Refer to the OS Services Guide and the Multi-Service ISA Guide for command, syntax, and usage information about applying CPU Protection policies to interfaces.
CPU protection policies are applied by default (and customer policies can be applied) to a variety of entities including interfaces and SAPs. Refer to the appropriate guides for command syntax and usage for applying CPU protection policies. Examples of entities that can have CPU protection policies applied to them include:
config>router>interface>cpu-protection policy-id
config>service>epipe>sap>cpu-protection policy-id [mac-monitoring] | [eth-cfm-monitoring [aggregate][car]]
config>service>epipe>spoke-sdp>cpu-protection policy-id [mac-monitoring] | [eth-cfm-monitoring [aggregate][car]]
config>service>ies>if>cpu-protection policy-id
config>service>ies>if>sap>cpu-protection policy-id [mac-monitoring] | [eth-cfm-monitoring [aggregate][car]]
config>service>template>vpls-sap-template>cpu-protection policy-id [mac-monitoring] | [eth-cfm-monitoring [aggregate][car]]
config>service>vpls>sap>cpu-protection policy-id [mac-monitoring] | [eth-cfm-monitoring [aggregate][car]]
config>service>vpls>video-interface>cpu-protection policy-id
config>service>vprn>if>cpu-protection policy-id
config>service>vprn >if>sap>cpu-protection policy-id [mac-monitoring] | [eth-cfm-monitoring [aggregate][car]]
config>service>vprn>nw-if>cpu-protection policy-id
config>service>vprn>sub-if>grp-if>sap>cpu-protection policy-id [mac-monitoring] | [eth-cfm-monitoring [aggregate][car]]
config>subscr-mgmt>msap-policy>cpu-protection policy-id [mac-monitoring]
The following commands apply only to the 7450 ESS and 7750 SR:
Note: For information about CMPv6 admin certificate commands listed in the following tree, see the Multiservice Integrated Service Adapter Guide. |
This section provides the CLI command descriptions. Topics include:
This command creates a text description stored in the configuration file for a configuration context. This command associates a text string with a configuration context to help identify the context in the configuration file.
The no form of the command removes the string.
No description associated with the configuration context.
The shutdown command administratively disables the entity. When disabled, an entity does not change, reset, or remove any configuration settings or statistics. Many entities must be explicitly enabled using the no shutdown command. The operational state of the entity is disabled as well as the operational state of any entities contained within. Many objects must be shut down before they may be deleted.
The no form of the command puts an entity into the administratively enabled state.
no shutdown
This command creates the context to configure security settings.
Security commands manage user profiles and user membership. Security commands also manage user login registrations.
This command enables FTP servers running on the system.
FTP servers are disabled by default. At system startup, only SSH server are enabled.
The no form of the command disables FTP servers running on the system.
Whenever the user executes a save or info command, the system will encrypt all passwords, MD5 keys, etc., for security reasons. At present, two algorithms exist.
The first algorithm is a simple, short key that can be copied and pasted in a different location when the user wants to configure the same password. However, because it is the same password and the hash key is limited to the password/key, even the casual observer will notice that it is the same key.
The second algorithm is a more complex key, and cannot be copied and pasted in different locations in the configuration file. In this case, if the same key or password is used repeatedly in different contexts, each encrypted (hashed) version will be different.
all — read-version set to accept both versions 1 and 2
This command enables CPM hardware queuing per peer. This means that when a peering session is established, the router will automatically allocate a separate CPM hardware queue for that peer.
The no form of the command disables CPM hardware queuing per peer.
per-peer-queuing
This command specifies the source address that should be used in all unsolicited packets sent by the application.
This feature only applies on inband interfaces and does not apply on the out of band management interface. Packets going out the management interface will keep using that as source IP address. In other words, when the RADIUS server is reachable through both the management interface and a network interface, the management interface is used despite whatever is configured under the source-address statement.
When a source address is specified for the ptp application, the port-based 1588 hardware timestamping assist function will be applied to PTP packets matching the IPv4 address of the router interface used to ingress the SR/ESS or IP address specified in this command. If the IP address is removed, then the port-based 1588 hardware timestamping assist function will only be applied to PTP packets matching the IPv4 address of the router interface.
This command specifies the use of the source IP address specified by the source-address command.
This command specifies the application to use the source IPv6 address specified by the source-address command.
This command enables Telnet servers running on the system.
Telnet servers are off by default. At system startup, only SSH servers are enabled.
Telnet servers in networks limit a Telnet clients to three retries to login. The Telnet server disconnects the Telnet client session after three retries.
The no form of the command disables Telnet servers running on the system.
This command enables Telnet IPv6 servers running on the system and only applies to the 7750 SR and 7950 XRS.
Telnet servers are off by default. At system startup, only SSH server are enabled.
The no form of the command disables Telnet IPv6 servers running on the system.
This command configures the rate to limit ICMP replies to packets with label TTL expiry received within all VPRN sentences in the system and from all network IP interfaces. This includes labeled user packets, ping and traceroute packets within VPRN.
This feature currently also limits the same packets when received within the context of an LSP shortcut.
This feature does not rate limit MPLS and service OAM packets (vprn-ping, vprn-trace, lsp-ping, lsp-trace, vccv-ping, and vccv-trace).
The no form of the command disables the rate limiting of the reply to these packets.
This feature only applies to the 7750 SR and 7950 XRS.
no security vprn-network-exceptions
This command enables the context to configure system-wide Link Layer Discovery Protocol parameters.
This command configures the duration of the fast transmission period.
This command configures the number of LLDPDUs to send during the fast transmission period.
This command configures the minimum time between change notifications.
This command configures the time before re-initializing LLDP on a port.
This command configures the maximum consecutive LLDPDUs transmitted.
This command configures the multiplier of the tx-interval.
This command configures the LLDP transmit interval time.
This command enables the exponential-backoff of the login prompt. The exponential-backoff command is used to deter dictionary attacks, when a malicious user can gain access to the CLI by using a script to try admin with any conceivable password.
The no form of the command disables exponential-backoff.
no exponential-backoff
This command creates the context to configure FTP login control parameters.
This command configures the idle timeout for FTP, console, or Telnet sessions before the session is terminated by the system.
By default, an idle FTP, console, SSH or Telnet session times out after 30 minutes of inactivity. This timer can be set per session.
The no form of the command reverts to the default value.
30 — Idle timeout set for 30 minutes.
This command configures the maximum number of concurrent inbound FTP sessions.
This value is the combined total of inbound and outbound sessions.
The no form of the command reverts to the default value.
3
This parameter limits the number of inbound Telnet and SSH sessions. A maximum of 30 telnet and ssh connections can be established to the router. The local serial port cannot be disabled.
Telnet and SSH maximum sessions can also use the combined total of both inbound sessions (SSH+Telent). While it is acceptable to continue to internally limit the combined total of SSH and Telnet sessions to N, either SSH or Telnet sessions can use the inbound maximum sessions, if so required by the Operator.
The no form of the command reverts to the default value.
5
This command enables or disables the display of a login banner. The login banner contains the SR OS copyright and build date information for a console login attempt.
The no form of the command causes only the configured pre-login-message and a generic login prompt to display.
This command creates the context to configure the session control for console, Telnet and FTP.
This command creates the message of the day displayed after a successful console login. Only one message can be configured.
The no form of the command removes the message.
No motd is defined.
Some special characters can be used to format the message text. The \n character can be used to create multi-line messages. A \n in the message moves to the beginning of the next line by sending ASCII/UTF-8 chars 0xA (LF) and 0xD (CR) to the client terminal. An \r in the message sends the ASCII/UTF-8 char 0xD (CR) to the client terminal.
This parameter limits the number of outbound Telnet and SSH sessions. A maximum of 15 telnet and ssh connections can be established from the router. The local serial port cannot be disabled.
The no form of the command reverts to the default value.
5
This command creates a message displayed prior to console login attempts on the console via Telnet.
Only one message can be configured. If multiple pre-login-messages are configured, the last message entered overwrites the previous entry.
It is possible to add the name parameter to an existing message without affecting the current pre-login-message.
The no form of the command removes the message.
No pre-login-message is defined.
This command enables the context to configure the SSH parameters.
This command enables configuration the list of allowed ciphers by the SSH client.
This command enables configuration of a cipher. Client-ciphers are used when the SR OS is acting as an SSH client. Server-ciphers are used when the SR OS is acting as an SSH server.
no cipher index
Cipher index value | Cipher name |
10 | 3des |
20 | blowfish |
30 | des |
Note: blowfish and des are not permitted in FIPS-140-2 mode. |
Cipher index value | Cipher name |
190 | aes256-ctr |
192 | aes192-ctr |
194 | aes128-ctr |
200 | aes128-cbc |
205 | 3des-cbc |
210 | blowfish-cbc |
215 | cast128-cbc |
220 | arcfour |
225 | aes192-cbc |
230 | aes256-cbc |
235 | rijndael-cbc |
Note: blowfish-cbc, cast128-cbc, arcfour, and rijndael-cbc are not permitted in FIPS-140-2 mode. |
This command enables graceful shutdown of SSH sessions.
The no form of the command disables graceful shutdown of SSH sessions.
After enabling this command, private keys, public keys, and host key file will be saved by the server. It is restored following a system reboot or the ssh server restart.
The no form of the command specifies that the keys will be held in memory by the SSH server and is not restored following a system reboot.
no preserve-key
This command enables configuration the list of allowed ciphers by the SSH server.
This command enables the SSH servers running on the system.
At system startup, only the SSH server is enabled.
Specifies the SSH protocol version that will be supported by the SSH server.
2
Note: Values “1” and “1-2” are not permitted in FIPS-140-2 mode. |
This command creates the context to configure the Telnet login control parameters.
This command enables graceful shutdown of telnet sessions.
The no form of the command disables graceful shutdown of telnet sessions.
This command creates the context to edit management access filters and to reset match criteria.
Management access filters control all traffic in and out of the CPM. They can be used to restrict management of the router by other nodes outside either specific (sub)networks or through designated ports.
Management filters, as opposed to other traffic filters, are enforced by system software.
