2.8. Security Configuration Command Reference
2.8.1. Command Hierarchies
2.8.1.1. Security Commands
2.8.1.1.1. LLDP Commands
2.8.1.1.2. Management Access Filter Commands
2.8.1.1.3. CLI Script Authorization Commands
2.8.1.1.4. CPM Filter Commands
2.8.1.1.5. CPM Queue Commands
2.8.1.1.6. CPU Protection Commands
Refer to the 7450 ESS, 7750 SR, 7950 XRS, and VSR Layer 2 Services and EVPN Guide: VLL, VPLS, PBB, and EVPN, the 7450 ESS, 7750 SR, 7950 XRS, and VSR Layer 3 Services Guide: IES and VPRN and the 7450 ESS, 7750 SR, and VSR Multiservice Integrated Service Adapter and Extended Services Appliance Guide for command, syntax, and usage information about applying CPU Protection policies to interfaces.
CPU protection policies are applied by default (and customer policies can be applied) to a variety of entities including interfaces and SAPs. Refer to the appropriate guides for command syntax and usage for applying CPU protection policies. Examples of entities that can have CPU protection policies applied to them include:
config>router>if>cpu-protection policy-id
config>service>epipe>sap>cpu-protection policy-id [mac-monitoring] | [eth-cfm-monitoring [aggregate] [car]]
config>service>epipe>spoke-sdp>cpu-protection policy-id [mac-monitoring] | [eth-cfm-monitoring [aggregate] [car]]
config>service>ies>if>cpu-protection policy-id
config>service>ies>if>sap>cpu-protection policy-id [mac-monitoring] | [eth-cfm-monitoring [aggregate] [car]]
config>service>template>vpls-sap-template>cpu-protection policy-id [mac-monitoring] | [eth-cfm-monitoring [aggregate] [car]]
config>service>vpls>sap>cpu-protection policy-id [mac-monitoring] | [eth-cfm-monitoring [aggregate] [car]]
config>service>vpls>video-interface>cpu-protection policy-id
config>service>vprn>if>cpu-protection policy-id
config>service>vprn >if>sap>cpu-protection policy-id [mac-monitoring] | [eth-cfm-monitoring [aggregate] [car]]
config>service>vprn>nw-if>cpu-protection policy-id
config>service>vprn>sub-if>grp-if>sap>cpu-protection policy-id [mac-monitoring] | [eth-cfm-monitoring [aggregate] [car]]
config>subscr-mgmt>msap-policy>cpu-protection policy-id [mac-monitoring]
2.8.1.1.7. Distributed CPU Protection Commands
2.8.1.1.8. Extracted Protocol Traffic Priority Commands
2.8.1.1.9. Security Password Commands
2.8.1.1.10. Public Key Infrastructure (PKI) Commands
The following commands apply only to the 7450 ESS and 7750 SR:
 | Note: For information about CMPv6 admin certificate commands listed in the following tree, see the 7450 ESS, 7750 SR, and VSR Multiservice Integrated Service Adapter and Extended Services Appliance Guide. |
2.8.1.1.11. Profile Commands
2.8.1.1.12. CLI Session Commands
2.8.1.1.13. RADIUS Commands
2.8.1.1.14. TACACS+ Client Commands
2.8.1.1.15. LDAP Commands
2.8.1.1.16. User Management Commands
2.8.1.1.17. User Template Commands
2.8.1.1.18. Dot1x Commands
2.8.1.1.19. Keychain Commands
2.8.1.1.20. TTL Security Commands
2.8.1.1.21. gRPC Commands
2.8.1.2. Login Control Commands
2.8.2. Command Descriptions
This section provides the CLI command descriptions. Topics include:
2.8.2.1. General Security Commands
description
Syntax
Context
Description
This command creates a text description stored in the configuration file for a configuration context.
This command associates a text string with a configuration context to help identify the context in the configuration file.
The no form of this command removes the string.
Default
No description associated with the configuration context.
Parameters
shutdown
Syntax
Context
Description
This command administratively disables the entity. When disabled, an entity does not change, reset, or remove any configuration settings or statistics. Many entities must be explicitly enabled using the no shutdown command. The operational state of the entity is disabled as well as the operational state of any entities contained within. Many objects must be shut down before they may be deleted.
The no form of this command puts an entity into the administratively enabled state.
Default
no shutdown
2.8.2.2. Security Commands
security
Syntax
Context
Description
This command enables the context to configure security settings.
Security commands manage user profiles and user membership. Security commands also manage user login registrations.
copy
Syntax
Context
Description
This command copies a profile or user from a source profile to a destination profile.
Parameters
ftp-server
Syntax
Context
Description
This command enables FTP servers running on the system.
FTP servers are disabled by default. At system startup, only SSH servers are enabled.
The no form of this command disables FTP servers running on the system.
management-interface
Syntax
Context
Description
This command enables the context for choosing a management interface for hash configuration. The management interfaces are classic-cli, md-cli, netconf, or grpc.
classic-cli
Syntax
Context
Description
This command enables the context to configure hash-control for the classic CLI interface.
read-algorithm
Syntax
Context
Description
This command assigns a global read algorithm for the system. The read algorithm is used to read the input phrase in a module.
The no form of this command reverts to the default value.
Default
read-algorithm all-hash
Parameters
write-algorithm
Syntax
Context
Description
This command assigns a global write algorithm for the system. The write algorithm is used to display the phrase in the config file, info, show commands, and so on.
The no form of this command reverts to the default value.
Default
write-algorithm hash2
Parameters
grpc
Syntax
Context
Description
This command enters the context to configure hash-control for the gRPC interface.
hash-algorithm
Syntax
Context
Description
This command assigns a global read and write algorithm for the system. When the hash algorithm is set, the system will read and write the phrase based on the chosen algorithm.
The no form of this command reverts to the default value.
Default
hash-algorithm hash2
Parameters
md-cli
Syntax
Context
Description
This command enables the context to configure hash-control for the MD-CLI interface.
netconf
Syntax
Context
Description
This command enables the context to configure hash-control for the Netconf interface.
management
Syntax
Context
Description
This command enables the context to allow access to management servers.
allow-ftp
Syntax
Context
Description
This command allows access to the FTP server from Base and Management routers if it is operationally up.
The no form of this command disallows access to the FTP server.
Default
allow-ftp
allow-ssh
Syntax
Context
Description
This command allows the SSH parameters to be configured from Base and Management routers.
The no form of this command disallows SSH parameters from being configured.
Default
allow-ssh
allow-telnet
Syntax
Context
Description
This command allows access to the Telnet server from Base and Management routers if it is operationally up.
The no form of this command disallows access to the Telnet server.
Default
allow-telnet
allow-telnet6
Syntax
Context
Description
This command allows access to the Telnet IPv6 server from Base and Management routers if it is operationally up.
The no form of this command disallows access to the Telnet IPv6 server.
Default
allow-telnet6
per-peer-queuing
Syntax
Context
Description
This command enables CPM hardware queuing per peer. This means that when a peering session is established, the router will automatically allocate a separate CPM hardware queue for that peer.
The no form of this command disables CPM hardware queuing per peer.
Default
per-peer-queuing
source-address
Syntax
Context
Description
This command specifies the source address that should be used in all unsolicited packets sent by the application.
This feature only applies to inband interfaces and does not apply to the out of band management interface. Packets going out the management interface will keep using that as source IP address. In other words, when the RADIUS server is reachable through both the management interface and a network interface, the management interface is used despite whatever is configured by the source-address command.
When a source address is specified for the ptp application, the port-based 1588 hardware timestamping assist function will be applied to PTP packets matching the IPv4 address of the router interface used to ingress the SR/ESS or IP address specified in this command. If the IP address is removed, then the port-based 1588 hardware timestamping assist function will only be applied to PTP packets matching the IPv4 address of the router interface.
application
Syntax
Context
Description
This command configures the source IP address specified by the source-address command.
The no form of this command removes the interface name or address from the command.
Parameters
application6
Syntax
Context
Description
This command specifies the application to use the source IPv6 address specified by the source-address command.
The no form of this command removes the application and IPv6 address from the configuration.
Parameters
ssh
Syntax
Context
Description
This command enables the context to configure SSH parameters.
client-cipher-list
Syntax
Context
Description
This command enables the configuration of a list of allowed ciphers by the SSH client.
Parameters
cipher
Syntax
Context
Description
This command enables the configuration of a cipher. Client-ciphers are used when the SR OS is acting as an SSH client. Server-ciphers are used when the SR OS is acting as an SSH server.
The no form of this command removes the index and cipher name from the configuration.
Default
no cipher index
Parameters
Table 21: SSHv1 Default Ciphers
Cipher index value | Cipher name |
200 | 3des |
205 | blowfish |
210 | des |
| Note: blowfish and des are not permitted in FIPS-140-2 mode. |
Table 22: SSHv2 Default Ciphers
Cipher index value | Cipher name |
190 | aes256-ctr |
192 | aes192-ctr |
194 | aes128-ctr |
200 | aes128-cbc |
205 | 3des-cbc |
210 | blowfish-cbc |
215 | cast128-cbc |
220 | arcfour |
225 | aes192-cbc |
230 | aes256-cbc |
235 | rijndael-cbc |
| Note: blowfish-cbc, cast128-cbc, arcfour, and rijndael-cbc are not permitted in FIPS-140-2 mode. |
client-kex-list
Syntax
Context
Description
This command enables the context to configure SSH KEX algorithms for SR OS as a client.
An empty list is the default list that the SSH KEX advertises. The default list contains the following:
diffie-hellman-group16-sha512
diffie-hellman-group14-sha256
diffie-hellman-group14-sha1
diffie-hellman-group14-sha1
diffie-hellman-group1-sha1
kex
Syntax
Context
Description
This command allows the user to configure phase 1 SSH v2 KEX algorithms for SR OS as an SSH server or an SSH client. By default, the client and server lists are empty. If the user configures this list, SSH uses the hard-coded list with the first-listed algorithm having the highest priority and so on. An empty server or client list is the default list and contains the following algorithms:
diffie-hellman-group16-sha512
diffie-hellman-group14-sha256
diffie-hellman-group14-sha1
diffie-hellman-group14-sha1
diffie-hellman-group1-sha1
The no form of this command removes the specified KEX index. If all KEX indexes are removed, the default list is used again.
Parameters
client-mac-list
Syntax
Context
Description
This command enables the context to configure SSH MAC algorithms for SR OS as a client.
mac
Syntax
Context
Description
This command allows the user to configure SSH MAC algorithms for SR OS as an SSH server or an SSH client.
The no form of this command removes the specified mac index.
Default
no mac index
Parameters
Table 23: SSHv2 Default client/server algorithms
index | mac-name |
200 | hmac-sha2-512 |
210 | hmac-sha2-256 |
215 | hmac-sha1 |
220 | hmac-sha1-96 |
225 | hmac-md5 |
230 | hmac-ripemd160 |
235 | hmac-ripemd160-openssh-com |
240 | hmac-md5-96 |
key-re-exchange
Syntax
Context
Description
This command enables the key re-exchange context.
client
Syntax
Context
Description
This command enables the key re-exchange context for SR OS as an SSH client.
mbytes
Syntax
Context
Description
This command configures the maximum bytes to be transmitted before a key re-exchange is initiated by the server.
The no form of this command reverts to the default value.
Default
mbytes 1024
Parameters
minutes
Syntax
Context
Description
This command configures the maximum time, in minutes, before a key re-exchange is initiated by the server.
The no form of this command reverts to the default value.
Default
minutes 60
Parameters
shutdown
Syntax
Context
Description
This command stops the key exchange. It sets the minutes and bytes to infinity so there will not be any key exchange during the PDU transmission.
Default
no shutdown
server
Syntax
Context
Description
This command enables the key re-exchange context for the SSH server.
preserve-key
Syntax
Context
Description
After enabling this command, private keys, public keys, and host key file are saved by the server. It is restored following a system reboot or the ssh server restart.
The no form of this command specifies that the keys are held in memory by an SSH server and is not restored following a system reboot.
Default
no preserve-key
server-cipher-list
Syntax
Context
Description
This command enables the configuration of the list of allowed ciphers by the SSH server.
Parameters
server-kex-list
Syntax
Context
Description
This command allows the user to configure SSH KEX algorithms for SR OS as an SSH server.
An empty list is the default list that the SSH KEX advertises. The default list contains the following:
diffie-hellman-group16-sha512
diffie-hellman-group14-sha256
diffie-hellman-group14-sha1
diffie-hellman-group14-sha1
diffie-hellman-group1-sha1
server-mac-list
Syntax
Context
Description
This command allows the user to configure SSH MAC algorithms for SR OS as an SSH server.
server-shutdown
Syntax
Context
Description
This command enables the SSH servers running on the system.
Default
no server-shutdown
version
Syntax
Context
Description
This command configures the SSH protocol version that will be supported by the SSH server.
The no form of this command removes the SSH version from the configuration.
Parameters
| Note: Values “1” and “1-2” are not permitted in FIPS-140-2 mode. |
telnet-server
Syntax
Context
Description
This command enables Telnet servers running on the system.
Telnet servers are shut down by default. At system startup, only SSH servers are enabled.
Telnet servers in networks limit a Telnet clients to three retries to login. The Telnet server disconnects the Telnet client session after three retries.
The no form of this command disables Telnet servers running on the system.
telnet6-server
Syntax
Context
Description
This command enables Telnet IPv6 servers running on the system and only applies to the 7750 SR and 7950 XRS.
Telnet servers are shut down by default. At system startup, only SSH servers are enabled.
The no form of this command disables Telnet IPv6 servers running on the system.
vprn-network-exceptions
Syntax
Context
Description
This command configures the rate to limit the processing of packets with label TTL expiry received within an LSP shortcut, or within all VPRN instances in the system, and from all network IP interfaces. This includes labeled user and control plane packets, ping and traceroute packets within GRT and VPRN, and ICMP replies. Packets over the configured rate are dropped.
This feature does not rate limit MPLS and service OAM packets (vprn-ping, vprn-trace, lsp-ping, lsp-trace, vccv-ping, and vccv-trace).
The no form of this command disables the rate limiting of the reply to these packets.
This feature only applies to the 7750 SR and 7950 XRS.
Parameters
2.8.2.3. LLDP Commands
lldp
Syntax
Context
Description
This command enables the context to configure system-wide Link Layer Discovery Protocol parameters.
message-fast-tx
Syntax
Context
Description
This command configures the duration of the fast transmission period.
The no form of this command reverts to the default value.
Default
no message-fast-tx
Parameters
message-fast-tx-init
Syntax
Context
Description
This command configures the number of LLDPDUs to send during the fast transmission period.
The no form of this command reverts to the default value.
Default
no message-fast-tx-init
Parameters
notification-interval
Syntax
Context
Description
This command configures the minimum time between change notifications.
