system commands

configure 
system 
alarms 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
max-cleared number
allow-boot-license-violations boolean
apply-groups reference
apply-groups-exclude reference
boot-bad-exec url
boot-good-exec url
clli-code clli-description
congestion-management boolean
contact description
coordinates description
cron 
apply-groups reference
apply-groups-exclude reference
schedule named-item owner named-item 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
count number
day-of-month number
description description
end-time 
date-and-time date-and-time
day keyword
time hours-minutes-twenty-four
hour number
interval number
minute number
month (keyword | number)
script-policy 
name named-item
owner named-item
type keyword
weekday (keyword | number)
dhcp6 
adv-noaddrs-global keyword
apply-groups reference
apply-groups-exclude reference
dns 
address-pref keyword
apply-groups reference
apply-groups-exclude reference
dnssec 
ad-validation keyword
grpc 
admin-state keyword
allow-unsecure-connection 
apply-groups reference
apply-groups-exclude reference
delay-on-boot number
gnmi 
admin-state keyword
auto-config-save boolean
proto-version keyword
gnoi 
cert-mgmt 
admin-state keyword
file 
admin-state keyword
system 
admin-state keyword
listening-port number
max-msg-size number
md-cli 
admin-state keyword
tcp-keepalive 
admin-state keyword
idle-time number
interval number
retries number
tls-server-profile reference
grpc-tunnel 
apply-groups reference
apply-groups-exclude reference
delay-on-boot number
destination-group named-item 
allow-unsecure-connection 
apply-groups reference
apply-groups-exclude reference
description description
destination (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name) port number 
apply-groups reference
apply-groups-exclude reference
local-source-address (ipv4-address-no-zone | ipv6-address-no-zone)
originated-qos-marking keyword
router-instance string
tcp-keepalive 
admin-state keyword
idle-time number
interval number
retries number
tls-client-profile reference
tunnel named-item 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
description description
destination-group reference
handler named-item 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
port number
target-type 
custom-type string
grpc-server 
ssh-server 
target-name 
custom-string named-item-64
node-name 
user-agent 
icmp-vse boolean
ip 
apply-groups reference
apply-groups-exclude reference
buffer-unresolved-packets boolean
enforce-unique-if-index boolean
forward-6in4 boolean
forward-ip-over-gre boolean
ipv6-eh keyword
lacp 
apply-groups reference
apply-groups-exclude reference
system-priority number
lldp 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
message-fast-tx number
message-fast-tx-init number
notification-interval number
reinit-delay number
tx-credit-max number
tx-hold-multiplier number
tx-interval number
load-balancing 
apply-groups reference
apply-groups-exclude reference
l4-load-balancing boolean
lsr-load-balancing keyword
service-id-lag-hashing boolean
location description
login-control 
apply-groups reference
apply-groups-exclude reference
exponential-backoff boolean
ftp 
inbound-max-sessions number
idle-timeout (keyword | number)
login-banner boolean
login-scripts 
global-script string-not-all-spaces
per-user-script 
file-name filename
user-directory string-not-all-spaces
motd 
text string-not-all-spaces
url string-not-all-spaces
pre-login-message 
message string-not-all-spaces
name boolean
ssh 
graceful-shutdown boolean
inbound-max-sessions number
max-channels-per-connection number
outbound-max-sessions number
ttl-security number
telnet 
graceful-shutdown boolean
inbound-max-sessions number
outbound-max-sessions number
ttl-security number
management-interface 
apply-groups reference
apply-groups-exclude reference
cli 
apply-groups reference
apply-groups-exclude reference
classic-cli 
allow-immediate boolean
rollback 
apply-groups reference
apply-groups-exclude reference
local-checkpoints number
location url
remote-checkpoints number
rescue 
location url
cli-engine keyword
md-cli 
apply-groups reference
apply-groups-exclude reference
auto-config-save boolean
environment 
command-alias 
alias string 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
cli-command string
description string-not-all-spaces
mount-point (keyword | string) 
command-completion 
enter boolean
space boolean
tab boolean
commit-options 
comment boolean
confirm boolean
console 
length number
width number
history 
recall boolean
size number
info-output 
always-display 
admin-state boolean
message-severity-level 
cli keyword
more boolean
progress-indicator 
admin-state keyword
delay number
type keyword
prompt 
context boolean
newline boolean
timestamp boolean
uncommitted-changes-indicator boolean
python 
memory-reservation number
minimum-available-memory number
timeout number
time-display keyword
time-format keyword
commit-history number
configuration-mode keyword
configuration-save 
apply-groups reference
apply-groups-exclude reference
configuration-backups number
incremental-saves boolean
netconf 
apply-groups reference
apply-groups-exclude reference
auto-config-save boolean
call-home 
device-labels 
advertise-operating-system boolean
advertise-software-version boolean
advertise-system-name boolean
apply-groups reference
apply-groups-exclude reference
device-label string
netconf-client named-item 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
connection-type keyword
delay-on-boot number
description description
remote-address (ipv4-address-no-zone | ipv6-address-no-zone)
remote-port number
router-instance string
transport keyword
capabilities 
candidate boolean
listen 
admin-state keyword
delay-on-boot number
port number
operations 
apply-groups reference
apply-groups-exclude reference
global-timeouts 
asynchronous-execution (number | keyword)
asynchronous-retention (number | keyword)
synchronous-execution (number | keyword)
remote-management 
admin-state keyword
allow-unsecure-connection 
apply-groups reference
apply-groups-exclude reference
client-tls-profile reference
connection-timeout number
delay-on-boot number
device-label named-item-64
device-name named-item-64
hello-interval number
manager named-item-64 
admin-state keyword
allow-unsecure-connection 
apply-groups reference
apply-groups-exclude reference
