Security Show, Clear, Debug, Tools, and Admin Command Reference

The command outputs in the following section are examples only; actual displays may differ depending on supported functionality and user configuration.

Security Commands

access-group

Syntax

access-group [group-name]

Context

show>system>security

Description

This command displays SNMP access group information.

Parameters

group-name—

This command displays information for the specified access group.

Output

Security Access Group Output

Table 18 describes security access group output fields..

Table 18: Show System Security Access Group Output Fields

Label	Description
Group name	The access group name.
Security model	The security model required to access the views configured in this node.
Security level	Specifies the required authentication and privacy levels to access the views configured in this node.
Read view	Specifies the variable of the view to read the MIB objects.
Write view	Specifies the variable of the view to configure the contents of the agent.
Notify view	Specifies the variable of the view to send a trap about MIB objects.

Sample Output

A:ALA-4# show system security access-group

===============================================================================

Access Groups

===============================================================================

group name security security read write notify

model level view view view

-------------------------------------------------------------------------------

snmp-ro snmpv1 none no-security no-security

snmp-ro snmpv2c none no-security no-security

snmp-rw snmpv1 none no-security no-security no-security

snmp-rw snmpv2c none no-security no-security no-security

snmp-rwa snmpv1 none iso iso iso

snmp-rwa snmpv2c none iso iso iso

snmp-trap snmpv1 none iso

snmp-trap snmpv2c none iso

===============================================================================

A:ALA-7#

authentication

Syntax

authentication [statistics]

Context

show>system>security

Description

This command displays system login authentication configuration and statistics.

Parameters

statistics—

Appends login and accounting statistics to the display.

Output

Authentication Output

Table 19 describes system security authentication output fields.

Table 19: Show System Security Authentication Output Fields

Label	Description
Sequence	The sequence in which authentication is processed.
Server address	The IP address of the RADIUS server.
Status	Current status of the RADIUS server.
Type	The authentication type.
Timeout (secs)	The number of seconds the router waits for a response from a RADIUS server.
Retry count	Displays the number of times the router attempts to contact the RADIUS server for authentication if there are problems communicating with the server.
Connection errors	Displays the number of times a user has attempted to login irrespective of whether the login succeeded or failed.
Accepted logins	The number of times the user has successfully logged in.
Rejected logins	The number of unsuccessful login attempts.
Sent packets	The number of packets sent.
Rejected packets	The number of packets rejected.

Sample Output

A:ALA-4# show system security authentication

===============================================================================

Authentication sequence : radius tacplus local

===============================================================================

type status timeout (secs) retry count

server address

-------------------------------------------------------------------------------

radius up 5 5

10.10.10.103

radius up 5 5

10.10.10.1

radius up 5 5

10.10.10.2

radius up 5 5

10.10.10.3

-------------------------------------------------------------------------------

radius admin status : up

tacplus admin status : up

health check : enabled (interval 30)

-------------------------------------------------------------------------------

No. of Servers: 4

===============================================================================

A:ALA-4#

A:ALA-7>show>system>security# authentication statistics

===============================================================================

Authentication sequence : radius tacplus local

===============================================================================

type status timeout (secs) retry count

server address

-------------------------------------------------------------------------------

radius up 5 5

10.10.10.103

radius up 5 5

10.10.10.1

radius up 5 5

10.10.10.2

radius up 5 5

10.10.10.3

-------------------------------------------------------------------------------

radius admin status : up

tacplus admin status : up

health check : enabled (interval 30)

-------------------------------------------------------------------------------

No. of Servers: 4

===============================================================================

server address connection errors accepted logins rejected logins

-------------------------------------------------------------------------------

10.10.10.103 0 0 0

10.10.0.1 0 0 0

10.10.0.2 0 0 0

10.10.0.3 0 0 0

local n/a 1 0

===============================================================================

Authorization Statistics (TACACS+)

===============================================================================

server address connection errors sent packets rejected packets

-------------------------------------------------------------------------------

===============================================================================

Accounting Statistics

===============================================================================

server address connection errors sent packets rejected packets

-------------------------------------------------------------------------------

10.10.10.103 0 0 0

10.10.0.1 0 0 0

10.10.0.2 0 0 0

10.10.0.3 0 0 0

===============================================================================

A:ALA-7#

*A:Dut-C# show system security authentication statistics

===============================================================================

Authentication sequence : radius tacplus local

===============================================================================

type status timeout (secs) retry count

server address

-------------------------------------------------------------------------------

radius up 5 5

10.10.10.103

radius up 5 5

10.10.10.1

radius up 5 5

10.10.10.2

radius up 5 5

10.10.10.3

-------------------------------------------------------------------------------

radius admin status : up

tacplus admin status : up

health check : enabled (interval 30)

-------------------------------------------------------------------------------

No. of Servers: 4

===============================================================================

server address conn accepted rejected

errors logins logins

-------------------------------------------------------------------------------

local n/a 4 0

===============================================================================

Authorization Statistics (TACACS+)

===============================================================================

server address conn sent rejected

errors pkts pkts

-------------------------------------------------------------------------------

===============================================================================

Accounting Statistics

===============================================================================

server address conn sent rejected

errors pkts pkts

-------------------------------------------------------------------------------

==============================================================================

communities

Syntax

communities

Context

show>system>security

Description

This command displays SNMP communities.

Output

Communities Output

Table 20 describes community output fields.

Table 20: Show Communities Output Fields

Label	Description
Community	The community string name for SNMPv1 and SNMPv2c access only.
Access	r The community string allows read-only access.
	rw The community string allows read-write access.
	rwa The community string allows read-write access.
	mgmt The unique SNMP community string assigned to the management router.
View	The view name.
Version	The SNMP version.
Group Name	The access group name.
No of Communities	The total number of configured community strings.

Sample Output

A:ALA-48# show system security communities

=============================================================================

Communities

=============================================================================

community access view version group name

-----------------------------------------------------------------------------

cli-readonly r iso v2c cli-readonly

cli-readwrite rw iso v2c cli-readwrite

public r no-security v1 v2c snmp-ro

-----------------------------------------------------------------------------

No. of Communities: 3

=============================================================================

A:ALA-48#

cpm-filter

Syntax

cpm-filter

Context

show>system>security

Description

This command displays CPM filters.

ip-filter

Syntax

ip-filter [entry entry-id]

Context

show>system>security>cpm-filter

Description

This command displays CPM IP filters.

Parameters

entry entry-id—

Identifies a CPM filter entry as configured on this system.

Values—

1 — 2048

Output

CPM Filter Output

Table 21 describes CPM IP filter output fields..

Table 21: Show CPM IP Filter Output Fields

Label	Description
Entry-Id	Displays information about the specified management access filter entry
Dropped	Displays the number of dropped events.
Forwarded	Displays the number of forwarded events.
Description	Displays the CPM filter description.
Log ID	Displays the log ID where matched packets will be logged.
Src IP	Displays the source IP address(/netmask or prefix-list)
Dest. IP	Displays the destination IP address(/netmask).
Src Port	Displays the source port number (range).
Dest. Port	Displays the destination port number (range).
Protocol	Displays the Protocol field in the IP header.
Dscp	Displays the DSCP field in the IP header.
Fragment	Displays the 3-bit fragment flags or 13-bit fragment offset field.
ICMP Type	Displays the ICMP type field in the ICMP header.
ICMP Code	Displays the ICMP code field in the ICMP header.
TCP-syn	Displays the SYN flag in the TCP header.
TCP-ack	Displays the ACK flag in the TCP header
Match action	When the criteria matches, displays drop or forward packet.
Next Hop	In case match action is forward, indicates destination of the matched packet.
Dropped pkts	Indicates number of matched dropped packets
Forwarded pkts	Indicates number of matched forwarded packets.

