access-group [group-name]
show>system>security
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command displays SNMP access group information.
Displays information for the specified access group name, up to 32 characters.
The following output is an example of SNMP access group information, and Table: Output fields: access group describes the output fields.
Sample output
A:ALA-4# show system security access-group
===============================================================================
Access Groups
===============================================================================
group name       security   security   read         write        notify
                 model      level      view         view         view
-------------------------------------------------------------------------------
snmp-ro          snmpv1     none       no-security               no-security
snmp-ro          snmpv2c    none       no-security               no-security
snmp-rw          snmpv1     none       no-security  no-security  no-security
snmp-rw          snmpv2c    none       no-security  no-security  no-security
snmp-rwa         snmpv1     none       iso          iso          iso
snmp-rwa         snmpv2c    none       iso          iso          iso
snmp-trap        snmpv1     none                                 iso
snmp-trap        snmpv2c    none                                 iso
===============================================================================
A:ALA-7#
Label | Description |
---|---|
Group name | Displays the access group name |
Security model | Displays the SNMP security model (snmpv1, snmpv2c or usm) a request must use to be matched to this group |
Security level | Displays the authentication and privacy level a request must meet to access the views configured for this group |
Read view | Displays the name of the view whose MIB objects the group is allowed to read |
Write view | Displays the name of the view whose MIB objects the group is allowed to set (configure the contents of the agent) |
Notify view | Displays the name of the view whose MIB objects may be sent to the group in notifications (traps) |
authentication [statistics]
show>system>security
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command displays system login authentication configuration and statistics.
Appends login and accounting statistics to the display.
The following output is an example of system login authentication information, and Table: Output fields: security authentication describes the output fields.
Sample output
A:ALA-4# show system security authentication
===============================================================================
Authentication sequence : radius tacplus local
===============================================================================
server address     status   type     timeout(secs)  single connection  retry count
-------------------------------------------------------------------------------
10.10.10.103       up       radius   5              n/a                5
10.10.0.1          up       radius   5              n/a                5
10.10.0.2          up       radius   5              n/a                5
10.10.0.3          up       radius   5              n/a                5
-------------------------------------------------------------------------------
radius admin status : down
tacplus admin status : up
health check : enabled
-------------------------------------------------------------------------------
No. of Servers: 4
===============================================================================
A:ALA-4#
A:ALA-7>show>system>security# authentication statistics
===============================================================================
Authentication sequence : radius tacplus local
===============================================================================
server address     status   type     timeout(secs)  single connection  retry count
-------------------------------------------------------------------------------
10.10.10.103       up       radius   5              n/a                5
10.10.0.1          up       radius   5              n/a                5
10.10.0.2          up       radius   5              n/a                5
10.10.0.3          up       radius   5              n/a                5
-------------------------------------------------------------------------------
radius admin status : down
tacplus admin status : up
health check : enabled
-------------------------------------------------------------------------------
No. of Servers: 4
===============================================================================
Login Statistics
===============================================================================
server address     connection errors   accepted logins   rejected logins
-------------------------------------------------------------------------------
10.10.10.103       0                   0                 0
10.10.0.1          0                   0                 0
10.10.0.2          0                   0                 0
10.10.0.3          0                   0                 0
local              n/a                 1                 0
===============================================================================
Authorization Statistics (TACACS+)
===============================================================================
server address connection errors sent packets rejected packets
-------------------------------------------------------------------------------
===============================================================================
Accounting Statistics
===============================================================================
server address     connection errors   sent packets      rejected packets
-------------------------------------------------------------------------------
10.10.10.103       0                   0                 0
10.10.0.1          0                   0                 0
10.10.0.2          0                   0                 0
10.10.0.3          0                   0                 0
===============================================================================
A:ALA-7#
Label | Description |
---|---|
Sequence | Displays the order in which the authentication methods (RADIUS, TACACS+, local) are tried |
Server address | Displays the IP address of the RADIUS or TACACS+ server |
Status | Displays the current status of the server (up or down) |
Type | Displays the authentication type of the server (radius or tacplus) |
Timeout (secs) | Displays the number of seconds the router waits for a response from the server before retrying or moving to the next server |
Single connection | Enabled — A single TCP connection to the TACACS+ server is kept open and all requests are validated over it. Disabled — A new connection is opened for each TACACS+ request. Shown as n/a for RADIUS servers |
Retry count | Displays the number of times the router attempts to contact the server for authentication if there are problems communicating with it |
Connection errors | Displays the number of times a connection to the server could not be established or failed |
Accepted logins | Displays the number of logins accepted by the server (for the local row, by the local user database) |
Rejected logins | Displays the number of login attempts the server rejected |
Sent packets | Displays the number of authorization or accounting packets sent to the server |
Rejected packets | Displays the number of authorization or accounting packets the server rejected |
dist-cpu-protection
show>system>security
7210 SAS-R6 and 7210 SAS-R12
Commands in this context display distributed CPU protection information.
policy [name] [association | detail]
show>system>security>dist-cpu-protection
7210 SAS-R6 and 7210 SAS-R12
This command displays distributed CPU protection policy information.
Displays distributed CPU protection policy information for the specified policy name, up to 32 characters.
Displays associations for the specified policy name.
Displays detailed information for the specified policy name.
keychain [key-chain] [detail]
show>system>security
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command displays keychain information.
Specifies the keychain name to display.
Displays detailed keychain information.
The following output is an example of keychain information, and Table: Output fields: keychain describes the output fields.
Sample output
*A:ALA-A# show system security keychain test
===============================================================================
Key chain:test
===============================================================================
TCP-Option number send : 254 Admin state : Up
TCP-Option number receive : 254 Oper state : Up
===============================================================================
*A:ALA-A#
*A:ALA-A# show system security keychain test detail
===============================================================================
Key chain:test
===============================================================================
TCP-Option number send : 254 Admin state : Up
TCP-Option number receive : 254 Oper state : Up
===============================================================================
Key entries for key chain: test
===============================================================================
Id : 0
Direction : send-receive Algorithm : hmac-sha-1-96
Admin State : Up Valid : Yes
Active : Yes Tolerance : 300
Begin Time : 2007/02/15 18:28:37 Begin Time (UTC) : 2007/02/15 17:28:37
End Time : N/A End Time (UTC) : N/A
===============================================================================
Id : 1
Direction : send-receive Algorithm : aes-128-cmac-96
Admin State : Up Valid : Yes
Active : No Tolerance : 300
Begin Time : 2007/02/15 18:27:57 Begin Time (UTC) : 2007/02/15 17:27:57
End Time : 2007/02/15 18:28:13 End Time (UTC) : 2007/02/15 17:28:13
===============================================================================
Id : 2
Direction : send-receive Algorithm : aes-128-cmac-96
Admin State : Up Valid : Yes
Active : No Tolerance : 500
Begin Time : 2007/02/15 18:28:13 Begin Time (UTC) : 2007/02/15 17:28:13
End Time : 2007/02/15 18:28:37 End Time (UTC) : 2007/02/15 17:28:37
===============================================================================
*A:ALA-A#
Label | Description |
---|---|
TCP-Option number send | Displays the TCP option number inserted in the header of sent TCP packets |
Admin state | Displays the administrative state of the keychain: up or down |
TCP-Option number receive | Displays the TCP option number accepted in the header of received TCP packets |
Oper state | Displays the operational state of the keychain: up or down |
Key entries for key chain: test | Header of the per-entry section; the fields below repeat for each key entry |
Id | Displays the ID of the key entry |
Direction | Displays the stream direction to which the entry's key applies: send, receive, or send-receive |
Algorithm | Displays the authentication (message authentication code) algorithm used by this key entry, for example hmac-sha-1-96 or aes-128-cmac-96. Keychain keys authenticate protocol packets; they do not encrypt them |
Option | Indicates the configured IS-IS encoding standard (indicates ‟none” if the associated protocol is not IS-IS) |
Admin State | Displays the administrative state of the key entry: up or down |
Valid | Indicates if the receive key is valid |
Active | Indicates if the transmit (send) key is the one currently used to sign outgoing packets |
Tolerance | Displays the tolerance time, in seconds, during which both the currently active key and the new key are accepted on receive, so that peers can roll keys without an outage |
Begin Time | Displays the time from which the key is used to sign and/or authenticate protocol packets |
Begin Time (UTC) | Displays the begin time in UTC |
End Time | Displays the time after which the key is no longer eligible to authenticate protocol packets (N/A means no end time) |
End Time (UTC) | Displays the end time in UTC |
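Worked example, added here and not part of the 7210 SAS documentation: a Python model of what the Begin Time, End Time and Tolerance columns mean for key rollover. The three entries are constructed from the UTC values in the sample output above. The selection rules (the most recently begun send key signs; a receive key is accepted until its end time plus tolerance) and the list of algorithms to flag are this example's assumptions, not behaviour quoted from the page.

```python
"""Model which key of a keychain signs outgoing packets and which keys are still
accepted on receive at a given time, from the fields of
`show system security keychain <name> detail`."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class KeyEntry:
    key_id: int
    direction: str            # "send", "receive" or "send-receive"
    algorithm: str
    admin_up: bool
    begin_utc: datetime
    end_utc: datetime | None  # None stands for "N/A" (no end time)
    tolerance: int            # seconds the key stays acceptable on receive past its end time


def _t(text: str) -> datetime:
    return datetime.strptime(text, "%Y/%m/%d %H:%M:%S")


# Constructed from the three entries of the sample output above (UTC columns).
TEST_CHAIN = (
    KeyEntry(0, "send-receive", "hmac-sha-1-96", True, _t("2007/02/15 17:28:37"), None, 300),
    KeyEntry(1, "send-receive", "aes-128-cmac-96", True, _t("2007/02/15 17:27:57"), _t("2007/02/15 17:28:13"), 300),
    KeyEntry(2, "send-receive", "aes-128-cmac-96", True, _t("2007/02/15 17:28:13"), _t("2007/02/15 17:28:37"), 500),
)


def send_key(chain, now: datetime) -> int | None:
    """Assumed rule (modelled here): among admin-up send-capable keys whose begin time has
    passed, the most recently begun key signs. None means nothing can be signed."""
    candidates = [k for k in chain
                  if k.admin_up and k.direction in ("send", "send-receive") and k.begin_utc <= now]
    return max(candidates, key=lambda k: k.begin_utc).key_id if candidates else None


def accepted_receive_keys(chain, now: datetime) -> list[int]:
    """Assumed rule (modelled here): a receive-capable key is accepted from its begin time
    until its end time plus tolerance, so a peer that rolls late is not cut off at once."""
    accepted = []
    for k in chain:
        if not k.admin_up or k.direction not in ("receive", "send-receive"):
            continue
        if now < k.begin_utc:
            continue
        if k.end_utc is not None and now > k.end_utc + timedelta(seconds=k.tolerance):
            continue
        accepted.append(k.key_id)
    return sorted(accepted)


def signing_gaps(chain, checkpoints) -> list[datetime]:
    """Times at which no send key exists: the protocol session would lose authentication."""
    return [t for t in checkpoints if send_key(chain, t) is None]


# Algorithm names that give no real integrity protection against an active attacker
# (cleartext or MD5 based). Which names to flag is this example's assumption.
WEAK_ALGORITHMS = {"password", "message-digest", "hmac-md5"}


def weak_entries(chain) -> list[int]:
    return [k.key_id for k in chain if k.algorithm.lower() in WEAK_ALGORITHMS]


if __name__ == "__main__":
    for stamp in ("2007/02/15 17:28:20", "2007/02/15 17:28:40", "2007/02/15 17:40:00"):
        now = _t(stamp)
        print(stamp, "send:", send_key(TEST_CHAIN, now), "accept:", accepted_receive_keys(TEST_CHAIN, now))
```

Running the model against the sample chain shows why the Tolerance column matters: at 17:28:40 UTC key 0 has just become the signing key, but keys 1 and 2 are still accepted on receive for 300 and 500 seconds past their end times, which is the window a peer has to switch. Checking signing_gaps before the first key's begin time, and weak_entries against every chain, is the review a practitioner would run on this output.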
management-access-filter
show>system>security
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
Commands in this context display management access filter information for IPv4 and IPv6 filters.
ip-filter [entry entry-id]
show>system>security>mgmt-access-filter
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command displays management access IP filters.
Displays information for the specified entry.
The following output is an example of management access IP filter information, and Table: Output fields: IP filter describes the output fields.
Sample output
*7210-SAS>show>system>security>management-access-filter# ip-filter entry 1
===============================================================================
IPv4 Management Access Filter
===============================================================================
filter type : ip
Def. Action : permit
Admin Status : enabled (no shutdown)
-------------------------------------------------------------------------------
Entry : 1
Description : (Not Specified)
Src IP : undefined
Src interface : undefined
Dest port : undefined
L4 Src port : undefined
Fragment : off
Protocol : undefined
Router : undefined
Action : none
Log : disabled
Matches : 0
===============================================================================
*7210-SAS>show>system>security>management-access-filter#
Label | Description |
---|---|
Def. action | Action applied to packets that match none of the filter entries. Permit — the packet is accepted. Deny — the packet is silently dropped. Deny-host-unreachable — the packet is dropped and an ICMP host unreachable message is sent to the source |
Entry | Displays the entry ID in a policy or filter table |
Description | Displays a text string describing the filter entry |
Src IP | Displays the source IP address or prefix used as match criterion |
Src Interface | Displays the name of the ingress interface a packet must arrive on to match this entry |
Dest port | Displays the destination TCP/UDP port to match |
Matches | Displays the number of times a management packet has matched this filter entry |
Protocol | Displays the IP protocol to match |
Action | Displays the action (permit, deny or deny-host-unreachable) taken for packets that match this entry; none means no action is configured for the entry |
Flow label | Displays the IPv6 flow label value to match (IPv6 filters only) |
Next-header | Displays the IPv6 next header value to match (IPv6 filters only) |
L4 Src port | Displays the TCP/UDP source port number to match |
Fragment | Indicates whether the entry matches fragmented packets |
Router | Displays the router instance ID to match |
Log | Indicates whether packets matching this entry are logged. Logging is not supported on 7210 SAS platforms |
ipv6-filter [entry entry-id]
show>system>security>mgmt-access-filter
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command displays management access IPv6 filters.
Displays information for the specified entry.
The following output is an example of management access IPv6 filter information, and Table: Output fields: IPv6 filter describes the output fields.
Sample output
A:7210SAS# show system security management-access-filter ipv6-filter
===============================================================================
IPv6 Management Access Filter
===============================================================================
filter type : ipv6
Def. Action : permit
Admin Status : enabled (no shutdown)
-------------------------------------------------------------------------------
Entry : 1
Description : (Not Specified)
Src IP : undefined
Flow label : undefined
Src interface : 1/1/1
Dest port : undefined
L4 Src port : undefined
Next-header : undefined
Router : undefined
Action : permit
Log : disabled
Matches : 0
===============================================================================
*A:7210SAS#
Label | Description |
---|---|
Def. action | Action applied to packets that match none of the filter entries. Permit — the packet is accepted. Deny — the packet is silently dropped. Deny-host-unreachable — the packet is dropped and an ICMPv6 host unreachable message is sent to the source |
Entry | Displays the entry ID in a policy or filter table |
Description | Displays a text string describing the filter entry |
Src IP | Displays the source IPv6 address or prefix used as match criterion |
Src Interface | Displays the name of the ingress interface a packet must arrive on to match this entry |
Dest port | Displays the destination TCP/UDP port to match |
Flow label | Displays the IPv6 flow label value to match |
Protocol | Displays the IPv6 protocol to match |
Action | Displays the action (permit, deny or deny-host-unreachable) taken for packets that match this entry; none means no action is configured for the entry |
Next-header | Displays the IPv6 next header value to match |
L4 Src port | Displays the TCP/UDP source port number to match |
Router | Displays the router instance ID to match |
Log | Indicates whether packets matching this entry are logged. Logging is not supported on 7210 SAS platforms |
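Worked example, added here and not part of the 7210 SAS documentation: a Python model of how the fields shown by the ip-filter and ipv6-filter commands combine into a decision, and a pre-commit check for the classic mistake of switching the default action to deny before every management source has a permit entry. The policy, the probe packets and the first-match semantics (entries walked in ascending ID, an entry with action none skipped) are this example's assumptions; the entry shapes mirror the fields in the sample outputs above.

```python
"""First-match evaluation of a management access filter, modelled on the fields
shown by `show system security management-access-filter ip-filter` / `ipv6-filter`."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class FilterEntry:
    entry_id: int
    action: str | None = None         # "permit", "deny", "deny-host-unreachable"; None == "none" in the output
    src_ip: str | None = None         # IPv4 or IPv6 prefix, e.g. "10.20.1.0/24"
    src_interface: str | None = None  # ingress interface name, e.g. "1/1/1"
    protocol: int | None = None       # IPv4 protocol / IPv6 next header: 6 = TCP, 17 = UDP
    dest_port: int | None = None      # TCP/UDP destination port


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_interface: str
    protocol: int
    dest_port: int


def entry_matches(e: FilterEntry, p: Packet) -> bool:
    """Every criterion left undefined on the entry is a wildcard.
    An address of the other IP version never matches a prefix (ipaddress returns False)."""
    if e.src_ip is not None and ip_address(p.src_ip) not in ip_network(e.src_ip, strict=False):
        return False
    if e.src_interface is not None and e.src_interface != p.src_interface:
        return False
    if e.protocol is not None and e.protocol != p.protocol:
        return False
    if e.dest_port is not None and e.dest_port != p.dest_port:
        return False
    return True


def evaluate(entries, default_action: str, p: Packet) -> tuple[str, int | None]:
    """Assumed semantics (modelled here): entries are checked in ascending entry id and the
    first matching entry that has an action decides; an entry whose action is 'none' is
    skipped; otherwise the default action applies. Returns (action, entry id or None)."""
    for e in sorted(entries, key=lambda x: x.entry_id):
        if e.action is not None and entry_matches(e, p):
            return e.action, e.entry_id
    return default_action, None


def lockout_risk(entries, default_action: str, probes) -> list[Packet]:
    """Run representative management flows through the filter before committing a deny
    default: any probe that is not permitted is a source you are about to cut off."""
    return [p for p in probes if evaluate(entries, default_action, p)[0] != "permit"]


# Constructed policy: NOC subnets reach SSH and SNMP, telnet is refused with ICMP, everything
# else falls through to the default action; entry 50 mirrors entry 1 of the sample (action none).
POLICY = (
    FilterEntry(10, "permit", src_ip="10.20.1.0/24", protocol=6, dest_port=22),
    FilterEntry(20, "permit", src_ip="10.20.1.0/24", protocol=17, dest_port=161),
    FilterEntry(30, "permit", src_ip="2001:db8:100::/48", protocol=6, dest_port=22),
    FilterEntry(40, "deny-host-unreachable", protocol=6, dest_port=23),
    FilterEntry(50),
)
DEFAULT_ACTION = "deny"

# Constructed probes: the IPv4 and IPv6 NOC hosts plus a host in a subnet nobody added.
PROBES = (
    Packet("10.20.1.7", "1/1/1", 6, 22),
    Packet("10.20.1.7", "1/1/1", 17, 161),
    Packet("2001:db8:100::10", "1/1/1", 6, 22),
    Packet("10.30.0.5", "1/1/1", 6, 22),
)

if __name__ == "__main__":
    for p in PROBES:
        print(p.src_ip, p.dest_port, "->", evaluate(POLICY, DEFAULT_ACTION, p))
    print("would be locked out:", lockout_risk(POLICY, DEFAULT_ACTION, PROBES))
```

The IPv4 and IPv6 filters are separate objects on the device, so a real pre-change check runs the probes against each filter's own entries; the single policy here only shows that a v6 source is never matched by a v4 prefix and falls through to whatever the default is.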
password-options
show>system>security
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command displays configured password options.
The following output is an example of password option information, and Table: Output fields: password options describes the output fields.
Sample output
A:ALA-7# show system security password-options
===============================================================================
Password Options
===============================================================================
Password aging in days : none
Number of invalid attempts permitted per login : 3
Time in minutes per login attempt : 5
Lockout period (when threshold breached) : 10
Authentication order : radius tacplus local
Configured complexity options :
Minimum password length : 6
===============================================================================
A:ALA-7#
Label | Description |
---|---|
Password aging in days | Displays the number of days a user password is valid before the user must change it (none means passwords do not expire) |
Number of invalid attempts permitted per login | Displays the number of unsuccessful login attempts allowed within the time window before the user is locked out |
Time in minutes per login attempt | Displays the length of the window, in minutes, within which the permitted number of unsuccessful attempts is counted |
Lockout period (when threshold breached) | Displays the period, in minutes, during which the user is not allowed to log in after exceeding the attempt threshold |
Authentication order | Displays the sequence in which password authentication is attempted among RADIUS, TACACS+ and local passwords |
Configured complexity options | Displays the complexity requirements enforced on locally administered passwords, HMAC-MD5-96, HMAC-SHA-96 and DES keys configured in the authentication section (blank when no complexity rule is configured, as in the sample) |
Minimum password length | Displays the minimum number of characters required for locally administered passwords, HMAC-MD5-96, HMAC-SHA-96 and DES keys configured in the system security section |
profile [user-profile-name]
show>system>security
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command displays user profile information.
If the user-profile-name is not specified, information for all profiles is displayed.
Displays information for the specified user profile name, up to 32 characters.
The following output is an example of user profile information, and Table: Output fields: profile describes the output fields.
Sample output
A:ALA-7# show system security profile administrative
===============================================================================
User Profile
===============================================================================
User Profile : administrative
Def. Action : permit-all
-------------------------------------------------------------------------------
Entry : 10
Description :
Match Command: configure system security
Action : permit
-------------------------------------------------------------------------------
Entry : 20
Description :
Match Command: show system security
Action : permit
-------------------------------------------------------------------------------
No. of profiles:
===============================================================================
A:ALA-7#
Label | Description |
---|---|
User Profile | Displays the profile name used to deny or permit user console access to a hierarchical branch or to specific commands |
Def. action | Action applied to commands that match no entry. Permit-all — all commands are permitted. Deny-all — all commands are denied. None — no action is taken |
Entry | Displays the entry ID in the profile |
Description | Displays the text string describing the entry |
Match Command | Displays the command, or the subtree of commands below it, that the entry matches |
Action | Permit — commands matching the entry are permitted. Deny — commands matching the entry are denied |
No. of profiles | Displays the total number of profiles listed |
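Worked example, added here and not part of the 7210 SAS documentation: a Python model of how a profile's default action and ordered entries authorize a command, plus a check for entries that can never fire because an earlier, broader entry already matches everything they would. The administrative profile is constructed from the sample output above; the operator and broken profiles and the first-match semantics (ascending entry ID, default action none treated as deny) are this example's assumptions.

```python
"""Model how a user profile authorizes a CLI command, using the fields shown by
`show system security profile`: a default action plus ordered entries that each
carry a match command and an action."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class ProfileEntry:
    entry_id: int
    match_command: str    # command or subtree, e.g. "configure system security"
    action: str           # "permit" or "deny"


@dataclass(frozen=True)
class Profile:
    name: str
    default_action: str   # "permit-all", "deny-all" or "none"
    entries: tuple


def _tokens(cmd: str) -> tuple[str, ...]:
    return tuple(cmd.split())


def entry_matches(entry: ProfileEntry, command: str) -> bool:
    """A match command covers itself and every command beneath it in the tree."""
    want, got = _tokens(entry.match_command), _tokens(command)
    return got[: len(want)] == want


def authorize(profile: Profile, command: str) -> tuple[str, int | None]:
    """Assumed semantics (modelled here): entries are checked in ascending entry id and the
    first match decides; otherwise the default applies, with 'none' treated as deny.
    Returns (action, entry id or None)."""
    for e in sorted(profile.entries, key=lambda x: x.entry_id):
        if entry_matches(e, command):
            return e.action, e.entry_id
    return ("permit" if profile.default_action == "permit-all" else "deny"), None


def shadowed_entries(profile: Profile) -> list[int]:
    """Entries that can never fire because an earlier entry matches every command they cover."""
    ordered = sorted(profile.entries, key=lambda x: x.entry_id)
    shadowed = []
    for i, later in enumerate(ordered):
        if any(entry_matches(earlier, later.match_command) for earlier in ordered[:i]):
            shadowed.append(later.entry_id)
    return shadowed


# Profile from the sample output: everything is permitted, so the two entries change nothing.
ADMINISTRATIVE = Profile("administrative", "permit-all", (
    ProfileEntry(10, "configure system security", "permit"),
    ProfileEntry(20, "show system security", "permit"),
))

# Constructed least-privilege profile: the specific deny must precede the broad permit.
OPERATOR = Profile("operator", "deny-all", (
    ProfileEntry(10, "configure system security", "deny"),
    ProfileEntry(20, "configure", "permit"),
    ProfileEntry(30, "show", "permit"),
))

# Constructed mis-ordered profile: the deny at entry 20 is shadowed by the permit at entry 10,
# so an operator can still create users under configure system security.
BROKEN = Profile("broken", "deny-all", (
    ProfileEntry(10, "configure", "permit"),
    ProfileEntry(20, "configure system security", "deny"),
))

if __name__ == "__main__":
    for prof in (OPERATOR, BROKEN):
        print(prof.name, authorize(prof, "configure system security user bob"), "shadowed:", shadowed_entries(prof))
```

The shadowed_entries check is the one to run on every profile whose default is permit-all or that mixes permit and deny entries: a deny that is listed after a permit covering the same subtree is dead configuration, and the show output will not tell you that.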
source-address
show>system>security
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command displays source addresses configured for applications.
The following output is an example of source address information, and Table: Output fields: source access describes the output fields.
Sample output
A:SR-7# show system security source-address
===============================================================================
Source-Address applications
===============================================================================
Application      IP address/Interface Name       Oper status
-------------------------------------------------------------------------------
telnet           10.20.1.7                       Up
radius           loopback1                       Up
===============================================================================
A:SR-7#
Label | Description |
---|---|
Application | Displays the application the source address is configured for |
IP address/Interface Name | Displays the source IP address or the interface whose address is used |
Oper status | Up — The source address is operationally up. Down — The source address is operationally down |
ssh
show>system>security
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command displays all the SSH sessions as well as the SSH status and fingerprint.
The following output is an example of SSH session information, and Table: Output fields: SSH describes the output fields.
Sample output
ALA-7# show system security ssh
SSH is enabled
SSH preserve key: Enabled
SSH protocol version 1: Enabled
RSA host key finger print:c6:a9:57:cb:ee:ec:df:33:1a:cd:d2:ef:3f:b5:46:34
SSH protocol version 2: Enabled
DSA host key finger print:ab:ed:43:6a:75:90:d3:fc:42:59:17:8a:80:10:41:79
=======================================================
Connection            Encryption       Username
=======================================================
192.168.5.218         3des             admin
-------------------------------------------------------
Number of SSH sessions : 1
=======================================================
ALA-7#
A:ALA-49>config>system>security# show system security ssh
SSH is disabled
A:ALA-49>config>system>security#
Label | Description |
---|---|
SSH status | SSH is enabled — The SSH server is enabled. SSH is disabled — The SSH server is disabled |
SSH preserve key | Enabled — preserve-key is enabled and the host key is kept across reboots, so clients see a stable fingerprint. Disabled — preserve-key is disabled |
SSH protocol version 1 | Enabled — SSH1 is enabled. Disabled — SSH1 is disabled. SSH1 has known protocol weaknesses; keep it disabled unless a legacy client requires it |
SSH protocol version 2 | Enabled — SSH2 is enabled. Disabled — SSH2 is disabled |
Key fingerprint | The fingerprint identifies the server host key (the RSA key shown under protocol version 1, the DSA key under version 2). A client compares it with the fingerprint presented at connection time; if the fingerprint is unknown or differs, the client should not continue the session because the server may be spoofed. Record the value out of band so operators can verify it on first connection |
Connection | Displays the IP address of the remote client |
Encryption | des — single DES (56-bit key). 3des — Triple DES. Both are legacy ciphers; prefer an AES-based cipher where the client and the release support one |
Username | Displays the name of the user |
Number of SSH sessions | Displays the total number of SSH sessions |
user [user-name] [detail]
show>system>security
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command displays user registration information.
If no command line options are specified, summary information for all users is displayed.
Displays information for the specified user name, up to 32 characters.
Adds detailed user information to the summary output.
The following output is an example of user registration information, and Table: Output fields: security user describes the output fields.
Sample output
A:ALA-7# show system security user
===============================================================================
Users
===============================================================================
user id      need     user permissions     password   attempted  failed   local
             new pwd  console ftp  snmp    expires    logins     logins   conf
-------------------------------------------------------------------------------
admin        n        y       n    n       never      21         0        y
===============================================================================
A:ALA-7#
A:ALA-7# show system security user detail
===============================================================================
Users
===============================================================================
user id      need     user permissions     password   attempted  failed   local
             new pwd  console ftp  snmp    expires    logins     logins   conf
-------------------------------------------------------------------------------
admin        n        y       n    n       never      21         0        y
===============================================================================
===============================================================================
User Configuration Detail
===============================================================================
user id : admin
-------------------------------------------------------------------------------
console parameters
-------------------------------------------------------------------------------
new pw required : no cannot change pw : no
home directory : cf1:\
restricted to home : no
login exec file :
profile : administrative
-------------------------------------------------------------------------------
snmp parameters
===============================================================================
A:ALA-7#
Label | Description |
---|---|
User ID | Displays the name of a system user |
Need new pwd | Y — The user must change their password at the next login. N — The user is not forced to change their password at the next login |
Cannot change pw | Y — The user is not allowed to change the login password. N — The user is allowed to change the login password |
User permissions | Console: Y — The user is authorized for console access; N — not authorized. FTP: Y — The user is authorized for FTP access; N — not authorized. SNMP: Y — The user is authorized for SNMP access; N — not authorized |
Password expires | Displays the number of days in which the user must change their login password (never means the password does not expire) |
Attempted logins | Displays the number of times the user has attempted to log in, whether the login succeeded or failed |
Failed logins | Displays the number of unsuccessful login attempts |
Local conf | Y — Password authentication is based on the local password database. N — Password authentication is not based on the local password database |
Home directory | Specifies the local home directory for the user for both console and FTP access |
Restricted to home | Yes — The user cannot navigate to a directory higher in the directory tree on the home directory device. No — The user can navigate above the home directory |
Login exec file | Displays the user login exec file, which runs whenever the user successfully logs in to a console session |
view [view-name] [detail]
show>system>security
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command displays the SNMP MIB views.
Specifies the name of the view to display output, up to 32 characters. If no view name is specified, the complete list of views is displayed.
Displays detailed view information.
The following output is an example of SNMP MIB view information, and Table: Output fields: security view describes the output fields.
Sample output
A:ALA-48# show system security view
===============================================================================
Views
===============================================================================
view name          oid tree                          mask        permission
-------------------------------------------------------------------------------
iso                1                                             included
read1              1.1.1.1                           11111111    included
write1             2.2.2.2                           11111111    included
testview           1                                 11111111    included
testview           1.3.6.1.2                         11111111    excluded
mgmt-view          1.3.6.1.2.1.2                                 included
mgmt-view          1.3.6.1.2.1.4                                 included
mgmt-view          1.3.6.1.2.1.5                                 included
mgmt-view          1.3.6.1.2.1.6                                 included
mgmt-view          1.3.6.1.2.1.7                                 included
mgmt-view          1.3.6.1.2.1.31                                included
mgmt-view          1.3.6.1.2.1.77                                included
mgmt-view          1.3.6.1.4.1.6527.3.1.2.3.7                    included
mgmt-view          1.3.6.1.4.1.6527.3.1.2.3.11                   included
no-security        1                                             included
no-security        1.3.6.1.6.3                                   excluded
no-security        1.3.6.1.6.3.10.2.1                            included
no-security        1.3.6.1.6.3.11.2.1                            included
no-security        1.3.6.1.6.3.15.1.1                            included
on-security        2                                 00000000    included
-------------------------------------------------------------------------------
No. of Views:
===============================================================================
A:ALA-48#
Label | Description |
---|---|
view name | Displays the name of the view. A view is the set of MIB subtrees that an access group bound to it can read, write or receive notifications for |
oid tree | Displays the object identifier of the ASN.1 subtree the row applies to |
mask | Displays the bit mask that turns the subtree into a family: a 1 bit requires the sub-identifier at that position to match, a 0 bit makes it a wildcard; an empty mask means every sub-identifier must match |
permission | Indicates whether the subtree is included in or excluded from the view |
No. of Views | Displays the total number of views |
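Worked example, added here and not part of the 7210 SAS documentation: a Python model of how the oid tree, mask and permission rows of a view decide whether a given OID is visible, following the VACM rules of RFC 3415 (the most specific matching subtree wins). This is what the read, write and notify view columns of the access-group output earlier in this section resolve to. The input table is constructed from rows of the sample output above; the wildcard-mask family used in the usage is an assumption, since the sample only shows all-ones masks.

```python
"""Decide whether an OID is visible through an SNMP view, from the rows of
`show system security view` (view name, oid tree, mask, permission)."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed input: rows in the shape of the sample output (the mask column may be empty).
SAMPLE_VIEW_TABLE = """\
iso 1 included
testview 1 11111111 included
testview 1.3.6.1.2 11111111 excluded
mgmt-view 1.3.6.1.2.1.2 included
mgmt-view 1.3.6.1.2.1.31 included
no-security 1 included
no-security 1.3.6.1.6.3 excluded
no-security 1.3.6.1.6.3.10.2.1 included
no-security 1.3.6.1.6.3.11.2.1 included
no-security 1.3.6.1.6.3.15.1.1 included
"""


@dataclass(frozen=True)
class ViewFamily:
    subtree: tuple[int, ...]
    mask: str        # one char per sub-identifier: '1' must match, '0' is a wildcard; bits past the end count as '1'
    included: bool


def parse_oid(text: str) -> tuple[int, ...]:
    return tuple(int(part) for part in text.strip(".").split("."))


def parse_view_table(text: str) -> dict[str, list[ViewFamily]]:
    views: dict[str, list[ViewFamily]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:              # no mask shown: every sub-identifier must match
            name, oid, perm = parts
            mask = ""
        elif len(parts) == 4:
            name, oid, mask, perm = parts
        else:
            continue                     # rules, headers, blank lines
        views.setdefault(name, []).append(ViewFamily(parse_oid(oid), mask, perm == "included"))
    return views


def family_matches(fam: ViewFamily, oid: tuple[int, ...]) -> bool:
    if len(oid) < len(fam.subtree):
        return False
    for i, sub in enumerate(fam.subtree):
        bit = fam.mask[i] if i < len(fam.mask) else "1"
        if bit == "1" and oid[i] != sub:
            return False
    return True


def oid_in_view(families: list[ViewFamily], oid: tuple[int, ...]) -> bool:
    """RFC 3415 (VACM) rule: of all families that match, the one with the most
    sub-identifiers wins (ties: lexicographically greatest subtree) and its permission
    decides. An OID matched by no family is outside the view."""
    best = None
    for fam in families:
        if family_matches(fam, oid) and (
            best is None or (len(fam.subtree), fam.subtree) > (len(best.subtree), best.subtree)
        ):
            best = fam
    return best is not None and best.included


def oid_visible(views: dict[str, list[ViewFamily]], view_name: str, oid_text: str) -> bool:
    return oid_in_view(views.get(view_name, []), parse_oid(oid_text))


def readable_by_group(views, read_view: str, probe_oids) -> dict[str, bool]:
    """What an access group whose read view is `read_view` can read, for a list of OIDs."""
    return {oid: oid_visible(views, read_view, oid) for oid in probe_oids}


if __name__ == "__main__":
    views = parse_view_table(SAMPLE_VIEW_TABLE)
    # sysDescr.0, a VACM object, and a USM statistics counter, as seen through no-security
    print(readable_by_group(views, "no-security",
                            ["1.3.6.1.2.1.1.1.0", "1.3.6.1.6.3.16.1.1", "1.3.6.1.6.3.15.1.1.4.0"]))
```

The no-security view in the sample is the pattern to copy: the whole tree is included, the SNMPv3 framework subtree 1.3.6.1.6.3 is excluded, and only the engine, MPD and USM statistics subtrees are re-included underneath it, so an unauthenticated community can read MIB-2 but cannot walk the VACM or USM user tables. The longest-match rule is what makes the re-include under an exclude work.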