53. system commands

Default

disable

Options

enable, disable

Introduced

16.0.R1

Platforms

All

allow-unsecure-connection

Synopsis

Allow connection without secured transport protocol

Context

Introduced

16.0.R1

Platforms

All

auto-config-save boolean

Synopsis

Introduced

19.10.R1

Platforms

All

file

Synopsis

Enter the file context

Context

configure system grpc gnoi file

Tree

file

Introduced

21.2.R1

Platforms

All

admin-state keyword

Synopsis

Administrative state of the gNOI File service

Context

Introduced

20.5.R1

Platforms

All

max-msg-size number

Synopsis

Maximum size of received message

Context

configure system grpc max-msg-size number

Tree

max-msg-size

Range

1 to 1024

Default

512

Units

megabytes

Introduced

16.0.R1

Platforms

All

md-cli

Synopsis

Enter the md-cli context

Context

configure system grpc md-cli

Tree

md-cli

Introduced

20.5.R1

Platforms

All

admin-state keyword

Synopsis

Administrative state of the MD-CLI service

Context

configure system grpc md-cli admin-state keyword

Tree

Default

disable

Options

enable, disable

Introduced

20.5.R1

Platforms

All

rib-api

Synopsis

Enter the rib-api context

Context

configure system grpc rib-api

Tree

rib-api

Introduced

16.0.R4

Platforms

All

admin-state keyword

Synopsis

Administrative state of RibAPI service

Context

configure system grpc rib-api admin-state keyword

Tree

Default

disable

Options

enable, disable

Introduced

16.0.R4

Platforms

All

purge-timeout number

Synopsis

Number of seconds until stale entries are purged

Context

Introduced

16.0.R4

Platforms

All

idle-time number

Synopsis

Time until the first TCP keepalive probe is sent

Context

configure system grpc tcp-keepalive idle-time number

Tree

idle-time

Description

This command configures the amount of time the connection must be idle before TCP keepalives are sent.

Range

1 to 100000

Default

600

Units

seconds

Introduced

16.0.R4

Platforms

All

interval number

Synopsis

Time between TCP keep-alive probes

Context

configure system grpc tcp-keepalive interval number

Tree

configure system grpc-tunnel

Range

1 to 100000

Default

Units

seconds

Introduced

16.0.R4

Platforms

All

retries number

Synopsis

Number of probe retries before closing the connection

Context

configure system grpc tcp-keepalive retries number

Tree

retries

Description

This command configures the number of missed TCP keepalive probes before closing the TCP connection and attempting to reach the other destinations within the same destination group.

Range

3 to 100

Default

Introduced

16.0.R4

Platforms

All

tls-server-profile reference

Synopsis

Preferred TLS server profile

Notes

The following elements are part of a choice: allow-unsecure-connection or tls-server-profile.

Introduced

16.0.R1

Platforms

All

grpc-tunnel

Synopsis

Enter the grpc-tunnel context

Context

Tree

grpc-tunnel

Introduced

22.2.R1

Platforms

All

destination-group [name] string

Synopsis

Enter the destination-group list instance

Context

configure system grpc-tunnel destination-group string

Tree

destination-group

Description

Commands in this context configure parameters for destination groups.

Max. Elements

Introduced

22.2.R1

Platforms

All

[name] string

Synopsis

Destination group name

Context

configure system grpc-tunnel destination-group string

String Length

1 to 32

Notes

This element is part of a list key.

Introduced

22.2.R1

Platforms

All

allow-unsecure-connection

Synopsis

Allow unsecured operation of gRPC connections

Context

configure system grpc-tunnel destination-group string allow-unsecure-connection

Tree

allow-unsecure-connection

Description

This command allows a gRPC tunnel to run without a secured transport protocol. Data is transferred in unencrypted form.

Notes

The following elements are part of a choice: allow-unsecure-connection or tls-client-profile.

Introduced

22.2.R1

Platforms

All

description string

Synopsis

Text description

Context

configure system grpc-tunnel destination-group string description string

Tree

String Length

1 to 80

Introduced

22.2.R1

Platforms

All

destination [address] (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name) port number

Synopsis

Enter the destination list instance

Context

configure system grpc-tunnel destination-group string destination (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name) port number

Tree

destination

Max. Elements

Notes

This element is ordered by the user.

Introduced

22.2.R1

Platforms

All

[address] (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name)

Synopsis

Address of the destination within the destination group

Context

configure system grpc-tunnel destination-group string destination (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name) port number

String Length

1 to 255

Notes

This element is part of a list key.

Introduced

22.2.R1

Platforms

All

port number

Synopsis

Options

enable, disable

Introduced

22.2.R1

Platforms

All

idle-time number

Synopsis

Time until the first TCP keepalive probe is sent

Context

configure system grpc-tunnel destination-group string tcp-keepalive idle-time number

Tree

idle-time

Description

This command configures the amount of time the connection must be idle before TCP keepalives are sent.

Range

1 to 100000

Default

600

Units

seconds

Introduced

22.2.R1

Platforms

All

interval number

Synopsis

Time between TCP keep-alive probes

Context

configure system grpc-tunnel destination-group string tcp-keepalive interval number

Tree

Range

1 to 100000

Default

Units

seconds

Introduced

22.2.R1

Platforms

All

retries number

Synopsis

Number of probe retries before closing the connection

Context

configure system grpc-tunnel destination-group string tcp-keepalive retries number

Tree

retries

Description

This command configures the number of missed TCP keepalive probes before closing the TCP connection and attempting to reach the other destinations within the same destination group.

Range

3 to 100

Default

Introduced

22.2.R1

Platforms

All

tls-client-profile reference

Synopsis

TLS client profile assigned to the destination group

Context

configure system grpc-tunnel destination-group string tls-client-profile reference

Tree

tls-client-profile

Reference

configure system security tls client-tls-profile string

Notes

The following elements are part of a choice: allow-unsecure-connection or tls-client-profile.

Introduced

22.2.R1

Platforms

All

tunnel [name] string

Synopsis

Enter the tunnel list instance

Context

configure system grpc-tunnel tunnel string

Tree

tunnel

Description

Commands in this context configure gRPC-tunnel-related parameters.

Max. Elements

Introduced

22.2.R1

Platforms

All

[name] string

Synopsis

Tunnel name

Context

configure system grpc-tunnel tunnel string

String Length

1 to 32

Notes

This element is part of a list key.

Introduced

22.2.R1

Platforms

All

admin-state keyword

Synopsis

Administrative state of the tunnel

Context

configure system grpc-tunnel tunnel string admin-state keyword

Tree

Default

disable

Options

enable, disable

Introduced

22.2.R1

Platforms

All

description string

Synopsis

Text description

Context

22.2.R1

Platforms

All

[name] string

Synopsis

Handler name

Context

configure system grpc-tunnel tunnel string handler string

String Length

1 to 32

Notes

This element is part of a list key.

Introduced

22.2.R1

Platforms

All

admin-state keyword

Synopsis

Administrative state of the handler

Context

configure system grpc-tunnel tunnel string handler string admin-state keyword

Tree

label-stack-statistics-count

Default

disable

Options

enable, disable

Introduced

22.2.R1

Platforms

All

port number

Synopsis

Notes

The following elements are part of a choice: custom-type, grpc-server, or ssh-server.

Introduced

22.2.R1

Platforms

All

grpc-server

Synopsis

Target type set to GNMI_GNOI

Context

configure system grpc-tunnel tunnel string handler string target-type grpc-server

Tree

grpc-server

Description

When configured, this command assigns the gRPC server as a handler for all tunnels sessions. At the gRPC tunnel protocol level, this corresponds to a value of GNMI_GNOI.

Notes

The following elements are part of a choice: custom-type, grpc-server, or ssh-server.

Introduced

22.2.R1

Platforms

All

ssh-server

Synopsis

Target type is SSH

Context

Introduced

22.2.R1

Platforms

All

node-name

Synopsis

Set the node name as target name

Context

configure system grpc-tunnel tunnel string target-name node-name

Tree

node-name

Description

When configured, this command uses the node name as the target name. The node name is configured by the configure system name command.

Notes

The following elements are part of a choice: custom-string, node-name, or user-agent.

Introduced

22.2.R1

Platforms

All

user-agent

Synopsis

Set the user agent as the target name

Context

configure system grpc-tunnel tunnel string target-name user-agent

Tree

user-agent

Description

When configured, this command uses the user agent as the target name. The agent is a string consisting of node-name:vendor:model:software-version.

Notes

The following elements are part of a choice: custom-string, node-name, or user-agent.

Introduced

22.2.R1

Platforms

All

icmp-vse boolean

Synopsis

Enable vendor-specific extensions to ICMP

Context

configure system icmp-vse boolean

Tree

icmp-vse

Default

false

Introduced

16.0.R1

Platforms

All

ip

Synopsis

Enter the ip context

Context

configure system ip

max

Options

max, limited

Introduced

20.5.R1

Platforms

All

mpls

Synopsis

Enter the mpls context

Context

configure system ip mpls

Tree

mpls

Introduced

19.10.R3

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

label-stack-statistics-count number

Synopsis

Collect traffic statistics on labels of the MPLS stack

Context

configure system ip mpls label-stack-statistics-count number

Tree

Range

1 to 2

end

Range

0 to 16383

Default

16383

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

start number

Synopsis

Lower bound of the range

Context

configure system l2tp non-multi-chassis-tunnel-id-range start number

Tree

configure system load-balancing

Range

0 to 16383

Default

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

lacp

Synopsis

Enter the lacp context

Context

configure system lacp

Tree

lacp

Introduced

16.0.R1

Platforms

All

system-priority number

Synopsis

LACP system priority on aggregated Ethernet interfaces

Context

Introduced

16.0.R1

Platforms

All

message-fast-tx number

Synopsis

Interval at which LLDP frames are transmitted

Context

configure system lldp message-fast-tx number

Tree

message-fast-tx

Description

This command configures the interval at which LLDP frames are transmitted on behalf of the LLDP during a fast transmission period.

Range

1 to 3600

Default

Units

seconds

Introduced

16.0.R1

Platforms

All

message-fast-tx-init number

Synopsis

PDUs to transmit during the fast transmission period

Context

configure system lldp message-fast-tx-init number

Tree

message-fast-tx-init

Range

1 to 8

Default

Introduced

16.0.R1

Platforms

All

notification-interval number

Synopsis

Minimum interval between change notifications

Context

configure system lldp notification-interval number

Tree

notification-interval

Range

5 to 3600

Default

Units

seconds

Introduced

16.0.R1

Platforms

All

reinit-delay number

Synopsis

Time required before re-initializing LLDP on a port

Context

configure system lldp reinit-delay number

Tree

reinit-delay

Range

1 to 10

Default

Units

Default

Units

seconds

Introduced

16.0.R1

Platforms

All

load-balancing

Synopsis

Enter the load-balancing context

Context

Tree

load-balancing

Introduced

16.0.R1

Platforms

All

l2tp-load-balancing boolean

Synopsis

Platforms

All

mc-enh-load-balancing boolean

Synopsis

Enable enhanced egress multicast load balancing

Context

configure system load-balancing mc-enh-load-balancing boolean

Tree

mc-enh-load-balancing

Default

false

Introduced

16.0.R1

Platforms

All

service-id-lag-hashing boolean

Synopsis

Platforms

All

login-control

Synopsis

Enter the login-control context

Context

configure system login-control

Tree

Introduced

16.0.R1

Platforms

All

exponential-backoff boolean

Synopsis

Enable exponential-backoff of the login prompt

Context

configure system login-control exponential-backoff boolean

Tree

exponential-backoff

Default

false

Introduced

16.0.R1

Platforms

All

ftp

Synopsis

Enter the ftp context

Context

configure system login-control ftp

Tree

ftp

Introduced

16.0.R1

Platforms

All

inbound-max-sessions number

Synopsis

Maximum number of concurrent inbound FTP sessions

Context

configure system login-control ftp inbound-max-sessions number

Tree

inbound-max-sessions

Range

0 to 5

Default

Introduced

16.0.R1

Platforms

All

idle-timeout (keyword | number)

Synopsis

Idle timeout for FTP, console, or Telnet sessions

Context

configure system login-control idle-timeout (keyword | number)

Tree

idle-timeout

Range

1 to 1440

Default

Units

minutes

Options

none

Introduced

16.0.R1

Platforms

All

login-banner boolean

Synopsis

Display login banner

Context

configure system login-control login-banner boolean

Tree

Default

false

Introduced

16.0.R1

Platforms

All

login-scripts

Synopsis

Enter the login-scripts context

Context

configure system login-control login-scripts

Tree

Introduced

16.0.R1

Platforms

All

global-script string

Synopsis

URL of the global CLI login script

Context

configure system login-control login-scripts global-script string

Tree

global-script

String Length

1 to 180

Introduced

16.0.R1

Platforms

All

per-user-script

Synopsis

Enter the per-user-script context

Context

configure system login-control login-scripts per-user-script

Tree

per-user-script

Introduced

16.0.R1

Platforms

All

Platforms

All

pre-login-message

Synopsis

Enter the pre-login-message context

Context

configure system login-control pre-login-message

Tree

pre-login-message

Introduced

16.0.R1

Platforms

All

message string

Synopsis

Message displayed prior to the login prompt

Context

configure system login-control pre-login-message message string

Tree

message

String Length

1 to 900

Introduced

16.0.R1

Platforms

All

name boolean

Synopsis

Platforms

All

inbound-max-sessions number

Synopsis

Maximum number of concurrent inbound sessions

Context

configure system login-control ssh inbound-max-sessions number

Tree

inbound-max-sessions

Range

0 to 50

Default

Introduced

16.0.R1

Platforms

All

outbound-max-sessions number

Synopsis

Maximum number of concurrent outbound sessions

Context

configure system login-control ssh outbound-max-sessions number

Tree

outbound-max-sessions

Range

0 to 15

Default

Introduced

16.0.R1

Platforms

All

ttl-security number

Synopsis

Platforms

All

inbound-max-sessions number

Synopsis

Maximum number of concurrent inbound sessions

Context

configure system login-control telnet inbound-max-sessions number

Tree

inbound-max-sessions

Range

0 to 50

Default

Introduced

16.0.R1

Platforms

All

outbound-max-sessions number

Synopsis

Maximum number of concurrent outbound sessions

Context

configure system login-control telnet outbound-max-sessions number

Tree

outbound-max-sessions

Range

0 to 15

Default

Introduced

16.0.R1

Platforms

All

ttl-security number

Synopsis

Platforms

All

rollback

Synopsis

Enter the rollback context

Context

configure system management-interface cli classic-cli rollback

Tree

rollback

Introduced

16.0.R1

Platforms

All

local-checkpoints number

Synopsis

Maximum number of rollback files on compact flash

Context

configure system management-interface cli classic-cli rollback local-checkpoints number

Tree

local-checkpoints

Range

1 to 50

Default

Introduced

16.0.R1

Platforms

All

location string

Synopsis

Location and filename of the rollback checkpoint files

Context

configure system management-interface cli classic-cli rollback location string

Tree

location

String Length

1 to 180

Introduced

16.0.R1

Platforms

All

remote-checkpoints number

Synopsis

Maximum rollback files saved at a remote location

Context

configure system management-interface cli classic-cli rollback remote-checkpoints number

Tree

remote-checkpoints

Range

1 to 200

Default

Introduced

16.0.R1

Platforms

All

rescue

Synopsis

Enter the rescue context

Context

configure system management-interface cli classic-cli rollback rescue

Tree

rescue

Introduced

16.0.R1

Platforms

All

location string

Synopsis

Location of the rollback rescue file

Context

configure system management-interface cli classic-cli rollback rescue location string

Tree

location

String Length

1 to 180

Introduced

16.0.R1

Platforms

All

cli-engine keyword

Synopsis

System-wide CLI engine access configuration

Context

Introduced

16.0.R1

Platforms

All

auto-config-save boolean

Synopsis

alias [alias-name] string

Synopsis

Enter the alias list instance

Context

configure system management-interface cli md-cli environment command-alias alias string

Tree

alias

Description

Commands in this context create aliases to existing MD-CLI commands or to Python applications.

Aliases may be mounted for use globally or for selected context paths. Arguments and output modifiers may be provided to aliases at configuration or run time.

Introduced

21.7.R1

Platforms

All

[alias-name] string

Synopsis

Alias name

Context

configure system management-interface cli md-cli environment command-alias alias string

String Length

1 to 64

Notes

This element is part of a list key.

Introduced

21.7.R1

Platforms

All

admin-state keyword

Synopsis

Administrative state of the alias

Context

configure system management-interface cli md-cli environment command-alias alias string admin-state keyword

Tree

Description

This command controls the administrative state of the MD-CLI alias.

MD-CLI aliases that are administratively disabled cannot be executed, do not autocomplete in operational mode, and do not appear in ? help.

Default

disable

Options

enable, disable

Introduced

21.10.R1

Platforms

All

cli-command string

Synopsis

CLI command to run when executing the alias

Context

configure system management-interface cli md-cli environment command-alias alias string cli-command string

Tree

cli-command

String Length

1 to 255

Notes

The following elements are part of a mandatory choice: cli-command or python-script.

Introduced

21.7.R1

Platforms

All

description string

Synopsis

Text description

Context

configure system management-interface cli md-cli environment command-alias alias string description string

Tree

configure system management-interface cli md-cli environment console

String Length

1 to 110

Introduced

21.7.R1

Platforms

All

mount-point [path] (keyword | string)

Synopsis

Add a list entry for mount-point

Context

configure system management-interface cli md-cli environment command-alias alias string mount-point (keyword | string)

Tree

mount-point

Min. Elements

Introduced

21.7.R1

Platforms

All

[path] (keyword | string)

Synopsis

Mount point where alias is available

Context

Enter the console context

Context

Tree

Platforms

All

always-display

Synopsis

Enter the always-display context

Context

configure system management-interface cli md-cli environment info-output always-display

Tree

always-display

Description

Commands in this context specify elements that are always displayed in the info output, regardless of whether the detail option is used.

Introduced

22.2.R1

Platforms

All

admin-state boolean

Synopsis

Display admin-state elements

Context

Introduced

16.0.R1

Platforms

All

more boolean

Synopsis

Prompt to continue or stop when output text fills page

Context

configure system management-interface cli md-cli environment more boolean

Tree

Default

true

Introduced

16.0.R1

Platforms

All

progress-indicator

Synopsis

Enter the progress-indicator context

Context

configure system management-interface cli md-cli environment progress-indicator

Tree

progress-indicator

Introduced

16.0.R1

Platforms

All

admin-state keyword

Synopsis

Administrative state of the progress indicator

Context

configure system management-interface cli md-cli environment progress-indicator admin-state keyword

Tree

configure system management-interface cli md-cli environment python

Default

enable

Options

enable, disable

Introduced

16.0.R1

Platforms

All

delay number

Synopsis

Delay before progress indicator is displayed

Context

configure system management-interface cli md-cli environment progress-indicator delay number

Tree

Enter the python context

Context

Tree

python

Introduced

21.10.R1

Platforms

All

memory-reservation number

Synopsis

Memory reserved per interpreter

Context

configure system management-interface cli md-cli environment python memory-reservation number

Tree

memory-reservation

Range

1 to 500

Units

megabytes

Introduced

21.10.R1

Platforms

All

minimum-available-memory number

Synopsis

Minimum memory requirement to spawn Python interpreter

Context

configure system management-interface cli md-cli environment python minimum-available-memory number

Tree

minimum-available-memory

Range

5 to 50

Units

percent

Introduced

21.10.R1

Platforms

All

timeout number

Synopsis

Maximum run time before a Python application is stopped

Context

configure system management-interface cli md-cli environment python timeout number

Tree

timeout

Range

30 to 86400

Default

3600

Units

seconds

Introduced

21.10.R1

Platforms

All

time-display keyword

Synopsis

Time zone to display time

Context

configure system management-interface cli md-cli environment time-display keyword

Tree

time-display

Description

This command configures the time zone for a timestamp displayed in outputs, such as event logs and traps for the current CLI session.

