01-14 Security Commands
Ethernet Switches
Command Reference
14 Security Commands
Function
The acl ip-pool command creates an ACL IP address pool and enters the ACL IP address pool view.
The undo acl ip-pool command deletes an ACL IP address pool.
By default, no ACL IP address pool has been created on the device.
Format
acl ip-pool acl-ip-pool-name
undo acl ip-pool acl-ip-pool-name
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
An ACL IP address pool applies when policy-based routing (PBR) is used to redirect
packets to multiple next hops. An ACL IP address pool can be invoked by the
redirect ip-multihop command to redirect packets to the next hop specified by
the ACL IP address pool.
Follow-up Procedure
Run the ip-address (ACL IP address pool view) command multiple times to
specify multiple IP addresses.
Precautions
The switch supports a maximum of 12 ACL IP address pools. Each ACL IP address
pool supports a maximum of 4 IP addresses.
When PBR is used to redirect packets to multiple next hops and the device has no ARP entry for a specified next hop IP address, redirection to that next hop does not take effect: the device keeps forwarding the packets along their original path until the ARP entry for the next hop is learned. Run the display acl ip-pool command to check whether each next hop IP address in the pool has taken effect.
Example
# Create an ACL IP address pool named abc.
<HUAWEI> system-view
[HUAWEI] acl ip-pool abc
Function
The acl ipv6 ip-pool command creates an ACL IPv6 address pool and enters the
ACL IPv6 address pool view.
The undo acl ipv6 ip-pool command deletes an ACL IPv6 address pool.
By default, no ACL IPv6 address pool has been created on the device.
Format
acl ipv6 ip-pool acl-ipv6-pool-name
undo acl ipv6 ip-pool acl-ipv6-pool-name
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
An ACL IPv6 address pool applies when policy-based routing (PBR) is used to
redirect packets to multiple next hops. An ACL IPv6 address pool can be invoked
by the redirect ipv6-multihop command to redirect packets to the next hop
specified by the ACL IPv6 address pool.
Follow-up Procedure
Run the ipv6 address (ACL IPv6 address pool view) command multiple times to
specify multiple IPv6 addresses.
Precautions
The switch supports a maximum of 12 ACL IPv6 address pools. Each ACL IPv6
address pool supports a maximum of 4 IPv6 addresses.
When PBR is used to redirect packets to multiple next hops and the device has no neighbor entry for a specified next hop IPv6 address, the device sends NS packets to check whether the neighbor is reachable. If the neighbor is unreachable, the packets are forwarded along their original path and redirection to that next hop does not take effect. Run the display acl ipv6 ip-pool command to check whether each next hop IPv6 address in the pool has taken effect.
Example
# Create an ACL IPv6 address pool named abc.
<HUAWEI> system-view
[HUAWEI] acl ipv6 ip-pool abc
Function
The acl ipv6 name command creates a named ACL6 and enters the ACL6 view.
The undo acl ipv6 name command deletes a named ACL6.
Format
acl ipv6 name acl6-name [ advance | basic | ucl | acl6-number ] [ match-order
{ auto | config } ]
undo acl ipv6 name acl6-name
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
An ACL6 is a set of rules composed of permit or deny clauses. ACL6s are mainly
used in QoS. ACL6s can limit data flows to improve network performance. For
example, ACL6s are configured on an enterprise network to limit video data flows,
which lowers the network load and improves network performance.
Follow-up Procedure
Run the rule command to configure ACL6 rules and apply the ACL6 to services for
which packets need to be filtered.
Example
# Create basic ACL6 2001 named test2.
<HUAWEI> system-view
[HUAWEI] acl ipv6 name test2 2001
Function
The acl ipv6 command creates a numbered ACL6 and enters the ACL6 view.
The undo acl ipv6 command deletes an ACL6.
Format
acl ipv6 [ number ] acl6-number [ match-order { auto | config } ]
undo acl ipv6 { [ number ] acl6-number | all }
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
An ACL6 is a set of rules composed of permit or deny clauses. ACL6 rules can be
referenced by modules. ACL6s are applicable to QoS. ACL6s can limit data flows to
improve network performance. For example, ACL6s are configured on an
enterprise network to limit video data flows, which lowers the network load and
improves network performance.
Follow-up Procedure
Run the rule command to configure ACL6 rules and apply the ACL6 to services for
which packets need to be filtered.
Precautions
● After you create a numbered ACL6 using the acl ipv6 command, the ACL6 still
exists even if you exit from the ACL6 view. You must run the undo acl ipv6
acl6-number command to delete the ACL6.
● When you delete an ACL6 that has been referenced by other services, the
services will be interrupted. Before deleting an ACL6, ensure that the ACL6 is
not in use.
● All ACL6s can be deleted on the device in one go, but this method is not
recommended.
● On the S1720GF, S1720GFR-P, S1720GW, S1720GW-E, S1720GWR, S1720GWR-E, S2720-EI, S5720I-SI, S5720-LI, S5720S-LI, S5735S-H, and S5736-S, before creating a user ACL6, set the ACL resource allocation mode to NAC using the assign resource-template acl-mode command and restart the device so that the NAC mode takes effect.
● For versions earlier than V200R019C00, if the rule IDs of basic or advanced
ACL6 rules are disordered, after the version is upgraded to V200R019C00 or a
later version, all rule IDs are updated at a step of 5.
Example
# Create an advanced ACL6 with the number of 3000.
<HUAWEI> system-view
[HUAWEI] acl ipv6 number 3000
Function
The acl name command creates a named ACL and enters the ACL view.
Format
acl name acl-name [ advance | basic | link | ucl | user | acl-number ] [ match-
order { auto | config } ]
undo acl name acl-name
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
An ACL consists of a series of rules defined by multiple permit or deny clauses. ACLs are mainly applied to QoS, route filtering, and user access. The major functions of ACLs are as follows:
● Limit data flows to improve network performance. For example, ACLs are
configured on an enterprise network to limit video data flows, which lowers
the network load and improves network performance.
● Provide flow control. For example, ACLs are used to limit transmission of
routing updates so that the bandwidth is saved.
● Provide network access security. For example, ACLs are configured to allow
specified users to access the human resource network.
Follow-up Procedure
Run the rule command to configure ACL rules and apply the ACL to services for
which packets need to be filtered.
Precautions
After you create a named ACL by using the acl name command, the ACL still exists even if you exit from the ACL view. You must run the undo acl name acl-name or undo acl acl-number command to delete the ACL.
When you delete an ACL that has been referenced by other services, the services may be interrupted. Before deleting an ACL, ensure that the ACL is not in use.
The device automatically allocates a number to a named ACL that is created without a number. The number allocated depends on the following:
● If the type of the named ACL is specified, the device allocates the highest unused number in that type's range (for example, 3999 for the first advanced named ACL, as in the display acl name test output later in this chapter).
● If neither the number nor the type of the named ACL is specified, the device treats the named ACL as an advanced ACL and allocates the highest unused number in the advanced ACL range.
The switch never allocates the same number to two named ACLs.
Example
# Create basic ACL 2001 named test1.
<HUAWEI> system-view
[HUAWEI] acl name test1 2001
Function
The acl command creates a numbered ACL and enters the ACL view.
The undo acl command deletes an ACL.
Format
acl [ number ] acl-number [ match-order { auto | config } ]
undo acl { [ number ] acl-number | all }
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
An ACL consists of a series of rules defined by multiple permit or deny clauses.
ACLs are mainly applied to QoS, route filtering, and user access. The major
functions of ACLs are as follows:
● Limit data flows to improve network performance. For example, ACLs are
configured on an enterprise network to limit video data flows, which lowers
the network load and improves network performance.
● Provide flow control. For example, ACLs are used to limit transmission of
routing updates so that the bandwidth is saved.
● Provide network access security. For example, ACLs are configured to allow
specified users to access the human resource network.
Follow-up Procedure
Run the rule command to configure ACL rules and apply the ACL to services for
which packets need to be filtered.
Precautions
● After you create an ACL using the acl command, the ACL still exists even if
you exit from the ACL view. You must run the undo acl acl-number command
to delete the ACL.
● When you delete an ACL that has been referenced by other services, the
services may be interrupted. Before deleting an ACL, ensure that the ACL is
not in use.
● You are advised not to delete all ACLs because this operation may cause a
service interruption.
Example
# Create an ACL numbered 2000.
<HUAWEI> system-view
[HUAWEI] acl number 2000
Function
The acl threshold-alarm command configures the alarm threshold percentage of
ACL, Meter or Counter resource usage.
The undo acl threshold-alarm command restores the default alarm threshold
percentage of ACL, Meter or Counter resource usage.
By default, the lower alarm threshold percentage is 70, and the upper alarm
threshold percentage is 80.
Format
acl [ meter | counter ] threshold-alarm { upper-limit upper-limit | lower-limit lower-limit } *
undo acl [ meter | counter ] threshold-alarm
Parameters
NOTE
● If neither meter nor counter is specified, the alarm threshold percentage of ACL resource usage is configured.
● The value of upper-limit must be greater than that of lower-limit. If the difference between the two values is too small, resource usage that fluctuates around the thresholds causes alarm and clear-alarm traps to be generated frequently.
● The S1730S-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S, and S5735-S-I do not support the counter parameter.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
ACL resources are occupied by ACL and ACL6 services, Meter resources by traffic rate limiting services, and Counter resources by traffic statistics services. You can run this command to configure the alarm threshold percentage of ACL, Meter, or Counter resource usage.
When the ACL, Meter, or Counter resource usage reaches or exceeds the upper threshold, the device generates an alarm. When the usage falls to or below the lower threshold, the device generates a clear alarm. Usage between the two thresholds changes neither state, so the gap between them acts as hysteresis against flapping.
Precautions
If you run this command multiple times, only the latest configuration takes effect.
The upper threshold must be greater than the lower threshold.
Example
# Configure the lower alarm threshold percentage to 30 and the upper alarm
threshold percentage to 50.
<HUAWEI> system-view
[HUAWEI] acl threshold-alarm upper-limit 50 lower-limit 30
Function
The assign resource-template acl-mode command sets the ACL resource
allocation mode.
The undo assign resource-template acl-mode command restores the default ACL
resource allocation mode.
NOTE
The nac parameter is available only on the S1720GF, S1720GW, S1720GFR-P, S1720GWR,
S1720GW-E, S1720GWR-E, S2720-EI, S5720I-SI, S5720-LI, S5720S-LI, S5735S-H, and S5736-
S. The enhanced-acl parameter is available only on the S6735-S.
Format
assign resource-template acl-mode { enhanced-acl | nac | normal } [ slot slot-
id ]
Parameters
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The default ACL resource allocation mode is Normal. In Normal mode, the ACL
does not support matching of destination IPv6 addresses. If matching destination
IPv6 addresses is required, switch the ACL resource allocation mode to NAC. On
the S6735-S, you can switch the resource allocation mode to the enhanced-acl
mode to increase the number of ACLs.
Precautions
● The ACL specifications in NAC and Normal ACL resource allocation modes are
the same.
● In NAC mode, matching MAC addresses of IPv6 packets is not supported. Any configuration made in Normal mode for a function that matches the source or destination MAC addresses of IPv6 packets may therefore be lost or stop taking effect after the switch to NAC mode.
● After configuring the ACL resource allocation mode, save the configuration,
and restart the device for the configuration to take effect.
Example
# Change the ACL resource allocation mode to NAC.
<HUAWEI> system-view
[HUAWEI] assign resource-template acl-mode nac
14.1.10 description
Function
The description command configures the description of an ACL or ACL6.
The undo description command deletes the description of an ACL or ACL6.
By default, no description is configured for an ACL or ACL6.
Format
description text
undo description
Parameters
Views
ACL view, ACL6 view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The description command configures the description of an ACL or ACL6, for
example, the usage or application scenario of the ACL. It is used to differentiate
ACLs.
Prerequisites
The ACL or ACL6 to be described has been created.
Configuration Impact
If you run the description command multiple times in the same ACL view or ACL6
view, only the latest configuration takes effect.
Example
# Configure the description of ACL 2100.
<HUAWEI> system-view
[HUAWEI] acl 2100
[HUAWEI-acl-basic-2100] description This acl is used in QoS policy
[HUAWEI-acl-basic-2100] display acl 2100
Basic ACL 2100, 0 rule
This acl is used in QoS policy
Acl's step is 5
Function
The display acl command displays the configuration of an ACL.
Format
display acl { acl-number | name acl-name | all }
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The display acl command displays the ACL configuration.
Example
# Display configuration about the ACL named test.
<HUAWEI> display acl name test
Advanced ACL test 3999, 1 rule, match-order is auto
Acl's step is 5
rule 5 permit ip destination 10.10.10.1 0
Item Description
Advanced ACL test 3999, 1 rule, match-order is auto: Advanced ACL 3999 named test, which matches in automatic order and contains one rule.
Advanced ACL 3000, 1 rule: Advanced ACL 3000 contains one rule.
rule 5 permit ip dscp cs1: Rule 5, which matches packets with the DSCP value cs1. To modify an advanced ACL rule, run the rule (advanced ACL view) command.
Function
The display acl ip-pool command displays the configuration and status of an ACL
IP address pool.
Format
display acl ip-pool acl-ip-pool-name [ multihop-status [ vpn-instance vpn-
instance-name ] ]
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After an ACL IP address pool is configured, you can run the display acl ip-pool
command to check the configuration of the ACL IP address pool and whether the
next hop IP address takes effect.
When PBR is used to redirect packets to multiple next hops and the device has no ARP entry for a specified next hop IP address, redirection to that next hop does not take effect: the device keeps forwarding the packets along their original path until the ARP entry for the next hop is learned. The multihop-status keyword shows, per next hop, whether it has taken effect.
Example
# Display the configuration and status of the ACL IP address pool named abc.
<HUAWEI> display acl ip-pool abc multihop-status
-----------------------------------------------------------------------------------------
IP Address NQA AdminName NQA TestName Status
-----------------------------------------------------------------------------------------
10.3.3.3 -- -- invalid
192.168.200.1 user test valid
192.168.150.1 user test valid
-----------------------------------------------------------------------------------------
Total: 3
Table 14-2 Description of the display acl ip-pool abc multihop-status command output
Item Description
IP Address: Next hop IP address configured in the ACL IP address pool.
NQA AdminName: Administrator name of the NQA test instance tracked through the track-nqa parameter of the ip address command (-- if the next hop is not tracked).
NQA TestName: Name of the tracked NQA test instance (-- if the next hop is not tracked).
Status: Whether the next hop takes effect. valid: redirection to this next hop is in effect. invalid: redirection to this next hop is not in effect, for example because no matching ARP entry exists yet.
Function
The display acl ipv6 ip-pool command displays the configuration and status of an
ACL IPv6 address pool.
Format
display acl ipv6 ip-pool acl-ipv6-pool-name [ multihop-status [ vpn-instance
vpn-instance-name ] ]
Parameters
Parameter Description Value
vpn-instance vpn-instance-name: Displays the ACL IPv6 address pool of a specified VPN instance. Value: the VPN instance name must exist.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After an ACL IPv6 address pool is configured, you can run the display acl ipv6 ip-
pool command to check the configuration of the ACL IPv6 address pool and
whether the next hop IPv6 address takes effect.
When PBR is used to redirect packets to multiple next hops and the device has no neighbor entry for a specified next hop IPv6 address, the device sends NS packets to check whether the neighbor is reachable. If the neighbor is unreachable, the packets are forwarded along their original path and redirection to that next hop does not take effect. The multihop-status keyword shows, per next hop, whether it has taken effect.
Example
# Display the configuration and status of the ACL IPv6 address pool named abc.
<HUAWEI> display acl ipv6 ip-pool abc multihop-status
-----------------------------------------------------------------------------------------------------------------
2001:DB8::1 -- -- invalid
2001:DB8::2 -- -- invalid
-----------------------------------------------------------------------------------------------------------------
Total: 2
Table 14-3 Description of the display acl ipv6 ip-pool abc multihop-status command output
Item Description
IPv6 Address (first column): Next hop IPv6 address configured in the ACL IPv6 address pool.
NQA AdminName and NQA TestName (second and third columns): Administrator name and test name of the tracked NQA test instance (-- if the next hop is not tracked).
Status (last column): Whether the next hop takes effect. valid: redirection to this next hop is in effect. invalid: redirection to this next hop is not in effect, for example because the neighbor is unreachable.
Function
The display acl ipv6 command displays the configuration of an ACL6.
Format
display acl ipv6 { acl6-number | name acl6-name | all }
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The display acl ipv6 command displays the ACL6 configuration.
Example
# Display the configuration about the ACL6 with the number of 2000.
<HUAWEI> display acl ipv6 2000
Basic IPv6 ACL 2000, 2 rules
rule 0 deny source 3::/64
rule 1 permit source 4::/64
Item Description
Basic IPv6 ACL 2000, 2 rules: ACL6 2000, which is a basic ACL6 and has two rules.
rule 0 deny source 3::/64: ACL6 rule 0, which denies packets with the source IPv6 address 3::/64. To modify a basic ACL6 rule, run the rule (basic ACL6 view) command.
rule 1 permit source 4::/64: ACL6 rule 1, which permits packets with the source IPv6 address 4::/64.
Advanced IPv6 ACL 3999 name test, 0 rule: ACL6 3999, named test, which is an advanced ACL6 and has no rules.
Ucl group IPv6 ACL 6000, 0 rule: ACL6 6000, which is a user ACL6 and has no rules.
Function
The display acl resource command displays information about ACL resources.
Format
display acl resource [ slot slot-id ]
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
If ACL configuration fails, all the ACL, Meter, or Counter resources on the device
may have been used up. You can run the display acl resource command to check
whether there are available ACL, Meter, or Counter resources (including ACL4 and
ACL6).
Example
# Display information about ACL resources in slot 0 (S5720-LI is used as an
example).
<HUAWEI> display acl resource slot 0
Slot 0
GigabitEthernet0/0/1 to GigabitEthernet0/0/12
Vlan-ACL Inbound-ACL Outbound-ACL
----------------------------------------------------------------------------
Rule Used 0 65 65
Rule Free 512 3007 3007
Rule Total 512 3072 3072
Meter Used 0 0 0
Meter Free 0 768 128
Meter Total 0 768 128
Counter Used 0 0 0
Counter Free 0 768 128
Counter Total 0 768 128
----------------------------------------------------------------------------
Slot 0
IACL Slice 11 1 12
IACL Unallocated - - 3072
IACL Allocated - - 1024
Srv ACL 10 502 512
Sec ACL 348 164 512
EACL Slice 0 4 4
EACL Unallocated - - 1024
EACL Allocated - - 0
Ingress UDF 0 8 8
----------------------------------------------------------------------------
Item Description
Vlan-ACL, Inbound-ACL, Outbound-ACL: Columns giving the resources of the VLAN ACL, inbound ACL, and outbound ACL partitions respectively; each column is counted separately.
Rule Used / Rule Free / Rule Total: ACL rule entries in use, still available, and in total. ACL rule resources are occupied by ACL and ACL6 services.
Meter Used / Meter Free / Meter Total: Meter entries in use, still available, and in total. Meter resources are occupied by traffic rate limiting services.
Counter Used / Counter Free / Counter Total: Counter entries in use, still available, and in total. Counter resources are occupied by traffic statistics services.
The usage percentage that the acl threshold-alarm thresholds apply to is Used divided by Total for a column; in this output, 65 of 3072 inbound rule entries is about 2%.
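The following Python script, added here as an illustration and not part of Huawei's documentation or software, parses the display acl resource output shown above and applies the alarm logic described under acl threshold-alarm: an alarm state when usage reaches or exceeds upper-limit, a clear state when it falls to or below lower-limit, and no change in between. The S5720-LI table is the one reproduced above; the second, higher-usage table is constructed for the example. Collecting the output from the device (for example over SSH) is left out; the parser takes the text as a string.

```python
"""Parse `display acl resource` output and apply the `acl threshold-alarm`
logic to it. Added example, not Huawei code."""
import re

# Output reproduced from the S5720-LI example above (rows we do not parse omitted).
SAMPLE_S5720LI = """\
Slot 0
GigabitEthernet0/0/1 to GigabitEthernet0/0/12
                 Vlan-ACL    Inbound-ACL    Outbound-ACL
----------------------------------------------------------------------------
Rule Used        0           65             65
Rule Free        512         3007           3007
Rule Total       512         3072           3072
Meter Used       0           0              0
Meter Free       0           768            128
Meter Total      0           768            128
Counter Used     0           0              0
Counter Free     0           768            128
Counter Total    0           768            128
----------------------------------------------------------------------------
"""

# Constructed (not captured) output with high usage, to exercise the alarm states.
SAMPLE_BUSY = """\
                 Vlan-ACL    Inbound-ACL    Outbound-ACL
Rule Used        0           2600           65
Rule Free        512         472            3007
Rule Total       512         3072           3072
Meter Used       0           560            0
Meter Free       0           208            128
Meter Total      0           768            128
"""

COLUMNS = ("Vlan-ACL", "Inbound-ACL", "Outbound-ACL")
ROW_RE = re.compile(r"^(Rule|Meter|Counter)\s+(Used|Free|Total)\s+(\d+)\s+(\d+)\s+(\d+)$")

def parse_acl_resource(text):
    """Return {resource: {column: {"Used": n, "Free": n, "Total": n}}}."""
    table = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue            # headers, separators, IACL/EACL slice rows
        resource, field, *values = m.groups()
        for col, val in zip(COLUMNS, values):
            table.setdefault(resource, {}).setdefault(col, {})[field] = int(val)
    return table

def usage_percent(entry):
    """Used as a percentage of Total; a column with no resources (Total 0) is 0%."""
    return 0.0 if entry["Total"] == 0 else 100.0 * entry["Used"] / entry["Total"]

def evaluate(table, upper=80, lower=70):
    """Per (resource, column): (usage %, state). 'raise' at or above upper-limit,
    'clear' at or below lower-limit, 'hold' in between (the gap is the hysteresis
    that keeps traps from flapping). Defaults are the command's defaults."""
    if upper <= lower:
        raise ValueError("upper-limit must be greater than lower-limit")
    result = {}
    for resource, cols in table.items():
        for col, entry in cols.items():
            pct = usage_percent(entry)
            state = "raise" if pct >= upper else "clear" if pct <= lower else "hold"
            result[(resource, col)] = (round(pct, 2), state)
    return result

if __name__ == "__main__":
    for key, (pct, state) in sorted(evaluate(parse_acl_resource(SAMPLE_BUSY)).items()):
        print(f"{key[0]:8s} {key[1]:13s} {pct:6.2f}% {state}")
```

Run against the constructed table, the inbound rule partition at 84.64% is in the alarm state while the inbound meters at 72.92% sit in the hold band between the two default thresholds, which is exactly the window the NOTE above warns about when the two limits are set too close together.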
Function
The display time-range command displays the configuration and status of the
current time range.
Format
display time-range { all | time-name }
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
To specify a time range during which ACL rules take effect, run the time-range
command and reference the time range name when you configure an ACL.
Before using a time range to filter data packets, run the display time-range
command to view the time range configuration to avoid duplicate time ranges.
NOTE
The device updates the status of ACL rules that reference a time range with a delay of about 30 seconds, whereas the display time-range command determines the time range status from the current time. You may therefore briefly see an ACL rule that references an active time range still reported as inactive. This is normal.
Example
# Display the configuration and status of all time ranges.
<HUAWEI> display time-range all
Current time is 14:48:13 10-17-2012 Wednesday
Item Description
from 23:23 2012/9/9 to 23:59 2012/12/31: Time range abc is from 23:23 2012/9/9 to 23:59 2012/12/31.
Format
ip address ip-address [ mask-length | wildcard | track-nqa admin-name test-
name ]
undo ip address ip-address [ mask-length | wildcard | track-nqa admin-name
test-name ]
Parameters
Views
ACL IP address pool view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After an ACL IP address pool is created, you can run the ip address command to
specify an IP address for the ACL IP address pool. The ACL IP address pool can be
invoked by the redirect ip-multihop command to redirect packets to the next hop
specified in the ACL IP address pool.
Prerequisites
An ACL IP address pool has been created by running the acl ip-pool command.
Precautions
The switch supports a maximum of 12 ACL IP address pools. Each ACL IP address
pool supports a maximum of 4 IP addresses.
When PBR is used to redirect packets to multiple next hops and the device has no ARP entry for a specified next hop IP address, redirection to that next hop does not take effect: the device keeps forwarding the packets along their original path until the ARP entry for the next hop is learned. Run the display acl ip-pool command to check whether each next hop IP address in the pool has taken effect.
Example
# Specify four IP addresses (the maximum for one pool) for the ACL IP address pool named abc.
<HUAWEI> system-view
[HUAWEI] acl ip-pool abc
[HUAWEI-acl-ip-pool-abc] ip address 192.168.10.1 32
[HUAWEI-acl-ip-pool-abc] ip address 192.168.20.1 32
[HUAWEI-acl-ip-pool-abc] ip address 192.168.30.1 32
[HUAWEI-acl-ip-pool-abc] ip address 192.168.40.1 32
Format
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
ipv6 address ipv6-address
undo ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
undo ipv6 address ipv6-address
Parameters
Views
ACL IPv6 address pool view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After an ACL IPv6 address pool is created, you can run the ipv6 address command
to specify an IPv6 address for the ACL IPv6 address pool. The ACL IPv6 address
pool can be invoked by the redirect ipv6-multihop command to redirect packets
to the next hop specified in the ACL IPv6 address pool.
Prerequisites
An ACL IPv6 address pool has been created by running the acl ipv6 ip-pool
command.
Precautions
The switch supports a maximum of 12 ACL IPv6 address pools. Each ACL IPv6
address pool supports a maximum of 4 IPv6 addresses.
When PBR is used to redirect packets to multiple next hops and the device has no neighbor entry for a specified next hop IPv6 address, the device sends NS packets to check whether the neighbor is reachable. If the neighbor is unreachable, the packets are forwarded along their original path and redirection to that next hop does not take effect. Run the display acl ipv6 ip-pool command to check whether each next hop IPv6 address in the pool has taken effect.
Example
# Specify four IPv6 addresses for the ACL IPv6 address pool named abc.
<HUAWEI> system-view
[HUAWEI] acl ipv6 ip-pool abc
[HUAWEI-acl6-ip-pool-abc] ipv6 address 2001:db8::1 128
[HUAWEI-acl6-ip-pool-abc] ipv6 address 2001:db8::2 128
[HUAWEI-acl6-ip-pool-abc] ipv6 address 2001:db8::3 128
[HUAWEI-acl6-ip-pool-abc] ipv6 address 2001:db8::4 128
Function
The reset acl counter command clears statistics about ACLs.
Format
reset acl counter { name acl-name | acl-number | all }
Parameters
Parameter Description Value
name acl-name: Specifies the name of an ACL whose statistics need to be cleared. Value: a string of 1 to 64 case-sensitive characters without spaces; the value must start with a letter.
acl-number: Specifies the number of an ACL whose statistics need to be cleared. Value: an integer.
● The number of a basic ACL ranges from 2000 to 2999.
● The number of a numbered advanced ACL ranges from 3000 to 3999.
● The number of a Layer 2 ACL ranges from 4000 to 4999.
● The number of a user-defined ACL ranges from 5000 to 5999.
● The number of a user ACL ranges from 6000 to 9999.
all: Clears all the ACL statistics. Value: -
Views
User view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To obtain the accurate ACL statistics generated in a certain period, run the reset
acl counter command to clear existing statistics and start statistics collection.
NOTICE
The reset acl counter command clears the statistics without asking for confirmation, and cleared statistics cannot be restored. Before using the command, determine whether you really intend to clear the ACL statistics.
Follow-up Procedure
After running the reset acl counter command to clear the previous ACL statistics,
you can use the display acl match-counter command in the diagnostic view to
check ACL rules and statistics on the packets matching the ACL rules in the
current period.
Example
# Clear statistics about ACL 2000.
<HUAWEI> reset acl counter 2000
Function
The reset acl ipv6 counter command clears the ACL6 statistics.
Format
reset acl ipv6 counter { name acl6-name | acl6-number | all }
Parameters
Views
User view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To obtain the accurate ACL6 statistics in a certain period, run the reset acl ipv6
counter command to clear existing statistics and start statistics collection.
NOTICE
The reset acl ipv6 counter command clears the statistics without asking for confirmation, and cleared statistics cannot be restored. Before using the command, determine whether you really intend to clear the ACL6 statistics.
Follow-up Procedure
After running the reset acl ipv6 counter command to clear the previous ACL6 statistics, you can use the display acl ipv6 command to view the ACL6 rules and the statistics on packets matching them in the current period.
Example
# Clear the statistics about basic ACL6 2000.
<HUAWEI> reset acl ipv6 counter 2000
Function
The rule command adds or modifies an advanced ACL rule.
The undo rule command deletes an advanced ACL rule.
By default, no advanced ACL rule is created.
Format
● When the parameter protocol is specified as the Internet Control Message
Protocol (ICMP), the command format is as follows:
rule [ rule-id ] { deny | permit } { protocol-number | icmp } [ destination
{ destination-address destination-wildcard | any } | { { precedence precedence
| tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | icmp-type
{ icmp-name | icmp-type [ icmp-code ] } | source { source-address source-
wildcard | any } | time-range time-name | ttl-expired | { vpn-instance vpn-
instance-name | public } ] *
undo rule { deny | permit } { protocol-number | icmp } [ destination
{ destination-address destination-wildcard | any } | { { precedence precedence
| tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | icmp-type
Parameters
Parameter Description Value
source-port { eq port | gt port | lt port | range port-start port-end }: Specifies the source port of UDP or TCP packets. The value is valid only when the protocol of the packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any source port are matched. The operators are as follows:
● eq port: equal to the source port number.
● gt port: greater than the source port number.
● lt port: smaller than the source port number.
● range port-start port-end: source port number range. port-start specifies the start port number and port-end specifies the end port number.
Value: port can be a name or a number. When expressed as a number, it ranges from 0 to 65535 in eq port, from 0 to 65534 in gt port, and from 1 to 65535 in lt port. port-start and port-end can be a name or a number; when expressed as a number, they range from 0 to 65535. Table 14-9 and Table 14-10 list the mapping between the well-known source or destination port numbers of UDP or TCP and values of port.
Values of tos name and the corresponding ToS value
tos name ToS value
normal 0
min-monetary-cost 1
max-reliability 2
max-throughput 4
min-delay 8
Table 14-8 Values of ICMP name and the corresponding ICMP type and ICMP
code
ICMP name ICMP type ICMP code
Echo 8 0
Echo-reply 0 0
Parameter-problem 12 0
Port-unreachable 3 3
Protocol-unreachable 3 2
Reassembly-timeout 11 1
Source-quench 4 0
Source-route-failed 3 5
Timestamp-reply 14 0
Timestamp-request 13 0
Ttl-exceeded 11 0
Fragmentneed-DFset 3 4
Host-redirect 5 1
Host-tos-redirect 5 3
Host-unreachable 3 1
Information-reply 16 0
Information-request 15 0
Net-redirect 5 0
Net-tos-redirect 5 2
Net-unreachable 3 0
Views
Advanced ACL view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
An advanced ACL rule matches packets on the protocol, source and destination IPv4 addresses, TCP or UDP ports, ICMP type and code, precedence, ToS, DSCP, fragment flags, and TTL expiry, and the time-range parameter restricts the period during which the rule takes effect.
Prerequisites
An advanced ACL has been created using the acl or acl name command.
Precautions
If the specified rule ID already exists and the new rule conflicts with the original rule, the new rule replaces the original rule.
To modify an existing rule, delete the old rule and then create a new rule; otherwise, the configuration result may be incorrect.
To configure both the precedence precedence and tos tos parameters, set the two
parameters consecutively in the command.
The undo rule command deletes an ACL rule even if the ACL rule is referenced. (If
a simplified traffic policy references a specified rule in an ACL, this command does
not take effect.) Before deleting a rule, ensure that the rule is not being
referenced.
Example
# Add rules to ACL 3000 to match ICMP packets and IGMP packets.
<HUAWEI> system-view
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule 1 permit icmp
[HUAWEI-acl-adv-3000] rule 2 permit igmp
# Add a rule to ACL 3001 to match all IP packets sent from hosts in 10.9.0.0/16 to hosts in 10.38.160.0/24.
<HUAWEI> system-view
[HUAWEI] acl 3001
[HUAWEI-acl-adv-3001] rule permit ip source 10.9.0.0 0.0.255.255 destination 10.38.160.0 0.0.0.255
# Add a rule to ACL 3001 to match UDP packets with destination port 128 sent from 10.9.8.0/24 to 10.38.160.0/24.
[HUAWEI-acl-adv-3001] rule permit udp source 10.9.8.0 0.0.0.255 destination 10.38.160.0 0.0.0.255 destination-port eq 128
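The following Python code is an added example, not Huawei code. It evaluates packets against the ACL 3001 rules configured above using wildcard-mask semantics (a 1 bit in the wildcard means that bit is ignored, a 0 bit must match, so a wildcard of 0 as in destination 10.10.10.1 0 is an exact host match), trying rules in configuration order as under match-order config. The rule IDs 5 and 10 are an assumption, being what a device with a rule step of 5 would assign when the ID is omitted. It also reports rules that can never match because an earlier rule already matches a superset of their traffic: in ACL 3001 the UDP rule is entirely covered by the preceding permit ip rule, so a UDP packet from 10.9.8.7 to 10.38.160.9 on port 128 is matched by rule 5 and rule 10 never fires. The packets are constructed for the example.

```python
"""Evaluate IPv4 packets against advanced-ACL rules with wildcard masks and
find rules shadowed by an earlier, broader rule. Added example, not Huawei
code; rule IDs 5 and 10 are assumed (auto-assigned at a step of 5)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")            # every bit is "don't care"
PROTO = {"ip": None, "icmp": 1, "igmp": 2, "tcp": 6, "udp": 17}   # "ip" matches any protocol

def _int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """True if addr agrees with base on every bit the wildcard marks as 'care' (0)."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(addr) & care) == (_int(base) & care)

def wildcard_covers(outer, inner):
    """True if every address matched by inner (base, wildcard) is also matched by outer:
    outer may only care about bits inner also cares about, and must agree on them."""
    o_care = ~_int(outer[1]) & 0xFFFFFFFF
    i_care = ~_int(inner[1]) & 0xFFFFFFFF
    return (o_care & ~i_care) == 0 and (_int(outer[0]) & o_care) == (_int(inner[0]) & o_care)

@dataclass
class Rule:
    rule_id: int
    action: str                                  # "permit" or "deny"
    protocol: str                                # key of PROTO
    source: Tuple[str, str] = ANY                # (address, wildcard)
    destination: Tuple[str, str] = ANY
    destination_port: Optional[Tuple] = None     # ("eq", 128), ("gt", n), ("lt", n), ("range", lo, hi)

@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None

def port_match(spec, port):
    op = spec[0]
    if op == "eq":
        return port == spec[1]
    if op == "gt":
        return port > spec[1]
    if op == "lt":
        return port < spec[1]
    if op == "range":
        return spec[1] <= port <= spec[2]
    raise ValueError(f"unknown operator {op}")

def rule_matches(rule, pkt):
    want = PROTO[rule.protocol]
    if want is not None and pkt.proto != want:
        return False
    if not (wildcard_match(pkt.src, *rule.source) and wildcard_match(pkt.dst, *rule.destination)):
        return False
    if rule.destination_port is not None:
        # port operators apply only to TCP/UDP; other protocols carry no port
        if pkt.proto not in (6, 17) or pkt.dport is None:
            return False
        return port_match(rule.destination_port, pkt.dport)
    return True

def evaluate_acl(rules, pkt):
    """match-order config: the first rule in configuration order that matches wins.
    None means no rule matched; what happens then is decided by the service that
    references the ACL, not by the ACL itself."""
    for r in rules:
        if rule_matches(r, pkt):
            return r.rule_id, r.action
    return None

def shadowed_rules(rules):
    """IDs of rules that can never match because an earlier rule matches a superset.
    Conservative: an earlier rule counts as covering only if it has no port filter
    or exactly the same port filter."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.protocol not in ("ip", later.protocol):
                continue
            if earlier.destination_port not in (None, later.destination_port):
                continue
            if wildcard_covers(earlier.source, later.source) and \
               wildcard_covers(earlier.destination, later.destination):
                out.append(later.rule_id)
                break
    return out

# ACL 3001 as configured in the example above
ACL_3001 = [
    Rule(5, "permit", "ip", ("10.9.0.0", "0.0.255.255"), ("10.38.160.0", "0.0.0.255")),
    Rule(10, "permit", "udp", ("10.9.8.0", "0.0.0.255"), ("10.38.160.0", "0.0.0.255"), ("eq", 128)),
]

if __name__ == "__main__":
    print(evaluate_acl(ACL_3001, Packet("10.9.8.7", "10.38.160.9", 17, 128)))  # rule 5, not rule 10
    print(shadowed_rules(ACL_3001))                                            # [10]
```

The shadowing check matters most when the covered rule is a deny that a broader permit was placed in front of, or when a narrower permit was meant to be the only opening; on the device the symptom is simply that the later rule's match counter never increments.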
Function
The rule command adds or modifies an advanced ACL6 rule.
The undo rule command deletes an advanced ACL6 rule.
By default, no advanced ACL6 rule is created.
Format
● When the protocol is set to TCP, the command format is as follows:
rule [ rule-id ] { deny | permit } { tcp | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | destination-ipv6-address wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-address wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | { vpn-instance vpn-instance-name | public } ] *
undo rule { deny | permit } { tcp | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | destination-ipv6-address wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-address wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | { vpn-instance vpn-instance-name | public } ] *
● When the protocol is set to UDP, the command format is as follows:
rule [ rule-id ] { deny | permit } { udp | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | destination-ipv6-address wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-address wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | { vpn-instance vpn-instance-name | public } ] *
undo rule { deny | permit } { udp | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | destination-ipv6-address wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-address wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | { vpn-instance vpn-instance-name | public } ] *
● When the protocol is set to ICMPv6, the command format is as follows:
rule [ rule-id ] { deny | permit } { icmpv6 | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | destination-ipv6-address wildcard | any } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | icmp6-type { icmp6-name | icmp6-type [ icmp6-code ] } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-address wildcard | any } | time-range time-name | { vpn-instance vpn-instance-name | public } ] *
undo rule { deny | permit } { icmpv6 | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | destination-ipv6-address wildcard | any } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | icmp6-type { icmp6-name | icmp6-type [ icmp6-code ] } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-address wildcard | any } | time-range time-name | { vpn-instance vpn-instance-name | public } ] *
● When the protocol is set to other protocols, the command format is as follows:
rule [ rule-id ] { deny | permit } { protocol-number | gre | ipv6 | ospf } [ destination { destination-ipv6-address prefix-length | destination-ipv6-
● The vpn-instance and public parameters are supported only when a software-based ACL is applied to the S5720I-SI, S5735-S, S5735S-S, S5735-S-I, S5735S-H, S5736-S, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6735-S, S6720-EI, S6720S-EI, S6730-H, S6730S-H, S6730-S, or S6730S-S. For usage scenarios of software-based ACLs, see "ACL Implementations" in the S300, S500, S2700, S5700, and S6700 V200R021C10 Configuration Guide - Security ACL Configuration - ACL Fundamentals.
● For details about the parameters that are not supported when ACL rules are implemented as hardware-based ACLs, see Table 14-11.
● Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support routing [ routing-type routing-type ].
● Only the S1720GF, S1720GW, S1720GW-E, S1720GWR, S1720GFR-P, S1720GWR-E, S2720-EI, S5720-LI, S5720S-LI, S5720I-SI, S5735S-H, S5736-S, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6735-S, S6720-EI, S6720S-EI, S6730-H, S6730S-H, S6730-S, S6730S-S, S1730S-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S, and S5735-S-I support dscp, precedence, and tos.
● Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S, S5735-S-I, S6735-S, S6720-EI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support destination and first-fragment. For the S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S, and S5735-S-I, an ACL containing first-fragment can only be used in the inbound direction.
Parameters
Parameter Description Value
Parameter: source-port { eq port | gt port | lt port | range port-start port-end }
Description: Specifies the source port of UDP or TCP packets. The value is valid only when the protocol of packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any source port are matched. The operators are as follows:
● eq port: equivalent to the source port number.
● gt port: greater than the source port number.
● lt port: smaller than the source port number.
● range port-start port-end: source port number range. port-start specifies the start port number. port-end specifies the end port number.
Value: The value of port can be a name or a number.
● When the value is expressed as a number, it ranges from 0 to 65535 in eq port.
● When the value is expressed as a number, it ranges from 0 to 65534 in gt port.
● When the value is expressed as a number, it ranges from 1 to 65535 in lt port.
The value of port-start and port-end can be a name or a number. When the value is expressed as a number, it ranges from 0 to 65535. Table 14-15 and Table 14-14 list the mapping between the well-known source or destination port numbers of UDP or TCP and values of port.
Table 14-11 Parameter support regarding different protocols when ACL rules configured are implemented on hardware
Parameter | TCP | UDP | ICMPv6 | Other Protocols
tos name | tos value
normal | 0
min-monetary-cost | 1
max-reliability | 2
max-throughput | 4
min-delay | 8
Table 14-13 Values of icmp6-name and the corresponding ICMPv6 type and
ICMPv6 code
ICMPv6 Name ICMPv6 Type ICMPv6 Code
Redirect 137 0
Echo 128 0
Echo-reply 129 0
Err-Header-field 4 0
Frag-time-exceeded 3 1
Hop-limit-exceeded 3 0
Host-admin-prohib 1 1
Host-unreachable 1 3
Neighbor-advertisement 136 0
Neighbor-solicitation 135 0
Network-unreachable 1 0
Packet-too-big 2 0
Port-unreachable 1 4
Router-advertisement 134 0
Router-solicitation 133 0
Unknown-ipv6-opt 4 2
Unknown-next-hdr 4 1
Views
Advanced ACL6 view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Advanced ACL6s classify data packets based on the source IP address, destination
IP address, source port number, destination port number, and protocol type.
The rule command defines the time range to flexibly configure the time during
which ACL6 rules take effect.
Prerequisites
An ACL6 has been created before the rule is configured.
Precautions
If the specified rule ID already exists and the new rule conflicts with the original
rule, the new rule replaces the original rule.
To modify an existing rule, delete the old rule, and then create a new rule.
Otherwise, the configuration result will be incorrect.
To configure both the precedence precedence and tos tos parameters, set the two
parameters consecutively in the command.
When you use the undo rule command to delete an ACL6 rule, the rule ID must
exist. If the rule ID is unknown, you can use the display acl ipv6 command to
view the rule ID.
The undo rule command deletes an ACL6 rule even if the ACL6 rule is referenced.
Use this command with caution, especially when you delete an ACL6 rule that has
been referenced.
The parameter fragment cannot be set together with source-port, destination-
port, icmp6-type, and tcp-flag.
Example
# Add a rule to ACL6 3000 to deny the packets with the destination UDP port
number that is greater than 128 from fc00:1::1 to fc00:3::1.
<HUAWEI> system-view
[HUAWEI] acl ipv6 3000
[HUAWEI-acl6-adv-3000] rule deny udp source fc00:1::1 64 destination fc00:3::1 64 destination-port gt 128
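To check what the rules in the examples above actually match before they are applied, here is an added Python model (not Huawei code) of the rule command's address and port semantics: IPv4 wildcards, IPv6 prefix lengths, the eq/gt/lt/range operators with their documented operand ranges, and first-match evaluation in rule-ID order. Packet, Rule, Acl, the config match-order assumption and the use of numeric ports only (the port-name tables are not modelled) are this example's own.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

AddrMatcher = Callable[[str], bool]
PortMatcher = Callable[[int], bool]

def any_addr() -> AddrMatcher:
    return lambda addr: True        # the 'any' keyword

def ipv4_wildcard(base: str, wildcard: str) -> AddrMatcher:
    """IPv4 'address wildcard' form: a 1 bit in the wildcard is "don't care", so
    10.9.0.0 0.0.255.255 matches every 10.9.x.x host and a wildcard of 0 one host."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    want = int(ipaddress.IPv4Address(base)) & care
    return lambda addr: (int(ipaddress.IPv4Address(addr)) & care) == want

def ipv6_prefix(base: str, prefix_length: int) -> AddrMatcher:
    """IPv6 'address prefix-length' form: fc00:1::1 64 means the prefix fc00:1::/64."""
    shift = 128 - prefix_length
    want = int(ipaddress.IPv6Address(base)) >> shift
    return lambda addr: (int(ipaddress.IPv6Address(addr)) >> shift) == want

# Operand ranges from the parameter table; 'gt 65535' or 'lt 0' could never match.
PORT_OPERAND_RANGE = {"eq": (0, 65535), "gt": (0, 65534), "lt": (1, 65535), "range": (0, 65535)}

def operand_ok(op: str, value: int) -> bool:
    lo, hi = PORT_OPERAND_RANGE.get(op, (1, 0))   # unknown operator: empty range
    return lo <= value <= hi

def port_spec(op: str, lo: int, hi: Optional[int] = None) -> PortMatcher:
    """Build the predicate for eq/gt/lt/range after validating the operands."""
    if not operand_ok(op, lo):
        raise ValueError(f"{op} {lo}: operand outside the documented range")
    if op == "range":
        if hi is None or not operand_ok("range", hi) or hi < lo:
            raise ValueError("range needs port-start <= port-end, both 0..65535")
        return lambda p: lo <= p <= hi
    return {"eq": lambda p: p == lo, "gt": lambda p: p > lo, "lt": lambda p: p < lo}[op]

@dataclass(frozen=True)
class Packet:                 # constructed test input, not a real capture
    src: str
    dst: str
    proto: str                # "tcp", "udp", "icmp", "igmp", ...
    sport: int = 0
    dport: int = 0

@dataclass
class Rule:
    rule_id: int
    action: str                                   # "permit" or "deny"
    proto: str                                    # "ip" / "ipv6": every protocol
    src: AddrMatcher = field(default_factory=any_addr)
    dst: AddrMatcher = field(default_factory=any_addr)
    sport: Optional[PortMatcher] = None           # None: any port, per the table
    dport: Optional[PortMatcher] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto not in ("ip", "ipv6") and self.proto != pkt.proto:
            return False
        if not (self.src(pkt.src) and self.dst(pkt.dst)):
            return False
        if pkt.proto in ("tcp", "udp"):           # port operators apply to TCP/UDP only
            for spec, port in ((self.sport, pkt.sport), (self.dport, pkt.dport)):
                if spec is not None and not spec(port):
                    return False
        return True

class Acl:
    """First match in rule-ID order decides (assumes config match order, the default)."""
    def __init__(self) -> None:
        self.rules: Dict[int, Rule] = {}

    def add(self, rule: Rule) -> None:
        self.rules[rule.rule_id] = rule           # same ID: new rule replaces the old

    def evaluate(self, pkt: Packet) -> Optional[str]:
        """'permit'/'deny' of the first matching rule; None when no rule matches."""
        for rid in sorted(self.rules):
            if self.rules[rid].matches(pkt):
                return self.rules[rid].action
        return None

# ACL 3001 as built by the IPv4 examples above (IDs 5 and 10 from the default step).
acl3001 = Acl()
acl3001.add(Rule(5, "permit", "ip", src=ipv4_wildcard("10.9.0.0", "0.0.255.255"),
                 dst=ipv4_wildcard("10.38.160.0", "0.0.0.255")))
acl3001.add(Rule(10, "permit", "udp", src=ipv4_wildcard("10.9.8.0", "0.0.0.255"),
                 dst=ipv4_wildcard("10.38.160.0", "0.0.0.255"), dport=port_spec("eq", 128)))

# ACL6 3000 as built by the example above: deny udp ... destination-port gt 128.
acl6_3000 = Acl()
acl6_3000.add(Rule(5, "deny", "udp", src=ipv6_prefix("fc00:1::1", 64),
                   dst=ipv6_prefix("fc00:3::1", 64), dport=port_spec("gt", 128)))
```

A None result means no rule matched; what happens to such a packet depends on where the ACL is applied, not on the ACL itself.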
Format
rule [ rule-id ] { deny | permit } [ source { source-address source-wildcard | any } | fragment | logging | time-range time-name | { vpn-instance vpn-instance-name | public } ] *
undo rule { deny | permit } [ source { source-address source-wildcard | any } | fragment | logging | time-range time-name | { vpn-instance vpn-instance-name | public } ] *
NOTE
The vpn-instance and public parameters are supported only when a software-based ACL is applied to the S5720I-SI, S5735-S, S5735S-S, S5735-S-I, S5735S-H, S5736-S, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6735-S, S6720-EI, S6720S-EI, S6730-H, S6730S-H, S6730-S, or S6730S-S. For usage scenarios of software-based ACLs, see "ACL Implementations" in the S300, S500, S2700, S5700, and S6700 V200R021C10 Configuration Guide - Security ACL Configuration - ACL Fundamentals.
Parameters
Parameter Description Value
Views
Basic ACL view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The rule command accepts a time range, so the time during which ACL rules take
effect can be configured flexibly.
Prerequisites
Precautions
If the specified rule ID already exists and the new rule conflicts with the original
rule, the new rule replaces the original rule.
To modify an existing rule, delete the old rule, and then create a new rule.
Otherwise, the configuration result will be incorrect.
The undo rule command deletes an ACL rule even if the ACL rule is referenced.
Use this command with caution, especially when you delete an ACL rule that has
been referenced.
Example
# Add a rule in ACL 2001 to permit the packets from 192.168.32.1.
<HUAWEI> system-view
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule permit source 192.168.32.1 0
Format
rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-address wildcard | any } | time-range time-name | { vpn-instance vpn-instance-name | public } ] *
undo rule { deny | permit } [ fragment | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-address wildcard | any } | time-range time-name | { vpn-instance vpn-instance-name | public } ] *
undo rule rule-id [ fragment | logging | source | time-range | { vpn-instance | public } ] *
NOTE
The vpn-instance and public parameters are supported only when a software-based ACL is applied to the S5720I-SI, S5735-S, S5735S-S, S5735-S-I, S5735S-H, S5736-S, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6735-S, S6720-EI, S6720S-EI, S6730-H, S6730S-H, S6730-S, or S6730S-S. For usage scenarios of software-based ACLs, see "ACL Implementations" in the S300, S500, S2700, S5700, and S6700 V200R021C10 Configuration Guide - Security ACL Configuration - ACL Fundamentals.
Parameters
Parameter Description Value
Views
Basic ACL6 view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Prerequisites
Precautions
If the specified rule ID already exists and the new rule conflicts with the original
rule, the new rule replaces the original rule.
To modify an existing rule, delete the old rule, and then create a new rule.
Otherwise, the configuration result will be incorrect.
When you use the undo rule command to delete an ACL6 rule, the rule ID must
exist. If the rule ID is unknown, you can use the display acl ipv6 command to
view the rule ID.
The undo rule command deletes an ACL6 rule even if the ACL6 rule is referenced.
Use this command with caution, especially when you delete an ACL6 rule that has
been referenced.
Example
# Add a rule to ACL6 2000 to deny packets from the source fc00:1::1/64.
<HUAWEI> system-view
[HUAWEI] acl ipv6 2000
[HUAWEI-acl6-basic-2000] rule deny source fc00:1::1/64
Format
rule [ rule-id ] { permit | deny } [ [ ether-ii | 802.3 | snap ] | l2-protocol type-value [ type-mask ] | destination-mac dest-mac-address [ dest-mac-mask ] | source-mac source-mac-address [ source-mac-mask ] | vlan-id vlan-id [ vlan-id-mask ] | 8021p 802.1p-value | cvlan-id cvlan-id [ cvlan-id-mask ] | cvlan-8021p 802.1p-value | double-tag | time-range time-name ] *
undo rule { permit | deny } [ [ ether-ii | 802.3 | snap ] | l2-protocol type-value [ type-mask ] | destination-mac dest-mac-address [ dest-mac-mask ] | source-mac source-mac-address [ source-mac-mask ] | vlan-id vlan-id [ vlan-id-mask ] | 8021p 802.1p-value | cvlan-id cvlan-id [ cvlan-id-mask ] | cvlan-8021p 802.1p-value | double-tag | time-range time-name ] *
undo rule rule-id
NOTE
Parameters
Parameter Description Value
Parameter: vlan-id vlan-id [ vlan-id-mask ]
Description: Indicates the outer VLAN ID contained in a packet that matches the rule.
● vlan-id: specifies the number of the VLAN ID.
● vlan-id-mask: specifies the mask of the VLAN ID.
Value: The value of vlan-id is an integer ranging from 1 to 4094. The value of vlan-id-mask is a hexadecimal number ranging from 0x0 to 0xFFF. The default value is 0xFFF.
Views
Layer 2 ACL view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
A Layer 2 ACL matches packets based on Layer 2 information of the packets, such
as source MAC addresses, destination MAC addresses, and Layer 2 protocol types.
The rule command accepts a time range, so the time during which ACL rules take
effect can be configured flexibly.
Prerequisites
An ACL has been created before the rule is configured.
Precautions
If the specified rule ID already exists, the new rule overwrites the old rule no
matter whether the rules conflict.
To modify an existing rule, delete the old rule, and then create a new rule.
Otherwise, the configuration result will be incorrect.
The undo rule command deletes an ACL rule even if the ACL rule is referenced.
Use this command with caution, especially when you delete an ACL rule that has
been referenced.
Example
# Add a rule to ACL 4001 to match packets with the destination MAC address
being 0000-0000-0001, source MAC address being 0000-0000-0002, and the value
of the Layer 2 protocol type being 0x0800.
<HUAWEI> system-view
[HUAWEI] acl 4001
[HUAWEI-acl-L2-4001] rule permit destination-mac 0000-0000-0001 source-mac 0000-0000-0002 l2-protocol 0x0800
Format
rule [ rule-id ] { deny | permit } [ [ l2-head | ipv4-head | ipv6-head | l4-head { udp | tcp | vxlan } ] { rule-string rule-mask offset } &<1-8> | time-range time-name ] *
undo rule { deny | permit } [ [ l2-head | ipv4-head | ipv6-head | l4-head { udp | tcp | vxlan } ] { rule-string rule-mask offset } &<1-8> | time-range time-name ] *
undo rule rule-id
NOTE
The following switch models do not support &<1-8> and ipv6-head: S1720GF, S1720GW-E, S1720GFR-P, S1720GWR-E, S2720-EI, S5720I-SI, S5720-LI, S1730S-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L1, S5735S-L, S5735S-L-M, S5720S-LI, S500, S5735-S, S5735S-S, S5735-S-I, S5735S-H, S5736-S.
The udp, tcp, and vxlan parameters are supported only by the S6735-S.
Parameters
Parameter Description Value
Views
User-defined ACL view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
A user-defined ACL defines rules by setting the offset position and value of the
packet. User-defined ACLs are mainly used for matching rules in a traffic classifier.
The rule command accepts a time range, so the time during which ACL rules take
effect can be configured flexibly.
NOTE
Prerequisites
An ACL has been created before the rule is configured.
Precautions
● If the specified rule-id already exists and the new rule conflicts with the
original one, the new rule replaces the original rule. To modify an existing
rule, delete the old rule, and then create a new one. Otherwise, the
configuration result will be incorrect.
● To change the offset in a user-defined ACL rule, delete the existing rule and
reconfigure a new one.
● The undo rule command can delete an ACL rule even if this rule is
referenced. Use this command with caution, especially when you delete an
ACL rule that has been referenced.
● On the S5735S-H and S5736-S, an ACL rule is specified to perform the offset
matching based on the Layer 2 packet header. In this case, if the packets
passing through the GE electrical interface to which the ACL rule is applied do
not carry tags, a tag needs to be added to the packets before the offset value
is calculated.
● On the S6735-S, the packet type must be specified when an ACL rule is
specified to perform the offset matching based on the Layer 4 packet header.
Example
# Add a rule to ACL 5001 to match a 4-byte character string whose content is
0x0180C200 with a 14-byte offset beginning from the Layer 2 packet header.
<HUAWEI> system-view
[HUAWEI] acl 5001
[HUAWEI-acl-user-5001] rule permit l2-head 0x0180C200 0xFFFFFFFF 14
Function
The rule command configures a user ACL rule.
Format
● When the protocol is set to ICMP, the command format is as follows:
rule [ rule-id ] { permit | deny } { icmp | protocol-number } [ source { { source-address source-wildcard | any } | { ucl-group { name source-ucl-group-name | source-ucl-group-index } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { name destination-ucl-group-name | destination-ucl-group-index } } } * | fqdn fqdn-name } | icmp-type { icmp-type [ icmp-code ] | icmp-name } | vpn-instance vpn-instance-name | time-range time-name ] *
undo rule { permit | deny } { icmp | protocol-number } [ source { { source-address source-wildcard | any } | { ucl-group { name source-ucl-group-name | source-ucl-group-index } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { name destination-ucl-group-name | destination-ucl-group-index } } } * | fqdn fqdn-name } | icmp-type { icmp-
Parameters
Parameter Description Value
Parameter: source-port { eq port | gt port | lt port | range port-start port-end }
Description: Specifies the source port of UDP or TCP packets. The value is valid only when the protocol of packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any source port are matched. The operators are as follows:
● eq port: equal operator.
● gt port: greater than operator.
● lt port: smaller than operator.
● range port-start port-end: within the range. port-start specifies the start port number. port-end specifies the end port number.
Value: The value of port can be a name or a number.
● When the value is expressed as a number, it ranges from 0 to 65535 in eq port.
● When the value is expressed as a number, it ranges from 0 to 65534 in gt port.
● When the value is expressed as a number, it ranges from 1 to 65535 in lt port.
The value of port-start and port-end can be a name or an integer. When the value is expressed as an integer, it ranges from 0 to 65535.
Table 14-16 Values of ICMP name and the corresponding ICMP type and ICMP
code
ICMP name ICMP type ICMP code
Echo 8 0
Echo-reply 0 0
Fragmentneed-DFset 3 4
Host-redirect 5 1
Host-tos-redirect 5 3
Host-unreachable 3 1
Information-reply 16 0
Information-request 15 0
Net-redirect 5 0
Net-tos-redirect 5 2
Net-unreachable 3 0
Parameter-problem 12 0
Port-unreachable 3 3
Protocol-unreachable 3 2
Reassembly-timeout 11 1
Source-quench 4 0
Source-route-failed 3 5
Timestamp-reply 14 0
Timestamp-request 13 0
Ttl-exceeded 11 0
Views
User ACL view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
A user ACL defines rules to filter IPv4 packets based on the source IP addresses or
source User Control List (UCL) groups, destination IP addresses or destination UCL
groups, IP protocol types, ICMP types, TCP source/destination port numbers, UDP
source/destination port numbers, and time ranges.
Currently, the user ACL can be applied only to the UCL groups of the NAC mode.
To control the network access rights of users based on user groups, you can
perform the following operations: configure a UCL group, associate user ACL rules
with the UCL group so that the ACL rules apply to all users in the user group,
configure packet filtering based on the user ACL to make the ACL take effect, and
then apply the UCL group to the AAA service scheme.
Prerequisites
If the ucl-group name source-ucl-group-name or ucl-group name destination-
ucl-group-name parameter is configured for a rule, the source and destination
UCL groups must have been created by the ucl-group command.
Precautions
If the specified rule ID already exists and the new rule conflicts with the original
rule, the new rule replaces the original rule.
The undo rule command deletes an ACL rule even if the ACL rule is referenced. (If
a simplified traffic policy references a specified rule in an ACL, this command does
not take effect.) Before deleting a rule, ensure that the rule is not being
referenced.
Example
# Add a rule to ACL 6000 to reject all the IP packets sent from UCL group group1
to network segment 10.9.9.0/24.
<HUAWEI> system-view
[HUAWEI] ucl-group 1 name group1
[HUAWEI] acl 6000
[HUAWEI-acl-ucl-6000] rule deny ip source ucl-group name group1 destination 10.9.9.0 0.0.0.255
Format
● When the protocol is set to ICMPv6, the command format is as follows:
rule [ rule-id ] { permit | deny } { icmpv6 | protocol-number } [ source { { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-address wildcard | any } | { ucl-group { name source-ucl-group-name | source-ucl-group-index } } } * | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | destination-ipv6-address wildcard | any } | icmp6-type { icmp6-type [ icmp6-code ] | icmp6-name } | vpn-instance vpn-instance-name | time-range time-name ] *
undo rule { permit | deny } { icmpv6 | protocol-number } [ source { { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-address wildcard | any } | { ucl-group { name source-ucl-group-name | source-ucl-group-index } } } * | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | destination-ipv6-address wildcard | any } | icmp6-type { icmp6-type [ icmp6-code ] | icmp6-name } | vpn-instance vpn-instance-name | time-range time-name ] *
● When the protocol is set to TCP, the command format is as follows:
rule [ rule-id ] { deny | permit } { tcp | protocol-number } [ source { { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-
Parameters
Parameter Description Value
Parameter: source-port { eq port | gt port | lt port | range port-start port-end }
Description: Specifies the source port of UDP or TCP packets. The value is valid only when the protocol of packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any source port are matched. The operators are as follows:
● eq port: equal operator.
● gt port: greater than operator.
● lt port: smaller than operator.
● range port-start port-end: source port number range. port-start specifies the start port number. port-end specifies the end port number.
Value: The value of port can be a name or a number.
● When the value is expressed as a number, it ranges from 0 to 65535 in eq port.
● When the value is expressed as a number, it ranges from 0 to 65534 in gt port.
● When the value is expressed as a number, it ranges from 1 to 65535 in lt port.
The value of port-start and port-end can be a name or an integer. When the value is expressed as an integer, it ranges from 0 to 65535.
Table 14-17 Values of icmp6-name and the corresponding ICMPv6 type and ICMPv6 code
ICMPv6 Name ICMPv6 Type ICMPv6 Code
Echo 128 0
Echo-reply 129 0
err-Header-field 4 0
frag-time-exceeded 3 1
hop-limit-exceeded 3 0
host-admin-prohib 1 1
host-unreachable 1 3
neighbor-advertisement 136 0
neighbor-solicitation 135 0
network-unreachable 1 0
packet-too-big 2 0
port-unreachable 1 4
redirect 137 0
router-advertisement 134 0
router-solicitation 133 0
unknown-ipv6-opt 4 2
unknown-next-hdr 4 1
Views
User ACL6 view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
A user ACL6 defines rules to filter IPv6 packets based on the source IPv6 addresses
or source User Control List (UCL) groups, destination IPv6 addresses, IPv6 protocol
types, ICMPv6 types, TCP source/destination port numbers, UDP source/
destination port numbers, and time ranges.
Currently, the user ACL6 can be applied only to the UCL groups of the NAC mode.
To control the network access rights of users based on user groups, you can
perform the following operations: configure a UCL group, associate user ACL6
rules with the UCL group so that the ACL6 rules apply to all users in the user
group, configure packet filtering based on the user ACL6 to make the ACL6 take
effect, and then apply the UCL group to the AAA service scheme.
Prerequisites
Precautions
If the specified rule ID already exists and the new rule conflicts with the original
rule, the new rule replaces the original rule.
To modify an existing rule, delete the old rule, and then create a new rule.
Otherwise, the configuration result will be incorrect.
The undo rule command deletes an ACL6 rule even if the ACL6 rule is referenced.
Use this command with caution, especially when you delete an ACL6 rule that has
been referenced.
Example
# Add a rule to ACL6 6000 to reject all the IPv6 packets sent from UCL group
group1 to network segment fc00:1::/64.
<HUAWEI> system-view
[HUAWEI] ucl-group 1 name group1
[HUAWEI] acl ipv6 6000
[HUAWEI-acl6-ucl-6000] rule deny ipv6 source ucl-group name group1 destination fc00:1:: 64
Format
rule rule-id description description
undo rule rule-id description
Parameters
Parameter Description Value
Views
ACL view, ACL6 view
Default Level
2: Configuration level
Usage Guidelines
Application Scenarios
The rule-id parameter identifies a rule but says nothing about the meaning or
purpose of the rule. A description string attached to the rule solves this problem.
Prerequisites
The ACL rule has been created. If the ACL rule does not exist, the system displays
an error message when you run this command.
Precautions
If the rule description command is run repeatedly, the latest configuration takes
effect.
After you run the undo rule rule-id command, the rule and rule description are
deleted.
Example
# Configure the description for rule 5 in acl 2001, which permits the packets from
192.168.32.1.
<HUAWEI> system-view
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule 5 permit source 192.168.32.1 0
[HUAWEI-acl-basic-2001] rule 5 description permit 192.168.32.1
[HUAWEI-acl-basic-2001] display acl 2001
Basic ACL 2001, 1 rule
Acl's step is 5
rule 5 permit source 192.168.32.1 0
rule 5 description permit 192.168.32.1
14.1.30 step
Function
The step command sets the step between ACL rule IDs.
The undo step command restores the default step between ACL rule IDs.
By default, the step between ACL rule IDs is 5.
Format
step step
undo step
Parameters
Parameter Description Value
Views
ACL view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The step is the difference between rule IDs when the system automatically assigns
rule IDs. For example, if the ACL step value is set to 5, rules are numbered 5, 10,
15, and so on.
To add a rule between existing rules, you need to reset the step. For example, an
ACL in config mode contains three rules with IDs being 5, 10, and 15. To insert a
new rule after rule 5 (the first rule), run the rule 7 xxxx command to insert rule 7.
If the step value is changed, ACL rule IDs are arranged automatically. For example,
if the original rule IDs are 5, 10, and 15, the rule IDs become 2, 4, and 6 after you
change the step value to 2.
NOTE
The undo step command can be used to realign ACL rule IDs immediately based on the
default step. For example, ACL rule group 3001 contains four rules with IDs being 1, 3, 5,
and 7, and the step is 2. After the undo step command is executed, the rule IDs become 5,
10, 15, and 20 and the step value is restored to 5.
Prerequisites
An ACL has been created by running the acl command.
Precautions
The ACL6 does not support the step.
Example
# Set the step between rules in ACL 3101 to 2.
<HUAWEI> system-view
[HUAWEI] acl 3101
[HUAWEI-acl-adv-3101] step 2
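The rule-ID arithmetic described above, as an added Python model (not Huawei code): automatic ID allocation from the step, inserting rule 7 between 5 and 10, renumbering when the step changes to 2, and the realignment performed by undo step. StepAcl and the allocation rule "next multiple of the step above the highest existing ID" are assumptions of this example.

```python
from typing import Dict, List, Optional

DEFAULT_STEP = 5   # the documented default step between ACL rule IDs

class StepAcl:
    """Rule-ID bookkeeping of one ACL (assumption: an unnumbered rule gets the
    next multiple of the step above the highest existing ID)."""

    def __init__(self, step: int = DEFAULT_STEP) -> None:
        self.step = step
        self.rules: Dict[int, str] = {}          # rule-id -> rule text

    def rule(self, text: str, rule_id: Optional[int] = None) -> int:
        """'rule [ rule-id ] ...': without an explicit ID the system assigns
        5, 10, 15, ... (for step 5); an explicit ID such as 7 lands between 5
        and 10. Re-using an existing ID replaces that rule."""
        if rule_id is None:
            highest = max(self.rules, default=0)
            rule_id = (highest // self.step + 1) * self.step
        elif rule_id <= 0:
            raise ValueError("rule-id must be positive")
        self.rules[rule_id] = text
        return rule_id

    def set_step(self, step: int) -> List[int]:
        """'step step': existing rules are renumbered step, 2*step, ... in their
        current order, so 5, 10, 15 become 2, 4, 6 after 'step 2'."""
        if step <= 0:
            raise ValueError("step must be positive")
        self.step = step
        ordered = [text for _, text in sorted(self.rules.items())]
        self.rules = {step * (i + 1): text for i, text in enumerate(ordered)}
        return self.ids()

    def undo_step(self) -> List[int]:
        """'undo step': restore step 5 and realign IDs immediately, so rules
        1, 3, 5, 7 (step 2) become 5, 10, 15, 20."""
        return self.set_step(DEFAULT_STEP)

    def ids(self) -> List[int]:
        return sorted(self.rules)

    def display(self) -> List[str]:
        """Lines in the spirit of the 'display acl' output shown on this page."""
        out = [f"Acl's step is {self.step}"]
        out += [f"rule {rid} {text}" for rid, text in sorted(self.rules.items())]
        return out

def walk_through_page_scenarios() -> Dict[str, List[int]]:
    """Replay the scenarios described for the step command (constructed input)."""
    acl = StepAcl()
    for text in ("permit icmp", "permit igmp", "permit ip"):
        acl.rule(text)                                   # -> 5, 10, 15
    auto = acl.ids()
    acl.rule("permit tcp", rule_id=7)                    # insert after rule 5
    inserted = acl.ids()                                 # 5, 7, 10, 15
    next_auto = acl.rule("permit udp")                   # 20: above the highest ID
    renumbered = StepAcl()
    for text in ("a", "b", "c"):
        renumbered.rule(text)
    after_step2 = renumbered.set_step(2)                 # 2, 4, 6
    realigned = StepAcl(step=2)
    for rid, text in ((1, "a"), (3, "b"), (5, "c"), (7, "d")):
        realigned.rule(text, rule_id=rid)
    after_undo = realigned.undo_step()                   # 5, 10, 15, 20
    return {"auto": auto, "inserted": inserted, "next_auto": [next_auto],
            "after_step2": after_step2, "after_undo": after_undo}
```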
14.1.31 time-range
Function
The time-range command sets a time range.
The undo time-range command deletes a time range.
By default, no time range is set.
Format
time-range time-name { start-time to end-time { days } &<1-7> | from time1 date1 [ to time2 date2 ] }
undo time-range time-name [ start-time to end-time { days } &<1-7> | from time1 date1 [ to time2 date2 ] ]
Parameters
Parameter Description Value
Parameter: from time1 date1
Description: Specifies the time for the time range to take effect.
Value: time1 is in the format of hh:mm.
● hh specifies the hour. The value is an integer that ranges from 0 to 23.
● mm specifies the minute. The value is an integer that ranges from 0 to 59.
date1 is in the format of yyyy/mm/dd.
● yyyy specifies the year. The value is an integer that ranges from 1970 to 2099.
● mm specifies the month. The value is an integer that ranges from 1 to 12.
● dd specifies the day. The value is an integer that ranges from 1 to 31.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Example
# Set a time range named test that takes effect from 2010-01-01 00:00 to
2010-12-31 23:59.
<HUAWEI> system-view
[HUAWEI] time-range test from 0:0 2010/1/1 to 23:59 2010/12/31
# Set a time range named test that takes effect at 8:00-18:00 from Monday to
Friday.
<HUAWEI> system-view
[HUAWEI] time-range test 8:00 to 18:00 working-day
# Set a time range named test that takes effect from 14:00 to 18:00 on every
Saturday and Sunday.
<HUAWEI> system-view
[HUAWEI] time-range test 14:00 to 18:00 off-day
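An added Python checker (not Huawei code) that parses the two time-range forms shown above, with the hh:mm and yyyy/mm/dd value ranges from the parameter table, and reports whether a range is active at a given moment, which is useful when auditing which time-based ACL rules are in force. TimeRange, the inclusive end minute, and the day keywords other than working-day and off-day are assumptions of this example.

```python
from datetime import datetime, time
from typing import Dict, FrozenSet, Optional, Tuple

# Day keywords mapped to datetime.weekday() values (Mon = 0). working-day and
# off-day appear in the examples above; daily and the weekday names are assumptions.
DAY_KEYWORDS: Dict[str, FrozenSet[int]] = {
    "working-day": frozenset(range(5)), "off-day": frozenset({5, 6}),
    "daily": frozenset(range(7)),
    "mon": frozenset({0}), "tue": frozenset({1}), "wed": frozenset({2}), "thu": frozenset({3}),
    "fri": frozenset({4}), "sat": frozenset({5}), "sun": frozenset({6}),
}

def parse_hhmm(text: str) -> time:
    """hh:mm with hh 0..23 and mm 0..59; '0:0' and '8:00' are both accepted."""
    hh, mm = (int(part) for part in text.split(":"))
    if not (0 <= hh <= 23 and 0 <= mm <= 59):
        raise ValueError(f"bad time {text!r}")
    return time(hh, mm)

def parse_date(text: str) -> Tuple[int, int, int]:
    """yyyy/mm/dd with yyyy 1970..2099, mm 1..12, dd 1..31; '2010/1/1' is accepted."""
    y, m, d = (int(part) for part in text.split("/"))
    if not (1970 <= y <= 2099 and 1 <= m <= 12 and 1 <= d <= 31):
        raise ValueError(f"bad date {text!r}")
    return y, m, d

class TimeRange:
    """One time-range statement. Assumptions: minute granularity, the end time is
    inclusive (8:00 to 18:00 still covers 18:00), no overnight periodic ranges."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.periodic: Optional[Tuple[time, time, FrozenSet[int]]] = None
        self.absolute: Optional[Tuple[datetime, Optional[datetime]]] = None

    @classmethod
    def periodic_range(cls, name: str, start: str, end: str, *days: str) -> "TimeRange":
        """'time-range name start-time to end-time { days } &<1-7>'."""
        if not 1 <= len(days) <= 7:
            raise ValueError("between 1 and 7 day keywords are required")
        unknown = [d for d in days if d.lower() not in DAY_KEYWORDS]
        if unknown:
            raise ValueError(f"unknown day keyword(s): {unknown}")
        t_start, t_end = parse_hhmm(start), parse_hhmm(end)
        if t_end < t_start:
            raise ValueError("end-time must not be earlier than start-time")
        weekdays = frozenset().union(*(DAY_KEYWORDS[d.lower()] for d in days))
        tr = cls(name)
        tr.periodic = (t_start, t_end, weekdays)
        return tr

    @classmethod
    def absolute_range(cls, name: str, time1: str, date1: str,
                       time2: Optional[str] = None, date2: Optional[str] = None) -> "TimeRange":
        """'time-range name from time1 date1 [ to time2 date2 ]'; without 'to'
        the range never expires."""
        t1, (y, m, d) = parse_hhmm(time1), parse_date(date1)
        start = datetime(y, m, d, t1.hour, t1.minute)
        end = None
        if time2 is not None and date2 is not None:
            t2, (y, m, d) = parse_hhmm(time2), parse_date(date2)
            end = datetime(y, m, d, t2.hour, t2.minute)
            if end < start:
                raise ValueError("time2 date2 must not be earlier than time1 date1")
        tr = cls(name)
        tr.absolute = (start, end)
        return tr

    def active_at(self, when: datetime) -> bool:
        """True when the range is in effect at 'when' (seconds are ignored)."""
        when = when.replace(second=0, microsecond=0)
        if self.periodic is not None:
            t_start, t_end, weekdays = self.periodic
            return when.weekday() in weekdays and t_start <= when.time() <= t_end
        assert self.absolute is not None
        start, end = self.absolute
        return start <= when and (end is None or when <= end)
```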
Function
The auto-defend attack-packet sample command sets the packet sampling ratio
for attack source tracing.
The undo auto-defend attack-packet sample command restores the default
packet sampling ratio.
By default, the packet sampling ratio is 5. That is, one packet is sampled in every 5
packets.
Format
auto-defend attack-packet sample sample-value
undo auto-defend attack-packet sample
Parameters
Parameter Description Value
Parameter: sample-value
Description: Specifies the packet sampling ratio for attack source tracing.
Value: The value is an integer that ranges from 1 to 1024.
Views
Attack defense policy view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Attack source tracing samples packets to identify attacks. Errors may occur in
attack packet identification or packet rate calculation. A proper packet sampling
ratio can reduce errors. A small sampling ratio makes the attack source tracing
result accurate, but increases CPU usage. For example, when the sampling ratio is
set to 1, every packet is sampled. The attack source tracing result is accurate, but
CPU usage is high because every packet must be parsed.
The auto-defend attack-packet sample command sets the sampling ratio. You
can set a proper value based on the requirements of attack source tracing
precision and CPU usage.
Prerequisites
Attack source tracing has been enabled using the auto-defend enable command.
Precautions
When a smaller attack source tracing threshold is used, the sampling ratio has
greater impact on the attack source tracing result.
Example
# Set the sampling ratio for attack source tracing in the attack defense policy
named test to 2.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-defend enable
[HUAWEI-cpu-defend-policy-test] auto-defend attack-packet sample 2
Format
auto-defend enable
undo auto-defend enable
Parameters
None
Views
Attack defense policy view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
A large number of attack packets may attack the device CPU. Attack source
tracing enables the device to trace attack sources and send logs or alarms to
notify the administrator so that the administrator can take measures to defend
against the attacks. By default, logs are sent to notify the administrator if attack
source tracing is enabled.
After automatic attack source tracing is enabled, the device traces the source of
the specified packets sent to the CPU. The packet type can be set using the auto-defend protocol command.
Precautions
Attack source tracing configured in an attack defense policy takes effect only
when the attack defense policy is applied in the system view.
Example
# Enable attack source tracing in the attack defense policy named test.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-defend enable
The undo auto-defend action command disables the attack source punish
function.
Format
auto-defend action { deny [ timer time-length ] | error-down }
Parameters
Parameter Description Value
Parameter: timer time-length
Description: Specifies the period during which packets sent from an identified attack source are discarded.
Value: The value ranges from 1 to 86400, in seconds. The default value is 300.
Views
Attack defense policy view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The attack source tracing process consists of four phases: packet parsing, traffic
analysis, attack source identification, and taking attack source punish actions. The
auto-defend action command is applied to taking attack source punish actions.
The device discards the packets sent from the identified source or sets the
interface receiving attack packets to the error-down state.
NOTE
If the auto-defend action is set to error-down, run the error-down auto-recovery cause auto-defend interval interval-value command to set a recovery delay before the device is attacked. This command is invalid for an interface that is already in the error-down state.
Prerequisites
Attack source tracing has been enabled using the auto-defend enable command.
Precautions
If you run the auto-defend action command multiple times, only the latest
configuration takes effect.
After the auto-defend action is set to deny, the device discards packets when
being attacked. The configuration result can be verified using the display auto-defend attack-source command.
The device does not take punish actions on attack sources of whitelist users.
Attack source tracing configured in an attack defense policy takes effect only
when the attack defense policy is applied in the system view.
NOTICE
If the device sets the interface that receives the attack packets to the error-down
state, services of authorized users on the interface are interrupted. Exercise
caution when you configure the device to set the interface to the error-down
state.
Example
# Configure the device to discard packets from the identified attack source for 10 seconds.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-defend enable
[HUAWEI-cpu-defend-policy-test] auto-defend action deny timer 10
Info: This configuration may cause packet loss.
Function
The auto-defend alarm enable command enables the event reporting function
for attack source tracing.
The undo auto-defend alarm enable command disables the event reporting
function for attack source tracing.
By default, the event reporting function for attack source tracing is disabled.
Format
auto-defend alarm enable
Parameters
None
Views
Attack defense policy view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Prerequisites
Attack source tracing has been enabled using the auto-defend enable command.
Follow-up Procedure
Run the auto-defend threshold command to set the event reporting threshold for
attack source tracing.
Example
# Enable the event reporting function in the attack defense policy test.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-defend enable
[HUAWEI-cpu-defend-policy-test] auto-defend alarm enable
Format
auto-defend protocol { all | { 8021x | arp | dhcp | dhcpv6 | icmp | icmpv6 | igmp | mld | nd | tcp | tcpv6 | telnet | ttl-expired | udp | udpv6 }* }
undo auto-defend protocol { 8021x | arp | dhcp | dhcpv6 | icmp | icmpv6 | igmp | mld | nd | tcp | tcpv6 | telnet | ttl-expired | udp | udpv6 }*
NOTE
Parameters
Parameter Description Value
Views
Attack defense policy view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The attack source tracing process consists of four phases: packet parsing, traffic
analysis, attack source identification, and taking attack source punish actions. The
Example
# Delete IGMP and TTL-expired packets from the list of traced packets.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-defend enable
[HUAWEI-cpu-defend-policy-test] undo auto-defend protocol igmp ttl-expired
Format
auto-defend threshold threshold
undo auto-defend threshold
Parameters
Parameter Description Value
Parameter: threshold
Description: Specifies the checking threshold and event reporting threshold for attack source tracing.
Value: The value is an integer that ranges from 1 to 65535, in pps.
Views
Attack defense policy view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After attack source tracing is enabled, you can set the checking threshold and
event reporting threshold for attack source tracing. When the number of sent
protocol packets from an attack source in a specified period exceeds the checking
threshold, the device traces and logs the attack source.
Prerequisites
Attack source tracing has been enabled using the auto-defend enable command.
Precautions
If you run the auto-defend threshold command in the same attack defense policy
view multiple times, only the latest configuration takes effect.
After the auto-defend enable command is executed, the device traces the attack
source based on the default threshold even if the auto-defend threshold
command is not used.
Example
# Set the checking threshold and event reporting threshold for attack source
tracing in the attack defense policy named test to 200 pps.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-defend enable
[HUAWEI-cpu-defend-policy-test] auto-defend threshold 200
Function
The auto-defend trace-type command configures an attack source tracing mode.
By default, attack source tracing is based on source IP addresses and source MAC
addresses.
Format
auto-defend trace-type { source-mac | source-ip | source-portvlan } *
Parameters
Parameter Description Value
Views
Attack defense policy view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After enabling attack source tracing, you can specify one or more attack source
tracing modes. The device then uses the specified modes to trace attack sources.
The device supports the following attack source tracing modes:
● Source IP address-based tracing: defends against Layer 3 attack packets.
● Source MAC address-based tracing: defends against Layer 2 attack packets
with a fixed source MAC address.
● Source port+VLAN based tracing: defends against Layer 2 attack packets with
different source MAC addresses.
Prerequisites
Attack source tracing has been enabled using the auto-defend enable command.
Precautions
In VXLAN scenarios, the source port+VLAN based tracing mode is not supported.
In addition, for the S6735-S, S6720-EI and S6720S-EI, the source IP address-based
tracing mode is not supported.
Table 14-18 lists the attack source tracing modes supported for different types of
packets.
Table 14-18 Attack source tracing modes supported for different types of packets
Packet type: ARP, DHCP, IGMP, ND, DHCPv6, MLDv6
Supported tracing modes: based on source MAC addresses, based on source IP addresses, and based on source ports+VLANs
If you run this command multiple times, only the latest configuration takes effect.
A switch supports different numbers of attack source tracing modes for different
protocol packets. For details, see the default modes described above.
After the attack source tracing function is enabled on the device, you can run the
display auto-defend attack-source command to view attack source tracing
information if an attack occurs.
When the attack source tracing mode is source-ip and action is error-down, if
multiple interfaces receive the attack packets with the same source IP address and
the packet rate exceeds the threshold, the switch shuts down only one interface,
and then checks packet rate again. If the packet rate is still higher than the
threshold, the switch shuts down another interface. The switch repeats the
operations until the packet rate falls below the threshold.
Example
# Configure attack source tracing based on source MAC addresses.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-defend enable
[HUAWEI-cpu-defend-policy-test] undo auto-defend trace-type source-ip source-portvlan
Function
The auto-defend whitelist command configures an attack source tracing
whitelist. The switch does not trace the source of users in the whitelist.
● If an application uses the TCP protocol and has set up a TCP connection with
the switch, the switch will not consider TCP packets with the matching source
IP address as attack packets. If no TCP packets match a source IP address
within 1 hour, the rule that specifies this source IP address will be aged out.
● If an interface has been configured as a DHCP trusted interface using the
dhcp snooping trusted command, the switch will not consider DHCP packets
received from this interface as attack packets.
● If an interface has been configured as a MAC forced forwarding (MFF)
network-side interface using the mac-forced-forwarding network-port
command, the switch will not consider ARP packets received from this
interface as attack packets.
For the preceding conditions, the switch supports a maximum of 16 whitelist
matching rules based on source IP addresses and interfaces, and a maximum of 8
whitelist matching rules based on source IP addresses of TCP packets.
Format
auto-defend whitelist whitelist-number { acl acl-number | interface interface-type interface-number }
undo auto-defend whitelist whitelist-number [ acl acl-number | interface interface-type interface-number ]
Parameters
Parameter Description Value
Parameter: whitelist-number
Description: Specifies the number of a whitelist.
Value: The value is an integer that ranges from 1 to 16.
Parameter: acl acl-number
Description: Specifies the number of an ACL referenced by a whitelist.
Value: The value is an integer that ranges from 2000 to 4999.
● 2000 to 2999: basic ACLs
● 3000 to 3999: advanced ACLs
● 4000 to 4999: Layer 2 ACLs
Parameter: interface interface-type interface-number
Description: Specifies the interface to which the whitelist is applied.
● interface-type specifies the interface type.
● interface-number specifies the interface number.
Value: -
Views
Attack defense policy view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Attack source tracing helps locate and punish sources of denial of service (DoS)
attacks. If some users do not need to be traced regardless of whether an attack
occurs, run the auto-defend whitelist command to configure a whitelist for users.
Prerequisites
Attack source tracing has been enabled using the auto-defend enable command.
Precautions
Before referencing an ACL in a whitelist, create the ACL and configure rules.
If the ACL referenced by the whitelist specifies some protocols, ensure that packets
of these protocols can be traced. You can run the display auto-defend
configuration command to view the protocols supported by attack source tracing.
If a protocol is not supported by attack source tracing, you can run the auto-defend protocol command to configure attack source tracing to support the protocol.
Example
# Add source IP addresses 10.1.1.1 and 10.1.1.2 to the attack source tracing
whitelist.
<HUAWEI> system-view
[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000] rule permit source 10.1.1.1 0
[HUAWEI-acl-basic-2000] rule permit source 10.1.1.2 0
[HUAWEI-acl-basic-2000] quit
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-defend enable
[HUAWEI-cpu-defend-policy-test] auto-defend whitelist 1 acl 2000
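The model below is an added illustration, not code from the Huawei documentation or the switch software. It simulates the attack source tracing pipeline as the auto-defend attack-packet sample, auto-defend threshold, auto-defend trace-type, auto-defend action and auto-defend whitelist commands describe it: only 1 in N packets is parsed, the sampled counts are scaled back to a packets-per-second estimate and compared against the threshold, the offending trace key (source MAC, source IP, or port+VLAN) is logged and denied for the configured timer, and whitelisted sources are never traced. Traffic is fed in one-second batches, the default threshold is not given on this page so it is a required parameter, and the packet dictionaries and addresses are constructed for the demo.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network


class AttackSourceTracer:
    """Constructed model of CPU attack source tracing (not device code)."""

    def __init__(self, threshold, sample=5, trace_types=("source-mac", "source-ip"),
                 deny_timer=300, whitelist_acl=(), whitelist_interfaces=()):
        self.threshold = threshold                    # checking threshold, pps (1-65535)
        self.sample = sample                          # 1 in N packets parsed (1-1024)
        self.trace_types = set(trace_types)           # default: source MAC + source IP
        self.deny_timer = deny_timer                  # seconds a source stays denied (1-86400)
        self.whitelist_acl = [ip_network(n) for n in whitelist_acl]
        self.whitelist_interfaces = set(whitelist_interfaces)
        self.seen = 0                                 # counter driving 1-in-N sampling
        self.denied = {}                              # trace key -> expiry time
        self.log = []                                 # (time, key, estimated pps)

    @staticmethod
    def estimate_pps(true_pps, sample):
        """Rate of a steady source as seen through 1-in-N sampling (counter starts at 0).
        201 pps at ratio 5 is estimated as 200, so a threshold of 200 is not crossed."""
        return (true_pps // sample) * sample

    def _whitelisted(self, pkt):
        if pkt["interface"] in self.whitelist_interfaces:
            return True
        src = pkt.get("src_ip")
        return src is not None and any(ip_address(src) in net for net in self.whitelist_acl)

    def _keys(self, pkt):
        keys = []
        if "source-mac" in self.trace_types:
            keys.append(("source-mac", pkt["src_mac"]))
        if "source-ip" in self.trace_types and pkt.get("src_ip"):
            keys.append(("source-ip", pkt["src_ip"]))
        if "source-portvlan" in self.trace_types:
            keys.append(("source-portvlan", (pkt["interface"], pkt["vlan"])))
        return keys

    def process_second(self, packets, now):
        """Handle one second of CPU-bound packets; return (forwarded, dropped)."""
        sampled = defaultdict(int)
        forwarded = dropped = 0
        for pkt in packets:
            if self._whitelisted(pkt):                # whitelist users are never traced
                forwarded += 1
                continue
            keys = self._keys(pkt)
            if any(self.denied.get(k, 0) > now for k in keys):
                dropped += 1                          # punish action: deny
                continue
            forwarded += 1
            self.seen += 1
            if self.seen % self.sample == 0:          # only sampled packets are parsed
                for k in keys:
                    sampled[k] += 1
        for key, n in sampled.items():
            est = n * self.sample                     # scale samples back to a rate
            if est > self.threshold:
                self.log.append((now, key, est))      # log / event for the administrator
                self.denied[key] = now + self.deny_timer
        self.denied = {k: t for k, t in self.denied.items() if t > now}
        return forwarded, dropped


def run_demo():
    """Constructed traffic: an ARP flooder and a whitelisted server, over 4 seconds."""
    tracer = AttackSourceTracer(threshold=200, sample=2, deny_timer=2,
                                whitelist_acl=["10.1.1.1/32", "10.1.1.2/32"])
    flood = [{"src_mac": "00-11-22-33-44-55", "src_ip": "10.1.1.99",
              "interface": "GE0/0/2", "vlan": 10, "proto": "arp"}] * 500
    server = [{"src_mac": "00-aa-bb-cc-dd-ee", "src_ip": "10.1.1.1",
               "interface": "GE0/0/1", "vlan": 10, "proto": "arp"}] * 20
    return tracer, [tracer.process_second(flood + server, t) for t in range(4)]


def run_portvlan_demo(trace_types):
    """Constructed: 300 pps from one port/VLAN, every packet with a different source MAC."""
    tracer = AttackSourceTracer(threshold=200, sample=1, trace_types=trace_types)
    pkts = [{"src_mac": f"00-00-00-00-{i >> 8:02x}-{i & 0xff:02x}", "src_ip": None,
             "interface": "GE0/0/3", "vlan": 20, "proto": "arp"} for i in range(300)]
    tracer.process_second(pkts, 0)
    return len(tracer.log)
```

run_demo shows the deny timer cycle: the flood is forwarded while it is being measured, dropped for the two seconds of the timer, then re-measured and denied again, while the whitelisted server is untouched throughout. run_portvlan_demo shows why the trace-type matters: with the default source MAC and source IP modes a flood that rotates its source MAC never accumulates enough packets under one key, whereas source-portvlan mode identifies the port and VLAN it comes from. estimate_pps quantifies the precaution about small thresholds: the coarser the sampling ratio, the more a rate just above the threshold can be rounded below it.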
Function
The auto-port-defend aging-time command configures the aging time for port
attack defense.
By default, the aging time for port attack defense is 300 seconds.
Format
auto-port-defend aging-time time
Parameters
Views
Attack defense policy view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After a device with port attack defense function enabled detects an attack on a
port, the device traces the source and limits the rate of the attack packets on the
port within the aging time (T seconds). When the aging time expires, the device
calculates the protocol packet rate on the port again. If the rate is still above the
protocol rate threshold, the device keeps tracing the source and limits the rate of
the attack packets; otherwise, the device stops the operations.
If the aging time is too short, the device frequently starts packet rate detection on
ports, which consumes CPU resources. If the aging time is too long, protocol
packets cannot be promptly processed by the CPU, which affects services.
Therefore, you need to run the auto-port-defend aging-time command to set an
appropriate aging time according to the CPU usage and service status.
Prerequisites
The port attack defense function has been enabled using the auto-port-defend
enable command.
Precautions
Example
# Set the aging time in the attack defense policy test view to 350 seconds.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-port-defend enable
[HUAWEI-cpu-defend-policy-test] auto-port-defend aging-time 350
Format
auto-port-defend alarm enable
undo auto-port-defend alarm enable
Parameters
None
Views
Attack defense policy view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
If a port undergoes a DoS attack, the malicious attack packets sent from this port
to the CPU occupy bandwidth. As a result, the CPU cannot process the protocol
packets sent from other ports, and services are interrupted. In this situation, you
can enable the report of port attack defense events. When the rate of protocol
packets on a port exceeds the check threshold, the switch reports an event to
notify the network administrator, so that the administrator can promptly take
measures to protect the switch.
Prerequisites
The port attack defense function has been enabled using the auto-port-defend
enable command.
Follow-up Procedure
Run the auto-port-defend protocol threshold command to set the threshold for
protocol packet check in port attack defense.
Example
# Enable the report of port attack defense events in the attack defense policy test.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-port-defend enable
[HUAWEI-cpu-defend-policy-test] auto-port-defend alarm enable
Function
The auto-port-defend enable command enables the port attack defense function.
The undo auto-port-defend enable command disables the port attack defense
function.
Format
auto-port-defend enable
Parameters
None
Views
Attack defense policy view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
If an attacker initiates a DoS attack on a port, the malicious attack packets sent
from this port to the CPU occupy bandwidth. As a result, the CPU cannot process
the protocol packets sent from other ports, and services are interrupted.
The port attack defense function effectively limits the number of packets sent to
the CPU, and prevents DoS attacks aiming at the CPU.
Precautions
After the port attack defense function is enabled in an attack defense policy, the
attack defense policy must be applied in the system view.
Example
# Enable the port attack defense function in the attack defense policy test view.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-port-defend enable
Function
The auto-port-defend protocol command specifies the types of protocol packets
to which port attack defense is applied.
The undo auto-port-defend protocol command cancels port attack defense for
certain types of protocol packets.
By default, port attack defense is applicable to ARP Request, Unicast ARP Request
packets, ARP Reply, DHCP, ICMP, IGMP, IP fragment, and ND packets.
Format
auto-port-defend protocol { all | { arp-request | arp-request-uc | arp-reply |
dhcp | icmp | igmp | ip-fragment | nd } * }
NOTE
● S2720-EI, S5720-LI, S5720S-LI, S5720I-SI, S5735S-H, and S5736-S do not support the arp-request-uc parameter.
● S2720-EI, S5720-LI, S1730S-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5720S-LI, S5735-S, S500, S5735S-S, S5735-S-I, S5720I-SI, S5735S-H, and S5736-S do not support the icmp and ip-fragment parameters.
● S1730S-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735-S-I, and S5735S-S do not support the nd parameter.
Parameters
Parameter Description Value
Views
Attack defense policy view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
By default, the device calculates the rate of all protocol packets, including ARP
Request, ARP Reply, DHCP, ICMP, IGMP, and IP fragment packets, received by a
port, and traces the source and limits the rate of attack packets. If the packets
exceeding protocol rate threshold contain only a few attack packets, you can run
the undo auto-port-defend protocol command to cancel port attack defense for
unneeded protocol types. If the device limits the rate of too many protocols,
services are affected.
Prerequisites
The port attack defense function has been enabled using the auto-port-defend
enable command.
Precautions
If you run this command multiple times in the same attack defense policy view,
only the latest configuration takes effect.
After port attack defense is applied to a type of protocol packets, the display
auto-port-defend attack-source command can display the attack source tracing
information if the port is attacked by the specified protocol packets.
Example
# In the attack defense policy test, cancel port attack defense for ARP Reply
packets.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-port-defend enable
[HUAWEI-cpu-defend-policy-test] undo auto-port-defend protocol arp-reply
ip-fragment 30 pps (fragment of the default protocol rate threshold table)
Format
auto-port-defend protocol { all | arp-request | arp-request-uc | arp-reply | dhcp | icmp | igmp | ip-fragment | nd } threshold threshold
undo auto-port-defend protocol { all | arp-request | arp-request-uc | arp-reply | dhcp | icmp | igmp | ip-fragment | nd } threshold [ threshold ]
NOTE
● S2720-EI, S5720-LI, S5720S-LI, S5720I-SI, S5735S-H, and S5736-S do not support the arp-request-uc parameter.
● S2720-EI, S5720-LI, S1730S-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5720S-LI, S5735-S, S500, S5735S-S, S5735-S-I, S5720I-SI, S5735S-H, and S5736-S do not support the icmp and ip-fragment parameters.
● S1730S-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735-S-I, and S5735S-S do not support the nd parameter.
Parameters
Parameter Description Value
Views
Attack defense policy view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After port attack defense is enabled on a port, the device calculates the rate of
affected protocol packets received by the port. If the packet rate exceeds the
protocol rate threshold, the device considers that an attack occurs. Then the device
traces the source and limits the rate of attack packets on the port, and records a
log. The device moves the packets within the protocol rate limit (CPCAR in attack
defense policies) to the low-priority queue, and then sends them to the CPU. The
device discards the excess packets.
You need to set an appropriate rate threshold for port attack defense according to
service requirements. If the CPU fails to process many protocol packets promptly
after port attack defense is enabled, set a large packet rate threshold. If the CPU is
busy processing the packets of a protocol, set a small rate threshold for this
protocol to avoid impact on other services.
Prerequisites
The port attack defense function has been enabled using the auto-port-defend
enable command.
Precautions
If you run the auto-port-defend protocol threshold command multiple times in
the same attack defense policy view, only the latest configuration takes effect.
Example
# In the attack defense policy test, set the rate threshold for ARP Request packets
to 40 pps.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-port-defend enable
[HUAWEI-cpu-defend-policy-test] auto-port-defend protocol arp-request threshold 40
Format
auto-port-defend sample sample-value
undo auto-port-defend sample [ sample-value ]
Parameters
Parameter Description Value
Parameter: sample sample-value
Description: Specifies the protocol packet sampling ratio for port attack defense.
Value: The value is an integer that ranges from 1 to 1024.
Views
Attack defense policy view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
A device with port attack defense enabled identifies attacks by analyzing sampled
packets. There may be errors in attack packet identification or packet rate
calculation. Errors influence the attack defense effect. An appropriate sampling
ratio helps you control attack defense accuracy.
A small sampling ratio improves attack defense accuracy, but consumes more CPU
resources. When the sampling ratio is set to 1, the device analyzes every packet.
The attack packets can be detected quickly, but CPU usage becomes high and
services are affected. Therefore, make a balance between the attack defense
requirement and CPU usage to decide a sampling ratio.
Prerequisites
The port attack defense function has been enabled using the auto-port-defend
enable command.
Precautions
If the protocol packet rate threshold for port attack defense is set to a small value,
the attack identification error caused by packet sampling ratio is large.
Example
# Set the protocol packet sampling ratio to 4 in the attack defense policy test
view.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-port-defend enable
[HUAWEI-cpu-defend-policy-test] auto-port-defend sample 4
Function
The auto-port-defend whitelist command configures a whitelist for port attack
defense.
Format
auto-port-defend whitelist whitelist-number { acl acl-number | interface interface-type interface-number }
undo auto-port-defend whitelist whitelist-number [ acl acl-number | interface interface-type interface-number ]
Parameters
Parameter Description Value
Views
Attack defense policy view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The port attack defense function is enabled by default on the device, so the device
calculates protocol packet rates on all interfaces, and traces the source and limits
the rate of attack packets. In some services, network-side interfaces need to
receive a lot of valid protocol packets. You should add these interfaces or network
nodes connecting to these interfaces to the whitelist. The device does not trace
the source or limit the rate of protocol packets received by the interfaces in the
whitelist.
Prerequisites
The port attack defense function has been enabled using the auto-port-defend
enable command.
Precautions
To define the whitelist using an ACL, you must create an ACL and configure rules
for the ACL.
Before configuring an ACL whitelist for some protocols, ensure that the port attack
defense function supports these protocols. Use the auto-port-defend protocol
command to specify the protocols to which port attack defense is applied.
Example
# In the attack defense policy test, configure a whitelist that references an ACL.
The ACL permits the packets from the users with IP addresses 10.1.1.1 and
10.1.1.2.
<HUAWEI> system-view
[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000] rule permit source 10.1.1.1 0
[HUAWEI-acl-basic-2000] rule permit source 10.1.1.2 0
[HUAWEI-acl-basic-2000] quit
# In the attack defense policy test, add interface GE0/0/1 to the whitelist for port
attack defense.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-port-defend enable
[HUAWEI-cpu-defend-policy-test] auto-port-defend whitelist 1 interface gigabitethernet 0/0/1
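The simulation below is an added illustration of port attack defense as the auto-port-defend aging-time, auto-port-defend protocol threshold, auto-port-defend sample and auto-port-defend whitelist commands describe it; it is not code from the Huawei documentation or the switch. A port+protocol pair whose sampled rate exceeds its threshold is rate-limited for the aging time (packets within the threshold go to a low-priority queue, the excess is discarded), and when the aging time expires the rate is measured again to decide whether limiting continues. Interfaces on the whitelist are never measured. The queue names, the interface names and the traffic are constructed for the demo.

```python
from collections import defaultdict


class PortAttackDefense:
    """Constructed model of per-port protocol rate checking with aging (not device code)."""

    def __init__(self, thresholds, aging_time=300, sample=5, whitelist_interfaces=()):
        self.thresholds = dict(thresholds)            # protocol -> rate threshold in pps
        self.aging_time = aging_time                  # seconds a port+protocol stays limited
        self.sample = sample                          # 1 in N packets analysed
        self.whitelist_interfaces = set(whitelist_interfaces)
        self.limited = {}                             # (interface, protocol) -> expiry time
        self.seen = 0                                 # counter driving 1-in-N sampling
        self.log = []                                 # (time, interface, protocol, est pps)

    def process_second(self, packets, now):
        """One second of CPU-bound packets -> {(interface, protocol): (normal, low, dropped)}."""
        sampled = defaultdict(int)
        queues = defaultdict(lambda: [0, 0, 0])       # normal queue, low-priority queue, dropped
        for pkt in packets:
            key = (pkt["interface"], pkt["proto"])
            if pkt["interface"] in self.whitelist_interfaces or pkt["proto"] not in self.thresholds:
                queues[key][0] += 1                   # not subject to port attack defense
                continue
            if self.limited.get(key, 0) > now:
                # Within the aging time: packets up to the protocol rate limit go to the
                # low-priority queue, the excess is discarded, and nothing is re-measured.
                if queues[key][1] < self.thresholds[pkt["proto"]]:
                    queues[key][1] += 1
                else:
                    queues[key][2] += 1
                continue
            queues[key][0] += 1
            self.seen += 1
            if self.seen % self.sample == 0:          # only sampled packets are analysed
                sampled[key] += 1
        for key, n in sampled.items():                # measure (or re-measure after aging)
            est = n * self.sample
            if est > self.thresholds[key[1]]:
                self.log.append((now, key[0], key[1], est))
                self.limited[key] = now + self.aging_time
        self.limited = {k: t for k, t in self.limited.items() if t > now}
        return {key: tuple(counts) for key, counts in queues.items()}


def run_demo():
    """Constructed traffic over 4 seconds: a whitelisted uplink GE0/0/1, an ARP Request
    burst on GE0/0/2 that subsides after 2 s, and a steady IP fragment flood on GE0/0/2."""
    pad = PortAttackDefense({"arp-request": 40, "ip-fragment": 30}, aging_time=2,
                            sample=2, whitelist_interfaces={"GE0/0/1"})

    def pkts(interface, proto, count):
        return [{"interface": interface, "proto": proto}] * count

    per_second = []
    for t in range(4):
        arp_rate = 100 if t < 2 else 10
        traffic = (pkts("GE0/0/1", "arp-request", 100)
                   + pkts("GE0/0/2", "arp-request", arp_rate)
                   + pkts("GE0/0/2", "ip-fragment", 50))
        per_second.append(pad.process_second(traffic, t))
    return pad, per_second
```

The demo shows both outcomes of the re-check at the end of the aging time: the ARP Request rate on GE0/0/2 has fallen to 10 pps by then, so limiting stops, while the IP fragment flood is still above its 30 pps threshold and is limited for another aging period. Shortening the aging time makes that re-check happen more often, which is the CPU cost the Usage Scenario warns about.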
14.2.17 blacklist
Function
The blacklist command configures a blacklist.
Format
IPv4 blacklist:
IPv6 blacklist:
Blacklist that discards the packets matching ACL rules in the forwarding chip:
NOTE
Parameters
Parameter Description Value
Views
Attack defense policy view
Default Level
2: Configuration level
Usage Guidelines
To defend against malicious packet attacks, the device uses ACLs to add users with
the specific characteristic into a blacklist and discards the packets from the users
in the blacklist. In addition, for S1720GF, S1720GW, S1720GFR-P, S1720GW-E,
S1720GWR, S1720GWR-E, S2720-EI, S5720I-SI, S5720-LI, S5720S-LI, S5735S-H, and
S5736-S, packets matching the IPv4 blacklist are sent to the CPU first, and then
discarded. To discard the packets directly without sending them to the CPU, you
can run the blacklist blacklist-id acl acl-number3 hard-drop command. This
function can reduce impact of malicious packets on the CPU usage, and applies to
only IPv4 packets.
An attack defense policy can contain a maximum of eight blacklists (including
IPv4 and IPv6 blacklists and the blacklist that discards the packets matching ACL
rules).
For S6735-S, S6720-EI, and S6720S-EI, packets sent from blacklisted users are
discarded after traffic statistics are collected; therefore, you can run the display
Example
# Specify ACL 2001 as the rule of blacklist 2.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] blacklist 2 acl 2001
Info: This configuration may cause packet loss.
# Apply ACL 3006 to blacklist 5 to discard the packets matching ACL 3006 in the
forwarding chip.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] blacklist 5 acl 3006 hard-drop
Info: This configuration may cause packet loss.
Function
The car command sets the rate limit for packets sent to the CPU.
The undo car command restores the default rate limit for packets sent to the CPU.
By default, the CIR value for user-defined flows is 64 kbit/s. You can run the
display cpu-defend configuration command to check the CAR values for protocol
packets.
Format
car { packet-type packet-type | user-defined-flow flow-id } cir cir-value [ cbs cbs-value ]
Parameters
Parameter: packet-type packet-type
Description: Specifies the type of packets.
Value: The supported packet type depends on the device.
Views
Attack defense policy view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The switch has default CAR values for each type of protocol packet. You can adjust
CAR values for specified types of protocol packets based on services and network
environment.
After an attack defense policy is created, you can limit the rate of protocol packets
using the policy:
● Reduce the CAR values in the following situation: When a network undergoes
an attack, reduce the CAR values of the corresponding protocol, to reduce
impact on the system CPU.
● Increase the CAR values in the following situation: When service traffic
volume on the network increases, a large number of protocol packets need to
be sent to the CPU. Increase the CAR values of the corresponding protocols to
meet service requirements.
NOTICE
Improper CPCAR settings will affect services on your network. If you need to
adjust CPCAR settings, you are advised to contact technical support personnel for
help.
Default CAR values (table fragment): portal 152, dhcp-server 374, sip 800
Precautions
If you run the deny command and then the car command, the car command
takes effect; if you run the car command, and then the deny command, the deny
command takes effect.
NOTE
When the actual and configured rates of packets sent to the CPU are large, the CPU usage
may be high and the performance may deteriorate. In the worst situation, the stack breaks.
The S1720GF, S1720GW-E, S1720GFR-P, S1720GWR-E, S2720-EI, S5720I-SI, S5720-LI,
S5720S-LI, S5735S-H, and S5736-S use the CAR values configured for FIB-hit packets to
limit the rate of ND packets destined for the MAC address of the local switch, and limit
rates of BPDU and CDP packets by using the CPCAR configured by the car packet-type
bpdu-tunnel cir cir-value [ cbs cbs-value ] command.
Example
# Set the rate limit in the attack defense policy named test for ARP Reply packets:
set the CIR value to 64 kbit/s and the CBS value to 33000 bytes.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] car packet-type arp-reply cir 64 cbs 33000
Warning: Improper parameter settings may affect stable operating of the system. Use this command under
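The token bucket below is an added illustration of what the cir and cbs values in the car command control; it is not code from the Huawei documentation and does not claim to reproduce the switch's internal implementation. CIR is a sustained rate in kbit/s and CBS is a burst size in bytes, so with the example values (cir 64, cbs 33000) a burst of up to 33000 bytes is admitted at once and afterwards only about 8000 bytes per second get through. The packet sizes and offered load are constructed for the demo.

```python
class CpCar:
    """Single-rate token bucket: cir in kbit/s, cbs in bytes, as in the car command.
    Constructed model for illustration, not the switch's implementation."""

    def __init__(self, cir_kbps, cbs_bytes):
        self.rate = cir_kbps * 1000 / 8          # refill rate in bytes per second
        self.cbs = cbs_bytes                     # bucket depth: largest admitted burst
        self.tokens = float(cbs_bytes)           # bucket starts full
        self.last = 0.0                          # time of the last refill

    def admit(self, size, now):
        """Admit a packet of 'size' bytes arriving at time 'now' (seconds) if tokens allow."""
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(self.cbs, self.tokens + elapsed * self.rate)
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False                             # excess is dropped (the CAR exceeds)


def run_burst(car, n_packets, size, now):
    """Offer n_packets of 'size' bytes at the same instant; return how many are admitted."""
    return sum(car.admit(size, now) for _ in range(n_packets))


def admitted_per_second(cir_kbps, cbs_bytes, seconds, offered_pps=1000, size=64):
    """Constructed load: offered_pps packets each second against a fresh CAR instance.
    Returns the number admitted in each second."""
    car = CpCar(cir_kbps, cbs_bytes)
    return [run_burst(car, offered_pps, size, float(t)) for t in range(seconds)]
```

With the example policy, 64-byte packets offered at 1000 pps yield 515 admitted packets in the first second (the 33000-byte burst) and 125 per second thereafter (8000 bytes per second at CIR), which is why the Usage Scenario treats raising CIR as the lever for legitimate traffic growth and lowering it as the lever for an attack in progress.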
Function
The cpu-defend application-apperceive enable command enables active link
protection (ALP). After the ALP is enabled, the CAR values of protocol packets set
using linkup-car can take effect.
By default, ALP is enabled on FTP, IPv6 FTP, HTTP, HTTPS, IP-CLOUD, IKE, IPSEC-ESP, SSH, TELNET, and TFTP packets and disabled on BGP, BGP4+, ISIS, OSPF, and OSPFv3 packets.
Format
cpu-defend application-apperceive [ bgp | bgp4plus | ftp | ftpv6 | http | https | ike | ip-cloud | ipsec-esp | isis | ospf | ospfv3 | ssh | telnet | tftp ] enable
NOTE
● Only the S5735S-H, S5736-S, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S5735-S, S500, S5735S-S, S5735-S-I, S6735-S, S6720-EI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support the bgp parameter.
● Only the S1720GF, S1720GW-E, S1720GFR-P, S1720GWR-E, S2720-EI, S5720I-SI, S5720-LI, S1730S-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5720S-LI, S5735-S, S500, S5735S-S, S5735-S-I, S5735S-H, S5736-S, S6735-S, S6720-EI, and S6720S-EI support the ike parameter.
● Only the S2720-EI, S5720I-SI, S5720-LI, S1730S-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5720S-LI, S5735-S, S500, S5735S-S, S5735-S-I, S5735S-H, S5736-S, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6735-S, S6720-EI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support the ipsec-esp parameter.
● Only the S1720GF, S1720GFR-P, S1720GW-E, S1720GWR-E, S2720-EI, S5720-LI, S1730S-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S, S5735-S-I, S5720S-LI, S5735S-H, S5736-S, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6735-S, S6720-EI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support the ospf parameter.
● Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6735-S, S6720-EI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support the bgp4plus and isis parameters.
● Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6735-S, S6720-EI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support the ospfv3 parameter.
● Only the S1720-10GF-2P, S1720-10GF-PWR-2P, S1720-28GFR-4P, S1720-28GFR-PWR-4P, S1720-52GFR-4P, S1720-52GFR-PWR-4P, S1730S-H, S1730S-S1, S200, S5720I-SI, S5720-LI, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5720S-LI, S500, S5735-S, S5735S-S, S5735-S-I, S5735S-H, S5736-S, S5731-H, S5731S-H, S5732-H, S5731-S, S5731S-S, S6730-S, S6730S-S, S6735-S, S6720-EI, S6720S-EI, S6730-H, and S6730S-H support the ip-cloud parameter.
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The default CAR value of BGP, BGP4+, FTP, IPv6 FTP, HTTP, HTTPS, IP-CLOUD, ISIS,
OSPFv3, OSPF, IKE, IPSEC-ESP, SSH, TFTP, or TELNET protocol is small. When a
switch uses these protocols to transfer files or set up connections with other hosts
or devices, the number of protocol packets sharply increases in a short period.
When the packet rate exceeds the limit, the protocol packets are dropped. The
switch may also undergo attacks of other protocols. This affects data transmission
and causes service interruption.
You can run the cpu-defend application-apperceive command to enable ALP for the above protocols, ensuring that the related services operate normally when attacks occur. When a connection is set up, the switch sends packets at the rate of the CPCAR value configured using the linkup-car command. The CPCAR value can be set as required.
Precautions
To enable the ALP function for a certain protocol, run the cpu-defend application-apperceive enable command to enable ALP globally. For example, before enabling ALP for the TFTP protocol, run the cpu-defend application-apperceive enable command, and then the cpu-defend application-apperceive tftp enable command to make the configuration take effect.
Example
# Enable ALP on BGP packets and set the CIR value to 256 kbit/s.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] linkup-car packet-type bgp cir 256
[HUAWEI-cpu-defend-policy-test] quit
[HUAWEI] cpu-defend application-apperceive enable
[HUAWEI] cpu-defend application-apperceive bgp enable
Function
The cpu-defend dynamic-adjust enable command enables adaptive CPCAR
adjustment for protocol packets.
NOTE
Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6735-S, S6720-EI, S6720S-EI,
S6730-H, S6730S-H, S6730-S, and S6730S-S support this function.
Format
cpu-defend dynamic-adjust [ packet-type { arp-reply | arp-request | arp-request-uc | dhcp-client | dhcp-server | igmp | nd } ] enable
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The default CPCAR values for protocol packets may not meet the dynamic
requirements on the rate of sending protocol packets to the CPU. To resolve this
problem, you can run this command to enable the adaptive CPCAR adjustment
function for protocol packets.
After adaptive CPCAR adjustment is enabled for a specified type of protocol
packets, the device periodically detects whether the protocol packets are lost. If
packet loss occurs in the last detection period, the device adjusts the CPCAR value
of the protocol packets according to the CPU usage. If the CPU usage is low, the
device increases the CPCAR value. If the CPU usage is high, the device decreases
the CPCAR value. The new CPCAR values must be within the allowed range. If
packet loss occurs due to congestion in the queue of protocol packets, the device
restores the default CPCAR value of the protocol packets. You can run the display
cpu-defend dynamic-adjust history-record command to view the historical
adaptive CPCAR adjustment records.
The following table lists the supported protocol packet types and the maximum
CPCAR values allowed after adjustment.
Precautions
● This function takes effect only when the default CPCAR values of protocol
packets are not manually modified.
● After adaptive CPCAR adjustment for protocol packets is enabled globally, this
function takes effect for all supported types of protocol packets.
● If this command is configured together with the cpu-defend dynamic-car
enable command for the same type of protocol packets, this command takes
effect.
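The adjustment loop described in the Usage Scenario, written out as a small simulation. This is an added example and not Huawei code: the page only states the rules (act when the last detection period saw packet loss; raise the CIR when CPU usage is low, lower it when it is high, stay within the allowed range; restore the default when the loss came from queue congestion; do nothing once the CPCAR was changed by hand). The CPU thresholds, the 64 kbit/s step, the allowed range and the sample periods are assumptions, because the page's table of maximum values was not recovered.

```python
from dataclasses import dataclass, field


@dataclass
class PeriodSample:
    """One detection period's observation (constructed, not a device record)."""
    dropped: int                   # packets of this type dropped by the CPCAR
    cpu_usage: int                 # CPU usage in percent
    queue_congested: bool = False  # loss was caused by protocol-queue congestion


@dataclass
class AdaptiveCar:
    """Tracks the CPCAR CIR (kbit/s) of one protocol packet type."""
    packet_type: str
    default_cir: int
    min_cir: int = 64             # assumed lower bound of the allowed range
    max_cir: int = 512            # assumed upper bound (page table not recovered)
    step: int = 64                # assumed adjustment granularity
    cpu_low: int = 50             # assumed: below this, CPU usage is "low"
    cpu_high: int = 80            # assumed: at or above this, CPU usage is "high"
    manually_set: bool = False    # True once the CPCAR was modified by hand
    cir: int = field(init=False)
    history: list = field(default_factory=list)

    def __post_init__(self):
        self.cir = self.default_cir

    def detect(self, sample: PeriodSample) -> int:
        """Run one detection period and return the CIR in effect afterwards."""
        # Precaution from the page: the function only acts while the default
        # CPCAR has not been manually modified, and only after packet loss.
        if self.manually_set or sample.dropped == 0:
            return self.cir
        before = self.cir
        if sample.queue_congested:
            # Loss caused by queue congestion: fall back to the default value.
            self.cir = self.default_cir
            reason = "queue congestion, default restored"
        elif sample.cpu_usage < self.cpu_low:
            # Low CPU usage: let more packets through, within the range.
            self.cir = min(self.cir + self.step, self.max_cir)
            reason = "loss with low CPU usage, CIR increased"
        elif sample.cpu_usage >= self.cpu_high:
            # High CPU usage: protect the CPU by lowering the limit.
            self.cir = max(self.cir - self.step, self.min_cir)
            reason = "loss with high CPU usage, CIR decreased"
        else:
            reason = "loss with moderate CPU usage, CIR unchanged"
        # Same kind of record as display cpu-defend dynamic-adjust history-record.
        self.history.append((self.packet_type, before, self.cir, reason))
        return self.cir


def run_scenario() -> list:
    """Drive a constructed sequence of periods and return the CIR after each."""
    car = AdaptiveCar("arp-request", default_cir=128)
    periods = [
        PeriodSample(dropped=0, cpu_usage=10),                       # no loss
        PeriodSample(dropped=40, cpu_usage=20),                      # loss, low CPU
        PeriodSample(dropped=35, cpu_usage=25),                      # loss, low CPU
        PeriodSample(dropped=50, cpu_usage=90),                      # loss, high CPU
        PeriodSample(dropped=12, cpu_usage=60),                      # loss, moderate CPU
        PeriodSample(dropped=30, cpu_usage=20, queue_congested=True),  # congestion
    ]
    return [car.detect(p) for p in periods]
```

Running `run_scenario()` gives the trace 128, 192, 256, 192, 192, 128: two increases under low CPU load, one decrease under high load, a hold in the middle band, and the default restored after congestion-induced loss.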
Example
# Enable adaptive CPCAR adjustment for ARP request packets.
<HUAWEI> system-view
[HUAWEI] cpu-defend dynamic-adjust packet-type arp-request enable
Function
The cpu-defend dynamic-car enable command enables a switch to dynamically
adjust the default CIR value for protocol packets.
By default, dynamic adjustment of the default CIR value is enabled globally, but
the switch is disabled from dynamically adjusting the default CIR value for VRRP
and ARP protocol packets.
NOTE
Only the S5720I-SI, S1730S-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S, S5735-S-I, S5735S-H, S5736-S, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6735-S, S6720-EI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support this command.
Format
cpu-defend dynamic-car [ arp | vrrp ] enable
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
A fixed default CIR value may not adapt to dynamic requirements on rate limiting
for protocol packets. The cpu-defend dynamic-car enable command enables a
switch to dynamically adjust the default CIR value for protocol packets.
If the default CIR value for a protocol has never been changed, the switch
dynamically adjusts the default CIR value for the protocol packets based on service
scale (for example, number of dynamic ARP entries) and CPU usage to meet
various service requirements. For details, see Table 14-19.
Table 14-19 (only one row was recovered here): X ≤ 512 | Unchanged
NOTE
When the number of entries increases, the CPCAR value is dynamically increased. When the
CPU usage is between 70% to 98%, the dynamic CPCAR adjustment stops. If the CPU usage
is greater than 98%, the default CPCAR value is used.
Precautions
The switch dynamically adjusts the default CIR value for VRRP or ARP protocol
packets only when the function is enabled globally and on VRRP or ARP protocol
packets.
The dynamically adjusted default CIR value takes effect only when the CIR value of the protocol packets has not been manually changed.
After the default CPCAR setting is modified for ARP, only the CIR values for ARP Reply, unicast ARP Request, and ARP Request packets are adjusted.
Example
# Enable the switch to dynamically adjust the default CIR value for ARP protocol
packets.
<HUAWEI> system-view
[HUAWEI] cpu-defend dynamic-car enable
[HUAWEI] cpu-defend dynamic-car arp enable
Function
The cpu-defend host-car command specifies the packet type to which the user-
level rate limiting is applied.
By default, the user-level rate limiting can apply to ARP Request, ARP Reply, ND,
DHCP Request, DHCPv6 Request, and 8021x packets, but does not apply to IGMP
and HTTPS-SYN packets.
NOTE
Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S,
and S6730S-S support this command.
Format
cpu-defend host-car { { arp | dhcp-request | dhcpv6-request | igmp | nd | 8021x
| https-syn } * | all }
Parameters
Parameter Description Value
arp Applies user-level rate limiting to ARP packets. -
dhcp-request Applies user-level rate limiting to DHCP Request packets. -
dhcpv6-request Applies user-level rate limiting to DHCPv6 Request packets. -
igmp Applies user-level rate limiting to IGMP packets. -
nd Applies user-level rate limiting to ND packets. -
8021x Applies user-level rate limiting to 8021x packets. -
https-syn Applies user-level rate limiting to HTTPS-SYN packets. -
all Applies user-level rate limiting to ARP, DHCP Request, DHCPv6 Request, IGMP, ND, 8021x, and HTTPS-SYN packets. -
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
By default, the switch limits the rates of the ARP, ND, DHCP Request, DHCPv6
Request, and 8021x packets received from user MAC addresses, including wired
and wireless users, and discards excessive packets when the packet rates exceed
the rate limit. If you need to limit the rate of only IGMP and HTTPS-SYN packets
or packets of the specified types, specify the packet type.
Precautions
● Before using this command, run the cpu-defend host-car enable command
to enable user-level rate limiting.
● If the command is run multiple times, the user-level rate limiting applies to
the packet type specified in the last command. For example, if the command
specifying ARP and DHCP Request packets is run, and then the cpu-defend
host-car arp command is run, the user-level rate limiting applies to only ARP
packets.
● After the cpu-defend host-car all command is run, the configuration file
displays cpu-defend host-car 8021x arp dhcp-request dhcpv6-request
https-syn igmp nd.
Example
# Apply user-level rate limiting to ARP, DHCP Request, DHCPv6 Request, IGMP,
and ND packets.
<HUAWEI> system-view
[HUAWEI] cpu-defend host-car arp dhcp-request dhcpv6-request igmp nd
Function
The cpu-defend host-car drop-packet cir command sets a rate limit for sending
packets that are discarded due to user-level rate limiting to the CPU.
The undo cpu-defend host-car drop-packet cir command restores the default
rate limit.
By default, the CIR and CBS for sending packets that are discarded due to user-
level rate limiting to the CPU are 64 kbit/s and 12032 bytes, respectively.
NOTE
Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S,
and S6730S-S support this command.
Format
cpu-defend host-car drop-packet cir cir-value [ cbs cbs-value ]
Parameters
Parameter Description Value
cir-value Specifies the CIR value. The value is an integer in the range from 64 to 4096, in kbit/s.
cbs cbs-value Specifies the CBS value. The value is an integer in the range from 10000 to 800000, in bytes.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After the undo cpu-defend host-car drop-packet monitor disable command is
run to enable monitoring for packets discarded due to user-level rate limiting, the
discarded packets are sent to the CPU. You can run the cpu-defend host-car
drop-packet cir command to adjust the rate limit for sending these discarded
packets to the CPU.
Prerequisites
Monitoring for packets discarded due to user-level rate limiting has been enabled
using the undo cpu-defend host-car drop-packet monitor disable command.
Example
# Set the CIR and CBS for sending packets that are discarded due to user-level rate
limiting to the CPU to 128 kbit/s and 16384 bytes, respectively.
<HUAWEI> system-view
[HUAWEI] cpu-defend host-car enable
[HUAWEI] undo cpu-defend host-car drop-packet monitor disable
[HUAWEI] cpu-defend host-car drop-packet cir 128 cbs 16384
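What a CIR/CBS pair such as the one configured above means for traffic, as an added example that is not part of the page or of Huawei's software. The model assumes standard token-bucket semantics: tokens accrue at the CIR (kbit/s, so cir * 1000 / 8 bytes per second) up to a depth of CBS bytes, a packet passes when the bucket holds at least its length in tokens and is dropped otherwise, and the bucket starts full. The accepted ranges are the ones this command lists (64 to 4096 kbit/s, 10000 to 800000 bytes); the packet sizes and timings are constructed.

```python
def car_errors(cir_kbps: int, cbs_bytes: int) -> list:
    """Return the range violations for a CIR/CBS pair (empty list when valid)."""
    errors = []
    if not 64 <= cir_kbps <= 4096:
        errors.append(f"cir {cir_kbps} is outside 64..4096 kbit/s")
    if not 10000 <= cbs_bytes <= 800000:
        errors.append(f"cbs {cbs_bytes} is outside 10000..800000 bytes")
    return errors


class TokenBucket:
    """CIR/CBS limiter: the CIR refills tokens, the CBS bounds the burst."""

    def __init__(self, cir_kbps: int, cbs_bytes: int):
        problems = car_errors(cir_kbps, cbs_bytes)
        if problems:
            raise ValueError("; ".join(problems))
        self.rate = cir_kbps * 1000 / 8     # refill rate in bytes per second
        self.depth = cbs_bytes              # maximum tokens (burst size)
        self.tokens = float(cbs_bytes)      # assumed: the bucket starts full
        self.last = 0.0                     # time of the previous packet

    def offer(self, t: float, length: int) -> bool:
        """Offer a packet of `length` bytes at time t (seconds); True = passes."""
        self.tokens = min(self.depth, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= length:
            self.tokens -= length
            return True
        return False


def run_packets(cir_kbps: int, cbs_bytes: int, packets) -> tuple:
    """packets: iterable of (time_s, length_bytes). Returns (passed, dropped)."""
    bucket = TokenBucket(cir_kbps, cbs_bytes)
    passed = dropped = 0
    for t, length in packets:
        if bucket.offer(t, length):
            passed += 1
        else:
            dropped += 1
    return passed, dropped


def burst_vs_spread(count: int = 100, length: int = 1000) -> tuple:
    """The same packets as one burst and spread 100 ms apart, under cir 128 cbs 16384."""
    burst = [(0.0, length)] * count                      # all at t = 0 (constructed)
    spread = [(i * 0.1, length) for i in range(count)]   # 10 packets/s (constructed)
    return run_packets(128, 16384, burst), run_packets(128, 16384, spread)
```

With cir 128 and cbs 16384 a burst of 100 packets of 1000 bytes lets exactly 16 through (16000 bytes fit in the 16384-byte bucket, the 17th does not) and drops 84, while the same 100 packets spread over 10 seconds all pass because 100 ms of refill at 16000 bytes/s exceeds one packet. The CBS therefore decides how large a burst of discarded-packet copies reaches the CPU at once, and the CIR how many arrive sustained.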
NOTE
Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S,
and S6730S-S support this command.
Format
cpu-defend host-car drop-packet monitor disable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After user-level rate limiting is enabled, the switch discards the excess packets if the rate of packets from the same source MAC address exceeds the rate limit within a specified period of time. To check information about the discarded packets, run the undo cpu-defend host-car drop-packet monitor disable command to enable monitoring for packets discarded due to user-level rate limiting.
Prerequisites
User-level rate limiting has been enabled using the cpu-defend host-car enable
command.
Precautions
After you run the cpu-defend host-car drop-packet monitor disable command
to disable monitoring for packets discarded due to user-level rate limiting, the
cpu-defend host-car drop-packet cir command configuration is deleted.
Example
# Enable monitoring for packets discarded due to user-level rate limiting.
<HUAWEI> system-view
[HUAWEI] cpu-defend host-car enable
[HUAWEI] undo cpu-defend host-car drop-packet monitor disable
NOTE
Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S,
and S6730S-S support this command.
Format
cpu-defend host-car enable
undo cpu-defend host-car enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
User-side hosts are prone to virus attacks. Infected hosts may send a large number of protocol packets to network devices, causing high CPU usage and degraded performance on the devices and affecting services. You can configure user-level rate limiting to resolve this problem. User-level rate limiting identifies users by user MAC addresses and limits the rates of specified packets for both wired and wireless users. By default, the threshold for each user MAC address is 10 pps.
The user-level rate limiting is more precise than CPCAR (based on switches) and
port attack defense (based on interfaces) because it is user-specific and has little
impact on online users.
Precautions
● After you run the undo cpu-defend host-car enable command to disable
user-level rate limiting, all configurations related to user-level rate limiting are
deleted or restored to the default values.
● You are advised to disable user-level rate limiting on network-side ports of
access switches and network interconnection interfaces of gateway switches.
● During user-level rate limiting, the system performs a hash calculation on the source MAC addresses of the specified packets and places the packets into different buckets. Therefore, multiple users may share one rate limit. When the traffic volume on the network is heavy, packets may be dropped. If you confirm that these users are authorized, run the cpu-defend host-car mac-address mac-address command to increase the rate threshold for the specified MAC addresses.
Example
# Disable user-level rate limiting.
<HUAWEI> system-view
[HUAWEI] undo cpu-defend host-car enable
Function
The cpu-defend host-car pps command sets the rate limit for the user-level rate
limiting.
The undo cpu-defend host-car command restores the default rate limit for the
user-level rate limiting.
By default, the rate limit for the user-level rate limiting is 10 pps.
NOTE
Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S,
and S6730S-S support this command.
Format
cpu-defend host-car [ mac-address mac-address | car-id car-id ] pps pps-value
Parameters
Parameter Description Value
mac-address mac-address Sets the rate limit for the specified MAC address. The value is in the H-H-H format. H is a hexadecimal number of 1 to 4 digits.
car-id car-id Sets the rate limit for the specified bucket. The value is an integer that ranges from 0 to 8191.
pps pps-value Indicates the rate limit. The value is an integer that ranges from 1 to 128.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
User-level rate limiting identifies users by user MAC addresses and limits the rates of specified packets (ARP, ND, DHCP Request, DHCPv6 Request, IGMP, 802.1X, and HTTPS-SYN packets) for both wired and wireless users. By default, the user-level rate limit is 10 pps. You can set a different rate limit per user.
Precautions
● Before using this command, run the cpu-defend host-car enable command
to enable user-level rate limiting.
● If the rate limit is too high, attacks cannot be prevented and the CPU may be overloaded.
● If both the cpu-defend host-car mac-address mac-address pps pps-value
and cpu-defend host-car pps pps-value commands are run, the rate limit for
the specified MAC address is determined by the former command, and the
rate limit for other MAC addresses is determined by the latter command.
● The user-level rate limiting performs a hash calculation for the source MAC
addresses of specified packets, and places the packets into different buckets.
When two user MAC addresses are mapped to the same bucket index, the
two users share the same rate limit (in pps mode). If the two users modify
the rate limit for the bucket simultaneously, the setting will be overwritten. To
avoid this situation, the rate limit for the specified MAC address cannot be set
upon hash conflict.
● When the cpu-defend host-car mac-address mac-address pps pps-value and
cpu-defend host-car pps pps-value commands are run to configure the rate
limit for multiple MAC addresses, the settings are displayed in the alphabetic
order in the configuration file.
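The bucket sharing described in the Precautions here and in those of cpu-defend host-car enable, as an added model that is not Huawei code. It keeps to what the page states: each source MAC is hashed to one of the car-id buckets 0 to 8191, each bucket enforces a pps limit (10 pps by default, 1 to 128 when set), two MACs that land in the same bucket share that limit, a MAC-specific limit overrides the global one, and a MAC-specific limit is refused when another MAC already owns the bucket (hash conflict). The hash function (an XOR of the three 16-bit groups, chosen so that colliding addresses can be constructed by hand), the one-second counting window, and the MAC addresses are assumptions; the switch's real hash is not documented on the page.

```python
import re

NUM_BUCKETS = 8192   # car-id range 0..8191 from the page
DEFAULT_PPS = 10     # default user-level rate limit from the page
MAC_RE = re.compile(r"^([0-9a-fA-F]{1,4})-([0-9a-fA-F]{1,4})-([0-9a-fA-F]{1,4})$")


def bucket_of(mac: str) -> int:
    """Map an H-H-H MAC address to a bucket index 0..8191.

    Assumed stand-in hash (XOR of the three groups, masked to 13 bits); it is
    not the switch's hash, only a deterministic way to get collisions to study.
    """
    m = MAC_RE.match(mac)
    if not m:
        raise ValueError(f"{mac!r} is not in H-H-H format")
    h1, h2, h3 = (int(g, 16) for g in m.groups())
    return (h1 ^ h2 ^ h3) & (NUM_BUCKETS - 1)


class HostCar:
    """Per-bucket pps limiter in the style of cpu-defend host-car."""

    def __init__(self, pps: int = DEFAULT_PPS):
        self.global_pps = self._check_pps(pps)   # cpu-defend host-car pps
        self.bucket_pps = {}    # bucket -> (mac, pps) from a mac-address setting
        self.counts = {}        # (bucket, second) -> packets already admitted

    @staticmethod
    def _check_pps(pps: int) -> int:
        if not 1 <= pps <= 128:
            raise ValueError("pps-value must be an integer from 1 to 128")
        return pps

    def set_mac_pps(self, mac: str, pps: int) -> bool:
        """cpu-defend host-car mac-address mac-address pps; False on hash conflict."""
        self._check_pps(pps)
        bucket = bucket_of(mac)
        owner = self.bucket_pps.get(bucket)
        if owner is not None and owner[0] != mac:
            return False        # another MAC already owns this bucket's limit
        self.bucket_pps[bucket] = (mac, pps)
        return True

    def limit_for(self, mac: str) -> int:
        """Effective limit: the bucket owner's setting, else the global pps."""
        bucket = bucket_of(mac)
        return self.bucket_pps[bucket][1] if bucket in self.bucket_pps else self.global_pps

    def admit(self, mac: str, t: float) -> bool:
        """Offer one packet from `mac` at time t (seconds); True = admitted."""
        key = (bucket_of(mac), int(t))      # assumed one-second window
        seen = self.counts.get(key, 0)
        if seen >= self.limit_for(mac):
            return False                    # excess packet is discarded
        self.counts[key] = seen + 1
        return True


def shared_bucket_demo() -> tuple:
    """Two colliding users alternate packets within one second; returns (admitted, dropped)."""
    car = HostCar()
    users = ["00e0-fc0b-000c", "00e0-fc0b-e00c"]   # constructed; collide under bucket_of
    results = [car.admit(users[i % 2], 0.05 * i) for i in range(16)]
    return results.count(True), results.count(False)
```

The two constructed addresses both hash to bucket 7399, so sixteen packets split between them in one second yield 10 admitted and 6 dropped even though neither host alone exceeds 10 pps. Raising the limit for the first address with `set_mac_pps` also raises it for the second, and a second, conflicting `set_mac_pps` on the colliding address is refused, which is the hash-conflict behaviour the page describes.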
Example
# Set the rate limit for MAC address 00e0-fc0b-000c to 20 pps.
<HUAWEI> system-view
[HUAWEI] cpu-defend host-car mac-address 00e0-fc0b-000c pps 20
By default, the default attack defense policy exists on the device and is applied to
the device. The default attack defense policy cannot be deleted or modified.
Format
cpu-defend policy policy-name
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
A large number of packets including malicious attack packets are sent to the CPU
on a network. If excess packets are sent to the CPU, the CPU usage becomes high
and CPU performance deteriorates. The attack packets affect services and may
even cause system breakdown. To solve the problem, create an attack defense
policy and configure CPU attack defense and attack source tracing in the attack
defense policy.
Precautions
When the default attack defense policy is used, protocol packets sent to the CPU
are limited based on the default CIR value.
Example
# Create an attack defense policy named test.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test]
14.2.28 cpu-defend-policy
Function
The cpu-defend-policy command applies an attack defense policy.
Format
The stack-incapable models support the following commands:
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After an attack defense policy is created, you must apply the policy in the system
view. Otherwise, the attack defense policy does not take effect.
Prerequisites
An attack defense policy has been created by using the cpu-defend policy
command.
Example
# Apply the attack defense policy named test to all devices.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] quit
[HUAWEI] cpu-defend-policy test global
NOTE
Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S1730S-H, S2730S-S, S5735-L-I,
S5735-L1,S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S, S5735-S-I,
S6735-S, S6720-EI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support this
command.
Format
cpu-defend trap drop-packet
undo cpu-defend trap drop-packet
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To protect the CPU, a switch limits the rate of protocol packets sent to the CPU based on the CPCAR. If the rate of protocol packets exceeds the CPCAR, excess protocol packets are dropped. As a result, the corresponding service may not run normally. To quickly detect packet loss caused by packets exceeding the CPCAR, you can use this command to enable alarm reporting for this event. After this function is enabled, the switch checks for packet loss caused by the CPCAR at 10-minute intervals. If the switch finds that the number of dropped packets of a protocol has increased, the switch reports a packet loss alarm.
Precautions
After this alarm reporting function is enabled, the switch reports packet loss
alarms based on protocol types. That is, if the rates of packets of multiple
protocols exceed the CPCAR values set for these protocols, the switch reports an
alarm for each protocol.
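The detection rule above (compare the per-protocol drop counters with the previous check 10 minutes earlier and raise one alarm per protocol whose count grew), as an added example of how an operator could reproduce the same check from polled counters. It is not Huawei code: the two-column counter tables, the counter values and the `DropAlarmMonitor` name are constructed, and the handling of a counter that goes backwards (treated as a reset, so a new baseline is taken without alarming) is an assumption.

```python
INTERVAL_S = 600   # the page: the switch checks at 10-minute intervals

# Constructed counter tables, one "<packet type> <dropped>" pair per line.
SNAPSHOT_T0 = """\
arp-request 120
arp-reply   0
dhcp-client 15
icmp        40
"""
SNAPSHOT_T1 = """\
arp-request 980
arp-reply   0
dhcp-client 15
icmp        41
nd          7
"""


def parse_drop_table(text: str) -> dict:
    """Return {packet_type: dropped} from a two-column table, skipping other lines."""
    counters = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            continue                     # blank, header or separator line
        counters[parts[0]] = int(parts[1])
    return counters


class DropAlarmMonitor:
    """Raises one alarm per protocol whose CPCAR drop counter increased."""

    def __init__(self, interval_s: int = INTERVAL_S):
        self.interval_s = interval_s
        self.last_time = None
        self.last_counters = {}

    def poll(self, now: float, counters: dict) -> list:
        """Feed a counter snapshot taken at `now` (seconds); returns alarms."""
        if self.last_time is not None and now - self.last_time < self.interval_s:
            return []                    # a full detection interval has not elapsed
        alarms = []
        if self.last_time is not None:   # the first snapshot is only a baseline
            for proto in sorted(counters):
                before = self.last_counters.get(proto, 0)
                after = counters[proto]
                # A counter lower than before means it was cleared (assumed);
                # no alarm, the new value simply becomes the baseline.
                if after > before:
                    alarms.append({"protocol": proto,
                                   "new_drops": after - before,
                                   "total": after})
        self.last_time = now
        self.last_counters = dict(counters)
        return alarms


def run_demo() -> tuple:
    """Baseline at t=0, an early poll that is ignored, then the 10-minute check."""
    monitor = DropAlarmMonitor()
    first = monitor.poll(0, parse_drop_table(SNAPSHOT_T0))
    early = monitor.poll(300, parse_drop_table(SNAPSHOT_T1))
    alarms = monitor.poll(600, parse_drop_table(SNAPSHOT_T1))
    return first, early, alarms
```

On the constructed snapshots the check at 600 s reports three separate alarms, for arp-request (860 new drops), icmp (1) and nd (7, a protocol that was not present in the baseline), while arp-reply and dhcp-client stay silent because their counters did not move. Even a single new drop is reported, which matches the page's "increases" wording; an operator who wants fewer alarms would add a minimum delta.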
Example
# Enable alarm reporting for packet loss caused by CPCAR exceeding.
<HUAWEI> system-view
[HUAWEI] cpu-defend trap drop-packet
14.2.30 deny
Function
The deny command configures the device to discard packets sent to the CPU.
The undo deny command restores the default action taken for the packets sent to
the CPU.
By default, the device does not discard packets sent to the CPU. Instead, the device limits the rate of packets sent to the CPU and user-defined flows using the default rate. You can check the CAR values of each type of packet using the display cpu-defend configuration command.
Format
deny { packet-type packet-type | user-defined-flow flow-id }
Parameters
Views
Attack defense policy view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After an attack defense policy is created, if the device receives attack packets of a
specified type or a large number of packets sent to the CPU, run the deny
command to configure the device to discard packets of the specified type sent to
the CPU.
Precautions
If you run the deny command, and then the car command, the car command
takes effect; if you run the car command, and then the deny command, the deny
command takes effect. After the undo deny command is executed, the default
action for packets sent to the CPU is restored, that is, CIR and CBS actions are
performed.
Example
# Configure the drop action taken for ARP Reply packets to be sent to the CPU in
the attack defense policy test.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] deny packet-type arp-reply
Function
The description command configures the description of an attack defense policy.
Format
description text
undo description
Parameters
Parameter Description Value
text Specifies the content of a description. It is a string of 1 to 63 case-sensitive characters with spaces.
Views
Attack defense policy view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Precautions
If you run the description command in the same attack defense policy view
multiple times, only the latest configuration takes effect.
Example
# Configure the description defend_arp_attack for the attack defense policy
named test.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] description defend_arp_attack
Function
The display auto-defend attack-source command displays the attack sources.
Format
display auto-defend attack-source [ history [ begin begin-date begin-time ] [ slot slot-id ] | [ slot slot-id ] [ detail ] ]
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The display auto-defend attack-source command displays the attack sources.
In a stack, the attack source list can be saved on each member switch. The display
auto-defend attack-source slot slot-id command displays the attack source list
on the specified member switch.
Example
# Display the attack source list.
<HUAWEI> display auto-defend attack-source
Attack Source User Table (slot 0):
-----------------------------------------------------------------------------
MacAddress InterfaceName Vlan:Outer/Inner TotalPackets
-----------------------------------------------------------------------------
xxxx-xxxx-xxxx GigabitEthernet0/0/1 100 1395
-----------------------------------------------------------------------------
Total: 1
Total: 1
S : start time
E : end time
Item Description
Attack History User Table (slot 0) Information about attack sources on the device, distinguished according to attackers.
Attack History Port Table (slot 0) Information about attack sources on the device, distinguished according to attacked interfaces.
Format
display auto-defend configuration [ cpu-defend policy policy-name ]
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After attack source tracing is configured in an attack defense policy, you can run
the display auto-defend configuration command to view the attack source
tracing configuration.
Example
# Display the attack source tracing configuration.
<HUAWEI> display auto-defend configuration
----------------------------------------------------------------------------
Name : test
Related slot : <0>
auto-defend : enable
auto-defend attack-packet sample : 5
auto-defend threshold : 60 (pps)
auto-defend alarm : enable
auto-defend trace-type : source-mac source-ip
auto-defend protocol : arp icmp dhcp igmp tcp telnet 8021x nd dhcpv6 mld icmpv6 tcpv6
auto-defend action : deny (Expired time : 300 s)
auto-defend whitelist 1 : acl number 2002
----------------------------------------------------------------------------
NOTE
The preceding information is an example. The displayed information depends on the actual
situation.
Item Description
auto-defend attack-packet sample Packet sampling ratio for attack source tracing. To set the packet sampling ratio for attack source tracing, run the auto-defend attack-packet sample command.
auto-defend alarm Whether the alarm function for attack source tracing is enabled. To enable the alarm function for attack source tracing, run the auto-defend alarm enable command.
auto-defend action Action taken on the attack source. The value can be:
● deny (Expired time: 300s): indicates that the device discards all attack packets in 300s.
● error-down: indicates that the inbound interfaces of attack packets are shut down.
To configure the punish action, run the auto-defend action command.
Function
The display auto-defend whitelist command displays information about the
attack source tracing whitelist.
Format
display auto-defend whitelist [ slot slot-id ]
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After the whitelist for attack source tracing is configured or when you locate faults
on network, run the display auto-defend whitelist command to verify whitelist
information. If no whitelist is configured, the command displays no whitelist
information.
Example
# Display information about the attack source tracing whitelist on the switch.
<HUAWEI> display auto-defend whitelist
Protocol Interface IP ACL Status
-------------------------------------------------------------------------------
DHCP GE0/0/1 -- -- auto
DHCP GE0/0/2 -- -- auto
Format
display auto-port-defend attack-source [ slot slot-id ]
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The source tracing information helps you locate attack sources.
Example
# Display the source tracing information on the interfaces of the device.
<HUAWEI> display auto-port-defend attack-source
Attack source table on slot 0:
Total : 1
--------------------------------------------------------------------------------
Interface VLAN Protocol Expire(s) PacketRate(pps)
LastAttackTime
--------------------------------------------------------------------------------
GE0/0/1 NA arp-request 297 12 2013-07-06 17:36:54
--------------------------------------------------------------------------------
Function
The display auto-port-defend configuration command displays the configuration
of port attack defense.
Format
display auto-port-defend configuration
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
To view the configuration of port attack defense, use this command.
Example
# Display the configuration of port attack defense on the local device.
<HUAWEI> display auto-port-defend configuration
--------------------------------------------------------------------------------
Name : test
Related slot : <0>
Auto-port-defend : enable
Auto-port-defend sample :5
Auto-port-defend aging-time : 300 second(s)
Auto-port-defend arp-request threshold : 120 pps(enable)
Auto-port-defend arp-request-uc threshold : 120 pps(enable)
Auto-port-defend arp-reply threshold : 120 pps(enable)
Auto-port-defend dhcp threshold : 120 pps(enable)
Auto-port-defend icmp threshold : 120 pps(enable)
Auto-port-defend igmp threshold : 120 pps(enable)
Auto-port-defend ip-fragment threshold : 30 pps(enable)
Auto-port-defend nd threshold : 120 pps(enable)
Auto-port-defend alarm : disable
--------------------------------------------------------------------------------
NOTE
The preceding information is an example. The displayed information depends on the actual
situation.
Function
The display auto-port-defend statistics command displays packet statistics
about port attack defense.
NOTE
Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S1730S-H, S2730S-S, S5735-L-I,
S5735-L1,S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S,
S5735-S-I, S6735-S, S6720-EI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S
support this command.
Format
display auto-port-defend statistics [ slot slot-id ]
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
You can run this command to view statistics about the packets discarded and
accepted in the port attack defense service. The statistics help you understand
protocol packet processing status and promptly adjust the attack defense policy.
Example
# Display packet statistics on the interfaces of the device.
<HUAWEI> display auto-port-defend statistics
Statistics on MPU:
--------------------------------------------------------------------------------
Protocol Vlan Queue Cir(Kbps) Pass(Packet/Byte) Drop(Packet/Byte)
--------------------------------------------------------------------------------
icmp NA 2 256 23095 3 NA NA
--------------------------------------------------------------------------------
NOTE
The preceding information is an example. The displayed packet type depends on the actual
situation.
Format
display auto-port-defend whitelist [ slot slot-id ]
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After the whitelist for port attack defense is configured or when you locate faults
on network, run the display auto-port-defend whitelist command to verify
whitelist information. If no whitelist is configured, the command displays no
whitelist information.
Example
# Display information about the interface attack defense whitelist.
<HUAWEI> display auto-port-defend whitelist
Protocol Interface IP ACL Status
-------------------------------------------------------------------------------
-- Eth-Trunk0 -- -- auto
-- GE0/0/1 -- -- manual
-- -- -- 2000 manual
Format
display cpu-defend applied [ packet-type packet-type ] { mcu | slot slot-id | all }
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The actual CAR values may be different from the configured CAR values. The
possible causes are as follows:
● The CIR value specified in the car packet-type packet-type cir cir-value [ cbs cbs-value ] command is a continuous range, but the actual CIR value is discrete, depending on the chip granularity. For example, if the CIR value is set between 65 and 128 with a granularity of 64 kbit/s, the actual CIR value may be 64 or 128, depending on the product model.
● The configured CIR value exceeds the chip capacity and the upper threshold.
For example, the CIR value is set to 10000, but the chip does not support CIR
value 1000. Then the actual CIR value cannot reach 10000.
You can run the display cpu-defend applied command to view the actual CAR
values for protocol packets.
NOTE
When too much output information is to be displayed, specify the begin, exclude, or include
parameter to display only the required information.
Example
# Display the actual CAR values for ARP Request messages sent from the switch.
<HUAWEI> display cpu-defend applied packet-type arp-request slot 0
Applied Car on slot 0:
-------------------------------------------------------------------------------
Packet Type Cir(Kbps) Cbs(Byte) Applied Cir(Kbps) Applied Cbs(Byte)
-------------------------------------------------------------------------------
arp-request 65 10000 128 10000
-------------------------------------------------------------------------------
Applied Car on slot 0: CAR value for protocol packets sent by a specified stack.
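The two causes of a configured/applied CIR mismatch described above (chip granularity rounding and the chip capacity ceiling) can be told apart mechanically from the display cpu-defend applied output. The following Python script is an added example, not part of the Huawei documentation: it parses rows in the layout shown above and classifies each mismatch. The sample output is constructed (only the arp-request row repeats the documented one), and the 64 kbit/s granularity is taken from the usage guidelines as a default that you should set to your product's value.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the "display cpu-defend applied" output above.
# The arp-request row repeats the documented one; the other two rows are made up.
SAMPLE_APPLIED = """\
Applied Car on slot 0:
-------------------------------------------------------------------------------
Packet Type        Cir(Kbps)  Cbs(Byte)  Applied Cir(Kbps)  Applied Cbs(Byte)
-------------------------------------------------------------------------------
arp-request        65         10000      128                10000
arp-reply          128        24064      128                24064
dhcp-client        10000      770048     4096               770048
-------------------------------------------------------------------------------
"""

# One data row: a packet type followed by four integer columns.
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")


@dataclass
class AppliedCar:
    packet_type: str
    cir: int
    cbs: int
    applied_cir: int
    applied_cbs: int


def parse_applied(text):
    """Parse the data rows of the display output; headers and rulers are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            name, *nums = m.groups()
            rows.append(AppliedCar(name, *(int(n) for n in nums)))
    return rows


def classify(row, granularity=64):
    """Explain a configured/applied CIR difference.

    'match'      applied equals configured
    'rounded'    applied is the granularity step just below or above configured
                 (the chip-granularity case described in the usage guidelines)
    'capped'     applied is a lower granularity multiple, i.e. the configured value
                 exceeds what the chip can apply (the capacity case)
    'unexpected' anything else; worth a closer look
    """
    if row.applied_cir == row.cir:
        return "match"
    lower = (row.cir // granularity) * granularity
    upper = lower if row.cir % granularity == 0 else lower + granularity
    if row.applied_cir in (lower, upper):
        return "rounded"
    if row.applied_cir < row.cir and row.applied_cir % granularity == 0:
        return "capped"
    return "unexpected"


def audit(text, granularity=64):
    """Return (packet_type, configured_cir, applied_cir, verdict) for every row
    whose applied CIR differs from the configured one."""
    return [(r.packet_type, r.cir, r.applied_cir, classify(r, granularity))
            for r in parse_applied(text) if r.applied_cir != r.cir]


if __name__ == "__main__":
    for entry in audit(SAMPLE_APPLIED):
        print("%-12s configured %6d kbit/s, applied %6d kbit/s: %s" % entry)
```

A "capped" verdict means the policy promises more CPU bandwidth to that protocol than the hardware delivers, so the effective protection is the applied value, not the configured one; an "unexpected" verdict is worth checking against the product's documented CIR range before assuming the chip is at fault.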
Format
The stack-incapable models support the following format:
display cpu-defend configuration [ packet-type packet-type ] [ all | slot slot-id ]
Other models support the following format:
display cpu-defend configuration [ packet-type packet-type ] { all | slot slot-id | mcu }
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
You can run the display cpu-defend configuration command to view the rate
limit of protocol packets sent to the CPU. By default, the rate limit of protocol
packets in the default policy is displayed.
In a stack, you can run the cpu-defend-policy global command to bind all
switches to the same attack defense policy. Then you can run the display cpu-
defend configuration all command to view the same CAR configuration of all
switches in the stack.
Example
# Display the CAR configurations.
<HUAWEI> display cpu-defend configuration all
Car configurations on mainboard.
----------------------------------------------------------------------
Packet Name Status Cir(Kbps) Cbs(Byte)
----------------------------------------------------------------------
Linkup Information:
--------------------------------------------------------------------------------
Packet Name : ftp
Cir(Kbps)/Cbs(Byte) : 4096/770048
SIP(SMAC) : 10.1.2.1
DIP(DMAC) : 10.1.3.1
Port(S/C) : 42372/22
--------------------------------------------------------------------------------
Car configurations on slot 0.
----------------------------------------------------------------------
Packet Name Status Cir(Kbps) Cbs(Byte) Queue Port-Type
----------------------------------------------------------------------
8021x Disabled 128 24064 3 NA
arp-mff Disabled 64 12032 3 NA
arp-miss Enabled 64 12032 3 NA
arp-reply Enabled 128 24064 3 UNI
arp-request Enabled 128 24064 3 UNI
bfd Disabled 64 12032 5 NNI
Linkup Information:
--------------------------------------------------------------------------------
Packet Name : ftp
Cir(Kbps)/Cbs(Byte) : 4096/770048
SIP(SMAC) : 10.1.2.1
DIP(DMAC) : 10.1.3.1
Port(S/C) : 42372/22
--------------------------------------------------------------------------------
NOTE
The preceding information is an example. The displayed packet type depends on the actual
situation.
NOTE
Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6735-S, S6720-EI, S6720S-EI,
S6730-H, S6730S-H, S6730-S, and S6730S-S support this function.
Format
display cpu-defend dynamic-adjust history-record [ packet-type { arp-reply |
arp-request | arp-request-uc | dhcp-client | dhcp-server | igmp | nd } ] { all |
mcu | slot slot-id }
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After adaptive CPCAR adjustment for protocol packets is enabled, you can run this
command to view the historical adaptive CPCAR adjustment records of protocol
packets. The information includes the adjustment time, CPCAR adjustments, and
reason for the adjustments.
You can use this command to check a maximum of 100 latest historical records.
Example
# Display historical adaptive CPCAR adjustment records of protocol packets.
<HUAWEI> display cpu-defend dynamic-adjust history-record all
Dynamic-adjust history-record on mainboard:
----------------------------------------------------------------------------------------
NOTE
Only the S5720I-SI, S1730S-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S, S5735-S-I, S5735S-H, S5736-S, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6735-S, S6720-EI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support this command.
Format
display cpu-defend dynamic-car history-record
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After the default CIR value is set, you can run this command to view the historical
records of adjusting the CPCAR value of protocol packets from 64 kbit/s to a
specific value.
The granularity of each adjustment is 64 kbit/s on the switch. If the default CPCAR
value is greater than 64 kbit/s, the adjustments from 64 kbit/s to the default
CPCAR value are only recorded but do not take effect.
You can use this command to check a maximum of 100 latest historical records.
Example
# Display the historical records on dynamic adjustment of the default CIR value of
protocol packets.
NOTE
Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S,
and S6730S-S support this command.
Format
display cpu-defend host-car [ mac-address mac-address ] statistics [ slot slot-id ]
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
To view the number of packets discarded in the user-level rate limiting, run this
command.
Precautions
● Before using this command, run the cpu-defend host-car enable command
to enable user-level rate limiting.
● If the number of discarded packets is 0, the index is not displayed.
Example
# Display the number of packets discarded in the user-level rate limiting.
<HUAWEI> display cpu-defend host-car statistics
slot 0
car-id car-drop
--------------------------------------------
3192 740385
3347 7
4133 529474
4471 529477
5075 529476
5836 529474
6046 1001218
Format
display cpu-defend policy [ policy-name ]
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After an attack defense policy is created, you can run the display cpu-defend
policy command to view the stack ID that the attack defense policy is applied to
and configurations of the attack defense policy.
Example
# Display information about all attack defense policies.
<HUAWEI> display cpu-defend policy
----------------------------------------------------------------
Name : default
Related slot : <3>
----------------------------------------------------------------
Name : test
Description : defend_arp_attack
Related slot : <mcu>
Port-type eni packet-type arp-request: ARP Request packets are sent to the CPU through ENI ports.
Format
display cpu-defend port-type slot slot-id
Parameters
Parameter Description Value
slot slot-id: Specifies the slot ID if stacking is not configured, or the stack ID if a stack is configured. The value must be set according to the device configuration.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After specifying interface types for sending protocol packets using the port type
{ uni | eni | nni } and port-type { uni | eni | nni } packet-type packet-type commands,
you can run the display cpu-defend port-type command to view the types of
interfaces on the device.
Example
# Display interface types in stack 0.
<HUAWEI> display cpu-defend port-type slot 0
Uni Port :
Eni Port :
Nni Port :GigabitEthernet0/0/1-22
Function
The display cpu-defend rate command displays the rate of sending protocol
packets to the CPU.
NOTE
Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S1730S-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S, S5735-S-I, S6735-S, S6720-EI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support this command.
Format
display cpu-defend rate [ packet-type packet-type ] [ all | slot slot-id ]
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
You can run the display cpu-defend rate command to view the rate of sending
protocol packets to the CPU when checking the configuration of an attack defense
policy. In this way, you can determine, based on the rate, which type of protocol
packets may be attacking the CPU.
NOTE
To ensure normal operation of other services and protect the CPU, the rate of incoming
protocol packets is measured only over a specified period after you run the display cpu-defend
rate command, and the result is then displayed on the terminal. After you run this command, a
message asking you to wait for a moment is displayed.
Example
# Display the rate of ARP Reply packets sent from the switch to the CPU.
<HUAWEI> display cpu-defend rate packet-type arp-reply slot 0
Info: Please wait for a moment....
Cpu-defend rate on slot 0:
-------------------------------------------------------------------------------
Packet Type Pass(bps) Drop(bps) Pass(pps) Drop(pps)
-------------------------------------------------------------------------------
arp-reply 49504 86496 91 159
-------------------------------------------------------------------------------
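To turn the rate output above into a ranked list of packet types that are hitting their CPCAR, the display rows can be parsed and sorted by drop rate. The following Python script is an added example, not part of the Huawei documentation. The sample output is constructed (only the arp-reply row repeats the documented one), and the two thresholds are assumptions chosen for the sample rather than documented values.

```python
import re

# Constructed sample in the layout of the "display cpu-defend rate" output above.
# The arp-reply row repeats the documented one; the other rows are made up.
SAMPLE_RATE = """\
Info: Please wait for a moment....
Cpu-defend rate on slot 0:
-------------------------------------------------------------------------------
Packet Type        Pass(bps)   Drop(bps)   Pass(pps)   Drop(pps)
-------------------------------------------------------------------------------
arp-reply          49504       86496       91          159
arp-request        12800       0           25          0
icmp               4096        61440       8           120
ospf               2048        0           4           0
-------------------------------------------------------------------------------
"""

# One data row: a packet type followed by the four integer rate columns.
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")


def parse_rate(text):
    """Return {packet_type: {pass_bps, drop_bps, pass_pps, drop_pps}}."""
    rates = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            name, pass_bps, drop_bps, pass_pps, drop_pps = m.groups()
            rates[name] = {"pass_bps": int(pass_bps), "drop_bps": int(drop_bps),
                           "pass_pps": int(pass_pps), "drop_pps": int(drop_pps)}
    return rates


def drop_ratio(entry):
    """Fraction of packets of this type that exceeded the CPCAR and were dropped."""
    total = entry["pass_pps"] + entry["drop_pps"]
    return entry["drop_pps"] / total if total else 0.0


def suspicious_types(rates, min_drop_pps=50, min_ratio=0.5):
    """Packet types whose drops exceed both thresholds, highest drop rate first.
    The thresholds are assumptions for the sample; tune them to the CPCAR in use."""
    hits = [(name, e["drop_pps"], round(drop_ratio(e), 3))
            for name, e in rates.items()
            if e["drop_pps"] >= min_drop_pps and drop_ratio(e) >= min_ratio]
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    for name, dropped, ratio in suspicious_types(parse_rate(SAMPLE_RATE)):
        print(f"{name:<12} {dropped:>6} pps dropped ({ratio:.0%} of this type)")
```

Because the command samples the rate over a period, as the note above says, a single run only shows the current load; a type that appears in the list on repeated runs is a better candidate for the deny or car (attack defense policy view) commands than one that appears once during a legitimate burst.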
Format
display cpu-defend statistics [ packet-type packet-type ] [ all | slot slot-id ]
NOTE
The S1720GF, S1720GFR-P, S1720GW-E, and S1720GWR-E do not support this command.
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
The display cpu-defend statistics command displays statistics about packets sent
to the CPU, including forwarded and discarded packets. This helps network
administrators configure attack defense policies.
Precautions
If all and slot are not specified, CAR statistics about packets sent to the CPU on
the master switch in a stack are displayed.
Example
# Display statistics about packets sent to the CPU on the switch, for example.
<HUAWEI> display cpu-defend statistics
Statistics on slot 0:
--------------------------------------------------------------------------------
Packet Type Pass(Packet/Byte) Drop(Packet/Byte) Last-dropping-time
--------------------------------------------------------------------------------
arp-miss 0 0 -
0 0
arp-reply 0 0 -
0 0
arp-request 0 0 -
0 0
......
# Display statistics about CAR packets sent to the CPU on the switch, for example,
the S5720-LI.
<HUAWEI> display cpu-defend statistics
Statistics on mainboard:
--------------------------------------------------------------------------------
Packet Type Pass(Packet) Drop(Packet)
--------------------------------------------------------------------------------
8021x 0 0
arp-reply 0 0
arp-request 0 0
bpdu 0 0
bpdu-tunnel 0 0
capwap-ctrl 0 0
dhcp-client 0 0
dhcp-server 0 0
eth-ring 0 0
fib-hit 0 0
ftp 0 0
https 0 0
icmp 0 0
igmp 0 0
ip-cloud 0 0
lacp 0 0
ldt 0 0
lnp 0 0
nd 0 0
ospf 0 0
pim 0 0
pppoe 0 0
rip 0 0
sip 0 0
telnet 0 0
vrrp 0 0
----------------------------------------------------------------------
# Display CAR statistics about Telnet packets of the switch, for example.
# Display CAR statistics about Telnet packets sent to the CPU on the switch, for
example, the S5720-LI.
<HUAWEI> display cpu-defend statistics packet-type telnet
Statistics on mainboard:
--------------------------------------------------------------------------------
Packet Type Pass(Packet) Drop(Packet)
--------------------------------------------------------------------------------
telnet 0 0
--------------------------------------------------------------------------------
NOTE
The preceding information is an example. The displayed packet type depends on the actual
situation.
NOTE
Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S,
and S6730S-S support this command.
Format
host-car disable
Parameters
None
Views
GE interface view, MultiGE interface view, XGE interface view, 25GE interface view,
40GE interface view, 100GE interface view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
By default, the switch performs user-level rate limiting on the users connecting to
all interfaces. If you are sure that the users connecting to an interface are secure,
you can disable user-level rate limiting on this interface.
Precautions
● Before using this command, run the cpu-defend host-car enable command
to enable user-level rate limiting.
● After user-level rate limiting is disabled on an interface, the switch does not
limit the rate of packets received from the specified user MAC address and
cannot protect the interface against attacks. In addition, the packets of the
same type sent from other users may be affected.
Example
# Disable user-level rate limiting on the interface.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] host-car disable
14.2.49 linkup-car
Function
The linkup-car command sets the CPCAR value for packets of a protocol
connection, including the Committed Information Rate (CIR) and Committed Burst
Size (CBS).
The undo linkup-car command restores the default CPCAR rate limit.
Table 14-38 lists the default CIR and CBS values for the setup of BGP, BGP4+, FTP,
IPv6 FTP, HTTP, HTTPS, IKE, IPSEC-ESP, ISIS, OSPF, OSPFv3, SSH, TELNET, and TFTP
connections; the CIR and CBS for sending packets of IP-CLOUD connections are
2048 kbit/s and 385024 bytes respectively.
Format
linkup-car packet-type { bgp | bgp4plus | ftp | ftpv6 | http | https | ike | ip-cloud | ipsec-esp | isis | ospf | ospfv3 | ssh | telnet | tftp } cir cir-value [ cbs cbs-value ]
undo linkup-car packet-type { bgp | bgp4plus | ftp | ftpv6 | http | https | ike | ip-cloud | ipsec-esp | isis | ospf | ospfv3 | ssh | telnet | tftp }
NOTE
● Only the S5735S-H, S5736-S, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S5735-S, S500, S5735S-S, S5735-S-I, S6735-S, S6720-EI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support the bgp parameter.
● Only the S5735S-H, S5736-S, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S1730S-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S, S5735-S-I, S6735-S, S6720-EI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support the https parameter.
● Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6735-S, S6720-EI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support the bgp4plus and isis parameters.
● Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6735-S, S6720-EI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support the ospfv3 parameter.
● Only the S1720GF, S1720GW-E, S1720GFR-P, S1720GWR-E, S2720-EI, S5720I-SI, S5720-LI, S1730S-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5720S-LI, S5735-S, S500, S5735S-S, S5735-S-I, S5735S-H, S5736-S, S6735-S, S6720-EI, and S6720S-EI support the ike parameter.
● Only the S2720-EI, S5720I-SI, S5720-LI, S1730S-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5720S-LI, S5735-S, S500, S5735S-S, S5735-S-I, S5735S-H, S5736-S, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6735-S, S6720-EI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support the ipsec-esp parameter.
● Only the S1720GF, S1720GFR-P, S1720GW-E, S1720GWR-E, S2720-EI, S5720-LI, S1730S-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S, S5735-S-I, S5720S-LI, S5735S-H, S5736-S, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6735-S, S6720-EI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support the ospf parameter.
● Only the S1720-10GF-2P, S1720-10GF-PWR-2P, S1720-28GFR-4P, S1720-28GFR-PWR-4P, S1720-52GFR-4P, S1720-52GFR-PWR-4P, S1730S-H, S1730S-S1, S200, S5720I-SI, S5720-LI, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5720S-LI, S500, S5735-S, S5735S-S, S5735-S-I, S5735S-H, S5736-S, S5731-H, S5731S-H, S5732-H, S5731-S, S5731S-S, S6730-S, S6730S-S, S6735-S, S6720-EI, S6720S-EI, S6730-H, and S6730S-H support the ip-cloud parameter.
Parameters
Parameter Description Value
Views
Attack defense policy view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The default CPCAR value of the BGP, BGP4+, FTP, IPv6 FTP, HTTP, HTTPS, IP-CLOUD,
ISIS, OSPFv3, OSPF, IKE, IPSEC-ESP, SSH, TFTP, and TELNET protocols is small. When a
switch uses these protocols to transfer files or set up connections with other hosts
or devices, the number of protocol packets sharply increases in a short period.
When the packet rate exceeds the limit, the protocol packets are dropped. The
switch may also undergo attacks using other protocols. This affects data transmission
and causes service interruption.
You can run the cpu-defend application-apperceive command to enable active
link protection (ALP), which keeps the services related to these protocols running
normally when attacks occur. When a connection is set up, the switch sends packets
at the rate of the CPCAR value configured using the linkup-car command. The CPCAR
value can be set as required.
Follow-up Procedure
Run the cpu-defend application-apperceive enable command to enable ALP, which
activates the rate limit set using the linkup-car command. By default, ALP is
enabled for FTP, IPv6 FTP, HTTP, IP-CLOUD, HTTPS, IKE, IPSEC-ESP, TFTP, SSH, and
TELNET packets and disabled for BGP, BGP4+, ISIS, OSPF, and OSPFv3 packets.
Precautions
You are advised to run the display cpu-defend configuration command to check
the CIR value supported by the protocol being used before running the linkup-car
command to set the rate limit.
BGP, BGP4+, ISIS, OSPF, and OSPFv3 are disabled when the configuration is
initialized. You can set the rate limit using the car command before the protocols
are enabled and the linkup-car command after connections are set up and ALP is
enabled.
You can set a shared CPCAR value for packets of FTP, IPv6 FTP, SSH, and TFTP
connections on the S1720GF, S1720GW-E, S1720GFR-P, S1720GWR-E, S2720-EI,
S5720I-SI, S5720-LI, S5720S-LI, S5735S-H, and S5736-S. For example, the
linkup-car packet-type ftp cir cir-value [ cbs cbs-value ] command specifies the
CPCAR value for FTP packets when an FTP connection is set up, and also specifies
the CPCAR value for packets of IPv6 FTP, SSH, and TFTP connections.
Product: S1720GW, S1720GWR, S1720GF, S1720GW-E, S1720GFR-P, S1720GWR-E, S5720-LI, S5720S-LI
Default CIR:
● FTP, IPv6 FTP, HTTP, SSH, TFTP: 1024 kbit/s
● IKE: 64 kbit/s
● IPSEC-ESP: 320 kbit/s
● OSPF: 512 kbit/s
● TELNET: 64 kbit/s
Default CBS:
● FTP, IPv6 FTP, HTTP, SSH, TFTP: 192512 bytes
● IKE: 12032 bytes
● IPSEC-ESP: 60160 bytes
● OSPF: 96256 bytes
● TELNET: 12032 bytes
Product: S5720I-SI
Default CIR:
● FTP, IPv6 FTP, HTTP, SSH, TFTP: 1024 kbit/s
● IKE: 64 kbit/s
● IPSEC-ESP: 320 kbit/s
● TELNET: 64 kbit/s
Default CBS:
● FTP, IPv6 FTP, HTTP, SSH, TFTP: 192512 bytes
● IKE: 12032 bytes
● IPSEC-ESP: 60160 bytes
● TELNET: 12032 bytes
Product: S1730S-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M
Default CIR:
● FTP, IPv6 FTP, HTTP, HTTPS, SSH, TFTP: 1536 kbit/s
● IKE: 64 kbit/s
● IPSEC-ESP: 800 kbit/s
● OSPF: 512 kbit/s
● TELNET: 64 kbit/s
Default CBS:
● FTP, IPv6 FTP, HTTP, HTTPS, SSH, TFTP: 288768 bytes
● IKE: 12032 bytes
● IPSEC-ESP: 150400 bytes
● OSPF: 96256 bytes
● TELNET: 12032 bytes
Product: S2720-EI
Default CIR:
● FTP, IPv6 FTP, HTTP, SSH, TFTP: 1024 kbit/s
● IKE: 64 kbit/s
● IPSEC-ESP: 320 kbit/s
● OSPF: 512 kbit/s
● TELNET: 64 kbit/s
Default CBS:
● FTP, IPv6 FTP, HTTP, SSH, TFTP: 192512 bytes
● IKE: 12032 bytes
● IPSEC-ESP: 60160 bytes
● OSPF: 96256 bytes
● TELNET: 12032 bytes
Example
# Set the CIR and CBS for sending packets of FTP connections to 1000 kbit/s and
100000 bytes.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] linkup-car packet-type ftp cir 1000 cbs 100000
Function
The port type command configures the interface type. The interface type can be
Network-to-Network Interface (NNI), User-to-Network Interface (UNI), or
Enhanced Network Interface (ENI).
Format
port type { uni | eni | nni }
Parameters
Parameter Description Value
Views
40GE interface view, GE interface view, XGE interface view, port group view, Eth-Trunk interface view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Generally, the protocol packets that can be sent to the CPU are controlled by an ACL.
When protocol packets are sent to the CPU, packets received on different interfaces
cannot be differentiated.
If an interface is attacked and the user stops the device from sending the affected
packet type to the CPU, that packet type cannot be sent from other interfaces either,
affecting communication of the device. If an interface is attacked and the user does
not stop the device from sending the packets, attack packets occupy resources and
valid packets cannot be sent.
For example, OSPF is enabled on an interface and OSPF packets are sent to the
device. If a non-OSPF interface is attacked, attack packets will occupy resources
Example
# Configure GE0/0/1 as an NNI.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port type nni
14.2.51 port-type
Function
The port-type command maps interfaces to protocol types. The type can be User-
to-Network Interface (UNI), Enhanced Network Interface (ENI), or Network-to-
Network Interface (NNI).
The undo port-type command cancels the configuration.
By default, the type of interface sending protocol packets to the CPU is displayed
using the display cpu-defend configuration command.
Format
port-type { uni | eni | nni } packet-type packet-type
undo port-type [ uni | eni | nni ] packet-type packet-type
Parameters
Parameter Description Value
Views
Attack defense policy view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Generally, the protocol packets that can be sent to the CPU are controlled by an ACL.
When protocol packets are sent to the CPU, packets received on different interfaces
cannot be differentiated.
If an interface is attacked and the user stops the device from sending the affected
packet type to the CPU, that packet type cannot be sent from other interfaces either,
affecting communication of the device. If an interface is attacked and the user does
not stop the device from sending the packets, attack packets occupy resources and
valid packets cannot be sent.
The port-type command maps interfaces to protocol types. The port type
command specifies the interface types according to port locations. By using the
two commands, the interfaces send only the packets of the supported protocols.
This reduces the workload of CPU and provides ways to flexibly protect the CPU.
NOTE
Protocol packets whose type is not mapped to the UNI, ENI, or NNI interface type are
sent to the CPU for processing from any interface on the device.
Procedure
After you run the port type command to configure interface types, run the port-type
command to specify the protocols supported by the interfaces and the method to
process the protocol packets.
Precautions
If you run the port-type command multiple times, only the latest configuration
takes effect because a protocol is mapped to only one interface type.
Follow-up Procedure
This command differentiates packets from different types of interfaces so that the
attack packets are denied and valid packets are forwarded. If an attack occurs, you
can run the deny command to discard a specified type of packets. When receiving
packets of the type, the interfaces discard these packets. You can also run the car
(attack defense policy view) command to limit the rate of attack packets of a
specified type.
Example
# Configure UNI interfaces to send ARP Reply packets to the CPU.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] port-type uni packet-type arp-reply
[HUAWEI-cpu-defend-policy-test] quit
[HUAWEI] cpu-defend-policy test global
Format
reset auto-defend attack-source [ history ] [ slot slot-id ]
Parameters
Parameter Description Value
slot slot-id: Specifies the slot ID if stacking is not configured, or the stack ID if stacking is enabled. If slot slot-id is not specified, information about attack sources is cleared. The value must be set according to the device configuration.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To view the latest attack source information on the device, run the reset auto-defend
attack-source command to delete the existing attack source information, wait for a
period, and run the display auto-defend attack-source command.
To delete historical attack source information, run the reset auto-defend
attack-source history command.
Example
# Delete existing attack source information on the device.
<HUAWEI> system-view
[HUAWEI] reset auto-defend attack-source
Format
reset auto-defend attack-source trace-type { source-mac [ mac-address ] |
source-ip [ ipv4-address | ipv6 ipv6-address ] | source-portvlan [ interface
Parameters
Parameter Description Value
source-mac [ mac-address ]: Clears the counter of packets traced after attack source tracing based on source MAC addresses is configured. The value of mac-address is in H-H-H format. An H contains 1 to 4 hexadecimal numbers.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To view information about attack sources in a specified period, run the reset
auto-defend attack-source command to clear existing information about attack
sources, and then run the display auto-defend attack-source command. However, the
reset auto-defend attack-source command clears information about all attack sources.
To clear information about specified attack sources only, run the reset auto-defend
attack-source trace-type command.
Example
# Clear the counter of traced packets sent from IP address 10.1.1.1.
<HUAWEI> system-view
[HUAWEI] reset auto-defend attack-source trace-type source-ip 10.1.1.1
Function
The reset auto-port-defend statistics command deletes packet statistics on port
attack defense.
NOTE
Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S1730S-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S, S5735-S-I, S6735-S, S6720-EI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support this command.
Format
reset auto-port-defend statistics [ all | slot slot-id ]
Parameters
Parameter Description Value
slot slot-id: The value indicates the slot ID if stacking is not configured, or the stack ID when a stack is configured. The value depends on the device configuration.
Views
All views
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Before viewing packet statistics of port attack defense in a certain period, delete
existing packet statistics, and then run the display auto-port-defend statistics
command to collect the latest statistics.
Example
# Delete packet statistics on the interfaces of the device.
<HUAWEI> reset auto-port-defend statistics
Function
The reset cpu-defend dynamic-car history-record command clears history
records on dynamic adjustment of the default CIR value of protocol packets.
NOTE
Only the S5720I-SI, S1730S-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S, S5735-S-I, S5735S-H, S5736-S, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6735-S, S6720-EI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support this command.
Format
reset cpu-defend dynamic-car history-record
Parameters
None
Views
User view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
You can run the reset cpu-defend dynamic-car history-record command to clear
the previous records and run the display cpu-defend dynamic-car history-record
command to view the history records on dynamic adjustment of the default CIR
value of protocol packets in a specified period.
Precautions
The reset cpu-defend dynamic-car history-record command clears history
records on dynamic adjustment of the default CIR value of protocol packets and
the records cannot be restored.
Example
# Clear the history records on dynamic adjustment of the default CIR value of
protocol packets.
<HUAWEI> reset cpu-defend dynamic-car history-record
NOTE
Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S,
and S6730S-S support this command.
Format
reset cpu-defend host-car [ mac-address mac-address ] statistics [ slot slot-id ]
Parameters
Views
User view
Default Level
2: Configuration level
Usage Guidelines
Before viewing the latest packet statistics in the user-level rate limiting, run this
command to clear existing packet statistics.
NOTICE
Packet statistics cannot be restored after they are deleted. Exercise caution when
you use the command.
Example
# Clear packet statistics in user-level rate limiting.
<HUAWEI> reset cpu-defend host-car statistics
Function
The reset cpu-defend statistics command clears statistics on packets sent to the
CPU.
Format
reset cpu-defend statistics [ packet-type packet-type ] [ all | slot slot-id ]
NOTE
The S1720GF, S1720GFR-P, S1720GW-E, and S1720GWR-E do not support this command.
Parameters
Parameter Description Value
slot slot-id: Specifies the slot ID if stacking is not configured, or the stack ID if stacking is enabled. The value must be set according to the device configuration.
Views
User view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To view statistics on the packets sent to the CPU in a specified period, run the
reset cpu-defend statistics command to clear existing statistics and run the
display cpu-defend statistics command.
Precautions
The deleted packet statistics cannot be restored.
Example
# Clear statistics on BGP packets sent to the CPU.
<HUAWEI> reset cpu-defend statistics packet-type bgp slot 0
14.2.58 user-defined-flow
Function
The user-defined-flow command configures a user-defined flow.
NOTE
Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6735-S, S6720-EI, S6720S-EI,
S6730-H, S6730S-H, S6730-S, and S6730S-S support this command.
Format
user-defined-flow flow-id acl acl-number
Parameters
Parameter Description Value
Views
Attack defense policy view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When unknown attacks occur on the network, you can run the user-defined-flow
command to bind an ACL rule with a user-defined flow. Then you can run the car
user-defined-flow flow-id cir cir-value [ cbs cbs-value ] command to limit the
rate of flows with the specific characteristic or run the deny user-defined-flow
flow-id command to discard these flows.
Precautions
If an ACL containing the deny action is applied to the user-defined flow, packets
matching the ACL are discarded.
Example
# Specify ACL 2001 as the rule of user-defined flow 2.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] user-defined-flow 2 acl 2001
14.2.59 whitelist
Function
The whitelist command configures a whitelist.
The undo whitelist command deletes a whitelist.
By default, no whitelist is configured.
Format
whitelist whitelist-id acl acl-number
undo whitelist whitelist-id
Parameters
Parameter Description Value
Views
Attack defense policy view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
You can create a whitelist and add users with specified characteristic to the
whitelist. The device processes packets sent from users in the whitelist first. You
can set the attributes of the whitelist flexibly by defining ACL rules.
Precautions
If an ACL containing the deny action is applied to the whitelist, packets sent from
users in the whitelist are discarded.
For X series cards, the packets from users in the whitelist are preferentially sent to
the CPU at a high rate, and the display cpu-defend statistics command cannot
collect statistics on these packets.
Example
# Specify ACL 2002 as the rule of whitelist 2.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] whitelist 2 acl 2002
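The precaution above, and the matching one for user-defined-flow, both warn that an ACL containing a deny rule silently turns a whitelist or a user-defined flow into a discard rule. That is easy to catch before the policy is applied by scanning the configuration. The following Python script is an added example, not part of the Huawei documentation: it reads a constructed configuration excerpt, collects the rule actions of each ACL, and reports every whitelist or user-defined-flow binding whose ACL contains a deny rule. The "acl number", "rule", "cpu-defend policy", "whitelist" and "user-defined-flow" lines follow the command formats on this page; the exact layout of a real running configuration (indentation and the "#" section separators) is an assumption.

```python
import re

# Constructed configuration excerpt; the section layout is an assumption.
SAMPLE_CONFIG = """\
acl number 2001
 rule 5 permit source 10.1.1.0 0.0.0.255
#
acl number 2002
 rule 5 permit source 10.1.2.0 0.0.0.255
 rule 10 deny source 10.1.2.100 0
#
cpu-defend policy test
 user-defined-flow 2 acl 2001
 whitelist 2 acl 2002
#
"""

ACL_HDR = re.compile(r"^acl(?: number)? (\d+)$")
RULE = re.compile(r"^rule \d+ (permit|deny)\b")
POLICY = re.compile(r"^cpu-defend policy (\S+)$")
BIND = re.compile(r"^(whitelist|user-defined-flow) (\d+) acl (\d+)$")


def parse_acls(config):
    """Map ACL number -> list of rule actions, in rule order."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_HDR.match(line)
        if m:
            current = int(m.group(1))
            acls.setdefault(current, [])
            continue
        m = RULE.match(line)
        if m and current is not None:
            acls[current].append(m.group(1))
            continue
        if line == "#":            # end of the current section
            current = None
    return acls


def parse_bindings(config):
    """Return (policy, keyword, id, acl) for every whitelist / user-defined-flow line."""
    out, policy = [], None
    for raw in config.splitlines():
        line = raw.strip()
        m = POLICY.match(line)
        if m:
            policy = m.group(1)
            continue
        m = BIND.match(line)
        if m and policy is not None:
            out.append((policy, m.group(1), int(m.group(2)), int(m.group(3))))
        if line == "#":
            policy = None
    return out


def deny_bindings(config):
    """Bindings whose ACL contains a deny rule: packets matching those rules are
    discarded instead of being whitelisted or rate-limited."""
    acls = parse_acls(config)
    return [b for b in parse_bindings(config) if "deny" in acls.get(b[3], [])]


if __name__ == "__main__":
    for policy, keyword, ident, acl in deny_bindings(SAMPLE_CONFIG):
        print(f"policy {policy}: {keyword} {ident} uses ACL {acl}, which contains a deny rule")
```

Run against the sample, the checker flags whitelist 2 in policy test because ACL 2002 carries a deny rule, while user-defined-flow 2 (ACL 2001, permit only) passes. An ACL that is referenced but not defined yields no actions and is not flagged; extend the check if you also want to catch dangling references.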
Function
The display mac-forced-forwarding command displays the MFF configuration.
Format
display mac-forced-forwarding { network-port | vlan vlan-id }
Parameters
Parameter Description Value
vlan vlan-id: Displays the MFF configuration in a specified VLAN.
Value: The value is an integer that ranges from 1 to 4094.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The display mac-forced-forwarding command displays the MFF network
interface information and MFF configuration in a specified VLAN.
NOTE
When the user-bind static command is executed to configure a static binding entry for a non-
DHCP user, at least ip-address and vlan vlan-id [ ce-vlan ce-vlan-id ] must be specified. In this
case, the MFF entry that has the same IP address and VLAN ID as the static binding entry can
be deleted when the static binding entry is deleted.
Example
# Display information about the MFF network interface.
<HUAWEI> display mac-forced-forwarding network-port
--------------------------------------------------------------------------------
VLAN ID Network-ports
--------------------------------------------------------------------------------
VLAN 10 GigabitEthernet0/0/1
GigabitEthernet0/0/2
GigabitEthernet0/0/3
VLAN 100 GigabitEthernet0/0/4
GigabitEthernet0/0/5
Item Description
Function
The mac-forced-forwarding arp-trigger command enables an EAN to add or
update an MFF entry when receiving an ARP packet from a user.
By default, the EAN does not add or update an MFF entry when receiving an ARP
packet from a user.
Format
mac-forced-forwarding arp-trigger
undo mac-forced-forwarding arp-trigger
Parameters
N/A
Views
VLAN view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
In a data center, users and virtual machine (VM) servers are isolated at Layer 2 on
EAN devices using MFF. If a VM migrates between servers, connects to another
EAN, and does not send DHCP request packets, the new EAN may hold only a backup
binding table while the original EAN still retains the MFF entry. Layer 2
isolation and Layer 3 communication between users and servers are then no longer
guaranteed. Run the mac-forced-forwarding arp-trigger command on the new EAN
to make it check the binding entries when it receives an ARP packet from the
user. If an entry matches the user, the EAN updates the MFF entry. If no entry
matches the user, the EAN adds a new entry. The EAN broadcasts the first ARP
packet it receives from a user to all network interfaces regardless of whether an
entry for that user exists.
Prerequisite
MFF has been enabled in the system view and VLAN view using the mac-forced-
forwarding enable command.
Example
# Enable the EAN to add or update the MFF entries when receiving an ARP packet
from a user in VLAN 100.
<HUAWEI> system-view
[HUAWEI] vlan 100
[HUAWEI-vlan100] mac-forced-forwarding enable
[HUAWEI-vlan100] mac-forced-forwarding arp-trigger
Format
mac-forced-forwarding dumb-terminal-compatible
undo mac-forced-forwarding dumb-terminal-compatible
Parameters
None
Views
VLAN view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When the MFF device connects to dumb terminals (which do not actively send
ARP request packets or send ARP request packets at a long interval), the MFF
device must transparently transmit the ARP packets from gateway to dumb
terminals after the MFF entries are aged out; otherwise, the user ARP entries on
gateway are aged out and user services are interrupted. Therefore, when the MFF
device connects to dumb terminals, the MFF device needs to be configured to
transparently transmit the ARP packets from gateway to dumb terminals.
Prerequisites
Global MFF has been enabled using the mac-forced-forwarding enable
command.
Precautions
After the MFF device is configured to transparently transmit ARP packets to dumb
terminals, run the mac-forced-forwarding static-gateway command to configure
an IP address for the static gateway; otherwise, this function does not take effect.
After this function is enabled, the MFF device searches the static binding table
(configured using the user-bind static command) when it receives ARP request
packets from the gateway:
● If an outbound interface for the target user is found in the static binding
table, the device forwards the ARP request packets through that interface only.
● If no outbound interface is found in the static binding table, the device
broadcasts the ARP request packets in the VLAN. In this situation, all users in
the VLAN receive the ARP packets.
Example
# Configure a device to transparently transmit ARP packets from gateway to
dumb terminals in VLAN 100.
<HUAWEI> system-view
[HUAWEI] mac-forced-forwarding enable
[HUAWEI] vlan 100
[HUAWEI-vlan100] mac-forced-forwarding enable
[HUAWEI-vlan100] mac-forced-forwarding dumb-terminal-compatible
Format
mac-forced-forwarding enable
Parameters
None
Views
System view, VLAN view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Many networks require that the gateway monitor data traffic and isolate users.
MFF isolates users at Layer 2 and connects users at Layer 3 on the same network
segment. MFF enables traffic to be forwarded through the gateway. This
implements traffic monitoring and accounting and ensures network security.
Precautions
You can run the mac-forced-forwarding enable command in the VLAN view and
perform other configurations only after you enable MFF globally in the system
view.
After MFF is disabled in the system view, other MFF configurations are
automatically deleted.
MFF cannot be enabled in a VLAN where the super VLAN or VLANIF interface is
configured.
MFF cannot be enabled in a sub-VLAN where the super VLAN and VLANIF
interface are configured.
The MFF function is implemented based on ARP proxy, whereas the EAI function is
implemented based on ARP request packet forwarding. Therefore, the two
functions conflict with each other. If you have enabled both MFF and EAI in the
same VLAN, the MFF function takes effect.
NOTE
When you enable MFF, if ACL resources are insufficient, the MFF function does not take
effect.
MFF cannot be configured in the super-VLAN.
When DHCP relay is configured in a super VLAN, MFF cannot be enabled in its sub-VLANs.
Example
# Enable MFF in VLAN 100.
<HUAWEI> system-view
[HUAWEI] mac-forced-forwarding enable
[HUAWEI] vlan 100
[HUAWEI-vlan100] mac-forced-forwarding enable
Function
The mac-forced-forwarding gateway-detect command enables timed gateway
detection and sets the gateway detection interval.
By default, timed gateway detection is enabled and the default gateway detection
interval is 30s.
Format
mac-forced-forwarding gateway-detect [ interval interval-time ]
Parameters
Parameter Description Value
Views
VLAN view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
On a live network, services may be interrupted for a long time because the
MFF-enabled device cannot immediately detect a change of the gateway MAC address.
Timed gateway detection solves this problem. After the detection function is
enabled (it is enabled by default), the MFF-enabled device scans the recorded
gateway information every interval-time seconds. For each recorded gateway, the
MFF-enabled device uses user information to construct an ARP request packet and
sends it to the network interface, then learns the gateway MAC address from the
ARP reply packet. If the gateway MAC address has changed, the MFF-enabled device
immediately updates the gateway information and broadcasts gratuitous ARP
packets to users so that they update the gateway MAC address in their ARP
entries.
Prerequisites
Precautions
After MFF is enabled, timed gateway detection does not take effect if no ARP
request packet has been received from a user or the gateway, or if no user has
been authorized by the DHCP server to access the network.
If a gateway fails, traffic between users is blocked. To limit this, the device
considers a gateway invalid when it receives no response from the gateway after
five consecutive detection attempts, and then deletes the MAC address entry of
the invalid gateway. If the gateway detection interval is changed while a
detection is in progress, the detection attempts already made are kept in the
count rather than restarted.
Example
# Enable timed gateway detection in VLAN 10.
<HUAWEI> system-view
[HUAWEI] vlan 10
[HUAWEI-vlan10] mac-forced-forwarding enable
[HUAWEI-vlan10] mac-forced-forwarding gateway-detect
Function
The mac-forced-forwarding igmp-query discard command configures an MFF-
enabled device to discard the IGMP Query messages from users when both MFF
and IGMP snooping are enabled in a VLAN.
The undo mac-forced-forwarding igmp-query discard command disables an
MFF-enabled device from discarding the IGMP Query messages from users when
both MFF and IGMP snooping are enabled in a VLAN.
By default, an MFF-enabled device does not discard the IGMP Query messages
from users when both MFF and IGMP snooping are enabled in a VLAN.
Format
mac-forced-forwarding igmp-query discard
undo mac-forced-forwarding igmp-query discard
Parameters
None.
Views
VLAN view
Default Level
2: Configuration level
Usage Guidelines
After MFF and IGMP snooping are enabled in a VLAN, the IGMP Query messages
are broadcast in the VLAN. To prevent IGMP Query message broadcasting, use the
mac-forced-forwarding igmp-query discard command.
Example
# Configure an MFF-enabled device to discard the IGMP Query messages from
users in VLAN10.
<HUAWEI> system-view
[HUAWEI] vlan 10
[HUAWEI-vlan10] mac-forced-forwarding igmp-query discard
By default, the user-side inbound interface on a device does not discard IPv6
packets from users.
Format
mac-forced-forwarding ipv6-isolate
undo mac-forced-forwarding ipv6-isolate
Parameters
None.
Views
VLAN view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After the mac-forced-forwarding ipv6-isolate command is used, the user-side
inbound interface on a device discards the IPv6 packets from users to prevent IPv6
packets from being broadcast on the VLAN. If the device does not discard IPv6
packets, users can learn the MAC addresses of each other, which makes MFF user
isolation function invalid.
Prerequisites
The MFF function has been enabled in the system view and the VLAN view.
The VLAN contains at least one network-side interface.
Example
# Configure the user-side inbound interface on a device to discard IPv6 packets
from users.
<HUAWEI> system-view
[HUAWEI] vlan 100
[HUAWEI-vlan100] mac-forced-forwarding enable
[HUAWEI-vlan100] mac-forced-forwarding ipv6-isolate
Format
mac-forced-forwarding network-port
undo mac-forced-forwarding network-port
Parameters
None
Views
Ethernet interface view, GE interface view, XGE interface view, 25GE interface view,
MultiGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk
interface view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To make MFF in a VLAN effective, ensure that at least one network interface
belongs to the VLAN. Therefore, configure network interfaces for MFF.
The interface that is connected to the gateway and other network devices is
configured as a network interface.
Precautions
MFF has been enabled in the system view using the mac-forced-forwarding
enable command. Regardless of whether MFF is enabled in the VLAN that an
interface belongs to, the interface can be configured as a network interface.
Multiple interfaces can be configured as network interfaces.
Example
# Configure GE0/0/1 as a network interface.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] mac-forced-forwarding network-port
Info: This operation may take a few seconds. Please wait for a moment.....
By default, the network interface on an EAN does not delete the MFF entry when
receiving an ARP packet.
Format
mac-forced-forwarding network-port-arp-trigger
Parameters
N/A
Views
VLAN view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
In a data center, users and VM servers are isolated at Layer 2 on EAN devices
using MFF. If a VM migrates between servers and connects to another EAN while
the binding table on the original EAN has not aged out, the original EAN still
considers the VM an MFF host. An attacker who spoofs the VM's IP address and MAC
address can then reach other users or send ARP request packets through the
original EAN, which still accepts them; the attack is not defended against.
After you run the mac-forced-forwarding network-port-arp-trigger command on the
original EAN, the original EAN treats an ARP packet from this VM arriving on a
network interface as proof that the VM has migrated to another EAN, and deletes
the MFF entry mapped to the VM.
Prerequisites
MFF has been enabled in the system view and VLAN view using the mac-forced-
forwarding enable command.
Example
# Enable the network interface on an EAN to delete an MFF entry when receiving
an ARP packet.
<HUAWEI> system-view
[HUAWEI] vlan 100
[HUAWEI-vlan100] mac-forced-forwarding enable
[HUAWEI-vlan100] mac-forced-forwarding network-port-arp-trigger
Function
The mac-forced-forwarding server command configures the IP address for a
server on the MFF network.
Format
mac-forced-forwarding server server-ip &<1–10>
Parameters
Parameter Description Value
server-ip: Specifies the IP address for a server.
Value: The value is in dotted decimal notation.
NOTE
This IP address must be a class A, B, or C address. If the IP address is a class A
address, it cannot be in the format 0.x.x.x.
Views
VLAN view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
NOTE
This command is required only when the application servers and clients are in the same VLAN.
Example
# Configure IP address 192.168.1.2 for a server in VLAN 100.
<HUAWEI> system-view
[HUAWEI] vlan 100
[HUAWEI-vlan100] mac-forced-forwarding enable
[HUAWEI-vlan100] mac-forced-forwarding server 192.168.1.2
Format
mac-forced-forwarding static-gateway ip-address &<1-16>
undo mac-forced-forwarding static-gateway { ip-address | all }
Parameters
Parameter Description Value
ip-address: Specifies the static gateway IP address in a VLAN. A maximum of 16
static gateway IP addresses in a VLAN can be specified in this command.
Value: The value is in dotted decimal notation.
NOTE
This IP address must be a class A, B, or C address. If the IP address is a class A
address, it cannot be in the format 0.x.x.x.
Views
VLAN view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The static gateway is applicable when users are configured with static IP
addresses. These users cannot dynamically obtain gateway information through
DHCP packets. In this case, configure a static gateway address for each VLAN.
After you run the mac-forced-forwarding static-gateway command, the users
who are not authorized by the DHCP server can use the static gateway address to
access the network. The users who are authorized by the DHCP server can still
access the original gateway.
Prerequisites
Global MFF has been enabled using the mac-forced-forwarding enable
command.
Precautions
If a static gateway IP address is changed, users will fail to access the network. The
MAC address in the ARP table on the client belongs to the old gateway. After a
new gateway is configured, the ARP entry on client is not updated immediately
(that is, the MAC address in ARP table is not updated to the new gateway's MAC
address). Therefore, the user cannot access the network.
Example
# Configure static gateway IP address 10.1.1.10 in VLAN 100.
<HUAWEI> system-view
[HUAWEI] vlan 100
[HUAWEI-vlan100] mac-forced-forwarding enable
[HUAWEI-vlan100] mac-forced-forwarding static-gateway 10.1.1.10
Format
mac-forced-forwarding user-detect transparent
Parameters
None
Views
VLAN view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
In MFF networking, if the gateway performs accounting for users based on the
online duration, the gateway must know whether a user is online at a specified
moment. By default, the MFF-enabled device sends ARP reply packets in response
to ARP request packets sent from the gateway. The MFF-enabled device can
always send ARP reply packets as long as the MFF entry is not aged out. As a
result, the gateway always considers users online even if they have gone offline.
Prerequisites
Precautions
Example
# Enable transparent transmission of ARP request packets in VLAN 10.
<HUAWEI> system-view
[HUAWEI] vlan 10
[HUAWEI-vlan10] mac-forced-forwarding enable
[HUAWEI-vlan10] mac-forced-forwarding user-detect transparent
Function
The anti-attack abnormal enable command enables defense against malformed
packet attacks.
The undo anti-attack abnormal enable command disables defense against
malformed packet attacks.
The anti-attack abnormal disable command disables defense against malformed
packet attacks.
By default, defense against malformed packet attacks is enabled.
Format
anti-attack abnormal enable
undo anti-attack abnormal enable
anti-attack abnormal disable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The malformed packet attack is to send malformed IP packets to the system. If
such an attack occurs, the system may break down when processing the
malformed IP packets. To prevent the system from breaking down and to ensure
The device detects malformed packets after defense against malformed packets is
enabled.
Precautions
You can also run the anti-attack enable command in the system view to enable
attack defense against all attack packets including malformed packets.
Example
# Enable defense against malformed packet attacks.
<HUAWEI> system-view
[HUAWEI] anti-attack abnormal enable
Function
The anti-attack enable command enables defense against all attack packets.
The undo anti-attack enable command disables defense against all attack
packets.
The anti-attack disable command disables defense against all attack packets.
Format
anti-attack enable
anti-attack disable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Precautions
Example
# Enable defense against all attack packets.
<HUAWEI> system-view
[HUAWEI] anti-attack enable
Function
The anti-attack fragment enable command enables defense against packet
fragment attacks.
Format
anti-attack fragment enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The device detects malformed packet fragments after defense against packet
fragment attacks is enabled. If the device detects such fragments, it limits
their rate to ensure that the device CPU works properly.
Precautions
You can also run the anti-attack enable command in the system view to enable
attack defense against all attack packets including packet fragments.
Example
# Enable defense against packet fragment attacks.
<HUAWEI> system-view
[HUAWEI] anti-attack fragment enable
Function
The anti-attack fragment car command sets the rate limit of packet fragments.
The undo anti-attack fragment car command restores the rate limit of packet
fragments.
Format
anti-attack fragment car cir cir
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After defense against packet fragment attacks is enabled, run the anti-attack
fragment car command to set the rate limit of packet fragments. If the rate of
received packet fragments exceeds the rate limit, the device discards excess packet
fragments to ensure that the device CPU works properly.
Prerequisites
Defense against packet fragment attacks has been enabled using the anti-attack
fragment enable command.
Example
# Set the rate limit of packet fragments to 8000 bit/s.
<HUAWEI> system-view
[HUAWEI] anti-attack fragment enable
[HUAWEI] anti-attack fragment car cir 8000
Function
The anti-attack icmp-flood enable command enables defense against ICMP
flood attacks.
Format
anti-attack icmp-flood enable
undo anti-attack icmp-flood enable
anti-attack icmp-flood disable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
If an attacker sends a large number of ICMP request packets to the target host in
a short time, the target host is busy with these ICMP request packets. As a result,
the target host is overloaded and cannot process normal services. To prevent ICMP
flood attacks, run the anti-attack icmp-flood enable command to enable defense
against ICMP flood attacks.
The device detects ICMP flood attack packets after defense against ICMP flood
attacks is enabled. If the device detects ICMP flood attack packets, the device
limits the rate of these ICMP flood attack packets to ensure that the device CPU
works properly.
Precautions
You can also run the anti-attack enable command in the system view to enable
attack defense against all attack packets including ICMP flood attack packets.
Example
# Enable defense against ICMP flood attacks.
<HUAWEI> system-view
[HUAWEI] anti-attack icmp-flood enable
Function
The anti-attack icmp-flood car command sets the rate limit of ICMP flood attack
packets.
The undo anti-attack icmp-flood car command restores the default rate limit of
ICMP flood attack packets.
By default, the rate limit of ICMP flood attack packets is 155000000 bit/s.
Format
anti-attack icmp-flood car cir cir
undo anti-attack icmp-flood car
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After defense against ICMP flood attacks is enabled, run the anti-attack icmp-
flood car command to set the rate limit of ICMP flood attack packets. If the rate
of received ICMP flood attack packets exceeds the rate limit, the device discards
excess ICMP flood attack packets to ensure that its CPU works properly.
Prerequisites
Defense against ICMP flood attacks has been enabled using the anti-attack icmp-
flood enable command.
Example
# Set the rate limit of ICMP flood attack packets to 8000 bit/s.
<HUAWEI> system-view
[HUAWEI] anti-attack icmp-flood enable
[HUAWEI] anti-attack icmp-flood car cir 8000
Function
The anti-attack tcp-syn enable command enables defense against TCP SYN flood
attacks.
The undo anti-attack tcp-syn enable command disables defense against TCP
SYN flood attacks.
The anti-attack tcp-syn disable command disables defense against TCP SYN
flood attacks.
By default, defense against TCP SYN flood attacks is enabled.
Format
anti-attack tcp-syn enable
undo anti-attack tcp-syn enable
anti-attack tcp-syn disable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
An attacker sends a SYN packet to a target host to initiate a TCP connection but
does not respond to the SYN-ACK sent from the target host. If the target host
receives no ACK packet from the attacker, it keeps waiting for the ACK packet. A
half-open connection is formed. The attacker keeps sending SYN packets, so many
half-open connections are set up on the target host. This wastes a large number
of resources. To prevent TCP SYN flood attacks, run the anti-attack tcp-syn
enable command to enable defense against TCP SYN flood attacks.
The device detects TCP SYN flood attack packets after defense against TCP SYN
flood attacks is enabled. If the device detects TCP SYN flood attack packets, the
device limits the rate of these TCP SYN flood attack packets to ensure that the
device CPU works properly.
Precautions
You can also run the anti-attack enable command in the system view to enable
attack defense against all attack packets including TCP SYN flood attack packets.
Example
# Enable defense against TCP SYN flood attacks.
<HUAWEI> system-view
[HUAWEI] anti-attack tcp-syn enable
Function
The anti-attack tcp-syn car command sets the rate limit at which TCP SYN
packets are received.
The undo anti-attack tcp-syn car command restores the default rate limit at
which TCP SYN packets are received.
By default, the rate limit at which TCP SYN packets are received is 155000000
bit/s.
Format
anti-attack tcp-syn car cir cir
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After defense against TCP SYN flood attacks is enabled, run the anti-attack tcp-
syn car command to set the rate limit at which TCP SYN packets are received. If
the rate of received TCP SYN attack packets exceeds the rate limit, the device
discards excess TCP SYN flood attack packets to ensure that the device CPU works
properly.
Prerequisites
Defense against TCP SYN flood attacks has been enabled using the anti-attack
tcp-syn enable command.
Example
# Set the rate limit at which TCP SYN packets are received to 8000 bit/s.
<HUAWEI> system-view
[HUAWEI] anti-attack tcp-syn enable
[HUAWEI] anti-attack tcp-syn car cir 8000
Function
The anti-attack udp-flood enable command enables defense against UDP flood
attacks.
The undo anti-attack udp-flood enable command disables defense against UDP
flood attacks.
The anti-attack udp-flood disable command disables defense against UDP flood
attacks.
By default, defense against UDP flood attacks is enabled.
Format
anti-attack udp-flood enable
undo anti-attack udp-flood enable
anti-attack udp-flood disable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
If an attacker sends a large number of UDP packets to the target host in a short
time, the target host is busy with these UDP packets. As a result, the target host is
overloaded and cannot process normal services. To prevent UDP flood attacks, run
the anti-attack udp-flood enable command to enable defense against UDP flood
attacks.
The device detects UDP flood attack packets after defense against UDP flood
attacks is enabled. The device directly discards UDP flood attack packets.
Precautions
You can also run the anti-attack enable command in the system view to enable
attack defense against all attack packets including UDP flood attack packets.
Example
# Enable defense against UDP flood attacks.
<HUAWEI> system-view
[HUAWEI] anti-attack udp-flood enable
Function
The display anti-attack statistics command displays statistics about attack
packets of a specified type.
Format
display anti-attack statistics [ abnormal | fragment | tcp-syn | udp-flood |
icmp-flood ]
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The display anti-attack statistics command displays statistics on attack packets
of the following types: malformed packet attack, packet fragment attack, TCP SYN
flood attack, UDP flood attack, ICMP flood attack.
Example
# Display attack defense statistics.
<HUAWEI> display anti-attack statistics
Packets Statistic Information:
-------------------------------------------------------------------------------
AntiAtkType TotalPacketNum DropPacketNum PassPacketNum
(H) (L) (H) (L) (H) (L)
-------------------------------------------------------------------------------
URPF 0 0 0 0 0 0
Abnormal 0 0 0 0 0 0
Fragment 0 0 0 0 0 0
Tcp-syn 0 58 0 0 0 58
Udp-flood 0 0 0 0 0 0
Icmp-flood 0 0 0 0 0 0
-------------------------------------------------------------------------------
Item Description
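The statistics above are printed as pairs of 32-bit halves, (H) and (L), per counter. The following is an added example, not part of this command reference and not device code: it parses the output of display anti-attack statistics into 64-bit counters, checks that each row's total equals drops plus passes, reports the attack types that are being dropped, and computes drop increments between two polls while tolerating a reset anti-attack statistics in between. The sample output is constructed from the page's example table, with the Icmp-flood row altered so that a non-zero (H) half is exercised.

```python
"""Added example, not from the Huawei command reference or device firmware:
parses the text of `display anti-attack statistics` into 64-bit counters and
reports which attack types are being dropped. The device prints every counter
as two 32-bit halves, (H) and (L); the real value is (H << 32) | L, so a
monitor that reads only the (L) column wraps silently at 2**32."""

from typing import Dict, List

# Row names exactly as the device prints them (URPF appears in the output
# although it is not one of the command's filter keywords).
ATTACK_TYPES = ("URPF", "Abnormal", "Fragment", "Tcp-syn", "Udp-flood", "Icmp-flood")

Counters = Dict[str, Dict[str, int]]

# Constructed sample: the page's example table, with the Icmp-flood row
# changed to (H)=1 halves so the 64-bit join is actually tested.
SAMPLE_OUTPUT = """\
Packets Statistic Information:
-------------------------------------------------------------------------------
AntiAtkType TotalPacketNum DropPacketNum PassPacketNum
 (H) (L) (H) (L) (H) (L)
-------------------------------------------------------------------------------
URPF 0 0 0 0 0 0
Abnormal 0 0 0 0 0 0
Fragment 0 0 0 0 0 0
Tcp-syn 0 58 0 0 0 58
Udp-flood 0 0 0 0 0 0
Icmp-flood 1 120 1 100 0 20
-------------------------------------------------------------------------------
"""


def _join(high: str, low: str) -> int:
    """Combine the (H) and (L) 32-bit halves into one 64-bit counter."""
    hi, lo = int(high), int(low)
    if not (0 <= hi < 2**32 and 0 <= lo < 2**32):
        raise ValueError("counter halves must fit in 32 bits")
    return (hi << 32) | lo


def parse_anti_attack_statistics(text: str) -> Counters:
    """Return {type: {"total": n, "drop": n, "pass": n}} for each data row."""
    stats: Counters = {}
    for line in text.splitlines():
        fields = line.split()
        # A data row is: <type> H L H L H L ; headers and rules have other shapes.
        if len(fields) != 7 or fields[0] not in ATTACK_TYPES:
            continue
        if not all(f.isdigit() for f in fields[1:]):
            continue
        total, drop, passed = (_join(fields[i], fields[i + 1]) for i in (1, 3, 5))
        # The device counts every packet as either dropped or passed.
        if total != drop + passed:
            raise ValueError(f"{fields[0]}: total {total} != drop {drop} + pass {passed}")
        stats[fields[0]] = {"total": total, "drop": drop, "pass": passed}
    return stats


def dropped_types(stats: Counters) -> List[str]:
    """Attack types whose defense has discarded at least one packet."""
    return [name for name, c in stats.items() if c["drop"] > 0]


def drop_increments(prev: Counters, curr: Counters) -> Dict[str, int]:
    """Per-type increase in drops between two polls. A current value lower
    than the previous one means `reset anti-attack statistics` ran in between,
    so the current value itself is taken as the increment."""
    out: Dict[str, int] = {}
    for name, c in curr.items():
        before = prev.get(name, {}).get("drop", 0)
        out[name] = c["drop"] - before if c["drop"] >= before else c["drop"]
    return out


if __name__ == "__main__":
    stats = parse_anti_attack_statistics(SAMPLE_OUTPUT)
    for name in dropped_types(stats):
        print(f"{name}: {stats[name]['drop']} dropped of {stats[name]['total']}")
```

A non-zero drop counter for Tcp-syn, Udp-flood or Icmp-flood is the signal to compare against the configured car values and the traffic actually expected on the management plane; a rising Abnormal counter with no matching change in traffic usually points at a host sending malformed packets rather than at a volumetric flood.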
Function
The reset anti-attack statistics command clears attack defense statistics.
Format
reset anti-attack statistics [ abnormal | fragment | tcp-syn | udp-flood | icmp-
flood ]
Parameters
Parameter Description Value
Views
All views
Default Level
2: Configuration level
Usage Guidelines
If no attack defense is specified, statistics about all types of attack defense are
cleared.
NOTICE
The cleared statistics cannot be restored. Exercise caution when you use the
command.
Example
# Clear statistics about defense against malformed packets.
<HUAWEI> reset anti-attack statistics abnormal
Format
broadcast-suppression { percent-value | cir cir-value [ cbs cbs-value ] | packets
packets-per-second }
undo broadcast-suppression
Parameters
Parameter Description Value
cbs cbs-value: Specifies the committed burst size (CBS), which is the maximum
size of traffic that can pass through.
Value: The value is an integer, in bytes. For the S1730S-H, S2730S-S, S5735-L-I,
S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500,
S5735-S-I, and S5735S-S: the value ranges from 10000 to 65535. For other models:
the value ranges from 10000 to 4294967295. By default, the CBS value is 188
times the CIR value.
packets packets-per-second: Specifies the number of packets transmitted per
second.
NOTE
To specify the packets parameter, ensure that the traffic suppression mode set
in the system view is packets.
Value: The value is an integer and the value range is as follows:
● Ethernet interface: 0 to 148810
● GE interface: 0 to 1488100
● XGE interface: 0 to 14881000
● MultiGE interface: 0 to X. X indicates the negotiated bandwidth
● 25GE interface: 0 to 37202500
● 40GE interface: 0 to 59524000
● 100GE interface: 0 to 148810000
● Port group: 0 to 148810000
NOTE
● For S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6730-H, S6730S-H,
S6730-S, and S6730S-S, if the configured value is less than 24, traffic
suppression is performed based on 24. If the configured value is greater than
or equal to 24, traffic suppression is performed based on the configured value.
● When an interface is configured with an optical module, the value range is
determined by the rate of the optical module. For example, when an XGE
interface is configured with a GE optical module, the value range is 0 to
1488100.
Views
Ethernet interface view, 40GE interface view, 100GE interface view, GE interface
view, XGE interface view, 25GE interface view, MultiGE interface view, port group
view, Eth-Trunk member interface view
Default Level
2: Configuration level
Usage Guidelines
The accumulating broadcast packets on the network occupy more and more
network resources. This affects normal operation of services on the network.
Precautions
Rate limits in bit/s and in pps cannot be mixed on one interface: once a rate
limit in bit/s is set for one type of packets, a rate limit in pps cannot be set
for any other type of packets on the same interface, and vice versa.
Setting a bandwidth percentage is equivalent to setting a rate limit in pps; the
device converts the percentage to pps. Take a 1 Gbit/s interface as an example.
If the bandwidth percentage is set to 50%, the device converts it to a rate limit
in pps as follows: (1000 x (50/100) x 1000 x 1000)/(84 x 8). In this formula, 84
is the average packet length in bytes (the 60-byte packet body, 20-byte frame
spacing, and 4-byte check information), and 8 is the number of bits in a byte.
NOTE
If a packet rate limit is configured for a type of packets on an interface, the percentage rate
limit for other types of packets is converted into the packet rate limit.
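The conversion above, carried through for the interface types listed under the packets parameter, as an added example that is not part of this command reference and not device code. It applies the page's formula, pps = (rate in bit/s x percent/100) / (84 x 8), cross-checks the result at 100% against the pps ceilings printed for each interface type, and applies the 24 pps floor the NOTE describes for the S5731/S5732/S6730 models. The nominal line rates per interface type are assumptions; that the listed ceilings are the 100% conversion rounded to the nearest 100 is an observation from the numbers, not a documented rule.

```python
"""Added worked example (not from the Huawei command reference): applies the
page's percent-to-pps conversion for broadcast-suppression and cross-checks it
against the pps ceilings listed for the packets parameter."""

AVG_FRAME_BYTES = 60 + 4 + 20  # packet body + check information + frame spacing (page's 84)
BITS_PER_BYTE = 8
MIN_PPS_S5731_FAMILY = 24      # floor applied by the models named in the page's NOTE

# Assumed nominal line rates (Mbit/s) per interface type.
INTERFACE_MBPS = {
    "ethernet": 100,
    "ge": 1_000,
    "xge": 10_000,
    "25ge": 25_000,
    "40ge": 40_000,
    "100ge": 100_000,
}

# pps ceilings for the packets parameter exactly as printed on the page.
PAGE_MAX_PPS = {
    "ethernet": 148_810,
    "ge": 1_488_100,
    "xge": 14_881_000,
    "25ge": 37_202_500,
    "40ge": 59_524_000,
    "100ge": 148_810_000,
}


def percent_to_pps(rate_mbps: float, percent: float) -> int:
    """pps the switch derives from a bandwidth percentage on a link of rate_mbps."""
    if not 0 <= percent <= 100:
        raise ValueError("percent must be between 0 and 100")
    bits_per_second = rate_mbps * 1_000_000 * (percent / 100.0)
    # The device truncates to whole packets per second (assumption: floor).
    return int(bits_per_second / (AVG_FRAME_BYTES * BITS_PER_BYTE))


def ceiling_matches_formula(iface: str, tolerance: float = 1e-4) -> bool:
    """True if the page's pps ceiling equals the 100% conversion within tolerance
    (the listed ceilings are the formula's result rounded to the nearest 100)."""
    derived = percent_to_pps(INTERFACE_MBPS[iface], 100)
    listed = PAGE_MAX_PPS[iface]
    return abs(listed - derived) / listed <= tolerance


def effective_pps_s5731_family(configured_pps: int) -> int:
    """Rate actually enforced on the S5731/S5732/S6730 models from the NOTE:
    anything below 24 pps is raised to 24."""
    if configured_pps < 0:
        raise ValueError("pps must not be negative")
    return max(configured_pps, MIN_PPS_S5731_FAMILY)


def suppression_plan(iface: str, percent: float) -> dict:
    """Summarise what a percent-value setting means on a given interface type."""
    pps = percent_to_pps(INTERFACE_MBPS[iface], percent)
    return {
        "interface": iface,
        "percent": percent,
        "pps": pps,
        "ceiling": PAGE_MAX_PPS[iface],
        "within_ceiling": pps <= PAGE_MAX_PPS[iface],
    }


if __name__ == "__main__":
    for name in INTERFACE_MBPS:
        print(suppression_plan(name, 50))
```

Because the percentage is turned into a pps figure using an assumed 84-byte average frame, a percentage set on a port carrying large frames admits far less than the named share of bandwidth in bits; when the intent is a bit-rate ceiling, set cir explicitly instead.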
Example
# Set the broadcast packet rate to 100000 pps on GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] broadcast-suppression packets 100000
Function
The broadcast-suppression block outbound command blocks outgoing broadcast
packets on an interface.
Format
broadcast-suppression block outbound
Parameters
None
Views
Ethernet interface view, GE interface view, XGE interface view, 25GE interface view,
MultiGE interface view, 40GE interface view, 100GE interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
After an interface receives a broadcast packet, the device floods it to all users
in the same VLAN. This may leak information. For example, an unauthorized user
connected to an interface in the VLAN can learn a host's address from broadcast
packets and use that address to attack the host. To prevent such leakage, use
the broadcast-suppression block outbound command to block outgoing broadcast
packets on an interface whose users do not need to receive broadcast packets,
for example an interface whose users seldom change and require high security.
Precautions
Example
# Block outgoing broadcast packets on GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] broadcast-suppression block outbound
Function
The broadcast-suppression command sets the rate limit for broadcast packets in
a VLAN.
Format
broadcast-suppression threshold-value
undo broadcast-suppression
Parameters
Parameter Description Value
Views
VLAN view
Default Level
2: Configuration level
Usage Guidelines
Broadcast packets that accumulate on the network consume more and more
network resources, which affects the normal operation of services on the network.
After you run the broadcast-suppression command, the device limits the rate of
broadcast packets to the configured value. If the rate limit is exceeded, the device
discards the excess broadcast packets.
Example
# Set the rate limit to 1000 kbit/s for broadcast packets in VLAN 10.
<HUAWEI> system-view
[HUAWEI] vlan 10
[HUAWEI-vlan10] broadcast-suppression 1000
Format
display flow-suppression interface interface-type interface-number
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
This command can display the traffic suppression for broadcast, unknown
multicast, known multicast, unknown unicast, and known unicast packets on the
interface, including rate limiting mode and rate limit value.
Example
# Display the traffic suppression configuration on GE0/0/1.
<HUAWEI> display flow-suppression interface gigabitethernet 0/0/1
storm type        rate mode      set rate value
-------------------------------------------------------------------------------
unknown-unicast   percent        percent: 90%
multicast         percent        percent: 90%
broadcast         percent        percent: 90%
known-unicast     percent        percent: 100%
known-multicast   percent        percent: 100%
-------------------------------------------------------------------------------
Item              Description
set rate value    Configured rate limit. The rate can be set by the following
                  commands:
                  ● broadcast-suppression
                  ● multicast-suppression
                  ● unicast-suppression
                  ● known-unicast-suppression
                  ● known-multicast-suppression
Format
display storm-control [ interface interface-type interface-number ]
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
This command can display the storm control for broadcast, unknown multicast,
and unknown unicast packets on the interface, such as packet mode, storm
control action, and packet status.
Example
# Display information about storm control on GE0/0/1.
<HUAWEI> display storm-control interface gigabitethernet 0/0/1
PortName  Type       Rate(Min/Max)  Mode  Action  Punish-Status  Trap  Log  Int  Last-Punish-Time
--------------------------------------------------------------------------------
GE0/0/1   Multicast  1000/2000      Pps   Block   Normal         Off   On   90   -
GE0/0/1   Broadcast  1000/2000      Pps   Block   Normal         Off   On   90   -
GE0/0/1   Unicast    1000/2000      Pps   Block   Normal         Off   On   90   -
Item Description
Function
The icmp rate-limit command sets the rate threshold of ICMP packets.
The undo icmp rate-limit command restores the default rate threshold of ICMP
packets.
By default, the rate limits of ICMP packets in the system and on an interface
depend on the product model. The value is 128 pps on the S5731-H, S5731-S,
S5731S-H, S5731S-S, S5732-H, S6735-S, S6720-EI, S6720S-EI, S6730-H, S6730S-H,
S6730-S, and S6730S-S, and 190 pps on the other models.
Format
icmp rate-limit { total | interface interface-type interface-number1 [ to
interface-number2 ] } threshold threshold-value
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Networks are frequently subjected to ICMP packet attacks. If a switch receives a
large number of broadcast ICMP request packets on user-side interfaces, these
packets are sent to the switch CPU for processing. The CPU usage then becomes
high, affecting other services on the switch. You can use the icmp rate-limit
command to protect the switch against ICMP packet attacks.
After the rate limit function is configured for ICMP packets on an interface, the
system automatically discards excess ICMP packets when the number of ICMP
packets sent by an interface every second exceeds the rate threshold.
Precautions
Before setting the rate threshold of ICMP packets, use the icmp rate-limit enable
command to enable the rate limit function for ICMP packets.
Example
# Set the rate threshold of ICMP packets on GE0/0/1 to GE0/0/5 to 20 pps.
<HUAWEI> system-view
[HUAWEI] icmp rate-limit interface gigabitethernet 0/0/1 to 0/0/5 threshold 20
Function
The icmp rate-limit enable command enables the traffic suppression function for
ICMP packets.
The undo icmp rate-limit enable command disables the traffic suppression
function for ICMP packets.
By default, the traffic suppression function for ICMP packets is disabled.
Format
icmp rate-limit enable
undo icmp rate-limit enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Attackers may send a large number of ICMP packets to attack a network. If the
device sends all received ICMP packets to the CPU for processing, a large share of
CPU resources is consumed and other services may become abnormal. To prevent
ICMP packet attacks, you can configure the device to suppress ICMP packets.
Before configuring traffic suppression for ICMP packets on an interface, run the
undo icmp-reply fast command to disable the ICMP reply fast function.
Example
# Enable the traffic suppression function for ICMP packets.
<HUAWEI> system-view
[HUAWEI] icmp rate-limit enable
14.5.9 known-multicast-suppression
Function
The known-multicast-suppression command sets the maximum traffic volume of
known multicast packets that can pass through an interface.
The undo known-multicast-suppression command allows all known multicast
packets to pass.
By default, known multicast packets are not suppressed.
NOTE
Format
known-multicast-suppression { percent-value | cir cir-value [ cbs cbs-value ] |
packets packets-per-second }
undo known-multicast-suppression
Parameters
Parameter Description Value
Views
Ethernet interface view, 40GE interface view, 100GE interface view, GE interface
view, XGE interface view, 25GE interface view, MultiGE interface view, port group
view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Precautions
Setting the bandwidth percentage is the same as setting the rate limit in pps. Take
an interface of 1 Gbit/s as an example. If the bandwidth percentage is set to 50%,
the device converts the bandwidth percentage to rate limit in pps as follows:
(1000 x (50/100) x 1000 x 1000)/(84 x 8). In the preceding formula, 84 is the
average length of packets (including the 60-byte packet body, 20-byte frame
spacing, and 4-byte check information), and 8 is the number of bits in a byte.
NOTE
If a packet rate limit is configured for a type of packets on an interface, the percentage rate
limit for other types of packets is converted into the packet rate limit.
Example
# Set the maximum known multicast packet rate to 100000 pps on GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] known-multicast-suppression packets 100000
14.5.10 known-unicast-suppression
Function
The known-unicast-suppression command sets the maximum traffic volume of
known unicast packets that can pass through an interface.
NOTE
Format
known-unicast-suppression { percent-value | cir cir-value [ cbs cbs-value ] |
packets packets-per-second }
undo known-unicast-suppression
Parameters
Parameter Description Value
Views
Ethernet interface view, 40GE interface view, 100GE interface view, GE interface
view, XGE interface view, 25GE interface view, MultiGE interface view, port group
view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
You can use the known-unicast-suppression command to set the threshold of
known unicast traffic that an interface allows to pass through. When the known
unicast traffic rate exceeds the rate limit, the system discards excess known
unicast packets to keep the traffic volume within a proper range.
Precautions
Setting the bandwidth percentage is the same as setting the rate limit in pps. Take
an interface of 1 Gbit/s as an example. If the bandwidth percentage is set to 50%,
the device converts the bandwidth percentage to rate limit in pps as follows:
(1000 x (50/100) x 1000 x 1000)/(84 x 8). In the preceding formula, 84 is the
average length of packets (including the 60-byte packet body, 20-byte frame
spacing, and 4-byte check information), and 8 is the number of bits in a byte.
NOTE
If a packet rate limit is configured for a type of packets on an interface, the percentage rate
limit for other types of packets is converted into the packet rate limit.
Example
# Set the maximum known unicast packet rate to 100000 pps on GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] known-unicast-suppression packets 100000
Format
multicast-suppression { percent-value | cir cir-value [ cbs cbs-value ] | packets
packets-per-second }
undo multicast-suppression
Parameters
Parameter Description Value
Views
Ethernet interface view, 40GE interface view, 100GE interface view, GE interface
view, XGE interface view, 25GE interface view, MultiGE interface view, port group
view, Eth-Trunk member interface view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Precautions
Setting the bandwidth percentage is the same as setting the rate limit in pps. Take
an interface of 1 Gbit/s as an example. If the bandwidth percentage is set to 50%,
the device converts the bandwidth percentage to rate limit in pps as follows:
(1000 x (50/100) x 1000 x 1000)/(84 x 8). In the preceding formula, 84 is the
average length of packets (including the 60-byte packet body, 20-byte frame
spacing, and 4-byte check information), and 8 is the number of bits in a byte.
NOTE
If a packet rate limit is configured for a type of packets on an interface, the percentage rate
limit for other types of packets is converted into the packet rate limit.
Example
# Set the maximum unknown multicast packet rate to 100000 pps on GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] multicast-suppression packets 100000
Format
multicast-suppression block outbound
Parameters
None
Views
Ethernet interface view, GE interface view, XGE interface view, 25GE interface view,
MultiGE interface view, 40GE interface view, 100GE interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Precautions
Example
# Block outgoing unknown multicast packets on GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] multicast-suppression block outbound
14.5.13 storm-control
Function
The storm-control command enables storm control for broadcast packets,
unknown multicast packets, and unknown unicast packets on an interface.
The undo storm-control command disables storm control.
By default, storm control is disabled on interfaces.
Format
storm-control { broadcast | multicast | unicast } min-rate min-rate-value
max-rate max-rate-value
storm-control { broadcast | multicast | unicast } min-rate cir min-rate-value-cir
max-rate cir max-rate-value-cir (Only the S5731-H, S5731-S, S5731S-H, S5731S-S,
S5732-H, S1730S-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L,
S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S, S5735-S-I, S6735-S, S6720-EI,
S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support this command.)
storm-control { broadcast | multicast | unicast } min-rate percent
min-rate-value-percent max-rate percent max-rate-value-percent (Only the
S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S1730S-H, S2730S-S, S5735-L-I,
S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500,
S5735S-S, S5735-S-I, S6735-S, S6720-EI, S6720S-EI, S6730-H, S6730S-H, S6730-S,
and S6730S-S support this command.)
undo storm-control { broadcast | multicast | unicast | all-packets }
Parameters
Parameter Description Value
Views
Ethernet interface view, 40GE interface view, 100GE interface view, GE interface
view, XGE interface view, 25GE interface view, MultiGE interface view, port group
view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When the average rate of receiving packets on an interface is greater than the
value of max-rate-value, max-rate-value-cir, or max-rate-value-percent in storm
detection, storm control is performed on the packets.
NOTE
The storm detection interval can be set using the storm-control interval command.
Storm control actions include block and shutdown, which can be configured
using the storm-control action command. If the action is block on an interface,
packets on the interface are unblocked when the rate of receiving packets on the
interface is smaller than the value of min-rate-value, min-rate-value-cir or
min-rate-value-percent; if the action is shutdown on an interface, run the undo
shutdown command to enable the interface.
Precautions
For S1720GF, S1720GW-E, S1720GFR-P, S1720GWR-E, S2720-EI, S5720I-SI,
S5720-LI, S5720S-LI, S5735S-H, S5736-S, S1730S-H, S2730S-S, S5735-L-I, S5735-L1,
S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S, and
S5735-S-I, when detecting unicast packets, a switch does not distinguish unknown
unicast packets from known unicast packets. The packet rate detected is the sum
of the rates of unknown and known unicast packets. When the storm control
action is block, the switch blocks only the unknown unicast packets. This rule also
applies to multicast packets.
You cannot configure storm control and traffic suppression simultaneously on an
interface. For example, if you configure traffic suppression for unknown multicast
packets, unknown unicast packets, or broadcast packets (including 100% traffic
suppression for broadcast packets) on an interface, then you cannot configure
storm control for broadcast packets simultaneously on the interface.
After storm control is configured on an interface, the device does not check the
VLAN IDs of packets during storm detection. That is, the device performs storm
control on all packets regardless of whether the VLANs of the packets are allowed
by the interface.
Example
# Perform storm control on broadcast packets received on GE0/0/1. In the storm
detection interval, perform storm control on packets when the rate of receiving
packets on an interface is greater than 8000 pps and forward packets when the
rate of receiving packets on an interface is smaller than 5000 pps.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] storm-control broadcast min-rate 5000 max-rate 8000
Function
The storm-control action sets the storm control action to error-down or block.
Format
storm-control action { block | error-down }
NOTE
Parameters
Parameter Description Value
Views
Ethernet interface view, GE interface view, XGE interface view, 25GE interface view,
MultiGE interface view, 40GE interface view, 100GE interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
You can control data packets and prevent flooding by running the storm-control
action command to configure a storm control action and the storm-control
command to set the upper and lower thresholds.
In a storm detection interval, when the average rate of receiving broadcast
packets, unknown multicast packets, and unknown unicast packets is greater than
the value of the specified upper threshold, packets are blocked or the interface is
shut down.
If the storm control action on an interface is block, the interface is restored when
the traffic falls below the lower threshold.
If the storm control action is error-down, the interface can be recovered using
either of the following methods:
● Manual recovery (after an Error-Down event occurs):
If a few interfaces need to be recovered, run the shutdown and undo
shutdown commands in the interface view. Alternatively, run the restart
command in the interface view to restart the interfaces.
● Automatic recovery (before an Error-Down event occurs):
If a large number of interfaces need to be recovered, manual recovery is time
consuming and some interfaces may be omitted. To avoid this problem, run
the error-down auto-recovery cause storm-control interval interval-value
command in the system view to enable automatic interface recovery and set
the recovery delay time. Run the display error-down recovery command to
view information about automatic interface recovery.
NOTE
This method does not take effect on interfaces that are already in Error-Down state. It
is effective only on interfaces that enter the Error-Down state after this configuration
is complete.
Precautions
For S1720GF, S1720GW-E, S1720GFR-P, S1720GWR-E, S2720-EI, S5720I-SI,
S5720-LI, S5720S-LI, S5735S-H, S5736-S, S1730S-H, S2730S-S, S5735-L-I, S5735-L1,
S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S, and
S5735-S-I, when detecting unicast packets, a switch does not distinguish unknown
unicast packets from known unicast packets. The packet rate detected is the sum
of the rates of unknown and known unicast packets. When the storm control
action is block, the switch blocks only the unknown unicast packets. This rule also
applies to multicast packets.
Example
# Set the storm control action to block on GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] storm-control action block
Format
storm-control enable { log | trap }
undo storm-control enable { log | trap }
Parameters
Parameter Description Value
Views
Ethernet interface view, GE interface view, XGE interface view, 25GE interface view,
MultiGE interface view, 40GE interface view, 100GE interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
After storm control is configured, the switch monitors the broadcast, unknown
multicast, and unknown unicast packets received on an interface. When the
packet rate within a detection interval exceeds the upper limit, the switch executes
the storm control action (block packets or shut down the interface) on the
interface. This may affect services. You can configure the log or trap for storm
control so that the administrator can quickly take actions to protect the switch.
● After the logging function is enabled for storm control, the storm control log
information is recorded in the STORMCTRL log of the SECE module.
● After the trap function is enabled for storm control, the trap is
SECE_1.3.6.1.4.1.2011.5.25.32.4.1.14.1 hwXQoSStormControlTrap.
Example
# Enable the trap reporting function during storm control on GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] storm-control broadcast min-rate 3000 max-rate 5000
[HUAWEI-GigabitEthernet0/0/1] storm-control action block
[HUAWEI-GigabitEthernet0/0/1] storm-control enable trap
Format
storm-control interval interval-value
undo storm-control interval
Parameters
Parameter Description Value
Views
Ethernet interface view, GE interface view, XGE interface view, 25GE interface view,
MultiGE interface view, 40GE interface view, 100GE interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Before using the storm-control interval command to set the storm detection
interval, run the storm-control command in the interface view to configure storm
control. Otherwise, the storm detection interval does not take effect.
Example
# Configure storm control and set the storm detection interval to 10 seconds on
GE0/0/1. Block broadcast packets when the rate of receiving broadcast packets is
greater than 5000 pps and forward the packets when the rate of receiving
broadcast packets is smaller than 3000 pps in 10 seconds.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] storm-control broadcast min-rate 3000 max-rate 5000
[HUAWEI-GigabitEthernet0/0/1] storm-control action block
[HUAWEI-GigabitEthernet0/0/1] storm-control interval 10
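The storm-control, storm-control action and storm-control interval behaviour described above, modelled in Python as an added example (this is illustrative code, not the switch software): one packet type on one interface, the average rate over each detection interval compared with max-rate to trigger the action and with min-rate to release a block, and error-down latched until a manual recovery. The 5-second default interval is an assumption.

```python
"""Storm-control model: block / error-down actions with min-rate / max-rate
hysteresis evaluated once per detection interval (added illustration)."""

from dataclasses import dataclass, field
from typing import List


@dataclass
class StormControl:
    min_rate: int                 # pps; a blocked packet type is released below this rate
    max_rate: int                 # pps; storm control triggers above this rate
    action: str = "block"         # "block" or "error-down" (storm-control action)
    interval: int = 5             # detection interval in seconds (assumed default)
    blocked: bool = False
    error_down: bool = False
    events: List[str] = field(default_factory=list)   # stand-in for STORMCTRL log / trap

    def __post_init__(self):
        if not 0 < self.min_rate <= self.max_rate:
            raise ValueError("require 0 < min-rate <= max-rate")
        if self.action not in ("block", "error-down"):
            raise ValueError("action must be block or error-down")

    def observe(self, packets_in_interval: int) -> str:
        """Evaluate one detection interval and return the resulting state."""
        if self.error_down:
            # Stays down until shutdown / undo shutdown, restart, or auto-recovery.
            return "error-down"
        avg_pps = packets_in_interval / self.interval
        if avg_pps > self.max_rate:
            if self.action == "error-down":
                self.error_down = True
                self.events.append(
                    f"rate {avg_pps:.0f} pps > max-rate {self.max_rate}: interface error-down")
                return "error-down"
            if not self.blocked:
                self.blocked = True
                self.events.append(
                    f"rate {avg_pps:.0f} pps > max-rate {self.max_rate}: packets blocked")
        elif avg_pps < self.min_rate and self.blocked:
            self.blocked = False
            self.events.append(
                f"rate {avg_pps:.0f} pps < min-rate {self.min_rate}: packets forwarded")
        # A rate between min-rate and max-rate leaves the current state unchanged.
        return "blocked" if self.blocked else "forwarding"

    def recover(self) -> None:
        """Manual recovery (shutdown / undo shutdown or restart) after error-down."""
        self.error_down = False
        self.blocked = False


def simulate(ctl: StormControl, packets_per_interval: List[int]) -> List[str]:
    """Feed constructed per-interval packet counts and collect the state after each."""
    return [ctl.observe(n) for n in packets_per_interval]


if __name__ == "__main__":
    # Constructed counts per 10-second interval: 2000, 6000, 4000 and 2000 pps.
    ctl = StormControl(min_rate=3000, max_rate=5000, action="block", interval=10)
    print(simulate(ctl, [20000, 60000, 40000, 20000]))
    for event in ctl.events:
        print(event)
```

The third interval (4000 pps) is the case worth noticing: it is below max-rate but not below min-rate, so the block stays in place; the hysteresis between the two thresholds is what keeps a flapping storm from toggling the interface every interval.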
NOTE
Format
storm-control whitelist protocol { arp-request | bpdu | dhcp | igmp | rip }*
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To free specified protocol packets from traffic suppression and storm control, you
can run the storm-control whitelist protocol command to add these packets to
the traffic suppression and storm control whitelist.
Precautions
Example
# Add BPDU packets to the traffic suppression and storm control whitelist.
<HUAWEI> system-view
[HUAWEI] storm-control whitelist protocol bpdu
Function
The suppression mode command sets the global traffic suppression mode.
The undo suppression mode command restores the default traffic suppression
mode.
NOTE
Format
suppression mode { by-packets | by-bits }
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Precautions
If the packets mode has been set on an interface and the bits mode is set in the
system view, the device automatically converts the traffic rate values and
suppresses traffic based on bits. For example, if the maximum rate of broadcast
packets allowed by a GE interface is set to 1000 pps, the device converts the traffic
rate value as follows: 1000 x 84 x 8 = 672000 bits = 672 Kbit. In the preceding
formula, 84 is the average length of packets (including the 60-byte packet body,
20-byte frame spacing, and 4-byte check information), and 8 is the number of bits
in a byte.
If the traffic suppression mode set in the system view is packets, the cir
parameter cannot be specified when you set the maximum traffic rate on an
interface.
If the traffic suppression mode set in the system view is bits, the packets
parameter cannot be specified when you set the maximum traffic rate on an
interface.
Example
# Set the traffic suppression mode to by-bits.
<HUAWEI> system-view
[HUAWEI] suppression mode by-bits
Warning: All Interface supression mode will be changed. Continue? [Y/N]:y
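The conversions in the precautions above, together with the percentage-to-pps formula given for the suppression commands, carried out in Python as an added example (not from the reference or the switch software). The cir unit is assumed to be kbit/s, and the cir-to-packets direction, which the reference does not spell out, is the inverse of the stated formula and is an assumption.

```python
"""Traffic suppression unit conversion and suppression-mode checks, using the
84-byte average frame the reference describes (added illustration)."""

AVG_FRAME_BYTES = 84      # 60-byte body + 20-byte frame spacing + 4-byte check
BITS_PER_BYTE = 8
VALID_MODES = ("by-packets", "by-bits")


def percent_to_pps(link_mbit_s: int, percent: float) -> int:
    """(link x percent/100 x 1000 x 1000) / (84 x 8), truncated to whole packets."""
    if not 0 <= percent <= 100:
        raise ValueError("percent must be between 0 and 100")
    bit_s = link_mbit_s * (percent / 100) * 1000 * 1000
    return int(bit_s // (AVG_FRAME_BYTES * BITS_PER_BYTE))


def pps_to_kbit_s(pps: int) -> int:
    """pps x 84 x 8 bit/s expressed in kbit/s (1000 pps -> 672 kbit/s)."""
    return pps * AVG_FRAME_BYTES * BITS_PER_BYTE // 1000


def check_limit(mode: str, limit: dict) -> None:
    """Reject an interface limit whose unit the global suppression mode forbids."""
    if mode not in VALID_MODES:
        raise ValueError(f"unknown suppression mode {mode}")
    if mode == "by-packets" and "cir" in limit:
        raise ValueError("cir cannot be specified while the suppression mode is by-packets")
    if mode == "by-bits" and "packets" in limit:
        raise ValueError("packets cannot be specified while the suppression mode is by-bits")


def apply_mode_change(limits: dict, new_mode: str) -> dict:
    """Convert per-type interface limits when the global suppression mode changes.

    limits maps a packet type to {"packets": pps}, {"cir": kbit_s} or
    {"percent": p}. Switching to by-bits converts packets -> cir as the
    reference describes; percentages are kept as they are. Switching to
    by-packets applies the inverse formula (assumption).
    """
    if new_mode not in VALID_MODES:
        raise ValueError(f"unknown suppression mode {new_mode}")
    converted = {}
    for ptype, limit in limits.items():
        if new_mode == "by-bits" and "packets" in limit:
            converted[ptype] = {"cir": pps_to_kbit_s(limit["packets"])}
        elif new_mode == "by-packets" and "cir" in limit:
            converted[ptype] = {
                "packets": limit["cir"] * 1000 // (AVG_FRAME_BYTES * BITS_PER_BYTE)}
        else:
            converted[ptype] = dict(limit)
        check_limit(new_mode, converted[ptype])   # every result must be legal in the new mode
    return converted


if __name__ == "__main__":
    print(percent_to_pps(1000, 50))                 # 50% of a 1 Gbit/s interface in pps
    print(pps_to_kbit_s(1000))                      # 1000 pps in kbit/s
    print(apply_mode_change({"broadcast": {"packets": 1000},
                             "multicast": {"percent": 90}}, "by-bits"))
```

The 84-byte average is a sizing assumption, not a measurement: on a link carrying mostly large frames the pps limit derived from a percentage admits far less bandwidth than the percentage suggests, and on a link carrying minimum-size frames it admits more, so the figure you audit should be the converted pps value rather than the percentage.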
Format
unicast-suppression { percent-value | cir cir-value [ cbs cbs-value ] | packets
packets-per-second }
undo unicast-suppression
Parameters
Parameter Description Value
Views
Ethernet interface view, 40GE interface view, 100GE interface view, GE interface
view, XGE interface view, 25GE interface view, MultiGE interface view, port group
view, Eth-Trunk member interface view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Precautions
Setting the bandwidth percentage is the same as setting the rate limit in pps. Take
an interface of 1 Gbit/s as an example. If the bandwidth percentage is set to 50%,
the device converts the bandwidth percentage to rate limit in pps as follows:
(1000 x (50/100) x 1000 x 1000)/(84 x 8). In the preceding formula, 84 is the
average length of packets (including the 60-byte packet body, 20-byte frame
spacing, and 4-byte check information), and 8 is the number of bits in a byte.
NOTE
If a packet rate limit is configured for a type of packets on an interface, the percentage rate
limit for other types of packets is converted into the packet rate limit.
Example
# Set the maximum unknown unicast packet rate to 100000 pps on GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] unicast-suppression packets 100000
Function
The unicast-suppression block outbound command configures an interface to
block outgoing unknown unicast packets.
Format
unicast-suppression block outbound
Parameters
None
Views
Ethernet interface view, GE interface view, XGE interface view, 25GE interface view,
MultiGE interface view, 40GE interface view, 100GE interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Precautions
Example
# Block outgoing unknown unicast packets on GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] unicast-suppression block outbound
The undo arp anti-attack check user-bind alarm enable command disables the
alarm function for ARP packets discarded by DAI.
By default, the alarm function for ARP packets discarded by DAI is disabled.
Format
arp anti-attack check user-bind alarm enable
Parameters
None
Views
Ethernet interface view, GE interface view, 40GE interface view, XGE interface view,
25GE interface view, 100GE interface view, MultiGE interface view, port group
view, Eth-Trunk interface view, VLAN view, BD view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After DAI is enabled, if you want to receive an alarm when a large number of ARP
packets are discarded by DAI, you can run the arp anti-attack check user-bind
alarm enable command. After the alarm function is enabled, the device sends an
alarm when the number of discarded ARP packets exceeds the threshold.
Prerequisites
DAI has been enabled using the arp anti-attack check user-bind enable
command in the corresponding view.
Follow-up Procedure
The alarm threshold is set by the arp anti-attack check user-bind alarm
threshold command.
Precautions
If you run this command in multiple views, the configuration takes effect in the
following order of precedence: BD view > interface view > VLAN view.
Example
# Enable the alarm function for ARP packets discarded by DAI on GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack check user-bind enable
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack check user-bind alarm enable
Format
arp anti-attack check user-bind alarm threshold threshold
undo arp anti-attack check user-bind alarm threshold
Parameters
Parameter   Description                                         Value
threshold   Specifies the alarm threshold for the ARP packets   The value is an integer that
            discarded by DAI.                                   ranges from 1 to 1000.
Views
System view, Ethernet interface view, GE interface view, XGE interface view, 25GE
interface view, 40GE interface view, 100GE interface view, MultiGE interface view,
port group view, Eth-Trunk interface view, VLAN view, BD view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
You can use this command to set the alarm threshold for ARP packets discarded
by DAI. After the alarm threshold is set, the device sends an alarm when the
number of ARP packets discarded by DAI exceeds this threshold.
Prerequisites
DAI has been enabled using the arp anti-attack check user-bind enable
command in the corresponding view, and the alarm function for ARP packets
discarded by DAI has been enabled using the arp anti-attack check user-bind
alarm enable command in the corresponding view.
Precautions
The arp anti-attack check user-bind alarm threshold command takes effect in
the system view only when DAI and the alarm function for ARP packets discarded
by DAI are enabled in the interface, BD, or VLAN view. The global alarm threshold
takes effect on all interfaces, BDs, or VLANs enabled with the two functions.
The threshold configured in the interface, BD, or VLAN view takes precedence over
the global one. If no alarm threshold is configured on an interface, the global
alarm threshold is used.
Example
# Set the alarm threshold for ARP packets discarded by DAI on GE0/0/1 to 200.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack check user-bind enable
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack check user-bind alarm enable
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack check user-bind alarm threshold 200
Function
The arp anti-attack check user-bind check-item command configures check
items for ARP packet check based on binding entries on an interface.
The undo arp anti-attack check user-bind check-item command restores the
default check items.
By default, the check items consist of IP address, MAC address, and VLAN ID.
Format
arp anti-attack check user-bind check-item { ip-address | mac-address | vlan } *
Parameters
Parameter Description Value
vlan Indicates that the device checks VLAN IDs in ARP packets. -
Views
Ethernet interface view, GE interface view, 40GE interface view, XGE interface view,
25GE interface view, 100GE interface view, MultiGE interface view, port group
view, Eth-Trunk interface view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When a device receives an ARP packet, it compares the source IP address, source
MAC address, and VLAN ID of the ARP packet with binding entries. If the ARP
packet matches a binding entry, the device considers the ARP packet valid and
allows the packet to pass through. If the ARP packet matches no binding entry,
the device considers the ARP packet invalid and discards the packet.
To allow some special ARP packets that match only one or two items in binding
entries to pass through, use the arp anti-attack check user-bind check-item
command to configure the device to check ARP packets according to one or two
specified items in binding entries.
Prerequisites
DAI has been enabled on the interface using the arp anti-attack check user-bind
enable command.
Precautions
Check items configured for ARP packet check based on binding entries do not take
effect on hosts that are configured with static binding entries. These hosts check
ARP packets based on all items in static binding entries.
Example
# Configure GE0/0/1 to check IP addresses in ARP packets.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack check user-bind enable
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack check user-bind check-item ip-address
Format
arp anti-attack check user-bind check-item { ip-address | mac-address |
interface } *
undo arp anti-attack check user-bind check-item
Parameters
Parameter Description Value
Views
VLAN view, BD view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When a device receives an ARP packet, it compares the source IP address, source
MAC address, and interface number of the ARP packet with binding entries. If the
ARP packet matches a binding entry, the device considers the ARP packet valid
and allows the packet to pass through. If the ARP packet matches no binding
entry, the device considers the ARP packet invalid and discards the packet.
To allow some special ARP packets that match only one or two items in binding
entries to pass through, configure the device to check ARP packets according to
one or two specified items in binding entries.
Prerequisites
DAI has been enabled in the VLAN or BD using the arp anti-attack check
user-bind enable command.
Precautions
Check items configured for ARP packet check based on binding entries do not take
effect on hosts that are configured with static binding entries. These hosts check
ARP packets based on all items in static binding entries.
Example
# Configure the device to check IP addresses in ARP packets from VLAN 100.
<HUAWEI> system-view
[HUAWEI] vlan 100
[HUAWEI-vlan100] arp anti-attack check user-bind enable
[HUAWEI-vlan100] arp anti-attack check user-bind check-item ip-address
Function
The arp anti-attack check user-bind enable command enables dynamic ARP
inspection (DAI) for an interface, BD, or VLAN to check ARP packets against
binding entries.
The undo arp anti-attack check user-bind enable command disables DAI for an
interface, BD, or VLAN.
Format
arp anti-attack check user-bind enable
Parameters
None
Views
Ethernet interface view, GE interface view, 40GE interface view, XGE interface view,
25GE interface view, 100GE interface view, MultiGE interface view, port group
view, Eth-Trunk interface view, BD view, VLAN view
NOTE
DAI can be enabled in the BD view only for the S5731-H, S5731S-H, S5732-H, S5731-S,
S5731S-S, S6730-H, S6730S-H, S6730-S, and S6730S-S.
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To defend against MITM attacks and prevent authorized users' data from being
intercepted, run the arp anti-attack check user-bind enable command to enable
DAI. When a device receives an ARP packet, it compares the source IP address,
source MAC address, interface number, BD, and VLAN ID of the ARP packet with
binding entries. If the ARP packet matches a binding entry, the device considers
the ARP packet valid and allows the packet to pass through. If the ARP packet
matches no binding entry, the device considers the ARP packet invalid and discards
the packet.
DAI can be enabled in the interface view, BD view, or VLAN view. When DAI is
enabled in the interface view, the device checks all ARP packets received on the
interface against binding entries. When DAI is enabled in the VLAN view or BD
view, the device checks ARP packets received on interfaces belonging to the VLAN
or BD against binding entries.
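The comparison described above, written out as an added Python model (not Huawei code, and not how the switch implements it internally): a packet is matched against each binding entry on the selected check items, and a host with a static binding entry is always compared on all items, as the check-item command's Precautions state. The binding entries, MAC addresses and interface names are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable

# Check items, named as in the arp anti-attack check user-bind check-item command.
ALL_ITEMS: FrozenSet[str] = frozenset({"ip-address", "mac-address", "interface", "vlan"})


@dataclass(frozen=True)
class Binding:
    """One binding entry (from DHCP snooping or static configuration). Constructed sample."""
    ip: str
    mac: str
    interface: str
    vlan: int
    static: bool = False


@dataclass(frozen=True)
class ArpPacket:
    """The fields of a received ARP packet that DAI compares with binding entries."""
    sender_ip: str
    sender_mac: str
    interface: str  # interface the packet arrived on
    vlan: int


def dai_check(pkt: ArpPacket, bindings: Iterable[Binding],
              check_items: FrozenSet[str] = ALL_ITEMS) -> bool:
    """Return True (packet passes) if some binding entry matches the packet on
    every selected check item; False means the device would discard the packet.

    Hosts with static binding entries are compared on all items regardless of
    the configured check items; the check items only narrow the comparison for
    dynamic entries.
    """
    for b in bindings:
        items = ALL_ITEMS if b.static else check_items
        if "ip-address" in items and pkt.sender_ip != b.ip:
            continue
        if "mac-address" in items and pkt.sender_mac != b.mac:
            continue
        if "interface" in items and pkt.interface != b.interface:
            continue
        if "vlan" in items and pkt.vlan != b.vlan:
            continue
        return True
    return False


def run_demo() -> Dict[str, bool]:
    """Constructed scenarios: a legitimate host, a spoofed MAC, a host that moved port,
    and a statically bound host with a wrong MAC, each under different check items."""
    bindings = [
        Binding("10.1.100.10", "00:e0:fc:00:00:0a", "GE0/0/1", 100),
        Binding("10.1.100.20", "00:e0:fc:00:00:14", "GE0/0/2", 100, static=True),
    ]
    legit = ArpPacket("10.1.100.10", "00:e0:fc:00:00:0a", "GE0/0/1", 100)
    spoofed_mac = ArpPacket("10.1.100.10", "00:e0:fc:ba:d0:01", "GE0/0/1", 100)
    moved_port = ArpPacket("10.1.100.10", "00:e0:fc:00:00:0a", "GE0/0/5", 100)
    static_bad_mac = ArpPacket("10.1.100.20", "00:e0:fc:ba:d0:02", "GE0/0/2", 100)
    ip_only = frozenset({"ip-address"})
    ip_mac = frozenset({"ip-address", "mac-address"})
    return {
        "legit_all_items": dai_check(legit, bindings),
        "spoofed_mac_all_items": dai_check(spoofed_mac, bindings),
        "spoofed_mac_ip_only": dai_check(spoofed_mac, bindings, ip_only),
        "moved_port_all_items": dai_check(moved_port, bindings),
        "moved_port_ip_mac": dai_check(moved_port, bindings, ip_mac),
        "static_bad_mac_ip_only": dai_check(static_bad_mac, bindings, ip_only),
    }


if __name__ == "__main__":
    for name, passed in run_demo().items():
        print(f"{name}: {'pass' if passed else 'discard'}")
```

The spoofed_mac_ip_only case shows the trade-off of the check-item command: restricting the comparison to the IP address lets a host whose MAC changed through, but it also lets a forged MAC claim a bound IP address, so narrow the check items only for the hosts that need it.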
Follow-up Procedure
Run the arp anti-attack check user-bind check-item (interface view) or arp
anti-attack check user-bind check-item (VLAN or BD view) command to
configure check items for ARP packet check based on binding entries.
Precautions
When resources are sufficient, DAI can be enabled in a maximum of 400 VLANs.
After DAI is configured, the function of disabling the VLANIF interface from
sending ARP packets destined for other devices to the CPU is ineffective on the
VLANIF interface.
Example
# Enable DAI on GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack check user-bind enable
Function
The arp anti-attack entry-check enable command enables ARP entry fixing.
The undo arp anti-attack entry-check enable command disables ARP entry
fixing.
Format
arp anti-attack entry-check { fixed-mac | fixed-all | send-ack } enable
Parameters
Parameter Description Value
fixed-mac Indicates ARP entry fixing in fixed-mac mode. -
Views
System view, VLANIF interface view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To defend against ARP address spoofing attacks, enable ARP entry fixing. The
fixed-mac, fixed-all, and send-ack modes are applicable to different scenarios
and are mutually exclusive:
● The fixed-mac mode applies to networks where user MAC addresses are
unchanged but user access locations often change. When a user connects to a
different interface on the device, the device promptly updates the interface
information in the user's ARP entry.
● The fixed-all mode applies to networks where user MAC addresses and user
access locations are fixed.
● The send-ack mode applies to networks where user MAC addresses and user
access locations often change.
Precautions
After ARP entry fixing is enabled, the function that updates ARP entries when
MAC address entries change (configured by the mac-address update arp
command) becomes invalid.
In send-ack mode, the device can record a maximum of 100 ARP entries in the
ARP Request packets intended to trigger ARP entry modification.
If you run the arp anti-attack entry-check enable command in the system view,
ARP entry fixing is enabled on all interfaces. If you run the arp anti-attack
entry-check enable command in the interface view, ARP entry fixing is enabled on
the specified interface.
If ARP entry fixing is enabled globally and on a VLANIF interface simultaneously,
the configuration on the VLANIF interface takes precedence over the global
configuration.
Example
# Enable ARP entry fixing and specify the fixed-mac mode.
<HUAWEI> system-view
[HUAWEI] arp anti-attack entry-check fixed-mac enable
Format
arp anti-attack gateway-duplicate enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
If an attacker forges the gateway address to send ARP packets with the source IP
address being the gateway IP address on the LAN where the gateway is located,
ARP entries on hosts in the LAN record the incorrect gateway address. As a result,
all traffic from user hosts to the gateway is sent to the attacker and the attacker
can intercept user data, causing network access failures of these hosts.
To defend against attacks from bogus gateways, run the arp anti-attack
gateway-duplicate enable command to enable ARP gateway anti-collision on
gateways to which user hosts directly connect. A gateway considers that an ARP
gateway collision occurs when it receives an ARP packet meeting either of the
following conditions:
● The source IP address of the ARP packet is the same as the IP address of the
VLANIF interface matching the inbound interface of the packet.
● The source IP address of the ARP packet is the virtual IP address of the
inbound interface, but the source MAC address is not the VRRP virtual MAC
address.
The gateway generates an ARP anti-collision entry and discards the received ARP
packets with the same source MAC address and VLAN ID as those of the ARP
packet within a specified period of time. This function prevents ARP packets with a
bogus gateway address from being broadcast in a VLAN.
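The two collision conditions and the anti-collision entry described above, as an added Python model (not Huawei code; the switch's internal data structures are not documented here). The VLAN, gateway addresses, MAC addresses and the 180-second entry lifetime are constructed sample values; the 100-entry limit is the one stated in the Precautions, reduced to 2 in the demo so the overflow case can be shown. The VRRP virtual MAC follows the 00:00:5e:00:01:VRID format defined by VRRP.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class VlanGateway:
    """Gateway addressing of one VLAN that the guard compares against (constructed)."""
    vlanif_ip: str
    vrrp_vip: Optional[str] = None
    vrrp_vmac: Optional[str] = None  # 00:00:5e:00:01:<VRID>, lower-case


@dataclass
class ArpGatewayCollisionGuard:
    gateways: Dict[int, VlanGateway]          # VLAN ID -> gateway addresses
    hold_time: float = 180.0                  # seconds an anti-collision entry lives (assumed value)
    max_entries: int = 100                    # page: at most 100 anti-collision entries
    entries: Dict[Tuple[str, int], float] = field(default_factory=dict)  # (src MAC, VLAN) -> expiry

    def _expire(self, now: float) -> None:
        for key in [k for k, expiry in self.entries.items() if expiry <= now]:
            del self.entries[key]

    def _is_collision(self, vlan: int, sender_ip: str, sender_mac: str) -> bool:
        gw = self.gateways.get(vlan)
        if gw is None:
            return False
        if sender_ip == gw.vlanif_ip:
            return True   # condition 1: source IP equals the VLANIF address
        if gw.vrrp_vip is not None and sender_ip == gw.vrrp_vip and sender_mac != gw.vrrp_vmac:
            return True   # condition 2: virtual IP from a MAC that is not the VRRP virtual MAC
        return False

    def inspect(self, vlan: int, sender_ip: str, sender_mac: str, now: float) -> str:
        """Classify one received ARP packet: forward, collision (new entry, packet
        dropped), discard (matched an existing entry) or table-full."""
        self._expire(now)
        mac = sender_mac.lower()
        key = (mac, vlan)
        if key in self.entries:
            return "discard"
        if not self._is_collision(vlan, sender_ip, mac):
            return "forward"
        if len(self.entries) >= self.max_entries:
            # Page: the gateway cannot prevent new collision attacks once the table is full.
            # Assumption: the packet is then handled like any other ARP packet.
            return "table-full"
        self.entries[key] = now + self.hold_time
        return "collision"


def run_demo() -> Dict[str, str]:
    guard = ArpGatewayCollisionGuard(
        gateways={100: VlanGateway("10.1.100.1", "10.1.100.254", "00:00:5e:00:01:01")},
        max_entries=2,  # small table so the overflow case is visible
    )
    r: Dict[str, str] = {}
    r["host"] = guard.inspect(100, "10.1.100.50", "00:e0:fc:00:00:32", 0.0)
    r["vrrp_master"] = guard.inspect(100, "10.1.100.254", "00:00:5e:00:01:01", 0.0)
    r["bogus_vlanif"] = guard.inspect(100, "10.1.100.1", "00:e0:fc:ba:d0:01", 1.0)
    # Same source MAC and VLAN within the hold time: dropped whatever it now claims.
    r["bogus_follow_up"] = guard.inspect(100, "10.1.100.77", "00:e0:fc:ba:d0:01", 2.0)
    r["bogus_vip"] = guard.inspect(100, "10.1.100.254", "00:e0:fc:ba:d0:02", 3.0)
    r["third_attacker"] = guard.inspect(100, "10.1.100.1", "00:e0:fc:ba:d0:03", 4.0)
    r["after_expiry"] = guard.inspect(100, "10.1.100.77", "00:e0:fc:ba:d0:01", 200.0)
    return r


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

The third_attacker case is the operational point behind the 100-entry limit: once the table is full the gateway still forwards correctly but no longer suppresses new bogus-gateway sources, so an alarm or log review of the anti-collision table is needed to notice a sustained attack.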
Precautions
The device supports a maximum of 100 ARP anti-collision entries. When the
maximum number is exceeded, the gateway cannot prevent new ARP gateway
collision attacks.
After DAI is configured, the function of disabling the VLANIF interface from
sending ARP packets destined for other devices to the CPU is ineffective on the
VLANIF interface.
Example
# Enable ARP gateway anti-collision.
<HUAWEI> system-view
[HUAWEI] arp anti-attack gateway-duplicate enable
Function
The arp anti-attack log-trap-timer command sets the interval for sending ARP
alarms.
The undo arp anti-attack log-trap-timer command restores the default setting.
The default interval for sending alarms is 0, indicating that the device does not
send ARP alarms.
Format
arp anti-attack log-trap-timer time
undo arp anti-attack log-trap-timer
Parameters
Parameter Description Value
time Specifies the interval for sending ARP alarms. The value is an integer that ranges from 0 to 1200, in seconds.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After rate limiting on ARP packets based on source IP addresses is enabled, if the
number of ARP packets the device receives per second exceeds the limit, the
device discards the excess ARP packets. The device considers the excess ARP
packets as potential attacks. The device sends ARP alarms indicating potential
attacks to the NMS. To avoid excessive alarms when ARP attacks occur, reduce the
alarm quantity by setting a proper interval for sending alarms.
Precautions
In an insecure environment, you are advised to extend the interval for sending
ARP alarms. This prevents excessive ARP alarms. In a secure environment, you are
advised to shorten the interval for sending ARP alarms. This facilitates fault
rectification in real time.
After the interval is set, the device discards alarms generated within this
interval; therefore, some faults cannot be rectified in real time.
The command takes effect only on the alarm for ARP rate limit based on source IP
addresses (corresponding to arp speed-limit source-ip). The other ARP alarms are
generated at a fixed interval of 5 seconds.
Example
# Set the interval for sending ARP alarms to 20 seconds.
<HUAWEI> system-view
[HUAWEI] arp anti-attack log-trap-timer 20
Function
The arp anti-attack packet-check command enables ARP packet validity check
and specifies check items.
The undo arp anti-attack packet-check command disables ARP packet validity
check.
By default, ARP packet validity check is disabled.
Format
arp anti-attack packet-check { ip | dst-mac | sender-mac } *
Parameters
Parameter Description Value
ip Indicates ARP packet validity check based on the IP address. -
dst-mac Indicates ARP packet validity check based on the destination MAC address. -
sender-mac Indicates ARP packet validity check based on the source MAC address. -
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To avoid ARP attacks, you can use the arp anti-attack packet-check command to
enable ARP packet validity check on an access device or a gateway to filter out
ARP packets with invalid IP addresses or MAC addresses. The device checks validity
of an ARP packet based on each or any combination of the following items:
● Source and destination IP addresses: The device checks the source and
destination IP addresses in an ARP packet. If the source or destination IP
address is all 0s, all 1s, or a multicast IP address, the device discards the
packet as an invalid packet. The device checks both the source and
destination IP addresses in an ARP Reply packet but checks only the source IP
address in an ARP Request packet.
● Source MAC address: The device compares the source MAC address in an ARP
packet with that in the Ethernet frame header. If they are the same, the
packet is valid. If they are different, the device discards the packet.
● Destination MAC address: The device compares the destination MAC address
in an ARP packet with that in the Ethernet frame header. If they are the same,
the packet is valid. If they are different, the device discards the packet.
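The three check items above, applied to raw Ethernet/ARP frames in an added Python example (not Huawei code). The frame builder and the sample MAC and IP addresses are constructed for the demo. One detail is an assumption rather than page text: a broadcast ARP Request legitimately carries an all-zero target MAC while the frame destination is ff:ff:ff:ff:ff:ff, so the dst-mac comparison here is applied to ARP Reply frames only.

```python
import ipaddress
import struct
from typing import Any, Dict, FrozenSet, Tuple

ETH_HDR = struct.Struct("!6s6sH")           # destination MAC, source MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ALL_ITEMS: FrozenSet[str] = frozenset({"ip", "dst-mac", "sender-mac"})


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", "").replace("-", ""))


def _ip(s: str) -> bytes:
    return ipaddress.IPv4Address(s).packed


def build_arp_frame(eth_dst: str, eth_src: str, oper: int,
                    sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build an Ethernet II frame carrying an Ethernet/IPv4 ARP packet (test input)."""
    eth = ETH_HDR.pack(_mac(eth_dst), _mac(eth_src), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, oper, _mac(sha), _ip(spa), _mac(tha), _ip(tpa))
    return eth + arp


def parse_arp_frame(frame: bytes) -> Dict[str, Any]:
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, eth_type = ETH_HDR.unpack_from(frame, 0)
    if eth_type != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"eth_dst": eth_dst, "eth_src": eth_src, "oper": oper,
            "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def _invalid_ip(addr: bytes) -> bool:
    """All 0s, all 1s, or multicast: the three invalid cases the page lists."""
    return addr == b"\x00" * 4 or addr == b"\xff" * 4 or ipaddress.IPv4Address(addr).is_multicast


def packet_check(frame: bytes, items: FrozenSet[str]) -> Tuple[bool, str]:
    """Return (valid, reason) for the selected check items."""
    p = parse_arp_frame(frame)
    if "ip" in items:
        if _invalid_ip(p["spa"]):
            return False, "invalid sender IP"
        if p["oper"] == ARP_REPLY and _invalid_ip(p["tpa"]):   # target IP checked in replies only
            return False, "invalid target IP"
    if "sender-mac" in items and p["sha"] != p["eth_src"]:
        return False, "sender MAC differs from Ethernet source"
    # Assumption: applied to replies only, since broadcast requests carry a zero target MAC.
    if "dst-mac" in items and p["oper"] == ARP_REPLY and p["tha"] != p["eth_dst"]:
        return False, "target MAC differs from Ethernet destination"
    return True, "valid"


def run_demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed frames: a normal request and reply, an RFC 5227 probe, a reply whose
    ARP sender MAC disagrees with the frame, a multicast sender, and a reply to all 1s."""
    host, gw = "00:e0:fc:00:00:0a", "00:e0:fc:00:00:01"
    bcast, zero = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
    frames = {
        "request_ok": build_arp_frame(bcast, host, ARP_REQUEST, host, "10.1.100.10", zero, "10.1.100.1"),
        "reply_ok": build_arp_frame(host, gw, ARP_REPLY, gw, "10.1.100.1", host, "10.1.100.10"),
        "probe": build_arp_frame(bcast, host, ARP_REQUEST, host, "0.0.0.0", zero, "10.1.100.10"),
        "sender_mismatch": build_arp_frame(host, "00:e0:fc:ba:d0:01", ARP_REPLY, gw, "10.1.100.1", host, "10.1.100.10"),
        "multicast_sender": build_arp_frame(bcast, host, ARP_REQUEST, host, "224.0.0.1", zero, "10.1.100.1"),
        "reply_bcast_target": build_arp_frame(host, gw, ARP_REPLY, gw, "10.1.100.1", host, "255.255.255.255"),
    }
    return {name: packet_check(f, ALL_ITEMS) for name, f in frames.items()}


if __name__ == "__main__":
    for name, (ok, why) in run_demo().items():
        print(f"{name}: {'pass' if ok else 'discard'} ({why})")
```

The probe case is the caveat to weigh before enabling the ip check item on an access port: RFC 5227 address-conflict probes carry a sender IP of 0.0.0.0 and are classified as invalid here, so hosts that probe before using a DHCP lease will have those probes dropped.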
Precautions
Generally, packets with different source and destination MAC addresses in the ARP
packet and Ethernet frame header are allowed by the ARP protocol. When an
attack occurs, capture and analyze packets. If the attack is initiated by using
inconsistent source or destination MAC addresses in the ARP packet and Ethernet
frame header, enable ARP packet validity check based on the source or destination
MAC address.
If you run the arp anti-attack packet-check sender-mac command multiple
times, all the check items specified in these commands take effect.
Example
# Enable ARP packet validity check and configure the device to check the source
MAC address in an ARP packet.
<HUAWEI> system-view
[HUAWEI] arp anti-attack packet-check sender-mac
Format
Parameters
Parameter Description Value
Views
System view, VLAN view, Ethernet interface view, GE interface view, XGE interface
view, 25GE interface view, MultiGE interface view, 40GE interface view, 100GE
interface view, port group view, Eth-Trunk interface view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After rate limit on ARP packets is enabled, run the arp anti-attack rate-limit
command to set the maximum rate and rate limiting duration of ARP packets
globally, in a VLAN, or on an interface. In the rate limiting duration, if the number
of received ARP packets exceeds the limit, the device discards the excess ARP
packets.
If the parameter block-timer timer is specified, the device discards all ARP packets
received in the duration specified by timer.
Prerequisites
Rate limit on ARP packets has been enabled globally, in a VLAN, or on an interface
using the arp anti-attack rate-limit enable command.
Precautions
If the maximum rate and rate limiting duration are configured in the system view,
VLAN view, and interface view at the same time, the device uses the
configurations in the interface view, VLAN view, and system view in order.
NOTE
The arp anti-attack rate-limit command takes effect only on ARP packets sent to the CPU
for processing in none-block mode, and does not affect ARP packet forwarding by the chip.
In block mode, the device discards subsequent ARP packets on an interface only when the
number of ARP packets sent to the CPU exceeds the limit.
Example
# Configure Layer 2 interface GE0/0/1 to allow 200 ARP packets to pass through
in 10 seconds, and configure GE0/0/1 to discard all ARP packets in 60 seconds
when the number of ARP packets exceeds the limit.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit enable
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit packet 200 interval 10 block-timer 60
# Configure Layer 3 interface GE0/0/1 to allow 200 ARP packets to pass through
in 10 seconds, and configure GE0/0/1 to discard all ARP packets in 60 seconds
when the number of ARP packets exceeds the limit.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit enable
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit packet 200 interval 10 block-timer 60
Function
The arp anti-attack rate-limit alarm enable command enables the alarm
function for ARP packets discarded when the rate of ARP packets exceeds the
limit.
The undo arp anti-attack rate-limit alarm enable command disables the alarm
function for ARP packets discarded when the rate of ARP packets exceeds the
limit.
By default, the alarm function for ARP packets discarded when the rate of ARP
packets exceeds the limit is disabled.
Format
arp anti-attack rate-limit alarm enable
Parameters
None
Views
System view, VLAN view, Ethernet interface view, GE interface view, 40GE interface
view, XGE interface view, 25GE interface view, 100GE interface view, MultiGE
interface view, port group view, Eth-Trunk interface view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After rate limit on ARP packets is enabled, if you want the device to generate
alarms for excessive discarded ARP packets, run the arp anti-attack rate-limit
alarm enable command. When the number of discarded ARP packets exceeds the
alarm threshold, the device generates an alarm.
You can set the alarm threshold using the arp anti-attack rate-limit alarm
threshold command.
Prerequisites
Rate limit on ARP packets has been enabled using the arp anti-attack rate-limit
enable command.
Example
# Enable rate limit on ARP packets globally and enable the alarm function.
<HUAWEI> system-view
[HUAWEI] arp anti-attack rate-limit enable
[HUAWEI] arp anti-attack rate-limit alarm enable
# Enable rate limit for the ARP packets on Layer 2 interface GE0/0/1 and enable
the alarm function.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit enable
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit alarm enable
# Enable rate limit for the ARP packets on Layer 3 interface GE0/0/1 and enable
the alarm function.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit enable
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit alarm enable
Function
The arp anti-attack rate-limit alarm threshold command sets the alarm
threshold of ARP packets discarded when the rate of ARP packets exceeds the
limit.
The undo arp anti-attack rate-limit alarm threshold command restores the
default alarm threshold.
By default, the alarm threshold of ARP packets discarded when the rate of ARP
packets exceeds the limit is 100.
Format
arp anti-attack rate-limit alarm threshold threshold
Parameters
Parameter Description Value
Views
System view, VLAN view, Ethernet interface view, GE interface view, 40GE interface
view, XGE interface view, 25GE interface view, 100GE interface view, MultiGE
interface view, port group view, Eth-Trunk interface view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
You can use the arp anti-attack rate-limit alarm threshold command to set the
alarm threshold. When the number of discarded ARP packets exceeds the alarm
threshold, the device generates an alarm.
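The rate limit, block timer, alarm switch and alarm threshold described in this and the two preceding command sections, combined into one added Python model (not Huawei code; the switch's counters are not documented here). The values packet 200 interval 10 block-timer 60 are the ones used in the page's examples, the threshold default of 100 is the page's default, and the 260-packet burst is constructed. Two details are assumptions: a fixed counting window that restarts every interval, and one alarm per window, raised the first time the discard count in that window exceeds the threshold.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ArpRateLimiter:
    """Model of arp anti-attack rate-limit packet <n> interval <t> [block-timer <b>]
    together with arp anti-attack rate-limit alarm enable / alarm threshold."""
    packet_limit: int
    interval: float
    block_timer: Optional[float] = None   # None = none-block mode
    alarm_enabled: bool = False
    alarm_threshold: int = 100            # page default
    # internal state
    window_start: float = 0.0
    count: int = 0
    discarded_in_window: int = 0
    blocked_until: Optional[float] = None
    alarms: List[str] = field(default_factory=list)

    def _new_window(self, now: float) -> None:
        self.window_start = now
        self.count = 0
        self.discarded_in_window = 0

    def _discard(self, now: float) -> bool:
        self.discarded_in_window += 1
        # Assumption: one alarm per window, when discards first exceed the threshold.
        if self.alarm_enabled and self.discarded_in_window == self.alarm_threshold + 1:
            self.alarms.append(f"t={now:.2f}s: discarded ARP packets exceeded threshold {self.alarm_threshold}")
        return False

    def admit(self, now: float) -> bool:
        """Return True if an ARP packet arriving at time `now` is sent to the CPU."""
        if self.blocked_until is not None:
            if now < self.blocked_until:
                return self._discard(now)          # block mode: everything is dropped
            self.blocked_until = None
            self._new_window(now)
        elif now - self.window_start >= self.interval:
            self._new_window(now)
        self.count += 1
        if self.count > self.packet_limit:
            if self.block_timer is not None:
                self.blocked_until = now + self.block_timer
            return self._discard(now)
        return True


def simulate(limiter: ArpRateLimiter, arrivals: List[float]) -> Dict[str, int]:
    passed = sum(1 for t in arrivals if limiter.admit(t))
    return {"passed": passed, "discarded": len(arrivals) - passed}


def run_demo() -> Dict[str, object]:
    burst = [i * 0.01 for i in range(260)]   # constructed: 260 ARP packets within 2.6 s
    out: Dict[str, object] = {}
    # none-block mode: only the excess in the window is dropped
    nb = ArpRateLimiter(packet_limit=200, interval=10)
    out["none_block_burst"] = simulate(nb, burst)
    out["none_block_next_interval"] = nb.admit(10.5)
    # block mode: once the limit is exceeded, all ARP packets are dropped for 60 s
    bl = ArpRateLimiter(packet_limit=200, interval=10, block_timer=60)
    out["block_burst"] = simulate(bl, burst)
    out["block_next_interval"] = bl.admit(10.5)
    out["block_after_timer"] = bl.admit(70.0)
    # alarm threshold 50: the 60 discards in the burst exceed it once
    al = ArpRateLimiter(packet_limit=200, interval=10, alarm_enabled=True, alarm_threshold=50)
    simulate(al, burst)
    out["alarm_count"] = len(al.alarms)
    return out


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The block_next_interval case is the operational difference between the two modes: in none-block mode a legitimate host recovers at the next interval, while in block mode every ARP packet on that interface, including the legitimate ones, is lost until the block timer expires, so size the timer to the incident response time you can actually meet.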
Prerequisites
Rate limit on ARP packets has been enabled using the arp anti-attack rate-limit
enable command, and the alarm function has been enabled using the
arp anti-attack rate-limit alarm enable command.
Example
# Enable rate limit on ARP packets globally, enable the alarm function, and set the
alarm threshold to 50.
<HUAWEI> system-view
[HUAWEI] arp anti-attack rate-limit enable
[HUAWEI] arp anti-attack rate-limit alarm enable
[HUAWEI] arp anti-attack rate-limit alarm threshold 50
# Enable rate limit for the ARP packets on Layer 2 interface GE0/0/1, enable the
alarm function, and set the alarm threshold to 50.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit enable
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit alarm enable
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit alarm threshold 50
# Enable rate limit for the ARP packets on Layer 3 interface GE0/0/1, enable the
alarm function, and set the alarm threshold to 50.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit enable
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit alarm enable
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit alarm threshold 50
Format
arp anti-attack rate-limit enable
undo arp anti-attack rate-limit enable
Parameters
None
Views
System view, VLAN view, Ethernet interface view, GE interface view, 40GE interface
view, XGE interface view, 25GE interface view, 100GE interface view, MultiGE
interface view, port group view, Eth-Trunk interface view
Default Level
2: Configuration level
Usage Guidelines
The device does not have sufficient CPU resources to process other services when
it is processing a large number of ARP packets. To protect the CPU resources of
the device, limit the rate of ARP packets.
You can run the arp anti-attack rate-limit enable command to enable rate limit
on ARP packets. When the rate of ARP packets exceeds the limit, excess ARP
packets are discarded. To set the rate limit and rate limiting duration of ARP
packets, run the arp anti-attack rate-limit command.
After the optimized ARP reply function (disabled by default) is enabled using the
undo arp optimized-reply disable command, rate limiting on ARP packets
globally, in a VLAN, or on an interface does not take effect.
Example
# Enable rate limit on ARP packets globally.
<HUAWEI> system-view
[HUAWEI] arp anti-attack rate-limit enable
# Enable rate limit for the ARP packets on Layer 2 interface GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit enable
# Enable rate limit for the ARP packets on Layer 3 interface GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit enable
Format
arp trust source ip-address
undo arp trust source { ip-address | all }
Parameters
Views
Ethernet interface view, GE interface view, XGE interface view, 25GE interface view,
MultiGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk
interface view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
If an attacker poses as a gateway to send ARP packets, other users on the network
consider the attacker to be the gateway, causing a communication interruption
between authorized users and the gateway. This situation also occurs if a user
incorrectly sets the host IP address to the gateway address. To prevent such bogus
gateway attacks, configure ARP gateway protection on the device's interfaces
connected to the gateway. When ARP packets from a gateway address reach the
device:
● The interfaces with gateway protection enabled can receive and forward the
ARP packets.
● The interfaces without gateway protection enabled discard the ARP packets.
Precautions
Example
# Enable ARP gateway protection on GE0/0/1 and set the protected gateway IP
address to 10.10.10.1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp trust source 10.10.10.1
Format
arp gratuitous-arp send enable
undo arp gratuitous-arp send enable
Parameters
None
Views
System view, VLANIF interface view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
If an attacker forges the gateway address to send ARP packets to other user hosts,
ARP entries on the hosts record the incorrect gateway address. As a result, the
gateway cannot receive data sent from the hosts. You can enable gratuitous ARP
packet sending on the gateway. Then the gateway sends gratuitous ARP packets
at intervals to update the ARP entries of authorized users so that the ARP entries
contain the correct MAC address of the gateway.
By default, the device sends a gratuitous ARP packet every 60 seconds after this
function is enabled. You can also set the interval using the arp gratuitous-arp
send interval command.
Precautions
After you run the arp gratuitous-arp send enable command in the system view,
gratuitous ARP packet sending is enabled on all VLANIF interfaces.
After you run the undo arp gratuitous-arp send enable command in the system
view, gratuitous ARP packet sending is disabled on all VLANIF interfaces.
Example
# Enable gratuitous ARP packet sending on VLANIF 10.
<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] arp gratuitous-arp send enable
Format
arp gratuitous-arp send interval interval-time
undo arp gratuitous-arp send interval
Parameters
Parameter Description Value
Views
System view, VLANIF interface view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
By default, the device sends a gratuitous ARP packet every 60 seconds after
gratuitous ARP sending is enabled. You can set the interval for sending gratuitous
ARP packets using the arp gratuitous-arp send interval command.
If you set the interval in the system view, the configuration takes effect on all
VLANIF interfaces. If you set the interval in both the system view and VLANIF
interface view, the configuration on the VLANIF interface takes precedence over
the global configuration.
Prerequisites
Gratuitous ARP packet sending has been enabled using the arp gratuitous-arp
send enable command.
Example
# Set the interval for sending gratuitous ARP packets to 100 seconds on VLANIF
10.
<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] arp gratuitous-arp send enable
[HUAWEI-Vlanif10] arp gratuitous-arp send interval 100
Format
arp learning dhcp-trigger
undo arp learning dhcp-trigger
Parameters
None
Views
VLANIF interface view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When many DHCP users connect to a network device, the device needs to learn
and maintain many ARP entries. This affects device performance.
To address this issue, you can configure ARP learning triggered by DHCP on the
gateway. When the DHCP server assigns an IP address to a user, the device
generates a DHCP snooping binding table and generates an ARP entry for the user
based on the binding table. When DHCP snooping binding entries are deleted, ARP
entries are also deleted.
Prerequisites
● DHCP has been enabled globally using the dhcp enable command in the
system view.
● DHCP snooping has been enabled globally using the dhcp snooping enable
command in the system view.
● DHCP snooping has been enabled using the dhcp snooping enable command
in the view of the interface or VLAN through which a user goes online.
Precautions
When both VRRP and DHCP relay are configured on the network, neither the dhcp
snooping enable command nor the arp learning dhcp-trigger command can be
configured on the VRRP master and backup devices.
The VLANIF interface must be assigned an IP address on the same network
segment as that of a user.
DHCP snooping for wireless users is deployed on APs. The AC enabled with DHCP
snooping does not process DHCP packets of wireless users. Therefore, ARP
learning takes effect only for wired users.
Example
# Enable ARP learning triggered by DHCP on VLANIF 100 and assign an IP address
on the same network segment as that of a user.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] vlan 100
[HUAWEI-vlan100] dhcp snooping enable
[HUAWEI-vlan100] quit
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip address 10.1.0.1 255.255.255.0
[HUAWEI-Vlanif100] arp learning dhcp-trigger
Format
arp learning disable
undo arp learning disable
Parameters
None
Views
VLANIF interface view, VBDIF interface view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To ensure security and facilitate management, you can enable or disable dynamic
ARP entry learning on an interface. You can also use the arp learning strict
command (in the system view or the interface view) to strictly control ARP entry
learning on an interface.
Precautions
If an interface is disabled from learning ARP entries, the network will be
interrupted.
If an interface has learned some dynamic ARP entries, the system does not delete
these entries after the interface is disabled from learning dynamic ARP entries. You
can either retain these learned dynamic ARP entries or delete them manually using
the reset arp command.
Example
# Disable VLANIF10 from learning dynamic ARP entries.
<HUAWEI> system-view
[HUAWEI] vlan 10
[HUAWEI-vlan10] quit
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] arp learning disable
Function
The arp learning strict command enables strict ARP learning on the interface.
The undo arp learning strict command restores the global configuration on the
interface.
By default, strict ARP learning is disabled on the interface.
Format
arp learning strict { force-enable | force-disable | trust }
undo arp learning strict
Parameters
Parameter Description Value
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To avoid the problems described for the system-view arp learning strict
command, enable strict ARP learning on the gateway. When this function is
enabled, the device learns ARP entries only from ARP Reply packets that answer
ARP Request packets it sent itself, and does not learn ARP entries from ARP
packets received from other devices. In this way, the device can defend against
most ARP attacks.
Prerequisites
NOTE
Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6735-S, S6720-EI, S6720S-EI,
S6730-H, S6730S-H, S6730-S, and S6730S-S support switching between Layer 2 and Layer 3
modes.
Precautions
When ARP attacks occur on many interfaces of the device, you can run the arp
learning strict command to enable strict ARP learning globally.
Example
# Enable strict ARP learning on VLANIF 100.
<HUAWEI> system-view
[HUAWEI] vlan 100
[HUAWEI-vlan100] quit
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] arp learning strict force-enable
Function
The arp learning strict command enables strict ARP learning.
The undo arp learning strict command disables strict ARP learning.
By default, strict ARP learning is disabled.
Format
arp learning strict
undo arp learning strict
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
If many user hosts send a large number of ARP packets to a device
simultaneously, or attackers send bogus ARP packets to the device, the following
problems occur:
● Processing ARP packets consumes many CPU resources. The device learns
many invalid ARP entries, which exhaust ARP entry resources and prevent the
device from learning ARP entries for ARP packets from authorized users.
Consequently, communication of authorized users is interrupted.
● After receiving bogus ARP packets, the device incorrectly modifies the ARP
entries. As a result, authorized users cannot communicate with each other.
To avoid the preceding problems, enable strict ARP learning on the gateway. When
this function is enabled, the device learns ARP entries only from ARP Reply packets
that answer ARP Request packets it sent itself. In this way, the device can defend
against most ARP attacks.
Precautions
The configuration on an interface takes precedence over the global configuration.
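Strict ARP learning as described in this section and in the interface-view arp learning strict section above, as an added Python model (not Huawei code): a table that, in strict mode, accepts an entry only from a reply matching a request the device itself sent, beside a non-strict table that learns from any packet. The request timeout and all addresses are constructed. The effective_strict helper encodes the precedence rule stated in the Precautions; its reading of trust as "follow the global configuration" is an assumption, since the page does not define the keyword.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass
class ArpLearner:
    """ARP table of a gateway, with or without strict learning."""
    strict: bool
    request_timeout: float = 1.0                                # constructed value
    pending: Dict[str, float] = field(default_factory=dict)     # target IP -> expiry of our own request
    table: Dict[str, str] = field(default_factory=dict)         # IP -> MAC

    def send_request(self, target_ip: str, now: float) -> None:
        """The device resolves target_ip itself and remembers that it asked."""
        self.pending[target_ip] = now + self.request_timeout

    def receive(self, oper: int, sender_ip: str, sender_mac: str, now: float) -> bool:
        """Process a received ARP packet; return True if an entry was learned or updated."""
        if not self.strict:
            # Ordinary learning: any ARP packet teaches sender IP -> sender MAC,
            # which is exactly what a bogus ARP packet exploits.
            self.table[sender_ip] = sender_mac
            return True
        expiry = self.pending.get(sender_ip)
        if oper != ARP_REPLY or expiry is None or now > expiry:
            return False   # unsolicited, or answers a request never sent or already timed out
        del self.pending[sender_ip]
        self.table[sender_ip] = sender_mac
        return True


def effective_strict(global_strict: bool, interface_mode: Optional[str]) -> bool:
    """Interface configuration takes precedence over the global configuration.
    Assumption: trust (or no interface setting) follows the global value."""
    if interface_mode == "force-enable":
        return True
    if interface_mode == "force-disable":
        return False
    return global_strict


def run_demo() -> Dict[str, object]:
    out: Dict[str, object] = {}
    loose = ArpLearner(strict=False)
    strict = ArpLearner(strict=True)
    # Unsolicited reply claiming 10.1.100.10 from an unexpected MAC
    out["loose_learns_unsolicited"] = loose.receive(ARP_REPLY, "10.1.100.10", "00:e0:fc:ba:d0:01", 0.0)
    out["strict_ignores_unsolicited"] = strict.receive(ARP_REPLY, "10.1.100.10", "00:e0:fc:ba:d0:01", 0.0)
    # A host's broadcast request is not learned from in strict mode either
    out["strict_ignores_request"] = strict.receive(ARP_REQUEST, "10.1.100.11", "00:e0:fc:00:00:0b", 0.1)
    # The reply to the device's own request is learned
    strict.send_request("10.1.100.10", 1.0)
    out["strict_learns_own_reply"] = strict.receive(ARP_REPLY, "10.1.100.10", "00:e0:fc:00:00:0a", 1.2)
    # A second reply for the same IP finds no pending request and cannot overwrite the entry
    out["strict_rejects_second_reply"] = strict.receive(ARP_REPLY, "10.1.100.10", "00:e0:fc:ba:d0:01", 1.3)
    # A reply arriving after the request timed out is ignored
    strict.send_request("10.1.100.12", 5.0)
    out["strict_rejects_late_reply"] = strict.receive(ARP_REPLY, "10.1.100.12", "00:e0:fc:00:00:0c", 7.0)
    out["strict_table"] = dict(strict.table)
    out["loose_table"] = dict(loose.table)
    out["iface_force_disable"] = effective_strict(True, "force-disable")
    out["iface_trust"] = effective_strict(True, "trust")
    return out


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The two tables at the end show the defensive effect: the non-strict gateway now holds the bogus MAC for 10.1.100.10, while the strict one holds only the address it resolved itself. The cost is that the gateway never learns a host until it has a reason to send a request for it, which is why the page positions strict learning for gateways rather than for every device.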
Example
# Enable strict ARP learning.
<HUAWEI> system-view
[HUAWEI] arp learning strict
Format
arp optimized-passby enable
undo arp optimized-passby enable
NOTE
Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S,
and S6730S-S support this command.
Parameters
None
Views
VLANIF interface view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
If an interface receives a large number of ARP packets whose destination IP
addresses are different from the IP address of this interface and sends these ARP
packets to the CPU for processing, the CPU usage is high and the CPU cannot
process services properly.
To prevent this issue, you can configure the device to directly forward ARP packets
destined for other devices without sending them to the CPU. This improves the
device's capability of defending against ARP flood attacks.
Precautions
If any of the following configurations is performed, the configuration of disabling
the device from sending ARP packets destined for other devices to the CPU does
not take effect on a VLANIF interface:
● Run the arp anti-attack gateway-duplicate enable to enable ARP gateway
anti-collision.
● Run the arp ip-conflict-detect enable command to enable IP address conflict
detection.
● Run the arp anti-attack check user-bind enable command to enable the
dynamic ARP inspection (DAI) function.
● Run the dhcp snooping arp security enable command to enable the egress
ARP inspection (EAI) function.
● Run the arp over-vpls enable command to enable proxy ARP on a VPLS
network.
● Run the arp-proxy enable command to enable routed proxy ARP.
● Run the arp-proxy inner-sub-vlan-proxy enable command to enable intra-VLAN
proxy ARP.
● Run the arp-proxy inter-sub-vlan-proxy enable command to enable inter-VLAN
proxy ARP.
● Perform a NAC-related configuration. For details, see the User Access and
Authentication Configuration Guide.
Example
# Configure the device to send ARP packets destined for other devices to the CPU.
<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] undo arp optimized-passby enable
Format
arp optimized-reply disable
undo arp optimized-reply disable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When a stack of multiple switches functions as an access gateway, the stack can
receive a large number of ARP packets requesting the stack's interface MAC
address. If all these ARP Request packets are sent to the master switch, the CPU
usage of that switch increases, and other services are affected.
To address the preceding problem, enable optimized ARP reply, which improves
the switch's capability of defending against ARP flood attacks. After this function
is enabled, the stack performs the following operations:
● When receiving an ARP Request packet of which the destination IP address is
the local interface address, the switch where the interface is located directly
returns an ARP Reply packet.
● When a stack system receives an ARP Request packet of which the destination
IP address is not the local interface address and intra-VLAN proxy ARP is
enabled on the master switch, the switch where the interface is located
checks whether the ARP Request packet meets the proxy condition. If so, the
switch returns an ARP Reply packet. If not, the switch discards the packet.
NOTE
The optimized ARP reply function can be configured on a stand-alone fixed switch, but does
not take effect.
By default, the optimized ARP reply function is enabled. After a device receives an
ARP Request packet, the device checks whether an ARP entry corresponding to the
source IP address of the ARP Request packet exists.
● If there is a corresponding ARP entry, the stack performs optimized ARP reply
to this ARP Request packet.
● If there is no corresponding ARP entry, the stack does not perform optimized
ARP reply to this ARP Request packet.
Precautions
● The optimized ARP reply function does not take effect for ARP Request
packets with double VLAN tags.
● The optimized ARP reply function takes effect for ARP Request packets sent
by wireless users.
● The optimized ARP reply function takes effect only for the ARP Request
packets received by VLANIF interfaces, VBDIF interfaces, Eth-Trunk
sub-interfaces, and physical sub-interfaces. The optimized ARP reply function
does not take effect for the ARP Request packets sent from the VLANIF
interfaces of super VLANs. The optimized ARP reply function takes effect for
the ARP Request packets sent from the VLANIF interfaces of MUX VLANs, but
it does not take effect when the ARP Request packet carries the Group VLAN or
Separate VLAN.
NOTE
The optimized ARP reply function takes effect only for the ARP Request packets
received by the Eth-Trunk sub-interfaces and physical sub-interfaces of the S5731-H,
S5731-S, S5731S-H, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S.
● The optimized ARP reply function does not take effect globally or on
interfaces after you run any of the following commands:
– ip address ip-address { mask | mask-length } sub: configures secondary
IP addresses for interfaces.
– arp anti-attack gateway-duplicate enable: enables the ARP gateway
anti-collision function.
– arp ip-conflict-detect enable: enables IP address conflict detection.
– arp anti-attack check user-bind enable: enables dynamic ARP
inspection (DAI).
NOTE
When DAI is enabled in the physical interface view, the optimized ARP reply
function does not take effect on the device where the physical interface resides.
When DAI is enabled in the Eth-Trunk view or VLAN view, the optimized ARP
reply function does not take effect globally.
– dhcp snooping arp security enable: enables egress ARP inspection (EAI).
– arp over-vpls enable: enables ARP proxy on the device on a VPLS
network.
– arp-proxy enable: configures the routed ARP proxy function.
– arp-proxy inter-sub-vlan-proxy enable: enables the inter-VLAN proxy ARP
function.
● After the optimized ARP reply function is enabled, the following functions
become invalid:
– ARP rate-limiting based on source MAC addresses (configured using the
arp speed-limit source-mac command)
– ARP rate-limiting based on source IP addresses (configured using the arp
speed-limit source-ip command)
– Global ARP rate-limiting, ARP rate-limiting in VLANs, as well as ARP rate-
limiting on interfaces (configured using the arp anti-attack rate-limit
enable command)
Example
# Disable the optimized ARP reply function.
<HUAWEI> system-view
[HUAWEI] arp optimized-reply disable
Function
The arp over-vpls enable command enables ARP proxy on a device in a VPLS
network.
The undo arp over-vpls enable command disables ARP proxy on a device in a
VPLS network.
NOTE
Only the S5731-H, S5731S-H, S5732-H, S6730S-H, and S6730-H support this command.
Format
arp over-vpls enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To prevent bogus ARP packets at the PW side from being broadcast to the AC side
on a VPLS network, enable ARP proxy over VPLS on a PE.
ARP packets at the PW side are sent to the CPU for processing.
● If the ARP packets are ARP request packets and the destination IP addresses
in the packets match DHCP snooping binding entries, the device constructs
ARP reply packets based on the DHCP snooping binding entries and sends
them to the requester at the PW side.
● If the ARP packets are not ARP request packets or the destination IP addresses
in the packets match no DHCP snooping binding entry, the device forwards
these ARP packets to the destination.
Precautions
Before using this command, ensure that DHCP snooping on the device in a VPLS
network is enabled using the dhcp snooping over-vpls enable command.
After DAI is configured, the function of disabling the VLANIF interface from
sending ARP packets destined for other devices to the CPU is ineffective on the
VLANIF interface.
Example
# Enable ARP proxy on a device in a VPLS network.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping over-vpls enable
[HUAWEI] arp over-vpls enable
Function
The arp snooping anti-attack check enable command enables ARP snooping
detection on an interface.
The undo arp snooping anti-attack check enable command disables ARP
snooping detection on an interface.
Format
arp snooping anti-attack check enable
Parameters
None
Views
Ethernet interface view, GE interface view, XGE interface view, 25GE interface view,
MultiGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk
interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Prerequisites
Before running this command, ensure that you have completed the following
configurations:
1. Run the arp snooping enable command in the system view to enable ARP
snooping globally.
2. Run the arp snooping anti-attack entry-check enable command in the
system view to enable ARP snooping entry fixing.
3. Run the arp snooping enable command in the interface view to enable ARP
snooping on an interface.
Example
# Enable ARP snooping detection on GE0/0/1.
<HUAWEI> system-view
[HUAWEI] arp snooping enable
[HUAWEI] arp snooping anti-attack entry-check fixed-mac enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp snooping enable
[HUAWEI-GigabitEthernet0/0/1] arp snooping anti-attack check enable
Function
The arp snooping anti-attack entry-check enable command enables ARP
snooping entry fixing.
The undo arp snooping anti-attack entry-check enable command disables ARP
snooping entry fixing.
Format
arp snooping anti-attack entry-check { fixed-mac | fixed-all | send-ack }
enable
undo arp snooping anti-attack entry-check [ fixed-mac | fixed-all | send-ack ]
enable
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
If an attacker forges ARP packets, the device learns incorrect ARP snooping entries.
As a result, users cannot receive data packets. To prevent this problem, you can
enable the ARP snooping entry fixing function on the device. Once the device
enabled with this function learns an ARP snooping entry, it does not update the
ARP snooping entry, only updates some information in the ARP snooping entry, or
sends a unicast ARP Request packet to check the validity of the new ARP snooping
entry. The device provides three ARP snooping entry fixing modes, which are
applicable to different scenarios.
● fixed-mac: This mode applies to networks where user MAC addresses are
unchanged but user access locations often change. When a user connects to a
different interface on the device, the device promptly updates the interface
information in the user's ARP snooping entry.
● fixed-all: This mode applies to networks where user MAC addresses and user
access locations are fixed.
● send-ack: This mode applies to networks where user MAC addresses and user
access locations often change.
Prerequisites
ARP snooping has been enabled by running the arp snooping enable command
in the system view.
Precautions
● An ARP snooping entry is created based on the source IP address and VLAN
information of an ARP packet. Therefore, ARP snooping entry fixing is
performed only when the source IP address and VLAN information of an ARP
packet are the same as those in an existing ARP snooping entry.
● The three ARP snooping entry fixing modes are mutually exclusive.
● Before disabling ARP snooping entry fixing, ensure that ARP snooping
detection is disabled on all interfaces.
Example
# Enable ARP snooping entry fixing and specify the fixed-mac mode.
<HUAWEI> system-view
[HUAWEI] arp snooping enable
[HUAWEI] arp snooping anti-attack entry-check fixed-mac enable
Function
The arp snooping enable command enables ARP snooping.
Format
arp snooping enable
undo arp snooping enable
Parameters
None
Views
System view, VLAN view, Ethernet interface view, GE interface view, XGE interface
view, 25GE interface view, MultiGE interface view, 40GE interface view, 100GE
interface view, Eth-Trunk interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
During video network O&M, the NMS needs to obtain the IP addresses and MAC
addresses of NEs to draw a network topology for subsequent O&M. For LLDP-
incapable NEs, you can configure the ARP snooping function on the access switch.
This function enables the device to obtain the IP addresses and MAC addresses of
NEs from the ARP packets sent from the NEs, and generate ARP snooping entries.
After ARP snooping is enabled, the device sends the received ARP packets to the
CPU. The CPU analyzes the ARP packets to obtain the source IP address, source
MAC address, VLAN ID, and inbound interface of the packets, and creates an ARP
snooping entry to record user information.
After an ARP snooping entry is created, it ages after 900 seconds by default. An
ARP snooping entry is created based on the source IP address and VLAN
information of an ARP packet. If no ARP snooping entry matches the source IP
address and VLAN information of a received ARP packet, the device creates a new
ARP snooping entry. If the source IP address and VLAN information of a received
ARP packet are the same as those in an existing ARP snooping entry, the device
updates the MAC address and interface information in the entry and resets the
aging timer.
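The entry rule just described (entries keyed by source IP address and VLAN, MAC and interface overwritten on every match, aging after 900 seconds) and the three fixing modes of the arp snooping anti-attack entry-check command above are modelled in the following Python example. It is an added example written for this page, not Huawei code. The keying and the 900-second aging follow the text; how send-ack decides which binding to keep (probe the existing binding and keep it if it answers) is an assumption about the device behaviour.

```python
"""Model of an ARP snooping table with the three entry-fixing modes.
Added example for this page; not Huawei code. Entry keying (source IP, VLAN)
and the 900 s default aging follow the text; the send-ack probe handling is
an assumption about how the device decides which binding to keep."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

AGING_SECONDS = 900  # default ARP snooping entry aging time (from the page)


@dataclass
class SnoopEntry:
    ip: str
    vlan: int
    mac: str
    interface: str
    expires_at: float


class ArpSnoopingTable:
    def __init__(self, fix_mode: Optional[str] = None) -> None:
        # fix_mode: None (plain ARP snooping), "fixed-mac", "fixed-all" or "send-ack"
        if fix_mode not in (None, "fixed-mac", "fixed-all", "send-ack"):
            raise ValueError(f"unknown fixing mode {fix_mode!r}")
        self.fix_mode = fix_mode
        self.entries: Dict[Tuple[str, int], SnoopEntry] = {}
        # send-ack: bindings waiting for the unicast probe result, key -> (mac, interface)
        self.pending: Dict[Tuple[str, int], Tuple[str, str]] = {}

    def learn(self, ip: str, vlan: int, mac: str, interface: str, now: float) -> str:
        """Process one ARP packet punted to the CPU; return what the table did."""
        self._age(now)
        key = (ip, vlan)
        entry = self.entries.get(key)
        if entry is None:  # no entry matches (source IP, VLAN): create one
            self.entries[key] = SnoopEntry(ip, vlan, mac, interface, now + AGING_SECONDS)
            return "created"
        changed = mac != entry.mac or interface != entry.interface
        if self.fix_mode is None:  # plain snooping: overwrite MAC and interface, reset timer
            entry.mac, entry.interface = mac, interface
            entry.expires_at = now + AGING_SECONDS
            return "updated" if changed else "refreshed"
        if self.fix_mode == "fixed-mac":
            if mac != entry.mac:
                return "dropped"          # the MAC may not change
            entry.interface = interface   # the access location may change
            entry.expires_at = now + AGING_SECONDS
            return "updated-interface" if changed else "refreshed"
        if self.fix_mode == "fixed-all":
            if changed:
                return "dropped"          # neither MAC nor interface may change
            entry.expires_at = now + AGING_SECONDS
            return "refreshed"
        # send-ack: a changed binding is held back until a unicast probe of the
        # existing binding goes unanswered (assumption about the probe target)
        if changed:
            self.pending[key] = (mac, interface)
            return "probe-sent"
        entry.expires_at = now + AGING_SECONDS
        return "refreshed"

    def probe_result(self, ip: str, vlan: int, old_binding_answered: bool, now: float) -> str:
        """Deliver the outcome of the unicast ARP probe sent in send-ack mode."""
        key = (ip, vlan)
        candidate = self.pending.pop(key, None)
        if candidate is None:
            return "no-probe"
        entry = self.entries.get(key)
        if entry is None:
            return "aged-out"
        if old_binding_answered:
            return "kept"                 # the old host is still there: candidate was bogus
        entry.mac, entry.interface = candidate
        entry.expires_at = now + AGING_SECONDS
        return "replaced"

    def lookup(self, ip: str, vlan: int) -> Optional[Tuple[str, str]]:
        e = self.entries.get((ip, vlan))
        return (e.mac, e.interface) if e else None

    def _age(self, now: float) -> None:
        for key in [k for k, e in self.entries.items() if e.expires_at <= now]:
            del self.entries[key]
            self.pending.pop(key, None)


def demo() -> List[str]:
    """Constructed scenario: a host, a port move, a forged packet for its IP, then aging."""
    t = ArpSnoopingTable("fixed-mac")
    out = [t.learn("10.1.1.5", 10, "00e0-fc12-3456", "GE0/0/1", 0)]
    out.append(t.learn("10.1.1.5", 10, "00e0-fc12-3456", "GE0/0/2", 1))  # moved port: allowed
    out.append(t.learn("10.1.1.5", 10, "00e0-fcde-ad00", "GE0/0/3", 2))  # forged MAC: dropped
    out.append(t.learn("10.1.1.5", 10, "00e0-fcde-ad00", "GE0/0/3", 2 + AGING_SECONDS))
    return out


if __name__ == "__main__":
    print(demo())
```

The last call in demo() shows the remaining exposure: once the legitimate entry ages out, the forged binding is learned as a fresh entry, which is why fixing is paired with ARP snooping detection on the interface rather than used on its own.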
Precautions
● You must enable ARP snooping in the system view, and then enable ARP
snooping in a VLAN or on an interface.
● When a switch is managed by the analyzer, you need to enable ARP snooping
globally and on an interface so that the analyzer can parse user access port
information.
Example
# Enable ARP snooping on GE0/0/1.
<HUAWEI> system-view
[HUAWEI] arp snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp snooping enable
Format
arp snooping detect default-ip ip-address
undo arp snooping detect default-ip
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After generating ARP snooping entries, the device performs ARP probe on the
entries that are about to be aged out. By default, the device sends ARP probe
packets with the source IP address being 0.0.0.0. After a terminal obtains an IP
address when going online, it also sends an ARP probe packet with the source IP
address being all 0s to check whether the obtained IP address conflicts with other
IP addresses. If the terminal receives an all-0 ARP packet, the terminal considers
that an IP address conflict occurs and therefore re-applies for an IP address. In this
case, you need to run this command to change the source IP address of the
device's ARP probe packets to prevent terminals from repeatedly applying for IP
addresses.
Configuration Impact
If this command is run more than once, the latest configuration overrides the
previous one.
Precautions
You are advised to set the IP address to be different from the IP address of the
user gateway.
Example
# Set the source IP address of ARP probe packets to 10.1.1.1.
<HUAWEI> system-view
[HUAWEI] arp snooping detect default-ip 10.1.1.1
Function
The arp snooping detect ignored-ip command configures the device not to
perform ARP probe for ARP snooping entries of a specified IP address.
The undo arp snooping detect ignored-ip command restores the default setting.
By default, the device performs ARP probe for ARP snooping entries of all IP
addresses.
Format
arp snooping detect ignored-ip ip-address
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
The device performs ARP probe for the generated ARP snooping entries that are
about to age. Specifically, it sends ARP probe packets with the source IP addresses
being all 0s and the destination IP addresses being the IP addresses of the entries
that are about to age. If the peer device is a gateway, it identifies the received ARP
packets as gratuitous ARP packets sent by itself, performs IP address conflict
detection, and frequently generates conflict alarms and logs. To prevent this
problem, you can run the arp snooping detect ignored-ip command to configure
the device not to perform ARP probe for ARP snooping entries of a specified IP
address.
Example
# Disable ARP probe for ARP snooping entries of the IP address 10.1.1.1.
<HUAWEI> system-view
[HUAWEI] arp snooping detect ignored-ip 10.1.1.1
Function
The arp speed-limit source-mac command sets the maximum rate of ARP
packets based on source MAC addresses.
The undo arp speed-limit source-mac command restores the default setting.
By default, the maximum rate of ARP packets from each source MAC address is
set to 0, that is, the rate of ARP packets is not limited based on source MAC
addresses.
NOTE
Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S1730S-H, S2730S-S, S5735-L-I,
S5735-L1, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S6735-S,
S6720-EI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support this command.
Format
arp speed-limit source-mac [ mac-address ] maximum maximum
undo arp speed-limit source-mac [ mac-address ]
Parameters
Parameter Description Value
mac-address: Specifies the source MAC address. If this parameter is specified,
the rate of ARP packets from that MAC address is limited. If this parameter is
not specified, the rate of ARP packets from each MAC address is limited.
Value: The value is in the H-H-H format. H is a hexadecimal number of 1 to 4
digits.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When processing a large number of ARP packets with fixed source MAC addresses
but variable source IP addresses, the CPU is overloaded and ARP entries are
exhausted. To prevent this problem, limit the rate of ARP packets based on source
MAC addresses.
After the arp speed-limit source-mac command is run, the device collects
statistics on ARP packets from each (or the specified) source MAC address. If the
number of ARP packets from a source MAC address per second exceeds the
threshold, the device discards the excess ARP packets.
Precautions
Limiting the rate of all ARP packets is not recommended. You are advised to find
out the attack source according to packet statistics, and then limit the rate of ARP
packets from the specified source MAC address.
If the source MAC address is not specified, the rate of ARP packets from each MAC
address is limited. If the rate of ARP packets from each source IP address is set
using the arp speed-limit source-ip command at the same time and the rate is
the same as that set using the arp speed-limit source-mac command, both
commands take effect. When receiving ARP packets from a fixed source, the
device limits the rate of these packets based on the maximum rate set by the arp
speed-limit source-mac command.
When the optimized ARP reply function is enabled (it is enabled by default; run
undo arp optimized-reply disable to re-enable it after it has been disabled),
rate limiting on ARP packets based on the source MAC address does not take
effect.
Example
# Set the maximum rate of ARP packets from any source MAC address to 100 pps.
<HUAWEI> system-view
[HUAWEI] arp speed-limit source-mac maximum 100
# Set the maximum rate of ARP packets from a specified MAC address 0-0-1 to 50
pps.
<HUAWEI> system-view
[HUAWEI] arp speed-limit source-mac 0-0-1 maximum 50
Format
arp speed-limit source-ip [ ip-address ] maximum maximum
undo arp speed-limit source-ip [ ip-address ]
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When processing a large number of ARP packets with fixed IP addresses (for
example, the ARP packets with the same source IP addresses but frequently
changing MAC addresses or outbound interfaces), the CPU is overloaded and
cannot process other services. To prevent this problem, limit the rate of ARP
packets based on the source IP address.
After the arp speed-limit source-ip command is run, the device collects statistics
on ARP packets based on the source IP address. If the number of ARP packets
from a specified source IP address per second exceeds the threshold, the device
discards the excess ARP packets.
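The following Python example models the per-second counters behind both arp speed-limit source-mac (described above) and arp speed-limit source-ip (this section): a limit for a specific address overriding the "each address" limit, a value of 0 meaning no limit, and the per-source packet statistics the precautions tell you to consult before limiting anything. It is an added example, not Huawei code; the rule that a packet must pass both the MAC and the IP limit is the example's own assumption. The flood it generates is constructed: one source MAC sending a different source IP in every packet, the pattern that exhausts ARP entries.

```python
"""Per-source ARP rate limiting as described for arp speed-limit source-mac /
source-ip. Added example, not Huawei code. Assumptions: counters are per
wall-clock second; a packet must pass both limits; 0 means no limit."""
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple


class ArpSpeedLimiter:
    def __init__(self) -> None:
        # Limits keyed by address; key None is the "each address" default
        self.limits: Dict[str, Dict[Optional[str], int]] = {"mac": {}, "ip": {}}
        self._counts: Dict[Tuple[str, str, int], int] = defaultdict(int)
        self.dropped: Counter = Counter()  # (kind, address) -> discarded packets
        self.seen: Counter = Counter()     # source MAC -> packets seen (statistics)

    def set_limit(self, kind: str, address: Optional[str], maximum: int) -> None:
        """kind is 'mac' or 'ip'; address None configures the limit for every source."""
        if kind not in self.limits:
            raise ValueError(kind)
        if maximum == 0:
            self.limits[kind].pop(address, None)  # 0 = rate not limited
        else:
            self.limits[kind][address] = maximum

    def _limit_for(self, kind: str, address: str) -> int:
        table = self.limits[kind]
        return table[address] if address in table else table.get(None, 0)

    def accept(self, src_mac: str, src_ip: str, t: float) -> bool:
        """True if the ARP packet may be sent to the CPU, False if it is discarded."""
        self.seen[src_mac] += 1
        second = int(t)
        checks = (("mac", src_mac), ("ip", src_ip))
        for kind, addr in checks:
            limit = self._limit_for(kind, addr)
            if limit and self._counts[(kind, addr, second)] >= limit:
                self.dropped[(kind, addr)] += 1
                return False
        for kind, addr in checks:
            self._counts[(kind, addr, second)] += 1
        return True

    def top_sources(self, n: int = 3) -> List[Tuple[str, int]]:
        """Packet statistics per source MAC: where to start looking for the attacker."""
        return self.seen.most_common(n)


def flood(limiter: ArpSpeedLimiter, src_mac: str, packets: int, pps: int = 1000) -> int:
    """Constructed attack: one MAC, a different source IP per packet, all within one second."""
    accepted = 0
    for i in range(packets):
        accepted += limiter.accept(src_mac, f"10.0.{i // 250}.{i % 250 + 1}", i / pps)
    return accepted


def compare() -> Dict[str, int]:
    """The same 500-packet flood under a per-IP limit only and under a per-MAC limit."""
    by_ip = ArpSpeedLimiter()
    by_ip.set_limit("ip", None, 100)
    by_mac = ArpSpeedLimiter()
    by_mac.set_limit("mac", None, 100)
    return {
        "per-ip limit only": flood(by_ip, "00e0-fc11-2233", 500),
        "per-mac limit": flood(by_mac, "00e0-fc11-2233", 500),
    }


if __name__ == "__main__":
    print(compare())
```

compare() makes the difference between the two commands visible: a per-IP limit never fires against a source that changes its IP address every packet, while the per-MAC limit caps it at 100 packets in that second. Conversely, a flood with a fixed IP and changing MAC addresses is the case for arp speed-limit source-ip.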
Precautions
Limiting the rate of all ARP packets is not recommended. You are advised to find
out the attack source according to packet statistics, and then limit the rate of ARP
packets from the specified source IP address.
When you confirm that the network is secure, set the rate limit to 0 to increase
ARP learning speed. After the rate limit is set to 0, the device does not limit the
ARP packet rate based on source IP addresses.
If the source IP address is not specified, the rate of ARP packets from each IP
address is limited. If the rate of ARP packets from each source MAC address is set
using the arp speed-limit source-mac command at the same time and the rate is
the same as that set using the arp speed-limit source-ip command, both
commands take effect. When receiving ARP packets from a fixed source, the
device limits the rate of these packets based on the maximum rate set by the arp
speed-limit source-mac command.
When the optimized ARP reply function is enabled (it is enabled by default; run
undo arp optimized-reply disable to re-enable it after it has been disabled),
rate limiting on ARP packets based on the source IP address does not take
effect.
Example
# Set the maximum rate of ARP packets from a source IP address to 100 pps.
<HUAWEI> system-view
[HUAWEI] arp speed-limit source-ip maximum 100
# Set the maximum rate of ARP packets from a specified IP address 10.0.0.1 to 50
pps.
<HUAWEI> system-view
[HUAWEI] arp speed-limit source-ip 10.0.0.1 maximum 50
The undo arp validate command disables MAC address consistency check in an
ARP packet on an interface.
Format
arp validate { source-mac | destination-mac } *
Parameters
Parameter Description Value
Views
Ethernet interface view, GE interface view, 40GE interface view, XGE interface view,
25GE interface view, 100GE interface view, MultiGE interface view, port group
view, Eth-Trunk interface view, VE interface view
Default Level
2: Configuration level
Usage Guidelines
The MAC address consistency check function for ARP packets prevents attacks
from bogus ARP packets in which the source and destination MAC addresses are
different from those in the Ethernet frame header. This function is usually
configured on gateways.
After the arp validate command is run, the gateway checks the MAC address
consistency in an ARP packet before ARP learning. If the source and destination
MAC addresses in an ARP packet are different from those in the Ethernet frame
header, the device discards the packet as an attack. If the source and destination
MAC addresses in an ARP packet are the same as those in the Ethernet frame
header, the device performs ARP learning.
● If source-mac is specified:
– When receiving an ARP Request packet, the device checks only the source
MAC address consistency.
– When receiving an ARP Reply packet, the device checks only the source
MAC address consistency.
● If destination-mac is specified:
– When receiving an ARP Request packet, the device does not check the
destination MAC address consistency because the ARP Request packet is
broadcast.
– When receiving an ARP Reply packet, the device checks the destination
MAC address consistency.
● If source-mac and destination-mac are specified:
– When receiving an ARP Request packet, the device checks only the source
MAC address consistency.
– When receiving an ARP Reply packet, the device checks the source and
destination MAC address consistency.
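The check described above, applied to raw Ethernet frames, as an added Python example (not Huawei code): the sender hardware address in the ARP body is compared with the frame's source MAC, and, for replies only, the target hardware address with the frame's destination MAC, exactly as the three parameter combinations specify. The frames, MAC addresses and IP addresses are constructed for the example.

```python
"""MAC address consistency check for ARP packets (the arp validate check),
run over raw Ethernet frames. Added example, not Huawei code. All frames and
addresses below are constructed for the example."""
import socket
import struct
from typing import Tuple

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(s: str) -> bytes:
    """'00:e0:fc:12:34:56' or '00e0-fc12-3456' -> 6 bytes."""
    return bytes.fromhex(s.replace(":", "").replace("-", ""))


def build_arp(eth_dst: str, eth_src: str, oper: int,
              sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Ethernet II header followed by a 28-byte Ethernet/IPv4 ARP body."""
    eth = mac(eth_dst) + mac(eth_src) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    arp += mac(sha) + socket.inet_aton(spa) + mac(tha) + socket.inet_aton(tpa)
    return eth + arp


def arp_validate(frame: bytes, source_mac: bool = False,
                 destination_mac: bool = False) -> Tuple[bool, str]:
    """Apply the checks selected by arp validate { source-mac | destination-mac } *.
    Returns (accepted, reason). Non-ARP frames are not subject to the check."""
    if len(frame) < 14:
        return False, "truncated-ethernet"
    eth_dst, eth_src = frame[0:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return True, "not-arp"
    if len(frame) < 42:
        return False, "truncated-arp"
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return False, "unsupported-arp-format"
    sha, tha = frame[22:28], frame[32:38]
    # Sender hardware address must equal the frame source MAC (requests and replies)
    if source_mac and sha != eth_src:
        return False, "sender-mac-mismatch"
    # Target hardware address is checked on replies only: requests are broadcast,
    # so their frame destination never matches the ARP target field
    if destination_mac and oper == ARP_REPLY and tha != eth_dst:
        return False, "target-mac-mismatch"
    return True, "ok"


# Constructed frames: a gateway at 10.1.1.1 and a host at 10.1.1.20
GW_MAC, HOST_MAC, ATTACKER_MAC = "00e0-fc00-0001", "00e0-fc00-0020", "00e0-fc00-0bad"

LEGIT_REPLY = build_arp(GW_MAC, HOST_MAC, ARP_REPLY,
                        HOST_MAC, "10.1.1.20", GW_MAC, "10.1.1.1")
LEGIT_REQUEST = build_arp("ff:ff:ff:ff:ff:ff", HOST_MAC, ARP_REQUEST,
                          HOST_MAC, "10.1.1.20", "00:00:00:00:00:00", "10.1.1.1")
# Bogus reply: sent from the attacker's NIC but claiming the host's MAC in the ARP body
FORGED_REPLY = build_arp(GW_MAC, ATTACKER_MAC, ARP_REPLY,
                         HOST_MAC, "10.1.1.20", GW_MAC, "10.1.1.1")
# Bogus reply: the ARP target field names a third party although the frame went to the gateway
MISDIRECTED_REPLY = build_arp(GW_MAC, HOST_MAC, ARP_REPLY,
                              HOST_MAC, "10.1.1.20", ATTACKER_MAC, "10.1.1.1")


def demo():
    both = dict(source_mac=True, destination_mac=True)
    return {
        "legit reply": arp_validate(LEGIT_REPLY, **both)[1],
        "legit request": arp_validate(LEGIT_REQUEST, **both)[1],
        "forged sender": arp_validate(FORGED_REPLY, **both)[1],
        "misdirected target": arp_validate(MISDIRECTED_REPLY, **both)[1],
        "misdirected, source-mac only": arp_validate(MISDIRECTED_REPLY, source_mac=True)[1],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:30} {verdict}")
```

The last two rows of demo() show why both keywords are normally given on a gateway: with source-mac alone, a reply whose target hardware address does not match the frame's destination passes the check.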
Example
# Enable MAC address consistency check in an ARP packet on Layer 2 interface
GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp validate source-mac destination-mac
Format
arp-fake expire-time expire-time
undo arp-fake expire-time
Parameters
Parameter Description Value
expire-time: Specifies the aging time of temporary ARP entries.
Value: The value is an integer that ranges from 1 to 36000, in seconds.
Views
Ethernet interface view, GE interface view, XGE interface view, 25GE interface view,
40GE interface view, 100GE interface view, MultiGE interface view, Eth-Trunk
interface view, VLANIF interface view, VBDIF interface view, VE interface view, port
group view
Default Level
2: Configuration level
Usage Guidelines
When IP packets trigger ARP Miss messages, the device generates temporary ARP
entries and sends ARP Request packets to the destination network.
● In the aging time of temporary ARP entries:
– Before receiving an ARP reply packet, the device discards the IP packets
matching the temporary ARP entry and does not generate ARP Miss
messages.
– After receiving an ARP Reply packet, the device generates a correct ARP
entry to replace the temporary entry.
● When temporary ARP entries age out, the device clears them. If no ARP entry
matches the IP packets forwarded by the device, ARP Miss messages and
temporary ARP entries are generated again and again.
When a device undergoes an ARP Miss attack, you can run the arp-fake expire-
time command to extend the aging time of temporary ARP entries to reduce the
frequency of triggering ARP Miss messages and minimize the impact on the
device.
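The ARP Miss cycle described above, as an added Python example (not Huawei code): an IP packet with no matching ARP entry triggers an ARP Miss, creates a temporary entry and sends one ARP Request; further packets to that destination are discarded silently until the entry ages out or a reply arrives. Driving it with a constructed stream of packets to a destination that never answers shows how the expire-time value sets the ARP Miss rate the device has to absorb.

```python
"""ARP Miss handling with temporary (fake) ARP entries, as described for
arp-fake expire-time. Added example, not Huawei code. The traffic is
constructed: a constant stream of IP packets to a destination that never
answers ARP, which is the ARP Miss attack pattern."""
from typing import Dict


class ArpMissSimulator:
    def __init__(self, fake_expire_time: float) -> None:
        self.expire = fake_expire_time      # seconds, the arp-fake expire-time value
        self.arp: Dict[str, str] = {}       # resolved entries: ip -> mac
        self.temp: Dict[str, float] = {}    # temporary entries: ip -> aging deadline
        self.arp_miss_count = 0
        self.requests_sent = 0

    def _age(self, now: float) -> None:
        for ip in [ip for ip, deadline in self.temp.items() if deadline <= now]:
            del self.temp[ip]

    def forward(self, dst_ip: str, now: float) -> str:
        """Forward one IP packet; returns what happened to it."""
        self._age(now)
        if dst_ip in self.arp:
            return "forwarded"
        if dst_ip in self.temp:
            # Temporary entry present: packet discarded, no ARP Miss, no new request
            return "dropped-temporary"
        # ARP Miss: create a temporary entry and send an ARP Request
        self.arp_miss_count += 1
        self.requests_sent += 1
        self.temp[dst_ip] = now + self.expire
        return "arp-miss"

    def arp_reply(self, ip: str, mac: str) -> None:
        """An ARP Reply replaces the temporary entry with a real one."""
        self.temp.pop(ip, None)
        self.arp[ip] = mac


def arp_miss_rate(expire_time: float, seconds: int = 60, pps: int = 100) -> int:
    """ARP Miss messages generated by an unresolvable stream of pps packets/s for seconds."""
    sim = ArpMissSimulator(expire_time)
    for k in range(seconds * pps):
        sim.forward("10.1.1.200", k / pps)
    return sim.arp_miss_count


def demo() -> Dict[str, int]:
    return {f"expire-time {e}": arp_miss_rate(e) for e in (1, 10, 30)}


if __name__ == "__main__":
    print(demo())
```

With one packet per second or more to an unresolvable destination, the device generates one ARP Miss per expire-time interval per destination; the counts in demo() (60, 6 and 2 over a minute) are what a longer expire-time buys. The cost is that a host that comes up during the interval is unreachable until the temporary entry ages out.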
Example
# Set the aging time of temporary ARP entries to 10 seconds on VLANIF10.
<HUAWEI> system-view
[HUAWEI] vlan 10
[HUAWEI-vlan10] quit
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] arp-fake expire-time 10
# Set the aging time of temporary ARP entries to 10 seconds on Layer 3 interface
GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] arp-fake expire-time 10
14.6.34 arp-limit
Function
The arp-limit command sets the maximum number of ARP entries that an
interface can dynamically learn.
The undo arp-limit command deletes the maximum number of ARP entries that
an interface can dynamically learn.
By default, the maximum number of ARP entries that an interface can dynamically
learn is the same as the number of ARP entries supported by the device.
Format
VLANIF interface, VBDIF interface, VE sub-interface, Layer 3 interface, and
Ethernet sub-interface:
arp-limit maximum maximum
undo arp-limit
VE sub-interface, Layer 2 interface and port group:
arp-limit vlan vlan-id1 [ to vlan-id2 ] maximum maximum
undo arp-limit vlan vlan-id1 [ to vlan-id2 ]
NOTE
Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6735-S, S6720-EI, S6720S-EI,
S6730-H, S6730S-H, S6730-S, and S6730S-S support Layer 3 interfaces and sub-interfaces.
Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S,
and S6730S-S support VE sub-interfaces.
Parameters
Parameter Description Value
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To prevent ARP entries from being exhausted by ARP attacks from a host
connecting to an interface on the device, set the maximum number of ARP entries
that the interface can dynamically learn. When the number of the ARP entries
learned by a specified interface reaches the maximum number, no dynamic ARP
entry can be added.
Precautions
Example
# Configure that VLANIF 10 can dynamically learn a maximum of 20 ARP entries.
<HUAWEI> system-view
[HUAWEI] vlan 10
[HUAWEI-vlan10] quit
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] arp-limit maximum 20
Function
The arp-miss anti-attack rate-limit command sets the maximum rate and rate
limiting duration of ARP Miss messages globally, in a VLAN, or on an interface.
By default, the device can process a maximum of 100 ARP Miss messages per
second.
Format
arp-miss anti-attack rate-limit packet packet-number [ interval interval-value ]
undo arp-miss anti-attack rate-limit
Parameters
Parameter Description Value
Views
System view, VLAN view, GE interface view, 40GE interface view, XGE interface
view, 25GE interface view, 100GE interface view, MultiGE interface view, port
group view, Eth-Trunk interface view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After rate limit on ARP Miss messages is enabled, you can set the maximum rate
and rate limiting duration of ARP Miss messages globally, in a VLAN, or on an
interface. If the number of ARP Miss messages triggered by IP packets within the
rate limiting duration exceeds the limit, the device does not process the excess
ARP Miss messages and discards the IP packets that triggered them.
Prerequisites
Rate limit on ARP Miss messages has been enabled globally, in a VLAN, or on an
interface using the arp-miss anti-attack rate-limit enable command.
Precautions
If rate limit on ARP Miss messages is configured in the system view, VLAN view,
and interface view at the same time, the interface-view configuration takes
precedence, then the VLAN-view configuration, and then the system-view
configuration.
Example
# Configure the device to process a maximum of 200 ARP Miss messages
triggered by IP packets from Layer 2 interface GE0/0/1 in 10 seconds.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp-miss anti-attack rate-limit enable
[HUAWEI-GigabitEthernet0/0/1] arp-miss anti-attack rate-limit packet 200 interval 10
Function
The arp-miss anti-attack rate-limit alarm enable command enables the alarm
function for ARP Miss messages discarded when the rate of ARP Miss messages
exceeds the limit.
The undo arp-miss anti-attack rate-limit alarm enable command disables the
alarm function for ARP Miss messages discarded when the rate of ARP Miss
messages exceeds the limit.
Format
arp-miss anti-attack rate-limit alarm enable
Parameters
None
Views
System view, VLAN view, GE interface view, 40GE interface view, XGE interface
view, 25GE interface view, 100GE interface view, MultiGE interface view, port
group view, Eth-Trunk interface view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After rate limit on ARP Miss messages is enabled, run the arp-miss anti-attack
rate-limit alarm enable command if you want the device to generate alarms that
notify the network administrator of a large number of discarded excess ARP Miss
messages. When the number of discarded ARP Miss packets exceeds the alarm
threshold, the device generates an alarm.
You can set the alarm threshold using the arp-miss anti-attack rate-limit alarm
threshold command.
Prerequisites
Rate limit on ARP Miss messages has been enabled using the arp-miss anti-
attack rate-limit enable command.
Example
# Enable the alarm function for ARP Miss messages discarded when the rate of
ARP Miss messages exceeds the limit on Layer 2 interface GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp-miss anti-attack rate-limit enable
[HUAWEI-GigabitEthernet0/0/1] arp-miss anti-attack rate-limit alarm enable
# Enable the alarm function for ARP Miss messages discarded when the rate of
ARP Miss messages exceeds the limit on Layer 3 interface GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] arp-miss anti-attack rate-limit enable
[HUAWEI-GigabitEthernet0/0/1] arp-miss anti-attack rate-limit alarm enable
Format
arp-miss anti-attack rate-limit alarm threshold threshold
undo arp-miss anti-attack rate-limit alarm threshold
Parameters
Parameter Description Value
Views
System view, VLAN view, GE interface view, 40GE interface view, XGE interface
view, 25GE interface view, 100GE interface view, MultiGE interface view, port
group view, Eth-Trunk interface view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
You can use the arp-miss anti-attack rate-limit alarm threshold command to
set the alarm threshold. When the number of discarded ARP Miss packets exceeds
the alarm threshold, the device generates an alarm.
Prerequisites
Rate limit on ARP Miss messages has been enabled using the arp-miss anti-
attack rate-limit enable command, and the alarm function has been enabled
using the arp-miss anti-attack rate-limit alarm enable command.
Example
# Enable rate limit on ARP Miss messages globally, enable the alarm function, and
set the alarm threshold to 200.
<HUAWEI> system-view
[HUAWEI] arp-miss anti-attack rate-limit enable
[HUAWEI] arp-miss anti-attack rate-limit alarm enable
[HUAWEI] arp-miss anti-attack rate-limit alarm threshold 200
# Enable rate limit on ARP Miss messages on Layer 2 interface GE0/0/1, enable
the alarm function, and set the alarm threshold to 200.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp-miss anti-attack rate-limit enable
[HUAWEI-GigabitEthernet0/0/1] arp-miss anti-attack rate-limit alarm enable
[HUAWEI-GigabitEthernet0/0/1] arp-miss anti-attack rate-limit alarm threshold 200
# Enable rate limit on ARP Miss messages on Layer 3 interface GE0/0/1, enable
the alarm function, and set the alarm threshold to 200.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] arp-miss anti-attack rate-limit enable
[HUAWEI-GigabitEthernet0/0/1] arp-miss anti-attack rate-limit alarm enable
[HUAWEI-GigabitEthernet0/0/1] arp-miss anti-attack rate-limit alarm threshold 200
Function
The arp-miss anti-attack rate-limit enable command enables rate limit on ARP
Miss messages globally, in a VLAN, or on an interface.
The undo arp-miss anti-attack rate-limit enable command disables rate limit on
ARP Miss messages globally, in a VLAN, or on an interface.
Format
arp-miss anti-attack rate-limit enable
Parameters
None
Views
System view, VLAN view, GE interface view, 40GE interface view, XGE interface
view, 25GE interface view, 100GE interface view, MultiGE interface view, port
group view, Eth-Trunk interface view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To prevent ARP Miss attacks from overloading the device, configure rate limit on
ARP Miss messages globally, in a VLAN, or on an interface. The device collects
statistics on ARP Miss messages. If the number of ARP Miss messages generated
within the rate limiting duration exceeds the threshold (the maximum number of
ARP Miss messages), the gateway discards the IP packets triggering the excess
ARP Miss messages.
Follow-up Procedure
Run the arp-miss anti-attack rate-limit command to set the maximum rate and
rate limiting duration of ARP Miss messages.
Example
# Enable rate limit on ARP Miss messages on Layer 2 interface GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp-miss anti-attack rate-limit enable
Function
The arp-miss speed-limit source-ip command sets the maximum number of ARP
Miss messages based on source IP addresses and specifies the mode for processing
ARP Miss packets.
The undo arp-miss speed-limit source-ip command restores the default setting.
If the number of ARP Miss messages triggered by IP packets from the same source
IP address per second exceeds the limit, the device discards the IP packets that
trigger the excess ARP Miss messages (the ARP Miss packets). By default, the
device then uses the block mode and discards all ARP Miss packets from that
source IP address for 5 seconds.
Format
arp-miss speed-limit source-ip ip-address [ mask mask ] maximum maximum
[ none-block | block timer timer ]
arp-miss speed-limit source-ip maximum maximum
undo arp-miss speed-limit source-ip [ ip-address [ mask mask ] ]
NOTE
Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S1730S-H, S2730S-S, S5735-L-I,
S5735-L1,S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S6735-
S, S6720-EI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support [ none-block |
block timer timer ].
Parameters
Parameter Description Value
mask mask: Specifies the mask of the IP address. If this parameter is specified,
the maximum number of ARP Miss messages triggered by packets from IP addresses
in the network segment is limited.
Value: The value is an integer that ranges from 1 to 32.
block timer timer: Indicates that ARP Miss packets are processed in block mode.
If the number of ARP Miss messages triggered by IP packets from a source IP
address per second exceeds the limit, the device discards the excess ARP Miss
messages and delivers an ACL to enable the chip to discard all packets that are
sent from this source IP address within the period specified by timer. When the
period specified by timer expires, the ACL ages out and the chip no longer
discards ARP Miss packets from the source IP address but sends them to the CPU
for processing.
Value: The value ranges from 5 to 864000, in seconds. The default value is 5
seconds.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
If the number of ARP Miss messages triggered by IP packets from a source IP
address per second exceeds the limit, the device considers that an attack is
initiated from the source IP address. If the ARP Miss message processing mode is
set to block, the device discards the excess ARP Miss packets from this source IP
address and delivers an ACL to discard all subsequent packets sent from this
source IP address. If the ARP Miss message processing mode is set to none-block,
the device only discards the excess ARP Miss packets.
The administrator can use the arp-miss speed-limit source-ip command to set
the maximum number of ARP Miss messages that the device processes per second
for a source IP address and to specify the mode for processing ARP Miss packets
according to the actual network environment, protecting system resources and
ensuring proper running of other services.
Precautions
You can set the maximum number of ARP Miss messages for a maximum of 512
IP addresses.
If the ARP Miss packet processing mode is set to none-block, the device discards
the ARP Miss packets that trigger excess ARP Miss messages to reduce CPU load. The
none-block action can still cause high CPU usage, while the block action consumes ACL
resources. The default ARP Miss packet processing mode is recommended.
When setting the maximum number of ARP Miss messages based on source IP
addresses, if the ARP Miss packet processing mode is not specified, the device
uses the default processing mode, block.
When the number of ARP Miss packets exceeds the limit, the delivered ACL
discards only the ARP Miss packets from the source IP address. Other packets
can still be sent to the CPU.
A maximum of 16 ACLs can be delivered to the chip to discard ARP Miss packets
from a specified IP address or network segment. When 16 ACLs have been delivered
and none of them has aged out, and the number of ARP Miss packets from another IP
address or network segment per second exceeds the limit, the device does not
deliver an ACL for that source; instead, the CPU discards the excess ARP Miss
packets.
NOTE
The S5720I-SI, S5735-S, S5735S-S, S5735-S-I, S5735S-H, S5736-S cannot deliver ACLs to
discard ARP Miss packets.
Example
# Set the maximum number of ARP Miss messages triggered by each source IP
address per second to 60.
<HUAWEI> system-view
[HUAWEI] arp-miss speed-limit source-ip maximum 60
# Set the maximum number of ARP Miss messages triggered by the IP address
10.0.0.1 per second to 100, and set the maximum number of ARP Miss messages
triggered by other source IP addresses per second to 60.
<HUAWEI> system-view
[HUAWEI] arp-miss speed-limit source-ip maximum 60
[HUAWEI] arp-miss speed-limit source-ip 10.0.0.1 maximum 100
Format
display arp anti-attack arpmiss-record-info [ ip-address ]
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After rate limit on ARP Miss messages is triggered, the device discards excess ARP
Miss messages. You can run this command to view information recorded by the
device when rate limit on ARP Miss messages is triggered. The information helps
locate and rectify faults.
The device can record a maximum of 256 records about rate limit on ARP Miss
messages. If a new round of rate limit on ARP Miss messages is triggered when
the number of records reaches 256, the device takes the following actions:
1. If the source IP address of the attacker already exists in a record, the device
updates the block time in the record using the discarding time of the new ARP
Miss message.
2. If the source IP address of the attacker does not exist in any record, the device
deletes the first record and adds a new record for this attacker.
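The rate-limit behaviour of arp-miss speed-limit source-ip described above (block and none-block modes, the block timer, the 16-ACL cap) and the 256-entry record table kept for this display command, as an added Python simulation that is not device code. The class and method names, the timestamps and the addresses are constructed for the example; network-segment (mask) limits are not modelled.

```python
"""Added example, not device code: a simulation of per-source-IP ARP Miss
rate limiting (block and none-block modes, block timer, 16-ACL cap) and of
the 256-entry record table behind display arp anti-attack arpmiss-record-info.
All limits, addresses and timestamps below are constructed test data."""
from collections import OrderedDict

MAX_BLOCK_ACLS = 16      # at most 16 ACLs delivered to the chip for ARP Miss blocking
MAX_RECORDS = 256        # size of the ARP Miss rate-limit record table
DEFAULT_BLOCK_TIMER = 5  # seconds an ACL stays in place by default


class ArpMissLimiter:
    def __init__(self, default_max, mode="block", timer=DEFAULT_BLOCK_TIMER):
        self.default_max = default_max   # limit applied to "other" source IPs
        self.per_ip_max = {}             # host-specific limits (assumption: /32 only)
        self.mode = mode                 # "block" or "none-block"
        self.timer = timer
        self.counts = {}                 # (ip, whole second) -> ARP Miss messages seen
        self.acls = {}                   # ip -> time at which its ACL ages out
        self.records = OrderedDict()     # ip -> {"attack": first trigger, "block": last discard}

    def set_source_limit(self, ip, maximum):
        """Counterpart of: arp-miss speed-limit source-ip <ip> maximum <maximum>."""
        self.per_ip_max[ip] = maximum

    def _record(self, ip, now):
        if ip in self.records:
            self.records[ip]["block"] = now        # known attacker: refresh block time
            return
        if len(self.records) >= MAX_RECORDS:
            self.records.popitem(last=False)       # table full: delete the first record
        self.records[ip] = {"attack": now, "block": now}

    def process(self, ip, now):
        """Handle one ARP Miss triggered by an IP packet from ip at time now.
        Returns "cpu" (sent to the CPU), "drop" (excess message discarded) or
        "acl" (discarded by the chip ACL installed in block mode)."""
        for blocked, expiry in list(self.acls.items()):
            if now >= expiry:
                del self.acls[blocked]             # ACL aged out: back to normal handling
        if ip in self.acls:
            self._record(ip, now)
            return "acl"
        key = (ip, int(now))
        self.counts[key] = self.counts.get(key, 0) + 1
        if self.counts[key] <= self.per_ip_max.get(ip, self.default_max):
            return "cpu"
        self._record(ip, now)                      # rate limit triggered for this IP
        if self.mode == "block" and len(self.acls) < MAX_BLOCK_ACLS:
            self.acls[ip] = now + self.timer
        return "drop"


def simulate(events, default_max, mode="block", timer=DEFAULT_BLOCK_TIMER):
    """Run a list of (ip, timestamp) ARP Miss events through one limiter."""
    limiter = ArpMissLimiter(default_max, mode, timer)
    return [limiter.process(ip, t) for ip, t in events]


if __name__ == "__main__":
    # Constructed burst: three ARP Misses in one second from a host with limit 2
    burst = [("10.0.0.9", t) for t in (0.1, 0.2, 0.3, 0.4, 3.0, 6.0)]
    print(simulate(burst, default_max=2))                    # block mode
    print(simulate(burst, default_max=2, mode="none-block"))
```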
Example
# Display information recorded by the device when rate limit on ARP Miss
messages is triggered.
<HUAWEI> display arp anti-attack arpmiss-record-info
Interface IP address Attack time Block time Aging-time
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
The number of record(s) in arp-miss table is 0
Item: Attack time
Description: First time when rate limit on ARP Miss messages is triggered, that is, the time when the number of ARP Miss messages exceeds the limit.
Item: Block time
Description: Last time when the device discards the ARP Miss messages of the attacker.
Function
The display arp anti-attack configuration check user-bind command displays
the configuration of DAI in a VLAN or on an interface.
Format
display arp anti-attack configuration check user-bind [ vlan [ vlan-id ] |
interface [ interface-type interface-number ] ]
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
You can run this command to view the configuration of DAI in a VLAN or on an
interface, including whether the function is enabled, check items, whether the
alarm function is enabled for discarded ARP packets, and alarm threshold.
This command produces output only after DAI and the alarm function are enabled.
Example
# Display DAI configuration on GE0/0/1.
<HUAWEI> display arp anti-attack configuration check user-bind interface gigabitethernet 0/0/1
arp anti-attack check user-bind enable
arp anti-attack check user-bind alarm enable
arp anti-attack check user-bind alarm threshold 50
arp anti-attack check user-bind check-item ip-address
vlan 2
arp anti-attack check user-bind enable
arp anti-attack check user-bind check-item ip-address
#
vlan 3
arp anti-attack check user-bind enable
#
GigabitEthernet0/0/1
arp anti-attack check user-bind enable
arp anti-attack check user-bind alarm enable
arp anti-attack check user-bind alarm threshold 50
arp anti-attack check user-bind check-item ip-address
#
Table 14-45 Description of the display arp anti-attack configuration check user-bind command output
Item Description
Item: arp anti-attack check user-bind alarm enable
Description: The alarm function for ARP packets discarded by DAI has been enabled. You can run the arp anti-attack check user-bind alarm enable command to enable the alarm function.
Item: arp anti-attack check user-bind check-item ip-address
Description: Only the IP address is checked during ARP packet check based on binding entries. You can run the arp anti-attack check user-bind check-item command to specify the check item for ARP packet check based on binding entries.
Format
display arp anti-attack configuration { arp-rate-limit | arp-speed-limit | entry-check | arpmiss-rate-limit | arpmiss-speed-limit | gateway-duplicate | log-trap-timer | packet-check | all } (Only the S1730S-H, S5720I-SI, S2730S-S, S5735-L-I,
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After all ARP anti-attack functions are configured, you can run this command to
check all configurations.
Example
# Display the configuration of rate limit on ARP packets based on the source IP
address or source MAC address.
<HUAWEI> display arp anti-attack configuration arp-speed-limit
ARP speed-limit for source-MAC configuration:
MAC-address suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
All 0
-------------------------------------------------------------------------------
The number of configured specified MAC address(es) is 0, spec is 512.
# Display the configuration of rate limit on ARP Miss messages based on the
source IP address.
<HUAWEI> display arp anti-attack configuration arpmiss-speed-limit
ARP miss speed-limit for source-IP configuration:
IP-address suppress-rate(pps)(rate=0 means function disabled)
------------------------------------------------------------------------
10.0.0.30/32 400
Others 0
------------------------------------------------------------------------
The number of configured specified IP address(es) is 1, spec is 512.
All disabled
-------------------------------------------------------------------------------
Table 14-46 Description of the display arp anti-attack configuration all command output
Item Description
Item: ARP anti-attack entry-check mode
Description: ARP entry fixing mode. Vlanif specifies the interface to which the ARP entry fixing mode is applied. The modes include:
● fixed-mac
● fixed-all
● send-ack
● disabled
You can run the arp anti-attack entry-check enable command to set the ARP entry fixing mode.
Item: ARP speed-limit for source-MAC configuration
Description: Rate limit on ARP packets based on the source MAC address. You can run the arp speed-limit source-mac command to configure rate limit on ARP packets based on the source MAC address.
Item: ARP speed-limit for source-IP configuration
Description: Rate limit on ARP packets based on the source IP address. You can run the arp speed-limit source-ip command to configure rate limit on ARP packets based on the source IP address.
Item: ARP miss speed-limit for source-IP configuration
Description: Rate limit on ARP Miss messages based on source IP addresses. You can run the arp-miss speed-limit source-ip command to configure rate limit on ARP Miss messages based on the source IP address.
Function
The display arp anti-attack gateway-duplicate item command displays ARP
gateway anti-collision entries.
Format
display arp anti-attack gateway-duplicate item
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After ARP gateway anti-collision is enabled, you can run this command to view
ARP anti-collision entries.
Example
# Display ARP gateway anti-collision entries.
<HUAWEI> display arp anti-attack gateway-duplicate item
Interface IP address MAC address VLANID Aging time
-------------------------------------------------------------------------------
GigabitEthernet0/0/1 10.1.1.1 00e0-fc12-3456 2 150
GigabitEthernet0/0/2 10.1.1.2 00e0-fc12-3478 2 170
-------------------------------------------------------------------------------
The number of record(s) in gateway conflict table is 2
Function
The display arp anti-attack packet-check statistics command displays the
statistics on invalid ARP packets that are filtered out during ARP packet validity
check.
Format
display arp anti-attack packet-check statistics
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After ARP packet validity check is enabled, if you want to view the statistics on
invalid ARP packets that are filtered out, you can run this command.
Example
# Display the statistics on invalid ARP packets that are filtered out during ARP packet
validity check.
<HUAWEI> display arp anti-attack packet-check statistics
Number of ARP packet(s) checked: 5
Number of ARP packet(s) dropped by sender-mac checking: 0
Number of ARP packet(s) dropped by dst-mac checking: 0
Number of ARP packet(s) dropped by src-ip checking: 2
Number of ARP packet(s) dropped by dst-ip checking: 0
Item Description
Item: Number of ARP packet(s) dropped by sender-mac checking
Description: Number of invalid ARP packets that are filtered out because the source MAC address in the packet is different from that in the Ethernet frame header.
Item: Number of ARP packet(s) dropped by dst-mac checking
Description: Number of invalid ARP packets that are filtered out because the destination MAC address in the packet is different from that in the Ethernet frame header.
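The sender-mac and dst-mac checks described above, as an added Python example (not device code) that parses constructed Ethernet/ARP frames and tallies the same counters the display command shows. The src-ip and dst-ip rules are an assumption of this example (all-zero, all-ones or multicast addresses are treated as invalid), since the page does not define them, and applying the dst-mac check only to ARP replies is also an assumption.

```python
"""Added example, not device code: ARP packet validity checks in the shape of
display arp anti-attack packet-check statistics, run over constructed frames.
The sender-mac and dst-mac rules follow the command reference; the src-ip and
dst-ip rules, and limiting dst-mac to replies, are assumptions of this example."""
import ipaddress
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(text):
    """Accept Huawei 'xxxx-xxxx-xxxx' or colon-separated MAC notation."""
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def build_arp_frame(eth_dst, eth_src, opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Construct a raw Ethernet II frame carrying one ARP packet (test data only)."""
    eth = ETH_HDR.pack(mac_bytes(eth_dst), mac_bytes(eth_src), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, opcode,
                       mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                       mac_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


def _ip_invalid(raw):
    """Assumed rule: all-zero, all-ones or multicast addresses are invalid."""
    ip = ipaddress.IPv4Address(raw)
    return ip in (ipaddress.IPv4Address("0.0.0.0"),
                  ipaddress.IPv4Address("255.255.255.255")) or ip.is_multicast


def check_arp_frame(frame):
    """Return 'ok' or the name of the check that rejects the frame."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return "malformed"
    eth_dst, eth_src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return "not-arp"
    _, _, _, _, opcode, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if sha != eth_src:                      # sender MAC in ARP body vs Ethernet source
        return "sender-mac"
    if opcode == ARP_REPLY and tha != eth_dst:   # target MAC vs Ethernet destination
        return "dst-mac"
    if _ip_invalid(spa):
        return "src-ip"
    if _ip_invalid(tpa):
        return "dst-ip"
    return "ok"


def packet_check_statistics(frames):
    """Tally verdicts in the shape of the display command output."""
    stats = {"checked": 0, "sender-mac": 0, "dst-mac": 0, "src-ip": 0, "dst-ip": 0}
    for frame in frames:
        stats["checked"] += 1
        verdict = check_arp_frame(frame)
        if verdict in stats:
            stats[verdict] += 1
    return stats


if __name__ == "__main__":
    # Constructed samples: a consistent reply and a reply whose ARP sender MAC
    # does not match the Ethernet source address (the classic spoofing sign)
    good = build_arp_frame("00e0-fc12-3456", "00e0-fc12-3478", ARP_REPLY,
                           "00e0-fc12-3478", "10.1.1.2", "00e0-fc12-3456", "10.1.1.1")
    spoof = build_arp_frame("00e0-fc12-3456", "00e0-fc12-3478", ARP_REPLY,
                            "00e0-fc12-9999", "10.1.1.2", "00e0-fc12-3456", "10.1.1.1")
    for name, count in packet_check_statistics([good, spoof]).items():
        print(f"{name}: {count}")
```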
Format
display arp anti-attack statistics check user-bind interface interface-type
interface-number
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
After dynamic ARP inspection (DAI) is enabled in the interface view, you can run
this command to check statistics about discarded ARP packets matching no
binding entry on the interface. If the alarm function for ARP packets discarded by
DAI is enabled, you can also check statistics about discarded ARP packets
matching no binding entry on the interface after the latest alarm is generated.
Precautions
● If DAI is enabled only in the VLAN view, this command cannot be run to
display statistics about discarded ARP packets matching no binding entry on
the interfaces in the VLAN.
● This command cannot check statistics about discarded ARP packets matching
no binding entry on the management interface.
Example
# Display the statistics on discarded ARP packets matching no binding entry on
GE0/0/1.
<HUAWEI> display arp anti-attack statistics check user-bind interface gigabitethernet 0/0/1
Dropped ARP packet number is 966
Dropped ARP packet number since the latest warning is 605
Table 14-49 Description of the display arp anti-attack statistics check user-bind
interface command output
Function
The display arp learning strict command displays strict ARP learning globally and
on all interfaces.
Format
display arp learning strict
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After strict ARP learning is configured, you can run this command to check the
configuration.
Example
# Display strict ARP learning globally and on all interfaces.
<HUAWEI> display arp learning strict
The global configuration:arp learning strict
Interface LearningStrictState
------------------------------------------------------------
Vlanif100 force-disable
Vlanif200 force-enable
------------------------------------------------------------
Total:2
Force-enable:1
Force-disable:1
Table 14-50 Description of the display arp learning strict command output
Item Description
Item: The global configuration
Description: Global strict ARP learning. The value arp learning strict indicates that strict ARP learning has been enabled. If the parameter is left blank, strict ARP learning is disabled. You can run the arp learning strict command to enable strict ARP learning.
Format
display arp optimized-passby status interface vlanif vlanif-id slot slot-id
NOTE
Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S,
and S6730S-S support this command.
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
If an interface receives a large number of ARP packets whose destination IP
addresses are different from the IP address of this interface and sends these ARP
packets to the CPU for processing, the CPU usage is high and the CPU cannot
process services properly.
To prevent this issue, you can configure the device to directly forward ARP packets
destined for other devices without sending them to the CPU. This improves the
device's capability of defending against ARP flood attacks.
When the device is configured not to send ARP packets destined for other devices
to the CPU, the configuration does not take effect if a conflict configuration exists
on the device. You can use the display arp optimized-passby status command to
check whether the device is configured not to send ARP packets destined for other
devices to the CPU and whether the configuration takes effect. For details about
conflict configurations, see arp optimized-passby enable.
Example
# Display whether the device is configured not to send ARP packets destined for
other devices to the CPU and whether the configuration takes effect on VLANIF
100.
<HUAWEI> display arp optimized-passby status interface Vlanif 100 slot 0
Current configuration:Enable
Actual status:Inactive
Related configuration:
NAC configuration (for example, dot1x enable)
Format
display arp optimized-reply statistics [ slot slot-id ]
Parameters
Parameter: slot slot-id
Description:
● This parameter specifies the slot ID if stacking is not configured.
● This parameter specifies the stack ID if stacking is enabled.
Value: The value must be set according to the device configuration.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
You can run this command to check statistics on optimized ARP Reply packets
after the optimized ARP reply function is enabled on the device.
Example
# Display statistics on optimized ARP Reply packets.
<HUAWEI> display arp optimized-reply statistics
Slot Received Processed Dropped
----------------------------------------------------------------
0 11 9 7
Function
The display arp optimized-reply status command displays the status of the
optimized ARP reply function.
Format
display arp optimized-reply status
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
You can run this command to check the status of the optimized ARP reply
function.
Example
# Check the status of the optimized ARP reply function.
<HUAWEI> display arp optimized-reply status
Current configuration:Disable
Actual status:Inactive
Related configuration:
arp optimized-reply disable
arp anti-attack check user-bind enable
arp anti-attack gateway-duplicate enable
Format
display arp packet statistics
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
To locate and rectify ARP faults, you can run this command to view the statistics
on ARP packets.
This command displays the ARP packet statistics on the active switch in a stack
system.
Example
# Display the statistics on ARP packets.
<HUAWEI> display arp packet statistics
ARP Pkt Received: sum 420066
ARP Received In Message-cache: sum 0
ARP-Miss Msg Received: sum 0
ARP Learnt Count: sum 5
ARP Pkt Discard For Limit: sum 0
ARP Pkt Discard For SpeedLimit: sum 0
Table 14-54 Description of the display arp packet statistics command output
Item Description
Item: ARP Pkt Discard For Limit
Description: Number of ARP packets discarded due to the ARP entry limit. To configure the maximum number of dynamic ARP entries that an interface can learn, run the arp-limit command.
Item: ARP Pkt Discard For SpeedLimit
Description: Number of ARP packets discarded when the number of ARP packets from a specified source IP address exceeds the limit. To configure a rate limit for ARP packets based on the source IP address, run the arp speed-limit source-ip command.
Item: ARP Pkt Discard For Proxy Suppress
Description: Number of packets discarded for the speed limit.
Item: ARP Pkt Discard For Other
Description: Number of packets discarded due to other causes.
Item: ARP-Miss Msg Discard For Other
Description: Number of ARP Miss messages discarded due to other causes.
Function
The display arp-limit command displays the maximum number of ARP entries
that an interface can dynamically learn.
Format
display arp-limit [ interface interface-type interface-number[.subinterface-number ] ] [ vlan vlan-id ]
NOTE
Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6735-S, S6720-EI, S6720S-EI,
S6730-H, S6730S-H, S6730-S, and S6730S-S support sub-interface.
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After the maximum number of ARP entries that an interface can dynamically learn
is set, you can run this command to check the configuration.
Example
# Display the number of ARP entries that each interface can dynamically learn.
<HUAWEI> display arp-limit
Interface LimitNum VlanID LearnedNum(Mainboard)
---------------------------------------------------------------------------
Vlanif100 1000 0 0
GigabitEthernet0/0/1 16384 10 0
---------------------------------------------------------------------------
Total:2
Function
The display arp-miss speed-limit source-ip command displays the configuration
of rate limit on ARP Miss messages based on the source IP address.
Format
display arp-miss speed-limit source-ip
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After ARP Miss rate limiting based on source IP address is configured, you can run
this command to check the configuration.
Example
# Display the configuration of rate limit on ARP Miss messages based on the
source IP address.
<HUAWEI> display arp-miss speed-limit source-ip
Slot SuppressType SuppressValue
---------------------------------------------------
0 ARP-miss 600
Format
display arp snooping { all | interface interface-type interface-number | vlan vlan-id | ip-address ip-address | mac-address mac-address }
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After ARP snooping is enabled, the device generates ARP snooping entries that
contain the IP address, MAC address, VLAN ID, inbound interface, and aging time.
You can run the display arp snooping command to view the ARP snooping
entries.
Example
# Display all ARP snooping entries.
<HUAWEI> display arp snooping all
VLAN/CEVLAN IP ADDRESS MAC ADDRESS INTERFACE EXPIRE(S)
----------------------------------------------------------------------
2/- 192.168.10.1 xxxx-xxxx-xxx1 Eth1/0/0 20
2/- 192.168.10.2 xxxx-xxxx-xxx2 Eth1/0/0 10
13/- 10.1.1.1 xxxx-xxxx-xxx3 Eth-Trunk0 18
12/10 172.16.1.1 xxxx-xxxx-xxx4 40GE5/0/4 5
----------------------------------------------------------------------
Total Count:4
Item Description
Item: IP ADDRESS
Description: IP address.
Function
The reset arp anti-attack packet-check statistics command clears the statistics
on invalid ARP packets that are filtered out during ARP packet validity check.
Format
reset arp anti-attack packet-check statistics
Parameters
None
Views
User view
Default Level
2: Configuration level
Usage Guidelines
You can run this command to clear existing statistics, and run the display arp
anti-attack packet-check statistics command to view the statistics on follow-up
invalid ARP packets that are filtered out.
Example
# Clear the statistics on invalid ARP packets that are filtered out in ARP packet
validity check.
<HUAWEI> reset arp anti-attack packet-check statistics
Function
The reset arp anti-attack statistics check user-bind command clears the
statistics on discarded ARP packets matching no binding entry.
Format
reset arp anti-attack statistics check user-bind interface interface-type
interface-number
Parameters
Parameter Description Value
Views
User view, system view
Default Level
2: Configuration level
Usage Guidelines
After DAI is enabled and some ARP packets matching no binding entry are
discarded, you can run this command to clear the statistics on the discarded ARP
packets.
Example
# Clear the statistics on discarded ARP packets on GE0/0/1.
<HUAWEI> reset arp anti-attack statistics check user-bind interface gigabitethernet 0/0/1
Function
The reset arp anti-attack statistics rate-limit command clears the statistics on
ARP packets discarded when the rate of ARP packets exceeds the limit.
Format
reset arp anti-attack statistics rate-limit
Parameters
None
Views
User view, system view
Default Level
2: Configuration level
Usage Guidelines
After rate limit on ARP packets is enabled globally, the device discards the excess
packets when the rate of ARP packets exceeds the limit. You can run this
command to clear the statistics on the discarded ARP packets.
Example
# Clear the statistics on ARP packets discarded when the rate of ARP packets
exceeds the limit.
<HUAWEI> reset arp anti-attack statistics rate-limit
Function
The reset arp optimized-reply statistics command clears statistics on optimized
ARP Reply packets.
Format
reset arp optimized-reply statistics [ slot slot-id ]
Parameters
Parameter Description Value
Parameter: slot slot-id
Description: Specifies the stack ID.
Value: The value must be set according to the device configuration.
Views
User view
Default Level
2: Configuration level
Usage Guidelines
To collect fresh statistics on optimized ARP Reply packets on the device, run the
reset arp optimized-reply statistics [ slot slot-id ] command first to clear the
existing statistics on optimized ARP Reply packets.
Example
# Clear statistics on optimized ARP Reply packets.
<HUAWEI> reset arp optimized-reply statistics
Function
The reset arp packet statistics command clears the statistics on ARP packets.
Format
reset arp packet statistics
Parameters
None
Views
User view
Default Level
2: Configuration level
Usage Guidelines
You can run the display arp packet statistics command to display the statistics
on ARP packets. To obtain correct statistics, run the reset arp packet statistics
command to clear existing statistics first.
The reset arp packet statistics command clears the ARP packet statistics on the
active switch in a stack system.
Example
# Clear the statistics on all ARP packets.
<HUAWEI> reset arp packet statistics
Format
reset arp snooping { all | interface interface-type interface-number | vlan vlan-id
| ip-address ip-address | mac-address mac-address }
Parameters
Parameter Description Value
Views
User view
Default Level
3: Management level
Usage Guidelines
To view ARP snooping entries in a specified period, you need to generate new ARP
snooping entries from a specified time. You can run the reset arp snooping
command to clear ARP snooping entries.
Example
# Clear ARP snooping entries.
<HUAWEI> reset arp snooping all
Commands provided in this section and all the parameters in the commands are
supported by all switch models by default, unless otherwise specified. For details,
see specific commands.
Function
The display mac-address sec-config command displays secure static MAC address
entries.
Format
display mac-address sec-config [ vlan vlan-id | interface-type interface-number ]
*[ verbose ]
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After secure static MAC address entries are configured by the port-security
mac-address command, you can run the display mac-address sec-config
command to check these entries.
Example
# Display all secure static MAC address entries.
<HUAWEI> display mac-address sec-config
-------------------------------------------------------------------------------
MAC Address VLAN/VSI/BD Learned-From Type
-------------------------------------------------------------------------------
xxxx-xxxx-xxx1 100/-/- GE0/0/1 sec-config
-------------------------------------------------------------------------------
Total items displayed = 1
Format
display mac-address security [ vlan vlan-id | interface-type interface-number ] *
[ verbose ]
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
After port security is enabled on an interface by using the port-security enable
command, MAC address entries learned by the interface are stored in the MAC
address table as secure dynamic MAC address entries. The learned secure dynamic
MAC address entries are deleted after the device restarts.
After configuring the port security function, you can run the display mac-address
security command to check whether the learned secure dynamic MAC address
entries are correct.
Follow-up Procedure
If the displayed secure dynamic MAC address entries are invalid, run the undo
mac-address security command to delete the secure dynamic MAC address
entries.
Precautions
If you run the display mac-address security command without parameters, all
secure dynamic MAC address entries are displayed.
If the MAC address table does not contain any secure dynamic MAC address entry,
no information is displayed.
When the device has a large number of secure dynamic MAC address entries, it is
recommended that you specify parameters in the command to filter the output
information. Otherwise, the following problems may occur due to excessive output
information:
● The displayed information is repeatedly refreshed, so you cannot find the
required information.
● The system traverses and retrieves information for a long time, and does not
respond to any request.
Example
# Display all secure dynamic MAC address entries.
<HUAWEI> display mac-address security
-------------------------------------------------------------------------------
MAC Address VLAN/VSI/BD Learned-From Type
-------------------------------------------------------------------------------
xxxx-xxxx-xxx1 100/-/- GE0/0/1 security
xxxx-xxxx-xxx2 200/-/- GE0/0/2 security
-------------------------------------------------------------------------------
Total items displayed = 2
# Display detailed information about all secure dynamic MAC address entries in
VLAN 10.
<HUAWEI> display mac-address security vlan 10 verbose
-------------------------------------------------------------------------------
MAC Address : xxxx-xxxx-xxx1 VLAN : 10
Learned-From: GE0/0/1 Type : security
Aging-Time : 200s
-------------------------------------------------------------------------------
Total items displayed = 1
Function
The display mac-address sticky command displays sticky VLAN MAC address
entries.
Format
display mac-address sticky [ vlan vlan-id | interface-type interface-number ] *
[ verbose ]
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
The MAC address table of the switch stores MAC addresses of other devices. When
forwarding an Ethernet frame, the switch searches the MAC address table for the
outbound interface according to the destination MAC address and VLAN ID in the
Ethernet frame.
After port security is enabled on an interface by using the port-security enable
command, MAC address entries learned by the interface are stored in the MAC
address table as secure dynamic MAC address entries. The learned secure dynamic
MAC address entries are deleted after the switch restarts. If the sticky MAC
function is also enabled on the interface by using the port-security mac-address
sticky command, secure dynamic MAC address entries change to sticky MAC
address entries. Sticky MAC address entries are not deleted after the switch
restarts.
To check the sticky MAC configuration or the learned sticky MAC address entries,
run the display mac-address sticky command.
Follow-up Procedure
If the displayed sticky MAC address entries are invalid, run the undo mac-address
sticky command to delete sticky MAC address entries.
Precautions
If you run the display mac-address sticky command without parameters, all
sticky MAC address entries are displayed.
If the MAC address table does not contain any sticky MAC address, no information
is displayed.
When the switch has a large number of sticky MAC address entries, it is
recommended that you specify parameters in the command to filter the output
information. Otherwise, the following problems may occur due to excessive output
information:
● The displayed information is repeatedly refreshed, so you cannot find the
required information.
● The system traverses and retrieves information for a long time, and does not
respond to any request.
Example
# Display all sticky MAC address entries.
<HUAWEI> display mac-address sticky
-------------------------------------------------------------------------------
MAC Address VLAN/VSI/BD Learned-From Type
-------------------------------------------------------------------------------
xxxx-xxxx-xxx1 100/-/- GE0/0/1 sticky
xxxx-xxxx-xxx2 200/-/- GE0/0/2 sticky
-------------------------------------------------------------------------------
Total items displayed = 2
# Display detailed information about all sticky MAC address entries in VLAN 10.
<HUAWEI> display mac-address sticky vlan 10 verbose
-------------------------------------------------------------------------------
MAC Address : xxxx-xxxx-xxx1 VLAN : 10
Learned-From: GE0/0/1 Type : sticky
-------------------------------------------------------------------------------
Total items displayed = 1
Format
display mac-address sticky-config [ vlan vlan-id | interface-type interface-number ] * [ verbose ]
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
After secure static MAC address entries are configured using the port-security
mac-address sticky-config command, you can run the display mac-address
sticky-config command to check these entries.
Follow-up Procedure
After you run this command to check MAC address entries of the Sticky-Config
type and consider that a MAC address entry is invalid, you can run the undo
port-security mac-address [ sticky-config ] mac-address vlan vlan-id command to
delete it.
Precautions
If you run the display mac-address sticky-config command without specifying
any parameters, all MAC address entries of the Sticky-Config type are displayed.
If the MAC address table does not contain any MAC address of the Sticky-Config
type, no information is displayed in the command output.
When the device has a large number of MAC address entries of the Sticky-Config
type, it is recommended that you specify parameters in the command to filter the
output information. If you do not specify these parameters, the following faults
may occur:
● The displayed information is repeatedly refreshed, so you cannot find the
required information.
● The system traverses and retrieves information for a long time, and does not
respond to any request.
Example
# Display all MAC address entries of the Sticky-Config type.
<HUAWEI> display mac-address sticky-config
------------------------------------------------------------------------------------
MAC Address VLAN/VSI/BD Learned-From Type
------------------------------------------------------------------------------------
0022-0022-0033 100/-/- GE0/0/1 sticky-config
0000-0000-0001 200/-/- GE0/0/2 sticky-config
------------------------------------------------------------------------------------
Total items displayed = 2
# Display detailed information about all MAC address entries of the Sticky-Config
type in VLAN 10.
<HUAWEI> display mac-address sticky-config vlan 10 verbose
-------------------------------------------------------------------------------
MAC Address : 0000-0000-0001 VLAN : 10
Learned-From: GE0/0/1 Type : sticky-config
-------------------------------------------------------------------------------
Total items displayed = 1
Format
port-security aging-time time [ type { absolute | inactivity } ]
undo port-security aging-time
NOTE
Parameters
Parameter Description Value
Views
Ethernet interface view, GE interface view, XGE interface view, 25GE interface view,
MultiGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk
interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After you run the port-security enable command to enable port security on an
interface, MAC address entries learned by the interface are saved in the MAC
address table as secure dynamic MAC addresses. The learned secure dynamic MAC
addresses will not be aged by default. When the number of learned MAC
addresses reaches the limit, the interface cannot learn new MAC addresses.
If MAC addresses learned by an interface can be trusted only for a certain period,
run the port-security aging-time command to set the aging time of secure
dynamic MAC addresses on the interface. Then secure dynamic MAC addresses
can be aged out and the interface can learn new MAC addresses.
Prerequisites
Port security is enabled on the interface.
Precautions
If the aging time of secure dynamic MAC addresses on an interface is shorter than
the global aging time of dynamic MAC addresses, secure dynamic MAC addresses
are aged out when the global aging time expires.
If you run the port-security aging-time command multiple times in the same
interface view, only the latest configuration takes effect.
Example
# Set the aging time of secure dynamic MAC addresses on GE0/0/1 to 30 minutes.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-security enable
[HUAWEI-GigabitEthernet0/0/1] port-security aging-time 30
Format
port-security enable
undo port-security enable
Parameters
None
Views
GE interface view, Ethernet interface view, XGE interface view, 25GE interface view,
MultiGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk
interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After port security is enabled on an interface, MAC address entries learned by the
interface are stored in the MAC address table as secure dynamic MAC address
entries. By default, secure dynamic MAC addresses will not be aged out. If the
aging time of secure dynamic MAC address entries is set, these entries will be
aged out. After the device restarts, secure dynamic MAC address entries are lost
and need to be relearned. You can also create secure static MAC addresses which
do not age out.
Port security has the following functions:
● Prevent unauthorized guests from using their computers to connect to an
enterprise network.
Example
# Enable port security on GigabitEthernet0/0/2.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/2
[HUAWEI-GigabitEthernet0/0/2] port-security enable
Format
port-security mac-address mac-address vlan vlan-id
undo port-security mac-address mac-address vlan vlan-id
Parameters
Parameter Description Value
Views
Ethernet interface view, GE interface view, XGE interface view, 25GE interface
view, MultiGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk
interface view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After port security is enabled on an interface using the port-security enable
command, MAC address entries learned by the interface are stored in the MAC
address table as secure dynamic MAC address entries.
When the interface becomes Down or the device is reset, static secure MAC
addresses are not affected, and dynamic secure MAC addresses need to be learned
again. Static secure MAC addresses are not aged out. Static secure MAC addresses
have a higher priority than dynamic secure MAC addresses.
Prerequisites
Port security has been enabled by using the port-security enable command on
the interface.
Precautions
Running the port-security mac-address mac-address vlan vlan-id command
multiple times configures multiple static secure MAC addresses.
A static secure MAC address cannot be a VRRP virtual MAC address or system
MAC address.
Example
# Configure a static secure MAC address entry on GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-security enable
[HUAWEI-GigabitEthernet0/0/1] port-security mac-address 00e0-fc12-3456 vlan 10
Function
The port-security mac-address sticky-config command configures a static secure
MAC address of the Sticky-Config type.
Format
port-security mac-address sticky-config mac-address vlan vlan-id
Parameters
Parameter Description Value
Views
Ethernet interface view, GE interface view, XGE interface view, 25GE interface
view, MultiGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk
interface view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When the interface becomes Down or the device is reset, static secure MAC
addresses are not affected, and dynamic secure MAC addresses need to be learned
again. Static secure MAC addresses are not aged out. Static secure MAC addresses
have higher priority than dynamic secure MAC addresses. You can run this
command to configure a static secure MAC address of the Sticky-Config type.
Prerequisites
1. Port security has been enabled using the port-security enable command.
2. The sticky MAC function on an interface has been enabled using the port-
security mac-address sticky command.
Precautions
You can manually configure one or more static secure MAC address entries of the
Sticky-Config type. You run the port-security mac-address sticky-config mac-
address vlan vlan-id command multiple times to configure multiple static secure
MAC address entries of the Sticky-Config type.
A static secure MAC address of the Sticky-Config type cannot be a VRRP virtual
MAC address or a system MAC address.
Example
# Configure a static secure MAC address entry of the Sticky-Config type on
GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-security enable
[HUAWEI-GigabitEthernet0/0/1] port-security mac-address sticky
[HUAWEI-GigabitEthernet0/0/1] port-security mac-address sticky-config 00e0-fc12-3456 vlan 10
Function
The port-security mac-address sticky command enables the sticky MAC function
on an interface.
The undo port-security mac-address sticky command disables the sticky MAC
function on an interface.
Format
port-security mac-address sticky [ mac-address vlan vlan-id ]
undo port-security mac-address sticky [ mac-address vlan vlan-id ]
Parameters
Parameter Description Value
Views
Ethernet interface view, GE interface view, XGE interface view, 25GE interface
view, MultiGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk
interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After port security is enabled on an interface using the port-security enable
command, MAC address entries learned by the interface are stored in the MAC
address table as secure dynamic MAC address entries.
After the sticky MAC function is enabled on an interface, the dynamic MAC
addresses learned by the interface change to sticky MAC addresses.
Before the number of sticky MAC addresses reaches the limit on the interface, the
MAC addresses learned subsequently are still converted into sticky MAC addresses.
When the number of sticky MAC addresses reaches the limit, non-sticky MAC
addresses are discarded. In addition, the system determines whether to send a
trap message based on the configuration of the interface protection mode.
After enabling the sticky MAC function on an interface using the port-security
mac-address sticky command, you can run the port-security mac-address sticky
mac-address vlan vlan-id command to manually configure a sticky MAC address
entry.
Prerequisites
Port security has been enabled by using the port-security enable command on
the interface.
Precautions
Running the undo port-security mac-address sticky command will convert the
sticky MAC addresses on the interface into secure dynamic MAC addresses.
The configuration information is not displayed after you run the port-security
mac-address sticky mac-address vlan vlan-id command to configure sticky MAC
address entries.
A sticky MAC address cannot be a VRRP virtual MAC address or a system MAC
address.
Example
# Enable the sticky MAC function on GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-security enable
[HUAWEI-GigabitEthernet0/0/1] port-security mac-address sticky
Function
The port-security max-mac-num command sets the maximum number of secure
MAC addresses that can be learned on an interface.
Format
port-security max-mac-num max-number
Parameters
Parameter Description Value
Views
Ethernet interface view, GE interface view, XGE interface view, 25GE interface view,
MultiGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk
interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After enabling port security on an interface, you can run the port-security max-
mac-num command to limit the number of MAC addresses that the interface can
learn. If the switch receives packets with a nonexistent source MAC address after
the number of secure MAC addresses reaches the limit, the switch considers that
the packets are sent from an unauthorized user, regardless of whether the
destination MAC address of packets is valid, and takes the action configured using
the port-security protect-action command on the interface. This prevents
untrusted users from accessing these interfaces, improving security of the switch
and the network.
Precautions
● The total number of MAC addresses on interfaces enabled with port security
cannot exceed 4096. For example, if the numbers of MAC addresses learned
on interfaces 1, 2, 3, and 4 are 1000 respectively, interface 5 can learn a
maximum of 96 MAC addresses.
Example
# Set the maximum number of MAC addresses that can be learned by
GigabitEthernet0/0/1 to 5.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-security enable
[HUAWEI-GigabitEthernet0/0/1] port-security max-mac-num 5
Format
port-security protect-action { protect | restrict | shutdown }
undo port-security protect-action
Parameters
Parameter Description Value
Views
Ethernet interface view, GE interface view, XGE interface view, 25GE interface view,
MultiGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk
interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After enabling port security, you can run the port-security protect-action
command to configure the action performed on the interface when the number of
learned MAC addresses on an interface exceeds the upper limit or static MAC
address flapping is detected.
The default action restrict is recommended. If the action is set to shutdown on an
interface connected to a downstream device, the interface discards packets from
trusted MAC addresses. Select the shutdown action only when the interface is
directly connected to a user terminal.
Prerequisites
Port security has been enabled by using the port-security enable command on
the interface.
Precautions
The interface takes protection actions when detecting static MAC address flapping
only after the port-security static-flapping protect command is executed.
If the action is set to shutdown, the interface takes the error down action when
the number of learned MAC addresses exceeds the limit or static MAC address
flapping is detected. In addition, the interface status will not be automatically
recovered.
If you run the port-security protect-action command multiple times in the same
interface view, only the latest configuration takes effect.
If both port security and traffic policy-based VLAN translation are configured on
an interface of the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6735-S,
S6720-EI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S, the interface
can forward protocol packets with source MAC addresses out of the MAC address
table when the number of learned MAC addresses exceeds the limit.
Example
# Set the protection action on GigabitEthernet0/0/1 to protect.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-security enable
[HUAWEI-GigabitEthernet0/0/1] port-security protect-action protect
Format
port-security static-flapping protect
undo port-security static-flapping protect
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Secure MAC addresses are also static MAC addresses. When an interface receives a
packet whose source MAC address exists in the static MAC address table of
another interface, the interface discards this packet. This affects customer services.
For example, if PC 1 connects to GE0/0/1 where the sticky MAC address function is
enabled, the static MAC address table of GE0/0/1 includes PC 1's MAC address.
After PC 1 is disconnected from GE0/0/1 and then connected to GE0/0/2, GE0/0/2
discards the packets from PC 1. In this situation, you can enable static MAC
address flapping detection. GE0/0/2 will then take the configured protection
action.
Precautions
Static MAC address flapping detection needs to be enabled only on the interfaces
with port security enabled.
Example
# Enable static MAC address flapping detection.
<HUAWEI> system-view
[HUAWEI] port-security static-flapping protect
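The following is an added example, not Huawei code: a small model of the decisions described in the port-security max-mac-num, port-security protect-action and port-security static-flapping protect sections above, so the consequences (for instance shutdown also discarding trusted MACs) can be seen on sample frames. Two details the page does not state are assumed here: restrict and shutdown raise a trap while protect discards silently, and static secure MACs count toward max-mac-num.

```python
"""Model of the port-security behaviour described above (added example, not
Huawei code).  Assumed: restrict/shutdown raise a trap, protect is silent, and
static secure MACs count toward max-mac-num."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    max_mac: int = 1               # port-security max-mac-num
    action: str = "restrict"       # port-security protect-action (restrict is the default)
    sticky: bool = False           # port-security mac-address sticky
    static_macs: set = field(default_factory=set)   # port-security mac-address <mac> vlan <id>
    secure_macs: set = field(default_factory=set)   # learned secure dynamic (or sticky) MACs
    error_down: bool = False
    traps: list = field(default_factory=list)

    def fixed_macs(self):
        """MACs the page treats as static: configured ones plus sticky-learned ones."""
        return self.static_macs | (self.secure_macs if self.sticky else set())

    def violate(self, reason):
        """Apply the configured protect-action; the offending frame is always dropped."""
        if self.action in ("restrict", "shutdown"):     # assumed trap behaviour
            self.traps.append(f"{self.name}: {reason}")
        if self.action == "shutdown":
            self.error_down = True   # error-down is not recovered automatically
        return False

    def receive(self, src_mac):
        """Return True if a frame with this source MAC is forwarded."""
        if self.error_down:
            return False             # shutdown also discards trusted MACs
        if src_mac in self.static_macs or src_mac in self.secure_macs:
            return True
        if len(self.static_macs) + len(self.secure_macs) < self.max_mac:
            self.secure_macs.add(src_mac)   # learned as a secure dynamic/sticky MAC
            return True
        return self.violate(f"limit {self.max_mac} exceeded by {src_mac}")


class Switch:
    def __init__(self, ports, static_flapping_protect=False):
        self.ports = {p.name: p for p in ports}
        # port-security static-flapping protect (system view)
        self.static_flapping_protect = static_flapping_protect

    def receive(self, port_name, src_mac):
        """Forwarding decision for a frame arriving on port_name."""
        port = self.ports[port_name]
        owner = next((p for p in self.ports.values()
                      if p is not port and src_mac in p.fixed_macs()), None)
        if owner is not None:
            # Source MAC is static on another interface: always discarded; the
            # protect-action (and its trap) applies only with flapping detection on.
            if self.static_flapping_protect:
                return port.violate(f"static MAC {src_mac} moved from {owner.name}")
            return False
        return port.receive(src_mac)


def demo():
    """Scenario from the page: PC 1 learned on sticky GE0/0/1, then moved to GE0/0/2."""
    sw = Switch([SecurePort("GE0/0/1", sticky=True), SecurePort("GE0/0/2")],
                static_flapping_protect=True)
    first = sw.receive("GE0/0/1", "00e0-fc12-3456")    # learned, becomes sticky
    moved = sw.receive("GE0/0/2", "00e0-fc12-3456")    # dropped and trapped
    return first, moved, sw.ports["GE0/0/2"].traps
```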
Format
undo mac-address { sec-config | security | sticky } [ interface-type interface-number | vlan vlan-id ] *
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After port security is enabled on an interface, dynamic MAC address entries
learned by the interface turn into secure MAC address entries. Secure MAC address
entries are not aged out. After the number of MAC address entries learned by an
interface reaches the limit, the interface cannot learn new MAC address entries.
Packets matching no MAC address entry are broadcast, wasting bandwidth
resources. This command can delete useless secure MAC address entries to release
the MAC address table space.
You can delete some of the secure MAC address entries as required. For example:
● If you do not specify interface-type interface-number, the command deletes
MAC address entries of the specified type on all interfaces.
● If you do not specify vlan vlan-id, the command deletes MAC address entries
of the specified type in all VLANs.
Example
# Delete all static secure MAC address entries.
<HUAWEI> system-view
[HUAWEI] undo mac-address sec-config
Format
arp dhcp-snooping-detect enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After a DHCP client sends a DHCP Release message to release its IP address, the
DHCP snooping-enabled device immediately deletes the binding entry of the
DHCP client. If a DHCP client is abnormally disconnected and cannot send a DHCP
Release message, the DHCP snooping-enabled device cannot immediately delete
the binding entry of the DHCP client.
If association between ARP and DHCP snooping is enabled using this command
and no ARP entry corresponding to the IP address in the DHCP snooping binding
entry is found, the DHCP snooping-enabled device performs an ARP probe on the
IP address. If no user is detected in four consecutive probes, the DHCP snooping-
enabled device deletes the DHCP snooping binding entry corresponding to the IP
address. (The probe interval is 20 seconds; the number of probes and the probe
interval are fixed values and cannot be modified.) If the DHCP snooping-enabled
device supports the DHCP relay function, it then sends a DHCP Release message
in place of the DHCP client to notify the DHCP server to release the IP address.
Prerequisites
Before association between the ARP and DHCP snooping is enabled, ensure that
an IP address configured on the device is on the same network segment as the IP
address of the client for ARP probe.
Example
# Enable association between ARP and DHCP snooping on the device.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] arp dhcp-snooping-detect enable
Function
The dhcp option82 append vendor-specific command inserts the Sub9 suboption
into Option 82.
The undo dhcp option82 append vendor-specific command restores the default
configuration.
By default, Sub9 suboption is not inserted into the Option 82 field of DHCP
messages.
Format
dhcp option82 append vendor-specific
Parameters
None
Views
Interface view, VLAN view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The Sub9 suboption has old and new formats. The old format contains the vendor
ID, for example, hwid. The new format does not contain the vendor ID.
Both the dhcp option82 append vendor-specific and dhcp option82 vendor-
specific format commands can insert the Sub9 into the Option 82 field of the
DHCP message, except that the Sub9 formats are different:
● dhcp option82 append vendor-specific: inserts the Sub9 of the new format.
The new format includes the location information such as the node identifier,
node chassis ID, node slot ID, node port number, and user VLAN.
● dhcp option82 vendor-specific format: inserts the Sub9 of the old format.
The old format includes the DHCP client information such as user IP address
and device name.
Prerequisites
DHCP has been enabled globally using the dhcp enable command.
Precautions
● When both the dhcp option82 append vendor-specific and dhcp option82
vendor-specific format commands are run, the dhcp option82 append
vendor-specific command takes effect.
● The Sub9 suboption can be inserted into Option 82 only when the Sub9
format is the same as the DHCP packet format. If the formats are different:
– If the dhcp option82 vendor-specific format command has been run,
the Sub9 of the new format cannot be inserted into Option 82.
Example
# Insert the Sub9 suboption into the Option 82 field of DHCP messages.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dhcp option82 append vendor-specific
Function
The dhcp option82 enable command enables a device to insert the Option 82
field to a DHCP message.
The undo dhcp option82 enable command disables a device from inserting the
Option 82 field to a DHCP message.
By default, a device does not insert the Option 82 field to a DHCP message.
Format
In the interface view, BD view and port group view
dhcp option82 { insert | rebuild } enable
undo dhcp option82 { insert | rebuild } enable
In the VLAN view
dhcp option82 { insert | rebuild } enable interface interface-type interface-number1 [ to interface-number2 ]
undo dhcp option82 { insert | rebuild } enable interface interface-type interface-number1 [ to interface-number2 ]
Parameters
Parameter Description Value
Views
VLAN view, Ethernet interface view, GE interface view, MultiGE interface view, XGE
interface view, 25GE interface view, 40GE interface view, 100GE interface view,
Eth-Trunk interface view, port group view, BD view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The Option 82 field records the location of a DHCP client. A device inserts the
Option 82 field to a DHCP Request message to notify the DHCP server of the
DHCP client location. The DHCP server can assign an IP address and other
configurations to the DHCP client, ensuring DHCP client security.
The device inserts the Option 82 field to a DHCP message in two modes:
● Insert mode: Upon receiving a DHCP Request message without the Option 82
field, the device inserts the Option 82 field. If the DHCP Request message
contains the Option 82 field, the device checks whether the Option 82 field
contains the remote ID. If so, the device retains the Option 82 field; if not, the
device inserts the remote ID.
● Rebuild mode: Upon receiving a DHCP Request message without the Option
82 field, the device inserts the Option 82 field. If the DHCP Request message
contains the Option 82 field, the device deletes the original Option 82 field
and inserts the Option 82 field set by the administrator.
The device handles the reply packets from the DHCP server in the same way
regardless of whether the Insert or Rebuild method is used:
– If the DHCP request packets contain Option 82, the device changes the
Option 82 format in the DHCP reply packets into the Option 82 format in
the DHCP request packets, and forwards the packets to the DHCP client.
– If the DHCP reply packets do not contain Option 82, the device directly
forwards the packets.
NOTE
The physical interface can insert Option82 to the DHCP packets directly forwarded, but does not
insert Option82 to the DHCP packets forwarded through a tunnel.
Prerequisites
DHCP snooping has been enabled on the device, or the device has been
configured as a DHCP relay agent.
Precautions
● When receiving a DHCP Request message, the device checks whether the field
GIADDR in the packet is 0. If so, the dhcp option82 enable command takes
effect; if not, this command does not take effect.
● DHCP Option 82 must be configured on the user-side of a device; otherwise,
the DHCP messages sent to the DHCP server will not carry Option 82.
Example
# Enable the device to insert the Option 82 field to DHCP messages on GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dhcp option82 insert enable
Function
The dhcp option82 encapsulation command configures suboptions inserted into
the DHCP Option 82 field.
By default, the circuit-id (CID), remote-id (RID), subscriber-id (SID), and Sub9
suboptions are inserted into the DHCP Option 82 field in the system view.
By default, suboptions of the DHCP Option 82 field are not inserted in other views.
Format
dhcp option82 encapsulation { circuit-id | remote-id | subscriber-id | vendor-specific-id } *
Parameters
Parameter Description Value
Views
System view, VLAN view, interface view, BD view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
This function applies to a DHCP relay agent or a DHCP snooping-enabled device.
The Option 82 field records the location of a DHCP client. A device inserts the
Option 82 field to a DHCP Request message to notify the DHCP server of the
DHCP client location. The DHCP server can assign an IP address and other
configurations to the DHCP client, ensuring DHCP client security. The
administrator can run this command to configure the device to insert one or more
of the circuit-id suboption, remote-id suboption, subscriber-id suboption, and
vendor-specific suboption in the Sub9 field into the DHCP Option 82 field. After
the command is run, suboptions that are not configured to be inserted are not
inserted into the DHCP Option 82 field by default.
Prerequisites
The DHCP function has been enabled in the system view using the dhcp enable
command.
Example
# Insert the circuit-id suboption into the DHCP Option 82 field.
<HUAWEI> system-view
[HUAWEI] dhcp option82 encapsulation circuit-id
Format
dhcp option82 [ vlan vlan-id ] [ ce-vlan ce-vlan-id ] [ circuit-id | remote-id ] format { default | common | extend | user-defined text }
undo dhcp option82 [ vlan vlan-id ] [ ce-vlan ce-vlan-id ] [ circuit-id | remote-id ] format
Parameters
Parameter Description Value
Views
System view, Ethernet interface view, GE interface view, XGE interface view, 25GE
interface view, MultiGE interface view, 40GE interface view, 100GE interface view,
Eth-Trunk interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After the function of inserting the Option 82 field to DHCP messages is enabled,
you can use the dhcp option82 format command to configure the format of the
Option 82 field.
If you run the dhcp option82 format command in the system view, the command
takes effect for all the DHCP messages on all the interfaces of the device.
You can use the following keywords to define the Option 82 field. The format
string can use the hexadecimal notation, ASCII format, or combination of the two
formats.
● sysname: indicates the ID of the access point. This keyword is valid only in
ASCII format.
● portname: indicates the name of a port, for example, GE0/0/1. This keyword is
valid only in ASCII format.
● porttype: indicates the type of a port. This keyword is a character string or in
hexadecimal notation. For example, if the value is Ethernet in ASCII format, it
is 15 in hexadecimal notation.
● iftype: indicates the type of an interface, which can be eth or trunk. This
keyword is valid only in ASCII format.
● mac: indicates the MAC address of a port. In ASCII format, the value is in the
format of H-H-H; in hexadecimal notation, the value is a number of six bytes.
● slot: indicates the slot ID. This keyword is valid in ASCII format or in
hexadecimal notation.
● subslot: indicates the subslot ID. This keyword is valid in ASCII format or in
hexadecimal notation.
● port: indicates the port number. This keyword is valid in ASCII format or in
hexadecimal notation.
● svlan: indicates the outer VLAN ID. The value ranges from 1 to 4094. If this
field is not required, this field is 0. This keyword is valid in ASCII format or in
hexadecimal notation.
● cvlan: specifies the inner VLAN ID. The value ranges from 1 to 4094. If this
field is not required, this field is 0. This keyword is valid in ASCII format or in
hexadecimal notation.
● length: indicates the total length of the keywords following the keyword
length.
● n: indicates the value of the keyword svlan or cvlan if the SVLAN or CVLAN
does not exist. The keyword n is on the left of the keyword svlan or cvlan. If
the corresponding VLAN does not exist, the default value of the keyword
svlan or cvlan is 4096 in ASCII format and is all Fs in hexadecimal notation. If
the n keyword is added to the left of the keyword svlan or cvlan, the keyword
svlan or cvlan is 0. This keyword is valid in ASCII format or in hexadecimal
notation.
NOTE
Delimiters must be added between keywords; otherwise, the device cannot parse the
keywords. The delimiters cannot be numbers.
The keyword length can be configured only once.
● A number to the left of the symbol % indicates the length of the keyword
following the symbol %. In an ASCII character string, %05 has the same
meaning as %05d in the C language. In a hexadecimal character string, the
number indicates the keyword length in bits.
● The symbol [] indicates an optional keyword. Each pair of brackets can
contain only one keyword, svlan or cvlan. The keyword in the symbol [] is
added to the Option 82 field only if the corresponding VLAN ID exists. To
facilitate syntax check, the system does not support nesting of symbols [].
● The symbol \ indicates an escape character. The symbols %, \, and []
following the escape character indicate themselves. For example, \\ represents
\.
● The contents in quotation marks (" ") are encapsulated in a character string,
and the contents outside the quotation marks are encapsulated in
hexadecimal notation.
● Other symbols are processed as common characters. The rules for setting the
format string in ASCII format or hexadecimal notation are as follows:
– An ASCII character string can contain Arabic numerals, uppercase letters,
lowercase letters, and the following symbols: ! @ # $ % ^ & * ( ) _ + | - =
\ [ ] { } ; : ' " / . , < > `.
– By default, the length of each keyword in an ASCII character string is the
actual length of the keyword.
– A hexadecimal notation string can contain numerals, spaces, and % +
keywords.
– In a hexadecimal notation string, numbers are encapsulated in the
Option 82 field in hexadecimal notation. A number from 0 to 255
occupies 1 byte; a number from 256 to 65535 occupies 2 bytes; a number
from 65536 to 4294967295 occupies 4 bytes. Numbers larger than
4294967295 are not supported. Multiple numbers must be separated by
spaces; otherwise, they are considered as one number.
– All the spaces in a hexadecimal character string are ignored.
– By default, the slot ID, subslot ID, port number, and VLAN ID in a
hexadecimal character string occupy 2 bytes; the field length occupies 1
byte.
– If the length of each keyword in a hexadecimal character string is
specified, the total length of the hexadecimal character string must be a
multiple of 8. If the length of a specified keyword is longer than 32 bits,
the first 32 bits of the keyword are the actual keyword value, and other
bits are set to 0.
– A hexadecimal notation string can contain only the keywords whose
values are numbers. Other keywords, such as port name, cannot be
added to the hexadecimal notation string.
– If a string is not contained in quotation marks, it is encapsulated in
hexadecimal notation. To encapsulate the string in the ASCII format, use
a pair of quotation marks to contain the string. For example, the slot ID
is 3, and the port number is 4. If the string is in the %slot %port format,
the value of the encapsulated string is a hexadecimal number 00030004.
If the string is in the "%slot %port" format, the value of the encapsulated
string is 3 4.
– A format string can contain both hexadecimal strings and ASCII strings,
for example, %slot %port "%sysname %portname:%svlan.%cvlan."
Prerequisites
DHCP has been enabled globally using the dhcp enable command.
Precautions
● All Option82 fields configured in the system view or in the same interface
view share a length of 1-255 bytes. If their total length exceeds 255 bytes,
some Option82 information will be lost.
● There is no limit on the number of Option 82 fields configured on the device.
However, a large number of Option 82 fields will occupy a lot of memory and
prolong the device processing time. To ensure device performance, you are
advised to configure Option 82 fields based on the service requirements and
device memory size.
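As an added example (not Huawei's implementation), the encoder below models the user-defined format rules listed above: quoted text is encapsulated in ASCII, unquoted text in hexadecimal notation, a number before a keyword is a zero-padded width in ASCII and a bit width in hexadecimal, plain numbers occupy 1, 2 or 4 bytes, %length is a one-byte count of what follows, and the whole field must fit in 1 to 255 bytes. The keyword values are passed in as a dict whose keys are the page's keyword names (the MAC address in H-H-H form); the [], n and \ constructs are left unimplemented.

```python
"""Encoder for the user-defined Option 82 format strings described above.
Added example, not Huawei's implementation; the values dict layout is an
assumption of this example."""
import re

# Longer names first so "subslot" is preferred over "slot" and "portname" over "port".
_KW = re.compile(r"%(\d*)(sysname|portname|porttype|iftype|subslot|slot|port|"
                 r"svlan|cvlan|mac|length)")
# Default hexadecimal widths from the page: slot/subslot/port/VLAN 2 bytes,
# MAC address 6 bytes.  Other keywords are ASCII-only.
_HEX_BITS = {"slot": 16, "subslot": 16, "port": 16, "svlan": 16, "cvlan": 16,
             "mac": 48}


def _ascii_tokens(seg):
    parts = _KW.split(seg)            # [text, width, name, text, width, name, ...]
    toks = [("text", parts[0])] if parts[0] else []
    for i in range(1, len(parts), 3):
        width, name, text = parts[i], parts[i + 1], parts[i + 2]
        toks.append(("akw", name, int(width) if width else None))
        if text:
            toks.append(("text", text))
    return toks


def _hex_tokens(seg):
    parts = _KW.split(seg)
    toks = []
    for i in range(0, len(parts), 3):
        for num in parts[i].split():  # plain numbers are separated by spaces
            toks.append(("num", int(num)))
        if i + 2 < len(parts):
            width, name = parts[i + 1], parts[i + 2]
            if name == "length":
                toks.append(("length",))
            else:
                toks.append(("hkw", name, int(width) if width else _HEX_BITS.get(name)))
    return toks


def tokenize(fmt):
    """Quoted segments become ASCII tokens, everything else hexadecimal tokens."""
    toks = []
    for ascii_seg, hex_seg in re.findall(r'"([^"]*)"|([^"]+)', fmt):
        toks += _ascii_tokens(ascii_seg) if ascii_seg else _hex_tokens(hex_seg)
    return toks


def _num_bytes(n):
    if n > 0xFFFFFFFF:
        raise ValueError(f"{n} exceeds the 4-byte maximum")
    return 1 if n <= 0xFF else 2 if n <= 0xFFFF else 4


def _encode(tokens, values):
    out, bits = bytearray(), ""       # bits: pending sub-byte hexadecimal fields
    for i, tok in enumerate(tokens):
        if bits and tok[0] != "hkw":
            raise ValueError("bit widths in a hexadecimal string must total a multiple of 8")
        if tok[0] == "text":
            out += tok[1].encode("ascii")
        elif tok[0] == "akw":           # %05port behaves like %05d in C
            text = str(values[tok[1]])
            out += (text.zfill(tok[2]) if tok[2] else text).encode("ascii")
        elif tok[0] == "num":
            out += tok[1].to_bytes(_num_bytes(tok[1]), "big")
        elif tok[0] == "length":        # one byte: size of everything that follows
            rest = _encode(tokens[i + 1:], values)
            if len(rest) > 255:
                raise ValueError("content after %length exceeds one length byte")
            return bytes(out) + bytes([len(rest)]) + rest
        else:                           # hkw: numeric keyword, fixed bit width
            name, width = tok[1], tok[2]
            if width is None:
                raise ValueError(f"{name} cannot be encoded in hexadecimal notation")
            val = values[name]
            if name == "mac":
                val = int(str(val).replace("-", ""), 16)   # H-H-H form to integer
            if not isinstance(val, int) or val >= 1 << width:
                raise ValueError(f"{name}={val!r} does not fit in {width} bits")
            bits += format(val, f"0{width}b")
            while len(bits) >= 8:
                out.append(int(bits[:8], 2))
                bits = bits[8:]
    if bits:
        raise ValueError("bit widths in a hexadecimal string must total a multiple of 8")
    return bytes(out)


def encode(fmt, values):
    """Encode one Option 82 sub-option field from a format string and keyword values."""
    data = _encode(tokenize(fmt), values)
    if not 1 <= len(data) <= 255:     # Option 82 fields share 1-255 bytes
        raise ValueError(f"encoded length {len(data)} is outside 1-255 bytes")
    return data
```

With slot 3 and port 4, encode("%slot %port", ...) yields the hexadecimal 00030004 and encode('"%slot %port"', ...) the ASCII string 3 4, matching the worked case in the rules above.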
Example
# Configure the default format for the CID in the Option 82 field.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp option82 circuit-id format default
# Configure the extended format for the CID and RID in the Option 82 field.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp option82 format extend
# Configure the user-defined string for the CID in the Option 82 field and
encapsulate the port name, outer VLAN ID, inner VLAN ID, and host name in ASCII
format.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp option82 circuit-id format user-defined "%portname:%svlan.%cvlan %sysname"
# Configure a hexadecimal notation string for the CID of the Option 82 field and
encapsulate the CID type (fixed as 0, indicating the hexadecimal notation), length
(excluding the lengths of the CID type and the keyword length itself), outer VLAN
ID, slot ID (5 bits), subcard ID (3 bits), and port ID (8 bits).
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp option82 circuit-id format user-defined 0 %length %svlan %5slot %3subslot %8port
# Configure the user-defined string for the RID in the Option 82 field and
encapsulate the device MAC address in hexadecimal notation.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp option82 remote-id format user-defined %mac
# On GE0/0/1, configure the default format for the CID in the Option 82 field.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dhcp option82 circuit-id format default
# On GE0/0/1, configure the extended format for the CID and RID in the Option
82 field of DHCP messages from VLAN 10.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dhcp option82 vlan 10 format extend
# On GE0/0/1, configure a user-defined format for the CID in the Option 82 field
and encapsulate the port name, outer VLAN ID, inner VLAN ID, and host name in
ASCII format.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dhcp option82 circuit-id format user-defined "%portname:%svlan.%cvlan %sysname"
# On GE0/0/1, configure a hexadecimal notation string for the CID of the Option
82 field and encapsulate the CID type (fixed as 0, indicating the hexadecimal
notation), length (excluding the lengths of the CID type and the keyword length
itself), outer VLAN ID, slot ID (5 bits), subcard ID (3 bits), and port ID (8 bits).
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dhcp option82 circuit-id format user-defined 0 %length %svlan %5slot %3subslot %8port
# On GE0/0/1, configure the user-defined format for the RID in the Option 82
field and encapsulate the device MAC address in hexadecimal notation.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dhcp option82 remote-id format user-defined %mac
Function
The dhcp option82 subscriber-id format command inserts the Sub6 suboption
into the DHCP Option 82 field of DHCP messages and configures the format of
the Sub6 suboption.
By default, the Sub6 suboption is not inserted into the DHCP Option 82 field of
DHCP messages.
Format
dhcp option82 subscriber-id format { ascii ascii-text | hex hex-text }
Parameters
ascii ascii-text
Description: Specifies the ASCII character string in the Sub6 field.
Value: The value is an ASCII character string and contains fewer than 129 characters.
hex hex-text
Description: Specifies the HEX character string in the Sub6 field.
Value: The value is in hexadecimal notation. The value can contain only digits 0 to 9, uppercase letters A to F, and lowercase letters a to f. If no space is included, the value length must be an even number smaller than 257.
Views
System view, Ethernet interface view, GE interface view, XGE interface view, 25GE
interface view, MultiGE interface view, 40GE interface view, 100GE interface view,
Eth-Trunk interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Prerequisites
Example
# Configure the Sub6 suboption inserted into the DHCP Option 82 field of DHCP
messages on GE0/0/1 and specify the ASCII character string in the Sub6 suboption.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dhcp option82 subscriber-id format ascii hw
Format
dhcp option82 vendor-specific format vendor-sub-option sub-option-num { ascii ascii-text | hex hex-text | ip-address ip-address &<1-8> | sysname }
undo dhcp option82 vendor-specific format vendor-sub-option sub-option-num
Parameters
ascii ascii-text
Description: Specifies the ASCII character string in the vendor-specific suboption in the Sub9 field.
Value: The value is an ASCII character string and must be smaller than 129 characters.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
In authentication for wired Ethernet access using DHCP, DHCP snooping, and
Option 82, a device can insert suboptions (suboption 1, suboption 2, and
suboption 9) into the Option 82 field of DHCP Request messages. These suboptions
carry information about the location of user devices, so that unauthorized users
cannot access the network using static IP addresses or the stolen accounts of
authorized users. The dhcp option82 vendor-specific format command configures
the suboptions in the Sub9 field.
Prerequisites
Example
# Insert the device name to the vendor-specific suboption 1 in the Sub9 field.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp option82 vendor-specific format vendor-sub-option 1 sysname
The undo dhcp server detect command disables detection of DHCP servers.
Format
dhcp server detect
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
If bogus DHCP servers exist on the network, they send incorrect information to
DHCP clients, such as the incorrect gateway address, incorrect DNS server, and
incorrect IP address. As a result, DHCP clients cannot access the network or access
incorrect networks.
After detection of DHCP servers is enabled, a DHCP snooping device checks DHCP
Reply messages and logs the information about the DHCP servers they carry, such
as the DHCP server address and the DHCP client port number. Based on these logs,
the network administrator can identify bogus DHCP servers on the network and
maintain the network.
Prerequisites
DHCP snooping has been enabled on the device using the dhcp snooping enable
command.
Example
# Enable detection of DHCP servers.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp server detect
Format
dhcp snooping alarm dhcp-rate enable [ threshold threshold ]
undo dhcp snooping alarm dhcp-rate enable [ threshold ]
Parameters
Parameter Description Value
Views
System view, Ethernet interface view, GE interface view, XGE interface view, 25GE
interface view, MultiGE interface view, 40GE interface view, 100GE interface view,
Eth-Trunk interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After DHCP snooping is enabled, the device sends all the received DHCP Request
and Reply messages to the processing unit. If DHCP messages arrive at a high
rate, the processing efficiency of the processing unit is affected. After the
dhcp snooping check dhcp-rate enable command is run, the device checks the rate
at which DHCP messages are sent to the processing unit: messages within the
specified rate are sent to the processing unit, and those that exceed the rate
are discarded.
If the number of discarded DHCP messages reaches the threshold, an alarm is
generated. To set the alarm threshold, run the dhcp snooping alarm dhcp-rate
threshold command.
If you run the dhcp snooping alarm dhcp-rate enable command in the system
view, the command takes effect on all the interfaces of the device. If you run the
dhcp snooping alarm dhcp-rate enable command in the interface view, the
command only takes effect on the specified interface.
Prerequisites
DHCP snooping has been enabled on the device using the dhcp snooping enable
command.
Precautions
To ensure that alarms can be properly reported, you need to run the snmp-agent
trap enable feature-name dhcp command to enable the DHCP module to report
the corresponding alarm. You can check whether the DHCP module is enabled to
report the corresponding alarm using the display snmp-agent trap feature-name
dhcp all command.
Example
# In the system view, enable the device to generate an alarm when the number of
discarded DHCP messages reaches the threshold.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping check dhcp-rate enable
[HUAWEI] dhcp snooping alarm dhcp-rate enable
# Enable the device to generate an alarm when the number of discarded DHCP
messages reaches the threshold on GE0/0/1.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping check dhcp-rate enable
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-rate enable
Format
dhcp snooping alarm dhcpv6-rate enable
undo dhcp snooping alarm dhcpv6-rate enable
Parameters
None
Views
System view, Ethernet interface view, GE interface view, XGE interface view, 25GE
interface view, MultiGE interface view, 40GE interface view, Eth-Trunk interface
view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After DHCP snooping is enabled, the device sends all the received DHCPv6
messages to the processing unit. If DHCPv6 messages arrive at a high rate, the
processing efficiency of the processing unit is affected. After the device is
enabled to check the rate of sending DHCPv6 messages to the processing unit using
the dhcp snooping check dhcpv6-rate enable command, DHCPv6 messages within the
specified rate are sent to the processing unit and those that exceed the rate
are discarded.
If the dhcp snooping alarm dhcpv6-rate enable command is run, the device
generates an alarm when the number of discarded DHCPv6 messages reaches the
threshold. You can configure the alarm threshold using the dhcp snooping alarm
dhcpv6-rate threshold command.
Prerequisites
DHCP snooping has been enabled on the device using the dhcp snooping enable
command.
Precautions
If the dhcp snooping alarm dhcpv6-rate enable command is run in the system
view, the configuration takes effect for all the interfaces on the device. If this
command is run in the interface view, the configuration takes effect only for the
specified interface.
To ensure that alarms can be properly reported, you need to run the snmp-agent
trap enable feature-name dhcp command to enable the DHCP module to report
the corresponding alarm. You can check whether the DHCP module is enabled to
report the corresponding alarm using the display snmp-agent trap feature-name
dhcp all command.
Example
# In the system view, enable the device to generate an alarm when the number of
discarded DHCPv6 messages reaches the alarm threshold.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping alarm dhcpv6-rate enable
Function
The dhcp snooping alarm dhcp-rate threshold command sets the alarm
threshold for the number of discarded DHCP messages.
The undo dhcp snooping alarm dhcp-rate threshold command restores the
default alarm threshold for the number of discarded DHCP messages.
By default, the global alarm threshold for the number of discarded DHCP
messages is 100, and the alarm threshold for the number of discarded DHCP
messages on an interface is the same as that configured in the system view.
Format
dhcp snooping alarm dhcp-rate threshold threshold
undo dhcp snooping alarm dhcp-rate threshold
Parameters
threshold
Description: Specifies the alarm threshold. If the number of discarded DHCP messages reaches the threshold, an alarm is generated.
Value: The value is an integer that ranges from 1 to 1000. The default value is 100.
Views
System view, Ethernet interface view, GE interface view, XGE interface view, 25GE
interface view, MultiGE interface view, 40GE interface view, 100GE interface view,
Eth-Trunk interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After you run the dhcp snooping alarm dhcp-rate enable command to enable a
device to generate an alarm when the number of discarded DHCP messages
reaches the threshold, you can set the alarm threshold using the dhcp snooping
alarm dhcp-rate threshold command. An alarm is generated when the number
of discarded DHCP messages reaches the threshold.
If the alarm threshold is set in the system view and interface view, the smaller
value takes effect.
Prerequisites
DHCP snooping has been enabled on the device using the dhcp snooping enable
command.
Precautions
To ensure that alarms can be properly reported, you need to run the snmp-agent
trap enable feature-name dhcp command to enable the DHCP module to report
the corresponding alarm. You can check whether the DHCP module is enabled to
report the corresponding alarm using the display snmp-agent trap feature-name
dhcp all command.
Example
# Set the alarm threshold for the number of discarded DHCP messages on
GE0/0/1 to 50.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-rate threshold 50
Function
The dhcp snooping alarm dhcpv6-rate threshold command sets the alarm
threshold for the number of discarded DHCPv6 messages.
The undo dhcp snooping alarm dhcpv6-rate threshold command restores the
default setting.
By default, the alarm threshold for globally discarded DHCPv6 messages is 100
packets, and the alarm threshold for discarded DHCPv6 messages on an interface
is the same as the configured value in the system view.
Format
dhcp snooping alarm dhcpv6-rate threshold threshold
Parameters
threshold
Description: Specifies the alarm threshold. When the number of discarded DHCPv6 messages reaches the threshold, the device generates an alarm.
Value: The value is an integer that ranges from 1 to 1000, in packets.
Views
System view, Ethernet interface view, GE interface view, XGE interface view, 25GE
interface view, MultiGE interface view, 40GE interface view, Eth-Trunk interface
view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After the device is enabled to generate an alarm when the number of discarded
DHCPv6 messages reaches the threshold using the dhcp snooping alarm dhcpv6-
rate enable command, you can run the dhcp snooping alarm dhcpv6-rate
threshold threshold command to configure the alarm threshold for discarded
DHCPv6 messages. The device generates an alarm when the number of discarded
DHCPv6 messages reaches the configured alarm threshold.
Prerequisites
DHCP snooping has been enabled on the device using the dhcp snooping enable
command.
Precautions
To ensure that alarms can be properly reported, you need to run the snmp-agent
trap enable feature-name dhcp command to enable the DHCP module to report
the corresponding alarm. You can check whether the DHCP module is enabled to
report the corresponding alarm using the display snmp-agent trap feature-name
dhcp all command.
Example
# Set the alarm threshold for discarded DHCPv6 messages to 500 packets in the
system view.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping alarm dhcpv6-rate threshold 500
Function
The dhcp snooping alarm enable command enables alarm for discarded DHCP
messages.
The undo dhcp snooping alarm enable command disables alarm for discarded
DHCP messages.
Format
dhcp snooping alarm { dhcp-request | dhcp-chaddr | dhcp-reply } enable [ threshold threshold ]
Parameters
Parameter Description Value
Views
Ethernet interface view, GE interface view, XGE interface view, 25GE interface view,
MultiGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk
interface view, port group view, BD view, VLAN view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After the alarm function is enabled, alarm messages are displayed if DHCP attacks
occur and the number of discarded attack messages reaches the threshold. The
minimum interval for sending alarm messages is 1 minute. You can run the dhcp
snooping alarm threshold command to set the alarm threshold.
Prerequisites
DHCP snooping has been enabled on the device using the dhcp snooping enable
command.
Precautions
By default, a device does not check the messages received from clients.
Therefore, for this command to take effect, ensure the following:
● The device has been enabled to check DHCP messages against the binding
entries using the dhcp snooping check dhcp-request enable command
before the dhcp snooping alarm [ dhcp-request | dhcpv6-request ] enable
command is run.
● The device has been enabled to check whether the CHADDR field is the same
as the source MAC address in the header of a DHCPv4 Request message using
the dhcp snooping check dhcp-chaddr enable command before the dhcp
snooping alarm dhcp-chaddr enable command is run.
To ensure that alarms can be properly reported, you need to run the snmp-agent
trap enable feature-name dhcp command to enable the DHCP module to report
the corresponding alarm. You can check whether the DHCP module is enabled to
report the corresponding alarm using the display snmp-agent trap feature-name
dhcp all command.
Example
# On GE0/0/1, enable DHCP snooping, enable the device to check whether the
CHADDR field in the DHCP message matches the source MAC address in the
Ethernet frame header, and enable alarm for the DHCP messages discarded
because the CHADDR field in the DHCP message does not match the source MAC
address.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping enable
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping check dhcp-chaddr enable
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-chaddr enable
Format
In the system view:
Parameters
threshold
Description: Specifies the alarm threshold for the number of DHCP snooping-discarded messages.
Value: The value is an integer that ranges from 1 to 1000.
Views
System view, Ethernet interface view, GE interface view, XGE interface view, 25GE
interface view, MultiGE interface view, 40GE interface view, 100GE interface view,
Eth-Trunk interface view, port group view, BD view, VLAN view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After trap for discarded DHCP messages is enabled, run the dhcp snooping alarm
threshold command to specify the alarm threshold for the number of DHCP
messages discarded by DHCP snooping. If the alarm threshold is not set on an
interface, the interface uses the global alarm threshold.
Prerequisites
DHCP snooping has been enabled on the device using the dhcp snooping enable
command.
The DHCP snooping alarm function has been enabled using the dhcp snooping
alarm { dhcp-request | dhcp-chaddr | dhcp-reply | dhcpv6-request } enable
command.
Precautions
If you run the dhcp snooping alarm threshold command in the system view, the
command takes effect on all the interfaces of the device.
If you specify an alarm threshold for the number of DHCP messages discarded by
DHCP snooping in the system view, an alarm is generated when the number of all
the discarded DHCP messages reaches the threshold.
To ensure that alarms can be properly reported, you need to run the snmp-agent
trap enable feature-name dhcp command to enable the DHCP module to report
the corresponding alarm. You can check whether the DHCP module is enabled to
report the corresponding alarm using the display snmp-agent trap feature-name
dhcp all command.
Example
# Set the global alarm threshold for the number of discarded DHCP messages to
200.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping alarm threshold 200
# On GE0/0/1, enable DHCP snooping, enable the device to check whether the
CHADDR field in the DHCP message matches the source MAC address in the
Ethernet frame header, and enable alarm for the DHCP messages discarded
because the CHADDR field in the DHCP message does not match the source MAC
address. Set the alarm threshold to 1000.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping enable
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping check dhcp-chaddr enable
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-chaddr enable
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-chaddr threshold 1000
Format
In the system view:
dhcp snooping check dhcp-giaddr enable vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
undo dhcp snooping check dhcp-giaddr enable vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
In the VLAN view and interface view:
dhcp snooping check dhcp-giaddr enable
undo dhcp snooping check dhcp-giaddr enable
Parameters
vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
Description: Enables the device to check whether the GIADDR field in DHCP messages sent from a specified VLAN is 0.
● vlan-id1 specifies the first VLAN ID.
● to vlan-id2 specifies the last VLAN ID. vlan-id2 must be larger than vlan-id1.
Value: The value is an integer that ranges from 1 to 4094.
Views
System view, VLAN view, Ethernet interface view, GE interface view, XGE interface
view, 25GE interface view, MultiGE interface view, 40GE interface view, 100GE
interface view, Eth-Trunk interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To ensure that the device obtains parameters such as MAC addresses for
generating a binding table, DHCP snooping needs to be applied on Layer 2 access
devices or on the first DHCP relay agent along the path from the device.
Therefore, the GIADDR field in the DHCP messages received by the DHCP
snooping-enabled device is 0. If the GIADDR field is not 0, the message is
unauthorized and is discarded. This function is recommended if DHCP snooping is
enabled on the DHCP relay agent.
In normal situations, the GIADDR field in DHCP messages sent by user PCs is 0. If
the GIADDR field is not 0, the DHCP server cannot correctly allocate IP addresses.
To prevent attackers from applying for IP addresses using DHCP messages that
carry a non-zero GIADDR field, you are advised to configure this function.
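The client-side snooping checks described in this section and in the sections above, as an added Python illustration that is not Huawei code: the CHADDR field compared with the Ethernet source MAC (dhcp snooping check dhcp-chaddr), the GIADDR field required to be 0 on client-facing ports (dhcp snooping check dhcp-giaddr), and the server address carried in replies recorded so that an unexpected server stands out (dhcp server detect). The packet layout follows RFC 2131; the client MAC, the list of known servers and the sample messages are constructed.

```python
"""DHCP snooping checks described above, as an added Python illustration (not
Huawei code): CHADDR must equal the Ethernet source MAC, a client's GIADDR must
be 0, and the server address seen in replies is recorded so that an unexpected
(bogus) DHCP server shows up. Packet layout follows RFC 2131; the sample packets
below are constructed."""
import struct
from dataclasses import dataclass

BOOTREQUEST, BOOTREPLY = 1, 2
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
MAGIC = b"\x63\x82\x53\x63"
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
# chaddr(16), sname(64), file(128), magic cookie -> 240 bytes
HDR = struct.Struct("!BBBB4sHH4s4s4s4s16s64s128s4s")


@dataclass
class DhcpMessage:
    op: int
    chaddr: bytes      # hardware address, hlen bytes
    giaddr: bytes
    siaddr: bytes
    options: dict      # option code -> raw value


def parse_dhcp(payload):
    (op, _htype, hlen, _hops, _xid, _secs, _flags, _ciaddr, _yiaddr, siaddr,
     giaddr, chaddr, _sname, _file, cookie) = HDR.unpack_from(payload)
    if cookie != MAGIC:
        raise ValueError("not a DHCP message (magic cookie missing)")
    options, i = {}, HDR.size
    while i < len(payload) and payload[i] != OPT_END:
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return DhcpMessage(op, chaddr[:hlen], giaddr, siaddr, options)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def snoop_check(frame_src_mac, payload, trusted_servers):
    """Decide what the snooping device does with one DHCP message.

    Returns (action, reason); action is forward, discard or alert."""
    msg = parse_dhcp(payload)
    if msg.op == BOOTREQUEST:
        # dhcp snooping check dhcp-chaddr: CHADDR must match the frame source MAC
        if msg.chaddr != frame_src_mac:
            return "discard", "chaddr-mismatch"
        # dhcp snooping check dhcp-giaddr: messages from user PCs carry GIADDR 0
        if msg.giaddr != b"\x00" * 4:
            return "discard", "giaddr-nonzero"
        return "forward", "request-ok"
    # dhcp server detect: log which server answered; an address missing from the
    # administrator's list of known servers is what a bogus server looks like
    server = ip_str(msg.options.get(OPT_SERVER_ID, msg.siaddr))
    if server not in trusted_servers:
        return "alert", f"reply from unknown dhcp server {server}"
    return "forward", f"reply from {server}"


def build_dhcp(op, chaddr, giaddr=b"\x00" * 4, siaddr=b"\x00" * 4, options=b""):
    """Construct a minimal DHCP message for the checks above (sample data)."""
    hdr = HDR.pack(op, 1, len(chaddr), 0, b"\x12\x34\x56\x78", 0, 0,
                   b"\x00" * 4, b"\x00" * 4, siaddr, giaddr,
                   chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128, MAGIC)
    return hdr + options + bytes([OPT_END])


CLIENT_MAC = bytes.fromhex("0011223344aa")          # constructed
TRUSTED = {"10.1.1.1"}                              # constructed known-server list
SAMPLES = {                                         # constructed messages
    "discover": build_dhcp(BOOTREQUEST, CLIENT_MAC, options=bytes([OPT_MSG_TYPE, 1, 1])),
    "spoofed_chaddr": build_dhcp(BOOTREQUEST, bytes.fromhex("0011223344bb")),
    "relayed": build_dhcp(BOOTREQUEST, CLIENT_MAC, giaddr=bytes([10, 0, 0, 1])),
    "offer_trusted": build_dhcp(BOOTREPLY, CLIENT_MAC, siaddr=bytes([10, 1, 1, 1]),
                                options=bytes([OPT_MSG_TYPE, 1, 2, OPT_SERVER_ID, 4, 10, 1, 1, 1])),
    "offer_rogue": build_dhcp(BOOTREPLY, CLIENT_MAC,
                              options=bytes([OPT_MSG_TYPE, 1, 2, OPT_SERVER_ID, 4, 192, 168, 1, 200])),
}


def run_samples():
    return {name: snoop_check(CLIENT_MAC, pkt, TRUSTED) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (action, reason) in run_samples().items():
        print(f"{name:15s} -> {action:8s} {reason}")
```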
Prerequisites
DHCP snooping has been enabled on the device using the dhcp snooping enable
command.
Precautions
If you run the dhcp snooping check dhcp-giaddr enable command in the VLAN
view, the command takes effect on all the DHCP messages from the specified
VLAN. If you run the dhcp snooping check dhcp-giaddr enable command in the
interface view, the command takes effect on all the DHCP messages received by
the specified interface.
Example
# Enable the device to check whether the GIADDR field in DHCP messages from
VLAN10 is 0.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] vlan 10
[HUAWEI-vlan10] dhcp snooping check dhcp-giaddr enable
# Enable the device to check whether the GIADDR field in DHCP messages
received on GE0/0/1 is 0.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping enable
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping check dhcp-giaddr enable
Function
The dhcp snooping check dhcp-rate command sets the maximum rate of sending
DHCP messages to the processing unit.
The undo dhcp snooping check dhcp-rate command restores the default
maximum rate of sending DHCP messages to the processing unit.
By default, the maximum rate of sending global DHCP messages to the processing
unit is 100 pps, which is the same as the maximum rate of sending DHCP
messages on interfaces to the processing unit.
Format
In the system view:
dhcp snooping check dhcp-rate rate [ vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> ]
undo dhcp snooping check dhcp-rate
In the VLAN view and interface view:
dhcp snooping check dhcp-rate rate
undo dhcp snooping check dhcp-rate
Parameters
Parameter Description Value
Views
System view, VLAN view, Ethernet interface view, GE interface view, XGE interface
view, 25GE interface view, MultiGE interface view, 40GE interface view, 100GE
interface view, Eth-Trunk interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After DHCP snooping is enabled, the device sends all the received DHCP Request
messages and Reply messages to the processing unit. If the rate of sending DHCP
messages is high, processing efficiency of the processing unit is affected. After the
device is enabled to check the rate of sending DHCP messages to the processing
unit, run the dhcp snooping check dhcp-rate command to set the maximum rate
of sending DHCP messages to the processing unit. DHCP messages that exceed
the rate are discarded.
Prerequisites
The device has been enabled to check the rate of sending DHCP messages to the
processing unit using the dhcp snooping check dhcp-rate enable command.
Precautions
If the maximum rates of sending DHCP messages to the processing unit are set in
the system view, VLAN view, and interface view, the smallest value takes effect.
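The rate check, the smallest-value rule across views, and the discard alarm threshold described here and in the dhcp snooping alarm dhcp-rate sections, modelled in Python as an added example that is not Huawei code. It assumes that the rate is enforced per receiving interface in one-second windows and that the discard counter restarts after each alarm; the configured values and the offered load are constructed.

```python
"""Model of the DHCP snooping rate check and discard alarm described above (the
same logic applies to the dhcpv6-rate commands). Added illustration, not Huawei
code. It shows that the smallest rate configured across the system, VLAN and
interface views is the one enforced, that messages beyond it are discarded, and
that an alarm is raised each time the discard count reaches the smallest
configured threshold. Assumptions: the rate is enforced per receiving interface
in one-second windows, and the discard counter restarts after an alarm."""
from collections import defaultdict

DEFAULT_RATE_PPS = 100          # default for dhcp snooping check dhcp-rate
DEFAULT_ALARM_THRESHOLD = 100   # default for dhcp snooping alarm dhcp-rate threshold


class DhcpRateGuard:
    def __init__(self):
        self.rate = {}                     # view -> pps ("system", "vlan10", "GE0/0/1")
        self.threshold = {}                # view -> discard count that raises an alarm
        self.punted = defaultdict(int)     # (interface, second) -> messages sent to CPU
        self.discarded = defaultdict(int)  # interface -> discards since the last alarm
        self.alarms = []                   # (second, interface, discards)

    def effective_rate(self, interface, vlan):
        # the smallest value configured in any applicable view takes effect
        return min(self.rate.get(v, DEFAULT_RATE_PPS) for v in ("system", vlan, interface))

    def effective_threshold(self, interface, vlan):
        return min(self.threshold.get(v, DEFAULT_ALARM_THRESHOLD)
                   for v in ("system", vlan, interface))

    def receive(self, interface, vlan, second):
        """Return 'punt' if the message goes to the processing unit, else 'discard'."""
        if self.punted[(interface, second)] < self.effective_rate(interface, vlan):
            self.punted[(interface, second)] += 1
            return "punt"
        self.discarded[interface] += 1
        if self.discarded[interface] >= self.effective_threshold(interface, vlan):
            self.alarms.append((second, interface, self.discarded[interface]))
            self.discarded[interface] = 0     # assumption: counter restarts
        return "discard"


def flood(guard, interface, vlan, pps, seconds):
    """Offer pps DHCP messages per second for a number of seconds (constructed load)."""
    punted = discarded = 0
    for second in range(seconds):
        for _ in range(pps):
            if guard.receive(interface, vlan, second) == "punt":
                punted += 1
            else:
                discarded += 1
    return punted, discarded


def demo():
    """Configuration values mirror the examples on this page: 50 pps on VLAN 10,
    alarm threshold 50 on GE0/0/1, everything else at the defaults."""
    guard = DhcpRateGuard()
    guard.rate = {"system": 100, "vlan10": 50}
    guard.threshold = {"GE0/0/1": 50}
    result = flood(guard, "GE0/0/1", "vlan10", pps=200, seconds=2)
    return guard, result


if __name__ == "__main__":
    guard, (punted, discarded) = demo()
    print(f"punted={punted} discarded={discarded} alarms={len(guard.alarms)}")
```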
Example
# In the system view, set the maximum rate of sending DHCP messages to the
processing unit to 50 pps.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping check dhcp-rate enable
[HUAWEI] dhcp snooping check dhcp-rate 50
Format
dhcp snooping check dhcpv6-rate rate
undo dhcp snooping check dhcpv6-rate
Parameters
Parameter Description Value
Views
System view, VLAN view, Ethernet interface view, GE interface view, XGE interface
view, 25GE interface view, MultiGE interface view, 40GE interface view, Eth-Trunk
interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After DHCP snooping is enabled, the device sends all the received DHCPv6
messages to the processing unit. If the rate of sending DHCPv6 messages is high,
processing efficiency of the processing unit is affected. After the device is enabled
to check the rate of sending DHCPv6 messages to the processing unit, DHCPv6
messages that exceed the specified rate are discarded.
Before the maximum rate of DHCPv6 messages sent to the processing unit is
configured, ensure that the dhcp snooping check dhcpv6-rate enable command has
been run to enable the device to check the rate of sending DHCPv6 messages to
the processing unit. Otherwise, the configuration does not take effect.
Prerequisites
DHCP snooping has been enabled on the device using the dhcp snooping enable
command.
Precautions
● If you run the dhcp snooping check dhcpv6-rate command in the system
view, the configuration takes effect for all the interfaces on the device. If you
run this command in the interface view, the configuration takes effect only for
the specified interface. If you run this command in the VLAN view, the
configuration takes effect for all the interfaces in this VLAN.
● If the maximum rates of sending DHCPv6 messages to the processing unit are
set in the system view, VLAN view, and interface view simultaneously, the
smallest value takes effect.
Example
# In the system view, set the maximum rate of sending DHCPv6 messages to the
processing unit to 50 pps.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping check dhcpv6-rate 50
Function
The dhcp snooping check dhcp-rate enable command enables the device to
check the rate of sending DHCP messages to the processing unit.
The undo dhcp snooping check dhcp-rate enable command disables the device
from checking the rate of sending DHCP messages to the processing unit.
By default, the device does not check the rate of sending DHCP messages to the
processing unit.
Format
In the system view:
dhcp snooping check dhcp-rate enable [ rate ] [ vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> ]
undo dhcp snooping check dhcp-rate enable [ vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> ]
In the VLAN view and interface view:
dhcp snooping check dhcp-rate enable [ rate ]
undo dhcp snooping check dhcp-rate enable
Parameters
vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
Description: Enables the device to check the rate of sending DHCP messages from a specified VLAN to the processing unit.
● vlan-id1 specifies the first VLAN ID.
● to vlan-id2 specifies the last VLAN ID. vlan-id2 must be larger than vlan-id1.
If this parameter is not specified, the command takes effect on all the DHCP messages.
Value: The value is an integer that ranges from 1 to 4094.
Views
System view, VLAN view, Ethernet interface view, GE interface view, XGE interface
view, 25GE interface view, MultiGE interface view, 40GE interface view, 100GE
interface view, Eth-Trunk interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After DHCP snooping is enabled, the device sends all the received DHCP Request
messages and Reply messages to the processing unit. If the rate of sending DHCP
messages is high, processing efficiency of the processing unit is affected. After the
device is enabled to check the rate of sending DHCP messages to the processing
unit, DHCP messages that exceed the specified rate are discarded.
The default maximum rate of sending DHCP messages is 100 pps. To set the
maximum rate, run the dhcp snooping check dhcp-rate command.
Prerequisites
DHCP snooping has been enabled on the device using the dhcp snooping enable
command.
Example
# In the system view, enable the device to check the rate of sending DHCP
messages to the processing unit.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping check dhcp-rate enable
# In VLAN 10, enable the device to check the rate of sending DHCP messages to
the processing unit.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] vlan 10
[HUAWEI-vlan10] dhcp snooping enable
[HUAWEI-vlan10] dhcp snooping check dhcp-rate enable
Function
The dhcp snooping check dhcpv6-rate enable command enables the device to
check the rate of sending DHCPv6 messages to the processing unit.
The undo dhcp snooping check dhcpv6-rate enable command disables the
device from checking the rate of sending DHCPv6 messages to the processing unit.
By default, the device does not check the rate of DHCPv6 messages sent to the
processing unit.
Format
dhcp snooping check dhcpv6-rate enable
Parameters
None
Views
System view, VLAN view, Ethernet interface view, GE interface view, XGE interface
view, 25GE interface view, MultiGE interface view, 40GE interface view, Eth-Trunk
interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After DHCP snooping is enabled, the device sends all the received DHCPv6
messages to the processing unit. If the rate of sending DHCPv6 messages is high,
processing efficiency of the processing unit is affected. After the device is enabled
to check the rate of sending DHCPv6 messages to the processing unit, DHCPv6
messages that exceed the specified rate are discarded.
After the device is enabled to check the rate of sending DHCPv6 messages to the
processing unit, the default maximum rate of sending DHCPv6 messages is set to
100 pps. To set the maximum rate, run the dhcp snooping check dhcpv6-rate
command.
Prerequisites
DHCP snooping has been enabled on the device using the dhcp snooping enable
command.
Precautions
If you run the dhcp snooping check dhcpv6-rate enable command in the system
view, the configuration takes effect for all the interfaces on the device. If you run
this command in the interface view, the configuration takes effect only for the
specified interface. If you run this command in the VLAN view, the configuration
takes effect for all the interfaces in this VLAN.
Example
# In the system view, enable the device to check the rate of DHCPv6 messages
sent to the processing unit.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping check dhcpv6-rate enable
Format
dhcp snooping check dhcpv6-request mac
undo dhcp snooping check dhcpv6-request mac
Parameters
None
Views
System view, VLAN view, GE interface view, XGE interface view, 25GE interface
view, MultiGE interface view, 40GE interface view, Eth-Trunk interface view, port
group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After binding entries are generated, the device searches the binding table using
the MAC address as the key. The device checks whether the DHCPv6 Request and
DHCPv6 Release messages match any binding entry. If they match, the device
forwards the messages; otherwise, the device discards the messages. This
prevents unauthorized users from sending bogus DHCPv6 messages to extend the
IP address lease or release IP addresses.
The rules for checking DHCPv6 Request and DHCPv6 Release messages based on
binding entries are as follows:
● When receiving a DHCPv6 Request message, the device searches the binding
table based on the user's MAC address. If no corresponding binding entry is
found or the binding entry found is a temporary one, the device forwards the
message. Otherwise, the device considers the message as the one used for
extending the IP address lease and checks whether the VLAN ID, IP address,
and interface number of the message match the corresponding binding entry.
If so, the device forwards the message. If not, the device discards the
message.
● When receiving a DHCPv6 Release message, the device checks whether the
VLAN ID, IP address, and interface number of the message match a dynamic
binding entry. If so, the device forwards the message; otherwise, the device
discards the message.
Prerequisites
DHCPv6 snooping has been enabled on the device using the dhcp snooping
enable command.
Follow-up Procedure
Precautions
If you run this command in the VLAN view, the command configuration takes
effect only for the DHCPv6 messages from the specified VLAN. If you run this
command in the interface view, the command configuration takes effect for all
DHCPv6 messages on the specified interface.
This command cannot be used together with dhcp snooping enable
no-user-binding; otherwise, online users may fail to go offline.
Example
# Enable the function of checking the validity of DHCPv6 messages based on MAC
addresses in VLAN 10.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] vlan 10
[HUAWEI-vlan10] dhcp snooping check dhcpv6-request mac
Function
The dhcp snooping check dhcp-chaddr enable command enables the device to
check whether the CHADDR field matches the source MAC address in the header
of a DHCP Request message.
The undo dhcp snooping check dhcp-chaddr enable command disables the
device from checking whether the CHADDR field matches the source MAC address
in the header of a DHCP Request message.
By default, the device does not check whether the CHADDR field is the same as
the source MAC address in the header of a DHCP Request message.
Format
In the system view:
Parameters
Parameter Description Value
Parameter: vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
Description: Enables the device to check whether the CHADDR field matches the
source MAC address in the header of a DHCP Request message.
● vlan-id1 specifies the first VLAN ID.
● to vlan-id2 specifies the last VLAN ID. vlan-id2 must be larger than vlan-id1.
Value: The value is an integer that ranges from 1 to 4094.
Views
System view, VLAN view, Ethernet interface view, GE interface view, XGE interface
view, 25GE interface view, MultiGE interface view, 40GE interface view, 100GE
interface view, Eth-Trunk interface view, port group view, BD view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
In normal situations, the CHADDR field in a DHCP Request message matches the
MAC address of the DHCP client that sends the message. The DHCP server
identifies the client MAC address based on the CHADDR field in the DHCP Request
message. If attackers continuously apply for IP addresses by changing the
CHADDR field in the DHCP Request message, addresses in the address pool on the
DHCP server may be exhausted. As a result, authorized users cannot obtain IP
addresses.
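The check described above compares two fields at different layers of the same frame: the Ethernet source address and the CHADDR field of the BOOTP header carried inside UDP. The following added example (written for this page, not Huawei code) builds a minimal DHCPREQUEST frame from constructed bytes and applies that comparison; the frame builder, the MAC addresses and the transaction ID are constructed sample values.

```python
import struct

# BOOTP fixed header: op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr,
# siaddr, giaddr, chaddr (16), sname (64), file (128). CHADDR starts at byte 28.
BOOTP_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def build_dhcp_request_frame(src_mac: bytes, chaddr: bytes) -> bytes:
    """Constructed Ethernet/IPv4/UDP/BOOTP DHCPREQUEST frame (not a real capture)."""
    bootp = struct.pack(BOOTP_HEADER, 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                        bytes(4), bytes(4), bytes(4), bytes(4),
                        chaddr.ljust(16, b"\x00"), bytes(64), bytes(128))
    bootp += MAGIC_COOKIE + b"\x35\x01\x03" + b"\xff"      # option 53 = DHCPREQUEST, end
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0)  # client port 68 -> server port 67
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(bootp),
                     0, 0, 64, 17, 0, bytes(4), b"\xff\xff\xff\xff")
    eth = b"\xff" * 6 + src_mac + b"\x08\x00"              # broadcast dst, IPv4 ethertype
    return eth + ip + udp + bootp


def chaddr_matches_source_mac(frame: bytes) -> bool:
    """The CHADDR check: True when CHADDR equals the frame's Ethernet source MAC."""
    src_mac = frame[6:12]
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4                           # IPv4 header length in bytes
    if frame[14 + 9] != 17:
        raise ValueError("not UDP")
    udp_off = 14 + ihl
    _sport, dport = struct.unpack("!HH", frame[udp_off:udp_off + 4])
    if dport != 67:
        raise ValueError("not a client-to-server DHCP message")
    bootp = frame[udp_off + 8:]
    op, htype, hlen = bootp[0], bootp[1], bootp[2]
    if op != 1 or htype != 1 or hlen != 6:
        raise ValueError("not an Ethernet BOOTREQUEST")
    chaddr = bootp[28:28 + hlen]
    return chaddr == src_mac


def demo() -> dict:
    """Constructed sample: one honest client and one frame whose CHADDR was altered."""
    honest = build_dhcp_request_frame(bytes.fromhex("001122334455"), bytes.fromhex("001122334455"))
    altered = build_dhcp_request_frame(bytes.fromhex("001122334455"), bytes.fromhex("0a0b0c0d0e0f"))
    return {"honest": chaddr_matches_source_mac(honest), "altered": chaddr_matches_source_mac(altered)}


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label}: {'forward' if ok else 'discard'}")
```

A switch applying this check forwards the first frame and discards the second, which is exactly how it protects the server's address pool from a single port that keeps presenting new CHADDR values.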
Prerequisites
DHCP snooping has been enabled on the device using the dhcp snooping enable
command.
Precautions
If you run the dhcp snooping check dhcp-chaddr enable command in the VLAN
view, the command takes effect on all the DHCP messages in the specified VLAN
received by all the interfaces on the device. If you run the dhcp snooping check
dhcp-chaddr enable command in the interface view, the command takes effect
for all the DHCP messages received on the interface.
Example
# Enable the device to check whether the CHADDR field in the DHCP message
matches the source MAC address on GE0/0/1.
<HUAWEI> system-view
[HUAWEI] dhcp enable
Function
The dhcp snooping check dhcp-request enable command enables the device to
check DHCP messages against the DHCP snooping binding table.
The undo dhcp snooping check dhcp-request enable command disables the
device from checking DHCP messages against the DHCP snooping binding table.
By default, the device does not check DHCP messages against the DHCP snooping
binding table.
Format
System view:
Parameters
Views
System view, VLAN view, Ethernet interface view, GE interface view, XGE interface
view, 25GE interface view, MultiGE interface view, 40GE interface view, 100GE
interface view, Eth-Trunk interface view, port group view, BD view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After a DHCP snooping binding table is generated, the device checks DHCPv4
Request, DHCPv6 Request, or DHCPv4 Release messages against the DHCP
snooping binding table. Only DHCP messages that match entries are forwarded,
and those that do not match entries are discarded. This prevents unauthorized
users from sending bogus DHCP packets to renew or release IP addresses.
The device checks DHCPv4 Request, DHCPv6 Request, or DHCPv4 Release
messages against the DHCP snooping binding table based on the following rules:
● For a DHCPv4 Request message:
a. Checks whether the destination MAC address is all Fs. If so, the device
considers the message a broadcast message requesting a lease renewal
or a broadcast message a user sends on the first login and directly
forwards the message. If not, the device considers the user to have sent
the DHCPv4 Request message to renew the IP address lease and checks
the message against the DHCP snooping binding table.
b. Checks whether the CHADDR field in the DHCPv4 Request message
matches a DHCP snooping binding entry. If not, the device considers the
user to have gone online for the first time and directly forwards the
message. If so, the device checks whether the VLAN ID, IP address, and
interface number of the message match any DHCP snooping binding
entry. If all these fields match a DHCP snooping binding entry, the device
forwards the message; otherwise, the device discards the message.
● When receiving a DHCPv4 Release message, the device checks whether the
VLAN ID, IP address, MAC address, and interface number of the message
match a dynamic DHCP snooping binding entry. If so, the device forwards the
message; otherwise, the device discards the message.
● When receiving a DHCPv6 Request message, the device searches the DHCP
snooping binding table based on the user's MAC address. If no corresponding
binding entry is found or the binding entry found is a temporary one, the
device forwards the message. Otherwise, the device considers the message as
the one used for requesting a lease renewal and checks whether the VLAN ID,
IP address, and interface number of the message match any binding entry. If
so, the device forwards the message. If not, the device discards the message.
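The rules above, and the DHCPv6 Request and Release rules given under dhcp snooping check dhcpv6-request mac earlier on this page, together define one decision procedure over the binding table. The following added example (written for this page; not Huawei's implementation) models that procedure in Python. The entry states "dynamic" and "temporary", the message fields, and all addresses and interface names are constructed for the example; a real table may hold further entry kinds the page does not describe.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class BindingEntry:
    """One DHCP snooping binding entry; the table is keyed by client MAC address."""
    mac: str
    ip: str
    vlan: int
    interface: str
    state: str = "dynamic"      # "dynamic" (lease assigned) or "temporary" (no lease yet)


@dataclass(frozen=True)
class DhcpMessage:
    """The fields of a received message that the checks inspect (constructed model)."""
    family: int                 # 4 = DHCPv4, 6 = DHCPv6
    kind: str                   # "request" or "release"
    dst_mac: str                # Ethernet destination address
    mac: str                    # CHADDR (DHCPv4) or client MAC (DHCPv6)
    ip: str
    vlan: int
    interface: str


class SnoopingBindingTable:
    def __init__(self, entries: Iterable[BindingEntry]) -> None:
        self._by_mac: Dict[str, BindingEntry] = {e.mac.lower(): e for e in entries}

    def lookup(self, mac: str) -> Optional[BindingEntry]:
        return self._by_mac.get(mac.lower())

    @staticmethod
    def _location_matches(entry: BindingEntry, msg: DhcpMessage) -> bool:
        # VLAN ID, IP address and interface number must all agree with the entry.
        return entry.vlan == msg.vlan and entry.ip == msg.ip and entry.interface == msg.interface

    def forward(self, msg: DhcpMessage) -> bool:
        """True if the message would be forwarded, False if it would be discarded."""
        entry = self.lookup(msg.mac)
        if msg.family == 4 and msg.kind == "request":
            # Rule a: a broadcast destination is a first login or a broadcast renewal: forward.
            if msg.dst_mac.lower() == BROADCAST_MAC:
                return True
            # Rule b: unicast renewal. A CHADDR with no entry is treated as a first login.
            if entry is None:
                return True
            return self._location_matches(entry, msg)
        if msg.family == 4 and msg.kind == "release":
            # VLAN ID, IP address, MAC address and interface must match a dynamic entry.
            return entry is not None and entry.state == "dynamic" and self._location_matches(entry, msg)
        if msg.family == 6 and msg.kind == "request":
            # No entry, or only a temporary one: forward. Otherwise it is a renewal: verify location.
            if entry is None or entry.state == "temporary":
                return True
            return self._location_matches(entry, msg)
        if msg.family == 6 and msg.kind == "release":
            # Same location check as DHCPv4 Release, against a dynamic entry.
            return entry is not None and entry.state == "dynamic" and self._location_matches(entry, msg)
        raise ValueError(f"unsupported message: DHCPv{msg.family} {msg.kind}")


def sample_table() -> SnoopingBindingTable:
    """Constructed sample entries (not from any real device)."""
    return SnoopingBindingTable([
        BindingEntry("00:11:22:33:44:55", "192.0.2.10", 10, "GE0/0/1"),
        BindingEntry("00:11:22:33:44:66", "2001:db8::10", 10, "GE0/0/2"),
        BindingEntry("00:11:22:33:44:77", "2001:db8::11", 10, "GE0/0/3", state="temporary"),
    ])


def demo() -> List[Tuple[str, bool]]:
    """Run a few constructed messages through the checks; returns (label, forwarded)."""
    t = sample_table()
    unicast = "00:00:5e:00:53:01"     # a non-broadcast destination (documentation MAC range)
    cases = [
        ("v4 request, broadcast, unknown client",
         DhcpMessage(4, "request", BROADCAST_MAC, "00:aa:bb:cc:dd:ee", "0.0.0.0", 10, "GE0/0/4")),
        ("v4 renewal from bound location",
         DhcpMessage(4, "request", unicast, "00:11:22:33:44:55", "192.0.2.10", 10, "GE0/0/1")),
        ("v4 renewal from a different interface",
         DhcpMessage(4, "request", unicast, "00:11:22:33:44:55", "192.0.2.10", 10, "GE0/0/5")),
        ("v4 release with wrong IP",
         DhcpMessage(4, "release", unicast, "00:11:22:33:44:55", "192.0.2.99", 10, "GE0/0/1")),
        ("v6 request with temporary entry",
         DhcpMessage(6, "request", unicast, "00:11:22:33:44:77", "2001:db8::11", 10, "GE0/0/3")),
        ("v6 release from wrong VLAN",
         DhcpMessage(6, "release", unicast, "00:11:22:33:44:66", "2001:db8::10", 20, "GE0/0/2")),
    ]
    return [(label, t.forward(m)) for label, m in cases]


if __name__ == "__main__":
    for label, ok in demo():
        print(f"{'forward' if ok else 'discard':8} {label}")
```

Two details worth noticing when reading the rules this way: a unicast DHCPv4 Request from a MAC address with no entry is forwarded (first login), so the check only constrains clients that already hold a lease; and a Release is never accepted against a temporary entry, which is what stops a bogus Release from taking down another user's lease.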
Prerequisites
DHCP snooping has been enabled on the device using the dhcp snooping enable
command.
Precautions
If you run the dhcp snooping enable command in the VLAN view, the command
takes effect for all the DHCP messages from the specified VLAN. If you run this
command in the interface view, the command takes effect for all the DHCP
messages received on the specified interface.
After defense against bogus DHCPv6 message attacks is configured using the
dhcp snooping check dhcpv6-request mac command, the device does not check
DHCPv6 messages against the DHCP snooping binding table when the dhcp
snooping check dhcp-request command is executed.
Example
# Enable the device to check DHCP messages against the DHCP snooping binding
table in VLAN 10.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] vlan 10
[HUAWEI-vlan10] dhcp snooping enable
[HUAWEI-vlan10] dhcp snooping check dhcp-request enable
Format
dhcp snooping check server-vlan enable
undo dhcp snooping check server-vlan enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
By default, the DHCP snooping-enabled device identifies devices by checking
DHCP reply messages only based on MAC addresses. If devices cannot be
identified based on MAC addresses, run the dhcp snooping check server-vlan
enable command to enable the DHCP snooping-enabled device to identify devices
by checking DHCP reply messages based on MAC addresses and VLAN IDs.
Prerequisites
DHCP snooping has been enabled on the device using the dhcp snooping enable
command.
DHCP server detection has been enabled using the dhcp server detect command.
Example
# Enable the DHCP snooping-enabled device to check VLAN information in DHCP
reply messages.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp server detect
[HUAWEI] dhcp snooping check server-vlan enable
Format
dhcp snooping disable
undo dhcp snooping disable
Parameters
None
Views
Ethernet interface view, GE interface view, XGE interface view, 25GE interface view,
MultiGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk
interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
If you run the dhcp snooping enable command to enable DHCP snooping in a
VLAN, DHCP snooping is enabled on all the interfaces in the VLAN. If you do not
run the dhcp snooping enable command to enable DHCP snooping on an
interface, you cannot run the undo dhcp snooping enable command to disable
DHCP snooping on the interface. To address this problem, run the dhcp snooping
disable command to disable DHCP snooping on the interface. Users can properly
go online from this interface, but no dynamic binding entry is generated.
Precautions
● The dhcp snooping disable command not only disables DHCP snooping on an
interface, but also clears the DHCP snooping configuration and the dynamic
binding table. The undo dhcp snooping enable command, however, only
disables DHCP snooping on the interface and does not clear the configuration
or the dynamic binding table.
● The undo dhcp snooping disable command enables DHCP snooping on an
interface. To enable DHCP snooping, run the dhcp snooping enable
command.
Example
# Disable DHCP snooping on GE0/0/1 in VLAN 10.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] vlan 10
[HUAWEI-vlan10] dhcp snooping enable
[HUAWEI-vlan10] quit
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping disable
Format
In the system view:
dhcp snooping enable [ ipv4 | ipv6 | vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> ]
undo dhcp snooping enable [ ipv4 | ipv6 | vlan { vlan-id1 [ to vlan-id2 ] }
&<1-10> ]
In the VLAN view, BD view, and interface view:
dhcp snooping enable
undo dhcp snooping enable
Parameters
Parameter Description Value
Views
System view, VLAN view, Ethernet interface view, GE interface view, XGE interface
view, 25GE interface view, MultiGE interface view, 40GE interface view, 100GE
interface view, Eth-Trunk interface view, port group view, BD view
NOTE
Only the S5731-H, S5731S-H, S5732-H, S5731-S, S5731S-S, S6730-H, S6730S-H, S6730-S,
and S6730S-S support the BD view.
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
DHCP snooping is a security function to protect DHCP. When you run the dhcp
snooping enable command to enable DHCP snooping on a device, the device can
process both DHCPv4 and DHCPv6 messages. In practice, however, if the DHCP
snooping device needs to process only DHCPv4 or DHCPv6 messages, you can run
the dhcp snooping enable ipv4 or dhcp snooping enable ipv6 command, which
improves CPU efficiency.
You must enable DHCP snooping in the system view before enabling DHCP
snooping on an interface, in a BD, or in a VLAN.
Prerequisites
DHCP has been enabled globally using the dhcp enable command.
Follow-up Procedure
After DHCP snooping is enabled on an interface connected to users, in a BD, or in
a VLAN, run the dhcp snooping trusted command to configure the interface
connected to the DHCP server as a trusted interface. Then a DHCP snooping
binding table can be generated.
Precautions
The dhcp snooping enable command in the system view is the prerequisite for
DHCP snooping-related functions. After the undo dhcp snooping enable
command is run, all DHCP snooping-related configurations of the device are
deleted. After DHCP snooping is enabled again using the dhcp snooping enable
Example
# Enable DHCP snooping globally and configure the device to process only IPv4
messages.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable ipv4
Format
System view:
Parameters
Parameter Description Value
Views
System view, VLAN view, Ethernet interface view, GE interface view, XGE interface
view, 25GE interface view, MultiGE interface view, 40GE interface view, 100GE
interface view, Eth-Trunk interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After DHCP snooping is enabled on a device, the device generates DHCP snooping
binding entries for users by default. If the number of binding entries on the device
reaches the upper limit, new users cannot go online. In certain scenarios, for
example, on a trusted DHCP network, if you do not want to limit the number of
online users but want to record user location information, run the dhcp snooping
enable no-user-binding command to disable the device from generating DHCP
snooping binding entries.
When the command is executed in an interface view, the command takes effect
for all DHCP users connected to the interface. When the command is executed in
the VLAN view, the command takes effect for all the DHCP users belonging to this
VLAN on all interfaces. When the command is executed in the system view, the
command takes effect in the same way as it is executed in the VLAN view, except
that multiple VLANs can be specified.
Prerequisites
DHCP snooping has been enabled using the dhcp snooping enable command.
Precautions
After this command is executed, the device deletes the binding entries from the
corresponding VLAN or interface.
If the DHCP snooping binding entry-dependent function such as IPSG or DAI is
configured on the device, the corresponding function does not take effect after
this command is run.
This command cannot be used together with dhcp snooping check dhcp-request
enable and dhcp snooping check dhcpv6-request mac. Otherwise, online users
may fail to go offline.
Example
# In the system view, disable the interfaces in VLAN 10 and VLAN 20 from
generating DHCP snooping binding entries.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping enable vlan 10 20
[HUAWEI] dhcp snooping enable no-user-binding vlan 10 20
# In the VLAN view, disable the interfaces in VLAN 10 from generating DHCP
snooping binding entries.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] vlan 10
[HUAWEI-vlan10] dhcp snooping enable
[HUAWEI-vlan10] dhcp snooping enable no-user-binding
# In the interface view, disable GE0/0/1 from generating DHCP snooping binding
entries.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping enable
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping enable no-user-binding
By default, the maximum number of DHCP snooping binding entries that can be
learned on an interface is 512 for S1720GF, S1720GW-E, S1720GFR-P, S1720GWR-E,
and S2720-EI, 2048 for S5720-LI, S1730S-H, S2730S-S, S5735-L1, S300, S5735-L,
S5735-L-I, S5735S-L1, S5735S-L, S5735S-L-M, S5720S-LI, S500, S5735-S, S5735S-S,
S5735-S-I, S5735S-H, S5736-S, and S5720I-SI, and 8192 for other models.
NOTE
The maximum number of DHCP snooping binding entries configured using this command is
the sum of DHCPv4 snooping and DHCPv6 snooping binding entries.
Format
In the system view:
dhcp snooping max-user-number max-user-number [ vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> ]
undo dhcp snooping max-user-number [ vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> ]
In the VLAN view and interface view:
dhcp snooping max-user-number max-user-number
undo dhcp snooping max-user-number
Parameters
Parameter Description Value
Views
System view, VLAN view, Ethernet interface view, GE interface view, XGE interface
view, 25GE interface view, MultiGE interface view, 40GE interface view, 100GE
interface view, Eth-Trunk interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When the command is executed in the system view, the value specified in this
command is the total number of DHCP snooping binding entries that can be
learned by all interfaces on the device. If you run the dhcp snooping
max-user-number command in the VLAN view, the command takes effect on all the
interfaces in the VLAN. If you run the dhcp snooping max-user-number command
in the system view, VLAN view, and interface view, the smallest value takes effect.
Prerequisites
DHCP snooping has been enabled on the device using the dhcp snooping enable
command.
Precautions
Example
# Set the maximum number of DHCP users to 100 on GE0/0/1.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping enable
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping max-user-number 100
Function
The dhcp snooping over-vpls enable command enables DHCP snooping on the
device on a Virtual Private LAN Service (VPLS) network.
The undo dhcp snooping over-vpls enable command disables DHCP snooping on
the device on a VPLS network.
NOTE
Only the S6730-H, S6730S-H, S5732-H, S5731S-H, and S5731-H support this command.
Format
dhcp snooping over-vpls enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The DHCP packets on a VPLS network are different from common DHCP packets.
Therefore, DHCP snooping cannot take effect for the device on the VPLS network
even if the function is enabled globally using the dhcp snooping enable
command in the system view. To make DHCP snooping take effect for the device
applied to the VPLS network, run the dhcp snooping over-vpls enable command
to enable the function.
To enable DHCP snooping for the device on the VPLS network, enable it on the
device close to the user side so that the DHCP packets from the user side to the
VPLS network can be controlled.
Prerequisites
DHCP has been enabled globally using the dhcp enable command in the system
view.
Precautions
After you run the dhcp snooping over-vpls enable command, the maximum
number of concurrent users is 50 in the default CPCAR configuration.
When the device is applied to a VPLS network, you only need to run the dhcp
snooping over-vpls enable command to enable DHCP snooping on the device;
the other DHCP snooping commands are used without change.
Example
# Enable DHCP snooping on the device on a VPLS network.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping over-vpls enable
Function
The dhcp snooping packet-flow log enable command enables the function of
recording logs when DHCP messages are exchanged.
The undo dhcp snooping packet-flow log enable command disables the
function of recording logs when DHCP messages are exchanged.
By default, the function of recording logs when DHCP messages are exchanged is
disabled.
Format
dhcp snooping packet-flow log enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After the function of recording logs when DHCP messages are exchanged is
enabled using the dhcp snooping packet-flow log enable command, the device
records a DHCP/6/SNP_RCV_MSG log each time it receives a DHCP message. This
log can be used in smart O&M and other scenarios; for example, a network
analyzer can use it to determine whether a user has obtained an IP address.
Prerequisites
DHCP snooping has been enabled on the device using the dhcp snooping enable
command.
Example
# Enable the function of recording logs when DHCP messages are exchanged.
<HUAWEI> system-view
[HUAWEI] dhcp snooping packet-flow log enable
Format
In the VLAN view:
dhcp snooping trusted interface interface-type interface-number
undo dhcp snooping trusted interface interface-type interface-number
In the interface view and BD view:
Parameters
Parameter Description Value
Views
VLAN view, Ethernet interface view, GE interface view, XGE interface view, 25GE
interface view, MultiGE interface view, 40GE interface view, 100GE interface view,
Eth-Trunk interface view, port group view, BD view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To enable DHCP clients to obtain IP addresses from authorized DHCP servers,
DHCP snooping supports the trusted interface and untrusted interfaces. The
trusted interface forwards DHCP messages while untrusted interfaces discard
received DHCP ACK messages and DHCP Offer messages.
An interface directly or indirectly connected to the DHCP server trusted by the
administrator needs to be configured as the trusted interface, and other interfaces
are configured as untrusted interfaces. This ensures that DHCP clients obtain IP
addresses from authorized DHCP servers.
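The trusted/untrusted decision rests on one field: DHCP option 53, the message type, which tells the switch whether a message is a server reply. The following added example (written for this page, not Huawei code) parses the option TLVs of a DHCPv4 message and applies the rule stated above, discarding Offer and ACK messages that arrive on an untrusted interface and forwarding everything on a trusted one. The option byte strings are constructed samples, and the rule covers only the two message types the page names.

```python
from typing import Dict, Tuple

DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, DHCPNAK = 1, 2, 3, 5, 6
NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE", 5: "ACK",
         6: "NAK", 7: "RELEASE", 8: "INFORM"}
# The server reply types the page says an untrusted interface discards.
SERVER_REPLIES_DROPPED_ON_UNTRUSTED = {DHCPOFFER, DHCPACK}


def dhcp_message_type(options: bytes) -> int:
    """Walk the option TLVs that follow the magic cookie and return option 53's value."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == 0:                       # pad: a single byte with no length field
            i += 1
            continue
        if code == 255:                     # end of options
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        if code == 53:
            if length != 1:
                raise ValueError("option 53 must be exactly one byte")
            return value[0]
        i += 2 + length
    raise ValueError("option 53 (DHCP message type) missing")


def decide(options: bytes, interface_trusted: bool) -> Tuple[str, str]:
    """Return (message type name, 'forward' or 'discard') for a message on an interface."""
    mtype = dhcp_message_type(options)
    name = NAMES.get(mtype, f"type-{mtype}")
    if not interface_trusted and mtype in SERVER_REPLIES_DROPPED_ON_UNTRUSTED:
        return name, "discard"
    return name, "forward"


# Constructed option blobs (the bytes after the magic cookie), not captured traffic.
OFFER_OPTIONS = bytes.fromhex("350102" "3604c0000201" "ff")        # OFFER, server id 192.0.2.1, end
ACK_OPTIONS = bytes.fromhex("00" "350105" "330400015180" "ff")     # pad, ACK, lease 86400 s, end
DISCOVER_OPTIONS = bytes.fromhex("350101" "3703010306" "ff")       # DISCOVER, parameter list, end


def demo() -> Dict[str, str]:
    """Each sample message on an untrusted and on a trusted interface."""
    results: Dict[str, str] = {}
    for label, opts in (("offer", OFFER_OPTIONS), ("ack", ACK_OPTIONS), ("discover", DISCOVER_OPTIONS)):
        for trusted in (False, True):
            _, action = decide(opts, trusted)
            results[f"{label}@{'trusted' if trusted else 'untrusted'}"] = action
    return results


if __name__ == "__main__":
    for key, action in demo().items():
        print(f"{key}: {action}")
```

Client-originated messages (Discover, Request) pass on both kinds of interface; only server replies are gated, which is why the interface towards the authorized server must be the trusted one.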
Prerequisites
In the system view, run the dhcp snooping enable command to enable DHCP
snooping.
Precautions
If an interface has been configured as a DHCP trusted interface using the dhcp
snooping trusted command, the device will not consider DHCP packets received
by this interface as attack packets or perform attack defense operations on the
DHCP packets received by this interface.
If you run the dhcp snooping trusted command in the VLAN view, the command
takes effect for all the DHCP messages received from the specified VLAN. If you
run the dhcp snooping trusted command in the interface view, the command
takes effect for all the DHCP messages received on the specified interface.
You are advised not to configure more than 15 trusted ports in a VLAN.
Example
# Configure GE0/0/1 in VLAN 100 as the trusted interface.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] vlan 100
[HUAWEI-vlan100] dhcp snooping trusted interface gigabitethernet 0/0/1
Format
dhcp snooping user-alarm percentage percent-lower-value percent-upper-value
undo dhcp snooping user-alarm percentage
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After you run the dhcp snooping max-user-number command to set the
maximum number of DHCP snooping binding entries on an interface, you can run
the dhcp snooping user-alarm percentage command to set the alarm thresholds
for the percentage of DHCP snooping binding entries.
When the percentage of learned DHCP snooping binding entries against the
maximum number of DHCP snooping entries allowed by the device reaches or
exceeds the upper alarm threshold, the device generates an alarm. When the
percentage of learned DHCP snooping binding entries against the maximum
number of DHCP snooping entries allowed by the device reaches or falls below the
lower alarm threshold later, the device generates a clear alarm.
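The two thresholds form a hysteresis loop: the alarm is raised once at the upper threshold and cleared once at the lower, with no repeated alarms while the count sits between them. The following added example (written for this page, not Huawei code) models that loop with the values from the example below, a maximum of 100 entries and thresholds of 30 and 80 percent. The model and the constraint that the lower threshold be below the upper are assumptions; the page does not give the parameters' value ranges.

```python
from typing import List, Optional


class BindingEntryAlarm:
    """Percentage-threshold alarm with hysteresis (assumed model of user-alarm percentage)."""

    def __init__(self, max_user_number: int, lower_percent: int, upper_percent: int) -> None:
        if max_user_number <= 0:
            raise ValueError("max_user_number must be positive")
        if not 0 <= lower_percent < upper_percent <= 100:   # assumption: lower < upper
            raise ValueError("thresholds must satisfy 0 <= lower < upper <= 100")
        self.max_user_number = max_user_number
        self.lower = lower_percent
        self.upper = upper_percent
        self.raised = False

    def update(self, learned_entries: int) -> Optional[str]:
        """Report 'alarm', 'clear' or None for the new count of learned binding entries."""
        percent = learned_entries * 100 / self.max_user_number
        if not self.raised and percent >= self.upper:       # reaches or exceeds the upper threshold
            self.raised = True
            return "alarm"
        if self.raised and percent <= self.lower:           # reaches or falls below the lower threshold
            self.raised = False
            return "clear"
        return None


def run(max_user_number: int, lower: int, upper: int, samples: List[int]) -> List[Optional[str]]:
    """Feed a sequence of entry counts through one alarm and collect the events."""
    alarm = BindingEntryAlarm(max_user_number, lower, upper)
    return [alarm.update(n) for n in samples]


if __name__ == "__main__":
    # Constructed sample: the table fills up, drains slowly, then fills again.
    for n, event in zip([79, 80, 50, 31, 30, 85], run(100, 30, 80, [79, 80, 50, 31, 30, 85])):
        print(f"{n:3d} entries -> {event or '-'}")
```

Without the gap between the thresholds, a table hovering around one value would raise and clear the alarm on every change; the lower threshold is what keeps the alarm quiet until the table has really drained.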
Example
# Set the lower alarm threshold for the DHCP user count percentage to 30 and
the upper alarm threshold to 80.
<HUAWEI> system-view
[HUAWEI] dhcp snooping user-alarm percentage 30 80
Function
The dhcp snooping user-bind autosave command enables local automatic
backup of the DHCP snooping binding table.
The undo dhcp snooping user-bind autosave command disables local automatic
backup of the DHCP snooping binding table.
By default, local automatic backup of the DHCP snooping binding table is
disabled.
Format
dhcp snooping user-bind autosave file-name [ write-delay delay-time ]
undo dhcp snooping user-bind autosave
Parameters
Parameter Description Value
Parameter: file-name
Description: Specifies the path for storing the file that backs up the binding
table and the file name. The file path and name supported by the device must
both be entered.
Value: The value is a string of 1 to 51 case-insensitive characters without spaces.
Parameter: write-delay delay-time
Description: Specifies the interval for local automatic backup of the DHCP
snooping binding table. If this parameter is not specified, the backup interval
is the default value.
Value: The value is an integer that ranges from 60 to 4294967295, in seconds. By
default, the interval for local automatic backup of the DHCP snooping binding
table is 86400 seconds.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The dhcp snooping user-bind autosave command can retain the configured
DHCP snooping binding entries after the device restarts. After a DHCP snooping
binding table is generated, you can run the dhcp snooping user-bind autosave
command to enable local automatic backup of the DHCP snooping binding table.
Prerequisites
DHCP snooping has been enabled on the device using the dhcp snooping enable
command.
Precautions
Automatic backup prevents data loss in the DHCP snooping binding table. The
file name suffix must be .tbl.
If the system restarts within one day after the system time is changed,
immediately run the dhcp snooping user-bind autosave command again to back
up the latest dynamic binding entries, because the scheduled backup has not yet
updated the backup file. If you do not run this command, the lease time will be
inconsistent with the current system time after the dynamic binding table is
restored.
If a device where the DHCP snooping binding table is backed up is powered off
and then restarted after the lease of DHCP snooping binding table expires, the
DHCP snooping entries cannot be restored.
After this function is enabled, if the interface goes down, the DHCP snooping
binding table on the interface will be deleted from the backup binding table file.
Example
# Configure the device to back up the DHCP snooping binding table to the file
backup.tbl in the flash every 5000 seconds.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping user-bind autosave flash:/backup.tbl write-delay 5000
Function
The dhcp snooping user-bind ftp command enables the device to automatically
back up DHCP snooping binding entries on the remote FTP server.
The undo dhcp snooping user-bind ftp command disables the device from
automatically backing up DHCP snooping binding entries on the remote FTP
server.
Format
dhcp snooping user-bind ftp remotefilename filename host-ip ip-address [ port port-number ] username username password password [ write-delay delay-time ]
undo dhcp snooping user-bind ftp
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To prevent the DHCP snooping binding entries generated on the device from
being lost when the device restarts, run the dhcp snooping user-bind ftp
command to enable the device to automatically back up DHCP snooping binding
entries on the remote FTP server.
Prerequisites
DHCP snooping has been enabled using the dhcp snooping enable command.
Precautions
FTP is not a secure protocol and poses a risk to device security. Using SFTP,
configured with the dhcp snooping user-bind sftp command, is recommended.
Example
# Enable the device to automatically back up DHCP snooping binding entries to
the backup file on the FTP server at 10.137.12.10 with the FTP user name test
and password test@123.
<HUAWEI> system-view
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping user-bind ftp remotefilename backup host-ip 10.137.12.10 username test password test@123
Format
dhcp snooping user-bind ftp load remotefilename filename host-ip ip-address
[ port port-number ] username username password password
Parameters
Parameter Description Value
Parameter: port port-number
Description: Specifies the port number of the FTP server.
Value: The value is an integer that ranges from 1 to 65535. By default, the port
number is 21.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After running the dhcp snooping user-bind ftp command to enable the device to
automatically back up DHCP snooping binding entries on the remote FTP server,
you can run the dhcp snooping user-bind ftp load command to configure the
device to obtain and restore backup DHCP snooping binding entries on the remote
FTP server.
Prerequisites
DHCP snooping has been enabled using the dhcp snooping enable command.
Precautions
FTP is not a secure protocol and poses a risk to device security. Using SFTP,
configured with the dhcp snooping user-bind sftp load command, is recommended.
Example
# Configure the device to obtain and restore backup DHCP snooping binding
entries from the backup file on the remote FTP server at 10.137.12.10 with the
FTP user name test and password test@123.
<HUAWEI> system-view
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping user-bind ftp load remotefilename backup host-ip 10.137.12.10 username test password test@123
Warning: FTP is not a secure protocol, and it is recommended to use SFTP.
Info: Downloading the file from the remote FTP server. Please wait...done.
Total number of dynamic binding table in remote file: 30
Recovering dynamic binding table, please wait for a moment....
10 successful, 20 failed.
Binding Collisions : 20 Exceeds max limits : 0
Invalid interfaces : 0 Invalid vlans : 0
Invalid snp configurations : 0 Expired leases : 0
Parse failures : 0
Table 14-62 Description of the dhcp snooping user-bind ftp load command
output
Item Description
Function
The dhcp snooping user-bind http https command enables the device to
automatically back up DHCP snooping binding entries on the remote HTTP or
HTTPS server.
The undo dhcp snooping user-bind http https command disables the device
from automatically backing up DHCP snooping binding entries on the remote
HTTP or HTTPS server.
Format
dhcp snooping user-bind http { remotefilename filename host-ip ip-address
[ port port-number ] | url url-string } [ username username password password ]
[ write-delay delay-time ]
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To prevent the DHCP snooping binding entries generated on the device from
being lost when the device restarts, run the dhcp snooping user-bind http https
command to enable the device to automatically back up DHCP snooping binding
entries on the remote HTTP or HTTPS server.
Prerequisites
DHCP snooping has been enabled using the dhcp snooping enable command.
Precautions
HTTP is not a secure protocol and poses a risk to device security. HTTPS is
recommended for file operations.
Example
# Configure the device to automatically back up DHCP snooping binding entries to
the backup file on the HTTP server at 10.1.1.1 with the HTTP user name test and
password test@123.
<HUAWEI> system-view
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping user-bind http remotefilename backup host-ip 10.1.1.1 username test password test@123
# Configure the device to back up DHCP snooping binding entries to the HTTPS
server at 10.1.1.1 and specify the SSL policy name as s1, backup file name as
backup, HTTPS user name as test, and HTTPS password as test@123.
<HUAWEI> system-view
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping user-bind https ssl-policy s1 remotefilename backup host-ip 10.1.1.1
username test password test@123
Format
dhcp snooping user-bind http load { remotefilename filename host-ip ip-address [ port port-number ] | url url-string } [ username username password password ]
dhcp snooping user-bind https ssl-policy ssl-policy-name load { remotefilename filename host-ip ip-address [ port port-number ] | url url-string } [ username username password password ]
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After running the dhcp snooping user-bind http https command to enable the
device to automatically back up DHCP snooping binding entries on the remote
HTTP or HTTPS server, you can run the dhcp snooping user-bind http https load
command to configure the device to obtain and restore backup DHCP snooping
binding entries on the remote HTTP or HTTPS server.
Prerequisites
DHCP snooping has been enabled using the dhcp snooping enable command.
Precautions
Using HTTP poses a security risk to the device because the transfer is unencrypted.
HTTPS is recommended for file operations.
Example
# Configure the device to obtain and restore backup DHCP snooping binding
entries from the backup file on the remote HTTP server at 10.1.1.1 with the HTTP
user name test and password test@123.
<HUAWEI> system-view
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping user-bind http load remotefilename backup host-ip 10.1.1.1 username test
password test@123
Info: Downloading the file from the remote HTTP server. Please wait...done.
Total number of dynamic binding table in remote file: 10
Recovering dynamic binding table, please wait for a moment....
10 successful, 0 failed.
Binding Collisions : 0 Exceeds max limit : 0
Invalid interfaces : 0 Invalid vlan : 0
Snooping not enable : 0 Lease expired : 0
Parse failures : 0
# Configure the device to obtain and restore backup DHCP snooping binding
entries from the backup file on the remote HTTPS server at 10.1.1.1 and specify
the SSL policy name as s1, HTTPS user name as test, and HTTPS password as
test@123.
<HUAWEI> system-view
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping user-bind https ssl-policy s1 load remotefilename backup host-ip 10.1.1.1
username test password test@123
Info: Downloading the file from the remote HTTPS server. Please wait...done.
Total number of dynamic binding table in remote file: 10
Recovering dynamic binding table, please wait for a moment....
10 successful, 0 failed.
Binding Collisions : 0 Exceeds max limit : 0
Invalid interfaces : 0 Invalid vlan : 0
Snooping not enable : 0 Lease expired : 0
Parse failures : 0
Table 14-63 Description of the dhcp snooping user-bind http https load command output
Item Description
Format
dhcp snooping user-bind sftp remotefilename filename host-ip ip-address
[ port port-number ] username username password password [ write-delay
delay-time ]
undo dhcp snooping user-bind sftp
Parameters
Parameter Description Value
write-delay delay-time: Specifies the interval for automatically backing up DHCP snooping binding entries. If this parameter is not used, the default interval is used. Value: an integer that ranges from 300 to 4294967295, in seconds. By default, the system backs up DHCP snooping binding entries every two days.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When the device restarts, to prevent loss of generated DHCP snooping binding
entries on the device, run the dhcp snooping user-bind sftp command to enable
the device to automatically back up DHCP snooping binding entries on the remote
SFTP server.
Prerequisites
DHCP snooping has been enabled using the dhcp snooping enable command.
Precautions
The suffix of the file must be .tbl.
Example
# Enable the device to automatically back up DHCP snooping binding entries to
the backup file on the SFTP server at 10.137.12.10 with the SFTP user name test
and password test@123.
<HUAWEI> system-view
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping user-bind sftp remotefilename backup host-ip 10.137.12.10 username test
password test@123
Function
The dhcp snooping user-bind sftp load command configures the device to obtain
and restore backup DHCP snooping binding entries on the remote SFTP server.
Format
dhcp snooping user-bind sftp load remotefilename filename host-ip ip-address
[ port port-number ] username username password password
Parameters
Parameter Description Value
port port-number: Specifies the port number of the SFTP server. Value: an integer that ranges from 1 to 65535. By default, the port number is 22.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After running the dhcp snooping user-bind sftp command to enable the device
to automatically back up DHCP snooping binding entries on the remote SFTP
server, you can run the dhcp snooping user-bind sftp load command to
configure the device to obtain and restore backup DHCP snooping binding entries
on the remote SFTP server.
Prerequisites
DHCP snooping has been enabled using the dhcp snooping enable command.
Example
# Configure the device to obtain and restore backup DHCP snooping binding
entries from the backup file on the remote SFTP server at 10.137.12.10 with the
SFTP user name test and password test@123.
<HUAWEI> system-view
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping user-bind sftp load remotefilename backup host-ip 10.137.12.10 username
test password test@123
Info: Downloading the file from the remote SFTP server. Please wait...done.
Total number of dynamic binding table in remote file: 30
Recovering dynamic binding table, please wait for a moment....
10 successful, 20 failed.
Binding Collisions : 20 Exceeds max limits : 0
Invalid interfaces : 0 Invalid vlans : 0
Invalid snp configurations : 0 Expired leases : 0
Parse failures : 0
Table 14-64 Description of the dhcp snooping user-bind sftp load command output
Item Description
Format
dhcp snooping user-bind tftp remotefilename filename host-ip ip-address
[ write-delay delay-time ]
undo dhcp snooping user-bind tftp
Parameters
Parameter Description Value
remotefilename filename: Specifies the name of the file where DHCP snooping binding entries will be backed up on the remote TFTP server. Value: a string of 1 to 64 case-sensitive characters without spaces. The string cannot contain the following characters: ~ * \ | : " ? < >.
write-delay delay-time: Specifies the interval for automatically backing up DHCP snooping binding entries. If this parameter is not used, the default interval is used. Value: an integer that ranges from 300 to 4294967295, in seconds. By default, the interval for local automatic backup of the DHCP snooping binding table is 86400 seconds.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When the device restarts, to prevent loss of generated DHCP snooping binding
entries on the device, run the dhcp snooping user-bind tftp command to enable
the device to automatically back up DHCP snooping binding entries on the remote
TFTP server.
Prerequisites
DHCP snooping has been enabled using the dhcp snooping enable command.
Precautions
Using TFTP poses a security risk to the device because the transfer is neither
authenticated nor encrypted. SFTP, configured using the dhcp snooping user-bind
sftp command, is recommended.
Example
# Enable the device to automatically back up DHCP snooping binding entries to
the backup file on the TFTP server at 10.137.12.10 at intervals of 5000s.
<HUAWEI> system-view
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping user-bind tftp remotefilename backup host-ip 10.137.12.10 write-delay 5000
Format
dhcp snooping user-bind tftp load remotefilename filename host-ip ip-address
Parameters
Parameter Description Value
remotefilename filename: Specifies the name of the file from which the device obtains DHCP snooping binding entries. Value: a string of 1 to 64 characters without spaces. The string cannot contain the following characters: ~ * \ | : " ? < >.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After running the dhcp snooping user-bind tftp command to enable the device
to automatically back up DHCP snooping binding entries on the remote TFTP
server, you can run the dhcp snooping user-bind tftp load command to configure
the device to obtain and restore backup DHCP snooping binding entries on the
remote TFTP server.
Prerequisites
DHCP snooping has been enabled using the dhcp snooping enable command.
Precautions
Using TFTP poses a security risk to the device because the transfer is neither
authenticated nor encrypted. SFTP, configured using the dhcp snooping user-bind
sftp load command, is recommended.
Example
# Configure the device to obtain and restore backup DHCP snooping binding
entries from the backup file on the remote TFTP server at 10.137.12.10.
<HUAWEI> system-view
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping user-bind tftp load remotefilename backup host-ip 10.137.12.10
Info: Transfer file in binary mode.
Downloading the file from the remote TFTP server. Please wait...
100%
TFTP: Downloading the file successfully.
656 byte(s) received in 1 second(s).
Total number of dynamic binding table in remote file: 20
Recovering dynamic binding table, please wait for a moment....
10 successful, 10 failed.
Binding Collisions : 10 Exceeds max limit : 0
Invalid interfaces : 0 Invalid vlan : 0
Invalid snp configurations : 0 Expired leases : 0
Parse failures : 0
Table 14-65 Description of the dhcp snooping user-bind tftp load command output
Item Description
Function
The dhcp snooping user-offline remove mac-address command enables the
device to delete the MAC address entry of a user whose DHCP snooping binding
entry is deleted.
The undo dhcp snooping user-offline remove mac-address command disables
the device from deleting the MAC address entry of a user whose binding entry is
deleted.
By default, the device does not delete the MAC address entry of a user whose
DHCP snooping binding entry is deleted.
Format
dhcp snooping user-offline remove mac-address
undo dhcp snooping user-offline remove mac-address
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
If a user goes offline but its MAC address entry is not aged, the device forwards
the packet whose destination address is the IP address of the user based on the
dynamic MAC address entry. After the dhcp snooping user-offline remove mac-address command is executed, the user MAC address entry is deleted when the
DHCP snooping binding entry is deleted. With the function of discarding unknown
unicast packets on the network-side interface, the device discards packets destined
to offline users.
Prerequisites
DHCP snooping has been enabled on the device using the dhcp snooping enable
command.
Example
# Enable the device to delete the MAC address entry of a user whose DHCP
snooping binding entry is deleted.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping user-offline remove mac-address
Format
dhcp snooping user-bind upload format ascii
undo dhcp snooping user-bind upload format ascii
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
By default, DHCP snooping binding entries are backed up only in binary format
when the automatic backup of DHCP snooping binding entries on the remote
server is enabled. Huawei switches can restore DHCP snooping binding entries in
binary format. However, customers cannot read backup DHCP snooping binding
entries in binary format. To resolve this problem, run the dhcp snooping user-bind upload format ascii command to configure the device to back up DHCP
snooping binding entries in ASCII and binary formats. Customers then can read
DHCP snooping binding entries in ASCII format and store the entries to the local
database.
Prerequisites
Backup of DHCP snooping binding entries must be enabled for the remote FTP,
HTTP, HTTPS, SFTP, and TFTP servers. Otherwise, the configuration of the dhcp
snooping user-bind upload format ascii command does not take effect.
Example
# Enable the device to back up DHCP snooping binding entries to the file named
backup on the FTP server at 10.137.12.10 with the FTP user name test and
password test@123. DHCP snooping binding entries can be backed up in both
ASCII and binary formats.
<HUAWEI> system-view
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping user-bind ftp remotefilename backup host-ip 10.137.12.10 username test
password test@123
[HUAWEI] dhcp snooping user-bind upload format ascii
Function
The dhcp snooping user-transfer enable command enables location transition
for DHCP snooping users.
Format
dhcp snooping user-transfer enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When a mobile user goes online through interface A, goes offline, and then goes
online through interface B, the user sends a DHCP Discover message to apply an
IP address. By default, if DHCP snooping is enabled on the device, the device
allows the user to go online and updates the DHCP snooping binding entries.
However, this may bring security risks. For example, if an attacker impersonates an
authorized user and sends a DHCP Discover message, the authorized user cannot
access the network after the DHCP snooping binding table is updated. To prevent
such attacks, you can disable the DHCP snooping location transition function.
After this function is disabled, the device discards the DHCP Discover messages
sent by a user who has an entry in the DHCP snooping binding table (user's MAC
address exists in the DHCP snooping binding table) through another interface.
Prerequisites
DHCP snooping has been enabled on the device using the dhcp snooping enable
command.
Example
# Disable location transition for DHCP snooping users.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] undo dhcp snooping user-transfer enable
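As an added example (not the switch's own code), the following Python models two behaviours described above: how a restore from a backup file classifies each entry into the counters printed by the dhcp snooping user-bind load commands, and the Discover check that disabling location transition enables. The backup file layout, the interface and VLAN checks, the order of the checks and the timestamps are constructed assumptions based on the counter names in the output.

```python
"""Model of a DHCP snooping binding table: restore with per-reason counters,
plus the location-transition (user-transfer) check on DHCP Discover."""
from dataclasses import dataclass

# Counter names as printed by the http/https load output on the page.
FAIL_REASONS = ("Binding Collisions", "Exceeds max limit", "Invalid interfaces",
                "Invalid vlan", "Snooping not enable", "Lease expired", "Parse failures")


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str
    lease_end: int          # lease expiry as epoch seconds (constructed format)


class BindingTable:
    def __init__(self, interfaces, snooping_ifaces, vlans, max_entries, user_transfer=True):
        self.interfaces = set(interfaces)            # interfaces that exist on the device
        self.snooping_ifaces = set(snooping_ifaces)  # those with DHCP snooping enabled
        self.vlans = set(vlans)
        self.max_entries = max_entries
        self.user_transfer = user_transfer           # location transition allowed?
        self.entries = {}                            # MAC address -> Binding

    def _reject_reason(self, b, now):
        """Why a restored entry is refused, or None. The meaning of each counter
        and the check order are assumptions derived from the counter names."""
        if b.interface not in self.interfaces:
            return "Invalid interfaces"
        if b.vlan not in self.vlans:
            return "Invalid vlan"
        if b.interface not in self.snooping_ifaces:
            return "Snooping not enable"
        if b.lease_end <= now:
            return "Lease expired"
        if b.mac in self.entries or any(e.ip == b.ip and e.vlan == b.vlan
                                        for e in self.entries.values()):
            return "Binding Collisions"
        if len(self.entries) >= self.max_entries:
            return "Exceeds max limit"
        return None

    def restore(self, backup_text, now):
        """Parse 'mac ip vlan interface lease-end' lines and load the valid ones."""
        stats = {"successful": 0, "failed": 0, **{r: 0 for r in FAIL_REASONS}}
        for line in backup_text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            try:
                mac, ip, vlan, iface, lease_end = line.split()
                b = Binding(mac.lower(), ip, int(vlan), iface, int(lease_end))
            except ValueError:
                reason = "Parse failures"
            else:
                reason = self._reject_reason(b, now)
            if reason is None:
                self.entries[b.mac] = b
                stats["successful"] += 1
            else:
                stats[reason] += 1
                stats["failed"] += 1
        return stats

    def on_discover(self, mac, interface):
        """Page rule: with location transition disabled, a DHCP Discover from a
        MAC already bound on a different interface is discarded."""
        bound = self.entries.get(mac.lower())
        if bound and bound.interface != interface and not self.user_transfer:
            return "discard"
        return "forward"


# Constructed backup file (not a real device file): '#' lines are comments.
BACKUP_FILE = """\
# mac ip vlan interface lease-end
00e0-fc00-0001 10.1.1.11 10 GE0/0/1 2000000000
00e0-fc00-0002 10.1.1.12 10 GE0/0/2 2000000000
00e0-fc00-0001 10.1.1.13 10 GE0/0/3 2000000000
00e0-fc00-0004 10.1.1.14 10 GE0/0/9 2000000000
00e0-fc00-0005 10.1.1.15 99 GE0/0/1 2000000000
00e0-fc00-0006 10.1.1.16 10 GE0/0/1 1000000000
00e0-fc00-0007 10.1.1.17 10 GE0/0/4 2000000000
this line is not a binding entry
00e0-fc00-0008 10.1.1.18 10 GE0/0/2 2000000000
"""
NOW = 1_500_000_000   # constructed "current time" for the lease check


def build_table(user_transfer=False):
    """Restore the constructed file into a small table; returns (table, stats)."""
    table = BindingTable(interfaces=["GE0/0/1", "GE0/0/2", "GE0/0/3", "GE0/0/4"],
                         snooping_ifaces=["GE0/0/1", "GE0/0/2", "GE0/0/3"],
                         vlans=[10], max_entries=2, user_transfer=user_transfer)
    return table, table.restore(BACKUP_FILE, NOW)
```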
Format
dhcpv6 interface-id format { default | user-defined text }
undo dhcpv6 interface-id format
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The Interface-ID records user access information such as the inbound interfaces of
the DHCPv6 packets sent from the clients to the device. The device functions as a
DHCPv6 relay or lightweight DHCPv6 relay agent (LDRA). When receiving the
request packets sent from the DHCPv6 clients and forwarding the packets to the
DHCPv6 server, the device can insert the Interface-ID to the packets to identify the
DHCPv6 client location information. The location information can be used by the
DHCPv6 server to assign IPv6 addresses and network parameters. You can run the
dhcpv6 interface-id format command to configure the format of the Interface-ID
inserted into DHCPv6 packets.
Keyword Description
Prerequisites
DHCP has been enabled globally using the dhcp enable command.
Precautions
● The user-defined format content must be specified between the double
quotation marks (""). For example, to configure the user-defined format
content as mac, run the dhcpv6 interface-id format user-defined "%mac"
command.
● Separators that cannot be digits must be added between the keywords in the
user-defined format. Otherwise, the keywords cannot be parsed.
● The symbol % must be prefixed to the keywords in the user-defined format to
differentiate them from common character strings. If a digit exists before the
symbol % and keyword, the digit refers to the number of characters in the
keyword.
● The self-defined content is encapsulated in ASCII format. In addition to the
preceding precautions, note the following rules:
– The symbol \ is an escape character. The symbols %, \, and [] following
the escape character indicate themselves. For example, \\ represents the
character \.
– An ASCII character string can contain Arabic numerals, uppercase letters,
lowercase letters, and the following symbols: ! @ # $ % ^ & * ( ) _ + | - =
\ [ ] { } ; : ' " / . , < > `.
– By default, the length of each keyword in an ASCII character string is the
actual length of the keyword.
Example
# Configure a user-defined format as the format of the Interface-ID in DHCPv6
packets and the device MAC address as the encapsulated content.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcpv6 interface-id format user-defined "%mac"
Format
dhcpv6 option18 [ vlan vlan-id ] [ ce-vlan ce-vlan-id ] format user-defined text
Parameters
Parameter Description Value
Views
System view, VLAN view, Ethernet interface view, GE interface view, XGE interface
view, 25GE interface view, MultiGE interface view, 40GE interface view, 100GE
interface view, Eth-Trunk interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After the dhcpv6 option18 { insert | rebuild } enable command is executed to
enable the device to insert the Option 18 field to a DHCPv6 message, you can run
the dhcpv6 option18 format command to configure the format of the Option 18
field in a DHCPv6 message.
You can use the following keywords to define the Option 18 field. The format
string can use the hexadecimal notation, ASCII format, or combination of the two
formats.
● duid: indicates the ID of the client. This keyword is valid only in the string
format.
● sysname: indicates the ID of the access point. This keyword is valid only in
ASCII format.
● portname: indicates the name of a port, for example, GE0/0/1. This keyword is
valid only in ASCII format.
● porttype: indicates the type of a port. This keyword is a character string or in
hexadecimal notation. For example, if the value is Ethernet in ASCII format, it
is 15 in hexadecimal notation.
● iftype: indicates the type of a port, including eth and trunk. This keyword is
valid only in ASCII format.
● mac: indicates the MAC address of a port. In ASCII format, the value is in the
format of H-H-H; in hexadecimal notation, the value is a number of six bytes.
● slot: indicates the slot ID. This keyword is valid in ASCII format or in
hexadecimal notation.
● subslot: indicates the subslot ID. This keyword is valid in ASCII format or in
hexadecimal notation.
● port: indicates the port number. This keyword is valid in ASCII format or in
hexadecimal notation.
● svlan: indicates the outer VLAN ID. The value ranges from 1 to 4094. If this
field is not required, this field is 0. This keyword is valid in ASCII format or in
hexadecimal notation.
● cvlan: specifies the inner VLAN ID. The value ranges from 1 to 4094. If this
field is not required, this field is 0. This keyword is valid in ASCII format or in
hexadecimal notation.
● length: indicates the total length of the keywords following the keyword
length.
● n: indicates the value of the keyword svlan or cvlan if the SVLAN or CVLAN
does not exist. The keyword n is on the left of the keyword svlan or cvlan. If
the corresponding VLAN does not exist, the default value of the keyword
svlan or cvlan is 4096 in ASCII format and is all Fs in hexadecimal notation. If
the n keyword is added to the left of the keyword svlan or cvlan, the keyword
svlan or cvlan is 0. This keyword is valid in ASCII format or in hexadecimal
notation.
NOTE
Delimiters must be added between keywords; otherwise, the device cannot parse the
keywords. The delimiters cannot be numbers.
a pair of quotation marks to contain the string. For example, the slot ID
is 3, and the port number is 4. If the string is in the %slot %port format,
the value of the encapsulated string is a hexadecimal number 00030004.
If the string is in the "%slot %port" format, the value of the encapsulated
string is 3 4.
– A format string can contain both hexadecimal strings and ASCII strings,
for example, %slot %port "%sysname %portname:%svlan.%cvlan."
Example
# Configure the format of the Option 18 field in a DHCPv6 message in VLAN 10.
<HUAWEI> system-view
[HUAWEI] dhcp snooping enable
[HUAWEI] vlan 10
[HUAWEI-vlan10] dhcpv6 option18 format user-defined "%length %svlan %5slot %3subslot %8port"
Format
dhcpv6 option37 [ vlan vlan-id ] [ ce-vlan ce-vlan-id ] format user-defined text
undo dhcpv6 option37 { [ vlan vlan-id ] [ ce-vlan ce-vlan-id ] format | format all }
Parameters
Parameter Description Value
Views
System view, VLAN view, Ethernet interface view, GE interface view, XGE interface
view, 25GE interface view, MultiGE interface view, 40GE interface view, 100GE
interface view, Eth-Trunk interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
After the dhcpv6 option37 { insert | rebuild } enable command is executed to
enable the device to insert the Option 37 field to a DHCPv6 message, you can run
the dhcpv6 option37 format command to configure the format of the Option 37
field in a DHCPv6 message.
You can use the following keywords to define the Option 37 field. The format
string can use the hexadecimal notation, ASCII format, or combination of the two
formats.
● duid: indicates the ID of the client. This keyword is valid only in the string
format.
● sysname: indicates the ID of the access point. This keyword is valid only in
ASCII format.
● portname: indicates the name of a port, for example, GE0/0/1. This keyword is
valid only in ASCII format.
● porttype: indicates the type of a port. This keyword is a character string or in
hexadecimal notation. For example, if the value is Ethernet in ASCII format, it
is 15 in hexadecimal notation.
● iftype: indicates the type of a port, including eth and trunk. This keyword is
valid only in ASCII format.
● mac: indicates the MAC address of a port. In ASCII format, the value is in the
format of H-H-H; in hexadecimal notation, the value is a number of six bytes.
● slot: indicates the slot ID. This keyword is valid in ASCII format or in
hexadecimal notation.
● subslot: indicates the subslot ID. This keyword is valid in ASCII format or in
hexadecimal notation.
● port: indicates the port number. This keyword is valid in ASCII format or in
hexadecimal notation.
● svlan: indicates the outer VLAN ID. The value ranges from 1 to 4094. If this
field is not required, this field is 0. This keyword is valid in ASCII format or in
hexadecimal notation.
● cvlan: specifies the inner VLAN ID. The value ranges from 1 to 4094. If this
field is not required, this field is 0. This keyword is valid in ASCII format or in
hexadecimal notation.
● length: indicates the total length of the keywords following the keyword
length.
● n: indicates the value of the keyword svlan or cvlan if the SVLAN or CVLAN
does not exist. The keyword n is on the left of the keyword svlan or cvlan. If
the corresponding VLAN does not exist, the default value of the keyword
svlan or cvlan is 4096 in ASCII format and is all Fs in hexadecimal notation. If
the n keyword is added to the left of the keyword svlan or cvlan, the keyword
svlan or cvlan is 0. This keyword is valid in ASCII format or in hexadecimal
notation.
NOTE
Delimiters must be added between keywords; otherwise, the device cannot parse the
keywords. The delimiters cannot be numbers.
Example
# Configure the format of the Option 37 field in a DHCPv6 message in VLAN 10.
<HUAWEI> system-view
[HUAWEI] dhcp snooping enable
[HUAWEI] vlan 10
[HUAWEI-vlan10] dhcpv6 option37 format user-defined "%length %svlan %5slot %3subslot %8port"
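The keyword rules for the Option 18 and Option 37 format strings above (and the %-keyword, separator and escape rules given for dhcpv6 interface-id format) as an added Python encoder; this is not Huawei code. Quoted text encodes as ASCII and unquoted keywords as hexadecimal, following the page's %slot %port example; the byte width of each keyword, the meaning of a digit prefix and the size of %length are assumptions marked in the code, and the port values are constructed.

```python
"""Encoder for a user-defined DHCPv6 Option 18/37 format string."""
import re

# Hex byte widths are assumptions taken from the page: "%slot %port" with
# slot 3 and port 4 encodes as 00030004 (2 bytes each); mac is six bytes.
HEX_WIDTH = {"slot": 2, "subslot": 2, "port": 2, "svlan": 2, "cvlan": 2, "mac": 6}
ASCII_ONLY = {"duid", "sysname", "portname", "iftype"}
VLANS = ("svlan", "cvlan")
KEYWORD = re.compile(r"%(\d*)([a-z]+)")
ASCII_TOKEN = re.compile(r"\\(.)|%(\d*)([a-z]+)|(.)", re.S)
SEGMENT = re.compile(r'"((?:\\.|[^"\\])*)"|([^"]+)', re.S)


class FormatError(ValueError):
    """A format string the device could not parse."""


def _split_segments(fmt):
    """(is_ascii, text) pairs: text between double quotation marks is ASCII
    (a backslash escapes the next character); everything else is hexadecimal."""
    segs = [(m.group(2) is None, m.group(1) if m.group(2) is None else m.group(2))
            for m in SEGMENT.finditer(fmt)]
    if sum(len(t) + (2 if a else 0) for a, t in segs) != len(fmt):
        raise FormatError("unterminated quotation mark")
    return segs


def _vlan(ctx, key, n_seen):
    """Absent svlan/cvlan (None in ctx) becomes 0 only when %n precedes it."""
    val = ctx.get(key)
    return (0 if n_seen else None) if val is None else val


def _encode_hex(text, ctx):
    out, n_seen, length_at, prev_end = bytearray(), False, None, None
    for m in KEYWORD.finditer(text):
        # Page rule: keywords need a delimiter between them, and it cannot be a number.
        if prev_end is not None and text[prev_end:m.start()].strip("0123456789") == "":
            raise FormatError(f"missing delimiter before %{m.group(2)}")
        prev_end, (width, key) = m.end(), m.groups()
        if key == "n":
            n_seen = True
            continue
        if key == "length":
            length_at = len(out)          # filled in once the rest is encoded
            continue
        if key not in HEX_WIDTH:
            raise FormatError(f"%{key} is not valid in hexadecimal notation")
        size = int(width) if width else HEX_WIDTH[key]   # digit = byte count (assumption)
        if key in VLANS:
            val = _vlan(ctx, key, n_seen)
            out += b"\xff" * size if val is None else val.to_bytes(size, "big")  # page: all Fs
        elif key == "mac":
            out += bytes.fromhex(ctx["mac"].replace("-", ""))
        else:
            out += ctx[key].to_bytes(size, "big")
        n_seen = False
    if length_at is not None:             # assumption: 2-byte length of the bytes after it
        out[length_at:length_at] = (len(out) - length_at).to_bytes(2, "big")
    return bytes(out)


def _encode_ascii(text, ctx):
    out, n_seen, need_delim = [], False, False
    for esc, width, key, lit in (m.groups() for m in ASCII_TOKEN.finditer(text)):
        if key is None:                   # literal or escaped character
            ch = lit if esc is None else esc
            if ch == "%" and esc is None:
                raise FormatError("a bare % must introduce a keyword")
            out.append(ch)
            need_delim = need_delim and ch.isdigit()   # non-digits act as delimiters
            continue
        if need_delim:
            raise FormatError(f"missing delimiter before %{key}")
        need_delim = True
        if key == "n":
            n_seen = True
            continue
        if key in VLANS:
            val = _vlan(ctx, key, n_seen)
            val = "4096" if val is None else str(val)   # page: absent VLAN is 4096 in ASCII
        elif key in ASCII_ONLY or key in HEX_WIDTH:
            val = str(ctx[key])
        else:
            raise FormatError(f"%{key} is not valid in ASCII format")
        if width:                         # digit = number of characters (assumption: zero-pad)
            val = val.rjust(int(width), "0")[: int(width)]
        out.append(val)
        n_seen = False
    return "".join(out)


def encode_option(fmt, ctx):
    """Encode one Option 18/37 value for the port described by ctx."""
    out = b""
    for is_ascii, text in _split_segments(fmt):
        out += _encode_ascii(text, ctx).encode("ascii") if is_ascii else _encode_hex(text, ctx)
    return out


# Constructed sample port context (not taken from the page); None = VLAN tag absent.
PORT_CTX = {"sysname": "SW-access-1", "portname": "GE0/0/1", "iftype": "eth",
            "duid": "000100011c39cf88", "slot": 3, "subslot": 0, "port": 4,
            "mac": "00e0-fc12-3456", "svlan": None, "cvlan": None}
```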
Function
The dhcpv6 { option18 | option37 } enable command enables the device to
insert the Option 18 or Option 37 field to a DHCPv6 message.
The undo dhcpv6 { option18 | option37 } enable command disables the device
from inserting the Option 18 or Option 37 field to a DHCPv6 message.
By default, the device does not insert the Option 18 or Option 37 field to a
DHCPv6 message.
Format
dhcpv6 { option18 | option37 } { insert | rebuild } enable
Parameters
Parameter Description Value
Views
VLAN view, Ethernet interface view, GE interface view, XGE interface view, 25GE
interface view, MultiGE interface view, 40GE interface view, 100GE interface view,
Eth-Trunk interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The function of the Option 18 and Option 37 field is similar to the function of the
Option 82 field (see the dhcp option82 enable command). The Option 18 field
contains the port number of a client and the Option 37 field contains the MAC
address of the client. A device inserts the Option 18 or Option 37 field to a
DHCPv6 Request message to notify the DHCP server of the DHCPv6 client
location. The DHCP server can properly assign an IP address and other
configurations to the DHCPv6 client, ensuring DHCP client security.
Prerequisites
DHCP snooping has been enabled on the device using the dhcp snooping enable
command.
Precautions
If you run the dhcpv6 { option18 | option37 } enable command in the VLAN
view, the command takes effect for all the DHCPv6 messages received from the
specified VLAN. If you run the dhcpv6 { option18 | option37 } enable command
in the interface view, the command takes effect for all the DHCPv6 messages
received on the specified interface.
Example
# Insert the Option 37 field to DHCPv6 Request messages sent by GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping enable
[HUAWEI-GigabitEthernet0/0/1] dhcpv6 option37 insert enable
Function
The dhcpv6 remote-id format command sets the format of the Remote-ID in
DHCPv6 messages.
The undo dhcpv6 remote-id format command restores the default format of the
Remote-ID in DHCPv6 messages.
Format
dhcpv6 remote-id format { default | user-defined text }
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The Remote-ID records user access information such as the DUID of the DHCPv6
packets sent from the clients to the device. The device functions as a DHCPv6
relay or lightweight DHCPv6 relay agent (LDRA). When receiving the request
packets sent from the DHCPv6 clients and forwarding the packets to the DHCPv6
server, the device can insert the Remote-ID to the packets to identify the DHCPv6
client location information. The location information can be used by the DHCPv6
server to assign IPv6 addresses and network parameters. You can run the dhcpv6
remote-id format command to configure the format of the Remote-ID inserted
into DHCPv6 packets.
Keyword Description
Prerequisites
The DHCP function has been enabled using the dhcp enable command in the
system view.
Follow-up Procedure
When the device functions as a DHCPv6 relay, you must run the dhcpv6 remote-id insert enable or dhcpv6 remote-id rebuild enable command to enable the
function of inserting the Remote-ID into DHCPv6 relay packets after running the
dhcpv6 remote-id format command to configure the Remote-ID format in
DHCPv6 packets.
NOTE
When the device functions as an LDRA, the Remote-ID is inserted into DHCPv6 relay packets by
default and the function does not need to be enabled.
Precautions
● The user-defined format content must be specified between the double
quotation marks (""). For example, to configure the user-defined format
content as mac, run the dhcpv6 interface-id format user-defined "%mac"
command.
● Separators that cannot be digits must be added between the keywords in the
user-defined format. Otherwise, the keywords cannot be parsed.
● The symbol % must be prefixed to the keywords in the user-defined format to
differentiate them from common character strings. If a digit exists before the
symbol % and keyword, the digit refers to the number of characters in the
keyword.
● The self-defined content is encapsulated in ASCII format. In addition to the
preceding precautions, note the following rules:
Example
# Set the customized format for the remote ID carried in DHCPv6 messages and
encapsulate the MAC address of the device into the remote ID.
<HUAWEI> system-view
[HUAWEI] dhcpv6 remote-id format user-defined "%mac"
Format
In the system view:
dhcpv6 snooping check relay-forward enable vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
undo dhcpv6 snooping check relay-forward enable vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
In the VLAN view or interface view:
dhcpv6 snooping check relay-forward enable
undo dhcpv6 snooping check relay-forward enable
Parameters
Parameter Description Value
Views
System view, VLAN view, Ethernet interface view, GE interface view, XGE interface
view, 25GE interface view, MultiGE interface view, 40GE interface view, 100GE
interface view, Eth-Trunk interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Prerequisites
DHCPv6 snooping has been enabled on the device using the dhcp snooping
enable command.
Precautions
If you run the dhcp snooping enable command in the VLAN view, the command
configuration takes effect only for the DHCP messages from the specified VLAN. If
you run this command in the interface view, the command configuration takes
effect for all DHCP messages on the specified interface.
Example
# Enable the function of discarding DHCPv6 Relay-Forward messages in VLAN 10.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] vlan 10
[HUAWEI-vlan10] dhcpv6 snooping check relay-forward enable
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping enable
[HUAWEI-GigabitEthernet0/0/1] dhcpv6 snooping check relay-forward enable
Format
dhcpv6 snooping relay-information enable [ trust ]
undo dhcpv6 snooping relay-information enable [ trust ]
Parameters
Parameter Description Value
Views
VLAN view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
In some scenarios, for example, interfaces in the same VLAN have different
network access rights and QoS requirements, the DHCPv6 server must be able to
detect user access locations, and assign corresponding access control and QoS
policies. The DHCPv6 relay agent is usually configured on the gateway. The relay
agent can record user access locations; however, if access devices are located
between the relay agent and users, the relay agent cannot detect the access
locations of users.
LDRA can meet the requirements of these scenarios. LDRA is configured on the
user-side access device. The LDRA-enabled device can forward user access
Example
# Enable LDRA for DHCPv6 snooping in VLAN10.
<HUAWEI> system-view
[HUAWEI] vlan 10
[HUAWEI-vlan10] dhcpv6 snooping relay-information enable
Format
dhcpv6 snooping user-bind detect confirm-client enable
undo dhcpv6 snooping user-bind detect confirm-client enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After a binding entry is generated for a client using the DHCPv6 Confirm packet,
this client is a confirm-client. When the client goes online again, it sends a
DHCPv6 Confirm packet.
When a user-side interface receives the DHCPv6 Confirm packet, a DHCPv6
snooping binding entry is generated for the client. Because the DHCPv6 Confirm
packet does not contain lease information, the binding entry of the client cannot
be deleted immediately when the client goes offline. This occupies binding table
space and new users may fail to go online.
After the confirm-client probing function is enabled, DHCPv6 snooping periodically
sends DAD NS packets to detect whether the confirm-client is online. The DHCPv6
snooping entries are promptly deleted when the confirm-clients go offline.
Prerequisites
The dhcp snooping enable ipv6 command has been executed to enable DHCPv6
snooping.
Example
# Enable confirm-client probing of DHCPv6 snooping.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable ipv6
[HUAWEI] dhcpv6 snooping user-bind detect confirm-client enable
Format
dhcpv6 snooping user-bind detect retransmit times interval interval
Parameters
Parameter Description Value
times: Specifies the number of times a DAD NS packet is sent. Value: an integer that ranges from 1 to 10.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After DHCPv6 snooping has been enabled to detect whether a confirm-client is online using the dhcpv6 snooping user-bind detect confirm-client enable command, the DHCPv6 snooping-enabled device periodically sends DAD NS packets to detect whether the confirm-client is online and deletes the DHCPv6 snooping entry of a confirm-client that has gone offline. You can change the number of times and the interval at which the device sends DAD NS packets as required.
Prerequisites
The dhcp snooping enable ipv6 command has been executed to enable DHCPv6
snooping.
Example
# Set the number of times and interval at which the DAD NS packets are sent to 2
and 60 seconds, respectively.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable ipv6
[HUAWEI] dhcpv6 snooping user-bind detect retransmit 2 interval 60
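The confirm-client probing described here and under dhcpv6 snooping user-bind detect confirm-client enable, as an added Python simulation (not Huawei code): binding entries learned from Confirm messages carry no lease, so they can only be aged out by DAD NS probes sent `times` times at `interval` seconds, while a Reply-learned entry ages out by its lease. The addresses, MACs, clock and the `online` set standing in for NA replies are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Binding:
    """One DHCPv6 snooping binding entry (constructed model)."""
    ipv6: str
    mac: str
    vlan: int
    interface: str
    lease_expiry: Optional[int]      # None for a confirm-client: Confirm carries no lease
    probes_unanswered: int = 0       # consecutive DAD NS probes with no NA reply
    next_probe_at: int = 0           # simulated clock value of the next probe


@dataclass
class Dhcpv6SnoopingTable:
    # dhcpv6 snooping user-bind detect retransmit <times> interval <interval>
    times: int = 3
    interval: int = 180
    entries: Dict[str, Binding] = field(default_factory=dict)
    deleted: Dict[str, str] = field(default_factory=dict)   # ipv6 -> deletion reason
    dad_ns_sent: int = 0

    def learn_reply(self, ipv6, mac, vlan, iface, now, lifetime):
        """Entry learned from a Reply: the lease tells us when to age it out."""
        self.entries[ipv6] = Binding(ipv6, mac, vlan, iface, now + lifetime)

    def learn_confirm(self, ipv6, mac, vlan, iface, now):
        """Entry learned from a Confirm: no lease, so only probing can remove it."""
        self.entries[ipv6] = Binding(ipv6, mac, vlan, iface, None,
                                     next_probe_at=now + self.interval)

    def tick(self, now, online: Set[str]):
        """Advance the simulated clock to `now`. `online` holds the addresses of
        hosts that would answer a DAD NS for their address with an NA."""
        for ipv6, b in list(self.entries.items()):
            if b.lease_expiry is not None:
                if now >= b.lease_expiry:
                    self._delete(ipv6, "Exceed lifetime")
                continue
            if now < b.next_probe_at:
                continue
            self.dad_ns_sent += 1                # probe: DAD NS for the bound address
            if ipv6 in online:
                b.probes_unanswered = 0          # NA received: client is still there
            else:
                b.probes_unanswered += 1
                if b.probes_unanswered >= self.times:
                    self._delete(ipv6, "Confirm-client offline")
                    continue
            b.next_probe_at = now + self.interval

    def _delete(self, ipv6, reason):
        del self.entries[ipv6]
        self.deleted[ipv6] = reason


def run_scenario(times=2, interval=60):
    """Constructed scenario: one Reply-learned client and two confirm-clients,
    one of which leaves silently. Uses the retransmit values from the example above."""
    t = Dhcpv6SnoopingTable(times=times, interval=interval)
    t.learn_reply("FC00:1::10", "00e0-fc12-0001", 10, "GE0/0/1", now=0, lifetime=100)
    t.learn_confirm("FC00:1::20", "00e0-fc12-0002", 10, "GE0/0/2", now=0)
    t.learn_confirm("FC00:1::30", "00e0-fc12-0003", 10, "GE0/0/3", now=0)
    online = {"FC00:1::10", "FC00:1::20"}      # FC00:1::30 has gone offline
    for now in range(0, 301, 10):             # five minutes in 10 s steps
        t.tick(now, online)
    return t


if __name__ == "__main__":
    table = run_scenario()
    print("remaining:", sorted(table.entries))
    print("deleted:", table.deleted)
    print("DAD NS sent:", table.dad_ns_sent)
```

With times 2 and interval 60 the silent confirm-client is removed after the second unanswered probe at t=120, while the Reply-learned entry is removed by lease expiry at t=100.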
Format
dhcpv6 snooping user-bind mac-conflict detect enable
undo dhcpv6 snooping user-bind mac-conflict detect enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After binding entries are generated, you can run the dhcp snooping check dhcpv6-request mac command to enable checking of DHCPv6 message validity based on MAC addresses. The device then looks up the binding table using the MAC address as the key and checks whether DHCPv6 Request and DHCPv6 Release messages match a binding entry. If they match, the device forwards the messages; otherwise, it discards them. This prevents unauthorized users from sending bogus DHCPv6 messages to extend IP address leases or release IP addresses.
When the device determines that a DHCPv6 message is invalid, it discards the message. In this case, you can enable the function of detecting whether DHCPv6 users are online. DHCPv6 snooping then sends DAD NS packets three times at an interval of 3 seconds to detect whether a DHCPv6 user is online. If no response is received from the DHCPv6 user within the timeout period, the device considers the user offline and deletes the DHCPv6 snooping entry of that user.
Prerequisites
1. The dhcp snooping enable ipv6 command has been run to enable DHCPv6
snooping globally.
2. The dhcp snooping check dhcpv6-request mac command has been run to
enable the function of checking the validity of DHCPv6 messages based on
MAC addresses.
Example
# Enable DHCPv6 snooping for detecting whether a user is online.
<HUAWEI> system-view
[HUAWEI] dhcp enable
Function
The display dhcp option82 configuration command displays the DHCP Option
82 configuration.
Format
display dhcp option82 configuration [ vlan vlan-id | interface interface-type
interface-number ]
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The Option 82 field records the location of a DHCP client. A device inserts the Option 82 field into a DHCP Request message to notify the DHCP server of the DHCP client's location. The DHCP server can then properly assign an IP address and other configuration to the DHCP client, ensuring DHCP client security.
After the Option 82 field is inserted into a DHCP message, run the display dhcp option82 configuration command to display the DHCP Option 82 configuration.
Example
# Display all the DHCP Option82 configurations.
<HUAWEI> display dhcp option82 configuration
#
dhcp option82 vendor-specific format vendor-sub-option 1 ascii 22
#
interface GigabitEthernet0/0/1
dhcp option82 subscriber-id format ascii 222
dhcp option82 insert enable
dhcp option82 encapsulation circuit-id
dhcp option82 append vendor-specific
dhcp option82 circuit-id format common
#
Item Description
dhcp option82 vendor-specific format vendor-sub-option i ascii text1: The Sub9 of the old format is inserted into the Option 82 field of DHCP messages. To specify the parameter, run the dhcp option82 vendor-specific format command.
dhcp option82 subscriber-id format ascii text2: The Sub6 suboption is inserted into the Option 82 field of DHCP messages. To specify the parameter, run the dhcp option82 subscriber-id format command.
dhcp option82 append vendor-specific: The Sub9 of the new format is inserted into the Option 82 field of DHCP messages. To specify the parameter, run the dhcp option82 append vendor-specific command.
Format
display dhcp snooping [ interface interface-type interface-number | vlan vlan-id
| bridge-domain bd-id ]
NOTE
Only the S6730-H, S6730S-H, S6730-S, S6730S-S, S5732-H, S5731-S, S5731S-S, S5731S-H,
S5731-H, S6720-EI, S6735-S and S6720S-EI support the bridge-domain parameter.
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The display dhcp snooping command displays DHCP snooping running
information. If no interface or VLAN is specified, global DHCP snooping running
information is displayed. If an interface or a VLAN ID is specified, DHCP snooping
running information of the interface or VLAN is displayed.
Example
# Display global DHCP snooping running information.
<HUAWEI> display dhcp snooping
DHCP snooping global running information :
DHCPv4 snooping : Enable
DHCPv6 snooping : Enable
Static user max number : 1024
Current static user number :1
Dhcp user(dhcpv4/dhcpv6/nd) max number : 4096
Dhcp user(dhcpv4/dhcpv6) max number : 3000
Nd user max number : 1000
Current dhcpv4 user number :0
Current dhcpv6 user number :0
Current nd user number :0
Arp dhcp-snooping detect : Disable (default)
Alarm threshold : 100 (default)
Check dhcp-rate : Disable (default)
Dhcp-rate limit(pps) : 100 (default)
Alarm dhcp-rate : Disable (default)
Alarm dhcp-rate threshold : 100 (default)
Discarded dhcp packets for rate limit :0
Bind-table autosave : Disable (default)
Client position transfer allowed : Enable (default)
DHCPv6 confirm-client online detection : Enable (default)
DHCPv6 client online detection times :3 (default)
DHCPv6 client online detection interval : 180 (default)
Check dhcpv6-rate : Disable (default)
Dhcpv6-rate limit(pps) : 100 (default)
Alarm dhcpv6-rate : Enable
Alarm dhcpv6-rate threshold : 10
Discarded dhcpv6 packets for rate limit : 0
DHCP snooping packet-flow log : Disable (default)
Item Description
Discarded dhcp packets for rate limit: Number of discarded DHCP messages whose rate exceeds the rate limit.
DHCPv6 client online detection times: Number of times that the DAD NS messages are sent for DHCPv6 snooping to detect whether the user is online. To configure this number, run the dhcpv6 snooping user-bind detect retransmit command.
Function
The display dhcp snooping configuration command displays the DHCP snooping
configuration.
Format
display dhcp snooping configuration [ vlan vlan-id | interface interface-type
interface-number | bridge-domain bd-id ]
NOTE
Only the S6730-H, S6730S-H, S6730-S, S6730S-S, S5732-H, S5731-S, S5731S-S, S5731S-H,
S5731-H, S6720-EI, S6735-S and S6720S-EI support the bridge-domain parameter.
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After DHCP snooping configuration is complete, run the display dhcp snooping
configuration command to view the DHCP snooping configuration. If no VLAN or
interface is specified, all the DHCP snooping configurations are displayed. If a
VLAN or an interface is specified, only the DHCP snooping configuration in the
VLAN or on the interface is displayed.
Example
# Display all the DHCP snooping configurations.
<HUAWEI> display dhcp snooping configuration
#
dhcp snooping enable
#
vlan 3
dhcp snooping enable
dhcp snooping check dhcp-giaddr enable
#
interface GigabitEthernet0/0/1
dhcp snooping enable
#
Function
The display dhcp snooping statistics command displays statistics about received
DHCP messages.
Format
display dhcp snooping statistics { global | interface interface-type interface-
number [ vlan vlan-id ] | vlan vlan-id [ interface interface-type interface-
number ] }
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
To view statistics about the received DHCP messages of all types, run the display
dhcp snooping statistics command.
Example
# Display DHCP snooping statistics on a specified interface.
<HUAWEI> display dhcp snooping statistics interface gigabitethernet 0/0/1
DHCP Snooping Statistics:
Dropped by mac-address check: 0
Dropped by untrust reply: 0
Dropped by request check: 0
Dropped by requestv6 check: 0
Dropped by no trust port: 0
Client Request:
Dhcp Discover: 0
Dhcp Request: 0
Dhcp Decline: 0
Dhcp Release: 0
Dhcp Inform: 0
Server Reply:
Dhcp Offer: 0
Dhcp Ack: 0
Dhcp Nak: 0
Drop Packet:
Function
The display dhcp snooping user-bind command displays information about the
DHCP snooping dynamic binding table.
Format
display dhcp snooping user-bind { { interface interface-type interface-number |
ip-address ip-address | mac-address mac-address | vlan vlan-id | bridge-domain
bd-id } * | all } [ verbose ]
NOTE
Only the S6730-H, S6730S-H, S6730-S, S6730S-S, S5732-H, S5731-S, S5731S-S, S5731S-H,
S5731-H, S6720-EI, S6735-S and S6720S-EI support the bridge-domain parameter.
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After DHCP snooping is enabled, the device generates a DHCP snooping binding table. A binding entry contains the MAC address, the IP address, the interface connecting to the DHCP client, and the ID of the VLAN to which the interface belongs. You can run the display dhcp snooping user-bind command to view the DHCP snooping binding table.
Example
# Display information about the DHCP snooping binding table.
● Display information about all binding entries.
<HUAWEI> display dhcp snooping user-bind all
DHCP Dynamic Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
IP Address MAC Address VSI/VLAN(O/I/P)/(BD-VLAN) Interface Lease
-----------------------------------------------------------------------------------------
10.1.28.141 00e0-fc12-3456 10 GE0/0/1 2008.10.17-07:31
-----------------------------------------------------------------------------------------
Print count: 1 Total count: 1
Item Description
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping: O indicates the outer VLAN ID; I indicates the inner VLAN ID; P indicates the mapped VLAN ID.
VLAN (O/I/P): Outer VLAN ID, inner VLAN ID, or mapped VLAN ID of the online user. NOTE: If verbose is not specified, only one of VSI, (BD-VLAN), and VLAN (O/I/P) is displayed.
IPSG Status: IPv4 effective indicates that IPv4 packet check takes effect. slot: <3> indicates that the slot ID is 3.
Discover time: Time when the access device receives a DHCP request message.
Ack time: Time when the access device receives a DHCP ACK message.
Format
display dhcpv6 snooping statistics
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Example
# Display DHCPv6 snooping statistics.
<HUAWEI> display dhcpv6 snooping statistics
DHCPV6 Snooping Statistics:
--------------------------------------------------------------------------------
DHCPV6 packets received from clients:
Solicit :3
Request :3
Renew : 36
Rebind :0
Inform :0
Release :2
Confirm : 394213
Decline :0
Relay-forward :0
DHCPV6 packets received from servers:
Advertise :3
Reply : 43
Relay-reply :0
DHCPV6 Packets Dropped:
LDRA distrust relay-forward : 0
Src mac conflict with server : 0
Not allow client transfer :0
Fake server :0
Reach savi user max number :0
Reach dhcp user max number :0
untrust relay-forw :0
relay-forward check :0
Check dhcpv6-request mac :0
DHCPV6 snooping user-bind table deleted:
Receive release packet :2
Receive decline packet :0
Exceed lifetime :0
User command :0
Client transfer :0
Interface down :1
Confirm-reply with error code : 0
Confirm-client offline :2
Check mac client offline :0
DAD NS packets sent to clients : 16
NA packets received from clients : 0
--------------------------------------------------------------------------------
Item Description
Src mac conflict with server: When the source MAC address of a DHCPv6 packet from a client conflicts with the DHCPv6 server's MAC address, the DHCPv6 packet is discarded. The field indicates the number of DHCPv6 packets discarded for this reason.
Not allow client transfer: After clients are not allowed to change access interfaces, if a DHCPv6 snooping binding entry of a client exists on the original interface and the client attempts to change the access interface, the DHCPv6 packets from this client are discarded. The field indicates the number of DHCPv6 packets discarded for this reason. To configure this item, run the undo dhcp snooping user-transfer enable command.
Reach savi user max number: Number of packets from clients discarded because the maximum number of SAVI binding entries that can be learned by the interface is reached.
Reach dhcp user max number: Number of packets from clients discarded because the maximum number of DHCP snooping binding entries that can be learned by the interface is reached.
Function
The display dhcpv6 snooping user-bind command displays the DHCPv6 snooping
binding table.
Format
display dhcpv6 snooping user-bind { { interface interface-type interface-number
| ipv6-address { ipv6-address | all } | mac-address mac-address | vlan vlan-id } * |
confirm-client | all } [ verbose ]
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After DHCPv6 snooping is enabled, the device generates a DHCPv6 snooping binding table by listening to DHCPv6 Request and Reply messages. A binding entry contains the MAC address, the IPv6 address, the number of the interface connected to the DHCPv6 client, and the VLAN ID. You can run the display dhcpv6 snooping user-bind command to view the DHCPv6 snooping binding table.
If prefix delegation (PD) users exist on the network, the device generates an IPv6
prefix binding entry. The display dhcpv6 snooping user-bind ipv6-prefix
command displays IPv6 prefix binding entries.
Example
# Display the DHCPv6 binding table.
● Display all the dynamic binding entries.
<HUAWEI> display dhcpv6 snooping user-bind all
DHCPV6 Dynamic Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
IP Address MAC Address VSI/VLAN(O/I/P)/(BD-VLAN) Lease
--------------------------------------------------------------------------------
FC00:1::1 00e0-fc12-3456 500 /-- /-- 2008.10.01-00:26
--------------------------------------------------------------------------------
print count: 1 total count: 1
● Display detailed information about the IPv6 prefix binding table by specifying
the verbose parameter.
<HUAWEI> display dhcpv6 snooping user-bind ipv6-prefix all verbose
PD Dynamic Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
--------------------------------------------------------------------------------
IP Address : FC00:2::/36
MAC Address : 00e0-fc12-3456
VSI : --
VLAN(O/I/P) : 500 /-- /--
Interface : GE0/0/1
Lease : 2008.10.03-00:30
User State : BOUND
--------------------------------------------------------------------------------
print count: 1 total count: 1
Format
reset dhcp snooping statistics { global | interface interface-type interface-
number [ vlan vlan-id ] | vlan vlan-id [ interface interface-type interface-
number ] }
Parameters
Parameter Description Value
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If statistics are collected after DHCP snooping is enabled, you can run the reset
dhcp snooping statistics command to clear the statistics.
Precautions
If both interface and vlan are specified, the specified interface must have been
added to the specified VLAN. The reset dhcp snooping statistics command is
used to clear DHCP snooping statistics in the VLAN to which the specified
interface is added.
Example
# Clear DHCP snooping statistics on GE0/0/1.
<HUAWEI> reset dhcp snooping statistics interface gigabitethernet 0/0/1
Format
reset dhcp snooping user-bind [ vlan vlan-id | interface interface-type interface-
number ] * [ ipv4 | ipv6 ]
reset dhcp snooping user-bind [ ip-address [ ip-address ] | ipv6-address [ ipv6-
address ] | vpls vpls-name ]
reset dhcp snooping user-bind bridge-domain bd-id
reset dhcp snooping user-bind [ ipv6-prefix [ prefix/prefix-length ] ]
NOTE
Only the S5731-H, S5731S-H, S5732-H, S6730-H, and S6730S-H support the vpls parameter.
Only the S6730-H, S6730S-H, S6730-S, S6730S-S, S5732-H, S5731-S, S5731S-S, S5731S-H,
S5731-H, S6720-EI, S6735-S and S6720S-EI support the bridge-domain parameter.
Parameters
Parameter Description Value
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After DHCP snooping is enabled, DHCP snooping binding entries are generated when DHCP users go online. The reset dhcp snooping user-bind command clears the binding entries that match the specified parameter. If no parameter is specified, all binding entries are cleared.
Precautions
Example
# Clear DHCP snooping binding entries in VLAN 100.
<HUAWEI> reset dhcp snooping user-bind vlan 100
Function
The reset dhcpv6 snooping statistics command deletes DHCPv6 snooping
statistics.
Format
reset dhcpv6 snooping statistics
Parameters
None
Views
User view
Default Level
3: Management level
Usage Guidelines
When you locate faults in DHCPv6 services, you need to collect statistics on
DHCPv6 snooping packets and deleted entries within a certain period of time.
Before collecting statistics using the display dhcpv6 snooping statistics
command, run the reset dhcpv6 snooping statistics command to delete historical
statistics.
Example
# Delete DHCPv6 snooping statistics.
<HUAWEI> reset dhcpv6 snooping statistics
Format
display nd snooping configuration
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
ND snooping configuration includes whether ND snooping is enabled or disabled
and information about ND snooping trusted interfaces.
To view ND snooping configuration, run the display nd snooping configuration
command.
Example
# Display ND snooping configuration.
<HUAWEI> display nd snooping configuration
#
nd snooping enable
#
interface GigabitEthernet0/0/1
nd snooping trusted
#
Format
display nd snooping [ static | dynamic ] prefix [ verbose ]
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
A device can establish a prefix management table which can be used to
implement duplicate address detection for users with IPv6 addresses and establish
a dynamic ND snooping binding table. A prefix management entry can be
statically configured or dynamically generated.
● Dynamic generation: The device obtains an RA packet received from an ND
snooping trusted interface and automatically generates a prefix management
entry based on the RA packet.
● Static configuration: When a gateway device does not send RA packets, you
can run the nd snooping static-prefix command to configure a static prefix
management entry.
You can run the display nd snooping prefix command to check prefix
management entries.
Example
# Display prefix management entries of users.
<HUAWEI> display nd snooping prefix
prefix-table:
Prefix Length Valid-Time Vlan(O/I)/BD Prefix-Type
--------------------------------------------------------------------------------
FC00:1:: 64 - 10 /24/- static
FC00:2:: 64 2592000 1 /-/- dynamic
--------------------------------------------------------------------------------
Prefix table total count: 2 Print count: 2
Format
display nd snooping statistics
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After ND snooping is enabled, the device records statistics on the received, sent,
and discarded ND snooping packets to facilitate maintenance.
Example
# Display statistics on the ND snooping packets received, sent, and discarded on
the device.
<HUAWEI> display nd snooping statistics
Input: total 203 packets, discarded 14 packets
ns : 178
na : 21
rs : 4
ra : 0
other : 0
Drop Packet:
The local link address is incorrect : 7
It does not match the binding table : 1
The destination IP address is incorrect : 6
Output: total 50 packets
ns : 50
Item Description
It does not match the binding table: Number of packets dropped because the packets do not match the binding entries.
Format
display nd snooping user-bind all [ verbose ]
display nd snooping user-bind { ipv6-address ipv6-address | mac-address mac-
address | interface interface-type interface-number | vlan vlan-id | bridge-
domain bd-id } * [ verbose ]
NOTE
Only the S6730-H, S6730S-H, S6730-S, S6730S-S, S5732-H, S5731-S, S5731S-S, S5731S-H,
S5731-H, S6720-EI, S6735-S and S6720S-EI support the bridge-domain parameter.
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
An ND snooping dynamic binding entry includes the source IPv6 address and
source MAC address of a user, and the VLAN that a user belongs to. You can run
the display nd snooping user-bind command to view details in the ND snooping
dynamic binding table.
Example
# Display all ND snooping dynamic binding entries.
<HUAWEI> display nd snooping user-bind all
ND Dynamic Bind-table:
Item Description
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping: O indicates the outer VLAN ID; I indicates the inner VLAN ID; P indicates the mapped VLAN ID.
Format
nd snooping alarm binding-table check enable
undo nd snooping alarm binding-table check enable
Parameters
None
Views
Ethernet interface view, GE interface view, XGE interface view, 25GE interface view,
MultiGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk
interface view, port group view, BD view, VLAN view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After ND protocol packet validity check is enabled using the nd snooping check
enable command, the device checks the NA, NS, and RS packets received from
untrusted interfaces against the ND snooping binding table and discards the
packets that do not match the binding table. If the number of discarded packets
exceeds the threshold, the corresponding alarm is generated. The minimum
interval for sending alarm messages is 1 minute. You can run the nd snooping
alarm binding-table check threshold command to set the alarm threshold.
Prerequisites
ND snooping has been enabled on the device using the nd snooping enable
command.
Precautions
To ensure that alarms can be properly reported, you need to run the snmp-agent
trap enable feature-name dhcp command to enable the DHCP module to report
the corresponding alarm. You can check whether the DHCP module is enabled to
report the corresponding alarm using the display snmp-agent trap feature-name
dhcp all command.
Example
# Enable the alarm function for checking packets against the ND snooping
binding table on GE0/0/1.
<HUAWEI> system-view
[HUAWEI] nd snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] nd snooping alarm binding-table check enable
Format
nd snooping alarm binding-table check threshold threshold
undo nd snooping alarm binding-table check threshold
Parameters
Parameter Description Value
threshold: Specifies the alarm threshold for the number of ND snooping-discarded packets. Value: an integer that ranges from 1 to 1000.
Views
System view, Ethernet interface view, GE interface view, XGE interface view, 25GE
interface view, MultiGE interface view, 40GE interface view, 100GE interface view,
Eth-Trunk interface view, port group view, BD view, VLAN view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After the alarm function for checking packets against the ND snooping binding
table is enabled using the nd snooping alarm binding-table check enable
command, you can run the nd snooping alarm binding-table check threshold
command to configure the alarm threshold for the number of ND snooping-
discarded packets.
Prerequisites
ND snooping has been enabled on the device using the nd snooping enable
command.
Precautions
If this command is run in the system view, it takes effect on all the interfaces of
the device.
Example
# Set the alarm threshold for the number of ND snooping-discarded packets on
GE0/0/1 to 1000.
<HUAWEI> system-view
[HUAWEI] nd snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] nd snooping alarm binding-table check threshold 1000
Format
nd snooping check { na | ns | rs } enable
Parameters
Parameter Description Value
Views
VLAN view, Ethernet interface view, GE interface view, XGE interface view, 25GE
interface view, MultiGE interface view, 40GE interface view, 100GE interface view,
Eth-Trunk interface view, port group view, BD view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After ND packet validity check is enabled, the device verifies the NA/NS/RS
packets received by untrusted interfaces against the ND snooping binding table, to
determine whether the NA/NS/RS packets are sent from valid users in the VLAN
on the interface. The device forwards the ND packets from valid users and drops
invalid ND packets.
Prerequisites
ND snooping has been enabled globally using the nd snooping enable command.
Example
# Enable NA packet validity check on GE0/0/1.
<HUAWEI> system-view
[HUAWEI] nd snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] nd snooping check na enable
Format
nd snooping check dad-ns retransmit-rate rate rate-value
undo nd snooping check dad-ns retransmit-rate rate
Parameters
Parameter Description Value
Views
System view, VLAN view, Eth-Trunk view, Ethernet interface view, GE interface
view, XGE interface view, 25GE interface view, MultiGE interface view, 40GE
interface view, 100GE interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When the ND snooping binding entry is not established, an untrusted interface on
a device forwards a DAD NS packet after receiving it. After the nd snooping check
Example
# Set the retransmission rate of DAD NS packets to 60 packets per second in the
system view.
<HUAWEI> system-view
[HUAWEI] nd snooping check dad-ns retransmit-rate rate 60
Format
nd snooping check dad-ns retransmit-rate enable
undo nd snooping check dad-ns retransmit-rate enable
Parameters
None
Views
System view, VLAN view, Eth-Trunk view, Ethernet interface view, GE interface
view, XGE interface view, 25GE interface view, MultiGE interface view, 40GE
interface view, 100GE interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Example
# Enable the function of checking the retransmission rate of DAD NS packets in
the system view.
<HUAWEI> system-view
[HUAWEI] nd snooping enable
[HUAWEI] nd snooping check dad-ns retransmit-rate enable
Format
nd snooping disable
undo nd snooping disable
NOTE
Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720S-EI, S6730-H,
S6730S-H, S6735-S, S6730-S, and S6730S-S support this command.
Parameters
None
Views
Ethernet interface view, GE interface view, XGE interface view, 25GE interface view,
MultiGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk
interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Precautions
Example
# Disable ND snooping on GE0/0/1 that has been added to VLAN 10.
<HUAWEI> system-view
[HUAWEI] nd snooping enable
[HUAWEI] vlan 10
[HUAWEI-vlan10] nd snooping enable
[HUAWEI-vlan10] quit
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] nd snooping disable
Function
The nd snooping enable command enables ND snooping.
Format
nd snooping enable
undo nd snooping enable
Parameters
None
Views
System view, VLAN view, Ethernet interface view, GE interface view, XGE interface
view, 25GE interface view, MultiGE interface view, 40GE interface view, 100GE
interface view, Eth-Trunk interface view, port group view, BD view
Default Level
2: Configuration level
Usage Guidelines
ND provides powerful functions but has no security mechanism. Attackers often
use ND to attack network devices. Common ND attacks are as follows:
● An attacker uses the IP address of host A to send NS, NA, or RS packets to host B or the gateway. Host B or the gateway then modifies its ND entry for host A. As a result, all packets sent from host B or the gateway to host A are sent to the attacker.
● An attacker uses the gateway IP address to send RA packets to hosts. Then
the hosts incorrectly set IPv6 parameters and modify their ND entries.
To prevent ND attacks, enable ND snooping on the device. The device detects NS
packets in the DAD process to establish an ND snooping dynamic binding table
that includes source IPv6 addresses, source MAC addresses, VLANs, and inbound
ports. When receiving ND packets, the device checks the validity of ND packets
based on the ND snooping binding table and checks whether the user is an
authorized user in the VLAN that the port receiving ND packets belongs to. The
device forwards valid ND packets and discards invalid ND packets to defend
against ND attacks from bogus hosts or gateways.
NOTE
By default, the system reports a port-Up event 2 seconds after a user-side interface transits from
Down to Up state. If ND snooping is enabled before the port-Up event is reported, the system
cannot generate the ND snooping entry of the user connected to this interface. To avoid this
problem, run the carrier up-hold-time interval command to change the delay in reporting the
port-Up event to 0.
Example
# Enable ND snooping globally and on GE0/0/1.
<HUAWEI> system-view
[HUAWEI] nd snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] nd snooping enable
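The learning and checking behaviour described above, together with the discard alarm of nd snooping alarm binding-table check threshold, as an added Python model (not Huawei code): bindings are learned from DAD NS packets on untrusted ports, NS/NA/RS packets from untrusted ports are matched on source IPv6 address, source MAC, VLAN and inbound port, and per-port discards raise an alarm once they exceed the threshold. The packet dicts, addresses, port names and the rule that a DAD NS for an already-bound address is dropped rather than overwriting the entry are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

UNSPECIFIED = "::"   # source address of a DAD NS


@dataclass(frozen=True)
class NdBinding:
    """One ND snooping dynamic binding entry (constructed model)."""
    ipv6: str
    mac: str
    vlan: int
    interface: str


@dataclass
class NdSnooping:
    trusted: Set[str] = field(default_factory=set)   # nd snooping trusted interfaces
    alarm_threshold: int = 100                        # nd snooping alarm binding-table check threshold
    table: Dict[str, NdBinding] = field(default_factory=dict)
    discards: Dict[str, int] = field(default_factory=dict)   # interface -> dropped count
    alarms: List[str] = field(default_factory=list)

    def process(self, pkt: dict) -> str:
        """Return 'forward' or 'drop' for one ND packet.

        pkt is a constructed dict with keys type ('ns', 'na', 'rs', 'ra'),
        src_ip, src_mac, target (NS/NA target address, else None), vlan, interface.
        """
        if pkt["interface"] in self.trusted:
            return "forward"                          # trusted ports are never checked
        if pkt["type"] == "ns" and pkt["src_ip"] == UNSPECIFIED:
            return self._learn_from_dad(pkt)
        if pkt["type"] in ("ns", "na", "rs"):
            return self._check(pkt)
        return "forward"                              # RA is outside the NA/NS/RS check above

    def _learn_from_dad(self, pkt: dict) -> str:
        """A DAD NS announces a tentative address: bind it to (MAC, VLAN, port).
        Assumed here: a DAD NS for an address already bound to a different
        user is dropped instead of overwriting the existing entry."""
        target = pkt["target"]
        owner = self.table.get(target)
        if owner and (owner.mac, owner.vlan, owner.interface) != (pkt["src_mac"], pkt["vlan"], pkt["interface"]):
            return self._drop(pkt)
        self.table[target] = NdBinding(target, pkt["src_mac"], pkt["vlan"], pkt["interface"])
        return "forward"

    def _check(self, pkt: dict) -> str:
        """NS/NA/RS from an untrusted port must match a binding on source IPv6,
        source MAC, VLAN and inbound port; anything else is an invalid ND packet."""
        b = self.table.get(pkt["src_ip"])
        if b is None or (b.mac, b.vlan, b.interface) != (pkt["src_mac"], pkt["vlan"], pkt["interface"]):
            return self._drop(pkt)
        return "forward"

    def _drop(self, pkt: dict) -> str:
        iface = pkt["interface"]
        self.discards[iface] = self.discards.get(iface, 0) + 1
        # alarm once, when the discard count on the port first exceeds the threshold
        if self.discards[iface] == self.alarm_threshold + 1:
            self.alarms.append(f"{iface}: ND binding-table check discards exceeded {self.alarm_threshold}")
        return "drop"


def demo():
    """Constructed traffic: host A on GE0/0/1 runs DAD and then sends ND normally;
    a second station on GE0/0/2 reuses A's address (the spoofing case described above)."""
    sw = NdSnooping(trusted={"GE0/0/24"}, alarm_threshold=2)
    a_mac, other_mac = "00e0-fc12-0001", "00e0-fc12-0002"
    pkts = [
        # A's DAD NS for FC00:1::A: binding learned, packet forwarded
        dict(type="ns", src_ip="::", src_mac=a_mac, target="FC00:1::A", vlan=10, interface="GE0/0/1"),
        # A resolves the gateway: matches its binding, forwarded
        dict(type="ns", src_ip="FC00:1::A", src_mac=a_mac, target="FC00:1::1", vlan=10, interface="GE0/0/1"),
        # NA claiming A's address from another MAC/port: dropped
        dict(type="na", src_ip="FC00:1::A", src_mac=other_mac, target="FC00:1::A", vlan=10, interface="GE0/0/2"),
        # RS with A's address from the same station: dropped
        dict(type="rs", src_ip="FC00:1::A", src_mac=other_mac, target=None, vlan=10, interface="GE0/0/2"),
        # DAD NS for an address already bound to A: dropped, third discard on GE0/0/2 raises the alarm
        dict(type="ns", src_ip="::", src_mac=other_mac, target="FC00:1::A", vlan=10, interface="GE0/0/2"),
        # RA from the uplink, a trusted port: forwarded without checking
        dict(type="ra", src_ip="FE80::1", src_mac="00e0-fc12-00ff", target=None, vlan=10, interface="GE0/0/24"),
    ]
    return sw, [sw.process(p) for p in pkts]


if __name__ == "__main__":
    switch, verdicts = demo()
    print(verdicts)
    print("discards:", switch.discards, "alarms:", switch.alarms)
```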
Format
nd snooping enable dhcpv6 only
undo nd snooping enable
Parameters
None
Views
VLAN view, Ethernet interface view, GE interface view, XGE interface view, 25GE
interface view, MultiGE interface view, 40GE interface view, 100GE interface view,
Eth-Trunk interface view, port group view, BD view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The device checks the validity of ND protocol packets against the IPv6 static binding table, the DHCPv6 dynamic binding table, and the ND snooping binding table. The IPv6 static binding table is configured manually by the administrator, the DHCPv6 dynamic binding table is generated automatically from information in DHCPv6 Reply packets, and the ND snooping binding table is generated automatically from information in DAD NS packets. The ND protocol packet validity check also depends on the ND snooping function (enabling ND snooping and configuring ND snooping trusted interfaces). In the DHCPv6 Only scenario, users may obtain IPv6 addresses only through DHCPv6; IPv6 addresses that users configure privately or that are generated automatically from a PD address prefix are considered invalid. In this scenario, ND snooping is disabled to prevent ND snooping binding entries from being generated for such invalid addresses, but the ND protocol packet validity check then cannot be performed, so address spoofing attacks may exist on the network.
To resolve this problem, you can run the nd snooping enable dhcpv6 only and nd
snooping trusted dhcpv6 only commands to enable the ND snooping function in
the DHCPv6 Only scenario. After the nd snooping enable dhcpv6 only command
is configured, no ND snooping binding entry is generated for the IPv6 global
unicast addresses that are manually configured by users and automatically
generated using the PD address prefixes. The device checks the validity of ND
protocol packets against the IPv6 static binding table and DHCPv6 dynamic
binding table.
Prerequisites
ND snooping has been enabled globally using the nd snooping enable command.
Precautions
● In the DHCPv6 Only scenario, ND snooping binding entries are generated for
the IPv6 link-local addresses that are manually configured by users and
automatically generated. To be specific, only records corresponding to the
IPv6 link-local addresses exist in the ND snooping binding table in the
DHCPv6 Only scenario.
● IPv6 addresses obtained using DHCPv6 PD also apply to the DHCPv6 Only
scenario.
Example
# Enable ND snooping globally and on interface GE0/0/1.
<HUAWEI> system-view
[HUAWEI] nd snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] nd snooping enable dhcpv6 only
Function
The nd snooping max-user-number command sets the maximum number of ND
snooping dynamic binding entries to be learned by an interface.
Format
nd snooping max-user-number max-user-number
Parameters
Views
System view, Ethernet interface view, GE interface view, XGE interface view, 25GE
interface view, MultiGE interface view, 40GE interface view, 100GE interface view,
Eth-Trunk interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
If a lot of users go online through an interface, the device consumes many ND
snooping dynamic binding entries to process the NS packets. To prevent this
problem, you can set the maximum number of ND snooping dynamic binding
entries to be learned by an interface. If the number of the ND snooping dynamic
binding entries learned by an interface reaches the maximum number, no entry
can be added.
You can set the maximum number of ND snooping entries in the system view or in
the interface view. The setting in the system view applies to all interfaces; the
setting in the interface view takes effect only on that interface. If both are
configured, the smaller value is adopted.
Prerequisites
Before setting the maximum number of ND snooping dynamic binding entries to
be learned by an interface, ensure that ND snooping has been enabled in the
system view using the nd snooping enable command.
Example
# Set the maximum number of ND snooping binding entries to 200 on GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] nd snooping max-user-number 200
Function
The nd snooping static-prefix command configures a static prefix management
entry.
Format
nd snooping static-prefix ipv6-address/prefix-length [ vlan vlan-id [ ce-vlan ce-vlan-id ] ]
undo nd snooping static-prefix ipv6-address/prefix-length [ vlan vlan-id [ ce-vlan ce-vlan-id ] ]
Parameters
Parameter | Description | Value
vlan vlan-id | Specifies the outer VLAN ID. NOTE: By default, the outer VLAN ID is 1 and no inner VLAN is configured. | The value is an integer that ranges from 1 to 4094.
ce-vlan ce-vlan-id | Specifies the inner VLAN ID. | The value is an integer that ranges from 1 to 4094.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After receiving an NS packet from a user, a device can generate a dynamic ND
snooping binding entry only after the value of the Target Address field in the
packet matches the user's prefix management entry. The device obtains an RA
packet received from an ND snooping trusted interface and automatically
generates a prefix management entry based on the RA packet. However, if a
gateway device does not send RA packets, the device cannot automatically
generate a prefix management entry and then cannot establish a corresponding
dynamic ND snooping binding entry, affecting services. In this case, you can run
the nd snooping static-prefix ipv6-address/prefix-length [ vlan vlan-id [ ce-vlan
ce-vlan-id ] ] command to manually configure a prefix management entry.
Prerequisites
ND snooping has been enabled using the nd snooping enable command in the
system view.
Precautions
The total number of statically configured and dynamically generated prefix
management entries cannot exceed the maximum number of entries allowed on a
device. Otherwise, no prefix management entry can be further statically
configured or dynamically generated.
Example
# Configure a static prefix management entry with the IPv6 address prefix
FC00:1::/64.
<HUAWEI> system-view
[HUAWEI] nd snooping enable
[HUAWEI] nd snooping static-prefix fc00:1::/64
Format
Ethernet interface view, GE interface view, XGE interface view, 25GE interface view,
MultiGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk
interface view, port group view, BD view
nd snooping trusted
undo nd snooping trusted
VLAN view
nd snooping trusted interface interface-type interface-number
undo nd snooping trusted interface interface-type interface-number
Parameters
Views
VLAN view, Ethernet interface view, GE interface view, XGE interface view, 25GE
interface view, MultiGE interface view, 40GE interface view, 100GE interface view,
Eth-Trunk interface view, port group view, BD view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
ND snooping classifies interfaces connected to IPv6 nodes into trusted and
untrusted interfaces. The trusted interfaces connect to trusted IPv6 nodes and
untrusted interfaces connect to untrusted IPv6 nodes. By default, all interfaces are
untrusted.
Generally, the interface connecting to the gateway is configured as the trusted interface, and
other interfaces are all untrusted interfaces.
Prerequisites
ND snooping has been enabled using the nd snooping enable command in the
system view.
Precautions
When you run the nd snooping trusted command in the VLAN view, the specified
interface must belong to the VLAN.
Example
# Configure GE0/0/1 as a trusted interface.
<HUAWEI> system-view
[HUAWEI] nd snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] nd snooping trusted
Function
The nd snooping trusted dhcpv6 only command configures the interfaces in the
DHCPv6 Only scenario as ND snooping trusted interfaces.
Format
Ethernet interface view, GE interface view, XGE interface view, 25GE interface view,
MultiGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk
interface view, port group view, BD view
nd snooping trusted dhcpv6 only
undo nd snooping trusted
VLAN view
nd snooping trusted interface interface-type interface-number dhcpv6 only
undo nd snooping trusted interface interface-type interface-number
Parameters
Views
VLAN view, Ethernet interface view, GE interface view, XGE interface view, 25GE
interface view, MultiGE interface view, 40GE interface view, 100GE interface view,
Eth-Trunk interface view, port group view, BD view
Default Level
2: Configuration level
Usage Guidelines
The device checks the validity of ND protocol packets against the IPv6 static
binding table, DHCPv6 dynamic binding table, and ND snooping binding table.
The IPv6 static binding table is manually configured by the administrator, the
DHCPv6 dynamic binding table is automatically generated by extracting
information from DHCPv6 Reply packets, and the ND snooping binding table is
automatically generated by extracting information from DAD NS packets. The ND
protocol packet validity check also depends on the ND snooping function
(including enabling ND snooping and configuring ND snooping trusted interfaces).
In the DHCPv6 Only scenario, users are only allowed to obtain IPv6 addresses
using DHCPv6, and IPv6 addresses that users configure privately or that are
generated automatically from a PD address prefix are considered invalid. In this
scenario, ND snooping is disabled to prevent ND snooping binding entries from
being generated for such invalid addresses. The ND protocol packet validity check
then cannot be performed, so address spoofing attacks may occur on the network.
To resolve this problem, you can run the nd snooping enable dhcpv6 only and nd
snooping trusted dhcpv6 only commands to enable the ND snooping function in
the DHCPv6 Only scenario. After the nd snooping trusted dhcpv6 only command
is configured, no prefix management entry is generated when the trusted interface
receives an RA packet, which is different from the nd snooping trusted command.
This is because the prefix management entries need to be matched before the
corresponding ND snooping binding entries are generated for the IPv6 addresses
excluding the IPv6 link-local addresses. However, only records corresponding to the
IPv6 link-local addresses exist in the ND snooping binding table in the DHCPv6
Only scenario. Therefore, the prefix management entries do not need to be
generated.
Example
# Configure GE0/0/1 as an ND snooping trusted interface.
<HUAWEI> system-view
[HUAWEI] nd snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] nd snooping trusted dhcpv6 only
Function
The nd snooping user-alarm percentage command configures the alarm
thresholds for the percentage of ND snooping dynamic binding entries.
By default, the lower alarm threshold for the percentage of ND snooping dynamic
binding entries is 50, and the upper alarm threshold for the percentage of ND
snooping dynamic binding entries is 100.
Format
nd snooping user-alarm percentage percent-lower-value percent-upper-value
Parameters
Parameter | Description | Value
percent-lower-value | Specifies the lower alarm threshold for the percentage of ND snooping dynamic binding entries. | The value is an integer that ranges from 1 to 100.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After you run the nd snooping max-user-number command to set the maximum
number of ND snooping dynamic binding entries on an interface, you can run the
nd snooping user-alarm percentage command to set the alarm thresholds for
the percentage of ND snooping dynamic binding entries.
When the percentage of learned ND snooping dynamic binding entries against the
maximum number of ND snooping dynamic entries allowed by the device reaches
or exceeds the upper alarm threshold, the device generates an alarm. When the
percentage of learned ND snooping dynamic binding entries against the maximum
number of ND snooping dynamic entries allowed by the device reaches or falls
below the lower alarm threshold later, the device generates a clear alarm. The
alarm information helps network administrators monitor the status of ND
snooping binding table in real time.
Example
# Set the lower alarm threshold for the percentage of ND snooping dynamic
binding entries to 30 and the upper alarm threshold to 80.
<HUAWEI> system-view
[HUAWEI] nd snooping user-alarm percentage 30 80
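How nd snooping max-user-number and nd snooping user-alarm percentage interact, as an added example that is not Huawei code: a Python model of one interface's dynamic binding table that adopts the smaller of the system and interface limits, refuses new entries once the limit is reached, raises an alarm when usage reaches or exceeds the upper threshold and clears it only when usage later falls to or below the lower threshold. The class and method names, the choice to compute the percentage against the effective limit of the interface, and the sample addresses are assumptions constructed for this illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class NdSnoopingInterface:
    """Dynamic ND snooping binding table of one interface, with limit and alarms."""
    name: str
    interface_max: Optional[int] = None   # nd snooping max-user-number, interface view
    system_max: Optional[int] = None      # nd snooping max-user-number, system view
    lower_percent: int = 50               # nd snooping user-alarm percentage defaults
    upper_percent: int = 100
    entries: dict = field(default_factory=dict)   # ipv6 address -> (mac, vlan)
    alarm_active: bool = False
    events: list = field(default_factory=list)    # ("ALARM"|"CLEAR", interface, percent)

    def effective_max(self) -> Optional[int]:
        """When both views are configured, the smaller value is adopted."""
        limits = [m for m in (self.interface_max, self.system_max) if m is not None]
        return min(limits) if limits else None

    def usage_percent(self) -> int:
        """Learned entries as a percentage of the maximum (0 when no limit is set)."""
        limit = self.effective_max()
        return len(self.entries) * 100 // limit if limit else 0

    def _check_alarm(self) -> None:
        # Hysteresis: alarm once at >= upper, clear once at <= lower, nothing in between.
        pct = self.usage_percent()
        if not self.alarm_active and pct >= self.upper_percent:
            self.alarm_active = True
            self.events.append(("ALARM", self.name, pct))
        elif self.alarm_active and pct <= self.lower_percent:
            self.alarm_active = False
            self.events.append(("CLEAR", self.name, pct))

    def learn(self, ipv6: str, mac: str, vlan: int) -> bool:
        """Learn an entry from a DAD NS packet; return False when the limit is reached."""
        if ipv6 in self.entries:                 # refresh of an existing user
            self.entries[ipv6] = (mac, vlan)
            return True
        limit = self.effective_max()
        if limit is not None and len(self.entries) >= limit:
            return False                         # no entry can be added
        self.entries[ipv6] = (mac, vlan)
        self._check_alarm()
        return True

    def remove(self, ipv6: str) -> None:
        """Entry aged out or deleted (for example by reset nd snooping user-bind)."""
        self.entries.pop(ipv6, None)
        self._check_alarm()


def simulate() -> tuple:
    """Constructed scenario: system limit 200, interface limit 10, thresholds 30/80."""
    gi = NdSnoopingInterface("GE0/0/1", interface_max=10, system_max=200,
                             lower_percent=30, upper_percent=80)
    accepted = sum(gi.learn(f"fc00:1::{i:x}", f"00e0-fc11-{i:04x}", 100)
                   for i in range(1, 13))       # 12 users arrive, only 10 fit
    for i in range(1, 9):                       # 8 users leave: usage drops to 20%
        gi.remove(f"fc00:1::{i:x}")
    return accepted, gi.events
```
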
By default, the wait time for a device to send an NS packet to detect the user
status is 250 milliseconds and the lifetime of an ND snooping binding entry when
a device detects the user status is 500 milliseconds.
Format
nd snooping wait-time wait-time life-time life-time
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
● If the entry is within the lifetime and the device receives an NA packet from
the port corresponding to the entry, the user corresponding to the entry is still
online and the device updates the IP address lease in the corresponding entry.
● If the entry is within the lifetime and the device does not receive an NA
packet from the port corresponding to the entry, the user corresponding to
the entry is offline and the device updates the user's IP address lease time in
the entry and updates the port number in the entry to that in the previously
received NA packet.
Prerequisites
ND snooping has been enabled using the nd snooping enable command in the
system view.
Precautions
After the device receives an NA packet conflicting with an ND snooping binding
entry and user status detection is enabled, periodic user status detection is
suspended.
Example
# Set the wait time for a device to send an NS packet to detect the user status to
300 milliseconds and the lifetime of an ND snooping binding entry when a device
detects the user status to 2000 milliseconds.
<HUAWEI> system-view
[HUAWEI] nd snooping enable
[HUAWEI] nd snooping wait-time 300 life-time 2000
Format
nd user-bind detect retransmit retransmit-times interval retransmit-interval
undo nd user-bind detect retransmit interval
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After automatic user status detection for users mapping ND snooping dynamic
binding entries is enabled, the device sends NS packets to users based on the
configured detection times and interval. If no NA packet is returned from a user
after NS packets are sent for configured times, the device considers the user to be
offline and deletes the mapping ND snooping dynamic binding entry.
You can run the nd user-bind detect command to change the number of times
and interval for sending NS packets to detect the user status. On a small network
with good network quality, the user returns an NA packet quickly. In this scenario,
you can set the interval for sending NS packets to a small value. On a large
network with poor network quality, the user returns an NA packet slowly. You can
set the interval to a large value to prevent the device from sending the next NS
packet before receiving the NA packet. You can change the interval based on the
actual network environment.
Prerequisites
Automatic user status detection for users mapping ND snooping dynamic binding
entries has been enabled using the nd user-bind detect enable command.
Precautions
After you run the nd user-bind detect enable command, the device sends an NS
packet after a period of time. The maximum value of this period is 20 seconds.
Example
# Set the number of times for sending NS packets to 10, and the interval for
sending NS packets to 1000 milliseconds.
<HUAWEI> system-view
[HUAWEI] nd user-bind detect enable
[HUAWEI] nd user-bind detect retransmit 10 interval 1000
Format
nd user-bind detect enable
undo nd user-bind detect enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After ND snooping is enabled, the device snoops NS packets in the DAD process to
establish ND dynamic binding entries. The aging time of an ND snooping dynamic
binding table depends on the IPv6 address lease. If the address lease does not
expire but the user is offline, the ND snooping dynamic entry mapping the user
cannot be deleted, which occupies binding entry resources on the device.
To prevent this problem, you can enable the automatic user status detection for
users mapping ND snooping dynamic binding entries on the device. After this
function is enabled, the device sends NS packets to the user according to the
detection times (n) specified in nd user-bind detect and detection interval. If the
device receives no NA packet from the user after sending the NS packets n times,
the device considers the user to be offline and deletes the dynamic ND snooping
binding entry matching the user.
Precautions
After you run the nd user-bind detect enable command, the device sends an NS
packet after a period of time. The maximum value of this period is 20 seconds.
Example
# Enable the function for automatically detecting status of users mapping ND
snooping dynamic binding entries.
<HUAWEI> system-view
[HUAWEI] nd user-bind detect enable
Format
reset nd snooping prefix [ ipv6-address/prefix-length ]
Parameters
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The ND server that functions as the gateway router sends RA packets periodically
to instruct users to update prefixes. The switch that functions as the access device
establishes prefix management entries based on RA packets to maintain and
manage user prefixes.
Generally, do not delete prefix management entries of users manually. Run the
reset nd snooping prefix command to delete prefix management entries of users
if the following requirements are met:
● The user lease has not expired, so the prefix management entry cannot age
automatically.
● The user is no longer connected to the network.
Precautions
After a prefix management entry is deleted, the switch cannot establish the ND
snooping dynamic binding table for new users with the prefix management entry.
Example
# Delete the prefix management entry with the prefix address being fc00:1::1 and
the prefix length being 64.
<HUAWEI> reset nd snooping prefix fc00:1::1/64
Format
reset nd snooping statistics
Parameters
None
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After ND snooping is enabled, the device records statistics on the sent and
received ND packets. This command deletes the statistics on ND packets.
Precautions
Example
# Delete statistics on ND snooping packets.
<HUAWEI> reset nd snooping statistics
Format
reset nd snooping user-bind [ interface interface-type interface-number | ipv6-address ipv6-address | mac-address mac-address | vlan vlan-id | bridge-domain bd-id ]
NOTE
Only the S6730-H, S6730S-H, S6730-S, S6730S-S, S5732-H, S5731-S, S5731S-S, S5731S-H,
S5731-H, S6720-EI, S6735-S and S6720S-EI support the bridge-domain parameter.
Parameters
Views
User view
Default Level
3: Management level
Usage Guidelines
You need to manually delete ND snooping dynamic binding entries if the following
requirements are met:
● The ND snooping dynamic binding entry has not reached its aging time, so
the entry cannot age automatically.
● The user is no longer connected to the network.
● The user VLAN or interface information changes.
The networking environment change may lead to the change in the VLAN or
interface information, while the ND snooping dynamic binding entry mapping a
user does not age out and cannot update in real time. As a result, the device
discards valid ND packets that do not match the old ND snooping dynamic
binding entries. Before changing the networking environment, clear all ND
snooping dynamic binding entries manually so that a device generates a new ND
snooping dynamic binding table based on the new networking environment.
Example
# Delete the ND snooping dynamic binding entry that contains the IPv6 address
being fc00:1::1.
<HUAWEI> reset nd snooping user-bind ipv6-address fc00:1::1
# Delete the ND snooping dynamic binding entry that contains the MAC address
being 00e0-fc11-2222.
<HUAWEI> reset nd snooping user-bind mac-address 00e0-fc11-2222
Function
The display nd raguard policy command displays the configuration of an IPv6 RA
guard policy.
Format
display nd raguard policy [ policy-name ]
Parameters
policy-name | Displays the configuration of the IPv6 RA guard policy with the specified name. | The value must be the name of an existing IPv6 RA guard policy.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
To view the matching rules configured in a specified IPv6 RA guard policy, run the
display nd raguard policy command. RA messages can be forwarded only when
they match all rules.
Example
# Display the IPv6 RA guard policy configured on the device.
<HUAWEI> display nd raguard policy
------------------------------------------------
ID nd-raguard-policy name
0 p1
1 p2
2 p3
------------------------------------------------
Total 3, printed 3
Item | Description
ID | ID.
Format
display nd raguard statistic [ interface interface-type interface-number ]
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
When the interface role of an interface is a host interface or when an IPv6 RA
guard policy is applied to an interface and RA messages received on the interface
do not match the rules configured in the policy, the interface discards RA
messages. The device supports the display of discarded RA message statistics
based on interfaces.
Example
# Display statistics about RA messages discarded by a specified interface.
<HUAWEI> display nd raguard statistic
RA messages dropped by RA guard:
Interface Dropped
Eth-trunk10 1221
14.10.4 hop-limit
Function
The hop-limit command configures a rule to match RA messages against the
maximum and minimum hop limits in RA messages.
By default, the maximum and minimum hop limits in an RA message are 255 and
1 respectively.
Format
hop-limit { maximum max-value | minimum min-value }
Parameters
NOTE
In the same IPv6 RA guard policy, if both max-value and min-value are configured, min-value must be less than or equal to max-value.
Views
IPv6 RA guard policy view
Default Level
2: Configuration level
Usage Guidelines
The Hop Limit field in an RA message indicates the maximum number of hops
that the message can pass through. The value is decremented by 1 each time the
message passes through a device. The message is discarded when the field value is
0. After the maximum or minimum hop limit is configured in the IPv6 RA guard
policy view, the interface to which the policy is applied forwards only the RA
messages whose hop limit is within the configured range and discards those
whose hop limit is outside the configured range.
Example
# In the IPv6 RA guard policy p1, set the maximum and minimum hop limits in RA
messages to 10 and 5 respectively.
<HUAWEI> system-view
[HUAWEI] nd raguard policy p1
[HUAWEI-nd-raguard-policy-p1] hop-limit maximum 10
[HUAWEI-nd-raguard-policy-p1] hop-limit minimum 5
Function
The if-match source-mac-address command configures an ACL to match RA
messages against the source MAC address in RA messages.
The undo if-match source-mac-address command deletes the ACL used to match
RA messages against the source MAC address in RA messages.
Format
if-match source-mac-address acl acl-number
Parameters
Views
IPv6 RA guard policy view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Precautions
Example
# In the IPv6 RA guard policy p1, configure the switch to forward RA messages
with the source MAC address 0001-0001-0001 or 0022-0022-0022.
<HUAWEI> system-view
[HUAWEI] acl 4001
[HUAWEI-acl-L2-4001] rule 1 permit source-mac 0001-0001-0001
[HUAWEI-acl-L2-4001] rule 2 permit source-mac 0022-0022-0022
[HUAWEI-acl-L2-4001] quit
[HUAWEI] nd raguard policy p1
[HUAWEI-nd-raguard-policy-p1] if-match source-mac-address acl 4001
Function
The if-match ipv6-source-address command configures an ACL to match RA
messages against the source IPv6 address in RA messages.
The undo if-match ipv6-source-address command deletes the ACL used to match
RA messages against the source IPv6 address in RA messages.
Format
if-match ipv6-source-address acl acl-number
Parameters
Views
IPv6 RA guard policy view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
within the network segment configured in the ACL and forwards only the RA
messages that match the ACL.
Precautions
Example
# In the IPv6 RA guard policy p1, configure the switch to forward RA messages
with the source IPv6 address FC00:1::10/64.
<HUAWEI> system-view
[HUAWEI] acl ipv6 2000
[HUAWEI-acl6-basic-2000] rule 1 permit source fc00:1::/64
[HUAWEI-acl6-basic-2000] quit
[HUAWEI] nd raguard policy p1
[HUAWEI-nd-raguard-policy-p1] if-match ipv6-source-address acl 2000
Function
The if-match prefix command configures an ACL to match RA messages against
the IPv6 prefix in RA messages.
The undo if-match prefix command deletes the ACL used to match RA messages
against the IPv6 prefix in RA messages.
Format
if-match prefix acl acl-number
Parameters
Views
IPv6 RA guard policy view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Precautions
Example
# In the IPv6 RA guard policy p1, configure the switch to forward RA messages
with the IPv6 prefix FC00:1::/64.
<HUAWEI> system-view
[HUAWEI] acl ipv6 2000
[HUAWEI-acl6-basic-2000] rule 1 permit source fc00:1::/64
[HUAWEI-acl6-basic-2000] quit
[HUAWEI] nd raguard policy p1
[HUAWEI-nd-raguard-policy-p1] if-match prefix acl 2000
14.10.8 managed-address-flag
Function
The managed-address-flag command configures a rule to match RA messages
against the M flag in RA messages.
Format
managed-address-flag { on | off }
undo managed-address-flag
Parameters
Views
IPv6 RA guard policy view
Default Level
2: Configuration level
Usage Guidelines
The M flag in an RA message determines whether users use stateful
autoconfiguration to obtain IPv6 addresses. When the M flag is set to 1, a user
obtains an IPv6 address using stateful autoconfiguration (for example, a DHCPv6
server). When the M flag is set to 0, a user obtains an IPv6 address using stateless
autoconfiguration. That is, an IPv6 address is generated for the user according to
the prefix information advertised by the router and the link-layer address of the
user.
Example
# In the IPv6 RA guard policy p1, set the matching rule of the M flag to on. That
is, users obtain IPv6 addresses using stateful autoconfiguration.
<HUAWEI> system-view
[HUAWEI] nd raguard policy p1
[HUAWEI-nd-raguard-policy-p1] managed-address-flag on
Function
The nd raguard role command configures an interface role for IPv6 RA guard.
The undo nd raguard role command deletes the interface role configured for IPv6
RA guard.
Format
nd raguard role { host | router }
undo nd raguard role
Parameters
Views
Layer 2 Ethernet interface view, Eth-Trunk interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Administrators can configure an interface role based on the network location of
interfaces. If an interface is connected to a user host, administrators can configure
the interface role of the interface as a host interface. If the interface is connected
to a router, administrators can configure the interface role of the interface as a
router interface.
● If the interface role of the interface is a router interface, the system forwards
the RA messages received by the interface.
● If the interface role of the interface is a host interface, the system discards the
RA messages.
Example
# On GE0/0/1, configure the interface role as a router interface for IPv6 RA guard.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] nd raguard role router
Format
nd raguard policy policy-name
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
You can configure an IPv6 RA guard policy for an interface to filter RA messages in
the following situations:
Follow-up Procedure
Configure a matching rule in the IPv6 RA guard policy view and run the nd
raguard attach-policy command to apply the IPv6 RA guard policy to an
interface.
Example
# Create an IPv6 RA guard policy named p1.
<HUAWEI> system-view
[HUAWEI] nd raguard policy p1
Format
nd raguard attach-policy policy-name
undo nd raguard attach-policy
Parameters
Parameter | Description | Value
policy-name | Specifies the name of an IPv6 RA guard policy. | The value must be the name of an existing IPv6 RA guard policy.
Views
Layer 2 Ethernet interface view, Eth-Trunk interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
After an IPv6 RA guard policy is bound to an interface, the interface filters
received RA messages based on the matching rules configured in the policy.
Example
# Bind the IPv6 RA guard policy p1 to GE0/0/1.
<HUAWEI> system-view
[HUAWEI] nd raguard policy p1
[HUAWEI-nd-raguard-policy-p1] quit
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] nd raguard attach-policy p1
Format
nd raguard log enable
Parameters
None.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
The IPv6 RA guard log function records RA message processing information to
meet the audit requirements of administrators. After this function is enabled, the
device generates the ND_RAGUARD/3/ND_RAGUARD_DROP log when detecting
invalid RA messages. The log content includes the name of the attacked interface,
source IP address and source MAC address of RA messages, and total number of
RA messages discarded on the interface.
The IPv6 RA guard logs generated by the device are sent to the information center
module for processing. The configuration of the information center module
determines the output rules and output directions of the logs. For details about
the information center, see Information Center Configuration in the S300, S500,
S2700, S5700, and S6700 V200R021C10 Configuration Guide - Device
Management.
Example
# Enable the IPv6 RA guard log function.
<HUAWEI> system-view
[HUAWEI] nd raguard log enable
14.10.13 other-config-flag
Function
The other-config-flag command configures a rule to match RA messages against
the O flag in RA messages.
The undo other-config-flag command deletes the rule used to match RA
messages against the O flag in RA messages.
By default, no rule is configured to match RA messages against the O flag in RA
messages.
Format
other-config-flag { on | off }
undo other-config-flag
Parameters
Views
IPv6 RA guard policy view
Default Level
2: Configuration level
Usage Guidelines
The O flag in an RA message determines whether users use stateful
autoconfiguration to obtain information other than IPv6 addresses. When the O
flag is set to 1, a user obtains information other than an IPv6 address using
stateful autoconfiguration (for example, a DHCPv6 server). When the O flag is set
to 0, a user obtains information other than an IPv6 address using stateless
autoconfiguration.
After a rule is configured to match RA messages against the O flag in RA
messages in the IPv6 RA guard policy view, the interface to which the policy is
applied checks the O flag in the received RA messages and forwards the messages
only when the messages match the rule. Otherwise, the interface discards the
messages.
Example
# In the IPv6 RA guard policy p1, set the matching rule of the O flag to on. That
is, users obtain information other than IPv6 addresses using stateful
autoconfiguration.
<HUAWEI> system-view
[HUAWEI] nd raguard policy p1
[HUAWEI-nd-raguard-policy-p1] other-config-flag on
Format
router-preference maximum { high | medium | low }
Parameters
Views
IPv6 RA guard policy view
Default Level
2: Configuration level
Usage Guidelines
RA messages carry the route preference field. Route preferences are classified into
high preference (with the value 1), medium preference (with the value 0), and low
preference (with the value 3). After receiving an RA message, a host updates its
default route list and selects a route in descending order of the route preference.
Example
# In the IPv6 RA guard policy p1, set the highest route preference used to match
RA messages to medium preference.
<HUAWEI> system-view
[HUAWEI] nd raguard policy p1
[HUAWEI-nd-raguard-policy-p1] router-preference maximum medium
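The RA guard rules described in this section (hop-limit, if-match source-mac-address, if-match ipv6-source-address, if-match prefix, managed-address-flag, other-config-flag, router-preference maximum), the interface role and the per-interface drop counter, combined in one added Python example that is not Huawei code. It assumes that a host-role interface drops every RA regardless of any attached policy, that router preferences are ordered low < medium < high for the "maximum" comparison, and that every prefix advertised in an RA must fall inside a network permitted by the prefix ACL; the class and function names and the sample RA messages are constructed for this illustration.

```python
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network
from typing import Optional

# Prf values carried in the RA (high=1, medium=0, low=3), ranked low < medium < high.
PREF_RANK = {3: 0, 0: 1, 1: 2}
PREF_NAME = {"low": 3, "medium": 0, "high": 1}


@dataclass
class RaMessage:
    """Constructed RA message: only the fields the policy rules inspect."""
    src_mac: str
    src_ipv6: str
    hop_limit: int
    m_flag: bool
    o_flag: bool
    router_pref: int          # 1 high, 0 medium, 3 low
    prefixes: list            # prefixes advertised in the RA, e.g. ["fc00:1::/64"]


@dataclass
class RaGuardPolicy:
    """One IPv6 RA guard policy; an RA is forwarded only when it matches all rules."""
    name: str
    hop_min: int = 1                             # hop-limit minimum (default 1)
    hop_max: int = 255                           # hop-limit maximum (default 255)
    managed_flag: Optional[bool] = None          # managed-address-flag on|off
    other_flag: Optional[bool] = None            # other-config-flag on|off
    pref_maximum: Optional[str] = None           # router-preference maximum
    src_mac_acl: Optional[set] = None            # if-match source-mac-address acl
    src_ipv6_acl: Optional[list] = None          # if-match ipv6-source-address acl
    prefix_acl: Optional[list] = None            # if-match prefix acl

    def failing_rule(self, ra: RaMessage) -> Optional[str]:
        """Return the first rule the RA violates, or None when every rule matches."""
        if not (self.hop_min <= ra.hop_limit <= self.hop_max):
            return "hop-limit"
        if self.managed_flag is not None and ra.m_flag != self.managed_flag:
            return "managed-address-flag"
        if self.other_flag is not None and ra.o_flag != self.other_flag:
            return "other-config-flag"
        if (self.pref_maximum is not None
                and PREF_RANK[ra.router_pref] > PREF_RANK[PREF_NAME[self.pref_maximum]]):
            return "router-preference"
        if self.src_mac_acl is not None and ra.src_mac not in self.src_mac_acl:
            return "source-mac-address"
        if self.src_ipv6_acl is not None and not any(
                IPv6Address(ra.src_ipv6) in net for net in self.src_ipv6_acl):
            return "ipv6-source-address"
        if self.prefix_acl is not None and not all(
                any(IPv6Network(p, strict=False).subnet_of(net) for net in self.prefix_acl)
                for p in ra.prefixes):
            return "prefix"
        return None


@dataclass
class RaGuardInterface:
    """Interface with an optional role (nd raguard role) and/or an attached policy."""
    name: str
    role: Optional[str] = None                   # "host" or "router"
    policy: Optional[RaGuardPolicy] = None       # nd raguard attach-policy
    dropped: int = 0                             # shown by display nd raguard statistic
    log: list = field(default_factory=list)      # what nd raguard log enable would record

    def receive(self, ra: RaMessage) -> bool:
        """Return True when the RA is forwarded, False when the interface drops it."""
        if self.role == "host":
            reason = "role host"
        elif self.policy is not None:
            reason = self.policy.failing_rule(ra)
        else:
            reason = None                        # router role or no RA guard configured
        if reason is None:
            return True
        self.dropped += 1
        # Same content the ND_RAGUARD_DROP log carries (exact log format not reproduced).
        self.log.append(f"{self.name} src={ra.src_ipv6} mac={ra.src_mac} "
                        f"dropped={self.dropped} rule={reason}")
        return False


def demo() -> dict:
    """Constructed scenario reusing the p1 settings from the examples above."""
    p1 = RaGuardPolicy("p1", hop_min=5, hop_max=10, managed_flag=True, other_flag=True,
                       pref_maximum="medium",
                       src_mac_acl={"0001-0001-0001", "0022-0022-0022"},
                       src_ipv6_acl=[IPv6Network("fc00:1::/64")],
                       prefix_acl=[IPv6Network("fc00:1::/64")])
    gi1 = RaGuardInterface("GE0/0/1", policy=p1)
    gi2 = RaGuardInterface("GE0/0/2", role="host")
    good = RaMessage("0001-0001-0001", "fc00:1::10", 8, True, True, 0, ["fc00:1::/64"])
    cases = {
        "good": good,
        "high_pref": RaMessage("0001-0001-0001", "fc00:1::10", 8, True, True, 1, ["fc00:1::/64"]),
        "unknown_mac": RaMessage("0bad-0bad-0bad", "fc00:1::10", 8, True, True, 0, ["fc00:1::/64"]),
        "foreign_prefix": RaMessage("0022-0022-0022", "fc00:1::11", 8, True, True, 0,
                                    ["2001:db8:ffff::/64"]),
    }
    result = {k: gi1.receive(ra) for k, ra in cases.items()}
    result["host_port"] = gi2.receive(good)
    result["dropped"] = (gi1.dropped, gi2.dropped)
    return result
```
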
Function
The reset nd raguard statistic command clears statistics about RA messages
discarded by interfaces.
Format
reset nd raguard statistic [ interface interface-type interface-number ]
Parameters
Views
User view
Default Level
3: Management level
Usage Guidelines
To collect statistics about RA messages discarded on interfaces within a certain
period, run the reset nd raguard statistic command to clear the existing statistics
and then run the display nd raguard statistic command.
Example
# Clear statistics about RA messages discarded by interfaces.
<HUAWEI> reset nd raguard statistic
Commands provided in this section and all the parameters in the commands are
supported by all switch models by default, unless otherwise specified. For details,
see specific commands.
Format
display pppoe intermediate-agent information encapsulation
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
To view the fields and vendor ID added to PPPoE packets, run the display pppoe
intermediate-agent information encapsulation command.
Example
# Display the fields and vendor ID added to PPPoE packets.
<HUAWEI> display pppoe intermediate-agent information encapsulation
The vendor id is: 2011
Encapsulation content contains: Circuit-id and Remote-id
Format
display pppoe intermediate-agent information format
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After PPPoE+ is enabled globally, you can run the display pppoe intermediate-agent
information format command to check whether the configuration of the circuit ID
or remote ID added to PPPoE packets is correct.
Example
# Display formats of circuit ID and remote ID that are configured globally.
<HUAWEI> display pppoe intermediate-agent information format
The current information format :
Circuit ID : EXTEND
Remote ID : COMMON
For example:
interface GigabitEthernet0/0/1 SVLAN:200 CVLAN:100
The PPPOE Intermediate Agent information is as follows:
Circuit ID:00 04 00 c8 00 00
Remote ID:0022-0033-0044
Function
The display pppoe intermediate-agent information policy command displays
the global policy for processing original fields in PPPoE packets at the user side
and PPPoE server side.
Format
display pppoe intermediate-agent information policy
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The display pppoe intermediate-agent information policy command displays
the global policy for processing original fields in PPPoE packets at the user side
and PPPoE server side.
Example
# Display the global policy for processing original information fields in PPPoE
packets at the user side and PPPoE server side.
<HUAWEI> display pppoe intermediate-agent information policy
The current information Policy :REPLACE
The current ignore-reply Policy:ENABLE
Item Description
The current ignore-reply Policy Global policy for processing PPPoE reply packets sent by the PPPoE server:
● ENABLE: indicates that the device does not process PPPoE reply packets sent by the PPPoE server.
● DISABLE: indicates that the device processes PPPoE reply packets sent by the PPPoE server.
You can run the pppoe intermediate-agent information ignore-reply command to set this parameter.
Function
The pppoe intermediate-agent information enable command enables PPPoE+
globally.
Format
pppoe intermediate-agent information enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After PPPoE+ is enabled globally, the device can add information about the
interface connected to the PPPoE client, such as the slot ID/subcard ID/interface
number, to PPPoE packets. The user account and access interface information are
both authenticated, which prevents user account theft.
NOTE
If PPPoE+ is enabled on a device that has no ACL resources, the system displays the
message "Warning: Allocate acl resources failed." In this case, PPPoE+ does not
work.
Example
# Enable PPPoE+ globally.
<HUAWEI> system-view
[HUAWEI] pppoe intermediate-agent information enable
Function
The pppoe intermediate-agent information encapsulation command configures
fields added to PPPoE packets.
By default, the device adds the circuit-id and remote-id fields to PPPoE packets.
Format
pppoe intermediate-agent information encapsulation { circuit-id | remote-id } *
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After PPPoE+ is enabled, the device adds the circuit-id and remote-id fields to
PPPoE packets by default. If the remote non-Huawei PPPoE server can identify
only the circuit-id or remote-id field, run the pppoe intermediate-agent
information encapsulation command to configure the device only to add the
circuit-id or remote-id fields to PPPoE packets.
Prerequisites
The PPPoE+ function has been enabled by running the pppoe intermediate-agent
information enable command in the system view.
Example
# Configure the device only to add the circuit-id field to PPPoE packets.
<HUAWEI> system-view
[HUAWEI] pppoe intermediate-agent information enable
[HUAWEI] pppoe intermediate-agent information encapsulation circuit-id
Function
The pppoe intermediate-agent information format command configures the
format of fields added to PPPoE packets.
By default, the format of fields circuit-id and remote-id added to PPPoE packets
is common.
Format
pppoe intermediate-agent information [ vlan vlan-id ] [ ce-vlan cevlan-id ]
format { circuit-id | remote-id } { common | extend | user-defined text }
Parameters
Views
System view and interface view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After PPPoE+ is enabled globally, the default policy for processing user-side PPPoE
packets is replace. The device replaces original information fields in the PPPoE
packets received at the user side with those in common format. You can run the
pppoe intermediate-agent information format command to change the format
of information fields.
When the policy for processing user-side PPPoE packets is replace and the pppoe
intermediate-agent information format command is executed in the system view,
all interfaces add fields in the specified format to received PPPoE packets.
When the pppoe intermediate-agent information format command is
configured, the device uses the following matching rules to encapsulate the
information fields in PPPoE packets:
● For a double-tagged packet, the device matches the VLAN IDs in both the
outer and inner VLAN tags. If the match fails, the device matches the VLAN
ID in the inner VLAN tag, followed by that in the outer VLAN tag. If the
match still fails, the device considers that the packet does not carry a VLAN
ID, and does not encapsulate the packet.
● For a single-tagged packet, the device matches the VLAN ID in the outer
VLAN tag. If the match fails, the device considers that the packet does not
carry a VLAN ID, and does not encapsulate the packet.
If the pppoe intermediate-agent information format command is configured in
both the interface and system views, the configuration in the interface view takes
effect.
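The matching order above, plus the interface-over-system precedence and the keyword rules of the user-defined format, as an added example (not Huawei code). Assumptions made here: each view's configuration is modelled as a table keyed by (vlan-id, ce-vlan-id), with ce-vlan-id None when the rule was entered with vlan only, and the user-defined keywords are %portname, %svlan, %cvlan and %sysname as used in the example below.

```python
"""Toy model of the pppoe intermediate-agent information format selection.

Constructed example, not Huawei code.  The fallback order for double- and
single-tagged packets and the precedence of the interface view over the
system view follow the text above.  Assumptions made here: each view's
configuration is a table keyed by (vlan-id, ce-vlan-id), where ce-vlan-id is
None when the rule was entered with "vlan" only, and the user-defined format
keywords are %portname, %svlan, %cvlan and %sysname as in the example below.
"""
from typing import Dict, List, Optional, Tuple

FormatTable = Dict[Tuple[int, Optional[int]], str]
KEYWORDS = ("%portname", "%svlan", "%cvlan", "%sysname")


def lookup_format(table: FormatTable, svlan: Optional[int],
                  cvlan: Optional[int]) -> Optional[str]:
    """Apply the matching rules to one view's table; None = do not encapsulate."""
    if svlan is None:
        return None                      # untagged: no VLAN ID to match
    if cvlan is not None:
        # Double-tagged: outer+inner first, then the inner tag alone,
        # then the outer tag alone.
        for key in ((svlan, cvlan), (cvlan, None), (svlan, None)):
            if key in table:
                return table[key]
        return None
    return table.get((svlan, None))      # single-tagged: outer tag only


def select_format(system: FormatTable, interface: FormatTable,
                  svlan: Optional[int], cvlan: Optional[int]) -> Optional[str]:
    """Interface-view configuration takes effect over system-view configuration."""
    chosen = lookup_format(interface, svlan, cvlan)
    return chosen if chosen is not None else lookup_format(system, svlan, cvlan)


def tokenize(template: str) -> List[Tuple[str, str]]:
    """Split a user-defined template into ("kw", keyword) and ("lit", char) tokens."""
    tokens, i = [], 0
    while i < len(template):
        kw = next((k for k in KEYWORDS if template.startswith(k, i)), None)
        if kw:
            tokens.append(("kw", kw))
            i += len(kw)
        else:
            tokens.append(("lit", template[i]))
            i += 1
    return tokens


def is_valid_template(template: str) -> bool:
    """Keywords need a separator between them, and the separator may not be a digit."""
    tokens = tokenize(template)
    for (kind, val), (next_kind, next_val) in zip(tokens, tokens[1:]):
        if kind == "kw" and next_kind == "kw":
            return False                 # e.g. "%svlan%cvlan"
        if kind == "kw" and next_kind == "lit" and next_val.isdigit():
            return False                 # e.g. "%svlan1%cvlan"
    return True


def render_user_defined(template: str, portname: str, svlan: int,
                        cvlan: Optional[int], sysname: str) -> str:
    """Fill in a user-defined circuit-id template (ASCII)."""
    if not is_valid_template(template):
        raise ValueError(f"invalid user-defined format: {template!r}")
    values = {"%portname": portname, "%svlan": str(svlan),
              "%cvlan": "" if cvlan is None else str(cvlan), "%sysname": sysname}
    return "".join(values[val] if kind == "kw" else val
                   for kind, val in tokenize(template))


# Constructed configuration: the system view has a rule for SVLAN 200 / CVLAN 100
# (user-defined), one for VLAN 100 alone (extend) and one for VLAN 300 (common);
# the interface view overrides SVLAN 200 / CVLAN 100 with common.
SYSTEM_VIEW: FormatTable = {
    (200, 100): "user-defined %portname:%svlan.%cvlan %sysname",
    (100, None): "extend",
    (300, None): "common",
}
INTERFACE_VIEW: FormatTable = {(200, 100): "common"}
```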
NOTE
Separators must be added between keywords; otherwise, they cannot be parsed. The
separators cannot be numbers.
Prerequisites
Example
# Configure the extended format for the remote-id field added to PPPoE packets.
<HUAWEI> system-view
[HUAWEI] pppoe intermediate-agent information enable
[HUAWEI] pppoe intermediate-agent information format remote-id extend
# Configure the user-defined format for the circuit-id field added to PPPoE
packets and encapsulate the port name, outer VLAN ID, inner VLAN ID, and host
name in ASCII format.
<HUAWEI> system-view
[HUAWEI] pppoe intermediate-agent information enable
[HUAWEI] pppoe intermediate-agent information format circuit-id user-defined "%portname:%svlan.%cvlan %sysname"
# Configure the extended format for the remote-id field added to PPPoE packets
on GE1/0/1.
<HUAWEI> system-view
[HUAWEI] pppoe intermediate-agent information enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] pppoe intermediate-agent information format remote-id extend
Format
pppoe intermediate-agent information ignore-reply { disable | enable }
undo pppoe intermediate-agent information ignore-reply
Parameters
Parameter Description Value
disable Indicates that the device processes PPPoE reply packets sent by the PPPoE server. -
enable Indicates that the device does not process PPPoE reply packets sent by the PPPoE server. -
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Generally, the device does not process PPPoE reply packets and forwards them
directly to the PPPoE client. Only when the PPPoE client cannot identify the PPPoE
packets that the device forwards directly does the device need to process the
PPPoE reply packets sent by the PPPoE server, to ensure communication between
the PPPoE server and PPPoE client. The PPPoE reply packets are processed as follows:
● When the policy for processing original fields in PPPoE packets is replace or
keep:
– If the PPPoE reply packets sent by the PPPoE server do not contain fields,
the device forwards the PPPoE reply packets directly.
– If the PPPoE reply packets sent by the PPPoE server contain fields whose
format and content are consistent with those of the fields added to the
user-side PPPoE packets, the device removes the original fields from the
PPPoE packets and forwards the packets. If the format and content differ
from those of the fields added to the user-side PPPoE packets, the device
forwards the PPPoE reply packets directly.
● When the policy for processing original fields in PPPoE packets is drop, the
device forwards the PPPoE packets directly.
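The reply-handling rules above, as an added example (not Huawei code) run over a constructed PADO-style tag list. The decision logic follows the text; the tag layout is the PPPoE TLV of RFC 2516, and the vendor-specific payload (4-byte vendor ID followed by 1-byte type / 1-byte length sub-tags, circuit-id 0x01 and remote-id 0x02) is the TR-101 convention assumed here, with the page's default vendor ID 2011.

```python
"""Toy model of how a PPPoE+ intermediate agent handles a PPPoE server reply.

Constructed example, not Huawei code.  The decision rules (ignore-reply,
replace/keep/drop policies, strip only fields that match what was added)
follow the text above.  The tag layout is the PPPoE TLV of RFC 2516 and the
vendor-specific payload is assumed to be a 4-byte vendor ID followed by
1-byte type / 1-byte length sub-tags (circuit-id 0x01, remote-id 0x02, the
TR-101 numbering); vendor ID 2011 is the page's default.
"""
import struct
from typing import Dict, List, Tuple

TAG_END_OF_LIST = 0x0000
TAG_AC_NAME = 0x0102
TAG_VENDOR_SPECIFIC = 0x0105
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 0x01, 0x02
DEFAULT_VENDOR_ID = 2011

Tags = List[Tuple[int, bytes]]
Fields = Dict[int, bytes]


def parse_tags(payload: bytes) -> Tags:
    """Parse the TAG list of a PPPoE discovery packet (type, length, value)."""
    tags, i = [], 0
    while i + 4 <= len(payload):
        ttype, tlen = struct.unpack_from("!HH", payload, i)
        i += 4
        if i + tlen > len(payload):
            raise ValueError("truncated PPPoE tag")
        tags.append((ttype, payload[i:i + tlen]))
        i += tlen
        if ttype == TAG_END_OF_LIST:
            break
    return tags


def build_tags(tags: Tags) -> bytes:
    """Serialise a TAG list back into the wire format."""
    return b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)


def parse_vendor_fields(value: bytes) -> Tuple[int, Fields]:
    """Split a Vendor-Specific tag value into (vendor id, {sub-type: value})."""
    if len(value) < 4:
        raise ValueError("vendor-specific tag too short")
    vendor_id = struct.unpack_from("!I", value, 0)[0]
    fields, i = {}, 4
    while i + 2 <= len(value):
        sub_type, sub_len = value[i], value[i + 1]
        i += 2
        if i + sub_len > len(value):
            raise ValueError("truncated vendor sub-tag")
        fields[sub_type] = value[i:i + sub_len]
        i += sub_len
    return vendor_id, fields


def build_vendor_tag(vendor_id: int, fields: Fields) -> bytes:
    """Build the value of a Vendor-Specific tag carrying circuit-id/remote-id."""
    body = struct.pack("!I", vendor_id)
    for sub_type, val in sorted(fields.items()):
        body += bytes([sub_type, len(val)]) + val
    return body


def process_server_reply(payload: bytes, policy: str, ignore_reply: bool,
                         added: Fields, vendor_id: int = DEFAULT_VENDOR_ID) -> bytes:
    """Return the tag payload forwarded toward the PPPoE client.

    ignore-reply enable, or policy drop: the reply is forwarded untouched.
    policy replace/keep: a vendor-specific tag whose vendor ID and fields are
    exactly those the agent added on the user side is removed; any other
    tag, or a reply without such fields, is forwarded as received."""
    if ignore_reply or policy == "drop":
        return payload
    if policy not in ("replace", "keep"):
        raise ValueError(f"unknown policy {policy!r}")
    kept: Tags = []
    for ttype, value in parse_tags(payload):
        if ttype == TAG_VENDOR_SPECIFIC and len(value) >= 4:
            vid, fields = parse_vendor_fields(value)
            if vid == vendor_id and fields == added:
                continue                 # our own fields echoed back: strip
        kept.append((ttype, value))
    return build_tags(kept)


# Constructed PADO-style reply: AC-Name, the fields the agent added (echoed
# back by the server), and End-Of-List.
ADDED: Fields = {SUB_CIRCUIT_ID: b"GigabitEthernet0/0/1:200.100",
                 SUB_REMOTE_ID: b"0022-0033-0044"}
SAMPLE_REPLY = build_tags([
    (TAG_AC_NAME, b"bras-1"),
    (TAG_VENDOR_SPECIFIC, build_vendor_tag(DEFAULT_VENDOR_ID, ADDED)),
    (TAG_END_OF_LIST, b""),
])
```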
Precautions
The pppoe intermediate-agent information ignore-reply command takes effect
only after PPPoE+ is enabled globally. To modify the configuration, disable PPPoE+
globally first.
If the device is configured to process the PPPoE reply packets sent by the PPPoE
server, the user access rate is reduced when the PPPoE server sends a large
number of PPPoE+ packets.
Example
# Configure the device to process PPPoE reply packets sent by the PPPoE server.
<HUAWEI> system-view
[HUAWEI] undo pppoe intermediate-agent information enable
[HUAWEI] pppoe intermediate-agent information ignore-reply disable
[HUAWEI] pppoe intermediate-agent information enable
Format
pppoe intermediate-agent information policy { drop | replace | keep }
undo pppoe intermediate-agent information policy
Parameters
Views
Ethernet interface view, GE interface view, XGE interface view, 25GE interface view,
MultiGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk
interface view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After the policy for processing original fields in user-side PPPoE packets is
configured, the device can add information about the interface connected to the
PPPoE client, such as the slot ID/subcard ID/interface number, VLAN ID, and MAC
address, to PPPoE packets. The user account and access interface information are
both authenticated, which prevents user account theft. If received PPPoE packets
contain fields related to the interface connected to the PPPoE client, the device
removes or retains the original fields as required.
You can run the pppoe intermediate-agent information policy (system view)
command to configure the PPPoE packet processing policy for all interfaces in the
system view. To use a different policy on a specified interface, run the pppoe
intermediate-agent information policy command. In this case, the policy for
processing PPPoE packets on the interface depends on the interface configuration.
Prerequisites
PPPoE+ has been enabled globally by running the pppoe intermediate-agent
information enable command.
Example
# Configure GE0/0/1 to replace original fields in the received PPPoE packets with
the circuit ID and remote ID of the local device.
<HUAWEI> system-view
[HUAWEI] pppoe intermediate-agent information enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] pppoe intermediate-agent information policy replace
Function
The pppoe intermediate-agent information policy command configures the
policy for all interfaces to process original fields in user-side PPPoE packets.
By default, the policy configured on all interfaces to process original fields in
user-side PPPoE packets is replace.
Format
pppoe intermediate-agent information policy { drop | replace | keep }
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After the policy for processing original fields in user-side PPPoE packets is
configured, the device can add information about the interface connected to the
PPPoE client, such as the slot ID/subcard ID/interface number, VLAN ID, and MAC
address, to PPPoE packets. The user account and access interface information are
both authenticated, which prevents user account theft. If received PPPoE packets
contain fields related to the interface connected to the PPPoE client, the device
removes or retains the original fields as required.
After the command is executed, the policy for processing PPPoE packets takes
effect on all interfaces. To configure a policy on a specified interface, run the
pppoe intermediate-agent information policy (interface view) command. In
this case, the policy for processing PPPoE packets on the interface depends on the
interface configuration.
Prerequisites
PPPoE+ has been enabled globally by running the pppoe intermediate-agent
information enable command.
Example
# Configure all interfaces to replace original fields in the received PPPoE packets
with the circuit ID and remote ID of the local device.
<HUAWEI> system-view
[HUAWEI] pppoe intermediate-agent information enable
[HUAWEI] pppoe intermediate-agent information policy replace
Format
pppoe intermediate-agent information vendor-id vendor-id
undo pppoe intermediate-agent information vendor-id
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After PPPoE+ is enabled, the device must negotiate with the PPPoE server using
PPPoE packets containing the vendor ID. By default, the device adds vendor ID
2011 to PPPoE packets. If the device is connected to a non-Huawei PPPoE server,
the vendor ID may not be 2011; for example, the vendor ID is 3561. In this case,
run the pppoe intermediate-agent information vendor-id vendor-id command
to set the vendor ID to be the same as that in PPPoE packets sent from the
non-Huawei PPPoE server.
Prerequisites
Example
# Set the vendor ID added to PPPoE packets to 3561.
<HUAWEI> system-view
[HUAWEI] pppoe intermediate-agent information enable
[HUAWEI] pppoe intermediate-agent information vendor-id 3561
Function
The pppoe uplink-port trusted command configures an interface as a trusted
interface.
Format
pppoe uplink-port trusted
undo pppoe uplink-port trusted
Parameters
None
Views
Ethernet interface view, GE interface view, XGE interface view, 25GE interface view,
MultiGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk
interface view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To prevent bogus PPPoE servers and the security risk caused by PPPoE packets
forwarded to non-PPPoE service interfaces, the interface connecting the device
and the PPPoE server must be configured as the trusted interface. Then PPPoE
protocol packets are forwarded to the PPPoE server through the trusted interface
only. In addition, only the PPPoE protocol packets received on the trusted interface
can be forwarded to the PPPoE client.
Prerequisites
PPPoE+ has been enabled globally by running the pppoe intermediate-agent
information enable command.
Precautions
The trusted interface controls PPPoE protocol packets at the PPPoE discovery stage
only. PPPoE service packets at the PPPoE session stage are not controlled.
If the trusted interface is configured on a device that has no ACL resources, the
system displays the message "Warning: Allocate acl resources failed." In this
case, the trusted interface fails to be configured.
Example
# Configure GE0/0/1 as the PPPoE trusted interface.
<HUAWEI> system-view
[HUAWEI] pppoe intermediate-agent information enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] pppoe uplink-port trusted
Function
The display dhcp static user-bind command displays information about a static
binding table.
Format
display dhcp static user-bind { { interface interface-type interface-number |
ip-address ip-address | mac-address mac-address | vlan vlan-id } * | all } [ verbose ]
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
This command is used to view information about a configured static binding table.
The information includes the IP address, MAC address, VLAN information, and
interface information.
Example
# Display information about the static binding table.
<HUAWEI> display dhcp static user-bind all
DHCP static Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
IP Address MAC Address VSI/VLAN(O/I/P) Interface
--------------------------------------------------------------------------------
10.1.1.1 00e0-fc02-0003 10 /-- /-- GE0/0/1
--------------------------------------------------------------------------------
Print count: 1 Total count: 1
Table 14-84 Description of the display dhcp static user-bind command output
Item Description
VSI Name of the VSI that the online user belongs to.
Format
display dhcpv6 static user-bind { { interface interface-type interface-number |
ipv6-address { ipv6-address | all } | mac-address mac-address | vlan vlan-id } * |
all } [ verbose ]
display dhcpv6 static user-bind ipv6-prefix { prefix/prefix-length | all }
[ verbose ]
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
This command is used to view information about a configured DHCPv6 static
binding table. The information includes the IPv6 address, MAC address, VLAN
information, and interface information. If prefix delegation (PD) users exist on the
network, the device generates an IPv6 prefix binding entry. The display dhcpv6
static user-bind ipv6-prefix command displays the static IPv6 prefix binding
entries.
Example
# Display the DHCPv6 static binding table.
<HUAWEI> display dhcpv6 static user-bind all
DHCPV6 static Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - map vlan
IP Address MAC Address VSI/VLAN(O/I/P)/(BD-VLAN) Interface
--------------------------------------------------------------------------------
fc00:1::1 0001-0002-0003 10 /-- /-- --
--------------------------------------------------------------------------------
Print count: 1 Total count: 1
Table 14-85 Description of the display dhcpv6 static user-bind command output
Function
The display ip source check user-bind command displays the IPSG
configurations.
Format
display ip source check user-bind interface interface-type interface-number
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The display ip source check user-bind command displays the IP packet check
configuration on an interface, including IP packet check items and the alarm
function of IP packet check.
Example
# Display the IP packet check configuration on GE0/0/1.
<HUAWEI> display ip source check user-bind interface gigabitethernet 0/0/1
ipv4 source check user-bind enable
ipv6 source check user-bind enable
ip source check user-bind check-item ip-address
ip source check user-bind alarm enable
ip source check user-bind alarm threshold 200
Table 14-86 Description of the display ip source check user-bind command output
Format
display mac-address snooping [ interface-type interface-number | vlan vlan-id ] *
[ verbose ]
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
When you run the user-bind ip sticky-mac command in the interface view, the
device generates snooping MAC address entries based on the snooping binding
table. A snooping MAC address entry includes the user MAC address and VLAN ID.
The display mac-address snooping command displays snooping MAC address
entries generated based on the snooping binding table. If no interface or VLAN is
specified, all the snooping MAC address entries generated based on the snooping
binding table are displayed.
Example
# Display the snooping MAC address entries generated based on the snooping
binding table on the device.
<HUAWEI> display mac-address snooping
-------------------------------------------------------------------------------
MAC Address VLAN/VSI/BD Learned-From Type
-------------------------------------------------------------------------------
00e0-fc02-0602 10/-/- GE0/0/1 snooping
-------------------------------------------------------------------------------
Total items displayed = 1
Function
The ip anti-attack source-ip equals destination-ip drop command enables the
device to discard IP packets with the same source and destination IP addresses.
By default, the device does not discard IP packets with the same source and
destination IP addresses.
NOTE
Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S1730S-H, S2730S-S, S5735-L-I,
S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S, S5735-S-I,
S6735-S, S6720-EI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support this
command.
Format
ip anti-attack source-ip equals destination-ip drop
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Generally, IP packets with the same source and destination IP addresses can be
forwarded. When you determine that the IP packets are attack packets, you can
use the ip anti-attack source-ip equals destination-ip drop command to enable
the device to discard the IP packets.
Example
# Enable the device to discard IP packets with the same source and destination IP
addresses.
<HUAWEI> system-view
[HUAWEI] ip anti-attack source-ip equals destination-ip drop
Format
ip source check user-bind alarm enable
undo ip source check user-bind alarm enable
Parameters
None
Views
VLAN view, Ethernet interface view, GE interface view, XGE interface view, 25GE
interface view, MultiGE interface view, 40GE interface view, 100GE interface view,
Eth-Trunk interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The ip source check user-bind alarm enable command enables the log and
alarm function for IP packet check. If the number of discarded packets reaches the
threshold, the device sends an alarm to the NMS device.
Prerequisites
IP packet check has been enabled using the ip source check user-bind enable
command on the interface.
Follow-up Procedure
Run the ip source check user-bind alarm threshold command to set the alarm
threshold.
Precautions
If the alarm function of IP packet check is enabled both in the VLAN view and in
the view of the interface added to the VLAN, it takes effect in the view where it
was first enabled. To change the order in which the function takes effect, disable it
in the view where it has taken effect, and then enable it in the desired view.
Example
# Enable the alarm function for IP packet check on GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind enable
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind alarm enable
Format
ip source check user-bind alarm threshold threshold
undo ip source check user-bind alarm threshold
Parameters
Parameter Description Value
threshold Specifies an alarm threshold for IP packet check. The value is an integer that ranges from 1 to 1000.
Views
VLAN view, Ethernet interface view, GE interface view, XGE interface view, 25GE
interface view, MultiGE interface view, 40GE interface view, 100GE interface view,
Eth-Trunk interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After the alarm function of IP packet check is enabled, run the ip source check
user-bind alarm threshold command to set the alarm threshold for IP packet
check.
Prerequisites
The alarm function of IP packet check has been enabled using the ip source check
user-bind alarm enable command.
Example
# Set the alarm threshold for IP packet check to 200 on GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind enable
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind alarm enable
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind alarm threshold 200
Format
ip source check user-bind check-item { ip-address | mac-address | vlan } *
Parameters
Parameter Description Value
ip-address Checks whether the IP address of an IP packet matches a binding entry. -
mac-address Checks whether the MAC address of an IP packet matches a binding entry. -
vlan Checks whether VLAN information of an IP packet matches a binding entry. -
Views
VLAN view, Ethernet interface view, GE interface view, XGE interface view, 25GE
interface view, MultiGE interface view, 40GE interface view, 100GE interface view,
Eth-Trunk interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When you check an IP packet against the binding table, run the ip source check
user-bind check-item (interface view) command to specify items in the IP
packet to be checked on a specified interface. When the device receives an IP
packet, it checks the items against the binding table. Only packets that match the
binding entries can be forwarded; otherwise, packets are discarded. The optional
check items of an IP packet contain the source IP address, source MAC address,
and VLAN information. Interface information is a mandatory check item.
Prerequisites
IP packet check has been enabled using the ip source check user-bind enable
command in the interface view.
Precautions
When a large number of binding entries exist, it may take a long time to check IP
packets, reducing forwarding efficiency.
This command is valid only for dynamic binding entries. The device checks the
received packets against entries in the static binding table.
Example
# Enable IP packet check on GE0/0/1 to check whether the IP address in the IP
packet matches the binding entry.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind enable
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind check-item ip-address
Format
ip source check user-bind check-item { ip-address | mac-address | interface } *
Parameters
Parameter Description Value
ip-address Checks whether the IP address of an IP packet matches a binding entry. -
mac-address Checks whether the MAC address of an IP packet matches a binding entry. -
interface Checks whether interface information of an IP packet matches a binding entry. -
Views
VLAN view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When you check an IP packet against the binding table, run the ip source check
user-bind check-item (VLAN view) command to configure IP packet check items
in a specified VLAN. When the device receives an IP packet, it checks the items
against the binding table. Only packets that match the binding entries can be
forwarded; otherwise, packets are discarded. The optional check items of an IP
packet contain the source IP address, source MAC address, and interface
information. VLAN information is a mandatory check item.
Prerequisites
IP packet check has been enabled using the ip source check user-bind enable
command in the VLAN view.
Precautions
When a large number of binding entries exist, it may take a long time to check IP
packets, reducing forwarding efficiency.
This command is valid only for dynamic binding entries. The device checks the
received packets against entries in the static binding table.
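The check-item logic of both the interface view and the VLAN view (interface mandatory in the former, VLAN in the latter), together with the alarm threshold described for the ip source check user-bind alarm commands, as one added example (not Huawei code). The binding-table records and packets are constructed; treating a static entry as matched on every field it was configured with is an assumption made here.

```python
"""Toy model of IP source guard (IPSG) packet check against a binding table.

Constructed example, not Huawei code.  The check items, the mandatory item
per view (interface in the interface view, VLAN in the VLAN view), the
"forward only on a match" rule and the alarm threshold follow the text;
the binding-table records, the packets and the treatment of static entries
(every configured field is compared) are assumptions made here.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple

VALID_ITEMS = {"ip-address", "mac-address", "vlan", "interface"}


@dataclass(frozen=True)
class Binding:
    """One binding-table entry (DHCP/ND snooping or user-bind static)."""
    ip: Optional[str]
    mac: Optional[str]
    vlan: Optional[int]
    interface: Optional[str]
    dynamic: bool = True


@dataclass(frozen=True)
class Packet:
    """The fields of a received IP packet that IPSG can check."""
    src_ip: str
    src_mac: str
    vlan: int
    interface: str


@dataclass
class IpsgPolicy:
    """ip source check user-bind ... configuration in one view."""
    view: str                               # "interface" or "vlan"
    check_items: Set[str]                   # configured optional items
    alarm_threshold: Optional[int] = None   # None: alarm function disabled
    discarded: int = 0

    def __post_init__(self) -> None:
        if self.view not in ("interface", "vlan"):
            raise ValueError("view must be 'interface' or 'vlan'")
        if not self.check_items <= VALID_ITEMS:
            raise ValueError(f"unknown check item in {self.check_items}")
        # The view's own key is always checked, whatever is configured.
        mandatory = "interface" if self.view == "interface" else "vlan"
        self.check_items = set(self.check_items) | {mandatory}
        if self.alarm_threshold is not None and not 1 <= self.alarm_threshold <= 1000:
            raise ValueError("alarm threshold ranges from 1 to 1000")


def _entry_matches(entry: Binding, pkt: Packet, items: Set[str]) -> bool:
    """Compare the selected items of one entry with the packet."""
    comparisons = {
        "ip-address": entry.ip == pkt.src_ip,
        "mac-address": (entry.mac or "").lower() == pkt.src_mac.lower(),
        "vlan": entry.vlan == pkt.vlan,
        "interface": entry.interface == pkt.interface,
    }
    return all(comparisons[item] for item in items)


def _items_for(entry: Binding, policy: IpsgPolicy) -> Set[str]:
    """check-item applies to dynamic entries; a static entry is checked on
    every field it was configured with (assumption, see lead-in)."""
    if entry.dynamic:
        return policy.check_items
    present = {
        "ip-address": entry.ip is not None,
        "mac-address": entry.mac is not None,
        "vlan": entry.vlan is not None,
        "interface": entry.interface is not None,
    }
    return {item for item, configured in present.items() if configured}


def check_packet(policy: IpsgPolicy, table: Iterable[Binding],
                 pkt: Packet) -> Tuple[bool, bool]:
    """Return (forward, alarm): forward only if some binding entry matches;
    alarm fires when the discard count reaches the configured threshold."""
    forward = any(_entry_matches(e, pkt, _items_for(e, policy)) for e in table)
    if forward:
        return True, False
    policy.discarded += 1
    alarm = (policy.alarm_threshold is not None
             and policy.discarded == policy.alarm_threshold)
    return False, alarm


# Constructed binding table: one dynamic (snooping) entry and one static
# entry configured with an IP address and VLAN only.
TABLE = [
    Binding("10.1.1.1", "00e0-fc02-0003", 10, "GE0/0/1", dynamic=True),
    Binding("10.1.1.20", None, 2, None, dynamic=False),
]
```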
Example
# Enable IP packet check in VLAN 100 and check whether the IP address in the IP
packet matches the binding entry.
<HUAWEI> system-view
[HUAWEI] vlan 100
[HUAWEI-vlan100] ip source check user-bind enable
[HUAWEI-vlan100] ip source check user-bind check-item ip-address
Format
ip source check user-bind enable
undo ip source check user-bind enable
ipv4 source check user-bind enable
undo ipv4 source check user-bind enable
ipv6 source check user-bind enable
undo ipv6 source check user-bind enable
Parameters
None
Views
VLAN view, Ethernet interface view, GE interface view, XGE interface view, 25GE
interface view, MultiGE interface view, 40GE interface view, 100GE interface view,
Eth-Trunk interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Unauthorized users often send bogus packets with the source IP address and MAC
address of authorized users to access or attack the network. As a result,
authorized users cannot access the network stably and securely. To address this
problem, you can configure IP packet check.
When IP packet check is enabled, the device checks the IP address, MAC address,
VLAN information, and interface information against the binding table. You can
run the ip source check user-bind check-item (interface view) or ip source check
user-bind check-item (VLAN view) command to specify IP packet check items. Only
packets that match the binding entries can be forwarded; otherwise, packets are
discarded.
Prerequisites
IP packet check is based on the binding table. Therefore:
● The dynamic DHCP snooping binding table has been generated for DHCP
users.
● The static binding table has been configured manually for users using static IP
addresses.
● The dynamic ND snooping binding table has been generated for users
dynamically obtaining IPv6 addresses through Stateless Address
Autoconfiguration.
Precautions
After IP packet check is enabled using the ip source check user-bind enable
command, the device checks the source IPv4 and IPv6 addresses of users' IP
packets. The configuration file is displayed as follows:
ipv4 source check user-bind enable
ipv6 source check user-bind enable
To check only IPv4 or IPv6 packets, run the ipv4 source check user-bind enable
or ipv6 source check user-bind enable command.
Example
# Enable IPv4 and IPv6 packet check on GE0/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind enable
Format
user-bind static { { { ip-address | ipv6-address } { start-ip [ to end-ip ] } &<1-10> | ipv6-prefix prefix/prefix-length } | mac-address mac-address } * [ interface interface-type interface-number ] [ vlan vlan-id [ ce-vlan ce-vlan-id ] ]
undo user-bind static [ { ip-address { start-ip [ to end-ip ] } &<1-10> | ipv6-address [ start-ip [ to end-ip ] ] &<1-10> | ipv6-prefix [ prefix/prefix-length ] } | mac-address mac-address | interface interface-type interface-number | vlan vlan-id [ ce-vlan ce-vlan-id ] ] *
Parameters
Parameter Description Value
interface interface-type interface-number Specifies the interface connected to a user in a static binding entry. -
● interface-type specifies the interface type.
● interface-number specifies the interface number.
ip-address Indicates the static IPv4 address. -
ipv6-address Indicates the static IPv6 address. -
start-ip [ to end-ip ] Specifies the user IP address in a static binding entry. The IPv4 address is in dotted decimal notation in the format of X.X.X.X. The IPv6 address is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X.
● start-ip specifies the first IP address.
● to end-ip specifies the last IP address. The value of end-ip must be larger than the value of start-ip. start-ip and end-ip identify a VLAN range.
If to end-ip is not specified, only the start IP address is added to the static binding entry.
You can specify a maximum of 10 VLAN ranges at a time. The entered VLAN ranges cannot overlap.
vlan vlan-id Specifies the user VLAN ID in a static binding entry. The value is an integer that ranges from 1 to 4094.
ce-vlan ce-vlan-id Specifies the inner VLAN tag of a QinQ packet in a static binding entry. The value is an integer that ranges from 1 to 4094.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When DHCP snooping is enabled, a dynamic binding table is automatically
generated for dynamic users. However, a static binding table cannot be generated
for static users. If IP source guard is enabled but no static binding table is
available, the device discards all static users' forwarding packets. To enable the
device to forward static users' packets, run the user-bind static command to
configure a static binding table.
Precautions
After a static binding table is configured and IP source guard is enabled, the
device performs a match check on IP packets based on the configured binding
entries. If the match check fails, the device discards the IP packets.
Example
# Configure a static binding entry for a user in VLAN 2 with the IP address
10.1.1.1.
<HUAWEI> system-view
[HUAWEI] user-bind static ip-address 10.1.1.1 vlan 2
Format
user-bind ip sticky-mac
undo user-bind ip sticky-mac
Parameters
None
Views
VLAN view, Ethernet interface view, GE interface view, XGE interface view, 25GE
interface view, MultiGE interface view, 40GE interface view, 100GE interface view,
Eth-Trunk interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To prevent the users with unauthorized MAC addresses from attacking the
network, run the user-bind ip sticky-mac command to configure the device to
generate snooping MAC entries on the interface that is prone to attack. After the
device is configured to generate snooping MAC entries, it translates the dynamic
MAC entries learned by the interface into snooping MAC entries (snooping MAC
entries are a type of static MAC entries) based on the DHCP snooping binding
table and ND snooping binding table, or generates snooping MAC entries based
on the static binding entries.
After the configuration is complete, the interface forwards only the IP packets of
which the source MAC addresses are included in the static MAC entries (static and
snooping), and discards other IP packets.
Prerequisites
Before using the user-bind ip sticky-mac command, ensure that the DHCP
snooping function has been enabled by the dhcp snooping enable command.
Example
# Configure the GE0/0/1 interface to generate snooping MAC entries based on the
snooping binding table.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] user-bind ip sticky-mac
Function
The savi max dad-delay command sets the time for listening to an NA packet
responding to address conflicts.
The undo savi max dad-delay command restores the default setting.
Format
savi max dad-delay value
Parameters
value
  Description: Specifies the time for listening to an NA packet responding to address conflicts.
  Value: The value is an integer that ranges from 1 to 100, in seconds.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The savi max dad-delay command is applicable only for SLAAC-Only scenarios
and DHCPv6+SLAAC scenarios.
● In SLAAC-Only scenarios:
When obtaining an IP address in SLAAC mode, an ND client generates the
IPv6 address based on the prefix in the RA packet. After the IPv6 address is
generated, the ND client sends an NS packet to check whether duplicate
addresses exist on the network. When detecting the NS packet in the DAD
process from the ND client, the device generates an ND snooping entry, sets
the entry to the detect state, and listens to the mapping NA packet.
– If a mapping NA packet is detected in the configured listening period,
IPv6 address conflict occurs and the device deletes this ND snooping
entry.
– If no mapping NA packet is detected in the configured listening period,
the IPv6 address is available and the device sets the ND snooping entry
to the bound state. The device deletes the ND snooping entry only when
the entry ages out. If automatic user status detection for users mapping
ND snooping dynamic binding entries is enabled using the nd user-bind
detect enable command on the device, and no NA packet is returned
from the user after NS packets are sent for times configured using the nd
user-bind detect retransmit retransmit-times interval retransmit-
interval command, the device considers the user to be offline and deletes
the mapping ND snooping entry.
● In DHCPv6+SLAAC scenarios:
– The procedure for processing packets by SAVI in SLAAC mode is the same
as that in SLAAC-Only scenarios.
– When obtaining an IP address in DHCPv6 mode, a DHCPv6 client may
send an NS packet to check whether duplicate addresses exist on the
network. When detecting the NS packet in the DAD process from the
DHCPv6 client, the device sets the mapping DHCPv6 snooping entry to
the detect state, and listens to the mapping NA packet.
Example
# Set the time for listening to an NA packet responding to address conflicts to 5
seconds.
<HUAWEI> system-view
[HUAWEI] savi enable
[HUAWEI] savi max dad-delay 5
Format
savi max dad-prepare-delay value
undo savi max dad-prepare-delay
Parameters
value
  Description: Specifies the time for listening to the duplicate address detection performed by the DHCPv6 client.
  Value: The value is an integer that ranges from 1 to 100, in seconds.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The savi max dad-prepare-delay command is applicable only for DHCPv6-Only
scenarios and DHCPv6+SLAAC scenarios.
After detecting that the DHCPv6 client obtains the IPv6 address, the device detects
whether the DHCPv6 client sends an NS packet for duplicate address detection.
● In DHCPv6-Only scenarios:
– If no NS packet in the DAD process is detected in the configured listening
period, the device sets the DHCPv6 snooping entry to the bound state. This
indicates that the DHCPv6 client does not perform duplicate address
detection on the obtained IPv6 address, or that no duplicate IPv6 address
exists.
– If an NS packet in the DAD process is detected in the configured listening
period, the device does not change the status of the mapping DHCPv6
snooping entry. The device sets the DHCPv6 snooping entry to the bound
state only when the listening period expires.
In DHCPv6-Only scenarios, when detecting the DHCPv6 Decline packet or
DHCPv6 Release packet from the DHCPv6 client, the device deletes the
corresponding DHCPv6 snooping entry.
● In DHCPv6+SLAAC scenarios:
– If no NS packet in the DAD process is detected in the configured listening
period, the device sets the DHCPv6 snooping or ND snooping entry to the
bound state. It indicates that the client does not perform the duplicate
address detection on the obtained IPv6 address or no duplicate IPv6
address exists, and the client can use this IPv6 address.
– If an NS packet in the DAD process is detected in the configured listening
period, the device sets the mapping DHCPv6 snooping or ND snooping
entry to the detection state, and listens to the mapping NA packet. For
the listening method, see savi max dad-delay.
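The two listening periods described in this entry and in savi max dad-delay above, written out as an added state model that is not Huawei code. The event log, timings and the state names prepare/detect/bound are constructed or assumed (the page names only the detect and bound states); the model follows the DHCPv6+SLAAC behaviour, where an NS seen inside dad-prepare-delay moves the entry into the detect state.

```python
"""SAVI binding-entry state model: dad-prepare-delay waits for the DHCPv6
client's NS, dad-delay waits for a conflicting NA. Constructed example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PREPARE, DETECT, BOUND, NONE = "prepare", "detect", "bound", "none"


@dataclass
class Entry:
    address: str
    source: str                  # "nd" (SLAAC client) or "dhcpv6"
    state: str
    deadline: Optional[float]    # end of the current listening period, None once bound


class SaviTable:
    def __init__(self, dad_delay: float, dad_prepare_delay: float):
        self.dad_delay = dad_delay                   # savi max dad-delay (seconds)
        self.dad_prepare_delay = dad_prepare_delay   # savi max dad-prepare-delay (seconds)
        self.entries: Dict[str, Entry] = {}

    def _expire(self, now: float) -> None:
        """A listening period that ends without the awaited packet means bound:
        no NA inside dad-delay -> the address is free; no NS inside
        dad-prepare-delay -> the DHCPv6 client skipped DAD."""
        for e in self.entries.values():
            if e.deadline is not None and now >= e.deadline:
                e.state, e.deadline = BOUND, None

    def on_event(self, now: float, kind: str, address: str) -> None:
        self._expire(now)
        e = self.entries.get(address)
        if kind == "dhcpv6_assigned":
            # DHCPv6 handed out an address: listen dad-prepare-delay for the client's NS.
            self.entries[address] = Entry(address, "dhcpv6", PREPARE,
                                          now + self.dad_prepare_delay)
        elif kind == "ns":
            if e is None:
                # SLAAC client doing DAD: create an ND snooping entry, listen for an NA.
                self.entries[address] = Entry(address, "nd", DETECT, now + self.dad_delay)
            elif e.state == PREPARE:
                # DHCPv6 client does perform DAD: switch to waiting dad-delay for an NA.
                e.state, e.deadline = DETECT, now + self.dad_delay
        elif kind == "na":
            if e is not None and e.state == DETECT:
                # Another host answered the NS: address conflict, entry deleted.
                del self.entries[address]
        elif kind in ("dhcpv6_decline", "dhcpv6_release"):
            if e is not None and e.source == "dhcpv6":
                del self.entries[address]

    def state_of(self, now: float, address: str) -> str:
        self._expire(now)
        e = self.entries.get(address)
        return e.state if e else NONE


def replay(events: List[Tuple[float, str, str]], at: float,
           dad_delay: float = 5.0, dad_prepare_delay: float = 5.0) -> Dict[str, str]:
    """Feed the events that happened up to `at` and report each address's state then."""
    table = SaviTable(dad_delay, dad_prepare_delay)
    for now, kind, address in events:
        if now <= at:
            table.on_event(now, kind, address)
    return {addr: table.state_of(at, addr) for _, _, addr in events}


# Constructed, time-ordered event log: (seconds, event, address). 2001:db8::/32
# is the IPv6 documentation prefix.
EVENTS = [
    (0.0, "ns", "2001:db8::10"),               # SLAAC client, nobody answers
    (1.0, "ns", "2001:db8::20"),               # SLAAC client ...
    (2.0, "dhcpv6_assigned", "2001:db8::30"),  # DHCPv6 client that never sends an NS
    (2.0, "dhcpv6_assigned", "2001:db8::40"),  # DHCPv6 client that does DAD ...
    (3.0, "na", "2001:db8::20"),               # ... conflicting NA for ::20 arrives in time
    (4.0, "ns", "2001:db8::40"),
    (6.0, "na", "2001:db8::40"),               # ... and ::40 turns out to be a duplicate
]

if __name__ == "__main__":
    for t in (4.5, 10.0):
        print(f"t={t}:", replay(EVENTS, at=t))
```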
Prerequisites
The SAVI function has been enabled using the savi enable command.
Precautions
This command is used together with ND snooping and DHCPv6 snooping.
Example
# Set the time for listening to the duplicate address detection performed by the
DHCPv6 client to 5 seconds.
<HUAWEI> system-view
[HUAWEI] savi enable
[HUAWEI] savi max dad-prepare-delay 5
Function
The savi max-binding-table command sets the maximum number of SAVI
binding entries on an interface.
The undo savi max-binding-table command restores the default maximum
number of SAVI binding entries on an interface.
By default, the maximum number of SAVI binding entries is the same as the
number of binding entries supported by the device.
Format
savi max-binding-table max-number
Parameters
Views
Ethernet interface view, GE interface view, XGE interface view, 25GE interface view,
MultiGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk
interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
An SAVI binding table is a set of the ND snooping binding table and DHCPv6
snooping binding table. When the sum of ND snooping binding entries and
DHCPv6 snooping binding entries on an interface reaches the configured
maximum number of SAVI binding entries, subsequent users cannot connect to
the network. After the maximum number of SAVI binding entries is set, the device
no longer has to process large numbers of ND and DHCPv6 packets with invalid
source addresses, which defends against attacks.
Prerequisites
Ensure that SAVI has been enabled globally using the savi enable command.
Example
# Set the maximum number of SAVI binding entries on the GE0/0/1 to 8.
<HUAWEI> system-view
[HUAWEI] savi enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] savi max-binding-table 8
Format
savi enable
undo savi enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After the SAVI function is enabled, the device checks the validity of the source
addresses in the ND, DHCPv6, and IPv6 data packets based on the bindings
between IP addresses and ports and filters out invalid packets. The bindings
between IP addresses and ports are generated based on ND snooping and
DHCPv6 snooping.
Precautions
The SAVI function must be used together with ND snooping, DHCPv6 snooping, or
IP source guard.
After the SAVI function is enabled, only when both ND snooping and IP source
guard are enabled or both DHCPv6 snooping and IP source guard are enabled on
an interface, the device checks the validity of the source addresses in IPv6 data
packets received on this interface.
Example
# Enable the SAVI function.
<HUAWEI> system-view
[HUAWEI] savi enable
Function
The urpf command enables URPF on an interface and configures the URPF mode.
NOTE
Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S5735-S, S5735S-S, S5735-S-I,
S6735-S, S6720-EI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support this
command.
For the S6735-S, S6720-EI, and S6720S-EI, only Layer 2 Ethernet interfaces support URPF
strict check.
Format
urpf { loose | strict } [ allow-default-route ]
undo urpf
Parameters
Views
Interface view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
A Denial of Service (DoS) attack disables users from connecting to a server. DoS
attacks aim to occupy many resources by sending a large number of connection
requests to a specified server. The attacked server cannot respond to authorized
users.
URPF searches for the route to the source IP address in the routing table based on
the source IP address of the packet, and checks whether the inbound interface of
the packet is the same as the outbound interface of the route. If no route to the
source IP address of the packet exists in the routing table, or the inbound interface
of the packet is different from the outbound interface of the route, the packet is
discarded. This prevents IP spoofing attacks, especially DoS attacks with bogus
source IP address.
In a complicated networking environment, asymmetric routes may exist. That is,
the routes recorded on the local end and remote end are different. A URPF-
enabled device on this network may discard the packets transmitted along the
correct path, but forward the packets transmitted along incorrect paths. The
device provides the following two URPF modes to solve this problem:
● Strict mode
In strict mode, a packet passes the check only when the device has a route to
the source IP address of the packet in the routing table, and the inbound
interface of the packet should be the same as the outbound interface of the
route.
If route symmetry is ensured, you are advised to use the URPF strict mode.
For example, if there is only one path between two network edge devices,
URPF strict mode can be used to ensure network security.
● Loose mode
In loose mode, a packet passes the check as long as the device has a route to
the source IP address of the packet in the routing table, and the inbound
interface of the packet is not required to be the same as the outbound
interface of the route.
If route symmetry is not ensured, you are advised to use the URPF loose
mode. For example, if there are multiple paths between two network edge
devices, URPF loose mode can be used to ensure network security and prevent
the packets transmitted along the correct path from being discarded.
Prerequisites
For the S5735-S, S5735S-S, S5735-S-I, S6735-S, S6720-EI, and S6720S-EI,
configurations on the interface take effect only after global URPF is enabled using
the urpf command.
Precautions
In the Eth-Trunk interface view, this command conflicts with the service type
tunnel, service type multicast-tunnel, or service type vxlan-tunnel command
and cannot be run in the same Eth-Trunk interface view.
For the S6720-EI, S6735-S and S6720S-EI, even if no default route is configured,
the urpf loose allow-default-route command takes effect when the resource
allocation mode is set to enhanced-ipv4 or ipv4-ipv6 6:1 using the assign
resource-mode command. The device allows the route to the source IP address of
the packet to be configured as the default route during the URPF loose check.
For the S5735-S-I, only URPF check in loose mode is supported. For the S5735-S
and S5735S-S, V200R019C10 and later versions support only URPF check in loose
mode. If URPF check in strict mode is configured in V200R019C00, the
configuration will be changed to URPF check in loose mode after the version is
upgraded to V200R019C10 or later.
Example
# Enable URPF strict check on a Layer 2 interface GE0/0/1 and allow the route to
the source IP address of the packet to be configured as the default route.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] urpf strict allow-default-route
# Enable URPF loose check on a Layer 3 interface GE0/0/2 and allow the route to
the source IP address of the packet to be configured as the default route.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/2
[HUAWEI-GigabitEthernet0/0/2] undo portswitch
[HUAWEI-GigabitEthernet0/0/2] urpf loose allow-default-route
Function
The urpf command enables global URPF.
NOTE
Only S5720I-SI, S5735-S, S5735S-S, S5735-S-I, S5735S-H, S5736-S, S6735-S, S6720-EI, and
S6720S-EI support this command.
Format
For S5720I-SI, S5735S-H, and S5736-S:
Parameters
slot slot-id
  Description: Specifies the slot ID if stacking is not configured, or the stack ID if stacking is configured.
  Value: Set the value according to the device configuration.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
A Denial of Service (DoS) attack disables users from connecting to a server. DoS
attacks aim to occupy many resources by sending a large number of connection
requests to a specified server. The attacked server cannot respond to authorized
users.
URPF searches for the route to the source IP address in the routing table based on
the source IP address of the packet, and checks whether the inbound interface of
the packet is the same as the outbound interface of the route. If no route to the
source IP address of the packet exists in the routing table, or the inbound interface
of the packet is different from the outbound interface of the route, the packet is
discarded. This prevents IP spoofing attacks, especially DoS attacks with bogus
source IP address.
● Strict mode
In strict mode, a packet passes the check only when the device has a route to
the source IP address of the packet in the routing table, and the inbound
interface of the packet should be the same as the outbound interface of the
route.
If route symmetry is ensured, you are advised to use the URPF strict mode.
For example, if there is only one path between two network edge devices,
URPF strict mode can be used to ensure network security.
● Loose mode
In loose mode, a packet passes the check as long as the device has a route to
the source IP address of the packet in the routing table, and the inbound
interface of the packet is not required to be the same as the outbound
interface of the route.
If route symmetry is not ensured, you are advised to use the URPF loose
mode. For example, if there are multiple paths between two network edge
devices, URPF loose mode can be used to ensure network security and prevent
the packets transmitted along the correct path from being discarded.
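The strict and loose checks explained in this entry and in the urpf (interface view) entry above, written out as an added example that is not Huawei code. The routing table, interface names and packets are constructed; the allow-default-route keyword is modelled as "a match on the default route counts as a route to the source", the common reading of that keyword, and real devices consult the FIB rather than a list.

```python
"""URPF strict/loose source-address check over a constructed routing table."""
import ipaddress
from typing import List, Optional, Sequence, Tuple

Route = Tuple[str, str]          # (prefix, outbound interface)

# Constructed sample table with an asymmetric spot: 10.2.5.0/24 leaves via a
# different interface than its covering /16, and a default route is present.
ROUTES: List[Route] = [
    ("10.1.0.0/16", "GE0/0/1"),
    ("10.2.0.0/16", "GE0/0/2"),
    ("10.2.5.0/24", "GE0/0/3"),
    ("0.0.0.0/0", "GE0/0/4"),
]


def lookup(table: Sequence[Route], src: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match on the packet's *source* address (URPF looks up the
    source, not the destination)."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(table: Sequence[Route], src: str, in_iface: str,
               mode: str = "strict", allow_default_route: bool = False) -> bool:
    """True if the packet passes URPF and is forwarded, False if it is discarded."""
    match = lookup(table, src)
    if match is None:
        return False                        # no route back to the source
    net, out_iface = match
    if net.prefixlen == 0 and not allow_default_route:
        return False                        # only the default route covers the source
    if mode == "loose":
        return True                         # a route exists; interface is not compared
    if mode == "strict":
        return out_iface == in_iface        # inbound must equal the route's outbound
    raise ValueError(f"unknown URPF mode {mode!r}")


def filter_packets(table: Sequence[Route], packets: Sequence[Tuple[str, str]],
                   mode: str, allow_default_route: bool = False) -> List[Tuple[str, str]]:
    """Return the (source, inbound interface) packets that survive the check."""
    return [p for p in packets if urpf_check(table, p[0], p[1], mode, allow_default_route)]


if __name__ == "__main__":
    # Constructed packets: the third arrives on an interface that is not the
    # route's outbound interface; the last has a source only the default route covers.
    PACKETS = [("10.1.2.3", "GE0/0/1"), ("10.2.5.9", "GE0/0/3"),
               ("10.2.5.9", "GE0/0/2"), ("192.168.1.1", "GE0/0/4")]
    print("strict        :", filter_packets(ROUTES, PACKETS, "strict"))
    print("loose         :", filter_packets(ROUTES, PACKETS, "loose"))
    print("loose+default :", filter_packets(ROUTES, PACKETS, "loose", True))
```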
Precautions
● Enabling or disabling global URPF will affect packet forwarding in a short
period of time.
● The S5720I-SI, S5735S-H, and S5736-S only support URPF strict check.
● For the S5720I-SI, S5735S-H, and S5736-S, after a stack is set up, if slot slot-id
is not specified when the urpf (system view) command is executed, URPF
takes effect only on the master switch.
● For the S6720-EI and S6720S-EI, the number of FIB entries is reduced by half
if URPF is enabled. You are advised to enable URPF before services are
deployed. If you need to enable URPF after services are deployed, configure
URPF when less traffic is transmitted and ensure that network requirements
are still met when the number of FIB entries is reduced by half.
● If both the urpf slot slot-id and urpf slot slot-id based-logic-port commands
are executed, the last configured one takes effect.
Follow-up Procedure
For the S5735-S, S5735S-S, S5735-S-I, S6735-S, S6720-EI, and S6720S-EI, run the
urpf(interface view) command to enable URPF on an interface and configure the
URPF mode.
Example
# Enable global URPF on the device.
<HUAWEI> system-view
[HUAWEI] urpf slot 0
Warning: Changing the global URPF status may interrupt some services for several seconds and FIB entries
supported may be reduced. Continue? [Y/N]:y
14.15.2 algorithm
Function
The algorithm command configures the authentication algorithm of a key.
Format
algorithm { hmac-md5 | hmac-sha-256 | hmac-sha1-12 | hmac-sha1-20 | md5 | sha-1 | sha-256 | simple | sm3 }
undo algorithm
Parameters
Views
Key-ID view
Default Level
2: Configuration Level
Usage Guidelines
Usage Scenario
If the length of an entered message is less than 512 bits, 0s are added to make up a
512-bit message. If the length of an entered message is greater than 512 bits, the
message is converted into a 128-bit message based on the MD5 algorithm. Then, 0s
are added to make up a 512-bit message.
● HMAC-SHA1-12: The 160-bit HMAC-SHA1-12 message digest is calculated
based on the 512-bit message that is converted from the entered message of
any length. The leftmost 96 bits (12 x 8) are used as the authentication code.
● HMAC-SHA1-20: The 160-bit HMAC-SHA1-20 message digest is calculated
based on the 512-bit message that is converted from the entered message of
any length. All the 160 bits are used as the authentication code.
● SHA-256: The 256-bit SHA-2 message digest is calculated based on the
entered message with the length shorter than the 64th power of 2.
● HMAC-SHA-256: The 256-bit HMAC-SHA-256 message digest is calculated
based on the 512-bit message that is converted from the entered message of
any length. All the 256 bits are used as the authentication code.
● SM3: The 256-bit SM3 message digest is calculated based on the entered
message of any length. All the 256 bits are used as the authentication code.
Prerequisites
key-id has been configured.
Precautions
SHA-1 has low security. For higher security, you are advised to specify the
hmac-sha-256 or sha-256 parameter.
Keys configured on the sender and receiver of packets must correspond to the
same authentication and encryption algorithms. Otherwise, packet transmission
fails for not passing the authentication.
If no algorithm is configured, the key never becomes active.
Different protocols support different algorithms.
● RIP supports MD5 and simple.
● BGP and BGP4+ support MD5.
● IS-IS supports HMAC-MD5 and simple.
● OSPF supports MD5, simple and HMAC-MD5.
● MSDP supports MD5.
● MPLS LDP supports MD5. MPLS TE supports HMAC-MD5.
Example
# Specify sha-256 as the authentication algorithm of key-id 1.
<HUAWEI> system-view
[HUAWEI] keychain test mode absolute
[HUAWEI-keychain-test] key-id 1
[HUAWEI-keychain-test-keyid-1] algorithm sha-256
Format
default send-key-id
undo default send-key-id
Parameters
None
Views
Key-ID view
Default Level
2: Configuration Level
Usage Guidelines
Usage Scenario
In keychain authentication mode, secure protocol packet transmission is provided
by changing the authentication algorithm and key string dynamically. This can
reduce the workload of changing the algorithm and key manually. A keychain
consists of multiple authentication keys, each of which is valid within different
time periods. When a key becomes valid, the authentication algorithm
corresponding to the key is used, and packets passing the authentication will be
sent or received.
If a key for packet sending is not configured in a keychain or no key for packet
sending is valid within a certain period, protocol packets cannot be authenticated
and encrypted. As a result, protocol packet transmission fails. To address such a
problem, configure a default key for packet sending. If no key is valid, the default
key for packet sending is used.
Precautions
Each keychain can have only one default key for packet sending.
● If the default key for packet sending is an existing key, the authentication and
encryption algorithms, and key corresponding to the key are used.
● If the default key for packet sending is a newly created key, configure the
authentication and encryption algorithms.
Example
# Configure key-id 1 as the default send key in keychain test.
<HUAWEI> system-view
[HUAWEI] keychain test mode absolute
[HUAWEI-keychain-test] key-id 1
[HUAWEI-keychain-test-keyid-1] default send-key-id
Format
display keychain keychain-name [ key-id key-id ]
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
To troubleshoot a keychain authentication failure or collect required information
before configuration, run the display keychain command to view configurations
of a specified keychain.
Example
# Display the configuration of keychain test when no key ID is configured for the
keychain.
<HUAWEI> display keychain test
Keychain Information:
---------------------
Keychain Name : test
Timer Mode : Absolute
Time Type : Lmt
Receive Tolerance(min) : 0
TCP Kind : 254
TCP Algorithm IDs :
HMAC-MD5 :5
HMAC-SHA1-12 :2
HMAC-SHA1-20 :6
HMAC-SHA-256 :7
SHA-256 :8
MD5 :3
SHA1 :4
Number of Key IDs :0
Active Send Key ID : None
Active Receive Key IDs : None
Default send Key ID : Not configured
# Display the configuration of keychain test when a key ID is configured for the
keychain.
<HUAWEI> display keychain test
Keychain Information:
---------------------
Keychain Name : test
Timer Mode : Absolute
Time Type : Lmt
Receive Tolerance(min) : 100
TCP Kind : 182
TCP Algorithm IDs :
HMAC-MD5 :5
HMAC-SHA1-12 :2
HMAC-SHA1-20 :6
HMAC-SHA-256 :7
SHA-256 :8
MD5 :3
SHA1 :4
Number of Key IDs :1
Active Send Key ID :1
Active Receive Key IDs : 01
Default send Key ID :1
Key ID Information:
-------------------
Key ID :1
Key string : ******
Algorithm : MD5
SEND TIMER :
Start time : 2012-03-14 00:00
End time : 2012-08-08 23:59
Status : Active
RECEIVE TIMER :
Start time : 2012-03-14 00:00
End time : 2012-08-08 23:59
Status : Active
Key ID :2
Key string :-
Algorithm :-
SEND TIMER :
Status : Inactive
RECEIVE TIMER :
Status : Inactive
Key ID Information:
-------------------
Key ID :1
Key string : ******
Algorithm : MD5
SEND TIMER :
Start time : 2012-03-14 00:00
End time : 2012-08-08 23:59
Status : Active
RECEIVE TIMER :
Start time : 2012-03-14 00:00
End time : 2012-08-08 23:59
Status : Active
DEFAULT SEND KEY ID INFORMATION
Default : Configured
Status : Inactive
14.15.5 keychain
Function
The keychain command creates a new set of keychain rules or displays the
keychain view.
The undo keychain command deletes the keychain configuration.
By default, no keychain is configured.
Format
keychain keychain-name [ mode { absolute | periodic { daily | weekly | monthly | yearly } } ]
undo keychain keychain-name
Parameters
keychain-name
  Description: Specifies the keychain name. All the applications identify the set of keychain rules by keychain name.
  Value: The value is a string of 1 to 47 case-insensitive characters, excluding the question mark (?) and space. However, when double quotation marks (") are used around the string, spaces are allowed in the string.
Views
System view
Default Level
2: Configuration Level
Usage Guidelines
Usage Scenario
Each keychain consists of multiple keys that are valid within different time periods
and each key is configured with an authentication algorithm. When a key
becomes valid, the corresponding authentication algorithm is used.
Follow-up Procedure
Run the key-id command to configure a key. If the key is not configured, the
keychain cannot authenticate and encrypt protocol packets.
The time mode of a key must be the same as the time mode of the keychain.
Example
# Configure the keychain test and enter keychain view.
<HUAWEI> system-view
[HUAWEI] keychain test mode absolute
[HUAWEI-keychain-test]
14.15.6 key-id
Function
The key-id command creates a new set of key-ids or displays the key-id view.
Format
key-id key-id
Parameters
key-id
  Description: Specifies the key identification number of a keychain.
  Value: The integer value ranges from 0 to 63.
Views
Keychain view
Default Level
2: Configuration Level
Usage Guidelines
Usage Scenario
In keychain authentication mode, secure protocol packet transmission is provided
by changing the authentication algorithm and key string dynamically. This can
reduce the workload of manually changing the algorithm and key.
The dynamic change of the keychain authentication algorithm is implemented
based on the keys. Each keychain consists of multiple keys that are valid within
different time periods and each key is configured with an authentication
algorithm. When a key becomes valid, the corresponding authentication algorithm
is used.
Follow-up Procedure
After key-id is specified, perform the following operations:
● Run the algorithm command to configure an algorithm used by the key.
● Run the key-string command to specify a key string.
● Run the send-time command to specify the send time of the key.
● Run the receive-time command to specify the receive time of the key.
Precautions
A key-id represents a key on the device.
A keychain supports 64 keys, but only one key takes effect during one period.
No active key can be used to authenticate and encrypt protocol packets at the
intervals of keys. Therefore, run the default send-key-id command to specify a
default key.
The time mode of the key must be the same as the time mode of Keychain.
Example
# Configure key-id 1.
<HUAWEI> system-view
[HUAWEI] keychain test mode absolute
[HUAWEI-keychain-test] key-id 1
[HUAWEI-keychain-test-keyid-1]
14.15.7 key-string
Function
The key-string command specifies a key used for keychain authentication.
The undo key-string command deletes a key used for keychain authentication.
By default, no key is configured for keychain authentication.
Format
key-string { plain plain-text | [ cipher ] cipher-text }
undo key-string
Parameters
plain plain-text
  Description: Indicates the plain text used for authentication. The configured text will be stored as unencrypted text and displayed as unencrypted text.
  NOTE: If plain is selected, the password is saved in the configuration file in plain text. This brings security risks. It is recommended that you select cipher to save the password in cipher text.
  Value: The value is case-sensitive and ranges from 1 to 255 characters. Spaces are not supported. If a password contains a space, the password must be placed into a pair of double quotation marks. Only one pair of double quotation marks can be used for each user name.
Views
Key-ID view
Default Level
2: Configuration Level
Usage Guidelines
Usage Scenario
Each keychain consists of multiple keys that are valid within different time periods
and each key is configured with an authentication algorithm. When a key
becomes valid, the corresponding authentication algorithm is used.
Example
# Configure the key string test@1234.
<HUAWEI> system-view
[HUAWEI] keychain test mode absolute
[HUAWEI-keychain-test] key-id 1
[HUAWEI-keychain-test-keyid-1] key-string cipher test@1234
14.15.8 receive-time
Function
The receive-time command configures a key as a receive key for the specified
interval of time.
The undo receive-time command deletes the receive time configuration.
By default, no receive time is configured.
Format
receive-time start-time start-date { duration { duration-value | infinite } | to end-time end-date }
receive-time daily start-time to end-time
receive-time day { start-day-name to end-day-name | day-name &<1-7> }
receive-time date { start-date-value to end-date-value | date-value &<1-31> }
receive-time month { start-month-name to end-month-name | month-name &<1-12> }
undo receive-time
Parameters
to
  Description: Indicates a separator.
  Value: -
day-name &<1-7>
  Description: Specifies the day of the week to be configured as the receive day for the given key.
  Value: It can be Mon, Tue, Wed, Thur, Fri, Sat, and Sun. One or more days can be configured.
date-value &<1-31>
  Description: Specifies the date of the month to be configured as the receive date for the given key.
  Value: The value ranges from 1 to 31. One or more dates can be configured.
Views
Key-ID view
Default Level
2: Configuration Level
Usage Guidelines
Usage Scenario
Each keychain consists of multiple keys that are valid within different time periods
and each key is configured with an authentication algorithm and key string. When
a key becomes valid, the corresponding authentication algorithm and the key
string are used. Configure different keys for packet sending and receiving to be
valid within different time periods.
When the system time is within the specified interval, the receive key is in active
state.
The mode in which receive keys become valid must be the same as that
configured for the keychain.
Precautions
Multiple receive keys can be active at the same time. The device will select a key
for decryption based on the received packet.
Example
# Configure the time for packet receiving with the timing mode as absolute and
range as infinite.
<HUAWEI> system-view
[HUAWEI] keychain one mode absolute
[HUAWEI-keychain-one] key-id 5
[HUAWEI-keychain-one-keyid-5] receive-time 14:52 2014-11-1 duration infinite
# Configure the time for packet receiving with the timing mode as absolute.
<HUAWEI> system-view
[HUAWEI] keychain two mode absolute
[HUAWEI-keychain-two] key-id 5
[HUAWEI-keychain-two-keyid-5] receive-time 14:52 2014-11-1 to 14:52 2040-10-1
# Configure the time for packet receiving with the timing mode as daily periodic.
<HUAWEI> system-view
[HUAWEI] keychain three mode periodic daily
[HUAWEI-keychain-three] key-id 5
[HUAWEI-keychain-three-keyid-5] receive-time daily 14:52 to 18:10
# Configure the time for packet receiving with the timing mode as weekly
periodic.
<HUAWEI> system-view
[HUAWEI] keychain four mode periodic weekly
[HUAWEI-keychain-four] key-id 5
[HUAWEI-keychain-four-keyid-5] receive-time day mon
# Configure the time for packet receiving with the timing mode as monthly
periodic.
<HUAWEI> system-view
[HUAWEI] keychain five mode periodic monthly
[HUAWEI-keychain-five] key-id 5
[HUAWEI-keychain-five-keyid-5] receive-time date 12 to 25
# Configure the time for packet receiving with the timing mode as yearly periodic.
<HUAWEI> system-view
[HUAWEI] keychain six mode periodic yearly
[HUAWEI-keychain-six] key-id 5
[HUAWEI-keychain-six-keyid-5] receive-time month oct to dec
14.15.9 receive-tolerance
Function
The receive-tolerance command sets receive tolerance for all the receive keys in
the keychain.
Format
receive-tolerance { value | infinite }
undo receive-tolerance
Parameters
value
  Description: Specifies the receive tolerance value for a keychain.
  Value: The integer value ranges from 1 to 14400, in minutes.
Views
Keychain view
Default Level
2: Configuration Level
Usage Guidelines
Usage Scenario
Implementation Procedure
After a tolerance time is set, the tolerance time is added to the start time and end
time when the key ID for packet receiving becomes valid.
Precautions
A tolerance time is configured once per keychain. The configured tolerance time takes effect for all receive keys in the keychain.
Example
# Configure the receive tolerance time as 570 minutes.
<HUAWEI> system-view
[HUAWEI] keychain test mode absolute
[HUAWEI-keychain-test] receive-tolerance 570
14.15.10 send-time
Function
The send-time command configures a key as a send key at a specified interval.
Format
send-time start-time start-date { duration { duration-value | infinite } | to end-time end-date }
send-time daily start-time to end-time
undo send-time
Parameters
Parameter Description Value
to | Indicates a separator. | -
day-name &<1-7> | Specifies the day of the week to be configured as the send day for the given key. | It can be Mon, Tue, Wed, Thur, Fri, Sat, and Sun. One or more days can be configured.
date-value &<1-31> | Specifies the date of the month to be configured as the send date for the given key. | The value ranges from 1 to 31. One or more dates can be configured.
Views
Key-ID view
Default Level
2: Configuration Level
Usage Guidelines
Usage Scenario
Each keychain consists of multiple keys that are valid within different time periods
and each key is configured with an authentication algorithm and a key string.
When a key becomes valid, the corresponding authentication algorithm and the
key string are used. Configure different send and receive keys to be valid within
different time periods.
When the system time is within the send time range of a key, the device uses that key's algorithm and key string to compute the authentication code carried in the packet. The authentication code proves the origin and integrity of the packet; it does not encrypt the packet.
There are two keychain validity modes:
● Absolute time range: In this mode, keychains are valid within a certain period.
● Periodic time range: In this mode, keychains are valid periodically.
The mode in which send keys become valid must be the same as that configured
for the keychain.
Precautions
Multiple send keys cannot be active at the same time. Only one send key takes effect during a period in a keychain. Receive keys may overlap, and the receive-tolerance command widens their windows, so that a peer whose clock differs slightly is still accepted while the send key rolls over.
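The interplay of send windows, receive windows and receive-tolerance is easier to see in a small model. The following Python is an added example, not code from the switch or from this reference: the key IDs and dates are constructed from the examples in this section, key-id 6 is a hypothetical successor key, and treating each window as half-open is an assumption of the model.

```python
from datetime import datetime, timedelta

# Constructed sample keychain (not read from a device): key-id 5 is valid
# 14:52 2014-11-1 to 14:52 2040-10-1 as in the examples; key-id 6 is a
# hypothetical successor that starts when key 5 ends, with "duration infinite".
# Windows are half-open [start, end): that convention is an assumption.
KEYS = {
    5: (datetime(2014, 11, 1, 14, 52), datetime(2040, 10, 1, 14, 52)),
    6: (datetime(2040, 10, 1, 14, 52), None),   # None = duration infinite
}

def in_window(start, end, now):
    return start <= now and (end is None or now < end)

def receive_window(start, end, tolerance_min):
    """receive-tolerance widens the receive window of a key at both ends."""
    tol = timedelta(minutes=tolerance_min)
    return start - tol, (None if end is None else end + tol)

def accepted_receive_keys(keys, tolerance_min, now):
    """Key IDs whose tolerance-widened receive window contains `now`.
    Several receive keys may overlap; that overlap is what makes rollover tolerant."""
    return sorted(k for k, (s, e) in keys.items()
                  if in_window(*receive_window(s, e, tolerance_min), now))

def active_send_key(keys, now):
    """The single send key valid at `now`, or None. Send windows must not
    overlap, so two matches are a configuration error."""
    active = [k for k, (s, e) in keys.items() if in_window(s, e, now)]
    if len(active) > 1:
        raise ValueError(f"overlapping send keys: {active}")
    return active[0] if active else None

def daily_active(start_hm, end_hm, now):
    """Periodic daily window such as 'daily 14:52 to 18:10' (minutes inclusive)."""
    return start_hm <= (now.hour, now.minute) <= end_hm

def rollover_report(keys, tolerance_min, now):
    """What one device does at `now`: the key it signs with and the keys it accepts."""
    return {"send": active_send_key(keys, now),
            "receive": accepted_receive_keys(keys, tolerance_min, now)}

if __name__ == "__main__":
    # 52 minutes before key 5 ends, key 6 is already accepted thanks to the tolerance
    print(rollover_report(KEYS, 570, datetime(2040, 10, 1, 14, 0)))
```

With a tolerance of 570 minutes a receiver accepts key-id 6 nine and a half hours before the sender switches to it and keeps accepting key-id 5 for the same time afterwards, so peers whose clocks differ by less than the tolerance never drop authenticated packets across the rollover. The send side has no such slack: two send keys with overlapping windows are rejected by the model, as the precaution above requires.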
Example
# Configure the time for packet sending with the timing mode as absolute.
<HUAWEI> system-view
[HUAWEI] keychain one mode absolute
[HUAWEI-keychain-one] key-id 5
[HUAWEI-keychain-one-keyid-5] send-time 14:52 2014-11-1 to 14:52 2040-10-1
# Configure the time for packet sending with the timing mode as daily periodic.
<HUAWEI> system-view
[HUAWEI] keychain two mode periodic daily
[HUAWEI-keychain-two] key-id 5
[HUAWEI-keychain-two-keyid-5] send-time daily 14:52 to 18:10
# Configure the time for packet sending with the timing mode as weekly periodic.
<HUAWEI> system-view
[HUAWEI] keychain three mode periodic weekly
[HUAWEI-keychain-three] key-id 5
[HUAWEI-keychain-three-keyid-5] send-time day mon
# Configure the time for packet sending with the timing mode as monthly
periodic.
<HUAWEI> system-view
[HUAWEI] keychain four mode periodic monthly
[HUAWEI-keychain-four] key-id 5
[HUAWEI-keychain-four-keyid-5] send-time date 12
# Configure the time for packet sending with the timing mode as yearly periodic.
<HUAWEI> system-view
[HUAWEI] keychain five mode periodic yearly
[HUAWEI-keychain-five] key-id 5
[HUAWEI-keychain-five-keyid-5] send-time month apr
# Configure the time for packet sending with the timing mode as yearly periodic,
and a few months are available.
<HUAWEI> system-view
[HUAWEI] keychain six mode periodic yearly
[HUAWEI-keychain-six] key-id 5
[HUAWEI-keychain-six-keyid-5] send-time month oct to dec
14.15.11 tcp-algorithm-id
Function
The tcp-algorithm-id command specifies an algorithm ID to represent a TCP
authentication algorithm supported by the keychain.
Format
tcp-algorithm-id { hmac-md5 | hmac-sha-256 | hmac-sha1-12 | hmac-sha1-20 |
md5 | sha-1 | sha-256 } algorithm-id
Parameters
Parameter Description Value
Views
Keychain view
Default Level
2: Configuration Level
Usage Guidelines
Usage Scenario
A keychain secures protocol packet transmission by changing the authentication algorithm and key string over time. Packets sent over both TCP and non-TCP connections are authenticated with the algorithm and key string of the key that is currently valid. For TCP connections the peer must know which algorithm produced the authentication code, so the algorithm is identified by the algorithm ID configured with this command.
The HMAC algorithms process the key string as defined in RFC 2104. The block size of MD5, SHA-1 and SHA-256 is 512 bits: a key string shorter than 512 bits is padded with 0s to 512 bits; a key string longer than 512 bits is first hashed (to 128 bits for MD5, 160 bits for SHA-1 and 256 bits for SHA-256) and the digest is then padded with 0s to 512 bits. The keyed digest is calculated over the message with this padded key.
● HMAC-SHA1-12: A 160-bit HMAC-SHA1 digest is calculated over the message of any length with the 512-bit padded key. The leftmost 96 bits (12 x 8) are used as the authentication code.
● HMAC-SHA1-20: A 160-bit HMAC-SHA1 digest is calculated in the same way. All 160 bits are used as the authentication code.
● SHA-256: The 256-bit SHA-2 message digest is calculated over a message shorter than 2^64 bits.
● HMAC-SHA-256: A 256-bit HMAC-SHA-256 digest is calculated over the message of any length with the 512-bit padded key. All 256 bits are used as the authentication code.
● SM3: The 256-bit SM3 message digest is calculated over the message of any length. All 256 bits are used as the authentication code.
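The key handling and truncation described above, written out in Python as an added example (not code from the device or from this reference). It rebuilds HMAC from the hash primitives and checks the result against the standard library; the sample key string and packet bytes are constructed, and the algorithm table covers only the HMAC keywords of tcp-algorithm-id.

```python
import hashlib
import hmac

BLOCK = 64   # 512-bit block size shared by MD5, SHA-1 and SHA-256

def prepare_key(key: bytes, digestmod) -> bytes:
    """RFC 2104 key handling: a key longer than one block is hashed first;
    the result (or a short key) is zero-padded to the block size."""
    if len(key) > BLOCK:
        key = digestmod(key).digest()
    return key.ljust(BLOCK, b"\x00")

def hmac_manual(key: bytes, msg: bytes, digestmod) -> bytes:
    """HMAC written out: H((K ^ opad) || H((K ^ ipad) || msg))."""
    k = prepare_key(key, digestmod)
    inner = digestmod(bytes(b ^ 0x36 for b in k) + msg).digest()
    return digestmod(bytes(b ^ 0x5C for b in k) + inner).digest()

# Keyword -> (hash, authentication code length in bytes) for the HMAC keywords.
HMAC_ALGORITHMS = {
    "hmac-md5": (hashlib.md5, 16),
    "hmac-sha1-12": (hashlib.sha1, 12),   # leftmost 96 bits of the 160-bit digest
    "hmac-sha1-20": (hashlib.sha1, 20),
    "hmac-sha-256": (hashlib.sha256, 32),
}

def auth_code(algorithm: str, key: bytes, msg: bytes) -> bytes:
    """Authentication code for one HMAC keyword. The unkeyed md5, sha-1 and
    sha-256 keywords are left out: the reference does not say how they take the key."""
    digestmod, length = HMAC_ALGORITHMS[algorithm]
    return hmac_manual(key, msg, digestmod)[:length]

def verify(algorithm: str, key: bytes, msg: bytes, code: bytes) -> bool:
    """Constant-time comparison, so a forger learns nothing from response timing."""
    return hmac.compare_digest(auth_code(algorithm, key, msg), code)

if __name__ == "__main__":
    key = b"keychain-key-string"   # constructed sample key string
    msg = b"\x00\x01BGP OPEN"       # constructed sample packet bytes
    for name in HMAC_ALGORITHMS:
        print(name, auth_code(name, key, msg).hex())
```

Truncating HMAC-SHA1 to 96 bits shortens the TCP option but also shortens the code a forger must guess; the precaution below about preferring the SHA-256 variants applies on top of that.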
Prerequisites
Before configuring algorithm IDs for the communicating parties, run the tcp-kind
command to configure TCP types for the communicating parties.
Precautions
MD5 and SHA-1 are no longer considered secure. For higher security, specify the hmac-sha-256 or sha-256 parameter.
Each algorithm has a unique algorithm ID, and the algorithm IDs configured on the two communicating devices must be identical.
Example
# Specify 1 as the algorithm ID of hmac-sha-256.
<HUAWEI> system-view
[HUAWEI] keychain test mode absolute
[HUAWEI-keychain-test] tcp-algorithm-id hmac-sha-256 1
14.15.12 tcp-kind
Function
The tcp-kind command specifies the option type in the TCP enhanced
authentication option.
The undo tcp-kind command restores the default TCP kind value.
Format
tcp-kind kind-value
undo tcp-kind
Parameters
Parameter Description Value
kind-value | Specifies the TCP kind value to be used for that keychain. | The value ranges from 28 to 255.
Views
Keychain view
Default Level
2: Configuration Level
Usage Guidelines
Usage Scenario
TCP connection request packets carry enhanced authentication options and are
authenticated by a specified authentication algorithm. Different vendors use
different kind values to specify the enhanced authentication option. Kind values
configured for the communicating parties must be the same.
Follow-up Procedure
After configuring the same TCP kind value for the communicating parties, run the
tcp-algorithm-id command to specify TCP algorithm IDs for the communicating
parties.
Precautions
If TCP connection request packets carry enhanced authentication options, the kind
value must be specified in the packets.
Example
# Configure the TCP kind value as 252 for the keychain test.
<HUAWEI> system-view
[HUAWEI] keychain test mode absolute
[HUAWEI-keychain-test] tcp-kind 252
Function
The time mode command configures the time mode for Keychain.
The undo time mode command restores the default time mode for Keychain.
Format
time mode { utc | lmt }
Parameters
Parameter Description Value
Views
Keychain view
Default Level
2: Configuration level
Usage Guidelines
Each keychain consists of multiple key IDs that are valid within different time
periods and each key ID is configured with an authentication algorithm. When a
key ID becomes valid, the corresponding authentication algorithm is used,
ensuring the dynamic change of authentication algorithms. Configure different
key IDs for packet sending and receiving to be valid within different time periods.
To configure the time mode for Keychain, run the time mode command. You can
configure UTC or LMT for Keychain based on the network planning. Ensure that
the time mode remains the same on the entire network.
Example
# Configure the time mode for Keychain as UTC.
<HUAWEI> system-view
[HUAWEI] keychain test mode absolute
[HUAWEI-keychain-test] time mode utc
Function
The description command configures the description for an MPAC policy.
Format
description text
undo description
Parameters
Parameter Description Value
Views
MPAC policy view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To configure description for a created MPAC policy, use the description command.
The descriptions facilitate MPAC policy management on the device.
Prerequisites
An MPAC policy has been created using the service-security policy command.
Example
# Configure a description for an MPAC policy.
<HUAWEI> system-view
[HUAWEI] service-security policy ipv4 test
[HUAWEI-service-sec-test] description SwitchA-GE0/0/1 to SwitchB-GE0/0/1
Format
display service-security binding { ipv4 | ipv6 } [ interface interface-type
interface-number ]
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
To check information about bound MPAC policies, run this command.
The display service-security binding { ipv4 | ipv6 } command displays all MPAC
policies bound to interfaces and bound globally.
The display service-security binding { ipv4 | ipv6 } interface interface-type
interface-number command displays the MPAC policies bound to a specified
interface.
Example
# Display all IPv4 MPAC policies bound on the device.
<HUAWEI> display service-security binding ipv4
Configured : Global
Policy Name : test
Interface : GigabitEthernet0/0/1
Policy Name: A1
Interface : Eth-Trunk1
Policy Name: A2
Format
display service-security policy { ipv4 | ipv6 } [ security-policy-name ]
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
An MPAC policy protects device security by controlling the packets destined for the
CPUs.
To check the MPAC rules, step, and description configured on a device, run the
display service-security policy command.
Example
# Display all IPv4 MPAC policy configurations on a device.
<HUAWEI> display service-security policy ipv4
Policy Name : A1
Step :5
Item Description
Function
The display service-security statistics command displays statistics about
matched rules in MPAC policies.
Format
display service-security statistics { ipv4 | ipv6 } [ security-policy-name ]
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
An MPAC policy protects device security by controlling the packets destined for the
CPUs.
Example
# Display statistics about matched rules in all IPv4 MPAC policies.
<HUAWEI> display service-security statistics ipv4
Policy Name : A1
Step :5
# Display statistics about matched rules in the IPv4 MPAC policy named test.
<HUAWEI> display service-security statistics ipv4 test
Policy Name : test
Step :5
rule 5 permit protocol tcp source-ip 127.1.1.1 0 source-port 1000 (10 times matched)
rule 10 permit protocol ip source-ip 10.10.1.0 0.0.0.255 (1 times matched)
Item Description
Format
reset service-security counters { ipv4 | ipv6 } [ security-policy-name ]
Parameters
Parameter Description Value
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If a large number of MPAC policy statistics have accumulated on a device and you want to observe new matches only, run the reset service-security counters command to clear the existing statistics first.
With the security-policy-name parameter specified, you can delete statistics about
the specified IPv4 or IPv6 MPAC policy. Without the security-policy-name
parameter specified, you can delete statistics about all IPv4 or IPv6 MPAC policies.
Precautions
All existing MPAC policy statistics will be deleted after this command is executed.
Example
# Delete statistics about the IPv4 MPAC policy test.
<HUAWEI> reset service-security counters ipv4 test
Function
The rule command adds a rule to the MPAC policy view.
The undo rule command deletes a rule or some configurations from the MPAC
policy view.
Format
rule [ rule-id ] { permit | deny } protocol { protocol-number | ftp | ssh | snmp | telnet | tftp | bgp | ldp | rsvp | ospf | rip | ntp | lsp-ping | dhcp-c | dhcp-r | ip } [ [ source-ip { source-ipv4-address { source-ipv4-mask | 0 } | any } ] | [ destination-ip { destination-ipv4-address { destination-ipv4-mask | 0 } | any } ] ] *
Parameters
Views
MPAC policy view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To match specific users or packets, run the rule command with the protocol name
or five packet attributes specified.
The MPAC matching rules for TCP/UDP are described in Table 14-92.
Prerequisites
An MPAC policy has been created using the service-security policy command.
Precautions
● The MPAC rules configured in the service6-sec policy view do not support ISIS.
● Exercise caution with the rule [ rule-id ] deny protocol any command. If a policy containing such a rule is bound globally with the service-security global-binding command, no protocol packets reach the CPU and the device can no longer be managed in band. Place permit rules for the management sources and protocols you rely on before any deny-all rule.
● If a whitelist is configured for an MPAC IPv6 policy, run the rule permit
protocol 58 command to allow ICMPv6 packets to pass.
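An in-memory model of an MPAC policy, added here as an example and not the switch's implementation. It shows first-match rule evaluation with wildcard masks, the per-rule counters that display service-security statistics reports, re-numbering by step, and the lock-out that a trailing deny rule causes for every source not permitted earlier. The protocol keyword table and the default action when no rule matches are this model's assumptions; the sample policy is constructed from the examples in this section.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Protocol keyword -> (IP protocol number, well-known destination port). This table
# is the example's own and covers only the keywords it needs; None means "any".
PROTO = {"ip": (None, None), "tcp": (6, None), "udp": (17, None),
         "ssh": (6, 22), "telnet": (6, 23), "bgp": (6, 179),
         "snmp": (17, 161), "ntp": (17, 123), "ospf": (89, None)}

@dataclass
class Rule:
    rule_id: int
    action: str                        # "permit" or "deny"
    protocol: str                      # keyword in PROTO or a protocol number
    source: Optional[tuple] = None     # (address, wildcard mask); None = any
    destination: Optional[tuple] = None
    source_port: Optional[int] = None
    matched: int = 0                   # the counter display service-security statistics shows

def _to_int(x):
    return int(x) if str(x).isdigit() else int(ipaddress.IPv4Address(x))

def _addr_match(spec, addr):
    """Wildcard-mask match: every bit that is 0 in the mask must be equal."""
    if spec is None:
        return True
    net, wild = (_to_int(x) for x in spec)
    care = wild ^ 0xFFFFFFFF
    return (_to_int(addr) & care) == (net & care)

def _proto_match(rule, pkt):
    if rule.protocol.isdigit():
        return pkt["proto"] == int(rule.protocol)
    num, port = PROTO[rule.protocol]
    return (num is None or pkt["proto"] == num) and (port is None or pkt.get("dport") == port)

@dataclass
class Policy:
    name: str
    step: int = 5
    rules: list = field(default_factory=list)

    def add_rule(self, action, protocol, rule_id=None, **match):
        """Explicit rule_id, or the next multiple of step above the highest ID in use."""
        if rule_id is None:
            top = max((r.rule_id for r in self.rules), default=0)
            rule_id = (top // self.step + 1) * self.step
        self.rules.append(Rule(rule_id, action, protocol, **match))
        self.rules.sort(key=lambda r: r.rule_id)
        return rule_id

    def set_step(self, step):
        """Re-number with the new step; the order, and so the priority, is unchanged."""
        self.step = step
        for i, r in enumerate(self.rules, 1):
            r.rule_id = i * step

    def evaluate(self, pkt, default="permit"):
        """Lowest-ID matching rule decides. `default` applies when nothing matches and is
        an assumption of this model; the reference does not state the device's default."""
        for r in self.rules:
            if (_proto_match(r, pkt) and _addr_match(r.source, pkt["src"])
                    and _addr_match(r.destination, pkt["dst"])
                    and (r.source_port is None or pkt.get("sport") == r.source_port)):
                r.matched += 1
                return r.action, r.rule_id
        return default, None

    def statistics(self):
        return [f"rule {r.rule_id} {r.action} protocol {r.protocol} ({r.matched} times matched)"
                for r in self.rules]

def sample_policy():
    """Constructed policy: the two rules from this section's examples plus a final
    deny-all, so CPU-bound traffic from anywhere but 10.10.1.0/24 is dropped."""
    p = Policy("test")
    p.add_rule("permit", "tcp", rule_id=5, source=("127.1.1.1", "0"), source_port=1000)
    p.add_rule("permit", "ip", source=("10.10.1.0", "0.0.0.255"))
    p.add_rule("deny", "ip")
    return p

if __name__ == "__main__":
    p = sample_policy()
    print(p.evaluate({"src": "192.0.2.9", "dst": "10.0.0.1", "proto": 6, "dport": 22}))  # denied
    print("\n".join(p.statistics()))
```

Before binding a policy that ends in a deny-all rule, evaluate an SSH or SNMP packet from your management station against it as the model does; if the answer is deny, the binding will lock you out.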
Example
# Add a rule to an MPAC policy.
<HUAWEI> system-view
[HUAWEI] service-security policy ipv4 test
[HUAWEI-service-sec-test] rule 5 permit protocol tcp source-port 1000 source-ip 127.1.1.1 0
Function
The service-security binding command binds an MPAC policy to an interface.
Format
service-security binding { ipv4 | ipv6 } security-policy-name
NOTE
Parameters
Views
Ethernet interface view, Ethernet sub-interface view, GE interface view, MultiGE
interface view, MultiGE sub-interface view, GE sub-interface view, XGE interface
view, 25GE interface view, XGE sub-interface view, 25GE sub-interface view, 40GE
interface view, 40GE sub-interface view, 100GE interface view, 100GE sub-interface
view, Eth-Trunk interface view, Eth-Trunk sub-interface view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Some attackers may pose as authorized users to send protocol packets to network
devices or control these devices. Such attacks affect network running. You can
configure MPAC on network devices to allow the specified protocol packets to be
sent to the CPUs or discard these packets, improving device security and reliability.
Prerequisites
An MPAC policy has been created using the service-security policy command.
Example
# Create an IPv4 MPAC policy and apply it to an interface.
<HUAWEI> system-view
[HUAWEI] service-security policy ipv4 test
[HUAWEI-service-sec-test] rule 5 permit protocol tcp source-port 1000 source-ip 127.1.1.1 0
[HUAWEI-service-sec-test] quit
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] service-security binding ipv4 test
Function
The service-security global-binding command binds an MPAC policy to a device
globally.
Format
service-security global-binding { ipv4 | ipv6 } security-policy-name
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Some attackers may pose as authorized users to send protocol packets to network
devices or control these devices. Such attacks affect network running. You can
configure MPAC on network devices to allow the specified protocol packets to be
sent to the CPUs or discard these packets, improving device security and reliability.
After an MPAC policy is created, run the service-security global-binding
command to bind it to a device globally.
Prerequisites
An MPAC policy has been created using the service-security policy command.
Example
# Create an IPv4 MPAC policy and apply it to a device globally.
<HUAWEI> system-view
[HUAWEI] service-security policy ipv4 test
[HUAWEI-service-sec-test] rule 5 permit protocol tcp source-port 1000 source-ip 127.1.1.1 0
[HUAWEI-service-sec-test] quit
[HUAWEI] service-security global-binding ipv4 test
Function
The service-security policy command creates an MPAC policy and displays its
view.
Format
service-security policy { ipv4 | ipv6 } security-policy-name
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Some attackers may pose as authorized users to send protocol packets to network
devices or control these devices. Such attacks affect network running. You can
configure MPAC on network devices to allow the specified protocol packets to be
sent to the CPUs or discard these packets, improving device security and reliability.
Example
# Create an IPv4 MPAC policy.
<HUAWEI> system-view
[HUAWEI] service-security policy ipv4 test
[HUAWEI-service-sec-test]
Format
step step-value
undo step
Parameters
Parameter Description Value
step-value | Specifies the step between two MPAC rule IDs. | The value is an integer that ranges from 1 to 20.
Views
MPAC policy view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
A step is an increment between neighboring MPAC rule IDs automatically
allocated by the system. For example, if the step is 5, the system allocates MPAC
rules with IDs 5, 10, 15, 20...
To allow insertion of new rules, set a step for MPAC rule IDs by using the step
command.
Prerequisites
MPAC policies have been created using the service-security policy command.
Configuration Impact
After you set a step, all the rule IDs in the MPAC policy are re-arranged using the
new step.
Precautions
Setting the step only changes rule IDs, but will not change the rule priorities.
Example
# Set the step for MPAC rule IDs to 10.
<HUAWEI> system-view
[HUAWEI] service-security policy ipv4 test
[HUAWEI-service-sec-test] step 10
Format
management-plane isolate enable
undo management-plane isolate enable
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Precautions
Example
# Enable management plane isolation.
<HUAWEI> system-view
[HUAWEI] management-plane isolate enable
Function
The management-port isolate enable command isolates management interfaces
from service interfaces.
Format
management-port isolate enable
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Precautions
Example
# Isolate management interfaces from service interfaces.
<HUAWEI> system-view
[HUAWEI] management-port isolate enable
Format
display security risk [ trap-info ] [ feature feature-name ] [ level { high |
medium | low } ]
Parameters
Parameter Description Value
Views
All views
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Protocols differ in security strength, and some have known weaknesses. Run the display security risk command to identify security risks in the system, then remove them by following the repair action in the command output. For example, if SNMPv1 or SNMPv2c is configured, the command output prompts you to use SNMPv3.
You can filter the security risks by specifying the security level, feature, or both.
Precautions
The security risks that are displayed vary with user levels. The system
administrators can view all security risks in the system. Other users can only view
the security risks matching their levels.
Example
# Display security risks in the system.
<HUAWEI> display security risk
Risk level : high
Feature name : SNMP
Risk information : SNMPv1/SNMPv2c is enabled.
Repair action : Use SNMPv3.
NOTE
The command output provided here is used for reference only. The actual output information
depends on the situation.
Item Description
14.19.2 auto-enroll
Function
The auto-enroll command enables automatic certificate enrollment and update.
Format
auto-enroll [ percent ] [ regenerate [ key-bit ] ] [ updated-effective ]
Parameters
Parameter Description Value
Views
PKI realm view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Automatic certificate enrollment: When the certificates are unavailable, are about to expire, or have expired, an entity automatically requests a new certificate or renews the certificate using the Simple Certificate Enrollment Protocol (SCEP).
Precautions
● If you do not specify regenerate, the system uses the original RSA key pairs
during automatic updates.
● If you specify regenerate, the system generates new RSA key pairs during
certificate updates for certificate requests and overwrites the original
certificates and RSA key pairs with the new ones.
● After this command is run, the device checks whether the certificate has
expired every 60 minutes. If the certificate has expired, the device updates the
certificate.
Example
# Enable automatic certificate enrollment and update for the PKI realm abc.
<HUAWEI> system-view
[HUAWEI] pki realm abc
[HUAWEI-pki-realm-abc] auto-enroll 50 regenerate
14.19.3 ca id
Function
The ca id command specifies a certificate authority (CA) trusted by a PKI realm.
Format
ca id ca-name
undo ca id
Parameters
Parameter Description Value
Views
PKI realm view
Default Level
2: Configuration level
Usage Guidelines
After the ca id command is executed to specify the CA trusted by the device, the
device's local certificate is requested, obtained, revoked, or queried through the
CA.
Example
# Specify the CA root_ca trusted by the PKI realm abc.
<HUAWEI> system-view
[HUAWEI] pki realm abc
[HUAWEI-pki-realm-abc] ca id root_ca
14.19.4 cdp-url
Function
The cdp-url command configures the CRL distribution point (CDP) URL.
Format
cdp-url [ esc ] url-addr
cdp-url from-ca
undo cdp-url
Parameters
Parameter Description Value
Views
PKI realm view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When a PKI entity needs to use HTTP to update CRL, it must set up a connection
with the HTTP server based on CDP URL, and obtain the CRL from the HTTP
server. By default, a PKI entity locates and downloads CRL based on the method
(HTTP) in the CDP information of the local certificate. If you do not want to
download CRL based on the CDP URL in the local certificate, run this command to
configure the PKI entity to obtain CDP URL from the CA certificate or manually
configure the CDP URL.
When CRL is automatically updated by SCEP, you can also manually configure a
CDP URL address.
Precautions
Manually configuring a CDP URL address overwrites the CDP carried in the
certificate. If the certificate does not contain CDP information and no CDP URL
address is manually configured, the device requests the CRL from the CA server
using SCEP.
The esc keyword is needed only when the URL contains a question mark (?), which the command line would otherwise interpret as a request for help. Enter the question mark as \x3f, where 3f is the hexadecimal ASCII code of the question mark. For example, to enter http://***.com?page1, type http://***.com\x3fpage1. If the URL itself contains the literal characters \x3f as well as a question mark, double the backslash of the literal sequence: to enter http://www.***.com?page1\x3f, type http://www.***.com\x3fpage1\\x3f.
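The escaping rule above in code, as an added example and not the device's own parser: one function produces the esc form of a URL, the other recovers the URL the device will use. The example URLs are constructed.

```python
def esc_encode(url: str) -> str:
    """Write `url` in the form `cdp-url esc` expects. A literal backslash-x3f in
    the URL is doubled first; only then is each '?' replaced, so the replacement
    text is never doubled itself."""
    return url.replace("\\x3f", "\\\\x3f").replace("?", "\\x3f")

def esc_decode(text: str) -> str:
    """Recover the URL from its esc form. A single left-to-right pass keeps the
    two escapes apart: a doubled backslash followed by x3f yields the literal
    characters backslash-x3f; a single backslash followed by x3f yields '?'."""
    out, i = [], 0
    while i < len(text):
        if text.startswith("\\\\x3f", i):
            out.append("\\x3f")
            i += 5
        elif text.startswith("\\x3f", i):
            out.append("?")
            i += 4
        else:
            out.append(text[i])
            i += 1
    return "".join(out)

if __name__ == "__main__":
    url = "http://www.example.com?page1\\x3f"   # constructed URL with both '?' and a literal \x3f
    print(esc_encode(url))                      # what to type after `cdp-url esc`
    print(esc_decode(esc_encode(url)) == url)   # the device sees the original URL again
```

The order of the two replacements in esc_encode is the whole point: swapping them would turn every question mark into \x3f and then double it, producing a URL the device reads back with a literal \x3f in it.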
Example
# Set the CDP URL to http://10.1.1.1/certenroll/ca_root.crl.
<HUAWEI> system-view
[HUAWEI] pki realm d1
[HUAWEI-pki-realm-d1] crl scep
[HUAWEI-pki-realm-d1] cdp-url http://10.1.1.1/certenroll/ca_root.crl
14.19.5 certificate-check
Function
The certificate-check command sets the method of checking whether a certificate
in the PKI realm is revoked.
The undo certificate-check command cancels the method of checking whether a
certificate in the PKI realm is revoked.
By default, the system checks using CRLs whether a certificate in the PKI realm is
revoked.
Format
certificate-check { { crl | ocsp } * [ none ] | none }
undo certificate-check
NOTE
Parameters
Parameter Description Value
Views
PKI realm view
Default Level
2: Configuration level
Usage Guidelines
The PKI entity validates the peer certificate during negotiation, for example by checking whether it has expired and whether it has been revoked. Run the certificate-check command to select how the revocation status of the peer certificate is checked.
The system supports the following methods to check whether a certificate in the
PKI realm is revoked:
● CRL
– If the CA server can function as a CDP, the certificate issued by CA
contains the CDP information about obtaining the certificate CRL. The PKI
entity then uses the specified method (HTTP) to find the CRL from the
specified location and download the CRL. If the CDP URL is configured in
the PKI realm, the PKI entity obtains the CRL from the specified URL.
– If the CA does not support CDPs and no CDP URL is configured on the PKI
entity, the PKI entity uses the SCEP protocol to obtain the CRL.
● OCSP
The PKI entity can use OCSP to check certificate status online, and you do not
need to frequently download CRLs.
When two PKI entities use certificates to perform IPSec negotiation, they
check the peer certificate status through OCSP in real time.
● None
This mode is used when no CRL or OCSP server is available to the PKI entity
or the PKI entity does not need to check the peer certificate status. In this
mode, the PKI entity does not check whether a certificate has been revoked.
Precautions
After the certificate-check crl command is configured, if the device does not have
the CRL file, the device fails the certificate verification, and the certificate becomes
invalid.
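How the check methods combine, as an added Python example rather than device code. The CRL and the OCSP responder are in-memory stand-ins and the sample certificate is constructed; consulting every configured source in turn and treating an OCSP "unknown" answer as a failure are this model's assumptions, while the fail-closed behaviour of crl without a CRL file and the fail-open behaviour with none follow the text above.

```python
from datetime import datetime

def check_certificate(cert, methods, crl=None, ocsp=None, now=None):
    """Accept or reject `cert` under the configured certificate-check methods.

    cert    : dict with serial, not_before, not_after (stand-in for a parsed X.509 certificate)
    methods : the command's keywords, e.g. ["crl"], ["crl", "ocsp"], ["crl", "none"] or ["none"]
    crl     : set of revoked serial numbers, or None when no CRL file is available
    ocsp    : dict serial -> "good" / "revoked", or None when the responder is unreachable
    Returns (accepted, reason). The validity period is always checked. Each configured
    revocation source is then consulted in turn (this model's choice) and a 'revoked'
    answer is final. When a source is unavailable the outcome depends on whether 'none'
    is also configured: with it the source is skipped (fail open); without it the
    certificate fails verification (fail closed), as the Precautions state for crl.
    """
    now = now or datetime.now()
    if not (cert["not_before"] <= now <= cert["not_after"]):
        return False, "outside validity period"
    fail_open = "none" in methods
    for method in (m for m in methods if m != "none"):
        if method == "crl":
            if crl is None:
                if not fail_open:
                    return False, "CRL not available"
            elif cert["serial"] in crl:
                return False, "revoked (CRL)"
        elif method == "ocsp":
            if ocsp is None:
                if not fail_open:
                    return False, "OCSP responder unreachable"
            elif ocsp.get(cert["serial"]) == "revoked":
                return False, "revoked (OCSP)"
            elif ocsp.get(cert["serial"]) is None and not fail_open:
                return False, "OCSP status unknown"   # failing on 'unknown' is this model's choice
        else:
            raise ValueError(f"unknown certificate-check method: {method}")
    return True, "accepted"

# Constructed sample: a peer certificate valid for calendar year 2024.
PEER = {"serial": 0x1001, "not_before": datetime(2024, 1, 1), "not_after": datetime(2025, 1, 1)}

if __name__ == "__main__":
    now = datetime(2024, 6, 1)
    print(check_certificate(PEER, ["crl"], crl=None, now=now))          # fail closed
    print(check_certificate(PEER, ["crl", "none"], crl=None, now=now))  # fail open
```

The none keyword is convenient when the CDP is unreachable, but it means a revoked peer certificate is accepted whenever the CRL download fails; treat it as a deliberate fail-open decision rather than a default.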
Example
# Set the certificate check method to crl none in PKI realm test. If the CRL mode
is unavailable, the certificate is regarded as valid.
<HUAWEI> system-view
[HUAWEI] pki realm test
[HUAWEI-pki-realm-test] certificate-check crl none
Function
The certificate auto-update enable command enables CMPv2-based automatic
certificate update.
The undo certificate auto-update enable command disables CMPv2-based
automatic certificate update.
By default, the CMPv2-based automatic certificate update is disabled.
Format
certificate auto-update enable
undo certificate auto-update enable
Parameters
None
Views
CMP session view
Default Level
2: Configuration level
Usage Guidelines
If a certificate obtained through CMPv2 is about to expire, run this command to
enable CMPv2-based automatic certificate update to ensure certificate validity.
After the command is executed, the system performs checks (for example,
referenced PKI entity, URL for the CMPv2 server, RSA key pair for CMPv2-based
certificate application). The configuration is successful only when the conditions
are met.
When the system detects that the remaining validity period of the local certificate
has reached the value specified in certificate update expire-time, the system
automatically initiates the certificate update request and decides whether to
Example
# Enable CMPv2-based automatic certificate update.
<HUAWEI> system-view
[HUAWEI] pki cmp session test
[HUAWEI-pki-cmp-session-test] certificate auto-update enable
Function
The certificate update expire-time command specifies when the certificate starts
to update. The time is represented by a percentage of the total validity period.
The undo certificate update expire-time command restores the default
certificate update time.
By default, the certificate is automatically updated when the validity period is only
50% left.
Format
certificate update expire-time valid-percent
undo certificate update expire-time
Parameters
Parameter Description Value
valid-percent | Specifies the remaining percentage of the validity period at which the update starts. | The value is an integer that ranges from 10 to 100. The default value is 50.
Views
CMP session view
Default Level
2: Configuration level
Usage Guidelines
If the automatic certificate update through CMPv2 is enabled, the system sends an
update request to the CMPv2 server when the specified updated time is reached.
This command sets the time (percentage of the total validity period) to update
the certificate.
Example
# Enable the automatic certificate update when 60% of the validity period of the certificate remains.
<HUAWEI> system-view
[HUAWEI] pki cmp session test
[HUAWEI-pki-cmp-session-test] certificate update expire-time 60
Function
The cmp-request authentication-cert command configures the certificate for
identity authentication in the request through CMPv2.
Format
cmp-request authentication-cert cert-name
Parameters
Parameter Description Value
cert-name | Specifies the name of a certificate file. | The value must be an existing certificate file name.
Views
CMP session view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Run this command to configure the certificate for identity authentication if you
need to apply for a certificate through CMPv2. For different requests through
CMPv2, the required certificates are as follows:
Example
# Configure the certificate for identity authentication in the request through
CMPv2.
<HUAWEI> system-view
[HUAWEI] pki cmp session test
[HUAWEI-pki-cmp-session-test] cmp-request authentication-cert bb.cer
Function
The cmp-request ca-name command sets a CA name for the CMP session.
The undo cmp-request ca-name command deletes the CA name of the CMP
session.
By default, no CA name is configured for a CMP session.
Format
cmp-request ca-name ca-name
undo cmp-request ca-name
Parameters
Parameter Description Value
ca-name | Indicates the name of the CA, which is the subject field of the CA certificate. | The value starts and ends with a quotation mark (") and is a string of 1 to 128 characters (including the quotation marks). A comma (,) separates adjacent fields in the string.
Views
CMP session view
Default Level
2: Configuration level
Usage Guidelines
A trusted authority enrolls and issues certificates to entities. Therefore, a trusted
CA name must be configured.
The field order in the CA name must be the same as that in the actual CA
certificate. Otherwise, the server regards the name as incorrect.
Example
# Set the CA name for CMP session test.
<HUAWEI> system-view
[HUAWEI] pki cmp session test
[HUAWEI-pki-cmp-session-test] cmp-request ca-name "C=cn,ST=beijing,L=shangdi,O=BB,OU=BB,CN=BB"
Function
The cmp-request entity command sets the entity name used to apply for
certificate through CMPv2.
The undo cmp-request entity command deletes the entity name used to apply
for certificate through CMPv2.
By default, the entity name used to apply for certificate through CMPv2 is not
configured.
Format
cmp-request entity entity-name
undo cmp-request entity
Parameters
Parameter Description Value
entity-name | Specifies the entity name for certificate application through CMPv2. | The value must be an existing PKI entity name.
Views
CMP session view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To apply for a certificate through CMPv2, create a CMP session and specify the
entity name in the CMP session.
Prerequisites
1. A PKI entity has been created using the pki entity command.
2. A PKI entity common name has been created using the common-name
command.
Precautions
The specified entity can be referenced only by one CMP session or PKI realm.
Example
# Set the entity name the device uses when applying for a certificate through
CMPv2 to entity1.
<HUAWEI> system-view
[HUAWEI] pki entity entity1
[HUAWEI-pki-entity-entity1] common-name test1
[HUAWEI-pki-entity-entity1] quit
[HUAWEI] pki cmp session test
[HUAWEI-pki-cmp-session-test] cmp-request entity entity1
Function
The cmp-request message-authentication-code command configures the
reference value and secret value of the message authentication code (MAC).
By default, the reference value and secret value of the MAC are not configured.
Format
cmp-request message-authentication-code reference-value secret-value
Parameters
Views
CMP session view
Default Level
2: Configuration level
Usage Guidelines
When a device is configured to use MAC for initial request (IR), you need to check
the reference value and secret value of the MAC from the CMPv2 server in out-of-
band mode, and then run this command to set the values on the device.
Example
# Configure the reference value and secret value of the MAC.
<HUAWEI> system-view
[HUAWEI] pki cmp session test
[HUAWEI-pki-cmp-session-test] cmp-request message-authentication-code 1234 123456
Function
The cmp-request origin-authentication-method command configures the
authentication method used for initial request (IR) through CMPv2.
Format
cmp-request origin-authentication-method { message-authentication-code | signature }
Parameters
Parameter Description Value
message-authentication-code | Indicates the MAC method for the IR. | -
signature | Indicates the signature method for the IR. | -
Views
CMP session view
Default Level
2: Configuration level
Usage Guidelines
During the IR using CMPv2, a security protection measure needs to be taken:
● After you select the MAC method, run the cmp-request message-
authentication-code command to configure the reference value and secret
value. The device uses the reference value and secret value to protect
messages during the IR.
● After you select the signature method, run the cmp-request authentication-
cert command to configure the external certificate. The device uses the
external certificate to protect signatures during the IR.
Example
# Configure the authentication method used for IR through CMPv2.
<HUAWEI> system-view
[HUAWEI] pki cmp session test
[HUAWEI-pki-cmp-session-test] cmp-request origin-authentication-method signature
Function
The cmp-request realm command specifies a PKI realm to which the CMPv2
server certificate belongs.
The undo cmp-request realm command deletes the specified PKI realm.
Format
cmp-request realm realm-name
Parameters
Views
CMP session view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When applying for a certificate through CMPv2, run the cmp-request realm
command to specify the PKI realm to which the CMPv2 server certificate belongs.
Prerequisites
A PKI realm has been created using the pki realm command.
Example
# Set a PKI realm name of the CMPv2 server certificate to abc.
<HUAWEI> system-view
[HUAWEI] pki realm abc
[HUAWEI-pki-realm-abc] quit
[HUAWEI] pki cmp session test
[HUAWEI-pki-cmp-session-test] cmp-request realm abc
Function
The cmp-request rsa local-key-pair command configures the RSA key pair used
for certificate application through CMPv2.
The undo cmp-request rsa local-key-pair command deletes the RSA key pair
used for certificate application through CMPv2.
By default, the RSA key pair used to apply for certificate through CMPv2 is not
configured.
Format
cmp-request rsa local-key-pair key-name [ regenerate [ key-bit ] ]
undo cmp-request rsa local-key-pair
Parameters
Parameter Description Value
key-name | Specifies the name of the RSA key pair. | The value must be an existing RSA key pair name.
key-bit | Specifies the bits of the RSA key pair generated during the certificate update. | The value is an integer that ranges from 2048 to 4096. The default value is 2048.
Views
CMP session view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When CMPv2 is used to apply for a certificate, the certificate request message sent
by the PKI entity to CA must contain public key information. Therefore, you need
to configure an RSA key pair for certificate application through CMPv2. Note the
following during the configuration:
● If regenerate is unspecified, the system uses the original RSA key pairs during
automatic updates.
● If regenerate is specified, the system generates new RSA key pairs during
certificate updates for the application for certificates and overwrites the
original certificates and RSA key pairs with the new ones.
Prerequisites
The RSA key pair for certificate application has been created using the pki rsa
local-key-pair create command or the RSA key pair has been imported to the
memory using the pki import rsa-key-pair command.
Precautions
One RSA key pair can be referenced only by one CMP session.
Example
# Configure the RSA key pair to be referenced by CMP session test and update the
RSA key pair during the certificate update.
<HUAWEI> system-view
[HUAWEI] pki rsa local-key-pair create test
Info: The name of the new key-pair will be: test
The size of the public key ranges from 2048 to 4096.
Input the bits in the modules:2048
Generating key-pairs...
.........................+++
................................................................................
........+++
[HUAWEI] pki cmp session test
[HUAWEI-pki-cmp-session-test] cmp-request rsa local-key-pair test regenerate 2048
Function
The cmp-request server url command specifies the URL address of a CMPv2
server.
The undo cmp-request server url command deletes the URL address of a CMPv2
server.
Format
cmp-request server url [ esc ] url-addr
Parameters
Parameter Description Value
url-addr | Specifies the URL of the CMPv2 server. | The value is a string starting with http:// and consisting of 1 to 128 case-insensitive characters without spaces.
Views
CMP session view
Default Level
2: Configuration level
Usage Guidelines
Configure a URL for the CMPv2 server before certificate application. Then the PKI
entity sends a request message to the server's URL.
A user cannot enter command lines that include a question mark (?). Therefore,
keyword esc supports the entering of URLs that include the question mark (?) in
the ASCII code. The URL must be in \x3f format, and 3f is the hexadecimal ASCII
code for the question mark (?). For example, if a user wants to enter http://
***.com?page1, the URL is http://***.com\x3fpage1. If a user wants to enter
http://www.***.com?page1\x3f that includes both a question mark (?) and \x3f,
the URL is http://www.***.com\x3fpage1\\x3f.
Example
# Set the URL of the CMPv2 server for CMP session test to http://10.1.1.1:8080.
<HUAWEI> system-view
[HUAWEI] pki cmp session test
[HUAWEI-pki-cmp-session-test] cmp-request server url http://10.1.1.1:8080
# Set the URL of the CMPv2 server for CMP session test to http://www.***.com?page1\x3f.
<HUAWEI> system-view
[HUAWEI] pki cmp session test
[HUAWEI-pki-cmp-session-test] cmp-request server url esc http://www.***.com\x3fpage1\\x3f
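The escaping rule described in the usage guidelines above is easy to get wrong by hand, so the following added example (not part of the command reference or of the device software) builds the `cmp-request server url` command line from a plain URL: a question mark is written as \x3f, a literal \x3f already present in the URL is doubled, and the `esc` keyword is added only when an escape is actually needed. The function names, and the check of the constraints listed in the Parameters table (http:// prefix, 1 to 128 characters, no spaces) against the string as typed, are this example's own assumptions.

```python
# Added example: escaping a CMPv2 server URL for `cmp-request server url esc`.
# Function names and the validation helper are assumptions of this example, not device commands.


def escape_cmp_url(url: str) -> str:
    """Return the form to type after the `esc` keyword."""
    # Double any literal \x3f first so it cannot be confused with an escaped '?'
    escaped = url.replace("\\x3f", "\\\\x3f")
    # Then replace every '?' with its hexadecimal ASCII escape
    return escaped.replace("?", "\\x3f")


def unescape_cmp_url(escaped: str) -> str:
    """Reverse escape_cmp_url: recover the URL the device will actually use."""
    out = []
    i = 0
    while i < len(escaped):
        if escaped.startswith("\\\\x3f", i):   # doubled sequence -> literal \x3f
            out.append("\\x3f")
            i += 5
        elif escaped.startswith("\\x3f", i):   # single sequence -> '?'
            out.append("?")
            i += 4
        else:
            out.append(escaped[i])
            i += 1
    return "".join(out)


def validate_cmp_url(value: str) -> None:
    """Check the Parameters-table constraints (assumed here to apply to the string as typed)."""
    if not value.lower().startswith("http://"):
        raise ValueError("URL must start with http://")
    if not 1 <= len(value) <= 128:
        raise ValueError("URL must be 1 to 128 characters")
    if " " in value:
        raise ValueError("URL must not contain spaces")


def cmp_server_url_command(url: str) -> str:
    """Return the full command line; `esc` is added only when escaping is needed."""
    if "?" in url or "\\x3f" in url:
        value = escape_cmp_url(url)
        validate_cmp_url(value)
        return f"cmp-request server url esc {value}"
    validate_cmp_url(url)
    return f"cmp-request server url {url}"


if __name__ == "__main__":
    # The three URLs used in the examples above; each round-trips through escape/unescape
    for u in ("http://10.1.1.1:8080", "http://***.com?page1", "http://www.***.com?page1\\x3f"):
        cmd = cmp_server_url_command(u)
        print(cmd)
        assert unescape_cmp_url(cmd.split()[-1]) == u
```

Keeping both directions in one place lets an operator verify, before committing the configuration, that the escaped string the CLI accepts decodes back to the URL the CA actually serves.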
Function
The cmp-request verification-cert command configures the certificate file for
verifying the CA response signature.
The undo cmp-request verification-cert command deletes the certificate file for
verifying the CA response signature.
By default, no certificate file for verifying the CA response signature is configured.
Format
cmp-request verification-cert cert-file-name
undo cmp-request verification-cert
Parameters
Parameter Description Value
cert-file-name | Specifies the certificate file name. | The value must be an existing certificate file name.
Views
CMP session view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After this command is executed, the device uses the configured certificate to verify
the CA response signature. The certificate configured by this command is the CA certificate.
If this command is not executed and the CA response mode is signature, the
device constructs a certificate chain from the certificates carried in the response
messages exchanged between the device and the CA, and uses it to verify the CA response
signature. If the MAC mode is set, the device uses the MAC to verify the CA response,
and this command does not take effect.
Prerequisites
The certificate file for verifying the CA response signature exists.
Example
# Configure the certificate file for verifying the CA response signature.
<HUAWEI> system-view
[HUAWEI] pki cmp session test
[HUAWEI-pki-cmp-session-test] cmp-request verification-cert aa.der
14.19.17 common-name
Function
The common-name command configures a common name for a PKI entity.
The undo common-name command cancels the configuration.
By default, a PKI entity does not have a common name.
Format
common-name common-name
undo common-name
Parameters
Parameter Description Value
common-name | Specifies the common name of a PKI entity. | The value is a string of 1 to 64 case-sensitive characters, including letters, numerals, apostrophes ('), equal signs (=), parentheses (), plus signs (+), commas (,), minus signs (-), periods (.), slashes (/), colons (:), and spaces.
Views
PKI entity view
Default Level
2: Configuration level
Usage Guidelines
After a PKI entity is created, a common name must be configured to uniquely
identify the PKI entity.
After the common name is configured for a PKI entity, the certificate request
packet sent by the device to the CA server carries this name. The CA server verifies
every received certificate request packet. For each valid packet, the CA server
generates a digital certificate carrying the common name of the PKI entity.
Example
# Set the common name to test for a PKI entity.
<HUAWEI> system-view
[HUAWEI] pki entity entity1
[HUAWEI-pki-entity-entity1] common-name test
Function
The country command configures a country code for a PKI entity.
The undo country command deletes the country code of a PKI entity.
By default, no country code is configured for a PKI entity.
Format
country country-code
undo country
Parameters
Views
PKI entity view
Default Level
2: Configuration level
Usage Guidelines
The parameters of a PKI entity contain the identity information of the entity. The
CA identifies a certificate applicant based on identity information provided by the
entity. To facilitate applicant identification, configure the country code for the PKI
entity, which is used as an alias of the entity.
After the country code is configured for a PKI entity, the certificate request packet
sent by the device to the CA server carries this country code. The CA server verifies
every received certificate request packet. For each valid packet, the CA server
generates a digital certificate carrying the country code of the PKI entity.
Example
# Configure the country code to CN for a PKI entity.
<HUAWEI> system-view
[HUAWEI] pki entity entity1
[HUAWEI-pki-entity-entity1] country CN
Function
The crl auto-update enable command enables the automatic CRL update
function.
The undo crl auto-update enable command disables the automatic CRL update
function.
By default, automatic CRL update is enabled.
Format
crl auto-update enable
undo crl auto-update enable
Parameters
None
Views
PKI realm view
Default Level
2: Configuration level
Usage Guidelines
To configure the automatic CRL update function, enable the function first.
Example
# Enable the automatic CRL update function.
<HUAWEI> system-view
[HUAWEI] pki realm d1
[HUAWEI-pki-realm-d1] crl auto-update enable
Function
The crl cache command configures the device to use the cached CRL.
The undo crl cache command configures the device to retrieve the latest CRL
each time.
By default, the PKI realm is allowed to use cached CRLs.
Format
crl cache
undo crl cache
Parameters
None
Views
PKI realm view
Default Level
2: Configuration level
Usage Guidelines
The system overwrites the CRL in memory with the cached CRL for certificate
verification. If the PKI realm is not allowed to use the cached CRL, the system must
download the latest CRL every time and overwrite the CRL in memory with it.
Example
# Allow the device to use the cached CRL in the PKI realm abc.
<HUAWEI> system-view
[HUAWEI] pki realm abc
[HUAWEI-pki-realm-abc] crl cache
Function
The crl http command enables automatic CRL update using HTTP.
By default, the CRL is updated automatically using HTTP.
Format
crl http
Parameters
None
Views
PKI realm view
Default Level
2: Configuration level
Usage Guidelines
Run this command when the CRL is updated using HTTP, and ensure that there is
sufficient space in the device storage for the CRL file.
Example
# Configure automatic CRL update using HTTP.
<HUAWEI> system-view
[HUAWEI] pki realm d1
[HUAWEI-pki-realm-d1] crl http
Function
The crl scep command configures a device to use SCEP to automatically update a
CRL.
By default, a device uses HTTP to automatically update a CRL.
Format
crl scep
Parameters
None
Views
PKI realm view
Default Level
2: Configuration level
Usage Guidelines
Run this command when the CRL is updated using SCEP, and ensure that there is
sufficient space in the device storage for the CRL file.
Example
# Use SCEP to automatically update a CRL.
<HUAWEI> system-view
[HUAWEI] pki realm d1
[HUAWEI-pki-realm-d1] crl scep
Function
The crl update-period command sets the interval for automatic CRL update.
The undo crl update-period command restores the default interval for automatic
CRL update.
Format
crl update-period interval
Parameters
Views
PKI realm view
Default Level
2: Configuration level
Usage Guidelines
The CRL update interval is the interval at which a PKI entity using a certificate
downloads a CRL from the CRL storage server. The CA/RA does not issue the CRL
to an entity. Instead, the entity initiates CRL query to obtain a CRL.
Example
# Set the interval at which a CRL is automatically updated to 21 hours.
<HUAWEI> system-view
[HUAWEI] pki realm d1
[HUAWEI-pki-realm-d1] crl update-period 21
Function
The display pki ca-capability command displays the CA capabilities of a PKI
realm.
Format
display pki ca-capability realm realm-name
Parameters
Views
All views
Default Level
3: Management level
Usage Guidelines
The display pki ca-capability command displays the CA capabilities of a PKI
realm.
Example
# Display the CA capabilities of the PKI realm asdf.
<HUAWEI> display pki ca-capability realm asdf
PKI CA Capabilities :
GetNextCACert : ----
POSTPKIOperation : ----
Renewal : ----
SHA-512 : ----
SHA-256 : ----
SHA-1 : ----
DES3 : ----
Function
The display pki cert-req command displays the content of a certificate request
file.
Format
display pki cert-req filename file-name
Parameters
Views
All views
Default Level
3: Management level
Usage Guidelines
This command displays content of a certificate request file, including the subject,
public key algorithm, key modulus, attributes, and signature algorithm.
Example
# Display the content of a certificate request file named test.req.
<HUAWEI> display pki cert-req filename test.req
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=CN, ST=Jiangsu, L=Beijing, O=org1, OU=Group1,Sale, CN=huawei
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c4:01:cf:95:bb:fb:35:f0:3e:cd:1d:10:9e:11:
08:2e:77:48:ba:1b:e6:00:1b:43:30:56:f9:9a:6b:
ed:8b:fe:3e:03:57:38:02:48:88:e3:9b:39:d0:1c:
2b:8f:6a:9b:91:17:9b:ce:cb:fc:87:40:78:39:08:
1c:53:c3:71:cc:db:64:6f:ec:5a:cd:33:a5:68:5e:
e6:52:61:ad:a1:58:55:f0:a0:0f:db:ab:05:eb:a4:
fe:e1:68:61:8c:af:2c:3a:34:95:d2:41:ee:09:e7:
b0:fc:59:d9:f4:12:00:de:ab:14:b6:a3:fe:29:75:
f7:dd:7b:aa:03:81:fc:ae:41:8c:e4:ad:e3:d9:65:
d4:be:a0:c1:e0:43:8a:91:ad:20:7b:6f:12:25:6e:
0d:67:7d:4c:fe:8d:1b:6d:f3:96:07:31:ed:73:d3:
71:6b:51:18:64:bd:41:d6:18:2d:2d:86:b7:fa:26:
eb:cc:cb:a3:0f:0b:61:22:fd:dd:5f:b4:4d:9b:7d:
bc:fa:af:e6:95:d7:27:f1:60:31:56:83:58:2c:40:
1a:5e:6a:94:63:aa:70:2f:9b:00:e0:a3:9e:fb:73:
62:5e:1c:3c:5f:48:42:7c:26:8f:5f:cf:39:b9:5d:
25:90:8e:6c:e0:04:ec:e2:1b:1f:a8:0d:d2:ef:20:
41:79
Exponent: 65537 (0x10001)
Attributes:
challengePassword :******
Requested Extensions:
X509v3 Subject Alternative Name:
IP Address:10.1.1.1, DNS:example.com, email:test@example.com
Signature Algorithm: sha256WithRSAEncryption
71:e7:c0:5f:36:c9:16:eb:fc:0c:8e:d1:4f:3d:ee:25:6b:47:
65:86:4b:89:ec:22:01:42:a5:0e:5c:aa:01:0a:57:a9:25:ba:
1b:59:6d:77:5f:74:80:3b:af:f9:37:75:97:9a:ca:80:73:8b:
36:14:2c:4b:9a:2f:53:5c:5b:4a:93:31:88:94:0f:4d:58:84:
36:41:e8:a8:6c:cd:f0:bb:9f:51:50:b2:a4:40:f4:ec:37:c5:
42:08:69:b5:c5:fd:af:3d:8a:aa:47:53:d3:ce:bc:76:ec:47:
ca:36:90:0b:49:2b:2f:04:c4:1f:f1:12:b6:99:d0:f8:33:d8:
08:d0:32:ac:ee:34:0f:07:ef:72:9f:6b:71:80:3e:8d:37:cc:
ca:b5:c1:56:3d:65:c7:e6:99:1b:2b:53:01:69:f5:8a:18:05:
d1:b1:48:3e:50:e0:4c:7f:db:dc:b7:cd:a2:37:f9:96:cd:0d:
ee:61:c2:80:61:6b:99:c0:76:0d:ab:2c:46:ce:b7:aa:6a:12:
72:b7:6f:64:cc:78:b7:16:bd:c5:32:45:79:42:cf:4c:28:91:
ce:cd:7d:da:eb:2b:3a:cf:90:1f:61:5e:02:25:fe:3c:82:66:
d4:e8:c7:f8:5e:84:2c:f6:b2:f0:ba:ee:7a:c1:9b:d4:68:02:
a4:e3:27:89
Function
The display pki certificate command displays the content of the CA certificate, local
certificate, or OCSP server certificate loaded on the device.
Format
display pki certificate { ca | local | ocsp } realm realm-name
Parameters
Parameter Description Value
realm realm-name | Specifies the PKI realm name of a certificate to be checked. | The PKI realm name must already exist.
Views
All views
Default Level
2: Configuration level
Usage Guidelines
This command shows information about the CA certificate, local certificate, and
OCSP server's certificate, including signature algorithm, issuer, validity period,
subject, and subject public key.
Example
# Display information about the CA certificate.
<HUAWEI> display pki certificate ca realm abc
The x509 object type is certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0c:f0:1a:f3:67:21:44:9a:4a:eb:ec:63:75:5d:d7:5f
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=ca_root
Validity
Not Before: Jun 4 14:58:17 2015 GMT
Not After : Jun 4 15:07:10 2020 GMT
Subject: CN=ca_root
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d9:5f:2a:93:cb:66:18:59:8c:26:80:db:cd:73:
d5:68:92:1b:04:9d:cf:33:a2:73:64:3e:5f:fe:1a:
53:78:0e:3d:e1:99:14:aa:86:9b:c3:b8:33:ab:bb:
76:e9:82:f6:8f:05:cf:f6:83:8e:76:ca:ff:7d:f1:
bc:22:74:5e:8f:4c:22:05:78:d5:d6:48:8d:82:a7:
5d:e1:4c:a4:a9:98:ec:26:a1:21:07:42:e4:32:43:
ff:b6:a4:bd:5e:4d:df:8d:02:49:5d:aa:cc:62:6c:
34:ab:14:b0:f1:58:4a:40:20:ce:be:a5:7b:77:ce:
a4:1d:52:14:11:fe:2a:d0:ac:ac:16:95:78:34:34:
21:36:f2:c7:66:2a:14:31:28:dc:7f:7e:10:12:e5:
6b:29:9a:e8:fb:73:b1:62:aa:7e:bd:05:e5:c6:78:
6d:3c:08:4c:9c:3f:3b:e0:e9:f2:fd:cb:9a:d1:b7:
de:1e:84:f4:4a:7d:e2:ac:08:15:09:cb:ee:82:4b:
6b:bd:c6:68:da:7e:c8:29:78:13:26:e0:3c:6c:72:
39:c5:f8:ad:99:e4:c3:dd:16:b5:2d:7f:17:e4:fd:
e4:51:7a:e6:86:f0:e7:82:2f:55:d1:6f:08:cb:de:
84:da:ce:ef:b3:b1:d6:b3:c0:56:50:d5:76:4d:c7:
fb:75
Exponent: 65537 (0x10001)
X509v3 extensions:
1.3.6.1.4.1.311.20.2:
...C.A
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
B8:63:72:A4:5E:19:F3:B1:1D:71:E1:37:26:E1:46:39:01:B6:82:C5
X509v3 CRL Distribution Points:
Full Name:
URI:http://vasp-e6000-127.china.huawei.com/CertEnroll/ca_root.crl
URI:file://\\vasp-e6000-127.china.huawei.com\CertEnroll\ca_root.crl
1.3.6.1.4.1.311.21.1:
...
Signature Algorithm: sha1WithRSAEncryption
52:21:46:b8:67:c8:c3:4a:e7:f8:cd:e1:02:d4:24:a7:ce:50:
be:33:af:8a:49:47:67:43:f9:7f:79:88:9c:99:f5:87:c9:ff:
08:0f:f3:3b:de:f9:19:48:e5:43:0e:73:c7:0f:ef:96:ef:5a:
5f:44:76:02:43:83:95:c4:4e:06:5e:11:27:69:65:97:90:4f:
04:4a:1e:12:37:30:95:24:75:c6:a4:73:ee:9d:c2:de:ea:e9:
05:c0:a4:fb:39:ec:5c:13:29:69:78:33:ed:d0:18:37:6e:99:
bc:45:0e:a3:95:e9:2c:d8:50:fd:ca:c2:b3:5a:d8:45:82:6e:
ec:cc:12:a2:35:f2:43:a5:ca:48:61:93:b9:6e:fe:7c:ac:41:
bf:88:70:57:fc:bb:66:29:ae:73:9c:95:b9:bb:1d:16:f7:b4:
6a:da:03:df:56:cf:c7:c7:8c:a9:19:23:61:5b:66:22:6f:7e:
1d:26:92:69:53:c8:c6:0e:b3:00:ff:54:77:5e:8a:b5:07:54:
fd:18:39:0a:03:ac:1d:9f:1f:a1:eb:b9:f8:0d:21:25:36:d5:
06:de:33:fa:7b:c8:e9:60:f3:76:83:bf:63:c6:dc:c1:2c:e4:
58:b9:cb:48:15:d2:a8:fa:42:72:15:43:ef:55:63:39:58:77:
e8:ae:0f:34
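The usage guidelines say this command shows the signature algorithm, validity period, subject and extensions, but the device output is only useful if someone reads it. The following added example (it is not part of the command reference or of the device software) parses a `display pki certificate` dump, captured here as a constructed excerpt of the CA certificate shown above, and reports the checks an operator typically wants: expired or nearly expired validity, a SHA-1 signature, and a CA certificate whose key usage does not permit certificate signing. Function names and the 30-day warning threshold are this example's own assumptions.

```python
# Added example: checking a `display pki certificate` dump for expiry and weak settings.
# Function names and the warning threshold are assumptions of this example.
from datetime import datetime, timezone

# Constructed excerpt of the `display pki certificate ca realm abc` output above,
# trimmed to the fields this check reads.
SAMPLE_CA_CERT = """\
The x509 object type is certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0c:f0:1a:f3:67:21:44:9a:4a:eb:ec:63:75:5d:d7:5f
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=ca_root
Validity
Not Before: Jun 4 14:58:17 2015 GMT
Not After : Jun 4 15:07:10 2020 GMT
Subject: CN=ca_root
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
"""


def parse_device_time(text: str) -> datetime:
    """Parse the device's 'Jun 4 15:07:10 2020 GMT' timestamps into aware UTC datetimes."""
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def parse_display_pki_certificate(text: str) -> dict:
    """Extract the fields the checks below need from the command output."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    info = {"serial": None, "issuer": None, "subject": None, "sig_alg": None,
            "not_before": None, "not_after": None, "is_ca": False, "key_usage": ()}
    for i, ln in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""   # value lines follow their label
        if ln == "Serial Number:":
            info["serial"] = nxt.replace(":", "").upper()
        elif ln.startswith("Signature Algorithm:") and info["sig_alg"] is None:
            info["sig_alg"] = ln.split(":", 1)[1].strip()   # first occurrence is in the body
        elif ln.startswith("Issuer:"):
            info["issuer"] = ln.split(":", 1)[1].strip()
        elif ln.startswith("Subject:"):
            info["subject"] = ln.split(":", 1)[1].strip()
        elif ln.startswith("Not Before:"):
            info["not_before"] = parse_device_time(ln.split(":", 1)[1])
        elif ln.startswith("Not After"):
            info["not_after"] = parse_device_time(ln.split(":", 1)[1])
        elif ln.startswith("X509v3 Basic Constraints"):
            info["is_ca"] = nxt.upper().startswith("CA:TRUE")
        elif ln.startswith("X509v3 Key Usage"):
            info["key_usage"] = tuple(u.strip() for u in nxt.split(","))
    return info


def assess_certificate(info: dict, now: datetime, warn_days: int = 30) -> list:
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    if now < info["not_before"]:
        findings.append("not yet valid")
    elif now >= info["not_after"]:
        findings.append("expired")
    elif (info["not_after"] - now).days < warn_days:
        findings.append(f"expires within {warn_days} days")
    if info["sig_alg"] and info["sig_alg"].lower().startswith(("sha1", "md5")):
        findings.append("weak signature algorithm: " + info["sig_alg"])
    if info["is_ca"] and "Certificate Sign" not in info["key_usage"]:
        findings.append("CA certificate lacks Certificate Sign key usage")
    return findings


if __name__ == "__main__":
    cert = parse_display_pki_certificate(SAMPLE_CA_CERT)
    for finding in assess_certificate(cert, datetime.now(timezone.utc)):
        print(f"{cert['subject']}: {finding}")
```

Run against the sample, the check reports the CA certificate as expired (Not After is in 2020) and flags its sha1WithRSAEncryption signature; the key-usage check passes because Certificate Sign is present.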
Function
The display pki certificate enroll-status command displays the certificate
enrollment status.
Format
display pki certificate enroll-status [ realm realm-name ]
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The display pki certificate enroll-status command displays the certificate
enrollment status.
Example
# Display the certificate enrollment status.
<HUAWEI> display pki certificate enroll-status realm abc
Certificate Request Transaction 1
Status: Pending
Key Usage: ENC&SIG
Entity name: test
Remain polling count: 1
Next polling after : 35 seconds
<HUAWEI> display pki certificate enroll-status realm abc
info: No certificate request transaction in realm abc.
Function
The display pki certificate filename command displays the content of a
certificate.
Format
display pki certificate filename file-name
Parameters
Views
All views
Default Level
3: Management level
Usage Guidelines
This command shows information about the certificate including signature
algorithm, issuer, validity period, subject, and subject public key.
Example
# Display information about the certificate ca.cer.
<HUAWEI> display pki certificate filename ca.cer
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
f3:a3:3a:46:f6:09:8d:18
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=JS, L=NJ, O=HW, OU=VPN, CN=CA-210235G7G410FB000060
Validity
Not Before: May 16 11:48:04 2017 GMT
Not After : May 14 11:48:04 2027 GMT
Subject: C=CN, ST=JS, L=NJ, O=HW, OU=VPN, CN=CA-210235G7G410FB000060
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:ba:cc:ef:2f:55:9c:d0:09:c5:1b:d2:52:63:92:
c8:f0:88:ed:1b:88:f1:e4:3c:90:07:85:01:8c:d5:
80:d9:91:ef:64:e9:79:0c:7d:0e:b9:6c:00:a2:72:
e2:1b:aa:9b:2d:11:6b:6f:2d:de:5d:58:22:cf:9e:
2f:7d:f1:ad:71:e9:25:0e:bc:26:f1:77:57:02:3d:
7f:09:8f:49:63:ae:11:75:57:65:a0:bd:9c:94:c6:
df:21:f7:c8:5a:4d:5e:f8:5e:84:b0:b0:fd:a6:c7:
e0:78:d1:1c:8a:55:d9:e9:66:1c:e5:4e:ce:88:dd:
fa:0f:60:d0:7e:86:a1:ec:b1:34:aa:f7:dd:72:c6:
0a:90:c7:4a:6b:a0:86:01:30:b6:6f:23:ff:ce:ae:
39:fb:de:18:ce:2f:b9:d7:17:09:8c:29:19:34:7a:
69:75:dc:ee:bf:2e:d4:93:fb:f6:a6:5b:f8:2a:6d:
fe:bd:f4:8b:30:49:5c:a8:94:76:12:9d:64:78:4a:
48:d3:2d:63:da:0a:79:b2:ee:8e:2d:5a:a0:71:99:
cf:b9:68:77:d3:d9:cf:12:64:80:bb:42:8c:28:1f:
d9:bf:7c:4b:8f:39:1e:dc:92:a4:ff:8e:b3:02:58:
c5:79:96:f2:a1:f9:17:cb:ea:49:57:b0:b0:3c:af:
db:19
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
83:08:A4:F4:BC:EC:1B:B6:7D:B0:27:F6:10:47:77:AA:2A:66:59:D5
Netscape Cert Type:
SSL CA
Signature Algorithm: sha256WithRSAEncryption
1e:6b:2a:76:7e:8e:b0:0e:72:4e:02:53:b0:77:0d:13:28:4e:
c3:e5:f8:0b:76:fd:56:2c:e6:5b:d1:f8:48:19:17:95:1a:79:
5e:d9:50:b9:68:bd:36:c4:ce:7b:ce:0c:98:55:b1:44:9f:20:
66:66:33:3c:b5:40:ad:50:c8:64:1c:07:0e:08:42:72:88:35:
d4:af:f0:8d:5d:64:90:5d:ec:f0:5c:07:76:10:ed:9b:22:18:
ef:44:4e:c2:29:32:40:68:fe:04:dc:0e:f6:2b:25:c2:73:f5:
9b:64:df:25:56:c6:bb:6e:a4:2f:07:b3:9d:c0:18:60:72:cb:
51:62:94:ee:f7:21:0a:a0:92:58:a1:bf:c8:30:0e:0c:0a:91:
cb:f4:8f:07:52:ba:df:25:88:8a:b3:3f:f0:68:fa:4c:b7:31:
c8:97:e0:49:08:8a:74:fc:c2:90:d7:3c:0b:00:38:90:3b:19:
ab:66:96:24:1f:86:b9:62:49:6d:9c:2d:02:99:38:bb:96:b6:
dd:0f:3c:6e:24:7b:3d:1e:77:58:e7:46:2b:42:cc:14:6a:a4:
16:45:ed:3c:b1:d6:30:94:c0:30:d0:46:fa:bc:da:9a:2b:f1:
fa:f3:df:1b:84
Table 14-98 Description of the display pki certificate filename command output
Function
The display pki cmp statistics command displays CMP session statistics.
Format
display pki cmp statistics [ session session-name ]
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
This command displays CMP session statistics, including the number of sent IR
packets, sent CR packets, sent KUR packets, and received IP packets.
If a CMP session is specified, the statistics of the session are displayed. If no CMP
session is specified, the statistics of all sessions are displayed.
Example
# Display the statistics of the CMP session test.
<HUAWEI> display pki cmp statistics session test
CMP Context Name: test
Ir Send Counts :0
Cr Send Counts :0
Kur Send Counts :0
PollReq Send Counts : 0
Ip Receive Counts :0
Cp Receive Counts :0
Kup Receive Counts : 0
PollRep Receive Counts: 0
Table 14-99 Description of the display pki cmp statistics command output
Function
The display pki credential-storage-path command displays the default path
where a PKI certificate is stored.
Format
display pki credential-storage-path
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The display pki credential-storage-path command displays the default path
where a PKI certificate is stored.
Example
# Display the default path where a PKI certificate is stored.
<HUAWEI> display pki credential-storage-path
The pki credential-storage-path is flash:/ .
Function
The display pki crl command displays the content of the CRL in the device.
Format
display pki crl { realm realm-name | filename filename }
Parameters
Parameter Description Value
realm realm-name | Specifies the name of the PKI realm associated with the CRL. | The PKI realm name must already exist.
filename filename | Specifies the file name of the certificate to be imported. | The certificate file name must already exist.
Views
All views
Default Level
3: Management level
Usage Guidelines
This command shows information about local CRL, including signature algorithm,
issuer, update time, revoked certificate, CRL sequence number, and revocation
time.
Example
# Display information about the CRL associated with the PKI realm abc.
<HUAWEI> display pki crl realm abc
The x509 object type is CRL:
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /CN=ca_root
Last Update: Dec 15 08:24:28 2015 GMT
Next Update: Dec 22 20:44:28 2015 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:B8:63:72:A4:5E:19:F3:B1:1D:71:E1:37:26:E1:46:39:01:B6:82:C5
1.3.6.1.4.1.311.21.1:
...
X509v3 CRL Number:
365
1.3.6.1.4.1.311.21.4:
151222083428Z .
Revoked Certificates:
Serial Number: 28C63371000000003E04
Revocation Date: Dec 15 08:34:27 2015 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Key Compromise
Serial Number: 28C2AB44000000003E01
Revocation Date: Dec 15 08:30:35 2015 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Key Compromise
Serial Number: 2364247C000000003D48
Revocation Date: Dec 14 07:29:05 2015 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Key Compromise
Serial Number: 23627E0F000000003D47
Revocation Date: Dec 14 07:27:29 2015 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Key Compromise
Serial Number: 2360F397000000003D46
Revocation Date: Dec 14 07:25:48 2015 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Key Compromise
Signature Algorithm: sha1WithRSAEncryption
7a:71:54:d1:66:13:6f:9f:62:03:ac:9a:5f:42:10:15:87:46:
e2:a1:49:0f:44:19:ce:ed:6f:c3:0e:9f:31:fe:62:d5:08:0b:
a4:a7:7e:80:4d:9a:5b:a9:55:5c:1a:73:30:62:48:e1:28:0e:
5b:bd:ae:04:7e:83:36:43:62:fc:f7:12:0d:f9:f6:ac:2b:be:
9c:50:6c:67:19:43:12:31:67:c2:06:31:97:e1:34:75:1c:87:
53:5f:e6:15:a1:33:ad:00:e7:14:68:59:05:67:28:78:a0:91:
49:7b:ab:87:9f:9e:53:18:4b:54:53:1c:b7:1c:2d:3e:b3:57:
63:95:1d:01:29:9e:6c:41:07:40:2d:28:d8:82:7b:d6:22:e6:
0d:0c:4c:af:84:96:8e:f1:29:28:d4:9e:1c:37:3b:1b:2e:34:
a7:15:e3:29:d1:c0:69:0a:7f:24:b1:ce:00:f1:b3:da:ef:8a:
1b:14:36:f9:14:6c:b0:66:86:a8:92:95:fc:e3:78:aa:d6:d0:
cb:4d:26:b4:bc:41:c4:47:19:d0:2a:0c:ac:c6:aa:95:c2:03:
33:8a:39:45:3e:c3:ad:46:7d:8a:03:4d:08:e2:d0:9a:ae:39:
fa:8d:61:d0:1c:6c:03:d4:48:2e:4d:37:60:a1:06:a4:ea:c8:
0d:20:59:c2
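The CRL commands above (crl cache, crl update-period, display pki crl) fit together: the entity polls the CRL server at the configured interval and may keep using a cached copy in between, so the interesting questions are whether a given serial is on the list, whether the copy in memory is past its Next Update, and whether the polling interval is short enough for that never to happen. The following added example (not part of the command reference or of the device software) parses a `display pki crl` dump, embedded here as a constructed excerpt of the output above with two of its five revoked entries, and answers those three questions. Function and class names are this example's own.

```python
# Added example: parsing `display pki crl` output and checking it against `crl update-period`.
# Class and function names are assumptions of this example.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed excerpt of the `display pki crl realm abc` output shown above.
SAMPLE_CRL = """\
The x509 object type is CRL:
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /CN=ca_root
Last Update: Dec 15 08:24:28 2015 GMT
Next Update: Dec 22 20:44:28 2015 GMT
CRL extensions:
X509v3 CRL Number:
365
Revoked Certificates:
Serial Number: 28C63371000000003E04
Revocation Date: Dec 15 08:34:27 2015 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Key Compromise
Serial Number: 2364247C000000003D48
Revocation Date: Dec 14 07:29:05 2015 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Key Compromise
"""


def parse_device_time(text: str) -> datetime:
    """Parse the device's 'Dec 15 08:24:28 2015 GMT' timestamps into aware UTC datetimes."""
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


@dataclass
class RevokedEntry:
    serial: str
    revocation_date: Optional[datetime] = None
    reason: Optional[str] = None


@dataclass
class Crl:
    issuer: str = ""
    last_update: Optional[datetime] = None
    next_update: Optional[datetime] = None
    number: Optional[int] = None
    revoked: dict = field(default_factory=dict)   # normalised serial -> RevokedEntry


def normalise_serial(serial: str) -> str:
    # Serials are printed with or without colons depending on the command; compare hex digits only
    return serial.replace(":", "").replace(" ", "").upper()


def parse_display_pki_crl(text: str) -> Crl:
    crl = Crl()
    current = None                      # the revoked entry whose fields are being filled
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for i, ln in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""   # value lines follow their label
        if ln.startswith("Issuer:"):
            crl.issuer = ln.split(":", 1)[1].strip()
        elif ln.startswith("Last Update:"):
            crl.last_update = parse_device_time(ln.split(":", 1)[1])
        elif ln.startswith("Next Update:"):
            crl.next_update = parse_device_time(ln.split(":", 1)[1])
        elif ln == "X509v3 CRL Number:":
            crl.number = int(nxt)
        elif ln.startswith("Serial Number:"):
            current = RevokedEntry(normalise_serial(ln.split(":", 1)[1]))
            crl.revoked[current.serial] = current
        elif ln.startswith("Revocation Date:") and current is not None:
            current.revocation_date = parse_device_time(ln.split(":", 1)[1])
        elif ln == "X509v3 CRL Reason Code:" and current is not None:
            current.reason = nxt
    return crl


def is_revoked(crl: Crl, serial: str) -> bool:
    return normalise_serial(serial) in crl.revoked


def is_stale(crl: Crl, now: datetime) -> bool:
    """True once Next Update has passed: a cached CRL should not be trusted beyond it."""
    return now >= crl.next_update


def update_period_fits(crl: Crl, update_period_hours: int) -> bool:
    """True if the `crl update-period` value is no longer than the CRL's own validity window."""
    return timedelta(hours=update_period_hours) <= crl.next_update - crl.last_update


if __name__ == "__main__":
    crl = parse_display_pki_crl(SAMPLE_CRL)
    print(f"CRL #{crl.number} from {crl.issuer}: {len(crl.revoked)} revoked, "
          f"stale now: {is_stale(crl, datetime.now(timezone.utc))}")
    print("update-period 21 fits validity window:", update_period_fits(crl, 21))
```

With the 21-hour interval used in the crl update-period example, the check passes because this CRL is valid for about seven and a half days; an interval longer than that window would leave the device relying on a cached CRL past its Next Update whenever crl cache is in effect.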
Function
The display pki entity command displays information about PKI entities.
Format
display pki entity [ entity-name ]
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
This command displays information about PKI entities, including the entity name,
common name, country, state or province, locality, and organization of each entity.
Example
# Display information about all PKI entities.
<HUAWEI> display pki entity
PKI Entity Information:
Entity Name :a
Common name : chi
Country :-
State :A
Locality :-
Organization :A
Organization unit: -
FQDN : www. e
IP address :-
Email :-
Serial-number : -
Total Number: 1
Function
The display pki ocsp cache statistics command displays statistics about cached
OCSP responses.
Format
display pki ocsp cache statistics
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
This command shows statistics about cached OCSP responses, including the
maximum number of OCSP responses that can be cached, cache update interval,
and number of cached responses.
Example
# Display statistics about cached OCSP responses.
<HUAWEI> display pki ocsp cache statistics
=====================================================
OCSP Cache Function: Enable
OCSP Cache Max Number: 2
OCSP Cache Refresh Interval: 5 minutes
OCSP Cache Current Number: 0
=====================================================
Table 14-102 Description of the display pki ocsp cache statistics command
output
Function
The display pki ocsp cache detail command displays detailed information about the
OCSP cache.
Format
display pki ocsp cache detail
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
You can run this command to view detailed information about the OCSP cache.
Example
# Display detailed information about the OCSP cache.
<HUAWEI> display pki ocsp cache detail
=====================================================
Cache Hash Status Info:
num_items =0
num_nodes =8
num_alloc_nodes = 16
num_expands =0
num_expand_reallocs = 0
num_contracts =0
num_contract_reallocs = 0
num_hash_calls =0
num_comp_calls =0
num_insert =0
num_replace =0
num_delete =0
num_no_delete =0
num_retrieve =0
num_retrieve_miss =0
num_hash_comps =0
Cache Hash Node Status Info:
node 0 -> 0
node 1 -> 0
node 2 -> 0
node 3 -> 0
node 4 -> 0
node 5 -> 0
node 6 -> 0
node 7 -> 0
Cache Hash Node Usage Status Info:
Table 14-103 Description of the display pki ocsp cache detail command output
Item Description
Cache Hash Node Status Info | Hash node status in the OCSP cache. For example, node 0 -> 0 indicates that node 0 is unused; node 0 -> 1 indicates that node 0 is in use.
Cache Hash Node Usage Status Info | Hash node use status in the OCSP cache.
n nodes used out of 8 | There are 8 hash nodes, and n nodes are in use.
Function
The display pki ocsp server down-information command displays the Down
state information of the OCSP server recorded on the device.
Format
display pki ocsp server down-information
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
There is a mechanism to determine whether the OCSP server is Down. When the
OCSP server corresponding to a URL cannot be accessed, the server status is set to
Down. In this case, the device will not send OCSP requests to the URL within 10
minutes.
Example
# Display the Down state information of the OCSP server.
<HUAWEI> display pki ocsp server down-information
=====================================================
Item Description
Last timeout until now | Time elapsed since the last connection timeout.
Function
The display pki peer-certificate command displays the imported certificates of
the remote device.
Format
display pki peer-certificate { name peer-name | all }
Parameters
Views
All views
Default Level
2: Configuration level
Usage Guidelines
This command shows information about imported certificates of the remote
device, including signature algorithm, issuer, validity period, subject, public key,
and PKI realm.
Example
# Display brief information about all certificates of the remote device.
<HUAWEI> display pki peer-certificate all
Peer certificate name :abcd
Serial Number:
12 19 3c d3 00 00 00 00 04 9a
Subject:
CN=a
Total Number: 1
# Display detailed information about the certificate abcd of the remote device.
<HUAWEI> display pki peer-certificate name abcd
The x509 object type is certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
12:19:3c:d3:00:00:00:00:04:9a
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=CA_ROOT
Validity
Not Before: Feb 19 13:00:22 2013 GMT
Not After : Feb 19 13:10:22 2014 GMT
Subject: CN=a
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (512 bit)
Modulus:
00:b9:8b:47:65:a9:99:ed:58:b2:63:74:65:56:d1:
08:bb:1d:8f:4e:ed:72:a2:4a:ef:d8:45:3d:53:db:
c8:eb:df:53:9e:5f:c7:96:46:65:14:1a:ab:72:e9:
a2:71:c8:7a:f0:51:0c:cc:39:bb:14:75:7d:f1:bc:
88:2c:a7:2e:e9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
E2:5B:8A:03:58:01:C8:E3:14:BC:18:5B:F9:BD:00:68:5B:D1:90:4E
X509v3 Authority Key Identifier:
keyid:CE:BA:CA:39:C7:AD:6A:CB:85:17:D0:8A:8E:28:02:0B:52:D4:D9:2B
Full Name:
URI:http://10.1.1.1:8080/CertEnroll/CA_ROOT.crl
1.3.6.1.4.1.311.20.2:
.0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e
Signature Algorithm: sha1WithRSAEncryption
bb:8b:77:af:ae:df:2e:0c:bd:7a:29:6e:76:23:ad:7d:69:6d:
0d:16:d9:18:82:ad:4f:52:b3:cd:1c:1a:fc:34:00:33:36:8d:
47:2a:20:24:52:b7:02:75:cc:ab:3b:4c:f8:2a:a9:a9:4f:46:
fb:c2:21:00:c1:b5:c2:67:0c:b1:99:2a:62:7b:71:4d:e7:c2:
93:29:bb:ec:b1:e9:28:82:2f:77:61:ec:28:66:35:cb:5f:15:
04:73:77:d8:26:91:7b:a2:56:74:51:33:0b:f1:04:28:24:b2:
71:58:ad:5c:f8:96:17:0d:f7:b7:5f:4b:b9:ed:09:79:bc:54:
21:c5:9b:90:f7:7b:21:aa:5a:aa:6f:51:e4:79:ce:b8:35:8b:
19:90:51:94:e6:c2:61:f8:24:46:85:4c:a9:69:bd:8a:ef:c2:
64:b8:19:ab:0b:6b:ec:34:41:8d:43:43:44:d1:1b:4c:4a:23:
cd:40:52:7a:2e:8c:5d:b6:62:55:93:45:c8:3e:de:b1:51:82:
d0:bb:7c:b8:09:7b:97:08:7b:93:17:40:a8:6f:2d:ed:f4:3e:
36:10:2a:20:e3:47:e1:fb:ad:fe:97:73:a7:53:d0:f8:52:ca:
b6:0e:e8:f1:df:6c:7a:37:39:bb:82:f9:03:c9:4a:71:65:df:
6f:37:e6:b7
Function
The display pki realm command displays PKI realm information.
Format
display pki realm [ realm-name ]
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
This command displays details about PKI realms, including PKI realm name,
associated CA, CA certificate subject name, URL of the certificate enrolled through
SCEP, PKI entity name, digital fingerprint algorithm of CA certificate, and digital
fingerprint of CA certificate.
Example
# Display information about the PKI realm abc.
<HUAWEI> display pki realm abc
Realm Name : abc
CA ID: CA_ROOT
CA Name: "/CN=ca_root"
Enrollment URL: http://10.136.7.196:8080/certsrv/mscep/mscep.dll
Certificate Request Interval(Minutes): 1
Certificate Request Times: 5
Enrollment Mode: RA
Enrollment Method: SCEP
Entity Name: abc
Total Number: 1
Item          Description
Realm Name    PKI realm name. It is configured using the pki realm (system view) command.
OCSP URL      OCSP server's URL. It is configured using the ocsp url command.
Crl Cache     Whether the PKI realm is allowed to use the CRL in cache.
              ● Enable: The PKI realm is allowed to use the CRL in cache.
              ● Disable: The PKI realm is not allowed to use the CRL in cache.
              To configure whether to allow the PKI realm to use the CRL in cache, run the crl cache command.
RSA Key Name  RSA key. It is configured using the rsa local-key-pair command.
Function
The display pki rsa local-key-pair command displays RSA key pairs and public
keys.
Format
display pki rsa local-key-pair { pem | pkcs12 } filename [ password password ]
NOTE
The pem file-name parameter is supported only when the WEAKEA plug-in is installed. For
details about how to install the plug-in, see the plug-in installation guide.
Parameters
Parameter          Description                                                     Value
filename           Specifies the name of the file that contains the RSA key pair.  The file name must already exist.
password password  Specifies the decryption password for the RSA key pair file.    The value must be the name of an existing
                   The value must be the same as the password configured using     decryption password of the RSA key pair.
                   the pki export rsa-key-pair command.
name key-name      Specifies the RSA key pair name.                                The RSA key pair name must already exist.
Views
All views
Default Level
3: Management level
Usage Guidelines
This command shows information about the RSA key pair and public key, including
key pair creation time, key pair name, whether the key can be exported, and
public key information.
If key-name is not specified, all RSA key pairs and public keys are displayed. If
key-name is specified, the specified RSA key pair and public key are displayed.
Example
# Display information about all RSA key pairs.
<HUAWEI> display pki rsa local-key-pair public
=====================================================
Time of Key pair created: 17:43:42 2016/4/18
Key Name: abc
Key Index: 0
Key Modules: 2048 bit
Key Exportable: Yes
Key Type: RSA signature key
=====================================================
Key code:
30820109
02820100
C23344E1 B2C2D653 EB134011 9266C6CC 7C18C45F
440AF31F 98B29D4C D436757B F6785BB5 09EFA2A1
09FDBB24 62F1914D 4F10678F 3BE8E3C0 E6F02FC9
AFE2ADDE 98E07D2C A5732288 A5280D2B 6A785F59
A8D19D37 9B80F7EF 1B15FB77 BD9C54D0 01AF270F
90258F65 1A631282 50002C4F 23EF0482 1F62E356
AC700041 B31AB3B4 5C7EB4C0 AFF2E5AF 3DDA4F4E
F5B86502 08BA7AFE 37204C67 7149AE52 1462F25E
16B777E8 E71BCFBE 0E9E02A7 C5FE6120 304BE6C3
CEB2575A EA24EBB6 BA420994 C50F3662 D8F24F25
0D833865 5A127754 2E954F7F 16292DAA AF9D2371
E669ADFF 4EA9FFF8 CE8488D7 344EBCEB AAA74116
B30EF506 C64A726E B1013CB4 E8FA6707
0203
010001
Table 14-107 Description of the display pki rsa local-key-pair command output
Item Description
Time of Key pair created Time when the RSA key pair is created.
14.19.39 email
Function
The email command configures an email address for a PKI entity.
The undo email command cancels the configuration.
By default, no email address is configured for a PKI entity.
Format
email email-address
undo email
Parameters
Parameter Description Value
email-address  Specifies the email address of a PKI entity.  The value is a string of 1 to 128 case-sensitive
                                                             characters, including letters, numerals,
                                                             apostrophes ('), equal signs (=), parentheses (),
                                                             plus signs (+), minus signs (-), periods (.),
                                                             slashes (/), colons (:), at signs (@),
                                                             underscores (_), and spaces.
Views
PKI entity view
Default Level
2: Configuration level
Usage Guidelines
The parameters of a PKI entity contain the identity information of the entity. The
CA identifies a certificate applicant based on identity information provided by the
entity. To facilitate applicant identification, configure an email address for the PKI
entity, which is used as an alias of the entity.
After the email address is configured for a PKI entity, the certificate request packet
sent by the device to the CA server carries this email address. The CA server
verifies every received certificate request packet. For each valid packet, the CA
server generates a digital certificate carrying the email address of the PKI entity.
Example
# Set the email address to test@example.com for a PKI entity.
<HUAWEI> system-view
[HUAWEI] pki entity entity1
[HUAWEI-pki-entity-entity1] email test@example.com
Function
The enrollment self-signed command configures self-signed certificate obtaining
in the PKI realm.
The undo enrollment self-signed command restores the default certificate
obtaining method.
By default, self-signed certificate obtaining in the PKI realm is not configured.
Format
enrollment self-signed
undo enrollment self-signed
Parameters
None
Views
PKI realm view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The enrollment self-signed command configures self-signed certificate obtaining
in the PKI realm. The device can use the self-signed certificate obtained from the
PKI realm to support default HTTPS functions. The certificate issuer name is in the
format: device name-Self-Signed-Certificate-ESN.
Prerequisites
The RSA key pair has been configured by using the rsa local-key-pair command.
Precautions
The device generates a self-signed certificate only when the PKI realm is applied
to a service.
The device does not support lifecycle management for self-signed certificates. For
example, self-signed certificates cannot be registered, updated, or revoked on the
device. To ensure the security of the device and certificates, it is recommended
that the user's certificate be used.
To configure self-signed certificate obtaining, delete the certificate in the PKI
realm.
After the enrollment self-signed command is run, the device will not generate
certificate expiration logs when its self-signed certificate expires.
Example
# Configure self-signed certificate obtaining in the PKI realm abc.
<HUAWEI> system-view
[HUAWEI] pki realm abc
[HUAWEI-pki-realm-abc] enrollment self-signed
Function
The enrollment-request signature message-digest-method command
configures the digest algorithm used to sign certificate enrollment requests.
Format
enrollment-request signature message-digest-method { md5 | sha1 | sha-256 |
sha-384 | sha-512 }
Parameters
Views
PKI realm view
Default Level
2: Configuration level
Usage Guidelines
In SCEP local certificate application mode, after a CA server receives a certificate
enrollment request from a PKI entity, the CA server requests a signature for
authentication, and generates a local certificate only after the authentication is
successful.
For security purposes, SHA2 is recommended. You are not advised to configure
MD5 and SHA1.
Example
# Set the digest algorithm used to sign certificate enrollment requests to sha-384.
<HUAWEI> system-view
[HUAWEI] pki realm e
[HUAWEI-pki-realm-e] enrollment-request signature message-digest-method sha-384
14.19.42 enrollment-url
Function
The enrollment-url command configures the URL of the CA server.
Format
enrollment-url [ esc ] url [ interval minutes ] [ times count ] [ ra ]
undo enrollment-url
Parameters
Parameter Description Value
ra         Configures an RA to authenticate a PKI entity's identity information during local   -
           certificate application. By default, a CA authenticates a PKI entity's identity
           information during local certificate application.
Views
PKI realm view
Default Level
2: Configuration level
Usage Guidelines
The URL refers to the address provided by a CA server for certificate application.
For example, a CA server running Windows Server 2008 uses a URL address in the
The esc keyword allows you to enter a URL that contains a question mark (?) by
giving the question mark as its ASCII code: the URL must be in \x3f format, where
3f is the hexadecimal ASCII code of the question mark (?). For example, to enter
http://***.com?page1, type http://***.com\x3fpage1. To enter
http://www.***.com?page1\x3f, which contains both a question mark (?) and a
literal \x3f, escape the literal with a backslash and type
http://www.***.com\x3fpage1\\x3f.
Example
# Create a PKI realm test and configure the URL in HTTP mode for the CA server.
<HUAWEI> system-view
[HUAWEI] pki realm test
[HUAWEI-pki-realm-test] enrollment-url http://10.13.14.15:8080/certsrv/mscep/mscep.dll ra
14.19.43 entity
Function
The entity command specifies a PKI entity that applies for a certificate.
Format
entity entity-name
undo entity
Parameters
Parameter Description Value
Views
PKI realm view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When a PKI entity requests the local certificate in the PKI realm, the device
encapsulates the configuration of the specified PKI entity into the certificate
request.
Prerequisites
1. The specified PKI entity has been configured by using the pki entity command.
2. The common name of the PKI entity has been configured using the common-name command.
Precautions
A PKI realm can be bound to only one PKI entity.
Example
# Bind the PKI entity a to the PKI realm abc.
<HUAWEI> system-view
[HUAWEI] pki entity a
[HUAWEI-pki-entity-a] common-name test
[HUAWEI-pki-entity-a] quit
[HUAWEI] pki realm abc
[HUAWEI-pki-realm-abc] entity a
14.19.44 fingerprint
Function
The fingerprint command configures the CA certificate fingerprint used in CA
certificate authentication.
The undo fingerprint command deletes the CA certificate fingerprint used in CA
certificate authentication.
By default, no CA certificate fingerprint is configured for CA certificate
authentication.
Format
fingerprint { md5 | sha1 | sha256 } fingerprint
undo fingerprint
Parameters
Parameter Description Value
Views
PKI realm view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Precautions
The MD5 and SHA1 algorithms have a low security level. SHA256 is
recommended.
Example
# Configure the CA certificate fingerprint used in CA certificate authentication.
<HUAWEI> system-view
[HUAWEI] pki realm test
[HUAWEI-pki-realm-test] fingerprint sha256 e71add0744360e91186b828412d279e06dcc15a4ab4bb3d13842820396b526a0
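An added Python example (not device code) of the check that a configured fingerprint enables: it computes the fingerprint over the DER encoding of a CA certificate (PEM or DER input) and compares it in constant time with the configured value, refusing md5 and sha1 unless explicitly allowed. The sample certificate bytes are constructed, not a real certificate, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import re

# Digest algorithms accepted by the fingerprint command, with the hex length of
# each digest. md5 and sha1 are kept only so that an already configured weak
# fingerprint can still be checked; the command reference recommends sha256.
FINGERPRINT_ALGORITHMS = {"md5": 32, "sha1": 40, "sha256": 64}
WEAK_ALGORITHMS = {"md5", "sha1"}

_PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def certificate_der(cert: bytes) -> bytes:
    """Return the DER encoding of a CA certificate given as PEM or DER.

    The fingerprint is always computed over the DER bytes; hashing the PEM text
    would give a different, useless value.
    """
    match = _PEM_RE.search(cert)
    if match:
        der = base64.b64decode(b"".join(match.group(1).split()))
    else:
        der = cert
    if not der:
        raise ValueError("empty certificate")
    return der


def normalize_fingerprint(value: str) -> str:
    """Lower-case hex without the colons or spaces that some tools print."""
    return re.sub(r"[:\s]", "", value).lower()


def ca_fingerprint(cert: bytes, algorithm: str, allow_weak: bool = False) -> str:
    """Compute the fingerprint in the form the fingerprint command takes."""
    if algorithm not in FINGERPRINT_ALGORITHMS:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    if algorithm in WEAK_ALGORITHMS and not allow_weak:
        raise ValueError(f"{algorithm} has a low security level; use sha256")
    return hashlib.new(algorithm, certificate_der(cert)).hexdigest()


def verify_ca_fingerprint(cert: bytes, algorithm: str, configured: str,
                          allow_weak: bool = False) -> bool:
    """Check an obtained CA certificate against the configured fingerprint.

    The configured value must have the exact digest length of the algorithm,
    so a truncated value cannot pass, and the comparison is constant-time.
    """
    expected = normalize_fingerprint(configured)
    if len(expected) != FINGERPRINT_ALGORITHMS.get(algorithm, -1):
        return False
    if not re.fullmatch(r"[0-9a-f]+", expected):
        return False
    actual = ca_fingerprint(cert, algorithm, allow_weak)
    return hmac.compare_digest(actual, expected)


def fingerprint_cli_line(cert: bytes, algorithm: str = "sha256") -> str:
    """Render the PKI realm view command: fingerprint { md5 | sha1 | sha256 } fingerprint."""
    return f"fingerprint {algorithm} {ca_fingerprint(cert, algorithm)}"


# Constructed stand-in for a CA certificate file (NOT a real certificate):
# arbitrary bytes wrapped in PEM armor so that the PEM path is exercised.
SAMPLE_DER = bytes(range(0x30, 0x30 + 48))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

# Fingerprint from the page's own fingerprint sha256 example; it belongs to a
# different certificate, so checking it against the sample must fail.
PAGE_EXAMPLE_FINGERPRINT = "e71add0744360e91186b828412d279e06dcc15a4ab4bb3d13842820396b526a0"
```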
14.19.45 fqdn
Function
The fqdn command configures a fully qualified domain name (FQDN) for a PKI
entity.
The undo fqdn command cancels the configuration.
By default, no FQDN is configured for a PKI entity.
Format
fqdn fqdn-name
undo fqdn
Parameters
Parameter Description Value
fqdn-name  Specifies the FQDN of a PKI entity.  The value is a string of 1 to 255 case-sensitive
                                                characters, including letters, numerals,
                                                apostrophes ('), equal signs (=), parentheses (),
                                                plus signs (+), minus signs (-), periods (.),
                                                slashes (/), colons (:), at signs (@),
                                                underscores (_), and spaces.
Views
PKI entity view
Default Level
2: Configuration level
Usage Guidelines
The parameters of a PKI entity contain the identity information of the entity. The
CA identifies a certificate applicant based on identity information provided by the
entity. To facilitate applicant identification, configure an FQDN for the PKI entity,
which is used as an alias of the entity.
An FQDN is the unique identifier of a PKI entity. It consists of a host name and a
domain name, and can be translated into an IP address. A sample of an FQDN is
www.example.com.
After the FQDN is configured for a PKI entity, the certificate request packet sent by
the device to the CA server carries this FQDN. The CA server verifies every received
certificate request packet. For each valid packet, the CA server generates a digital
certificate carrying the FQDN of the PKI entity.
Example
# Set the FQDN to example.com for a PKI entity.
<HUAWEI> system-view
[HUAWEI] pki entity entity1
[HUAWEI-pki-entity-entity1] fqdn example.com
14.19.46 ip-address
Function
The ip-address command configures an IP address for a PKI entity.
The undo ip-address command deletes the configuration.
By default, a PKI entity does not have an IP address.
Format
ip-address { ipv4-address | interface-type interface-number }
undo ip-address
Parameters
Parameter Description Value
Views
PKI entity view
Default Level
2: Configuration level
Usage Guidelines
The parameters of a PKI entity include the identity information of the PKI entity.
The CA identifies a certificate applicant based on identity information provided by
a PKI entity. To facilitate applicant identification, configure an IP address for the
PKI entity, which is used as an alias of the PKI entity.
After an IP address is configured for a PKI entity, the certificate request packet
sent by the device to the CA server carries this IP address. After receiving the
certificate request packet, the CA server verifies the packet. For each valid packet,
the CA server generates a digital certificate carrying the device IP address.
Example
# Set an IP address 10.1.1.1 for a PKI entity.
<HUAWEI> system-view
[HUAWEI] pki entity entity1
[HUAWEI-pki-entity-entity1] ip-address 10.1.1.1
14.19.47 key-usage
Function
The key-usage command configures the purpose description for a certificate
public key.
Format
key-usage { ike | ssl-client | ssl-server } *
Parameters
Parameter Description Value
Views
PKI realm view
Default Level
2: Configuration level
Usage Guidelines
To improve certificate security, you can add the usage information of a key to the
certificate request packet sent from the device to the CA server.
After receiving the certificate request packet, the CA server verifies the packet. For
each valid packet, the CA server generates a digital certificate carrying the usage
information of the key.
For example, when setting up an SSL session, the SSL client uses the certificate to
add a digital signature and to encrypt a key. After you specify the usage of the
key as ssl-client by using the key-usage ssl-client command, the certificate
generated by the CA server carries the corresponding usage information: digital
signature and key encryption. If the key is then used for a purpose not listed in
the certificate, such as encrypting data, that use of the key is invalid.
Example
# Specify the usage of a key as ssl-client.
<HUAWEI> system-view
[HUAWEI] pki realm abc
[HUAWEI-pki-realm-abc] key-usage ssl-client
14.19.48 locality
Function
The locality command configures a locality name for a PKI entity.
The undo locality command cancels the configuration.
By default, a PKI entity does not have a locality name.
Format
locality locality-name
undo locality
Parameters
Parameter Description Value
locality-name  Specifies the locality name of a PKI entity.  The value is a string of 1 to 32 case-sensitive
                                                             characters, including letters, numerals,
                                                             apostrophes ('), equal signs (=), parentheses (),
                                                             plus signs (+), commas (,), minus signs (-),
                                                             periods (.), slashes (/), colons (:), and spaces.
Views
PKI entity view
Default Level
2: Configuration level
Usage Guidelines
The parameters of a PKI entity contain the identity information of the entity. The
CA identifies a certificate applicant based on identity information provided by the
entity. To facilitate applicant identification, configure a locality name for the PKI
entity, which is used as an alias of the entity.
After the locality name is configured for a PKI entity, the certificate request packet
sent by the device to the CA server carries this locality name. The CA server
verifies every received certificate request packet. For each valid packet, the CA
server generates a digital certificate carrying the locality name of the PKI entity.
Example
# Set the locality name to Beijing for a PKI entity.
<HUAWEI> system-view
[HUAWEI] pki entity entity1
[HUAWEI-pki-entity-entity1] locality Beijing
Function
The ocsp nonce enable command adds a nonce extension to the OCSP request
sent by a PKI entity.
By default, the OCSP request sent by a PKI entity contains a nonce extension.
NOTE
Format
ocsp nonce enable
Parameters
None
Views
PKI realm view
Default Level
2: Configuration level
Usage Guidelines
To improve the security and reliability of communication between a PKI entity and
the OCSP server, this command adds a nonce extension (a random value) to the OCSP
request sent by the PKI entity. If the nonce values on the PKI entity and the
OCSP server differ, communication fails.
Example
# Add a nonce extension to the OCSP request sent by a PKI entity.
<HUAWEI> system-view
[HUAWEI] pki realm test
[HUAWEI-pki-realm-test] ocsp nonce enable
Function
The ocsp signature enable command enables the function of signing OCSP
request packets.
The undo ocsp signature enable command disables the function of signing OCSP
request packets.
NOTE
Format
ocsp signature enable
Parameters
None
Views
PKI realm view
Default Level
2: Configuration level
Usage Guidelines
When the certificate check mode is set to OCSP, the device sends OCSP request
packets to the OCSP server. To improve access security, run the ocsp signature
enable command to enable the function of signing OCSP request packets.
Example
<HUAWEI> system-view
[HUAWEI] pki realm abc
[HUAWEI-pki-realm-abc] ocsp signature enable
Function
The ocsp url command configures the Uniform Resource Locator (URL) address
for an Online Certificate Status Protocol (OCSP) server.
The undo ocsp url command deletes the URL address of an OCSP server.
NOTE
Format
ocsp url [ esc ] url-address
Parameters
Parameter Description Value
Views
PKI realm view
Default Level
2: Configuration level
Usage Guidelines
If a certificate to be checked through OCSP does not contain the AIA option, run
this command to configure the OCSP server's URL. If the certificate contains the
AIA option, run the ocsp-url from-ca command to configure the PKI entity to
obtain the OCSP server's URL from the AIA option.
The esc keyword allows you to enter a URL that contains a question mark (?) by
giving the question mark as its ASCII code: 3f is the hexadecimal ASCII code of the
question mark (?), so the entered URL must be in \x3f format. For example, an
administrator enters http://www.***.com\x3fpage1 instead of
http://www.***.com?page1. To configure http://www.***.com?page1\x3f, which
contains both a question mark (?) and a literal \x3f, the administrator adds an
escape character (\) to the literal \x3f and enters
http://www.***.com\x3fpage1\\x3f.
Example
# Set the OCSP server's URL address to http://10.1.1.1.
<HUAWEI> system-view
[HUAWEI] pki realm test
[HUAWEI-pki-realm-test] ocsp url http://10.1.1.1
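The esc encoding rule described for enrollment-url and for ocsp url, as an added Python example (not Huawei code): it converts between a plain URL and the \x3f form the CLI expects, recovers the original URL from the escaped form, and emits the command line with esc only when the URL needs it. The function names are this example's own.

```python
# Encoding rule from the command reference:
#   "?"  is entered as  \x3f   (3f = hexadecimal ASCII code of "?")
#   a literal "\x3f" already present in the URL is entered as \\x3f
QMARK_ESC = r"\x3f"        # 4 characters: backslash x 3 f
LITERAL_ESC = r"\\x3f"     # 5 characters: two backslashes, then x 3 f


def needs_esc(url: str) -> bool:
    """True when the URL can only be entered after the esc keyword."""
    return "?" in url or QMARK_ESC in url


def encode_esc_url(url: str) -> str:
    """Convert a plain URL to the form typed after the esc keyword.

    Literal \\x3f sequences are escaped first, so that the \\x3f produced for a
    question mark afterwards cannot be confused with them.
    """
    escaped = url.replace(QMARK_ESC, LITERAL_ESC)
    return escaped.replace("?", QMARK_ESC)


def decode_esc_url(encoded: str) -> str:
    """Inverse of encode_esc_url: recover the URL the device will actually use."""
    out = []
    i = 0
    while i < len(encoded):
        if encoded.startswith(LITERAL_ESC, i):   # \\x3f -> literal \x3f
            out.append(QMARK_ESC)
            i += len(LITERAL_ESC)
        elif encoded.startswith(QMARK_ESC, i):   # \x3f -> ?
            out.append("?")
            i += len(QMARK_ESC)
        else:
            out.append(encoded[i])
            i += 1
    return "".join(out)


def _url_command(keyword: str, url: str, trailing: str = "") -> str:
    """Build '<keyword> [ esc ] <url> [trailing]', adding esc only when needed."""
    parts = [keyword]
    if needs_esc(url):
        parts.append("esc")
        parts.append(encode_esc_url(url))
    else:
        parts.append(url)
    if trailing:
        parts.append(trailing)
    return " ".join(parts)


def enrollment_url_line(url: str, interval=None, times=None, ra=False) -> str:
    """enrollment-url [ esc ] url [ interval minutes ] [ times count ] [ ra ]"""
    trailing = []
    if interval is not None:
        trailing.append(f"interval {interval}")
    if times is not None:
        trailing.append(f"times {times}")
    if ra:
        trailing.append("ra")
    return _url_command("enrollment-url", url, " ".join(trailing))


def ocsp_url_line(url: str) -> str:
    """ocsp url [ esc ] url-address"""
    return _url_command("ocsp url", url)
```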
Function
The ocsp-url from-ca command configures a PKI entity to obtain the OCSP
server's URL from the Authority Info Access (AIA) option in a CA certificate.
The undo ocsp-url from-ca command disables a PKI entity from obtaining the
OCSP server's URL from the AIA option in a CA certificate.
By default, a PKI entity does not obtain OCSP server's URL from a CA certificate's
AIA option.
NOTE
Format
ocsp-url from-ca
undo ocsp-url from-ca
Parameters
None
Views
PKI realm view
Default Level
2: Configuration level
Usage Guidelines
If a certificate to be checked through OCSP contains the AIA option, run this
command to configure the PKI entity to obtain the OCSP server's URL from the AIA
option. If the certificate does not contain the AIA option, run the ocsp url
command to configure the OCSP server's URL.
Example
# Configure a PKI entity to obtain OCSP server's URL from a CA certificate's AIA
option.
<HUAWEI> system-view
[HUAWEI] pki realm test
[HUAWEI-pki-realm-test] ocsp-url from-ca
14.19.53 organization-unit
Function
The organization-unit command configures the department name for a PKI
entity.
The undo organization-unit command restores the default setting.
By default, no department name is configured for a PKI entity.
Format
organization-unit organization-unit-name
undo organization-unit
Parameters
Parameter Description Value
Views
PKI entity view
Default Level
2: Configuration level
Usage Guidelines
The parameters of a PKI entity contain the identity information of the entity. The
CA identifies a certificate applicant based on identity information provided by the
entity. To facilitate applicant identification, configure a department name for the
PKI entity, which is used as an alias of the entity.
After the department name is configured for a PKI entity, the certificate request
packet sent by the device to the CA server carries this department name. The CA
server verifies every received certificate request packet. For each valid packet, the
CA server generates a digital certificate carrying the department name of the PKI
entity.
Example
# Configure the department name of a PKI entity to Group1,Sale.
<HUAWEI> system-view
[HUAWEI] pki entity entity1
[HUAWEI-pki-entity-entity1] organization-unit Group1,Sale
14.19.54 organization
Function
The organization command configures a PKI entity's organization name.
Format
organization organization-name
undo organization
Parameters
Parameter Description Value
organization-name  Specifies the organization name of a PKI entity.  The value is a string of 1 to 32 case-sensitive
                                                                     characters, including letters, numerals,
                                                                     apostrophes ('), equal signs (=), parentheses (),
                                                                     plus signs (+), commas (,), minus signs (-),
                                                                     periods (.), slashes (/), colons (:), and spaces.
Views
PKI entity view
Default Level
2: Configuration level
Usage Guidelines
The parameters of a PKI entity contain the identity information of the entity. The
CA identifies a certificate applicant based on identity information provided by the
entity. To facilitate applicant identification, configure an organization name for the
PKI entity, which is used as an alias of the entity.
After the organization name is configured for a PKI entity, the certificate request
packet sent by the device to the CA server carries this organization name. The CA
server verifies every received certificate request packet. For each valid packet, the
CA server generates a digital certificate carrying the organization name of the PKI
entity.
Example
# Set the organization name of a PKI entity to org1.
<HUAWEI> system-view
[HUAWEI] pki entity entity1
[HUAWEI-pki-entity-entity1] organization org1
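The value rules given above for the email, fqdn, ip-address, locality and organization commands, applied in an added Python checker (not device code) that validates a PKI entity's attributes before the configuration is pushed and renders the corresponding PKI entity view commands; the function names and the sample attribute values are this example's own.

```python
import ipaddress
import re

# Value rules from the command reference for the PKI entity attributes whose
# constraints are documented: maximum length and permitted character set.
# All values are case-sensitive, so no case folding is done.
_ALNUM = "A-Za-z0-9"
ENTITY_RULES = {
    "email":        (128, re.compile(rf"[{_ALNUM}'=()+\-./:@_ ]+")),
    "fqdn":         (255, re.compile(rf"[{_ALNUM}'=()+\-./:@_ ]+")),
    "locality":     (32,  re.compile(rf"[{_ALNUM}'=()+,\-./: ]+")),
    "organization": (32,  re.compile(rf"[{_ALNUM}'=()+,\-./: ]+")),
}
# Order in which the PKI entity view commands are rendered.
ENTITY_COMMANDS = ("email", "fqdn", "ip-address", "locality", "organization")


def check_attribute(name, value):
    """Return an error message, or None when the value is acceptable."""
    if name == "ip-address":
        try:
            ipaddress.IPv4Address(value)   # the ip-address command takes an IPv4 address
        except ValueError:
            return f"ip-address: {value!r} is not a valid IPv4 address"
        return None
    if name not in ENTITY_RULES:
        return f"{name}: no value rule known for this attribute"
    max_len, pattern = ENTITY_RULES[name]
    if not 1 <= len(value) <= max_len:
        return f"{name}: length {len(value)} outside 1..{max_len}"
    if not pattern.fullmatch(value):
        bad = sorted({c for c in value if not pattern.fullmatch(c)})
        return f"{name}: characters not permitted: {bad}"
    return None


def validate_entity(attrs):
    """Check every attribute; an empty list means the entity is acceptable."""
    errors = []
    for name, value in attrs.items():
        err = check_attribute(name, value)
        if err:
            errors.append(err)
    return errors


def entity_cli_lines(entity_name, attrs):
    """Render the PKI entity view commands, refusing invalid values up front."""
    errors = validate_entity(attrs)
    if errors:
        raise ValueError("; ".join(errors))
    lines = [f"pki entity {entity_name}"]
    for name in ENTITY_COMMANDS:
        if name in attrs:
            lines.append(f" {name} {attrs[name]}")
    return lines


# Constructed sample entity using the values from the page's examples.
SAMPLE_ENTITY = {
    "email": "test@example.com",
    "fqdn": "example.com",
    "ip-address": "10.1.1.1",
    "locality": "Beijing",
    "organization": "org1",
}
```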
Function
The password command sets the challenge password used for certificate
application through SCEP, which is also used to revoke a certificate.
The undo password command deletes the challenge password used for certificate
application through SCEP.
By default, no challenge password is configured.
Format
password cipher password
undo password
Parameters
Parameter Description Value
Views
PKI realm view
Default Level
3: Management level
Usage Guidelines
When a PKI entity uses SCEP to apply for a certificate from a CA, the CA needs to
verify the challenge password of the entity. The CA accepts the certificate
application request only when the challenge password is correct. You need to run
this command to set a challenge password for the PKI entity.
Example
# Set the challenge password used to apply for a certificate through SCEP.
<HUAWEI> system-view
[HUAWEI] pki realm abc
[HUAWEI-pki-realm-abc] password cipher 6AE73F21E6D3571D
Function
The pki cmp certificate-request session command configures a device to send a
certificate request (CR) to the CMPv2 server based on CMP session information.
Format
pki cmp certificate-request session session-name
Parameters
Parameter Description Value
session-name  Specifies the name of a CMP session.  The value must be an existing CMP session name.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When a device has a certificate issued by a CA, the device can send a CR to apply
for a certificate for another device.
After this command is executed, the system checks whether the configuration in
the CMP session can be used for certificate application. If not, the system displays
an error message. If so, the system initiates the CR according to the configuration.
The obtained certificate is saved in a file on the CF card or Hda1, but not imported
to the memory.
NOTE
The device does not support the message authentication code mode. If the CMP session mode is
set to message authentication code, the system displays an error message.
Prerequisites
A CMP session has been created using the pki cmp session command.
Example
# Send a CR to the CMPv2 server.
<HUAWEI> system-view
[HUAWEI] pki cmp session test
[HUAWEI-pki-cmp-session-test] quit
[HUAWEI] pki cmp certificate-request session test
Info: Initializing configuration.
Info: Creatting certification request packet.
Info: Connectting to CMPv2 server.
Info: Sending certification request packet.
Info: Waitting for certification response packet.
Info: Creatting confirm packet.
Info: Connectting to CMPv2 server.
Info: Sending confirm packet.
Info: Waitting for confirm packet from server.
Info: CMPv2 operation finish.
Function
The pki cmp initial-request session command configures a device to send an
initial request (IR) to the CMPv2 server based on CMP session information.
Format
pki cmp initial-request session session-name
Parameters
Parameter Description Value
session-name  Specifies the name of a CMP session.  The value must be an existing CMP session name.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After the command is executed, the system checks whether the configuration in
the CMP session can be used for certificate application. If not, the system displays
an error message. If so, the system performs an IR according to the configuration.
The obtained certificate is saved in a file on the CF card or Hda1, but not imported
to the memory. If the server issues the CA certificate during the response period,
the CA certificate is also saved in a file.
Prerequisites
A CMP session has been created using the pki cmp session command.
Example
# Send an IR to the CMPv2 server.
<HUAWEI> system-view
[HUAWEI] pki cmp session test
[HUAWEI-pki-cmp-session-test] quit
[HUAWEI] pki cmp initial-request session test
Info: Initializing configuration.
Info: Creatting initial request packet.
Info: Connectting to CMPv2 server.
Info: Sending initial request packet.
Info: Waitting for initial response packet.
Info: Creatting confirm packet.
Info: Connectting to CMPv2 server.
Info: Sending confirm packet.
Info: Waitting for confirm packet from server.
Info: CMPv2 operation finish.
Function
The pki cmp keyupdate-request session command configures a device to send a
key update request (KUR) to the CMPv2 server based on CMP session information.
Format
pki cmp keyupdate-request session session-name
Parameters
Parameter Description Value
session-name  Specifies the name of a CMP session.  The value must be an existing CMP session name.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When a device has a certificate issued by a CA, the device can send a KUR to
update the certificate.
After the command is executed, the system checks whether the configuration in
the CMP session can be used for certificate update application. If not, the system
displays an error message. If so, the system initiates a KUR according to the
configuration. The updated certificate is saved in a file on the device storage, but
not imported to the memory.
NOTE
The device does not support the message authentication code mode. If the CMP session mode is
set to message authentication code, the system displays an error message.
Prerequisites
A CMP session has been created using the pki cmp session command.
Example
# Send a KUR to the CMPv2 server.
<HUAWEI> system-view
[HUAWEI] pki cmp session test
[HUAWEI-pki-cmp-session-test] quit
[HUAWEI] pki cmp keyupdate-request session test
Info: Initializing configuration.
Info: Creatting key update request packet.
Info: Connectting to CMPv2 server.
Error: CMPv2 server connect failed.
Info: CMPv2 operation finish.
Function
The pki cmp session command creates a CMP session and displays the CMP
session view, or displays the view of an existing CMP session.
Format
pki cmp session session-name
Parameters
Parameter Description Value
session-name  Specifies the name of a CMP session.  The value is a string of 1 to 63 case-insensitive
                                                    characters without spaces or question marks.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Before choosing CMPv2 for certificate application, run the pki cmp session
command to create a CMP session. CMPv2 configuration is performed in the CMP
session view.
Example
# Create the CMP session test and enter the CMP session view.
<HUAWEI> system-view
[HUAWEI] pki cmp session test
[HUAWEI-pki-cmp-session-test]
Function
The pki create-certificate command creates a self-signed certificate.
Format
pki create-certificate self-signed filename file-name
Parameters
Parameter Description Value
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When you run the pki create-certificate command, the system asks you to enter
certificate information, for example, PKI entity parameters, certificate file name,
certificate validity period, and RSA key length.
Precautions
The device does not provide lifecycle management for self-signed certificates. For
example, self-signed certificates cannot be updated or revoked on the device. To
ensure security of the device and certificates, a local certificate is recommended.
Example
# Create a self-signed certificate test.
<HUAWEI> system-view
[HUAWEI] pki create-certificate self-signed filename test
Function
The pki delete replaced-file to recycle-bin enable command moves overwritten
files to the recycle bin.
Format
pki delete replaced-file to recycle-bin enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Overwritten files are permanently deleted by default and cannot be restored. If
you want to be able to restore overwritten files in case the new files are
unavailable, run the pki delete replaced-file to recycle-bin enable command to
move these files to the recycle bin.
The pki delete replaced-file to recycle-bin enable command applies only to the
following scenarios:
● The existing certificates have been overwritten using the pki get-certificate command.
● The existing certificates and CRL have been overwritten using the pki http command.
● The existing certificates have been overwritten using the pki cmp initial-request session command.
● The existing certificates have been overwritten using the pki cmp certificate-request session command.
● The existing certificates have been overwritten using the pki cmp keyupdate-request session command.
● The existing CRL has been overwritten using the pki get-crl command.
● The existing certificates have been overwritten using the pki enroll-certificate command.
● The existing certificates have been overwritten using the pki create-certificate command.
● The existing certificates have been overwritten using the pki export-certificate command.
● The existing RSA key pair has been overwritten using the pki export rsa-key-pair command.
● The existing certificates have been overwritten using the pki import-certificate peer command.
● The existing CRL has been overwritten using the pki import-crl command.
● The existing RSA key pair and certificates have been overwritten using the pki import rsa-key-pair command.
Example
# Enable the function of moving overwritten files to the recycle bin.
<HUAWEI> system-view
[HUAWEI] pki delete replaced-file to recycle-bin enable
Function
The pki delete-certificate command deletes a certificate from the memory.
Format
pki delete-certificate { ca | local | ocsp } realm realm-name
Parameters
Parameter | Description | Value
ca | Deletes a CA certificate. | -
realm realm-name | Specifies the name of the PKI realm to which a certificate belongs. | The value must be an existing PKI realm name.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When the certificate expires or you want to apply for a new certificate, run this
command to delete the CA certificate, OCSP server certificate, or local certificate
from the memory.
Prerequisites
A PKI realm has been created using the pki realm (system view) command.
Precautions
Deleting a certificate may interrupt certificate-related services.
Example
# Delete the local certificate from the memory.
<HUAWEI> system-view
[HUAWEI] pki delete-certificate local realm abc
Function
The pki delete-crl command deletes a CRL from the memory.
Format
pki delete-crl realm realm-name
Parameters
Parameter | Description | Value
realm realm-name | Specifies the name of the PKI realm that the certificate belongs to. | The value must be an existing PKI realm name.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When a CRL expires, run this command to delete the CRL file from the memory. This
command does not delete the CRL files on the storage card.
Prerequisites
A PKI realm has been created using the pki realm (system view) command.
Example
# Delete the CRL of PKI realm abc from the memory.
<HUAWEI> system-view
[HUAWEI] pki realm abc
[HUAWEI-pki-realm-abc] quit
[HUAWEI] pki delete-crl realm abc
Function
The pki enroll-certificate command configures manual certificate enrollment.
Format
pki enroll-certificate realm realm-name [ pkcs10 [ filename filename ] ] [ password password ]
Parameters
Parameter Description Value
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Manual certificate enrollment can be performed online or offline.
● Online mode (in-band mode)
The device requests certificates online by communicating with the CA server
through SCEP and then stores the obtained certificates on the flash.
● Offline mode (out-of-band mode)
The device generates a certificate request file, and the administrator sends the file
to the CA server by other means, such as on a disk or by email.
Prerequisites
A PKI realm has been created using the pki realm (system view) command.
Precautions
● If pkcs10 is specified, an entity applies to a CA for a certificate in offline
mode. The entity saves the certificate request information in a file in PKCS#10
format and sends the file to the CA in outband mode.
● If pkcs10 is not specified, an entity applies to a CA for a certificate in online
mode.
● In online mode, a PKI entity obtains a CA certificate and imports it to
memory, and then obtains a local certificate and imports it to memory.
● After the enrollment self-signed command is configured in the PKI realm, the
pki enroll-certificate command cannot be used to configure manual certificate
enrollment.
Example
# Enroll a certificate for the PKI realm abc.
<HUAWEI> system-view
[HUAWEI] pki realm abc
[HUAWEI-pki-realm-abc] quit
[HUAWEI] pki enroll-certificate realm abc
Function
The pki entity command creates a PKI entity and displays the PKI entity view, or
displays the view of an existing PKI entity.
The undo pki entity command deletes a PKI entity.
Format
pki entity entity-name
Parameters
Parameter | Description | Value
entity-name | Specifies the name of a PKI entity. | The value is a string of 1 to 64 case-sensitive characters without spaces.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
A PKI entity refers to the applicant or user of a certificate. A PKI entity is required
when you use PKI features. After a PKI entity is created, you can configure
attributes for it, for example, common name, country code, email address, FQDN,
IP address, geographic area, organization, department, state, and province. These
attributes include identity information of the PKI entity. The identity information
will be added to the subject of a PKI entity.
NOTE
Windows Server 2003 has limited processing performance. If the device connects to a
Windows Server 2003, do not configure too many entities on the device or use a large-sized
key pair.
Example
# Configure a PKI entity entity1 and enter the PKI entity view.
<HUAWEI> system-view
[HUAWEI] pki entity entity1
[HUAWEI-pki-entity-entity1]
Function
The pki export-certificate command exports a certificate to the device storage.
Format
pki export-certificate { ca | local | ocsp } realm realm-name { pem | pkcs12 }
Parameters
Parameter | Description | Value
ca | Exports a CA certificate. | -
realm realm-name | Specifies the PKI realm name of a certificate. | The PKI realm name must already exist.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Before using this command, run the display pki certificate command to view
information about certificates on the device.
Prerequisites
A PKI realm has been created using the pki realm (system view) command.
Precautions
When the exported certificate file does not contain a private key, the device does
not encrypt this file.
If the exported certificate is in .pem format, you need to install the WEAKEA plug-
in to export the certificate that contains the private key. For details about how to
install the plug-in, see the plug-in installation guide.
When you export the private key, the system asks you to enter the private key file
name. If the private key file name and the certificate file name are the same, the
private key and certificate are stored in the same file. If they are different, they are
stored in different files.
When you export the private key, the system asks you to enter the private key file
format and set the password. The password will be used when you run the pki
import-certificate command to import this private key.
After the enrollment self-signed command is used in the PKI realm, you cannot
use the pki export-certificate command to export certificates to files.
Example
# Export the local certificate in the PKI realm abc.
<HUAWEI> system-view
[HUAWEI] pki realm abc
[HUAWEI-pki-realm-abc] quit
[HUAWEI] pki export-certificate local realm abc pem
Please enter the name of certificate file <length 1-127>: aa
If you only export the certificate, do not export the private key.
You can directly enter empty of private key file.
Please enter the name of private key file <length 1-127>:
Info: Succeeded in exporting the certificate.
Function
The pki export rsa-key-pair command exports the RSA key pair to the flash and
allows the export of the associated certificate.
Format
pki export rsa-key-pair key-name [ and-certificate certificate-name ] { pem file-name aes | pkcs12 file-name } password password
NOTE
The pem file-name parameter is supported only when the WEAKEA plug-in is installed. For
details about how to install the plug-in, see the plug-in installation guide.
Parameters
Parameter Description Value
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To transfer or back up an RSA key pair, run this command to generate the PEM or
PKCS12 file carrying this RSA key pair (which may include the certificate) in the
flash.
Before using this command, run the display pki rsa local-key-pair command to
view information about the RSA key pairs on the device.
Prerequisites
The RSA key pair has been created and configured to be exportable using the pki
rsa local-key-pair create command or the RSA key pair has been imported to the
memory using the pki import rsa-key-pair command.
Precautions
The RSA key pair is sensitive information. Delete and destroy the exported RSA key
pair on the device or storage device as soon as it is no longer needed.
The system software does not contain the 3des and des parameters. To use these
parameters, you need to install the WEAKEA plug-in. However, these algorithms are
less secure. For security purposes, you are advised to use other algorithms.
Example
# Export the RSA key pair key1 in PEM format to the aaa.pem file with the AES
encryption mode after installing the WEAKEA plug-in.
<HUAWEI> system-view
[HUAWEI] pki rsa local-key-pair create key1 exportable
Info: The name of the new key-pair will be: key1
The size of the public key ranges from 512 to 4096.
Input the bits in the modules:2048
Generating key-pairs...
......+++
....................+++
[HUAWEI] pki export rsa-key-pair key1 pem aaa.pem aes password Admin@1234
Warning: Exporting the key pair impose security risks, are you sure you want to
export it? [y/n]:y
Info: Succeeded in exporting the RSA key pair in PEM format.
Function
The pki file-format command sets the format in which the certificate request,
certificate, and CRL are saved.
By default, the device stores the certificate request, certificate, and CRL in PEM format.
Format
pki file-format { der | pem }
Parameters
Parameter Description Value
der Indicates that the format of a certificate request file is DER. -
pem Indicates that the format of a certificate request file is PEM. -
Views
System view
Default Level
2: Configuration level
Usage Guidelines
To change the format in which the device saves the certificate request, certificate,
and CRL (for example, the certificate and CRL obtained through CMPv2 or SCEP), run
the pki file-format command.
However, the certificate and CRL obtained through HTTP are downloaded directly
and are not saved in the format configured using this command. A created self-
signed certificate or local certificate can be saved only in PEM format.
Example
# Set the format of saved certificate request, certificate, and CRL to DER.
<HUAWEI> system-view
[HUAWEI] pki file-format der
Function
The pki get-certificate command downloads a certificate to the device storage.
Format
pki get-certificate ca realm realm-name
Parameters
Parameter | Description | Value
ca | Specifies a CA or RA certificate to be obtained. | -
realm realm-name | Specifies the PKI realm name of a certificate to be obtained. | The value must be an existing PKI realm name.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When you request a local certificate for the PKI entity through SCEP, run this
command to download a CA certificate to the device storage, and request a local
certificate using the encrypted CA public key.
Prerequisites
A PKI realm has been created using the pki realm (system view) command.
Precautions
Example
# Obtain the CA certificate in the PKI realm abc.
<HUAWEI> system-view
[HUAWEI] pki realm abc
[HUAWEI-pki-realm-abc] quit
[HUAWEI] pki get-certificate ca realm abc
Function
The pki get-crl command updates CRL immediately.
Format
pki get-crl realm realm-name
Parameters
Parameter | Description | Value
realm realm-name | Specifies the PKI realm name of the CRL. | The value must be an existing PKI realm name, which is a string of 1 to 52 case-insensitive characters.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The CRL status is checked periodically when the CRL is updated automatically. If the
CRL on the device is about to expire, run this command to update the CRL
immediately.
After this command is executed, the new CRL replaces the old CRL in the storage,
and is automatically imported to the memory to replace the old one.
Prerequisites
A PKI realm has been created using the pki realm (system view) command.
Example
# Configure CRL immediate update.
<HUAWEI> system-view
[HUAWEI] pki realm test
[HUAWEI-pki-realm-test] quit
[HUAWEI] pki get-crl realm test
Format
pki http [ esc ] url-address save-name
Parameters
Parameter Description Value
Views
System view
Default Level
3: Management level
Usage Guidelines
Before you configure a device to use HTTP to download a CA certificate, local
certificate, or CRL, ensure that the flash of the device has enough space to
accommodate the CA certificate, local certificate, or CRL.
The keyword esc allows you to enter a URL that contains a question mark (?).
Because 3f is the hexadecimal ASCII code of the question mark, the question mark
must be entered as \x3f. For example, to use the URL http://www.***.com?page1, the
administrator enters http://www.***.com\x3fpage1. If the URL itself contains both
a question mark (?) and a literal \x3f, for example http://www.***.com?page1\x3f,
the administrator escapes the literal \x3f with an additional backslash (\) and
enters http://www.***.com\x3fpage1\\x3f.
Example
# Configure a device to use HTTP to download a local certificate.
<HUAWEI> system-view
[HUAWEI] pki http http://10.1.1.1/test.cer local.cer
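The escaping rule above is easy to get wrong by hand, so here is a small helper for it. This is an added example and not Huawei code or output: it encodes and decodes the form the esc keyword expects (? becomes \x3f, a literal \x3f becomes \\x3f) so an operator can produce and verify the string offline before typing it; the function names are my own.

```python
r"""Build and check the escaped URL form accepted by pki http esc.

Added example, not Huawei code: it models the rule stated in this
reference (a question mark is entered as \x3f, 3f being its hexadecimal
ASCII code; a URL that already contains a literal \x3f gets its backslash
doubled, i.e. \\x3f) so the string can be produced and verified before it
is typed on the device.
"""

ESC_QUESTION = r"\x3f"                 # what "?" is typed as after the esc keyword
ESC_LITERAL = "\\" + ESC_QUESTION      # what a literal \x3f is typed as (\\x3f)


def needs_esc(url):
    """True when the URL cannot be entered without the esc keyword."""
    return "?" in url or ESC_QUESTION in url


def to_esc_form(url):
    r"""Convert a plain URL to the form typed after pki http esc.

    Literal \x3f sequences are protected first (their backslash is doubled),
    then every question mark is replaced by \x3f.
    """
    protected = url.replace(ESC_QUESTION, ESC_LITERAL)
    return protected.replace("?", ESC_QUESTION)


def from_esc_form(escaped):
    r"""Inverse of to_esc_form: the URL the device will actually request."""
    out = []
    i = 0
    while i < len(escaped):
        if escaped.startswith(ESC_LITERAL, i):      # \\x3f -> literal \x3f
            out.append(ESC_QUESTION)
            i += len(ESC_LITERAL)
        elif escaped.startswith(ESC_QUESTION, i):   # \x3f -> ?
            out.append("?")
            i += len(ESC_QUESTION)
        else:
            out.append(escaped[i])
            i += 1
    return "".join(out)
```

Decoding a candidate string with from_esc_form and comparing it with the intended URL is the quick way to confirm that the right number of backslashes was typed.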
Function
The pki import-certificate command imports a certificate to the device memory.
Format
pki import-certificate { ca | local } realm realm-name { der | pkcs12 | pem } [ filename filename ] [ replace ] [ no-check-validate ] [ no-check-hash-alg ]
Parameters
Parameter | Description | Value
realm realm-name | Specifies the PKI realm name of the imported certificate. NOTE: The PKI realm name cannot contain spaces. Otherwise, the certificate cannot be imported. | The PKI realm name must already exist.
filename filename | Specifies the name of the imported certificate. | The file name must already exist.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After a certificate is saved to the storage, run this command to import the
certificate to the memory for it to take effect.
The device supports the following certificate import modes:
● terminal: Import the certificate of the peer by copying its content. That is,
open the PEM certificate file with a text tool and copy the certificate content
to the local device.
● file: Specify the filename parameter to import the certificate file of the
peer.
Multiple certificates can be imported on the device, including the CA certificate,
local certificate, and private key.
NOTE
If you do not know the format of the certificate you want to import, configure each format in
turn and check whether the certificate is successfully imported.
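Trying each format keyword in turn works, but the encoding can usually be recognised from the first bytes of the file. The following is an added example, not Huawei code: it distinguishes PEM, DER X.509 and PKCS#12 files by their outer ASN.1 shape (a PKCS#12 PFX starts with an INTEGER version 3, a DER certificate with a nested SEQUENCE) and converts a PEM body to DER, the two encodings pki file-format can select. The sample inputs are constructed minimal shapes, not real certificates, and the function names are my own.

```python
"""Tell PEM, DER X.509 and PKCS#12 certificate files apart before import.

Added example, not Huawei code or output. It inspects the first bytes of a
file so the right keyword (pem, der or pkcs12) can be chosen directly, and
converts a PEM body to DER. The samples at the bottom are constructed
stand-ins for real certificates.
"""
import base64
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def read_tlv(buf, pos=0):
    """Decode one DER tag-length header at pos.

    Returns (tag, value_start, value_end). Handles short- and long-form
    lengths and raises ValueError for truncated or indefinite-length input
    (indefinite length is BER, never valid DER).
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is not DER")
    else:
        n = first & 0x7F
        if pos + n > len(buf):
            raise ValueError("truncated long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, pos, pos + length


def pem_to_der(data):
    """Return the DER bytes of the first PEM block in data."""
    match = PEM_BLOCK.search(data)
    if match is None:
        raise ValueError("no PEM block found")
    return base64.b64decode(b"".join(match.group(2).split()))


def detect_format(data):
    """Return 'pem', 'der', 'pkcs12' or 'unknown' for a certificate file."""
    if PEM_BLOCK.search(data):
        return "pem"
    try:
        tag, start, _end = read_tlv(data)
        if tag != 0x30:                    # every structure here is a SEQUENCE
            return "unknown"
        inner_tag, istart, iend = read_tlv(data, start)
    except ValueError:
        return "unknown"
    # PKCS#12 PFX = SEQUENCE { INTEGER version(3), authSafe, ... }
    # X.509 cert  = SEQUENCE { SEQUENCE tbsCertificate, ... }; a DER CRL has
    # the same outer shape, so 'der' means "a DER-encoded X.509 structure".
    if inner_tag == 0x02 and data[istart:iend] == b"\x03":
        return "pkcs12"
    if inner_tag == 0x30:
        return "der"
    return "unknown"


# Constructed samples: only the minimal outer shapes, not real certificates.
SAMPLE_DER = b"\x30\x04\x30\x02\x05\x00"          # SEQUENCE { SEQUENCE { NULL } }
SAMPLE_PKCS12 = b"\x30\x05\x02\x01\x03\x30\x00"   # SEQUENCE { INTEGER 3, SEQUENCE {} }
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
```

Run detect_format on the bytes of the file you copied to the storage device; a result of "unknown" means the file is truncated or not a certificate container at all, which is worth knowing before the import is attempted with every keyword.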
Prerequisites
The PKI realm has been created using the pki realm (system view) command,
and the certificate file already exists on the storage device.
Precautions
If a certificate file contains a key pair file, the pki import-certificate command
imports only the certificate file, but not the key pair file. To import the key pair
file, run the pki import rsa-key-pair command after the pki import-certificate
command, or run the pki import rsa-key-pair command to import the certificate
and key pair files simultaneously.
It is not recommended that multiple local certificates be imported into the same
PKI realm. Otherwise, certificate-related services may use the certificates that do
not match the services, causing services to become unavailable.
When a certificate in pkcs12 format is imported, the PKI system removes the file
name extension of the original certificate file, appends _localx.cer to generate a new
file name, and saves the file to the storage component. Therefore, the name of the
certificate file to be imported should be less than 50 characters. Otherwise, the total
certificate file name exceeds 64 characters and the certificate file cannot be
imported to the storage component.
The device supports the import of digital certificates generated through the RSA
encryption algorithm or SM2 key hash algorithm.
Example
# Import a local certificate to the PKI realm abc in file transfer mode.
<HUAWEI> system-view
[HUAWEI] pki realm abc
[HUAWEI-pki-realm-abc] quit
[HUAWEI] pki import-certificate local realm abc pem filename local.cer
Info: Succeeded in importing the certificate.
Function
The pki import-certificate peer command imports a certificate of the remote
device to the device memory.
Format
pki import-certificate peer peer-name { der | pem | pkcs12 } filename [ filename ]
pki import-certificate peer peer-name pkcs12 filename filename password password
Parameters
Parameter Description Value
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When digital envelope authentication is used, configure the public key of the
remote device. The public key can be obtained from the public and private key
management module or from the certificate of the remote device.
Prerequisites
The certificate file of the remote device must already exist on the storage device.
Precautions
When a certificate in pkcs12 format is imported, the PKI system deletes the file
name extension of the original certificate file, adds _localx.cer to generate a new
file name, and saves it to the storage component. Therefore, the name of the
certificate file to be imported cannot exceed 50 characters. Otherwise, the total
certificate file name will exceed 64 characters, and the certificate file cannot be
imported to the storage component.
You can import a peer certificate generated using the RSA encryption algorithm or
SM2 key hash algorithm to the device.
Example
# Import the certificate aa.pem of the remote device in the file mode.
<HUAWEI> system-view
[HUAWEI] pki import-certificate peer abcd pem file aa.pem
Info: Succeeded in importing the peer certificate.
Function
The pki import-crl command imports the CRL to the memory.
Format
pki import-crl realm realm-name filename file-name
Parameters
Parameter | Description | Value
realm realm-name | Specifies the PKI realm name. | The value must be an existing PKI realm name.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To enable the CRL that is obtained in out-of-band mode or is updated manually,
run this command to import the CRL to the memory.
Prerequisites
A PKI realm has been created using the pki realm (system view) command and
the CRL file has been downloaded using HTTP.
Example
# Import the CRL in the PKI realm to the memory.
<HUAWEI> system-view
[HUAWEI] pki realm abc
[HUAWEI-pki-realm-abc] quit
[HUAWEI] pki http esc http://www.***.com\x3fpage1\\x3f abc.crl
[HUAWEI] pki import-crl realm abc filename abc.crl
Function
The pki import rsa-key-pair command imports the RSA key pair to the device
memory.
Format
pki import rsa-key-pair key-name [ include-cert realm realm-name ] { pem | pkcs12 } file-name [ exportable ] [ password password ]
Parameters
Parameter Description Value
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Run this command to use the RSA key pair generated by other entities. After the
configuration, the imported RSA key pair can be referenced by the PKI module for
operations such as signing.
NOTE
Windows Server 2003 has limited processing performance. If the device connects to a
Windows Server 2003, do not configure too many entities on the device or use a large-sized
key pair.
If you do not know the format of the key pair you want to import, configure each format in turn
and check whether the key pair is successfully imported.
Prerequisites
The RSA key pair must already exist on the storage device.
Example
# Import the RSA key pair aaa.pem. In the system, the RSA key pair is named
key-1, is marked exportable and has the decryption password Test!123456.
<HUAWEI> system-view
[HUAWEI] pki import rsa-key-pair key-1 pem aaa.pem exportable password Test!123456
Info: Succeeded in importing the RSA key pair in PEM format.
Function
The pki key enhance enable command enables the PKI module to use the
enhanced key algorithm for encryption and decryption.
The undo pki key enhance enable command disables the PKI module from using
the enhanced key algorithm for encryption and decryption.
By default, the PKI module is enabled to use the enhanced key algorithm for
encryption and decryption.
Format
pki key enhance enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
In V200R020C00SPC300 and later versions, the PKI module uses the enhanced key
algorithm for encryption and decryption by default. The enhanced key algorithm is
incompatible with the key algorithm used by the PKI module in versions earlier
than V200R020C00SPC300. Therefore, before downgrading a device from
V200R020C00SPC300 or a later version to a version earlier than
V200R020C00SPC300, run the undo pki key enhance enable command to disable
this function so that the PKI module uses the same key algorithm before and after
the device downgrade, ensuring service continuity.
Precautions
Example
# Before a device is downgraded from V200R020C00SPC300 or a later version to a
version earlier than V200R020C00SPC300, disable the PKI module from using the
enhanced key algorithm for encryption and decryption so that the key algorithms
before and after the downgrade are the same.
<HUAWEI> system-view
[HUAWEI] undo pki key enhance enable
Warning: The current operation has security risks. You are not advised to perform this operation.
Function
The pki match-rsa-key command configures a device to search for the RSA key
pair associated with a specific certificate.
Format
pki match-rsa-key certificate-filename file-name
Parameters
Parameter | Description | Value
certificate-filename file-name | Specifies the name of a certificate file. | The value must be an existing certificate file name.
Views
System view
Default Level
3: Management level
Usage Guidelines
Run this command to find the RSA key pair that corresponds to a certificate. After
the command is run, the system searches all local RSA key pairs, compares each of
them with the specified certificate, and outputs the name of the matching RSA key
pair if one is found.
Example
# Configure a device to search for the RSA key pair that matches the certificate
file local.cer.
<HUAWEI> system-view
[HUAWEI] pki match-rsa-key certificate-filename local.cer
Info: The file local.cer contains certificates 1.
Info: Certificate 1 from file local.cer matches RSA key rsa2.key.
Function
The pki ocsp response cache enable command enables a PKI entity to cache
OCSP responses.
The undo pki ocsp response cache enable command disables a PKI entity from
caching OCSP responses.
By default, OCSP response caching is disabled on a PKI entity.
Format
pki ocsp response cache enable
undo pki ocsp response cache enable
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
After you enable a PKI entity to cache OCSP responses, the PKI entity first searches
its cache for the certificate revocation status. If the search fails, the PKI entity
sends a request to the OCSP server. In addition, the PKI entity caches valid OCSP
responses for subsequent query. OCSP responses have a validity period. With OCSP
response caching enabled, a PKI entity refreshes the cached OCSP responses every
minute to clear expired OCSP responses.
Example
# Enable a PKI entity to cache OCSP responses.
<HUAWEI> system-view
[HUAWEI] pki ocsp response cache enable
Function
The pki ocsp response cache number command sets the maximum number of
OCSP responses that can be cached on a PKI entity.
The undo pki ocsp response cache number command restores the default
maximum number of OCSP responses that can be cached on a PKI entity.
By default, the maximum number of OCSP responses that can be cached on a PKI
entity is 2.
Format
pki ocsp response cache number number
Parameters
Parameter Description Value
Views
System view
Default Level
3: Management level
Usage Guidelines
A PKI entity caches valid OCSP responses for subsequent query. If the number of
cached OCSP responses reaches the value specified by number, the PKI entity
stops caching OCSP responses.
Example
# Set the maximum number of OCSP responses that can be cached on a PKI entity
to 3.
<HUAWEI> system-view
[HUAWEI] pki ocsp response cache number 3
Function
The pki ocsp response cache refresh interval command sets the interval at
which the OCSP response cache is refreshed.
The undo pki ocsp response cache refresh interval command restores the
default interval at which a PKI entity refreshes the OCSP response cache.
By default, the interval at which a PKI entity refreshes the OCSP response cache is
5 minutes.
Format
pki ocsp response cache refresh interval interval
undo pki ocsp response cache refresh interval
Parameters
Parameter | Description | Value
interval | Specifies the interval at which the OCSP response cache is refreshed. | The value is an integer that ranges from 1 to 1440, in minutes. The default value is 5.
Views
System view
Default Level
3: Management level
Usage Guidelines
A PKI entity refreshes the OCSP response cache periodically and deletes the OCSP
responses that have expired based on the interval value.
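The three cache commands (enable, number, refresh interval) describe one mechanism, so here is a single model of it. This is an added example and not Huawei code: a lookup is answered from the cache while the stored response is still within its validity period, otherwise the OCSP server is asked; valid responses are cached until the configured maximum is reached; and a refresh run at the configured interval evicts expired responses. The clock and the server function are injected stand-ins so the scenario runs offline, and all names are my own.

```python
"""Model of the OCSP response cache configured by pki ocsp response cache
enable, pki ocsp response cache number and pki ocsp response cache
refresh interval.

Added example, not Huawei code. The clock and the OCSP server are injected
so the behaviour can be reproduced offline; query_server stands in for the
real OCSP request.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict


@dataclass
class OcspResponse:
    status: str           # "good", "revoked" or "unknown"
    next_update: float    # time after which the response is no longer valid


@dataclass
class OcspCache:
    query_server: Callable[[str], OcspResponse]
    now: Callable[[], float]
    max_entries: int = 2            # documented default of the number command
    refresh_interval: float = 300   # documented default: 5 minutes, in seconds
    server_calls: int = 0
    _entries: Dict[str, OcspResponse] = field(default_factory=dict)
    _last_refresh: float = 0.0

    def __post_init__(self):
        self._last_refresh = self.now()

    def _is_valid(self, resp):
        return resp.next_update > self.now()

    def refresh(self):
        """Evict every cached response whose validity period has passed."""
        self._entries = {s: r for s, r in self._entries.items() if self._is_valid(r)}
        self._last_refresh = self.now()

    def cached_serials(self):
        return sorted(self._entries)

    def status(self, serial):
        """Revocation status of a certificate, served from cache when possible."""
        if self.now() - self._last_refresh >= self.refresh_interval:
            self.refresh()
        cached = self._entries.get(serial)
        if cached is not None and self._is_valid(cached):
            return cached.status
        self.server_calls += 1
        resp = self.query_server(serial)
        # Cache only valid responses, and stop caching once the limit is reached
        # (an existing entry for the same serial may always be replaced).
        room = serial in self._entries or len(self._entries) < self.max_entries
        if self._is_valid(resp) and room:
            self._entries[serial] = resp
        return resp.status


class FakeClock:
    """Manually advanced clock so the simulation is deterministic."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def simulate():
    """Run a short scenario; returns (server calls after each lookup,
    statuses returned, serials left in the cache)."""
    clock = FakeClock()
    revoked = {"R"}                       # constructed: serial R is revoked

    def server(serial):                   # responses are valid for 600 s
        return OcspResponse("revoked" if serial in revoked else "good", clock() + 600)

    cache = OcspCache(query_server=server, now=clock, max_entries=2, refresh_interval=300)
    calls, statuses = [], []
    for serial in ["A", "A", "B", "C", "C"]:
        statuses.append(cache.status(serial))
        calls.append(cache.server_calls)
    clock.t = 601                         # both cached responses are now stale
    for serial in ["A", "R"]:
        statuses.append(cache.status(serial))
        calls.append(cache.server_calls)
    return calls, statuses, cache.cached_serials()
```

In the scenario, the second lookup of A costs no server call, C is never cached because the two slots are full, and after the refresh interval the stale entries are evicted so A is fetched again and R takes the freed slot.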
Example
# Set the interval at which the OCSP response cache is refreshed to 30 minutes.
<HUAWEI> system-view
[HUAWEI] pki ocsp response cache refresh interval 30
Function
The pki realm command creates a PKI realm and displays the PKI realm view, or
displays the view of an existing PKI realm.
The undo pki realm command deletes a PKI realm.
By default, the device has a PKI realm named default. This realm can be modified
but not deleted.
Format
pki realm realm-name
undo pki realm realm-name
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
A PKI realm is a set of identity information required when a PKI entity enrolls a
certificate.
Precautions
When a certificate is requested using a PKI realm, the system names the certificate
file PKI realm name_local.cer. Therefore, ensure that the name of a created PKI
realm does not exceed 50 characters. Otherwise, the certificate file name may
exceed 64 characters and cannot be saved on a storage device.
The name of a CRL file requested using a PKI realm is suffixed with .crl. Therefore,
ensure that the name of a created PKI realm does not exceed 52 characters.
Otherwise, the CRL file name may exceed 64 characters and cannot be saved on a
storage device.
Example
# Create a PKI realm named abc.
<HUAWEI> system-view
[HUAWEI] pki realm abc
[HUAWEI-pki-realm-abc]
Function
The pki release-certificate peer command releases a certificate of the remote
device.
Format
pki release-certificate peer { name peer-name | all }
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
If the specified certificate of the remote device is not required, run the pki
release-certificate peer command to release the certificate of the remote device.
Before using this command, run the display pki peer-certificate command to
view the certificate information of the remote device.
Prerequisites
The pki import-certificate peer command has been used to import the certificate
of the remote device.
Example
# Release the certificate test of the remote device.
<HUAWEI> system-view
[HUAWEI] pki release-certificate peer name test
Info: Succeeded in releasing the peer certificate.
Function
The pki rsa local-key-pair create command creates the specified RSA key pair.
Format
pki rsa local-key-pair create key-name [ modulus modulus-size ] [ exportable ]
Parameters
Parameter | Description | Value
exportable | Indicates that the new RSA key pair can be exported from the device. | -
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When a PKI entity requests a certificate from the CA, the certificate enrollment
request that it sends contains information such as the public key. Run this
command to create the RSA key pair for the certificate request.
NOTE
Windows Server 2003 has limited processing performance. If the device connects to a
Windows Server 2003, do not configure too many entities on the device or use a large-sized
key pair.
Precautions
When creating the key pair, the system prompts the user to enter the number of
bits of the RSA key pair. The longer the key, the harder it is to break and the
more secure it is, but the slower the cryptographic operations. It is recommended
that the number of bits of the RSA key pair exceed 2048; otherwise, the key pair
has security risks.
The name of an RSA key pair cannot exceed 50 characters. When an RSA key pair is
imported together with its certificate, the PKI system appends _localx.cer to the
name of the RSA key pair to generate the certificate file name and saves the file
to the storage component. If the name exceeds 50 characters, the total file name
exceeds 64 characters and the certificate file cannot be saved to the storage
component.
An RSA key pair referenced by a PKI realm cannot be overwritten. It can be
overwritten only after the reference relationship is removed.
If the name of the new RSA key pair is the same as that of a pair on the device,
the system prompts the user to decide whether to overwrite the existing pair.
Example
# Create 2048-bit RSA key pair test.
<HUAWEI> system-view
[HUAWEI] pki rsa local-key-pair create test
Info: The name of the new key-pair will be: test
The size of the public key ranges from 2048 to 4096.
Input the bits in the modules:2048
Generating key-pairs...
......+++
.......+++
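The same 64-character file-name limit appears in several places in this reference: the realm name (certificate saved as realm-name_local.cer, CRL as realm-name.crl), a pkcs12 certificate import and a peer pkcs12 import (extension dropped, _localx.cer appended), and an RSA key pair imported with its certificate (_localx.cer appended). The following added example, which is not Huawei code, collects those rules into one checker that reports any name over the documented caps and any generated file name that would exceed 64 characters. It uses the literal suffix _localx.cer exactly as the text gives it; how the device itself enforces the limit is not shown and the function names are my own.

```python
"""Check PKI object names against the 64-character file-name limit.

Added example, not Huawei code. It applies the naming rules stated in this
reference: <realm>_local.cer and <realm>.crl for a realm, <name>_localx.cer
for a certificate imported from a pkcs12 file (original extension removed
first) or together with an RSA key pair. The 50/52-character caps and the
64-character limit are the documented values.
"""
import os

MAX_FILE_NAME = 64      # longest file name the storage component accepts
REALM_CAP_CERT = 50     # documented cap so <realm>_local.cer fits
REALM_CAP_CRL = 52      # documented cap so <realm>.crl fits
NAME_CAP = 50           # documented cap for pkcs12 file names and RSA key names


def realm_cert_file(realm):
    return f"{realm}_local.cer"


def realm_crl_file(realm):
    return f"{realm}.crl"


def pkcs12_cert_file(original_file):
    """Certificate file name after a pkcs12 import: extension dropped,
    _localx.cer appended (taken literally from the reference)."""
    base, _ext = os.path.splitext(original_file)
    return f"{base}_localx.cer"


def key_pair_cert_file(key_name):
    """Certificate file name when a certificate is imported with an RSA key pair."""
    return f"{key_name}_localx.cer"


def generated_file_names(realm=None, pkcs12_file=None, key_name=None):
    """Map each file name the device would generate to what produces it."""
    names = {}
    if realm is not None:
        names[realm_cert_file(realm)] = "local certificate requested via realm"
        names[realm_crl_file(realm)] = "CRL requested via realm"
    if pkcs12_file is not None:
        names[pkcs12_cert_file(pkcs12_file)] = "pkcs12 certificate import"
    if key_name is not None:
        names[key_pair_cert_file(key_name)] = "certificate imported with RSA key pair"
    return names


def check_names(realm=None, pkcs12_file=None, key_name=None):
    """Return a list of problems: documented caps first, then any generated
    file name that exceeds the hard 64-character limit."""
    problems = []
    if realm is not None:
        if len(realm) > REALM_CAP_CERT:
            problems.append(f"realm name has {len(realm)} characters, above the cap of {REALM_CAP_CERT}")
        if len(realm) > REALM_CAP_CRL:
            problems.append(f"realm name has {len(realm)} characters, above the CRL cap of {REALM_CAP_CRL}")
    for label, value in (("pkcs12 file name", pkcs12_file), ("RSA key pair name", key_name)):
        if value is not None and len(value) > NAME_CAP:
            problems.append(f"{label} has {len(value)} characters, above the cap of {NAME_CAP}")
    for name, origin in generated_file_names(realm, pkcs12_file, key_name).items():
        if len(name) > MAX_FILE_NAME:
            problems.append(f"{origin}: {name} has {len(name)} characters and cannot be saved")
    return problems
```

Running check_names on the realm, file and key names of a planned deployment before touching the device avoids discovering the limit only when a certificate import or CRL download silently fails to save.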
Function
The pki rsa local-key-pair destroy command deletes the specified RSA key pair.
Format
pki rsa local-key-pair destroy key-name
Parameters
Parameter | Description | Value
key-name | Specifies the name of the RSA key pair to be deleted. | The value must be the name of an existing key pair.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
It is recommended that you run this command to destroy the specified RSA key
pair if it is leaked, damaged, unused, or lost.
After this command is executed, the specified RSA key pair is deleted from the
active device and the standby device.
Prerequisites
The RSA key pair has been created using the pki rsa local-key-pair create
command or the RSA key pair has been imported to the memory using the pki
import rsa-key-pair command.
Precautions
An RSA key pair referenced by a PKI realm or CMP session cannot be deleted. It
can be deleted only after the reference relationship is removed.
Example
# Delete the RSA key pair test.
<HUAWEI> system-view
[HUAWEI] pki rsa local-key-pair create test
Info: The name of the new key-pair will be: test
The size of the public key ranges from 512 to 4096.
Input the bits in the modules:2048
Generating key-pairs...
.....+++
..........................+++
[HUAWEI] pki rsa local-key-pair destroy test
Warning: The name of the key pair to be deleted is test.
Are you sure you want to delete the key pair? [y/n]:y
Info: Delete RSA key pair success.
Function
The pki set-certificate expire-prewarning command sets the expiration warning
date for the local certificate and the CA certificate in the memory.
By default, the expiration warning date for the local certificate and the CA
certificate in the memory is 90 days.
Format
pki set-certificate expire-prewarning day
Parameters
Parameter | Description | Value
day | Specifies the expiration warning date. | The value is an integer that ranges from 7 to 180. By default, the value is 90.
Views
System view
Default Level
3: Management level
Usage Guidelines
After this command is executed, the device warns you in advance that a certificate
is about to expire. If the system detects that a certificate in the memory will
expire in fewer than day days, the device sends an expiration warning to the user.
Example
# Set the expiration warning date for the local certificate and the CA certificate in
the memory to 30 days.
<HUAWEI> system-view
[HUAWEI] pki set-certificate expire-prewarning 30
Function
The pki validate ocsp-server-certificate enable command enables the function
that uses the OCSP server certificate to verify OCSP server packets.
By default, the function that uses the OCSP server certificate to verify OCSP server
packets is enabled.
Format
pki validate ocsp-server-certificate enable
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
For security purposes, you are advised to enable the function that uses the OCSP
server certificate to verify OCSP server packets. If OCSP server packets fail the
verification, the device discards these packets.
Precautions
If the imported OCSP server certificate is not the correct one, OCSP server packets
fail the verification, causing the local certificate to become unavailable. To prevent
this problem, import the correct OCSP server certificate. If no OCSP server
certificate can be obtained, run the undo pki validate ocsp-server-certificate
enable command to disable the function that uses the OCSP server certificate to
verify OCSP server packets.
Example
# Enable the function that uses the OCSP server certificate to verify OCSP server
packets.
<HUAWEI> system-view
[HUAWEI] pki validate ocsp-server-certificate enable
Function
The pki validate-certificate command allows you to verify the validity of a CA
certificate or a local certificate.
Format
pki validate-certificate { ca | local } realm realm-name
Parameters
Parameter Description Value
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When an end entity verifies a peer certificate, it checks the status of the peer
certificate. For example, the end entity checks whether the peer certificate has
expired and whether the certificate is in a CRL.
To verify the validity of a CA certificate or a local certificate, run the pki validate-
certificate command.
Prerequisites
A PKI realm has been configured using the pki realm (system view) command.
Precautions
The pki validate-certificate ca command allows you to verify only the root CA
certificate, but not subordinate CA certificates. When multiple CA certificates are
imported on a device, you can use only the pki validate-certificate local
command to verify the validity of subordinate certificates.
Example
# Configure the device to check the validity of the local certificate using a CRL.
<HUAWEI> system-view
[HUAWEI] pki realm abc
[HUAWEI-pki-realm-abc] certificate-check crl
[HUAWEI-pki-realm-abc] quit
[HUAWEI] pki validate-certificate local realm abc
Function
The reset pki cmp statistics command clears the statistics on CMP sessions.
Format
reset pki cmp statistics [ session session-name ]
Parameters
Parameter Description Value
session session-name: Specifies the name of a CMP session. The value must be an existing CMP session name.
Views
User view
Default Level
2: Configuration level
Usage Guidelines
If a CMP session is specified, this command will clear the statistics of the session.
If no CMP session is specified, this command will clear the statistics of all sessions.
Example
# Clear statistics on the CMP session test.
<HUAWEI> reset pki cmp statistics session test
Function
The reset pki ocsp response cache command resets an OCSP response cache.
NOTE
Format
reset pki ocsp response cache
Parameters
None
Views
User view
Default Level
3: Management level
Usage Guidelines
The PKI entity caches valid OCSP responses for future searches. If the number of
cached OCSP responses reaches the maximum value, no more OCSP responses can
be cached. To ensure that the latest OCSP responses can be cached, you can run
this command to clear the OCSP response cache first.
Example
# Reset an OCSP response cache.
<HUAWEI> reset pki ocsp response cache
Function
The reset pki ocsp server down-information command clears Down state
information of the OCSP server recorded on the device.
NOTE
Format
reset pki ocsp server down-information [ url [ esc ] url-addr ]
Parameters
Parameter Description Value
Views
User view
Default Level
3: Management level
Usage Guidelines
There is a mechanism to determine whether the OCSP server is Down. When the
OCSP server corresponding to a URL cannot be accessed, the server status is set to
Down. In this case, the device will not send OCSP requests to the URL within 10
minutes. However, this mechanism may falsely set the state of a transiently
disconnected server to Down. Using this command, the user can manually clear
the falsely reported Down state of the OCSP server so that the device can send
OCSP requests to the server.
The keyword esc allows you to enter a URL that contains a question mark (?) by
giving the question mark as its ASCII code: write it as \x3f, where 3f is the
hexadecimal ASCII code of the question mark (?). For example, to enter http://
***.com?page1, enter the URL as http://***.com\x3fpage1. To enter
http://www.***.com?page1\x3f, which contains both a question mark (?) and a
literal \x3f, enter the URL as http://www.***.com\x3fpage1\\x3f.
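The escaping rule above is small but easy to get wrong in scripts that build these commands, so here is an added helper (not Huawei code) that applies it and checks it. It encodes a question mark as \x3f and a pre-existing literal \x3f as \\x3f, exactly as the two examples above describe; the decoder and the is_cli_safe check are additions for verifying the rule, and the example.com URLs are constructed.

```python
r"""Added helper (not Huawei code) for the esc form of
reset pki ocsp server down-information url esc <url-addr>.
Rule from the manual: '?' becomes \x3f; a literal \x3f becomes \\x3f."""


def esc_encode(url: str) -> str:
    """Encode a URL for the esc keyword."""
    # Escape any pre-existing literal \x3f first, so the \x3f produced
    # for '?' in the second step is not doubled as well.
    return url.replace("\\x3f", "\\\\x3f").replace("?", "\\x3f")


def esc_decode(encoded: str) -> str:
    """Inverse of esc_encode: scan left to right, longest token first."""
    out, i = [], 0
    while i < len(encoded):
        if encoded.startswith("\\\\x3f", i):   # doubled backslash: literal \x3f
            out.append("\\x3f")
            i += 5
        elif encoded.startswith("\\x3f", i):   # single backslash: a question mark
            out.append("?")
            i += 4
        else:
            out.append(encoded[i])
            i += 1
    return "".join(out)


def is_cli_safe(encoded: str) -> bool:
    """A correctly escaped URL leaves no raw '?' for the CLI to interpret."""
    return "?" not in encoded


if __name__ == "__main__":
    # constructed URLs mirroring the two cases in the manual text
    for url in ("http://example.com?page1", "http://www.example.com?page1\\x3f"):
        enc = esc_encode(url)
        print(f"{url} -> {enc} (round trip ok: {esc_decode(enc) == url})")
```

The encoder only knows the two tokens the manual defines (\x3f and \\x3f); how the CLI treats other backslash sequences is not stated on the page, so the decoder passes every other character through unchanged.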
Example
# Clear the OCSP server Down information of the specified URL.
<HUAWEI> reset pki ocsp server down-information
Function
The rsa local-key-pair command configures the RSA key pair used to request a
certificate using SCEP or in offline mode.
The undo rsa local-key-pair command deletes the RSA key pair used to request a
certificate using SCEP or in offline mode.
By default, the system does not configure the RSA key pair used to request a
certificate using SCEP or in offline mode.
Format
rsa local-key-pair key-name
Parameters
Parameter Description Value
key-name: Specifies the name of the RSA key pair. The value must be an existing RSA key pair name.
Views
PKI realm view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The PKI entity that requests a certificate from the CA using SCEP or in offline
PKCS#10 mode must contain a public key. Run this command to configure the
RSA key pair.
Prerequisites
The RSA key pair for certificate application has been created using the pki rsa
local-key-pair create command or the RSA key pair has been imported to the
memory using the pki import rsa-key-pair command.
Precautions
Example
# Configure the RSA key pair that is referenced by the PKI realm test.
<HUAWEI> system-view
[HUAWEI] pki rsa local-key-pair create test
Info: The name of the new key-pair will be: test
The size of the public key ranges from 2048 to 4096.
Input the bits in the modules:2048
Generating key-pairs...
.........................+++
................................................................................
........+++
[HUAWEI] pki realm test
[HUAWEI-pki-realm-test] rsa local-key-pair test
14.19.92 serial-number
Function
The serial-number command adds the serial number of a device to a PKI entity.
Format
serial-number
undo serial-number
Parameters
None
Views
PKI entity view
Default Level
2: Configuration level
Usage Guidelines
The parameters of a PKI entity include the identity information of the PKI entity.
The CA identifies a certificate applicant based on identity information provided by
a PKI entity. To further identify the applicant, add the serial number of the device
to the PKI entity.
After the serial number of the device is added to a PKI entity, the certificate
request packet sent by the device to the CA server carries this serial number. After
receiving the certificate request packet, the CA server verifies the packet. For each
valid packet, the CA server generates a digital certificate carrying the device serial
number.
Example
# Add the serial number of the device to a PKI entity.
<HUAWEI> system-view
[HUAWEI] pki entity entity1
[HUAWEI-pki-entity-entity1] serial-number
14.19.93 source
Function
The source command configures the source address used in TCP connection setup.
The undo source command restores the default setting.
By default, the device uses an outbound interface's IP address as the source IP
address used in TCP connection setup.
Format
source { interface interface-type interface-number | ip-address }
undo source
Parameters
Parameter Description Value
Views
PKI realm view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
If the device needs to establish a TCP connection with an SCEP or OCSP server, you
must run the source command to specify the source IP address used in TCP
connection setup.
In the multi-output scenario, if the interfaces for sending and receiving a TCP
packet are different, the IP address in the received TCP packet is different from the
IP address of the receiving interface. Then the TCP packet is dropped, and the TCP
connection is torn down. In this situation, you can run this command to specify
the loopback interface address.
Precautions
If the source interface used in TCP connection setup has been specified, the source
interface must be a Layer 3 interface with an IP address configured.
Example
# Configure the IP address of VLANIF 100 as the source address used in TCP
connection setup.
<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip address 10.136.2.25 24
[HUAWEI-Vlanif100] quit
[HUAWEI] pki realm abc
[HUAWEI-pki-realm-abc] source interface vlanif 100
Function
The state command configures a state or province name for a PKI entity.
Format
state state-name
undo state
Parameters
Views
PKI entity view
Default Level
2: Configuration level
Usage Guidelines
The parameters of a PKI entity contain the identity information of the entity. The
CA identifies a certificate applicant based on identity information provided by the
entity. To facilitate applicant identification, configure a state or province name for
a PKI entity.
After the state or province name is configured for a PKI entity, the certificate
request packet sent by the device to the CA server contains this state or province
name. The CA server verifies every received certificate request packet. For each
valid packet, the CA server generates a digital certificate carrying the state or
province name of the PKI entity.
Example
# Configure the province name to Jiangsu for a PKI entity.
<HUAWEI> system-view
[HUAWEI] pki entity entity1
[HUAWEI-pki-entity-entity1] state Jiangsu
Function
The undo pki cmp poll-request session command cancels CMP polling requests.
Format
undo pki cmp poll-request session session-name
Parameters
Parameter Description Value
session-name: Specifies the name of a CMP session. The value must be an existing CMP session name.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
If the server cannot deliver the result immediately after the client initiates a
certificate-related request, the server requires the client to keep sending the
request in polling mode until the server delivers the final result. How long this
takes varies with the actual situation. To cancel the polling process, run this
command; the certificate-related request is then canceled as well.
Prerequisites
A CMP session has been created using the pki cmp session command.
Example
# Cancel CMP polling requests.
<HUAWEI> system-view
[HUAWEI] pki cmp session test
[HUAWEI-pki-cmp-session-test] quit
[HUAWEI] undo pki cmp poll-request session test
14.19.96 vpn-instance
Function
The vpn-instance command adds a PKI realm to a specified VPN.
The undo vpn-instance command unbinds a PKI realm from a specified VPN.
By default, a PKI realm is not added to any VPN.
Format
vpn-instance vpn-instance-name
undo vpn-instance
Parameters
Parameter Description Value
Views
PKI realm view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To obtain and verify certificates, the device needs to communicate with the CA or
SCEP server. When the CA or SCEP server is in a VPN, add the PKI realm to the
specified VPN.
Prerequisites
1. A VPN instance has been created using the ip vpn-instance command.
2. The RD has been configured using the route-distinguisher command.
Example
# Add a PKI realm to the VPN named vrf1.
<HUAWEI> system-view
[HUAWEI] ip vpn-instance vrf1
[HUAWEI-vpn-instance-vrf1] route-distinguisher 22:1
[HUAWEI-vpn-instance-vrf1-af-ipv4] quit
[HUAWEI-vpn-instance-vrf1] quit
[HUAWEI] pki realm abc
[HUAWEI-pki-realm-abc] vpn-instance vrf1
14.20.2 cpu-overload-control
Function
The cpu-overload-control command configures the CPU usage thresholds and
adjustment factor of the leak rate.
By default, the level-1 CPU usage threshold is 95%, the level-2 CPU usage
threshold is 98%, and the adjustment factor of the leak rate is 10.
Format
cpu-overload-control { threshold1 threshold1-value | threshold2 threshold2-value | adjustfactor adjustfactor-value } * slot slot-id
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
The OLC function starts only when the CPU usage reaches the OLC start threshold
(the same as the level-1 CPU usage threshold); it then lowers the leak rate so that
the rate of packets sent to the CPU is lowered. When the CPU usage reaches the
level-2 CPU usage threshold, the system lowers the leak rate twice as fast. When
the CPU usage falls below the OLC stop threshold (the level-1 CPU usage
threshold minus 20%), the OLC function is stopped. The adjustment factor
specifies the frequency at which the leak rate is adjusted: the smaller the
adjustment factor, the more frequent the adjustment, and vice versa. A smaller
adjustment factor lets the system adapt more quickly to service changes but may
lead to flapping of the leak rate. The default leak rate is recommended.
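To make the start/stop hysteresis and the role of the adjustment factor concrete, here is an added simulation (not Huawei code and not the switch's actual algorithm). The start threshold, the stop threshold of threshold1 minus 20%, and the level-2 "twice as fast" rule are taken from the text above; the size of each leak-rate reduction (step), restoring the full rate when OLC stops, and the validation in OlcConfig are assumptions made for the simulation.

```python
"""Added OLC hysteresis simulation (not Huawei code)."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class OlcConfig:
    threshold1: int = 95    # level-1 threshold = OLC start threshold (page default)
    threshold2: int = 98    # level-2 threshold: leak rate lowered twice as fast (page default)
    adjustfactor: int = 10  # ticks between adjustments; smaller = more frequent (page default)
    stop_margin: int = 20   # OLC stop threshold = threshold1 - 20% (page)
    step: int = 5           # assumed reduction per adjustment, in % of the full leak rate

    def __post_init__(self):
        # assumed sanity checks: level-1 must sit below level-2
        if not 0 < self.threshold1 < self.threshold2 <= 100:
            raise ValueError("need 0 < threshold1 < threshold2 <= 100")
        if self.adjustfactor < 1:
            raise ValueError("adjustfactor must be >= 1")


@dataclass
class OlcState:
    active: bool = False
    leak_rate: int = 100    # percent of the configured leak rate
    ticks_active: int = 0
    events: List[str] = field(default_factory=list)


def olc_tick(cfg: OlcConfig, st: OlcState, cpu: int, t: int) -> OlcState:
    """Advance the controller by one sampling tick at CPU usage `cpu` (percent)."""
    stop_threshold = cfg.threshold1 - cfg.stop_margin
    if not st.active and cpu >= cfg.threshold1:
        st.active = True
        st.ticks_active = 0
        st.events.append(f"t={t}: OLC started (cpu {cpu}% >= start {cfg.threshold1}%)")
    elif st.active and cpu < stop_threshold:
        st.active = False
        st.leak_rate = 100  # assumption: full leak rate restored once OLC stops
        st.events.append(f"t={t}: OLC stopped (cpu {cpu}% < stop {stop_threshold}%)")
    if st.active:
        st.ticks_active += 1
        if st.ticks_active % cfg.adjustfactor == 0:
            # level-2 overload lowers the leak rate twice as fast
            reduction = cfg.step * (2 if cpu >= cfg.threshold2 else 1)
            st.leak_rate = max(0, st.leak_rate - reduction)
    return st


def simulate(cfg: OlcConfig, cpu_samples: List[int]) -> Tuple[List[Tuple[int, bool, int]], List[str]]:
    """Run the controller over CPU samples; returns per-tick
    (cpu, olc_active, leak_rate_percent) and the start/stop event log."""
    st = OlcState()
    trace = []
    for t, cpu in enumerate(cpu_samples):
        olc_tick(cfg, st, cpu, t)
        trace.append((cpu, st.active, st.leak_rate))
    return trace, st.events


if __name__ == "__main__":
    # constructed load profile: level-1 overload, then level-2, then recovery
    profile = [96] * 10 + [99] * 10 + [80, 70]
    trace, events = simulate(OlcConfig(), profile)
    for line in events:
        print(line)
    print("final leak rate:", trace[-1][2], "%")
```

Note the sample at 80% in the profile: it is below the start threshold but above the stop threshold (75%), so OLC stays active. That gap is the hysteresis that keeps the function from toggling on every small dip; a smaller adjustfactor shortens the interval between reductions, which is the flapping risk the text warns about.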
Example
# Set the level-1 CPU usage threshold to 90%, level-2 CPU usage threshold to
95%, and adjustment factor of the leak rate to 15 in slot 0.
<HUAWEI> system-view
[HUAWEI] cpu-overload-control threshold1 90 threshold2 95 adjustfactor 15 slot 0
Format
cpu-overload-control alarm disable
undo cpu-overload-control alarm disable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
By default, the OLC alarm function is enabled. When the CPU usage is greater
than the OLC start threshold or lower than the OLC stop threshold, an alarm is
generated to notify users of the CPU running status and the status of the OLC
function.
When the service traffic of monitored protocols or tasks on the live network is
light and the CPU usage remains stably low, you can disable the OLC alarm
function.
Example
# Enable the OLC alarm function.
<HUAWEI> system-view
[HUAWEI] undo cpu-overload-control alarm disable
Format
cpu-overload-control { packet-type packet-type | task task-name } bucket-
weight bucket-weight-value slot slot-id
undo cpu-overload-control { packet-type packet-type | task task-name }
bucket-weight bucket-weight-value slot slot-id
Parameters
Parameter Description Value
whitelisted protocol packets)
● cos-0: packet with priority 0 (excluding whitelisted protocol packets)
NOTE
S1720GF, S1720GW-E, S1720GFR-P, S1720GWR-E, S2720-EI, S5720I-SI, S5720-LI, S1730S-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5720S-LI, S5735-S, S500, S5735S-S, S5735-S-I, S5735S-H, and S5736-S do not support the arp-miss parameter.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Each protocol or task for which OLC is enabled is associated with a bottom leaky
bucket. By default, the device assigns each leaky bucket a weight based on
priorities of the monitored protocols and tasks. The weight of a leaky bucket
determines its weighted water level (that is, the number of tokens that it can
apply for). You can run this command to configure weights of the leaky buckets
for monitored protocols and tasks based on service requirements.
Example
# Set the weight of the leaky bucket for the DHCP protocol to 500 in slot 0.
<HUAWEI> system-view
[HUAWEI] cpu-overload-control packet-type dhcp bucket-weight 500 slot 0
Format
cpu-overload-control disable slot slot-id
undo cpu-overload-control disable slot slot-id
Parameters
Parameter Description Value
slot slot-id Specifies a slot ID. The value must be set according to the device
configuration.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
On a complex live network, the CPU may be overloaded if a large amount of
service traffic is sent to the CPU or the CPU is attacked by unauthorized services.
CPU overload will affect both the device's performance and its ability to process
services.
OLC monitors certain CPU-bound protocol packets and tasks. According to the
priorities of different services, OLC rate-limits the monitored protocol packets and
tasks if the CPU usage exceeds a certain threshold. In this way, OLC not only
reduces consumption of CPU resources but also prevents CPU overload from
affecting normal processing of other services.
When the service traffic of monitored protocols or tasks on the live network is
light and the CPU usage remains stably low, you can disable the OLC function.
Precautions
The OLC function configured for a protocol or task takes effect only after the OLC
function is enabled.
Example
# Enable the OLC function in slot 0.
<HUAWEI> system-view
[HUAWEI] undo cpu-overload-control disable slot 0
Format
cpu-overload-control packet-type packet-type &<1-20> disable slot slot-id
undo cpu-overload-control packet-type packet-type &<1-20> disable slot slot-id
Parameters
Parameter Description Value
whitelisted protocol packets)
● cos-0: packet with priority 0 (excluding whitelisted protocol packets)
NOTE
S1720GF, S1720GW-E, S1720GFR-P, S1720GWR-E, S2720-EI, S5720I-SI, S5720-LI, S1730S-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5720S-LI, S5735-S, S500, S5735S-S, S5735-S-I, S5735S-H, and S5736-S do not support the arp-miss parameter.
One or more of the preceding protocol types can be selected.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
By default, the OLC function is enabled for all monitored protocols to prevent CPU
overload caused by a large number of CPU-bound packets of a certain protocol or
attacks from unauthorized services. When the service traffic of a monitored
protocol on the live network is light, you can disable the OLC function for the
protocol.
Precautions
The OLC function configured for a protocol takes effect only after the OLC
function is enabled.
Example
# Enable the OLC function for the DHCP protocol in slot 0.
<HUAWEI> system-view
[HUAWEI] undo cpu-overload-control packet-type dhcp disable slot 0
Format
cpu-overload-control task task-name &<1-2> enable slot slot-id
undo cpu-overload-control task task-name &<1-2> enable slot slot-id
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
By default, the OLC function is enabled for the ACL and ARPA tasks to prevent
CPU overload caused by a large amount of CPU-bound service traffic or service
attacks. When the service traffic of the ACL or ARPA task is light, you can disable
the OLC function for the task.
Precautions
The OLC function configured for a task takes effect only after the OLC function is
enabled.
Example
# Enable the OLC function for the ACL task in slot 0.
<HUAWEI> system-view
[HUAWEI] cpu-overload-control task acl enable slot 0
Format
display cpu-overload-control configuration [ packet-type packet-type | task
task-name ] slot slot-id
Parameters
Parameter Description Value
whitelisted protocol packets)
● cos-0: packet with priority 0 (excluding whitelisted protocol packets)
NOTE
S1720GF, S1720GW-E, S1720GFR-P, S1720GWR-E, S2720-EI, S5720I-SI, S5720-LI, S1730S-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5720S-LI, S5735-S, S500, S5735S-S, S5735-S-I, S5735S-H, and S5736-S do not support the arp-miss parameter.
If this parameter is not specified, the OLC configuration in the specified slot is displayed.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
You can use this command to view the OLC configuration of a specified protocol,
task, or slot, including the weight of the leaky bucket, OLC function status, CPU
usage thresholds, and adjustment factor of the leak rate.
Example
# Display the OLC configuration of the DHCP protocol in slot 0.
<HUAWEI> display cpu-overload-control configuration packet-type dhcp slot 0
----------------------------------
Protocol Weight Enable
----------------------------------
dhcp 290 Y
----------------------------------
Item Description
Weight: Weight of the leaky bucket for the protocol. For details, see cpu-overload-control bucket-weight.
Weight: Weight of the leaky bucket for the task. For details, see cpu-overload-control bucket-weight.
Low Threshold: Level-1 CPU usage threshold. For details, see cpu-overload-control.
High Threshold: Level-2 CPU usage threshold. For details, see cpu-overload-control.
Ajustfactor: Adjustment factor of the leak rate. For details, see cpu-overload-control.
Weight: Weight of the leaky bucket for the protocol or task. For details, see cpu-overload-control bucket-weight.
Format
display cpu-overload-control statistics [ packet-type packet-type | task task-
name ] slot slot-id
Parameters
Parameter Description Value
whitelisted protocol packets)
● cos-0: packet with priority 0 (excluding whitelisted protocol packets)
NOTE
S1720GF, S1720GW-E, S1720GFR-P, S1720GWR-E, S2720-EI, S5720I-SI, S5720-LI, S1730S-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5720S-LI, S5735-S, S500, S5735S-S, S5735-S-I, S5735S-H, and S5736-S do not support the arp-miss parameter.
If this parameter is not specified, OLC statistics in the specified slot are displayed.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
You can run this command to view OLC statistics of a specified protocol, task, or
slot, including the number of protocol packets leaving or dropped by the leaky
bucket, total running time of a task, and delay in processing a task.
Example
# Display OLC statistics of the DHCP protocol in slot 0.
<HUAWEI> display cpu-overload-control statistics packet-type dhcp slot 0
--------------------------------------------------------------------------------
Protocol Total pass Total drop Average pass Average drop
(packet) (packet) (packet) (packet)
--------------------------------------------------------------------------------
dhcp 0 0 0 0
--------------------------------------------------------------------------------
Format
reset cpu-overload-control statistics [ packet-type packet-type | task task-
name ] slot slot-id
Parameters
Parameter Description Value
whitelisted protocol packets)
● cos-0: packet with priority 0 (excluding whitelisted protocol packets)
NOTE
S1720GF, S1720GW-E, S1720GFR-P, S1720GWR-E, S2720-EI, S5720I-SI, S5720-LI, S1730S-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5720S-LI, S5735-S, S500, S5735S-S, S5735-S-I, S5735S-H, and S5736-S do not support the arp-miss parameter.
If this parameter is not specified, OLC statistics in the specified slot are cleared.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Precautions
The deleted OLC statistics cannot be restored. Therefore, exercise caution when
running this command.
Example
# Clear OLC statistics of the DHCP protocol in slot 0.
<HUAWEI> reset cpu-overload-control statistics packet-type dhcp slot 0
Function
The defence engine enable command enables the IAE.
Format
defence engine enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
If ECA needs to be configured, you can run the defence engine enable command
to enable the IAE.
Example
# Enable the IAE.
<HUAWEI> system-view
[HUAWEI] defence engine enable
Format
decoding uri-cache enable
decoding uri-cache disable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After the URI cache function is enabled, if no threat is detected in the traffic of a
session, the system does not inspect traffic of later sessions with the same URI for
a period of time. If all traffic must be inspected, disable the URI cache function.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Enable the URI cache function.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] decoding uri-cache enable
Format
display decoding statistics [ slot slot-id cpu cpu-id ]
Parameters
Parameter Description Value
slot slot-id Specifies a slot ID. The value range depends on the device
configuration.
cpu cpu-id Specifies a CPU ID. The value range depends on the device
configuration.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
You can run this command to view statistics about the decoding function,
including the event statistics, traffic statistics, and file statistics of each
application.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Display IPS statistics.
<HUAWEI> display decoding statistics
Decoding statistic on slot 0 cpu 0 :
------------------------------------------------------------------------------
Decoding Statistic Table
------------------------------------------------------------------------------
Traffic statistic:
------------------------------------------------------------------------------
Total Traffic : 0
----------------------------------------------------------------------------
Application Traffic
----------------------------------------------------------------------------
HTTP 0
FTP 0
SMTP 0
POP3 0
NFS 0
SMB 0
IMAP 0
OTHER 0
------------------------------------------------------------------------------
File statistic:
------------------------------------------------------------------------------
Total File : 0
----------------------------------------------------------------------------
Application File
----------------------------------------------------------------------------
---- More ----
Format
display engine information
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
The display engine information command displays the status of IAE and the
version of the application identification signature database.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Display the status of IAE and the version of the application identification
signature database.
<HUAWEI> display engine information
==============================================================================
Engine on CPU 0 in slot 0:
==============================================================================
Engine Status : Ready
Compile Status : Commit Succeeded
SA Signature Database Version : 2018041202
------------------------------------------------------------------------------
Item Description
Format
display engine session statistics [ slot slot-id cpu cpu-id ]
Parameters
Parameter Description Value
slot slot-id Specifies a slot ID. The value range depends on the device
configuration.
cpu cpu-id Specifies a CPU ID. The value range depends on the device
configuration.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
The session statistics of the specified virtual system or all systems can be viewed
only in the root system. In a virtual system, you can view only the session statistics
of the virtual system.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Display session statistics for the engine.
<HUAWEI> display engine session statistics
Item Description
Engine Session Statistic Information of All Threads: Session statistics for the engines used by all threads.
Total Current Buffered TCP Segments: Total number of cached TCP segments.
Total Current Free TCP Segments: Total number of TCP segments that can still be cached.
Engine Session Statistic Information of Each Thread: Session statistics for the engine used by each thread.
Format
display engine session statistics app-type [ slot slot-id ]
display engine session statistics interface [ interface-type interface-number ]
app-type
Parameters
Parameter Description Value
slot slot-id: Displays application statistics about the ECA sessions in the specified slot. If the slot ID is not specified, application statistics about ECA sessions in all slots are displayed. The value varies depending on the device configuration.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
To check application statistics about ECA sessions and learn the distribution of
service traffic, run the display engine session statistics app-type command.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Precautions
ECA session statistics may be inaccurate because they are collected from
NetStream packet statistics. This inaccuracy has no impact on the ECA function
itself.
Example
# Display application statistics about the ECA sessions on GE0/0/1.
<HUAWEI> display engine session statistics interface gigabitethernet 0/0/1 app-type
GigabitEthernet0/0/1
------------------------------------------------------------------------------------
App-Name Connect-Packet Connect-Byte Percent
------------------------------------------------------------------------------------
Telnet 8933 750614 80.05%
HTTPS 547 182102 19.42%
HTTP 51 4923 0.52%
------------------------------------------------------------------------------------
Total:3
Item Description
Function
The display engine session statistics interface command displays ECA session
flow statistics on a specified interface.
Format
display engine session statistics interface interface-type interface-number flow
{ by-time | by-packet }
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
To check ECA session flow statistics on a specified interface and learn the
distribution of traffic, run the display engine session statistics interface command.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Display ECA session flow statistics on GE0/0/1 in descending order of packet
quantity.
<HUAWEI> display engine session statistics interface gigabitethernet 0/0/1 flow by-packet
--------------------------------------------------------------------------------------------------------------------------------
Source-ip Destination-ip Sport Dport Connect-Packet Connect-Byte Percent App-name
--------------------------------------------------------------------------------------------------------------------------------
192.168.240.32 192.168.40.2 4671 443 166 101803 21.58% HTTPS
192.168.240.32 192.168.40.2 4679 443 69 19140 4.05% HTTPS
192.168.240.32 192.168.40.2 4680 443 65 15281 3.24% HTTPS
192.168.240.32 192.168.40.2 4682 443 59 10532 2.23% HTTPS
192.168.240.32 192.168.40.2 4681 443 57 8774 1.86% HTTPS
192.168.240.32 192.168.40.2 4683 443 56 8710 1.84% HTTPS
192.168.240.32 192.168.40.2 4668 80 51 4923 1.04% HTTP
192.168.40.84 192.168.40.2 54657 23 50 4180 0.88% Telnet
192.168.40.84 192.168.40.2 54001 23 48 4052 0.85% Telnet
192.168.40.84 192.168.40.2 50167 23 48 4052 0.85% Telnet
192.168.40.84 192.168.40.2 52973 23 48 4052 0.85% Telnet
192.168.40.84 192.168.40.2 52507 23 48 4052 0.85% Telnet
192.168.40.2 192.168.240.188 23 39069 29 2379 0.50% Telnet
192.168.40.84 192.168.40.2 52795 23 26 2154 0.45% Telnet
192.168.40.84 192.168.40.2 51293 23 26 2154 0.45% Telnet
192.168.40.84 192.168.40.2 53587 23 26 2154 0.45% Telnet
192.168.40.84 192.168.40.2 49800 23 26 2154 0.45% Telnet
192.168.40.84 192.168.40.2 50838 23 26 2154 0.45% Telnet
192.168.40.2 192.168.40.84 23 52504 26 2154 0.45% Telnet
192.168.40.84 192.168.40.2 52156 23 26 2154 0.45% Telnet
192.168.40.84 192.168.40.2 54008 23 25 2090 0.44% Telnet
192.168.40.84 192.168.40.2 53553 23 25 2090 0.44% Telnet
192.168.40.84 192.168.40.2 49613 23 25 2090 0.44% Telnet
192.168.40.84 192.168.40.2 52435 23 25 2090 0.44% Telnet
192.168.40.84 192.168.40.2 52162 23 25 2090 0.44% Telnet
192.168.40.84 192.168.40.2 54290 23 25 2090 0.44% Telnet
192.168.40.84 192.168.40.2 53615 23 25 2090 0.44% Telnet
192.168.40.84 192.168.40.2 52442 23 25 2090 0.44% Telnet
192.168.40.84 192.168.40.2 50025 23 25 2090 0.44% Telnet
192.168.40.84 192.168.40.2 55381 23 25 2090 0.44% Telnet
192.168.40.84 192.168.40.2 51757 23 25 2090 0.44% Telnet
192.168.40.84 192.168.40.2 54892 23 25 2090 0.44% Telnet
192.168.40.84 192.168.40.2 55012 23 25 2090 0.44% Telnet
192.168.40.84 192.168.40.2 53311 23 25 2090 0.44% Telnet
192.168.40.84 192.168.40.2 52677 23 25 2090 0.44% Telnet
192.168.40.84 192.168.40.2 54313 23 25 2090 0.44% Telnet
----------------------------------------------------------------------------------------------------------------------------------
Total:150
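The following Python script is an added example, not part of the Huawei documentation or of the switch software. It parses the flow table printed by display engine session statistics interface ... flow by-packet, sums Connect-Byte per application, flags flows that touch a cleartext management port (Telnet, HTTP, FTP) on either side, and infers what the Percent column is a share of. The page does not describe that column; on the rows above, dividing Connect-Byte by Percent yields the same grand total for every row while Connect-Packet does not, so the script reports it as a byte share. The rows embedded in the script are constructed from the output above, and the cleartext port list is the author's assumption.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the rows in the page's example output above.
SAMPLE_OUTPUT = """\
Source-ip Destination-ip Sport Dport Connect-Packet Connect-Byte Percent App-name
192.168.240.32 192.168.40.2 4671 443 166 101803 21.58% HTTPS
192.168.240.32 192.168.40.2 4679 443 69 19140 4.05% HTTPS
192.168.240.32 192.168.40.2 4668 80 51 4923 1.04% HTTP
192.168.40.84 192.168.40.2 54657 23 50 4180 0.88% Telnet
192.168.40.84 192.168.40.2 54001 23 48 4052 0.85% Telnet
192.168.40.2 192.168.240.188 23 39069 29 2379 0.50% Telnet
Total:150
"""

# Assumed list: well-known ports of management protocols that carry
# credentials in cleartext and therefore deserve a second look.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP"}

ROW_RE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+"
    r"(?P<pct>\d+(?:\.\d+)?)%\s+(?P<app>\S+)$"
)


def parse_flows(text):
    """Parse the flow rows; return (flows, total) where total is the 'Total:' line."""
    flows, total = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = ROW_RE.match(line)
        if m:
            f = m.groupdict()
            for k in ("sport", "dport", "pkts", "bytes"):
                f[k] = int(f[k])
            f["pct"] = float(f["pct"])
            flows.append(f)
        elif line.startswith("Total:"):
            total = int(line.split(":", 1)[1].strip())
    return flows, total


def bytes_per_app(flows):
    """Sum Connect-Byte per App-name, e.g. {'HTTPS': 120943, ...}."""
    agg = defaultdict(int)
    for f in flows:
        agg[f["app"]] += f["bytes"]
    return dict(agg)


def cleartext_flows(flows):
    """Flows touching a cleartext management port on either side. Checking
    both Sport and Dport catches server-side rows such as 23 -> 39069."""
    return [f for f in flows
            if f["dport"] in CLEARTEXT_PORTS or f["sport"] in CLEARTEXT_PORTS]


def percent_basis(flows):
    """Infer what the Percent column is a share of. For each candidate column,
    every row implies a grand total (value / percent); the column whose implied
    totals agree across rows is the basis. On the page's rows this is bytes."""
    best, best_spread = None, None
    for col in ("pkts", "bytes"):
        totals = [f[col] / (f["pct"] / 100.0) for f in flows if f["pct"] > 0]
        spread = (max(totals) - min(totals)) / max(totals)
        if best_spread is None or spread < best_spread:
            best, best_spread = col, spread
    return {"pkts": "packets", "bytes": "bytes"}[best]


if __name__ == "__main__":
    flows, total = parse_flows(SAMPLE_OUTPUT)
    print(f"{len(flows)} rows parsed, switch reports {total} flows in total")
    print("bytes per application:", bytes_per_app(flows))
    print("Percent column is a share of", percent_basis(flows))
    for f in cleartext_flows(flows):
        print(f"cleartext: {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} ({f['app']})")
```

Feed the script the full output of the command (for example, captured from a terminal session) instead of the embedded sample; the Total line reported by the switch lets you confirm that no rows were lost to pagination.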
Format
display engine session table [ source-ip source-ip-address | source-port source-port-number | destination-ip destination-ip-address | destination-port destination-port-number | protocol { tcp | udp } | [ application application-name ] ]* [ verbose ] [ slot slot-id cpu cpu-id [ thread thread-id ] ]
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
In a virtual system, you can view only the session information of that virtual system. The session information of a specified virtual system, or of all virtual systems, can be viewed only from the root system.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Display details about the IPv4 session table of an engine.
<HUAWEI> display engine session table verbose
Engine session table on slot 0 cpu 0 :
------------------------------------------------------------------------------
VSys:0 Vpn:0 Thread:0 UDP 10.0.0.1:80-->10.0.0.2:132 ttl:20 left-time:132 app: (45,QQ)
------------------------------------------------------------------------------
Table 14-117 Description of the display engine session table verbose command output
Item                                    Description
Engine session table on slot 0 cpu 0    Engine session table on the specified slot and CPU
Thread                                  Thread ID
UDP                                     UDP session
TCP                                     TCP session
Format
display engine statistics [ slot slot-id cpu cpu-id ]
Parameters
Parameter Description Value
slot slot-id    Specifies a slot ID.    The value range depends on the device configuration.
cpu cpu-id      Specifies a CPU ID.     The value range depends on the device configuration.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Display engine statistics.
<HUAWEI> display engine statistics
Engine statistic on slot 0 cpu 0 :
------------------------------------------------------------------------------
Engine Statistic Table
------------------------------------------------------------------------------
Event statistic:
------------------------------------------------------------------------------
Total Alert Events : 0
Total Block Events : 0
----------------------------------------------------------------------------
Application Alert Events Block Events
----------------------------------------------------------------------------
------------------------------------------------------------------------------
Traffic statistic:
------------------------------------------------------------------------------
Total Traffic : 0
----------------------------------------------------------------------------
Application Traffic
----------------------------------------------------------------------------
DECODING 0
------------------------------------------------------------------------------
File statistic:
------------------------------------------------------------------------------
Total File : 0
----------------------------------------------------------------------------
Application File
----------------------------------------------------------------------------
DECODING 0
------------------------------------------------------------------------------
Format
display flow-probe metadata-collect information
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Display configuration information about the function of metadata collection
through the ECA flow probe.
Item                                  Description
Metadata Cache Max(Current number)    Maximum cache of ECA flow probe metadata entries (current number of entries in parentheses)
Function
The display flow-probe metadata-collect statistics command displays statistics
about the function of metadata collection through the ECA flow probe.
Format
display flow-probe metadata-collect statistics [ slot slot-id cpu cpu-id ]
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Display statistics about the function of metadata collection through the ECA
flow probe.
Item                                Description
Engine UDP Send To Fpath Success    Number of times that UDP packets were successfully sent
Engine UDP Send To Fpath Fail       Number of times that UDP packets failed to be sent
Function
The display fragment-reassemble configuration command displays the global
fragment reassembly configuration.
Format
display fragment-reassemble configuration [ slot slot-id cpu cpu-id ]
Parameters
slot slot-id    Specifies a slot ID.    The value range depends on the device configuration.
cpu cpu-id      Specifies a CPU ID.     The value range depends on the device configuration.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Display the global fragment reassembly configuration.
<HUAWEI> display fragment-reassemble configuration
Fragment Reassembly statistics on slot 0 cpu 0 :
------------------------------------------------------------------------------
Fragment Reassembly Configuration:
------------------------------------------------------------
enable : on
overflow-mode : forward
overlap-mode : consistency
time-out(s) :5
packet-cache(packets) : 255
total-cache(packets) : 1000
defense-check : off
pass-through : off
------------------------------------------------------------
Format
display fragment-reassemble session table [ source-ip source-ip-address | destination-ip destination-ip-address ] * [ slot slot-id cpu cpu-id ]
display fragment-reassemble ipv6 session table [ source-ip source-ipv6-address | destination-ip destination-ipv6-address ] * [ slot slot-id cpu cpu-id ]
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Display the IPv4 fragmented packet-specific session table.
<HUAWEI> display fragment-reassemble session table
Fragment Reassembly statistics on slot 0 cpu 0 :
----------------------------------------------------------------------------------------------------------------
VSys:0 Vpn:0 10.1.1.1-->1.1.1.1(363) ttl:5 left-time:4 frag-num:32 flags:(first 1,last 0,overflow 0,result 0)
VSys:0 Vpn:0 10.1.1.1-->1.1.1.1(363) ttl:5 left-time:3 frag-num:32 flags:(first 1,last 0,overflow 0,result 0)
----------------------------------------------------------------------------------------------------------------
Item Description
Function
The display fragment-reassemble statistics command displays statistics on the
fragment reassembly of IP packets.
Format
display fragment-reassemble [ ipv6 ] statistics [ slot slot-id cpu cpu-id ]
Parameters
slot slot-id    Specifies a slot ID.    The value range depends on the device configuration.
cpu cpu-id      Specifies a CPU ID.     The value range depends on the device configuration.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Display statistics on the fragment reassembly of IP packets.
<HUAWEI> display fragment-reassemble statistics
Fragment Reassembly statistics on slot 0 cpu 0 :
------------------------------------------------------------------------------
Fragment Reassembly Statistics:
------------------------------------------------------------
Total fragments :0
Total cached fragments :0
Total error packets :0
Total discarded fragments : 0
Complete overlap processing : 0
Partial overlap processing : 0
Total current sessions :0
Total free sessions : 1000
------------------------------------------------------------
Item Description
Format
display stream-reassemble configuration [ slot slot-id cpu cpu-id ]
Parameters
Parameter Description Value
slot slot-id    Specifies a slot ID.    The value range depends on the device configuration.
cpu cpu-id      Specifies a CPU ID.     The value range depends on the device configuration.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Display the global TCP stream reassembly configuration.
<HUAWEI> display stream-reassemble configuration
Stream reassemble configuration on slot 0 cpu 0 :
------------------------------------------------------------------------------
Stream Reassembly Configuration:
------------------------------------------------------------
enable : on
overflow-mode : discard
overlap-mode : overwrite
session-cache(KB) : 16
total-cache(packets) : 1000
timestamp-check : true
tcp-option check : true
defense-check : on
session-timeout(s) : 60
enhanced-mode : on
------------------------------------------------------------
Item Description
Format
display update configuration
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Display the update configuration of the application identification signature
database.
<HUAWEI> display update configuration
Update Configuration Information:
------------------------------------------------------------
Update Server : sec.huawei.com
Update Port : 443
Proxy State : Disable
Proxy Server :-
Proxy Port :-
Proxy User :-
Proxy Password :-
SA-SDB:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 04:16
------------------------------------------------------------
Proxy State    Whether a proxy server is used for updates. The value can be:
● Enable: The proxy server is enabled.
● Disable: The proxy server is disabled.
Format
display update host source
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The update host source command configures the source interface and IP address used for online updates; the display update host source command displays that configuration.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Display the interface and source address configurations used in online updating
the application identification signature database.
<HUAWEI> display update host source
----------------------------------------------------------------
Source IP Information:
IP address : 10.1.1.1
vpn-instance :-
Source Interface Information:
interface name : GigabitEthernet0/0/1
----------------------------------------------------------------
Table 14-126 Description of the display update host source command output
Item          Description
IP address    Source IP address used for online updates.
Function
The display update information all-sdb command displays the last record on
application identification signature database updates.
Format
display update information all-sdb
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Display the last record on application identification signature database updates.
<HUAWEI> display update information all-sdb
Current Update Status: Idle.
--------------------------------------------------------------------------------------------
SA-SDB latest update finish time : 04:16:13 2018/07/03
SA-SDB latest update result : Error: Failed to perform DNS resolution.
--------------------------------------------------------------------------------------------
Item Description
Function
The display update status command displays the update status of the application
identification signature database.
Format
display update status
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# View the current update status of the application identification signature
database.
<HUAWEI> display update status
Current Update Status: Idle.
Item Description
Format
display version sa-sdb
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# View the version of the application identification signature database.
<HUAWEI> display version sa-sdb
SA SDB Update Information List:
----------------------------------------------------------------
Current Version:
Signature Database Version : 2018041202
Signature Database Size(byte) : 871104
Update Time : 17:47:51 2018/06/30
Issue Time of the Update File : 17:03:54 2018/04/12
Backup Version:
Signature Database Version :
Signature Database Size(byte) : 0
Update Time : 00:00:00 0000/00/00
Issue Time of the Update File : 00:00:00 0000/00/00
----------------------------------------------------------------
Issue Time of the Update File    Date and time when the upgrade package file for this version was released
Format
ec-analytics enable [ inbound | outbound ]
undo ec-analytics enable [ inbound | outbound ]
Parameters
Parameter Description Value
Views
GE interface view, XGE interface view, MultiGE interface view, 25GE interface view,
VLANIF interface view, port group view
Default Level
2: Configuration level
Usage Guidelines
To analyze encrypted traffic on a network and identify malicious communications
in the encrypted traffic, you can run the ec-analytics enable command on an
interface to enable the ECA function.
Precautions
● If no traffic direction is specified, ECA is performed on traffic in both directions by default.
● If firewalls are confirmed to be deployed at the network egress, you are advised to enable ECA only for inbound traffic.
● When ECA is enabled on both upstream and downstream interfaces, only the configuration on the upstream interfaces takes effect.
Example
# Enable the ECA function for traffic in the inbound direction of GE0/0/1.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] ec-analytics enable inbound
Function
The ec-analytics enhanced-mode disable command disables the ECA enhanced
mode.
Format
ec-analytics enhanced-mode disable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
In ECA enhanced mode, 50 packets are sent to the IAE for each ECA session flow,
improving accuracy of encrypted traffic identification. However, the processing
performance of the IAE deteriorates if it has to process enormous packets. When
the device performance is limited, you can disable the ECA enhanced mode. After
that, only 20 packets are sent to the IAE for each ECA session flow.
Precautions
You are advised to enable the ECA enhanced mode when the device performance
meets requirements.
Example
# Enable the ECA enhanced mode.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] undo ec-analytics enhanced-mode disable
Function
The ec-analytics whitelist command configures an ECA whitelist. ECA is not
performed for the whitelist traffic.
Format
ec-analytics whitelist acl acl-number
Parameters
Parameter Description Value
acl acl-number    Adds the specified ACL to the ECA whitelist.    The value is an integer in the range from 3000 to 3999.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
You can run the ec-analytics whitelist command to add trusted network traffic to
the whitelist so that ECA is not performed for such traffic.
Precautions
Only advanced ACLs can be applied to the ECA whitelist, and only 5-tuple match fields (protocol, source and destination addresses, source and destination ports) are supported.
When the ECA whitelist is configured, at most 32 ACL rules take effect: those with the smallest rule numbers. Rules beyond that limit do not take effect, so traffic matched only by those rules is still analyzed.
Example
# Add ACL 3000 to the ECA whitelist to prevent ECA from being performed for
traffic with the source IP address 10.1.1.1.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule permit ip source 10.1.1.1 0
[HUAWEI-acl-adv-3000] quit
[HUAWEI] ec-analytics whitelist acl 3000
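The following Python script is an added example (not Huawei code) that lints an advanced ACL before it is bound with ec-analytics whitelist acl: it reports the rules beyond the 32 smallest rule numbers, which the page says do not take effect, and rules that match on fields outside the 5-tuple. The sample configuration is constructed; the set of non-5-tuple keywords (dscp, tos, precedence, ttl, tcp-flag, fragment-type, time-range, vpn-instance) is the author's assumption based on advanced ACL rule syntax and should be adjusted to the rule options the switch actually offers.

```python
import re

MAX_EFFECTIVE_RULES = 32                # Precautions: only the 32 smallest-numbered rules take effect
ADVANCED_ACL_RANGE = range(3000, 4000)  # acl-number range accepted by the command

# Assumed: match keywords an advanced ACL rule may carry that are NOT part of
# the 5-tuple (protocol, src/dst address, src/dst port). The page says the
# whitelist honours only 5-tuple fields, so rules relying on these are suspect.
NON_5TUPLE_KEYWORDS = {"dscp", "tos", "precedence", "ttl", "tcp-flag",
                       "fragment-type", "time-range", "vpn-instance"}

ACL_HEADER_RE = re.compile(r"^\s*acl\s+(?:number\s+)?(\d+)")
RULE_RE = re.compile(r"^\s*rule\s+(\d+)\s+(permit|deny)\s+(.*)$")


def parse_acl(config_text):
    """Return (acl_number, rules); rules is a list of (rule_id, action, match_tokens)."""
    acl_number, rules = None, []
    for line in config_text.splitlines():
        m = ACL_HEADER_RE.match(line)
        if m:
            acl_number = int(m.group(1))
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3).split()))
    return acl_number, rules


def lint_whitelist_acl(config_text):
    """Report which rules the ECA whitelist will actually honour and why others will not."""
    acl_number, rules = parse_acl(config_text)
    problems = []
    if acl_number not in ADVANCED_ACL_RANGE:
        problems.append(f"ACL {acl_number} is not an advanced ACL (3000-3999)")
    ordered = sorted(rules, key=lambda r: r[0])      # smallest rule numbers win
    effective = ordered[:MAX_EFFECTIVE_RULES]
    ineffective = ordered[MAX_EFFECTIVE_RULES:]
    non_5tuple = [r for r in rules if NON_5TUPLE_KEYWORDS & set(r[2])]
    for rid, _, _ in ineffective:
        problems.append(f"rule {rid} exceeds the {MAX_EFFECTIVE_RULES}-rule limit "
                        "and does not take effect; its traffic is still analyzed")
    for rid, _, toks in non_5tuple:
        fields = sorted(NON_5TUPLE_KEYWORDS & set(toks))
        problems.append(f"rule {rid} matches on non-5-tuple fields {fields}")
    return {"acl": acl_number,
            "effective": [r[0] for r in effective],
            "ineffective": [r[0] for r in ineffective],
            "non_5tuple": [r[0] for r in non_5tuple],
            "problems": problems}


def build_sample_acl():
    """Constructed running-config snippet: 36 rules, so 4 exceed the limit."""
    lines = ["acl number 3000"]
    for i in range(34):                               # rules 5, 10, ..., 170
        lines.append(f" rule {5 * (i + 1)} permit ip source 10.1.{i}.0 0.0.0.255")
    # A rule added later with a small number displaces a higher-numbered one.
    lines.append(" rule 2 permit tcp source 10.9.9.9 0 destination-port eq 443")
    # A DSCP match is not a 5-tuple field and is not honoured by the whitelist.
    lines.append(" rule 180 permit ip dscp 46")
    return "\n".join(lines)


if __name__ == "__main__":
    report = lint_whitelist_acl(build_sample_acl())
    print(f"ACL {report['acl']}: {len(report['effective'])} rules effective, "
          f"{len(report['ineffective'])} ignored")
    for p in report["problems"]:
        print("  -", p)
```

Run it against the output of display current-configuration for the ACL in question before committing; remember that a low-numbered rule inserted later pushes the highest-numbered effective rule out of the 32-rule window.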
Function
The engine configuration commit command commits the configuration of
security policies.
Format
engine configuration commit
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Newly configured security policies or the modified security policies do not take
effect until you run the engine configuration commit command to commit the
configuration. To save time, commit the configurations in batches after you have
completed all security policy configurations.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Commit the security policy configurations.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] engine configuration commit
Format
engine enhanced-detection
Parameters
Parameter Description Value
protocol rtsp      Configures the engine to work in enhanced detection mode for RTSP.                          By default, the engine works in enhanced detection mode for RTSP.
protocol others    Configures the engine to work in enhanced detection mode for protocols other than RTSP.    By default, the engine works in common detection mode for protocols other than RTSP.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After the engine is configured to work in enhanced detection mode, its detection capability improves, but detection is slower.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Configure the engine to work in enhanced detection mode.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] engine enhanced-detection
Function
The engine pass-through enable command enables the pass-through mode of
the engine.
Format
engine pass-through enable [ slot slot-id cpu cpu-id ]
Parameters
Parameter Description Value
slot slot-id    Specifies a slot ID.    The value range depends on the device configuration.
cpu cpu-id      Specifies a CPU ID.     The value range depends on the device configuration.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After the pass-through mode of the engine is enabled, the system still generates events, such as debugging information and logs, during service processing, but performs no actual actions. Even if a block action is configured for a service, the system does not block the traffic; it only records the event state. Pass-through mode therefore turns the engine into a monitor-only mode: it is useful for validating policies before enforcing them, but nothing is blocked while it is on.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Enable the pass-through mode of the engine.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] engine pass-through enable
Format
engine session timeout active time
Parameters
Parameter Description Value
time    Specifies the active flow aging time of an ECA session.    The value is an integer in the range from 1 to 300, in seconds. The default value is 60.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After ECA is configured on a device, the ECA session flow table ages out after a
certain period. The flow table that is aged out is encapsulated and then sent to
the HiSec Insight server as metadata. Active flow aging of ECA enables the device
to periodically output the statistics about the flows that persist for a long period.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Set the active flow aging time of an ECA session to 15 seconds.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] engine session timeout active 15
Format
engine session timeout inactive time
Parameters
Parameter Description Value
time    Specifies the inactive flow aging time of an ECA session.    The value is an integer in the range from 1 to 300, in seconds. The default value is 15.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After ECA is configured on a device, an ECA session flow table entry ages out after a certain period. The aged-out entry is encapsulated and sent to the HiSec Insight server as metadata. Inactive flow aging exports statistics about short-lived flows: once no further packets are added to a flow within the inactive aging time, the device exports the flow statistics and releases the entry to conserve memory.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Set the inactive flow aging time of an ECA session to 10 seconds.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] engine session timeout inactive 10
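The following Python simulation is an added example (not Huawei code) of how the active and inactive timers described in the two commands above shape the metadata stream sent to the HiSec Insight server. It assumes NetFlow-style aging semantics, which the page does not spell out: the active timeout exports a long-lived flow's statistics periodically and restarts counting, and the inactive timeout exports a flow once no packet has arrived for that long. The traffic is constructed: a 130-second session sending one packet per second and a three-packet burst from another host.

```python
from dataclasses import dataclass


@dataclass
class FlowRecord:
    key: tuple        # (src, dst, sport, dport, proto)
    first_seen: float
    last_seen: float
    packets: int
    reason: str       # "active", "inactive" or "flush"


def simulate_aging(packets, active_timeout=60, inactive_timeout=15):
    """Replay (timestamp, flow_key) pairs sorted by time and return the
    FlowRecords exported by NetFlow-style aging (assumed semantics):
    - inactive: no packet for the flow for more than inactive_timeout seconds;
    - active: the flow has been open for active_timeout seconds, so its
      statistics are exported and counting restarts (periodic export of a
      long-lived flow);
    - flush: still open when the replay ends.
    """
    table = {}      # key -> [first_seen, last_seen, packet_count]
    exported = []

    def export(key, reason):
        first, last, count = table.pop(key)
        exported.append(FlowRecord(key, first, last, count, reason))

    for ts, key in packets:
        # Idle entries are aged out as the clock advances.
        for idle in [k for k, (_, last, _) in table.items()
                     if ts - last > inactive_timeout]:
            export(idle, "inactive")
        entry = table.get(key)
        if entry is not None and ts - entry[0] >= active_timeout:
            export(key, "active")
            entry = None
        if entry is None:
            table[key] = [ts, ts, 1]
        else:
            entry[1] = ts
            entry[2] += 1
    for key in list(table):
        export(key, "flush")
    return exported


# Constructed traffic: a 130 s HTTPS session sending one packet per second,
# and a three-packet Telnet burst from another host.
LONG_FLOW = ("192.168.240.32", "192.168.40.2", 4671, 443, "tcp")
SHORT_FLOW = ("192.168.40.84", "192.168.40.2", 54657, 23, "tcp")


def sample_packets():
    pkts = [(float(t), LONG_FLOW) for t in range(130)]
    pkts += [(5.5, SHORT_FLOW), (6.5, SHORT_FLOW), (7.5, SHORT_FLOW)]
    return sorted(pkts)


def records_per_flow(active_timeout=60, inactive_timeout=15):
    """Number of metadata records each flow produces under the given timers."""
    counts = {}
    for rec in simulate_aging(sample_packets(), active_timeout, inactive_timeout):
        counts[rec.key] = counts.get(rec.key, 0) + 1
    return counts


if __name__ == "__main__":
    for active in (60, 15):
        print(f"active={active}s inactive=15s ->", records_per_flow(active, 15))
    for rec in simulate_aging(sample_packets()):
        print(rec)
```

With the defaults (active 60 s, inactive 15 s) the long session yields three records and the burst one; shortening the active timeout to 15 s, as in the page's example, raises the long session to nine records, which is the rate increase the HiSec Insight server must absorb.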
Function
The flow-probe metadata-collect aging-time command configures the aging
time of ECA flow probe metadata entries.
By default, the aging time of ECA flow probe metadata entries is 300 seconds.
Format
flow-probe metadata-collect aging-time time
undo flow-probe metadata-collect aging-time
Parameters
Parameter Description Value
time    Specifies the aging time of ECA flow probe metadata entries.    The value is an integer in the range from 0 to 1200, in seconds. The default value is 300.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
You can configure the aging time of ECA flow probe metadata entries to adjust
the rate of sending packets to the HiSec Insight server.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Set the aging time of ECA flow probe metadata entries to 10 seconds.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] flow-probe metadata-collect aging-time 10
Format
flow-probe metadata-collect enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Enable the function of metadata collection through the ECA flow probe.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] flow-probe metadata-collect enable
Function
The flow-probe metadata-collect server command configures the IP address and
port number of the HiSec Insight server.
By default, the IP address of the HiSec Insight server is not specified and the
default port number is 8514.
Format
flow-probe metadata-collect server ip ip-address [ port port-number ]
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The default port number of the peer HiSec Insight server connected to the flow probe metadata collector depends on the metadata collection and transmission mode. The switch currently supports only UDP for metadata transmission, for which the default port number is 8514. Because UDP is connectionless, a packet counted as successfully sent in display flow-probe metadata-collect statistics has only left the device; the counter does not confirm that the server received it.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Set the IP address and port number of the HiSec Insight server to 10.1.1.1 and
10 respectively.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] flow-probe metadata-collect server ip 10.1.1.1 port 10
Format
flow-probe metadata-collect source { ip ip-address port port-number | vpn-instance vpn-instance-name } *
undo flow-probe metadata-collect source
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When configuring the source IP address of the metadata packets that the ECA flow probe sends to the HiSec Insight server, ensure that the address is configured on an interface of the device and that the HiSec Insight server is reachable from that interface.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Set the source IP address and source port number of the packet sent from the
ECA flow probe metadata to the HiSec Insight server to 10.1.1.1 and port 1
respectively.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] flow-probe metadata-collect source ip 10.1.1.1 port 1
Format
fragment-reassemble enable
undo fragment-reassemble enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
If fragment reassembly is disabled, fragments will not be reassembled and will not
be inspected. Meanwhile, TCP stream reassembly may also fail.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Enable fragment reassembly.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] fragment-reassemble enable
Format
fragment-reassemble overflow-mode { discard | forward }
undo fragment-reassemble overflow-mode
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
If the action is set to discard, the system discards the fragments that overflow the
cache, which may interrupt services.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Configure the action to take on fragments that overflow the cache to discard.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] fragment-reassemble overflow-mode discard
Format
fragment-reassemble user-configure { defense-check | pass-through }
undo fragment-reassemble user-configure { defense-check | pass-through }
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After pass-through mode is enabled (using the fragment-reassemble user-configure pass-through command), in some special fragment traffic scenarios (for example, fragments that completely overlap, with identical content in the overlapping part), the system regards the traffic as abnormal and does not reassemble the fragments. If the fragment attack defense function has also been enabled (using the fragment-reassemble user-configure defense-check command), the abnormal fragments are discarded; otherwise, the system forwards them unassembled. After pass-through mode is disabled, the system reassembles fragments according to the normal processing flow.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Enable the fragment attack defense function.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] fragment-reassemble user-configure defense-check
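The following Python model is an added example (not Huawei code) of the overlap handling discussed in the Usage Scenario above and of the overlap-mode value shown by display fragment-reassemble configuration. It reassembles IP fragments, counts complete and partial overlaps (the Complete/Partial overlap processing counters of display fragment-reassemble statistics), compares the content of overlapping bytes, and applies the pass-through and defense-check decision described above. The meanings of the consistency and overwrite overlap modes are the author's assumption (first copy of a byte wins and conflicts are flagged, versus a later fragment overwriting earlier bytes), offsets are in bytes rather than 8-byte units, and the fragment sets are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    offset: int      # byte offset of the payload within the original datagram
    payload: bytes
    more: bool       # IP "More Fragments" flag; False marks the last fragment

    @property
    def end(self):
        return self.offset + len(self.payload)


def analyze(fragments, overlap_mode="consistency"):
    """Reassemble fragments in arrival order; return (payload or None, stats).

    stats counts complete overlaps (every byte of the fragment was already
    received), partial overlaps, and conflicts (overlapping bytes whose content
    differs). Assumed modes: 'consistency' keeps the first copy of each byte
    and only flags conflicts; 'overwrite' lets a later fragment replace bytes.
    """
    buf, covered = bytearray(), bytearray()
    stats = {"complete_overlaps": 0, "partial_overlaps": 0, "conflicts": 0}
    total_len = None
    for frag in fragments:
        if frag.end > len(buf):
            grow = frag.end - len(buf)
            buf.extend(bytes(grow))
            covered.extend(bytes(grow))
        overlap = [i for i in range(frag.offset, frag.end) if covered[i]]
        if overlap:
            kind = "complete_overlaps" if len(overlap) == len(frag.payload) else "partial_overlaps"
            stats[kind] += 1
            stats["conflicts"] += sum(
                1 for i in overlap if buf[i] != frag.payload[i - frag.offset])
        for i in range(frag.offset, frag.end):
            if overlap_mode == "overwrite" or not covered[i]:
                buf[i] = frag.payload[i - frag.offset]
                covered[i] = 1
        if not frag.more:
            total_len = frag.end
    complete = (total_len is not None and len(buf) == total_len
                and all(covered[:total_len]))
    stats["complete"] = complete
    return (bytes(buf) if complete else None), stats


def process(fragments, overlap_mode="consistency", pass_through=False,
            defense_check=False):
    """Apply the pass-through / defense-check decision described on this page.
    Returns (action, payload, stats); action is 'reassembled', 'inconsistent',
    'incomplete', 'discarded' or 'forwarded-unassembled'."""
    payload, stats = analyze(fragments, overlap_mode)
    if pass_through and stats["complete_overlaps"]:
        # Pass-through treats completely overlapping fragments as abnormal even
        # when their content is identical; they are never reassembled, and
        # defense-check decides between dropping and forwarding them as-is.
        action = "discarded" if defense_check else "forwarded-unassembled"
        return action, None, stats
    if overlap_mode == "consistency" and stats["conflicts"]:
        return "inconsistent", None, stats   # overlapping bytes disagree
    if payload is None:
        return "incomplete", None, stats
    return "reassembled", payload, stats


# Constructed fragment sets (byte offsets, payloads chosen for readability).
CLEAN = [Fragment(0, b"GET /ind", True), Fragment(8, b"ex.html", False)]
# Exact retransmission of the first fragment: a complete, identical overlap.
DUPLICATE = CLEAN + [Fragment(0, b"GET /ind", True)]
# Classic overlapping-fragment evasion: the second fragment rewrites bytes 4..7
# with different content, so what the inspector sees depends on overlap policy.
EVASION = [Fragment(0, b"GET /ind", True), Fragment(4, b"/etc/pas", True),
           Fragment(12, b"swd", False)]

if __name__ == "__main__":
    print("clean:", process(CLEAN)[:2])
    print("duplicate, pass-through:", process(DUPLICATE, pass_through=True)[0])
    print("duplicate, pass-through + defense-check:",
          process(DUPLICATE, pass_through=True, defense_check=True)[0])
    print("evasion, consistency:", process(EVASION)[0])
    print("evasion, overwrite:", process(EVASION, overlap_mode="overwrite")[1])
```

The EVASION set shows why the overlap policy matters for inspection: under overwrite the engine would see a request for /etc/passwd, under consistency the disagreement is flagged instead of being resolved silently. Real fragment offsets are multiples of 8 bytes; the byte-granular offsets here keep the sample readable.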
Format
reset decoding statistics [ slot slot-id cpu cpu-id ]
Parameters
Parameter Description Value
slot slot-id    Specifies a slot ID.    The value range depends on the device configuration.
cpu cpu-id      Specifies a CPU ID.     The value range depends on the device configuration.
Views
User view
Default Level
3: Management level
Usage Guidelines
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Clear decoding statistics.
<HUAWEI> reset decoding statistics
Function
The reset engine session statistics command clears the session statistics of the
engine.
Format
reset engine session statistics [ slot slot-id cpu cpu-id ]
Parameters
slot slot-id    Specifies a slot ID.    The value range depends on the device configuration.
cpu cpu-id      Specifies a CPU ID.     The value range depends on the device configuration.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Use caution before you decide to run this command. Once the session statistics of
the engine are cleared, they cannot be restored.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Clear the session statistics of the engine.
<HUAWEI> reset engine session statistics
Format
reset engine session statistics app-type [ slot slot-id ]
reset engine session statistics interface [ interface-type interface-number ] app-type
Parameters
Parameter Description Value
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run the reset engine session statistics app-type command to clear
application statistics about ECA sessions.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Clear application statistics about ECA sessions on slot 0.
<HUAWEI> reset engine session statistics app-type slot 0
Format
reset engine session statistics interface interface-type interface-number flow
{ by-time | by-packet }
Parameters
Parameter Description Value
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run the reset engine session statistics interface command to clear ECA
session flow statistics on a specified interface.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Clear ECA session flow statistics displayed in descending order of packet
quantity on GE0/0/1.
<HUAWEI> reset engine session statistics interface gigabitethernet 0/0/1 flow by-packet
Function
The reset engine session table command clears the session information of the
engine.
Format
reset engine session table [ source source-ip-address | destination destination-ip-address | destination-port destination-port-number | protocol { tcp | udp } ] * [ slot slot-id cpu cpu-id ]
Parameters
Parameter Description Value
Views
User view
Default Level
3: Management level
Usage Guidelines
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Precautions
Use caution before you decide to run this command. Clearing the session information of the engine adversely affects running services.
Example
# Clear all session information of the engine.
<HUAWEI> reset engine session table
Warning: Reseting session table will affect the engine's normal service. Continue? [Y/N]: y
Function
The reset engine statistics command clears engine statistics.
Format
reset engine statistics [ slot slot-id cpu cpu-id ]
Parameters
slot slot-id    Specifies a slot ID.    The value range depends on the device configuration.
cpu cpu-id      Specifies a CPU ID.     The value range depends on the device configuration.
Views
User view
Default Level
3: Management level
Usage Guidelines
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Clear engine statistics.
<HUAWEI> reset engine statistics
Format
reset flow-probe metadata-collect statistics
Parameters
None
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After you run the display flow-probe metadata-collect statistics command to
view statistics about the function of metadata collection through the ECA flow
probe, you can run the reset flow-probe metadata-collect statistics command
to reset the statistics and collect statistics again. Cleared statistics cannot be
restored. Exercise caution when you run this command.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Reset statistics about the function of metadata collection through the ECA flow
probe.
<HUAWEI> reset flow-probe metadata-collect statistics
Format
reset fragment-reassemble [ ipv6 ] statistics [ slot slot-id cpu cpu-id ]
Parameters
Parameter Description Value
slot slot-id Specifies a slot ID. The value range depends on the
device configuration.
cpu cpu-id Specifies a CPU ID. The value range depends on the
device configuration.
Views
User view
Default Level
3: Management level
Usage Guidelines
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Clear statistics on fragment reassembly.
<HUAWEI> reset fragment-reassemble statistics
Format
stream-reassemble enable
undo stream-reassemble enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
If TCP stream reassembly is disabled, TCP packets are not reassembled and are
not inspected, so security inspections based on TCP streams may fail.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Enable TCP stream reassembly.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] stream-reassemble enable
Format
stream-reassemble enhanced-mode
undo stream-reassemble enhanced-mode
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The command is used to enable the enhanced traffic reassembly mode in the
bypass deployment scenario. After this mode is enabled, sequence number
reassembly is supported when TCP data packets and three-way handshake packets
are out of order.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Enable the enhanced traffic reassembly mode.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] stream-reassemble enhanced-mode
Function
The stream-reassemble overflow-mode command configures the action for
cache overflow during TCP stream reassembly.
By default, the action for cache overflow during TCP stream reassembly is
forward.
Format
stream-reassemble overflow-mode { discard | forward }
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Set the action for cache overflow during TCP stream reassembly to forward.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] stream-reassemble overflow-mode forward
Function
The stream-reassemble overlap-mode command configures the action for
overlapping packets during TCP stream reassembly.
By default, the action for the overlapping packets during TCP stream reassembly is
preserve.
Format
stream-reassemble overlap-mode { preserve | overwrite }
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Set the action for the overlapping packets during TCP stream reassembly to
preserve.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] stream-reassemble overlap-mode preserve
Function
The stream-reassemble session-cache command configures the maximum cache
for each session during TCP stream reassembly for out-of-order packets.
By default, the maximum cache for each session during TCP stream reassembly
for out-of-order packets is 128 KB.
Format
stream-reassemble session-cache session-cache-value
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When session-cache-value is 0, or the out-of-order data of a single session
exceeds session-cache-value, stream reassembly for out-of-order packets does not
take effect for that session.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Set the maximum cache for each session to 16 KB during stream reassembly.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] stream-reassemble session-cache 16
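The three policies above (overlap-mode, overflow-mode and session-cache) decide which bytes the inspection engine actually sees when segments arrive out of order or contradict each other. The following is an added example, not Huawei code: a minimal Python model of those policies. The segment layout, the return labels and the meaning of "forward" (pass the segment on without reassembling it) are assumptions for illustration; the policy names and the 128 KB default come from the command reference.

```python
# Added example (not Huawei code): a minimal model of the TCP stream reassembly
# policies configured by stream-reassemble overlap-mode, overflow-mode and
# session-cache. Segment layout, return labels and the meaning of "forward"
# (pass the segment on without reassembling it) are assumptions for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Segment:
    seq: int          # sequence number of the first payload byte
    payload: bytes


@dataclass
class Session:
    next_seq: int                     # next in-order byte expected by the engine
    overlap_mode: str = "preserve"    # preserve: keep buffered bytes; overwrite: replace them
    overflow_mode: str = "forward"    # discard | forward once the cache is exceeded
    cache_limit: int = 128 * 1024     # stream-reassemble session-cache, in bytes (0 disables)
    buffered: Dict[int, int] = field(default_factory=dict)    # out-of-order bytes, seq -> value
    stream: bytearray = field(default_factory=bytearray)      # in-order data handed to inspection
    uninspected: List[Segment] = field(default_factory=list)  # forwarded without reassembly

    def cached_bytes(self) -> int:
        return len(self.buffered)

    def receive(self, seg: Segment) -> str:
        end = seg.seq + len(seg.payload)
        # Bytes below next_seq were already delivered; they can no longer be changed.
        start = max(seg.seq, self.next_seq)
        new = [p for p in range(start, end) if p not in self.buffered]
        overlap = [p for p in range(start, end) if p in self.buffered]
        if not new and not overlap:
            return "duplicate"
        # A segment that does not start at next_seq cannot be delivered yet, so all
        # of its new bytes must fit in the per-session out-of-order cache.
        if seg.seq > self.next_seq and self.cached_bytes() + len(new) > self.cache_limit:
            if self.overflow_mode == "discard":
                return "overflow-discarded"
            self.uninspected.append(seg)
            return "overflow-forwarded"
        for i, b in enumerate(seg.payload):
            pos = seg.seq + i
            if pos < self.next_seq:
                continue
            if pos in self.buffered and self.overlap_mode == "preserve":
                continue            # first copy wins
            self.buffered[pos] = b  # new byte, or the later copy wins under overwrite
        self._drain()
        if overlap:
            return "overlap-kept" if self.overlap_mode == "preserve" else "overlap-replaced"
        return "buffered" if seg.seq > self.next_seq else "delivered"

    def _drain(self) -> None:
        while self.next_seq in self.buffered:
            self.stream.append(self.buffered.pop(self.next_seq))
            self.next_seq += 1


def overlap_demo(overlap_mode: str) -> bytes:
    """Constructed evasion attempt: two segments claim the same sequence range
    with different content before the gap in front of them is filled. Which
    copy the inspection engine sees depends on the overlap policy."""
    s = Session(next_seq=100, overlap_mode=overlap_mode)
    s.receive(Segment(104, b"evil"))   # out of order: buffered at 104..107
    s.receive(Segment(104, b"good"))   # same range, different bytes
    s.receive(Segment(100, b"GET "))   # fills the gap, stream is delivered
    return bytes(s.stream)


def overflow_demo(overflow_mode: str, cache_limit: int) -> Tuple[str, str, int]:
    """Two out-of-order segments against a small cache; cache_limit=0 models
    'stream-reassemble session-cache 0', where out-of-order reassembly is off."""
    s = Session(next_seq=1, overflow_mode=overflow_mode, cache_limit=cache_limit)
    r1 = s.receive(Segment(11, b"ABCDE"))
    r2 = s.receive(Segment(21, b"FGHIJ"))
    return r1, r2, len(s.uninspected)
```

The point of overlap_demo is that "preserve" and "overwrite" give the engine different byte streams for the same packets; whichever policy the engine uses, an end host that resolves overlaps the other way can be fed content the engine never inspected. overflow_demo shows why the overflow action matters: with "forward", data that exceeds the cache reaches the host uninspected, while "discard" keeps inspection complete at the cost of dropping traffic.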
Format
stream-reassemble session-timeout session-timeout-value
undo stream-reassemble session-timeout
Parameters
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Set the timeout time for out-of-sequence TCP packet inspection to 20 seconds.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] stream-reassemble session-timeout 20
Function
The stream-reassemble tcp-option check command enables the TCP option
check function.
Format
stream-reassemble tcp-option check
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After this function is enabled, the engine directly discards packets with abnormal
TCP options.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Enable the TCP option check function.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] stream-reassemble tcp-option check
Function
The stream-reassemble timestamp check command enables timestamp check of
TCP flow reassembly.
Format
stream-reassemble timestamp check
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After you enable timestamp check of TCP flow reassembly, the device verifies the
timestamp option of TCP packets. If the option is incorrect, the device discards the
packets.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Enable timestamp check of TCP flow reassembly.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] stream-reassemble timestamp check
Function
The stream-reassemble user-configure defense-check command enables the
TCP attack defense function.
Format
stream-reassemble user-configure defense-check
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After this function is enabled, the switch directly discards abnormal TCP packets.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Enable the TCP attack defense function.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] stream-reassemble user-configure defense-check
Format
update abort
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
In online/immediate updates, the device needs to connect to the update center. If
the network rate is too low and services or device performance are affected, you
can run the update abort command to abort the update and retry later. While an
update retry is in progress, you cannot perform other update operations. If you
need to use another update method, run the update abort command to abort the
update process first.
Prerequisites
The update abort command can only be used for online/immediate updates or
update retries.
Example
# Abort the immediate update process.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] update online sa-sdb
[HUAWEI] update abort
Format
update apply sa-sdb
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If manual installation confirmation has been enabled by the update confirm sa-
sdb enable command, run the update apply sa-sdb command to install the
update files.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Install the application identification signature database update files.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] update apply sa-sdb
Function
The update confirm sa-sdb enable command enables manual confirmation of
the application identification signature database installation.
Format
update confirm sa-sdb enable
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Enable manual confirmation for the application identification signature
database installation.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] update confirm sa-sdb enable
Format
update download-server aging-time age-time
undo update download-server aging-time
Parameters
Parameter Description Value
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If the download server is reachable and its address has not aged, the device
does not need to obtain the IP address of the download server again. It must
obtain the address again when the entry has aged or the server is abnormal. Use
this command to adjust the aging time of the download server address.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Precautions
The aging time of the download server applies to only HTTPS upgrade and not to
HTTP upgrade.
Example
# Set the aging time of the download server to 10 days.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] update download-server aging-time 10
Format
update force apply sa-sdb
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When you run the update apply sa-sdb command to install the downloaded update
files, the installation fails if system memory is insufficient. In this case, you
can run the update force apply sa-sdb command to forcibly install the
downloaded update files.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Precautions
Running the update force apply sa-sdb command causes the IAE not to take
effect for a short time and resets all IAE-related session tables. Therefore,
exercise caution when using this command.
Example
# Forcibly install the application identification signature database update files.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] update force apply sa-sdb
Function
The update force local sa-sdb command configures forcible manual update of
the local application identification signature database.
Format
update force local sa-sdb file filename
Parameters
Parameter Description Value
file filename Indicates the file used for the update. You must upload the update
files to the device memory before the update. The value is the absolute path of a
file, a string of 1 to 64 characters without spaces.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When you run the update local sa-sdb command to update the application
identification signature database locally, the update fails in case of insufficient
system memory. In this case, you can run the update force local sa-sdb
command to forcibly update the local application identification signature
database.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Precautions
Running the update force local sa-sdb command causes the IAE not to take
effect for a short time and resets all IAE-related session tables. Therefore,
exercise caution when using this command.
Example
# Forcibly update the local application identification signature database using file
hda1:/cnc_h10010000_2017111500.zip.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] update force local sa-sdb file hda1:/cnc_h10010000_2017111500.zip
Format
update force online sa-sdb
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When you run the update online sa-sdb command to immediately update the
application identification signature database, the update fails in case of
insufficient system memory. In this case, you can run the update force online sa-
sdb command to immediately update the application identification signature
database.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Precautions
Running the update force online sa-sdb command causes the IAE not to take
effect for a short time and resets all IAE-related session tables. Therefore,
exercise caution when using this command.
Example
# Forcibly update the application identification signature database.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] update force online sa-sdb
Format
update force restore sdb-default sa-sdb
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When you run the update restore sdb-default sa-sdb command to restore the
application identification signature database to the default version, the restore
fails if the system memory is insufficient. In this case, you can attempt to run the
update force restore sdb-default sa-sdb command to forcibly restore the
application identification signature database to the default version.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Precautions
● After you run the update force restore sdb-default sa-sdb command, the
application identification signature database files corresponding to the
rollback version and download version of the application identification
signature database will be deleted.
● Running the update force restore sdb-default sa-sdb command causes the
IAE not to take effect within a short period, resets all IAE-related session
tables, and interrupts some services. Therefore, exercise caution when running
this command.
Example
# Forcibly restore the application identification signature database to the factory
default version.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] update force restore sdb-default sa-sdb
Function
The update force rollback sa-sdb command forcibly rolls back the version of the
application identification signature database.
Format
update force rollback sa-sdb
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When you run the update rollback sa-sdb command to roll back the version of
the application identification signature database, the rollback fails in case of
insufficient system memory. In this case, you can run the update force rollback
sa-sdb command to forcibly roll back the version of the application identification
signature database.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Precautions
Running the update force rollback sa-sdb command causes the IAE not to take
effect for a short time and resets all IAE-related session tables. Therefore,
exercise caution when using this command.
Example
# Forcibly roll back the version of the application identification signature
database.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] update force rollback sa-sdb
Function
The update host source command specifies the source IP address of online
update request packets.
The undo update host source command deletes the specified source IP address of
online update request packets.
By default, the system searches a route based on the IP address of the update
center and uses the IP address of the outgoing interface as the source IP address
of update request packets.
Format
update host source { interface-type interface-number | ip ip-address [ vpn-
instance vpn-instance ] }
Parameters
Parameter Description Value
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When the device connects to the Internet through a VPN instance, this command
is mandatory. If it is not configured, the update fails.
● When update host source interface-type interface-number is configured, the
interface must be bound to the corresponding VPN instance name.
● When the update host source ip ip-address command is configured, vpn-
instance vpn-instance must be specified.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Precautions
After configuring this command, the device performs remote URL query within the VPN
that the interface belongs to.
Example
# Set the source interface for online update to GE0/0/1.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] ip address 10.1.1.1 24
[HUAWEI-GigabitEthernet0/0/1] quit
[HUAWEI] update host source gigabitethernet 0/0/1
# Set the source IP address of online update request packets to 10.1.1.1.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] update host source ip 10.1.1.1
Format
update local sa-sdb file filename
Parameters
Parameter Description Value
file filename Specifies the update file. You must upload the update files to the
device memory before the update. The value is the absolute path of a file, a
string of 1 to 64 characters without spaces.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If the device cannot connect to the network, download the update files from the
security center to a PC and upload the files to the device memory. Then run the
update local command to update the application identification signature
database.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Manually update the local application identification signature database
using file hda1:/cnc_h10010000_2017111500.zip.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] update local sa-sdb file hda1:/cnc_h10010000_2017111500.zip
Format
update online sa-sdb
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The online update modes of the application identification signature database
are scheduled update and immediate update. Generally, scheduled update is used.
In some cases, the application identification signature database needs to be
updated to the latest version immediately. If the next scheduled update is not
yet due, you can run the update online sa-sdb command to start an immediate
update. Before the update, check that the domain name or IP address of the
update center (sec.huawei.com) is reachable.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Update the application identification signature database immediately.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] update online sa-sdb
Format
update online-mode { http | https }
undo update online-mode
Parameters
Parameter Description Value
http Indicates the HTTP update mode, in which the device uses -
HTTP to send update requests and uses FTP to download the
application identification signature database.
https Indicates the HTTPS update mode, in which the device uses -
HTTPS to send update requests and download the
application identification signature database.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
This setting applies only to online update in direct update scenarios (including
scheduled update and immediate update) but not online update through a proxy
server.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Set the online application identification signature database update mode to
HTTP.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] update online-mode http
Format
update proxy { domain domain-name | ip ip-address } [ port port-number ]
[ user user-name [ password password ] ]
undo update proxy
Parameters
Parameter Description Value
port port-number Indicates the port number of the proxy server. The value is an
integer in the range from 1 to 65535. The default value is 80.
user user-name Indicates the user name for logging in to the proxy server. The
user name is a string and must have been set on the proxy server. If the user
name does not contain spaces, it ranges from 1 to 32 characters. If the user
name contains spaces, it ranges from 3 to 34 characters and must be enclosed in
double quotation marks (""), for example, "user for test".
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Before running this command, you must run the defence engine enable
command to enable the IAE.
After the password for logging in to the proxy server is configured, you need to
reconfigure the password if a version earlier than V200R021C10 is upgraded to
V200R021C10 or later, or V200R021C10 or later is downgraded to a version earlier
than V200R021C10.
Example
# Configure the proxy server.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] update proxy ip 192.168.2.33 port 8080 user test password Hello!123
Function
The update proxy enable command enables the application identification
signature database proxy update function.
The undo update proxy enable command disables the application identification
signature database proxy update function.
Format
update proxy enable
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The update proxy enable command is used for updating the application
identification signature database through a proxy server.
After this function is enabled, you must run the update proxy command to set
the proxy server. Otherwise, the device cannot connect to the update server
through the proxy server.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Enable the application identification signature proxy update function.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] update proxy enable
Function
The update restore sdb-default sa-sdb command restores the application
identification signature database to the factory default version.
Format
update restore sdb-default sa-sdb
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After you run the update restore sdb-default sa-sdb command, the application
identification signature database files corresponding to the rollback version and
download version of the application identification signature database will be
deleted. Therefore, exercise caution when running this command.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Restore the application identification signature database to the factory default
version.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] update restore sdb-default sa-sdb
Function
The update rollback sa-sdb command rolls back the version of the application
identification signature database.
Format
update rollback sa-sdb
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Run the update rollback sa-sdb command to roll back the current version of the
application identification signature database to the previous version. Only one
earlier version is kept, so if you run the update rollback sa-sdb command a
second time, the database returns to the version that was current before the
first rollback.
NOTE
The version rollback function is unavailable before the second update is complete.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Roll back the version of the application identification signature database.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] update rollback sa-sdb
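The update commands on this page (update confirm sa-sdb enable, update apply sa-sdb, update rollback sa-sdb and update restore sdb-default sa-sdb) together describe a small set of version slots and transitions. The following is an added example, not Huawei code: a Python model of those transitions. The slot names, and the reading of the note above as "the factory default is not a rollback target", are assumptions; the rules in the method comments are the ones stated on the page.

```python
# Added example (not Huawei code): a model of the signature database version
# slots implied by the update commands on this page. Slot names, and the rule
# that the factory default is not a rollback target (our reading of the note
# that rollback is unavailable before the second update completes), are assumptions.
from typing import List, Optional


class SignatureDb:
    def __init__(self, factory_default: str, confirm_required: bool = False) -> None:
        self.factory_default = factory_default
        self.current = factory_default
        self.rollback_version: Optional[str] = None  # only one earlier version is kept
        self.downloaded: Optional[str] = None        # waits for 'update apply sa-sdb'
        self.confirm_required = confirm_required     # 'update confirm sa-sdb enable'

    def download(self, version: str) -> str:
        """update online sa-sdb / update local sa-sdb: fetch a version and, unless
        manual confirmation is enabled, install it immediately."""
        if self.confirm_required:
            self.downloaded = version
            return "downloaded"
        return self._install(version)

    def apply(self) -> str:
        """update apply sa-sdb: install the downloaded version."""
        if self.downloaded is None:
            raise RuntimeError("no downloaded version to apply")
        version, self.downloaded = self.downloaded, None
        return self._install(version)

    def _install(self, version: str) -> str:
        previous = self.current
        self.rollback_version = None if previous == self.factory_default else previous
        self.current = version
        return "installed"

    def rollback(self) -> str:
        """update rollback sa-sdb: swap current and the one earlier version, so a
        second rollback returns to the version that was current before the first."""
        if self.rollback_version is None:
            raise RuntimeError("rollback unavailable: fewer than two updates installed")
        self.current, self.rollback_version = self.rollback_version, self.current
        return self.current

    def restore_default(self) -> str:
        """update restore sdb-default sa-sdb: back to the factory version; the
        rollback and downloaded versions are deleted, so this cannot be undone."""
        self.current = self.factory_default
        self.rollback_version = None
        self.downloaded = None
        return self.current


def walkthrough() -> List[Optional[str]]:
    """Constructed sequence showing the rollback and restore rules."""
    db = SignatureDb("cnc_default")
    steps: List[Optional[str]] = [db.download("v1")]
    try:
        db.rollback()
        steps.append("rollback-ok")
    except RuntimeError:
        steps.append("rollback-unavailable")   # only one update so far
    db.download("v2")
    steps += [db.rollback(), db.rollback()]    # v1, then back to v2
    steps.append(db.restore_default())
    steps.append(db.rollback_version)          # None: the rollback version was deleted
    return steps
```

The model makes the two caveats on this page concrete: a rollback is a swap rather than a stack, and restoring the factory default discards the only other versions the device still holds, so no rollback is possible afterwards until two new updates have been installed.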
Function
The update schedule sa-sdb enable command enables scheduled update of the
application identification signature database.
The undo update schedule sa-sdb enable command disables scheduled update of
the application identification signature database.
Format
update schedule sa-sdb enable
Parameters
Views
System view
Default Level
3: Management level
Usage Guidelines
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Enable the scheduled update time function for the application identification
signature database.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] update schedule sa-sdb enable
Function
The update schedule retry-download interval command sets the retry interval
for downloading the application identification signature database for scheduled
update.
Format
update schedule retry-download interval interval-value
Parameters
Parameter Description Value
interval-value Specifies the retry interval for downloading the application
identification signature database for scheduled update. The value is an integer
ranging from 300 to 3600, in seconds. The default value is 3600.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
In case of scheduled update, if the update server is busy, the application
identification signature database may fail to be downloaded, causing an update
failure. The device then retries downloading the application identification
signature database. The update schedule retry-download interval command sets
the retry interval for downloading the application identification signature
database.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Set the retry interval for downloading the application identification signature
database for scheduled update to 1800s.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] update schedule retry-download interval 1800
Format
update schedule retry-load interval interval-value
undo update schedule retry-load interval
Parameters
Parameter Description Value
interval-value Specifies the retry interval for loading the application
identification signature database for scheduled update. The value is an integer
ranging from 300 to 3600, in seconds. The default value is 3600.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
In case of scheduled update, if the memory of the device is insufficient, the device
may fail to load the downloaded application identification signature database.
Then, the device will retry loading the application identification signature
database. The update schedule retry-load interval command is used to set the
retry interval for loading the application identification signature database.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Set the retry interval for loading the application identification signature
database for scheduled update to 1800s.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] update schedule retry-load interval 1800
Format
update schedule [ sa-sdb ] [ { daily | weekly { Mon | Tue | Wed | Thu | Fri | Sat |
Sun } } time ]
Parameters
Parameter Description Value
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If time is not specified, the update schedule can update the application
identification signature database daily at any point during the time range 22:00 to
08:00.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Configure a scheduled update of the application identification signature
database at 02:00 every Wednesday.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] update schedule weekly Wed 02:00
Format
update server { domain domain-name | ip ip-address } [ port port-number ]
undo update server
Parameters
Parameter Description Value
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
By default, the domain name of the update server is sec.huawei.com, the HTTP
port number is 80 and the HTTPS port number is 443.
Prerequisites
Before running this command, you must run the defence engine enable
command to enable the IAE.
Example
# Set the IP address of the update server to 10.1.1.1 and port number to 86.
<HUAWEI> system-view
[HUAWEI] defence engine enable
[HUAWEI] update server ip 10.1.1.1 port 86
14.22.2 deception
Function
The deception command creates and enters the deception view.
Format
deception
undo deception
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To configure the deception function, run this command to create and enter the
deception view first.
Precautions
The undo deception command will delete all deception configurations. Therefore,
confirm your operation before using this command.
Example
# Create and enter the deception view.
<HUAWEI> system-view
[HUAWEI] deception
[HUAWEI-deception]
Function
The deception aci detect-network enable command enables the Access Control
Isolation (ACI) deception function for a detected network segment.
The undo deception aci detect-network enable command disables the ACI
deception function for a detected network segment.
The ACI deception function is disabled by default.
Format
deception aci detect-network { id id-number | all } enable
undo deception aci detect-network { id id-number | all } enable
Parameters
Parameter Description Value
id id-number Specifies the ID of a network segment to be detected. The value is
an integer ranging from 1 to 50.
Views
Deception view
Default Level
2: Configuration level
Usage Guidelines
ACI is an isolation scheme that controls intranet communication through DNS
access. After this function is enabled, hosts in the detected network segment
must be accessed through their domain names. If a host is accessed directly by
IP address, or a nonexistent IP address is accessed, the traffic is deceived to
the Decoy.
The DecoySensor parses DNS reply packets and establishes mappings between the
source addresses of DNS request packets and the IP addresses corresponding to
the domain names in DNS reply packets (that is, the ACI table). Subsequent TCP
SYN packets and ICMP ping packets will match the ACI table. Traffic that fails to
match the table is deceived to the Decoy for in-depth interactive detection.
ACI also supports the configuration of an ACI suffix using the deception aci suffix
command. The default value is aci. An ACI suffix functions as an intranet access
key. For example, if the IP address of the server in the detected network segment
is 192.168.1.1, the server must be accessed through 192.168.1.1.aci if the default
ACI suffix is used. If the IP address of the server is directly accessed or the IP
address with an incorrect ACI suffix is accessed, traffic is deceived to the Decoy for
in-depth interactive detection.
The ACI deception function takes effect only after the deception function is
enabled using deception enable.
Example
# Enable the ACI deception function.
<HUAWEI> system-view
[HUAWEI] deception
[HUAWEI-deception] deception aci detect-network all enable
Function
The deception aci lack decoy command sets the policy used when the ACI table is
full to deceive.
The undo deception aci lack decoy command sets the policy used when the ACI
table is full to permit.
The policy used when the ACI table is full is permit by default.
Format
deception aci lack decoy
Parameters
None
Views
Deception view
Default Level
2: Configuration level
Usage Guidelines
The ACI table is space-limited. If there are a large number of intranet DNS
requests and the ACI table cannot store new mappings, traffic will be deceived or
permitted based on the configuration of this command.
To prevent a full ACI table, you can run the deception aci timeout command to
set a shorter aging time for ACI entries.
Example
# Set the policy used in the case of a full ACI table to deceive.
<HUAWEI> system-view
[HUAWEI] deception
[HUAWEI-deception] deception aci lack decoy
Warning: If the configured ACI resources are insufficient, the default action is decoy which affects services.
Continue? [Y/N]:y
Function
The deception aci suffix command sets an ACI suffix.
The undo deception aci suffix command restores the default ACI suffix.
The ACI suffix is aci by default.
Format
deception aci suffix suffix-value
undo deception aci suffix
Parameters
Parameter Description Value
suffix-value Specifies the ACI suffix. The value is a string of at most eight characters, including letters, digits, and hyphens (-). It must start with a letter.
Views
Deception view
Default Level
2: Configuration level
Usage Guidelines
An ACI suffix functions as an intranet access key. For example, if the IP address of
the server in the detected network segment is 192.168.1.1, the server must be
accessed only through 192.168.1.1.aci if the default ACI suffix is used. If the IP
address of the server is directly accessed or the IP address with an incorrect ACI
suffix is accessed, traffic is deceived to the Decoy or discarded.
After the ACI suffix is changed, run the reset deception aci command to update the ACI
entries. Otherwise, entries learned under the old suffix remain valid until they age
out. After the entries are reset, access from a terminal whose cached DNS record has
not yet expired is deceived, because the terminal does not resolve the name again.
Therefore, change the ACI suffix when no service traffic exists.
Example
# Set the ACI suffix to testaci.
<HUAWEI> system-view
[HUAWEI] deception
[HUAWEI-deception] deception aci suffix testaci
Function
The deception aci timeout command sets the aging time of ACI entries.
The undo deception aci timeout command restores the default aging time of ACI
entries.
By default, the aging time of ACI entries is 60s. When a new DNS reply packet
arrives, the corresponding ACI entry is updated.
Format
deception aci timeout timeout-value
undo deception aci timeout
Parameters
Parameter Description Value
timeout-value Specifies the aging time of ACI entries. The value is an integer ranging from 10 to 300, in seconds.
Views
Deception view
Default Level
2: Configuration level
Usage Guidelines
The DecoySensor replaces the TTL in the DNS reply packet with the aging time
configured in this command. The DNS TTL is the cache time of the DNS entries
recorded by the terminal. After the time expires, the terminal initiates a DNS
request again. After receiving the DNS reply packet, the DecoySensor updates the
aging time of the corresponding ACI entry to ensure that the DNS entry recorded
by the terminal and the ACI entry on the DecoySensor are aged or updated at the
same time.
The ACI table is space-limited. If there are a large number of intranet DNS
requests and the ACI table cannot store new mappings, traffic will be deceived or
permitted based on the configuration of the deception aci lack decoy command.
You can run the deception aci timeout command to set a shorter aging time for
ACI entries.
If the intranet access is stable and there is a small number of DNS requests, you
can set a longer aging time of ACI entries for better performance.
Example
# Set the aging time of ACI entries to 100s.
<HUAWEI> system-view
[HUAWEI] deception
[HUAWEI-deception] deception aci timeout 100
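The ACI mechanism described above (DNS-reply-derived source/destination mappings, the ACI suffix access key, the full-table policy of deception aci lack decoy, and the TTL rewrite of deception aci timeout) is small enough to model end to end. The following is an added example written for this page, not Huawei code and not the DecoySensor implementation. It assumes a table capacity of three entries so the full-table path is exercised (the real limit is not given on the page), and it assumes that a query for "<dotted-IPv4>.<suffix>" with the correct suffix is treated as a resolution of that address while a wrong suffix only increments an error-aci counter; the sample event trace is constructed, not device output.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AciTable:
    """One DecoySensor ACI table. Entries are (source, destination) pairs learned
    from DNS replies and from '<ip>.<suffix>' access-key queries."""
    suffix: str = "aci"           # deception aci suffix (default aci)
    timeout: int = 60             # deception aci timeout, seconds (10..300)
    lack_decoy: bool = False      # deception aci lack decoy; default policy is permit
    capacity: int = 3             # assumed size limit; the real limit is not on the page
    entries: dict = field(default_factory=dict)   # (src, dst) -> expiry time
    error_aci: int = 0            # queries that carried a wrong suffix (error-aci counter)

    def _purge(self, now):
        self.entries = {k: exp for k, exp in self.entries.items() if exp > now}

    def _learn(self, src, dst, now):
        """Insert or refresh a mapping. Returns False when the table is full."""
        self._purge(now)
        if (src, dst) not in self.entries and len(self.entries) >= self.capacity:
            return False
        self.entries[(src, dst)] = now + self.timeout
        return True

    def on_dns_reply(self, src, answers, now):
        """src received A records for a name it queried. Returns the TTL the sensor
        writes into the forwarded reply so the client cache and the entry age together."""
        for ip in answers:
            self._learn(src, ip, now)
        return self.timeout

    def on_dns_query(self, src, qname, now):
        """Access-key handling (assumption): '<dotted-IPv4>.<suffix>' with the configured
        suffix resolves that address; a wrong suffix is counted and learns nothing."""
        head, _, last = qname.rpartition(".")
        try:
            ip = str(ipaddress.IPv4Address(head))
        except ValueError:
            return None                       # ordinary domain name, not an access key
        if last != self.suffix:
            self.error_aci += 1
            return None
        self._learn(src, ip, now)
        return ip

    def decide(self, src, dst, now):
        """Verdict for a TCP SYN or ICMP echo request from src to dst."""
        self._purge(now)
        if (src, dst) in self.entries:
            return "permit"
        if len(self.entries) >= self.capacity:   # table full: deception aci lack decoy policy
            return "deceive" if self.lack_decoy else "permit"
        return "deceive"                          # no prior lookup: direct-IP access


def run_trace():
    """Constructed event trace (not device output): lookups, an access key, a wrong
    suffix, a full table and an aged entry. Returns the verdict per step."""
    t = AciTable(timeout=60, lack_decoy=True, capacity=3)
    dst = "172.16.2.1"
    out = {}
    out["ttl"] = t.on_dns_reply("192.168.1.10", [dst], now=0)   # normal lookup, TTL rewritten
    out["resolved"] = t.decide("192.168.1.10", dst, now=1)      # permit
    out["direct"] = t.decide("192.168.1.11", dst, now=1)        # deceive: no lookup first
    t.on_dns_query("192.168.1.11", dst + ".aci", now=2)         # correct access key
    out["suffix_ok"] = t.decide("192.168.1.11", dst, now=3)     # permit
    t.on_dns_query("192.168.1.12", dst + ".xyz", now=4)         # wrong suffix
    out["suffix_bad"] = t.decide("192.168.1.12", dst, now=5)    # deceive
    t.on_dns_reply("192.168.1.13", [dst], now=6)                # third entry: table now full
    t.on_dns_reply("192.168.1.14", [dst], now=7)                # cannot be stored
    out["full"] = t.decide("192.168.1.14", dst, now=8)          # lack decoy -> deceive
    out["aged"] = t.decide("192.168.1.10", dst, now=61)         # first entry aged out
    out["error_aci"] = t.error_aci
    return out
```

With the default policy (lack_decoy=False) the same full-table step permits instead, which is why the CLI warns that switching to decoy "affects services": once the table is full, every unmatched flow, legitimate or not, gets the configured fallback.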
Function
The deception arp-request rate command sets an IP address scanning threshold.
The undo deception arp-request rate command restores the IP address scanning
threshold to the default value.
Format
deception arp-request rate rate-number
Parameters
Parameter Description Value
rate-number Specifies an IP address scanning threshold. The value is an integer in the range from 1 to 20000, in times per 10 seconds.
Views
Deception view
Default Level
2: Configuration level
Usage Guidelines
If the rate at which a source IP address scans destination IP addresses reaches the
specified threshold, the switch considers the event a suspected attack. Once the
switch detects that a scanned IP address is offline, it immediately lures the traffic
to the Decoy for further detection.
Example
# Set the IP address scanning threshold to 20 times per 10 seconds.
<HUAWEI> system-view
[HUAWEI] deception
[HUAWEI-deception] deception arp-request rate 20
Format
deception decoy-network id id-number destination ip-address [ mask ]
[ destination-port port &<1-20> ] [ vpn-instance vpn-instance-name ]
Parameters
Parameter Description Value
id id-number Specifies the ID of a bait network segment. The value is an integer in the range from 1 to 50.
vpn-instance vpn-instance-name Specifies the VPN instance for the bait network segment. The VPN instance must be an existing one on the device.
Views
Deception view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After a bait network segment is configured, the switch does not detect whether
the IP addresses on the bait network segment are online. If an IP address or TCP
port on the bait network segment is scanned, the switch lures the scanning traffic
to the Decoy for further attack detection. Therefore, you can add some idle IP
addresses to the bait network segment.
Precautions
Example
# Add 10.1.1.11 to the bait network segment.
<HUAWEI> system-view
[HUAWEI] deception
[HUAWEI-deception] deception decoy-network id 1 destination 10.1.1.11
Format
deception detect-network id id-number ip-address mask [ vpn-instance vpn-
instance-name ]
undo deception detect-network { all | id id-number }
Parameters
Parameter Description Value
id id-number Specifies the ID of a detected network segment. The value is an integer in the range from 1 to 50.
Views
Deception view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Precautions
If you have configured a bait network segment using the deception decoy-
network command, deception is triggered when the IP addresses on the bait
network segment are scanned, with no need to configure these IP addresses in the
detected network segment.
Example
# Configure the deception system to detect the network segment 10.1.1.0/24.
<HUAWEI> system-view
[HUAWEI] deception
[HUAWEI-deception] deception detect-network id 1 10.1.1.0 255.255.255.0
Function
The deception dns enable command enables the unknown-domain-name
deception function.
Format
deception dns enable
Parameters
None
Views
Deception view
Default Level
2: Configuration level
Usage Guidelines
After the unknown-domain-name deception function is enabled, the DecoySensor
identifies DNS requests on the network. When DNS requests are sent rapidly from
the same source IP address, domain name scanning aimed at discovering real
intranet IP addresses is suspected. When the rate of domain name scans reaches the
threshold and the DNS reply indicates that the domain name does not exist, the
DecoySensor automatically constructs and returns a DNS reply packet. The IP address
in the constructed reply is an address from the bait network segment and is in the
same network segment as the source address of the DNS request. Subsequent access
to and attacks on this IP address are deceived to the Decoy for in-depth interactive
detection.
The deception operation is performed only after a bait network segment that is
the same as the detected network segment is configured using deception decoy-
network. If the bait network segment is not configured, the DecoySensor sends
only domain name scan threshold-crossing logs.
Example
# Enable the unknown-domain-name deception function.
<HUAWEI> system-view
[HUAWEI] deception
[HUAWEI-deception] deception dns enable
Function
The deception dns-request rate command sets the domain name scan threshold.
The undo deception dns-request rate command restores the default domain
name scan threshold.
By default, the domain name scan threshold is 5 scans per second.
Format
deception dns-request rate rate-number
undo deception dns-request rate
Parameters
Parameter Description Value
rate-number Specifies the domain name scan threshold. The value is an integer ranging from 1 to 20000, in scans per second.
Views
Deception view
Default Level
2: Configuration level
Usage Guidelines
When the rate of domain name scans sent from the same source IP address
reaches the threshold and related information carried in the DNS reply packet
indicates that the domain name does not exist, the DecoySensor determines that
it is an attack. The DecoySensor automatically constructs and returns a DNS reply
packet. The IP address corresponding to the domain name in the constructed DNS
reply packet is the IP address in the bait network segment, and is in the same
network segment as the source address for sending the DNS request packet. The
subsequent access and attack to this IP address will be deceived to the Decoy.
Example
# Set the domain name scan threshold to 300 scans per second.
<HUAWEI> system-view
[HUAWEI] deception
[HUAWEI-deception] deception dns-request rate 300
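The unknown-domain-name deception of deception dns enable and deception dns-request rate comes down to a rate check on NXDOMAIN answers per source plus a forged A reply carrying a bait address from the requester's own segment. The following is an added example for this page, not Huawei code: it constructs and parses real DNS wire-format packets with the standard library, and it assumes the bait is the first configured decoy address inside the detected segment that contains the source, that the forged reply carries AA/RD/RA with RCODE 0, and a TTL of 60; the scanner trace and its names are constructed sample input.

```python
import ipaddress
import struct
from collections import defaultdict, deque


def encode_name(name):
    """Wire-format domain name: length-prefixed labels, zero terminator."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid, name):
    """Standard A query with RD set; used here only to construct sample input."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def parse_question(pkt):
    """Return (txid, qname, raw question section) of a query or reply."""
    txid = struct.unpack("!H", pkt[:2])[0]
    pos, labels = 12, []
    while pkt[pos]:
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return txid, ".".join(labels), pkt[12:pos + 5]     # name, zero byte, qtype, qclass


def forge_reply(query_pkt, bait_ip, ttl):
    """Spoofed reply: QR=1, AA=1, RD=1, RA=1, RCODE=0 and one A record for the queried
    name. The 0xC00C pointer compresses the owner name back to the question at offset 12."""
    txid, _, question = parse_question(query_pkt)
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(bait_ip).packed
    return header + question + rr


class DnsDeceiver:
    def __init__(self, rate=5, detect_networks=(), decoy_networks=()):
        self.rate = rate                                   # deception dns-request rate, scans per second
        self.detect = [ipaddress.ip_network(n) for n in detect_networks]
        self.decoys = [ipaddress.ip_network(n) for n in decoy_networks]
        self.hist = defaultdict(deque)                     # src -> NXDOMAIN timestamps in the last second
        self.logs = []                                     # threshold-crossing logs (no bait available)

    def bait_for(self, src):
        """Assumption: first configured bait address inside the detected segment holding src."""
        seg = next((n for n in self.detect if ipaddress.ip_address(src) in n), None)
        if seg is None:
            return None
        for net in self.decoys:
            for host in (list(net.hosts()) or [net.network_address]):
                if host in seg:
                    return str(host)
        return None

    def on_nxdomain(self, query_pkt, src, now):
        """Called when the real answer to query_pkt is NXDOMAIN. Returns forged reply
        bytes once src's rate reaches the threshold, else None (below threshold, or
        log only when no bait segment matches the source)."""
        q = self.hist[src]
        q.append(now)
        while q and q[0] <= now - 1.0:
            q.popleft()
        if len(q) < self.rate:
            return None
        bait = self.bait_for(src)
        if bait is None:
            self.logs.append(f"domain-name scan threshold crossed by {src}; no bait in segment")
            return None
        return forge_reply(query_pkt, bait, ttl=60)


def run_trace():
    """Constructed trace: a scanner inside 10.1.1.0/24 burning through names, then a
    scanner outside any detected segment (log only)."""
    d = DnsDeceiver(rate=5, detect_networks=["10.1.1.0/24"],
                    decoy_networks=["10.1.1.11/32", "10.1.1.12/32"])
    forged = other = None
    for i in range(5):                                     # five NXDOMAINs inside one second
        forged = d.on_nxdomain(build_query(0x1000 + i, f"srv{i}.corp.example"), "10.1.1.50", now=i * 0.1)
    for i in range(5):
        other = d.on_nxdomain(build_query(0x2000 + i, f"srv{i}.corp.example"), "192.168.5.9", now=10 + i * 0.1)
    txid, qname, _ = parse_question(forged)
    return {"txid": txid, "qname": qname, "rcode": forged[3] & 0x0F,
            "ancount": struct.unpack("!H", forged[6:8])[0],
            "bait": str(ipaddress.IPv4Address(forged[-4:])),
            "other": other, "logs": len(d.logs)}
```

The forged answer keeps the scanner's transaction ID and question section so the resolver library on the attacking host accepts it as a normal response; the bait address then only ever receives traffic that followed a fabricated name, which is what makes the subsequent redirect to the Decoy a low-false-positive signal.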
Format
deception enable
undo deception enable
Parameters
None
Views
Deception view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After deception is enabled, the DecoySensor identifies IP address and TCP port
scanning activities on the network and lures suspicious traffic to the Decoy. If the
configuration is incorrect, normal network traffic may be affected. Before enabling
deception, run the display this command in the deception view to confirm the
deception configuration.
Prerequisites
● The optimized ARP reply function has been disabled using the arp optimized-
reply disable command, and the VLANIF interface has been configured to
send ARP packets destined for other devices to the CPU using the undo arp
optimized-passby enable command.
● You have configured deception detect-network or deception decoy-
network, or both of them. Otherwise, the deception function does not take
effect.
Example
# Enable the deception function.
<HUAWEI> system-view
[HUAWEI] deception
[HUAWEI-deception] deception enable
Format
deception decoy destination destination-ip [ source source-ip ] [ vpn-instance
vpn-instance-name ] [ backup destination destination-ip [ source source-ip ]
[ vpn-instance vpn-instance-name ] ]
Parameters
Parameter Description Value
vpn-instance vpn-instance-name Specifies the VPN instance of the Decoy. The VPN instance must be an existing one on the device.
Views
Deception view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When detecting suspected attack traffic, the switch lures the traffic to a Decoy for
further checks. Therefore, you must first run this command to configure the IP
address of the Decoy.
If communication between the switch and active Decoy is abnormal, the switch
sends the log and deceived traffic to the standby Decoy that can communicate
with the switch.
Precautions
A switch cannot use the virtual IP address of a VRRP group or the IP address of
the management network interface to connect to a Decoy.
Example
# Set the Decoy IP address to 10.1.1.1.
<HUAWEI> system-view
[HUAWEI] deception
[HUAWEI-deception] deception decoy destination 10.1.1.1
Format
deception ip-state detect rate rate-number
undo deception ip-state detect rate
Parameters
Parameter Description Value
rate-number Specifies the frequency of scanning IP addresses by the switch. The value is an integer in the range from 1 to 4096, in times per second.
Views
Deception view
Default Level
2: Configuration level
Usage Guidelines
The switch initiates IP address scanning on the network segment to be detected to
check whether IP addresses are online. If the scanning frequency is too high, the
network is affected. If the scanning frequency is too low, the switch takes a long
time to learn about the online status of IP addresses. You need to configure a
proper IP address scanning frequency based on the site requirements and live
network quality.
Example
# Set the frequency of scanning IP addresses by the switch to 40 times per second.
<HUAWEI> system-view
[HUAWEI] deception
[HUAWEI-deception] deception ip-state detect rate 40
Function
The deception mac-address aging-time command configures the interval at
which the switch sends an ARP broadcast packet.
Format
deception mac-address aging-time aging-time
Parameters
Parameter Description Value
aging-time Specifies the interval at which the switch sends an ARP broadcast packet. The value is an integer in the range from 10 to 1000000, in seconds.
Views
Deception view
Default Level
2: Configuration level
Usage Guidelines
To perform spoofing on IP address scanning, the switch constructs a virtual MAC
address and sends it to the scanning source. The scanning source then incorrectly
considers that the IP address to be scanned is online, and the switch diverts
subsequent traffic from the scanning source to a Decoy for attack detection. The
Layer 2 switch records an ARP entry of the scanned IP address and virtual MAC
address. To prevent packets destined for the scanned IP address from being
broadcast on the network after the entry is aged out, the switch periodically sends
an ARP broadcast packet that contains the mapping between the scanned IP
address and the virtual MAC address to the Layer 2 switch. You can run the
deception mac-address aging-time command to adjust the interval at which the
switch sends an ARP broadcast packet.
Example
# Set the interval at which the switch sends an ARP broadcast packet to 300
seconds.
<HUAWEI> system-view
[HUAWEI] deception
[HUAWEI-deception] deception mac-address aging-time 300
Function
The deception mode strict command enables the strict deception mode.
The undo deception mode command disables the strict deception mode.
Format
deception mode strict
Parameters
None
Views
Deception view
Default Level
2: Configuration level
Usage Guidelines
Fixed networking and stable servers are prerequisites for the strict deception
mode. After the strict deception mode is set, the switch immediately lures the
traffic destined for offline IP addresses or unopened TCP ports to the Decoy for
further detection.
In non-strict mode, deception is performed only when the following conditions are
met:
● The IP scanning or TCP port scanning frequency initiated by an IP address
reaches the specified threshold.
● An offline IP address or unopened TCP port is scanned.
Example
# Enable the strict deception mode.
<HUAWEI> system-view
[HUAWEI] deception
[HUAWEI-deception] deception mode strict
Function
The deception syn-connect rate command sets a TCP port scanning threshold.
The undo deception syn-connect rate command restores the TCP port scanning
threshold to the default value.
By default, the TCP port scanning threshold is 100 times per second.
Format
deception syn-connect rate rate-number
Parameters
Views
Deception view
Default Level
2: Configuration level
Usage Guidelines
If the frequency of scanning a TCP port by a source IP address reaches the
specified threshold, the switch considers the event to be a suspected attack. Once
the switch detects that the scanned TCP port is unopened, it immediately lures the
traffic to the Decoy for further detection.
Example
# Set the TCP port scanning threshold to 200 times per second.
<HUAWEI> system-view
[HUAWEI] deception
[HUAWEI-deception] deception syn-connect rate 200
Function
The deception whitelist command sets a deception whitelist.
Format
deception whitelist id id-number { destination | source } ip-address [ mask ]
[ vpn-instance vpn-instance-name ]
Parameters
Views
Deception view
Default Level
2: Configuration level
Usage Guidelines
You can configure destination IP address whitelists and source IP address
whitelists:
● Source IP address whitelist: If the source IP address of scanning packets is in
the source IP address whitelist, the device does not lure the scanning packets
sent from this IP address to the Decoy. The addresses of devices that
proactively detect the network (such as the NMS) can be whitelisted to
prevent deception.
● Destination IP address whitelist: If the destination IP address of scanning
packets is in the destination IP address whitelist, the device does not lure the
scanning packets sent to this IP address to the Decoy. The addresses of
devices that do not respond to ARP requests or port connection requests (such
as traditional printers) can be whitelisted to prevent deception.
Example
# Add 10.1.1.10 to destination IP address whitelist.
<HUAWEI> system-view
[HUAWEI] deception
[HUAWEI-deception] deception whitelist id 1 destination 10.1.1.10
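The decision logic spread across deception arp-request rate, deception syn-connect rate, deception mode strict and deception whitelist fits in one small model. The following is an added example for this page, not Huawei code and not the DecoySensor implementation. It assumes a per-source sliding window (10 s for ARP probes, 1 s for SYNs, matching the units of the two thresholds), takes the set of online addresses and open (address, port) pairs as given rather than probing for them, and uses the 20 probes per 10 s threshold only because the page's own example does; the probe trace, the NMS address and the printer address are constructed.

```python
import ipaddress
from collections import defaultdict, deque


class ScanDetector:
    """One DecoySensor's verdicts: ARP probes of offline addresses and TCP SYNs to
    unopened ports are deceived once the source's scan rate reaches the threshold
    (immediately in strict mode), unless a whitelist matches."""

    def __init__(self, arp_rate, syn_rate=100, strict=False, src_whitelist=(),
                 dst_whitelist=(), online_ips=(), open_ports=()):
        self.arp_rate = arp_rate            # deception arp-request rate, times per 10 s
        self.syn_rate = syn_rate            # deception syn-connect rate, times per second (default 100)
        self.strict = strict                # deception mode strict
        self.src_wl = [ipaddress.ip_network(n) for n in src_whitelist]
        self.dst_wl = [ipaddress.ip_network(n) for n in dst_whitelist]
        self.online = set(online_ips)       # addresses the ip-state probing found online (given here)
        self.open_ports = set(open_ports)   # (ip, port) pairs known to be open (given here)
        self.hist = defaultdict(deque)      # (src, kind) -> probe timestamps inside the window

    @staticmethod
    def _listed(ip, nets):
        return any(ipaddress.ip_address(ip) in n for n in nets)

    def _count(self, src, kind, now, window):
        """Sliding-window probe count for src, including the current probe."""
        q = self.hist[(src, kind)]
        q.append(now)
        while q and q[0] <= now - window:
            q.popleft()
        return len(q)

    def arp_request(self, src, target, now):
        """Verdict for an ARP request from src for target (IP address scan probe)."""
        if self._listed(src, self.src_wl) or self._listed(target, self.dst_wl):
            return "permit"
        count = self._count(src, "arp", now, 10.0)     # every probe counts, online or not
        if target in self.online:
            return "permit"                              # a real host answers; nothing to spoof
        if self.strict or count >= self.arp_rate:
            return "deceive"                             # virtual-MAC answer, later traffic to the Decoy
        return "permit"

    def tcp_syn(self, src, dst, port, now):
        """Verdict for a TCP SYN from src to dst:port (port scan probe)."""
        if self._listed(src, self.src_wl) or self._listed(dst, self.dst_wl):
            return "permit"
        count = self._count(src, "syn", now, 1.0)
        if dst in self.online and (dst, port) in self.open_ports:
            return "permit"
        if self.strict or count >= self.syn_rate:
            return "deceive"
        return "permit"


def run_trace():
    """Constructed probe trace (not device output). Returns verdicts keyed by scenario."""
    d = ScanDetector(arp_rate=20, syn_rate=100, strict=False,
                     src_whitelist=["10.1.1.250/32"],          # the NMS that sweeps the segment
                     dst_whitelist=["10.1.1.10/32"],           # a printer that never answers probes
                     online_ips={"10.1.1.2", "10.1.1.10"}, open_ports={("10.1.1.2", 22)})
    out = {}
    out["nms"] = {d.arp_request("10.1.1.250", f"10.1.1.{i}", now=i * 0.1) for i in range(1, 31)}
    out["slow"] = d.arp_request("10.1.1.1", "10.1.1.99", now=100.0)       # one probe, offline target
    burst = [d.arp_request("10.1.1.1", f"10.1.1.{100 + i}", now=200.0 + i * 0.1) for i in range(20)]
    out["burst_first"], out["burst_last"] = burst[0], burst[-1]          # threshold hit on the 20th
    out["open_port"] = d.tcp_syn("10.1.1.1", "10.1.1.2", 22, now=300.0)
    out["closed_slow"] = d.tcp_syn("10.1.1.1", "10.1.1.2", 3389, now=301.0)
    syns = [d.tcp_syn("10.1.1.1", "10.1.1.2", 1000 + i, now=400.0 + i * 0.005) for i in range(100)]
    out["port_burst_last"] = syns[-1]                                     # 100 SYNs within 1 s
    d.strict = True                                                       # deception mode strict
    out["strict_closed"] = d.tcp_syn("10.1.1.3", "10.1.1.2", 3389, now=500.0)
    out["strict_printer"] = d.tcp_syn("10.1.1.3", "10.1.1.10", 9100, now=501.0)
    return out
```

The trace makes the operational trade-off visible: in non-strict mode a slow sweep of offline addresses is never deceived, which is the gap the display deception arp-request "number" column is meant to expose, while strict mode deceives the first SYN to a closed port and therefore needs the destination whitelist for hosts such as printers that legitimately drop probes.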
Function
The display deception aci command displays the ACI table.
Format
display deception aci [ source ip-address ]
Parameters
Parameter Description Value
source ip-address Specifies the source IP address in an ACI entry. The value is in dotted decimal notation.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The DecoySensor parses DNS reply packets and establishes mappings between the
source addresses of DNS request packets and the IP addresses corresponding to
the domain names in DNS reply packets (that is, the ACI table). Subsequent TCP
SYN packets and ICMP ping packets will match the ACI table. Traffic that fails to
match the table is deceived to the Decoy for in-depth interactive detection.
If the number of current entries approaches the upper limit, run the deception aci
timeout command to set a shorter aging time for ACI entries.
Example
# Display the ACI table.
<HUAWEI> display deception aci
-------------------------------------------------------------------------------------------------------
Current total number = 1
-------------------------------------------------------------------------------------------------------
source destnation time vpn-instance
-------------------------------------------------------------------------------------------------------
192.168.1.1 172.16.2.1 192 public
Format
display deception arp-proxy
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The switch does not probe its own interface IP addresses or the target IP addresses
of proxy ARP requests sent to it, so these addresses are not learned as online and
traffic destined for them could be lured to a Decoy. To avoid this, when the switch
receives ARP requests for these IP addresses, it returns ARP reply packets, and the
management plane instructs the deception module to add the target IP addresses of
the ARP requests to the online IP address table.
Example
# Display the interface IP address of the switch and the target IP addresses in the
proxy ARP requests sent to the switch in the online IP address table.
<HUAWEI> display deception arp-proxy
-------------------------------------------------------------------------------------------------------
Current total number = 1
-------------------------------------------------------------------------------------------------------
ip-address vlan vpn-instance
10.1.1.1 10 default
--------------------------------------------------------------------------------
Function
The display deception arp-request command displays the IP address scanning
behavior detected by the switch.
Format
display deception arp-request [ source ip-address ]
Parameters
Parameter Description Value
source ip-address Specifies the source IP address that initiates IP address scanning. The value is in dotted decimal notation.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
You can run this command to check the IP address scanning behavior detected by
the switch, so that you can configure a more accurate IP address scanning
threshold using the deception arp-request rate command. If a source scans IP
addresses at a rate below the threshold specified by the deception arp-request
rate command but its cumulative number of scans is large, the scanning behavior
may still be an attack.
Example
# Display the IP address scanning behavior detected by the switch.
<HUAWEI> display deception arp-request
---------------------------------------------------------------------------------------------------
Current total number = 2
---------------------------------------------------------------------------------------------------
source rate(num/10s) number vlan vpn-instance
---------------------------------------------------------------------------------------------------
10.1.1.1 4 231 10 public
10.1.1.2 1 280 10 public
--------------------------------------------------------------------------------
Format
display deception config-flow [ slot slot-id ]
Parameters
Parameter Description Value
slot slot-id Specifies a slot ID. The value must be set according to the device configuration.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
When a detected network segment, bait network segment, or deception whitelist
is configured, a configuration flow table is generated. If the preceding
configuration is changed, the switch checks whether the deceived traffic meets the
conditions of configuration flow tables and determines whether to lure the traffic
to the Decoy.
Example
# Display the configuration flow table.
<HUAWEI> display deception config-flow
Slot: 0
-------------------------------------------------------------------------------------------------------
CFG Flow ID 1 information:
-------------------------------------------------------------------------------------------------------
Priority :0
Action :1
Causeid :16384
Vpn-instance :
Source IP :10.10.11.11/255.255.255.255
-------------------------------------------------------------------------------------------------------
CFG Flow ID 2 information:
-------------------------------------------------------------------------------------------------------
Priority :1
Action :4
Causeid :4096
Vpn-instance :
Destination IP :192.168.1.0/255.255.255.240
-------------------------------------------------------------------------------------------------------
CFG Flow ID 3 information:
-------------------------------------------------------------------------------------------------------
Priority :3
Action :8
Causeid :1
Vpn-instance :
Destination IP :10.10.10.0/255.255.255.0
-------------------------------------------------------------------------------------------------------
CFG Flow ID 4 information:
-------------------------------------------------------------------------------------------------------
Priority :3
Action :8
Causeid :1
Vpn-instance :
Source IP :10.10.10.0/255.255.255.0
-------------------------------------------------------------------------------------------------------
CFG Flow ID 5 information:
-------------------------------------------------------------------------------------------------------
Priority :3
Action :8
Causeid :1
Vpn-instance :
Destination IP :192.168.1.0/255.255.255.0
-------------------------------------------------------------------------------------------------------
CFG Flow ID 6 information:
-------------------------------------------------------------------------------------------------------
Priority :3
Action :8
Causeid :1
Vpn-instance :
Source IP :192.168.1.0/255.255.255.0
-------------------------------------------------------------------------------------------------------
CFG Flow ID 7 information:
-------------------------------------------------------------------------------------------------------
Priority :0
Action :1
Causeid :16384
Vpn-instance :
Destination IP :10.10.10.22/255.255.255.255
Function
The display deception decoy-network command displays a bait network
segment.
Format
display deception decoy-network [ id id-number ]
Parameters
Parameter Description Value
id id-number Specifies the ID of a bait network segment. The value is an integer in the range from 1 to 50.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After configuring a bait network segment using the deception decoy-network
command, you can run the display deception decoy-network command to check
whether the bait network segment is correctly configured.
Example
# Display all bait network segments.
<HUAWEI> display deception decoy-network
-------------------------------------------------------------------------------------------------------
Current total number = 1
-------------------------------------------------------------------------------------------------------
Decoy-network ID 1 information:
-------------------------------------------------------------------------------------------------------
source/mask :any
destination/mask :192.168.1.0/255.255.255.240
destination-port :
vpn-instance :
Format
display deception detect-network [ id id-number ]
Parameters
Parameter Description Value
id id-number Specifies the ID of a detected network segment. The value is an integer in the range from 1 to 50.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After configuring a detected network segment using the deception detect-
network command, you can run the display deception detect-network
command to check whether the detected network segment is correctly configured.
Example
# Display the network segments detected for deception.
<HUAWEI> display deception detect-network
---------------------------------------------------------------------------------------------------
Current total number = 1
---------------------------------------------------------------------------------------------------
id ip-address/mask(For both source and destination) vpn-instance
---------------------------------------------------------------------------------------------------
1 192.168.10.0/255.255.255.0
Function
The display deception dns command displays the domain name scan status.
Format
display deception dns [ source ip-address ]
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
By observing the domain name scan status, network administrators can set a
more accurate domain name scan threshold using the deception dns-request
rate command.
If a source address never reaches the rate threshold but its total number of
requests is large, a low-and-slow attacker may be hiding behind this address.
Example
# Display domain name scan status.
<HUAWEI> display deception dns
--------------------------------------------------------------------------------
Current total number = 2
--------------------------------------------------------------------------------
source number rate(num/s) error-aci vpn-instance
--------------------------------------------------------------------------------
192.168.1.1 4 231 0 public
192.168.1.2 1 280 0 public
--------------------------------------------------------------------------------
recent request dns domain :
www.huawei.com
192.168.1.3.aci
Item Description
recent request dns domain Domain name in the latest request. A maximum of five domain names can be recorded.
Format
display deception flow [ slot slot-id ]
Parameters
Parameter Description Value
slot slot-id Specifies a slot ID. The value must be set according to the device configuration.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
In the deception flow table, you can view the traffic that meets certain conditions
and will be sent to the deception module. The deception module then determines
whether to lure the traffic to the Decoy based on the scanned IP address and TCP
port.
Precautions
When a detected network segment, bait network segment, or deception whitelist
is configured, a deception flow table is generated.
Example
# Display the deception flow table.
<HUAWEI> display deception flow
Slot: 0
--------------------------------------------------------------------------------
Flow ID 1 information:
--------------------------------------------------------------------------------
Status :Valid
Destination mac :0050-568c-1bbc
Vpn-instance :
--------------------------------------------------------------------------------
Flow ID 2 information:
--------------------------------------------------------------------------------
Status :Valid
Vpn-instance :
Eth_type :Arp
--------------------------------------------------------------------------------
Flow ID 4 information:
--------------------------------------------------------------------------------
Status :Valid
Vpn-instance :
Protocol :Tcp
Tcp_flag :Syn
--------------------------------------------------------------------------------
Flow ID 5 information:
--------------------------------------------------------------------------------
Status :Valid
Vpn-instance :
Protocol :Tcp
Tcp_flag :Syn | Ack
--------------------------------------------------------------------------------
Flow ID 6 information:
--------------------------------------------------------------------------------
Status :Valid
Vpn-instance :
Protocol :Tcp
Tcp_flag :Rst | Ack
Format
display deception decoy status
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
A DecoySensor initiates registration to a Decoy. If the registration succeeds:
● The registration status changes from INIT to ALIVE.
● The Decoy informs the DecoySensor of the list of ports for which the deception
service is provided. Only traffic whose destination port is in this list can be
lured to the Decoy for further detection.
● The DecoySensor and Decoy send heartbeat packets to each other every 5
seconds. If the DecoySensor does not receive heartbeat packets from the
Decoy within 60 seconds, its registration status changes to INIT. If the Decoy
does not receive heartbeat packets from the DecoySensor within 60 seconds,
it sends a deregistration packet to the DecoySensor. After the DecoySensor
receives the packet, its registration status changes to INIT.
Example
# Display the registration status of a DecoySensor on a Decoy.
<HUAWEI> display deception decoy status
Decoy register status information:
Register status : alive
Decoy select : master
Online time : 37062(s)
Send heartbeat timeout : 0(s)
Receive heartbeat timeout : 5(s)
Decoy register port information:
445 80 8080 443 22
3389 21 3306 6379
Send heartbeat timeout Period after the DecoySensor sent the last heartbeat packet, in seconds.
Format
display deception instance
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Example
# Check whether the deception process is normal.
<HUAWEI> display deception instance
------------------------------------------------------------------------------------------------------------
decpt * * normal
------------------------------------------------------------------------------------------------------------
Item Description
State Status:
● normal
● abnormal
Format
display deception interface
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
You can run this command to view information about all deception-enabled
interfaces, including the interface name, VLAN ID, and election status of interfaces
for detecting IP address scanning. If a detected network segment has been
configured using the deception detect-network command, the deception
function can be configured only on the interfaces whose IP addresses are on the
detected network segment.
Precautions
Interfaces whose IP addresses are not on the detected network segment cannot
detect IP address scanning or participate in the election.
Example
# Display information about all deception-enabled interfaces.
<HUAWEI> display deception interface
----------------------------------------------------------------------------------------------------------
Current total number = 0
----------------------------------------------------------------------------------------------------------
name ip-address vlan election-state master-ip vpn-instance
----------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------
Function
The display deception ip-redirect command displays information about deceived
traffic due to the scanning of offline IP addresses.
Format
display deception ip-redirect [ source-ip ip-address ] [ destination-ip ip-address ] [ destination-port port ]
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
None
Example
# Display information about deceived traffic due to the scanning of offline IP
addresses.
<HUAWEI> display deception ip-redirect
--------------------------------------------------------------------------------
Current total number = 1
--------------------------------------------------------------------------------
source destination port out-vlan vpn-instance left-time(s) packets
--------------------------------------------------------------------------------
10.1.1.1 10.1.1.2 * 10 public 432 0
--------------------------------------------------------------------------------
Format
display deception ip-state [ ip-address ] [ verbose ]
Parameters
Parameter Description Value
ip-address    Displays the online status of a specified IP address.    The value is in dotted decimal notation.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
A switch checks the online status of IP addresses every 30 minutes. If traffic
destined for address A is deceived, the interval for checking the online status of
address A is shortened to 10 to 110 seconds to minimize the adverse impact on
network services. The interval depends on the number of deceived source
addresses: more source addresses result in a longer interval.
The display deception ip-state command output does not contain the IP address
online status if the deception detect-network command is not used to set any
detected network segment.
Precautions
The IP addresses scanned by the DecoySensor must be on the detected network
segment, and the DecoySensor must have an IP address belonging to this network
segment.
The reset deception ip-state command clears the IP address online status and
immediately initiates the check on the online status of IP addresses.
Example
# Display the online status of IP addresses scanned by the switch.
<HUAWEI> display deception ip-state
---------------------------------------------------------------------------------------------------
Current total number = 0
---------------------------------------------------------------------------------------------------
ip-address state vlan vpn-instance
---------------------------------------------------------------------------------------------------
10.1.1.1 information:
---------------------------------------------------------------------------------------
state :online
vlan :10
vpn-instance :
proxy_flag :1
on2off_flag :0
redirect_num :0
---------------------------------------------------------------------------------------
Total displayed = 1
Item Description
ip-address IP address.
Function
The display deception port-redirect command displays information about
deceived traffic due to the scanning of unopened TCP ports.
Format
display deception port-redirect [ source-ip ip-address ] [ destination-ip ip-address ] [ destination-port port ]
Parameters
Parameter Description Value
source-ip ip-address    Specifies the source IP address of the deceived traffic.    The value is in dotted decimal notation.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
If it is found that deceived traffic is normal service traffic, run the reset deception
port-redirect command to delete the corresponding entry from the deception
flow table to release the traffic.
Example
# Display information about deceived traffic due to the scanning of unopened TCP
ports.
<HUAWEI> display deception port-redirect
---------------------------------------------------------------------------------------------------
Current total number = 0
---------------------------------------------------------------------------------------------------
source destination port out-vlan vpn-instance packets left-time(s)
---------------------------------------------------------------------------------------------------
Item Description
Format
display deception port-state [ ip-address ]
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
When a service host is busy, it responds with an RST-ACK packet even to normal
TCP access. As a result, the DecoySensor incorrectly considers that the host port is
not open and deceives normal traffic. To avoid this, the DecoySensor records the
port openness status based on the SYN-ACK packet returned by the service host
and keeps the record for 24 hours, until the record ages naturally or is updated
when a new SYN-ACK packet is generated. During this period, even if the
DecoySensor receives an RST-ACK packet from the corresponding port, it does not
deceive the traffic.
The DecoySensor records the port openness status only for TCP access requests
whose destination IP addresses are in the detected network segment. The
prerequisite for the DecoySensor to record the port openness status is that the
Decoy must support in-depth interaction services.
The reset deception port-state command clears the current port openness status.
Examples
# Display the port openness status of a service host.
<HUAWEI> display deception port-state
--------------------------------------------------------------------------------
Current total number = 2
--------------------------------------------------------------------------------
ip-address :192.168.1.1
vpn-instance :public
port state time_out(h)
80 open 24
8080 open 24
445 open 24
ip-address :192.168.1.2
vpn-instance :public
port state time_out(h)
80 open 24
8080 open 24
445 open 2
Item Description
port Port
Function
The display deception statistics command displays deception statistics.
Format
display deception statistics
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
To clear deception statistics, run the reset deception statistics command. Then,
run the display deception statistics command to view deception statistics in this
period.
Example
# Display deception statistics.
<HUAWEI> display deception statistics
Dataplane normal statistics information:
Receive local ip pkts : 9466
Receive arp request pkts : 143087
Receive arp reply pkts : 8671
Receive don't need check pkts : 9471
Receive from decoy pkts : 18605
Receive from decoy reg acks : 14884
Receive from decoy heartbeats : 3721
Constructor arp request pkts : 8216
Constructor arp reply pkts : 3860
Send to decoy pkts : 14884
Send to decoy regs : 14884
Send channel success pkts : 12076
Dataplane discard statistics information:
Send to decoy failed logs : 226
VPN header illegal packets discarded : 14884
Dataplane error statistics information:
Item                                       Description
Rpc msg send success                       Number of RPC messages that have been successfully sent.
Rpc msg recv success                       Number of RPC messages that have been successfully received.
Rpc msg send instance not exist            Number of RPC messages that fail to be sent because the instance does not exist.
Rpc msg recv poll failed                   Statistics about message query failures on the receiver.
Send RPC msg success                       Number of RPC messages that have been successfully sent.
Receive tcp decoy network pkts             Number of received packets that match the bait network segment.
Receive from decoy reg acks                Number of registration reply packets received from the Decoy.
Receive from decoy update decoy ports      Number of packets received from the Decoy for updating the honeypot service port.
Receive aci syn pkts                       Number of received SYN packets matching ACI entries.
Constructor arp request pkts               Number of constructed ARP requests.
Send to decoy heartbeats                   Number of heartbeat packets sent to the Decoy.
Dns answer query pkts for aci              Number of DNS request packets responded to using the ACI function.
Dns answer respond pkts                    Number of DNS reply packets modified using the ACI function.
Aci forward syn pkts                       Number of SYN packets forwarded using the ACI function.
Aci decoy syn pkts                         Number of SYN packets discarded or deceived using the ACI function.
Send RPC msg failed                        Number of RPC messages that fail to be sent.
Arp malloc node failed pkts                Number of packets discarded due to ARP table node application failures.
Ip port table malloc node failed pkts      Number of packets discarded due to port table node application failures.
Send to decoy failed heartbeats            Number of heartbeat packets that fail to be sent to the Decoy.
Send to decoy failed logs                  Number of log packets that fail to be sent to the Decoy.
Send to decoy failed iplist                Number of IP status packets that fail to be sent to the Decoy.
IP header illegal packets discarded        Number of packets discarded due to invalid IP headers.
IP frag packets discarded                  Number of discarded IP fragments.
Arp extend type illegal packets discarded  Statistics of packets discarded due to invalid ARP extended types.
Log cache num limit not merge              Number of logs that are not merged when the number of cached logs reaches the upper limit.
Log cache num limit not send               Number of logs that are not sent when the number of cached logs reaches the upper limit.
Aci source ip limit add fail               Number of ACI entry creation failures due to the limit on the number of source addresses that can be cached.
Smbuf pool head null                       Number of Smbuf resource application failures due to an empty Smbuf resource head.
Smbuf pool bad free flag                   Number of Smbuf resource application failures due to an incorrect release verification value of the Smbuf resource.
Function
The display deception syn-connect command displays the TCP port scanning
behavior detected by the switch.
Format
display deception syn-connect [ source-ip ip-address ]
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
You can run this command to check the TCP port scanning behavior detected by
the switch, so that you can configure a more accurate TCP port scanning threshold
using the deception syn-connect rate command. If a TCP port is scanned at a
lower frequency than the threshold specified by the deception syn-connect rate
command but has been scanned many times, the scanning behavior may be an
attack.
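The tuning check described above, as an added illustration (not Huawei code): it parses the layout of the display deception syn-connect output and flags sources that stay under the configured rate but have accumulated many SYN attempts. The sample rows are constructed (the page's own example shows zero entries), and it is assumed that the device counts a source as scanning when its rate reaches the threshold set with deception syn-connect rate.

```python
"""Parser for display deception syn-connect output plus the slow-scanner check
from the usage guidelines (added illustration, not Huawei code). Assumptions:
sample rows are constructed; "rate" is the per-second SYN rate compared with
"deception syn-connect rate"; a source at or above that rate is already
caught, so the check looks for sources below it with a large "number"."""
import re
from typing import Dict, List

# Constructed sample in the layout of the command output shown above.
SAMPLE_OUTPUT = """\
---------------------------------------------------------------------------------------------------
Current total number = 3
---------------------------------------------------------------------------------------------------
source          rate(num/s)  number  vlan  vpn-instance
---------------------------------------------------------------------------------------------------
10.1.1.5        2            1800    10    public
10.1.1.6        40           120     10    public
10.1.2.9        1            9       20    public
---------------------------------------------------------------------------------------------------
"""

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_syn_connect(text: str) -> List[Dict[str, object]]:
    """Return one dict per source row; separators, the header and the
    'Current total number' line are skipped because they do not start with an IPv4 address."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not IPV4.match(parts[0]):
            continue
        rows.append({
            "source": parts[0],
            "rate": float(parts[1]),
            "number": int(parts[2]),
            "vlan": parts[3],
            "vpn_instance": parts[4],
        })
    return rows


def slow_scanners(rows: List[Dict[str, object]], rate_threshold: float,
                  min_number: int) -> List[str]:
    """Sources below the configured rate that have nevertheless made at least
    min_number SYN attempts: the 'lower frequency but scanned many times' case."""
    return [str(r["source"]) for r in rows
            if float(r["rate"]) < rate_threshold and int(r["number"]) >= min_number]


def suggested_rate(rows: List[Dict[str, object]], rate_threshold: float,
                   min_number: int) -> float:
    """Largest rate threshold that would still catch every flagged slow scanner
    (assumes the device triggers at rate >= threshold). Returns the current
    threshold unchanged when nothing is flagged."""
    flagged = set(slow_scanners(rows, rate_threshold, min_number))
    rates = [float(r["rate"]) for r in rows if r["source"] in flagged]
    return min(rates) if rates else rate_threshold


if __name__ == "__main__":
    parsed = parse_syn_connect(SAMPLE_OUTPUT)
    print(slow_scanners(parsed, rate_threshold=10, min_number=100))
    print(suggested_rate(parsed, rate_threshold=10, min_number=100))
```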
Example
# Display the TCP port scanning behavior detected by the switch.
<HUAWEI> display deception syn-connect
---------------------------------------------------------------------------------------------------
Current total number = 0
---------------------------------------------------------------------------------------------------
source rate(num/s) number vlan vpn-instance
---------------------------------------------------------------------------------------------------
Item Description
Function
The display deception version command displays the DecoySensor version.
Format
display deception version
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
The DecoySensor and Decoy need to be used together, and they can communicate
with each other only when their versions are the same.
Example
# Display the DecoySensor version.
<HUAWEI> display deception version
Version 1.1.0
Item Description
Function
The display deception whitelist command displays the deception whitelist.
Format
display deception whitelist [ id id-number ]
Parameters
Parameter Description Value
id id-number Specifies a whitelist ID. The value is an integer in the range from
1 to 50.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After configuring a deception whitelist using the deception whitelist command,
you can run the display deception whitelist command to check whether the
deception whitelist is correctly configured.
Example
# Display deception whitelists.
<HUAWEI> display deception whitelist
---------------------------------------------------------------------------------------------------
Current total number = 1
---------------------------------------------------------------------------------------------------
Whitelist ID 1 information:
---------------------------------------------------------------------------------------------------
source/mask :192.168.10.10/255.255.255.255
destination/mask :any
vpn-instance :
Item Description
Function
The reset deception aci command updates ACI entries.
Format
reset deception aci
Parameters
None
Views
User view
Default Level
3: Management level
Usage Guidelines
After the ACI suffix is changed, you need to update the ACI entries. Otherwise, the
old ACI suffix becomes invalid only after the ACI entries age.
After the ACI entries are updated, access initiated by a terminal whose DNS record
has not yet aged is deceived. Therefore, change the ACI suffix when no service
traffic exists.
Example
# Update ACI entries.
<HUAWEI> reset deception aci
Warning:Reseting aci table will affect the normal service. Continue? [Y/N]:y
Format
reset deception arp-proxy
Parameters
None
Views
User view
Default Level
3: Management level
Usage Guidelines
None
Example
# Clear, from the online IP address table, the interface IP address of the switch
and the target IP addresses in the proxy ARP requests sent to the switch.
<HUAWEI> reset deception arp-proxy
Format
reset deception ip-state
Parameters
None
Views
User view
Default Level
3: Management level
Usage Guidelines
The reset deception ip-state command clears the IP address online status and
immediately initiates the check on the online status of IP addresses. There are two
exceptions:
● If traffic destined for address A is deceived, the online status of address A is
not cleared.
● The online status of IP addresses learned through proxy ARP is not cleared.
Example
# Update the online status of IP addresses on the network where the switch is
located.
<HUAWEI> reset deception ip-state
Function
The reset deception port-redirect command clears information about deceived
traffic that scanned unopened TCP ports and stops port deception.
Format
reset deception port-redirect [ source-ip ip-address ] [ destination-ip ip-address ] [ destination-port port ]
Parameters
Parameter Description Value
source-ip ip-address    Specifies the source IP address of the deceived traffic.    The value is in dotted decimal notation.
Views
User view
Default Level
3: Management level
Usage Guidelines
If it is found that deceived traffic is normal service traffic based on the display
deception port-redirect command, run the reset deception port-redirect
command to delete the corresponding entry from the deception flow table to
release the traffic.
Example
# Clear information about deceived traffic that scanned unopened TCP ports and
stop port deception.
<HUAWEI> reset deception port-redirect
Format
reset deception port-state
Parameters
None
Views
User view
Default Level
3: Management level
Usage Guidelines
The DecoySensor records the port openness status based on the SYN-ACK packet
returned by the service host and keeps the record for 24 hours, until the record
ages naturally or is updated when a new SYN-ACK packet is generated. During this
period, even if the DecoySensor receives an RST-ACK packet from the
corresponding port, it does not deceive the traffic.
If the port openness status of a service host changes, update the record in a
timely manner.
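The port-openness record logic described under display deception port-state and again here, as one added illustration (not Huawei code): a SYN-ACK creates a 24-hour record, an RST-ACK on a recorded port is not deceived, the record ages after 24 hours, and reset deception port-state clears everything. The detected network segment, hosts and timestamps are constructed, and time_out(h) is assumed to be the remaining lifetime rounded up to whole hours.

```python
"""Model of the DecoySensor port-openness record (added illustration, not Huawei
code). Assumptions: a SYN-ACK from a service host creates or refreshes a record
for (ip, port) that lives 24 hours; while the record exists an RST-ACK from that
port is not deceived; only destinations inside the detected network segment are
tracked; time_out(h) is the remaining lifetime rounded up to whole hours."""
import ipaddress
import math
from typing import Dict, List, Tuple

RECORD_TTL_S = 24 * 3600  # the page: record saved for 24 hours


class PortStateTable:
    def __init__(self, detect_network: str) -> None:
        # Segment set with "deception detect-network" (constructed value).
        self.detect_network = ipaddress.ip_network(detect_network)
        # (ip, port) -> expiry time in seconds.
        self.records: Dict[Tuple[str, int], float] = {}

    def _expire(self, now: float) -> None:
        # Natural aging: drop records older than 24 hours.
        self.records = {k: exp for k, exp in self.records.items() if exp > now}

    def is_open(self, ip: str, port: int, now: float) -> bool:
        self._expire(now)
        return (ip, port) in self.records

    def observe(self, ip: str, port: int, flag: str, now: float) -> str:
        """Process a reply from service host ip:port; flag is "SYN-ACK" or "RST-ACK".

        Returns what the sensor does with it:
        "ignore"  - destination outside the detected network segment
        "record"  - SYN-ACK seen, openness record created or refreshed
        "pass"    - RST-ACK but a valid record exists, traffic not deceived
        "deceive" - RST-ACK with no record, port treated as unopened
        """
        self._expire(now)
        if ipaddress.ip_address(ip) not in self.detect_network:
            return "ignore"
        if flag == "SYN-ACK":
            self.records[(ip, port)] = now + RECORD_TTL_S  # 24 h from this reply
            return "record"
        if flag == "RST-ACK":
            return "pass" if (ip, port) in self.records else "deceive"
        raise ValueError(f"unknown TCP flag combination: {flag}")

    def reset(self) -> None:
        # Equivalent of "reset deception port-state": clear every record.
        self.records.clear()

    def dump(self, now: float) -> List[Tuple[str, int, str, int]]:
        """Rows in the shape of display deception port-state:
        (ip-address, port, state, time_out(h))."""
        self._expire(now)
        rows = []
        for (ip, port), exp in sorted(self.records.items()):
            rows.append((ip, port, "open", math.ceil((exp - now) / 3600)))
        return rows


def demo() -> Dict[str, str]:
    """Walk through the scenario in the text: a busy host answers RST-ACK on a
    port that earlier replied SYN-ACK, so the sensor must not deceive it."""
    table = PortStateTable("192.168.1.0/24")  # constructed detected segment
    t0 = 0.0
    out: Dict[str, str] = {}
    # Destination outside the detected segment is not tracked at all.
    out["outside"] = table.observe("10.0.0.9", 80, "SYN-ACK", t0)
    out["syn_ack_80"] = table.observe("192.168.1.1", 80, "SYN-ACK", t0)
    # Host busy one hour later: RST-ACK on a port with a valid record.
    out["busy_rst_80"] = table.observe("192.168.1.1", 80, "RST-ACK", t0 + 3600)
    # RST-ACK on a port that never answered SYN-ACK: treated as unopened.
    out["rst_23"] = table.observe("192.168.1.1", 23, "RST-ACK", t0 + 3600)
    # Record aged after 24 hours: the same RST-ACK is now deceived.
    out["aged_rst_80"] = table.observe("192.168.1.1", 80, "RST-ACK", t0 + 25 * 3600)
    return out


if __name__ == "__main__":
    for step, action in demo().items():
        print(f"{step:12s} -> {action}")
```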
Examples
# Update the port openness status of a service host.
<HUAWEI> reset deception port-state
Format
reset deception statistics
Parameters
None
Views
User view
Default Level
3: Management level
Usage Guidelines
To clear deception statistics, run the reset deception statistics command. Then,
run the display deception statistics command to view deception statistics in this
period.
Example
# Clear deception statistics.
<HUAWEI> reset deception statistics
Format
display terminal configuration
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After running the terminal command to manually enter terminal information, you
can run the display terminal configuration command to check the manually
entered terminal information.
Example
# Display the manually entered terminal information.
<HUAWEI> display terminal configuration
---------------------------------------------------------------------------------------
MAC Address IP Address Mask Interface Category
---------------------------------------------------------------------------------------
00e0-fc11-1111 10.10.1.1 - - printer
00e0-fc11-1112 10.10.1.2 255.255.255.0 - printer
---------------------------------------------------------------------------------------
Total items displayed = 2
Item Description
Function
The display terminal information command displays terminal entries.
Format
display terminal information { all | mac-address mac-address }
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
You can run this command to view terminal entries, including the MAC address,
type, access interface, anomaly detection result, isolation status, and aging time of
the terminal.
The device generates an entry for a terminal only when the terminal information
manually entered using the terminal command matches the ARP packets sent by
the terminal. Then you can run this command to view the terminal entry.
Example
# Display entries of all terminals.
<HUAWEI> display terminal information all
Status: N - Normal, F - Flow abnormal U - Unknown
IP - Ip abnormal, INT - Interface abnormal
INTIP - Interface and ip abnormal
------------------------------------------------------------------------------------------------------------
MAC Address Category Ip Address Interface Status Isolation Inspect Expire(minute)
------------------------------------------------------------------------------------------------------------
00e0-fc11-1111 Printer 10.1.10.1 GigabitEthernet0/0/1 N No Enable 30
00e0-fc22-2222 Ip-camera 10.1.20.1 GigabitEthernet0/0/2 N No Enable 24
------------------------------------------------------------------------------------------------------------
Total: 1, printed: 1
Item Description
Function
The display terminal-inspect abnormal-reason command displays the terminal
anomaly cause.
Format
display terminal-inspect abnormal-reason { all | mac-address mac-address }
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
You can run this command to check the anomaly cause of a terminal.
Prerequisites
The terminal-inspect flow enable command has been run in the system view to
enable terminal anomaly detection globally.
Example
# Display the anomaly causes of all terminals.
<HUAWEI> display terminal-inspect abnormal-reason all
---------------------------------
MAC AbnormalReason
---------------------------------
00e0-fc11-1111 stream-model
00e0-fc11-1112 stream-model
---------------------------------
Total: 2, printed: 2
Item Description
Function
The display terminal-inspect cache-data command displays terminal traffic data
cached on the device.
Format
display terminal-inspect cache-data [ mac-address mac-address ]
Parameters
Parameter Description Value
mac-address mac-address    Specifies the MAC address of a terminal.    The value must be the MAC address of an existing terminal. The value is in H-H-H format. An H is a 4-digit hexadecimal number.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
After the terminal-inspect cache-data command is run to enable the traffic data
caching function for a terminal, you can run the display terminal-inspect cache-data
command to view the traffic data of the terminal.
Prerequisites
1. The terminal-inspect flow enable command has been run in the system
view to enable terminal anomaly detection globally.
2. The terminal-inspect cache-data command has been run in the system view
to enable the traffic data caching function for a terminal.
Precautions
A maximum of 128 terminal traffic data records can be displayed on the device,
and the latest 128 records are saved in time sequence.
Example
# Display terminal traffic data cached on the device.
<HUAWEI> display terminal-inspect cache-data
MAC: 00e0-fc11-1111
-------------------------------------------------------------------------------------
TimeStamp SrcMac DstMac SrcPort DstPort Protocol Byte Packet
-------------------------------------------------------------------------------------
8743 00e0-fc11-1111 00e0-fc22-2222 0 1000 17 34688 271
-------------------------------------------------------------------------------------
Total: 1, printed: 1
Item Description
Function
The display terminal-inspect category command displays the types of terminals
for which terminal anomaly detection is enabled.
Format
display terminal-inspect category
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
After the terminal anomaly detection function is enabled, you can run this
command to view the terminal types.
Prerequisites
The terminal-inspect flow enable command has been run in the system view to
enable terminal anomaly detection globally.
Example
# Display the types of terminals for which terminal anomaly detection is enabled.
<HUAWEI> display terminal-inspect category
--------------------
Id Category
--------------------
1 ip-camera
2 voip-phone
--------------------
Total: 2
Item Description
Id Terminal ID.
Format
display terminal-inspect result { all | mac-address mac-address }
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
You can run this command to view the comprehensive anomaly detection result of
the traffic behavior model of a terminal, including the update time of the
detection result, MAC address of the terminal, and detection result.
Example
# Display the anomaly detection results of all terminals.
<HUAWEI> display terminal-inspect result all
---------------------------------------------
Mac-address Time Result
---------------------------------------------
00e0-fc11-1111 2021-04-29 13:10:07 abnormal
00e0-fc22-2222 2021-04-29 13:10:07 abnormal
---------------------------------------------
Total: 2, printed: 2
Item Description
Function
The display terminal-inspect supervised abnormal-reason command displays
the anomaly degree of terminal detection indicators.
Format
display terminal-inspect supervised abnormal-reason { all | mac-address mac-address }
Parameters
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
To locate terminal anomaly problems, you can run this command to check the
anomaly degree of terminal detection indicators for further analysis. Exercise
caution when running the display terminal-inspect supervised abnormal-reason
all command. Excessive information output affects system performance.
Example
# Display the anomaly degree of detection indicators for the terminal whose MAC
address is 00e0-fc11-1111.
<HUAWEI> system-view
[HUAWEI] diagnose
[HUAWEI-diagnose] display terminal-inspect supervised abnormal-reason mac-address 00e0-fc11-1111
UpstreamTrafficRate: upstream traffic rate of a terminal
DownstreamTrafficRate: downstream traffic rate of a terminal
TotalTrafficRate: total traffic rate of a terminal
DestinationPort: destination port number in packets sent by a terminal
Ratio: ratio of the upstream traffic rate to the downstream traffic rate of a terminal
----------------------------------------------------------------------------------------------------------------------------
MAC UpstreamTrafficRate DownstreamTrafficRate TotalTrafficRate DestinationPort Ratio
00e0-fc11-1111 82% 1% 4% 4% 9%
----------------------------------------------------------------------------------------------------------------------------
Total: 1, printed: 1
Function
The display terminal-inspect terminal-list command displays the list of
terminals under anomaly detection.
Format
display terminal-inspect [ category category-name ] terminal-list
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
This command displays only the terminals that are enabled with anomaly
detection and are not isolated.
Prerequisites
The terminal-inspect flow enable command has been run in the system view to
enable terminal anomaly detection globally.
Example
# Display the list of all terminals under anomaly detection.
<HUAWEI> display terminal-inspect terminal-list
------------------------------
MAC Category
------------------------------
00e0-fc11-1111 ip-camera
00e0-fc22-2222 voip-phone
------------------------------
Total: 2, printed: 2
Item Description
Format
display terminal-isolate { apply | exclude } configuration
Parameters
Parameter Description Value
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After a terminal isolation policy is configured, you can run this command to view
the configuration of the terminal isolation policy.
Example
# Display the terminal isolation policy applied to the device.
<HUAWEI> display terminal-isolate apply configuration
-------------------------------------------------------------------------------------------
Category MAC Address Block Period(minutes) Template Name
-------------------------------------------------------------------------------------------
printer 00e0-fc11-1111 YES 35 test1
printer 00e0-fc22-2222 NO 20 test2
-------------------------------------------------------------------------------------------
Total items = 2
Item Description
Function
The reset terminal-inspect cache-data command clears the terminal traffic data
cached on the device.
Format
reset terminal-inspect cache-data
Parameters
None
Views
User view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To view the latest terminal traffic data, run the reset terminal-inspect cache-data
command to clear the cached terminal traffic data. After a period of time,
run the display terminal-inspect cache-data command to view the cached
terminal traffic data.
Prerequisites
1. The terminal-inspect flow enable command has been run in the system
view to enable terminal anomaly detection globally.
2. The terminal-inspect cache-data command has been run in the system view
to enable the traffic data caching function for a terminal.
Example
# Clear the terminal traffic data cached on the device.
<HUAWEI> reset terminal-inspect cache-data
14.23.12 terminal
Function
The terminal command allows you to manually enter terminal information.
The undo terminal command deletes the manually entered terminal information.
By default, no terminal information is manually entered on the device.
Format
terminal { mac-address mac-address [ ip-address ip-address | interface interface-type interface-number ] | ip-address ip-address { mask | mask-length } | interface { interface-type interface-number &<1-8> | interface-type interface-number1 to interface-number2 } } category { printer | voip-phone | ip-camera }
undo terminal { mac-address mac-address | ip-address ip-address { mask | mask-length } | interface { interface-type interface-number &<1-8> | interface-type interface-number to interface-number } }
undo terminal { mac-address | ip-address | interface } all
Parameters
Parameter Description Value
interface-type interface-number
  Description: Specifies the type and number of an interface.
  Value: The interface type cannot be set to Eth-Trunk.
interface-type interface-number1 to interface-number2
  Description: Specifies the type and number of an interface. interface-number1 and interface-number2 specify an interface range. interface-number1 specifies the number of the first interface, and interface-number2 specifies the number of the last interface. The value of interface-number2 must be larger than that of interface-number1.
  Value: The interface type cannot be set to Eth-Trunk. In a stack, interface-number1 and interface-number2 cannot reside on different devices. That is, the slot IDs of the interfaces corresponding to interface-number1 and interface-number2 must be the same.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
You can run this command to manually enter the MAC address, IP address, type,
and access interface of a terminal.
Precautions
If different terminals have the same MAC address, their information cannot be
recorded.
The device generates an entry for a terminal only when the terminal information
manually entered using the terminal command matches the ARP packets sent by
the terminal and terminal anomaly detection has been enabled globally using the
terminal-inspect flow enable command. Then you can run the display terminal
information command to view the terminal entry information.
You can run this command to manually enter the access interface information of a
terminal only when the device is directly connected to the terminal. Otherwise, the
terminal may be incorrectly identified.
Example
# Manually enter the following terminal information: The terminal MAC address is
00e0-fc11-1111, the IP address is 10.1.1.1, and the terminal type is printer.
<HUAWEI> system-view
[HUAWEI] terminal mac-address 00e0-fc11-1111 ip-address 10.1.1.1 category printer
Format
terminal-inspect cache-data mac-address mac-address [ max-num max-num ]
undo terminal-inspect cache-data mac-address mac-address [ max-num max-num ]
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
If the algorithm used for terminal anomaly detection is incorrect, engineers need
to analyze the original traffic data to locate the problem. To view the traffic data
of a terminal, run the terminal-inspect cache-data command to enable the
traffic data caching function for the terminal. If you want to delete the cached
traffic data of a terminal and disable the device from caching the traffic data of
the terminal, run the undo terminal-inspect cache-data command to disable the
traffic data caching function for the terminal.
Prerequisites
The terminal-inspect flow enable command has been run in the system view to
enable terminal anomaly detection globally.
Follow-up Procedure
Precautions
If you run this command multiple times, only the latest configuration takes effect.
Example
# Enable the traffic data caching function for the terminal whose MAC address is
00e0-fc12-3456.
<HUAWEI> system-view
[HUAWEI] terminal-inspect cache-data mac-address 00e0-fc12-3456
Function
The terminal-inspect category command enables terminal anomaly detection for
a specified type of terminal.
Format
terminal-inspect category { printer | voip-phone | ip-camera } [ [ exclude ]
mac-address mac-address ]
undo terminal-inspect category { printer | voip-phone | ip-camera }
[ [ exclude ] mac-address mac-address ]
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
You can run the terminal-inspect category command to enable terminal
anomaly detection for a specified type of terminal. After this command is
configured, the device compares the traffic behavior model with the actual traffic
behavior of the terminal to determine whether the traffic behavior of the terminal
is abnormal.
The following uses printers as an example to describe how to use the terminal-inspect category command:
Example
# Enable terminal anomaly detection for all printers.
<HUAWEI> system-view
[HUAWEI] terminal-inspect category printer
Format
terminal-inspect flow enable
undo terminal-inspect flow
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
You can run the terminal-inspect flow enable command to enable terminal
anomaly detection globally.
After terminal anomaly detection is enabled globally, the device sends the ARP
packet received from a terminal to the CPU, and checks whether the IP address
and access interface of the terminal are abnormal based on the terminal entry.
The device generates an entry for a terminal only when the terminal information
manually entered by the administrator matches the ARP packet sent by the
terminal and the device sends the ARP packet to the CPU.
Precautions
● The terminal-inspect flow enable command is mutually exclusive with the
following commands:
– s-ipfpm measure flow (enables packet loss and delay measurement)
– s-ipfpm measure auto-detect (enables automatic in-band flow
measurement)
– ip netstream (enables IPv4 traffic statistics collection on the inbound
and outbound interfaces)
– ipv6 netstream (enables IPv6 traffic statistics collection on the inbound
and outbound interfaces)
Example
# Enable terminal anomaly detection globally.
<HUAWEI> system-view
[HUAWEI] terminal-inspect flow enable
Format
terminal-isolate category { printer | voip-phone | ip-camera } { [ mac-address mac-address ] apply template template-name | exclude mac-address mac-address }
undo terminal-isolate category { printer | voip-phone | ip-camera } { [ mac-address mac-address ] apply template template-name | exclude mac-address mac-address }
undo terminal-isolate { apply | exclude } all
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
To implement the terminal isolation action configured in a terminal isolation
template for abnormal terminals of a specified type, run the terminal-isolate
category { printer | voip-phone | ip-camera } [ mac-address mac-address ]
apply template template-name command to apply the configured isolation
template to all terminals of this type. Then if a terminal of this type does not need
to be isolated, you can run the terminal-isolate category { printer | voip-phone |
ip-camera } exclude mac-address mac-address command to add the terminal to
the isolation whitelist.
Precautions
Before running the terminal-isolate category { printer | voip-phone | ip-camera } [ mac-address mac-address ] apply template template-name command, run the terminal-isolate template command to create a terminal isolation template. To make the terminal isolation template take effect, you must run the terminal-isolate action command in the terminal isolation template view to configure a terminal isolation action.
Example
# Apply the isolation template named test to all printers. In the isolation
template, set the terminal isolation action to block.
<HUAWEI> system-view
[HUAWEI] terminal-isolate template test
[HUAWEI-terminal-isolate-test] terminal-isolate action block
[HUAWEI-terminal-isolate-test] quit
[HUAWEI] terminal-isolate category printer apply template test
Format
terminal-isolate template template-name
undo terminal-isolate template template-name
Parameters
Parameter Description Value
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Follow-up Procedure
Example
# Create a terminal isolation template named test.
<HUAWEI> system-view
[HUAWEI] terminal-isolate template test
Function
The terminal-isolate action command configures a terminal isolation action.
Format
terminal-isolate action block
Parameters
Parameter Description Value
Views
Terminal isolation template view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When configuring a terminal isolation policy, you need to run the terminal-isolate template command to create a terminal isolation template, configure a terminal isolation action in the terminal isolation template view, and run the terminal-isolate category command to bind the terminal isolation template to a specified type of terminal.
When the terminal isolation action is set to block, the device discards packets
from spoofed terminals identified by the device.
Follow-up Procedure
Example
# In the isolation template named test, set the terminal isolation action to block.
<HUAWEI> system-view
[HUAWEI] terminal-isolate template test
[HUAWEI-terminal-isolate-test] terminal-isolate action block
Function
The terminal-isolate period command sets the aging time of a terminal isolation
action.
By default, the aging time is not configured for a terminal isolation action,
meaning that a terminal isolation action does not age.
Format
terminal-isolate period period-time
Parameters
Views
Terminal isolation template view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When configuring a terminal isolation policy, you need to run the terminal-isolate template command to create a terminal isolation template, configure a terminal isolation action and the aging time of the action in the terminal isolation template view, and run the terminal-isolate category command to bind the terminal isolation template to a specified type of terminal.
By default, the aging time is not configured for a terminal isolation action,
meaning that the device always implements the configured terminal isolation
action for the identified spoofed terminals. To prevent abnormal terminals from
being isolated after recovery, you can run the terminal-isolate period command
to set the aging time of the terminal isolation action. When the aging time
arrives, the device re-identifies whether the terminal is a spoofed terminal and
determines whether to implement the configured terminal isolation action.
Prerequisites
The terminal-isolate action command has been run in the terminal isolation
template view to configure a terminal isolation action.
Follow-up Procedure
Example
# Configure an isolation template named test, set the terminal isolation action to
block, and set the aging time of the terminal isolation action to 60 minutes. Apply
the isolation template named test to all printers.
<HUAWEI> system-view
[HUAWEI] terminal-isolate template test
[HUAWEI-terminal-isolate-test] terminal-isolate action block
[HUAWEI-terminal-isolate-test] terminal-isolate period 60
[HUAWEI-terminal-isolate-test] quit
[HUAWEI] terminal-isolate category printer apply template test
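To trace how the terminal anomaly check (ARP packet compared with the administrator-entered terminal entry), the isolation whitelist and the aging time interact, here is an added Python model of the behaviour described in the terminal-inspect flow and terminal-isolate sections above. It is not Huawei code; the terminal entry, ARP packets and minute timings are constructed, and the model assumes each ARP packet has already been matched to its terminal entry by MAC address.

```python
# Added example, not Huawei's code: models the terminal anomaly check and the
# isolation policy described above; entries, ARP packets and timings are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class TerminalEntry:          # terminal information entered by the administrator
    mac: str
    category: str             # printer | voip-phone | ip-camera
    ip: str
    interface: str

@dataclass(frozen=True)
class ArpPacket:              # fields of an ARP packet sent to the CPU for checking
    sender_ip: str            # (assumed already matched to the entry by MAC)
    in_interface: str

@dataclass
class IsolateTemplate:        # terminal-isolate template: action plus optional aging
    name: str
    action: Optional[str] = None      # "block" is the only action on this page
    period_min: Optional[int] = None  # None: the action never ages

@dataclass
class IsolationPolicy:        # terminal-isolate category ... apply / exclude
    templates: Dict[str, IsolateTemplate] = field(default_factory=dict)
    applied: Dict[str, str] = field(default_factory=dict)  # category -> template
    excluded: Set[str] = field(default_factory=set)        # whitelisted MACs

def is_spoofed(entry: TerminalEntry, arp: ArpPacket) -> bool:
    """Abnormal when the IP address or access interface in the ARP packet
    differs from the administrator-entered terminal entry."""
    return arp.sender_ip != entry.ip or arp.in_interface != entry.interface

def effective_template(policy: IsolationPolicy,
                       entry: TerminalEntry) -> Optional[IsolateTemplate]:
    """Template applying to this terminal; None if it is whitelisted, its
    category has no template, or the template has no action configured."""
    if entry.mac in policy.excluded:
        return None
    tmpl = policy.templates.get(policy.applied.get(entry.category, ""))
    return tmpl if tmpl and tmpl.action else None

def simulate(policy: IsolationPolicy, entry: TerminalEntry,
             observations: List[Tuple[int, ArpPacket]]) -> List[Tuple[int, str]]:
    """Replay (minute, ARP packet) observations; return the transitions: the
    action when isolation starts or is re-applied after the aging time,
    "release" when re-identification finds the terminal normal."""
    tmpl = effective_template(policy, entry)
    if tmpl is None:
        return []
    events: List[Tuple[int, str]] = []
    isolated_since: Optional[int] = None
    for minute, arp in sorted(observations, key=lambda o: o[0]):
        if isolated_since is None:
            if is_spoofed(entry, arp):
                events.append((minute, tmpl.action))
                isolated_since = minute
        elif tmpl.period_min is None or minute < isolated_since + tmpl.period_min:
            pass              # still isolated; without an aging time, indefinitely
        elif is_spoofed(entry, arp):      # aging time reached: re-identify
            events.append((minute, tmpl.action))
            isolated_since = minute
        else:
            events.append((minute, "release"))
            isolated_since = None
    return events
```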
14.24.1 ah authentication-algorithm
Function
The ah authentication-algorithm command specifies the authentication
algorithm for AH protocol.
NOTE
All models support this command, except S200, S1730S-S and S1730S-S1.
Format
ah authentication-algorithm md5
Parameters
Parameter Description Value
Views
IPSec proposal view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
IPSec can use the AH protocol to authenticate packets, preventing packets from being
intercepted or modified. You can run the ah authentication-algorithm command
to configure the authentication algorithm for the AH protocol.
Prerequisite
The protocol of this IPSec proposal has been configured to AH using the
transform command.
Precautions
Example
# Configure the IPSec proposal prop1 to use the AH protocol, and specify MD5 as
the authentication algorithm.
<HUAWEI> system-view
[HUAWEI] ipsec proposal prop1
[HUAWEI-ipsec-proposal-prop1] transform ah
[HUAWEI-ipsec-proposal-prop1] ah authentication-algorithm md5
14.24.2 dh
Function
The dh command specifies a DH group used for IKE negotiation.
NOTE
All models support this command, except S200, S1730S-S and S1730S-S1.
Format
dh { group1 | group2 | group5 }
Parameters
Parameter Description Value
Views
Efficient VPN policy view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
Example
# Specify the 1024-bit DH group in IKE negotiation phase 1.
<HUAWEI> system-view
[HUAWEI] ipsec efficient-vpn evpn mode client
[HUAWEI-ipsec-efficient-vpn-evpn] dh group2
NOTE
All models support this command, except S200, S1730S-S and S1730S-S1.
Format
esp authentication-algorithm md5
Parameters
Parameter Description Value
Views
IPSec proposal view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
IPSec can use the ESP protocol to authenticate and encrypt packets, preventing
packets from being intercepted or modified. You can run the esp authentication-algorithm command to configure the authentication algorithm for the ESP protocol.
Prerequisite
The protocol of this IPSec proposal has been configured to ESP using the
transform command.
Precautions
The authentication algorithms on both IPSec peers must be identical.
The authentication algorithm and encryption algorithm for ESP protocol cannot be
both set to NULL.
Example
# Configure the IPSec proposal prop1 to use the ESP protocol, and specify MD5 as
the authentication algorithm.
<HUAWEI> system-view
[HUAWEI] ipsec proposal prop1
[HUAWEI-ipsec-proposal-prop1] transform esp
[HUAWEI-ipsec-proposal-prop1] esp authentication-algorithm md5
NOTE
All models support this command, except S200, S1730S-S and S1730S-S1.
Format
esp encryption-algorithm des
Parameters
Parameter Description Value
Views
IPSec proposal view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
IPSec can use the ESP protocol to authenticate and encrypt packets, preventing
packets from being intercepted or modified. You can run the esp encryption-algorithm command to configure the encryption algorithm for the ESP protocol.
Prerequisite
The protocol of this IPSec proposal has been configured to ESP using the
transform command.
Precautions
The encryption algorithms on both IPSec peers must be identical.
The authentication algorithm and encryption algorithm for ESP protocol cannot be
both set to NULL.
Example
# Configure the IPSec proposal prop1 to use the ESP protocol, and specify DES as
the encryption algorithm.
<HUAWEI> system-view
[HUAWEI] ipsec proposal prop1
[HUAWEI-ipsec-proposal-prop1] transform esp
[HUAWEI-ipsec-proposal-prop1] esp encryption-algorithm des
Format
load-module weakea
Parameters
None
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Before installing the WEAKEA plug-in, run the load-module weakea command in
the user view to load the WEAKEA plug-in (for example, xxxWEAKEA.mod) from
the system software to the plug-in installation directory $_install_mod.
Follow-up Procedure
Precautions
Example
# Load the WEAKEA plug-in from the system software.
<HUAWEI> load-module weakea
14.24.6 pfs
Function
The pfs command enables PFS when the local end initiates IPSec tunnel
negotiation.
NOTE
All models support this command, except S200, S1730S-S and S1730S-S1.
Format
pfs { dh-group1 | dh-group2 | dh-group5 }
Parameters
Views
Efficient VPN policy view
Default Level
2: Configuration level
Usage Guidelines
When the local end initiates negotiation, there is an additional DH exchange in
IKEv1 phase 2 or IKEv2 CREATE_CHILD_SA exchange. The additional DH exchange
ensures security of the IPSec SA key and improves communication security.
Example
# Enable PFS (using the 1024-bit DH group) when the local end initiates IPSec
tunnel negotiation.
<HUAWEI> system-view
[HUAWEI] ipsec efficient-vpn evpn mode client
[HUAWEI-ipsec-efficient-vpn-evpn] pfs dh-group2
Format
pki export rsa-key-pair key-name [ and-certificate certificate-name ] { pem file-name [ 3des | des ] | pkcs12 file-name } password password
Parameters
Parameter Description Value
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Before transferring or backing up an RSA key pair, run this command to enable the
device to generate the PEM or PKCS12 file carrying this RSA key pair (which may
include the certificate) in its flash memory.
Before using this command, run the display pki rsa local-key-pair command to
view RSA key pair information on the device.
Prerequisites
The RSA key pair has been created and configured to be exportable using the pki
rsa local-key-pair create command, or it has been imported to the device
memory and configured to be exportable using the pki import rsa-key-pair
command.
Precautions
The RSA key pair is sensitive information. Delete and destroy the exported RSA key
pair on the device or storage device as soon as you no longer need it.
Example
# Export the RSA key pair key1 to the file aaa.pem and set the encryption mode
to DES.
<HUAWEI> system-view
[HUAWEI] pki rsa local-key-pair create key1 exportable
Info: The name of the new key-pair will be: key1
The size of the public key ranges from 512 to 4096.
Input the bits in the modules:2048
Generating key-pairs...
......+++
....................+++
[HUAWEI] pki export rsa-key-pair key1 pem aaa.pem DES password Admin@1234
Warning: Exporting the key pair impose security risks, are you sure you want to
export it? [y/n]:y
Info: Succeeded in exporting the RSA key pair in PEM format.
Format
set cipher-suite { tls12_ck_rsa_aes_256_cbc_sha256 | tls1_ck_dhe_dss_with_aes_128_sha | tls1_ck_dhe_dss_with_aes_256_sha | tls1_ck_dhe_rsa_with_aes_128_sha | tls1_ck_dhe_rsa_with_aes_256_sha | tls1_ck_rsa_with_aes_128_sha | tls1_ck_rsa_with_aes_256_sha }
Parameters
Parameter Description Value
Views
Customized SSL cipher suite policy view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To configure cipher suites for a customized SSL cipher suite policy, run the set
cipher-suite command.
Precautions
If a customized SSL cipher suite policy is being referenced by an SSL policy, the
cipher suites in the customized cipher suite policy can be added, modified, or
partially deleted. Deleting all of the cipher suites is not allowed.
Example
# Configure the tls12_ck_rsa_aes_256_cbc_sha256 cipher suite for the customized
SSL cipher suite policy named cipher1.
<HUAWEI> system-view
[HUAWEI] ssl cipher-suite-list cipher1
[HUAWEI-ssl-cipher-suite-cipher1] set cipher-suite tls12_ck_rsa_aes_256_cbc_sha256
Format
ssh client cipher { des_cbc | 3des_cbc | aes128_cbc | aes256_cbc } *
Parameters
Parameter Description Value
Views
System view
Default Level
3: Management level
Usage Guidelines
An SSH server and a client need to negotiate an encryption algorithm for the
packets exchanged between them. You can run the ssh client cipher command to
configure an encryption algorithm list for the SSH client. After the SSH server
receives a packet from the client, the server matches the encryption algorithm list
of the client against its local list and selects the first matched encryption
algorithm. If no encryption algorithm matches, the negotiation fails.
Example
# Configure CBC encryption algorithms for an SSH client.
<HUAWEI> system-view
[HUAWEI] ssh client cipher aes128_cbc aes256_cbc
Function
The ssh client hmac command configures an HMAC algorithm list for an SSH
client.
The undo ssh client hmac command restores the default HMAC algorithm list of
an SSH client.
Format
ssh client hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256_96 } *
Parameters
Parameter Description Value
Views
System view
Default Level
3: Management level
Usage Guidelines
An SSH server and a client need to negotiate an HMAC algorithm for the packets
exchanged between them. You can run the ssh client hmac command to
configure an HMAC algorithm list for the SSH client. After the SSH server receives
a packet from the client, the server matches the list of the client against its local
list and selects the first matched HMAC algorithm. If no HMAC algorithm
matches, the negotiation fails.
Example
# Configure the HMAC sha2_256_96 algorithm for an SSH client.
<HUAWEI> system-view
[HUAWEI] ssh client hmac sha2_256_96
Format
ssh client key-exchange { dh_group14_sha1 | dh_group1_sha1 | dh_group_exchange_sha1 } *
undo ssh client key-exchange
Parameters
Parameter Description Value
Views
System view
Default Level
3: Management level
Usage Guidelines
The client and server negotiate the key exchange algorithm used for packet
transmission. You can run the ssh client key-exchange command to configure a
key exchange algorithm list for the SSH client. The SSH server compares the
configured key exchange algorithm list with the counterpart sent by the client and
then selects the first matched key exchange algorithm for packet transmission. If
the key exchange algorithm list sent by the client does not match any algorithm in
the key exchange algorithm list configured on the server, the negotiation fails.
Example
# Configure the key exchange algorithm list dh_group1_sha1 on the SSH client.
<HUAWEI> system-view
[HUAWEI] ssh client key-exchange dh_group1_sha1
Function
The ssh server cipher command configures an encryption algorithm list for an
SSH server.
The undo ssh server cipher command restores the default encryption algorithm
list of an SSH server.
Format
ssh server cipher { des_cbc | 3des_cbc | aes128_cbc | aes256_cbc } *
Parameters
Parameter Description Value
Views
System view
Default Level
3: Management level
Usage Guidelines
An SSH server and a client need to negotiate an encryption algorithm for the
packets exchanged between them. You can run the ssh server cipher command to
configure an encryption algorithm list for the SSH server. After the SSH server
receives a packet from the client, the server matches the encryption algorithm list
of the client against its local list and selects the first matched encryption
algorithm. If no encryption algorithm matches, the negotiation fails.
Example
# Configure CBC encryption algorithms for an SSH server.
<HUAWEI> system-view
[HUAWEI] ssh server cipher aes256_cbc aes128_cbc
The undo sshd server command deletes the algorithms that can be used by a
switch to establish a NETCONF session with a third-party controller.
The algorithms that can be configured by this command have low security. By
default, the switch does not support these algorithms when establishing a
NETCONF session with a third-party controller.
NOTE
All models support this command, except S1720GW, S1720GW-E, S1720GWR, S1720GWR-E,
S1730S-S1, S200, and S1730S-S.
Format
sshd server cipher { aes128-cbc | aes192-cbc | aes256-cbc | aes128-gcm@openssh.com | aes256-gcm@openssh.com } *
Parameters
Parameter Description Value
Views
NETCONF view
Default Level
3: Management level
Usage Guidelines
The algorithms that can be configured by this command have low security. By
default, the switch does not support these algorithms when establishing a
NETCONF session with a third-party controller. You are advised not to use these
algorithms.
Example
# Configure the aes128-cbc encryption algorithm that can be used by the switch
to establish a NETCONF session with a third-party controller.
<HUAWEI> system-view
[HUAWEI] netconf
[HUAWEI-netconf] sshd server cipher aes128-cbc
Warning: Insecure encryption algorithms will be enabling and the SSH connection may be teared down.
Continue? [Y/N]:y
Format
ssh server hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256_96 } *
Parameters
Parameter Description Value
Views
System view
Default Level
3: Management level
Usage Guidelines
An SSH server and a client need to negotiate an HMAC algorithm for the packets
exchanged between them. You can run the ssh server hmac command to
configure an HMAC algorithm list for the SSH server. After the server receives a
packet from the client, the server matches the list of the client against its local list
and selects the first matched HMAC algorithm. If no HMAC algorithm matches,
the negotiation fails.
Example
# Configure the HMAC sha2_256_96 algorithm for an SSH server.
<HUAWEI> system-view
[HUAWEI] ssh server hmac sha2_256_96
Format
ssh server key-exchange { dh_group14_sha1 | dh_group1_sha1 | dh_group_exchange_sha1 } *
undo ssh server key-exchange
Parameters
Parameter Description Value
Views
System view
Default Level
3: Management level
Usage Guidelines
An SSH server and a client need to negotiate a key exchange algorithm for the
packets exchanged between them. You can run the ssh server key-exchange
command to configure a key exchange algorithm list for the SSH server. After the
server receives a packet from the client, the server matches the key exchange
algorithm list of the client against its local list and selects the first matched key
exchange algorithm. If no key exchange algorithm matches, the negotiation fails.
Example
# Configure the key exchange algorithm list dh_group1_sha1 on the SSH server.
<HUAWEI> system-view
[HUAWEI] ssh server key-exchange dh_group1_sha1
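The ssh client and ssh server cipher, hmac and key-exchange sections above all describe the same first-match negotiation, and the keyword lists they accept include algorithms an administrator may want to audit before enabling. The following added Python example (not Huawei code) previews which algorithm a client and server configured with those commands would agree on, and flags weak or unknown keywords; the config lines are constructed, and the set of algorithms treated as weak is this example's assumption, not the manual's.

```python
# Added example, not Huawei's code: first-match negotiation for the ssh client /
# ssh server cipher, hmac and key-exchange lists, plus a defender-side audit.
# Config lines are constructed; WEAK is this example's assumption, not the manual's.
from typing import Dict, List, Optional, Tuple

# Keywords the ssh client/server commands on this page accept, per category.
PAGE_KEYWORDS = {
    "cipher": ["des_cbc", "3des_cbc", "aes128_cbc", "aes256_cbc"],
    "hmac": ["md5", "md5_96", "sha1", "sha1_96", "sha2_256_96"],
    "key-exchange": ["dh_group14_sha1", "dh_group1_sha1", "dh_group_exchange_sha1"],
}
# Assumption: DES/3DES, MD5-based or 96-bit truncated tags, and 1024-bit DH
# group 1 are what a reviewer would flag for removal from the lists.
WEAK = {"des_cbc", "3des_cbc", "md5", "md5_96", "sha1_96", "dh_group1_sha1"}

def parse_ssh_lists(config_lines: List[str]) -> Dict[Tuple[str, str], List[str]]:
    """Turn 'ssh {client|server} {cipher|hmac|key-exchange} alg ...' lines into
    {(side, category): [algorithms in configured order]}; other lines are ignored."""
    lists: Dict[Tuple[str, str], List[str]] = {}
    for line in config_lines:
        tokens = line.split()
        if (len(tokens) >= 4 and tokens[0] == "ssh"
                and tokens[1] in ("client", "server") and tokens[2] in PAGE_KEYWORDS):
            lists[(tokens[1], tokens[2])] = tokens[3:]
    return lists

def negotiate(client_list: List[str], server_list: List[str]) -> Optional[str]:
    """First algorithm in the client's list that the server also supports;
    None means the negotiation fails, as the manual states."""
    server_set = set(server_list)
    return next((alg for alg in client_list if alg in server_set), None)

def preview(client_cfg: List[str], server_cfg: List[str]) -> Dict[str, Optional[str]]:
    """Per category configured on both sides, the algorithm a session between
    these two configs would use (a side left at its default list is skipped,
    because this example does not know the platform defaults)."""
    client = parse_ssh_lists(client_cfg)
    server = parse_ssh_lists(server_cfg)
    return {
        cat: negotiate(client[("client", cat)], server[("server", cat)])
        for cat in PAGE_KEYWORDS
        if ("client", cat) in client and ("server", cat) in server
    }

def audit(configured: Dict[Tuple[str, str], List[str]]) -> List[str]:
    """Findings for each configured list: unknown keywords and weak algorithms."""
    findings: List[str] = []
    for (side, cat), algs in configured.items():
        for alg in algs:
            if alg not in PAGE_KEYWORDS[cat]:
                findings.append(f"ssh {side} {cat}: unknown keyword {alg}")
            elif alg in WEAK:
                findings.append(f"ssh {side} {cat}: weak algorithm {alg}")
    return findings
```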
Format
ssl minimum version tls1.0
Parameters
Parameter Description Value
tls1.0 Sets the minimum SSL version to TLS1.0 for an SSL policy. -
Views
SSL policy view
Default Level
3: Management level
Usage Guidelines
To configure a minimum SSL version for an SSL policy, run the ssl minimum
version command so that service modules can flexibly adopt the SSL policy.
Example
# Configure the minimum SSL version for the SSL policy ftp_server to be TLS1.0.
<HUAWEI> system-view
[HUAWEI] ssl policy ftp_server
[HUAWEI-ssl-policy-ftp_server] ssl minimum version tls1.0