client-tls-profile reference
connection-timeout number
description description
device-label named-item-64
device-name named-item-64
manager-address (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name)
manager-port number
router-instance string
source-address (ipv4-address-no-zone | ipv6-address-no-zone)
source-port (number | keyword)
router-instance string
source-address (ipv4-address-no-zone | ipv6-address-no-zone)
source-port (number | keyword)
schema-path url
snmp 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
engine-id engine-id-as-string
general-port number
max-bulk-duration number
packet-size number
streaming 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
transport keyword
yang-modules 
apply-groups reference
apply-groups-exclude reference
nmda 
nmda-support boolean
nokia-combined-modules boolean
nokia-submodules boolean
name named-item-64
network-element-discovery 
apply-groups reference
apply-groups-exclude reference
generate-traps boolean
profile named-item 
apply-groups reference
apply-groups-exclude reference
neid string
neip 
apply-groups reference
apply-groups-exclude reference
auto-generate 
ipv4 
vendor-id-value number
ipv6 
vendor-id-value number
ipv4 ipv4-unicast-address
ipv6 ipv6-address
platform-type named-item-255
system-mac mac-unicast-address-no-zero
vendor-id named-item-255
ospf-dynamic-hostnames boolean
persistence 
ancp 
apply-groups reference
apply-groups-exclude reference
description description
location keyword
apply-groups reference
apply-groups-exclude reference
dhcp-server 
apply-groups reference
apply-groups-exclude reference
description description
location keyword
nat-port-forwarding 
apply-groups reference
apply-groups-exclude reference
description description
location keyword
script-control 
apply-groups reference
apply-groups-exclude reference
script named-item owner named-item 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
description description
location string-not-all-spaces
script-policy named-item owner named-item 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
expire-time (number | keyword)
lifetime (number | keyword)
lock-override boolean
max-completed number
python-lifetime number
python-script 
results string-not-all-spaces
script 
name named-item
owner named-item
security 
aaa 
apply-groups reference
apply-groups-exclude reference
cli-session-group named-item 
apply-groups reference
apply-groups-exclude reference
combined-max-sessions number
description description
ssh-max-sessions number
telnet-max-sessions number
health-check (number | keyword)
local-profiles 
apply-groups reference
apply-groups-exclude reference
profile named-item 
apply-groups reference
apply-groups-exclude reference
cli-session-group reference
combined-max-sessions number
default-action keyword
entry number 
action keyword
apply-groups reference
apply-groups-exclude reference
description description
match display-string
grpc 
rpc-authorization 
gnmi-capabilities keyword
gnmi-get keyword
gnmi-set keyword
gnmi-subscribe keyword
gnoi-cert-mgmt-cangenerate keyword
gnoi-cert-mgmt-getcert keyword
gnoi-cert-mgmt-install keyword
gnoi-cert-mgmt-revoke keyword
gnoi-cert-mgmt-rotate keyword
gnoi-file-get keyword
gnoi-file-put keyword
gnoi-file-remove keyword
gnoi-file-stat keyword
gnoi-file-transfertoremote keyword
gnoi-system-cancelreboot keyword
gnoi-system-ping keyword
gnoi-system-reboot keyword
gnoi-system-rebootstatus keyword
gnoi-system-setpackage keyword
gnoi-system-switchcontrolprocessor keyword
gnoi-system-time keyword
gnoi-system-traceroute keyword
md-cli-session keyword
netconf 
base-op-authorization 
action boolean
cancel-commit boolean
close-session boolean
commit boolean
copy-config boolean
create-subscription boolean
delete-config boolean
discard-changes boolean
edit-config boolean
get boolean
get-config boolean
get-data boolean
get-schema boolean
kill-session boolean
lock boolean
validate boolean
ssh-max-sessions number
telnet-max-sessions number
management-interface 
apply-groups reference
apply-groups-exclude reference
md-cli 
command-accounting-during-load boolean
output-authorization 
md-interfaces boolean
telemetry-data boolean
telemetry-default-user reference
remote-servers 
apply-groups reference
apply-groups-exclude reference
ldap 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
public-key-authentication boolean
route-preference keyword
server number 
address (ipv4-address-no-zone | ipv6-address-no-zone) 
apply-groups reference
apply-groups-exclude reference
port number
admin-state keyword
apply-groups reference
apply-groups-exclude reference
bind-authentication 
password encrypted-leaf
root-dn string-not-all-spaces
search 
base-dn string-not-all-spaces
server-name named-item
tls-profile reference
server-retry number
server-timeout number
use-default-template boolean
radius 
access-algorithm keyword
accounting boolean
accounting-port number
admin-state keyword
apply-groups reference
apply-groups-exclude reference
authorization boolean
interactive-authentication boolean
port number
route-preference keyword
server number 
address (ipv4-address-no-zone | ipv6-address-no-zone)
apply-groups reference
apply-groups-exclude reference
authenticator keyword
secret encrypted-leaf
tls-client-profile reference
server-retry number
server-timeout number
use-default-template boolean
tacplus 
accounting 
record-type keyword
admin-control 
tacplus-map-to-priv-lvl number
admin-state keyword
apply-groups reference
apply-groups-exclude reference
authorization 
request-format 
access-operation-cmd keyword
use-priv-lvl boolean
ignore-unknown-mandatory-vsas boolean
interactive-authentication boolean
priv-lvl-map 
apply-groups reference
apply-groups-exclude reference
priv-lvl number 
apply-groups reference
apply-groups-exclude reference
user-profile-name reference
route-preference keyword
server number 
address (ipv4-address-no-zone | ipv6-address-no-zone)
apply-groups reference
apply-groups-exclude reference
port number
secret encrypted-leaf
server-retry-timeout (number | keyword)
server-timeout number
service-request 
nokia-grpc-rpc-authorization boolean
nokia-netconf-base-op-authorization boolean
nokia-user boolean
nokia-user-profile boolean
use-default-template boolean
vprn-server 
apply-groups reference
apply-groups-exclude reference
inband reference
outband reference