Log files on compact flash are maintained and displayed in UTC format.

Default

local

Options

local, utc

Introduced

16.0.R1

Platforms

All

time-format keyword

Synopsis

Time format to display date and time

Context

configure system management-interface cli md-cli environment time-format keyword

Tree

time-format

Description

This command specifies the format of the time display in configuration, state, and certain show command output in the current CLI session.

Default

rfc-3339

Options

iso-8601, rfc-1123, rfc-3339

Introduced

20.5.R1

Platforms

All

commit-history number

Synopsis

Number of commit history IDs to store

Context

configure system management-interface commit-history number

Tree

commit-history

Description

This command sets the number of IDs to store in the commit history.

Setting the value to 0 disables the commit history.

Range

0 to 200

Default

Introduced

21.10.R1

Platforms

All

configuration-mode keyword

Synopsis

Configuration mode for the system

Context

configure system management-interface configuration-mode keyword

Tree

configuration-mode

Default

classic

Options

classic, model-driven, mixed

Introduced

16.0.R1

Platforms

All

configuration-save

Synopsis

Enter the configuration-save context

Context

configure system management-interface configuration-save

Tree

configuration-save

Introduced

16.0.R1

Platforms

All

configuration-backups number

Synopsis

Maximum number of backup versions maintained

Context

configure system management-interface configuration-save configuration-backups number

Tree

configuration-backups

Range

1 to 200

Default

Introduced

16.0.R1

Platforms

All

netconf

Synopsis

Enter the netconf context

Context

configure system management-interface netconf

Tree

Introduced

16.0.R1

Platforms

All

admin-state keyword

Synopsis

Administrative state of NETCONF

Context

configure system management-interface netconf admin-state keyword

Tree

configure system management-interface operations

Default

disable

Options

enable, disable

Introduced

16.0.R1

Platforms

All

auto-config-save boolean

Synopsis

Platforms

All

writable-running boolean

Synopsis

Allow NETCONF server to access the running datastore

Context

configure system management-interface netconf capabilities writable-running boolean

Tree

writable-running

Default

false

Introduced

16.0.R1

Platforms

All

port number

Synopsis

Choose port on which the NETCONF server will listen for new connections.

Context

configure system management-interface netconf port number

Tree

port

Range

22 | 830

Default

830

Introduced

19.10.R1

Platforms

All

operations

Synopsis

Enter the operations context

Context

Tree

operations

Description

Commands in this context configure parameters associated with operational commands in model-driven interfaces.

Introduced

21.5.R1

Platforms

All

global-timeouts

Synopsis

Enter the global-timeouts context

Context

configure system management-interface operations global-timeouts

Tree

global-timeouts

Description

Commands in this context configure system timeout parameters for operational commands.

Timeout parameters provide default system-level control for various types of operational commands in model-driven interfaces. The timeout values are used when specific execution and retention timeouts are not requested for a specific operation.

Introduced

21.5.R1

Platforms

All

asynchronous-execution (number | keyword)

Synopsis

Timeout for asynchronous operation execution

Context

configure system management-interface operations global-timeouts asynchronous-execution (number | keyword)

Tree

asynchronous-execution

Description

This command configures the period of time that operations launched as “asynchronous” are allowed to execute before being automatically stopped by the SR OS.

An asynchronous operation is not deleted from the system when it is stopped. See the asynchronous-retention command.

If a specific execution timeout is not included in the request for a particular asynchronous operation, this system-level timeout applies.

Note: This execution timeout is part of the general global operations infrastructure and is separate and independent from any operation-specific timeouts (for example, the ping operation also has its own timeout parameter).

Range

1 to 604800

Default

3600

Units

seconds

Options

never

Introduced

21.5.R1

Platforms

All

asynchronous-retention (number | keyword)

Synopsis

Timeout for asynchronous operation data retention

Context

configure system management-interface operations global-timeouts asynchronous-retention (number | keyword)

Tree

asynchronous-retention

Description

This command configures the period of time that data related to operations launched as “asynchronous” is retained in the system. After the retention timeout expires, all information related to the operation is deleted, including any status information and result data.

If a specific retention timeout is not included in the request for a particular asynchronous operation, this system-level timeout applies.

Range

1 to 604800

Default

86400

Units

seconds

Options

never

Introduced

21.5.R1

Platforms

All

synchronous-execution (number | keyword)

Synopsis

Timeout for synchronous operation execution

Context

configure system management-interface operations global-timeouts synchronous-execution (number | keyword)

Tree

synchronous-execution

Description

This command configures the period of time that operations launched as “'synchronous” (the default method for all operations) are allowed to execute before they are automatically stopped, and their associated data is deleted.

20.5.R1

Platforms

All

allow-unsecure-connection

Synopsis

Allow connection without secured transport protocol

Context

configure system management-interface remote-management allow-unsecure-connection

Tree

allow-unsecure-connection

Description

When configured, this command allows an unsecured connection to remote managers; TCP connections are not encrypted, including username and password information.

Notes

The following elements are part of a choice: allow-unsecure-connection or client-tls-profile.

Introduced

20.5.R1

Platforms

All

client-tls-profile reference

Synopsis

TLS client profile name

Context

configure system management-interface remote-management client-tls-profile reference

Tree

client-tls-profile

Description

This command specifies the client TLS profile to all remote managers.

Reference

configure system security tls client-tls-profile string

Notes

The following elements are part of a choice: allow-unsecure-connection or client-tls-profile.

Introduced

20.5.R1

Platforms

All

connection-timeout number

Synopsis

Time without a response before manager declared down

Context

configure system management-interface remote-management connection-timeout number

Tree

connection-timeout

Range

1 to 3600

Default

Units

seconds

Introduced

20.5.R1

Platforms

All

device-label string

Synopsis

Device label supplied to the remote manager

Context

configure system management-interface remote-management device-label string

Tree

device-label

Description

This command specifies a metadata label that is supplied to the manager. This label is used to group devices or network nodes with a common purpose or goal.

String Length

1 to 64

Introduced

20.5.R1

Platforms

All

device-name string

Synopsis

Device name supplied to the remote manager

Context

configure system management-interface remote-management device-name string

Tree

device-name

Description

This command specifies a device name that is supplied to the manager. The name identifies a specific SR OS node in the network.

When unconfigured, the default system name is used.

String Length

1 to 64

Introduced

20.5.R1

Platforms

All

hello-interval number

Synopsis

Time between hello messages from SR OS node to manager

Context

configure system management-interface remote-management hello-interval number

Tree

hello-interval

Range

10 to 216000

Default

600

Units

seconds

Introduced

20.5.R1

Platforms

All

manager [manager-name] string

Synopsis

Enter the manager list instance

Context

configure system management-interface remote-management manager string

Tree

manager

Description

Commands in this context configure specific manager-related commands. Commands configured in this context take precedence over command values specified directly in the configure management-interface remote-management context.

If a command is not configured in this context, the command setting is inherited from the higher level context.

Max. Elements

Introduced

20.5.R1

Platforms

All

[manager-name] string

Synopsis

Remote management manager name

Context

configure system management-interface remote-management manager string

String Length

1 to 64

Notes

This element is part of a list key.

Introduced

20.5.R1

Platforms

All

admin-state keyword

Synopsis

Administrative state of remote management registration

Context

configure system management-interface remote-management manager string admin-state keyword

Tree

allow-unsecure-connection

Default

disable

Options

enable, disable

Introduced

20.5.R1

Platforms

All

allow-unsecure-connection

Synopsis

Allow connection without secured transport protocol

Context

configure system management-interface remote-management manager string allow-unsecure-connection

Tree

Description

When configured, this command allows an unsecured connection to remote managers; TCP connections are not encrypted, including username and password information.

Notes

The following elements are part of a choice: allow-unsecure-connection or client-tls-profile.

Introduced

20.5.R1

Platforms

All

client-tls-profile reference

Synopsis

TLS client profile name

Context

configure system management-interface remote-management manager string client-tls-profile reference

Tree

client-tls-profile

Description

This command assigns a profile name to a remote manager.

Reference

configure system security tls client-tls-profile string

Notes

The following elements are part of a choice: allow-unsecure-connection or client-tls-profile.

Introduced

20.5.R1

Platforms

All

connection-timeout number

Synopsis

Platforms

All

device-name string

Synopsis

Device name supplied to the remote manager

Context

configure system management-interface remote-management manager string device-name string

Tree

device-name

Description

This command specifies a device name that is supplied to the manager. The name identifies a specific SR OS node in the network.

When unconfigured, the default system name is used.

String Length

1 to 64

Introduced

20.5.R1

Platforms

All

manager-address (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name)

Synopsis

Destination IP address of the manager

Context

configure system management-interface remote-management manager string manager-address (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name)

Tree

manager-address

String Length

1 to 255

Introduced

20.5.R1

Platforms

All

manager-port number

Synopsis

Destination TCP port for gRPC connections to manager

Context

Introduced

20.5.R1

Platforms

All

router-instance string

Synopsis

Options

grpc-default

Introduced

20.5.R1

Platforms

All

schema-path string

Synopsis

Schema path URL

Context

configure system management-interface schema-path string

Tree

schema-path

Description

This command specifies the schema path where the SR OS YANG modules can be manually copied by the user prior to using a <get-schema> request. It is recommended that the URL string not exceed 135 characters for the <get-schema> request to work properly with all schema files.

When unconfigured, the software upgrade process manages the YANG schema files to ensure the schema files are synchronized with the software image on both the primary and standby CPM.

String Length

1 to 180

Introduced

16.0.R4

Platforms

All

snmp

Synopsis

Enter the snmp context

Context

configure system management-interface snmp

Tree

snmp

Introduced

16.0.R1

Platforms

All

admin-state keyword

Synopsis

Platforms

All

packet-size number

Synopsis

Maximum SNMP packet size generated by the node

Context

Introduced

16.0.R1

Platforms

All

yang-modules

Synopsis

Enter the yang-modules context

Context

configure system management-interface yang-modules

Tree

yang-modules

Description

Description

When configured to true, this command enables the advertisement of NMDA support over NETCONF through the use of YANG library 1.1.

When configured to false, this command disables NMDA advertisement over NETCONF and YANG library 1.0 is used.

Default

false

Introduced

21.7.R1

Platforms

All

nokia-combined-modules boolean

Synopsis

Support access to combined Nokia YANG models

Context

configure system management-interface yang-modules nokia-combined-modules boolean

Tree

nokia-combined-modules

Description

When configured to true, the system supports the combined Nokia YANG files for both configuration and state data in the NETCONF server.

When the system is operating in classic configuration mode, attempts to access (read or write) the configuration using the Nokia configuration modules or namespace via NETCONF result in errors, even if this command is set to true.

When configured to false, access to the combined Nokia YANG files is not supported.

This command and the nokia-submodules command cannot both be set to true at the same time.

Introduced

16.0.R4

Platforms

All

nokia-submodules boolean

Synopsis

Support submodule-based packaging of Nokia YANG models

Platforms

All

profile [name] string

Synopsis

Enter the profile list instance

Context

configure system network-element-discovery profile string

Tree

profile

Max. Elements

Introduced

19.5.R1

Platforms

All

[name] string

Synopsis

Profile name

Context

configure system network-element-discovery profile string

String Length

1 to 32

Notes

This element is part of a list key.

Introduced

19.5.R1

Platforms

All

neid string

Synopsis

Introduced

21.2.R1

Platforms

All

ipv6

Synopsis

Enable the ipv6 context

Context

configure system network-element-discovery profile string neip auto-generate ipv6

Tree

ipv6

Introduced

21.2.R1

Platforms

All

vendor-id-value number

Synopsis

Most significant byte of the NE IPv6 address

Context

Platforms

All

system-mac string

Synopsis

MAC address of the advertised node

Context

configure system network-element-discovery profile string system-mac string

Tree

system-mac

Introduced

19.5.R1

Platforms

All

vendor-id string

Synopsis

Vendor ID to be advertised

Context

configure system network-element-discovery profile string vendor-id string

Tree

vendor-id

String Length

1 to 255

Default

Nokia

Introduced

19.5.R1

Platforms

All

ospf-dynamic-hostnames boolean

Synopsis

Process received OSPF dynamic hostname information

Context

configure system ospf-dynamic-hostnames boolean

Tree

ospf-dynamic-hostnames

Description

When configured to true, OSPF dynamic hostnames are enabled. The router receiving the new dynamic hostname within the OSPF Router Information (RI) LSA is instructed to process the received dynamic hostname information.

When configured to false, dynamic hostname information is not processed.

Default

false

Introduced

20.2.R1

Platforms

All

persistence

Synopsis

Enter the persistence context

Context

configure system persistence

Tree

persistence

Description

Commands in this context configure persistence on the system.

The persistence feature enables the system to retain state information learned through DHCP snooping across reboots. This information includes data such as the IP address and MAC binding information, lease-length information, and ingress SAP information (required for VPLS snooping to identify the ingress interface).

If persistence is enabled when there are no DHCP relay or snooping commands enabled, the system creates an empty file.

Introduced

16.0.R1

Platforms

All

configure system persistence nat-port-forwarding

Tree

nat-port-forwarding

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Text description

Context

configure system persistence python-policy-cache description string

Tree

String Length

1 to 80

Introduced

16.0.R1

Platforms

All

location keyword

Synopsis

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

location keyword

Synopsis

Platforms

7750 SR-s, 7950 XRS

mode keyword

Synopsis

Power capacity mode algorithm

Context

configure system power-management power-zone number mode keyword

Tree

mode

Default

basic

Options

none, basic, advanced

Introduced

16.0.R1

Platforms

7750 SR-s, 7950 XRS

power-safety-alert number

Synopsis

Power capacity to trigger a safety alert event

Context

configure system power-management power-zone number power-safety-alert number

Tree

power-safety-alert

Range

0 to 120000

Default

Units

watts

Introduced

16.0.R1

Platforms

7750 SR-s, 7950 XRS

power-safety-level number

Synopsis

Minimum threshold to power off devices

Context

configure system power-management power-zone number power-safety-level number

Tree

power-safety-level

Range

0 to 100

Default

100

Units

percent

Introduced

16.0.R1

Platforms

7750 SR-s, 7950 XRS

ptp

Synopsis

Enter the ptp context

Context

configure system ptp

Tree

ptp

Description

Commands in this context configure Precision Time Control (PTP) parameters based on IEEE 1588-2008, Precision Time Protocol.

The context is only supported on control assemblies that support 1588.

Introduced

21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

admin-state keyword

Synopsis

Administrative state of PTP

Context

configure system ptp admin-state keyword

Tree

Default

disable

Options

enable, disable

Introduced

21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

announce-receipt-timeout number

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Expired intervals count before timeout event declared

Context

configure system ptp announce-receipt-timeout number

Tree

announce-receipt-timeout

Description

This command configures the number of Announce message intervals that must expire with no received Announce messages before declaring an ANNOUNCE_RECEIPT_TIMEOUT event.

Range

2 to 10

Default

Introduced

21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

clock-type keyword

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Warning:

Modifying this element recreates the parent element automatically for the new value to take effect.

Synopsis

Clock type

Context

configure system ptp clock-type keyword

Tree

clock-type

Options

slave-only, master-only, boundary

Introduced

21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

domain number

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

PTP domain

Context

configure system ptp domain number

Tree

domain

Description

This command configures the PTP domain. The default and valid range of the domain depend on the configured PTP profile.

IEEE 1588-2008 - domain range of 0 to 255 (default 0)
G.8265.1 - domain range of 0 to 255 (default 4)
G.8275.1 - domain range of 24 to 43 (default 24)
G.8275.2 - domain range of 0 to 255 (default 44)

Range

0 to 255

Introduced

21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

local-priority number

Synopsis

PTP clock local priority

Context

configure system ptp local-priority number

Tree

local-priority

Description

This command configures the local priority used to choose between PTP masters in the best master clock algorithm (BMCA). This setting applies when the PTP profile is either configured for G.8275.1 or G.8275.2 and is ignored for any other profile.

For G.8275.1 or G.8275.2, this command configures the localPriority parameter associated with the local clock (ptp context). See G.8275.1 or G.8275.2 for detailed information.

Range

1 to 255

Default

128

Introduced

21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

log-announce-interval number

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Announce message interval in log form

Context

configure system ptp log-announce-interval number

Tree

log-announce-interval

Description

This command configures the Announce message interval used for both unicast and multicast messages.

For unicast messages, the Announce message interval is requested during unicast negotiation to any peer. This controls the Announce message rate sent from remote peers to the local node. It does not affect the announce message rate that may be sent from the local node to remote peers. Remote peers may request an Announce message rate within the acceptable grant range.

For multicast messages used on PTP Ethernet ports, this command specifies the message interval used for Announce messages transmitted by the local node.

This value also defines the interval between executions of the BMCA within the node.

To minimize BMCA driven reconfigurations, IEEE recommends that the announce interval should be consistent across the entire 1588 network.

Range

-3 to 4

Introduced

21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

network-type keyword

Synopsis

PTP network type

Context

configure system ptp network-type keyword

Tree

network-type

Description

This command configures the codeset (as defined in Table 1/G.8265.1) to be used for the encoding of QL values into PTP clockClass values when the profile is configured for G.8265.1.

This setting only applies to the range of values observed in the clockClass parameter transmitted out of the node in Announce messages. The router supports the reception of any valid value in Table 1/G.8265.1

Default

sdh

Options

sonet, sdh

Introduced

21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

port [port-id] reference

Synopsis

Enter the port list instance

Context

configure system ptp port reference

Tree

port

Description

Commands in this context configure PTP over Ethernet on the physical port. The PTP process transmits and receives PTP messages through the port using Ethernet encapsulation (as opposed to UDP/IPv4 encapsulation).

Frames are transmitted with no VLAN tags, even if the port is configured for dot1q or qinq modes for encap-type. The received frames from the external PTP clock must also be untagged.

Two reserved multicast addresses are allocated for PTP messages (see Annex F IEEE Std 1588-2008). Either address can be configured for the PTP messages sent through the port.

A PTP port cannot be created if the PTP profile is configured for G.8265.1.

If the port supports 1588 port-based timestamping, Synchronous Ethernet must be enabled on the MDA when PTP over Ethernet is enabled.

De-provisioning of the card or MDA containing the specified port is not permitted while the port is configured within PTP.

Changing the encapsulation or the port type of the Ethernet port is not permitted when PTP Ethernet Multicast operation is configured on the port.

To allocate an Ethernet satellite client port as a PTP port, the Ethernet satellite must first be enabled for the transparent clock function. For more information, see the configure satellite ethernet-satellite ptp-tc command.

The SyncE/1588 ports of the CPM and CCMs can be specified as PTP ports. These use the ‘A/3’ and ‘B/3’ designation and both must be specified as two PTP ports if both are used. The active CPM sends and receives messages on both ports if they are specified and enabled.

Introduced

21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

[port-id] reference

Synopsis

Ethernet PTP port ID

Context

configure system ptp port reference

Reference

configure port string

Notes

This element is part of a list key.

Introduced

21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

address string

Synopsis

Destination MAC address of the transmitted PTP messages

Context

configure system ptp port reference address string

Tree

Description

This command specifies the destination MAC address of the transmitted PTP messages. IEEE Std 1588-2008 Annex F defines two reserved addresses for 1588 messages, which include:

01-1B-19-00-00-00 — all except the peer delay mechanism messages
01-80-C2-00-00-0E — peer delay mechanism messages

Both addresses are supported for reception, independent of the address configured by this command.

Default

01:1B:19:00:00:00

Introduced

21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

admin-state keyword

Synopsis

Administrative state of the PTP port

Context

configure system ptp port reference admin-state keyword

Tree

configure system ptp ptsf monitor-ptsf-unusable

Default

enable

Options

enable, disable

Introduced

21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

local-priority number

Synopsis

PTP port local priority

Context

configure system ptp port reference local-priority number

Tree

local-priority

Description

For G.8275.1 or G.8275.2, this command configures the localPriority parameter associated with the Announce messages received from the external clocks (ptp port context). See G.8275.1 or G.8275.2 for detailed information.