The no form of the command removes management access filters from the configuration.
No management access filters are defined.
This command enables the context to configure management access IP filter parameters.
This command enables the context to configure management access IPv6 filter parameters. This command only applies to the 7750 SR and 7950 XRS.
This command configures a management access MAC-filter.
This command creates the action associated with the management access filter match criteria entry.
The action keyword is required. If no action is defined, the filter is ignored. If multiple action statements are configured, the last one overwrites previous configured actions.
If the packet does not meet any of the match criteria the configured default action is applied.
none — The action is specified by default-action command.
The deny-host-unreachable parameter only applies to ip-filter and ipv6filter.
This command creates the default action for management access in the absence of a specific management access filter match.
The default-action is applied to a packet that does not satisfy any match criteria in any of the management access filters. Whenever management access filters are configured, the default-action must be defined.
No default-action is defined.
The deny-host-unreachable only applies to ip-filter and ipv6filter.
This command configures a source TCP or UDP port number or port range for a management access filter match criterion.
The no form of the command removes the source port match criterion.
No dst-port match criterion.
This 16 bit mask can be configured using the formats described in Table 12:
Format Style | Format Syntax | Example |
Decimal | DDDDD | 63488 |
Hexadecimal | 0xHHHH | 0xF800 |
Binary | 0bBBBBBBBBBBBBBBBB | 0b1111100000000000 |
To select a range from 1024 up to 2047, specify 1024 0xFC00 for value and mask.
This command is used to create or edit a management access IP(v4), IPv6, or MAC filter entry. Multiple entries can be created with unique entry-id numbers. The OS exits the filter upon the first match found and executes the actions according to the respective action command. For this reason, entries must be sequenced correctly from most to least explicit.
An entry may not have any match criteria defined (in which case, everything matches) but must have at least the keyword action defined to be considered complete. Entries without the action keyword are considered incomplete and inactive.
The no form of the command removes the specified entry from the management access filter.
No entries are defined.
This command configures flow label match conditions. Flow labeling enables the labeling of packets belonging to particular traffic flows for which the sender requests special handling, such as non-default quality of service or real-time service. This command only applies to the 7750 SR and 7950 XRS.
This command enables match logging. When enabled, matches on this entry will cause the Security event mafEntryMatch to be raised.
no log
This command specifies the next header to match. The protocol type such as TCP, UDP or OSPF is identified by its respective protocol number. Well-known protocol numbers include ICMP(1), TCP(6), UDP(17). IPv6 Extension headers are identified by the next header IPv6 numbers as per RFC2460. This command only applies to the 7750 SR and 7950 XRS.
next-header: | 0 to 255, protocol numbers accepted in DHB |
keywords: | none, crtp, crudp, egp, eigrp, encap, ether-ip, gre, icmp, drp, igmp, igp, ip, ipv6, ipv6-icmp, ipv6-no-nxt, isis, iso-ip, l2tp, spf-igp, pim, pnni, ptp, rdp, rsvp, stp, tcp, udp, vrrp |
This command configures an IP protocol type to be used as a management access filter match criterion.
The protocol type, such as TCP, UDP, and OSPF, is identified by its respective protocol number. Well-known protocol numbers include ICMP (1), TCP (6), and UDP (17).
The no form the command removes the protocol from the match criteria.
No protocol match criterion is specified.
This command configures a TCP/UDP source or destination port match criterion in IPv4 and IPv6 CPM filter policies. A packet matches this criterion if packet’s TCP/UDP (as configured by protocol/next-header match) source OR destination port matches either the specified port value or a port in the specified port range or port list.
This command is mutually exclusive with src-port and dst-port commands.
The no form of this command deletes the specified port match criterion.
no port
This command configures a router name or service ID to be used as a management access filter match criterion.
The no form the command removes the router name or service ID from the match criteria.
router-name — Specifies a router name or CPM router instance, up to 32 characters to be used in the match criteria.
router-instance : router name | ||
router-name | Base | management | cpm-vr-name | |
cpm-vr-name | [32 characters maximum] |
service-id — Specifies an existing service ID to be used in the match criteria.
cpm-vr-name — Specifies a CPM router instance to be used in the match criteria
This command renumbers existing management access filter entries for an IP(v4), IPv6, or MAC filter to re-sequence filter entries.
The exits on the first match found and executes the actions in accordance with the accompanying action command. This may require some entries to be re-numbered differently from most to least explicit.
This command disables the management-access-filter.
This command configures math criteria for this MAC filter entry.
This command specifies the type of opcode checking to be performed.
If the cfm-opcode match condition is configured then a check must be made to see if the Ethertype is either IEEE802.1ag or Y1731. If the Ethertype does not match then the packet is not CFM and no match to the cfm-opcode is attempted.
The CFM (ieee802.1ag or Y1731) opcode can be assigned as a range with a start and an end number or with a (less than lt, greater than gt, or equal to eq) operator.
If no range with a start and an end or operator (lt, gt, eq) followed by an opcode with the value between 0 and 255 is defined then the command is invalid.
Table 13 lists the opcode values.
CFM PDU or Organization | Acronym | Configurable Numeric Value (Range) |
Reserved for IEEE 802.1 0 | 0 | |
Continuity Check Message | CCM | 1 |
Loopback Reply | LBR | 2 |
Loopback Message | LBM | 3 |
Linktrace Reply | LTR | 4 |
Linktrace Message | LTM | 5 |
Reserved for IEEE 802.1 | 6 – 31 | |
Reserved for ITU | 32 | |
AIS | 33 | |
Reserved for ITU | 34 | |
LCK | 35 | |
Reserved for ITU | 36 | |
TST | 37 | |
Reserved for ITU | 38 | |
APS | 39 | |
Reserved for ITU | 40 | |
MCC | 41 | |
LMR | 42 | |
LMM | 43 | |
Reserved for ITU | 44 | |
1DM | 45 | |
DMR | 46 | |
DMM | 47 | |
Reserved for ITU | 48 – 63 | |
Reserved for IEEE 802.1 0 | 64 - 255 |
Defined by ITU-T Y.1731 32 - 63
Defined by IEEE 802.1. 64 - 255
no cfm-opcode
This command configures Dot1p match conditions.
This command configures dsap match conditions.
Format Style | Format Syntax | Example |
Decimal | D | 4 |
Hexadecimal | 0xH | 0x4 |
Binary | 0bBBB | 0b100 |
This 8 bit mask can be configured using the formats described in Table 15:
Format Style | Format Syntax | Example |
Decimal | DDD | 240 |
Hexadecimal | 0xHH | 0xF0 |
Binary | 0bBBBBBBBB | 0b11110000 |
This command configures the destination MAC match condition.
Configures an Ethernet type II Ethertype value to be used as a MAC filter match criterion.
The Ethernet type field is a two-byte field used to identify the protocol carried by the Ethernet frame. For example, 0800 is used to identify the IPv4 packets.
The Ethernet type field is used by the Ethernet version-II frames. IEEE 802.3 Ethernet frames do not use the type field. For IEEE 802.3 frames, use the dsap, ssap or snap-pid fields as match criteria.
The snap-pid field, etype field, ssap and dsap fields are mutually exclusive and may not be part of the same match criteria. Refer to the Router Configuration Guide for information about MAC Match Criteria Exclusivity Rules fields that are exclusive based on the frame format.
The no form of the command removes the previously entered etype field as the match criteria.
no etype
This command configures an IEEE 802.3 LLC SNAP Ethernet Frame OUI zero or non-zero value to be used as a MAC filter match criterion.
The no form of the command removes the criterion from the match criteria.
no snap-oui
This command configures an IEEE 802.3 LLC SNAP Ethernet Frame PID value to be used as a MAC filter match criterion.
This is a two-byte protocol id that is part of the IEEE 802.3 LLC SNAP Ethernet Frame that follows the three-byte OUI field.
The snap-pid field, etype field, ssap and dsap fields are mutually exclusive and may not be part of the same match criteria. Refer to the Router Configuration Guide for information about MAC Match Criteria Exclusivity Rules fields that are exclusive based on the frame format.
Note: The snap-pid match criterion is independent of the OUI field within the SNAP header. Two packets with different three-byte OUI fields but the same PID field will both match the same filter entry based on a snap-pid match criteria. |
The no form of the command removes the snap-pid value as the match criteria.
no snap-pid
This command configures a source MAC address or range to be used as a MAC filter match criterion.
The no form of the command removes the source mac as the match criteria.
no src-mac
Format Style | Format Syntax | Example |
Decimal | DDDDDDDDDDDDDD | 281474959933440 |
Hexadecimal | 0xHHHHHHHHHHHH | 0x0FFFFF000000 |
Binary | 0bBBBBBBB...B | 0b11110000...B |
To configure so that all packets with a source MAC OUI value of 00-03-FA are subject to a match condition then the entry should be specified as: 003FA000000 0xFFFFFF000000
This command configures an Ethernet 802.2 LLC SSAP value or range for a MAC filter match criterion.
This is a one-byte field that is part of the 802.2 LLC header of the IEEE 802.3 Ethernet Frame.
The snap-pid field, etype field, ssap and dsap fields are mutually exclusive and may not be part of the same match criteria. Refer to the Router Configuration Guide for information about MAC Match Criteria Exclusivity Rules fields that are exclusive based on the frame format.
The no form of the command removes the ssap match criterion.
no ssap
This command specifies an existing svc-id to use as a match condition.
This command restricts ingress management traffic to either the CPMCCM Ethernet port or any other logical port (for example LAG) on the device.
When the source interface is configured, only management traffic arriving on those ports satisfy the match criteria.
The no form of the command reverts to the default value.
any interface
slot/mda/port[.channel] | ||
bundle-id | bundle-type-slot/mda.bundle-num | |
bundle | keyword | |
type | ima, fr, or ppp | |
bundle-num | 1 to 336 | |
bpgrp-id | bpgrp-type-bpgrp-num | |
bpgrp | keyword | |
type | ima or ppp | |
bpgrp-num | 1 to 2000 | |
aps-id | aps-group-id[.channel] | |
aps | keyword | |
group-id | 1 to 128 | |
ccag-id | ccag-id. path-id[cc-type] | |
| ccag | keyword |
id | 1 to 8 | |
path-id | a, b | |
cc-type | .sap-net, .net-sap |
This command configures a source IP address range prefix to be used as a management access filter match criterion.
