The no form of the command removes the string.
The shutdown command administratively disables the entity. When disabled, an entity does not change, reset, or remove any configuration settings or statistics. Many entities must be explicitly enabled using the no shutdown command. The operational state of the entity is disabled, as well as the operational state of any entities contained within. Many objects must be shut down before they may be deleted.
The no form of the command puts an entity into the administratively enabled state.
The no form of the command disables FTP servers running on the system.
hash-control [read-version {1 | 2 | all}] [write-version {1 | 2}]
Whenever the user executes a save or info command, the system will encrypt all passwords, MD5 keys, etc., for security reasons. At present, two algorithms exist.
This command enables CPM hardware queuing per peer. This means that when a peering session is established, the router will automatically allocate a separate CPM hardware queue for that peer.
The no form of the command disables CPM hardware queuing per peer.
When a source address is specified for the ptp application, the port-based 1588 hardware timestamping assist function will be applied to PTP packets matching the IPv4 address of the router interface used to ingress the SR/ESS or IP address specified in this command. If the IP address is removed, then the port-based 1588 hardware timestamping assist function will only be applied to PTP packets matching the IPv4 address of the router interface.
Values: cflowd, dns, ftp, ntp, ping, ptp, radius, snmptrap, sntp, ssh, syslog, tacplus, telnet, traceroute, mcreporter, icmp-error
Values: cflowd, dns, ftp, ntp, ping, radius, snmptrap, syslog, tacplus, telnet, traceroute, icmp6-error
The no form of the command disables Telnet servers running on the system.
The no form of the command disables Telnet IPv6 servers running on the system.
The no form of the command disables the rate limiting of the reply to these packets.
The no form of the command disables exponential-backoff.
The no form of the command reverts to the default value.
30 — Idle timeout set for 30 minutes.
When the disable option is specified, a session will never time out. To re-enable the idle timeout, enter the command without the disable option.
The no form of the command reverts to the default value.
The no form of the command reverts to the default value.
Values: 0 — 50 (default = 5), or 0 — N, where N is the new total number of SSH+Telnet sessions if they are scaled
The no form of the command causes only the configured pre-login-message and a generic login prompt to display.
motd {url url-prefix:source-url | text motd-text-string}
The no form of the command removes the message.
url url-prefix:source-url
The no form of the command reverts to the default value.
Only one message can be configured. If multiple pre-login-messages are configured, the last message entered overwrites the previous entry.
The no form of the command removes the message.
No pre-login-message is defined.
When the keyword name is defined, the configured system name is always displayed first in the login message. To remove the name from the login message, the message must be cleared and a new message entered without the name.
cipher index name cipher-name
no cipher index
Note: blowfish and des are not permitted in FIPS-140-2 mode.
Values: For SSHv2:
Client ciphers: 3des-cbc, blowfish-cbc, cast128-cbc, arcfour, aes128-cbc, aes192-cbc, aes256-cbc, rijndael-cbc, aes128-ctr, aes192-ctr, aes256-ctr
Server ciphers: 3des-cbc, blowfish-cbc, cast128-cbc, arcfour, aes128-cbc, aes192-cbc, aes256-cbc, rijndael-cbc, aes128-ctr, aes192-ctr, aes256-ctr
The following default ciphers are used for SSHv2:
Note: blowfish-cbc, cast128-cbc, arcfour, and rijndael-cbc are not permitted in FIPS-140-2 mode.
[no] disable-graceful-shutdown
The no form of the command disables graceful shutdown of SSH sessions.
The no form of the command specifies that the keys will be held in memory by the SSH server and are not restored following a system reboot.
[no] enable-graceful-shutdown
[no] management-access-filter
Management access filters control all traffic in and out of the CPM. They can be used to restrict management of the router by other nodes, either to specific (sub)networks or to designated ports.
The no form of the command removes management access filters from the configuration.
action {permit | deny | deny-host-unreachable}
The action keyword is required. If no action is defined, the filter is ignored. If multiple action statements are configured, the last one overwrites previously configured actions.
The default-action is applied to a packet that does not satisfy any match criteria in any of the management access filters. Whenever management access filters are configured, the default-action must be defined.
[no] dst-port value [mask]
The no form of the command removes the destination port match criterion.
This command is used to create or edit a management access IP(v4), IPv6, or MAC filter entry. Multiple entries can be created with unique entry-id numbers. The OS exits the filter upon the first match found and executes the actions according to the respective action command. For this reason, entries must be sequenced correctly from most to least explicit.
The no form of the command removes the specified entry from the management access filter.
Values: next-header: 0 — 255 (protocol numbers accepted in DHB); keywords: none, crtp, crudp, egp, eigrp, encap, ether-ip, gre, icmp, idrp, igmp, igp, ip, ipv6, ipv6-icmp, ipv6-no-nxt, isis, iso-ip, l2tp, ospf-igp, pim, pnni, ptp, rdp, rsvp, stp, tcp, udp, vrrp
[no] protocol protocol-id
The no form of the command removes the protocol from the match criteria.
port tcp/udp port-number [mask]
The no form of this command deletes the specified port match criterion.
The no form of the command removes the router name or service ID from the match criteria.
router-name — Specifies a router name up to 32 characters to be used in the match criteria.
service-id — Specifies an existing service ID to be used in the match criteria.
renum old-entry-number new-entry-number
The system exits on the first match found and executes the actions in accordance with the accompanying action command. This may require some entries to be renumbered so that they are sequenced from most to least explicit.
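The first-match, ascending entry-id evaluation described above, and the way renum changes which entry wins, as an added Python model that is not SR OS code; MafEntry, ManagementAccessFilter, the entry numbers and the sample packets are all constructed for illustration:

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


# Constructed model (not SR OS code) of a management-access-filter entry with
# the match criteria described on this page: src-ip prefix, dst-port, protocol.
@dataclass
class MafEntry:
    entry_id: int
    action: str                     # permit | deny | deny-host-unreachable
    src_ip: Optional[str] = None    # ip-prefix/mask, e.g. "10.1.2.0/24"
    dst_port: Optional[int] = None
    protocol: Optional[str] = None  # e.g. "tcp", "udp"

    def matches(self, pkt: dict) -> bool:
        # Every configured criterion must match; unset criteria match anything.
        if self.src_ip is not None:
            net = ipaddress.ip_network(self.src_ip, strict=False)
            if ipaddress.ip_address(pkt["src"]) not in net:
                return False
        if self.dst_port is not None and pkt.get("dst_port") != self.dst_port:
            return False
        if self.protocol is not None and pkt.get("proto") != self.protocol:
            return False
        return True


@dataclass
class ManagementAccessFilter:
    default_action: str             # required whenever a MAF is configured
    entries: List[MafEntry] = field(default_factory=list)

    def evaluate(self, pkt: dict) -> Tuple[str, Optional[int]]:
        # Entries are checked in ascending entry-id order; the first match wins.
        # A packet matching no entry gets the default-action (entry id None).
        for entry in sorted(self.entries, key=lambda e: e.entry_id):
            if entry.matches(pkt):
                return entry.action, entry.entry_id
        return self.default_action, None

    def renum(self, old_id: int, new_id: int) -> None:
        # Mirrors 'renum old-entry-number new-entry-number': move an entry so
        # that a more explicit rule is evaluated before a broader one.
        if any(e.entry_id == new_id for e in self.entries):
            raise ValueError(f"entry {new_id} already exists")
        for entry in self.entries:
            if entry.entry_id == old_id:
                entry.entry_id = new_id
                return
        raise KeyError(f"entry {old_id} not found")


# Constructed sample: the operator intended to allow SSH from the management
# subnet and deny everything else from 10.0.0.0/8, but numbered the broad deny
# before the specific permit, so entry 10 shadows entry 20.
def shadowed_filter() -> ManagementAccessFilter:
    return ManagementAccessFilter(
        default_action="deny",
        entries=[
            MafEntry(10, "deny", src_ip="10.0.0.0/8"),
            MafEntry(20, "permit", src_ip="10.1.2.0/24", dst_port=22, protocol="tcp"),
        ],
    )


SSH_FROM_MGMT = {"src": "10.1.2.5", "dst_port": 22, "proto": "tcp"}
TELNET_FROM_ELSEWHERE = {"src": "192.0.2.9", "dst_port": 23, "proto": "tcp"}


def fix_ordering(maf: ManagementAccessFilter) -> ManagementAccessFilter:
    # Renumber the explicit permit ahead of the broad deny (most to least explicit).
    maf.renum(20, 5)
    return maf


if __name__ == "__main__":
    maf = shadowed_filter()
    print(maf.evaluate(SSH_FROM_MGMT))          # ('deny', 10): the permit is shadowed
    fix_ordering(maf)
    print(maf.evaluate(SSH_FROM_MGMT))          # ('permit', 5)
    print(maf.evaluate(TELNET_FROM_ELSEWHERE))  # ('deny', None): default-action applied
```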
match [frame-type frame-type]
dot1p dot1p-value [dot1p-mask]
dsap dsap-value [dsap-mask]
dst-mac ieee-address [ieee-address-mask]
The no form of the command removes the previously entered etype field as the match criteria.
The no form of the command removes the criterion from the match criteria.
The no form of the command removes the snap-pid value as the match criteria.
src-mac ieee-address [ieee-address-mask]
The no form of the command removes the source mac as the match criteria.
ssap ssap-value [ssap-mask]
The no form of the command removes the ssap match criterion.
Values: service-id: 1 — 2147483647; svc-name: 64 characters maximum
This command restricts ingress management traffic to either the CPM/CCM Ethernet port or any other logical port (for example, a LAG) on the device.
The no form of the command reverts to the default value.
Values:
port-id: slot/mda/port[.channel]
encap-val: 0 for null; 0 — 4094 for dot1q
aps-id: aps-group-id[.channel] (aps keyword; group-id 1 — 64)
ccag-id: ccag-id.path-id[cc-type] (ccag keyword; id 1 — 8; path-id a, b; cc-type .sap-net, .net-sap; cc-id 0 — 4094)
lag-id: lag-id (lag keyword; id 1 — 800)
cpm: keyword
[no] src-ip {[ip-prefix/mask] | [ip-prefix] | ip-prefix-list prefix-list-name}
The no form of the command removes the source IP address match criterion.
Values: 1 — 32 (mask length), 0.0.0.0 — 255.255.255.255 (dotted decimal)
[no] src-ip {[ip-prefix/mask] | [ip-prefix] | ip-prefix-list prefix-list-name}
The no form of the command removes the source IPv6 address match criterion.
Values: 1 — 32 (mask length), 0.0.0.0 — 255.255.255.255 (dotted decimal)
NOTE: See the description for the enable-admin command on the next page. If the admin-password is configured in the config>system>security>password context, then any user can enter the special mode by entering the enable-admin command.
enable-admin is in the default profile. By default, all users are given access to this command.
Once the enable-admin command is entered, the user is prompted for a password. If the password matches, the user is given unrestricted access to all the commands.
The minimum length of the password is determined by the minimum-length command. The complexity requirements for the password are determined by the complexity command.
NOTE: The password argument of this command is not sent to the servers. This is consistent with other commands which configure secrets.
The no form of the command removes the admin password from the configuration.
NOTE: See the description for the admin-password command on the previous page. If the admin-password is configured in the config>system>security>password context, then any user can enter the special administrative mode by entering the enable-admin command.
enable-admin is in the default profile. By default, all users are given access to this command.
Once the enable-admin command is entered, the user is prompted for a password. If the password matches, the user is given unrestricted access to all the commands.
The minimum length of the password is determined by the minimum-length command. The complexity requirements for the password are determined by the complexity command.
A:ALA-1# show users
===============================================================================
User Type From Login time Idle time
===============================================================================
admin Console -- 10AUG2006 13:55:24 0d 19:42:22
admin Telnet 10.20.30.93 09AUG2006 08:35:23 0d 00:00:00 A
-------------------------------------------------------------------------------
Number of users : 2
'A' indicates user is in admin mode
===============================================================================
A:ALA-1#
A:ALA-1# enable-admin
MINOR: CLI Already in admin mode.
A:ALA-1#
The no form of the command reverts to the default value.
attempts count [time minutes1 [lockout minutes2]]
If multiple attempts commands are entered, each command overwrites the previously entered command.
The no attempts command resets all values to default.
count: 3
time minutes: 5
lockout minutes: 10
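The interaction of count, time and lockout in the attempts command, with the page's defaults of 3 / 5 / 10, as an added Python model that is not SR OS code; the LoginAttemptGuard class, user names and timestamps are constructed, and it assumes a sliding window of `time` minutes with the lockout timer starting at the failure that reaches `count`:

```python
from collections import defaultdict, deque
from typing import Deque, Dict


class LoginAttemptGuard:
    """Constructed model (not SR OS code) of 'attempts count [time minutes1
    [lockout minutes2]]': when `count` failed logins by one user fall within a
    window of `time_minutes`, the user is locked out for `lockout_minutes`.
    Defaults follow the page: count 3, time 5 minutes, lockout 10 minutes.
    Timestamps are plain seconds so the logic can be driven without a clock."""

    def __init__(self, count: int = 3, time_minutes: int = 5, lockout_minutes: int = 10):
        self.count = count
        self.window = time_minutes * 60
        self.lockout = lockout_minutes * 60
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, user: str, now: float) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Lockout expired: forget it and start counting afresh.
            del self._locked_until[user]
            self._failures[user].clear()
            return False
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Register a failed login; return True if the user is (now) locked out."""
        if self.is_locked(user, now):
            return True
        failures = self._failures[user]
        failures.append(now)
        # Only failures inside the sliding window count toward the threshold.
        while failures and now - failures[0] > self.window:
            failures.popleft()
        if len(failures) >= self.count:
            self._locked_until[user] = now + self.lockout
            failures.clear()
            return True
        return False

    def record_success(self, user: str, now: float) -> bool:
        """A correct password clears the failure history; returns False if the
        login must still be refused because the lockout is in force."""
        if self.is_locked(user, now):
            return False
        self._failures[user].clear()
        return True


def burst_then_wait() -> list:
    # Constructed scenario: three failures within two minutes trigger the lockout;
    # the account is still locked 9 minutes later and free again after 10.
    g = LoginAttemptGuard()
    return [
        g.record_failure("admin", 0),      # False
        g.record_failure("admin", 60),     # False
        g.record_failure("admin", 120),    # True: third failure inside 5 minutes
        g.is_locked("admin", 120 + 540),   # True: 9 minutes into the 10-minute lockout
        g.is_locked("admin", 120 + 600),   # False: lockout elapsed
    ]


def slow_failures() -> list:
    # Failures spread wider than the 5-minute window never reach the count.
    g = LoginAttemptGuard()
    return [g.record_failure("ops", t) for t in (0, 200, 500)]  # all False
```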
The no form of the command reverts to the default authentication sequence.
• exit-on-reject is configured and the user does not exist, the user will not be authenticated.
The no form of the command does not allow the user name to be used as the password.
credits [lowercase credits] [uppercase credits] [numeric credits] [special-character credits]
The no form of the command resets to default.
The no form of the command reverts to default value.
The no form of the command resets to default.
required [lowercase count] [uppercase count] [numeric count] [special-character count]
The no form of the command resets to default.
When tacplus-map-to-priv-lvl is enabled, and tacplus authorization is enabled with the use-priv-lvl option, typing enable-admin starts an interactive authentication exchange from the SR OS node to the TACACS+ server. The start message (service=enable) contains the user-id and the requested admin-priv-lvl. Successful authentication results in the use of a new profile (as configured under config>system>security>tacplus>priv-lvl-map).
[no] health-check [interval interval]
The no form of the command disables the periodic monitoring of the RADIUS and TACACS+ servers. In this case, the operational status for the active server will be up if the last access was successful.
minimum-age [days days] [hrs hours] [min minutes] [sec seconds]
The no form of the command reverts to default value.
This command creates a new ca-profile or enters the configuration context of an existing ca-profile. Up to 128 ca-profiles can be created in the system. A shutdown of the ca-profile will not affect an ipsec-tunnel or ipsec-gw that is currently up and running and associated with the ca-profile, but subsequent authentication will fail with a shutdown ca-profile.
Executing a no shutdown command in this context will cause the system to reload the configured cert-file and crl-file.
A ca-profile can be applied under the ipsec-tunnel or ipsec-gw configuration.
The no form of the command removes the name parameter from the configuration. A ca-profile cannot be removed until all of its associations (ipsec-tunnel/ipsec-gw) have been removed.
The no form of the command removes the filename from the configuration.
[no] accept-unprotected-errormsg
The no form of the command causes the system to only accept protected PKI error messages.
[no] accept-unprotected-pkiconf
The no form of the command causes the system to only accept protected PKI confirmation messages.
key password [hash | hash2] reference reference-number
The no form of the command removes the parameters from the configuration.
cmp-url url-string [service-id service-id]
If the service-id is 0 or omitted, the system will try to resolve the FQDN via the DNS server configured in bof.cfg. After resolution, the system will connect to the address in the management routing instance first, then in the base routing instance.
The no form of the command reverts to the default.
[no] same-recipnonce-for-pollreq
The no form of the command removes the filename from the configuration.
• BeforeExp — A warning message issued before a certificate expires
• AfterExp — A warning message issued when a certificate expires
This command specifies when the system will issue the BeforeExp message before a certificate expires. For example, with certificate-expiration-warning 5, the system will issue a BeforeExp message 5 hours before a certificate expires. An optional repeat <repeat-hour> parameter will enable the system to repeat the BeforeExp message every hour until the certificate expires.
If the user only wants AfterExp, then certificate-expiration-warning 0 can be used to achieve this.
BeforeExp and AfterExp warnings can be cleared in the following cases:
• The certificate is reloaded by the admin certificate reload command. In this case, if the reloaded file is not expired, then AfterExp is cleared, and if the reloaded file is outside of the configured warning window, then BeforeExp is also cleared.
• When the ca-profile/ipsec-gw/ipsec-tunnel/cert-profile is shut down, then the BeforeExp and AfterExp of the corresponding certificates are cleared.
• When no certificate-expiration-warning command is configured, then all existing BeforeExp and AfterExp warnings are cleared.
This command specifies when the system will issue the BeforeExp message before a CRL expires. For example, with certificate-expiration-warning 5, the system will issue a BeforeExp message 5 hours before a CRL expires. An optional repeat <repeat-hour> parameter will enable the system to repeat the BeforeExp message every hour until the CRL expires.
If the user only wants AfterExp, then certificate-expiration-warning 0 can be used to achieve this.
BeforeExp and AfterExp warnings can be cleared in the following cases:
• The CRL is reloaded by the admin certificate reload command. In this case, if the reloaded file is not expired, then AfterExp is cleared, and if the reloaded file is outside of the configured warning window, then BeforeExp is also cleared.
• When the ca-profile is shut down, then the BeforeExp and AfterExp of the corresponding certificates are cleared.
• When no crl-expiration-warning command is configured, then all existing BeforeExp and AfterExp warnings are cleared.
The no form of the command reverts to the default.
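The BeforeExp/AfterExp timing and the clearing rules above, which are the same for certificate-expiration-warning and crl-expiration-warning, as an added Python model that is not SR OS code; the function and class names, the sample expiry date, and the assumption that repeat re-issues BeforeExp from the first warning until expiry are constructed here:

```python
from datetime import datetime, timedelta
from typing import List, Optional, Set


def before_exp_schedule(not_after: datetime, warning_hours: int,
                        repeat_hours: Optional[int] = None) -> List[datetime]:
    """Times at which BeforeExp is issued for one certificate or CRL.
    warning_hours is the certificate-/crl-expiration-warning value; 0 means no
    BeforeExp at all (only AfterExp). With repeat, the message recurs every
    repeat_hours until the object expires (assumed interpretation of 'repeat')."""
    if warning_hours <= 0:
        return []
    times = [not_after - timedelta(hours=warning_hours)]
    if repeat_hours:
        t = times[0] + timedelta(hours=repeat_hours)
        while t < not_after:
            times.append(t)
            t += timedelta(hours=repeat_hours)
    return times


def warning_state(now: datetime, not_after: datetime, warning_hours: int) -> Optional[str]:
    """Which warning applies at `now`: 'AfterExp' once expired, 'BeforeExp'
    inside the warning window, None otherwise."""
    if now >= not_after:
        return "AfterExp"
    if warning_hours > 0 and now >= not_after - timedelta(hours=warning_hours):
        return "BeforeExp"
    return None


class ExpirationMonitor:
    """Tracks the active warnings for one object and applies the clearing rules
    listed on the page (reload, shutdown, removing the warning command)."""

    def __init__(self, warning_hours: int, repeat_hours: Optional[int] = None):
        self.warning_hours = warning_hours
        self.repeat_hours = repeat_hours
        self.active: Set[str] = set()

    def tick(self, now: datetime, not_after: datetime) -> Set[str]:
        state = warning_state(now, not_after, self.warning_hours)
        if state:
            self.active.add(state)
        return set(self.active)

    def reload(self, now: datetime, new_not_after: datetime) -> Set[str]:
        # admin certificate reload: a file that is not expired clears AfterExp;
        # a file outside the warning window also clears BeforeExp.
        if now < new_not_after:
            self.active.discard("AfterExp")
        if warning_state(now, new_not_after, self.warning_hours) != "BeforeExp":
            self.active.discard("BeforeExp")
        return set(self.active)

    def shutdown(self) -> Set[str]:
        # Shutting down the ca-profile/ipsec-gw/ipsec-tunnel/cert-profile clears both.
        self.active.clear()
        return set(self.active)

    def unconfigure(self) -> Set[str]:
        # 'no certificate-expiration-warning' / 'no crl-expiration-warning' clears both.
        return self.shutdown()


# Constructed sample: an object expiring at the start of 2030, warned 5 hours
# ahead with hourly repeats, as in the page's 'certificate-expiration-warning 5'.
NOT_AFTER = datetime(2030, 1, 1, 0, 0)


def demo_schedule() -> List[datetime]:
    return before_exp_schedule(NOT_AFTER, warning_hours=5, repeat_hours=1)


def demo_states() -> List[Optional[str]]:
    hours_before = (14, 3, -1)  # 14 h early, 3 h inside the window, 1 h after expiry
    return [warning_state(NOT_AFTER - timedelta(hours=h), NOT_AFTER, 5) for h in hours_before]


def demo_reload_clears_afterexp() -> List[Set[str]]:
    mon = ExpirationMonitor(warning_hours=5, repeat_hours=1)
    expired_now = NOT_AFTER + timedelta(hours=2)
    first = mon.tick(expired_now, NOT_AFTER)                            # {'AfterExp'}
    renewed = mon.reload(expired_now, NOT_AFTER + timedelta(days=365))  # set()
    return [first, renewed]
```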
The ca-profile in a shutdown state cannot be used in certificate authentication.
display type {cert | key | crl | cert-request} url-string format {pkcs10 | pkcs12 | pkcs7-der | pkcs7-pem | pem | der} [password [32 chars max]]
export type {cert | key | crl} input filename output url-string format output-format [password [32 chars max]] [pkey filename]
gen-keypair url-string [size {512 | 1024 | 2048}] [type {rsa | dsa}]
gen-local-cert-req keypair url-string subject-dn subject-dn [domain-name [255 chars max]] [ip-addr ip-address] file url-string [hash-alg hash-algorithm]
import type {cert | key | crl} input url-string output filename format input-format [password [32 chars max]]
reload type {cert | key | cert-key-pair} filename [key-file filename]
This command reloads an imported certificate or key file, or both at the same time. This command is typically used to update a certificate/key file without shutting down the ipsec-tunnel/ipsec-gw/cert-profile/ca-profile. Note that type cert and type key will be deprecated in a future release. Use type cert-key-pair instead.
• If cert and key configuration is used instead of cert-profile, then the tunnel will be brought down.
• If cert-profile is used, then the cert-profile will be brought down. The next authentication will fail, while the established tunnels are not affected.
In the case of type cert-key-pair, if the new file does not exist or is invalid, or cert and key do not match, then this command will abort with an error message.
config>system>security>profile user-profile-name>entry entry-id
config>system>security>profile user-profile-name>entry entry-id
The no form of this command removes a match condition.
copy {user source-user | profile source-profile} to destination [overwrite]
Note: permit-all does not change access to security commands. Security commands are only and always available to members of the super-user profile.
config>system>security>profile user-profile-name>entry entry-id
The description command associates a text string with a configuration context to help identify the context in the configuration file.
The no form of the command removes the string from the context.
More than one entry can be created with unique entry-id numbers. The system exits when the first match is found and executes the actions according to the accompanying action command. Entries should be sequenced from most explicit to least explicit.
The no form of the command removes the specified entry from the user profile.
[no] profile user-profile-name
Once the profiles are created, the user command assigns users to one or more profiles. You can define up to 16 user profiles, but a maximum of 8 profiles can be assigned to a user. The user-profile-name can consist of up to 32 alphanumeric characters.
The no form of the command deletes a user profile.
renum old-entry-number new-entry-number
[no] access [ftp] [snmp] [console] [li] [netconf]
The no form of the command removes access for a specific application.
no access denies permission for all management access methods. To deny a single access method, enter the no form of the command followed by the method to be denied; for example, no access FTP denies FTP access.
authentication {[none] | [[hash] {md5 key-1 | sha key-1} privacy {none | des-key | aes-128-cfb-key key-2}]}
When hash is not specified, non-encrypted characters can be entered. When hash is configured, all specified keys are stored in an encrypted format in the configuration file. The password must be entered in encrypted form when the hash parameter is used.
The sha authentication key is stored in an encrypted format. The minimum key length is determined by the config>system>security>password>minimum-length value. The maximum length is 20 octets (40 printable characters).
This command associates (or links) a user to a group name. The group name must be configured with the config>system>security>user>snmp>group command. The access command links the group with one or more views, security model(s), security level(s), and read, write, and notify permissions.
[no] cannot-change-password
copy {user source-user | profile source-profile} to destination [overwrite]
The no form of the command removes the configured home directory.
[no] login-exec url-prefix:source-url
Only one exec file can be configured. If multiple login-exec commands are entered for the same user, each subsequent entry overwrites the previous entry.
The no form of the command disables the login exec file for the user.
member user-profile-name [user-profile-name…]
The no form of this command deletes a user's access to a profile.
[no] new-password-at-login
The no form of the command does not force the user to change passwords.
config>system>security>user# password testuser1
config>system>security# user testuser1
config>system>security>user$ password xyzabcd1
config>system>security>user# exit
config>system>security# info
-------------------------------------
...
user "testuser1"
password "$2y$10$pFoehOg/tCbBMPDJ/kqpu.8af0AoVGY2xsR7WFqyn5fVTnwRzGmOK"
exit
...
-------------------------------------
config>system>security#
The password command allows you also to enter the password as a hashed value.
config>system>security# user testuser1
config>system>security>user$ password "$2y$10$pFoehOg/tCbBMPDJ/kqpu.8af0AoVGY2xsR7WFqyn5fVTnwRzGmOK"
config>system>security>user# exit
config>system>security# info
-------------------------------------
...
user "testuser1"
password "$2y$10$pFoehOg/tCbBMPDJ/kqpu.8af0AoVGY2xsR7WFqyn5fVTnwRzGmOK"
exit
...
-------------------------------------
config>system>security#
For example: config>system>security>user# password "south#bay?"
To insert # or ? characters, they must be entered inside a notepad or clipboard program and then cut and pasted into the Telnet session in the password field, which is enclosed in double quotes as the delimiters for the password.
If a password is entered without any parameters, a password length of zero is implied: (carriage return).
The no form of the command allows the user access to navigate to directories above their home directory.
If a new user-name is entered, the user is created. When an existing user-name is specified, the user parameters can be edited.
When creating a new user and then entering the info command, the system displays a password in the output. This is expected behavior in the hash2 scenario. However, when using that user name, no password will be required: the user can log in to the system by pressing <ENTER> at the password prompt.
The no form of the command deletes the user and all configuration data. Users cannot delete themselves.
[no] cli-session-group session-group-name [create]
The no form of this command disables the command and the profile/group limit is not applied to the number of combined sessions.
The no form of this command disables RADIUS accounting.
The no form of the command reverts to the default value.
1812 (as specified in RFC 2865, Remote Authentication Dial In User Service (RADIUS))
The no form of the command removes the RADIUS configuration.
The no form of the command reverts to the default value.
server index address ip-address secret key [hash | hash2]
The no form of the command removes the server from the configuration.
Specifies that the key is entered in a more complex encrypted form. If the hash2 parameter is not used, the less encrypted hash form is assumed.
This command administratively disables the RADIUS protocol operation. Shutting down the protocol does not remove or change the configuration other than the administrative state.
The no form of the command administratively enables the protocol which is the default state.
The no form of the command reverts to the default value.
[no] use-default-template
server index address ip-address secret key [port port]
The no form of the command removes the server from the configuration.
Specifies that the key is entered in a more complex encrypted form. If the hash2 parameter is not used, the less encrypted hash form is assumed.
This command administratively disables the TACACS+ protocol operation. Shutting down the protocol does not remove or change the configuration other than the administrative state.
The no form of the command administratively enables the protocol which is the default state.
The no form of the command removes the TACACS+ configuration.
This command configures the type of accounting record packet that is to be sent to the TACACS+ server. The record-type parameter indicates whether TACACS+ accounting start and stop packets are sent, or just stop packets.
Specifies that a TACACS+ start packet is sent whenever the user executes a command.
Specifies that a stop packet is sent whenever the command execution is complete.
[no] authorization [use-priv-lvl]
This configuration instructs SR OS to send neither a username nor a password in the TACACS+ start message, and to display the server_msg in the GETUSER and GETPASS responses from the TACACS+ server. Interactive authentication can be used to support a One Time Password scheme (e.g., S/Key). An example flow (e.g., with a telnet connection) is as follows:
• SR OS displays the server_msg (which may contain, for example, an S/Key for One Time Password operation), and collects the password.
→ the password in the user_msg field (note: this is non-standard but does not cause interoperability problems).
The no form of the command reverts to the default value.
This command administratively disables the TACACS+ protocol operation. Shutting down the protocol does not remove or change the configuration other than the administrative state.
The no form of the command administratively enables the protocol which is the default state.
[no] use-default-template
The no form of the command removes the 802.1x configuration.
NOTE: The RADIUS server configured under the config>system>security>dot1x>radius-plcy context authenticates clients who get access to the data plane of the router, as opposed to the RADIUS server configured under the config>system>radius context, which authenticates CLI login users who get access to the management plane of the router.
The no form of the command removes the RADIUS server configuration for 802.1x.
The no form of the command reverts to the default value.
server server-index address ip-address secret key [hash | hash2] [auth-port auth-port] [acct-port acct-port] [type server-type]
The no form of the command removes the server from the configuration.
Specifies that the key is entered in a more complex encrypted form. If the hash2 parameter is not used, the less encrypted hash form is assumed.
The no form of the command reverts to the default value.
The no form of the command administratively enables the protocol which is the default state.
The no form of the command reverts to the default value.
[no] keychain keychain-name
The no form of the command removes the keychain nodal context and everything under it from the configuration. If the keychain to be removed is in use when the no keychain command is entered, the command will not be accepted and an error indicating that the keychain is in use will be printed.
entry entry-id key [authentication-key | hash-key | hash2-key] [hash | hash2] algorithm algorithm
The no form of the command removes the entry from the keychain. If the entry is the active entry for sending, then this will cause a new active key to be selected (if one is available using the youngest key rule). If it is the ONLY possible send key, then the system will reject the command with an error indicating the configured key is the only available send key.
The no form of the command deletes the entry.
Specifies the authentication-key that will be used by the encryption algorithm. The key is used to sign and authenticate a protocol packet.
The authentication-key can be any combination of letters or numbers.
Specifies that the key is entered in a more complex encrypted form.
begin-time [date] [hours-minutes] [UTC] [now] [forever]
end-time [date] [hours-minutes] [UTC] [now] [forever]
option {basic | isis-enhanced}
The no form of the command removes all authorizations for the VSD server.
The no form of this command configures scripts to execute with no restrictions and without performing authorization.
The no form of the command disables the CPM filter.
action [accept | drop | queue queue-id]
The no form of the command deletes the log ID.
match [protocol protocol-id]
A match context may consist of multiple match criteria, but multiple match statements cannot be entered per entry.
The no form of the command removes the match criteria for the entry-id.
Values: 1 — 255 (values can be expressed in decimal, hexadecimal, or binary); keywords: none, crtp, crudp, egp, eigrp, encap, ether-ip, gre, icmp, idrp, igmp, igp, ip, ipv6, ipv6-frag, ipv6-icmp, ipv6-no-nxt, ipv6-opts, ipv6-route, isis, iso-ip, l2tp, ospf-igp, pnni, ptp, rdp, rsvp, stp, tcp, udp, vrrp; * — udp/tcp wildcard
match [next-header next-header]
The no form of this command removes the match criteria for the entry-id.
Values: next-header: 1 — 42, 45 — 49, 52 — 59, 61 — 255 (protocol numbers accepted in DHB); keywords: none, crtp, crudp, egp, eigrp, encap, ether-ip, gre, icmp, idrp, igmp, igp, ip, ipv6, ipv6-icmp, ipv6-no-nxt, isis, iso-ip, l2tp, ospf-igp, pim, pnni, ptp, rdp, rsvp, stp, tcp, udp, vrrp; * — udp/tcp wildcard
The action keyword is required. If no action is defined, the filter is ignored. If multiple action statements are configured, the last one overwrites previously configured actions.
The default-action is applied to a packet that does not satisfy any match criteria in any of the management access filters. Whenever management access filters are configured, the default-action must be defined.
The no form of the command removes the DSCP match criterion.
dst-ip ipv6-address/prefix-length
The no form of the command removes the destination IP address match criterion.
dst-ip [ipv6-address /prefix-length] [ipv6-prefix-list ipv6-prefix-list-name]
The no form of the command removes the destination IP address match criterion.
config>sys>sec>cpm>ip-filter>entry>match
The no form of the command removes the destination port match criterion.
The no form of the command removes the match criterion.
Specifies to match on all non-fragmented IP packets. Non-fragmented IP packets are packets that have the MF bit set to zero and have the Fragment Offset field also set to zero. For IPv6, a packet matches if it does not contain an IPv6 Fragmentation Extension Header.
The no form of this command ignores Hop-by-Hop Options Extension Header presence/absence in a packet when evaluating match criteria of a given filter policy entry.
The behavior of the icmp-code value is dependent on the configured icmp-type value, thus a configuration with only an icmp-code value specified will have no effect. To match on the icmp-code, an associated icmp-type must also be specified.
The no form of the command removes the criterion from the match entry.
The no form of the command removes the criterion from the match entry.
The no form of the command removes the match criterion.
The no form of the command removes the checking of the number of option fields in the IP header as a match criterion.
The no form of the command removes the checking of the option field in the IP header as a match criterion.
router-name — Specifies a router name up to 32 characters to be used in the match criteria.
service-id — Specifies an existing service ID to be used in the match criteria.
src-ip [ip-address/mask | ip-prefix-list prefix-list-name]
The no form of the command removes the source IP address match criterion.
src-ip [ip-address/mask | ipv6-prefix-list ipv6-prefix-list-name]
The no form of the command removes the source IP address match criterion.
The no form of the command removes the criterion from the match entry.
The no form of the command removes the criterion from the match entry.
renum old-entry-id new-entry-id
The no form of this command disables the filter.
The no form of the command disables TTL security.
The no form of the command disables TTL security.
The no form of the command disables TTL security.
policy cpu-protection-policy-id [create]
The no form of the command deletes the specified policy from the configuration.
The no form of the command disables the notifications.
entry <entry>
levels <levels>
opcodes <opcodes>
rate <packet-rate-limit>
The no form of the command reverses the match and rate criteria configured.
The no form of the command sets out-profile-rate parameter back to the default value.
3000 for cpu-protection-policy-id 1-253
6000 for cpu-protection-policy-id 254 (default access interface policy)
3000 for cpu-protection-policy-id 255 (default network interface policy)
The no form of the command sets overall-rate parameter back to the default value.
max for cpu-protection-policy-id 1-253
6000 for cpu-protection-policy-id 254 (default access interface policy)
max for cpu-protection-policy-id 255 (default network interface policy)
This command configures a per-source packet arrival rate limit. Use this command to apply a packet arrival rate limit on a per-source basis. A source is defined as a unique combination of SAP and MAC source address (mac-monitoring) or SAP and source IP address (ip-src-monitoring). The CPU will receive no more than the configured packet rate from each source (for ip-src-monitoring, only the protocols configured under include-protocols in the cpu-protection policy are rate limited). The measurement is cleared each second.
This parameter is only applicable if the policy is assigned to an interface (some examples include SAPs, subscriber-interfaces, and spoke-sdps), and the mac-monitoring or ip-src-monitoring keyword is specified in the cpu-protection configuration of that interface.
The no form of the command reverts to the default values.
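The per-source limit described above, modelled as an added example (not the vendor's code): sources are keyed on SAP plus source MAC or SAP plus source IP, counts are cleared at each one-second boundary, and in ip-src-monitoring mode only the included protocols are limited. The packet dictionaries and field names are constructed for the example.

```python
from collections import defaultdict


class PerSourceRateLimiter:
    """Model of the per-source packet arrival rate limit.

    mode "mac": a source is (sap, source MAC), every protocol is limited.
    mode "ip":  a source is (sap, source IP); only protocols listed in
                include_protocols are limited, everything else passes.
    The per-source measurement is cleared each second.
    """

    def __init__(self, per_source_rate, mode="mac", include_protocols=()):
        self.rate = per_source_rate            # packets per second per source
        self.mode = mode
        self.include = set(include_protocols)
        self._window = None                    # integer second being counted
        self._counts = defaultdict(int)

    def _key(self, pkt):
        # Constructed packet layout: dict with sap, src_mac, src_ip, proto.
        if self.mode == "mac":
            return (pkt["sap"], pkt["src_mac"])
        return (pkt["sap"], pkt["src_ip"])

    def accept(self, pkt, now):
        """Return True if the CPU receives pkt, False if it is dropped."""
        sec = int(now)
        if sec != self._window:                # measurement cleared each second
            self._window = sec
            self._counts.clear()
        if self.mode == "ip" and pkt["proto"] not in self.include:
            return True                        # not a rate-limited protocol
        key = self._key(pkt)
        if self._counts[key] >= self.rate:
            return False                       # source already at its limit
        self._counts[key] += 1
        return True


def run(limiter, packets):
    """Feed (arrival_time, pkt) tuples in order; return the accepted count."""
    return sum(1 for t, p in packets if limiter.accept(p, t))
```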
The configuration of no cpu-protection returns the interface to the default policies as shown above.
The no form of the command reverts to the default values.
cpu-protection policy-id [mac-monitoring] | [eth-cfm-monitoring [aggregate] [car]] | [ip-src-monitoring]
The no form of the command reverts to the default values.
cpu-protection policy-id [mac-monitoring] | [eth-cfm-monitoring [aggregate] [car]]
The no form of the command reverts to the default values.
The configuration of no cpu-protection returns the SAP/SDP/template to the default policies as shown above.
rate kbps kilobits-per-second | max [mbs size] [bytes | kilobytes]
When a policer is declared as in an “exceed” state, it will remain as exceeding until a contiguous conformant period of detection-time passes. The detection-time only starts after the exceed-action hold-down is complete. If the policer detects another exceed during the detection countdown, then a hold-down is once again triggered before the policer re-enters the detection time (that is, the countdown timer starts again at the configured value). During the hold-down (and the detection-time), the policer is considered as in an “exceed” state.
The hold-down is cleared approximately the configured number of seconds after it was set. The hold-down seconds option should be selected for protocols that receive more than one packet in a complete handshake/negotiation (for example, DHCP, PPP). hold-down is not applicable to a local monitoring policer. The detection-time will only start after any hold-down is complete. During the hold-down (and the detection-time), the policer is considered as in an “exceed” state. The policer may re-enter the hold-down state if an exceed packet is detected during the detection-time countdown. The allowed values are [none | 1..10080 | indefinite].
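The exceed, hold-down and detection-time interplay described in the two paragraphs above, as an added example (not the vendor's implementation): an exceed starts the hold-down, the detection countdown begins only when the hold-down ends, a further exceed during the countdown restarts both, and only a full contiguous detection-time returns the policer to conformance. Time is a plain seconds value supplied by the caller.

```python
from dataclasses import dataclass
from typing import Optional, Union

INDEFINITE = "indefinite"


@dataclass
class PolicerExceedTracker:
    """Tracks one policer's exceed / hold-down / detection-time state.

    hold_down: None (no hold-down), 1..10080 seconds, or INDEFINITE.
    detection_time: seconds of contiguous conformance needed before the
    policer is reported as conformant again.
    """
    hold_down: Union[None, int, str] = None
    detection_time: int = 30
    _hold_down_end: Optional[float] = None   # when the active hold-down ends
    _detect_end: Optional[float] = None      # when the detection countdown ends
    _indefinite: bool = False

    def __post_init__(self):
        ok = self.hold_down is None or self.hold_down == INDEFINITE or (
            isinstance(self.hold_down, int) and 1 <= self.hold_down <= 10080)
        if not ok:
            raise ValueError("hold-down must be none, 1..10080 or indefinite")

    def report_exceed(self, now: float) -> None:
        """Record a non-conformant (exceed) detection at time `now`."""
        if self.hold_down == INDEFINITE:
            self._indefinite = True          # never returns to conform
            self._detect_end = None
            return
        hold = self.hold_down or 0
        # A new exceed (re)starts the hold-down; the detection countdown is
        # reset to its full configured value and begins after the hold-down.
        self._hold_down_end = now + hold
        self._detect_end = self._hold_down_end + self.detection_time

    def state(self, now: float) -> str:
        """Return 'hold-down', 'detection' or 'conform' for time `now`."""
        if self._indefinite:
            return "hold-down"
        if self._hold_down_end is not None and now < self._hold_down_end:
            return "hold-down"
        if self._detect_end is not None and now < self._detect_end:
            return "detection"
        return "conform"

    def is_exceeding(self, now: float) -> bool:
        # Both hold-down and detection-time count as the exceed state.
        return self.state(now) != "conform"
```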
This command configures a monitoring policer that is used to monitor the aggregate rate of several protocols arriving on an object (for example, a SAP). When the local-monitoring-policer is determined to be in a non-conformant state (at the end of a minimum monitoring time of 60 seconds), the system will attempt to allocate dynamic policers for the particular object for any protocols associated with the local monitor (for example, via the “protocol xyz enforcement” CLI command).
Once this policer-name is referenced by a protocol then this policer will be instantiated for each “object” that is created and references this DDoS policy. If there is no policer free then the object will be blocked from being created.