The no form of this command reverts to the default value.
Default
no notification-interval
Parameters
reinit-delay
Syntax
Context
Description
This command configures the time before re-initializing LLDP on a port.
The no form of this command reverts to the default value.
Default
no reinit-delay
Parameters
tx-credit-max
Syntax
Context
Description
This command configures the maximum consecutive LLDPDUs transmitted.
The no form of this command reverts to the default value.
Default
no tx-credit-max
Parameters
tx-hold-multiplier
Syntax
Context
Description
This command configures the multiplier of the tx-interval.
The no form of this command reverts to the default value.
Default
no tx-hold-multiplier
Parameters
tx-interval
Syntax
Context
Description
This command configures the LLDP transmit interval time.
The no form of this command reverts to the default value.
Default
no tx-interval
Parameters
2.8.2.4. Management Access Filter Commands
management-access-filter
Syntax
Context
Description
This command creates the context to edit management access filters and to reset match criteria.
Management access filters control all traffic in and out of the CPM. They can be used to restrict management of the router by other nodes outside either specific (sub)networks or through designated ports.
Management filters, as opposed to other traffic filters, are enforced by system software.
The no form of this command removes management access filters from the configuration.
ip-filter
Syntax
Context
Description
This command enables the context to configure management access IP filter parameters.
ipv6-filter
Syntax
Context
Description
This command enables the context to configure management access IPv6 filter parameters. This command only applies to the 7750 SR and 7950 XRS.
mac-filter
Syntax
Context
Description
This command configures a management access MAC-filter.
default-action
Syntax
Context
Description
This command creates the default action for management access in the absence of a specific management access filter match.
The default-action is applied to a packet that does not satisfy any match criteria in any of the management access filters. Whenever management access filters are configured, the default-action must be defined.
Parameters
The deny-host-unreachable only applies to ip-filter and ipv6filter.
entry
Syntax
Context
Description
This command is used to create or edit a management access IP(v4), IPv6, or MAC filter entry. Multiple entries can be created with unique entry-id numbers. The OS exits the filter upon the first match found and executes the actions according to the respective action command. For this reason, entries must be sequenced correctly from most to least explicit.
An entry may not have any match criteria defined (in which case, everything matches) but must have at least the keyword action defined to be considered complete. Entries without the action keyword are considered incomplete and inactive.
The no form of this command removes the specified entry from the management access filter.
Parameters
action
Syntax
Context
Description
This command creates the action associated with the management access filter match criteria entry.
The action keyword is required. If no action is defined, the filter is ignored. If multiple action statements are configured, the last one overwrites previous configured actions.
If the packet does not meet any of the match criteria the configured default action is applied.
Parameters
The deny-host-unreachable parameter only applies to ip-filter and ipv6-filter.
dst-port
Syntax
Context
Description
This command configures a destination TCP or UDP port number or port range for a management access filter match criterion.
The no form of this command removes the destination port match criterion.
Parameters
This 16 bit mask can be configured using the formats described in Table 24:
Table 24: Format Styles to Configure Mask
Format Style | Format Syntax | Example |
Decimal | DDDDD | 63488 |
Hexadecimal | 0xHHHH | 0xF800 |
Binary | 0bBBBBBBBBBBBBBBBB | 0b1111100000000000 |
To select a range from 1024 up to 2047, specify 1024 0xFC00 for value and mask.
log
Syntax
Context
Description
This command enables match logging. When enabled, matches on this entry will cause the Security event mafEntryMatch to be raised.
Default
no log
protocol
Syntax
Context
Description
This command configures an IP protocol type to be used as a management access filter match criterion.
The protocol type, such as TCP, UDP, and OSPF, is identified by its respective protocol number. Well-known protocol numbers include ICMP (1), TCP (6), and UDP (17).
The no form the command removes the protocol from the match criteria.
Parameters
flow-label
Syntax
Context
Description
This command configures flow label match conditions. Flow labeling enables the labeling of packets belonging to particular traffic flows for which the sender requests special handling, such as non-default quality of service or real-time service. This command only applies to the 7750 SR and 7950 XRS.
Parameters
next-header
Syntax
Context
Description
This command specifies the next header to match. The protocol type such as TCP, UDP or OSPF is identified by its respective protocol number. Well-known protocol numbers include ICMP(1), TCP(6), UDP(17). IPv6 Extension headers are identified by the next header IPv6 numbers as per RFC2460. This command only applies to the 7750 SR and 7950 XRS.
Parameters
next-header: | 0 to 255, protocol numbers accepted in DHB |
keywords: | none, crtp, crudp, egp, eigrp, encap, ether-ip, gre, icmp, drp, igmp, igp, ip, ipv6, ipv6-icmp, ipv6-no-nxt, isis, iso-ip, l2tp, spf-igp, pim, pnni, ptp, rdp, rsvp, stp, tcp, udp, vrrp |
router
Syntax
Context
Description
This command configures a router name or service ID to be used as a management access filter match criterion.
The no form the command removes the router name or service ID from the match criteria.
Parameters
router-name — Specifies a router name or CPM router instance, up to 32 characters to be used in the match criteria.
Values | “Base” | “management” | “vpls-management” |
Default | Base |
vprn-svc-id — Specifies a CPM router instance to be used in the match criteria.
src-ip
Syntax
Context
Description
This command configures a source IP address range prefix to be used as a management access filter match criterion.
The no form of this command removes the source IP address match criterion.
Default
no src-ip
Parameters
src-ip
Syntax
Context
Description
This command configures a source IPv6 address range prefix to be used as a management access filter match criterion. This command only applies to the 7750 SR and 7950 XRS.
The no form of this command removes the source IPv6 address match criterion.
Default
no src-ip
Parameters
ipv6-address | x:x:x:x:x:x:x:x (eight 16-bit pieces) |
x:x:x:x:x:x:d.d.d.d | |
x: [0..FFFF]H | |
d: [0..255]D | |
prefix-length | 1 to 128 |
src-port
Syntax
Context
Description
This command restricts ingress management traffic to either the CPM/CCM Ethernet port or any other logical port (for example LAG) on the device.
When the source interface is configured, only management traffic arriving on those ports satisfy the match criteria.
The no form of this command reverts to the default value.
Default
no src-port
Parameters
slot/mda/port[.channel] | ||
bundle-id | bundle-type-slot/mda.bundle-num | |
bundle | keyword | |
type | ima, fr, or ppp | |
bundle-num | 1 to 336 | |
bpgrp-id | bpgrp-type-bpgrp-num | |
bpgrp | keyword | |
type | ima or ppp | |
bpgrp-num | 1 to 2000 | |
aps-id | aps-group-id[.channel] | |
aps | keyword | |
group-id | 1 to 128 | |
ccag-id | ccag-id. path-id[cc-type] | |
| ccag | keyword |
id | 1 to 8 | |
path-id | a, b | |
cc-type | .sap-net, .net-sap | |
renum
Syntax
Context
Description
This command renumbers existing management access filter entries for an IP(v4), IPv6, or MAC filter to re-sequence filter entries.
The exits on the first match found and executes the actions in accordance with the accompanying action command. This may require some entries to be re-numbered differently from most to least explicit.
Parameters
shutdown
Syntax
Context
Description
This command disables the management-access-filter.
match
Syntax
Context
Description
This command configures math criteria for this MAC filter entry.
Parameters
cfm-opcode
Syntax
Context
Description
This command specifies the type of opcode checking to be performed.
If the cfm-opcode match condition is configured then a check must be made to see if the Ethertype is either IEEE802.1ag or Y1731. If the Ethertype does not match then the packet is not CFM and no match to the cfm-opcode is attempted.
The CFM (ieee802.1ag or Y1731) opcode can be assigned as a range with a start and an end number or with a (less than lt, greater than gt, or equal to eq) operator.
If no range with a start and an end or operator (lt, gt, eq) followed by an opcode with the value between 0 and 255 is defined then the command is invalid.
Table 25 lists the opcode values.
Table 25: Opcode Values
CFM PDU or Organization | Acronym | Configurable Numeric Value (Range) |
Reserved for IEEE 802.1 0 | 0 | |
Continuity Check Message | CCM | 1 |
Loopback Reply | LBR | 2 |
Loopback Message | LBM | 3 |
Linktrace Reply | LTR | 4 |
Linktrace Message | LTM | 5 |
Reserved for IEEE 802.1 | 6 – 31 | |
Reserved for ITU | 32 | |
AIS | 33 | |
Reserved for ITU | 34 | |
LCK | 35 | |
Reserved for ITU | 36 | |
TST | 37 | |
Reserved for ITU | 38 | |
APS | 39 | |
Reserved for ITU | 40 | |
MCC | 41 | |
LMR | 42 | |
LMM | 43 | |
Reserved for ITU | 44 | |
1DM | 45 | |
DMR | 46 | |
DMM | 47 | |
Reserved for ITU | 48 – 63 | |
Reserved for IEEE 802.1 0 | 64 - 255 |
Defined by ITU-T Y.1731 32 - 63
Defined by IEEE 802.1. 64 - 255
Default
no cfm-opcode
Parameters
dot1p
Syntax
Context
Description
This command configures Dot1p match conditions.
Table 26: Management Access Filter dot1p Mask Format
Format Style | Format Syntax | Example |
Decimal | D | 4 |
Hexadecimal | 0xH | 0x4 |
Binary | 0bBBB | 0b100 |
Parameters
dsap
Syntax
Context
Description
This command configures DSAP match conditions.
Parameters
This 8 bit mask can be configured using the formats described in Table 27:
Table 27: Format Styles
Format Style | Format Syntax | Example |
Decimal | DDD | 240 |
Hexadecimal | 0xHH | 0xF0 |
Binary | 0bBBBBBBBB | 0b11110000 |
dst-mac
Syntax
Context
Description
This command configures the destination MAC match condition.
Parameters
etype
Syntax
Context
Description
Configures an Ethernet type II Ethertype value to be used as a MAC filter match criterion.
The Ethernet type field is a two-byte field used to identify the protocol carried by the Ethernet frame. For example, 0800 is used to identify the IPv4 packets.
The Ethernet type field is used by the Ethernet version-II frames. IEEE 802.3 Ethernet frames do not use the type field. For IEEE 802.3 frames, use the dsap, ssap or snap-pid fields as match criteria.
The snap-pid field, etype field, ssap and dsap fields are mutually exclusive and may not be part of the same match criteria. Refer to the 7450 ESS, 7750 SR, 7950 XRS, and VSR Router Configuration Guide for information about MAC Match Criteria Exclusivity Rules fields that are exclusive based on the frame format.
The no form of this command removes the previously entered etype field as the match criteria.
Default
no etype
Parameters
snap-oui
Syntax
Context
Description
This command configures an IEEE 802.3 LLC SNAP Ethernet Frame OUI zero or non-zero value to be used as a MAC filter match criterion.
The no form of this command removes the criterion from the match criteria.
Default
no snap-oui
Parameters
snap-pid
Syntax
Context
Description
This command configures an IEEE 802.3 LLC SNAP Ethernet Frame PID value to be used as a MAC filter match criterion.
This is a two-byte protocol id that is part of the IEEE 802.3 LLC SNAP Ethernet Frame that follows the three-byte OUI field.
The snap-pid field, etype field, ssap and dsap fields are mutually exclusive and may not be part of the same match criteria. Refer to the 7450 ESS, 7750 SR, 7950 XRS, and VSR Router Configuration Guide for information about MAC Match Criteria Exclusivity Rules fields that are exclusive based on the frame format.
| Note: The snap-pid match criterion is independent of the OUI field within the SNAP header. Two packets with different three-byte OUI fields but the same PID field will both match the same filter entry based on a snap-pid match criteria. |
The no form of this command removes the snap-pid value as the match criteria.
Default
no snap-pid
Parameters
src-mac
Syntax
Context
Description
This command configures a source MAC address or range to be used as a MAC filter match criterion.
The no form of this command removes the source mac as the match criteria.
Default
no src-mac
Parameters
Table 28: ieee-address-mask Formats
Format Style | Format Syntax | Example |
Decimal | DDDDDDDDDDDDDD | 281474959933440 |
Hexadecimal | 0xHHHHHHHHHHHH | 0x0FFFFF000000 |
Binary | 0bBBBBBBB...B | 0b11110000...B |
To configure so that all packets with a source MAC OUI value of 00-03-FA are subject to a match condition then the entry should be specified as: 003FA000000 0xFFFFFF000000
ssap
Syntax
Context
Description
This command configures an Ethernet 802.2 LLC SSAP value or range for a MAC filter match criterion.
This is a one-byte field that is part of the 802.2 LLC header of the IEEE 802.3 Ethernet Frame.
The snap-pid field, etype field, ssap and dsap fields are mutually exclusive and may not be part of the same match criteria. Refer to the 7450 ESS, 7750 SR, 7950 XRS, and VSR Router Configuration Guide for information about MAC Match Criteria Exclusivity Rules fields that are exclusive based on the frame format.
The no form of this command removes the SSAP match criterion.
Default
no ssap
Parameters
svc-id
Syntax
Context
Description
This command specifies an existing svc-id to use as a match condition.
Parameters
2.8.2.5. CLI Script Authorization Commands
cli-script
Syntax
Context
Description
This command enables the context to configure CLI scripts.
authorization
Syntax
Context
Description
This command enables the context to authorize CLI script execution.
cron
Syntax
Context
Description
This command enables the context to configure authorization for the Cron job-scheduler.
cli-user
Syntax
Context
Description
This command configures The user context under which various types of CLI scripts should execute in order to authorize the script commands. TACACS+ and RADIUS users and authorization are not permitted for cli-script authorization.
The no form of this command configures scripts to execute with no restrictions and without performing authorization.
Default
no cli-user
Parameters
event-handler
Syntax
Context
Description
This command enables the context to configure authorization for the Event Handling System (EHS). EHS allows user-controlled programmatic exception handling by allowing a CLI script to be executed upon the detection of a log event.
vsd
Syntax
Context
Description
This command enables the context to configure authorization for the VSD server.
The no form of this command removes all authorizations for the VSD server.
2.8.2.6. CPM Filter Commands
cpm-filter
Syntax
Context
Description
This command enables the context to configure a CPM filter. A CPM filter is a hardware filter done by the P chip on the CPM and CFM that applies to all the traffic going to the CPM CPU. It can be used to drop, accept packets, as well as allocate dedicated hardware queues for the traffic.
The no form of this command disables the CPM filter.
default-action
Syntax
Context
Description
This command specifies the action to take on the traffic when the filter entry matches. If there are no filter entry defined, the packets received will either be dropped or forwarded based on that default action.
