scheme-name: The string naming the accounting method list, which may contain 1 to 20 printable characters except for the space. Note that a customized accounting method list cannot be named “default” or have the same name as its initial character substring. The character string can contain 1 to 20 characters.

method: Sets an accounting method for the login accounting method list. You must set one method at least, and can set two at most. If you select radius first, you can additionally select none. But if you select none first, you cannot input another parameter.

Table 1-1 Login accounting methods

Keyword	Description
none	Do not impose accounting on any user.
radius	Use the RADIUS server for accounting.

Description

Use the aaa accounting-scheme login command to create an accounting scheme.

Use the undo aaa accounting-scheme login command to delete the specified accounting scheme.

By default, the default scheme aaa accounting-scheme login default none has existed.

This system supports the following two accounting methods:

RADIUS: NAS reports the user activities to the RADIUS server in the form of accounting records. Each record contains the attribute pairs and is saved on the RADIUS security server.

An accounting scheme defines the accounting method to be executed. If no accounting method has been named for some type of activities, the default accounting scheme will be used. If the default accounting scheme is not set, no accounting will be implemented. A login user can customize an accounting scheme, or use the default accounting scheme. If no accounting scheme is used, the accounting function will be disabled, that is, no accounting is imposed.

If the keyword login is used, the accounting record will include the user name, date, start and ending time.

It allows of only a maximum of nine accounting schemes, including the default accounting scheme.

Whenever the number of accounting schemes configured by the login user has exceeded the allowed maximum number, the VG will display the following prompt:

Warning: Reach the max limited of aaa accounting-scheme method list .

Whenever deleting a non-existent accounting method list, the following prompt will be displayed:

Warning: no such accounting method list .

Related command: see aaa-enable, login-method.

Example

# Define a default accounting scheme, taking RADIUS as the accounting server.

[VG] aaa accounting-scheme login default radius

1.1.2 aaa authentication-scheme login

Syntax

aaa authentication-scheme login { default | scheme-name } { method [ method ] }

undo aaa authentication-scheme login { default | scheme-name }

View

System view

Parameter

default: Uses the authentication and authorization method(s) defined behind this parameter as the default scheme for authenticating and authoring the login users.

scheme-name: The string naming the authentication and authorization scheme, which may contain any printable character except for the space. Note that a customized authentication and authorization scheme cannot be named “default” or have the same name as its initial character substring. The character string can contain 1 to 20 characters.

method: Configures authentication and authorization methods for the login authentication and authorization scheme. At least one method must be set and there are two methods available. You are not allowed to put any other methods behind either local or none.

Table 1-2 The login authentication and authorization methods

Keyword	Description
local	Use the local user name database for authentication and authorization.
none	All the users can successfully log in without undergoing any authentication and authorization.
radius	Use a Radius server for authentication and authorization.

Description

Use the aaa authentication-scheme login command to create a login authentication and authorization scheme.

Use the undo aaa authentication-scheme login command to delete a specified login authentication and authorization scheme.

By default, there is a default scheme aaa authentication-scheme login default local.

Using aaa authentication-scheme login command, you can create an authentication and authorization scheme for login users, and the default scheme or the scheme-name of other schemes thus created will be referenced by the login-method authentication-mode command. If no scheme has been specified for the authentication and authorization on a login type, the one named default will be used as the default scheme. In an authentication and authorization process, the methods configured for a scheme will be executed in the specified order. A method will be tried only when using the previous one cannot get any response (due to a busy server, the failure to set up a connection with the server, or any other reasons). If the authentication and authorization using a method is failed during this process, however, the subsequent methods will not be tried any more and the authentication and authorization will be terminated.

A maximum of nine schemes (including the default one) is allowed for login authentication and authorization.

If none is specified as the last authentication and authorization method to be used, authentication and authorization will be passed in the event that using all the previous methods cannot get any response.

If the number of configured login authentication and authorization schemes exceeds the allowed maximum number, the VG will display the following prompt:

Warning: reach the max limited of AAA authentication scheme list.

When deleting a non-existent login authentication and authorization scheme, the following prompt will be displayed:

Warning: no such scheme list for authentication and authorization

Related command: login-method authentication-mode.