The no form of the command removes the source IP address match criterion.
No source IP match criterion is specified.
This command configures a source IPv6 address range prefix to be used as a management access filter match criterion. This command only applies to the 7750 SR and 7950 XRS.
The no form of the command removes the source IPv6 address match criterion.
No source IP match criterion is specified.
This command creates the context to configure password management parameters.
This command allows a user (with admin permissions) to configure a password which enables a user to become an administrator.
This password is valid only for one session. When enabled, no authorization to TACACS+ or RADIUS is performed and the user is locally regarded as an admin user.
This functionality can be enabled in two contexts:
config>system>security>password>admin-password
<global> enable-admin
If the admin-password is configured in the config>system>security>password context, then any user can enter the special mode by entering the enable-admin command. For more information, see the description for the command.
enable-admin is in the default profile. By default, all users are given access to this command.
Once the enable-admin command is entered, the user is prompted for a password. If the password matches, user is given unrestricted access to all the commands.
The minimum length of the password is determined by the minimum-length command. The complexity requirements for the password is determined by the complexity command.
Note: The password argument of this command is not sent to the servers. This is consistent with other commands that configure secrets. |
The usernames and passwords in the FTP and TFTP URLs will not be sent to the authorization or accounting servers when the file>copy source-url dest-url command is executed.
For example:
file copy ftp://test:secret@131.12.31.79/test/srcfile cf1:\destfile
In this example, the username 'test' and password 'secret' will not be sent to the AAA servers (or to any logs). They will be replaced with '****'.
The no form of the command removes the admin password from the configuration.
no admin-password
Refer to the description for the command. If the admin-password is configured in the config>system>security>password context, then any user can enter the special administrative mode by entering the command.
enable-admin is in the default profile. By default, all users are given access to this command.
Once the enable-admin command is entered, the user is prompted for a password. If the password matches, user is given unrestricted access to all the commands.
The minimum length of the password is determined by the minimum-length command. The complexity requirements for the password is determined by the complexity command.
There are two ways to verify that a user is in the enable-admin mode:
This command configures the number of days a user password is valid before the user must change their password. This parameter can be used to force the user to change the password at the configured interval.
The no form of the command reverts to the default value.
No aging is enforced.
This command configures a threshold value of unsuccessful login attempts allowed in a specified time frame.
If the threshold is exceeded, the user is locked out for a specified time period.
If multiple attempts commands are entered, each command overwrites the previously entered command.
The no attempts command resets all values to default.
count: 3 time minutes: 5 lockout minutes: 10
This command configures the sequence in which password authentication, authorization, and accounting is attempted among local passwords, RADIUS, TACACS+, and LDAP.
The authentication order should be from the most preferred authentication method to the least preferred. The presence of all methods in the command line does not guarantee that they are all operational. Specifying options that are not available delays user authentication.
If all (operational) methods are attempted and no authentication for a particular login has been granted, then an entry in the security log documents the failed attempt. Both the attempted login identification and originating IP address are logged with the a timestamp.
The no form of the command reverts to the default authentication sequence.
authentication-order radius tacplus ldap local - The preferred order for password authentication is 1. local passwords, 2. RADIUS, 3. TACACS+, and 4. LDAP.
A rejection is distinct from an unreachable authentication server. When the exit-on-reject keyword is specified, authorization and accounting will only use the method that provided an affirmation authentication; only if that method is no longer readable or is removed from the configuration will other configured methods be attempted. If the local keyword is the first authentication and:
This command defines a list of rules for configurable password options.
The user name is allowed to be used as part of the password.
The no form of the command does not allow user name to be used as password.
no allow-user-name
The maximum credits given for usage of the different character classes in the local passwords.
The no form of the command resets to default.
no credits
Force the use of at least this many different character classes
The no form of the command resets to default.
no minimum-classes
This command configures the minimum number of characters required for locally administered passwords, HMAC-MD5-96, HMAC-SHA-96, and des-keys configured in the system security section.
If multiple minimum-length commands are entered each command overwrites the previous entered command.
The no form of the command reverts to default value.
6
The number of times a characters can be repeated consecutively.
The no form of the command resets to default.
no repeated-characters
Force the minimum number of different character classes required.
The no form of the command resets to default.
no required
This command configures the password which enables the user to configure dynamic services.
no dynsvc-password
Enable the user to become a system administrator.
When tacplus-map-to-priv-lvl is enabled, and tacplus authorization is enabled with the use-priv-lvl option, typing enable-admin starts an interactive authentication exchange from the node to the TACACS+ server. The start message (service=enable) contains the user-id and the requested admin-priv-lvl. Successful authentication results in the use of a new profile (as configured under config>system>security>tacplus>priv-lvl-map).
This command specifies that RADIUS, TACACS+, and LDAP servers are monitored for 3 seconds each at 30 second intervals. Servers that are not configured will have 3 seconds of idle time. If in this process a server is found to be unreachable, or a previously unreachable server starts responding, a trap will be sent based on the type of the server.
The no form of the command disables the periodic monitoring of the RADIUS, TACACS+, and LDAP servers. In this case, the operational status for the active server will be up if the last access was successful.
Configure how many previous passwords a new password is matched against.
no history
Configure the minimum required age of a password before it can be changed again.
no minimum-age
This command configures the minimum number of characters required to be different in the new password from a previous password.
The no form of the command reverts to default value.
no min-change
The commands described in the following section apply to the 7450 ESS and 7750 SR.
This command enables the context to configure certificate parameters.
none
This command creates a new ca-profile or enter the configuration context of an existing ca-profile. Up to 128 ca-profiles could be created in the system. A shutdown the ca-profile will not affect the current up and running ipsec-tunnel or ipsec-gw that associated with the ca-profile. But authentication afterwards will fail with a shutdown ca-profile.
Executing a no shutdown command in this context will cause system to reload the configured cert-file and crl-file.
A ca-profile can be applied under the ipsec-tunnel or ipsec-gw configuration.
The no form of the command removes the name parameter from the configuration. A ca-profile can not be removed until all the association(ipsec-tunnel/gw) have been removed.
This command specifies the filename of a file in cf3:\system-pki\cert as the CA’s certificate of the ca-profile.
Notes:
The no form of the command removes the filename from the configuration.
This command enables the context to configure Certificate Management Protocol Version 2 (CMPv2) parameters.
This command enables the system to accept both protected and unprotected CMPv2 error message. Without this command, system will only accept protected error messages.
The no form of the command causes the system to only accept protected PKI confirmation message.
no accept-unprotected-errormsg
This command enables the system to accept both protected and unprotected CMPv2 PKI confirmation messages. Without this command, the system will only accept protected PKI confirmation message.
The no form of the command causes the system to only accept protected PKI confirmation message.
no accept-unprotected-errormsg
This command enables the context to configure pre-shared key list parameters.
This command specifies a pre-shared key used for CMPv2 initial registration. Multiples of key commands are allowed to be configured under this context.
The password and reference-number is distributed by the CA via out-of-band means.
The configured password is stored in configuration file in an encrypted form by using the SR OS hash2 algorithm.
The no form of the command removes the parameters from the configuration.
none
This command specifies HTTP URL of the CMPv2 server. The URL must be unique across all configured ca-profiles.
The URL will be resolved by the DNS server configured (if configured) in the corresponding router context.
If the service-id is 0 or omitted, then system will try to resolve the FQDN via DNS server configured in bof.cfg. After resolution, the system will connect to the address in management routing instance first, then base routing instance.
Note: If the service is VPRN, then the system only allows HTTP ports 80 and 8080. |
none
This command specifies the timeout value for HTTP response that is used by CMPv2.
The no form of the command reverts to the default.
30
This command specifies a imported certificate that is used to verify the CMP response message if they are protected by signature. If this command is not configured, then CA’s certificate will be used.
no response-signing-cert
This command enables the system to use same recipNonce as the last CMPv2 response for poll request.
The no form of the command disables system to use same recipNonce as the last CMPv2 response for poll request.
no same-recipnonce-for-pollreq
This command specifies the name of a file in cf3:\system-pki\crl as the Certification Revoke List file of the ca-profile.
Notes:
The no form of the command removes the filename from the configuration.
none
This command enables the context to configure OCSP parameters.
This command specifies HTTP URL of the OCSP responder for the CA, this URL will only be used if there is no OCSP responder defined in the AIA extension of the certificate to be verified.
no responder-url
This command specifies the service or routing instance that used to contact OCSP responder. This applies to OCSP responders that either configured in CLI or defined in AIA extension of the certificate to be verified.
The responder-url will also be resolved by using the DNS server configured in the configured routing instance.
In case of VPRN service, system will check if the specified service-id or service-name is an existing VPRN service at the time of CLI configuration. Otherwise the configuration will fail.
This command specifies the display format used for the Certificates and Certificate Revocation Lists.
ascii
With this command configured, the system will issues two types of warnings related to certificate expiration:
This command specifies when system will issue BeforeExp message before a certificate expires. For example, with certificate-expiration-warning 5, the system will issue a BeforeExp message 5 hours before a certificate expires. An optional repeat <repeat-hour> parameter will enable the system to repeat the BeforeExp message every hour until the certificate expires.
If the user only wants AfterExp, then certificate-expiration-warning 0 can be used to achieve this.
BeforeExp and AfterExp warnings can be cleared in following cases:
no certificate-expiration-warning
This command specifies when system will issue BeforeExp message before a CRL expires. For example, with certificate-expiration-warning 5, the system will issue a BeforeExp message 5 hours before a CRL expires. An optional repeat <repeat-hour> parameter will enable the system to repeat the BeforeExp message every hour until the CRL expires.
If the user only wants AfterExp, then certificate-expiration-warning 0 can be used to achieve this.