Default
default-action accept
Parameters
ip-filter
Syntax
Context
Description
This command enables the context to configure CPM IP filter parameters.
ipv6-filter
Syntax
Context
Description
This command enables the context to configure CPM IPv6 filter parameters. This command applies only to the 7750 SR and 7950 XRS.
mac-filter
Syntax
Context
Description
This command enables the context to configure CPM MAC-filter parameters.
entry
Syntax
Context
Description
This command specifies a particular CPM filter match entry. Every CPM filter must have at least one filter match entry. Entries are created and deleted by user.
The default match criteria is match none.
Parameters
action
Syntax
Context
Description
This command specifies the action to take for packets that match this filter entry.
Default
action drop
Parameters
log
Syntax
Context
Description
This command specifies the log in which packets matching this entry should be entered. The value zero indicates that logging is disabled.
The no form of this command deletes the log ID.
Parameters
match
Syntax
Context
Description
This command enables the context to enter match criteria for the filter entry. When the match criteria have been satisfied the action associated with the match criteria is executed. If more than one match criteria (within one match statement) are configured then all criteria must be satisfied (AND function) before the action associated with the match is executed.
A match context may consist of multiple match criteria, but multiple match statements cannot be entered per entry.
The no form of this command removes the match criteria for the entry-id.
Parameters
Table 29: IP Protocol Names
Protocol | Protocol ID | Description |
icmp | 1 | Internet Control Message |
igmp | 2 | Internet Group Management |
ip | 4 | IP in IP (encapsulation) |
tcp | 6 | Transmission Control |
egp | 8 | Exterior Gateway Protocol |
igp | 9 | any private interior gateway (used by Cisco for their IGRP) |
udp | 17 | User Datagram |
rdp | 27 | Reliable Data Protocol |
ipv6 | 41 | IPv6 |
ipv6-route | 43 | Routing Header for IPv6 |
ipv6-frag | 44 | Fragment Header for IPv6 |
idrp | 45 | Inter-Domain Routing Protocol |
rsvp | 46 | Reservation Protocol |
gre | 47 | General Routing Encapsulation |
ipv6-icmp | 58 | ICMP for IPv6 |
ipv6-no-nxt | 59 | No Next Header for IPv6 |
ipv6-opts | 60 | Destination Options for IPv6 |
iso-ip | 80 | ISO Internet Protocol |
eigrp | 88 | EIGRP |
ospf-igp | 89 | OSPFIGP |
ether-ip | 97 | Ethernet-within-IP Encapsulation |
encap | 98 | Encapsulation Header |
pnni | 102 | PNNI over IP |
pim | 103 | Protocol Independent Multicast |
vrrp | 112 | Virtual Router Redundancy Protocol |
l2tp | 115 | Layer Two Tunneling Protocol |
stp | 118 | Spanning Tree Protocol |
ptp | 123 | Performance Transparency Protocol |
isis | 124 | ISIS over IPv4 |
crtp | 126 | Combat Radio Transport Protocol |
crudp | 127 | Combat Radio User Datagram |
match
Syntax
Context
Description
This command specifies match criteria for the IP filter entry. This command applies only the 775 SR and 7950 XRS.
The no form of this command removes the match criteria for the entry-id.
Parameters
The protocol type such as TCP / UDP / OSPF is identified by its respective protocol number. Well-known protocol numbers include ICMP(1), TCP(6), UDP(17).
next-header: | 1 to 42, 45 to 49, 52 to 59, 61 to 255 protocol numbers accepted in DHB |
keywords: | none, crtp, crudp, egp, eigrp, encap, ether-ip, gre, icmp, drp, igmp, igp, ip, ipv6, ipv6-icmp, ipv6-no-nxt, isis, iso-ip, l2tp, spf-igp, pim, pnni, ptp, rdp, rsvp, stp, tcp, udp, vrrp |
* — udp/tcp wildcard |
dscp
Syntax
Context
Description
This command configures a DiffServ Code Point (DSCP) name to be used as an IP filter match criterion.
The no form of this command removes the DSCP match criterion.
Default
no dscp
Parameters
dst-ip
Syntax
Context
Description
This command configures a destination IP address range to be used as an IP filter match criterion.
To match on the destination IP address, specify the address and its associated mask, for example, 10.1.0.0/16. The conventional notation of 10.1.0.0 255.255.0.0 may also be used.
The no form of this command removes the destination IP address match criterion.
Default
no dst-ip
Parameters
dst-ip
Syntax
Context
Description
This command configures a destination IPv6 address range to be used as an IPv6 filter match criterion.
To match on the destination IPv6 address, specify the address.
The no form of this command removes the destination IP address match criterion.
This command only applies to the 7750 SR and 7950 XRS.
Default
no dst-ip
Parameters
x:x:x:x:x:x:x:x (eight 16-bit pieces) | ||
x:x:x:x:x:x:d.d.d.d | ||
x: | [0 to .FFFF]H | |
d: | [0 to 255]D | |
prefix-length: | 1 to 128 | |
dst-port
Syntax
Context
Description
This command specifies the TCP/UDP port or port name to match the destination-port of the packet.
| Note: An entry containing Layer 4 match criteria will not match non-initial (2nd, 3rd, etc) fragments of a fragmented packet since only the first fragment contains the Layer 4 information. |
The no form of this command removes the destination port match criterion.
Default
no dst-port
Parameters
flow-label
Syntax
Context
Description
This command configures flow label match conditions. Flow labeling enables the labeling of packets belonging to particular traffic flows for which the sender requests special handling, such as non-default quality of service or real-time service.
Parameters
fragment
Syntax
Context
Description
This command specifies fragmented or non-fragmented IP packets as an IP filter match criterion.
| Note: An entry containing Layer 4 match criteria will not match non-initial (2nd, 3rd, etc) fragments of a fragmented packet since only the first fragment contains the Layer 4 information. |
This command enables match on existence of IPv6 Fragmentation Extension Header in the IPv6 filter policy. To match first fragment of an IP fragmented packet, specify additional Layer 4 matching criteria in a filter policy entry. The no version of this command ignores IPv6 Fragmentation Extension Header presence/absence in a packet when evaluating match criteria of a given filter policy entry.
The no form of this command removes the match criterion.
This command enables match on existence of IPv6 Fragmentation Extension Header in the IPv6 filter policy. To match first fragment of an IP fragmented packet, specify additional Layer 4 matching criteria in a filter policy entry. The no version of this command ignores IPv6 Fragmentation Extension Header presence/absence in a packet when evaluating match criteria of a given filter policy entry.
Default
no fragment
Parameters
hop-by-hop-opt
Syntax
Context
Description
This command enables match on existence of Hop-by-Hop Options Extension Header in the IPv6 filter policy. This command applies to the 7750 SR and 7950 XRS.
The no form of this command ignores Hop-by-Hop Options Extension Header presence/absence in a packet when evaluating match criteria of a given filter policy entry.
Default
no hop-by-hop-opt
Parameters
icmp-code
Syntax
Context
Description
This command configures matching on ICMP code field in the ICMP header of an IP packet as an IP filter match criterion.
| Note: An entry containing Layer 4 match criteria will not match non-initial (2nd, 3rd, etc) fragments of a fragmented packet since only the first fragment contains the Layer 4 information. |
The behavior of the icmp-code value is dependent on the configured icmp-type value, thus a configuration with only an icmp-code value specified will have no effect. To match on the icmp-code, an associated icmp-type must also be specified.
The no form of this command removes the criterion from the match entry.
Default
no icmp-code
Parameters
icmp-type
Syntax
Context
Description
This command configures matching on ICMP type field in the ICMP header of an IP packet as an IP filter match criterion.
| Note: An entry containing Layer 4 match criteria will not match non-initial (2nd, 3rd, etc) fragments of a fragmented packet since only the first fragment contains the Layer 4 information. |
The no form of this command removes the criterion from the match entry.
Default
no icmp-type
Parameters
ip-option
Syntax
Context
Description
This command configures matching packets with a specific IP option or a range of IP options in the IP header as an IP filter match criterion.
The option-type octet contains 3 fields:
- 1 bit copied flag (copy options in all fragments)
- 2 bits option class
- 5 bits option number
The no form of this command removes the match criterion.
Default
no ip-option
Parameters
The decimal value entered for the match should be a combined value of the eight bit option type field and not just the option number. Thus to match on IP packets that contain the Router Alert option (option number =20), enter the option type of 148 (10010100).
This 8 bit mask can be configured using the formats described in Table 30:
Table 30: ip-option-mask Formats
Format Style | Format Syntax | Example |
Decimal | DDD | 20 |
Hexadecimal | 0xHH | 0x14 |
Binary | 0bBBBBBBBB | 0b0010100 |
multiple-option
Syntax
Context
Description
This command configures matching packets that contain more than one option fields in the IP header as an IP filter match criterion.
The no form of this command removes the checking of the number of option fields in the IP header as a match criterion.
Default
no multiple-option
Parameters
option-present
Syntax
Context
Description
This command configures matching packets that contain the option field or have an option field of zero in the IP header as an IP filter match criterion.
The no form of this command removes the checking of the option field in the IP header as a match criterion.
Default
no option-present
Parameters
port
Syntax
Context
Description
This command configures a TCP/UDP source or destination port match criterion in IPv4 and IPv6 CPM filter policies. A packet matches this criterion if packet’s TCP/UDP (as configured by protocol/next-header match) source OR destination port matches either the specified port value or a port in the specified port range or port list.
This command is mutually exclusive with src-port and dst-port commands.
The no form of this command deletes the specified port match criterion.
Default
no port
Parameters
router
Syntax
Context
Description
This command specifies a router name or a service-id to be used in the match criteria.
Default
no router
Parameters
router-name — Specifies a router name up to 32 characters to be used in the match criteria.
service-id — Specifies an existing service ID to be used in the match criteria.
src-ip
Syntax
Context
Description
This command specifies the IP address to match the source IP address of the packet.
To match on the source IP address, specify the address and its associated mask, such as 10.1.0.0/16. The conventional notation of 10.1.0.0 255.255.0.0 may also be used.
The no form of this command removes the source IP address match criterion.
Default
no src-ip
Parameters
ipv4-address | a.b.c.d (host bits must be 0) |
x:x:x:x:x:x:d.d.d.d[-interface] | |
x: [0..FFFF]H | |
d: [0..255]D | |
interface: 32 characters maximum, mandatory for link local addresses | |
prefix-length | 1 to 128 |
src-ip
Syntax
Context
Description
This command specifies the IPv6 address to match the source IPv6 address of the packet.
To match on the source IP address, specify the address and its associated mask, such as 10.1.0.0/16. The conventional notation of 10.1.0.0 255.255.0.0 may also be used.
The no form of this command removes the source IP address match criterion.
This command only applies to the 7750 SR and 7950 XRS.
Default
no src-ip
Parameters
ipv6-address | x:x:x:x:x:x:x:x[-interface] | |
x:x:x:x:x:x:d.d.d.d[-interface] | ||
x: [0..FFFF]H | ||
d: [0..255]D | ||
interface: 32 characters maximum, mandatory for link local addresses | ||
mask: | Specifies eight 16-bit hexadecimal pieces representing bit match criteria. | |
Values | x:x:x:x:x:x:x (eight 16-bit pieces) | |
src-port
Syntax
Context
Description
This command specifies the TCP/UDP port to match the source port of the packet.
| Note: An entry containing Layer 4 match criteria will not match non-initial (2nd, 3rd, etc) fragments of a fragmented packet since only the first fragment contains the Layer 4 information. |
Default
no src-port
Parameters
tcp-ack
Syntax
Context
Description
This command configures matching on the ACK bit being set or reset in the control bits of the TCP header of an IP or IPv6 packet as an IP filter match criterion.
| Note: An entry containing Layer 4 match criteria will not match non-initial (2nd, 3rd, etc) fragments of a fragmented packet since only the first fragment contains the Layer 4 information. |
The no form of this command removes the criterion from the match entry.
Default
no tcp-ack
Parameters
tcp-syn
Syntax
Context
Description
This command configures matching on the SYN bit being set or reset in the control bits of the TCP header of an IP or IPv6 packet as an IP filter match criterion.
| Note: An entry containing Layer 4 match criteria will not match non-initial (2nd, 3rd, etc) fragments of a fragmented packet since only the first fragment contains the Layer 4 information. |
The SYN bit is normally set when the source of the packet wants to initiate a TCP session with the specified destination IP or IPv6 address.
The no form of this command removes the criterion from the match entry.
Default
no tcp-syn
Parameters
renum
Syntax
Context
Description
This command renumbers existing IP(IPv4), IPv6, or MAC filter entries to re-sequence filter entries.
This may be required in some cases since the OS exits when the first match is found and execute the actions according to the accompanying action command. This requires that entries be sequenced correctly from most to least explicit.
Parameters
shutdown
Syntax
Context
Description
This command enables IPv4, IPv6 or MAC CPM filter.
The no form of this command disable the filter.
Default
shutdown
2.8.2.7. CPM Queue Commands
cpm-queue
Syntax
Context
Description
This command enables the context to configure a CPM queue.
queue
Syntax
Context
Description
This command allows users to allocate dedicated CPM. The first available queue is 33.
Parameters
cbs
Syntax
Context
Description
This command specifies the amount of buffer that can be drawn from the reserved buffer portion of the queue’s buffer pool.
Parameters
mbs
Syntax
Context
Description
This command specifies the maximum queue depth to which a queue can grow.
Parameters
rate
Syntax
Context
Description
This command specifies the maximum bandwidth that will be made available to the queue in kilobits per second (kb/s).
Parameters
2.8.2.8. CPU Protection Commands
cpu-protection
Syntax
Context
Description
This command enters the context to configure CPU protection parameters.
included-protocols
Syntax
Context
Description
This context allows configuration of which protocols are included for ip-src-monitoring. This is system-wide configuration that applies to cpu protection globally.
dhcp
Syntax
Context
Description
This command includes the extracted IPv4 DHCP packets for ip-src-monitoring. IPv4 DHCP packets will be subject to the per-source-rate of CPU protection policies.
Default
dhcp (Note this is different from the other protocols)
gtp
Syntax
Context
Description
This command includes the extracted IPV4 GTP packets for ip-src-monitoring. IPv4 GTP packets will be subject to the per-source-rate of CPU protection policies.
Default
no gtp
icmp
Syntax
Context
Description
This command includes the extracted IPv4 ICMP packets for ip-src-monitoring. IPv4 ICMP packets will be subject to the per-source-rate of CPU protection policies.
Default
no icmp
igmp
Syntax
Context
Description
This command includes the extracted IPv4 IGMP packets for ip-src-monitoring. IPv4 IGMP packets will be subject to the per-source-rate of CPU protection policies.
Default
no igmp
link-specific-rate
Syntax
Context
Description
This command configures a link-specific rate for CPU protection. This limit is applied to all ports within the system. The CPU will receive no more than the configured packet rate for all link level protocols such as LACP from any one port. The measurement is cleared each second and is based on the ingress port.
