. This ID uniquely identifies a protection policy that the system enables against each attack.
tcp-syn-flood Indicates the TCP SYN flood attack type.
tcp-conn-flood Indicates the TCP connection flood attack type.
udp-spoof-flood Indicates the UDP flood attack type.
icmp-spoof-flood Indicates the ICMP flood attack type.
other-spoof-flood Indicates other flood attack type.
udp-flood Indicates the UDP flood attack type.
icmp-flood Indicates the ICMP flood attack type.
other-flood Indicates other flood attack type.
scan Indicates the scanning attack type.

Command Mode Privileged EXEC mode

Default Level 14

Usage Guide This command is used to display ongoing attacks and protection in a network attack defense domain.
The results can be displayed by attack defense policy or attack type.

Configuration Examples The following example displays ongoing protection in the network attack defense domain.
Ruijie# show defend-zone web running-protect
Defend zone: ‘web’, Total report: 1
Attack type: ‘TCP SYN Flood’
id: 823
Begin:2012-5-9 12:03:04 ,timeout 60s
Flow: *  172.15.0.12, Action: Anti-spoofing(syn cookie)
Policy: tcp-unauth:half-conn:dst_ip
Threshold:100, current: 80
Received:2300, Replied: 1300, Dropped:103, Auth host: 108
Field description:
Field Description
Attack type Attack type
id Attack ID. A unique ID is generated for each attack instance.
Begin Start time of an attack
timeout Protection duration after an attack is stopped
Flow Attack data flow. An asterisk (*) indicates that the IP address is not static.
Action Protection behavior against the attack
Policy Policy that identifies the attack
Threshold Threshold
Received Number of packets processed due to the protection policy
Replied Number of response packets given due to the protection policy
Dropped Number of packets discarded due to the protection policy
Auth host Number of authenticated hosts
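An added example (not Ruijie code) that parses the show defend-zone running-protect output above into one record per report, so the fields can be forwarded to a SIEM or checked by a monitoring script. SAMPLE is the output shown in the configuration example; the parser assumes the layout seen there (comma-separated key: value pairs, the colon-less "timeout 60s" token on the Begin line, and one report per Attack type line). The function names `parse_running_protect` and `summarize` are constructed here.

```python
"""Parse `show defend-zone <zone> running-protect` output into records.

Added example, not Ruijie code.  SAMPLE is the output shown above; the parser
splits each line into comma-separated "key: value" pairs, treats the
colon-less "timeout 60s" token on the Begin line as a special case, and uses
the first colon as the separator so values that themselves contain colons
(the Begin timestamp, the Policy string) survive intact.
"""
from datetime import datetime
import re

SAMPLE = """\
Ruijie# show defend-zone web running-protect
Defend zone: ‘web’, Total report: 1
Attack type: ‘TCP SYN Flood’
id: 823
Begin:2012-5-9 12:03:04 ,timeout 60s
Flow: *  172.15.0.12, Action: Anti-spoofing(syn cookie)
Policy: tcp-unauth:half-conn:dst_ip
Threshold:100, current: 80
Received:2300, Replied: 1300, Dropped:103, Auth host: 108
"""

HEADER_RE = re.compile(r"^Defend zone:\s*[‘']?(?P<zone>[^’',]+)[’']?\s*,\s*Total report:\s*\d+")
QUOTES = "‘’'"


def _value(key, raw):
    """Convert a raw field to int / datetime / seconds where the field calls for it."""
    raw = raw.strip()
    if key == "Begin":
        return datetime.strptime(raw, "%Y-%m-%d %H:%M:%S")
    if key == "timeout":
        return int(raw.rstrip("s"))            # "60s" -> 60
    if re.fullmatch(r"\d+", raw):
        return int(raw)
    return raw.strip(QUOTES)                   # ‘TCP SYN Flood’ -> TCP SYN Flood


def parse_running_protect(text):
    """Return (zone name, list of report dicts keyed by the field names the device prints)."""
    zone, reports, current = None, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Ruijie"):
            continue                           # prompt / command echo
        header = HEADER_RE.match(line)
        if header:
            zone = header.group("zone").strip()
            continue
        for piece in line.split(","):
            piece = piece.strip()
            if ":" in piece:
                parts = piece.split(":", 1)
            else:
                parts = piece.split(None, 1)   # "timeout 60s"
            if len(parts) != 2:
                continue
            key = parts[0].strip()
            if key == "Attack type":           # every report starts with this field
                current = {}
                reports.append(current)
            if current is not None:
                current[key] = _value(key, parts[1])
    return zone, reports


def summarize(report):
    """What an operator checks first: target, whether the rate is still over threshold, drop ratio."""
    flow = report.get("Flow", "")
    received = report.get("Received", 0)
    return {
        "id": report.get("id"),
        "attack": report.get("Attack type"),
        "target": flow.split()[-1] if flow else None,
        "active_over_threshold": report.get("current", 0) > report.get("Threshold", 0),
        "drop_ratio": round(report.get("Dropped", 0) / received, 3) if received else 0.0,
    }


if __name__ == "__main__":
    zone, reports = parse_running_protect(SAMPLE)
    for report in reports:
        print(zone, summarize(report))
```

In the sample the current rate (80) is already below the threshold (100), so the report is in its timeout period; the Dropped/Received ratio shows how much of the flow the SYN cookie policy actually discarded versus answered.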

17.1.28 show defend-zone report


Use this command to display stopped attacks in a network attack defense domain.
show defend-zone net-defend-zone-name report [ begin-date [ begin-hour ] [ to end-date [ end-hour ] ] ] [ tcp-auth | tcp-unauth | icmp | udp | other-protocol | scan | attack { tcp-syn-flood | tcp-conn-flood | udp-spoof-flood | icmp-spoof-flood | other-spoof-flood | udp-flood | icmp-flood | other-flood | scan } ]

Parameter Description
net-defend-zone-name Indicates the name of a network attack defense domain.
begin-date Indicates the start date, in the format of YYYY-MM-DD.
begin-hour Indicates the start hour. The value ranges from 0 to 23.
end-date Indicates the end date, in the format of YYYY-MM-DD.
end-hour Indicates the end hour. The value ranges from 0 to 23.
tcp-auth Indicates attacks that are defended against by a policy of the tcp-auth type.
tcp-unauth Indicates attacks that are defended against by a policy of the tcp-unauth type.
icmp Indicates attacks that are defended against by a policy of the icmp type.
udp Indicates attacks that are defended against by a policy of the udp type.
other-protocol Indicates attacks that are defended against by a policy of the other-protocol type.
tcp-syn-flood Indicates the TCP SYN flood attack type.
tcp-conn-flood Indicates the TCP connection flood attack type.
udp-spoof-flood Indicates the UDP flood attack type.
icmp-spoof-flood Indicates the ICMP flood attack type.
other-spoof-flood Indicates other flood attack type.
udp-flood Indicates the UDP flood attack type.
icmp-flood Indicates the ICMP flood attack type.
other-flood Indicates other flood attack type.
scan Indicates the scanning attack type.

Command Mode Privileged EXEC mode

Default Level 14

Usage Guide This command is used to display stopped attacks in a network attack defense domain. The results can
be displayed by attack defense policy or attack type. You can specify the date range.

Note: The network attack defense function keeps attack reports for the last seven days.

Configuration Examples The following example displays attack protection reports archived on 2012-5-9.
Ruijie# show defend-zone web report 2012-5-9
Defend zone: web, Total report: 1
Attack type: ‘TCP SYN Flood’
2012-5-9 12:03:04 ~ 2012-5-9 15:06:04
Flow: * -> 172.15.0.12, Action: Anti-spoofing(syn cookie)
Policy: tcp-unauth:half-conn:dst_ip
Threshold: 100, Action: Anti-spoofing(syn cookie)
Received: 10928, Replied: 8790, Dropped: 405
Field description:
Field Description
2012-5-9 12:03:04 ~ 2012-5-9 15:06:04 Indicates the start time and end time of the attack.
Attack type Attack type
Flow Attack data flow. An asterisk (*) indicates that the IP address is not static (the source is spoofed or changing).
Action Protection behavior against the attack
Policy Policy that identifies the attack
Threshold Threshold of the policy that identified the attack
Received Number of packets processed due to the protection policy
Replied Number of response packets given due to the protection policy
Dropped Number of packets discarded due to the protection policy
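The following script is added here as a worked example and is not part of the Ruijie command reference. It parses the two output formats shown above (running-protect and report) into records so that the counters can be pushed to monitoring, and computes the share of policy-processed packets that were dropped. The regular expressions are assumptions about the printed layout, derived from the two samples in this chapter; a different firmware may change spacing or quoting.

```python
"""Parse 'show defend-zone ... running-protect' and 'show defend-zone ... report'
output into records and compute a drop ratio.

Added example, not Ruijie code: the layouts are taken from the two samples
in this chapter; real output may differ in spacing or quoting, so every
pattern below is an assumption about the printed format."""
import re

# Constructed sample: the running-protect output shown above.
RUNNING_SAMPLE = """Defend zone: 'web', Total report: 1
Attack type: 'TCP SYN Flood'
id: 823
Begin:2012-5-9 12:03:04 ,timeout 60s
Flow: * -> 172.15.0.12, Action: Anti-spoofing(syn cookie)
Policy: tcp-unauth:half-conn:dst_ip
Threshold:100, current: 80
Received:2300, Replied: 1300, Dropped:103, Auth host: 108
"""

# Constructed sample: the archived report output shown above.
REPORT_SAMPLE = """Defend zone: web, Total report: 1
Attack type: 'TCP SYN Flood'
2012-5-9 12:03:04 ~ 2012-5-9 15:06:04
Flow: * -> 172.15.0.12, Action: Anti-spoofing(syn cookie)
Policy: tcp-unauth:half-conn:dst_ip
Threshold: 100, Action: Anti-spoofing(syn cookie)
Received: 10928, Replied: 8790, Dropped: 405
"""

_KV = re.compile(r"([A-Za-z ]+?)\s*:\s*([^,]+)")  # comma-separated "Key: value" pairs
_RANGE = re.compile(r"^(\S+ \S+) ~ (\S+ \S+)$")   # "begin ~ end" line of a report


def parse_defend_zone(text):
    """Return one dict per 'Attack type:' block; keys are lower-case field names."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Attack type:"):
            cur = {"attack_type": line.split(":", 1)[1].strip().strip("'\u2018\u2019")}
            records.append(cur)
            continue
        if not line or cur is None:        # blank lines and the 'Defend zone:' header
            continue
        if line.startswith("Begin:"):      # running-protect: "Begin:<time> ,timeout <n>s"
            stamp, _, tail = line[len("Begin:"):].partition(",")
            cur["begin"] = stamp.strip()
            m = re.search(r"timeout\s+(\d+)s", tail)
            if m:
                cur["timeout_s"] = int(m.group(1))
            continue
        m = _RANGE.match(line)             # report: "<begin> ~ <end>"
        if m:
            cur["begin"], cur["end"] = m.group(1), m.group(2)
            continue
        if line.startswith("Flow:"):       # "Flow: <src> -> <dst>, Action: ..."
            flow, _, line = line[len("Flow:"):].partition(",")
            src, _, dst = flow.strip().partition(" -> ")
            cur["src"] = None if src == "*" else src   # '*' = non-static (spoofed) source
            cur["dst"] = dst
        for key, val in _KV.findall(line):
            key = key.strip().lower().replace(" ", "_")
            val = val.strip()
            cur.setdefault(key, int(val) if val.isdigit() else val)  # keep the first 'Action'
    return records


def drop_ratio(rec):
    """Share of policy-processed packets that were discarded (0.0 if none were seen)."""
    return rec["dropped"] / rec["received"] if rec.get("received") else 0.0
```

A high drop ratio together with a low Auth host count is the signature of a mostly spoofed SYN flood: the SYN cookies are replied to but almost nobody completes the handshake.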

17.1.29 show net-defend learning


Use this command to display policy learning results of a network attack defense domain.
show net-defend learning net-defend-zone-name

Use the global form of this command to display policy learning results of global protection.
show net-defend learning global

Parameter Description
net-defend-zone-name Indicates the name of a network attack defense domain.
global Indicates global protection.

Command Mode Privileged EXEC mode

Default Level 14

Usage Guide This command is used to display policy learning results. Check a learned policy and adjust its thresholds before configuring it on a device. While learning is still in progress, you can also view the interim result, which reflects only the traffic observed so far in the current learning period.

Configuration Examples The following example displays policy learning results of a network attack defense domain.
Ruijie# show net-defend learning web
Learning status:Finished (End time: 2022-3-12 15:00:30)
<TCP flow statistic (in)>
Every dst-ip:
Max half connection: 200
Max syns (pps): 100
Every auth-src-ip:
Max half connection: 20
Max connection: 500
Max syns (pps): 50
Global:
Max half connection: 293829
Max syns (pps): 1453
<UDP flow statistic (in) >


Every dst-ip:
Max UDP flow rate(pps): 3024
Max unauth-src UDP flow rate(pps): 2000
Every auth-src-ip:
Max UDP flow rate(pps): 1000
Global:
Max UDP flow rate(pps): 60345
Max unauth-src UDP flow rate(pps): 3000
<ICMP flow statistic (in) >
Every dst-ip:
Max ICMP flow rate(pps): 0
Max unauth-src ICMP flow rate(pps): 0
Every auth-src-ip:
Max ICMP flow rate(pps): 0
Global:
Max ICMP flow rate(pps): 0
Max unauth-src ICMP flow rate(pps): 0
<Other-protocol flow statistic (in) >
Every dst-ip:
Max other-protocol flow rate(pps): 0
Max unauth-src other-protocol flow rate(pps): 0
Every auth-src-ip:
Max other-protocol flow rate(pps): 0
Global:
Max other-protocol flow rate(pps): 0
Max unauth-src other-protocol flow rate(pps): 0

Advised net-defend policies for defend-zone 'web':

! These policies for anti-spoofing (TCP SYN Flooding Attack)
tcp-unauth half-conn-in dst-ip threshold 200 action anti-spoofing
tcp-unauth half-conn-in global threshold 293829 action anti-spoofing
tcp-unauth syns-in dst-ip threshold 100 action anti-spoofing
tcp-unauth syns-in global threshold 1453 action anti-spoofing

! These policies for Client Attack
tcp-auth conn-in src-ip threshold 1000 action notify
tcp-auth half-conn-in src-ip threshold 20 action notify
tcp-auth syns-in src-ip threshold 50 action notify

! These policies for UDP/ICMP/Other-protocol Flooding Attack
udp unauth-src-in global threshold 2000 action notify
udp auth-src-in src-ip threshold 1000 action notify
udp pkt-in global threshold 60345 action notify
udp pkt-in dst-ip threshold 3024 action notify
icmp unauth-src-in global threshold 10 timeout 600 action notify
icmp auth-src-in src-ip threshold 3 timeout 600 action notify
other-protocol unauth-src-in global threshold 10 timeout 600 action notify
other-protocol auth-src-in src-ip threshold 5 timeout 600 action notify
Field description:
Field Description
Learning status Policy learning status
End time End time
Every dst-ip Every destination host
Every auth-src-ip Every host that passes source verification (using an authentic IP address rather than a fake IP address)
Global Entire domain
Max half connection Maximum number of concurrent semi-connections
Max syns (pps) Maximum rate of TCP SYN packets (pps)
Max connection Maximum number of concurrent connections
Max unauth-src UDP flow rate(pps) Maximum rate of UDP traffic that does not pass source verification (may be from fake source addresses)
Max unauth-src ICMP flow rate(pps) Maximum rate of ICMP traffic that does not pass source verification (may be from fake source addresses)
Max unauth-src Other-protocol flow rate(pps) Maximum rate of other types of traffic that does not pass source verification (may be from fake source addresses)
Max UDP flow rate(pps) Maximum UDP packet rate
Max ICMP flow rate(pps) Maximum ICMP packet rate
Max Other-protocol flow rate(pps) Maximum rate of other type of packets
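The following script is an added example, not Ruijie code, showing what a learning period records for the TCP part of the output above and how advised policy lines in this chapter's syntax follow from those peaks. The device itself learns from its own counters; here the maxima are computed from a constructed stream of connection events, and the assumption that a completed handshake marks a source as "auth-src-ip" is a simplification. The sample window deliberately contains a spoofed SYN burst, which is why the usage guide says to review learned thresholds before applying them.

```python
"""What a learning period records and how the advised TCP policy lines are
derived from it, for 'show net-defend learning'.

Added example, not Ruijie code: the device learns from hardware counters;
here the maxima are computed from a constructed connection event stream,
and the simplifying assumptions are marked in comments."""
from collections import defaultdict


def learn(events):
    """events: time-ordered (t_seconds, src, dst, conn_id, kind), kind in
    'syn' | 'est' | 'fin'. Returns the peak values a learning period would store."""
    half_dst, half_src, conn_src = defaultdict(int), defaultdict(int), defaultdict(int)
    syn_dst, syn_src, syn_glob = defaultdict(int), defaultdict(int), defaultdict(int)
    state, authed, glob_half = {}, set(), 0   # authed: sources that ever completed a handshake
    mx = defaultdict(int)
    for t, src, dst, cid, kind in events:
        if kind == "syn":
            state[cid] = "half"
            half_dst[dst] += 1; half_src[src] += 1; glob_half += 1
            syn_dst[(dst, t)] += 1; syn_src[(src, t)] += 1; syn_glob[t] += 1
        elif kind == "est" and state.get(cid) == "half":
            state[cid] = "est"; authed.add(src)   # assumption: a completed handshake proves the source
            half_dst[dst] -= 1; half_src[src] -= 1; glob_half -= 1
            conn_src[src] += 1
        elif kind == "fin" and state.pop(cid, None) == "est":
            conn_src[src] -= 1
        mx["dst_half"] = max(mx["dst_half"], half_dst[dst])        # Every dst-ip: Max half connection
        mx["dst_syns"] = max(mx["dst_syns"], syn_dst[(dst, t)])    # Every dst-ip: Max syns (pps)
        mx["global_half"] = max(mx["global_half"], glob_half)      # Global: Max half connection
        mx["global_syns"] = max(mx["global_syns"], syn_glob[t])    # Global: Max syns (pps)
        if src in authed:                                          # Every auth-src-ip
            mx["src_half"] = max(mx["src_half"], half_src[src])
            mx["src_conn"] = max(mx["src_conn"], conn_src[src])
            mx["src_syns"] = max(mx["src_syns"], syn_src[(src, t)])
    return dict(mx)


def advise(mx, headroom=1.0):
    """Policy lines in this chapter's syntax. headroom > 1.0 scales the learned
    peaks up; the learned values are peaks, not averages, so apply them as-is
    only if the learning window was known to be attack-free."""
    h = lambda k: max(1, int(mx.get(k, 0) * headroom))
    return [
        f"tcp-unauth half-conn-in dst-ip threshold {h('dst_half')} action anti-spoofing",
        f"tcp-unauth half-conn-in global threshold {h('global_half')} action anti-spoofing",
        f"tcp-unauth syns-in dst-ip threshold {h('dst_syns')} action anti-spoofing",
        f"tcp-unauth syns-in global threshold {h('global_syns')} action anti-spoofing",
        f"tcp-auth conn-in src-ip threshold {h('src_conn')} action notify",
        f"tcp-auth half-conn-in src-ip threshold {h('src_half')} action notify",
        f"tcp-auth syns-in src-ip threshold {h('src_syns')} action notify",
    ]


def sample_events(dst="172.15.0.12"):
    """Constructed window: one genuine client plus a 100-SYN spoofed burst in
    second 1 that never completes. Learning on such a window bakes the flood
    into the advised thresholds, which is why the results must be reviewed."""
    ev = []
    for i in range(3):                                  # second 0: three real connections
        ev.append((0, "10.0.0.5", dst, f"c{i}", "syn"))
    for i in range(3):
        ev.append((0, "10.0.0.5", dst, f"c{i}", "est"))
    for i in range(3, 5):                               # second 1: two more, then the flood
        ev += [(1, "10.0.0.5", dst, f"c{i}", "syn"), (1, "10.0.0.5", dst, f"c{i}", "est")]
    ev += [(1, f"203.0.113.{i % 250}", dst, f"f{i}", "syn") for i in range(100)]
    ev.append((2, "10.0.0.5", dst, "c0", "fin"))        # second 2: one real connection closes
    return ev
```

With the constructed window, the advised dst-ip half-connection threshold comes out at 100, the size of the spoofed burst rather than the genuine peak of 3; an operator applying it unreviewed would leave the flood below the anti-spoofing trigger.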

17.1.30 show scan parameter


Use this command to display anti-scanning parameter configuration.
show scan parameter

Parameter Description
N/A N/A

Command Mode Privileged EXEC mode

Default Level 14


Usage Guide This command is used to display anti-scanning parameter configuration. For modified parameters,
the original default values are displayed in parentheses following the current values.
You can run the scan policy command to adjust default parameter values.

Configuration Examples The following example displays current anti-scanning parameters.
Ruijie# show scan parameter
                  Period   Times  New conns  Rejected conns  IP count  Port count
---------------------------------------------------------------------------------
TCP(L)            100(60)  3(1)   NA         50              30        30
TCP(M)            90       1      50         25              25        25
TCP(H)            300      1      50         20              20        20
UDP(L)            100(60)  3(1)   NA         50              30        30
UDP(M)            90       1      50         20              25        25
UDP(H)            300      1      50         17              20        20
ICMP(L)           100(60)  3(1)   NA         50              35        NA
ICMP(M)           90       1      40         25              25        NA
ICMP(H)           300      1      30         20              20        NA
Other-protocol(L) 100(60)  3(1)   NA         50              30        30
Other-protocol(M) 90       1      40         30              25        25
Other-protocol(H) 300      1      40         20              20        20
Field description:
Field Description
Period Recovery period of the scanning behavior detection counters. If a counter reaches its configured anti-scanning threshold within this period, scanning behavior is detected for that period.
Times Number of consecutive periods in which scanning behavior must be detected before a scanning attack is judged to have occurred.
New conns Number of new abnormal connections, that is, new connections that do not enter the established state in the detection period.
Rejected conns Number of connections rejected in the detection period, for example, connections for which the peer responds with RST or unreachable.
IP count Number of changes on destination IP addresses of new connections in the detection period.
Port count Number of changes on destination ports of new connections in the detection period.

17.1.31 stop net-defend learning


Use this command to stop policy learning in a network attack defense domain.
stop net-defend learning net-defend-zone-name

Use the global form of this command to stop policy learning of global protection.
stop net-defend learning global

Parameter Description
net-defend-zone-name Indicates the name of a network attack defense domain.
global Indicates global protection.

Command Mode Privileged EXEC mode

Default Level 14

Usage Guide This command is used to stop policy learning.

Configuration Examples The following example stops policy learning.
Ruijie# stop net-defend learning web

17.1.32 sync defend config


Use this command to manually synchronize the current attack defense configuration to the kernel
module.
sync defend config [ net-defend-zone-name ] [ force ]

Parameter Description
net-defend-zone-name Indicates the name of a network attack defense domain.
force Forcibly clears the attack defense configuration on the service module of the firewall and then synchronizes the configuration.

Command Mode Privileged EXEC mode

Default Level 14

Usage Guide When the attack defense module on the service module of the firewall malfunctions (for example, due to insufficient resources), you can synchronize the configuration to restore the status of the attack defense service module. This command is used to synchronize the current attack defense configuration.
If the name of a network attack defense domain is specified, this command synchronizes the
configuration of this domain to the kernel service module of the firewall. If no domain name is specified,
this command synchronizes all network attack defense configuration to the kernel service module of
the firewall.
When the force keyword is used, the configuration on the service module of the firewall is cleared,
and then the synchronization is started.

Configuration Examples The following example forcibly synchronizes all network attack defense configuration to the kernel service module of the firewall.
Ruijie# sync defend config force

17.1.33 tcp
This command is used to configure global protection to defend all firewall traffic against TCP SYN
Flood attacks. Use the no form of this command to cancel configuring global protection to defend all
firewall traffic against TCP SYN Flood attacks. Use the default form of this command to restore the
default settings.
tcp { syns-in | half-conn-in } global threshold threshold-num action anti-spoofing
no tcp { syns-in | half-conn-in } global
default tcp { syns-in | half-conn-in } global

Parameter Description
syns-in Indicates the rate of TCP SYN packets that enter a network attack defense domain.
half-conn-in Indicates the number of incomplete TCP handshake connections initiated to a network attack defense domain.
threshold threshold-num When syns-in is set, it indicates the maximum number of packets per second (pps) and the value ranges from 1 to 800,000. When half-conn-in is set, it indicates the maximum number of semi-connections and the value ranges from 1 to 10,000,000.
anti-spoofing Conducts TCP SYN cookie anti-spoofing on traffic exceeding the threshold.

Defaults The default value of syns-in is 300,000 and the default value of half-conn-in is 4,000,000.

Command Mode config-defend-zone configuration mode

Default Level 14

Usage Guide This command is used to configure global protection to defend all firewall traffic against TCP SYN
Flood attacks.


Attack defense is started when the rate of SYN packets that pass through the firewall exceeds the
threshold or the number of TCP semi-connections exceeds the threshold.
Global protection is enabled by default. It needs to be disabled when the firewall performance and
capacity are tested.

Note: No log is generated for global protection.

Configuration Examples The following example applies TCP SYN cookie anti-spoofing when the number of TCP semi-connections on the current device exceeds 100,000.
Ruijie(config)# defend-zone global
Ruijie(config-defend-global)# tcp half-conn-in global threshold 100000 action anti-spoofing
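The following script is an added example, not Ruijie code, showing the mechanism behind action anti-spoofing: a TCP SYN cookie. The firewall answers every SYN with a SYN-ACK whose initial sequence number encodes a time counter, an MSS hint and a keyed MAC over the 4-tuple, and keeps no half-connection entry. Only a host that really received the SYN-ACK can return the matching ACK, which is what the "Auth host" counter in show defend-zone running-protect counts. The cookie layout (5-bit time counter, 3-bit MSS index, 24-bit MAC) follows the classic Bernstein/Linux scheme; how a particular firewall encodes its cookies is an assumption.

```python
"""TCP SYN cookies: the stateless 'anti-spoofing' used by the tcp-unauth
half-conn-in / syns-in policies.

Added example, not Ruijie code. The cookie layout (5-bit time counter,
3-bit MSS index, 24-bit keyed MAC) follows the classic Bernstein/Linux
scheme; how a particular firewall encodes its cookies is an assumption."""
import hashlib
import hmac
import ipaddress
import struct

MSS_TABLE = (536, 1220, 1440, 1460)   # the few MSS values the 3-bit field can carry
SECRET = b"constructed-demo-key"      # per-device secret; rotate it in production
MAX_AGE_TICKS = 2                      # SYN-ACKs older than this (in ticks) are rejected


def _mac24(src, dst, sport, dport, t5, idx):
    """24-bit keyed MAC over the 4-tuple, the 5-bit time counter and the MSS index."""
    msg = struct.pack("!4s4sHHBB", ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed, sport, dport, t5, idx)
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_cookie(src, dst, sport, dport, mss, tick):
    """ISN for the SYN-ACK. Nothing is stored: the firewall forgets the SYN
    as soon as it replies, so spoofed SYNs cost it no half-connection entry."""
    t5 = tick & 0x1F
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = int.from_bytes(_mac24(src, dst, sport, dport, t5, idx), "big")
    return (t5 << 27) | (idx << 24) | mac


def check_cookie(src, dst, sport, dport, ack, now_tick):
    """Validate the third handshake packet (ack == cookie + 1). Only a host that
    really received the SYN-ACK can answer, so a valid ACK proves the source.
    Returns the negotiated MSS, or None for forged, tampered or stale ACKs."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t5, idx = cookie >> 27, (cookie >> 24) & 0x7
    if idx >= len(MSS_TABLE) or (now_tick - t5) & 0x1F > MAX_AGE_TICKS:
        return None
    expected = _mac24(src, dst, sport, dport, t5, idx)
    if not hmac.compare_digest((cookie & 0xFFFFFF).to_bytes(3, "big"), expected):
        return None
    return MSS_TABLE[idx]


def handshake_stats(syns, acks, now_tick):
    """Replied = every SYN got a cookie SYN-ACK; Auth host = ACKs that validated.
    Spoofed sources never see the SYN-ACK, so they never appear in 'acks'."""
    replied = len(syns)
    authed = sum(1 for (s, d, sp, dp, ack) in acks
                 if check_cookie(s, d, sp, dp, ack, now_tick) is not None)
    return replied, authed
```

The cost of the scheme is visible in the MSS table: TCP options that do not fit in the cookie are lost, which is why the policy is applied only above a threshold rather than to all traffic.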

17.1.34 tcp-auth
Use this command to configure a policy for defending against TCP traffic from authentic source IP
addresses. Use the no form of this command to cancel the policy for defending against TCP traffic
from authentic source IP addresses. Use the default form of this command to restore the default
settings.
tcp-auth { conn-in | half-conn-in | syns-in } src-ip threshold threshold-num [ timeout seconds ]
action { limit | blocking | notify }
no tcp-auth { conn-in | half-conn-in | syns-in } src-ip
default tcp-auth { conn-in | half-conn-in | syns-in } src-ip

Parameter Description
conn-in Indicates the number of TCP connections initiated to a network attack defense domain.
syns-in Indicates the rate of TCP SYN packets that enter a network attack defense domain.
half-conn-in Indicates the number of incomplete TCP handshake connections initiated to a network attack defense domain.
threshold threshold-num When conn-in or half-conn-in is set, it indicates the maximum number of connections and the value ranges from 1 to 10,000,000. When syns-in is set, it indicates the maximum number of packets per second (pps) and the value ranges from 1 to 800,000.
timeout seconds Indicates the minimum execution duration of the policy, in seconds. The default value is 60. The value ranges from 10 to 86,400.
src-ip Indicates that the policy is applied to identify packets from each source host.
limit Limits the traffic to the value of threshold-num.
blocking Blocks all traffic of the host that enters and leaves the attack defense domain.
notify Records the attack event only.


Defaults No such a policy is configured by default.

Command Mode config-defend-zone configuration mode

Default Level 14

Usage Guide The device starts the defense mechanism when the number of TCP concurrent connections (conn-in)
initiated from any authentic source host (src-ip) to a network attack defense domain exceeds the
threshold, the number of incomplete TCP handshake semi-connections (half-conn-in) exceeds the
threshold, or the rate of initiated TCP SYN packets exceeds the threshold. The device limits the
number of concurrent connections or the rate (according to the threshold) or blocks all traffic of the
source host that enters or leaves the network attack defense domain (according to the policy execution
time). The policy execution duration is not shorter than the value of seconds.

Configuration Examples The following example configures a policy, in which when the number of TCP semi-connections initiated from a source host (using an authentic source IP address) to the network attack defense domain named web exceeds 200, the device blocks all traffic of the host that enters or leaves the domain for at least 3600s (1 hour).
Ruijie(config)# defend-zone web
Ruijie(config-defend-zone)# tcp-auth half-conn-in src-ip threshold 200 timeout 3600 action blocking
Ruijie(config-defend-zone)# exit

17.1.35 threshold
Use this command to configure scanning detection thresholds for each sensitivity. Use the no form of
this command to delete configured scanning detection thresholds of each sensitivity. Use the default
form of this command to restore the default settings.
threshold { low | medium | high } [ protocol { tcp | udp | icmp | other-protocol } ] { ip-count |
port-count | new-conn | reject-conn } threshold-num
no threshold { low | medium | high } [ protocol { tcp | udp | icmp | other-protocol } ] { ip-count
| port-count | new-conn | reject-conn }
default threshold { low | medium | high } [ protocol { tcp | udp | icmp | other-protocol } ] { ip-
count | port-count | new-conn | reject-conn }

Parameter Description
low Indicates detection at low sensitivity.
medium Indicates detection at medium sensitivity.
high Indicates detection at high sensitivity.
icmp Indicates the ICMP protocol.
other-protocol Indicates protocols other than TCP, UDP, and ICMP.
tcp Indicates the TCP protocol.
udp Indicates the UDP protocol.

ip-count Indicates the threshold of IP address changes in a scanning attack event.
port-count Indicates the threshold of port changes in a scanning attack event.
new-conn Indicates the threshold of new connections in a scanning attack event.
reject-conn Indicates the threshold of rejected connections in a scanning attack event.
threshold-num Indicates the threshold of scanning detection parameters. When the parameter is ip-count, port-count, or reject-conn, the value ranges from 1 to 2,000. When the parameter is new-conn, the value ranges from 10 to 2,000.

Defaults You can run the show scan parameter command to display default values of parameters and current
parameter configuration. For field descriptions, see the show scan parameter command.

Command Mode config-scan-policy configuration mode

Default Level 14

Usage Guide This command is used to set the anti-scanning detection threshold for each sensitivity.

Configuration The following example configures low-sensitivity detection and sets the threshold of TCP port
Examples changes to 100.
Ruijie(config)# scan policy
Ruijie(config-scan-policy)# threshold low protocol tcp port-count 100

Verification Run the show scan parameter command to display adjusted parameter results.
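The following script is an added example, not Ruijie code, showing how the Period, Times, New conns, Rejected conns, IP count and Port count parameters of show scan parameter combine into a scan verdict: counters are kept per source and reset every Period, and a source is judged scanning only when some counter reaches its threshold in Times consecutive periods. The two profiles are copied from the TCP(L) and TCP(M) rows of the sample output; the column mapping and the "consecutive periods" reading of Times are assumptions, and the traffic is constructed.

```python
"""Scanning detection with the Period / Times / New conns / Rejected conns /
IP count / Port count parameters displayed by 'show scan parameter'.

Added example, not Ruijie code. Thresholds below are copied from the
TCP(L) and TCP(M) rows of the sample output; the column mapping and the
'consecutive periods' interpretation of Times are assumptions."""
from collections import defaultdict


class ScanProfile:
    """One sensitivity row. A threshold of None (shown as NA) is not evaluated."""
    def __init__(self, period, times, new_conn, reject_conn, ip_count, port_count):
        self.period, self.times = period, times
        self.new_conn, self.reject_conn = new_conn, reject_conn
        self.ip_count, self.port_count = ip_count, port_count


TCP_LOW = ScanProfile(period=100, times=3, new_conn=None, reject_conn=50, ip_count=30, port_count=30)
TCP_MEDIUM = ScanProfile(period=90, times=1, new_conn=50, reject_conn=25, ip_count=25, port_count=25)


def _reached(value, threshold):
    return threshold is not None and value >= threshold


def detect_scans(events, profile):
    """events: (t_seconds, src, dst, dport, outcome) with outcome in
    'established' | 'rst' | 'none'. Returns the set of sources judged scanning:
    a source trips when, in `times` consecutive periods, any counter reaches
    its threshold. Counters start afresh every period (the 'recovery period')."""
    per_src = defaultdict(lambda: defaultdict(
        lambda: {"new": 0, "rej": 0, "ips": set(), "ports": set()}))
    for t, src, dst, dport, outcome in events:
        b = per_src[src][t // profile.period]
        if outcome == "established":
            continue                        # completed handshakes are not scan evidence
        b["new"] += 1                       # new connection that never reached ESTABLISHED
        if outcome == "rst":
            b["rej"] += 1                   # peer answered RST / unreachable
        b["ips"].add(dst)                   # IP count: distinct destinations of new connections
        b["ports"].add(dport)               # Port count: distinct destination ports
    scanners = set()
    for src, periods in per_src.items():
        streak = 0
        for p in range(min(periods), max(periods) + 1):
            b = periods.get(p)
            hit = b is not None and (
                _reached(b["new"], profile.new_conn)
                or _reached(b["rej"], profile.reject_conn)
                or _reached(len(b["ips"]), profile.ip_count)
                or _reached(len(b["ports"]), profile.port_count))
            streak = streak + 1 if hit else 0   # a quiet period breaks the streak
            if streak >= profile.times:
                scanners.add(src)
                break
    return scanners


def port_scan(src, dst, t0, nports, outcome="rst"):
    """Constructed traffic: one connection attempt per second to consecutive ports."""
    return [(t0 + i, src, dst, 1000 + i, outcome) for i in range(nports)]
```

The Times parameter is what separates low from medium sensitivity in the sample: a scanner that probes 30 ports and then pauses for a period is caught by TCP(M) at once but never by TCP(L), which needs three consecutive noisy periods.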

17.1.36 traffic-monitor
Use this command to enable monitoring of different types of traffic. Use the no form of this command
to disable monitoring of different types of traffic. Use the default form of this command to restore the
default settings.
traffic-monitor { tcp | http | udp | icmp | ip | all }
no traffic-monitor { tcp | http | udp | icmp | ip | all }
default traffic-monitor { tcp | http | udp | icmp | ip | all }

Parameter Description
tcp Monitors TCP traffic that enters a network attack defense domain.
http Monitors HTTP traffic that enters a network attack defense domain.
udp Monitors UDP traffic that enters a network attack defense domain.
icmp Monitors ICMP traffic that enters a network attack defense domain.
ip Monitors IP traffic that enters a network attack defense domain.
all Monitors all traffic above.


Defaults Traffic monitoring is disabled by default.

Command Mode config-defend-zone configuration mode

Default Level 14

Usage Guide This command is used to enable monitoring of traffic, including TCP, HTTP, UDP, ICMP, and IP traffic.
If the all keyword is used, monitoring is enabled for all traffic.

Configuration Examples The following example enables TCP traffic monitoring for the network attack defense domain named web.
Ruijie(config)#defend-zone web
Ruijie(config-defend-zone)# traffic-monitor tcp

Verification Run the show defend-zone net-defend-zone-name traffic-snapshot command to display information
about different types of traffic.

17.1.37 udp auth-src-in


Use this command to configure a policy for defending against UDP traffic from authentic source hosts.
Use the no form of this command to cancel the policy for defending against UDP traffic from authentic
source hosts. Use the default form of this command to restore the default settings.
udp auth-src-in src-ip threshold threshold-num [ timeout seconds ] action { limit | blocking |
notify }
no udp auth-src-in src-ip
default udp auth-src-in src-ip

Parameter Description
auth-src-in Indicates packets that enter a network attack defense domain and are from authentic source hosts.
src-ip Indicates that the policy is applied to identify packets from each source host.
threshold threshold-num Indicates the maximum number of packets per second. The value ranges from 1 to 100,000,000.
timeout seconds Indicates the minimum execution duration of the policy, in seconds. The default value is 60. The value ranges from 10 to 86,400.
limit Limits the traffic to the value of threshold-num.
blocking Blocks all traffic of the host that enters and leaves the attack defense domain.
notify Records the attack event only.

Defaults No such policy is configured by default.


Command Mode config-defend-zone configuration mode

Default Level 14

Usage Guide When the rate of UDP traffic that is from any authentic source host and enters a network attack
defense domain exceeds the threshold, the device starts the defense mechanism. The device limits
the rate (not exceeding the threshold) of UDP packets that are from the source host and enter the
network attack defense domain, or blocks all traffic of the source host that enters or leaves the network
attack defense domain (according to the policy execution time). The policy execution duration is not
shorter than the value of seconds.

Configuration Examples The following example configures a policy, in which when the rate of UDP packets sent from any authentic source host to the network attack defense domain named web exceeds 100 pps, the device blocks all traffic of that source host entering or leaving the domain for at least 60 seconds (the default timeout).
Ruijie(config)# defend-zone web
Ruijie(config-defend-zone)# udp auth-src-in src-ip threshold 100 action blocking
Ruijie(config-defend-zone)# exit

17.1.38 udp pkt-in


Use this command to limit the UDP traffic that enters a network attack defense domain. Use the no
form of this command to cancel the limit on UDP traffic that enters a network attack defense domain.
Use the default form of this command to restore the default settings.
udp pkt-in { dst-ip | global } threshold threshold-num [ timeout seconds ] action { limit | notify }
no udp pkt-in { dst-ip | global }
default udp pkt-in { dst-ip | global }

Parameter Description
pkt-in Indicates all UDP packets that enter a network attack defense domain, whether or not their source passes authentic source verification.
threshold threshold-num Indicates the maximum number of packets per second. The value ranges from 1 to 100,000,000.
timeout seconds Indicates the minimum execution duration of the policy, in seconds. The default value is 60. The value ranges from 10 to 86,400.
dst-ip Indicates that the policy is applied to identify packets sent to each destination host.
global Indicates that the policy is applied to identify all packets that enter the domain.
limit Limits the traffic to the value of threshold-num.
notify Records the attack event only.

Defaults No such limit is configured by default.


Command Mode config-defend-zone configuration mode

Default Level 14

Usage Guide When the rate of UDP traffic that enters a network attack defense domain exceeds the threshold, the
device limits the rate of the traffic to be lower than or equal to the threshold. The policy execution
duration is not shorter than the value of seconds.
When the rate of UDP traffic destined for any host in a network attack defense domain exceeds the
threshold, the device limits the rate of such traffic destined for the host to be lower than or equal to the
threshold. The policy execution duration is not shorter than the value of seconds.

Configuration The following example limits the rate of UDP packets sent to a host in the network attack defense
Examples domain named web to be lower than the threshold when the rate of UDP packets received by the host
exceeds 100 pps.
Ruijie(config)# defend-zone web
Ruijie(config-defend-zone)# udp pkt-in dst-ip threshold 100 action limit
Ruijie(config-defend-zone)# exit

17.1.39 udp unauth-src-in


Use this command to configure a policy for defending against UDP traffic that does not pass authentic
source verification. Use the no form of this command to cancel the policy for defending against UDP
traffic that does not pass authentic source verification. Use the default form of this command to restore
the default settings.
udp unauth-src-in { dst-ip | global } threshold threshold-num [ timeout seconds ] action { limit |
drop | notify }
no udp unauth-src-in { dst-ip | global }
default udp unauth-src-in { dst-ip | global }

Parameter Description
unauth-src-in Indicates packets that enter a network attack defense domain but do not pass authentic source verification.
threshold threshold-num Indicates the maximum number of packets per second. The value ranges from 1 to 100,000,000.
timeout seconds Indicates the minimum execution duration of the policy, in seconds. The default value is 60. The value ranges from 10 to 86,400.
dst-ip Indicates that the policy is applied to identify packets sent to each destination host.
global Indicates that the policy is applied to identify all packets that enter the domain.
limit Limits the traffic to the value of threshold-num.
drop Discards the traffic.
notify Records the attack event only.

Defaults No such a policy is configured by default.

Command Mode config-defend-zone configuration mode

Default Level 14

Usage Guide When the rate of UDP packets that enter a network attack defense domain but do not pass the authentic
source verification exceeds the threshold, the device starts the defense mechanism. The device limits
the rate (not exceeding the threshold) of the packets entering the network attack defense domain or
discards all such packets.
When the rate of UDP packets that are destined for any host in a network attack defense domain but
do not pass the authentic source verification exceeds the threshold, the device starts the defense
mechanism. The device limits the rate (not exceeding the threshold) of the packets entering the host
or discards all such packets.

Configuration Examples The following example configures a policy, in which when the rate of UDP packets using suspicious fake source IP addresses that are sent to the network attack defense domain named web exceeds 100
pps, the device is required to limit the rate of such packets to be lower than or equal to the threshold,
and the device should keep the protection effective for 1 hour after the attack is stopped.
Ruijie(config)# defend-zone web
Ruijie(config-defend-zone)# udp unauth-src-in global threshold 100 timeout
3600 action limit
Ruijie(config-defend-zone)# exit

17.1.40 other-protocol auth-src-in


Use this command to configure a policy for defending against other protocol traffic (except TCP, UDP,
and ICMP traffic) from authentic source hosts. Use the no form of this command to cancel the policy
for defending against other protocol traffic (except TCP, UDP, and ICMP traffic) from authentic source
hosts. Use the default form of this command to restore the default settings.
other-protocol auth-src-in src-ip threshold threshold-num [ timeout seconds ] action { limit |
blocking | notify }
no other-protocol auth-src-in src-ip
default other-protocol auth-src-in src-ip

Parameter Description
auth-src-in Indicates packets that enter a network attack defense domain and are from authentic source hosts.
src-ip Indicates that the policy is applied to identify packets from each source host.
threshold threshold-num Indicates the maximum number of packets per second. The value ranges from 1 to 100,000,000.
timeout seconds Indicates the minimum execution duration of the policy, in seconds. The default value is 60. The value ranges from 10 to 86,400.
limit Limits the traffic to the value of threshold-num.
blocking Blocks all traffic of the host that enters and leaves the attack defense domain.
notify Records the attack event only.

Defaults No such policy is configured by default.

Command Mode config-defend-zone configuration mode

Default Level 14

Usage Guide When the rate of other protocol traffic (except TCP, UDP, and ICMP traffic) that is from any authentic
source host and enters a network attack defense domain exceeds the threshold, the device starts the
defense mechanism. The device limits the rate (not exceeding the threshold) of such packets that are
from the source host and enter the network attack defense domain, or blocks all traffic of the source
host that enters or leaves the network attack defense domain (according to the policy execution time).
The policy execution duration is not shorter than the value of seconds.

Configuration Examples The following example configures a policy, in which when other protocol traffic sent from any authentic source host to the network attack defense domain named web exceeds 100 pps, the device blocks the source host from sending packets to or receiving packets from the domain.
Ruijie(config)#defend-zone web
Ruijie(config-defend-zone)# other-protocol auth-src-in src-ip threshold
100 action blocking
Ruijie(config-defend-zone)# exit

17.1.41 other-protocol pkt-in


Use this command to limit other protocol traffic (except TCP, UDP, and ICMP traffic) that enters a
network attack defense domain. Use the no form of this command to cancel the limit on other protocol
traffic (except TCP, UDP, and ICMP traffic) that enters a network attack defense domain. Use the
default form of this command to restore the default settings.
other-protocol pkt-in { dst-ip | global } threshold threshold-num [ timeout seconds ] action { limit
| notify }
no other-protocol pkt-in { dst-ip | global }
default other-protocol pkt-in { dst-ip | global }

Parameter Description
pkt-in Indicates all other protocol packets (except TCP, UDP, and ICMP) that enter a network attack defense domain, whether or not their source passes authentic source verification.
threshold threshold-num Indicates the maximum number of packets per second. The value ranges from 1 to 100,000,000.
timeout seconds Indicates the minimum execution duration of the policy, in seconds. The default value is 60. The value ranges from 10 to 86,400.
dst-ip Indicates that the policy is applied to identify packets sent to each destination host.
global Indicates that the policy is applied to identify all packets that enter the domain.
limit Limits the traffic to the value of threshold-num.
notify Records the attack event only.

Defaults No limit is configured by default.

Command Mode config-defend-zone configuration mode

Default Level 14

Usage Guide When the rate of other protocol traffic (except the TCP, UDP, and ICMP traffic) that enters a network
attack defense domain exceeds the threshold, the device will limit the rate of the traffic to be lower
than or equal to the threshold. The policy execution duration is not shorter than the value of seconds.
When the rate of other protocol traffic (except the TCP, UDP, and ICMP traffic) destined for any host
in a network attack defense domain exceeds the threshold, the device will limit the rate of the traffic
destined for the host to be lower than or equal to the threshold. The policy execution duration is not
shorter than the value of seconds.

Configuration The following example limits the rate of other protocol packets sent to a host in the network attack
Examples defense domain named web to be lower than the threshold when the rate of other protocol packets
received by the host exceeds 100 pps.
Ruijie(config)# defend-zone web
Ruijie(config-defend-zone)# other-protocol pkt-in dst-ip threshold 100 action limit
Ruijie(config-defend-zone)# exit

17.1.42 other-protocol unauth-src-in


Use this command to configure a policy for defending against other protocol traffic (except TCP, UDP,
and ICMP traffic) that does not pass authentic source verification. Use the no form of this command to
cancel the policy for defending against other protocol traffic (except TCP, UDP, and ICMP traffic) that
does not pass authentic source verification. Use the default form of this command to restore the default
settings.
other-protocol unauth-src-in { dst-ip | global } threshold threshold-num [ timeout seconds ] action { limit | drop | notify }
no other-protocol unauth-src-in { dst-ip | global }
default other-protocol unauth-src-in { dst-ip | global }

Parameter Description
unauth-src-in            Indicates packets that enter a network attack defense domain but do not pass authentic source verification.
threshold threshold-num  Indicates the maximum number of packets per second. The value ranges from 1 to 100,000,000.
timeout seconds          Indicates the minimum execution duration of the policy, in seconds. The default value is 60. The value ranges from 10 to 86,400.
dst-ip                   Indicates that the policy is applied to identify packets sent to each destination host.
global                   Indicates that the policy is applied to identify all packets that enter the domain.
limit                    Limits the traffic below the value of threshold-num.
drop                     Discards the traffic.
notify                   Records the attack event only.

Defaults No such policy is configured by default.

Command Mode config-defend-zone configuration mode

Default Level 14

Usage Guide When the rate of other protocol packets (except the TCP, UDP, and ICMP packets) that enter a network
attack defense domain but do not pass the authentic source verification exceeds the threshold, the
device starts the defense mechanism. The device limits the rate (not exceeding the threshold) of the
packets entering the network attack defense domain or discards all such packets.
When the rate of other protocol packets (except the TCP, UDP, and ICMP packets) that are destined
for any host in a network attack defense domain but do not pass the authentic source verification
exceeds the threshold, the device starts the defense mechanism. The device limits the rate (not
exceeding the threshold) of the packets entering the host or discards all such packets.

Configuration The following example configures a policy, in which when the rate of other protocol packets using
Examples suspicious fake source IP addresses that are sent to the network attack defense domain named web
exceeds 100 pps, the device is required to limit the rate of such packets to be lower than or equal to
the threshold, and the device should keep the protection effective for 1 hour after the attack is stopped.
Ruijie(config)# defend-zone web
Ruijie(config-defend-zone)# other-protocol unauth-src-in global threshold 100 timeout 3600 action limit
Ruijie(config-defend-zone)# exit


Security Zone Commands

17.2.1 description
Use this command to configure a description string for a security zone. Use the no form of this
command to delete the description string of a security zone. Use the default form of this command to
restore the default settings.
description string
no description
default description

Parameter Description
string   Indicates the description string of a security zone. The value is a string of 1–40 characters.

Defaults No description string is configured for a security zone by default.

Command Mode Security zone mode

Default Level 14

Usage Guide N/A

Configuration The following example sets the description string of a security zone to trust.
Examples Ruijie(config)# security-zone hello
Ruijie(config-security-zone)# description trust

Verification Run the show security-zone command to display the description string of the security zone.

17.2.2 inner-zone-access
Use this command to allow IP mutual access within a security zone when the access policy of the
security zone is not matched. Use the no form of this command to reject IP mutual access within a
security zone when the access policy of the security zone is not matched. Use the default form of this
command to restore the default settings.
inner-zone-access
no inner-zone-access
default inner-zone-access

Parameter Description
N/A   N/A

Defaults By default, IP mutual access is not allowed within a security zone when the access policy of the security
zone is not matched.

Command Mode Security zone mode

Default Level 14

Usage Guide The priority of this command is higher than that of the global loose-inner-zone-access command. If
this command is not configured, the configuration of the global loose-inner-zone-access command
shall prevail.

Configuration The following example allows IP mutual access within the security zone named abc when the access
Examples policy of the security zone is not matched.
Ruijie(config)# security-zone abc
Ruijie(config-security-zone)# inner-zone-access
Ruijie(config-security-zone)# description trust

Verification Run the show security-zone command to check whether IP mutual access is allowed within the
security zone when the access policy of the security zone is not matched.

17.2.3 interface
Use this command to add an interface to a security zone. Use the no form of this command to delete
an interface from a security zone. Use the default form of this command to restore the default settings.
interface interface-name
no interface interface-name
default interface interface-name

Parameter Description
interface-name   Indicates the interface name.

Defaults An interface belongs to the default security zone when it is not added to a security zone.

Command Mode Security zone mode

Default Level 14

Usage Guide Multiple interface names can be configured for one security zone but one interface can belong to only
one security zone.
Note: This configuration is applicable only to security zones divided by network interface.
Note: The default security zone does not support the interface command.

Configuration The following example adds interface vlan2 to the security zone named hello.
Examples Ruijie(config)# security-zone hello
Ruijie(config-security-zone)# interface vlan 2

Verification Run the show security-zone command to display the interfaces associated with the security zone.

17.2.4 loose-inner-zone-access
Use this command to globally allow IP mutual access within a security zone when the intra–security
zone access policy is not matched. Use the no form of this command to globally reject IP mutual
access within a security zone when the intra–security zone access policy is not matched. Use the
default form of this command to restore the default settings.
loose-inner-zone-access
no loose-inner-zone-access
default loose-inner-zone-access

Parameter Description
N/A   N/A

Defaults By default, mutual access is not allowed within a security zone when the intra–security zone access policy is not matched.

Command Mode Global configuration mode

Default Level 14

Usage Guide The priority of this command is lower than that of the inner-zone-access command.

Configuration The following example allows IP mutual access within security zones when the intra–security zone
Examples access policy is not matched.
Ruijie(config)# loose-inner-zone-access

Verification Run the show security-access-global command to display the global access policy of the security
zone.

17.2.5 loose-inter-zone-access
Use this command to globally allow mutual access between security zones with the same security
zone priority when the inter–security zone access policy is not matched. Use the no form of this
command to globally reject mutual access between security zones with the same security zone priority
when the inter–security zone access policy is not matched. Use the default form of this command to
restore the default settings.
loose-inter-zone-access
no loose-inter-zone-access
default loose-inter-zone-access

Parameter Description
N/A   N/A

Defaults By default, mutual access is not allowed between security zones with the same security zone priority
when the inter–security zone access policy is not matched.

Command Mode Global configuration mode

Default Level 14

Usage Guide N/A

Configuration The following example allows mutual access between security zones with the same security zone
Examples priority when the inter–security zone access policy is not matched on the device.
Ruijie(config)# loose-inter-zone-access

Verification Run the show security-access-global command to display the global access policy of the security
zone.

17.2.6 security-access
Use this command to configure a policy for IPv4 packet access from one security zone to another
when ACL-based security zone access policies are used for packet matching. The policy is effective
unidirectionally. Use the no form of this command to delete the ACL-based policy for IPv4 packet
access from one security zone to another. Use the default form of this command to restore the default
settings.
security-access [ sequence sequence-number ] from zone-name to zone-name access-list [ inactive ] [ description string ]
no security-access { sequence sequence-number | from zone-name to zone-name access-list }
default security-access { sequence sequence-number | from zone-name to zone-name access-list }

Use this command to configure a policy for IPv4 packet access from one security zone to another
when object-based security zone access policies are used for packet matching. The policy is effective
unidirectionally. Use the no form of this command to delete the object-based policy for IPv4 packet
access from one security zone to another. Use the default form of this command to restore the default
settings.
security-access [ sequence sequence-number ] from zone-name to zone-name { deny | permit } src-address-object src-object-name dest-address-object dest-object-name service serv-name [ time-range time-range-name ] [ inactive ] [ description string ]
no security-access { sequence sequence-number | from zone-name to zone-name { deny | permit } src-address-object src-object-name dest-address-object dest-object-name service serv-name [ time-range time-range-name ] }
default security-access { sequence sequence-number | from zone-name to zone-name { deny | permit } src-address-object src-object-name dest-address-object dest-object-name service serv-name [ time-range time-range-name ] }

Use this command to activate an IPv4 access policy for a security zone. Use the no form of this
command to deactivate the IPv4 access policy of a security zone.
security-access sequence sequence-number active
no security-access sequence sequence-number [ active ]

Parameter Description
access-list        Indicates the associated IPv4 ACL.
zone-name          Indicates the name of a security zone.
sequence-number    Indicates the sequence number. The value ranges from 1 to 2,147,483,647. A policy with a smaller sequence number is used for matching preferentially. If no sequence number is contained in this command, the system assigns a default sequence number to the entry. The default sequence number of the first entry is step-number. The default sequence number of each subsequent unassigned entry is greater than the last policy sequence number by step-number (see the security-access-step command).
deny               Indicates that packets matching the rule are not allowed to pass.
permit             Indicates that packets matching the rule are allowed to pass.
src-object-name    Indicates the source address object; any_address is a special address object.
dest-object-name   Indicates the destination address object; any_address is a special address object.
serv-name          Indicates the service object; any_service is a special service object.
time-range-name    Indicates the time range associated with a rule.
string             Indicates the description string. The value is a string of 1–31 characters.
inactive           Indicates that a rule is not activated.
active             Indicates that a rule is activated.

Defaults No security zone access policy is configured for IPv4 packets by default.
Command Mode Global configuration mode

Default Level 14

Usage Guide The name of the source security zone can be the same as that of the destination security zone. If the
two security zones share the same name, the rule is an intra–security zone access policy.
ACL-based access policies cannot coexist with object-based access policies and they are controlled
by the security-access-match-object command. Object-based access policies take effect only on
security zones that are divided by network interface.

Configuration The following example configures a unidirectional access policy for IPv4 packet access from security
Examples zone aaa to security zone bbb on the device and references an ACL named hello in the policy.
Ruijie(config)# security-access from aaa to bbb hello
The following example configures a unidirectional access policy for IPv4 packet access from security
zone aaa to security zone bbb on the device and references the address object and service object in
the policy.
Ruijie(config)# security-access sequence 10 from aaa to bbb permit src-address-object TERM dest-address-object Server service myweb

Verification Run the show security-access-rule command to display the IPv4 packet access policy of the security
zone.

17.2.7 security-access-match-object
Use this command to configure object-based matching when security zone access policies are used
for packet matching. Use the no form of this command to restore the ACL-based matching when
security zone access policies are used for packet matching. Use the default form of this command to
restore the ACL-based matching when security zone access policies are used for packet matching.
security-access-match-object
no security-access-match-object
default security-access-match-object

Parameter Description
N/A   N/A

Defaults By default, ACL-based matching is adopted when security zone access policies are used for packet
matching.

Command Mode Global configuration mode

Default Level 14
Usage Guide After the security-access-match-object command is configured, the ACL-based security zone
access policy configured using the security-access access-list command will be deleted and the
command will be hidden. Likewise, after the no security-access-match-object command is
configured, the object-based security zone access policy configured using the security-access
[ sequence sequence-number ] command will be deleted and the command will be hidden.

Note: This command takes effect only on security zones divided by network interface.

Configuration The following example configures object-based matching when security zone access policies are used
Examples for packet matching on the device.
Ruijie(config)# security-access-match-object

17.2.8 security-access-step
Use this command to configure the default sequence number step for security zone access policies.
Use the no form of this command to restore the default sequence number step for security zone access
policies to 10. Use the default form of this command to restore the default sequence number step for
security zone access policies to 10.
security-access-step step-number
no security-access-step
default security-access-step

Parameter Description
step-number   Indicates the default sequence number step for the security-access and security-access-ipv6 commands. The value ranges from 1 to 2,147,483,647.

Defaults The default value is 10.

Command Mode Global configuration mode

Default Level 14

Usage Guide N/A

Configuration The following example sets the default sequence number step for security zone access policies to 20.
Examples Ruijie(config)# security-access-step 20

Verification Run the show security-access-global command to display the default sequence number step of
security zone access policies.


17.2.9 security-deny-access-log
Use this command to configure log generation (SYSLOG) in the case of packet discarding due to
violation of a security zone access policy. Use the no form of this command to configure not to generate
logs in the case of packet discarding due to violation of a security zone access policy. Use the default
form of this command to restore the default settings.
security-deny-access-log
no security-deny-access-log
default security-deny-access-log

Parameter Description
N/A   N/A

Defaults By default, logs are not generated in the case of packet discarding due to violation of a security zone
access policy.

Command Mode Global configuration mode

Default Level 14

Usage Guide This command is generally used for fault diagnosis only. The forwarding performance of the device
will deteriorate after this command is enabled.

Note: When packets are discarded due to violation of a security zone policy, a log will be generated
immediately if this command is configured. In the current version, the device can send logs only
to the log server, but not to the console or buffer.

Configuration The following example configures log generation in the case of packet discarding due to violation of a
Examples security zone access policy.
Ruijie(config)# security-deny-access-log

Verification Run the show security-access-global command to check whether logs are generated when packets
are discarded due to violation of a security zone access policy.

17.2.10 security-level
Use this command to configure the priority for a security zone. Use the no form of this command to
delete the priority of a security zone. Use the default form of this command to restore the default
settings.
security-level level-num
no security-level
default security-level

Parameter Description
level-num   Indicates the priority of a security zone. The value ranges from 1 to 100. A larger value indicates a higher priority.

Defaults By default, a security zone has no priority.

Command Mode Security zone mode

Default Level 14

Usage Guide By default, a security zone has no priority for comparison.

Configuration The following example sets the priority of a security zone to the maximum value.
Examples Ruijie(config)# security-zone hello
Ruijie(config-security-zone)# security-level 100

Verification Run the show security-zone command to display the priority of the security zone.

17.2.11 security-permit-access-log
Use this command to configure log generation (SYSLOG) in the case of connection release after
packet traffic matches a security zone policy. Use the no form of this command to configure not to
generate logs in the case of connection release after packet traffic matches a security zone policy.
Use the default form of this command to restore the default settings.
security-permit-access-log
no security-permit-access-log
default security-permit-access-log

Parameter Description
N/A   N/A

Defaults Logs are not generated when packets match a security zone policy.

Command Mode Global configuration mode

Default Level 14

Usage Guide This command is generally used for fault diagnosis only. The forwarding performance of the device
will deteriorate after this command is enabled.

Note: When packets match a security zone policy, logs can be generated only after connection release
if this command is configured. In the current version, the device can send logs only to the log
server, but not to the console or buffer.

Configuration The following example configures log generation in the case of connection establishment and release
Examples after packet traffic matches a security zone policy.
Ruijie(config)# security-permit-access-log

Verification Run the show security-access-global command to check whether logs are generated when a
security zone access policy is matched.

17.2.12 security-zone
Use this command to create a security zone or go to an existing security zone. Use the no form of this
command to delete the security zone. Use the default form of this command to restore the default
settings.
security-zone zone-name
no security-zone zone-name
default security-zone zone-name

Parameter Description
zone-name   Indicates the name of a security zone. The value is a string of 1–32 characters. A security zone named default is retained in the system, and can be neither created nor deleted.

Defaults No security domain is created and only the default security zone exists by default.

Command Mode Global configuration mode

Default Level 14

Usage Guide A default security zone exists on each device by default. You can run the security-zone default
command to enter the configuration mode of the security zone. The default security zone can be
neither created nor deleted.

Configuration The following example creates a security zone named hello.
Examples Ruijie(config)# security-zone hello
Ruijie(config-security-zone)#

Verification Run the show security-zone command to display information about the security zone.

17.2.13 security-zone-base interface
Use this command to divide security zones by network interface. Use the no form of this command to
divide security zones by IP address set. Use the default form of this command to restore the default
settings.
security-zone-base interface
no security-zone-base interface
default security-zone-base interface

Parameter Description
N/A   N/A

Defaults Security zones are divided by network interface by default.

Command Mode Global configuration mode

Default Level 14

Usage Guide
Note: When the security zone division method is changed, all existing security zones, security zone
access policies, and the global access policy will be cleared.
Note: When security zones are divided by IP address set, the security zone policy is applied only to
IPv4 packets and IPv6 packets are allowed to pass directly.

Configuration The following example divides security zones by IP address set on the device.
Examples Ruijie(config)# no security-zone-base interface

The following example divides security zones by network interface on the device.
Ruijie(config)# security-zone-base interface

Verification Run the show security-access-global command to display the security zone division method.

17.2.14 show security-access-global
Use this command to display the global security zone access policy.
show security-access-global

Parameter Description
N/A   N/A

Command Mode Privileged EXEC mode, global configuration mode, and interface configuration mode

Default Level 14

Usage Guide The global access policy has a lower priority than an inter–security zone access policy (or
intra–security zone access policy if two security zones have the same name). The global access policy
takes effect only when no inter–security zone access policy is matched. Global information shown by this
command includes whether mutual access is globally allowed in a security zone and between security
zones with the same priority, security zone division method, whether a security zone access policy is
based on an ACL or object, whether logs need to be generated in the case of connection establishment
and release after a security zone policy is matched, whether logs need to be generated in the case of
packet discarding due to violation of a security zone access policy, whether the function of collecting
statistics on the inter–security zone policy matching is enabled, and sequence number step for security
zone access policy commands.

Configuration The following example displays the global access policy of the device.
Examples Ruijie# show security-access-global
security zone is base interface
security rule is base ACL
inner-zone access:on
inter-zone access between same level:on
permit access log:off
deny access log:off
access statistics:off
web-auth enable:off
access rule step:10
Field description:
Field                              Description
security zone is base              Security zone division method
security rule is base              Whether the security zone access policy is based on an ACL or object
inner-zone access                  Whether IP mutual access is allowed within a security zone when the access policy of the security zone is not matched
inter-zone access between same level   Whether IP mutual access is allowed between security zones with the same security level when no inter–security zone access policy is matched
permit access log                  Whether logs need to be generated in the case of connection establishment/release after a security zone policy is matched
deny access log                    Whether logs need to be generated in the case of packet discarding due to violation of a security zone access policy
access statistics                  Whether the function of collecting statistics on inter–security zone policy matching is enabled
web-auth enable                    Whether Web authentication is enabled
access rule step                   Sequence number step for the security-access and security-access-ipv6 commands

17.2.15 show security-access-rules
Use this command to display the IPv4 packet access policy of a security zone.
show security-access-rules [ from zone-name1 | to zone-name2 ]

Parameter Description
zone-name1   Indicates the name of security zone 1.
zone-name2   Indicates the name of security zone 2.

Command Mode Privileged EXEC mode, global configuration mode, and interface configuration mode

Default Level 14

Usage Guide N/A

Configuration The following example displays all IPv4 access policies of the device.
Examples Ruijie#show security-access-rules
security-access 100 from trust to untrust 10
security-access 101 from dmz to trust 20
security-access 102 from dmz to default 30

The following example displays all IPv4 access policies, in which the source security zone is trust, on
the device.
Ruijie#show security-access-rules from trust
security-access 100 from trust to untrust 10
security-access 101 from trust to dmz 20

The following example displays all IPv4 access policies, in which the destination security zone is
trustB, on the device.
Ruijie#show security-access-rules to trustB
security-access 100 from trustA to trustB 10
security-access 101 from dmz to trustB 20
Field description:
Field     Description
100       IPv4 ACL
101       IPv4 ACL
102       IPv4 ACL
trust     Name of a security zone
untrust   Name of a security zone
dmz       Name of a security zone
default   Name of a security zone
trustA    Name of a security zone
trustB    Name of a security zone
10        Sequence number
20        Sequence number
30        Sequence number

17.2.16 show security-zone
Use this command to display the configuration of a single or all security zones.
show security-zone [ zone-name ]

Parameter Description
zone-name   Indicates the name of a security zone. By default, the configuration of all security zones is displayed.

Command Mode Privileged EXEC mode, global configuration mode, and interface configuration mode

Default Level 14

Usage Guide This command is used to display the configuration of a single or all security zones. Security zone
information includes the description string, priority, associated access-group or contained interfaces,
and whether mutual access is allowed within the security zone.

Configuration The following example displays the configuration of the security zone named TERM.
Examples Ruijie#show security-zone TERM
security-zone:TERM
description:terminal_client_zone
level: 80
inner-zone access:on
ip access-group:10

The following example displays the configuration of all security zones.
Ruijie#show security-zone
security-zone:TERM
description:terminal_client_zone
level: 80
inner-zone access:on
ip access-group:10

security-zone:default
description:terminal_client_zone
level: 90
inner-zone access:on
Field description:
Field               Description
security-zone       Name of a security zone
description         Description string of the security zone
level               Priority of the security zone
inner-zone access   Whether IP mutual access is allowed within a security zone when the access policy of the security zone is not matched
ip access-group     ACL associated with the security zone

17.2.17 show security-zone-match
Use this command to display the matching of a security zone policy based on IPv4 packet
characteristics.
show security-zone-match ip-protocol source-ip dst-ip from src-interface to dst-interface firewall-name

Use this command to display the matching of a security zone policy based on IPv4 TCP or UDP packet
characteristics.
show security-zone-match { 6 | 17 | tcp | udp } source-ip dst-ip [ src-port dst-port ] from src-interface
to dst-interface

Use this command to display the matching of a security zone policy based on IPv4 ICMP packet
characteristics.
show security-zone-match { 1 | icmp } source-ip dst-ip [ type code ] from src-interface to dst-interface

Parameter Description
ip-protocol     Indicates the IP protocol.
1               Indicates the ICMP protocol.
6               Indicates TCP packets.
17              Indicates UDP packets.
tcp             Indicates TCP packets.
udp             Indicates UDP packets.
source-ip       Indicates the source IP address.
dst-ip          Indicates the destination IP address.
src-port        Indicates the source port number. The default port number is 0.
dst-port        Indicates the destination port number. The default port number is 0.
type            Indicates the ICMP type. The default value is 8.
code            Indicates the ICMP code. The default value is 0.
src-interface   Indicates the source interface.
dst-interface   Indicates the destination interface.

Command Mode Privileged EXEC mode, global configuration mode, and interface configuration mode

Default Level 14

Usage Guide This command is generally used for configuration diagnosis.

Configuration The following example displays the matching of a security zone policy based on IPv4 packet
Examples characteristics.
Ruijie#show security-zone-match udp 192.168.1.1 192.168.2.1 3456 80 from vlan 2 to vlan 3
Allowed for permitted by inner zone accessing control
Field description:
Field                                                              Description
Denied for a unpredictable error occurs                            Packets are rejected due to an internal error of the firewall.
Denied for inner-zone access is forbidden                          Packets are rejected because access within the security zone is forbidden.
Denied for inter-zone access with same level is forbidden          Packets are rejected because the priority of the source security zone is the same as that of the destination security zone.
Denied for the level of src_zone is less than dst_zone's           Packets are rejected because the priority of the source security zone is lower than that of the destination security zone.
Denied for hitting a security zone rule (deny)                     Packets are rejected because they match the deny rule in the security zone access policy.
Denied for not match the security policy                           Packets are rejected because no relevant security zone access policy is found.
Allowed for the destination ip is a broadcast ip or multicast ip   Packets are allowed to pass because their destination IP addresses are a broadcast or multicast IP address.
Allowed for the destination ip is to local                         Packets are allowed to pass because their destination IP addresses are the IP address of the local device.
Allowed for the source ip is a local ip                            Packets are allowed to pass because their source IP addresses are the IP address of the local device.
Allowed for hitting a security zone rule                           Packets are allowed to pass because they match a security zone policy.
Allowed for permitted by inner zone accessing control              Packets are allowed to pass because mutual access is allowed in the security zone.
Allowed for the level of src_zone is greater than dst_zone's       Packets are allowed to pass because the priority of the source security zone is higher than that of the destination security zone.
Allowed for the level of dst_zone is equal to src_zone's           Packets are allowed to pass because the priority of the source security zone is the same as that of the destination security zone.
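The decision reasons listed above, together with the sequence-number assignment described under security-access and security-access-step, modeled in Python as an added example (not Ruijie code). The evaluation order, the fallback for zones without a security-level, and the zone, rule and packet values are assumptions constructed for the example.

```python
"""Model of the security-zone access decision reported by show security-zone-match.
Added example, not Ruijie code. Assumed (not on the page): security-access rules are
checked before zone priorities, zones without a security-level fall through to "not
match the security policy", and the local/broadcast checks run first."""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Callable, Dict, Iterable, List, Optional, Set

@dataclass
class Zone:
    name: str
    level: Optional[int] = None  # security-level 1..100; None = no priority (default)
    inner_zone_access: Optional[bool] = None  # per-zone inner-zone-access; None = use global
    interfaces: Set[str] = field(default_factory=set)

@dataclass
class Rule:
    seq: int
    src_zone: str
    dst_zone: str
    action: str  # "permit" or "deny"
    match: Callable[[dict], bool]  # stands in for the referenced ACL / address+service objects

def service(proto: str, dport: Optional[int] = None) -> Callable[[dict], bool]:
    """Matcher for a protocol and optional destination port (like a service object)."""
    return lambda p: p["proto"] == proto and (dport is None or p.get("dport") == dport)

class SecurityZonePolicy:
    def __init__(self, step: int = 10, loose_inner: bool = False,
                 loose_inter: bool = False, local_ips: Iterable[str] = ()):
        self.step = step  # security-access-step (default 10)
        self.loose_inner = loose_inner  # loose-inner-zone-access
        self.loose_inter = loose_inter  # loose-inter-zone-access
        self.local_ips = {ip_address(i) for i in local_ips}
        self.zones: Dict[str, Zone] = {"default": Zone("default")}  # always exists
        self.rules: List[Rule] = []

    def add_zone(self, zone: Zone) -> None:
        self.zones[zone.name] = zone

    def next_sequence(self) -> int:
        # First entry gets step-number; each later unassigned entry is last + step.
        return self.step if not self.rules else max(r.seq for r in self.rules) + self.step

    def add_rule(self, src: str, dst: str, action: str,
                 match: Callable[[dict], bool], seq: Optional[int] = None) -> int:
        seq = self.next_sequence() if seq is None else seq
        self.rules.append(Rule(seq, src, dst, action, match))
        self.rules.sort(key=lambda r: r.seq)  # smaller sequence number matches first
        return seq

    def zone_of(self, interface: str) -> Zone:
        # An interface not added to any zone belongs to the default zone.
        for z in self.zones.values():
            if interface in z.interfaces:
                return z
        return self.zones["default"]

    def evaluate(self, pkt: dict) -> str:
        """Return the reason string that show security-zone-match would print."""
        src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
        # Only multicast and limited broadcast are recognised here (no subnet knowledge).
        if dst.is_multicast or str(dst) == "255.255.255.255":
            return "Allowed for the destination ip is a broadcast ip or multicast ip"
        if dst in self.local_ips:
            return "Allowed for the destination ip is to local"
        if src in self.local_ips:
            return "Allowed for the source ip is a local ip"
        sz, dz = self.zone_of(pkt["src_if"]), self.zone_of(pkt["dst_if"])
        for r in self.rules:  # already sorted by sequence number
            if r.src_zone == sz.name and r.dst_zone == dz.name and r.match(pkt):
                if r.action == "permit":
                    return "Allowed for hitting a security zone rule"
                return "Denied for hitting a security zone rule (deny)"
        if sz.name == dz.name:  # no rule matched: the global policy applies
            inner = self.loose_inner if sz.inner_zone_access is None else sz.inner_zone_access
            return ("Allowed for permitted by inner zone accessing control" if inner
                    else "Denied for inner-zone access is forbidden")
        if sz.level is None or dz.level is None:
            return "Denied for not match the security policy"
        if sz.level > dz.level:
            return "Allowed for the level of src_zone is greater than dst_zone's"
        if sz.level < dz.level:
            return "Denied for the level of src_zone is less than dst_zone's"
        return ("Allowed for the level of dst_zone is equal to src_zone's" if self.loose_inter
                else "Denied for inter-zone access with same level is forbidden")

def build_sample_policy() -> SecurityZonePolicy:
    """Constructed sample zones and rules (names echo the show command examples above)."""
    pol = SecurityZonePolicy(local_ips=["10.0.0.1"])
    pol.add_zone(Zone("trust", level=80, inner_zone_access=False, interfaces={"vlan2"}))
    pol.add_zone(Zone("untrust", level=10, interfaces={"vlan3"}))
    pol.add_zone(Zone("dmz", level=50, interfaces={"vlan4"}))
    pol.add_zone(Zone("partner", level=50, interfaces={"vlan5"}))
    pol.add_rule("trust", "untrust", "permit", service("tcp", 80))  # sequence 10
    pol.add_rule("dmz", "trust", "deny", service("tcp", 22))  # sequence 20
    pol.add_rule("dmz", "trust", "permit", service("tcp"))  # sequence 30
    return pol
```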