vprn reference
user-template keyword 
access 
bluetooth boolean
console boolean
console-port-cli boolean
ftp boolean
grpc boolean
netconf boolean
scp-sftp boolean
ssh-cli boolean
telnet-cli boolean
apply-groups reference
apply-groups-exclude reference
console 
login-exec string-not-all-spaces
home-directory cflash-without-slot-url
profile named-item
restricted-to-home boolean
save-when-restricted boolean
apply-groups reference
apply-groups-exclude reference
cli-script 
apply-groups reference
apply-groups-exclude reference
authorization 
cron 
cli-user reference
event-handler 
cli-user reference
dist-cpu-protection 
apply-groups reference
apply-groups-exclude reference
policy named-item 
apply-groups reference
apply-groups-exclude reference
description description
local-monitoring-policer named-item 
apply-groups reference
apply-groups-exclude reference
description description
exceed-action keyword
log-events keyword
rate 
kbps 
limit (keyword | number)
mbs number
packets 
initial-delay number
limit (keyword | number)
within number
protocol keyword 
apply-groups reference
apply-groups-exclude reference
dynamic-parameters 
detection-time number
exceed-action 
action keyword
hold-down (keyword | number)
log-events keyword
rate 
kbps 
limit (keyword | number)
mbs number
packets 
initial-delay number
limit (keyword | number)
within number
enforcement 
dynamic 
mon-policer-name reference
dynamic-local-mon-bypass 
static 
policer-name reference
static-policer named-item 
apply-groups reference
apply-groups-exclude reference
description description
detection-time number
exceed-action 
action keyword
hold-down (keyword | number)
log-events keyword
rate 
kbps 
limit (keyword | number)
mbs number
packets 
initial-delay number
limit (keyword | number)
within number
type keyword
ftp-server boolean
hash-control 
apply-groups reference
apply-groups-exclude reference
management-interface 
classic-cli 
read-algorithm keyword
write-algorithm keyword
grpc 
hash-algorithm keyword
md-cli 
hash-algorithm keyword
netconf 
hash-algorithm keyword
keychains 
keychain named-item 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
bidirectional 
entry number 
admin-state keyword
algorithm keyword
apply-groups reference
apply-groups-exclude reference
authentication-key encrypted-leaf
begin-time date-and-time
option keyword
tolerance (number | keyword)
description description
receive 
entry number 
admin-state keyword
algorithm keyword
apply-groups reference
apply-groups-exclude reference
authentication-key encrypted-leaf
begin-time date-and-time
end-time date-and-time
tolerance (number | keyword)
send 
entry number 
admin-state keyword
algorithm keyword
apply-groups reference
apply-groups-exclude reference
authentication-key encrypted-leaf
begin-time date-and-time
tcp-option-number 
receive keyword
send keyword
management 
allow-ftp boolean
allow-grpc boolean
allow-netconf boolean
allow-ssh boolean
allow-telnet boolean
allow-telnet6 boolean
apply-groups reference
apply-groups-exclude reference
management-access-filter 
apply-groups reference
apply-groups-exclude reference
ip-filter 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
default-action keyword
entry number 
action keyword
apply-groups reference
apply-groups-exclude reference
description description
log-events boolean
match 
dst-port 
mask number
port number
mgmt-port 
cpm 
lag lag-interface
port-id port
protocol (number | keyword)
router-instance string
src-ip 
address (ipv4-prefix | ipv4-address)
ip-prefix-list reference
mask ipv4-address
src-port 
mask number
port number
ipv6-filter 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
default-action keyword
entry number 
action keyword
apply-groups reference
apply-groups-exclude reference
description description
log-events boolean
match 
dst-port 
mask number
port number
flow-label number
mgmt-port 
cpm 
lag lag-interface
port-id port
next-header (number | keyword)
router-instance string
src-ip 
address (ipv6-prefix | ipv6-address)
ipv6-prefix-list reference
mask ipv6-address
src-port 
mask number
port number
mac-filter 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
default-action keyword
entry number 
action keyword
apply-groups reference
apply-groups-exclude reference
description description
log-events boolean
match 
dot1p 
mask number
priority number
dst-mac 
address mac-address
mask mac-address
etype etype-value
frame-type keyword
llc-dsap 
dsap number
mask number
llc-ssap 
mask number
ssap number
service service-name
snap-oui keyword
snap-pid number
src-mac 
address mac-address
mask mac-address
pki 
apply-groups reference
apply-groups-exclude reference
ca-profile named-item 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
auto-crl-update 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
crl-urls 
url-entry number 
apply-groups reference
apply-groups-exclude reference
transmission-profile reference
url http-url-path-loose
periodic-update-interval number
pre-update-time number
retry-interval number
schedule-type keyword
cert-file pki-file-name
cmpv2 
accept-unprotected-message 
error-message boolean
pkiconf-message boolean
always-set-sender-for-ir boolean
http 
response-timeout number
version keyword
key-list 
key display-string 
apply-groups reference
apply-groups-exclude reference
password encrypted-leaf
recipient-subject string
response-signing-cert pki-file-name
response-signing-use-extracert 
same-recipient-nonce-for-poll-request boolean
signing-cert-subject string
url 
service-name service-name
transmission-profile reference
url-string http-optional-url-loose
use-ca-subject 
crl-file pki-file-name
description description
ocsp 
responder-url http-optional-url-loose
service-name service-name
transmission-profile reference
revocation-check keyword
certificate-auto-update pki-file-name 
apply-groups reference
apply-groups-exclude reference
key-file-name pki-file-name
profile reference
certificate-display-format keyword
certificate-expiration-warning 
hours number
repeat-hours number
certificate-update-profile named-item 
after-issue number
apply-groups reference
apply-groups-exclude reference
before-expiry number
cmpv2 
ca-profile reference
dsa 
key-size number
ecdsa 
curve keyword
est 
est-profile reference
hash-algorithm keyword
retry-interval number
rsa 
key-size number
same-as-existing-key 