Sample Output

A:ALA-35# show system security cpm-filter ip-filter

===============================================================================

CPM IP Filters

===============================================================================

Entry-Id Dropped Forwarded Description

-------------------------------------------------------------------------------

101 25880 0 CPM-Filter 10.4.101.2 #101

102 25880 0 CPM-Filter 10.4.102.2 #102

103 25880 0 CPM-Filter 10.4.103.2 #103

104 25882 0 CPM-Filter 10.4.104.2 #104

105 25926 0 CPM-Filter 10.4.105.2 #105

106 25926 0 CPM-Filter 10.4.106.2 #106

107 25944 0 CPM-Filter 10.4.107.2 #107

108 25950 0 CPM-Filter 10.4.108.2 #108

109 25968 0 CPM-Filter 10.4.109.2 #109

110 25984 0 CPM-Filter 10.4.110.2 #110

111 26000 0 CPM-Filter 10.4.111.2 #111

112 26018 0 CPM-Filter 10.4.112.2 #112

113 26034 0 CPM-Filter 10.4.113.2 #113

114 26050 0 CPM-Filter 10.4.114.2 #114

115 26066 0 CPM-Filter 10.4.115.2 #115

116 26084 0 CPM-Filter 10.4.116.2 #116

===============================================================================

A:ALA-35#

A:ALA-35# show system security cpm-filter ip-filter entry 101

===============================================================================

CPM IP Filter Entry

===============================================================================

Entry Id : 101

Description : CPM-Filter 10.4.101.2 #101

-------------------------------------------------------------------------------

Filter Entry Match Criteria :

-------------------------------------------------------------------------------

Log Id : n/a

Src. IP : 10.4.101.2/32 Src. Port : 0

Dest. IP : 10.4.101.1/32 Dest. Port : 0

Protocol : 6 Dscp : ef

ICMP Type : Undefined ICMP Code : Undefined

Fragment : True Option-present : Off

IP-Option : 130/255 Multiple Option : True

TCP-syn : Off TCP-ack : True

Match action : Drop

===============================================================================

A:ALA-35#

ipv6-filter

Syntax

ipv6-filter [entry entry-id]

Context

show>system>security>cpm-filter

Description

This command displays CPM IPv6 filters.

Parameters

entry entry-id—

Identifies a CPM filter entry as configured on this system.

Values—

1 — 2048

ipv6-filter

Syntax

ip-filter [entry entry-id]

Context

show>system>security>cpm-filter

Description

This command displays CPM IPv6 filters and only applies to the 7750 SR and 7950 XRS.

Parameters

entry entry-id—

Identifies a CPM IPv6 filter entry as configured on this system.

Values—

1 — 2048

Output

CPM Filter Output

Table 22 describes CPM IPv6 filter output fields..

Table 22: Show CPM IPv6 Filter Output Fields

Label	Description
Entry-Id	Displays information about the specified management access filter entry
Dropped	Displays the number of dropped events.
Forwarded	Displays the number of forwarded events.
Description	Displays the CPM filter description.
Log ID	Log Id where matched packets will be logged.
Src IP	Displays Source IP address(/netmask)
Dest. IP	Displays Destination IP address(/netmask).
Src Port	Displays Source Port Number (range).
Dest. Port	Displays Destination Port Number (range).
next-header	Displays next-header field in the IPv6 header.
Dscp	Displays Traffic Class field in the IPv6 header.
ICMP Type	Displays ICMP type field in the icmp header.
ICMP Code	Displays ICMP code field in the icmp header.
TCP-syn	Displays the SYN flag in the TCP header.
TCP-ack	Displays the ACK flag in the TCP header
Match action	When criteria matches, displays drop or forward packet.
Next Hop	In case match action is forward, indicates destination of the matched packet.
Dropped pkts	Indicating number of matched dropped packets
Forwarded pkts	Indicating number of matched forwarded packets.

The following is an output example on the 7750 SR:

A:ALA-35# show system security cpm-filter ipv6-filter

===============================================================================

CPM IPv6 Filters

===============================================================================

Entry-Id Dropped Forwarded Description

-------------------------------------------------------------------------------

101 25880 0 CPM-Filter 11::101:2 #101

102 25880 0 CPM-Filter 11::102:2 #102

103 25880 0 CPM-Filter 11::103:2 #103

104 25880 0 CPM-Filter 11::104:2 #104

105 25880 0 CPM-Filter 11::105:2 #105

106 25880 0 CPM-Filter 11::106:2 #106

107 25880 0 CPM-Filter 11::107:2 #107

108 25880 0 CPM-Filter 11::108:2 #108

109 25880 0 CPM-Filter 11::109:2 #109

===============================================================================

A:ALA-35#

A:ALA-35# show system security cpm-filter ipv6-filter entry 101

===============================================================================

CPM IPv6 Filter Entry

===============================================================================

Entry Id : 1

Description : CPM-Filter 11::101:2 #101

-------------------------------------------------------------------------------

Filter Entry Match Criteria :

-------------------------------------------------------------------------------

Log Id : n/a

Src. IP : 11::101:2 Src. Port : 0

Dest. IP : 11::101:1 Dest. Port : 0

next-header : none Dscp : Undefined

ICMP Type : Undefined ICMP Code : Undefined

TCP-syn : Off TCP-ack : Off

Match action : Drop

Dropped pkts : 25880 Forwarded pkts : 0

===============================================================================

A:ALA-35#

cpm-queue

Syntax

cpm-queue queue-id

Context

show>system>security

Description

Displays CPM queues.

Parameters

queue-id—

Specifies an integer value that identifies a CPM queue.

Values—

0, 33 — 2000

Output

CPM queue Output

Table 23 describes CPM queue output fields..

Table 23: Show CPM IPv6 Filter Output Fields

Label	Description
PIR	Displays the administrative Peak Information Rate (PIR) for the queue.
CIR	Displays the amount of bandwidth committed to the queue.
CBS	Displays the amount of buffer drawn from the reserved buffer portion of the queue’s buffer pool.
MBS	Displays the maximum queue depth to which a queue can grow.

Sample Output

A:ALA-35# show system security cpm-queue 1001

===============================================================================

CPM Queue Entry

===============================================================================

Queue Id : 1001

-------------------------------------------------------------------------------

Queue Parameters :

-------------------------------------------------------------------------------

PIR : 10000000 CIR : 1000000

CBS : 4096 MBS : 8192

===============================================================================

A:ALA-35#

cpu-protection

Syntax

cpu-protection

Context

show>system>security

Description

This command enables the context to display CPU protection information.