Example

# Create the default login authentication and authorization scheme. In this scheme, RADIUS server will be used first. If the server does not respond, the login users will be permitted to access without any authentication and authorization.

[VG] aaa authentication-scheme login default radius none

1.1.3 aaa-enable

Syntax

aaa-enable

undo aaa-enable

View

System view

Parameter

None

Description

Use the aaa-enable command to enable AAA.

Use the undo aaa-enable command to disable AAA.

By default, AAA is enabled.

Only if AAA has been enabled can you proceed to other AAA configuration tasks.

All the configurations about AAA will still be kept after you execute the undo aaa-enable command. However, you cannot see them by executing the display current-configuration command. If you execute the aaa-enable command again, you will see them by executing the display current-configuration command. If the save operation is performed and the VG is rebooted after executing the undo aaa-enable command, all the configured commands will become invalid, except for those that can still be configured when AAA is disabled.

The AAA-concerned debugging and display commands can be used, regardless of the status of AAA.

Related command: aaa accounting-scheme, radius.

& Note:

The radius command is available only when the AAA function is enabled.

Example

# Enable AAA.

[VG] aaa-enable

1.1.4 debugging aaa

Syntax

debugging aaa { error | event }

undo aaa { error | event }

View

Any view

Parameter

error: Enables the debugging of AAA errors.

event: Enables the debugging of AAA events.

Description

Use the debugging aaa command to enable AAA debugging.

Use the undo debugging aaa command to disable AAA debugging.

Example

# Enable the debugging of AAA events, and display the system debugging information for the user admin who logs in to the voice gateway (VG).

[VG] info-center enable

[VG] info-center console debugging

[VG] debugging aaa event

TELNET: A user from 192.168.80.100 login, waiting for authentication

AAA_INFO: Use the local authentication method

AAA_INFO: After user authentication success, send the attributes to EXEC

AAA_INFO: AAA local authorization success

AAA_INFO: User authorization success, send the attributes to EXEC

User lijian logged in.

1.1.5 display aaa user

Syntax

display aaa user

View

Any view

Parameter

None

Description

Use the display aaa user command to view information of a logon user.

Based on the output information of this command, you can monitor the logon users and diagnose AAA faults.

Example

# Display the information of AAA users.

[VG] display aaa user

Index User Type IP Address Connecting Time Calling Number User Name

0 EXEC 127.0.0.1 00:01:01 anchun

The above information displays the, user index, user type, IP address of the user, user connecting time, calling number, user name, etc.

1.1.6 display level

Syntax

display level

View

Any view

Parameter

None

Description

Use the display level command to display the level of the current logon user.

Example

# Display the level of the current logon user.

[VG] display level

User Level: Administrator

1.1.7 display local-user command-history

Syntax

display local-user command-history { all | brief | index number | username name }

View

Any view

Parameter

all: Displays the recorded command history information of all the login users and low level users.

brief: Briefly displays the record information of all the login users.

index: Displays the recorded command history of the login users by the specified index number.

index: Specifies the indexes of the users whose information is to be displayed.

username: Displays the recorded command history of the login users whose names have been specified.

name: Specifies the users whose information is to be displayed by name.

Description

Use the display local-user command-history command to display the recorded command history information of the login users, which includes user names of the login users, login times, the last login time, the number of commands executed by the users, the history command of the users, and so on.

& Note:

The login users can view only their own command history information and that of the users with lower rights. The Guest users’ command history is not recorded, and thus it is not available when the command history is displayed.

Example

# Display the history command records of the logon users.

[VG] display local-user command-history all

User<lijian> total<1> records:

ID Execute-Time Command-Information

1 05:59:26 Jan/1/2005 display current-configuration

1.1.8 display local-user level

Syntax

display local-user level

View

Any view

Parameter

None

Description

Use the display local-user level command to display the current user level.

Example

# Display the current user level.

[VG10-41]display local-user level

User Level: Administrator

1.1.9 display local-user login-history

Syntax

display local-user login-history { all | username name }

View

Any view

Parameter

all: Displays the recorded login history of all the login users.

username name: Displays the recorded login history of the login users whose names have been specified. It may contain 1 to 31 characters.