Default
link-specific-rate 15000
Parameters
policy
Syntax
Context
Description
This command configures CPU protection policies.
The no form of this command deletes the specified policy from the configuration.
Policies 254 and 255 are reserved as the default access and network interface policies, and cannot de deleted. The parameters within these policies can be modified. An event will be logged (warning) when the default policies are modified.
Default
Policy 254 (default access interface policy):
- per-source-rate: max (no limit)
- overall-rate: 6000
- out-profile–rate: 6000
- alarm
Policy 255 (default network interface policy):
- per-source-rate: max (no limit)
- overall-rate: max (no limit)
- out-profile-rate: 3000
- alarm
Parameters
alarm
Syntax
Context
Description
This command enables the generation of an event when a rate is exceed. The event includes information about the offending source. Only one event is generated per monitor period.
The no form of this command disables the notifications.
Default
no alarm
eth-cfm
Syntax
Context
Description
Provides the construct under which the different entries within CPU policy can define the match criteria and overall arrival rate of the Ethernet Configuration and Fault Management (ETH-CFM) packets at the CPU.
entry
Syntax
Context
Description
Builds the specific match and rate criteria. Up to ten entries may exist in up to four CPU protection policies.
The no form of this command reverses the match and rate criteria configured.
Default
no entry
Parameters
out-profile-rate
Syntax
Context
Description
This command applies a packet arrival rate limit for the entire SAP/interface, above which packets will be market as discard eligible, in other words, out-profile/low-priority/yellow. The rate defined is a global rate limit for the interface regardless of the number of traffic flows. It is a per-SAP/interface rate.
The no form of this command sets out-profile-rate parameter back to the default value.
Default
out-profile-rate 3000 for cpu-protection-policy-id 1-253
out-profile-rate 6000 for cpu-protection-policy-id 254 (default access interface policy)
out-profile-rate 3000 for cpu-protection-policy-id 255 (default network interface policy)
Parameters
overall-rate
Syntax
Context
Description
This command applies a maximum packet arrival rate limit (applied per SAP/interface) for the entire SAP/interface, above which packets will be discarded immediately. The rate defined is a global rate limit for the interface regardless of how many traffic flows are present on the SAP/interface. It is a per-SAP/interface rate.
The no form of this command sets overall-rate parameter back to the default value.
Default
overall max for cpu-protection-policy-id 1 to 253
overall 6000 for cpu-protection-policy-id 254 (default access interface policy)
overall max for cpu-protection-policy-id 255 (default network interface policy)
Parameters
per-source-rate
Syntax
Context
Description
This command configures a per-source packet arrival rate limit. Use this command to apply a packet arrival rate limit on a per source basis. A source is defined as a unique combination of SAP and MAC source address (mac-monitoring) or SAP and source IP address (ip-src-monitoring). The CPU will receive no more than the configured packet rate from each source (only certain protocols are rate limited for ip-src-monitoring as configured under include-protocols in the cpu-protection policy). The measurement is cleared each second.
This parameter is only applicable if the policy is assigned to an interface (some examples include saps, subscriber-interfaces, and spoke-sdps), and the mac-monitor or ip-src-monitor keyword is specified in the cpu-protection configuration of that interface.
The ip-src-monitoring is useful in subscriber management architectures that have routers between the subscriber and the BNG (router). In layer-3 aggregation scenarios, all packets from all subscribers behind the same aggregation router will arrive with the same source MAC address and as such the mac-monitoring functionality can not differentiate traffic from different subscribers.
Default
per-source-rate max
Parameters
port-overall-rate
Syntax
Context
Description
This command configures a per-port overall rate limit for CPU protection.
Default
port-overall-rate max
Parameters
protocol-protection
Syntax
Context
Description
This command causes the network processor on the CPM to discard all packets received for protocols that are not configured on the particular interface. This helps mitigate DoS attacks by filtering invalid control traffic before it hits the CPU. For example, if an interface does not have IS-IS configured, then protocol protection will discard any IS-IS packets received on that interface.
Default
no protocol-protection
Parameters
cpu-protection
Syntax
Context
Description
Use this command to apply a specific CPU protection policy to the associated interface. For these interface types, the per-source rate limit is not applicable.
If no CPU-protection policy is assigned to an interface, then the default policy is used to limit the overall-rate. The default policy is policy number 254 for access interfaces, 255 for network interfaces and no policy for video interfaces.
The no form of this command reverts to the default values.
Default
cpu-protection 254 (for access interfaces)
cpu-protection 255 (for network interfaces)
no cpu-protection (for video interfaces)
cpu-protection
Syntax
Context
Description
Use this command to apply a specific CPU protection policy to the associated msap-policy. The specified cpu-protection policy will automatically be applied to any MSAPs that are create using the msap-policy.
If no CPU-protection policy is assigned to a SAP, then a default policy is used to limit the overall-rate according to the default policy. The default policy is policy number 254 for access interfaces, 255 for network interfaces and no policy for video interfaces.
The no form of this command reverts to the default values.
Default
cpu-protection 254 (for access interfaces)
cpu-protection 255 (for network interfaces)
The configuration of no cpu-protection returns the msap-policy to the default policies as shown above.
Parameters
cpu-protection
Syntax
Context
Description
Use this command to apply a specific CPU protection policy to the associated msap-policy. The specified cpu-protection policy will automatically be applied to any MSAPs that are create using the msap-policy.
If no CPU-protection policy is assigned to a SAP, then a default policy is used to limit the overall-rate according to the default policy. The default policy is policy number 254 for access interfaces, 255 for network interfaces and no policy for video interfaces.
The no form of this command reverts to the default values.
Default
cpu-protection 254 (for access interfaces)
cpu-protection 255 (for network interfaces)
The configuration of no cpu-protection returns the msap-policy to the default policies as shown above.
Parameters
cpu-protection
Syntax
Context
Description
Use this command to apply a specific CPU protection policy to the associated SAP, SDP or template. If the mac-monitoring keyword is given then per MAC rate limiting should be performed, using the per-source-rate from the associated cpu-protection policy.
If no CPU-protection policy is assigned to a SAP, then a default policy is used to limit the overall-rate according to the default policy. The default policy is policy number 254 for access interfaces, 255 for network interfaces and no policy for video interfaces.
The no form of this command reverts to the default values.
Default
cpu-protection 254 (for access interfaces)
cpu-protection 255 (for network interfaces)
The configuration of no cpu-protection returns the SAP/SDP/template to the default policies as shown above.
Parameters
2.8.2.9. Distributed CPU Protection Commands
dist-cpu-protection
Syntax
Context
Description
This command enters the CLI context for configuration of the Distributed CPU Protection (DCP) feature.
policy
Syntax
Context
Description
This command configures one of the maximum 16 Distributed CPU Protection policies. These policies can be applied to objects such as SAPs and network interfaces.
Parameters
local-monitoring-policer
Syntax
Context
Description
This command configures a monitoring policer that is used to monitor the aggregate rate of several protocols arriving on an object (for example, SAP). When the local-monitoring-policer is determined to be in a nonconforming state (at the end of a minimum monitoring time of 60 seconds) then the system will attempt to allocate dynamic policers for the particular object for any protocols associated with the local monitor (for example, using the protocol name enforcement dynamic policer-name CLI command).
If the system cannot allocate all the dynamic policers within 150 seconds, it will stop attempting to allocate dynamic policers, raise a LocMonExcdAllDynAlloc log event, and go back to using the local monitor. The local monitor may then detect exceeded packets again and make another attempt at allocating dynamic policers.
Once this policer-name is referenced by a protocol then this policer will be instantiated for each “object” that is created and references this DDoS policy. If there is no policer free then the object will be blocked from being created.
Parameters
exceed-action
Syntax
Context
Description
This command controls the action performed upon the extracted control packets when the configured policer rates are exceeded.
Default
exceed-action none
Parameters
log-events
Syntax
Context
Description
This command controls the creation of log events related to local-monitoring-policer status and activity.
Default
log-events
Parameters
rate
Syntax
Context
Description
This command configures the rate and burst tolerance for the policer in either a packet rate or a bit rate.
The actual hardware may not be able to perfectly rate limit to the exact configured parameters. In this case, the configured parameters will be adapted to the closest supported rate. The actual (operational) parameters can be seen in CLI, for example, show service id 33 sap 1/1/3:33 dist-cpu-protection detail.
Default
rate packets max within 1 initial-delay 0
Parameters
- rate of max = effectively disable the policer (always conforming)
- rate of packets 0 = all packets considered nonconforming.
protocol
Syntax
Context
Description
This command creates the protocol for control in the policy.
Control packets that are both forwarded (which means they could be subject to normal QoS policy policing) and also copied for extraction are not subject to distributed cpu protection (including in the all-unspecified bucket). This includes traffic snooping (for example, PIM in VPLS) as well as control traffic that is flooded in an R-VPLS instance and also extracted to the CPM (ARP, ISIS and VRRP). Centralized per SAP/interface, cpu-protection can be employed to rate limit or mark this traffic if desired.
Explanatory notes for some of the protocols:
- bfd-cpm: includes all bfd handled on the CPM including cpm-np type, single hop and multi-hop, and MPLS-TP CC and CV bfd
- dhcp: includes dhcp for IPv4 and IPv6
- eth-cfm: 802.1ag and includes Y.1731. Eth-cfm packets on port and LAG based facility MEPs are not included (but packets on Tunnel MEPs are).
- icmp: includes IPv4 and IPv6 ICMP (including RS/RA/Redirect) except NS/NA Neighbor Discovery packets which are classified as a separate protocol “ndis”
- isis: includes isis used for SPBM
- ldp: includes ldp and t-ldp
- mpls-ttl: MPLS packets that are extracted due to an expired mpls ttl field
- ndis: IPv6 NS/NA Neighbor Discovery (not including RS/RA/Redirect which are classified as part of the protocol “icmp”)
- ospf: includes all OSPFv2 and OSPFv3 packets.
- pppoe-pppoa: includes PADx, LCP, PAP/CHAP and NCPs
- all-unspecified: a special “protocol”. When configured, this treats all extracted control packets that are not explicitly created in the dist-cpu-protection policy as a single aggregate flow (or “virtual protocol”). It lumps together “all the rest of the control traffic” to allow it to be rate limited as one flow. It includes all control traffic of all protocols that are extracted and sent to the CPM (even protocols that cannot be explicitly configured with the distributed cpu protection feature). Control packets that are both forwarded and copied for extraction are not included. If an operator later explicitly configures a protocol, then that protocol is suddenly no longer part of the “all-unspecified” flow. The “all-unspecified” protocol must be explicitly configured in order to operate.
“no protocol x” means packets of protocol x are not monitored and not enforced (although they do count in the fp protocol queue) on the objects to which this dist-cpu-protection policy is assigned, although the packets will be treated as part of the all-unspecified protocol if the all-unspecified protocol is created in the policy.
Parameters
dynamic-parameters
Syntax
Context
Description
The dynamic-parameters are used to instantiate a dynamic enforcement policer for the protocol when the associated local-monitoring-policer is considered as exceeding its rate parameters (at the end of a minimum monitoring time of 60 seconds).
detection-time
Syntax
Context
Description
When a dynamic enforcing policer is instantiated, it will remain allocated until at least a contiguous conforming period of detection-time passes.
Default
detection-time 30
Parameters
dynamic-enforcement-policer-pool
Syntax
Context
Description
This command reserves a set of policers for use as dynamic enforcement policers for the Distributed CPU Protection (DCP) feature. Policers are allocated from this pool and instantiated as per-object-per-protocol dynamic enforcement policers after a local monitor is triggered for an object (such as a SAP or Network Interface). Any change to this configured value automatically clears the high water mark, timestamp, and failed allocation counts as seen under “show card x fp y dist-cpu-protection” and in the tmnxFpDcpDynEnfrcPlcrStatTable in the TIMETRA-CHASSIS-MIB. Decreasing this value to below the currently used/allocated number causes all dynamic policers to be returned to the free pool (and traffic returns to the local monitors).
Default
no dynamic-enforcement-policer-pool
Parameters
exceed-action
Syntax
Context
Description
This command controls the action performed upon the extracted control packets when the configured policer rates are exceeded.
Default
exceed-action none
Parameters
When the SR OS software detects that an enforcement policer has marked or discarded one or more packets (software may detect this some time after the packets are actually discarded), and an optional hold-down seconds value has been specified for the exceed-action, then the policer will be set into a “mark-all” or “drop-all” mode that cause the following:
- the policer state to be updated as normal
- all packets to be marked (if the action is “low-priority”) or dropped (action = discard) regardless of the results of the policing decisions/actions/state.
The hold-down is cleared after approximately the configured time in seconds after it was set. The hold-down seconds option should be selected for protocols that receive more than one packet in a complete handshake/negotiation (for example, DHCP, PPP). hold-down is not applicable to a local monitoring policer. The “detection-time” will only start after any hold-down is complete. During the hold-down (and the detection-time), the policer is considered as in an “exceed” state. The policer may re-enter the hold-down state if an exceed packet is detected during the detection-time countdown.
Configuring the indefinite parameter value will cause hold down to remain in place until the operator clears it manually using a tools command (tools perform security dist-cpu-protection release-hold-down) or removes the dist-cpu-protection policy from the object.
Configuring the none parameter value will disable hold down.
log-events
Syntax
Context
Description
This command controls the creation of log events related to dynamic enforcement policer status and activity.
Default
log-events
Parameters
enforcement
Syntax
Context
Description
This command configures the enforcement method for the protocol.
Default
enforcement dynamic local-mon-bypass
Parameters
static-policer
Syntax
Context
Description
Configures a static enforcement policer that can be referenced by one or more protocols in the policy. Once this policer-name is referenced by a protocol, then this policer will be instantiated for each object (for example, a SAP or network interface) that is created and references this policy. If there is no policer resource available on the associated card or fp then the object is be blocked from being created. Multiple protocols can use the same static-policer.
Parameters
detection-time
Syntax
Context
Description
When a policer is declared as in an “exceed” state, it will remain as exceeding until a contiguous conforming period of detection-time passes. The detection-time only starts after the exceed-action hold-down is complete. If the policer detects another exceed during the detection count down then a hold-down is once again triggered before the policer re-enters the detection time (that is, the countdown timer starts again at the configured value). During the hold-down (and the detection-time), the policer is considered as in an “exceed” state.
Default
detection-time 30
Parameters
log-events
Syntax
Context
Description
This command controls the creation of log events related to static-policer status and activity.
Default
log-events
Parameters
2.8.2.10. Extracted Protocol Traffic Priority Commands
init-extract-prio-mode
Syntax
Context
Description
This command determines the scheme used to select the initial drop priority of extracted control plane traffic. The initial drop priority of extracted packets can be either low or high priority. The drop priority of the extracted packets can be subsequently altered by mechanisms such as CPU protection. High-priority traffic receives preferential treatment in control plane congestion situations over low-priority traffic.