Output

Sample Output

show system security cpu-protection eth-cfm-monitoring

===============================================================================

SAP's where the protection policy Eth-CFM rate limit is exceeded

===============================================================================

SAP-Id Service-Id Plcy

-------------------------------------------------------------------------------

1/1/1 3 100

-------------------------------------------------------------------------------

1 SAP('s) found

===============================================================================

SDP's where the protection policy Eth-CFM rate limit is exceeded

===============================================================================

SDP-Id Service-Id Plcy

-------------------------------------------------------------------------------

1:3 3 100

-------------------------------------------------------------------------------

1 SDP('s) found

===============================================================================

show system security cpu-protection eth-cfm-monitoring service-id 3 sap-id 1/1/1

===============================================================================

Flows exceeding the Eth-CFM monitoring rate limit

===============================================================================

Service-Id : 3

SAP-Id : 1/1/1

Plcy : 100

-------------------------------------------------------------------------------

Limit MAC-Address Level OpCode

First-Time Last-Time Violation-Periods

-------------------------------------------------------------------------------

0 8c:8c:8c:8c:8c:8c 1 18

03/21/2009 23:32:29 03/21/2009 23:34:39 4000000019

61234 8d:8d:8d:8d:8d:8d 2 19

03/21/2009 23:32:39 03/21/2009 23:34:59 4000000020

61234 Aggregated 3 20

03/21/2009 23:32:49 03/21/2009 23:35:19 4000000021

61234 8f:8f:8f:8f:8f:8f 4 21

03/21/2009 23:32:59 03/21/2009 23:35:39 4000000022

61234 90:90:90:90:90:90 5 22

03/21/2009 23:33:09 03/21/2009 23:35:59 4000000023

61234 91:91:91:91:91:91 6 23

03/21/2009 23:33:19 03/21/2009 23:36:19 4000000024

61234 92:92:92:92:92:92 7 24

03/21/2009 23:33:29 03/21/2009 23:36:39 4000000025

max Aggregated 0 25

03/21/2009 23:33:39 03/21/2009 23:36:59 4000000026

0 94:94:94:94:94:94 1 26

03/21/2009 23:33:49 03/21/2009 23:37:19 4000000027

-------------------------------------------------------------------------------

9 flows(s) found

===============================================================================

show system security cpu-protection eth-cfm-monitoring service-id 3 sdp-id 1:3

===============================================================================

Flows exceeding the Eth-CFM monitoring rate limit

===============================================================================

Service-Id : 3

SDP-Id : 1:3

Plcy : 100

-------------------------------------------------------------------------------

Limit MAC-Address Level OpCode

First-Time Last-Time Violation-Periods

-------------------------------------------------------------------------------

0 8c:8c:8c:8c:8c:8c 1 18

03/21/2009 23:32:29 03/21/2009 23:34:39 3000000019

61234 8d:8d:8d:8d:8d:8d 2 19

03/21/2009 23:32:39 03/21/2009 23:34:59 3000000020

61234 Aggregated 3 20

03/21/2009 23:32:49 03/21/2009 23:35:19 3000000021

61234 8f:8f:8f:8f:8f:8f 4 21

03/21/2009 23:32:59 03/21/2009 23:35:39 3000000022

61234 90:90:90:90:90:90 5 22

03/21/2009 23:33:09 03/21/2009 23:35:59 3000000023

61234 91:91:91:91:91:91 6 23

03/21/2009 23:33:19 03/21/2009 23:36:19 3000000024

61234 92:92:92:92:92:92 7 24

03/21/2009 23:33:29 03/21/2009 23:36:39 3000000025

max Aggregated 0 25

03/21/2009 23:33:39 03/21/2009 23:36:59 3000000026

0 94:94:94:94:94:94 1 26

03/21/2009 23:33:49 03/21/2009 23:37:19 3000000027

-------------------------------------------------------------------------------

9 flow(s) found

===============================================================================

show system security cpu-protection excessive-sources service-id 3 sdp-id 1:3

===============================================================================

Sources exceeding the per-source rate limit

===============================================================================

Service-Id : 3

SDP-Id : 1:3

Plcy : 100

Limit : 65534

-------------------------------------------------------------------------------

MAC-Address First-Time Last-Time Violation-Periods

-------------------------------------------------------------------------------

00:00:00:00:00:01 03/22/2009 00:41:59 03/22/2009 01:53:39 3000000043

00:00:00:00:00:02 03/22/2009 00:43:39 03/22/2009 01:56:59 3000000044

00:00:00:00:00:03 03/22/2009 00:45:19 03/22/2009 02:00:19 3000000045

00:00:00:00:00:04 03/22/2009 00:46:59 03/22/2009 02:03:39 3000000046

00:00:00:00:00:05 03/22/2009 00:48:39 03/22/2009 02:06:59 3000000047

-------------------------------------------------------------------------------

5 source(s) found

===============================================================================

show system security cpu-protection violators sdp

===============================================================================

SDP's where the protection policy overall rate limit is violated

===============================================================================

SDP-Id Service-Id

Plcy Limit First-Time Last-Time Violation-Periods

-------------------------------------------------------------------------------

1:1 3

100 61234 05/01/2010 01:43:53 06/27/2010 22:37:20 3000000007

1:2 3

255 max 05/01/2010 01:43:55 06/27/2010 22:37:23 3000000008

1:3 3

100 61234 05/01/2010 01:43:57 06/27/2010 22:37:26 3000000009

1:4 3

255 max 05/01/2010 01:43:59 06/27/2010 22:37:29 3000000010

1:5 3

100 61234 05/01/2010 01:44:01 06/27/2010 22:37:32 3000000011

-------------------------------------------------------------------------------

5 SDP('s) found

===============================================================================

show system security cpu-protection excessive-sources

===============================================================================

SAP's where the protection policy per-source rate limit is exceeded

===============================================================================

SAP-Id Service-Id

Plcy Limit

-------------------------------------------------------------------------------

1/1/1 3

100 65534

-------------------------------------------------------------------------------

1 SAP('s) found

===============================================================================

SDP's where the protection policy per-source rate limit is exceeded

===============================================================================

SDP-Id Service-Id Plcy Limit

-------------------------------------------------------------------------------

1:3 3 100 65534

1:4 3 255 max

1:5 3 100 65534

-------------------------------------------------------------------------------

3 SDP('s) found

===============================================================================

show system security cpu-protection policy association

===============================================================================

Associations for CPU Protection policy 100

===============================================================================

Description : (Not Specified)

SAP associations

-------------------------------------------------------------------------------

Service Id : 3 Type : VPLS

SAP 1/1/1 mac-monitoring

SAP 1/1/2 eth-cfm-monitoring aggr car

SAP 1/1/3 eth-cfm-monitoring

SAP 1/1/4

-------------------------------------------------------------------------------

Number of SAP's : 4

SDP associations

-------------------------------------------------------------------------------

Service Id : 3 Type : VPLS

SDP 1:1 eth-cfm-monitoring aggr car

SDP 1:3 eth-cfm-monitoring aggr

SDP 1:5 mac-monitoring

SDP 17407:4123456789 eth-cfm-monitoring car

-------------------------------------------------------------------------------

Number of SDP's : 4

Interface associations

-------------------------------------------------------------------------------

None

Managed SAP associations

-------------------------------------------------------------------------------

None

Video-Interface associations

-------------------------------------------------------------------------------

None

===============================================================================

Associations for CPU Protection policy 254

===============================================================================

Description : Default (Modifiable) CPU-Protection Policy assigned to Access

Interfaces

SAP associations

-------------------------------------------------------------------------------

None

SDP associations

-------------------------------------------------------------------------------

None

Interface associations

-------------------------------------------------------------------------------

Router-Name : Base

ies6If

Router-Name : vprn7

vprn7If

-------------------------------------------------------------------------------

Number of interfaces : 2

Managed SAP associations

-------------------------------------------------------------------------------

None

Video-Interface associations

-------------------------------------------------------------------------------

None

===============================================================================

Associations for CPU Protection policy 255

===============================================================================

Description : Default (Modifiable) CPU-Protection Policy assigned to Network

Interfaces

SAP associations

-------------------------------------------------------------------------------

None

SDP associations

-------------------------------------------------------------------------------

Service Id : 3 Type : VPLS

SDP 1:2

SDP 1:4 eth-cfm-monitoring

Service Id : 6 Type : IES

SDP 1:6

Service Id : 7 Type : VPRN

SDP 1:7

Service Id : 9 Type : Epipe

SDP 1:9

Service Id : 300 Type : VPLS

SDP 1:300

-------------------------------------------------------------------------------

Number of SDP's : 6

Interface associations

-------------------------------------------------------------------------------

Router-Name : Base

system

-------------------------------------------------------------------------------

Number of interfaces : 1

Managed SAP associations

-------------------------------------------------------------------------------

None

Video-Interface associations

-------------------------------------------------------------------------------

None

===============================================================================

show system security cpu-protection policy 100 association

===============================================================================

Associations for CPU Protection policy 100

===============================================================================

Description : (Not Specified)

SAP associations

-------------------------------------------------------------------------------

Service Id : 3 Type : VPLS

SAP 1/1/1 mac-monitoring

SAP 1/1/2 eth-cfm-monitoring aggr car

SAP 1/1/3 eth-cfm-monitoring

SAP 1/1/4

-------------------------------------------------------------------------------

Number of SAP's : 4

SDP associations

-------------------------------------------------------------------------------

Service Id : 3 Type : VPLS

SDP 1:1 eth-cfm-monitoring aggr car

SDP 1:3 eth-cfm-monitoring aggr

SDP 1:5 mac-monitoring

SDP 17407:4123456789 eth-cfm-monitoring car

-------------------------------------------------------------------------------

Number of SDP's : 4

Interface associations

-------------------------------------------------------------------------------

None

Managed SAP associations

-------------------------------------------------------------------------------

None

Video-Interface associations

-------------------------------------------------------------------------------

None

===============================================================================

A:bksim130#

show system security cpu-protection violators

==============================================================================

Ports where a rate limit is violated

===============================================================================

Port-Id

Type Limit First-Time Last-Time Violation-Periods

-------------------------------------------------------------------------------

No ports found

===============================================================================

Interfaces where the protection policy overall rate limit is violated

===============================================================================

Interface-Name Router-Name

Plcy Limit First-Time Last-Time Violation-Periods

-------------------------------------------------------------------------------

No interfaces found

===============================================================================

SAP's where the protection policy overall rate limit is violated

===============================================================================

SAP-Id Service-Id

Plcy Limit First-Time Last-Time Violation-Periods

-------------------------------------------------------------------------------

1/1/1 3

100 61234 05/01/2010 01:43:41 06/27/2010 22:37:02 3000000001

-------------------------------------------------------------------------------

1 SAP('s) found

===============================================================================

SDP's where the protection policy overall rate limit is violated

===============================================================================

SDP-Id Service-Id

Plcy Limit First-Time Last-Time Violation-Periods

-------------------------------------------------------------------------------

1:1 3

100 61234 05/01/2010 01:43:41 06/27/2010 22:37:02 3000000001

1:2 3

255 max 05/01/2010 01:43:43 06/27/2010 22:37:05 3000000002

1:3 3

100 61234 05/01/2010 01:43:45 06/27/2010 22:37:08 3000000003

1:4 3

255 max 05/01/2010 01:43:47 06/27/2010 22:37:11 3000000004

1:5 3

100 61234 05/01/2010 01:43:49 06/27/2010 22:37:14 3000000005

-------------------------------------------------------------------------------

5 SDP('s) found

===============================================================================

Video clients where the protection policy per-source rate limit is violated

===============================================================================

Client IP Address Video-Interface Service-Id

Plcy Limit First-Time Last-Time Violation-Periods

-------------------------------------------------------------------------------

No clients found

===============================================================================

eth-cfm-monitoring

Syntax

eth-cfm-monitoring [{service-id service-id sap-id sap-id} | {service-id service-id sdp-id sdp-id:vc-id}]

Context

show>system>security>cpu-protection

Description

This command displays sources exceeding their eth-cfm-monitoring rate limit.

dist-cpu-protection

Syntax

dist-cpu-protection

Context

show>card>fp

Description

This command displays Distributed CPU Protection parameters and status at the per card and forwarding plane level.