BeforeExp and AfterExp warnings can be cleared in following cases:
no crl-expiration-warning
This command defines the maximum depth of certificate chain verification. This number is applied system wide.
The no form of the command reverts to the default.
7
Use this command to enable or disable the ca-profile. The system will verify the configured cert-file and crl-file. If the verification fails, then the no shutdown command will fail.
The ca-profile in a shutdown state cannot be used in certificate authentication.
shutdown
This command enables the context to configure X.509 certificate related operational parameters. For information about CMPv6 admin certificate commands, see the Multiservice Integrated Service Adapter Guide.
This command clears the current OCSP response cache. If optional issuer and serial-number are not specified, then all current cached results are cleared.
This command manually triggers the Certificate Revocation List file (CRL) update for the specified ca-profile.
Using this command requires shutting down the auto-crl-update.
None
This command displays the content of an input file in plain text.
Note: When displaying the key file content, only the key size and type are displayed. |
The following list summarizes the formats supported by this command:
none
url-string | <local-url> - [99 chars max] |
local-url | <cflash-id>/<file-path> |
cflash-id | cf1: | cf2: | cf3: |
This command performs certificate operations.
This command generatse a RSA or DSA private key/public key pairs and store them in a local file in cf3:\system-pki\key
url-string | <local-url> - [99 chars max] |
local-url | <cflash-id>/<file-path> |
cflash-id | cf1: | cf2: | cf3: |
The minimum key-size is 1024 when running in FIPS-140-2 mode.
This command generates a PKCS#10 formatted certificate request by using a local existing key pair file.
none
url-string | <local-url> - [99 chars max] |
local-url | <cflash-id>/<file-path> |
cflash-id | cf1: | cf2: | cf3: |
This parameter is formatted as a text string including any of the above attributes. The attribute and its value is linked by using “=”, and “,” is used to separate different attributes.
For example: C=US,ST=CA,O=ALU,CN=SR12
This command converts an input file(key/certificate/CRL) to a system format file. The following list summarizes the formats supported by this command:
Note: If there are multiple objects with the same type in the input file, only the first object will be extracted and converted. |
none
url-string | <local-url> - [99 chars max] |
local-url | <cflash-id>/<file-path> |
cflash-id | cf1:|cf2:|cf3: |
This command reloads imported certificate or key file or both at the same time. This command is typically used to update certificate/key file without shutting down ipsec-tunnel/ipsec-gw/cert-profile/ca-profile. Note that type cert and type key will be deprecated in a future release. Use type cert-key-pair instead. Instead of type cert use type key instead.
If the new file does not exists or somehow invalid (bad format, does not contain right extension, etc.), then this command will abort.
In the case of type cert-key-pair, if the new file doesn’t exist or is invalid or cert and key do not match, then this command will abort with an error message.
none
This command exports IPv6 Secure Neighbor Discovery (SeND) certificates to the file cf[1..3]:\system-pki\secureNdKey in PKCS #7 DER format.
This command imports IPv6 Secure Neighbor Discovery (SeND) certificates from a file, and saves them to cf[1..3]:\system-pki\secureNdKey in PKCS #7 DER format.
local-url | <cflash-id>\<file-path> |
cflash-id | cf1:|cf2:|cf3: |
This command configures the action associated with the profile entry.
This command configures a command or subtree commands in subordinate command levels are specified.
Because the OS exits when the first match is found, subordinate levels cannot be modified with subsequent action commands. More specific action commands should be entered with a lower entry number or in a profile that is evaluated prior to this profile.
All commands below the hierarchy level of the matched command are denied.
The no form of this command removes a match condition
none
This command copies a profile or user from a source profile to a destination profile.
This command specifies the default action to be applied when no match conditions are met.
none
Note: The permit-all parameter does not change access to security commands. Security commands are only and always available to members of the super-user profile. |
For example, if a user is a member of two profiles and the default action of the first profile is permit-all, then the second profile will never be evaluated because the permit-all is executed first. Set the first profile default action to none and if no match conditions are met in the first profile, then the second profile will be evaluated. If the default action of the last profile is none and no explicit match is found, then the default deny-all takes effect.
This command is used to create a user profile entry.
More than one entry can be created with unique entry-id numbers. Exits when the first match is found and executes the actions according to the accompanying action command. Entries should be sequenced from most explicit to least explicit.
An entry may not have any match criteria defined (in which case, everything matches) but must have at least the keyword action for it to be considered complete.
The no form of the command removes the specified entry from the user profile.
No entry IDs are defined.
This command creates a context to create user profiles for CLI command tree permissions.
Profiles are used to either deny or permit user console access to a hierarchical branch or to specific commands.
Once the profiles are created, the user command assigns users to one or more profiles. You can define up to 16 user profiles but a maximum of 8 profiles can be assigned to a user. The user-profile-name can consist of up to 32 alphanumeric characters.
The no form of the command deletes a user profile.
user-profile default
This command renumbers profile entries to re-sequence the entries.
Since the OS exits when the first match is found and executes the actions according to accompanying action command, re-numbering is useful to rearrange the entries from most explicit to least explicit.
This command grants a user permission for FTP, SNMP, console or lawful intercept (LI) access.
If a user requires access to more than one application, then multiple applications can be specified in a single command. Multiple commands are treated additively.
The no form of command removes access for a specific application. no access denies permission for all management access methods. To deny a single access method, enter the no form of the command followed by the method to be denied, for example, no access FTP denies FTP access.
No access is granted to the user by default.
This command configures the authentication and encryption method the user must use in order to be validated by the router. SNMP authentication allows the device to validate the managing node that issued the SNMP message and determine if the message has been tampered.
The keys configured in this command must be localized keys (MD5 or DES hash of the configured SNMP engine-ID and a password). The password is not directly entered in this command (only the localized key).
authentication none - No authentication is configured and privacy cannot be configured.
The MD5 authentication key is stored in an encrypted format. The key must be entered as a full 32 hex character string.
The sha authentication key is stored in an encrypted format. The key must be entered as a full 40 hex character string.
The des-key parameter is not available in FIPS-140-2 mode.
This command associates (or links) a user to a group name. The group name must be configured with the config>system>security>user >snmp>group command. The access command links the group with one or more views, security model (s), security level (s), and read, write, and notify permissions
No group name is associated with a user.
This command allows a user the privilege to change their password for both FTP and console login.
To disable a user’s privilege to change their password, use the cannot-change-password form of the command.
Note: The cannot-change-password flag is not replicated when a user copy is performed. A new-password-at-login flag is created instead. |
no cannot-change-password
This command creates the context to configure user profile membership for the console (either Telnet or CPM serial port user).
This command copies a specific user’s configuration parameters to another (destination) user.
The password is set to a carriage return and a new password at login must be selected.
This command configures the local home directory for the user for both console (file commands and '>' redirection) and FTP access.
If the URL or the specified URL/directory structure is not present, then a warning message is issued and the default is assumed.
The no form of the command removes the configured home directory.
no home-directory
Note: If restrict-to-home has been configured no file access is granted and no home-directory is created. If restrict-to-home is not applied then root becomes the user’s home-directory. |
This command configures the profile for the user based on this template.
This command configures a user’s login exec file which executes whenever the user successfully logs in to a console session.
Only one exec file can be configured. If multiple login-exec commands are entered for the same user, each subsequent entry overwrites the previous entry.
The no form of the command disables the login exec file for the user.
no login-exec
This command is used to allow the user access to a profile.
A user can participate in up to eight profiles.
The no form of this command deletes access user access to a profile.
default
This command forces the user to change a password at the next console login. The new password applies to FTP but the change can be enforced only by the console, SSH, or Telnet login.
The no form of the command does not force the user to change passwords.
no new-password-at-login
This command configures the user password for console and FTP access.
The password is stored in an encrypted format in the configuration file when specified. Passwords should be encased in double quotes (“ “) at the time of the password creation. The double quote character (“) is not accepted inside a password. It is interpreted as the start or stop delimiter of a string.
The password can be entered as plain text or a hashed value. SR OS can distinguish between hashed passwords and plain text passwords and take the appropriate action to store the password correctly.
The password is hashed by default.
For example:
The password command allows you also to enter the password as a hashed value.
For example:
A password value that does not conform to the minimum-length or other password complexity rules can be configured using the config>system>security>user>password command, but a warning is provided in the CLI. This allows, for example, an administrator to configure a non-conformant password for a user. A user cannot configure a non-conformant password for themselves using the global password command.
All password special characters (#, $, spaces, etc.) must be enclosed within double quotes.
For example: config>system>security>user# password “south#bay?”
The question mark character (?) cannot be directly inserted as input during a telnet connection because the character is bound to the help command during a normal Telnet/console connection.
To insert a # or ? characters, they must be entered inside a notepad or clipboard program and then cut and pasted into the Telnet session in the password field that is encased in the double quotes as delimiters for the password.
If a password is entered without any parameters, a password length of zero is implied: (carriage return).
This command allows the user to enter the context to configure public keys for SSH.
This command allows the user to enter the context to configure ECDSA public keys.
This command creates an ECDSA public key and associates it with the username. Multiple public keys can be associated with the user. The key ID is used to identify these keys for the user.
This command configures a value for the RSA or ECDSA public key. The public key must be enclosed in quotation marks. For RSA, the key is between 768 and 4096 bits. For ECDSA, the key is between 1 and 1024 bits.
no key-value
This command allows the user to enter the context to configure RSA public keys.
This command creates an RSA public key and associates it with the username. Multiple public keys can be associated with the user. The key ID is used to identify these keys for the user.
This command prevents users from navigating above their home directories for file access (either by means of CLI sessions with the file command, '>' redirection, or by means of FTP). A user is not allowed to navigate to a directory higher in the directory tree on the home directory device. The user is allowed to create and access subdirectories below their home directory.
If a home-directory is not configured or the home directory is not available, then the user has no file access.
The no form of the command allows the user access to navigate to directories above their home directory.
no restricted-to-home
This command creates the context to configure SNMP group membership for a specific user and defines encryption and authentication parameters.
All SNMPv3 users must be configured with the commands available in this CLI node.