Description

Use the display local-user login-history command to display the recorded login history information of the users, which mainly includes user name of login user, login times, each login time, each logout time, login interface, and so on.

Example

# Display the history login records of the login users.

[VG] display local-user login-history all

User<lijian> total login <1> times:

Index Login-Interface LogIn-Time LogOut-Time

1 Console 05:59:22 Jan/1/2005 User online

1.1.10 display local-user online

Syntax

display local-user online

View

Any view

Parameter

None

Description

Use the display local-user online command to display information of the current online users of the VG, which includes task ID, login interface name, remote address, user name, and the periods that the users stay online. The users include those who log in through Telnet, Console, and FTP but exclude the HTTP users.

Example

# Display the online users of the current VG.

[VG] display local-user online

UserID InterfaceName Ipaddress ConnectedTime UserName

14 Console 00:00:10 anchun

25 Ethernet0 192.168.192.100 00:00:07 anchun

1.1.11 local-user password

Syntax

local-user user-name [ password { simple | cipher } password ]

undo local-user user

View

System view

Parameter

user-name: Username, ranging from 1 to 31 characters. You can configure up to 15 users.

simple: Password displayed in plain text.

cipher: Password displayed in ciphered text.

password: User password for authentication, ranging from 1 to 16, characters or figures.

Description

Use the local-user password command to configure the user password for authentication.

Use the undo local-user command to cancel the setting.

By default, no username or authentication password is configured. If a user is created without setting a password, the system does not provide a default password.

Besides, the user password should be displayed in ciphered text.

Related command: display local-user.

Example

# Add a user, whose both name and password are Router1, and password must be displayed in ciphered text.

[VG] local-user Router1 password cipher Router1

1.1.12 local-user service-type

Syntax

local-user user-name service-type { administrator | guest | operator | ftp }

undo local-user user-name

View

System view

Parameter

user-name: Username of the authorized user, ranging from 1 to 31 characters. You can configure up to 15 users.

administrator: The authorized user is an administrator.

guest: The authorized user is a guest.

operator: The authorized user is an operator.

ftp: The authorized user is an FTP user.

Description

Use the local-user service-type command to configure the user authentication and authorization service type.

Use the undo local-user command to cancel the setting.

By default, if a user is created without configuring a service type, it will be authorized as a guest by default.

This command can be used together with the local-user password command.

When single service is authorized to the user, only one parameter among administrator, guest, operator and ftp is needed after service-type. When multiple services are authorized to user, it is necessary to configure two service type parameters, but not to use this command repeatedly. Otherwise, the new service type will overwrite the old one, instead of stacking the service type.

Related command: local-user password, aaa authentication-scheme login.

Example

# Configure an administrator (username: abc, password: abcd).

[VG] local-user abc password cipher abcd service-type administrator

1.1.13 login-method accounting-mode

Syntax

login-method accounting-mode login-type { default | scheme-name }

undo login-method accounting-mode login-type

View

System view

Parameter

login-type: Enables accounting for the login users of a specified type.

default: The name of the default scheme, which has been defined by the aaa accounting-scheme login command.

scheme-name: Specifies name of the scheme used for accounting, which may contain 1 to 20 characters and is defined by the aaa accounting-scheme login command.

login-type: Configures any login type listed in the following table for this parameter.

Table 1-3 login types

Keyword	Description
Console	Log in from a console interface
telnet	Log in by means of Telnet

Description

Use the login-method accounting-mode command to enable the accounting on the login users with the specified accounting mode.

Use the undo login-method accounting-mode command to disable the accounting on the login users.

By default, the accounting scheme is not applied to the login users. That is, the accounting function is disabled..

Before applying an accounting method list to a specified login type using the login-method accounting-mode command, you should first define the accounting method list using the aaa accounting-scheme command. If no accounting method list is specified, the default one will be used.

If the configured scheme-name, the scheme name defined for login accounting for example, does not exist, the following prompt will be displayed:

Warning: the accounting list is not configured.

Related command: aaa accounting-scheme.