Output

Table 24 describes Distributed CPU Protection output fields.

Table 24: Show Distributed CPU Protection Output Fields

Label	Description
Card	The card identifier
Forwarding Plane(FP)	Identifies the instance of the FP (FastPath) chipset. Some cards have a single FP (for example, an IOM3-XP) and some cards can contain multiple FPs (for example, an IOM2 has two FPs and an XCM can house two FPs via its two XMAs).
Dynamic Enforcement Policer Pool	The configured size of the dynamic-enforcement-policer-pool for this card/FP.
Dynamic-Policers Currently In Use	The number of policers from the dynamic enforcement policer pool that are currently in use. The policers are allocated from the pool and instantiated as per-object-per-protocol dynamic enforcement policers after a local monitor triggered for an object (such as a SAP or Network Interface).
Hi-WaterMark Hit Count	The maximum Currently In Use value since it was last cleared (clear card x fp y dist-cpu-protection)
Hi-WaterMark Hit Time	The time at which the current Hi-WaterMark Hit Count was first recorded.
Dynamic-Policers Allocation Fail Count	Indicates how many times the system attempted to allocate dynamic enforcement policers but could not get enough the fill the request.

Sample Output

*A:nodeA# show card 1 fp 1 dist-cpu-protection

===============================================================================

Card : 1 Forwarding Plane(FP) : 1

===============================================================================

Dynamic Enforcement Policer Pool : 2000

-------------------------------------------------------------------------------

Statistics Information

-------------------------------------------------------------------------------

Dynamic-Policers Currently In Use : 48

Hi-WaterMark Hit Count : 72

Hi-WaterMark Hit Time : 01/03/2013 15:08:42 UTC

Dynamic-Policers Allocation Fail Count : 0

-------------------------------------------------------------------------------

===============================================================================

dist-cpu-protection

Syntax

dist-cpu-protection [detail]

Context

show>service>id>sap

Description

This command displays Distributed CPU Protection parameters and status at the per SAP level.

Parameters

detail—

Include the adapted operational rate parameters in the CLI output. The adapted Oper. parameters are only applicable if the policer is instantiated (for example, if the associated forwarding plane is operational, or for an interface if there is a physical port configured for the interface, or if the dynamic policers are allocated), otherwise values of 0 kbps, etc are displayed.

Output

Distributed CPU Protection Policer Output

Table 25 describes Distributed CPU Protection Policer Output output fields.

Table 25: Show Distributed CPU Protection Policer Output Fields

Label	Description
Distributed CPU Protection Policy	The DCP policy assigned to the object.
Policer-Name	The configured name of the static policer
Card/FP	The card and FP identifier. FP identifies the instance of the FP (FastPath) chipset. Some cards have a single FP (for example, IOM3-XP) and some cards can contain multiple FPs (for example, an IOM2 has two FPs and an XCM can house two FPs via its two XMAs).
Policer-State	The state of the policer with the following potential values:
	Exceed - The policer has been detected as non-conformant to the associated DCP policy parameters (e.g. packets exceeded the configured rate and the DCP polling process identified this occurrence)
	Conform - The policer has been detected as conformant to the associated DCP policy parameters (rate)
	not-applicable - Newly created policers or policers that are not currently instantiated. This includes policers configured on linecards that are not in service.
Protocols Mapped	A list of protocols that are configured to map to the particular policer.
Oper. xyz fields	The actual hardware may not be able to perfectly rate limit to the exact configured rate parameters in a DCP policy. In this case the configured rate parameters will be adapted to the closest supported rate. These adapted operational values are displayed in CLI when the “detail” keyword is included in the show command. The adapted Oper. parameters are only applicable if the policer is instantiated (e.g. if the associated forwarding plane is operational, or for an interface if there is a physical port configured for the interface, or if the dynamic policers are allocated), otherwise values of 0 kbps, etc are displayed.
	Oper. Kbps - The adapted ‘kilobits-per-second’ value for DCP ‘kbps’ rates
	Oper. MBS - The adapted ‘mbs size’ value for DCP ‘kbps’ rates
	Oper. Depth - The calculated policer bucket depth in packets (for DCP ‘packets’ rates) or in bytes (for DCP ‘kbps’rates)
	Oper. Packets - The adapted ‘ppi’ value for DCP ‘packets’ rates
	Oper. Within - The adapted ‘within seconds’ value for DCP ‘packets’ rates
	Oper. Init. Delay - The adapted ‘initial-delay packets’ value for DCP ‘packets’ rates
Exceed-Count	The count of packets exceeding the policing parameters since the given policer was previously declared as conformant or newly instantiated. This counter has the same behavior as the exceed counter in the DCP the log events – they are baselined (reset) when the policer transitions to conformant.
Detec. Time Remain	The remaining time in the detection-time countdown during which a policer in the exceed state is being monitored to see if it is once again conformant.
Hold-Down Remain	The remaining time in the hold-down countdown during which a policer is treating all packets as exceeding.
All Dyn-Plcr Alloc.	Indicates that all the dynamic enforcement policers have been allocated and instantiated for a given local-monitor.
Dyn-Policer Alloc.	Indicates that a dynamic policer has been instantiated.

Sample Output

*A:nodeA# show service id 33 sap 1/1/3:33 dist-cpu-protection detail

===============================================================================

Service Access Points(SAP) 1/1/3:33

===============================================================================

Distributed CPU Protection Policy : test1

-------------------------------------------------------------------------------

Statistics/Policer-State Information

===============================================================================

-------------------------------------------------------------------------------

Static Policer

-------------------------------------------------------------------------------

Policer-Name : arp

Card/FP : 1/1 Policer-State : Conform

Protocols Mapped : arp

Exceed-Count : 0

Detec. Time Remain : 0 seconds Hold-Down Remain. : none

Operational (adapted) rate parameters:

Oper. Packets : 5 ppi Oper. Within : 8 seconds

Oper. Initial Delay: 6 packets

Oper. Depth : 0 packets

Policer-Name : dhcp

Card/FP : 1/1 Policer-State : Conform

Protocols Mapped : dhcp

Exceed-Count : 0

Detec. Time Remain : 0 seconds Hold-Down Remain. : none

Operational (adapted) rate parameters:

Oper. Kbps : 2343 kbps Oper. MBS : 240 kilobytes

Oper. Depth : 0 bytes

… (snip)

*A:nodaA# show service id 33 sap 1/1/3:34 dist-cpu-protection detail

===============================================================================

Service Access Points(SAP) 1/1/3:34

===============================================================================

Distributed CPU Protection Policy : test2

-------------------------------------------------------------------------------

Statistics/Policer-State Information

===============================================================================

-------------------------------------------------------------------------------

Static Policer

-------------------------------------------------------------------------------

No entries found

-------------------------------------------------------------------------------

Local-Monitoring Policer

-------------------------------------------------------------------------------

Policer-Name : my-local-mon1

Card/FP : 1/1 Policer-State : conform

Protocols Mapped : arp, pppoe-pppoa

Exceed-Count : 0

All Dyn-Plcr Alloc. : False

Operational (adapted) rate parameters:

Oper. Packets : 10 ppi Oper. Within : 8 seconds

Oper. Initial Delay: 8 packets

Oper. Depth : 0 packets

-------------------------------------------------------------------------------

Dynamic-Policer (Protocol)

-------------------------------------------------------------------------------

Protocol(Dyn-Plcr) : arp

Card/FP : 1/1 Protocol-State : not-applicable

Exceed-Count : 0

Detec. Time Remain : 0 seconds Hold-Down Remain. : none

Dyn-Policer Alloc. : False

Operational (adapted) rate parameters: unknown

Protocol(Dyn-Plcr) : pppoe-pppoa

Card/FP : 1/1 Protocol-State : not-applicable

Exceed-Count : 0

Detec. Time Remain : 0 seconds Hold-Down Remain. : none

Dyn-Policer Alloc. : False

Operational (adapted) rate parameters: unknown

-------------------------------------------------------------------------------

dist-cpu-protection

Syntax

dist-cpu-protection [detail]

Context

show>router>interface

Description

This command displays Distributed CPU Protection parameters and status at the router Interface level.

Parameters

detail —

Output

Distributed CPU Protection Policer Output

Table 26 describes Distributed CPU Protection Policer Output output fields.