The OS always uses the configured SNMPv3 user name as the security user name.
This command configures default security user template parameters.
This command creates a local user and a context to edit the user configuration.
If a new user-name is entered, the user is created. When an existing user-name is specified, the user parameters can be edited.
When creating a new user and then entering the info command, the system displays a password in the output. This is expected behavior in the hash2 scenario. However, when using that user name, there will be no password required. The user can login to the system and then <ENTER> at the password prompt, the user will be logged in.
Unless an administrator explicitly changes the password, it will be null. The hashed value displayed uses the username and null password field, so when the username is changed, the displayed hashed value will change.
The no form of the command deletes the user and all configuration data. Users cannot delete themselves.
none
This command is used to configure a session group that can be used to limit the number of CLI sessions available to members of the group.
This command is used to limit the number of SSH-based CLI sessions available to all users that are part of a particular profile, or to all users of all profiles that are part of the same cli-session-group.
The no form of this command disables the command and the profile/group limit is not applied on the number of sessions.
no ssh-max-sessions
This command is used to limit the number of Telnet-based CLI sessions available to all users that are part of a particular profile, or to all users of all profiles that are part of the same cli-session-group.
The no form of this command disables the command and the profile/group limit is not applied on the number of sessions.
no telnet-max-sessions
This command is used to limit the number of combined SSH/TELENT based CLI sessions available to all users that are part of a particular profile, or to all users of all profiles that are part of the same cli-session-group.
The no form of this command disables the command and the profile/group limit is not applied to the number of combined sessions.
no combined-max-sessions
This command indicates the algorithm used to access the set of RADIUS servers.
direct
This command enables RADIUS accounting.
The no form of this command disables RADIUS accounting.
no accounting
This command specifies a UDP port number on which to contact the RADIUS server for accounting requests.
This command configures RADIUS authorization parameters for the system.
no authorization
This command enables RADIUS interactive authentication for the system. Enabling interactive-authentication forces RADIUS to fall into challenge/response mode.
no authentication
This command configures the TCP port number to contact the RADIUS server.
The no form of the command reverts to the default value.
1812 (as specified in RFC 2865, Remote Authentication Dial In User Service (RADIUS))
This command creates the context to configure RADIUS authentication on the router.
Implement redundancy by configuring multiple server addresses for each router.
The no form of the command removes the RADIUS configuration.
This command configures the number of times the router attempts to contact the RADIUS server for authentication if there are problems communicating with the server.
The no form of the command reverts to the default value.
3
This command adds a RADIUS server and configures the RADIUS server IP address, index, and key values.
Up to five RADIUS servers can be configured at any one time. RADIUS servers are accessed in order from lowest to highest index for authentication requests until a response from a server is received. A higher indexed server is only queried if no response is received from a lower indexed server (which implies that the server is not available). If a response from a server is received, no other RADIUS servers are queried. It is assumed that there are multiple identical servers configured as backups and that the servers do not have redundant data.
The no form of the command removes the server from the configuration.
no server
ipv4-address | a.b.c.d (host bits must be 0) |
ipv6-address | x:x:x:x:x:x:x:x (eight 16-bit pieces) |
x:x:x:x:x:x:d.d.d.d | |
x: [0..FFFF]H | |
d: [0..255]D |
This command administratively disables the RADIUS protocol operation. Shutting down the protocol does not remove or change the configuration other than the administrative state.
The operational state of the entity is disabled as well as the operational state of any entities contained within. Many objects must be shut down before they may be deleted.
The no form of the command administratively enables the protocol which is the default state.
no shutdown
This command configures the number of seconds the router waits for a response from a RADIUS server.
The no form of the command reverts to the default value.
3
This command specifies whether the RADIUS default user template is actively applied to the RADIUS user if no VSAs are returned with the auth-accept from the RADIUS server. When enabled, the radius_default user-template is actively applied if no VSAs are returned with the auth-accept from the RADIUS server and radius authorization is enabled.
The no form of the command disables the use of the RADIUS default template.
no use-default-template
This command adds a TACACS+ server and configures the TACACS+ server IP address, index, and key values.
Up to five TACACS+ servers can be configured at any one time. TACACS+ servers are accessed in order from lowest index to the highest index for authentication requests.
The no form of the command removes the server from the configuration.
No TACACS+ servers are configured.
ipv4-address | a.b.c.d (host bits must be 0) |
ipv6-address | x:x:x:x:x:x:x:x (eight 16-bit pieces) |
x:x:x:x:x:x:d.d.d.d | |
x: [0..FFFF]H | |
d: [0..255]D |
This command administratively disables the TACACS+ protocol operation. Shutting down the protocol does not remove or change the configuration other than the administrative state.
The operational state of the entity is disabled as well as the operational state of any entities contained within. Many objects must be shut down before they may be deleted.
The no form of the command administratively enables the protocol which is the default state.
no shutdown
This command creates the context to configure TACACS+ authentication on the router.
Configure multiple server addresses for each router for redundancy.
The no form of the command removes the TACACS+ configuration.
This command configures the type of accounting record packet that is to be sent to the TACACS+ server. The record-type parameter indicates whether TACACS+ accounting start and stop packets be sent or just stop packets be sent.
record-type stop-only
This command configures TACACS+ authorization parameters for the system.
no authorization
This configuration instructs the SR OS to send no username nor password in the TACACS+ start message, and to display the server_msg in the GETUSER and GETPASS response from the TACACS+ server. Interactive authentication can be used to support a One Time Password scheme (e.g. S/Key). An example flow (e.g. with a telnet connection) is as follows:
When interactive-authentication is disabled the SR OS will send the username and password in the tacplus start message. An example flow (e.g. with a telnet connection) is as follows:
When interactive-authentication is enabled, tacplus must be the first method specified in the authentication-order configuration.
no interactive-authentication
This command enables the context to specify a series of mappings between TACACS+ priv-lvl and locally configured profiles for authorization. These mappings are used when the use-priv-lvl option is specified for tacplus authorization.
The no form of the command reverts to the default.
priv-lvl-map
This command maps a specific TACACS+ priv-lvl to a locally configured profile for authorization. This mapping is used when the use-priv-lvl option is specified for TACPLUS authorization.
This command configures the number of seconds the router waits for a response from a TACACS+ server.
The no form of the command reverts to the default value.
3
This command administratively disables the TACACS+ protocol operation. Shutting down the protocol does not remove or change the configuration other than the administrative state.
The operational state of the entity is disabled as well as the operational state of any entities contained within. Many objects must be shut down before they may be deleted.
The no form of the command administratively enables the protocol which is the default state.
no shutdown
This command specifies whether the tacplus_default user-template is actively applied to the TACACS+ user. When enabled, the tacplus_default user-template is actively applied if tacplus authorization is enabled (without the use-priv-lvl option).
use-default-template
This command configures LDAP authentication parameters for the system.
The no form will de-configure the LDAP client from the SR OS.
This command enables public key retrieval from the LDAP server. If disabled (in its no form), password authentication will be attempted via LDAP.
no public-key-authentication
This command configures the number of retries for the SR OS in its attempt to reach the current LDAP server before attempting the next server.
The no version of this command will configure a default retry value of 3.
This command configures an LDAP server. Up to five servers can be configured, which can then work in a redundant manner.
The no version of this command removes the server connection.
This command configures the IPv4 or IPv6 address for the LDAP server.
The no version of this command removes the server address.
ipv4-address | a.b.c.d (host bits must be 0) |
ipv6-address | x:x:x:x:x:x:x:x (eight 16-bit pieces) |
x:x:x:x:x:x:d.d.d.d | |
x: [0..FFFF]H | |
d: [0..255]D |
This command configures the LDAP binding used to log into LDAP server. A string of domain components (DC) and common names (CN) can be programmed to identify the user in addition to the password field. The password is hashed. For example, “cn=admin,dc=nokia,dc=com” indicates the user admin in domain nokia.com. Table 17 lists the LDAP attributes.
The no version of this command removes the bind-authentication.
Object Class | Naming Attribute Display Name | Naming Attribute LDAP Name |
user | Common-Name | cn |
organizationalUnit | Organizational-Unit-Name | ou |
domain | Domain-Component | dc |
This command configures the LDAP server name or description.
The no version of this command removes the LDAP server name.
This command configures the LDAP search command. The search base-dn tells the server which part of the external directory tree to search. The search DN uses the same LDAP attribute as root-dn. For example, to search a public-key for an SSH generated for a Nokia vendor, one might use “dc=public-key,dc=nokia,dc=com”.
The no version of this command remove the search DN; as such, no search will be possible on the LDAP server.
In the ldap context, this command enables or disabled LDAP protocol operations.
In the server context, this command enables or disables the LDAP server. To perform no shutdown, an LDAP server address is required. To change the address, the user first needs to shut down the server.
This command attaches a TLS client profile to the LDAP client. The parameter in the TLS profile is used to encrypt the LDAP connection to the server. Each LDAP server can use its own TLS profile.
The no version of this command removes the TLS profile from LDAP and disables the TLS encryption from LDAP.
The timeout value is the number of seconds that the SR OS will wait for a response from the current server that it is trying to establish a connection with. If the server does not reply within the configured timeout value, the SR OS will increment the retry counter by 1. The SR OS attempts to establish the connection to the current server up to the configured retry value before it moves to the next configured server.
The no version of this command configures the default timeout of 3.
This command specifies whether or not the default template is to be actively applied to LDAP.
no use-default-template
This command creates the context to configure 802.1x network access control on the router.
The no form of the command removes the 802.1x configuration.
This command creates the context to configure RADIUS server parameters for 802.1x network access control on the router.
Note: The RADIUS server configured under the config>system>security>dot1x>radius-plcy context authenticates clients who get access to the data plane of the router as opposed to the RADIUS server configured under the config>system>radius context which authenticates CLI login users who get access to the management plane of the router. |
The no form of the command removes the RADIUS server configuration for 802.1x.
This command configures the number of times the router attempts to contact the RADIUS server for authentication if there are problems communicating with the server.
The no form of the command reverts to the default value.
