SR OS has the capability to manage Telnet/SSH sessions per user and at a higher level per system. At the system level, the user can configure a cli-session-group for different customer priorities. The cli-session-group is a container that sets the maximum number of CLI sessions for a class of customers, with a unique session limit for each customer. For example, as depicted in Figure: cli-session-group for customer classes, “Gold” category customers can have a cli-session-group that allows them more Telnet/SSH sessions compared to “Silver” category customers.
The configured cli-session-group can be assigned to user-profiles. At the user profile level, each profile can be configured with its own maximum number of SSH/Telnet sessions, which is policed/restricted by the higher-order cli-session-group that is assigned to it.
As depicted in Figure: Hierarchy of cli-session-group profiles, the final picture is a hierarchical configuration with top-level cli-session-groups that control each customer’s total number of SSH or Telnet sessions and the user-profile for each user for that customer.
Every profile subtracts one from its corresponding max-session when a Telnet or SSH session is established in the following cases:
- where multiple profiles are configured under a user
- where multiple profiles arrive from different AAA servers (Local Profile, RADIUS Profile or TACACS Profile)
The first profile to run out of its corresponding max-session is the one that limits future Telnet or SSH sessions. In other words, while each profile for the user can have its independent max-session, only the lowest one is honored. If the profile with the lowest max-session is removed, the next lower profile max-session is honored and so on. All profiles for a user are updated when a Telnet or SSH session is established.
For information about login control, see Configuring login controls.
Use the following CLI commands to configure CLI session resources.
CLI syntax:
config>system>security>profile <name>
    [no] ssh-max-sessions session-limit
    [no] telnet-max-sessions session-limit
    [no] combined-max-sessions session-limit
    [no] cli-session-group session-group-name
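The hierarchical accounting described above, as a simplified Python model added here for illustration (it is not SR OS code or Nokia's implementation). The class and function names and all limit values are constructed; the model assumes that an unset limit means no limit and that a session counts once against a group shared by two of the user's profiles.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Limits:
    """Counters for one cli-session-group or one profile (None = no limit, an assumption)."""
    name: str
    ssh_max: Optional[int] = None
    telnet_max: Optional[int] = None
    combined_max: Optional[int] = None
    active: dict = field(default_factory=lambda: {"ssh": 0, "telnet": 0})

    def has_room(self, kind):
        own_max = self.ssh_max if kind == "ssh" else self.telnet_max
        if own_max is not None and self.active[kind] >= own_max:
            return False
        total = self.active["ssh"] + self.active["telnet"]
        return self.combined_max is None or total < self.combined_max

@dataclass
class Profile(Limits):
    group: Optional[Limits] = None  # the cli-session-group assigned to this profile

def try_login(profiles, kind):
    """Admit a session only if every profile of the user, and each profile's group, has room."""
    scopes = []
    for p in profiles:
        for s in (p, p.group):
            if s is not None and all(s is not seen for seen in scopes):
                scopes.append(s)
    blocked = [s.name for s in scopes if not s.has_room(kind)]
    if blocked:
        return False, blocked
    for s in scopes:  # all profiles for the user are updated together
        s.active[kind] += 1
    return True, []

def demo():
    gold = Limits("gold-group", combined_max=3)        # constructed sample values
    admin = Profile("admin", ssh_max=5, group=gold)
    oper = Profile("oper", ssh_max=2, group=gold)
    user_profiles = [admin, oper]                      # one user holding two profiles
    results = [try_login(user_profiles, "ssh") for _ in range(3)]
    user_profiles.remove(oper)                         # lowest limit removed
    results.append(try_login(user_profiles, "ssh"))    # next limit is now honored
    results.append(try_login(user_profiles, "ssh"))    # group ceiling reached
    return results

if __name__ == "__main__":
    for admitted, blocked_by in demo():
        print("admitted" if admitted else "denied by " + ", ".join(blocked_by))
```

The third attempt is denied by the profile with the lowest limit; after that profile is removed, the next attempt succeeds and the following one is stopped by the group's combined ceiling.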