The command outputs in the following section are examples only; actual displays may differ depending on supported functionality and user configuration.
This command displays TCP connections and UDP listeners.
The following is an example of system connections information.
This command displays gRPC server information.
The following is an example of system gRPC information.
Table 32 describes system gRPC output fields.
Label | Description |
gRPC Server | Specifies the gRPC server name. |
Administrative State | Specifies the administrative state (Enabled, Disabled). |
Operational State | Specifies the operational state (Up, Down). |
Supported services | Specifies the supported services. |
gNMI Version | Specifies the gNMI version. |
Address | Specifies the IP address. |
Port | Specifies the port number. |
Establishment Time | Specifies the establishment time. |
Active RPC Count | Specifies the active RPC count. |
Total RPC Count | Specifies the total RPC count. |
Rx Bytes | Specifies the number of received bytes. |
Tx Bytes | Specifies the number of transmitted bytes. |
No. of connections | Specifies the number of gRPC connections. |
No. of RPCs | Specifies the number of RPCs. |
This command displays SNMP access group information.
The following is an example of access group information.
Table 33 describes security access group output fields.
Label | Description |
Group name | The access group name. |
Security model | The security model required to access the views configured in this node. |
Security level | Specifies the required authentication and privacy levels to access the views configured in this node. |
Read view | Specifies the variable of the view to read the MIB objects. |
Write view | Specifies the variable of the view to configure the contents of the agent. |
Notify view | Specifies the variable of the view to send a trap about MIB objects. |
This command displays system login authentication configuration and statistics.
The following is an example of authentication information.
Table 34 describes system security authentication output fields.
Label | Description |
Sequence | The sequence in which authentication is processed. |
Server address | The IP address of the RADIUS server. |
Status | Current status of the RADIUS server. |
Type | The authentication type. |
Timeout (secs) | The number of seconds the router waits for a response from a RADIUS server. |
Retry count | Displays the number of times the router attempts to contact the RADIUS server for authentication if there are problems communicating with the server. |
Connection errors | Displays a sum of the number of sending failures and request timeouts to defined servers. |
Accepted logins | The number of times the user has successfully logged in. |
Rejected logins | The number of unsuccessful login attempts. |
Sent packets | The number of packets sent. |
Rejected packets | The number of packets rejected. |
This command displays the user profiles of this CLI session group and the session group details.
This command displays CPU protection policy information.
This command displays CPM filters.
This command displays CPM IP filters.
The following displays IP filter entry information.
Table 35 describes CPM IP filter output fields.
Label | Description |
Entry-Id | Displays information about the specified management access filter entry. |
Dropped | Displays the number of dropped events. |
Forwarded | Displays the number of forwarded events. |
Description | Displays the CPM filter description. |
Log ID | Displays the log ID where matched packets will be logged. |
Src IP | Displays the source IP address(/netmask or prefix-list). |
Dest. IP | Displays the destination IP address(/netmask). |
Src Port | Displays the source port number (range). |
Dest. Port | Displays the destination port number (range). |
Protocol | Displays the Protocol field in the IP header. |
Dscp | Displays the DSCP field in the IP header. |
Fragment | Displays the 3-bit fragment flags or 13-bit fragment offset field. |
ICMP Type | Displays the ICMP type field in the ICMP header. |
ICMP Code | Displays the ICMP code field in the ICMP header. |
TCP-syn | Displays the SYN flag in the TCP header. |
TCP-ack | Displays the ACK flag in the TCP header. |
Match action | When the criteria matches, displays drop or forward packet. |
Next Hop | In case match action is forward, indicates destination of the matched packet. |
Dropped pkts | Indicates the number of matched dropped packets. |
Forwarded pkts | Indicates number of matched forwarded packets. |
This command displays CPM IPv6 filters and only applies to the 7750 SR and 7950 XRS.
The following displays an example of IPv6 filter entry information.
Table 36 describes CPM IPv6 filter output fields.
Label | Description |
Entry-Id | Displays information about the specified management access filter entry. |
Dropped | Displays the number of dropped events. |
Forwarded | Displays the number of forwarded events. |
Description | Displays the CPM filter description. |
Log ID | Log Id where matched packets will be logged. |
Src IP | Displays Source IP address(/netmask) |
Dest. IP | Displays Destination IP address(/netmask). |
Src Port | Displays Source Port Number (range). |
Dest. Port | Displays Destination Port Number (range). |
next-header | Displays next-header field in the IPv6 header. |
Dscp | Displays Traffic Class field in the IPv6 header. |
ICMP Type | Displays ICMP type field in the icmp header. |
ICMP Code | Displays ICMP code field in the icmp header. |
TCP-syn | Displays the SYN flag in the TCP header. |
TCP-ack | Displays the ACK flag in the TCP header. |
Match action | When criteria matches, displays drop or forward packet. |
Next Hop | In case match action is forward, indicates destination of the matched packet. |
Dropped pkts | Indicates the number of matched dropped packets. |
Forwarded pkts | Indicates the number of matched forwarded packets. |
This command displays CPM MAC filters.
The following is an output example of CPU MAC filter information.
This command displays CPM queues.
The following displays CPM IPv6 filter information.
Table 37 describes CPM queue output fields.
Label | Description |
PIR | Displays the administrative Peak Information Rate (PIR) for the queue. |
CIR | Displays the amount of bandwidth committed to the queue. |
CBS | Displays the amount of buffer drawn from the reserved buffer portion of the queue’s buffer pool. |
MBS | Displays the maximum queue depth to which a queue can grow. |
This command enables the context to display CPU protection information.
The following output is an example of ETH CFM monitoring.
This command displays sources exceeding their eth-cfm-monitoring rate limit.
This command displays sources exceeding their per-source rate limit.
This command displays all interfaces with non-zero drop counters.
This command displays all interfaces, ports or SAPs with CPU protection policy violators. It also includes objects (SAPs, interfaces) that exceed the out-profile-rate and have the log-events keyword enabled for the out-profile-rate in the cpu-protection policy associated with the object.
The following is an example of CPU protection violators information.
This command enables the context to display Distributed CPU Protection information.
This command displays keychain information.
The following is an example of keychain information.
This command enables the context to display management access filter information for IP and MAC filters.
This command displays management-access IP filters.
The following is an example of MAF IP filter information.
Table 38 describes management access filter output fields.
Label | Description |
Def. action | Permit — Specifies that packets not matching the configured selection criteria in any of the filter entries are permitted. Deny — Specifies that packets not matching the configured selection criteria in any of the filter entries are denied and that an ICMP host unreachable message will be issued. Deny-host-unreachable — Specifies that packets not matching the configured selection criteria in the filter entries are denied. |
Entry | The entry ID in a policy or filter table. |
Description | A text string describing the filter. |
Src IP | The source IP address used for management access filter match criteria. |
Src interface | The interface name for the next hop to which the packet should be forwarded if it hits this filter entry. |
Dest port | The destination port. |
Matches | The number of times a management packet has matched this filter entry. |
Protocol | The IP protocol to match. |
Action | The action to take for packets that match this filter entry. |
This command displays management-access IPv6 filters and only applies to the 7750 SR and 7950 XRS.
The following is an example of MAF IPv6 filter information.
This command displays management access MAC filters.
The following is an example of management access filter MAC filter information.
This command displays configured password options.
The following is an example of password options information.
Table 39 describes password options output fields.
Label | Description |
Password aging in days | Displays the number of days a user password is valid before the user must change their password. |
Time required between password changes | Displays the time interval between changed passwords. |
Number of invalid attempts permitted per login | Displays the number of unsuccessful login attempts allowed for the specified time. |
Time in minutes per login attempt | Displays the period of time, in minutes, that a specified number of unsuccessful attempts can be made before the user is locked out. |
Lockout period (when threshold breached) | Displays the number of minutes that the user is locked out if the threshold of unsuccessful login attempts has been exceeded. |
Authentication order | Displays the sequence in which password authentication is attempted among RADIUS, TACACS+, and local passwords. |
User password history length | Displays the size of the password history file to be stored. |
Accepted password length | Displays the minimum length required for local passwords. |
Credits for each character type | Displays the credit for each character type. A credit is obtained for a particular character type; for example, uppercase, lowercase, numeric, or special character. Credits per character type are configurable. Credits can be used towards the minimum length of the password, so a trade-off can be made between a very long, simple password and a short, complex one. |
Required character types | Displays the character types that are required in a password; for example, uppercase, lowercase, numeric, or special character. |
Minimum number different character types | Displays the minimum number of each different character types in a password. |
Required distance with previous password | Displays the minimum Levenshtein distance between a new password and the old password. |
Allow consecutively repeating a character | Displays the number of times the same character is allowed to be repeated consecutively. |
Allow passwords containing username | Displays whether the user name is allowed as part of the password. |
Palindrome allowed | Displays whether palindromes are allowed as part of the password. |
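The following added example (not Nokia code and not part of the original reference) shows how the complexity settings listed in Table 39 interact when a new local password is evaluated. The `PasswordPolicy` field names and values are hypothetical, and two behaviors are assumptions: each character of a type earns one credit up to that type's configured maximum, and the palindrome check applies to the whole password.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    """Hypothetical model of the Table 39 settings; values are constructed."""
    min_length: int = 10                      # Accepted password length
    credits: dict = field(                    # Credits for each character type
        default_factory=lambda: {"numeric": 1, "special": 1})
    required_types: frozenset = frozenset({"upper", "lower", "numeric"})
    min_different_types: int = 3              # Minimum number different character types
    min_distance: int = 4                     # Required distance with previous password
    max_consecutive_repeat: int = 2           # Allow consecutively repeating a character
    allow_username: bool = False              # Allow passwords containing username
    allow_palindrome: bool = False            # Palindrome allowed


def char_type(c: str) -> str:
    """Classify a character into one of the four types named in Table 39."""
    if c.isupper():
        return "upper"
    if c.islower():
        return "lower"
    if c.isdigit():
        return "numeric"
    return "special"


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # deletion
                           cur[j - 1] + 1,               # insertion
                           prev[j - 1] + (ca != cb)))    # substitution
        prev = cur
    return prev[-1]


def longest_run(s: str) -> int:
    """Length of the longest run of one character repeated consecutively."""
    best = run = 0
    last = None
    for c in s:
        run = run + 1 if c == last else 1
        last = c
        best = max(best, run)
    return best


def check_password(policy: PasswordPolicy, username: str,
                   old: "str | None", new: str) -> list:
    """Return the names of the policy checks that the new password fails."""
    failures = []
    counts = Counter(char_type(c) for c in new)

    # Assumption: credits count towards the minimum length, capped per type.
    earned = sum(min(counts[t], cap) for t, cap in policy.credits.items())
    if len(new) + earned < policy.min_length:
        failures.append("length")
    if policy.required_types - set(counts):
        failures.append("required-types")
    if len(counts) < policy.min_different_types:
        failures.append("different-types")
    if old is not None and levenshtein(old, new) < policy.min_distance:
        failures.append("distance")
    if longest_run(new) > policy.max_consecutive_repeat:
        failures.append("repeat")
    if not policy.allow_username and username.lower() in new.lower():
        failures.append("username")
    # Assumption: only a password that is a palindrome as a whole is rejected.
    if not policy.allow_palindrome and len(new) > 1 and new == new[::-1]:
        failures.append("palindrome")
    return failures


if __name__ == "__main__":
    policy = PasswordPolicy()
    # Constructed sample inputs: (username, previous password, candidate).
    for user, old, new in [("admin", "Winter2023!", "Winter2024!"),
                           ("admin", None, "aaaa"),
                           ("admin", "Summer#Pass1", "Tr0ub4d&r")]:
        print(new, "->", check_password(policy, user, old, new) or "accepted")
```

The third sample is nine characters long but is accepted against a minimum of ten because it earns one numeric and one special credit, which is the length-versus-complexity trade-off described in the credits row.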
This command enables or disables CPM hardware queuing per peer. TTL security only operates when per-peer-queuing is enabled.
The following is an example of per peer queuing information.
Table 40 describes per-peer-queuing output fields.
Label | Description |
Per Peer Queuing | Displays the status (enabled or disabled) of CPM hardware queuing per peer. |
Total Num of Queues | Displays the total number of hardware queues. |
Num of Queues In Use | Displays the total number of hardware queues in use. |
This command displays user profile information.
If the profile-name is not specified, then information for all profiles is displayed.
The following is an example of user profile output information.
Table 41 describes user profile output fields.
Label | Description |
User Profile | Displays the profile name used to deny or permit user console access to a hierarchical branch or to specific commands. |
Def. action | Permit all — Permits access to all commands. Deny — Denies access to all commands. None — No action is taken. |
Entry | The entry ID in a policy or filter table. |
Description | Displays the text string describing the entry. |
Match Command | Displays the command or subtree commands in subordinate command levels. |
Action | Permit all — Commands matching the entry command match criteria are permitted. Deny — Commands not matching the entry command match criteria are not permitted. |
No. of profiles | The total number of profiles listed. |
This command displays source-address configured for applications.
The following is an example of source address output information.
Table 42 describes source address output fields.
Label | Description |
Application | Displays the source-address application. |
IP address Interface Name | Displays the source address IP address or interface name. |
Oper status | Up: The source address is operationally up. Down: The source address is operationally down. |
This command displays all the SSH sessions as well as the SSH status and fingerprint. The type of SSH application (CLI, SCP, SFTP, or NETCONF) is indicated for each SSH connection.
The following is an example of SSH output information.
Table 43 describes SSH output fields.
Label | Description |
Administrative State | Enabled: The SSH server is enabled. Disabled: The SSH server is disabled. |
Operational State | Up: The SSH server is up. Down: The SSH server is down. |
Preserve Key | Enabled: The preserve-key is enabled. Disabled: The preserve-key is disabled. |
Key-re-exchange | Displays the maximum time elapsed and maximum mbytes transmitted before a key re-exchange is initiated. All new sessions will be created with this value. |
SSH protocol version 1 | Enabled: SSH1 is enabled. Disabled: SSH1 is disabled. |
SSH protocol version 2 | Enabled: SSH2 is enabled. Disabled: SSH2 is disabled. |
DSA Host Key Fingerprint | The key fingerprint is the server’s identity. Clients trying to connect to the server verify the server's fingerprint. If the server fingerprint is not known, the client may not continue with the SSH session since the server might be spoofed. |
RSA Host Key Fingerprint | The key fingerprint is the server’s identity. Clients trying to connect to the server verify the server's fingerprint. If the server fingerprint is not known, the client cannot continue with the SSH session since the server might be spoofed. |
Connection | The IP address of the connected routers (remote client). |
Username | The name of the user. |
Version | The SSH version number. |
Cipher | 3des: An SSHv1 encryption method that allows proprietary information to be transmitted over untrusted networks. 3des-cbc: An SSHv2 encryption method. aes128-cbc: An SSHv2 128-bit encryption method. aes128-ctr: An SSHv2 128-bit encryption method. aes192-cbc: An SSHv2 192-bit encryption method. aes192-ctr: An SSHv2 192-bit encryption method. aes256-cbc: An SSHv2 256-bit encryption method. aes256-ctr: An SSHv2 256-bit encryption method. arcfour: An SSHv2 encryption method. des: An SSHv1 encryption method using a private (secret) key. blowfish: An SSHv1 encryption method. blowfish-cbc: An SSHv2 encryption method. cast128-cbc: An SSHv2 1280-bit encryption method. rijndael-cbc: An SSHv2 encryption method. |
Server Name | The server name. |
Status | connected: The SSH connection is connected. disconnected: The SSH connection is disconnected. |
Router Ins | SSH server router instance. Can be the router name ("Base" or "management") or the VPRN Id (1 to 2147483647). |
MAC | hmac-sha2-512: The SSH MAC algorithm used is hmac-sha2-512. hmac-sha2-256: The SSH MAC algorithm used is hmac-sha2-256. hmac-sha1: The SSH MAC algorithm used is hmac-sha1. hmac-sha1-96: The SSH MAC algorithm used is hmac-sha1-96. hmac-md5: The SSH MAC algorithm used is hmac-md5. hmac-ripemd160: The SSH MAC algorithm used is hmac-ripemd160. hmac-sha2-512: The SSH MAC algorithm used is hmac-sha2-512. hmac-ripemd160-openssh-com: The SSH MAC algorithm used is hmac-ripemd160-openssh-com. |
Key-re-exchange | Maximum time elapsed and maximum mbytes transmitted before a key re-exchange is initiated for this session. |
Number of SSH sessions | The total number of SSH sessions. |
The following is an example of SSH detail output information.
Table 44 describes SSH detail output fields.
Label | Description |
Administrative State | Enabled: The SSH server is enabled. Disabled: The SSH server is disabled. |
Operational State | Up: The SSH server is up. Down: The SSH server is down. |
Preserve Key | Enabled: The preserve-key is enabled. Disabled: The preserve-key is disabled. |
Key-re-exchange | Displays the maximum time elapsed and the maximum number of Mbytes transmitted before a key re-exchange is initiated. |
SSH protocol version 1 | Enabled: SSH1 is enabled. Disabled: SSH1 is disabled. |
SSH protocol version 2 | Enabled: SSH2 is enabled. Disabled: SSH2 is disabled. |
DSA Host Key Fingerprint | The key fingerprint is the server’s identity. Clients trying to connect to the server verify the server's fingerprint. If the server fingerprint is not known, the client cannot continue with the SSH session since the server might be spoofed. |
SSH Server Router Instance | SSH server router instance. Can be the router name ("Base" or "management") or the VPRN Id (1 to 2147483647). |
Access Allowed | Allowed: Access to the SSH server is allowed. Disallowed: Access to the SSH server is disallowed. |
Connection | The IP address of the connected routers (remote client). |
Username | The name of the user. |
Version | The SSH version number. |
Cipher | 3des: An SSHv1 encryption method that allows proprietary information to be transmitted over untrusted networks. 3des-cbc: An SSHv2 encryption method. aes128-cbc: An SSHv2 128-bit encryption method. aes128-ctr: An SSHv2 128-bit encryption method. aes192-cbc: An SSHv2 192-bit encryption method. aes192-ctr: An SSHv2 192-bit encryption method. aes256-cbc: An SSHv2 256-bit encryption method. aes256-ctr: An SSHv2 256-bit encryption method. arcfour: An SSHv2 encryption method. des: An SSHv1 encryption method using a private (secret) key. blowfish: An SSHv1 encryption method. blowfish-cbc: An SSHv2 encryption method. cast128-cbc: An SSHv2 1280-bit encryption method. rijndael-cbc: An SSHv2 encryption method. |
Server Name | The server name. |
Status | connected: Displays that the SSH connection is connected. disconnected: Displays that the SSH connection is disconnected. |
MAC | hmac-sha2-512: The SSH MAC algorithm used is hmac-sha2-512. hmac-sha2-256: The SSH MAC algorithm used is hmac-sha2-256. hmac-sha1: The SSH MAC algorithm used is hmac-sha1. hmac-sha1-96: The SSH MAC algorithm used is hmac-sha1-96. hmac-md5: The SSH MAC algorithm used is hmac-md5. hmac-ripemd160: The SSH MAC algorithm used is hmac-ripemd160. hmac-sha2-512: The SSH MAC algorithm used is hmac-sha2-512. hmac-ripemd160-openssh-com: The SSH MAC algorithm used is hmac-ripemd160-openssh-com. |
Key-re-exchange | Displays the maximum time elapsed and the maximum number of Mbytes transmitted before a key re-exchange is initiated for this session. |
Number of SSH sessions | The total number of SSH sessions. |
This command displays user registration information.
If no command line options are specified, summary information for all users displays.
The following is an example of user output information.
Table 45 describes user output fields.
Label | Description |
User ID | The name of a system user. |
Users | |
New Pwd | y — The user must change their password at the next login. n — The user does not need to change their password at the next login. |
User Permissions | console: y — The user is authorized for console access. n — The user is not authorized for console access. ftp: y — The user is authorized for FTP access. n — The user is not authorized for FTP access. li: y — The user is authorized for LI access. n — The user is not authorized for LI access. snmp: y — The user is authorized for SNMP access. n — The user is not authorized for SNMP access. netconf: y — The user is authorized for NETCONF access. n — The user is not authorized for NETCONF access. grpc: y — The user is authorized for gRPC access. n — The user is not authorized for gRPC access. |
Password Expires | The number of days after which the user must change their password. |
Login Attempt | The number of times that the user has attempted to log in, irrespective of whether the login succeeded or failed. |
Failed Logins | The number of unsuccessful login attempts. |
Local Conf | y — Password authentication is based on the local password database. n — Password authentication is not based on the local password database. |
Number of users | The total number of listed users. |
User Configuration Detail | |
new pw required | yes — The user must change their password at the next login. no — The user does not need to change their password at the next login. |
cannot change pw | yes — The user does not have the ability to change their password. no — The user has the ability to change their password. |
home directory | The local home directory for the user for both console and FTP access. |
restricted to home | yes — The user is not allowed to navigate to a directory higher in the directory tree on the home directory device. no — The user is allowed to navigate to a directory higher in the directory tree on the home directory device. |
login exec file | The user’s login exec file which executes whenever the user successfully logs in to a console session. |
profile | The security profiles associated with the user. |
locked-out | Whether the user is currently locked out, and, if they are locked out, how much time remains before the user can attempt to log into the node again. |
Currently Failed Login Attempts | |
Remaining Login Attempts | The number of login attempts remaining before the user is locked out. |
Remaining Lockout Time (min:sec) | The number of minutes and seconds remaining until the lockout expires and the user can attempt to log in again. |
With the introduction of PKI on an SR (SSH server), authentication can be done through PKI or password. SSH clients usually authenticate through PKI and password if PKI is configured on the client. In this case, PKI takes precedence over password in most clients.
All client authentications are logged and displayed in the show>system>security>user detail output. Table 46 shows the rules by which passed and failed attempts are logged.
Authentication Order | Client (such as, putty) | Server (such as, SR) | CLI Show System Security Attempts (SR) | ||
Private Key Programmed | Public Key Configured | Password Configured | Login Attempts | Failed Logins | |
1. Public Key | Yes | Yes | N/A | Increment | |
2. Password | Yes | Yes (No match between client and server. Go to password.) | Yes | Increment | |
Yes | No | Yes | Increment | ||
No | N/A | Yes | Increment | ||
No | N/A | No | Increment | ||
1. Public Key (only) | Yes | Yes | N/A | Increment | |
Yes | Yes (No match between client and server. Go to password.) | Increment | |||
Yes | N/A | Increment | |||
No | N/A | Increment |
This command displays the SNMP MIB views.
The following is an example of SNMP MIB view information.
Table 47 describes show view output fields.
Label | Description |
view name | The name of the view. Views control the accessibility of a MIB object within the configured MIB view and subtree. |
oid tree | The object identifier of the ASN.1 subtree. |
mask | The bit mask that defines a family of view subtrees. |
permission | Indicates whether each view is included or excluded. |
No. of Views | Displays the total number of views. |
This command displays certificate information.
This command shows certificate-authority profile information.
This command displays the current cached OCSP results. The output includes the following information:
Certificate issuer
Certificate serial number
OCSP result
Cache entry expire time
This command shows certificate related statistics.
This command displays Distributed CPU Protection parameters and status at the per card and forwarding plane level.
The following is an example of distributed CPU protection fields. Table 48 describes Distributed CPU Protection output fields.
Label | Description |
Card | The card identifier. |
Forwarding Plane(FP) | Identifies the instance of the FP (FastPath) chipset. Some cards have a single FP (for example, an IOM3-XP) and some cards can contain multiple FPs (for example, an XCM can house multiple FPs via its two XMAs). |
Dynamic Enforcement Policer Pool | The configured size of the dynamic-enforcement-policer-pool for this card or FP. |
Dynamic-Policers Currently In Use | The number of policers from the dynamic enforcement policer pool that are currently in use. The policers are allocated from the pool and instantiated as per-object-per-protocol dynamic enforcement policers after a local monitor triggered for an object (such as a SAP or Network Interface). |
Hi-WaterMark Hit Count | The maximum Currently In Use value since it was last cleared (clear card x fp y dist-cpu-protection). |
Hi-WaterMark Hit Time | The time at which the current Hi-WaterMark Hit Count was first recorded. |
Dynamic-Policers Allocation Fail Count | Indicates how many times the system attempted to allocate dynamic enforcement policers but could not get enough to fill the request. |
This command displays Distributed CPU Protection parameters and status at the per SAP level.
The following is an example of distributed CPU Protection Policer Output information.
Table 49 describes Distributed CPU Protection Policer output fields.
Label | Description |
Distributed CPU Protection Policy | The DCP policy assigned to the object. |
Policer-Name | The configured name of the static policer. |
Card/FP | The card and FP identifier. FP identifies the instance of the FP (FastPath) chipset. Some cards have a single FP (for example, IOM3-XP) and some cards can contain multiple FPs (for example, an XCM can house multiple FPs via its two XMAs). |
Policer-State | The state of the policer with the following potential values: Exceed — The policer has been detected as not conforming to the associated DCP policy parameters (for example, packets exceeded the configured rate and the DCP polling process identified this occurrence). Conform — The policer has been detected as conforming to the associated DCP policy parameters (rate). not-applicable — Newly-created policers or policers that are not currently instantiated. This includes policers configured on line cards that are not in service. |
Protocols Mapped | A list of protocols that are configured to map to the particular policer. |
Oper. xyz fields | The actual hardware may not be able to perfectly rate limit to the exact configured rate parameters in a DCP policy. In this case the configured rate parameters will be adapted to the closest supported rate. These adapted operational values are displayed in CLI when the detail keyword is included in the show command. The adapted Oper. parameters are only applicable if the policer is instantiated (for example, if the associated forwarding plane is operational, or for an interface if there is a physical port configured for the interface, or if the dynamic policers are allocated), otherwise values of 0 kb/s, and so on, are displayed. Oper. Kbps - The adapted “kilobits-per-second” value for DCP “kbps” rates. Oper. MBS - The adapted “mbs size” value for DCP “kbps” rates. Oper. Depth - The calculated policer bucket depth in packets (for DCP “packets” rates) or in bytes (for DCP “kbps” rates). Oper. Packets - The adapted “ppi” value for DCP “packets” rates. Oper. Within - The adapted “within seconds” value for DCP “packets” rates. Oper. Init. Delay - The adapted “initial-delay packets” value for DCP “packets” rates. |
Exceed-Count | The count of packets exceeding the policing parameters since the given policer was previously declared as conforming or newly-instantiated. This counter has the same behavior as the exceed counter in the DCP log events; they are baselined (reset) when the policer transitions to conforming. |
Detec. Time Remain | The remaining time in the detection-time countdown during which a policer in the exceed state is being monitored to see if it conforms again. |
Hold-Down Remain | The remaining time in the hold-down countdown during which a policer is treating all packets as exceeding. |
All Dyn-Plcr Alloc. | Indicates that all the dynamic enforcement policers have been allocated and instantiated for a given local-monitor. |
Dyn-Policer Alloc. | Indicates that a dynamic policer has been instantiated. |
This command displays Distributed CPU Protection parameters and status at the router Interface level.
The following is an example of Distributed CPU Protection Policer Output information.
Table 50 describes Distributed CPU Protection Policer output fields.
Label | Description |
Distributed CPU Protection Policy | Displays the DCP policy assigned to the object. |
Policer-Name | Displays the configured name of the static policer. |
Card/FP | Displays the card and FP identifier. FP identifies the instance of the FP (FastPath) chipset. Some cards have a single FP (for example, IOM3-XP) and some cards can contain multiple FPs (for example, an XCM can house multiple FPs via its two XMAs). |
Policer-State | Displays the state of the policer with the following potential values: Exceed - The policer has been detected as nonconforming to the associated DCP policy parameters (packets exceeded the configured rate and the DCP polling process identified this occurrence). Conform - The policer has been detected as conforming to the associated DCP policy parameters (rate). not-applicable - Newly-created policers or policers that are not currently instantiated. This includes policers configured on line cards that are not in service. |
Protocols Mapped | Displays a list of protocols that are configured to map to the particular policer. |
Oper. xyz fields | The actual hardware may not be able to perfectly rate limit to the exact configured rate parameters in a DCP policy. In this case the configured rate parameters will be adapted to the closest supported rate. These adapted operational values are displayed in CLI when the detail keyword is included in the show command. The adapted Oper. parameters are only applicable if the policer is instantiated (for example, if the associated forwarding plane is operational, or for an interface if there is a physical port configured for the interface, or if the dynamic policers are allocated), otherwise values of 0 kb/s, and so on, are displayed. Oper. Kbps - Displays the adapted “kilobits-per-second” value for DCP “kbps” rates Oper. MBS - Displays the adapted “mbs size” value for DCP “kbps” rates Oper. Depth - Displays the calculated policer bucket depth in packets (for DCP “packets” rates) or in bytes (for DCP “kbps” rates) Oper. Packets - Displays the adapted “ppi” value for DCP “packets” rates Oper. Within - Displays the adapted “within seconds” value for DCP “packets” rates Oper. Init. Delay - Displays the adapted “initial-delay packets” value for DCP “packets” rates |
Exceed-Count | Displays the count of packets exceeding the policing parameters since the given policer was previously declared as conforming or newly-instantiated. This counter has the same behavior as the exceed counter in the DCP log events; they are baselined (reset) when the policer transitions to conforming. |
Detec. Time Remain | Displays the remaining time in the detection-time countdown during which a policer in the exceed state is being monitored to see if it conforms again. |
Hold-Down Remain | Displays the remaining time in the hold-down countdown during which a policer is treating all packets as exceeding. |
All Dyn-Plcr Alloc. | Indicates that all the dynamic enforcement policers have been allocated and instantiated for a given local-monitor. |
Dyn-Policer Alloc. | Indicates that a dynamic policer has been instantiated. |
Label | Description |
Distributed CPU Protection Policy | Displays the DCP policy assigned to the object. |
Policer-Name | Displays the configured name of the static policer. |
Card/FP | Displays the card and FP identifier. FP identifies the instance of the FP (FastPath) chipset. Some cards have a single FP (for example, IOM3-XP) and some cards can contain multiple FPs (for example, an XCM can house multiple FPs via its two XMAs). |
Policer-State | Displays the state of the policer with the following potential values: Exceed — The policer has been detected as nonconforming to the associated DCP policy parameters (packets exceeded the configured rate and the DCP polling process identified this occurrence). Conform — The policer has been detected as conforming to the associated DCP policy parameters (rate). not-applicable — Newly-created policers or policers that are not currently instantiated. This includes policers configured on line cards that are not in service. |
Protocols Mapped | Displays a list of protocols that are configured to map to the particular policer. |
Oper. xyz fields | The actual hardware may not be able to rate limit to the exact configured rate parameters in a DCP policy. In this case, the configured rate parameters are adapted to the closest supported rate. These adapted operational values are displayed in the CLI when the detail keyword is included in the show command. The adapted Oper. parameters are only applicable if the policer is instantiated (for example, if the associated forwarding plane is operational, or for an interface if there is a physical port configured for the interface, or if the dynamic policers are allocated); otherwise, values of 0 kb/s, and so on, are displayed. Oper. Kbps — Displays the adapted “kilobits-per-second” value for DCP “kbps” rates. Oper. MBS — Displays the adapted “mbs size” value for DCP “kbps” rates. Oper. Depth — Displays the calculated policer bucket depth in packets (for DCP “packets” rates) or in bytes (for DCP “kbps” rates). Oper. Packets — Displays the adapted “ppi” value for DCP “packets” rates. Oper. Within — Displays the adapted “within seconds” value for DCP “packets” rates. Oper. Init. Delay — Displays the adapted “initial-delay packets” value for DCP “packets” rates. |
Exceed-Count | Displays the count of packets exceeding the policing parameters since the given policer was previously declared as conforming or newly-instantiated. This counter has the same behavior as the exceed counter in the DCP log events: these counters are baselined (reset) when the policer transitions to conforming. |
Detec. Time Remain | Displays the remaining time in the detection-time countdown during which a policer in the exceed state is being monitored to see if it conforms again. |
Hold-Down Remain | Displays the remaining time in the hold-down countdown during which a policer is treating all packets as exceeding. |
All Dyn-Plcr Alloc. | Indicates that all the dynamic enforcement policers have been allocated and instantiated for a given local-monitor. |
Dyn-Policer Alloc. | Indicates that a dynamic policer has been instantiated. |
Displays console user login and connection information.
The following is an example of user information.
Table 52 describes show users output fields.
Label | Description |
User | The user name. |
Type | The access type for which the user is authorized. |
From | The originating IP address. |
Login time | The time the user logged in. |
Idle time | The amount of idle time for a specific login. |
Number of users | Displays the total number of users logged in. |
This command clears authentication statistics.
This command clears RADIUS proxy server data.
This command clears IP filter statistics.
This command clears IPv6 filter information and only applies to the 7750 SR and 7950 XRS.
This command clears IPv6 filter statistics.
This command clears MAC filter statistics.
This command enables the context to clear CPU protection data.
This command clears the records of sources exceeding their per-source rate limit.
This command clears the interface counts of packets dropped by protocol protection.
This command clears the rate limit violator record.
This command clears CPM queue information.
This command enables debugging for RADIUS connections.
The no form of the command disables the debug output.
This command enters the debug certificate context.
This command enables debug output of the OCSP protocol for a CA profile.
The no form of this command disables the debug output.
This command enables debug output for a specific CA profile.
The no form of this command disables the debug output.
This command enables the debug context for gRPC.
The no form of this command removes any debug activation within the gRPC context.
This command enables debug output for all clients or for a particular client.
The no form of this command deactivates debugging for all clients.
This command enables debugging for all RPCs or a particular RPC.
The no form of this command deactivates debugging for all RPCs.
This command displays Distributed CPU Protection parameters and status at the per card and forwarding plane level.
This command shows the nonconforming enforcement policers and local monitors.
Users Output
Table 53 describes show users output fields.
Label | Description |
Interface | The name of the router interface. |
Policer/Protocol | The configured name of the static policer (indicated with an [S]) or the DCP protocol name for a dynamic policer (indicated with a [D]). |
[S] / [D] | Indicates a static versus a dynamic policer. |
Hld Rem | The remaining time in the hold-down countdown during which a policer is treating all packets as exceeding. |
This command releases a Distributed CPU Protection (DCP) policer from a hold-down countdown (or indefinite hold-down if configured as such).
This command converts imported certificates and keys in the cf3:/system-pki directory between secure and legacy format.
This command is used to clear any lockouts for a specific user, or for all users.
This command is used to clear old passwords used by a specific user, or for all users.