Default
init-extract-prio-mode uniform
Parameters
For network interfaces, the QoS classification profile result selects the drop priority (in = high priority, out = low priority) for extracted control traffic, and the default QoS classification maps different DSCP and EXP values to different in/out profile states.
For access interfaces, the QoS classification priority result typically selects the drop priority for extracted control traffic. The default access QoS classification (default-priority) maps all traffic to low. If the queues in the access QoS policy are configured as profile-mode queues (rather than the default priority-mode) extracted traffic will use the QoS classification profile value configured against the associated FC (rather than the priority result) to select the drop priority.
Layer 2 extracted control traffic (ARP or ETH-CFM) and protocols that cannot always be QoS-classified, such as IS-IS, are initialized as low drop priority in order to protect Layer 2 protocol traffic on uniform interfaces (which would typically be subject to centralized CPU protection). Alternately, DCP can be used (by configuring a non-zero rate with exceed-action of low-priority for the all-unspecified protocol) to mark some of this traffic as high priority.
2.8.2.11. Security Password Commands
password
Syntax
Context
Description
This command creates the context to configure password management parameters.
admin-password
Syntax
Context
Description
This command allows a user (with admin permissions) to configure a password which enables a user to become an administrator.
This password is valid only for one session. When enabled, no authorization to TACACS+ or RADIUS is performed and the user is locally regarded as an admin user.
This functionality can be enabled in two contexts:
config>system>security>password>admin-password
<global> enable-admin
If the admin-password is configured in the config>system>security>password context, then any user can enter the special mode by entering the enable-admin command.
enable-admin is in the default profile. By default, all users are given access to this command.
Once the enable-admin command is entered, the user is prompted for a password. If the password matches, user is given unrestricted access to all the commands.
The minimum length of the password is determined by the minimum-length command. The complexity requirements for the password is determined by the complexity command.
| Note: The password argument of this command is not sent to the servers. This is consistent with other commands that configure secrets. |
The usernames and passwords in the FTP and TFTP URLs will not be sent to the authorization or accounting servers when the file>copy source-url dest-url command is executed.
For example:
file copy ftp://test:secret@10.20.31.79/test/srcfile cf1:\destfile
In this example, the username 'test' and password 'secret' will not be sent to the AAA servers (or to any logs). They will be replaced with '****'.
The no form of this command removes the admin password from the configuration.
Default
no admin-password
Parameters
| Note: This command applies to a local user, in addition to users on RADIUS, TACACS, and LDAP. |
aging
Syntax
Context
Description
This command configures the number of days a user password is valid before the user must change their password. This parameter can be used to force the user to change the password at the configured interval. Note the aging starts after the last password configuration or update. This timer is persistence (per user) over a node reboot or activity switch between CPMs. When the user changes the password, the timer is reset to the maximum age. When the password for a user ages out, the user is prompted at login to change the password. Console/SSH/Telnet supports password change prompt.
The no form of this command reverts to the default value.
Parameters
| Note: This command applies to local users. |
attempts
Syntax
Context
Description
This command configures a threshold value of unsuccessful login attempts allowed in a specified time frame.
If the threshold is exceeded, the user is locked out for a specified time period.
If multiple attempts commands are entered, each command overwrites the previously entered command.
The no attempts command resets all values to default.
Default
attempts 3 time 5 lockout 10
Parameters
| Note: This command applies to a local user, in addition to users on RADIUS, TACACS, and LDAP. |
enable-admin
Syntax
Context
Description
Refer to the description for the admin-password command. If the admin-password is configured in the config>system>security>password context, then any user can enter the special administrative mode by entering the command.
The enable-admin command is in the default profile. By default, all users are given access to this command.
Once the enable-admin command is entered, the user is prompted for a password. If the password matches, the user is given unrestricted access to all of the commands.
The minimum length of the password is determined by the minimum-length command. The complexity requirements for the password is determined by the complexity command.
To verify that a user is in the enable-admin mode, perform one of the following steps:
- Enter the show users command to show which users are in this mode
- Enter the enable-admin command again at the root prompt and an error message will be returned.
authentication-order
Syntax
Context
Description
This command configures the sequence in which password authentication, authorization, and accounting is attempted among local passwords, RADIUS, TACACS+, and LDAP.
The authentication order should be from the most preferred authentication method to the least preferred. The presence of all methods in the command line does not guarantee that they are all operational. Specifying options that are not available delays user authentication.
If all (operational) methods are attempted and no authentication for a particular login has been granted, then an entry in the security log documents the failed attempt. Both the attempted login identification and originating IP address are logged with the a timestamp.
The no form of this command reverts to the default authentication sequence.
Default
authentication-order radius tacplus ldap local - The preferred order for password authentication is 1. local passwords, 2. RADIUS, 3. TACACS+, and 4. LDAP.
Parameters
A rejection is distinct from an unreachable authentication server. When the exit-on-reject keyword is specified, authorization and accounting will only use the method that provided an affirmation authentication; only if that method is no longer readable or is removed from the configuration will other configured methods be attempted. If the local keyword is the first authentication and:
- exit-on-reject is configured and the user does not exist, the user will not be authenticated
- the user is authenticated locally, then other methods, if configured, will be used for authorization and accounting
- the user is configured locally but without console access, login will be denied
Note: This command applies to a local user, in addition to users on RADIUS, TACACS, and LDAP.
complexity-rules
Syntax
Context
Description
This command defines a list of rules for configurable password options.
| Note: This command applies to local users. |
allow-user-name
Syntax
Context
Description
The user name is allowed to be used as part of the password.
The no form of this command does not allow user name to be used as password.
Default
no allow-user-name
credits
Syntax
Context
Description
The maximum credits given for usage of the different character classes in the local passwords.
The no form of this command resets to default.
Default
no credits
Parameters
minimum-classes
Syntax
Context
Description
Force the use of at least this many different character classes
The no form of this command resets to default.
Default
no minimum-classes
Parameters
minimum-length
Syntax
Context
Description
This command configures the minimum number of characters required for locally administered passwords, HMAC-MD5-96, HMAC-SHA-96, and des-keys configured in the system security section.
If multiple minimum-length commands are entered each command overwrites the previous entered command.
The no form of this command reverts to default value.
Default
minimum-length 6
Parameters
repeated-characters
Syntax
Context
Description
The number of times a characters can be repeated consecutively.
The no form of this command resets to default.
Default
no repeated-characters
Parameters
required
Syntax
Context
Description
Force the minimum number of different character classes required.
The no form of this command resets to default.
Default
required lowercase 0 uppercase 0 numeric 0 special-character 0
Parameters
dynsvc-password
Syntax
Context
Description
This command configures the password which enables the user to configure dynamic services.
Default
no dynsvc-password
Parameters
| Note: This command applies to a local user, in addition to users on RADIUS, TACACS, and LDAP. |
enable-admin-control
Syntax
Context
Description
Enable the user to become a system administrator.
| Note: This command applies to users on RADIUS, TACACS, and LDAP. |
tacplus-map-to-priv-lvl
Syntax
Context
Description
When tacplus-map-to-priv-lvl is enabled, and tacplus authorization is enabled with the use-priv-lvl option, typing enable-admin starts an interactive authentication exchange from the node to the TACACS+ server. The start message (service=enable) contains the user-id and the requested admin-priv-lvl. Successful authentication results in the use of a new profile (as configured under config>system>security>tacplus>priv-lvl-map).
health-check
Syntax
Context
Description
This command specifies that RADIUS, TACACS+, and LDAP servers are monitored for 3 seconds each at 30 second intervals. Servers that are not configured will have 3 seconds of idle time. If in this process a server is found to be unreachable, or a previously unreachable server starts responding, a trap will be sent based on the type of the server.
The no form of this command disables the periodic monitoring of the RADIUS, TACACS+, and LDAP servers. In this case, the operational status for the active server will be up if the last access was successful.
Default
health-check interval 30
Parameters
history-size
Syntax
Context
Description
Configure how many previous passwords a new password is matched against.
Default
history-size 0
Parameters
minimum-age
Syntax
Context
Description
Configure the minimum required age of a password before it can be changed again.
Default
minimum-age min 10
Parameters
| Note: This command applies to local users. |
minimum-change
Syntax
Context
Description
This command configures the minimum number of characters required to be different in the new password from a previous password.
The no form of this command reverts to default value.
Default
minimum-change 5
Parameters
| Note: This command applies to local users. |
2.8.2.12. Public Key Infrastructure (PKI) Commands
The commands described in the following section apply to the 7450 ESS and 7750 SR.
pki
Syntax
Context
Description
This command enables the context to configure certificate parameters.
ca-profile
Syntax
Context
Description
This command creates a new ca-profile or enter the configuration context of an existing ca-profile. Up to 128 ca-profiles could be created in the system. A shutdown the ca-profile will not affect the current up and running ipsec-tunnel or ipsec-gw that associated with the ca-profile. But authentication afterwards will fail with a shutdown ca-profile.
Executing a no shutdown command in this context will cause system to reload the configured cert-file and crl-file.
A ca-profile can be applied under the ipsec-tunnel or ipsec-gw configuration.
The no form of this command removes the name parameter from the configuration. A ca-profile cannot be removed until all the associations (ipsec-tunnel/gw) have been removed.
Parameters
cert-file
Syntax
Context
Description
This command specifies the filename of a file in cf3:\system-pki\cert as the CA’s certificate of the ca-profile.
Notes:
- The system will perform following checks against configured cert-file when a no shutdown command is issued:
- Configured cert-file must be a DER formatted X.509v3 certificate file.
- All non-optional fields defined in section 4.1 of RFC5280 must exist and conform to the RFC 5280 defined format.
- Check the version field to see if its value is 0x2.
- Check The Validity field to see that if the certificate is still in validity period.
- X509 basic constraints extension must exists, and CA Boolean must be True.
- If Key Usage extension exists, then at least keyCertSign and cRLSign should be asserted.
- If the certificate is not a self-signing certificate, then system will try to look for issuer’s CA’s certificate to verify if this certificate is signed by issuer’s CA; but if there is no such CA-profile configured, then system will just proceed with a warning message.
- If the certificate is not a self-signing certificate, then system will try to look for issuer’s CA’s CRL to verify that it has not been revoked; but if there is no such CA-profile configured or there is no such CRL, then system will just proceed with a warning message.
If any of above checks fails, then the no shutdown command will fail. - Changing or removing of cert-file is only allowed when the ca-profile is in a shutdown state.
The no form of this command removes the filename from the configuration.
Parameters
cmpv2
Syntax
Context
Description
This command enables the context to configure Certificate Management Protocol Version 2 (CMPv2) parameters.
accept-unprotected-errormsg
Syntax
Context
Description
This command enables the system to accept both protected and unprotected CMPv2 error message. Without this command, system will only accept protected error messages.
The no form of this command causes the system to only accept protected PKI confirmation message.
Default
no accept-unprotected-errormsg
accept-unprotected-pkiconf
Syntax
Context
Description
This command enables the system to accept both protected and unprotected CMPv2 PKI confirmation messages. Without this command, the system will only accept protected PKI confirmation message.
The no form of this command causes the system to only accept protected PKI confirmation message.
Default
no accept-unprotected-pkiconf
http-response-timeout
Syntax
Context
Description
This command specifies the timeout value for HTTP response that is used by CMPv2.
The no form of this command reverts to the default.
Default
http-response-timeout 30
Parameters
key-list
Syntax
Context
Description
This command enables the context to configure pre-shared key list parameters.
key
Syntax
Context
Description
This command specifies a pre-shared key used for CMPv2 initial registration. Multiples of key commands are allowed to be configured under this context.
The password and reference-number is distributed by the CA via out-of-band means.
The configured password is stored in configuration file in an encrypted form by using the SR OS hash2 algorithm.
The no form of this command removes the parameters from the configuration.
Parameters
response-signing-cert
Syntax
Context
Description
This command specifies a imported certificate that is used to verify the CMP response message if they are protected by signature. If this command is not configured, then CA’s certificate will be used.
Default
no response-signing-cert
Parameters
same-recipnonce-for-pollreq
Syntax
Context
Description
This command enables the system to use same recipNonce as the last CMPv2 response for poll request.
The no form of this command disables system to use same recipNonce as the last CMPv2 response for poll request.
Default
no same-recipnonce-for-pollreq
url
Syntax
Context
Description
This command specifies HTTP URL of the CMPv2 server. The URL must be unique across all configured ca-profiles.
The URL will be resolved by the DNS server configured (if configured) in the corresponding router context.
If the service-id is 0 or omitted, then system will try to resolve the FQDN via DNS server configured in bof.cfg. After resolution, the system will connect to the address in management routing instance first, then base routing instance.
| Note: If the service is VPRN, then the system only allows HTTP ports 80 and 8080. |
Parameters
This variant of this command is only supported in 'classic' configuration-mode (configure system management-interface configuration-mode classic). The url url-string service-name service-name variant can be used in all configuration modes.
crl-file
Syntax
Context
Description
This command specifies the name of a file in cf3:\system-pki\crl as the Certification Revoke List file of the ca-profile.
Notes:
- The system will perform following checks against configured crl-file when a no shutdown command is issued:
- A valid cert-file of the ca-profile must be already configured.
- Configured crl-file must be a DER formatted CRLv2 file.
- All non-optional fields defined in section 5.1 of RFC5280 must exist and conform to the RFC5280 defined format.
- Check the version field to see if its value is 0x1.
- Delta CRL Indicator must not exists (delta CRL is not supported).
- CRL’s signature must be verified by using the cert-file of ca-profile.
If any of above checks fail, the no shutdown command will fail. - Changing or removing the crl-file is only allowed when the ca-profile is in a shutdown state.
The no form of this command removes the filename from the configuration.
Parameters
ocsp
Syntax
Context
Description
This command enables the context to configure OCSP parameters.
responder-url
Syntax
Context
Description
This command specifies HTTP URL of the OCSP responder for the CA, this URL will only be used if there is no OCSP responder defined in the AIA extension of the certificate to be verified.
Default
no responder-url
Parameters
service
Syntax
Context
Description
This command specifies the service or routing instance that used to contact OCSP responder. This applies to OCSP responders that either configured in CLI or defined in AIA extension of the certificate to be verified.
The responder-url will also be resolved by using the DNS server configured in the configured routing instance.
With VPRN services, the system checks whether the specified service ID or service name is an existing VPRN service at the time of CLI configuration. Otherwise the configuration fails.
Parameters
This variant of this command is only supported in 'classic' configuration-mode (configure system management-interface configuration-mode classic). The service name service-name variant can be used in all configuration modes.
transmission-profile
Syntax
Context
Description
This command specifies the transmission-profile for OCSP. When specified, this configuration overrides the service service-id or service service-name configured in the config>system>security>pki>ca-profile>ocsp context.
The no form of the command removes the profile name from the configuration.