Example

# Adopt the "test-list" scheme to make accounting for the telnet login users.

[VG] login-method accounting-mode telnet test-list

1.1.14 login-method authentication-mode

Syntax

login-method authentication-mode login-type { default | scheme-name }

undo login-method authentication-mode login-type

View

System view

Parameter

default: Uses the default scheme.

scheme-name: An authentication and authorization scheme name, which may contain 1 to 20 characters, and is defined by the aaa authentication-scheme login command.

login-type: Any login type selected from the following table.

Table 1-4 Login types

Keyword	Description
console	Log in from a console interface
telnet	Log in by means of Telnet
ftp	Log in by means of FTP
http	Log in by means of HTTP

Description

Use the login-method authentication-mode command to specify a scheme for authenticating and authorizing the login users.

Use the undo login-method authentication-mode command to restore the default scheme for authenticating and authorizing the login users.

By default, the users that log in by means of console, telnet or ftp must be authenticated and authorized, and the default list is used as the authentication and authorization scheme for the login users. As for the users that log in by means of HTTP, the authentication and authorization scheme is not used, so they can log in directly.

This command is used to specify a scheme for authenticating and authorizing the login users. If no scheme has been specified, the default one will be used. For the users that log in by means of console, telnet or ftp, the undo login-method authentication-mode command functions the same as the login-method authentication-mode login-type default command.

Before configuring this command, you should use the aaa authentication-scheme login command to create the authentication and authorization scheme. If no scheme has been configured, the following prompt will be displayed:

Warning: the list is not configured for login authentication and authorization

Related command: aaa authentication-scheme login.

Example

# Adopt the “test-listname” scheme to authenticate and authorize the telnet login users.

[VG] login-method authentication-mode telnet test-listname

1.1.15 reset local-user history

Syntax

reset local-user history username

View

Any view

Parameter

username: A user that has not logged in.

Description

Use the reset local-user history command to clear the history command information related to VG operations by the users who are not login users in the current situation.

Only the administrator and operator who logs in from a console interface can use this command to clear the history command information related to VG operations by the users who are not login users of the voice gateway in the current situation. A user cannot clear the history command information of another user that has higher rights.

Example

# Clear the history command information related to VG operations of the login user operator001

[VG] reset local-user history operator001

Delete user<operator001> successfully.

Chapter 2 Firewall Configuration Commands

2.1 Firewall Configuration Commands

2.1.1 acl

Syntax

acl acl-number [ match-order ][ config | auto ]

undo acl {acl-number| all }

View

System view

Parameter

acl: Enters an ACL rule group.

acl-number: ACL number, the range of 2000 to 2098 stands for the basic ACL, and that of 3000 to 3099 stands for extended ACL.

match-order: Specifies the configuration order of ACL. By default, it is auto.

config: Means the ACL adopts configuration sequence to match.

auto: Means the ACL adopts automatic sequence match according to the “depth-first principle”.

all: Deletes all rules.

Description

Use the acl command to add an ACL policy group and enter the ACL view.

If an ACL exists, you can directly enter into the ACL policy group.

Use the undo acl command to remove a specified ACL policy group.

By default, no ACL policy group is configured. You can configure up to 100 ACL policy groups.

Related command: display acl.

Example

# Configure a basic ACL based on IP address and using automatic match sequence.

[VG] acl 2088 match-order auto

2.1.2 debugging filter

Syntax

debugging filter { all | icmp | tcp | udp }

undo debugging filter { all | icmp | tcp | udp }

View

Any view

Parameter

all: Enables all the information debugging of the firewall.

icmp: Enables the ICMP sending and receiving packets debugging of the firewall.

tcp: Enables the TCP protocol information debugging of the firewall.

udp: Enables the UDP protocol information debugging of the firewall.

Description

Use the debugging filter command to enable the information debugging of the firewall.

Use the undo debugging filter command to disable the corresponding information debugging of the firewall.

Example

# Enable the debugging of all firewall information.

[VG] debugging filter all

2.1.3 display acl

Syntax

display acl [ acl-number | interface type number ]

View

Any view

Parameter

acl-number: Displays the access rules in the specified ACL.

interface: Displays the serial number of the serial number of ACL being applied on the interface.

type: Type of the interface.

number: Interface number.

Description

Use the display acl command to view packet filter rules and their application conditions on the interface.