Range

1 to 255

Default

128

Introduced

21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

log-delay-interval number

Synopsis

Minimum interval for Delay_Req messages in log form

Context

configure system ptp port reference log-delay-interval number

Tree

log-delay-interval

Description

This command configures the minimum interval used for multicast Delay_Req messages for the port. For ports in a slave state, the interval is used, unless the parent port indicates a longer interval. For a port in master state, the interval is advertised to external slave ports as the minimum acceptable interval for Delay_Req messages from the slave ports.

The router supports the 1588 standard requirement for a port in slave state to check the logMessageInterval field of received multicast Delay_Resp messages. If the value of the logMessageInterval field of the messages is greater than the value configured locally for the generation of Delay_Req messages, the slave must use the longer interval for the generation of Delay_Req messages.

The interval value is specified as the logarithm to the base 2.

Range

-6 to 0

Introduced

21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

log-sync-interval number

Synopsis

Interval for transmission of Sync messages in log form

Context

configure system ptp port reference log-sync-interval number

Tree

log-sync-interval

Description

This command configures the interval used for Sync messages transmitted by the local node when the port is in master state.

The interval value is specified as the logarithm to the base 2.

Range

-6 to 0

Introduced

21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

master-only boolean

Synopsis

Restrict the local port to master state

Context

configure system ptp port reference master-only boolean

Tree

master-only

Description

When configured to true, the local port is restricted to master state only, ensuring that the system does not obtain synchronization from attached external devices.

This command is supported only when the PTP profile is set for G.8275.1 or G.8275.2.

Introduced

21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

priority1 number

Synopsis

Priority1 of the local clock

Context

configure system ptp priority1 number

Tree

priority1

Description

This command configures the priority1 parameter of the local clock. The setting is used when the profile is configured for IEEE 1588-2008.

This value is used by the Best Master Clock Algorithm to determine which clock should provide timing for the network and is advertised in Announce messages.

Range

0 to 255

Default

128

Introduced

21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

priority2 number

Synopsis

Priority2 of the local clock

Context

configure system ptp priority2 number

Tree

priority2

Description

This command configures the priority2 parameter of the local clock. The setting is used when the profile is configured for IEEE 1588-2008, G.8275.1, or G.8275.2.

This value is used by the Best Master Clock algorithm to determine which clock should provide timing for the network and is advertised in Announce messages.

Range

0 to 255

Default

128

Introduced

21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

profile keyword

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Warning:

Modifying this element recreates the parent element automatically for the new value to take effect.

Synopsis

PTP profile

Context

configure system ptp profile keyword

Tree

profile

Description

This command configures the profile to be used for the internal PTP clock. It defines the Best Master Clock Algorithm (BMCA) behavior.

Profile changes may affect the settings of other configuration elements, such as the clock type and default settings for the delay interval, announce interval, and the Sync interval.

The following clock types are supported for the indicated profiles:

G.8265.1: slave only, master only
IEEE 1588 2008: slave only, master only, boundary
G.8275.1: slave only, boundary, master only (master only, only if the platform includes an embedded GNSS receiver)
G.8275.2: slave only, boundary, master only (master only, only if the platform includes an embedded GNSS receiver)

Options

g8265dot1-2010, ieee1588-2008, g8275dot1-2014, g8275dot2-2016

Introduced

21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

ptsf

Synopsis

Enter the ptsf context

Context

configure system ptp ptsf

Tree

ptsf

Description

Commands in this context configure the attributes of Packet Timing Signal Fail (PTSF).

Introduced

21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

monitor-ptsf-unusable

Synopsis

Enter the monitor-ptsf-unusable context

Context

Tree

monitor-ptsf-unusable

Description

Commands in this context configure monitoring of neighbor clocks for the PTSF-unusable state (condition) when the profile is set to g8275dot1-2014.

When administratively enabled, the local clock monitors the noise level of PTP event messages between external neighbor PTP ports and the local clock. If it detects a high variation in the network path between the external neighbor port and the local port, it considers the neighbor port unusable. Announce messages from the neighbor are discarded and excluded from the BMCA and the port cannot be selected as the parent clock. The unusable condition must be manually cleared.

When administratively disabled, the monitor PTSF function of the PTP clock clears PTSF-unusable states from all neighbor PTP ports. If no PTP messages are received from a neighbor for 15 minutes, the neighbor information is purged and the PTSF-unusable state is cleared.

Introduced

21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

admin-state keyword

Synopsis

Administrative state of PTSF unusable monitoring

Context

configure system ptp ptsf monitor-ptsf-unusable admin-state keyword

Tree

Default

disable

Options

enable, disable

Introduced

21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

router [router-instance] string

Synopsis

Enter the router list instance

Context

configure system ptp router string

Tree

router

Introduced

21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

[router-instance] string

Synopsis

Router name or VPRN service name

Context

configure system ptp router string

Notes

This element is part of a list key.

Introduced

21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

admin-state keyword

Synopsis

Administrative state of PTP on the router instance

Context

configure system ptp router string admin-state keyword

Tree

Default

enable

Options

enable, disable

Introduced

21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

peer [ip-address] (ipv4-address-no-zone | ipv6-address-no-zone)

Synopsis

Enter the peer list instance

Context

configure system ptp router string peer (ipv4-address-no-zone | ipv6-address-no-zone)

Tree

peer

Description

Commands in this context configure a remote PTP peer.

In the current release, the system supports PTP using IPv4 only.

Introduced

21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

[ip-address] (ipv4-address-no-zone | ipv6-address-no-zone)

Synopsis

IP address of the remote PTP peer

Context

configure system ptp router string peer (ipv4-address-no-zone | ipv6-address-no-zone)

Description

This command specifies the IP address of the remote PTP peer.

In the current release, the system supports PTP using IPv4 only.

Notes

This element is part of a list key.

Introduced

21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

admin-state keyword

Synopsis

Administrative state of the PTP peer

Context

configure system ptp router string peer (ipv4-address-no-zone | ipv6-address-no-zone) admin-state keyword

Tree

Default

enable

Options

enable, disable

Introduced

21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

local-priority number

Synopsis

PTP peer local priority

Context

configure system ptp router string peer (ipv4-address-no-zone | ipv6-address-no-zone) local-priority number

Tree

local-priority

Description

This command configures the local priority for the peer, which is used to choose between PTP masters in the best master clock algorithm (BMCA). This setting applies when the PTP profile is configured for G.8265.1, G.8275.1, or G.8275.2 and is ignored for any other profile.

For G.8265.1, this command configures the priority used to choose between master clocks with the same quality (see G.8265.1 for more details).

For G.8275.1 or G.8275.2, this command configures the localPriority parameter associated with the Announce messages received from the external clocks (ptp router peer context). See G.8275.1 or G.8275.2 for detailed information.

Range

1 to 255

Default

128

Introduced

21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

log-sync-interval number

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

PTP peer interval for Sync messages in log form

Context

configure system ptp router string peer (ipv4-address-no-zone | ipv6-address-no-zone) log-sync-interval number

Tree

log-sync-interval

Description

This command configures the message interval used for Sync and Delay_Resp messages that are requested during unicast negotiation to the peer. The setting controls messages sent from remote peers to the local node but the packet rate from the local node to remote peers is not affected. Remote peers may request a packet rate within the acceptable range.

The interval value is specified as the logarithm to the base 2.

Range

-6 to 0

Introduced

21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

peer-limit number

Synopsis

Number of discovered peers allowed for routing instance

Context

configure system ptp router string peer-limit number

Tree

peer-limit

Description

This command specifies the maximum number of discovered peers permitted within the routing instance. This ensures that a routing instance does not consume all the possible discovered peers and prevents the routing instance from blocking discovered peers in other routing instances.

The sum of all peer limit values for all routing instances cannot exceed the maximum number of discovered peers supported by the system.

Range

0 to 512

Introduced

21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

tx-while-sync-uncertain boolean

Synopsis

Send Announce messages while clock is unsynchronized

Context

configure system ptp tx-while-sync-uncertain boolean

Tree

tx-while-sync-uncertain

Description

When configured to true, the local PTP clock transmits Announce messages to downstream clocks to indicate it has not yet stabilized on the recovered synchronization source (upstream clocks or GM clock). While the PTP clock is unsynchronized, the SyncUncertain state is true.

When configured to false, the local PTP clock does not send Announce messages to downstream clocks to indicate it is not synchronized to a valid timing source. If the SyncUncertain state of the clock is true while this command is configured to false, unicast negotiation grant requests are not granted and current grants are canceled.

Default

true

Introduced

22.2.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

Administrative state of the script

Context

configure system script-control script string owner string admin-state keyword

Tree

configure system security

Default

disable

Options

enable, disable

Introduced

16.0.R1

Platforms

All

description string

Synopsis

Platforms

All

expire-time (number | keyword)

Synopsis

Maximum amount of time to keep a run history status

Context

configure system script-control script-policy string owner string expire-time (number | keyword)

Tree

expire-time

Range

0 to 21474836

Default

3600

Units

seconds

Options

forever

Introduced

16.0.R1

Platforms

All

lifetime (number | keyword)

Synopsis

Maximum amount of time the script may run

Context

configure system script-control script-policy string owner string lifetime (number | keyword)

Tree

lifetime

Range

0 to 21474836

Default

3600

Units

16.0.R1

Platforms

All

python-lifetime number

Synopsis

Maximum time the Python application can run

Context

configure system script-control script-policy string owner string python-lifetime number

16.0.R1

Platforms

All

owner string

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Script owner

Context

configure system script-control script-policy string owner string script owner string

Tree

owner

String Length

1 to 32

Introduced

16.0.R1

Platforms

All

security

Synopsis

Enter the security context

Context

Tree

security

Description

Commands in this context configure central security settings such as DDoS protection, users, authorization profiles, and certificates.

Access to these commands should be restricted to highly trusted users and device administrators.

Introduced

16.0.R1

Platforms

All

aaa

Synopsis

Enter the aaa context

Context

configure system security aaa

Tree

aaa

Introduced

16.0.R1

Platforms

All

cli-session-group [cli-session-group-name] string

Synopsis

Enter the cli-session-group list instance

Context

configure system security aaa cli-session-group string

Tree

cli-session-group

6 to 1500

Default

Units

seconds

Options

none

Introduced

16.0.R1

Platforms

All

Action for non-matching entry

Context

Platforms

All

action keyword

Synopsis

Platforms

All

gnmi-capabilities keyword

Synopsis

gNMI Capabilities RPC authorization

Context

configure system security aaa local-profiles profile string grpc rpc-authorization gnmi-capabilities keyword

Tree

gnmi-capabilities

Default

permit

Options

permit, deny

Introduced

16.0.R1

Platforms

All

gnmi-get keyword

Synopsis

gNMI Get RPC authorization

Context

configure system security aaa local-profiles profile string grpc rpc-authorization gnmi-get keyword

Tree

gnmi-get

Default

permit

Options

permit, deny

Introduced

16.0.R1

Platforms

All

gnmi-set keyword

Synopsis

gNMI Set RPC authorization

Context

configure system security aaa local-profiles profile string grpc rpc-authorization gnmi-set keyword

Tree

gnmi-set

Default

permit

Options

permit, deny

Introduced

16.0.R1

Platforms

All

gnmi-subscribe keyword

Synopsis

gNMI Subscribe RPC authorization

Context

configure system security aaa local-profiles profile string grpc rpc-authorization gnmi-subscribe keyword

Tree

gnmi-subscribe

Default

permit

Options

permit, deny

Introduced

16.0.R1

Platforms

All

gnoi-cert-mgmt-cangenerate keyword

Synopsis

gNOI CanGenerateCSR RPC authorization

Context

configure system security aaa local-profiles profile string grpc rpc-authorization gnoi-cert-mgmt-cangenerate keyword

Tree

gnoi-cert-mgmt-cangenerate

Default

deny

Options

permit, deny

Introduced

19.10.R1

Platforms

All

gnoi-cert-mgmt-getcert keyword

Synopsis

gNOI GetCertificates RPC authorization

Context

configure system security aaa local-profiles profile string grpc rpc-authorization gnoi-cert-mgmt-getcert keyword

Tree

gnoi-cert-mgmt-getcert

Default

deny

Options

permit, deny

Introduced

19.10.R1

Platforms

All

gnoi-cert-mgmt-install keyword

Synopsis

gNOI Install RPC authorization

Context

configure system security aaa local-profiles profile string grpc rpc-authorization gnoi-cert-mgmt-install keyword

Tree

gnoi-cert-mgmt-install

Default

deny

Options

permit, deny

Introduced

19.10.R1

Platforms

All

gnoi-cert-mgmt-revoke keyword

Synopsis

gNOI RevokeCertificates RPC authorization

Context

configure system security aaa local-profiles profile string grpc rpc-authorization gnoi-cert-mgmt-revoke keyword

Tree

gnoi-cert-mgmt-revoke

Default

deny

Options

permit, deny

Introduced

20.2.R1

Platforms

All

gnoi-cert-mgmt-rotate keyword

Synopsis

gNOI Rotate RPC authorization

Context

configure system security aaa local-profiles profile string grpc rpc-authorization gnoi-cert-mgmt-rotate keyword

Tree

gnoi-cert-mgmt-rotate

Default

deny

Options

permit, deny

Introduced

19.10.R1

Platforms

All

gnoi-file-get keyword

Synopsis

gNOI File Get RPC authorization

Context

configure system security aaa local-profiles profile string grpc rpc-authorization gnoi-file-get keyword

Tree

gnoi-file-get

Default

permit

Options

permit, deny

Introduced

21.2.R1

Platforms

All

gnoi-file-put keyword

Synopsis

gNOI File Put RPC authorization

Context

configure system security aaa local-profiles profile string grpc rpc-authorization gnoi-file-put keyword

Tree

gnoi-file-put

Default

permit

Options

permit, deny

Introduced

21.2.R1

Platforms

All

gnoi-file-remove keyword

Synopsis

gNOI File Remove RPC authorization

Context

configure system security aaa local-profiles profile string grpc rpc-authorization gnoi-file-remove keyword

Tree

gnoi-file-remove

Default

permit

Options

permit, deny

Introduced

21.2.R1

Platforms

All

gnoi-file-stat keyword

Synopsis

gNOI File Stat RPC authorization

Context

configure system security aaa local-profiles profile string grpc rpc-authorization gnoi-file-stat keyword

Tree

gnoi-file-stat

Default

permit

Options

permit, deny

Introduced

21.2.R1

Platforms

All

gnoi-file-transfertoremote keyword

Synopsis

gNOI File TransferToRemote RPC authorization

Context

configure system security aaa local-profiles profile string grpc rpc-authorization gnoi-file-transfertoremote keyword

Tree

gnoi-file-transfertoremote

Default

permit

Options

permit, deny

Introduced

21.7.R1

Platforms

All

gnoi-system-cancelreboot keyword

Synopsis

gNOI System CancelReboot RPC authorization

Context

configure system security aaa local-profiles profile string grpc rpc-authorization gnoi-system-cancelreboot keyword

Tree

gnoi-system-cancelreboot

Default

deny

Options

permit, deny

Introduced

20.5.R1

Platforms

All

gnoi-system-ping keyword

Synopsis

gNOI System Ping RPC authorization

Context

configure system security aaa local-profiles profile string grpc rpc-authorization gnoi-system-ping keyword

Tree

gnoi-system-ping

Default

permit

Options

permit, deny

Introduced

21.7.R1

Platforms

All

gnoi-system-reboot keyword

Synopsis

gNOI System Reboot RPC authorization

Context

configure system security aaa local-profiles profile string grpc rpc-authorization gnoi-system-reboot keyword

Tree

gnoi-system-reboot

Default

deny

Options

permit, deny

Introduced

20.5.R1

Platforms

All

gnoi-system-rebootstatus keyword

Synopsis

gNOI System RebootStatus RPC authorization

Context

configure system security aaa local-profiles profile string grpc rpc-authorization gnoi-system-rebootstatus keyword

Tree

gnoi-system-rebootstatus

Default

deny

Options

permit, deny

Introduced

20.5.R1

Platforms

All

gnoi-system-setpackage keyword

Synopsis

gNOI System SetPackage RPC authorization

Context

configure system security aaa local-profiles profile string grpc rpc-authorization gnoi-system-setpackage keyword

Tree

gnoi-system-setpackage

Default

deny

Options

permit, deny

Introduced

20.5.R1

Platforms

All

gnoi-system-switchcontrolprocessor keyword

Synopsis

gNOI System SwitchControlProcessor RPC authorization

Context

configure system security aaa local-profiles profile string grpc rpc-authorization gnoi-system-switchcontrolprocessor keyword

Tree

gnoi-system-switchcontrolprocessor

Default

deny

Options

permit, deny

Introduced

20.5.R1

Platforms

All

gnoi-system-time keyword

Synopsis

gNOI System Time RPC authorization

Context

configure system security aaa local-profiles profile string grpc rpc-authorization gnoi-system-time keyword

Tree

gnoi-system-time

Default

permit

Options

permit, deny

Introduced

21.7.R1

Platforms

All

gnoi-system-traceroute keyword

Synopsis

gNOI System Traceroute RPC authorization

Context

configure system security aaa local-profiles profile string grpc rpc-authorization gnoi-system-traceroute keyword

Tree

gnoi-system-traceroute

Default

permit

Options

permit, deny

Introduced

21.7.R1

Platforms

All

md-cli-session keyword

Synopsis

gNOI MdCli Session RPC authorization

Context

configure system security aaa local-profiles profile string grpc rpc-authorization md-cli-session keyword

Tree

md-cli-session

Default

permit

Options

permit, deny

Introduced

20.5.R1

Platforms

All

rib-api-getversion keyword

Synopsis

RibApi GetVersion RPC authorization

Context

configure system security aaa local-profiles profile string grpc rpc-authorization rib-api-getversion keyword

Tree

rib-api-getversion

Default

permit

Options

permit, deny

Introduced

16.0.R4

Platforms

All

rib-api-modify keyword

Synopsis

RibApi Modify RPC authorization

Context

configure system security aaa local-profiles profile string grpc rpc-authorization rib-api-modify keyword

Tree

rib-api-modify

Default

permit

Options

permit, deny

Introduced

16.0.R4

Platforms

All

li boolean

Synopsis

Allow lawful intercept profile ID

Context

configure system security aaa local-profiles profile string li boolean

Tree

Default

false

Introduced

19.10.R1

Platforms

All

netconf

Synopsis

Enter the netconf context

Context

configure system security aaa local-profiles profile string netconf

Tree

configure system security aaa management-interface

Introduced

16.0.R1

Platforms

All

base-op-authorization

Synopsis

Enter the base-op-authorization context

Context

configure system security aaa local-profiles profile string netconf base-op-authorization

Tree

base-op-authorization

Description

Description

When configured to true, this command enables the NETCONF create-subscription operation in the default profile.

Tree

management-interface

Introduced

20.10.R1

Platforms

All

md-cli

Synopsis

Enter the md-cli context

Context

configure system security aaa management-interface md-cli

Tree

md-cli

Introduced

20.10.R1

Platforms

All

command-accounting-during-load boolean

Synopsis

Perform remote command accounting during a load or rollback operation

Context

configure system security aaa management-interface md-cli command-accounting-during-load boolean

Tree

command-accounting-during-load

Default

true

Introduced

20.10.R1

Platforms

All

output-authorization

Synopsis

Enter the output-authorization context

Context

configure system security aaa management-interface output-authorization

Tree

output-authorization

Description

Commands in this context configure output authorization for model-driven interfaces and telemetry.

When output authorization is performed, commands that display configuration or state output must authorize every element in the output. If a remote AAA server is configured, there may be delays in displaying output while the output is authorized. The remote AAA server may receive a large volume of authorization requests when substantial output displays are needed, such as for system configuration details.

Input to edit the configuration is always authorized, and is not affected by commands in this context.