Default
no transmission-probile
Parameters
certificate-display-format
Syntax
Context
Description
This command specifies the display format used for the Certificates and Certificate Revocation Lists.
Default
certificate-display-format ascii
Parameters
certificate-expiration-warning
Syntax
Context
Description
With this command configured, the system will issues two types of warnings related to certificate expiration:
- BeforeExp — A warning message issued before certificate expire
- AfterExp — A warning message issued when certificate expire
This command specifies when system will issue BeforeExp message before a certificate expires. For example, with certificate-expiration-warning 5, the system will issue a BeforeExp message 5 hours before a certificate expires. An optional repeat <repeat-hour> parameter will enable the system to repeat the BeforeExp message every hour until the certificate expires.
If the user only wants AfterExp, then certificate-expiration-warning 0 can be used to achieve this.
BeforeExp and AfterExp warnings can be cleared in following cases:
- The certificate is reloaded by the admin certificate reload command. In this case, if the reloaded file is not expired, then AfterExp is cleared. And, if the reloaded file is outside of configured warning window, then the BeforeExp is also cleared.
- When the ca-profile/ipsec-gw/ipsec-tunnel/cert-profile is shutdown, then BeforeExp and AfterExp of corresponding certificates are cleared.
- When no certificate-expiration-warning command is configured, then all existing BeforeExp and AfterExp are cleared.
- Users may change the configuration of the certificate-expiration-warning so that certain certificates are no longer in the warning window. BeforeExp of corresponding certificates are cleared.
- If the system time changes so that the new time causes the certificates to no longer be in the warning window, then BeforeExp is cleared. If the new time causes an expired certificate to come non-expired, then AfterExp is cleared.
Default
no certificate-expiration-warning
Parameters
common-name-list
Syntax
Context
Description
This command configures a list of common names (CNs) that will be used to authenticate X.509.3 certificates. If the CN field of the X.509.3 certificate matches any of the CNs in the list, then the certificate can be used.
Parameters
cn
Syntax
Context
Description
This command creates a CN list entry in text or regexp format.
The no form of this command removes the specified entry.
Parameters
crl-expiration-warning
Syntax
Context
Description
This command specifies when system will issue BeforeExp message before a CRL expires. For example, with certificate-expiration-warning 5, the system will issue a BeforeExp message 5 hours before a CRL expires. An optional repeat repeat-hour parameter enables the system to repeat the BeforeExp message every hour until the CRL expires.
If the user only wants AfterExp, then certificate-expiration-warning 0 can be used to achieve this.
BeforeExp and AfterExp warnings can be cleared in following cases:
- The CRL is reloaded by the admin certificate reload command. In this case, if the reloaded file is not expired, then AfterExp is cleared. And, if the reloaded file is outside of configured warning window, then the BeforeExp is also cleared.
- When the ca-profile is shutdown, then BeforeExp and AfterExp of corresponding certificates are cleared.
- When no crl-expiration-warning command is configured, then all existing BeforeExp and AfterExp are cleared.
- Users may change the configuration of the crl-expiration-warning so that certain CRL are no longer in the warning window. BeforeExp of corresponding CRL are cleared.
- If the system time changes so that the new time causes the CRL to no longer be in the warning window, then BeforeExp is cleared. If the new time causes an expired CRL to come non-expired, then AfterExp is cleared.
Default
no crl-expiration-warning
Parameters
imported-format
Syntax
Context
Description
This command specifies the allowed format of imported certificates or keys in the cf3:/system-pki directory.
Default
imported-format any
Parameters
maximum-cert-chain-depth
Syntax
Context
Description
This command defines the maximum depth of certificate chain verification. This number is applied system wide.
The no form of this command reverts to the default.
Default
maximum-cert-chain-depth 7
Parameters
shutdown
Syntax
Context
Description
Use this command to enable or disable the ca-profile. The system verifies the configured cert-file and crl-file. If the verification fails, then the no shutdown command fails.
The ca-profile in a shutdown state cannot be used in certificate authentication.
Default
shutdown
certificate
Syntax
Context
Description
This command enables the context to configure X.509 certificate related operational parameters. For information about CMPv6 admin certificate commands, see the 7450 ESS, 7750 SR, and VSR Multiservice Integrated Service Adapter and Extended Services Appliance Guide.
clear-ocsp-cache
Syntax
Context
Description
This command clears the current OCSP response cache. If optional issuer and serial-number are not specified, then all current cached results are cleared.
Parameters
crl-update
Syntax
Context
Description
This command manually triggers the Certificate Revocation List file (CRL) update for the specified ca-profile.
Using this command requires shutting down the auto-crl-update.
Parameters
display
Syntax
Context
Description
This command displays the content of an input file in plain text.
| Note: When displaying the key file content, only the key size and type are displayed. |
The following list summarizes the formats supported by this command:
- System
- system format
- PKCS #12
- PKCS #7 PEM encoded
- PKCS #7 DER encoded
- RFC4945
- Certificate Request
- PKCS #10
- Key
- system format
- PKCS #12
- CRL
- system format
- PKCS #7 PEM encoded
- PKCS #7 DER encoded
- RFC4945
Parameters
url-string | <local-url> [up to 99 characters] |
local-url | <cflash-id>/<file-path> |
cflash-id | cf1: | cf2: | cf3: |
export
Syntax
Context
Description
This command performs certificate operations.
Parameters
url-string | <local-url> [up to 99 characters] |
local-url | <cflash-id>/<file-path> |
cflash-id | cf1: | cf2: | cf3: |
gen-keypair
Syntax
Context
Description
This command generates RSA, DSA, or ECDSA private key or public key pairs at the specified location.
Parameters
url-string | <local-url> [up to 99 characters] |
local-url | <cflash-id>/<file-path> |
cflash-id | cf1: | cf2: | cf3: |
The minimum key-size is 1024 when running in FIPS-140-2 mode.
gen-local-cert-req
Syntax
Context
Description
This command generates a PKCS#10 formatted certificate request by using a local existing key pair file.
Parameters
url-string | <local-url> [up to 99 characters] |
local-url | <cflash-id>/<file-path> |
cflash-id | cf1: | cf2: | cf3: |
- C-Country
- ST-State
- O-Organization name
- OU-Organization Unit name
- CN-common name
This parameter is formatted as a text string including any of the above attributes. The attribute and its value is linked by using “=”, and “,” is used to separate different attributes.
For example: C=US,ST=CA,O=ALU,CN=SR12
import
Syntax
Context
Description
This command converts an input file (key/certificate/CRL) to a system format file. The following list summarizes the formats supported by this command:
- Certificate
- PKCS #12
- PKCS #7 PEM encoded
- PKCS #7 DER encoded
- PEM
- DER
- Key
- PKCS #12
- PEM
- DER
- CRL
- PKCS #7 PEM encoded
- PKCS #7 DER encoded
- PEM
- DER
| Note: If there are multiple objects with the same type in the input file, only the first object is extracted and converted. |
Parameters
url-string | <local-url> up to 99 characters |
local-url | <cflash-id>/<file-path> |
cflash-id | cf1:|cf2:|cf3: |
- Key: cf3:\system-pki\key
- Cert: cf3:\system-pki\cert
- CRL: cf3:\system-pki\CRL
reload
Syntax
Context
Description
This command reloads imported certificate or key file or both at the same time. This command is typically used to update certificate or key file without shutting down ipsec-tunnel/ipsec-gw/cert-profile/ca-profile. Note that type cert and type key is deprecated in a future release. Use type cert-key-pair instead. Instead of type cert use type key instead.
- If the new file exists and valid, then for each tunnel using it:
- If the key matches the certificate, then the new file is downloaded to the MS-ISA to be used the next time. Tunnels currently up are not affected.
- If the key does not match the certificate:
- If cert and key configuration is used instead of cert-profile then the tunnel is brought down.
- If cert-profile is used, then cert-profile is brought down. The next authentication fails while the established tunnels are not affected.
If the new file does not exists or somehow invalid (bad format, does not contain right extension, and so on), then this command will abort.
In the case of type cert-key-pair, if the new file does not exist or is invalid or cert and key do not match, then this command aborts with an error message.
Parameters
secure-nd-export
Syntax
Context
Description
This command exports IPv6 Secure Neighbor Discovery (SeND) certificates to the file cf[1..3]:\system-pki\secureNdKey in PKCS #7 DER format.
secure-nd-import
Syntax
Context
Description
This command imports IPv6 Secure Neighbor Discovery (SeND) certificates from a file, and saves them to cf[1..3]:\system-pki\secureNdKey in PKCS #7 DER format.
Parameters
local-url | <cflash-id>\<file-path> |
cflash-id | cf1:|cf2:|cf3: |
2.8.2.13. Profile Commands
profile
Syntax
Context
Description
This command creates a context to create user profiles for CLI command tree permissions.
Profiles are used to either deny or permit user console access to a hierarchical branch or to specific commands.
Once the profiles are created, the user command assigns users to one or more profiles. You can define up to 16 user profiles but a maximum of 8 profiles can be assigned to a user. The user-profile-name can consist of up to 32 alphanumeric characters.
The no form of this command deletes a user profile.
Default
profile default
Parameters
default-action
Syntax
Context
Description
This command specifies the default action to be applied when no match conditions are met.
Parameters
| Note: The permit-all parameter does not change access to security commands. Security commands are only and always available to members of the super-user profile. |
For example, if a user is a member of two profiles and the default action of the first profile is permit-all, then the second profile is never evaluated because the permit-all is executed first. Set the first profile default action to none and if no match conditions are met in the first profile, then the second profile is evaluated. If the default action of the last profile is none and no explicit match is found, then the default deny-all takes effect.
entry
Syntax
Context
Description
This command is used to create a user profile entry.
More than one entry can be created with unique entry-id numbers. Exits when the first match is found and executes the actions according to the accompanying action command. Entries should be sequenced from most explicit to least explicit.
An entry may not have any match criteria defined (in which case, everything matches) but must have at least the keyword action for it to be considered complete.
The no form of this command removes the specified entry from the user profile.
Parameters
action
Syntax
Context
Description
This command configures the action associated with the profile entry.
Parameters
match
Syntax
Context
Description
This command configures a command or subtree commands in subordinate command levels are specified.
Because the OS exits when the first match is found, subordinate levels cannot be modified with subsequent action commands. More specific action commands should be entered with a lower entry number or in a profile that is evaluated prior to this profile.
All commands below the hierarchy level of the matched command are denied.
The no form of this command removes a match condition.
Parameters
grpc
Syntax
Context
Description
This command enables the context to configure a specific gRPC security profile.
rpc-authorization
Syntax
Context
Description
This command opens a configuration context for configuring user privileges related to RPCs.
gnmi-capabilities
Syntax
Context
Description
This command permits or denies use of Capability RPC for a user associated with the given format.
Default
gnmi-capabilities permit
Parameters
gnmi-get
Syntax
Context
Description
This command permits or denies the Get RPC.
Default
gnmi-get permit
Parameters
gnmi-set
Syntax
Context
Description
This command permits or denies the Set RPC.
Default
gnmi-set permit
Parameters
gnmi-subscribe
Syntax
Context
Description
This command permits or denies the Subscribe RPC.
Default
gnmi-subscribe permit
Parameters
gnoi-cert-mgmt-cangenerate
Syntax
Context
Description
This command permits or denies the use of the gNOI CanGenerateCSR RPCs for the user profile.
Default
gnoi-cert-mgmt-cangenerate deny
Parameters
gnoi-cert-mgmt-getcert
Syntax
Context
Description
This command permits or denies the use of the gNOI GetCertificate RPCs for the user profile.
Default
gnoi-cert-mgmt-getcert deny
Parameters
gnoi-cert-mgmt-install
Syntax
Context
Description
This command permits or denies the use of the gNOI Install RPCs for the user profile.
Default
gnoi-cert-mgmt-install deny
Parameters
gnoi-cert-mgmt-revoke
Syntax
Context
Description
This command permits or denies the use of gNOI RevokeCertificates RPCs for the user profile.
Default
gnoi-cert-mgmt-revoke deny
Parameters
gnoi-cert-mgmt-rotate
Syntax
Context
Description
This command permits or denies the use of the gNOI Rotate RPCs for the user profile.
Default
gnoi-cert-mgmt-rotate deny
Parameters
rib-api-getversion
Syntax
Context
Description
This command permits or denies the use of the GetVersion RPC provided by the RibApi service.
Default
rib-api-getversion permit
Parameters
rib-api-modify
Syntax
Context
Description
This command permits or denies the use of the Modify RPC provided by the RibApi service.
Default
rib-api-modify permit
Parameters
li
Syntax
Context
Description
This command enables the Lawful Intercept (LI) profile identifier.
The no form of this command disables the LI profile identifier.
renum
Syntax
Context
Description
This command renumbers profile entries to re-sequence the entries.
Since the OS exits when the first match is found and executes the actions according to accompanying action command, re-numbering is useful to rearrange the entries from most explicit to least explicit.
Parameters
2.8.2.14. CLI Session Commands
cli-session-group
Syntax
Context
Description
This command is used to configure a session group that can be used to limit the number of CLI sessions available to members of the group.
Parameters
combined-max-sessions
Syntax
Context
Description
This command is used to limit the number of combined SSH/TELNET based CLI sessions available to all users that are part of a particular profile, or to all users of all profiles that are part of the same cli-session-group.
The no form of this command disables the command and the profile/group limit is not applied to the number of combined sessions.
Default
no combined-max-sessions
Parameters
ssh-max-sessions
Syntax
Context
Description
This command is used to limit the number of SSH-based CLI sessions available to all users that are part of a particular profile, or to all users of all profiles that are part of the same cli-session-group.
The no form of this command disables the command and the profile/group limit is not applied on the number of sessions.
Default
no ssh-max-sessions
Parameters
telnet-max-sessions
Syntax
Context
Description
This command is used to limit the number of Telnet-based CLI sessions available to all users that are part of a particular profile, or to all users of all profiles that are part of the same cli-session-group.
The no form of this command disables the command and the profile/group limit is not applied on the number of sessions.
Default
no telnet-max-sessions
Parameters
2.8.2.15. RADIUS Commands
radius
Syntax
Context
Description
This command creates the context to configure RADIUS authentication on the router.
Implement redundancy by configuring multiple server addresses for each router.
The no form of this command removes the RADIUS configuration.
access-algorithm
Syntax
Context
Description
This command indicates the algorithm used to access the set of RADIUS servers.
Default
access-algorithm direct
Parameters
accounting
Syntax
Context
Description
This command enables RADIUS accounting.
The no form of this command disables RADIUS accounting.
Default
no accounting
accounting-port
Syntax
Context
Description
This command specifies a UDP port number on which to contact the RADIUS server for accounting requests.
Default
accounting-port 1813
Parameters
authorization
Syntax
Context
Description
This command configures RADIUS authorization parameters for the system.