Table 26: Show Distributed CPU Protection Policer Output Fields

Label	Description
Distributed CPU Protection Policy	The DCP policy assigned to the object.
Policer-Name	The configured name of the static policer
Card/FP	The card and FP identifier. FP identifies the instance of the FP (FastPath) chipset. Some cards have a single FP (for example, IOM3-XP) and some cards can contain multiple FPs (for example, an IOM2 has two FPs and an XCM can house two FPs via its two XMAs).
Policer-State	The state of the policer with the following potential values:
	Exceed - The policer has been detected as non-conformant to the associated DCP policy parameters (e.g. packets exceeded the configured rate and the DCP polling process identified this occurence)
	Conform - The policer has been detected as conformant to the associated DCP policy parameters (rate)
	not-applicable - Newly created policers or policers that are not currently instantiated. This includes policers configured on linecards that are not in service.
Protocols Mapped	A list of protocols that are configured to map to the particular policer.
Oper. xyz fields	The actual hardware may not be able to perfectly rate limit to the exact configured rate parameters in a DCP policy. In this case the configured rate parameters will be adapted to the closest supported rate. These adapted operational values are displayed in CLI when the “detail” keyword is included in the show command. The adapted Oper. parameters are only applicable if the policer is instantiated (e.g. if the associated forwarding plane is operational, or for an interface if there is a physical port configured for the interface, or if the dynamic policers are allocated), otherwise values of 0 kbps, etc are displayed.
	Oper. Kbps - The adapted ‘kilobits-per-second’ value for DCP ‘kbps’ rates
	Oper. MBS - The adapted ‘mbs size’ value for DCP ‘kbps’ rates
	Oper. Depth - The calculated policer bucket depth in packets (for DCP ‘packets’ rates) or in bytes (for DCP ‘kbps’rates)
	Oper. Packets - The adapted ‘ppi’ value for DCP ‘packets’ rates
	Oper. Within - The adapted ‘within seconds’ value for DCP ‘packets’ rates
	Oper. Init. Delay - The adapted ‘initial-delay packets’ value for DCP ‘packets’ rates
Exceed-Count	The count of packets exceeding the policing parameters since the given policer was previously declared as conformant or newly instantiated. This counter has the same behavior as the exceed counter in the DCP the log events – they are baselined (reset) when the policer transitions to conformant.
Detec. Time Remain	The remaining time in the detection-time countdown during which a policer in the exceed state is being monitored to see if it is once again conformant.
Hold-Down Remain	The remaining time in the hold-down countdown during which a policer is treating all packets as exceeding.
All Dyn-Plcr Alloc.	Indicates that all the dynamic enforcement policers have been allocated and instantiated for a given local-monitor.
Dyn-Policer Alloc.	Indicates that a dynamic policer has been instantiated.

Sample Output

*A:Dut-A# show router interface "test" dist-cpu-protection detail

===============================================================================

Interface "test" (Router: Base)

===============================================================================

Distributed CPU Protection Policy : dcpuPol

-------------------------------------------------------------------------------

Statistics/Policer-State Information

===============================================================================

-------------------------------------------------------------------------------

Static Policer

-------------------------------------------------------------------------------

Policer-Name : staticArpPolicer

Card/FP : 4/1 Policer-State : Exceed

Protocols Mapped : arp

Exceed-Count : 10275218

Detec. Time Remain : 29 seconds Hold-Down Remain. : none

Operational (adapted) Rate Parameters:

Oper. Packets : 100 ppi Oper. Within : 1 seconds

Oper. Initial Delay: none

Oper. Depth : 100 packets

-------------------------------------------------------------------------------

Local-Monitoring Policer

-------------------------------------------------------------------------------

Policer-Name : localMonitor

Card/FP : 4/1 Policer-State : Exceed

Protocols Mapped : icmp, ospf

Exceed-Count : 8019857

All Dyn-Plcr Alloc. : True

Operational (adapted) Rate Parameters:

Oper. Packets : 200 ppi Oper. Within : 1 seconds

Oper. Initial Delay: none

Oper. Depth : 0 packets

-------------------------------------------------------------------------------

Dynamic-Policer (Protocol)

-------------------------------------------------------------------------------

Protocol(Dyn-Plcr) : icmp

Card/FP : 4/1 Protocol-State : Exceed

Exceed-Count : 1948137

Detec. Time Remain : 29 seconds Hold-Down Remain. : none

Dyn-Policer Alloc. : True

Operational (adapted) Rate Parameters:

Oper. Kbps : 25 kbps Oper. MBS : 256 bytes

Oper. Depth : 274 bytes

Protocol(Dyn-Plcr) : ospf

Card/FP : 4/1 Protocol-State : Exceed

Exceed-Count : 1487737

Detec. Time Remain : 29 seconds Hold-Down Remain. : none

Dyn-Policer Alloc. : True

Operational (adapted) Rate Parameters:

Oper. Kbps : 25 kbps Oper. MBS : 256 bytes

Oper. Depth : 284 bytes

-------------------------------------------------------------------------------

===============================================================================

excessive-sources

Syntax

excessive-sources [service-id service-id sap-id sap-id]

Context

show>system>security>cpu-protection

Description

This command displays sources exceeding their per-source rate limit.

Parameters

service-id service-id —

Displays information for services exceeding their per-source rate limit.

sap-id sap-id—

Displays information for SAPs exceeding their per-source rate limit.

policy

Syntax

policy [policy-id] association

Context

show>system>security>cpu-protection

show>system>security>dist-cpu-protection

Description

This command displays CPU protection policy information.

Parameters

policy-id—

Displays CPU protection policy information for the specified policy ID>

association—

This keyword displays policy-id associations.

protocol-protection

Syntax

protocol-protection

Context

show>system>security>cpu-protection

Description

This command display all interfaces with non-zero drop counters.

violators

Syntax

violators [port] [interface] [sap] [video] [sdp]

Context

show>system>security>cpu-protection

Description

This command displays all interfaces, ports or SAPs with CPU protection policy violators. It also includes objects (saps, interfaces) that exceed the out-profile-rate and have the log-events keyword enabled for the out-profile-rate in the cpu-protection policy associated with the object.

Parameters

port—

Displays violators associated with the port.

interface—

Displays violators associated with the interface.

sap—

Displays violators associated with the SAP.

video—

Displays violators associated with the video entity.

sdp—

Displays violators associated with the SDP.

Output

The following is an output example on the 7750 SR:

*A:SecuritySR7>config>sys>security>cpu-protection>policy# show system security

cpu-protection violators

===============================================================================

Ports where a rate limit is violated

===============================================================================

Port-Id

Type Limit First-Time Last-Time Violation-Periods

-------------------------------------------------------------------------------

No ports found

===============================================================================

Interfaces where the protection policy overall rate limit is violated

===============================================================================

Interface-Name Router-Name

Plcy Limit First-Time Last-Time Violation-Periods

-------------------------------------------------------------------------------

toIxia Base

255 1000 10/02/2012 18:38:23 10/02/2012 18:39:31 70

-------------------------------------------------------------------------------

1 interface(s) found

===============================================================================

SAP's where the protection policy overall rate limit is violated

===============================================================================

SAP-Id Service-Id

Plcy Limit First-Time Last-Time Violation-Periods

-------------------------------------------------------------------------------

No SAP's found

===============================================================================

SDP's where the protection policy overall rate limit is violated

===============================================================================

SDP-Id Service-Id

Plcy Limit First-Time Last-Time Violation-Periods

-------------------------------------------------------------------------------

No SDP's found

===============================================================================

Video clients where the protection policy per-source rate limit is violated

===============================================================================

Client IP Address Video-Interface Service-Id

Plcy Limit First-Time Last-Time Violation-Periods

-------------------------------------------------------------------------------

No clients found

===============================================================================

mac-filter

Syntax

mac-filter [entry entry-id]

Context

show>system>security>cpm-filter

Description

This command displays CPM MAC filters.

Parameters

entry entry-id—

Displays information about the specified entry.

Values—

1 — 2048

Output

Sample Output

*B:bksim67# show system security cpm-filter mac-filter

===============================================================================

CPM Mac Filter (applied)

===============================================================================

Entry-Id Dropped Forwarded Description

-------------------------------------------------------------------------------

1 23002 47094

-------------------------------------------------------------------------------

Num CPM Mac filter entries: 1

===============================================================================

*B:bksim67#

mac-filter

Syntax

mac-filter [entry entry-id]

Context

show>system>security>management-access-filter

Description

This command displays management access MAC filters.

Parameters

entry entry-id—

Displays information about the specified entry.