Introduced

20.10.R1

Platforms

All

md-interfaces boolean

Synopsis

Authorize output in model-driven interfaces

Context

configure system security aaa management-interface output-authorization md-interfaces boolean

Tree

md-interfaces

Description

When configured to true, output is authorized for the following:

MD-CLI info and compare commands

command completion of list key values

NETCONF <get> and <get-config> RPCs, and gRPC/gNMI Get RPCs

Default

true

Introduced

20.10.R1

Platforms

All

telemetry-data boolean

Synopsis

Introduced

16.0.R1

Platforms

All

public-key-authentication boolean

Synopsis

Allow SSH public key authentication from LDAP server

Context

configure system security aaa remote-servers ldap public-key-authentication boolean

Tree

public-key-authentication

Default

false

Introduced

16.0.R1

Platforms

All

route-preference keyword

Synopsis

Route preference to reach the AAA server

Context

configure system security aaa remote-servers ldap route-preference keyword

Tree

route-preference

Description

This command specifies the routing preference to reach the AAA server. If the configured option is to use both in-band and out-of-band routes, the out-of-band routes in the Base routing instance are used to reach the server before the in-band routes in the management routing instance.

Default

both

Options

both, inband, outband

Introduced

21.5.R1

Platforms

All

server [index] number

Synopsis

Enter the server list instance

Context

configure system security aaa remote-servers ldap server number

Tree

Max. Elements

Introduced

16.0.R1

Platforms

All

[index] number

Synopsis

LDAP server ID

Context

configure system security aaa remote-servers ldap server number

Range

1 to 5

Notes

This element is part of a list key.

Introduced

16.0.R1

Platforms

All

address [ip-address] (ipv4-address-no-zone | ipv6-address-no-zone)

Synopsis

Enter the address list instance

Context

configure system security aaa remote-servers ldap server number address (ipv4-address-no-zone | ipv6-address-no-zone)

Tree

Max. Elements

Introduced

16.0.R1

Platforms

All

[ip-address] (ipv4-address-no-zone | ipv6-address-no-zone)

Synopsis

LDAP server address

Context

configure system security aaa remote-servers ldap server number address (ipv4-address-no-zone | ipv6-address-no-zone)

Notes

This element is part of a list key.

Introduced

16.0.R1

Platforms

All

port number

Synopsis

Port number on which to contact the LDAP server

Context

Enter the search context

Context

configure system security aaa remote-servers ldap server number search

Tree

Introduced

16.0.R1

Platforms

All

base-dn string

Synopsis

LDAP server search base domain name

Context

configure system security aaa remote-servers ldap server number search base-dn string

Tree

base-dn

String Length

1 to 512

Introduced

16.0.R1

Platforms

All

server-name string

Synopsis

LDAP server name

Context

16.0.R1

Platforms

All

server-timeout number

Synopsis

Timeout for a response from the LDAP server

Context

configure system security aaa remote-servers ldap server-timeout number

Tree

server-timeout

Range

1 to 90

Default

Units

seconds

Introduced

16.0.R1

Platforms

All

Platforms

All

admin-state keyword

Synopsis

Platforms

All

route-preference keyword

Synopsis

Route preference to reach the AAA server

Context

configure system security aaa remote-servers radius route-preference keyword

Tree

route-preference

Description

Default

both

Options

both, inband, outband

Introduced

21.5.R1

Platforms

All

server [index] number

Synopsis

Enter the server list instance

Context

configure system security aaa remote-servers radius server number

Tree

configure system security aaa remote-servers tacplus admin-control

This command specifies the TLS client profile used to encrypt RADIUS communication. When configured, RADIUS messages are sent using TLS.

Reference

configure system security tls client-tls-profile string

Introduced

21.10.R1

Platforms

All

server-retry number

Synopsis

Number of attempts to retry contacting RADIUS server

Context

configure system security aaa remote-servers radius server-retry number

Tree

server-retry

Range

1 to 10

Default

Introduced

16.0.R1

Platforms

All

server-timeout number

Synopsis

Time to wait for a response from the RADIUS server

Context

configure system security aaa remote-servers radius server-timeout number

Tree

server-timeout

Range

1 to 90

Default

Units

seconds

Introduced

16.0.R1

Platforms

All

use-default-template boolean

Synopsis

Introduced

16.0.R1

Platforms

All

admin-control

Synopsis

Enter the admin-control context

Context

Tree

admin-control

Introduced

16.0.R1

Platforms

All

tacplus-map-to-priv-lvl number

Synopsis

Interactive authentication from node to TACACS+ server

Context

configure system security aaa remote-servers tacplus admin-control tacplus-map-to-priv-lvl number

Tree

tacplus-map-to-priv-lvl

Range

0 to 15

Introduced

16.0.R1

Platforms

All

admin-state keyword

Synopsis

Administrative state of the TACACS+ protocol

Context

Platforms

All

access-operation-cmd keyword

Synopsis

Access operations sent in authorization requests

Context

configure system security aaa remote-servers tacplus authorization request-format access-operation-cmd keyword

Tree

access-operation-cmd

Description

This command sends an operation argument in authorization requests.

In model-driven interfaces, this command configures the system to send the operation in the cmd argument, and the path in the cmd-args argument, in TACACS+ authorization requests. This command does not apply to authorization requests in classic interfaces.

Options

delete

Max. Elements

Introduced

21.10.R3

Platforms

All

use-priv-lvl boolean

Synopsis

Allow privilege level mapping

Context

configure system security aaa remote-servers tacplus authorization use-priv-lvl boolean

Tree

use-priv-lvl

Description

When configured to true, this command automatically performs a single authorization request to the TACACS+ server for cmd* (all commands) immediately after login, and then uses the local profile associated (via the priv-lvl-map) with the priv-lvl returned by the TACACS+ server for all subsequent authorization (except enable-admin). After the initial authorization for cmd*, no further authorization requests are sent to the TACACS+ server (except enable-admin).

When configured to false, each command is sent to the TACACS+ server for authorization (this is true regardless of whether the tacplus use-default-template setting is enabled).

Default

false

Introduced

16.0.R1

Platforms

All

interactive-authentication boolean

Synopsis

Platforms

All

user-profile-name reference

Synopsis

User profile for the mapping

Context

configure system security aaa remote-servers tacplus priv-lvl-map priv-lvl number user-profile-name reference

Tree

user-profile-name

Reference

configure system security aaa local-profiles profile string

Notes

This element is mandatory.

Introduced

16.0.R1

Platforms

All

route-preference keyword

Synopsis

Route preference to reach the AAA server

Context

configure system security aaa remote-servers tacplus route-preference keyword

Tree

route-preference

Description

Default

both

Options

both, inband, outband

Introduced

21.5.R1

Platforms

All

server [index] number

Synopsis

Enter the server list instance

Context

configure system security aaa remote-servers tacplus server number

Tree

Max. Elements

Introduced

16.0.R1

Platforms

All

[index] number

Synopsis

TACACS+ server ID

Context

16.0.R1

Platforms

All

secret string

Synopsis

Secret key to access the TACACS+ server

Context

configure system security aaa remote-servers tacplus server number secret string

Tree

secret

String Length

1 to 199

Notes

This element is mandatory.

Introduced

16.0.R1

Platforms

All

server-timeout number

Synopsis

Time to wait for a response from the TACACS+ server

Context

configure system security aaa remote-servers tacplus server-timeout number

Tree

server-timeout

Range

1 to 90

Default

Units

seconds

Introduced

16.0.R1

Platforms

All

use-default-template boolean

Synopsis

Introduced

22.2.R1

Platforms

All

outband reference

Synopsis

VPRN server used for AAA by out-of-band sessions

Context

configure system security aaa remote-servers vprn-server outband reference

Tree

outband

Description

This command configures TACACS+ and RADIUS servers in a VPRN to be used for AAA by that VPRN and by sessions on the console or out-of-band (OOB) Ethernet ports.

Reference

configure service vprn string

Introduced

22.2.R1

Platforms

All

vprn reference

Synopsis

VPRN server used for AAA in VPRNs without a AAA server

Context

Platforms

All

Allow access to lawful intercept

Context

configure system security aaa user-template keyword access li boolean

Tree

Default

false

Introduced

19.10.R1

Platforms

All

netconf boolean

Synopsis

Allow NETCONF session access

Context

configure system security aaa user-template keyword access netconf boolean

Tree

configure system security cpm-filter

Default

false

Introduced

16.0.R1

Platforms

All

console

Synopsis

Enter the console context

Context

configure system security aaa user-template keyword console

Tree

console

Introduced

16.0.R1

Platforms

All

login-exec string

Synopsis

File to execute for a successful user login via console

Context

configure system security aaa user-template keyword console login-exec string

cli-script

Introduced

16.0.R1

Platforms

All

Enter the cpm-filter context

Context

Tree

cpm-filter

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

default-action keyword

Synopsis

Action for packets that do not match any filter entries

Context

configure system security cpm-filter default-action keyword

Tree

configure system security cpm-filter ip-filter

Default

Options

drop, accept

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

ip-filter

Synopsis

Enter the ip-filter context

Context

Tree

ip-filter

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

admin-state keyword

Synopsis

Administrative state of the CPM filter

Context

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

action

Synopsis

Enter the action context

Context

configure system security cpm-filter ip-filter entry number action

Tree

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

accept

Synopsis

Forward matching packets

Context

configure system security cpm-filter ip-filter entry number action accept

configure system security cpm-filter ip-filter entry number match

Tree

match

Description

Commands in this context specify match criteria for the entry. When the match criteria have been satisfied, the action associated with the entry is executed.

If more than one match criterion is configured, all criteria must be met before the action associated with the entry is executed.

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

dscp keyword

Synopsis

DSCP used as the match criterion on the packet

Context

configure system security cpm-filter ip-filter entry number match dscp keyword

Tree

dscp

Options

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

dst-ip

Synopsis

Enter the dst-ip context

Context

configure system security cpm-filter ip-filter entry number match dst-ip

Tree

dst-ip

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

address (ipv4-address | ipv4-prefix-with-host-bits)

Synopsis

IPv4 address used as the match criterion

Context

configure system security cpm-filter ip-filter entry number match dst-ip address (ipv4-address | ipv4-prefix-with-host-bits)

Tree

Notes

The following elements are part of a choice: (address and mask) or ip-prefix-list.

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

ip-prefix-list reference

Synopsis

eq number

Synopsis

Port number as the match criterion

Context

configure system security cpm-filter ip-filter entry number match dst-port eq number

Tree

Range

0 to 65535

Notes

The following elements are part of a choice: (eq and mask), port-list, or range.

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

mask number

Synopsis

Port mask as the match criterion

Context

configure system security cpm-filter ip-filter entry number match dst-port mask number

Tree

Range

1 to 65535

Default

65535

Notes

The following elements are part of a choice: (eq and mask), port-list, or range.

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

port-list reference

Synopsis

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

start number

Synopsis

Lower bound of the port number to match

Context

configure system security cpm-filter ip-filter entry number match dst-port range start number

Tree

Range

0 to 65535

Notes

This element is mandatory.

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

fragment keyword

Synopsis

Match criterion based on presence of fragmented packets

Context

configure system security cpm-filter ip-filter entry number match fragment keyword

Tree

fragment

Description

This command specifies the match criterion based on the existence or absence of fragmented IP packets.

Matching on fragmented IPv4 packets occurs when all packets have either the MF (more fragment) bit set or have the Fragment Offset field of the IP header set to a non-zero value. For IPv6, the existence of the IPv6 Fragmentation Extension Header results in a fragmented packet match.

Matching on non-fragmented IPv4 packets occurs when all packets have the MF bit set to zero and the Fragment Offset field is also set to zero. For IPv6, the absence of an IPv6 Fragmentation Extension Header results in a non-fragmented packet match.

Options

false, true

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

icmp

Synopsis

Enter the icmp context

Context

configure system security cpm-filter ip-filter entry number match icmp

Tree

icmp

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

eq number

Synopsis

Port number as the match criterion

Context

configure system security cpm-filter ip-filter entry number match port eq number

Tree

Range

0 to 65535

Notes

The following elements are part of a choice: (eq and mask), port-list, or range.

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

mask number

Synopsis

Port mask as the match criterion

Context

configure system security cpm-filter ip-filter entry number match port mask number

Tree

Range

1 to 65535

Default

65535

Notes

The following elements are part of a choice: (eq and mask), port-list, or range.

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

port-list reference

Synopsis

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

start number

Synopsis

Lower bound of the port number to match

Context

configure system security cpm-filter ip-filter entry number match port range start number

Tree

Range

0 to 65535

Notes

This element is mandatory.

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

protocol (number | keyword)

Synopsis

IP protocol as the match criterion

Context

configure system security cpm-filter ip-filter entry number match protocol (number | keyword)

Tree

protocol

Range

0 to 255

Options

tcp-udp, icmp, igmp, ip, tcp, egp, igp, udp, rdp, ipv6, ipv6-route, ipv6-frag, idrp, rsvp, gre, ipv6-icmp, ipv6-no-nxt, ipv6-opts, iso-ip, eigrp, ospf-igp, ether-ip, encap, pnni, pim, vrrp, l2tp, stp, ptp, isis, crtp, crudp, sctp

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

router-instance string

Synopsis

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

ip-prefix-list reference

Synopsis

eq number

Synopsis

Port number as the match criterion

Context

configure system security cpm-filter ip-filter entry number match src-port eq number

Tree

Range

0 to 65535

Notes

The following elements are part of a choice: (eq and mask), port-list, or range.

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

mask number

Synopsis

Port mask as the match criterion

Context

configure system security cpm-filter ip-filter entry number match src-port mask number

Tree

Range

1 to 65535

Default

65535

Notes

The following elements are part of a choice: (eq and mask), port-list, or range.

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

port-list reference

Synopsis

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

start number

Synopsis

Lower bound of the port number to match

Context

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

entry [entry-id] number

Synopsis

Enter the entry list instance

Context

configure system security cpm-filter ipv6-filter entry number

Tree

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

[entry-id] number

Synopsis

Filter entry ID

Context

configure system security cpm-filter ipv6-filter entry number

Range

1 to 131072

Notes

This element is part of a list key.

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

action

Synopsis

Enter the action context

Context

configure system security cpm-filter ipv6-filter entry number action

Tree

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

accept

Synopsis

Forward matching packets

Context

configure system security cpm-filter ipv6-filter entry number action accept

configure system security cpm-filter ipv6-filter entry number match

Tree

match

Description

Commands in this context specify match criteria for the entry. When the match criteria have been satisfied, the action associated with the entry is executed.

If more than one match criterion is configured, all criteria must be met before the action associated with the entry is executed.

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

dscp keyword

Synopsis

DSCP used as the match criterion on the packet

Context

configure system security cpm-filter ipv6-filter entry number match dscp keyword

Tree

dscp

Options

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

dst-ip

Synopsis

Enter the dst-ip context

Context

configure system security cpm-filter ipv6-filter entry number match dst-ip

Tree

dst-ip

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

address (ipv6-address | ipv6-prefix-with-host-bits)

Synopsis

IPv6 address used as the match criterion

Context

configure system security cpm-filter ipv6-filter entry number match dst-ip address (ipv6-address | ipv6-prefix-with-host-bits)

Tree

Notes

The following elements are part of a choice: (address and mask) or ipv6-prefix-list.

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

ipv6-prefix-list reference

Synopsis

eq number

Synopsis

Port number as the match criterion

Context

configure system security cpm-filter ipv6-filter entry number match dst-port eq number

Tree

Range

0 to 65535

Notes

The following elements are part of a choice: (eq and mask), port-list, or range.

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

mask number

Synopsis

Port mask as the match criterion

Context

configure system security cpm-filter ipv6-filter entry number match dst-port mask number

Tree

Range

1 to 65535

Default

65535

Notes

The following elements are part of a choice: (eq and mask), port-list, or range.

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

port-list reference

Synopsis

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

start number

Synopsis

Lower bound of the port number to match

Context

configure system security cpm-filter ipv6-filter entry number match dst-port range start number

Tree

Range

0 to 65535

Notes

This element is mandatory.

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

extension-header

Synopsis

Enter the extension-header context

Context

configure system security cpm-filter ipv6-filter entry number match extension-header

Tree

extension-header

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

hop-by-hop boolean

Synopsis

Match on existence of Hop-By-Hop Options Header

Context

configure system security cpm-filter ipv6-filter entry number match extension-header hop-by-hop boolean

Tree

hop-by-hop

Description

When configured to true, a match occurs when the Hop-by-Hop Options Extension Header is present.

When configured to false, a match occurs when the Hop-by-Hop Options Extension Header is not present.

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

flow-label number

Synopsis

IP protocol to match

Context

configure system security cpm-filter ipv6-filter entry number match next-header (number | keyword)

Tree

next-header

Range

0 to 255

Options

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

port

Synopsis

Enter the port context

Context

configure system security cpm-filter ipv6-filter entry number match port

Tree

port

Notes

The following elements are part of a choice: port or (dst-port and src-port).

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

eq number

Synopsis

Port number as the match criterion

Context

configure system security cpm-filter ipv6-filter entry number match port eq number

Tree

Range

0 to 65535

Notes

The following elements are part of a choice: (eq and mask), port-list, or range.

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

mask number

Synopsis

Port mask as the match criterion

Context

configure system security cpm-filter ipv6-filter entry number match port mask number

Tree

Range

1 to 65535

Default

65535

Notes

The following elements are part of a choice: (eq and mask), port-list, or range.

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

port-list reference

Synopsis

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

start number

Synopsis

Lower bound of the port number to match

Context

configure system security cpm-filter ipv6-filter entry number match port range start number

Tree

Range

0 to 65535

Notes

This element is mandatory.

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

router-instance string

Synopsis

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

ipv6-prefix-list reference

Synopsis

eq number

Synopsis

Port number as the match criterion

Context

configure system security cpm-filter ipv6-filter entry number match src-port eq number

Tree

Range

0 to 65535

Notes

The following elements are part of a choice: (eq and mask), port-list, or range.

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

mask number

Synopsis

Port mask as the match criterion

Context

configure system security cpm-filter ipv6-filter entry number match src-port mask number

Tree

Range

1 to 65535

Default

65535

Notes

The following elements are part of a choice: (eq and mask), port-list, or range.

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

port-list reference

Synopsis

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

start number

Synopsis

Lower bound of the port number to match

Context

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

entry [entry-id] number

Synopsis

Enter the entry list instance

Context

configure system security cpm-filter mac-filter entry number

Tree

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

[entry-id] number

Synopsis

Filter entry ID

Context

configure system security cpm-filter mac-filter entry number

Range

1 to 131072

Notes

This element is part of a list key.

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

action

Synopsis

Enter the action context

Context

configure system security cpm-filter mac-filter entry number action

Tree

configure system security cpu-protection

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

accept

Synopsis

Forward matching packets

Context

configure system security cpm-filter mac-filter entry number action accept

configure system security cpm-filter mac-filter entry number match

Tree

match

Description

Commands in this context specify match criteria for the entry. When the match criteria have been satisfied, the action associated with the entry is executed.

If more than one match criterion is configured, all criteria must be met before the action associated with the entry is executed.

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

cfm-opcode

Synopsis

Enter the cfm-opcode context

Context

Tree

range

Notes

The following elements are part of a choice: eq, gt, lt, or range.

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

end number

Synopsis

Upper bound of the Opcode range to match

Context

Ethernet type as the match criterion

Context

configure system security cpm-filter mac-filter entry number match etype string

Tree

etype

Description

Tree

dsap

Range

0 to 255

Notes

This element is mandatory.

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

mask number

Synopsis

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

ssap number

Synopsis

8-bit SSAP as the match criterion

Context

configure system security cpm-filter mac-filter entry number match llc-ssap ssap number

Tree

ssap

Range

0 to 255

Notes

This element is mandatory.

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

service reference

Synopsis

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

mask string

Synopsis

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

cbs number

Synopsis

Buffer size that can be drawn from queue buffer pool

Context

configure system security cpm-queue queue number cbs number

Tree

cbs

Description

This command specifies the amount of buffer that can be drawn from the reserved buffer portion of the buffer pool of the queue.