3
This command adds a Dot1x server and configures the Dot1x server IP address, index, and key values.
Up to five Dot1x servers can be configured at any one time. Dot1x servers are accessed in order from lowest to highest index for authentication requests until a response from a server is received. A higher indexed server is only queried if no response is received from a lower indexed server (which implies that the server is not available). If a response from a server is received, no other Dot1x servers are queried. It is assumed that there are multiple identical servers configured as backups and that the servers do not have redundant data.
The no form of the command removes the server from the configuration.
no server
This command configures the NAS IP address to be sent in the RADIUS packet.
The no form of the command reverts to the default value.
By default the System IP address is used in the NAS field.
This command administratively disables the 802.1x protocol operation. Shutting down the protocol does not remove or change the configuration other than the administrative state.
The operational state of the entity is disabled as well as the operational state of any entities contained within.
The no form of the command administratively enables the protocol which is the default state.
shutdown
This command configures the number of seconds the router waits for a response from a RADIUS server.
The no form of the command reverts to the default value.
3
This command enables the context to configure keychain parameters. A keychain must be configured on the system before it can be applied to a session.
The no form of the command removes the keychain nodal context and everything under it from the configuration. If the keychain to be removed is in use when the no keychain command is entered, the command will not be accepted and an error indicating that the keychain is in use will be printed.
none
This command specifies the data type that indicates the TCP stream direction to apply the keychain.
none
This command configures keys for both send and receive stream directions.
none
This command configures keys for send or receive stream directions.
none
This command enables the receive nodal context. Entries defined under this context are used to authenticate TCP segments that are being received by the router.
none
This command specifies the send nodal context to sign TCP segments that are being sent by the router to another device.
none
This command defines a particular key in the keychain. Entries are defined by an entry-id. A keychain must have valid entries for the TCP Enhanced Authentication mechanism to work.
The no form of the command removes the entry from the keychain. If the entry is the active entry for sending, then this will cause a new active key to be selected (if one is available using the youngest key rule). If it is the ONLY possible send key, then the system will reject the command with an error indicating the configured key is the only available send key.
If the key is one of the eligible keys for receiving, it will be removed. If the key is the ONLY possible eligible key, then the command will not be accepted, and an error indicating that this is the only eligible key will be output.
The no form of the command deletes the entry.
There are no default entries.
The authentication-key can be any combination of letters or numbers.
This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.
This command specifies the calendar date and time after which the key specified by the keychain authentication key is used to sign and/or authenticate the protocol stream.
If no date and time is set, the begin-time is represented by a date and time string with all NULLs and the key is not valid by default.
This command specifies the calendar date and time after which the key specified by the authentication key is no longer eligible to sign and/or authenticate the protocol stream.
forever
This command configures the amount of time that an eligible receive key should overlap with the active send key or to never expire.
This command configures allows options to be associated with the authentication key.
This command enables the context to configure the TCP option number to be placed in the TCP packet header.
This command configures the TCP option number accepted in TCP packets received.
254
This command configures the TCP option number accepted in TCP packets sent.
254
This command enables the context to configure CLI scripts.
This command enables the context to authorize CLI script execution.
This command enables the context to configure authorization for the Cron job-scheduler.
This command enables the context to configure authorization for the VSD server.
The no form of the command removes all authorizations for the VSD server.
This command enables the context to configure authorization for the Event Handling System (EHS). EHS allows user-controlled programmatic exception handling by allowing a CLI script to be executed upon the detection of a log event.
This command configures The user context under which various types of CLI scripts should execute in order to authorize the script commands. TACACS+ and RADIUS users and authorization are not permitted for cli-script authorization.
The no form of this command configures scripts to execute with no restrictions and without performing authorization.
no cli-user
This command enables the context to configure a CPM filter. A CPM filter is a hardware filter done by the P chip on the CPM and CFM that applies to all the traffic going to the CPM or CFM CPU. It can be used to drop, accept packets, as well as allocate dedicated hardware queues for the traffic.
The no form of the command disables the CPM filter.
This command specifies the action to take on the traffic when the filter entry matches. If there are no filter entry defined, the packets received will either be dropped or forwarded based on that default action.
accept
This command enables the context to configure CPM IP filter parameters.
shutdown
This command enables the context to configure CPM IPv6 filter parameters. This command applies only to the 7750 SR and 7950 XRS.
shutdown
This command enables the context to configure CPM MAC-filter parameters.
shutdown
This command specifies a particular CPM filter match entry. Every CPM filter must have at least one filter match entry. Entries are created and deleted by user.
The default match criteria is match none.
This command specifies the action to take for packets that match this filter entry.
drop
This command specifies the log in which packets matching this entry should be entered. The value zero indicates that logging is disabled.
The no form of the command deletes the log ID.
This command enables the context to enter match criteria for the filter entry. When the match criteria have been satisfied the action associated with the match criteria is executed. If more than one match criteria (within one match statement) are configured then all criteria must be satisfied (AND function) before the action associated with the match is executed.
A match context may consist of multiple match criteria, but multiple match statements cannot be entered per entry.
The no form of the command removes the match criteria for the entry-id.
Protocol | Protocol ID | Description |
icmp | 1 | Internet Control Message |
igmp | 2 | Internet Group Management |
ip | 4 | IP in IP (encapsulation) |
tcp | 6 | Transmission Control |
egp | 8 | Exterior Gateway Protocol |
igp | 9 | any private interior gateway (used by Cisco for their IGRP) |
udp | 17 | User Datagram |
rdp | 27 | Reliable Data Protocol |
ipv6 | 41 | IPv6 |
ipv6-route | 43 | Routing Header for IPv6 |
ipv6-frag | 44 | Fragment Header for IPv6 |
idrp | 45 | Inter-Domain Routing Protocol |
rsvp | 46 | Reservation Protocol |
gre | 47 | General Routing Encapsulation |
ipv6-icmp | 58 | ICMP for IPv6 |
ipv6-no-nxt | 59 | No Next Header for IPv6 |
ipv6-opts | 60 | Destination Options for IPv6 |
iso-ip | 80 | ISO Internet Protocol |
eigrp | 88 | EIGRP |
ospf-igp | 89 | OSPFIGP |
ether-ip | 97 | Ethernet-within-IP Encapsulation |
encap | 98 | Encapsulation Header |
pnni | 102 | PNNI over IP |
pim | 103 | Protocol Independent Multicast |
vrrp | 112 | Virtual Router Redundancy Protocol |
l2tp | 115 | Layer Two Tunneling Protocol |
stp | 118 | Spanning Tree Protocol |
ptp | 123 | Performance Transparency Protocol |
isis | 124 | ISIS over IPv4 |
crtp | 126 | Combat Radio Transport Protocol |
crudp | 127 | Combat Radio User Datagram |
This command specifies match criteria for the IP filter entry. This command applies only the the 775 SR and 7950 XRS.
The no form of this command removes the match criteria for the entry-id.
The protocol type such as TCP / UDP / OSPF is identified by its respective protocol number. Well-known protocol numbers include ICMP(1), TCP(6), UDP(17).
next-header: | 1 to 42, 45 to 49, 52 to 59, 61 to 255 protocol numbers accepted in DHB |
keywords: | none, crtp, crudp, egp, eigrp, encap, ether-ip, gre, icmp, drp, igmp, igp, ip, ipv6, ipv6-icmp, ipv6-no-nxt, isis, iso-ip, l2tp, spf-igp, pim, pnni, ptp, rdp, rsvp, stp, tcp, udp, vrrp |
* — udp/tcp wildcard |
This command creates the action associated with the management access filter match criteria entry.
The action keyword is required. If no action is defined, the filter is ignored. If multiple action statements are configured, the last one overwrites previous configured actions.
If the packet does not meet any of the match criteria the configured default action is applied.
none — The action is specified by default-action command.
This command creates the default action for management access in the absence of a specific management access filter match.
The default-action is applied to a packet that does not satisfy any match criteria in any of the management access filters. Whenever management access filters are configured, the default-action must be defined.
No default-action is defined.
This command configures a DiffServ Code Point (DSCP) name to be used as an IP filter match criterion.
The no form of the command removes the DSCP match criterion.
no dscp
This command configures a destination IP address range to be used as an IP filter match criterion.
To match on the destination IP address, specify the address and its associated mask, for example, 10.1.0.0/16. The conventional notation of 10.1.0.0 255.255.0.0 may also be used.
The no form of the command removes the destination IP address match criterion.
no dst-ip
This command configures a destination IPv6 address range to be used as an IPv6 filter match criterion.
To match on the destination IPv6 address, specify the address.
The no form of the command removes the destination IP address match criterion.
This command only applies to the 7750 SR and 7950 XRS.
no dst-ip
x:x:x:x:x:x:x:x (eight 16-bit pieces) | ||
x:x:x:x:x:x:d.d.d.d | ||
x: | [0 to .FFFF]H | |
d: | [0 to 255]D | |
prefix-length: | 1 to 128 |
This command specifies the TCP/UDP port or port name to match the destination-port of the packet.
Note: An entry containing Layer 4 match criteria will not match non-initial (2nd, 3rd, etc) fragments of a fragmented packet since only the first fragment contains the Layer 4 information. |
The no form of the command removes the destination port match criterion.
no dst-port
This command configures flow label match conditions. Flow labeling enables the labeling of packets belonging to particular traffic flows for which the sender requests special handling, such as non-default quality of service or real-time service.
This command specifies fragmented or non-fragmented IP packets as an IP filter match criterion.
Note: An entry containing Layer 4 match criteria will not match non-initial (2nd, 3rd, etc) fragments of a fragmented packet since only the first fragment contains the Layer 4 information. |
This command enables match on existence of IPv6 Fragmentation Extension Header in the IPv6 filter policy. To match first fragment of an IP fragmented packet, specify additional Layer 4 matching criteria in a filter policy entry. The no version of this command ignores IPv6 Fragmentation Extension Header presence/absence in a packet when evaluating match criteria of a given filter policy entry.
The no form of the command removes the match criterion.