Default
no authorization
interactive-authentication
Syntax
Context
Description
This command enables RADIUS interactive authentication for the system. Enabling interactive-authentication forces RADIUS to fall into challenge/response mode.
Default
no interactive-authentication
port
Syntax
Context
Description
This command configures the TCP port number to contact the RADIUS server.
The no form of this command reverts to the default value.
Default
port 1812 (as specified in RFC 2865, Remote Authentication Dial In User Service (RADIUS))
Parameters
retry
Syntax
Context
Description
This command configures the number of times the router attempts to contact the RADIUS server for authentication if there are problems communicating with the server.
The no form of this command reverts to the default value.
Default
retry 3
Parameters
server
Syntax
Context
Description
This command adds a RADIUS server and configures the RADIUS server IP address, index, and key values.
Up to five RADIUS servers can be configured at any one time. RADIUS servers are accessed in order from lowest to highest index for authentication requests until a response from a server is received. A higher indexed server is only queried if no response is received from a lower indexed server (which implies that the server is not available). If a response from a server is received, no other RADIUS servers are queried. It is assumed that there are multiple identical servers configured as backups and that the servers do not have redundant data.
The no form of this command removes the server from the configuration.
Default
no server
Parameters
ipv4-address | a.b.c.d (host bits must be 0) |
ipv6-address | x:x:x:x:x:x:x:x (eight 16-bit pieces) |
x:x:x:x:x:x:d.d.d.d | |
x: [0..FFFF]H | |
d: [0..255]D |
timeout
Syntax
Context
Description
This command configures the number of seconds the router waits for a response from a RADIUS server.
The no form of this command reverts to the default value.
Default
timeout 3
Parameters
use-default-template
Syntax
Context
Description
This command specifies whether the RADIUS default user template is actively applied to the RADIUS user if no VSAs are returned with the auth-accept from the RADIUS server. When enabled, the radius_default user-template is actively applied if no VSAs are returned with the auth-accept from the RADIUS server and radius authorization is enabled.
The no form of this command disables the use of the RADIUS default template.
Default
no use-default-template
2.8.2.16. TACACS+ Client Commands
tacplus
Syntax
Context
Description
This command creates the context to configure TACACS+ authentication on the router.
Configure multiple server addresses for each router for redundancy.
The no form of this command removes the TACACS+ configuration.
accounting
Syntax
Context
Description
This command configures the type of accounting record packet that is to be sent to the TACACS+ server. The record-type parameter indicates whether TACACS+ accounting start and stop packets be sent or just stop packets be sent.
Default
no accounting
Parameters
authorization
Syntax
Context
Description
This command configures TACACS+ authorization parameters for the system.
Default
no authorization
Parameters
interactive-authentication
Syntax
Context
Description
This configuration instructs the SR OS to send no username nor password in the TACACS+ start message, and to display the server_msg in the GETUSER and GETPASS response from the TACACS+ server. Interactive authentication can be used to support a One Time Password scheme (e.g. S/Key). An example flow (e.g. with a telnet connection) is as follows:
- The SR OS sends an authentication start request to the TACACS+ server with no username nor password.
- TACACS+ server replies with TAC_PLUS_AUTHEN_STATUS_GETUSER and a server_msg.
- The SR OS displays the server_msg, and collects the user name.
- The SR OS sends a continue message with the user name.
- TACACS+ server replies with TAC_PLUS_AUTHEN_STATUS_GETPASS and a server_msg.
- The SR OS displays the server_msg (which may contain, for example, an S/Key for One Time Password operation), and collects the password.
- The SR OS sends a continue message with the password.
- TACACS+ server replies with PASS or FAIL.
When interactive-authentication is disabled the SR OS sends the username and password in the tacplus start message. An example flow (e.g. with a telnet connection) is as follows:
- TAC_PLUS_AUTHEN_TYPE_ASCII.
- the login username in the “user” field.
- the password in the user_msg field (while this is non-standard, it does not cause interoperability problems).
- TACACS+ server ignores the password and replies with TAC_PLUS_AUTHEN_STATUS_GETPASS.
- The SR OS sends a continue packet with the password in the user_msg field.
- TACACS+ server replies with PASS or FAIL.
When interactive-authentication is enabled, tacplus must be the first method specified in the authentication-order configuration.
Default
no interactive-authentication
priv-lvl-map
Syntax
Context
Description
This command enables the context to specify a series of mappings between TACACS+ priv-lvl and locally configured profiles for authorization. These mappings are used when the use-priv-lvl option is specified for tacplus authorization.
The no form of this command reverts to the default.
Default
priv-lvl-map
priv-lvl
Syntax
Context
Description
This command maps a specific TACACS+ priv-lvl to a locally configured profile for authorization. This mapping is used when the use-priv-lvl option is specified for TACPLUS authorization.
Parameters
server
Syntax
Context
Description
This command adds a TACACS+ server and configures the TACACS+ server IP address, index, and key values.
Up to five TACACS+ servers can be configured at any one time. TACACS+ servers are accessed in order from lowest index to the highest index for authentication requests.
The no form of this command removes the server from the configuration.
Parameters
ipv4-address | a.b.c.d (host bits must be 0) |
ipv6-address | x:x:x:x:x:x:x:x (eight 16-bit pieces) |
x:x:x:x:x:x:d.d.d.d | |
x: [0..FFFF]H | |
d: [0..255]D |
shutdown
Syntax
Context
Description
This command administratively disables the TACACS+ protocol operation. Shutting down the protocol does not remove or change the configuration other than the administrative state.
The operational state of the entity is disabled as well as the operational state of any entities contained within. Many objects must be shut down before they may be deleted.
The no form of this command administratively enables the protocol which is the default state.
Default
no shutdown
timeout
Syntax
Context
Description
This command configures the number of seconds the router waits for a response from a TACACS+ server.
The no form of this command reverts to the default value.
Default
timeout 3
Parameters
use-default-template
Syntax
Context
Description
This command specifies whether the tacplus_default user-template is actively applied to the TACACS+ user. When enabled, the tacplus_default user-template is actively applied if tacplus authorization is enabled (without the use-priv-lvl option).
Default
use-default-template
2.8.2.17. LDAP Client Commands
ldap
Syntax
Context
Description
This command configures LDAP authentication parameters for the system.
The no form of this command de-configures the LDAP client from the SR OS.
public-key-authentication
Syntax
Context
Description
This command enables public key retrieval from the LDAP server. If disabled (no public-key-authentication), password authentication is attempted via LDAP.
Default
no public-key-authentication
retry
Syntax
Context
Description
This command configures the number of retries for the SR OS in its attempt to reach the current LDAP server before attempting the next server.
The no form of this command reverts to the default value.
Default
retry 3
Parameters
server
Syntax
Context
Description
This command configures an LDAP server. Up to five servers can be configured, which can then work in a redundant manner.
The no version of this command removes the server connection.
Parameters
address
Syntax
Context
Description
This command configures the IPv4 or IPv6 address for the LDAP server.
The no version of this command removes the server address.
Parameters
ipv4-address | a.b.c.d (host bits must be 0) |
ipv6-address | x:x:x:x:x:x:x:x (eight 16-bit pieces) |
x:x:x:x:x:x:d.d.d.d | |
x: [0..FFFF]H | |
d: [0..255]D |
bind-authentication
Syntax
Context
Description
This command configures the LDAP binding used to log into LDAP server. A string of domain components (DC) and common names (CN) can be programmed to identify the user in addition to the password field. The password is hashed. For example, “cn=admin,dc=nokia,dc=com” indicates the user admin in domain nokia.com. Table 31 lists the LDAP attributes.
The no version of this command removes the bind-authentication.
Table 31: LDAP Attributes
Object Class | Naming Attribute Display Name | Naming Attribute LDAP Name |
user | Common-Name | cn |
organizationalUnit | Organizational-Unit-Name | ou |
domain | Domain-Component | dc |
Parameters
ldap-server
Syntax
Context
Description
This command configures the LDAP server name or description.
The no version of this command removes the LDAP server name.
Parameters
search
Syntax
Context
Description
This command configures the LDAP search command. The search base-dn tells the server which part of the external directory tree to search. The search DN uses the same LDAP attribute as root-dn. For example, to search a public-key for an SSH generated for a Nokia vendor, one might use “dc=public-key,dc=nokia,dc=com”.
The no version of this command remove the search DN; as such, no search is possible on the LDAP server.
Parameters
shutdown
Syntax
Context
Description
In the ldap context, this command enables or disabled LDAP protocol operations.
In the server context, this command enables or disables the LDAP server. To perform no shutdown, an LDAP server address is required. To change the address, the user first needs to shut down the server.
tls-profile
Syntax
Context
Description
This command attaches a TLS client profile to the LDAP client. The parameter in the TLS profile is used to encrypt the LDAP connection to the server. Each LDAP server can use its own TLS profile.
The no form of this command removes the TLS profile from LDAP and disables the TLS encryption from LDAP.
Parameters
timeout
Syntax
Context
Description
The timeout value is the number of seconds that the SR OS will wait for a response from the current server that it is trying to establish a connection with. If the server does not reply within the configured timeout value, the SR OS will increment the retry counter by 1. The SR OS attempts to establish the connection to the current server up to the configured retry value before it moves to the next configured server.
The no form of this command reverts to the default value.
Default
timeout 3
Parameters
use-default-template
Syntax
Context
Description
This command specifies whether or not the default template is to be actively applied to LDAP.
Default
use-default-template
2.8.2.18. User Management Commands
user
Syntax
Context
Description
This command creates a local user and a context to edit the user configuration.
If a new user-name is entered, the user is created. When an existing user-name is specified, the user parameters can be edited.
When creating a new user and then entering the info command, the system displays a password in the output. This is expected behavior in the hash2 scenario. However, when using that user name, there will be no password required. The user can login to the system and then <ENTER> at the password prompt, the user will be logged in.
Unless an administrator explicitly changes the password, it will be null. The hashed value displayed uses the username and null password field, so when the username is changed, the displayed hashed value will change.
The no form of this command deletes the user and all configuration data. Users cannot delete themselves.
Parameters
access
Syntax
Context
Description
This command grants a user permission for FTP, SNMP, console, lawful intercept (LI), NETCONF, or gRPC access.
If a user requires access to more than one application, then multiple applications can be specified in a single command. Multiple commands are treated additively.
The no form of this command removes access for a specific application, and denies permission for all management access methods. To deny a single access method, enter the no form of this command followed by the method to be denied, for example, no access FTP denies FTP access.
Default
no access
Parameters
console
Syntax
Context
Description
This command creates the context to configure user profile membership for the console (either Telnet or CPM serial port user).
cannot-change-password
Syntax
Context
Description
This command allows a user the privilege to change their password for both FTP and console login.
To disable a user’s privilege to change their password, use the cannot-change-password form of this command.
| Note: The cannot-change-password flag is not replicated when a user copy is performed. A new-password-at-login flag is created instead. |
Default
no cannot-change-password
login-exec
Syntax
Context
Description
This command configures a user’s login exec file which executes whenever the user successfully logs in to a console session.
Only one exec file can be configured. If multiple login-exec commands are entered for the same user, each subsequent entry overwrites the previous entry.
The no form of this command disables the login exec file for the user.
Default
no login-exec
Parameters
member
Syntax
Context
Description
This command is used to allow the user access to a profile.
A user can participate in up to eight profiles.
The no form of this command deletes access user access to a profile.
Default
member default
Parameters
new-password-at-login
Syntax
Context
Description
This command forces the user to change a password at the next console login. The new password applies to FTP but the change can be enforced only by the console, SSH, or Telnet login.
The no form of this command does not force the user to change passwords.
Default
no new-password-at-login
home-directory
Syntax
Context
Description
This command configures the local home directory for the user for both console (file commands and '>' redirection) and FTP access.
If the URL or the specified URL/directory structure is not present, then a warning message is issued and the default is assumed.
The no form of this command removes the configured home directory.
Default
no home-directory
| Note: If restrict-to-home has been configured no file access is granted and no home-directory is created. If restrict-to-home is not applied then root becomes the user’s home-directory. |
Parameters
password
Syntax
Context
Description
This command configures the user password for console and FTP access.
The password is stored in an encrypted format in the configuration file when specified. Passwords should be encased in double quotes (“ “) at the time of the password creation. The double quote character (“) is not accepted inside a password. It is interpreted as the start or stop delimiter of a string.
The password can be entered as plain text or a hashed value. SR OS can distinguish between hashed passwords and plain text passwords and take the appropriate action to store the password correctly.
The password is hashed by default.
For example:
The password command allows you also to enter the password as a hashed value.
For example:
Parameters
All password special characters (#, $, spaces, and so on) must be enclosed within double quotes.
For example: config>system>security>user# password “south#bay?”
The question mark character (?) cannot be directly inserted as input during a telnet connection because the character is bound to the help command during a normal Telnet/console connection.
To insert a # or ? characters, they must be entered inside a notepad or clipboard program and then cut and pasted into the Telnet session in the password field that is encased in the double quotes as delimiters for the password.
If a password is entered without any parameters, a password length of zero is implied: (carriage return).
public-keys
Syntax
Context
Description
This command allows the user to enter the context to configure public keys for SSH.
ecdsa
Syntax
Context
Description
This command allows the user to enter the context to configure ECDSA public keys.
ecdsa-key
Syntax
Context
Description
This command creates an ECDSA public key and associates it with the username. Multiple public keys can be associated with the user. The key ID is used to identify these keys for the user.
Parameters
key-value
Syntax
Context
Description
This command configures a value for the RSA or ECDSA public key. The public key must be enclosed in quotation marks. For RSA, the key is between 768 and 4096 bits. For ECDSA, the key is between 1 and 1024 bits.
Default
no key-value
Parameters
rsa
Syntax
Context
Description
This command allows the user to enter the context to configure RSA public keys.
rsa-key
Syntax
Context
Description
This command creates an RSA public key and associates it with the username. Multiple public keys can be associated with the user. The key ID is used to identify these keys for the user.
Parameters
restricted-to-home
Syntax
Context
Description
This command prevents users from navigating above their home directories for file access (either by means of CLI sessions with the file command, '>' redirection, or by means of FTP). A user is not allowed to navigate to a directory higher in the directory tree on the home directory device. The user is allowed to create and access subdirectories below their home directory.
If a home-directory is not configured or the home directory is not available, then the user has no file access.
The no form of this command allows the user access to navigate to directories above their home directory.
Default
no restricted-to-home
snmp
Syntax
Context
Description
This command creates the context to configure SNMP group membership for a specific user and defines encryption and authentication parameters.
All SNMPv3 users must be configured with the commands available in this CLI node.
The OS always uses the configured SNMPv3 user name as the security user name.
authentication
Syntax
Context
Description
This command configures the authentication and encryption method the user must use in order to be validated by the router. SNMP authentication allows the device to validate the managing node that issued the SNMP message and determine if the message has been tampered.