Values—

1 — 9999

Output

Sample Output

*B:bksim67# show system security management-access-filter mac-filter

=============================================================================

Mac Management Access Filter

=============================================================================

filter type : mac

Def. Action : permit

Admin Status : enabled (no shutdown)

-------------------------------------------------------------------------------

Entry : 1 Action : deny

FrameType : ethernet_II Svc-Id : Undefined

Src Mac : Undefined

Dest Mac : Undefined

Dot1p : Undefined Ethertype : Disabled

DSAP : Undefined SSAP : Undefined

Snap-pid : Undefined ESnap-oui-zero : Undefined

cfm-opcode : Undefined

Log : disabled Matches : 0

=============================================================================

*B:bksim67#

keychain

Syntax

keychain [key-chain] [detail]

Context

show>system>security

Description

This command displays keychain information.

Parameters

key-chain—

Specifies the keychain name to display.

detail—

Displays detailed keychain information.

Output

Sample Output

*A:ALA-A# show system security keychain test

===============================================================================

Key chain:test

===============================================================================

TCP-Option number send : 254 Admin state : Up

TCP-Option number receive : 254 Oper state : Up

===============================================================================

*A:ALA-A#

*A:ALA-A# show system security keychain test detail

===============================================================================

Key chain:test

===============================================================================

TCP-Option number send : 254 Admin state : Up

TCP-Option number receive : 254 Oper state : Up

===============================================================================

Key entries for key chain: test

===============================================================================

Id : 0

Direction : send-receive Algorithm : hmac-sha-1-96

Admin State : Up Valid : Yes

Active : Yes Tolerance : 300

Begin Time : 2007/02/15 18:28:37 Begin Time (UTC) : 2007/02/15 17:28:37

End Time : N/A End Time (UTC) : N/A

===============================================================================

Id : 1

Direction : send-receive Algorithm : aes-128-cmac-96

Admin State : Up Valid : Yes

Active : No Tolerance : 300

Begin Time : 2007/02/15 18:27:57 Begin Time (UTC) : 2007/02/15 17:27:57

End Time : 2007/02/15 18:28:13 End Time (UTC) : 2007/02/15 17:28:13

===============================================================================

Id : 2

Direction : send-receive Algorithm : aes-128-cmac-96

Admin State : Up Valid : Yes

Active : No Tolerance : 500

Begin Time : 2007/02/15 18:28:13 Begin Time (UTC) : 2007/02/15 17:28:13

End Time : 2007/02/15 18:28:37 End Time (UTC) : 2007/02/15 17:28:37

===============================================================================

*A:ALA-A#

management-access-filter

Syntax

management-access-filter

Context

show>system>security

Description

This commend displays management access filter information for IP and MAC filters.

ip-filter

Syntax

ip-filter [entry entry-id]

Context

show>system>security>mgmt-access-filter

Description

This command displays management-access IP filters.

Parameters

entry-id—

Displays information for the specified entry.

Values—

1 — 9999

Output

Management Access Filter Output

Table 27 describes management access filter output fields.

Table 27: Show Management Access Filter Output Fields

Label	Description
Def. action	Permit Specifies that packets not matching the configured selection criteria in any of the filter entries are permitted.
	Deny Specifies that packets not matching the configured selection criteria in any of the filter entries are denied and that a ICMP host unreachable message will be issued.
	Deny-host-unreachble Specifies that packets not matching the configured selection criteria in the filter entries are denied.
Entry	The entry ID in a policy or filter table.
Description	A text string describing the filter.
Src IP	The source IP address used for management access filter match criteria.
Src interface	The interface name for the next hop to which the packet should be forwarded if it hits this filter entry.
Dest port	The destination port.
Matches	The number of times a management packet has matched this filter entry.
Protocol	The IP protocol to match.
Action	The action to take for packets that match this filter entry.

Sample Output

*A:Dut-F# show system security management-access-filter ip-filter

=============================================================================

IPv4 Management Access Filter

=============================================================================

filter type: : ip

Def. Action : permit

Admin Status : enabled (no shutdown)

-----------------------------------------------------------------------------

Entry : 1

Src IP : 192.168.0.0/16

Src interface : undefined

Dest port : undefined

Protocol : undefined

Router : undefined

Action : none

Log : disabled

Matches : 0

=============================================================================

*A:Dut-F#

ipv6-filter

Syntax

ipv6-filter [entry entry-id]

Context

show>system>security>mgmt-access-filter

Description

This command displays management-access IPv6 filters and only applies to the 7750 SR and 7950 XRS.

Parameters

entry-id—

Specifies the IPv6 filter entry ID to display.

Values—

1 — 9999

Output

Sample Output

*A:Dut-C# show system security management-access-filter ipv6-filter entry 1

=============================================================================

IPv6 Management Access Filter

=============================================================================

filter type : ipv6

Def. Action : permit

Admin Status : enabled (no shutdown)

-----------------------------------------------------------------------------

Entry : 1

Src IP : 2001::1/128

Flow label : undefined

Src interface : undefined

Dest port : undefined

Next-header : undefined

Router : undefined

Action : permit

Log : enabled

Matches : 0

=============================================================================

*A:Dut-C# s

password-options

Syntax

password-options

Context

show>system>security

Description

This command displays configured password options.

Output

Password Options Output

Table 28 describes password options output fields.

Table 28: Show Password Options Output Fields

Label	Description
Password aging in days	Displays the number of days a user password is valid before the user must change their password.
Time required between password changes	Displays the time interval between changed passwords.
Number of invalid attempts permitted per login	Displays the number of unsuccessful login attempts allowed for the specified time.
Time in minutes per login attempt	Displays the period of time, in minutes, that a specified number of unsuccessful attempts can be made before the user is locked out.
Lockout period (when threshold breached)	Displays the number of minutes that the user is locked out if the threshold of unsuccessful login attempts has been exceeded.
Authentication order	Displays the sequence in which password authentication is attempted among RADIUS, TACACS+, and local passwords.
User password history length	Displays the size of the password history file to be stored.
Accepted password length	Displays the minimum length required for local passwords.
Credits for each character type	Displays the credit for each character type. A credit is obtained for a particular character type; for example, uppercase, lowercase, numeric, or special character. Credits per character type are configurable. Credits can be used towards the minimum length of the password, so a trade-off can be made between a very long, simple password and a short, complex one.
Required character types	Displays the character types that are required in a password; for example, uppercase, lowercase, numeric, or special character.
Minimum number different character types	Displays the minimum number of each different character types in a password.
Required distance with previous password	Displays the minimum Levenshtein distance between a new password and the old password.
Allow consecutively repeating a character	Displays the number of times the same character is allowed to be repeated consecutively.
Allow passwords containing username	Displays whether the user name is allowed as part of the password.
Palindrome allowed	Displays whether palindromes are allowed as part of the password.

Sample Output

A:ALA-7# show system security password-options

===============================================================================

Password Options

===============================================================================

Password aging in days : none

Time required between password changes : 0d 00:10:00

Number of invalid attempts permitted per login : 3

Time in minutes per login attempt : 5

Lockout period (when threshold breached) : 10

Authentication order : radius tacplus local

User password history length : disabled

Accepted password length : 6..56 characters

Credits for each character type : none

Required character types : none

Minimum number different character types : 0

Required distance with previous password : 5

Allow consecutively repeating a character : always

Allow passwords containing username : yes

Palindrome allowed : no

===============================================================================

A:ALA-7#

per-peer-queuing

Syntax

per-peer-queuing

Context

show>system>security

Description

This command enables or disables CPMCFM hardware queuing per peer. TTL security only operates when per-peer-queuing is enabled.

Output

Per-Peer-Queuing Output

Table 29 describes per-peer-queuing output fields.

Table 29: Show Per-Peer-Queuing Output Fields

Label	Description
Per Peer Queuing	Displays the status (enabled or disabled) of CPM hardware queuing per peer.
Total Num of Queues	Displays the total number of hardware queues.
Num of Queues In Use	Displays the total number of hardware queues in use.

Sample Output

A:ALA-48# show system security per-peer-queuing

=================================================

CPM Hardware Queuing

=================================================

Per Peer Queuing : Enabled

Total Num of Queues : 8192

Num of Queues In Use : 2

=================================================

A:ALA-48# configure

profile

Syntax

profile [user-profile-name]

Context

show>system>security

Description

This command displays user profile information.

If the profile-name is not specified, then information for all profiles are displayed.

Parameters

user-profile-name—

Displays information for the specified user profile.

Output

User Profile Output

Table 30 describes user profile output fields.

Table 30: Show User Profile Output Fields

Label	Description
User Profile	Displays the profile name used to deny or permit user console access to a hierarchical branch or to specific commands.
Def. action	Permit all Permits access to all commands.
	Deny Denies access to all commands.
	None No action is taken.
Entry	The entry ID in a policy or filter table.
Description	Displays the text string describing the entry.
Match Command	Displays the command or subtree commands in subordinate command levels.
Action	Permit all Commands matching the entry command match criteria are permitted.
	Deny Commands not matching the entry command match criteria are not permitted.
No. of profiles	The total number of profiles listed.