This command enables match on existence of IPv6 Fragmentation Extension Header in the IPv6 filter policy. To match first fragment of an IP fragmented packet, specify additional Layer 4 matching criteria in a filter policy entry. The no version of this command ignores IPv6 Fragmentation Extension Header presence/absence in a packet when evaluating match criteria of a given filter policy entry.
no fragment
This command enables match on existence of Hop-by-Hop Options Extension Header in the IPv6 filter policy. This command applies to the 7750 SR and 7950 XRS.
The no form of this command ignores Hop-by-Hop Options Extension Header presence/absence in a packet when evaluating match criteria of a given filter policy entry.
no hop-by-hop-opt
This command configures matching on ICMP code field in the ICMP header of an IP packet as an IP filter match criterion.
Note: An entry containing Layer 4 match criteria will not match non-initial (2nd, 3rd, etc) fragments of a fragmented packet since only the first fragment contains the Layer 4 information. |
The behavior of the icmp-code value is dependent on the configured icmp-type value, thus a configuration with only an icmp-code value specified will have no effect. To match on the icmp-code, an associated icmp-type must also be specified.
The no form of the command removes the criterion from the match entry.
no icmp-code
This command configures matching on ICMP type field in the ICMP header of an IP packet as an IP filter match criterion.
Note: An entry containing Layer 4 match criteria will not match non-initial (2nd, 3rd, etc) fragments of a fragmented packet since only the first fragment contains the Layer 4 information. |
The no form of the command removes the criterion from the match entry.
no icmp-type
This command configures matching packets with a specific IP option or a range of IP options in the IP header as an IP filter match criterion.
The option-type octet contains 3 fields:
The no form of the command removes the match criterion.
no ip-option
The decimal value entered for the match should be a combined value of the eight bit option type field and not just the option number. Thus to match on IP packets that contain the Router Alert option (option number =20), enter the option type of 148 (10010100).
This 8 bit mask can be configured using the formats described in Table 19:
Format Style | Format Syntax | Example |
Decimal | DDD | 20 |
Hexadecimal | 0xHH | 0x14 |
Binary | 0bBBBBBBBB | 0b0010100 |
This command configures matching packets that contain more than one option fields in the IP header as an IP filter match criterion.
The no form of the command removes the checking of the number of option fields in the IP header as a match criterion.
no multiple-option
This command configures matching packets that contain the option field or have an option field of zero in the IP header as an IP filter match criterion.
The no form of the command removes the checking of the option field in the IP header as a match criterion.
no option-present
This command specifies a router name or a service-id to be used in the match criteria.
no router
router-name — Specifies a router name up to 32 characters to be used in the match criteria.
service-id — Specifies an existing service ID to be used in the match criteria.
This command specifies the IP address to match the source IP address of the packet.
To match on the source IP address, specify the address and its associated mask, such as 10.1.0.0/16. The conventional notation of 10.1.0.0 255.255.0.0 may also be used.
The no form of the command removes the source IP address match criterion.
no src-ip — No source IP match criterion.
ipv4-address | a.b.c.d (host bits must be 0) |
x:x:x:x:x:x:d.d.d.d[-interface] | |
x: [0..FFFF]H | |
d: [0..255]D | |
interface: 32 characters maximum, mandatory for link local addresses | |
mask: | Specifies the 16 bit mask to be applied when matching the source IP address. |
1 to 32 |
This command specifies the IPv6 address to match the source IPv6 address of the packet.
To match on the source IP address, specify the address and its associated mask, such as 10.1.0.0/16. The conventional notation of 10.1.0.0 255.255.0.0 may also be used.
The no form of the command removes the source IP address match criterion.
This command only applies to the 7750 SR and 7950 XRS.
no src-ip
ipv6-address | x:x:x:x:x:x:x:x[-interface] | |
x:x:x:x:x:x:d.d.d.d[-interface] | ||
x: [0..FFFF]H | ||
d: [0..255]D | ||
interface: 32 characters maximum, mandatory for link local addresses | ||
mask: | Specifies eight 16-bit hexadecimal pieces representing bit match criteria. | |
Values | x:x:x:x:x:x:x (eight 16-bit pieces) |
This command specifies the TCP/UDP port to match the source port of the packet.
Note: An entry containing Layer 4 match criteria will not match non-initial (2nd, 3rd, etc) fragments of a fragmented packet since only the first fragment contains the Layer 4 information. |
no src-port
This command configures matching on the ACK bit being set or reset in the control bits of the TCP header of an IP or IPv6 packet as an IP filter match criterion.
Note: An entry containing Layer 4 match criteria will not match non-initial (2nd, 3rd, etc) fragments of a fragmented packet since only the first fragment contains the Layer 4 information. |
The no form of the command removes the criterion from the match entry.
no tcp-ack
This command configures matching on the SYN bit being set or reset in the control bits of the TCP header of an IP or IPv6 packet as an IP filter match criterion.
Note: An entry containing Layer 4 match criteria will not match non-initial (2nd, 3rd, etc) fragments of a fragmented packet since only the first fragment contains the Layer 4 information. |
The SYN bit is normally set when the source of the packet wants to initiate a TCP session with the specified destination IP or IPv6 address.
The no form of the command removes the criterion from the match entry.
no tcp-syn
This command renumbers existing IP(IPv4), IPv6, or MAC filter entries to re-sequence filter entries.
This may be required in some cases since the OS exits when the first match is found and execute the actions according to the accompanying action command. This requires that entries be sequenced correctly from most to least explicit.
This command enables IPv4, IPv6 or MAC CPM filter.
The no form of this command disable the filter.
shutdown
This command enables the context to configure a CPM queue.
This command allows users to allocate dedicated CPM. The first available queue is 33.
This command specifies the amount of buffer that can be drawn from the reserved buffer portion of the queue’s buffer pool.
This command specifies the maximum queue depth to which a queue can grow.
This command specifies the maximum bandwidth that will be made available to the queue in kilobits per second (kbps).
This command configures TTL security parameters for incoming packets. When the feature is enabled, LDP will accept incoming IP packets from a peer only if the TTL value in the packet is greater than or equal to the minimum TTL value configured for that peer. Per-peer-queueing must be enabled in order for TTL protection to operate.
The no form of the command disables TTL security.
This command configures TTL security parameters for incoming packets. When the feature is enabled, BGP will accept incoming IP packets from a peer only if the TTL value in the packet is greater than or equal to the minimum TTL value configured for that peer. Per-peer-queueing must be enabled in order for TTL protection to operate.
The no form of the command disables TTL security.
no ttl-security
This command configures TTL security parameters for incoming packets. When the feature is enabled, SSH/Telnet will accept incoming IP packets from a peer only if the TTL value in the packet is greater than or equal to the minimum TTL value configured for that peer. Per-peer-queueing must be enabled in order for TTL protection to operate.
The no form of the command disables TTL security.
This command enters the context to configure CPU protection parameters.
This context allows configuration of which protocols are included for ip-src-monitoring. This is system-wide configuration that applies to cpu protection globally.
This command includes the extracted IPv4 DHCP packets for ip-src-monitoring. IPv4 DHCP packets will be subject to the per-source-rate of CPU protection policies.
dhcp (Note this is different from the other protocols)
This command includes the extracted IPV4 GTP packets for ip-src-monitoring. IPv4 GTP packets will be subject to the per-source-rate of CPU protection policies.
no gtp
This command includes the extracted IPv4 ICMP packets for ip-src-monitoring. IPv4 ICMP packets will be subject to the per-source-rate of CPU protection policies.
no icmp
This command includes the extracted IPv4 IGMP packets for ip-src-monitoring. IPv4 IGMP packets will be subject to the per-source-rate of CPU protection policies.
no igmp
This command configures a link-specific rate for CPU protection. This limit is applied to all ports within the system. The CPU will receive no more than the configured packet rate for all link level protocols such as LACP from any one port. The measurement is cleared each second and is based on the ingress port.
15000
This command configures CPU protection policies.
The no form of the command deletes the specified policy from the configuration.
Policies 254 and 255 are reserved as the default access and network interface policies, and cannot de deleted. The parameters within these policies can be modified. An event will be logged (warning) when the default policies are modified.
Policy 254 (default access interface policy):
Policy 255 (default network interface policy):
This command enables the generation of an event when a rate is exceed. The event includes information about the offending source. Only one event is generated per monitor period.
The no form of the command disables the notifications.
no alarm
Provides the construct under which the different entries within CPU policy can define the match criteria and overall arrival rate of the Ethernet Configuration and Fault Management (ETH-CFM) packets at the CPU.
Builds the specific match and rate criteria. Up to ten entries may exist in up to four CPU protection policies.
The no form of the command reverses the match and rate criteria configured.
no entry
all | Wildcard entry level |
range | 0 to 7: within specified range, multiple ranges allowed |
number | 0 to 7: specific level number, may be combined with range |
range | 0 to 255: within specified range, multiple ranges allowed |
number | 0 to 255: specific level number, may be combined with range |
This command applies a packet arrival rate limit for the entire SAP/interface, above which packets will be market as discard eligible, in other words, out-profile/low-priority/yellow. The rate defined is a global rate limit for the interface regardless of the number of traffic flows. It is a per-SAP/interface rate.
The no form of the command sets out-profile-rate parameter back to the default value.
3000 for cpu-protection-policy-id 1-253
6000 for cpu-protection-policy-id 254 (default access interface policy)
3000 for cpu-protection-policy-id 255 (default network interface policy)
This command applies a maximum packet arrival rate limit (applied per SAP/interface) for the entire SAP/interface, above which packets will be discarded immediately. The rate defined is a global rate limit for the interface regardless of how many traffic flows are present on the SAP/interface. It is a per-SAP/interface rate.
The no form of the command sets overall-rate parameter back to the default value.
max for cpu-protection-policy-id 1 to 253
6000 for cpu-protection-policy-id 254 (default access interface policy)
max for cpu-protection-policy-id 255 (default network interface policy)
This command configures a per-source packet arrival rate limit. Use this command to apply a packet arrival rate limit on a per source basis. A source is defined as a unique combination of SAP and MAC source address (mac-monitoring) or SAP and source IP address (ip-src-monitoring). The CPU will receive no more than the configured packet rate from each source (only certain protocols are rate limited for ip-src-monitoring as configured under ‘include-protocols’ in the cpu protection policy). The measurement is cleared each second.