common-name-list named-item 
apply-groups reference
apply-groups-exclude reference
common-name number 
apply-groups reference
apply-groups-exclude reference
cn-type keyword
cn-value regular-expression-not-all-spaces
crl-expiration-warning 
hours number
repeat-hours number
dynamic-ca boolean
est-profile named-item 
apply-groups reference
apply-groups-exclude reference
check-id-kp-cmcra-only boolean
client-tls-profile named-item
http-authentication 
password encrypted-leaf
username string
server 
fqdn fully-qualified-domain-name
ipv4 ipv4-unicast-address
ipv6 (ipv4-address-no-zone | ipv6-address-no-zone)
port number
transmission-profile named-item
imported-format keyword
maximum-cert-chain-depth number
python-script 
apply-groups reference
apply-groups-exclude reference
authorization 
cron 
cli-user reference
event-handler 
cli-user reference
subscriber-mgmt 
cli-user reference
snmp 
access named-item context named-item-or-empty security-model keyword security-level keyword 
apply-groups reference
apply-groups-exclude reference
notify named-item
prefix-match keyword
read named-item
write named-item
apply-groups reference
apply-groups-exclude reference
attempts 
apply-groups reference
apply-groups-exclude reference
count number
lockout number
time number
community encrypted-leaf 
access-permissions keyword
apply-groups reference
apply-groups-exclude reference
source-access-list reference
version keyword
source-access-list string-not-all-spaces 
apply-groups reference
apply-groups-exclude reference
source-host named-item 
address (ipv4-address-no-zone | ipv6-address-no-zone)
apply-groups reference
apply-groups-exclude reference
usm-community encrypted-leaf 
apply-groups reference
apply-groups-exclude reference
group named-item
source-access-list reference
view named-item subtree string 
apply-groups reference
apply-groups-exclude reference
mask string
type keyword
source-address 
ipv4 keyword 
address ipv4-address
apply-groups reference
apply-groups-exclude reference
interface-name interface-name
ipv6 keyword 
address ipv6-address
apply-groups reference
apply-groups-exclude reference
ssh 
apply-groups reference
apply-groups-exclude reference
authentication-method 
client 
public-key-only boolean
server 
public-key-only boolean
client-cipher-list-v2 
apply-groups reference
apply-groups-exclude reference
cipher number 
apply-groups reference
apply-groups-exclude reference
name keyword
client-host-key-list-v2 
host-key number 
apply-groups reference
apply-groups-exclude reference
name keyword
client-kex-list-v2 
kex number 
apply-groups reference
apply-groups-exclude reference
name keyword
client-mac-list-v2 
mac number 
apply-groups reference
apply-groups-exclude reference
name keyword
key-re-exchange 
client 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
mbytes (number | keyword)
minutes (number | keyword)
server 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
mbytes (number | keyword)
minutes (number | keyword)
listening-port number
permit-empty-passwords boolean
preserve-key boolean
server-admin-state keyword
server-cipher-list-v2 
apply-groups reference
apply-groups-exclude reference
cipher number 
apply-groups reference
apply-groups-exclude reference
name keyword
server-host-key-list-v2 
host-key number 
apply-groups reference
apply-groups-exclude reference
name keyword
server-kex-list-v2 
kex number 
apply-groups reference
apply-groups-exclude reference
name keyword
server-mac-list-v2 
mac number 
apply-groups reference
apply-groups-exclude reference
name keyword
system-passwords 
admin-password hashed-leaf
apply-groups reference
apply-groups-exclude reference
tech-support 
apply-groups reference
apply-groups-exclude reference
ts-location (ts-sat-url | cflash-url | string)
telnet 
apply-groups reference
apply-groups-exclude reference
listening-port number
telnet-server boolean
telnet6-server boolean
tls 
apply-groups reference
apply-groups-exclude reference
cert-profile named-item 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
entry number 
apply-groups reference
apply-groups-exclude reference
certificate-file string-not-all-spaces
key-file string-not-all-spaces
send-chain 
ca-profile reference 
client-cipher-list named-item 
apply-groups reference
apply-groups-exclude reference
tls12-cipher number 
apply-groups reference
apply-groups-exclude reference
name keyword
tls13-cipher number 
apply-groups reference
apply-groups-exclude reference
name keyword
client-group-list named-item 
apply-groups reference
apply-groups-exclude reference
tls13-group number 
apply-groups reference
apply-groups-exclude reference
name keyword
client-signature-list named-item 
apply-groups reference
apply-groups-exclude reference
tls13-signature number 
apply-groups reference
apply-groups-exclude reference
name keyword
client-tls-profile named-item 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
cert-profile reference
cipher-list reference
group-list reference
protocol-version keyword
signature-list reference
status-verify 
default-result keyword
ee-revocation 
primary keyword
secondary keyword
trust-anchor-profile reference
server-cipher-list named-item 
apply-groups reference
apply-groups-exclude reference
tls12-cipher number 
apply-groups reference
apply-groups-exclude reference
name keyword
tls13-cipher number 
apply-groups reference
apply-groups-exclude reference
name keyword
server-group-list named-item 
apply-groups reference
apply-groups-exclude reference
tls13-group number 
apply-groups reference
apply-groups-exclude reference
name keyword
server-signature-list named-item 
apply-groups reference
apply-groups-exclude reference
tls13-signature number 
apply-groups reference
apply-groups-exclude reference
name keyword
server-tls-profile named-item 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
authenticate-client 
common-name-list reference
trust-anchor-profile reference
cert-profile reference
cipher-list reference
group-list reference
protocol-version keyword
signature-list reference
status-verify 
default-result keyword
ee-revocation 
primary keyword
secondary keyword
tls-re-negotiate-timer number
trust-anchor-profile named-item 
apply-groups reference
apply-groups-exclude reference
trust-anchor reference 
user-params 
apply-groups reference
apply-groups-exclude reference
attempts 
count number
lockout number
time number