Range

0 to 131072

Units

kilobps

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

mbs number

Synopsis

Maximum queue depth to which the queue can grow

Context

Units

kilobps

Options

max

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

pir (number | keyword)

Synopsis

Peak Information Rate for the queue

Context

configure system security cpm-queue queue number rate pir (number | keyword)

Tree

pir

Range

1 to 100000000

Default

max

Units

kilobps

Options

max

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

cpu-protection

Synopsis

Enter the cpu-protection context

Context

Tree

cpu-protection

Description

Commands in this context configure CPU protection policies.

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

ip-src-monitoring

Synopsis

Enter the ip-src-monitoring context

Context

configure system security cpu-protection ip-src-monitoring

Tree

ip-src-monitoring

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

included-protocols

Synopsis

Enter the included-protocols context

Context

configure system security cpu-protection ip-src-monitoring included-protocols

Tree

included-protocols

Description

Description

This command configures a link-specific rate for CPU protection. The limit is applied to all ports within the system. The CPU receives no more than the configured packet rate for all link level protocols, such as LACP, from any one port.

The measurement is cleared each second and is based on the ingress port.

Range

1 to 65535

Units

packets per second

Options

max

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

policy [policy-id] number

Synopsis

Enter the policy list instance

Context

configure system security cpu-protection policy number

Tree

policy

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

[policy-id] number

Synopsis

Policy ID

Context

configure system security cpu-protection policy number

Range

1 to 255

Notes

This element is part of a list key.

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

alarm boolean

Synopsis

Generate an event when the rate is exceeded

Context

configure system security cpu-protection policy number alarm boolean

Tree

alarm

Description

Tree

configure system security cpu-protection port-overall-rate

Max. Elements

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

[id] number

Synopsis

Entry ID

Context

configure system security cpu-protection policy number eth-cfm entry number

Range

1 to 100

Notes

This element is part of a list key.

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

level start number end number

Synopsis

Add a list entry for level

Context

configure system security cpu-protection policy number eth-cfm entry number level start number end number

Tree

level

Description

Commands in this context specify the range of domain levels for the match criterion.

Min. Elements

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

start number

Synopsis

Lower bound of the level range

Context

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

pir (number | keyword)

Synopsis

Packet arrival rate limit

Context

configure system security cpu-protection policy number out-profile-rate pir (number | keyword)

Tree

pir

Range

1 to 65534

Units

packets per second

Options

max

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

overall-rate (number | keyword)

Synopsis

Overall packet arrival rate limit to apply for all sources of packets

Context

configure system security cpu-protection policy number overall-rate (number | keyword)

Tree

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

per-source-rate (number | keyword)

Synopsis

Per-source packet arrival rate limit

Context

configure system security cpu-protection policy number per-source-rate (number | keyword)

Tree

per-source-rate

Description

This command configures the per-source packet arrival rate limit.

A source is defined as a unique combination of SAP and MAC source address or SAP and source IP address. The CPU receives no more than the specified packet rate from each source. The measurement is cleared every second.

This configuration is applicable only if the policy is assigned to an interface (such as SAPs, subscriber interfaces, and spoke SDPs), and MAC monitoring or IP source monitoring is specified in the CPU protection configuration of the interface.

Range

1 to 65534

Default

max

Units

packets per second

Options

max

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

port-overall-rate

Synopsis

Enter the port-overall-rate context

Context

Tree

port-overall-rate

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

action-low-priority boolean

Synopsis

Mark packets that exceed the rate as low-priority

Context

configure system security cpu-protection port-overall-rate action-low-priority boolean

Tree

action-low-priority

Description

When configured to true, packets that exceed the per-port packet arrival rate limit are marked as low priority for preferential discard later (if there is congestion in the control plane) rather than discarded immediately.

Default

false

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

pir (number | keyword)

Synopsis

Per-port packet arrival rate limit

Context

configure system security cpu-protection port-overall-rate pir (number | keyword)

Tree

pir

Range

1 to 65535

Units

packets per second

Options

max

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

protocol-protection

Synopsis

Enable the protocol-protection context

Context

configure system security cpu-protection protocol-protection

Tree

protocol-protection

Description

When enabled, the network processor on the CPM discards all packets received for protocols that are not configured on the interface. This action helps to mitigate DoS attacks by filtering invalid control traffic before it ingresses the CPU. For example, if IS-IS is not configured on an interface, protocol protection discards any IS-IS packets received on the interface.

Commands in this context further define the action when the context is enabled.

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

allow-sham-links boolean

Synopsis

Allow OSPF sham link traffic

Context

configure system security cpu-protection protocol-protection allow-sham-links boolean

Tree

allow-sham-links

Description

When configured to true, tunneled OSPF packets received over the backbone network must be explicitly allowed when OSPF sham links form an adjacency over the MPLS-VPRN backbone network.

Default

false

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

block-pim-tunneled boolean

Synopsis

Block extraction and processing of PIM packets

Context

configure system security cpu-protection protocol-protection block-pim-tunneled boolean

Tree

16.0.R1

Platforms

All

[policy-name] string

Synopsis

Policy name

Context

configure system security dist-cpu-protection policy string

String Length

1 to 32

Notes

This element is part of a list key.

Introduced

16.0.R1

Platforms

All

description string

Synopsis

Text description

Context

configure system security dist-cpu-protection policy string description string

Tree

String Length

1 to 80

Introduced

16.0.R1

Platforms

All

local-monitoring-policer [policer-name] string

Synopsis

Enter the local-monitoring-policer list instance

Context

configure system security dist-cpu-protection policy string local-monitoring-policer string

Tree

local-monitoring-policer

This command specifies the action taken on the extracted control packets when the configured policer rates are exceeded.

Default

none

Options

discard, low-priority, none

Introduced

16.0.R1

Platforms

All

log-events keyword

Synopsis

Control of log events creation for status and activity

Context

configure system security dist-cpu-protection policy string local-monitoring-policer string log-events keyword

Tree

Description

This command controls the creation of log events related to the status and activity of the local monitoring policer.

Default

true

Options

false, true, verbose

Introduced

16.0.R1

Platforms

All

rate

Synopsis

Enter the rate context

Context

configure system security dist-cpu-protection policy string local-monitoring-policer string rate

Tree

rate

Description

Commands in this context specify the rate and burst tolerance for the policer.

The actual hardware may not be able to perfectly rate limit to the exact configured parameters. In this case, the configured parameters will be adapted to the closest supported rate.

Introduced

16.0.R1

Platforms

All

kbps

Synopsis

Enter the kbps context

Context

configure system security dist-cpu-protection policy string local-monitoring-policer string rate kbps

Tree

kbps

Notes

The following elements are part of a choice: kbps or packets.

Introduced

16.0.R1

Platforms

All

limit (keyword | number)

Synopsis

Rate limit

Context

configure system security dist-cpu-protection policy string local-monitoring-policer string rate kbps limit (keyword | number)

Tree

Range

1 to 20000000

Default

max

Units

kilobps

Options

max

Introduced

16.0.R1

Platforms

All

mbs number

Synopsis

Tolerance for the rate

Context

configure system security dist-cpu-protection policy string local-monitoring-policer string rate kbps mbs number

Tree

mbs

Range

0 to 4194304

Units

bytes

Introduced

16.0.R1

Platforms

All

packets

Synopsis

Enter the packets context

Context

configure system security dist-cpu-protection policy string local-monitoring-policer string rate packets

Tree

packets

Notes

This element is the default part of a choice.

The following elements are part of a choice: kbps or packets.

Introduced

16.0.R1

Platforms

All

initial-delay number

Synopsis

Additional packets allowed in an initial burst

Context

configure system security dist-cpu-protection policy string local-monitoring-policer string rate packets initial-delay number

Tree

initial-delay

Description

This command specifies the number of packets allowed in an initial burst (or a burst after the policer bucket has drained to zero) in addition to the packets per interval limit. The typical setting would be a value equal to the number of received packets in several full handshakes or negotiations of the protocol.

Range

0 to 255

Default

Units

packets

Introduced

16.0.R1

Platforms

All

limit (keyword | number)

Synopsis

Packets per interval limit

Context

configure system security dist-cpu-protection policy string local-monitoring-policer string rate packets limit (keyword | number)

Tree

Range

0 to 8000

Default

max

Units

packets per interval

Options

max

Introduced

16.0.R1

Platforms

All

within number

Synopsis

Measurement interval for packets rate

Context

configure system security dist-cpu-protection policy string local-monitoring-policer string rate packets within number

Tree

within

Range

1 to 32767

Default

Units

seconds

Introduced

16.0.R1

Platforms

All

protocol [protocol-name] keyword

Synopsis

Enter the protocol list instance

Context

configure system security dist-cpu-protection policy string protocol keyword

Tree

protocol

Introduced

16.0.R1

Platforms

All

[protocol-name] keyword

Synopsis

Protocol name

Context

configure system security dist-cpu-protection policy string protocol keyword

Options

arp, dhcp, http-redirect, icmp, igmp, mld, ndis, pppoe-pppoa, all-unspecified, mpls-ttl, bfd-cpm, bgp, eth-cfm, isis, ldp, ospf, pim, rsvp, icmp-ping-check, lacp

Notes

This element is part of a list key.

Introduced

16.0.R1

Platforms

All

dynamic-parameters

Synopsis

Enter the dynamic-parameters context

Context

configure system security dist-cpu-protection policy string protocol keyword dynamic-parameters

Tree

dynamic-parameters

Introduced

16.0.R1

Platforms

All

detection-time number

Synopsis

Minimum time the dynamic policer remains allocated

Context

configure system security dist-cpu-protection policy string protocol keyword dynamic-parameters detection-time number

Tree

detection-time

Range

1 to 128000

Default

Units

seconds

Introduced

16.0.R1

Platforms

All

exceed-action

Synopsis

Enter the exceed-action context

Context

configure system security dist-cpu-protection policy string protocol keyword dynamic-parameters exceed-action

Tree

exceed-action

Description

Commands in this context specify the settings for the scenario when the configured policer rates are exceeded.

Introduced

16.0.R1

Platforms

All

action keyword

Synopsis

Action taken on control packets when rates are exceeded

Context

configure system security dist-cpu-protection policy string protocol keyword dynamic-parameters exceed-action action keyword

Tree

Default

none

Options

discard, low-priority, none

Introduced

16.0.R1

Platforms

All

hold-down (keyword | number)

Synopsis

Hold down behavior

Context

configure system security dist-cpu-protection policy string protocol keyword dynamic-parameters exceed-action hold-down (keyword | number)

Tree

hold-down

Description

This command specifies the behavior when the system detects that an enforcement policer has marked or discarded one or more packets and there is no action specified for the scenario when the rates are exceeded.

The hold time condition is cleared after the specified time has expired. The detection time (the minimum time that the policer remains allocated) begins after the hold down is complete. The hold down behavior is not applicable to a local monitoring policer.

An indefinite hold down behavior must be cleared using the tools perform security dist-cpu-protection release-hold-down command.

Range

1 to 10080

Default

none

Units

seconds

Options

indefinite, none

Introduced

16.0.R1

Platforms

All

log-events keyword

Synopsis

Control of log events creation for status and activity

Context

configure system security dist-cpu-protection policy string protocol keyword dynamic-parameters log-events keyword

Tree

Description

This command controls the creation of log events related to the status and activity of the local monitoring policer.

Default

true

Options

false, true, verbose

Introduced

16.0.R1

Platforms

All

rate

Synopsis

Enter the rate context

Context

configure system security dist-cpu-protection policy string protocol keyword dynamic-parameters rate

Tree

rate

Description

Commands in this context specify the rate and burst tolerance for the policer.

The actual hardware may not be able to perfectly rate limit to the exact configured parameters. In this case, the configured parameters will be adapted to the closest supported rate.

Introduced

16.0.R1

Platforms

All

kbps

Synopsis

Enter the kbps context

Context

configure system security dist-cpu-protection policy string protocol keyword dynamic-parameters rate kbps

Tree

kbps

Notes

The following elements are part of a choice: kbps or packets.

Introduced

16.0.R1

Platforms

All

limit (keyword | number)

Synopsis

Rate limit

Context

configure system security dist-cpu-protection policy string protocol keyword dynamic-parameters rate kbps limit (keyword | number)

Tree

Range

1 to 20000000

Default

max

Units

kilobps

Options

max

Introduced

16.0.R1

Platforms

All

mbs number

Synopsis

Tolerance for the rate

Context

configure system security dist-cpu-protection policy string protocol keyword dynamic-parameters rate kbps mbs number

Tree

mbs

Range

0 to 4194304

Units

bytes

Introduced

16.0.R1

Platforms

All

packets

Synopsis

Enter the packets context

Context

configure system security dist-cpu-protection policy string protocol keyword dynamic-parameters rate packets

Tree

packets

Notes

This element is the default part of a choice.

The following elements are part of a choice: kbps or packets.

Introduced

16.0.R1

Platforms

All

initial-delay number

Synopsis

Additional packets allowed in an initial burst

Context

configure system security dist-cpu-protection policy string protocol keyword dynamic-parameters rate packets initial-delay number

Tree

initial-delay

Description

Range

0 to 255

Default

Units

packets

Introduced

16.0.R1

Platforms

All

limit (keyword | number)

Synopsis

Packets per interval limit

Context

configure system security dist-cpu-protection policy string protocol keyword dynamic-parameters rate packets limit (keyword | number)

Tree

Range

0 to 8000

Default

max

Units

packets per interval

Options

max

Introduced

16.0.R1

Platforms

All

within number

Synopsis

Measurement interval for packets rate

Context

configure system security dist-cpu-protection policy string protocol keyword dynamic-parameters rate packets within number

Tree

within

Range

1 to 32767

Default

Units

seconds

Introduced

16.0.R1

Platforms

All

enforcement

Synopsis

Enter the enforcement context

Context

configure system security dist-cpu-protection policy string protocol keyword enforcement

Tree

enforcement

Introduced

16.0.R1

Platforms

All

dynamic

Synopsis

Enter the dynamic context

Context

configure system security dist-cpu-protection policy string protocol keyword enforcement dynamic

Tree

dynamic

Notes

The following elements are part of a choice: dynamic, dynamic-local-mon-bypass, or static.

Introduced

16.0.R1

Platforms

All

mon-policer-name reference

Synopsis

Dynamic enforcement policer for the protocol

Context

configure system security dist-cpu-protection policy string protocol keyword enforcement dynamic mon-policer-name reference

Tree

mon-policer-name

Description

This command specifies the dynamic enforcement policer that is instantiated when the associated local monitoring policer is determined to be in a nonconforming state (at the end of a minimum monitoring time of 60 seconds to reduce thrashing).

Reference

configure system security dist-cpu-protection policy string local-monitoring-policer string

Introduced

16.0.R1

Platforms

All

dynamic-local-mon-bypass

Synopsis

Do not include packets in the local monitoring function

Context

configure system security dist-cpu-protection policy string protocol keyword enforcement dynamic-local-mon-bypass

Tree

dynamic-local-mon-bypass

Description

When configured, packets from the protocol are not included in the local monitoring function and the dynamic enforcement policer is not instantiated for the protocol.

Notes

Description

Commands in this context configure a static enforcement policer that can be referenced by one or more protocols in the policy. When a policer is referenced by a protocol, the policer is instantiated for each object (for example, a SAP or network interface) that is created and references the policer.

If no policer resources are available on the associated card or FP, the object is not created.

1 to 128000

Default

Units

seconds

Introduced

16.0.R1

Platforms

All

exceed-action

Synopsis

Enter the exceed-action context

Context

configure system security dist-cpu-protection policy string static-policer string exceed-action

Tree

exceed-action

Description

Commands in this context specify the settings for the scenario when the configured policer rates are exceeded.

Introduced

16.0.R1

Platforms

All

action keyword

Synopsis

Action taken on control packets when rates are exceeded

Context

configure system security dist-cpu-protection policy string static-policer string exceed-action action keyword

Tree

Default

none

Options

discard, low-priority, none

Introduced

16.0.R1

Platforms

All

hold-down (keyword | number)

Synopsis

Hold down behavior

Context

configure system security dist-cpu-protection policy string static-policer string exceed-action hold-down (keyword | number)

Tree

hold-down

Description

An indefinite hold down behavior must be cleared using the tools perform security dist-cpu-protection release-hold-down command.

Range

1 to 10080

Default

none

Units

seconds

Options

indefinite, none

Introduced

16.0.R1

Platforms

All

log-events keyword

Synopsis

Control of log events creation for status and activity

Context

configure system security dist-cpu-protection policy string static-policer string log-events keyword

Tree

Description

This command controls the creation of log events related to the status and activity of the local monitoring policer.

Default

true

Options

false, true, verbose

Introduced

16.0.R1

Platforms

All

rate

Synopsis

Enter the rate context

Context

configure system security dist-cpu-protection policy string static-policer string rate

Tree

rate

Description

Commands in this context specify the rate and burst tolerance for the policer.

The actual hardware may not be able to perfectly rate limit to the exact configured parameters. In this case, the configured parameters will be adapted to the closest supported rate.

Introduced

16.0.R1

Platforms

All

kbps

Synopsis

Enter the kbps context

Context

configure system security dist-cpu-protection policy string static-policer string rate kbps

Tree

kbps

Notes

The following elements are part of a choice: kbps or packets.

Introduced

16.0.R1

Platforms

All

limit (keyword | number)

Synopsis

Rate limit

Context

configure system security dist-cpu-protection policy string static-policer string rate kbps limit (keyword | number)

Tree

Range

1 to 20000000

Default

max

Units

kilobps

Options

max

Introduced

16.0.R1

Platforms

All

mbs number

Synopsis

Tolerance for the rate

Context

configure system security dist-cpu-protection policy string static-policer string rate kbps mbs number

Tree

mbs

Range

0 to 4194304

Units

bytes

Introduced

16.0.R1

Platforms

All

packets

Synopsis

Enter the packets context

Context

configure system security dist-cpu-protection policy string static-policer string rate packets

Tree

packets

Notes

This element is the default part of a choice.

The following elements are part of a choice: kbps or packets.

Introduced

16.0.R1

Platforms

All

initial-delay number

Synopsis

Additional packets allowed in an initial burst

Context

configure system security dist-cpu-protection policy string static-policer string rate packets initial-delay number

Tree

initial-delay

Description

Range

0 to 255

Default

Units

packets

Introduced

16.0.R1

Platforms

All

limit (keyword | number)

Synopsis

Packets per interval limit

Context

configure system security dist-cpu-protection policy string static-policer string rate packets limit (keyword | number)

Tree

Range

0 to 8000

Default

max

Units

packets per interval

Options

max

Introduced

16.0.R1

Platforms

All

within number

Synopsis

Measurement interval for packets rate

Context

configure system security dist-cpu-protection policy string static-policer string rate packets within number

Tree

within

Range

1 to 32767

Default

Tree

retry

Range

1 to 10

Default

Introduced

16.0.R1

Platforms

All

server [server-index] number

Synopsis

Enter the server list instance

Context

configure system security dot1x radius-policy string server number

Tree

configure system security hash-control management-interface classic-cli

Max. Elements

Introduced

16.0.R1

Platforms

All

[server-index] number

Synopsis

RADIUS server index

Context

configure system security dot1x radius-policy string server number

Range

1 to 5

Notes

This element is part of a list key.

Introduced

16.0.R1

Platforms

All

accounting-port number

Synopsis

Platforms

All

secret string

Synopsis

Secret key associated with the RADIUS server

Context

Time assigned between the request retries toward the same RADIUS server

Context

configure system security dot1x radius-policy string timeout number

Tree

timeout

Range

1 to 90

Default

Units

seconds

Introduced

16.0.R1

Platforms

All

ftp-server boolean

Synopsis

Platforms

All

classic-cli

Synopsis

Enter the classic-cli context

Context

Tree

classic-cli

Introduced

16.0.R4

Platforms

All

read-algorithm keyword

Synopsis

Input encryption algorithm for configuration secrets

Context

configure system security hash-control management-interface classic-cli read-algorithm keyword

Tree

read-algorithm

Description

This command specifies how encrypted configuration secrets are interpreted and which encryption types are accepted when secrets are input into the system or read from a configuration file (for example, at system bootup time).