The keys configured in this command must be localized keys (MD5 or DES hash of the configured SNMP engine-ID and a password). The password is not directly entered in this command (only the localized key).
Default
no authentication
Parameters
The MD5 authentication key is stored in an encrypted format. The key must be entered as a full 32 hex character string.
The sha authentication key is stored in an encrypted format. The key must be entered as a full 40 hex character string.
The des-key parameter is not available in FIPS-140-2 mode.
group
Syntax
Context
Description
This command associates (or links) a user to a group name. The group name must be configured with the config>system>security>user >snmp>group command. The access command links the group with one or more views, security model (s), security level (s), and read, write, and notify permissions.
Parameters
user-template
Syntax
Context
Description
This command configures default security user template parameters.
Parameters
profile
Syntax
Context
Description
This command configures the profile for the user based on this template.
Parameters
2.8.2.19. Dot1x Commands
dot1x
Syntax
Context
Description
This command creates the context to configure 802.1x network access control on the router.
The no form of this command removes the 802.1x configuration.
radius-plcy
Syntax
Context
Description
This command creates the context to configure RADIUS server parameters for 802.1x network access control on the router.
| Note: The RADIUS server configured under the config>system>security>dot1x>radius-plcy context authenticates clients who get access to the data plane of the router as opposed to the RADIUS server configured under the config>system>radius context which authenticates CLI login users who get access to the management plane of the router. |
The no form of this command removes the RADIUS server configuration for 802.1x.
retry
Syntax
Context
Description
This command configures the number of times the router attempts to contact the RADIUS server for authentication if there are problems communicating with the server.
The no form of this command reverts to the default value.
Default
retry 3
Parameters
server
Syntax
Context
Description
This command adds a Dot1x server and configures the Dot1x server IP address, index, and key values.
Up to five Dot1x servers can be configured at any one time. Dot1x servers are accessed in order from lowest to highest index for authentication requests until a response from a server is received. A higher indexed server is only queried if no response is received from a lower indexed server (which implies that the server is not available). If a response from a server is received, no other Dot1x servers are queried. It is assumed that there are multiple identical servers configured as backups and that the servers do not have redundant data.
The no form of this command removes the server from the configuration.
Default
no server
Parameters
source-address
Syntax
Context
Description
This command configures the NAS IP address to be sent in the RADIUS packet.
The no form of this command reverts to the default value.
Parameters
shutdown
Syntax
Context
Description
This command administratively disables the 802.1x protocol operation. Shutting down the protocol does not remove or change the configuration other than the administrative state.
The operational state of the entity is disabled as well as the operational state of any entities contained within.
The no form of this command administratively enables the protocol which is the default state.
Default
shutdown
timeout
Syntax
Context
Description
This command configures the number of seconds the router waits for a response from a RADIUS server.
The no form of this command reverts to the default value.
Default
timeout 3
Parameters
2.8.2.20. Keychain Authentication
keychain
Syntax
Context
Description
This command enables the context to configure keychain parameters. A keychain must be configured on the system before it can be applied to a session.
The no form of this command removes the keychain nodal context and everything under it from the configuration. If the keychain to be removed is in use when the no keychain command is entered, the command will not be accepted and an error indicating that the keychain is in use will be printed.
Parameters
direction
Syntax
Context
Description
This command specifies the data type that indicates the TCP stream direction to apply the keychain.
bi
Syntax
Context
Description
This command configures keys for both send and receive stream directions.
uni
Syntax
Context
Description
This command configures keys for send or receive stream directions.
entry
Syntax
Context
Description
This command defines a particular key in the keychain. Entries are defined by an entry-id. A keychain must have valid entries for the TCP Enhanced Authentication mechanism to work.
If the entry is the active entry for sending, then this causes a new active key to be selected (if one is available using the youngest key rule). If it is the only possible key to send, then the system rejects the command with an error indicating the configured key is the only available send key.
If the key is one of the eligible keys for receiving, it will be removed. If the key is the only possible eligible key, then the command is accepted, and an error indicating that this is the only eligible key will be generated.
The no form of this command removes the entry from the keychain.
Parameters
The authentication-key can be any combination of letters or numbers.
This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.
begin-time
Syntax
Context
Description
This command specifies the calendar date and time after which the key specified by the keychain authentication key is used to sign and/or authenticate the protocol stream.
If no date and time is set, the begin-time is represented by a date and time string with all NULLs and the key is not valid by default.
Default
begin-time forever
Parameters
option
Syntax
Context
Description
This command configures allows options to be associated with the authentication key.
Parameters
tolerance
Syntax
Context
Description
This command configures the amount of time that an eligible receive key should overlap with the active send key or to never expire.
Parameters
receive
Syntax
Context
Description
This command enables the receive nodal context. Entries defined under this context are used to authenticate TCP segments that are being received by the router.
send
Syntax
Context
Description
This command specifies the send nodal context to sign TCP segments that are being sent by the router to another device.
end-time
Syntax
Context
Description
This command specifies the calendar date and time after which the key specified by the authentication key is no longer eligible to sign and/or authenticate the protocol stream.
Default
end-time forever
Parameters
tcp-option-number
Syntax
Context
Description
This command enables the context to configure the TCP option number to be placed in the TCP packet header.
receive
Syntax
Context
Description
This command configures the TCP option number accepted in TCP packets received.
The no form of this command reverts to the default value.
Default
receive 254
Parameters
send
Syntax
Context
Description
This command configures the TCP option number accepted in TCP packets sent.
Default
send 254
Parameters
2.8.2.21. TTL Security Commands
ttl-security
Syntax
Context
Description
This command configures TTL security parameters for incoming packets. When the feature is enabled, LDP will accept incoming IP packets from a peer only if the TTL value in the packet is greater than or equal to the minimum TTL value configured for that peer. Per-peer-queueing must be enabled in order for TTL protection to operate.
The no form of this command disables TTL security.
Parameters
2.8.2.22. gRPC Commands
grpc
Syntax
Context
Description
This command enters the context to configure gRPC parameters.
allow-unsecure-connection
Syntax
Context
Description
This command enables unsecure operation of gRPC connections. This means that TCP connections are not encrypted, including username and password information.
This command can be enabled only if there is no TLS profile assigned to the gRPC server.
The no form of this command enables TLS encryption on gRPC connections.
Default
no allow-unsecure-connection
gnmi
Syntax
Context
Description
This command enables the context for configuring a gNMI service on gRPC.
auto-config-save
Syntax
Context
Description
This command enables automatic saving of the configuration as part of the commit operation.
The no form of this command disables automatic saving.
shutdown
Syntax
Context
Description
This command stops the gNMI service.
The no form of this command starts the gNMI service.
max-msg-size
Syntax
Context
Description
This command configures the maximum rx message size that can be received.
The no form of this command reverts to the default.
Default
max-msg-size 512
Parameters
rib-api
Syntax
Context
Description
This command enables the context to control the RibAPI gRPC service.
purge-timeout
Syntax
Context
Description
This command configures the purge timeout associated with the RibApi gRPC service.
If a gRPC client used the RibApi gRPC service to program RIB entries into the router, and then the TCP connection drops for any reason, the associated RIB entries are immediately marked as stale and a timer with the purge-timeout value is started. Upon timer expiration, all of the stale entries are removed. While the timer is running, the stale entries remain valid and usable for forwarding but are less preferred than any non-stale entry. The purge-timeout gives an opportunity for the disconnected client, or some other client, to re-program the necessary RIB entries so that forwarding can continue uninterrupted.
The no form of this command resets to the default value of 0. Entries are immediately deleted when the TCP connection drops.
Default
no purge-timeout
Parameters
shutdown
Syntax
Context
Description
This command stops the RibApi gRPC service, deletes all programmed RIB entries (stale and non-stale), but does not close the TCP connections.
The no form of this command restarts the RibApi gRPC service.
shutdown
Syntax
Context
Description
This command stops the gRPC server. This closes all of the associated TCP connections and immediately purges all RIB entries that were programmed using the RibApi Service.
The no form of this command starts the gRPC server.
tcp-keepalive
Syntax
Context
Description
This command enables the context to configure the sending of TCP keepalives by the router towards all gRPC clients.
Enabling TCP keepalive speeds up the detection of certain failures. The TCP keepalives sent by the router are controlled by three commands: idle-time, interval, and retries. The router starts sending TCP keepalives when the connection has been idle (no TCP segments sent or received) for more than idle-time seconds. At that point, the router sends a probe (TCP ACK with a sequence number = current sequence number - 1) and expects a TCP ACK. It repeats this probe every interval seconds for the configured number of retries. If no response is received to any of the probes, the connection is immediately closed, which starts the purge timer if the TCP connection is currently supporting the RibApi service.
idle-time
Syntax
Context
Description
This command configures the amount of time in seconds that the connection must be idle before TCP keepalives are sent.
The no form of this command resets to the default value.
Default
idle-time 600
Parameters
interval
Syntax
Context
Description
This command configures the amount of time in seconds between successive TCP keepalive probes sent by the router.
The no form of this command resets to the default value.
Default
interval 15
Parameters
retries
Syntax
Context
Description
This command configures the number of TCP keepalive probes sent by the router that must be unacknowledged before the connection is closed.
The no form of this command resets to the default value.
Default
retries 4
Parameters
shutdown
Syntax
Context
Description
This command stops the TCP keepalives from being sent to all gRPC clients.
The no form of this command restarts the sending of TCP keepalives to all gRPC clients.
tls-server-profile
Syntax
Context
Description
This command adds a configured TLS server profile to the gRPC session. The TLS server is used for encryption of the gRPC session. gRPC will not transmit any PDUs if there is a TLS server profile assigned to it and the TLS connection is down.
The no form of this command removes the specified TLS server profile from the gRPC session.
Parameters
2.8.2.23. Login Control Commands
login-control
Syntax
Context
Description
This command creates the context to configure the session control for console, Telnet, SSH, and FTP sessions.
exponential-backoff
Syntax
Context
Description
This command enables the exponential-backoff of the login prompt. The exponential-backoff command is used to deter dictionary attacks, when a malicious user can gain access to the CLI by using a script to try admin with any conceivable password.
The no form of this command disables exponential-backoff.
Default
no exponential-backoff
ftp
Syntax
Context
Description
This command creates the context to configure FTP login control parameters.
inbound-max-sessions
Syntax
Context
Description
This command configures the maximum number of concurrent inbound FTP sessions.
This value is the combined total of inbound and outbound sessions.
The no form of this command reverts to the default value.
Default
inbound-max-sessions 3
Parameters
idle-timeout
Syntax
Context
Description
This command configures the idle timeout for console, Telnet, SSH, and FTP sessions before the session is terminated by the system.
By default, each idle console, Telnet, SSH, or FTP session times out after 30 minutes of inactivity.
The no form of this command reverts to the default value.
Default
idle-timeout 30
Parameters
login-banner
Syntax
Context
Description
This command enables or disables the display of a login banner. The login banner contains the SR OS copyright and build date information for a console login attempt.
The no form of this command causes only the configured pre-login-message and a generic login prompt to display.
login-scripts
Syntax
Context
Description
This command enables the context to configure CLI scripts that execute when a user (authenticated via any method including local user database, TACACS+, or RADIUS) first logs into a CLI session.
global
Syntax
Context
Description
This command enables an operator to define a common CLI script that executes when any user logs into a CLI session. This login exec script is executed when any user (authenticated by any means including local user database, TACACS+, or RADIUS) opens a CLI session. This allows a user, for example, to define a common set of CLI aliases that are made available on the router for all users. This global login exec script is executed before any user-specific login exec files that may be configured.
This CLI script executes in the context of the user who opens the CLI session. Any commands in the script that the user is not authorized to execute will fail.
The no form of this command disables the execution of a global login-script.
Default
no global
Parameters
per-user
Syntax
Context
Description
This command allows users to define their own login scripts that can be executed each time they first login to a CLI session. The command executes the script “file-url / username / file-name" when the user username logs into a CLI session (authenticated by any means including local user database, TACACS+, or RADIUS).
For example:
per-user user-directory "cf1:/local/users" file-name "login-script.txt"
would search for the following script when user “admin” logs in and authenticates via RADIUS:
cf1:/local/users/admin/login-script.txt
The per user login script is executed after any global script executes and before any login-exec script configured against a local user is executed. This allows users, for example, who are authenticated via TACACS+ or RADIUS to define their own login scripts.
This CLI script executes in the context of the user who opens the CLI session. Any commands in the script that the user is not authorized to execute will fail.
The no form of this command disables the execution of any per user login-scripts.
Default
no per-user
Parameters
motd
Syntax
Context
Description
This command creates the message of the day displayed after a successful console login. Only one message can be configured.
The no form of this command removes the message.
Default
no motd
Parameters
Some special characters can be used to format the message text. The \n character can be used to create multi-line messages. A \n in the message moves to the beginning of the next line by sending ASCII/UTF-8 chars 0xA (LF) and 0xD (CR) to the client terminal. An \r in the message sends the ASCII/UTF-8 char 0xD (CR) to the client terminal.
pre-login-message
Syntax
Context
Description
This command creates a message displayed prior to console login attempts on the console via Telnet.
Only one message can be configured. If multiple pre-login-messages are configured, the last message entered overwrites the previous entry.
It is possible to add the name parameter to an existing message without affecting the current pre-login-message.
The no form of this command removes the message.
Default
no pre-login-message
Parameters
ssh
Syntax
Context
Description
This command enables the context to configure the SSH parameters.
telnet
Syntax
Context
Description
This command creates the context to configure the Telnet login control parameters.
disable-graceful-shutdown
Syntax
Context
Description
This command enables graceful shutdown of SSH sessions.
The no form of this command disables graceful shutdown of SSH sessions.
inbound-max-sessions
Syntax
Context
Description
This parameter limits the number of inbound Telnet and SSH sessions. A maximum of 30 telnet and ssh connections can be established to the router. The local serial port cannot be disabled.
Telnet and SSH maximum sessions can also use the combined total of both inbound sessions (SSH+Telnet). While it is acceptable to continue to internally limit the combined total of SSH and Telnet sessions to N, either SSH or Telnet sessions can use the inbound maximum sessions, if so required by the Operator.
The no form of this command reverts to the default value.
Default
inbound-max-sessions 5
Parameters
outbound-max-sessions
Syntax
Context
Description
This parameter limits the number of outbound Telnet and SSH sessions. A maximum of 15 telnet and ssh connections can be established from the router. The local serial port cannot be disabled.
The no form of this command reverts to the default value.
Default
outbound-max-sessions 5
Parameters
enable-graceful-shutdown
Syntax
Context
Description
This command enables graceful shutdown of telnet sessions.
The no form of this command disables graceful shutdown of telnet sessions.