Sample Output

A:ALA-7# show system security profile administrative

===============================================================================

User Profile

===============================================================================

User Profile : administrative

Def. Action : permit-all

-------------------------------------------------------------------------------

Entry : 10

Description :

Match Command: configure system security

Action : permit

-------------------------------------------------------------------------------

Entry : 20

Description :

Match Command: show system security

Action : permit

-------------------------------------------------------------------------------

No. of profiles:

===============================================================================

A:ALA-7#

source-address

Syntax

source-address

Context

show>system>security

Description

This command displays source-address configured for applications.

Output

Source Address Output

Table 31 describes source address output fields.

Table 31: Show Source Address Output Fields

Label	Description
Application	Displays the source-address application.
IP address Interface Name	Displays the source address IP address or interface name.
Oper status	Up The source address is operationally up.
Oper status	Down The source address is operationally down.

Sample Output

A:SR-7# show system security source-address

===============================================================================

Source-Address applications

===============================================================================

Application IP address/Interface Name Oper status

-------------------------------------------------------------------------------

telnet 10.20.1.7 Up

radius loopback1 Up

===============================================================================

A:SR-7#

ssh

Syntax

ssh

Context

show>system>security

Description

This command displays all the SSH sessions as well as the SSH status and fingerprint. The type of SSH application (CLI, SCP, SFTP or NETCONF) is indicated for each SSH connection.

Output

SSH Options Output

Table 32 describes SSH output fields .

Table 32: Show System Security SSH Options Output Fields

Label	Description
SSH status	SSH is enabled Displays that SSH server is enabled. SSH is disabled Displays that SSH server is disabled.
SSH Preserve Key	Enabled Displays that preserve-key is enabled. Disabled Displays that preserve-key is disabled.
SSH protocol version 1	Enabled Displays that SSH1 is enabled. Disabled Displays that SSH1 is disabled.
SSH protocol version 2	Enabled Displays that SSH2 is enabled. Disabled Displays that SSH2 is disabled.
Key fingerprint	The key fingerprint is the server’s identity. Clients trying to connect to the server verify the server's fingerprint. If the server fingerprint is not known, the client may not continue with the SSH session since the server might be spoofed.
Connection	The IP address of the connected router(s) (remote client).
Encryption	des — Data encryption using a private (secret) key. 3des — An encryption method that allows proprietary information to be transmitted over untrusted networks.
Username	The name of the user.
Version	The SSH version number.
Server Name	The type of SSH application (CLI, SCP, SFTP or NETCONF)
Number of SSH sessions	The total number of SSH sessions.

Sample output

*A:ALA-49# show system security ssh

===============================================================================

SSH Server

===============================================================================

Administrative State : Enabled

Operational State : Up

Preserve Key : Enabled

SSH Protocol Version 1 : Disabled

SSH Protocol Version 2 : Enabled

DSA Host Key Fingerprint : 88:41:1c:7e:97:64:df:a0:e4:54:c2:cc:3d:dd:c7:70

RSA Host Key Fingerprint : 63:b8:c4:8a:17:b7:1c:95:35:91:c9:08:75:cc:31:a3

-------------------------------------------------------------------------------

Connection Username Version ServerName Status

-------------------------------------------------------------------------------

138.120.214.254 admin 2 netconf connected

138.120.140.148 admin 2 cli connected

-------------------------------------------------------------------------------

Number of SSH sessions : 2

===============================================================================

user

Syntax

user [user-id] [detail]

user [user-id] lockout

Context

show>system>security

Description

This command displays user registration information.

If no command line options are specified, summary information for all users displays.

Parameters

user-id—

Displays information for the specified user.

Values—

All users

detail—

Displays detailed user information to the summary output.

lockout—

Displays information about any users who are currently locked out.

Output

User Output

Table 33 describes user output fields.

Table 33: Show System Security User Output fields

Label	Description
User ID	The name of a system user.
Need new pwd	Y The user must change his password at the next login.
	N The user is not forced to change his password at the next login.
Cannot change pw	Y The user has the ability to change the login password.
	N The user does not have the ability to change the login password.
User permissions	Console Y - The user is authorized for console access. N- The user is not authorized for console access.
	FTP Y - The user is authorized for FTP access. N - The user is not authorized for FTP access.
	SNMP Y - The user is authorized for SNMP access. N - The user is not authorized for SNMP access.
Password expires	The number of days in which the user must change his login password.
Attempted logins	The number of times the user has attempted to login irrespective of whether the login succeeded or failed.
Failed logins	The number of unsuccessful login attempts.
Local conf	Y Password authentication is based on the local password database.
	N Password authentication is not based on the local password database.
Home directory	Specifies the local home directory for the user for both console and FTP access.
Restricted to home	Yes The user is not allowed to navigate to a directory higher in the directory tree on the home directory device.
	No The user is allowed to navigate to a directory higher in the directory tree on the home directory device.
Login exec file	Displays the user’s login exec file which executes whenever the user successfully logs in to a console session.
	profile - the security profile(s) associated with the user
	locked-out - no / yes (time remaining). Indicates the the user is currently locked-out. After the time expires, or the lockout is manually cleared, the user will be able to attempt to log into the node again.
	Remaining Login attempts - number of login attempts remaining until the user will be locked-out
	Remaining Lockout Time - The time until the lockout is automatically cleared and the user can attempt to log into the node again.

The following is an output example for the 7450 ESS and 7750 SR:

A:ALA-7# show system security user

===============================================================================

Users

===============================================================================

user id need user permissions password attempted failed local

new pwd console ftp snmp expires logins logins conf

-------------------------------------------------------------------------------

admin n y n n never 21 0 y

===============================================================================

A:ALA-7#

ALA-7# show system security user detail

===============================================================================

Users

===============================================================================

user id need user permissions password attempted failed local

new pwd console ftp snmp expires logins logins conf

-------------------------------------------------------------------------------

admin n y n n never 21 0 y

===============================================================================

User Configuration Detail

===============================================================================

user id : admin

-------------------------------------------------------------------------------

console parameters

-------------------------------------------------------------------------------

new pw required : no cannot change pw : no

home directory : cf3:\

restricted to home : no

profile : administrative

-------------------------------------------------------------------------------

snmp parameters

===============================================================================

A:ALA-7#

*A:Dut-C# show system security user detail

===============================================================================

Users

===============================================================================

User ID New User Permissions Password Login Failed Local

Pwd console ftp li snmp Expires Attempts Logins Conf

-------------------------------------------------------------------------------

admin n y n n n never 4 0 y

-------------------------------------------------------------------------------

Number of users : 1

===============================================================================

*A:Dut-C# show system security user detail

===============================================================================

User Configuration Detail

===============================================================================

user id : admin

-------------------------------------------------------------------------------

console parameters

-------------------------------------------------------------------------------

new pw required : no cannot change pw : no

home directory :

restricted to home : no

profile : administrative

locked-out : yes (9:23 remaining)

-------------------------------------------------------------------------------

snmp parameters

-------------------------------------------------------------------------------

===============================================================================

*A:Node234# show system security user lockout

===============================================================================

Currently Failed Login Attempts

===============================================================================

User ID Remaining Login attempts Remaining Lockout Time (min:sec)

-------------------------------------------------------------------------------

jason123 N/A 9:56

-------------------------------------------------------------------------------

Number of users : 1

===============================================================================

With the introduction of the PKI on an SR (SSH Server) the authentication process can be done via PKI or password. SSH client usually authenticate via PKI and password if PKI is configured on the client. In this case PKI takes precedence over password in most clients.

All client authentications are logged and display in the show>system>security>user detail. Table 34 shows the rules where pass and fail attempts are logged.

Table 34: Pass/Fail Login Attempts

Authentication Order	Client (i.e., putty)	Server (i.e., SR)		CLI Show System Security Attempts (SR)
Authentication Order	Private Key Programmed	Public Key Configured	Password Configured	Logins Attempts	Failed Logins
1. Public Key	Yes	Yes	N/A	Increment
2. Password	Yes	Yes (No match between client and server. Go to password.)	Yes	Increment
	Yes	No	Yes	Increment
	No	N/A	Yes	Increment
	No	N/A	No		Increment
1. Public Key (only)	Yes	Yes	N/A	Increment
	Yes	Yes (No match between client and server. Go go password.)			Increment
	Yes		N/A		Increment
	No		N/A		Increment

TABLE

*A:Dut-C# show system security user detail

===============================================================================

Users

===============================================================================

User ID New User Permissions Password Login Failed Local

Pwd console ftp li snmp Expires Attempts Logins Conf

-------------------------------------------------------------------------------

admin n y n n n never 4 0 y

-------------------------------------------------------------------------------

Number of users : 1

===============================================================================

User Configuration Detail

===============================================================================

user id : admin

-------------------------------------------------------------------------------

console parameters

-------------------------------------------------------------------------------

new pw required : no cannot change pw : no

home directory :

restricted to home : no

profile : administrative

-------------------------------------------------------------------------------

snmp parameters

-------------------------------------------------------------------------------

===============================================================================

view

Syntax

view [view-name] [detail]

Context

show>system>security

Description

This command displays the SNMP MIB views.