authentication-order 
exit-on-reject boolean
order keyword
local-user 
password 
aging number
apply-groups reference
apply-groups-exclude reference
complexity-rules 
allow-user-name boolean
credits 
lowercase number
numeric number
special-character number
uppercase number
disallow-sequence-keys number
minimum-classes number
minimum-length number
repeated-characters number
required 
lowercase number
numeric number
special-character number
uppercase number
hashing keyword
history-size number
minimum-age number
minimum-change number
user named-item 
access 
bluetooth boolean
console boolean
console-port-cli boolean
ftp boolean
grpc boolean
netconf boolean
scp-sftp boolean
snmp boolean
ssh-cli boolean
telnet-cli boolean
apply-groups reference
apply-groups-exclude reference
cli-engine keyword
console 
cannot-change-password boolean
login-exec (sat-url | cflash-url | ftp-tftp-url | filename)
member reference
new-password-at-login boolean
home-directory cflash-without-slot-url
password hashed-leaf
public-keys 
ecdsa 
ecdsa-key number 
apply-groups reference
apply-groups-exclude reference
description description
key-value string-not-all-spaces
rsa 
rsa-key number 
apply-groups reference
apply-groups-exclude reference
description description
key-value string-not-all-spaces
restricted-to-home boolean
save-when-restricted boolean
snmp 
apply-groups reference
apply-groups-exclude reference
authentication 
authentication-key encrypted-leaf-hex-without-prefix
authentication-protocol keyword
privacy 
privacy-key encrypted-leaf-hex-without-prefix
privacy-protocol keyword
group named-item
ssh-authentication-method 
client 
public-key-only keyword
server 
public-key-only keyword
vprn-network-exceptions 
count number
window number
telemetry 
apply-groups reference
apply-groups-exclude reference
destination-group named-item 
allow-unsecure-connection 
apply-groups reference
apply-groups-exclude reference
description description
destination (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name) port number 
apply-groups reference
apply-groups-exclude reference
router-instance string
tcp-keepalive 
admin-state keyword
idle-time number
interval number
retries number
tls-client-profile reference
notification-bundling 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
max-msg-count number
max-time-granularity number
persistent-subscriptions 
delay-on-boot number
subscription named-item 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
description description
destination-group reference
encoding keyword
local-source-address (ipv4-address-no-zone | ipv6-address-no-zone)
mode keyword
originated-qos-marking keyword
sample-interval number
sensor-group reference
sensor-groups 
sensor-group named-item 
apply-groups reference
apply-groups-exclude reference
description description
path string 
thresholds 
cflash-cap-alarm-percent thresholds-cflash-url 
apply-groups reference
apply-groups-exclude reference
falling-threshold number
interval number
rising-threshold number
rmon-event-type keyword
startup-alarm keyword
cflash-cap-warn-percent thresholds-cflash-url 
apply-groups reference
apply-groups-exclude reference
falling-threshold number
interval number
rising-threshold number
rmon-event-type keyword
startup-alarm keyword
kb-memory-use-alarm 
apply-groups reference
apply-groups-exclude reference
falling-threshold number
interval number
rising-threshold number
rmon-event-type keyword
startup-alarm keyword
kb-memory-use-warn 
apply-groups reference
apply-groups-exclude reference
falling-threshold number
interval number
rising-threshold number
rmon-event-type keyword
startup-alarm keyword
rmon 
alarm number 
apply-groups reference
apply-groups-exclude reference
falling-event number
falling-threshold number
interval number
owner string
rising-event number
rising-threshold number
sample-type keyword
startup-alarm keyword
variable-oid string
event number 
apply-groups reference
apply-groups-exclude reference
description description
event-type keyword
owner string
time 
apply-groups reference
apply-groups-exclude reference
daylight-saving-time-zone 
apply-groups reference
apply-groups-exclude reference
non-standard 
end 
day keyword
hours-minutes hours-minutes-twenty-four
month keyword
week keyword
name string
offset number
start 
day keyword
hours-minutes hours-minutes-twenty-four
month keyword
week keyword
standard 
name keyword
ntp 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
authentication-check boolean
authentication-key number 
apply-groups reference
apply-groups-exclude reference
key encrypted-leaf
type keyword
authentication-keychain reference
broadcast reference interface-name interface-name 
apply-groups reference
apply-groups-exclude reference
authentication-keychain reference
key-id reference
ttl number
version number
broadcast-client string interface-name interface-name 
apply-groups reference
apply-groups-exclude reference
authenticate boolean
multicast 
apply-groups reference
apply-groups-exclude reference
authentication-keychain reference
key-id reference
version number
multicast-client 
apply-groups reference
apply-groups-exclude reference
authenticate boolean
ntp-server 
authenticate boolean
peer (ipv4-address-no-zone | ipv6-address-no-zone) router-instance string 
apply-groups reference
apply-groups-exclude reference
authentication-keychain reference
key-id reference
prefer boolean
version number
server (ipv4-address-no-zone | ipv6-address-no-zone | keyword) router-instance string 
apply-groups reference
apply-groups-exclude reference
authentication-keychain reference
key-id reference
prefer boolean
version number
prefer-local-time boolean
sntp 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
server (ipv4-address-no-zone | ipv6-address-no-zone) 
apply-groups reference
apply-groups-exclude reference
interval number
prefer boolean
version number
sntp-state keyword
zone 
non-standard 
name string
offset hours-minutes-with-range
standard 
name keyword
transmission-profile named-item 
apply-groups reference
apply-groups-exclude reference
http-version keyword
ipv4-source-address ipv4-unicast-address
ipv6-source-address ipv6-address
redirection number
retry number
router-instance router-instance-base-management-vprn-loose
timeout number
usb keyword 
admin-state keyword
apply-groups reference
apply-groups-exclude reference