This command is used to display the specified rules and their packet filtering information. Each rule has a corresponding counter. If a packet was filtered based on this rule, the counter will increase by 1. By observing the counter, you can see, among the configured rules, which rules are effective, and which are basically ineffective.

Related command: acl.

Example

# Display the ACL rule with the number 300.

[VG] display acl 3000

Using normal packet-filtering access rules now.

3000 deny icmp 10.1.0.0 0.0.255.255 any host-redirect(3 matches,252 bytes -- rule 1)

3000 permit icmp 10.1.0.0 0.0.255.255 any echo (no matches -- rule 2)

3000 deny udp any any eq rip (no matches -- rule 3)

2.1.4 display firewall

Syntax

display firewall

View

Any view

Parameter

None

Description

Use the display firewall command to view the firewall statistics, in which the packet statistics is about the non-fast-forwarded packets.

Related command: firewall.

Example

# Display the statistics of the firewall

[VG] display firewall

Firewall is enable, default filtering method is 'permit'.

InBound packets: None;

OutBound: 0 packets, 0 bytes, 0% permitted,

0 packets, 0 bytes, 0% denied,

1709 packets, 194826 bytes, 100% permitted in default condition,

0 packets, 0 bytes, 0% denied in default condition.

From 09:10:36 to 09:10:56

0 packets, 0 bytes, permitted,

0 packets, 0 bytes, denied,

1 packets, 114 bytes, permitted in default condition,

0 packets, 0 bytes, denied in default condition;

2.1.5 firewall

Syntax

firewall { enable | disable }

View

System view

Parameter

enable: Enables the firewall.

disable: Disables the firewall.

Description

Use the firewall command to enable or disable the firewall.

By default, the firewall is enabled.

This command is used to enable or disable the firewall, and the result can be displayed with the display firewall command. This command controls the general switch of the firewall. When the firewall is disabled with the firewall disable command, the statistics of the firewall will also be deleted.

Related command: acl, firewall packet-filter.

Example

# Enable the firewall.

[VG] firewall enable

2.1.6 firewall default

Syntax

firewall default { permit | deny }

View

System view

Parameter

permit: Defaults filter attribute to “permit”.

deny: Defaults filter attribute to “deny”.

Description

Use the firewall default command to configure the default filtering mode when there is no matching access rule.

By default, packets are permitted to pass the firewall in the case that the firewall is enabled.

If none of the access rules applied on the interface can judge whether a packet is permitted or denied, the default filtering attribute will function. If the default filtering attribute is “permit”, then the packet can pass. Otherwise, it will be discarded.

Example

# Configure the default filtering attribute to “permit”.

[VG] firewall default permit

2.1.7 firewall packet-filter

Syntax

firewall packet-filter { acl-number } [ inbound | outbound ]

undo firewall packet-filter { access-list-number [ inbound | outbound ] | inbound | outbound | all }

View

Interface view

Parameter

packet-filter: Sets packet filtering firewall.

acl-number: Sequence number of ACL rule.

inbound: Uses ACL rule to filter the packets received on the interface.

outbound: Uses ACL rule to filter the packets forwarded from the interface.

all: Disables all the ACL rules that are applied to a specified interface.

Description

Use the firewall packet-filter command to apply related ACL on a specified interface.

Use the undo firewall packet-filter command to disable applying related ACL on a specified interface.

By default, no ACL rule is applied on the interface.

If you want to filter the packets received from an interface, you need to use the keyword inbound; If you want to filter the packets forwarded from an interface, you need to use the keyword outbound. If no direction is defined, the keyword outbound will be selected.

Up to 20 ACLs can be applied on the one direction of an interface. The greater the rule sequence number, the higher the priority. When configuring the rules, it is recommended to put the rules of the same network configuration into the ACL of the same sequence number. You can use display acl command to view the arrangement and sequence of the rules in a ACL.

Related command: acl.

& Note:

To improve configuration flexibility, the VG deals with configuration ACLs and application ACLs respectively, so it can apply ACLs first and then configure content of the ACLs.

Example

# Apply ACL 3050 on the inbound direction of the Ehternet0 interface.

[VG-Ethernet0] firewall packet-filter 3050 inbound

2.1.8 reset acl counters

Syntax

reset acl counters [ access-list-number ]

View

Any view

Parameter

access-list-number: Sequence number of the ACL whose statistics will be cleared. It is an integer in the range of 2000 to 2098, and 3000 to 3099. If not specified, the statistics of all the rules will be cleared.