Parameters

view-name—

Specify the name of the view to display output. If no view name is specified, the complete list of views displays.

detail—

Displays detailed view information.

Output

View Output

Table 35 describes show view output fields.

Table 35: Show View Output Fields

Label	Description
view name	The name of the view. Views control the accessibility of a MIB object within the configured MIB view and subtree.
oid tree	The object identifier of the ASN.1 subtree.
mask	The bit mask that defines a family of view subtrees.
permission	Indicates whether each view is included or excluded
No. of Views	Displays the total number of views.

Sample Output

A:ALA-48# show system security view

===============================================================================

Views

===============================================================================

view name oid tree mask permission

-------------------------------------------------------------------------------

iso 1 included

read1 1.1.1.1 11111111 included

write1 2.2.2.2 11111111 included

testview 1 11111111 included

testview 1.3.6.1.2 11111111 excluded

mgmt-view 1.3.6.1.2.1.2 included

mgmt-view 1.3.6.1.2.1.4 included

mgmt-view 1.3.6.1.2.1.5 included

mgmt-view 1.3.6.1.2.1.6 included

mgmt-view 1.3.6.1.2.1.7 included

mgmt-view 1.3.6.1.2.1.31 included

mgmt-view 1.3.6.1.2.1.77 included

mgmt-view 1.3.6.1.4.1.6527.3.1.2.3.7 included

mgmt-view 1.3.6.1.4.1.6527.3.1.2.3.11 included

vprn-view 1.3.6.1.2.1.2 included

vprn-view 1.3.6.1.2.1.4 included

vprn-view 1.3.6.1.2.1.5 included

vprn-view 1.3.6.1.2.1.6 included

vprn-view 1.3.6.1.2.1.7 included

vprn-view 1.3.6.1.2.1.15 included

vprn-view 1.3.6.1.2.1.23 included

vprn-view 1.3.6.1.2.1.31 included

vprn-view 1.3.6.1.2.1.68 included

vprn-view 1.3.6.1.2.1.77 included

vprn-view 1.3.6.1.4.1.6527.3.1.2.3.7 included

vprn-view 1.3.6.1.4.1.6527.3.1.2.3.11 included

vprn-view 1.3.6.1.4.1.6527.3.1.2.20.1 included

no-security 1 included

no-security 1.3.6.1.6.3 excluded

no-security 1.3.6.1.6.3.10.2.1 included

no-security 1.3.6.1.6.3.11.2.1 included

no-security 1.3.6.1.6.3.15.1.1 included

on-security 2 00000000 included

-------------------------------------------------------------------------------

No. of Views: 33

===============================================================================

A:ALA-48#

certificate

Syntax

certificate

Context

show

Description

This command displays certificate information.

ca-profile

Syntax

ca-profile

ca-profile name [association]

Context

show>certificate

Description

This command shows certificate-authority profile information.

Parameters

name—

Specifies the name of the Certificate Authority (CA) profile.

association—

Displays associated CA profiles.

ocsp-cache

Syntax

ocsp-cache [entry-id]

Context

show>certificate

Description

This command displays the current cached OCSP results. The output includes the following information:

Certificate issuer

Certificate serial number

OCSP result

Cache entry expire time

Parameters

entry-id—

Specifies the local cache entry identifier of the certificate that was validated by the OCSP responder.

statistics

Syntax

statistics

Context

show>certificate

Description

This command shows certificate related statistics.

Login Control

users

Syntax

users

Context

show

Description

Displays console user login and connection information.

Output

Users Output

Table 36 describes show users output fields.

Table 36: Show Users Output Fields

Label	Description
User	The user name.
Type	The user is authorized this access type.
From	The originating IP address.
Login time	The time the user logged in.
Idle time	The amount of idle time for a specific login.
Number of users	Displays the total number of users logged in.

Sample Console Users Output

A:ALA-7# show users

===============================================================================

User Type From Login time Idle time

===============================================================================

testuser Console -- 21FEB2007 04:58:55 0d 00:00:00 A

-------------------------------------------------------------------------------

Number of users : 1

entry entry-id—

Specifies a particular CPM IPv6 filter entry.

Values—

1 — 2048

This command clears the rate limit violator record.

Parameters

port—

Clears entries for ports.

interface—

Clears entries for interfaces.

sap—

Clears entries for SAPs.

cpm-queue

Syntax

cpm-queue queue-id

Context

clear

Description

This command clears CPM queue information.

Parameters

queue-id—

Specifies the CPM queue ID.

Values—

33 — 2000

radius-proxy-server

Syntax

radius-proxy-server server-name statistics

Context

clear>router

Description

This command clears RADIUS proxy server data.

Parameters

server-name—

Specifies the proxy server name.

statistics—

Clears statistics for the specified server.

Debug Commands

radius

Syntax

radius [detail] [hex]

no radius

Context

debug

Description

This command enables debugging for RADIUS connections.

The no form of the command disables the debugging.

Parameters

detail—

Displays detailed output.

hex—

Displays the packet dump in hex format.

ocsp

Syntax

[no] ocsp

Context

debug

Description

This command enables debug output of OCSP protocol for the CA profile.

The no form of the command disables the debug output.

ca-profile

Syntax

[no] ca-profile profile-name

Context

debug>ocsp

Description

This command enables debug output of a specific CA profile.

Tools Commands

dist-cpu-protection

Syntax

dist-cpu-protection

Context

tools>perform>security

tools>dump>security

Description

This command displays to release Distributed CPU Protection parameters and status at the per card and forwarding plane level.

release-hold-down

Syntax

release-hold-down interface interface-name [protocol protocol] [static-policer name]

release-hold-down sap sap-id [protocol protocol] [static-policer name]

Context

tools>perform>security>dist-cput protection

Description

This command is used to release a Distributed CPU Protection (DCP) policer from a hold-down countdown (or indefinite hold-down if configured as such).

Parameters

interface interface-name—

Specifies Router interface name.

sap sap-id—

Specify sap identifier.

protocol protocol—

Specifies DCP protocol name (for example, arp, dhcp)

static-policer name—

Specifies DCP static policer name as defined in the DCP policy.

violators

Syntax

violators enforcement {sap|interface} card slot-number [fp fp-number]

violators local-monitor {sap|interface} card slot-number [fp fp-number]

Context

tools>dump>security>dist-cput protection

Description

This command shows the non-conformant enforcement policers and local monitors.

Parameters

sap —

-Indicates to display the violators associated with SAPs

interface —

- Indicates to display the violators associated with router interfaces.

enforcement—

Shows exceed and hold-down for Static and Dynamic Policers.

local-monitor—

Shows state of dynamic policer allocation for Local Monitoring Policers.

card slot-number—

The physical slot number for the card.

Values—

1— n (n is platform dependant)

fp fp-number—

Identifies the instance of the FP (FastPath) chipset. Some cards have a single FP (for example, an IOM3-XP) and some cards can contain multiple FPs (for example, an IOM2 has two FPs and an XCM can house two FPs via its two XMAs).

Values—

1— 2

Output

Users Output

Table 37 describes show users output fields.

Table 37: Output Parameters

Label	Description
Interface	The name of the router interface
Policer/Protocol	The configured name of the static policer (indicated with an [S]) or the DCP protocol name for a dynamic policer (indicated with a [D]).
[S] / [D]	indicates a static vs dynamic policer
Hld Rem	The remaining time in the hold-down countdown during which a policer is treating all packets as exceeding.

Sample Output

*A:Dut-A# tools dump security dist-cpu-protection violators enforcement interface

card 4 fp 1

===============================================================================

Distributed Cpu Protection Current Interface Enforcer Policer Violators

===============================================================================

Interface Policer/Protocol Hld Rem

-------------------------------------------------------------------------------

Violators on Slot-4 Fp-1

-------------------------------------------------------------------------------

test staticArpPolicer [S] none

test icmp [D] none

test ospf [D] none

-------------------------------------------------------------------------------

[S]-Static [D]-Dynamic [M]-Monitor

-------------------------------------------------------------------------------

===============================================================================

Admin Commands

clear lockout

Syntax

clear lockout {user name | all}

Context

admin>user

Description

This command is used to clear any lockouts for a specific user, or for all users.

Parameters

name—

Specifies locked username.

clear password-history

Syntax

clear password-history {user name | all}

Context

admin>user

Description

This command is used to clear old passwords used by a specific user, or for all users.

Parameters

name—

Specifies username.