redundancy
admin
config
This command enters the context to allow the user to perform redundancy operations.
force-switchover [now]
admin>redundancy
This command forces a switchover to the standby CSM card. The primary CSM reloads its software image and becomes the secondary CSM.
forces the switchover to the redundant CSM card immediately
switchover-exec file-url
no switchover-exec
config>system
This command specifies the location and name of the CLI script file executed following a redundancy switchover from the previously active CSM card. A switchover can happen because of a fatal failure or by manual action.
The CLI script file can contain commands for environment settings, debug settings, and other commands not maintained by the configuration redundancy.
When the file-url parameter is not specified, no CLI script file is executed.
n/a
specifies the location and name of the CLI script file (see Table: URL Types and Syntax for parameter descriptions)
synchronize {boot-env | config}
admin>redundancy
config>redundancy
This command performs a synchronization of the standby CSM’s images and/or config files to the active CSM. Either the boot-env or config parameter must be specified.
In the admin>redundancy context, this command performs a manually triggered standby CSM synchronization.
In the config>redundancy context, this command performs an automatically triggered standby CSM synchronization.
When the standby CSM takes over operation following a failure or reset of the active CSM, it is important to ensure that the active and standby CSMs have identical operational parameters. This includes the saved configuration and CSM images.
The active CSM ensures that the active configuration is maintained on the standby CSM. However, to ensure smooth operation under all circumstances, runtime images and system initialization configurations must also be automatically synchronized between the active and standby CSM.
If synchronization fails, alarms and log messages that indicate the type of error that caused the failure of the synchronization operation are generated. When the error condition ceases to exist, the alarm is cleared.
Only files stored on the router are synchronized. If a configuration file or image is stored in a location other than on a local compact flash, the file is not synchronized (for example, storing a configuration file on an FTP server).
n/a for the admin>redundancy context
enabled for the config>redundancy context
synchronizes all files required for the boot process (loader, BOF, images, and configuration files)
synchronizes only the primary, secondary, and tertiary configuration files
[no] cert-sync
config>redundancy
This command automatically synchronizes the certificate/CRL/key when importing the certificate or generating the key. If a new compact flash card is inserted into the backup CSM, the system will synchronize the whole cf3:/system-pki directory from the active CSM.
cert-sync
multi-chassis
config>redundancy
This command enables the context to configure multi-chassis parameters.
[no] peer ip-address [create]
config>redundancy>multi-chassis
This command configures a multi-chassis redundancy peer.
specifies a peer IP address. A multicast address is not allowed.
keyword required when first creating the configuration context. When the context is created, you can navigate into the context without the create keyword.
authentication-key [authentication-key | hash-key] [hash | hash2]
no authentication-key
config>redundancy>multi-chassis>peer
This command configures the authentication key used between this node and the multi-chassis peer. The authentication key can be any combination of letters or numbers.
specifies the authentication key. Allowed values are any string up to 20 characters long composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, etc.), the entire string must be enclosed within double quotes.
specifies the hash key. The key can be any combination of ASCII characters up to 33 (hash1-key) or 55 (hash2-key) characters in length (encrypted). If spaces are used in the string, the entire string must be enclosed within double quotes.
specifies that the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in a non-encrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.
specifies that the key is entered in a more complex encrypted form that involves more variables than the key value alone. This means that a hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in a non-encrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.
description description-string
no description
config>redundancy>multi-chassis>peer
This command configures a text description and associates it with a configuration context to help identify the content in a configuration file.
The no form of the command removes the string from the configuration.
n/a
specifies the text description
[no] mc-firewall
config>redundancy>multi-chassis>peer
This command enables the context to configure parameters on the multi-chassis link (MCL), which enables the multi-chassis firewall function.
The no form of this command administratively disables multi-chassis firewall. The no mc-firewall command can only be issued when multi-chassis firewall is shut down.
n/a
boot-timer interval
no boot-timer
config>redundancy>multi-chassis>peer>mc-firewall
This command configures a boot timer interval for the MCL. This command applies when either router reboots. It specifies how long the multi-chassis firewall protocol attempts to establish a connection between the peers before assuming a failure of the remote peer. This is different from the keepalive mechanism that is used once the peer-to-peer communication has been established. If the boot timer interval expires before a connection between the two peers is established, both multi-chassis firewall peers will return to standalone firewall operation.
The no form of this command resets the interval to the default value.
300 s
the boot timer interval, in seconds
[no] encryption
config>redundancy>multi-chassis>peer>mc-firewall
This command enables the context to configure encryption and/or authentication algorithms to secure the multi-chassis firewall link. The no form of the command disables encryption.
no encryption
active-outbound-sa active-outbound-sa
no active-outbound-sa
config>redundancy>multi-chassis>peer>mc-firewall>encryption
This command identifies the active security association (SA) to be used for encrypting packets on the multi-chassis firewall link. On egress, only the active outbound SA is used to encrypt packets. On ingress, both SAs can be used to decrypt the arriving packets; this mechanism is used for rolling over the encryption and authentication keys.
The no form of the command resets the parameter to its default value.
no active-outbound-sa
the index number (SPI) of the active security association
authen-algorithm authen-algorithm
no authen-algorithm
config>redundancy>multi-chassis>peer>mc-firewall>encryption
This command configures the authentication algorithm for the MCL.
The no form of the command resets the parameter to its default value.
sha256
the algorithm used to authenticate the MCL
encryp-algorithm encryp-algorithm
no encryp-algorithm
config>redundancy>multi-chassis>peer>mc-firewall>encryption
This command configures the encryption algorithm for the MCL.
The no form of the command resets the parameter to its default value.
aes128
the algorithm used to encrypt the MCL
security-association spi spi authentication-key authentication-key encryption-key encryption-key [hash | hash2]
no security-association spi spi
config>redundancy>multi-chassis>peer>mc-firewall>encryption
This command creates a security association index for encryption of the MCL. The command is also used to enter the authentication and encryption key values for the security association, or to delete the security association. A security association contains the keys needed to encrypt and authenticate the link and is identified using an SPI. There can be two security association indexes under encryption. These two indexes can be used for rolling over the keys.
The no form of the command deletes the SPI.
no security-association spi
the index for this security association
the authentication key for the security association, either in hexadecimal format (up to 128 hexadecimal nibbles) or as a hash key
the encryption key for the security association, either in hexadecimal format (up to 64 hexadecimal nibbles) or as a hash key
the hash key. The key can be any combination of ASCII characters up to 33 (hash1-key) or 55 (hash2-key) characters in length (encrypted). If spaces are used in the string, the entire string must be enclosed within double quotes.
specifies that the key is entered in an encrypted form. If the hash parameter is not used, the key is assumed to be in a non-encrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.
specifies that the key is entered in a more complex encrypted form that involves more variables than the key value alone. This means that a hash2 encrypted variable cannot be copied and pasted. If the hash2 parameter is not used, the key is assumed to be in a non-encrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.
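The rollover that the two SA indexes and the active-outbound-sa command make possible, as a small model showing why the order of steps matters. This is an added example, not Nokia code or router output; the Peer class, the SPI values 300 and 301, and the assumption that a packet is lost when the receiver holds no SA for its SPI are constructed for illustration.

```python
# Model only: SPIs 300/301 and the key labels are constructed values.
class Peer:
    MAX_SAS = 2  # two security association indexes exist under encryption

    def __init__(self, sas, active):
        self.sas = dict(sas)   # spi -> key (an opaque label in this model)
        self.active = active   # active-outbound-sa

    def add_sa(self, spi, key):
        if spi not in self.sas and len(self.sas) >= self.MAX_SAS:
            raise ValueError("both SA indexes are already in use")
        self.sas[spi] = key

    def send(self):
        # Egress: only the active outbound SA encrypts.
        return self.active, self.sas.get(self.active)

    def accepts(self, packet):
        # Ingress: either configured SA may decrypt, selected by SPI.
        spi, key = packet
        return key is not None and self.sas.get(spi) == key

def run(steps):
    """Apply (node, action, spi) steps; return the link state after each."""
    nodes = {n: Peer({300: "key-old"}, 300) for n in "AB"}
    states = []
    for name, action, spi in steps:
        node = nodes[name]
        if action == "add":
            node.add_sa(spi, "key-new")
        elif action == "activate":
            node.active = spi
        else:  # "delete"
            node.sas.pop(spi, None)
        a, b = nodes["A"], nodes["B"]
        states.append(b.accepts(a.send()) and a.accepts(b.send()))
    return states

# Install on both nodes, switch egress on both, then retire the old SA.
SAFE = [("A", "add", 301), ("B", "add", 301),
        ("A", "activate", 301), ("B", "activate", 301),
        ("A", "delete", 300), ("B", "delete", 300)]
# Node A switches egress before node B holds the new SA.
UNSAFE = [("A", "add", 301), ("A", "activate", 301),
          ("B", "add", 301), ("B", "activate", 301)]

if __name__ == "__main__":
    print("safe  :", run(SAFE))
    print("unsafe:", run(UNSAFE))
```

In the safe order the link stays usable after every step; in the unsafe order it is down between node A's switch and node B's install.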
hold-on-neighbor-failure multiplier
no hold-on-neighbor-failure
config>redundancy>multi-chassis>peer>mc-firewall
This command specifies the number of keepalive intervals that the local router will wait for packets from the multi-chassis firewall peer before assuming that the remote router has failed. If the configured number of intervals is reached before the local router receives packets from the peer, both routers will return to standalone firewall operation.
The no form of this command resets the number of intervals to the default value.
3
the number of keepalive intervals
keep-alive-interval interval
no keep-alive-interval
config>redundancy>multi-chassis>peer>mc-firewall
This command sets the interval at which keepalive messages are exchanged between the two routers participating in a multi-chassis firewall. These keepalive messages are used to determine whether the remote router has failed.
The no form of the command resets the interval to its default value.
10 (1 s)
the time interval expressed in deciseconds
system-priority value
no system-priority
config>redundancy>multi-chassis>peer>mc-firewall
This command configures the system priority for the routers participating in a multi-chassis firewall. The router configured with the lowest value becomes the master. If system priority is the same for both routers, the router with the lowest system ID (chassis MAC address) becomes the master.
The no form of this command resets the system priority to the default value.
0
the priority of the local multi-chassis firewall peer
[no] mc-lag
config>redundancy>multi-chassis>peer
This command enables the context to configure multi-chassis LAG parameters.
The no form of this command administratively disables multi-chassis LAG. The no mc-lag command can only be issued when MC-LAG is shut down.
n/a
hold-on-neighbor-failure multiplier
no hold-on-neighbor-failure
config>redundancy>multi-chassis>peer>mc-lag
This command sets the number of keepalive intervals the standby 7705 SAR will wait for packets from the active node before assuming a redundant neighbor node failure. This delay in switchover operation is required to accommodate different factors influencing node failure detection rate, such as IGP convergence or high availability switchover times, and to prevent the standby node from taking over prematurely.
The no form of the command sets this parameter to its default value.
3
a multiplier of the keepalive interval is used to set the number of keepalive intervals that the standby node will wait for packets from the active node before assuming a redundant-neighbor node failure.
keep-alive-interval interval
no keep-alive-interval
config>redundancy>multi-chassis>peer>mc-lag
This command sets the interval at which keepalive messages are exchanged between two systems participating in an MC-LAG. These keepalive messages are used to determine remote-node failure.
The no form of the command sets the interval to its default value.
10 (1 s)
the time interval expressed in deciseconds
lag lag-id lacp-key admin-key system-id system-id [remote-lag lag-id] system-priority system-priority
no lag lag-id
config>redundancy>multi-chassis>peer>mc-lag
This command defines a LAG that is forming a redundant pair for MC-LAG with a LAG configured on the given peer. The same LAG group can be defined only in the scope of one peer.
The same lacp-key, system-id, and system-priority must be configured on both nodes of the redundant pair in order for MC-LAG to become operational. If there is a mismatch, MC-LAG remains operationally down.
n/a
the LAG identifier, expressed as a decimal integer. You must specify the LAG ID. Specifying the lag-id allows a mismatch between lag-id on the redundant pair. If you have two existing nodes that already have LAG IDs that do not match, and an MC-LAG is to be created using these nodes, you must specify the correct remote-lag lag-id so that the matching MC-LAG group can be found. If no matching MC-LAG group can be found between neighbor systems, the individual LAGs will operate as usual (no MC-LAG operation is established).
specifies a 16-bit key that needs to be configured in the same manner on both sides of the MC-LAG in order for the MC-LAG to be operationally up
specifies a 6-bit value expressed in the same notation as a MAC address
specifies the LAG ID on the remote system
specifies the system priority to be used in the context of the MC-LAG. The partner system will consider all ports using the same lacp-key, system-id, and system-priority as part of the same LAG.
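A pre-deployment check for the matching rule above, comparing the lag lines from both nodes of a redundant pair before MC-LAG is enabled. This is an added example, not part of the original reference; the sample lines are constructed from the syntax shown, and treating an omitted remote-lag as "same LAG ID on the peer" is an assumption.

```python
import re

# Follows the lag syntax line above; the sample text below is constructed.
LAG_RE = re.compile(
    r"^[ \t]*lag (?P<lag>\d+) lacp-key (?P<key>\d+)"
    r" system-id (?P<sid>[0-9A-Fa-f:]+)(?: remote-lag (?P<remote>\d+))?"
    r" system-priority (?P<prio>\d+)[ \t]*$", re.M)

NODE_A = """\
lag 1 lacp-key 32666 system-id 00:00:00:33:33:33 system-priority 100
lag 2 lacp-key 32667 system-id 00:00:00:44:44:44 remote-lag 5 system-priority 100
"""
NODE_B = """\
lag 1 lacp-key 32666 system-id 00:00:00:33:33:33 system-priority 100
lag 5 lacp-key 32668 system-id 00:00:00:44:44:44 remote-lag 2 system-priority 100
"""

def parse_lags(config):
    """Return {local lag-id: entry} for each mc-lag 'lag' line in the text."""
    lags = {}
    for m in LAG_RE.finditer(config):
        d = m.groupdict()
        lags[int(d["lag"])] = {
            # Assumption: without remote-lag, the peer uses the same LAG ID.
            "remote": int(d["remote"] or d["lag"]),
            "match": (int(d["key"]), d["sid"].lower(), int(d["prio"])),
        }
    return lags

def audit_pair(cfg_a, cfg_b):
    """List reasons why MC-LAG groups on node A would stay operationally down."""
    a, b = parse_lags(cfg_a), parse_lags(cfg_b)
    findings = []
    for lag_id, ea in sorted(a.items()):
        eb = b.get(ea["remote"])
        if eb is None or eb["remote"] != lag_id:
            findings.append(f"lag {lag_id}: no matching lag on peer")
            continue
        names = ("lacp-key", "system-id", "system-priority")
        for name, va, vb in zip(names, ea["match"], eb["match"]):
            if va != vb:
                findings.append(f"lag {lag_id}: {name} {va} != peer {vb}")
    return findings

if __name__ == "__main__":
    for finding in audit_pair(NODE_A, NODE_B):
        print(finding)
```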
source-address ip-address
no source-address
config>redundancy>multi-chassis>peer
This command specifies the source address used to communicate with the multi-chassis peer.
specifies the source address used to communicate with the multi-chassis peer