Default

all-hash

Options

all-hash, hash, hash2, custom

Introduced

16.0.R4

Platforms

All

write-algorithm keyword

Synopsis

Output encryption algorithm for configuration secrets

Context

configure system security hash-control management-interface classic-cli write-algorithm keyword

Tree

write-algorithm

Description

This command specifies the format of the output for encrypted configuration secrets (for example, in the saved configuration file, or in the output of the info or show commands).

Default

hash2

Options

cleartext, hash, hash2, custom

Introduced

16.0.R4

Platforms

All

grpc

Synopsis

Enter the grpc context

Context

configure system security hash-control management-interface grpc

Tree

grpc

Introduced

16.0.R4

Platforms

All

hash-algorithm keyword

Synopsis

Encryption algorithm for configuration secrets

Context

configure system security hash-control management-interface grpc hash-algorithm keyword

Tree

hash-algorithm

Description

This command specifies the format of the input and output for encrypted configuration secrets.

Default

hash2

Options

cleartext, hash, hash2, custom

Introduced

16.0.R4

Platforms

All

md-cli

Synopsis

Enter the md-cli context

Context

configure system security hash-control management-interface md-cli

Tree

md-cli

Introduced

16.0.R4

Platforms

All

hash-algorithm keyword

Synopsis

Encryption algorithm for configuration secrets

Context

configure system security hash-control management-interface md-cli hash-algorithm keyword

Tree

hash-algorithm

Description

This command specifies the format of the input and output for encrypted configuration secrets.

Default

hash2

Options

cleartext, hash, hash2, custom

Introduced

16.0.R4

Platforms

All

netconf

Synopsis

Enter the netconf context

Context

configure system security hash-control management-interface netconf

Tree

Introduced

16.0.R4

Platforms

All

hash-algorithm keyword

Synopsis

Encryption algorithm for configuration secrets

Context

configure system security hash-control management-interface netconf hash-algorithm keyword

Tree

hash-algorithm

Description

This command specifies the format of the input and output for encrypted configuration secrets.

Default

hash2

Options

cleartext, hash, hash2, custom

Introduced

16.0.R4

Platforms

All

Administrative state of the keychain

Context

Platforms

All

admin-state keyword

Synopsis

Administrative state of the keychain entry

Context

configure system security keychains keychain string bidirectional entry number admin-state keyword

Tree

Default

enable

Options

enable, disable

Introduced

16.0.R1

Platforms

All

algorithm keyword

Warning:

Modifying this element recreates the parent element automatically for the new value to take effect.

Synopsis

Encryption algorithm used by the keychain key

infinite

Introduced

16.0.R1

Platforms

All

description string

Synopsis

Platforms

All

admin-state keyword

Synopsis

Administrative state of the keychain entry

Context

configure system security keychains keychain string receive entry number admin-state keyword

Tree

Default

enable

Options

enable, disable

Introduced

16.0.R1

Platforms

All

algorithm keyword

Warning:

Modifying this element recreates the parent element automatically for the new value to take effect.

Synopsis

Encryption algorithm used by the keychain key

Context

configure system security keychains keychain string receive entry number algorithm keyword

Tree

algorithm

Options

aes-128-cmac-96, hmac-sha-1-96, password, message-digest, hmac-md5, hmac-sha-1, hmac-sha-256, aes-128-gcm-16

Introduced

16.0.R1

Platforms

All

authentication-key string

Warning:

Modifying this element recreates the parent element automatically for the new value to take effect.

Synopsis

Context

configure system security keychains keychain string send entry number

Range

0 to 63 | 255

Notes

This element is part of a list key.

Introduced

16.0.R1

Platforms

All

admin-state keyword

Synopsis

Administrative state of the keychain entry

Context

configure system security keychains keychain string send entry number admin-state keyword

Tree

configure system security management

Default

enable

Options

enable, disable

Introduced

16.0.R1

Platforms

All

algorithm keyword

Warning:

Modifying this element recreates the parent element automatically for the new value to take effect.

Synopsis

Encryption algorithm used by the keychain key

Context

configure system security keychains keychain string send entry number algorithm keyword

Tree

algorithm

Options

aes-128-cmac-96, hmac-sha-1-96, password, message-digest, hmac-md5, hmac-sha-1, hmac-sha-256, aes-128-gcm-16

Introduced

16.0.R1

Platforms

All

authentication-key string

Warning:

Modifying this element recreates the parent element automatically for the new value to take effect.

Synopsis

Introduced

16.0.R1

Platforms

All

send keyword

Synopsis

TCP option value assigned in the TCP header of transmitted packets

Context

configure system security keychains keychain string tcp-option-number send keyword

Tree

send

Default

option-254

Options

option-253, option-254, tcp-ao

Introduced

16.0.R1

Platforms

All

management

Synopsis

Enter the management context

Context

Tree

management

Description

Commands in this context control which management protocols can be used to access the SR OS router via the 'Base' and 'management' router instances.

Introduced

16.0.R5

Platforms

All

allow-ftp boolean

Synopsis

Allow access to the FTP server

Context

configure system security management allow-ftp boolean

Tree

allow-ftp

Description

When configured to true, this command allows FTP access to the SR OS router via the 'Base' and 'management' router instances.

When configured to false, this command disallows access to the SR OS FTP server.

Default

true

Introduced

16.0.R6

Platforms

All

allow-grpc boolean

Synopsis

Allow access to the gRPC server

Context

configure system security management allow-grpc boolean

Tree

allow-grpc

Description

When configured to true, the system allows access to the gRPC server via the 'Base' and 'management' router instances.

Default

true

Introduced

19.5.R1

Platforms

All

allow-netconf boolean

Synopsis

Allow access to the NETCONF server

Context

configure system security management allow-netconf boolean

Tree

allow-netconf

Description

When configured to true, the system allows NETCONF server access to the SR OS router via the 'Base' and 'management' router instances.

Default

true

Introduced

19.5.R1

Platforms

All

allow-ssh boolean

Synopsis

Allow access to the SSH server

Context

configure system security management allow-ssh boolean

Tree

allow-ssh

Description

When configured to true, this command allows SSH server access to the SR OS router via the 'Base' and 'management' router instances.

When configured to false, this command disallows SSH server access.

Default

true

Introduced

16.0.R5

Platforms

All

allow-telnet boolean

Synopsis

Allow access to the IPv4 Telnet server

Context

configure system security management allow-telnet boolean

Tree

allow-telnet

Description

When configured to true, this command allows IPv4 Telnet server access to the SR OS router via the 'Base' and 'management' router instances.

When configured to false, this command disallows access to the IPv4 Telnet server.

Default

true

Introduced

16.0.R5

Platforms

All

allow-telnet6 boolean

Synopsis

Allow access to the Telnet IPv6 server

Context

configure system security management allow-telnet6 boolean

Tree

allow-telnet6

Description

When configured to true, this command allows IPv6 Telnet server access to the SR OS router via the 'Base' and 'management' router instances.

When configured to false, this command disallows access to the IPv6 Telnet server.

Default

true

Introduced

16.0.R5

Platforms

All

management-access-filter

Synopsis

Enter the management-access-filter context

Context

configure system security management-access-filter

16.0.R4

Platforms

All

default-action keyword

Synopsis

Default action for the management access filter

Context

configure system security management-access-filter ip-filter default-action keyword

Tree

Description

This command specifies the default action for management access in the absence of a specific management access filter match.

Default

ignore-match

Options

ignore-match, accept, drop, reject

Introduced

16.0.R4

Platforms

All

entry [entry-id] number

Synopsis

Enter the entry list instance

Context

configure system security management-access-filter ip-filter entry number

Tree

Introduced

16.0.R4

Platforms

All

[entry-id] number

Synopsis

Entry ID to identify the match criteria and the action

Context

configure system security management-access-filter ip-filter entry number

Description

This command specifies the entry ID to identify the match criteria and the corresponding action. It is recommended that entries are numbered in staggered increments. This allows users to insert a new entry in an existing policy without having to renumber the existing entries.

Range

1 to 9999

Notes

This element is part of a list key.

Introduced

16.0.R4

Platforms

All

action keyword

Context

configure system security management-access-filter ip-filter entry number log-events boolean

Tree

Description

Tree

Range

1 to 65535

Default

65535

Introduced

16.0.R4

Platforms

All

port number

Synopsis

16.0.R4

Platforms

All

IP prefix list as the match criterion

Context

configure system security management-access-filter ip-filter entry number match src-ip ip-prefix-list reference

Tree

ip-prefix-list

Reference

configure filter match-list ip-prefix-list string

Notes

The following elements are part of a choice: (address and mask) or ip-prefix-list.

Introduced

20.7.R1

Platforms

All

mask string

Synopsis

Introduced

21.7.R1

Platforms

All

port number

Synopsis

TCP or UDP port number as the match criterion

Context

Introduced

16.0.R4

Platforms

All

default-action keyword

Synopsis

Default action for the management access filter

Context

configure system security management-access-filter ipv6-filter default-action keyword

Tree

Description

This command specifies the default action for management access in the absence of a specific management access filter match.

Default

ignore-match

Options

ignore-match, accept, drop, reject

Introduced

16.0.R4

Platforms

All

entry [entry-id] number

Synopsis

Enter the entry list instance

Context

configure system security management-access-filter ipv6-filter entry number

Tree

Introduced

16.0.R4

Platforms

All

[entry-id] number

Synopsis

Entry ID to identify the match criteria and the action

Context

configure system security management-access-filter ipv6-filter entry number

Description

Range

1 to 9999

Notes

This element is part of a list key.

Introduced

16.0.R4

Platforms

All

action keyword

Context

configure system security management-access-filter ipv6-filter entry number log-events boolean

Tree

Description

Tree

Range

1 to 65535

Default

65535

Introduced

16.0.R4

Platforms

All

port number

Synopsis

Platforms

All

port-id string

Synopsis

Port ID as the match criterion

Context

configure system security management-access-filter ipv6-filter entry number match mgmt-port port-id string

Tree

port-id

Notes

The following elements are part of a choice: cpm, (lag and lag-id), or port-id.

Introduced

16.0.R4

Platforms

All

next-header (number | keyword)

Synopsis

IP protocol to match

Context

configure system security management-access-filter ipv6-filter entry number match next-header (number | keyword)

Tree

next-header

Range

0 to 255

Options

Introduced

16.0.R4

Platforms

All

Platforms

All

port number

Synopsis

TCP or UDP port number as the match criterion

Context

Introduced

16.0.R4

Platforms

All

default-action keyword

Synopsis

Default action for the management access filter

Context

configure system security management-access-filter mac-filter default-action keyword

Tree

Description

This command specifies the default action for management access in the absence of a specific management access filter match.

Default

ignore-match

Options

ignore-match, accept, drop

Introduced

16.0.R4

Platforms

All

entry [entry-id] number

Synopsis

Enter the entry list instance

Context

configure system security management-access-filter mac-filter entry number

Tree

Introduced

16.0.R4

Platforms

All

[entry-id] number

Synopsis

Entry ID to identify the match criteria and the action

Context

configure system security management-access-filter mac-filter entry number

Description

Range

1 to 9999

Notes

This element is part of a list key.

Introduced

16.0.R4

Platforms

All

action keyword

Context

configure system security management-access-filter mac-filter entry number log-events boolean

Tree

configure system security python-script authorization event-handler

Description

Tree

range

Notes

The following elements are part of a choice: eq, gt, lt, or range.

Introduced

16.0.R4

Platforms

All

end number

Synopsis

Upper bound of the range for the OpCode to match

Context

configure system security management-access-filter mac-filter entry number match cfm-opcode range end number

Tree

end

Range

1 to 255

Notes

This element is mandatory.

Introduced

16.0.R4

Platforms

All

start number

Synopsis

Lower bound of the range for the OpCode to match

Context

configure system security management-access-filter mac-filter entry number match cfm-opcode range start number

Tree

16.0.R4

Platforms

All

priority number

Synopsis

etype string

Synopsis

Ethernet type II Ethertype value as the match criterion

Context

configure system security management-access-filter mac-filter entry number match etype string

Tree

etype

Description

This command specifies an Ethernet type II Ethertype value to be used as a MAC filter match criterion.

The Ethernet type field is used by the Ethernet version-II frames and does not apply to IEEE 802.3 Ethernet frames.

String Length

5 to 6

Introduced

16.0.R4

Platforms

All

frame-type keyword

Synopsis

Platforms

All

mask number

Synopsis

Platforms

All

ssap number

Synopsis

Platforms

All

snap-pid number

Synopsis

IEEE 802.3 LLC SNAP Ethernet Frame PID as the match

Context

configure system security management-access-filter mac-filter entry number match snap-pid number

Tree

snap-pid

Description

Tree

per-peer-queuing

Description

When configured to true, the router automatically allocates a separate CPM hardware queue for the peer when a peering session is established.

When configured to false, a separate CPM hardware queue is not allowed.

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

Administrative state of the CA profile

All

url http-url-path-loose

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Location of updated CRL

Context

configure system security pki ca-profile string auto-crl-update crl-urls url-entry number url http-url-path-loose

Tree

url

String Length

1 to 180

Introduced

16.0.R1

Platforms

All

periodic-update-interval number

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Interval between two consecutive CRL updates

Context

configure system security pki ca-profile string auto-crl-update periodic-update-interval number

Tree

periodic-update-interval

Range

3600 to 31622400

Default

86400

Units

seconds

Introduced

16.0.R1

Platforms

All

pre-update-time number

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Time prior to the next update time of the current CRL

Context

configure system security pki ca-profile string auto-crl-update pre-update-time number

Tree

pre-update-time

Range

0 to 31622400

Default

3600

Units

seconds

Introduced

16.0.R1

Platforms

All

retry-interval number

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Interval before retrying to update CRL

Context

configure system security pki ca-profile string auto-crl-update retry-interval number

Tree

retry-interval

Range

0 to 31622400

Default

3600

Units

seconds

Introduced

16.0.R1

Platforms

All

schedule-type keyword

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Time scheduler type for an automated CRL update

Context

configure system security pki ca-profile string auto-crl-update schedule-type keyword

Tree

schedule-type

Default

next-update-based

Options

next-update-based, periodic

Introduced

16.0.R1

Platforms

All

cert-file string

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

All

pkiconf-message boolean

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Accept unprotected PKI confirmation messages

Context

configure system security pki ca-profile string cmpv2 accept-unprotected-message pkiconf-message boolean

Tree

pkiconf-message

Default

false

Introduced

16.0.R1

Platforms

All

always-set-sender-for-ir boolean

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Subject name in CMPv2 header for all Initial Registration (IR) messages

Context

configure system security pki ca-profile string cmpv2 always-set-sender-for-ir boolean

Tree

always-set-sender-for-ir

Default

false

Introduced

16.0.R1

Platforms

All

http

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Enter the http context

Context

configure system security pki ca-profile string cmpv2 http

Tree

http

Introduced

16.0.R1

Platforms

All

response-timeout number

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

HTTP response timeout

Context

configure system security pki ca-profile string cmpv2 http response-timeout number

Tree

response-timeout

Range

1 to 3600

Default

Units

seconds

Introduced

16.0.R1

Platforms

All

version keyword

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

HTTP version for CMPv2 messages

All

[reference-number] string

Synopsis

Unique identifier for the CA initial authentication key

Context

configure system security pki ca-profile string cmpv2 key-list key string

String Length

1 to 64

Notes

This element is part of a list key.

Introduced

16.0.R1

Platforms

All

password string

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Shared secret for this CA initial authentication key

Context

configure system security pki ca-profile string cmpv2 key-list key string password string

Tree

password

String Length

1 to 115

Introduced

16.0.R1

Platforms

All

response-signing-cert string

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

File name of the certificate to verify the signature of received CMPv2 responses

Context

configure system security pki ca-profile string cmpv2 response-signing-cert string

Tree

response-signing-cert

String Length

1 to 95

Introduced

16.0.R1

Platforms

All

same-recipient-nonce-for-poll-request boolean

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

All

url-string http-optional-url-loose

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

ocsp

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Enter the ocsp context

Context

configure system security pki ca-profile string ocsp

Tree

ocsp

Introduced

16.0.R1

Platforms

All

responder-url http-optional-url-loose

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

HTTP URL of the OCSP responder for the CA

Context

configure system security pki ca-profile string ocsp responder-url http-optional-url-loose

Tree

responder-url

String Length

1 to 180

Introduced

16.0.R1

Platforms

All

service-name string

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Administrative service name

Context

configure system security pki ca-profile string ocsp service-name string

Tree

service-name

String Length

1 to 64

Introduced

16.0.R1

Platforms

All

transmission-profile reference

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Transmission profile for the OCSP

Context

configure system security pki ca-profile string ocsp transmission-profile reference

Tree

transmission-profile

Reference

configure system transmission-profile string

Introduced

16.0.R6

Platforms

All

revocation-check keyword

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Method to verify the revocation status of certificates issued by the CA

Context

configure system security pki ca-profile string revocation-check keyword

Tree

revocation-check

Default

crl

Options

crl, crl-optional

Introduced

16.0.R1

Platforms

All

certificate-display-format keyword

Synopsis

Display format for certificates and Certificate Revocation Lists (CRLs)

Context

Introduced

16.0.R1

Platforms

All

repeat-hours number

Synopsis

Time period when the system repeatedly generates the certificate expiration warning trap

Context

configure system security pki certificate-expiration-warning repeat-hours number

Tree

repeat-hours

Range

0 to 8760

Default

Units

hours

Introduced

16.0.R1

Platforms

All

common-name-list [cn-list-name] string

Synopsis

Enter the common-name-list list instance

Context

configure system security pki common-name-list string

Tree

common-name-list

Max. Elements

Introduced

16.0.R1

Platforms

All

[cn-list-name] string

Synopsis

Platforms

All

cn-type keyword

Synopsis

Common name type

Context

configure system security pki common-name-list string common-name number cn-type keyword

Tree

cn-type

Options

ip-address, domain-name

Notes

This element is mandatory.

Introduced

16.0.R1

Platforms

All

cn-value string

Synopsis

Common name value

Context

Introduced

16.0.R1

Platforms

All

repeat-hours number

Synopsis

Time when the system repeatedly generates the Certificate Revocation List (CRL) expiration warning trap

Context

configure system security pki crl-expiration-warning repeat-hours number

Tree

repeat-hours

Range

0 to 8760

Default

Units

hours

Introduced

16.0.R1

Platforms

All

est-profile [name] string

Synopsis

Enter the est-profile list instance

Context

configure system security pki est-profile string

Tree

est-profile

Description

Commands in this context configure an Enrollment over Secure Transport (EST) profile.

Max. Elements

128

Introduced

21.10.R1

Platforms

All

[name] string

Synopsis

Enrollment over Secured Transport profile name

Context

configure system security pki est-profile string

Description

This command configures the EST profile name.

String Length

1 to 32

Notes

This element is part of a list key.

Introduced

21.10.R1

Platforms

All

check-id-kp-cmcra-only boolean

Synopsis

Check id-kp-cmcra in the EST certificate

Context

configure system security pki est-profile string check-id-kp-cmcra-only boolean

Tree

check-id-kp-cmcra-only

Description

When configured to true, only the id-kp-cmcRA existence in the extended key usage extension of the EST server certificate is checked, instead of the subject or subject alternative name.

When configured to false, the subject or subject alternative name is also checked.

Default

false

Introduced

21.10.R1

Platforms

All

client-tls-profile string

Synopsis

TLS client profile assigned to applications

Context

Range

1 to 65535

Default

443

Introduced

21.10.R1

Platforms

All

transmission-profile string

Synopsis

Transmission profile name for EST

Context

configure system security pki est-profile string transmission-profile string

Tree

transmission-profile

Description

This command associates a file transmission profile to the EST profile.

The transmission profile defines transport parameters for protocol such as HTTP, include routing instance, source address, timeout value, and so on.