system command descriptions

system

Synopsis Enter the system context
Context configure system
Tree system

Description

Commands in this context configure general system-level functions and router management protocols.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

alarms

Synopsis Enter the alarms context
Context configure system alarms
Tree alarms
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

admin-state keyword
Synopsis Administrative state of the system alarm
Context configure system alarms admin-state keyword
Tree admin-state
Options enable, disable
Default enable
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

max-cleared number
Synopsis Maximum number of cleared alarms
Context configure system alarms max-cleared number
Tree max-cleared
Range 0 to 500
Default 500
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

boot-bad-exec url

Synopsis CLI script file to execute following a failed boot-up
Context configure system boot-bad-exec url
Tree boot-bad-exec

Description

This command configures the name of the CLI script file to be run following the failure of a boot-up configuration.

Note: This command has no effect in model-driven mode.

String length 1 to 180
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

boot-good-exec url

Synopsis CLI script file to execute following successful boot-up
Context configure system boot-good-exec url
Tree boot-good-exec

Description

This command configures the URL of a CLI script to execute following a successful boot-up configuration.

Related Commands

global-commands exec - This command executes the contents of a text file as if they were CLI commands entered at the console.

String length 1 to 180
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

clli-code clli-description

Synopsis CLLI code value for the system
Context configure system clli-code clli-description
Tree clli-code
String length 11
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

contact description

Synopsis Contact information for the managed node
Context configure system contact description
Tree contact
String length 1 to 80
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

coordinates description

Synopsis GPS coordinates for the system location
Context configure system coordinates description
Tree coordinates
String length 1 to 80
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

cron

Synopsis Enter the cron context
Context configure system cron
Tree cron
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

schedule [schedule-name] named-item owner named-item
Synopsis Enter the schedule list instance
Context configure system cron schedule named-item owner named-item
Tree schedule
Max. instances 255
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[schedule-name] named-item
Synopsis Schedule name
Context configure system cron schedule named-item owner named-item
Tree schedule
String length 1 to 32

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

owner named-item
Synopsis Schedule owner
Context configure system cron schedule named-item owner named-item
Tree schedule
String length 1 to 32
MD-CLI default TiMOS CLI

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

admin-state keyword
Synopsis Administrative state of the CRON schedule
Context configure system cron schedule named-item owner named-item admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

count number
Synopsis Number of times to repeat a periodic schedule run
Context configure system cron schedule named-item owner named-item count number
Tree count
Range 1 to 65535
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

day-of-month number
Synopsis Days in a month when a schedule runs
Context configure system cron schedule named-item owner named-item day-of-month number
Tree day-of-month
Range -31 to -1 | 1 to 31
Max. instances 62
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

end-time
Synopsis Enter the end-time context
Context configure system cron schedule named-item owner named-item end-time
Tree end-time
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

date-and-time date-and-time
Synopsis Date and time to stop triggering the schedule
Context configure system cron schedule named-item owner named-item end-time date-and-time date-and-time
Tree date-and-time

Notes

The following elements are part of a choice: date-and-time or (day and time).

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

day keyword
Synopsis Day to stop triggering the schedule
Context configure system cron schedule named-item owner named-item end-time day keyword
Tree day
Options sunday, monday, tuesday, wednesday, thursday, friday, saturday

Notes

The following elements are part of a choice: date-and-time or (day and time).

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

time hours-minutes-twenty-four
Synopsis Time to stop triggering the schedule
Context configure system cron schedule named-item owner named-item end-time time hours-minutes-twenty-four
Tree time
String length 5

Notes

The following elements are part of a choice: date-and-time or (day and time).

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

hour number
Synopsis Hours within a day when the schedule runs
Context configure system cron schedule named-item owner named-item hour number
Tree hour
Range 0 to 23
Max. instances 24
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

interval number
Synopsis Time between each periodic schedule run
Context configure system cron schedule named-item owner named-item interval number
Tree interval
Range 30 to 42949672
Units seconds
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

minute number
Synopsis Minutes in an hour when the schedule runs
Context configure system cron schedule named-item owner named-item minute number
Tree minute
Range 0 to 59
Max. instances 60
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

month (keyword | number)
Synopsis Months when the schedule runs
Context configure system cron schedule named-item owner named-item month (keyword | number)
Tree month
Range 1 to 12
Options january, february, march, april, may, june, july, august, september, october, november, december
Max. instances 12
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

script-policy
Synopsis Enter the script-policy context
Context configure system cron schedule named-item owner named-item script-policy
Tree script-policy
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

type keyword
Synopsis Schedule type
Context configure system cron schedule named-item owner named-item type keyword
Tree type
Options periodic, calendar, oneshot
Default periodic
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

weekday (keyword | number)
Synopsis Weekdays when the schedule runs
Context configure system cron schedule named-item owner named-item weekday (keyword | number)
Tree weekday
Range 1 to 7
Options sunday, monday, tuesday, wednesday, thursday, friday, saturday
Max. instances 7
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

dhcp6

Synopsis Enter the dhcp6 context
Context configure system dhcp6
Tree dhcp6
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

adv-noaddrs-global keyword
Synopsis Applications to send NoAddrsAvail in Advertise messages
Context configure system dhcp6 adv-noaddrs-global keyword
Tree adv-noaddrs-global
Options esm-relay, server
Max. instances 2
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

dns

Synopsis Enter the dns context
Context configure system dns
Tree dns
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

address-pref keyword
Synopsis Preference in DNS address resolving order
Context configure system dns address-pref keyword
Tree address-pref
Options ipv4-only, ipv6-first
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

dnssec
Synopsis Enter the dnssec context
Context configure system dns dnssec
Tree dnssec
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

ad-validation keyword
Synopsis Validation of AD-bit presence in DNS server responses
Context configure system dns dnssec ad-validation keyword
Tree ad-validation
Options

fall-through – Allow non-DNSSEC responses to fall-through to permit resolution in case of validation failure

drop – Drop non-DNSSEC responses in case of validation failure

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

grpc

Synopsis Enter the grpc context
Context configure system grpc
Tree grpc
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

admin-state keyword
Synopsis Administrative state of the gRPC server
Context configure system grpc admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

allow-unsecure-connection
Synopsis Allow connection without secured transport protocol
Context configure system grpc allow-unsecure-connection
Tree allow-unsecure-connection

Description

When configured, the system allows an unsecured connection to remote managers; TCP connections are not encrypted, including username and password information.