This parameter is only applicable if the policy is assigned to an interface (some examples include saps, subscriber-interfaces, and spoke-sdps), and the mac-monitor or ip-src-monitor keyword is specified in the cpu-protection configuration of that interface.
The ip-src-monitoring is useful in subscriber management architectures that have routers between the subscriber and the BNG (router). In layer-3 aggregation scenarios, all packets from all subscribers behind the same aggregation router will arrive with the same source MAC address and as such the mac-monitoring functionality can not differentiate traffic from different subscribers.
max, no limit
This command configures a per-port overall rate limit for CPU protection.
This command causes the network processor on the CPM to discard all packets received for protocols that are not configured on the particular interface. This helps mitigate DoS attacks by filtering invalid control traffic before it hits the CPU. For example, if an interface does not have IS-IS configured, then protocol protection will discard any IS-IS packets received on that interface.
no protocol-protection
Use this command to apply a specific CPU protection policy to the associated interface. For these interface types, the per-source rate limit is not applicable.
If no CPU-protection policy is assigned to an interface, then the default policy is used to limit the overall-rate. The default policy is policy number 254 for access interfaces, 255 for network interfaces and no policy for video interfaces.
The no form of the command reverts to the default values.
cpu-protection 254 (for access interfaces)
cpu-protection 255 (for network interfaces)
none (for video-interfaces, shown as no cpu-protection in CLI)
The configuration of no cpu-protection returns the interface to the default policies as shown above.
Use this command to apply a specific CPU protection policy to the associated msap-policy. The specified cpu-protection policy will automatically be applied to any MSAPs that are create using the msap-policy.
If no CPU-protection policy is assigned to a SAP, then a default policy is used to limit the overall-rate according to the default policy. The default policy is policy number 254 for access interfaces, 255 for network interfaces and no policy for video interfaces.
The no form of the command reverts to the default values.
cpu-protection 254 (for access interfaces)
cpu-protection 255 (for network interfaces)
The configuration of no cpu-protection returns the msap-policy to the default policies as shown above.
Use this command to apply a specific CPU protection policy to the associated msap-policy. The specified cpu-protection policy will automatically be applied to any MSAPs that are create using the msap-policy.
If no CPU-protection policy is assigned to a SAP, then a default policy is used to limit the overall-rate according to the default policy. The default policy is policy number 254 for access interfaces, 255 for network interfaces and no policy for video interfaces.
The no form of the command reverts to the default values.
cpu-protection 254 (for access interfaces)
cpu-protection 255 (for network interfaces)
The configuration of no cpu-protection returns the msap-policy to the default policies as shown above.
Use this command to apply a specific CPU protection policy to the associated SAP, SDP or template. If the mac-monitoring keyword is given then per MAC rate limiting should be performed, using the per-source-rate from the associated cpu-protection policy.
If no CPU-protection policy is assigned to a SAP, then a default policy is used to limit the overall-rate according to the default policy. The default policy is policy number 254 for access interfaces, 255 for network interfaces and no policy for video interfaces.
The no form of the command reverts to the default values.
cpu-protection 254 (for access interfaces)
cpu-protection 255 (for network interfaces)
The configuration of no cpu-protection returns the SAP/SDP/template to the default policies as shown above.
This command enters the CLI context for configuration of the Distributed CPU Protection (DCP) feature.
This command configures one of the maximum 16 Distributed CPU Protection policies. These policies can be applied to objects such as SAPs and network interfaces.
This command allows you to set the description of the CPU Protection Policy.
This command configures the rate and burst tolerance for the policer in either a packet rate or a bit rate.
The actual hardware may not be able to perfectly rate limit to the exact configured parameters. In this case, the configured parameters will be adapted to the closest supported rate. The actual (operational) parameters can be seen in CLI, for example, “show service id 33 sap 1/1/3:33 dist-cpu-protection detail”.
rate packets max within 1
When a policer is declared as in an “exceed” state, it will remain as exceeding until a contiguous conformant period of detection-time passes. The detection-time only starts after the exceed-action hold-down is complete. If the policer detects another exceed during the detection count down then a hold-down is once again triggered before the policer re-enters the detection time (that is, the countdown timer starts again at the configured value). During the hold-down (and the detection-time), the policer is considered as in an “exceed” state.
30
This command reserves a set of policers for use as dynamic enforcement policers for the Distributed CPU Protection (DCP) feature. Policers are allocated from this pool and instantiated as per-object-per-protocol dynamic enforcement policers after a local monitor is triggered for an object (such as a SAP or Network Interface). Any change to this configured value automatically clears the high water mark, timestamp, and failed allocation counts as seen under “show card x fp y dist-cpu-protection” and in the tmnxFpDcpDynEnfrcPlcrStatTable in the TIMETRA-CHASSIS-MIB. Decreasing this value to below the currently used/allocated number causes all dynamic policers to be returned to the free pool (and traffic returns to the local monitors).
0
This command controls the action performed upon the extracted control packets when the configured policer rates are exceeded.
none
When the SR OS software detects that an enforcement policer has marked or discarded one or more packets (software may detect this some time after the packets are actually discarded), and an optional hold-down seconds value has been specified for the exceed-action, then the policer will be set into a “mark-all” or “drop-all” mode that cause the following:
- the policer state to be updated as normal
- all packets to be marked (if the action is “low-priority”) or dropped (action = discard) regardless of the results of the policing decisions/actions/state.
The hold-down is cleared after approximately the configured time in seconds after it was set. The hold-down seconds option should be selected for protocols that receive more than one packet in a complete handshake/negotiation (for example, DHCP, PPP). hold-down is not applicable to a local monitoring policer. The “detection-time” will only start after any hold-down is complete. During the hold-down (and the detection-time), the policer is considered as in an “exceed” state. The policer may re-enter the hold-down state if an exceed packet is detected during the detection-time countdown. The allowed values are none, 1 to 10080, indefinite.
This command controls the action performed upon the extracted control packets when the configured policer rates are exceeded.
none
This command controls the creation of log events related to static-policer status and activity.
default = log-events
log-events: send the Exceed (Excd) and Conform events (e.g. sapDcpStaticExcd)
This command configures a monitoring policer that is used to monitor the aggregate rate of several protocols arriving on an object (for example, SAP). When the local-monitoring-policer is determined to be in a non-conformant state (at the end of a minimum monitoring time of 60 seconds) then the system will attempt to allocate dynamic policers for the particular object for any protocols associated with the local monitor (for example, via the “protocol xyz enforcement” CLI command).
If the system cannot allocate all the dynamic policers within 150 seconds, it will stop attempting to allocate dynamic policers, raise a LocMonExcdAllDynAlloc log event, and go back to using the local monitor. The local monitor may then detect exceeded packets again and make another attempt at allocating dynamic policers.
Once this policer-name is referenced by a protocol then this policer will be instantiated for each “object” that is created and references this DDoS policy. If there is no policer free then the object will be blocked from being created.
This command controls the creation of log events related to local-monitoring-policer status and activity.
log-events: send the DcpLocMonExcdOutOfDynRes events
This command creates the protocol for control in the policy.
Control packets that are both forwarded (which means they could be subject to normal QoS policy policing) and also copied for extraction are not subject to distributed cpu protection (including in the all-unspecified bucket). This includes traffic snooping (for example, PIM in VPLS) as well as control traffic that is flooded in an R-VPLS instance and also extracted to the CPM (ARP, ISIS and VRRP). Centralized per SAP/interface, cpu-protection can be employed to rate limit or mark this traffic if desired.
Explanatory notes for some of the protocols:
“no protocol x” means packets of protocol x are not monitored and not enforced (although they do count in the fp protocol queue) on the objects to which this dist-cpu-protection policy is assigned, although the packets will be treated as part of the all-unspecified protocol if the all-unspecified protocol is created in the policy.
none
This command configures the enforcement method for the protocol.
dynamic local-mon-bypass
When a dynamic enforcing policer is instantiated, it will remain allocated until at least a contiguous conformant period of detection-time passes.
The dynamic-parameters are used to instantiate a dynamic enforcement policer for the protocol when the associated local-monitoring-policer is considered as exceeding its rate parameters (at the end of a minimum monitoring time of 60 seconds).
This command controls the creation of log events related to dynamic enforcement policer status & activity
log-events - send the Exceed (Excd) and Conform events
Configures a static enforcement policer that can be referenced by one or more protocols in the policy. Once this policer-name is referenced by a protocol, then this policer will be instantiated for each object (e.g. SAP or network interface) that is created and references this policy. If there is no policer resource available on the associated card/fp then the object will be blocked from being created. Multiple protocols can use the same static-policer.
This command determines the scheme used to select the initial drop priority of extracted control plane traffic. The initial drop priority of extracted packets can be either low or high priority. The drop priority of the extracted packets can be subsequently altered by mechanisms such as CPU protection. High-priority traffic receives preferential treatment in control plane congestion situations over low-priority traffic.
uniform
For network interfaces, the QoS classification profile result selects the drop priority (in = high priority, out = low priority) for extracted control traffic, and the default QoS classification maps different DSCP and EXP values to different in/out profile states.
For access interfaces, the QoS classification priority result typically selects the drop priority for extracted control traffic. The default access QoS classification (default-priority) maps all traffic to low. If the queues in the access QoS policy are configured as profile-mode queues (rather than the default priority-mode) extracted traffic will use the QoS classification profile value configured against the associated FC (rather than the priority result) to select the drop priority.
Layer 2 extracted control traffic (ARP or ETH-CFM) and protocols that cannot always be QoS-classified, such as IS-IS, are initialized as low drop priority in order to protect Layer 2 protocol traffic on uniform interfaces (which would typically be subject to centralized CPU protection). Alternately, DCP can be used (by configuring a non-zero rate with exceed-action of low-priority for the all-unspecified protocol) to mark some of this traffic as high priority.