String Length

1 to 32

Introduced

21.10.R1

Platforms

All

imported-format keyword

Synopsis

The supported encrypted file formats

Context

configure system security pki imported-format keyword

Tree

imported-format

Default

any

Options

any, secure

Introduced

16.0.R6

Platforms

All

maximum-cert-chain-depth number

Synopsis

Maximum depth of certificate chain verification

Context

configure system security pki maximum-cert-chain-depth number

Tree

maximum-cert-chain-depth

Range

1 to 7

cli-user

Reference

configure system security user-params local-user user string

Introduced

21.10.R1

Platforms

All

event-handler

Synopsis

Enter the event-handler context

Context

Tree

event-handler

Introduced

21.10.R1

Platforms

All

cli-user reference

Synopsis

User profile name when executing a Python application

Context

configure system security python-script authorization event-handler cli-user reference

Tree

cli-user

Reference

configure system security user-params local-user user string

Introduced

21.10.R1

Platforms

All

snmp

Synopsis

Enter the snmp context

Context

configure system security snmp

Tree

snmp

Introduced

16.0.R1

Platforms

All

Platforms

All

write string

Synopsis

SNMP view for write access

Context

configure system security snmp access string context string security-model keyword security-level keyword write string

Tree

write

Description

This command specifies the SNMP view used to control which MIB objects can be accessed using a write (set) operation.

String Length

1 to 32

Introduced

16.0.R1

Platforms

All

attempts

Synopsis

Enter the attempts context

Context

configure system security snmp attempts

Tree

attempts

Introduced

16.0.R1

Platforms

All

count number

Synopsis

Maximum unsuccessful SNMP attempts that are allowed for the specified time

Context

configure system security snmp attempts count number

Tree

count

Range

1 to 64

Default

Introduced

16.0.R1

Platforms

All

lockout number

Synopsis

Lockout period during which the host is not allowed to log in

Context

configure system security snmp attempts lockout number

Tree

lockout

Range

0 to 1440

Default

Units

minutes

Introduced

16.0.R1

Platforms

All

time number

Synopsis

Time when a number of unsuccessful attempts are made before the host is locked out

Context

configure system security snmp attempts time number

Tree

time

Range

0 to 60

Default

Units

minutes

Introduced

16.0.R1

Platforms

All

community [community-string] string

Synopsis

Enter the community list instance

Context

configure system security snmp community string

Tree

community

Introduced

16.0.R1

Platforms

All

[community-string] string

Synopsis

Management information that is accessed when using the community string

Context

configure system security snmp community string

String Length

1 to 114

Notes

This element is part of a list key.

Introduced

16.0.R1

Platforms

All

access-permissions keyword

Synopsis

Platforms

All

source-access-list [list-name] string

Synopsis

Enter the source-access-list list instance

Context

configure system security snmp source-access-list string

Tree

source-access-list

Max. Elements

Introduced

16.0.R1

Platforms

All

[list-name] string

Synopsis

Value for the name given to source access list

Context

configure system security snmp source-access-list string

String Length

1 to 32

Notes

This element is part of a list key.

Introduced

16.0.R1

Platforms

All

source-host [host-name] string

Synopsis

Enter the source-host list instance

Context

configure system security snmp source-access-list string source-host string

Tree

source-host

Max. Elements

Introduced

16.0.R1

Platforms

All

[host-name] string

Synopsis

Source host entry name

Context

configure system security snmp source-access-list string source-host string

String Length

1 to 32

Notes

This element is part of a list key.

Introduced

16.0.R1

Platforms

All

address (ipv4-address-no-zone | ipv6-address-no-zone)

Synopsis

Enter the source-address context

Context

configure system security source-address

All

address string

Warning:

Modifying this element recreates the parent element automatically for the new value to take effect.

Synopsis

Source IPv4 address

Context

configure system security source-address ipv4 keyword address string

Tree

configure system security ssh key-re-exchange client

Notes

The following elements are part of a mandatory choice: address or interface-name.

Introduced

16.0.R1

Platforms

All

interface-name string

Warning:

Modifying this element recreates the parent element automatically for the new value to take effect.

Synopsis

IP interface name

Context

Platforms

All

address string

Warning:

Modifying this element recreates the parent element automatically for the new value to take effect.

Synopsis

Enter the kex list instance

Context

configure system security ssh client-kex-list-v2 kex number

Tree

kex

Description

Commands in this context configure SSH Key Exchange (KEX) algorithms for SR OS as a client.

If a list is configured, SSH uses the list with the first-listed algorithm having the highest priority.

By default, the client list is empty. The default list contains the following:

diffie-hellman-group16-sha512
diffie-hellman-group14-sha256
diffie-hellman-group14-sha1
diffie-hellman-group1-sha1

Introduced

19.10.R3

Platforms

All

[index] number

Synopsis

SSHv2 KEX algorithm index

Context

Enter the client context

Context

Tree

client

Introduced

16.0.R1

Platforms

All

admin-state keyword

Synopsis

Administrative state of the key re-exchange

Context

configure system security ssh key-re-exchange client admin-state keyword

Tree

configure system security ssh key-re-exchange server

Default

enable

Options

enable, disable

Introduced

16.0.R1

Platforms

All

mbytes (number | keyword)

Synopsis

Maximum bytes transmitted before key re-exchange begins

Context

configure system security ssh key-re-exchange client mbytes (number | keyword)

Tree

mbytes

Range

1 to 64000

Default

1024

Units

megabytes

Options

infinite

Introduced

16.0.R1

Platforms

All

minutes (number | keyword)

Synopsis

Maximum time before key re-exchange is initiated

Context

configure system security ssh key-re-exchange client minutes (number | keyword)

Tree

minutes

Range

1 to 1440

Default

Units

minutes

Options

infinite

Introduced

16.0.R1

Platforms

All

server

Synopsis

Enter the server context

Context

Tree

Introduced

16.0.R1

Platforms

All

admin-state keyword

Synopsis

Administrative state of the key re-exchange

Context

configure system security ssh key-re-exchange server admin-state keyword

Tree

Default

enable

Options

enable, disable

Introduced

16.0.R1

Platforms

All

mbytes (number | keyword)

Synopsis

Maximum bytes transmitted before key re-exchange begins

Context

configure system security ssh key-re-exchange server mbytes (number | keyword)

Tree

mbytes

Range

1 to 64000

Default

1024

Units

megabytes

Options

infinite

Introduced

16.0.R1

Platforms

All

minutes (number | keyword)

Synopsis

Maximum time before key re-exchange is initiated

Context

configure system security ssh key-re-exchange server minutes (number | keyword)

Tree

minutes

Range

1 to 1440

Default

Units

minutes

Options

infinite

Introduced

16.0.R1

Platforms

All

preserve-key boolean

Synopsis

Preserve keys and restore on system or server restart

Context

configure system security ssh preserve-key boolean

Tree

preserve-key

Description

When configured to true, private, public, and host keys are saved by the server. The keys are restored following a system reboot or a restart of an SSH server.

When configured to false, the keys are held in memory by an SSH server but are not restored following a system reboot.

Default

false

Introduced

16.0.R1

Platforms

All

server-admin-state keyword

Synopsis

Administrative state of the SSH server

Context

Enter the kex list instance

Context

configure system security ssh server-kex-list-v2 kex number

Tree

kex

Introduced

19.10.R3

Platforms

All

[index] number

Synopsis

SSHv2 KEX algorithm index

Context

configure system security ssh server-kex-list-v2 kex number

Description

Range

1 to 255

Notes

This element is part of a list key.

Introduced

19.10.R3

Platforms

All

name keyword

Synopsis

KEX algorithm for computing a shared secret key

Context

Platforms

All

name keyword

Synopsis

Algorithm for calculating message authentication code

Context

configure system security ssh server-mac-list-v2 mac number name keyword

Tree

name

Options

hmac-sha2-512, hmac-sha2-256, hmac-sha1, hmac-sha1-96, hmac-md5, hmac-ripemd160, hmac-ripemd160-openssh-com, hmac-md5-96

Notes

This element is mandatory.

Introduced

16.0.R1

Platforms

All

version keyword

Synopsis

SSH protocol version supported by the SSH server

Context

configure system security ssh version keyword

Tree

configure system security system-passwords

Default

Options

1, 2, 1-2

Introduced

16.0.R1

Platforms

All

system-passwords

Synopsis

Enter the system-passwords context

Context

Tree

system-passwords

Introduced

16.0.R1

Platforms

All

admin-password string

Synopsis

Password that assigns the user as administrator

Context

configure system security system-passwords admin-password string

Tree

admin-password

String Length

3 to 136

Introduced

16.0.R1

Platforms

All

vsd-password string

Synopsis

Platforms

All

telnet-server boolean

Synopsis

Enable Telnet servers running on the system

Context

configure system security telnet-server boolean

Tree

telnet-server

Default

false

Introduced

16.0.R1

Platforms

All

telnet6-server boolean

Synopsis

Enable Telnet IPv6 servers running on the system

Context

configure system security telnet6-server boolean

Tree

16.0.R1

Platforms

All

[cert-profile-name] string

Synopsis

TLS certificate profile name

Context

configure system security tls cert-profile string

String Length

1 to 32

Notes

This element is part of a list key.

Introduced

16.0.R1

Platforms

All

admin-state keyword

Synopsis

Administrative state of the certificate profile

Context

configure system security tls cert-profile string admin-state keyword

Tree

Default

disable

Options

enable, disable

Introduced

16.0.R1

Platforms

All

entry [entry-id] number

Synopsis

Enter the entry list instance

Context

configure system security tls cert-profile string entry number

Tree

configure system security vprn-network-exceptions

16.0.R1

Platforms

All

[ca-profile-name] reference

Synopsis

CA profile name

Context

configure system security tls cert-profile string entry number send-chain ca-profile reference

Reference

configure system security pki ca-profile string

Notes

This element is part of a list key.

Introduced

16.0.R1

Platforms

All

client-cipher-list [client-cipher-list-name] string

Synopsis

Enter the client-cipher-list list instance

Context

configure system security tls client-cipher-list string

Tree

client-cipher-list

Max. Elements

Introduced

16.0.R1

Platforms

All

[client-cipher-list-name] string

Synopsis

Platforms

All

name keyword

Synopsis

Cipher suite code

Context

configure system security tls client-cipher-list string tls12-cipher number name keyword

Tree

name

Options

tls-rsa-with3des-ede-cbc-sha, tls-rsa-with-aes128-cbc-sha, tls-rsa-with-aes256-cbc-sha, tls-rsa-with-aes128-cbc-sha256, tls-rsa-with-aes256-cbc-sha256, tls-rsa-with-aes128-gcm-sha256, tls-rsa-with-aes256-gcm-sha384

Notes

This element is mandatory.

Introduced

22.2.R1

Platforms

All

client-tls-profile [client-profile-name] string

Synopsis

Enter the client-tls-profile list instance

Context

configure system security tls client-tls-profile string

Tree

client-tls-profile

Max. Elements

Introduced

16.0.R1

Platforms

All

[client-profile-name] string

Synopsis

Client TLS profile name

Context

configure system security tls client-tls-profile string

String Length

1 to 32

Notes

This element is part of a list key.

Introduced

16.0.R1

Platforms

All

admin-state keyword

Synopsis

server-cipher-list [server-cipher-list-name] string

Synopsis

Enter the server-cipher-list list instance

Context

configure system security tls server-cipher-list string

Tree

server-cipher-list

Max. Elements

Introduced

16.0.R1

Platforms

All

[server-cipher-list-name] string

Synopsis

Platforms

All

name keyword

Synopsis

Cipher suite code

Context

configure system security tls server-cipher-list string tls12-cipher number name keyword

Tree

name

Options

Notes

This element is mandatory.

Introduced

22.2.R1

Platforms

All

server-tls-profile [server-profile-name] string

Synopsis

Enter the server-tls-profile list instance

Context

configure system security tls server-tls-profile string

Tree

server-tls-profile

Max. Elements

Introduced

16.0.R1

Platforms

All

[server-profile-name] string

Synopsis

TLS HELLO request timer

Context

configure system security tls server-tls-profile string tls-re-negotiate-timer number

Tree

tls-re-negotiate-timer

Range

0 to 65000

Default

Units

minutes

Introduced

16.0.R1

Platforms

All

trust-anchor-profile [trust-anchor-profile-name] string

Synopsis

Enter the trust-anchor-profile list instance

Context

configure system security tls trust-anchor-profile string

Tree

trust-anchor-profile

Max. Elements

Introduced

16.0.R1

Platforms

All

[trust-anchor-profile-name] string

Synopsis

Trust anchor profile name

Context

configure system security tls trust-anchor-profile string

String Length

1 to 32

Notes

This element is part of a list key.

Introduced

16.0.R1

Platforms

All

trust-anchor [ca-profile-name] reference

Synopsis

Add a list entry for trust-anchor

Context

configure system security tls trust-anchor-profile string trust-anchor reference

Tree

trust-anchor

Max. Elements

Introduced

16.0.R1

Platforms

All

[ca-profile-name] reference

Synopsis

count number

Synopsis

Number of unsuccessful login attempts

Context

configure system security user-params attempts count number

Tree

count

Range

1 to 64

Default

Introduced

16.0.R1

Platforms

All

lockout number

Synopsis

Lockout period after unsuccessful login attempts

Context

configure system security user-params attempts lockout number

Tree

lockout

Range

0 to 1440

Default

Units

minutes

Introduced

16.0.R1

Platforms

All

time number

Synopsis

Time frame of unsuccessful login attempts

Context

configure system security user-params attempts time number

Tree

time

Range

0 to 60

Default

Units

minutes

Introduced

16.0.R1

Platforms

All

authentication-order

Synopsis

aging

Range

1 to 500

Units

days

Introduced

16.0.R1

Platforms

All

Minimum length required for local passwords

Context

configure system security user-params local-user password complexity-rules minimum-length number

Tree

minimum-length

Range

6 to 50

bcrypt

Options

bcrypt, sha2-pbkdf2, sha3-pbkdf2

Introduced

20.7.R1

Platforms

All

history-size number

Synopsis

New password to match against previous ones

Context

configure system security user-params local-user password history-size number

Tree

history-size

Range

0 to 20

Introduced

16.0.R1

Platforms

All

minimum-age number

Synopsis

Minimum age required for a password before changing it

Context

configure system security user-params local-user password minimum-age number

Tree

minimum-age

Range

0 to 86400

Default

600

Units

seconds

Introduced

16.0.R1

Platforms

All

minimum-change number

Synopsis

Minimum distance required between the old and the new password

Context

configure system security user-params local-user password minimum-change number

Tree

minimum-change

Range

1 to 20

Default

Introduced

16.0.R1

Platforms

All

user [user-name] string

Synopsis

Enter the user list instance

Context

configure system security user-params local-user user string

Tree

user

Introduced

16.0.R1

Platforms

All

[user-name] string

Synopsis

Platforms

All

ftp boolean

Synopsis

Allow FTP access

Context

configure system security user-params local-user user string access ftp boolean

Tree

ftp

Default

false

Introduced

16.0.R1

Platforms

All

grpc boolean

Synopsis

Allow gRPC access

Context

configure system security user-params local-user user string access grpc boolean

Tree

grpc

Default

false

Introduced

16.0.R1

Platforms

All

li boolean

Synopsis

Enable/disable access to LI.

Context

configure system security user-params local-user user string access li boolean

cli-engine

Default

md-cli

Options

classic-cli, md-cli

Max. Elements

Notes

This element is ordered by the user.

Introduced

16.0.R1

Platforms

All

console

Synopsis

Enter the console context

Context

configure system security user-params local-user user string console

Tree

console

Introduced

16.0.R1

Platforms

All

cannot-change-password boolean

Synopsis

Change password privileges

Context

configure system security user-params local-user user string console cannot-change-password boolean

Tree

cannot-change-password

Default

false

Introduced

16.0.R1

Platforms

All

login-exec (sat-url | cflash-url | ftp-tftp-url | filename)

Synopsis

File to execute when a user successfully logs in

Context

configure system security user-params local-user user string console login-exec (sat-url | cflash-url | ftp-tftp-url | filename)

Tree

String Length

1 to 200

Introduced

16.0.R1

Platforms

All

member reference

Synopsis

User profiles for this user

Context

configure system security user-params local-user user string console member reference

Tree

member

Reference

configure system security aaa local-profiles profile string

Enter the snmp context

Context

configure system security user-params local-user user string snmp

Tree

snmp

Introduced

16.0.R1

Platforms

All

authentication

Synopsis

Enable the authentication context

Context

configure system security user-params local-user user string snmp authentication

Tree

authentication

Description

Commands in this context configure the SNMPv3 authentication and privacy protocols for the user to communicate with the router. The keys are stored in an encrypted format in the configuration.

The keys configured with these commands must be localized keys, which are a hash of the SNMP engine ID and a password. The password is not entered directly in this command. Use the tools perform system management-interface snmp generate-key command to generate localized authentication and privacy keys.

Introduced

16.0.R1

Platforms

All

authentication-key string

Synopsis

Localized authentication key

Context

configure system security user-params local-user user string snmp authentication authentication-key string

Tree

authentication-key

Description

This command specifies the authentication key for the authentication protocol. The key must be a localized key, which is a hash of the SNMP engine ID and a password. The password is not entered directly in this command. Use the tools perform system management-interface snmp generate-key command to generate a localized authentication key.

String Length

1 to 115

Introduced

16.0.R1

Platforms

All

authentication-protocol keyword

Synopsis

Notes

This element is mandatory.

Introduced

16.0.R1

Platforms

All

privacy-protocol keyword

Synopsis

Privacy protocol

Context

configure system security user-params local-user user string snmp authentication privacy privacy-protocol keyword

Tree

privacy-protocol

Options

cbc-des, cfb128-aes-128, cfb128-aes-192, cfb128-aes-256

Notes

This element is mandatory.

Introduced

16.0.R1

Platforms

All

group string

Synopsis

User to associate with a group name

Context

configure system security user-params local-user user string snmp group string

Tree

group

String Length

1 to 32

Introduced

16.0.R1

Platforms

All

vprn-network-exceptions

Synopsis

Enable the vprn-network-exceptions context

Context

Tree

vprn-network-exceptions

Description

Commands in this context configure the rate limiting attributes for processing packets with label TTL expiry received within an LSP shortcut or VPRN instances in the system and from all network IP interfaces. This includes labeled user and control plan packets, ping, and traceroute packets within GRT and VPRN, and ICMP replies.

These commands do not rate limit MPLS or service OAM packets.

Introduced

16.0.R1

Platforms

All

count number

Synopsis

Limit of exception messages received

Context

configure system security vprn-network-exceptions count number

Tree

count

Description

This command specifies the threshold limit of exception messages. If the threshold value is exceeded within the configured time interval, packets are dropped.

Range

10 to 1000

Default

100

Introduced

16.0.R1

Platforms

All

window number

Synopsis

Time interval to measure exception messages

Context

configure system security vprn-network-exceptions window number

Tree

window

Description

This command configures the time interval within which exception messages are counted. If the threshold value is exceeded within the configured time interval, packets are dropped.

Range

1 to 60

Default

Units

seconds

Introduced

16.0.R1

Platforms

All

selective-fib boolean

Synopsis

FIB assigned to the system

Context

configure system selective-fib boolean

Tree

selective-fib

Default

false

Introduced

16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

Administrative state of the failure recovery process

Context

configure system switch-fabric failure-recovery admin-state keyword

Tree

configure system telemetry

Default

disable

Options

enable, disable

Introduced

21.2.R1

Platforms

7450 ESS, 7750 SR-7, 7950 XRS

sfm-loss-threshold number

Synopsis

Number of SFMs that can fail before SFM overload state

Context

configure system switch-fabric sfm-loss-threshold number

Tree

sfm-loss-threshold

Description

This command specifies the number of SFMs that are permitted to fail before the system goes into SFM overload state.

The default value for the 7750 SR-7s is 1 and the default value for the 7750 SR-14s is 2. Users can select the SFM limit based on the number possible for the system minus one. For the 7750 SR-7s, the limit is 3 and the limit for the 7750 SR-14s is 7.