Notes

The following elements are part of a choice: allow-unsecure-connection or tls-server-profile.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

delay-on-boot number
Synopsis Delay for gRPC connections after system boot
Context configure system grpc delay-on-boot number
Tree delay-on-boot

Description

This command configures the delay timer for gRPC connections. When the timer expires, gRPC becomes operational and connections are accepted. This delay prevents automation from managing the system while it is still converging.

When no delay is configured, connections are accepted after the system boots and gRPC becomes operational.

Range 1 to 3600
Units seconds
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

gnmi
Synopsis Enter the gnmi context
Context configure system grpc gnmi
Tree gnmi
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

admin-state keyword
Synopsis Administrative state of the gNMI service
Context configure system grpc gnmi admin-state keyword
Tree admin-state
Options enable, disable
Default enable
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

auto-config-save boolean
Synopsis Automatically save configuration as part of commit
Context configure system grpc gnmi auto-config-save boolean
Tree auto-config-save

Description

When configured to true, the system automatically writes the running configuration to the saved configuration file as part of a successful commit operation.

Default true
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

proto-version keyword
Synopsis gnmi.proto version
Context configure system grpc gnmi proto-version keyword
Tree proto-version

Description

This command sets the gnmi.proto version that the gRPC server should use for all gNMI RPCs. Only use options other than latest for backward compatibility with legacy collectors.

Options

latest – Latest supported version

v070 – gNMI version 0.7.0

Default latest
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

gnoi
Synopsis Enter the gnoi context
Context configure system grpc gnoi
Tree gnoi
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

cert-mgmt
Synopsis Enter the cert-mgmt context
Context configure system grpc gnoi cert-mgmt
Tree cert-mgmt
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

admin-state keyword
Synopsis Administrative state of gNOI CertificateManagement
Context configure system grpc gnoi cert-mgmt admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

file
Synopsis Enter the file context
Context configure system grpc gnoi file
Tree file
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

admin-state keyword
Synopsis Administrative state of the gNOI File service
Context configure system grpc gnoi file admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

system
Synopsis Enter the system context
Context configure system grpc gnoi system
Tree system
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

admin-state keyword
Synopsis Administrative state of the gNOI System service
Context configure system grpc gnoi system admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

listening-port number
Synopsis Listening port for the gRPC server
Context configure system grpc listening-port number
Tree listening-port
Range 1024 to 49151 | 57400
Default 57400
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

max-msg-size number
Synopsis Maximum size of received message
Context configure system grpc max-msg-size number
Tree max-msg-size
Range 1 to 1024
Units megabytes
Default 512
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

md-cli
Synopsis Enter the md-cli context
Context configure system grpc md-cli
Tree md-cli
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

admin-state keyword
Synopsis Administrative state of the MD-CLI service
Context configure system grpc md-cli admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

tcp-keepalive
Synopsis Enter the tcp-keepalive context
Context configure system grpc tcp-keepalive
Tree tcp-keepalive
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

admin-state keyword
Synopsis Administrative state of the TCP keepalive algorithm
Context configure system grpc tcp-keepalive admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

idle-time number
Synopsis Time until the first TCP keepalive probe is sent
Context configure system grpc tcp-keepalive idle-time number
Tree idle-time

Description

This command configures the amount of time the connection must be idle before TCP keepalives are sent.

Range 1 to 100000
Units seconds
Default 600
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

interval number
Synopsis Time between TCP keep-alive probes
Context configure system grpc tcp-keepalive interval number
Tree interval
Range 1 to 100000
Units seconds
Default 15
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

retries number
Synopsis Number of probe retries before closing the connection
Context configure system grpc tcp-keepalive retries number
Tree retries

Description

This command configures the number of missed TCP keepalive probes before closing the TCP connection and attempting to reach the other destinations within the same destination group.

Range 3 to 100
Default 4
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

grpc-tunnel

Synopsis Enter the grpc-tunnel context
Context configure system grpc-tunnel
Tree grpc-tunnel
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

delay-on-boot number
Synopsis Delay for gRPC tunnels after system boot
Context configure system grpc-tunnel delay-on-boot number
Tree delay-on-boot

Description

This command configures the delay timer for gRPC tunnels. When the timer expires, gRPC tunnels become operational and connections are accepted. This delay prevents the system from trying to initiate gRPC tunnels while it is still converging.

When no delay is configured, gRPC tunnels are initiated after the system boots and gRPC becomes operational.

Range 1 to 3600
Units seconds
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

destination-group [name] named-item
Synopsis Enter the destination-group list instance
Context configure system grpc-tunnel destination-group named-item
Tree destination-group

Description

Commands in this context configure parameters for destination groups.

Max. instances 4
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

allow-unsecure-connection
Synopsis Allow unsecured operation of gRPC connections
Context configure system grpc-tunnel destination-group named-item allow-unsecure-connection
Tree allow-unsecure-connection

Description

This command allows a gRPC tunnel to run without a secured transport protocol. Data is transferred in unencrypted form.