Description

Use the reset acl counters command to clear counters of ACL rules.

By default, access-list counters are not cleared.

This command is used to clear the counters of all access rules currently in service. If no sequence number is specified, then the statistics of all the access rules will be deleted.

Related command: acl.

Example

# Clear the statistics of the ACL with serial number 3000.

[VG] reset acl counters 3000

# Clear the statistics of all the access rules currently in service.

[VG] reset acl counters

2.1.9 rule

Syntax

rule { permit | deny } source { source-addr source-wildcard | any }

rule { permit | deny } { tcp | udp } source { source-addr source-wildcard | any } [ source-port operator port1 [ port2 ] ] destination { dest-addr dest-wildcard | any } [ destination-port operator port [ port2 ] ] [ established ] [ logging ]

rule { permit | deny } icmp source { source-addr source-wildcard | any } destination { dest-addr dest-wildcard | any } [ icmp-type icmp-type [ icmp-code ] ] [ logging ]

rule { permit | deny } ip source { source-addr source-wildcard | any } destination { dest-addr dest-wildcard | any } [ logging ]

rule { permit | deny } protocol-number source { source-addr source-wildcard | any } destination { dest-addr dest-wildcard | any } [ logging ]

undo rule { rule-id | all }

View

ACL view

Parameter

rule: Adds a ACL rule.

all: Deletes all rules.

permit: Permits the packets that satisfy some conditions to pass.

deny: Denies the packets that satisfy some conditions to pass.

tcp, udp, icmp, ip: Refers to the TCP, UDP, ICMP, and IP protocols.

protocol-number: Protocol number.

source: Specifies source information.

source-addr: Source IP address, in dotted decimal format. “any“ stands for the source address 0.0.0.0 and wildcard of 255.255.255.255.

source-wildcard: Wildcard of the source address. 0 stands for wildcard bit 0.0.0.0, which, along with source-addr, identifies a host.

destination: Specifies the destination address information.

dest-addr: Destination address, in dotted decimal format. “any“ stands for the source address 0.0.0.0 and wildcard of 255.255.255.255.

dest-wildcard: Wildcard of destination address. 0 stands for wildcard bit 0.0.0.0.

source-port: Specifies the source port information.

operator: Port operator (optional). If the protocol is TCP or UDP, port comparison can be performed, and the operation includes “equal”, “greater-than”, “less-than”, “not-equal” or “range”. If the operator is “range”, it should be followed by two ports.

port1: Port number when the protocol is TCP or UDP, in the range of 0 to 65535.

port2: Port number when the protocol is TCP or UDP and the operation type is “range”, in the range of 0 to 65535.

destination-port: Specifies the destination port information.

established: Matches all TCP packets marked with ACK and RST, including SYN+ACK, ACK, FIN+ACK, RST, and RST+ACK packets. This parameter is valid only when the protocol is TCP.

icmp-type: Specifies the ICMP type.

icmp-type: It appears when the protocol is ICMP and represents ICMP packet type. It can be the preset value (e.g., echo-reply) or a number from 0 to 255.

icmp-code: It appears when the protocol is ICMP and no preset value is chosen, and represents ICMP code. It is a number from 0 to 255.

logging: The system records log if the packet meets conditions.

rule-id: Sequence number of the ACL rule to be deleted. You can know the ID of the rule to be deleted by the display acl command, and then execute the undo rule command.

Description

Use the first command to add a basic ACL rule.

Use the second to fifth commands to add an advanced ACL rule.

By default, no ACL rule is defined. Up to 100 rules can be configured.

Related command: acl, display acl.

Example

# Define an ACL whose rule ID is 3050 and define a rule on the ACL to allow the host on the segment 129.9.0.0 to send WWW packets to the host on the segment 202.38.160.0.

[VG] acl 3050

[VG-acl-3050] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port equal www

TOP

H3C reserves the right to modify its collaterals without any prior notice. For the latest information of the collaterals, please consult H3C sales or call 400 hotline.