Range

1 to 7

Introduced

20.5.R1

Platforms

7750 SR-7s, 7750 SR-14s

telemetry

Synopsis

Enter the telemetry context

Context

Tree

telemetry

Description

Commands in this context configure the parameters for the dial-out telemetry functionality.

Introduced

20.2.R1

Platforms

All

destination-group [name] string

Synopsis

Platforms

All

description string

Synopsis

Text description

Context

configure system telemetry destination-group string description string

Tree

String Length

1 to 80

Introduced

20.5.R1

Platforms

All

destination [address] (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name) port number

Synopsis

Enter the destination list instance

Context

configure system telemetry destination-group string destination (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name) port number

Tree

destination

Max. Elements

Notes

This element is ordered by the user.

Introduced

20.5.R1

Platforms

All

[address] (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name)

Synopsis

Address of the destination within the destination group

Context

configure system telemetry destination-group string destination (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name) port number

String Length

1 to 255

Notes

This element is part of a list key.

Introduced

20.5.R1

Platforms

All

port number

Synopsis

Introduced

20.5.R1

Platforms

All

idle-time number

Synopsis

Time until the first TCP keepalive probe is sent

Context

configure system telemetry destination-group string tcp-keepalive idle-time number

Tree

idle-time

Range

1 to 100000

Default

600

Units

seconds

Introduced

20.5.R1

Platforms

All

interval number

Synopsis

Time between TCP keepalive probes

Context

configure system telemetry destination-group string tcp-keepalive interval number

Tree

Range

1 to 100000

Default

Units

seconds

Introduced

20.5.R1

Platforms

All

retries number

Synopsis

Number of probe retries before closing the connection

Context

configure system telemetry destination-group string tcp-keepalive retries number

Tree

retries

Description

This command configures the number of missed TCP keepalive probes before closing the TCP connection and attempting to reach the other destinations within the same destination group.

Range

3 to 100

Default

Introduced

20.5.R1

Platforms

All

tls-client-profile reference

Synopsis

Platforms

All

max-msg-count number

Synopsis

Max number of notifications in telemetry message bundle

Context

configure system telemetry notification-bundling max-msg-count number

Tree

max-msg-count

Range

2 to 1000

Default

100

Introduced

21.10.R1

Platforms

All

max-time-granularity number

Synopsis

Max time interval when bundling of notifications occurs

Context

configure system telemetry notification-bundling max-time-granularity number

Tree

max-time-granularity

Description

Platforms

All

[name] string

Synopsis

Persistent subscription name

Context

configure system telemetry persistent-subscriptions subscription string

String Length

1 to 32

Notes

This element is part of a list key.

Introduced

20.5.R1

Platforms

All

admin-state keyword

Synopsis

Introduced

20.5.R1

Platforms

All

local-source-address (ipv4-address-no-zone | ipv6-address-no-zone)

Synopsis

Local IP address of packets sent from the source

Context

configure system telemetry persistent-subscriptions subscription string local-source-address (ipv4-address-no-zone | ipv6-address-no-zone)

Tree

local-source-address

Introduced

20.5.R1

Platforms

All

mode keyword

Synopsis

Mode for telemetry notifications

Context

configure system telemetry persistent-subscriptions subscription string mode keyword

Tree

mode

Description

This command specifies the subscription path mode for telemetry notifications sent out for the persistent subscription.

Options

target-defined, on-change, sample

Introduced

20.5.R1

Platforms

All

originated-qos-marking keyword

Synopsis

QoS marking used for telemetry notification packets

Context

configure system telemetry persistent-subscriptions subscription string originated-qos-marking keyword

Tree

originated-qos-marking

Options

Introduced

20.5.R1

Platforms

All

sample-interval number

Synopsis

Sampling interval for the persistent subscription

Context

configure system telemetry persistent-subscriptions subscription string sample-interval number

Tree

sample-interval

Description

Enter the cflash-cap-alarm-percent list instance

Context

configure system thresholds cflash-cap-alarm-percent string

Tree

cflash-cap-alarm-percent

Introduced

16.0.R1

Platforms

All

[cflash-id] string

Synopsis

cflash device name monitored for capacity

Context

configure system thresholds cflash-cap-alarm-percent string

String Length

1 to 200

Notes

This element is part of a list key.

Introduced

16.0.R1

Platforms

All

falling-threshold number

Synopsis

Falling threshold for the sampled statistic

Context

configure system thresholds cflash-cap-alarm-percent string falling-threshold number

Tree

Description

This command specifies a falling threshold for the sampled statistic. When the current sampled value is less than or equal to this threshold, and the value at the last sampling interval was greater than this threshold, a single threshold-crossing event is generated. A single threshold-crossing event is also generated if the first sample taken is less than or equal to this threshold and the associated startup-alarm command is equal to the falling or either values.

After a falling threshold-crossing event is generated, another such event is not generated until the sampled value rises above this threshold and reaches greater than or equal to the rising-threshold command.

Range

0 to 100

Units

percent

Introduced

16.0.R4

Platforms

All

interval number

Synopsis

Polling period over which data is sampled and compared

Context

configure system thresholds cflash-cap-alarm-percent string interval number

Tree

Description

This command specifies the polling interval over which the data is sampled and compared with the rising and falling thresholds.

Range

1 to 2147483647

Notes

This element is mandatory.

Introduced

16.0.R1

Platforms

All

rising-threshold number

Tree

Description

This command specifies the alarm type that may be sent when this alarm is first created.

16.0.R1

Platforms

All

falling-threshold number

Synopsis

Falling threshold for the sampled statistic

Context

configure system thresholds cflash-cap-warn-percent string falling-threshold number

Tree

Description

Range

0 to 100

Units

percent

Introduced

16.0.R4

Platforms

All

interval number

Synopsis

Polling period over which data is sampled and compared

Context

configure system thresholds cflash-cap-warn-percent string interval number

Tree

Description

This command specifies the polling interval over which the data is sampled and compared with the rising and falling thresholds.

Range

1 to 2147483647

Notes

This element is mandatory.

Introduced

16.0.R1

Platforms

All

rising-threshold number

Synopsis

Rising threshold for the sampled statistic

Context

configure system thresholds cflash-cap-warn-percent string rising-threshold number

Tree

Description

Range

0 to 100

Units

percent

Notes

This element is mandatory.

Introduced

16.0.R4

Platforms

All

rmon-event-type keyword

Synopsis

Notification type specifying action when event occurs

Context

configure system thresholds cflash-cap-warn-percent string rmon-event-type keyword

Tree

rmon-event-type

Default

both

Options

none, log, trap, both

Introduced

16.0.R1

Platforms

All

startup-alarm keyword

Synopsis

Alarm type when the alarm is first created

Context

configure system thresholds cflash-cap-warn-percent string startup-alarm keyword

Tree

configure system thresholds kb-memory-use-alarm

Description

This command specifies the alarm type that may be sent when this alarm is first created.

If the first sample is greater than or equal to the rising threshold value and startup-alarm is equal to rising or either, a single rising threshold crossing event is generated.

If the first sample is less than or equal to the falling threshold value and startup-alarm is equal to falling or either, a single falling threshold crossing event is generated.

Default

either

Options

rising, falling, either

Introduced

16.0.R1

Platforms

All

kb-memory-use-alarm

Synopsis

Enable the kb-memory-use-alarm context

Context

Tree

kb-memory-use-alarm

Introduced

16.0.R4

Platforms

All

falling-threshold number

Synopsis

Falling threshold for the sampled statistic

Context

configure system thresholds kb-memory-use-alarm falling-threshold number

Tree

Description

Range

-2147483648 to 2147483647

Introduced

16.0.R4

Platforms

All

interval number

Synopsis

Polling period over which data is sampled and compared

Context

configure system thresholds kb-memory-use-alarm interval number

Tree

Description

This command specifies the polling interval over which the data is sampled and compared with the rising and falling thresholds.

Range

1 to 2147483647

Notes

This element is mandatory.

Introduced

16.0.R4

Platforms

All

rising-threshold number

Synopsis

Rising threshold for the sampled statistic

Context

configure system thresholds kb-memory-use-alarm rising-threshold number

Tree

Description

Range

-2147483648 to 2147483647

Notes

This element is mandatory.

Introduced

16.0.R4

Platforms

All

rmon-event-type keyword

Synopsis

Notification type specifying action when event occurs

Context

configure system thresholds kb-memory-use-alarm rmon-event-type keyword

Tree

rmon-event-type

Default

both

Options

none, log, trap, both

Introduced

16.0.R4

Platforms

All

startup-alarm keyword

Synopsis

Alarm type when the alarm is first created

Context

configure system thresholds kb-memory-use-alarm startup-alarm keyword

Tree

configure system thresholds kb-memory-use-warn

Description

This command specifies the alarm type that may be sent when this alarm is first created.

If the first sample is greater than or equal to the rising threshold value and startup-alarm is equal to rising or either, a single rising threshold crossing event is generated.

If the first sample is less than or equal to the falling threshold value and startup-alarm is equal to falling or either, a single falling threshold crossing event is generated.

Default

either

Options

rising, falling, either

Introduced

16.0.R4

Platforms

All

kb-memory-use-warn

Synopsis

Enable the kb-memory-use-warn context

Context

Tree

kb-memory-use-warn

Introduced

16.0.R4

Platforms

All

falling-threshold number

Synopsis

Falling threshold for the sampled statistic

Context

configure system thresholds kb-memory-use-warn falling-threshold number

Tree

Description

Range

-2147483648 to 2147483647

Introduced

16.0.R4

Platforms

All

interval number

Synopsis

Polling period over which data is sampled and compared

Context

configure system thresholds kb-memory-use-warn interval number

Tree

Description

This command specifies the polling interval over which the data is sampled and compared with the rising and falling thresholds.

Range

1 to 2147483647

Notes

This element is mandatory.

Introduced

16.0.R4

Platforms

All

rising-threshold number

Synopsis

Rising threshold for the sampled statistic

Context

configure system thresholds kb-memory-use-warn rising-threshold number

Tree

Description

Range

-2147483648 to 2147483647

Notes

This element is mandatory.

Introduced

16.0.R4

Platforms

All

rmon-event-type keyword

Synopsis

Notification type specifying action when event occurs

Context

configure system thresholds kb-memory-use-warn rmon-event-type keyword

Tree

rmon-event-type

Default

both

Options

none, log, trap, both

Introduced

16.0.R4

Platforms

All

startup-alarm keyword

Synopsis

Alarm type when the alarm is first created

Context

configure system thresholds kb-memory-use-warn startup-alarm keyword

Tree

Description

This command specifies the alarm type that may be sent when this alarm is first created.

16.0.R1

Platforms

All

falling-event number

Synopsis

RMON event ID used when a falling threshold crossing event occurs

Context

configure system thresholds rmon alarm number falling-event number

Tree

falling-event

Range

0 to 65400

Introduced

16.0.R1

Platforms

All

falling-threshold number

Synopsis

Falling threshold for the sampled statistic

Context

configure system thresholds rmon alarm number falling-threshold number

Tree

Description

This command specifies a falling threshold for the sampled statistic. When the current sampled value is less than or equal to this threshold and the value at the last sampling interval was greater than this threshold, a single threshold crossing event is generated. A single threshold crossing event is also generated if the first sample taken is less than or equal to this threshold and the associated startup-alarm command is set to falling or either.

After a falling threshold crossing event is generated, another such event is not generated until the sampled value exceeds this threshold and reaches or exceeds the rising-threshold command setting.

Range

-2147483648 to 2147483647

Introduced

16.0.R1

Platforms

All

interval number

Synopsis

Polling period over which data is sampled and compared

Context

configure system thresholds rmon alarm number interval number

Tree

Description

This command specifies the polling interval over which the data is sampled and compared with the rising and falling thresholds

Range

1 to 2147483647

Notes

This element is mandatory.

Introduced

16.0.R1

Platforms

All

owner string

Synopsis

Owner that created this entry and uses the resources

Context

configure system thresholds rmon alarm number owner string

Tree

owner

String Length

1 to 80

Default

TiMOS CLI

Introduced

16.0.R1

Platforms

All

rising-event number

Synopsis

RMON event ID used when a rising event threshold event occurs

Context

configure system thresholds rmon alarm number rising-event number

Tree

rising-event

Range

0 to 65400

Introduced

16.0.R1

Platforms

All

rising-threshold number

Synopsis

Rising threshold for the sampled statistic

Context

configure system thresholds rmon alarm number rising-threshold number

Tree

Description

This command specifies the rising threshold for the sampled statistic. When the current sampled value is greater than or equal to this threshold and the value at the last sampling interval was below this threshold, a single threshold crossing event is generated. A single threshold crossing event is also generated if the first sample taken is greater than or equal to this threshold and the associated startup-alarm command is set to rising or either.

After a rising threshold crossing event is generated, another such event is not generated until the sampled value falls below this threshold and reaches or falls below the falling-threshold command setting.

Range

-2147483648 to 2147483647

Introduced

16.0.R1

Platforms

All

sample-type keyword

Synopsis

Method to sample the selected variable and calculate the value comparing against the thresholds

Context

configure system thresholds rmon alarm number sample-type keyword

Tree

sample-type

Default

absolute

Options

absolute, delta

Introduced

16.0.R1

Platforms

All

startup-alarm keyword

Synopsis

Alarm to send when this entry is first set to valid

Context

configure system thresholds rmon alarm number startup-alarm keyword

Tree

Default

either

Options

rising, falling, either

Introduced

16.0.R1

Platforms

All

variable-oid string

Synopsis

Platforms

All

owner string

Synopsis

Owner that created this entry and uses the resources

Context

configure system thresholds rmon event number owner string

Tree

owner

String Length

16.0.R1

Platforms

All

[summer-time-zone] string

Synopsis

Introduced

16.0.R1

Platforms

All

hours-minutes string

Synopsis

Hour and number of minutes after which the daylight savings time ends

Context

configure system time dst-zone string end hours-minutes string

Tree

hours-minutes

String Length

Default

00:00

Introduced

16.0.R1

Platforms

All

month keyword

Synopsis

Month of the week when the daylight savings time setting ends

Context

configure system time dst-zone string end month keyword

Tree

month

Default

january

Options

january, february, march, april, may, june, july, august, september, october, november, december

Introduced

16.0.R1

Platforms

All

week keyword

Synopsis

Week of the month when the daylight savings time setting ends

Context

configure system time dst-zone string end week keyword

Tree

week

Default

first

Options

first, second, third, fourth, last

Introduced

16.0.R1

Platforms

All

offset number

Synopsis

Offset for summer time setting

Context

configure system time dst-zone string offset number

Tree

offset

Range

0 to 60

Default

Units

minutes

Introduced

16.0.R1

Platforms

All

start

Synopsis

Enter the start context

Context

configure system time dst-zone string start

Tree

Introduced

16.0.R1

Platforms

All

day keyword

Synopsis

Day of the week when the daylight savings time setting starts

Context

configure system time dst-zone string start day keyword

Tree

day

Default

sunday

Options

sunday, monday, tuesday, wednesday, thursday, friday, saturday

Introduced

16.0.R1

Platforms

All

hours-minutes string

Synopsis

Hour and number of minutes after which the daylight savings time starts

Context

configure system time dst-zone string start hours-minutes string

Tree

hours-minutes

String Length

Default

00:00

Introduced

16.0.R1

Platforms

All

month keyword

Synopsis

Month of the week when the daylight savings time setting starts

Context

configure system time dst-zone string start month keyword

Tree

month

Default

january

Options

january, february, march, april, may, june, july, august, september, october, november, december

Introduced

16.0.R1

Platforms

All

week keyword

Synopsis

Week of the month when the daylight savings time setting starts

Context

Introduced

16.0.R1

Platforms

All

authentication-check boolean

Synopsis

Platforms

All

key string

Synopsis

Key to authenticate NTP packets

Context

version number

Synopsis

NTP version number generated or accepted by this node in NTP packets

Context

configure system time ntp broadcast reference interface-name string version number

Tree

Range

2 to 4

1 to 32

Notes

This element is part of a list key.

Introduced

16.0.R1

Platforms

All

authenticate boolean

Synopsis

Platforms

All

version number

Synopsis

NTP version number generated by the node

Context

configure system time ntp multicast version number

Tree

configure system time ntp multicast-client

Description

This command specifies the NTP version number that is generated by the node. This command does not need to be configured when in client mode, in which case all three versions are accepted.

Range

2 to 4

Default

Introduced

16.0.R1

Platforms

All

multicast-client

Synopsis

Enable the multicast-client context

Context

Tree

multicast-client

Introduced

16.0.R1

Platforms

All

authenticate boolean

Synopsis

Platforms

All

prefer boolean

Synopsis

NTP server from which is preferred to receive time

Context

configure system time ntp peer (ipv4-address-no-zone | ipv6-address-no-zone) router-instance string prefer boolean

Tree

prefer

Default

false

Introduced

16.0.R1

Platforms

All

version number

Synopsis

NTP version number generated by the node

Context

configure system time ntp peer (ipv4-address-no-zone | ipv6-address-no-zone) router-instance string version number

Tree

Description

This command specifies the NTP version number that is generated by the node. This command does not need to be configured when in client mode, in which case all three versions are accepted.

Range

2 to 4

Default

Introduced

16.0.R1

Platforms

All

server [ip-address] (ipv4-address-no-zone | ipv6-address-no-zone | keyword) router-instance string

Synopsis

Enter the server list instance

Context

configure system time ntp server (ipv4-address-no-zone | ipv6-address-no-zone | keyword) router-instance string

Tree

Introduced

16.0.R1

Platforms

All

[ip-address] (ipv4-address-no-zone | ipv6-address-no-zone | keyword)

Synopsis

Platforms

All

prefer boolean

Synopsis

NTP server from which is preferred to receive time

Context

configure system time ntp server (ipv4-address-no-zone | ipv6-address-no-zone | keyword) router-instance string prefer boolean

Tree

prefer

Default

false

Introduced

16.0.R1

Platforms

All

version number

Synopsis

NTP version number generated by the node

Context

configure system time ntp server (ipv4-address-no-zone | ipv6-address-no-zone | keyword) router-instance string version number

Tree

Description

This command specifies the NTP version number that is generated by the node. This command does not need to be configured when in client mode, in which case all three versions are accepted.

Range

2 to 4

Default

Introduced

16.0.R1

Platforms

All

prefer-local-time boolean

Synopsis

Use local time over UTC time in the system

Context

configure system time prefer-local-time boolean

Tree

prefer-local-time

Description

When configured to true, the system uses local time. This preference is applied to objects such as log file names, created and completed times reported in log files, NETCONF and gRPC date-and-time leafs, and rollback times displayed in show command outputs.

When configured to false, the system uses UTC time.

Note: The timezone used for show command outputs during a CLI session can be controlled using the environment time-display command.

Note: The format used for the date-time strings may change, depending on the command setting. For example, when this command is set to true, all date-time strings include a suffix of three to five characters that indicates the timezone used.

Note: The time format for timestamps on log events is controlled on a per-log basis, using the configure log log-id time-format command.

Default

false

Introduced

16.0.R1

Platforms

All

sntp

Synopsis

Enter the sntp context

Context

configure system time sntp

Tree

sntp

Introduced

16.0.R1

Platforms

All

admin-state keyword

Synopsis

Administrative state of SNTP

Context

interval number

Synopsis

Frequency of querying the server

Context

configure system time sntp server (ipv4-address-no-zone | ipv6-address-no-zone) interval number

Tree

Range

64 to 1024

Default

Units

seconds

Introduced

16.0.R1

Platforms

All

prefer boolean

Synopsis

Preference value for this SNTP server

Context

configure system time sntp server (ipv4-address-no-zone | ipv6-address-no-zone) prefer boolean

Tree

prefer

Default

false

Introduced

16.0.R1

Platforms

All

version number

Synopsis

SNTP version supported by this server

Context

configure system time sntp server (ipv4-address-no-zone | ipv6-address-no-zone) version number

Tree