Notes

The following elements are part of a choice: allow-unsecure-connection or tls-client-profile.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

destination [address] (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name) port number
Synopsis Enter the destination list instance
Context configure system grpc-tunnel destination-group named-item destination (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name) port number
Tree destination
Max. instances 4

Notes

This element is ordered by the user.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[address] (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name)
Synopsis Address of the destination within the destination group
Context configure system grpc-tunnel destination-group named-item destination (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name) port number
Tree destination
String length 1 to 255

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

port number
Synopsis TCP port number for the destination
Context configure system grpc-tunnel destination-group named-item destination (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name) port number
Tree destination
Range 1 to 65535

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

originated-qos-marking keyword
Synopsis QoS marking used for gRPC tunnel packets
Context configure system grpc-tunnel destination-group named-item destination (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name) port number originated-qos-marking keyword
Tree originated-qos-marking
Options be, cp1, cp2, cp3, cp4, cp5, cp6, cp7, cs1, cp9, af11, cp11, af12, cp13, af13, cp15, cs2, cp17, af21, cp19, af22, cp21, af23, cp23, cs3, cp25, af31, cp27, af32, cp29, af33, cp31, cs4, cp33, af41, cp35, af42, cp37, af43, cp39, cs5, cp41, cp42, cp43, cp44, cp45, ef, cp47, nc1, cp49, cp50, cp51, cp52, cp53, cp54, cp55, nc2, cp57, cp58, cp59, cp60, cp61, cp62, cp63
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

tcp-keepalive
Synopsis Enter the tcp-keepalive context
Context configure system grpc-tunnel destination-group named-item tcp-keepalive
Tree tcp-keepalive
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

idle-time number
Synopsis Time until the first TCP keepalive probe is sent
Context configure system grpc-tunnel destination-group named-item tcp-keepalive idle-time number
Tree idle-time

Description

This command configures the amount of time the connection must be idle before TCP keepalives are sent.

Range 1 to 100000
Units seconds
Default 600
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

retries number
Synopsis Number of probe retries before closing the connection
Context configure system grpc-tunnel destination-group named-item tcp-keepalive retries number
Tree retries

Description

This command configures the number of missed TCP keepalive probes before closing the TCP connection and attempting to reach the other destinations within the same destination group.

Range 3 to 100
Default 4
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

tunnel [name] named-item
Synopsis Enter the tunnel list instance
Context configure system grpc-tunnel tunnel named-item
Tree tunnel

Description

Commands in this context configure gRPC-tunnel-related parameters.

Max. instances 4
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[name] named-item
Synopsis Tunnel name
Context configure system grpc-tunnel tunnel named-item
Tree tunnel
String length 1 to 32

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

admin-state keyword
Synopsis Administrative state of the tunnel
Context configure system grpc-tunnel tunnel named-item admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

handler [name] named-item
Synopsis Enter the handler list instance
Context configure system grpc-tunnel tunnel named-item handler named-item
Tree handler

Description

Commands in this context configure handler parameters for this instance. Multiple handlers can be created for any tunnel.

Max. instances 8
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[name] named-item
Synopsis Handler name
Context configure system grpc-tunnel tunnel named-item handler named-item
Tree handler
String length 1 to 32

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

port number
Synopsis TCP port number the handler listens to internally
Context configure system grpc-tunnel tunnel named-item handler named-item port number
Tree port
Range 1 to 65535
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

target-type
Synopsis Enter the target-type context
Context configure system grpc-tunnel tunnel named-item handler named-item target-type
Tree target-type
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

custom-type string
Synopsis Custom string for target type
Context configure system grpc-tunnel tunnel named-item handler named-item target-type custom-type string
Tree custom-type

Description

This command configures a custom string for the target type. This string can correspond to specific values used by the gRPC tunnel protocol, such as GNMI_GNOI or SSH. If a custom string is defined, the gRPC tunnel client must specify the string to request a session for that handler. The string must be unique within a tunnel.

String length 1 to 64

Notes

The following elements are part of a choice: custom-type, grpc-server, or ssh-server.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

grpc-server
Synopsis Target type set to GNMI_GNOI
Context configure system grpc-tunnel tunnel named-item handler named-item target-type grpc-server
Tree grpc-server

Description

When configured, this command assigns the gRPC server as a handler for all tunnel sessions. At the gRPC tunnel protocol level, this corresponds to a value of GNMI_GNOI.

Notes

The following elements are part of a choice: custom-type, grpc-server, or ssh-server.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

ssh-server
Synopsis Target type is SSH
Context configure system grpc-tunnel tunnel named-item handler named-item target-type ssh-server
Tree ssh-server

Description

When configured, this command assigns the SSH server as a handler for all tunnel sessions. At the gRPC tunnel protocol level, this corresponds to a value of SSH.

Notes

The following elements are part of a choice: custom-type, grpc-server, or ssh-server.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

target-name
Synopsis Enter the target-name context
Context configure system grpc-tunnel tunnel named-item target-name
Tree target-name
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

custom-string named-item-64
Synopsis Custom target name
Context configure system grpc-tunnel tunnel named-item target-name custom-string named-item-64
Tree custom-string
String length 1 to 64

Notes

The following elements are part of a choice: custom-string, node-name, or user-agent.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

node-name
Synopsis Set the node name as target name
Context configure system grpc-tunnel tunnel named-item target-name node-name
Tree node-name

Description

When configured, this command uses the node name as the target name. The node name is configured by the configure system name command.

Notes

The following elements are part of a choice: custom-string, node-name, or user-agent.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

user-agent
Synopsis Set the user agent as the target name
Context configure system grpc-tunnel tunnel named-item target-name user-agent
Tree user-agent

Description

When configured, this command uses the user agent as the target name. The agent is a string consisting of node-name:vendor:model:software-version.

Notes

The following elements are part of a choice: custom-string, node-name, or user-agent.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

icmp-vse boolean

Synopsis Enable vendor-specific extensions to ICMP
Context configure system icmp-vse boolean
Tree icmp-vse
Default false
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

ip

Synopsis Enter the ip context
Context configure system ip
Tree ip

Description

Commands in this context configure system-wide IP router options.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

buffer-unresolved-packets boolean
Synopsis Buffer unresolved packets during ARP
Context configure system ip buffer-unresolved-packets boolean
Tree buffer-unresolved-packets

Description

When configured to true, the system buffers IPv4 and IPv6 packets waiting for the address resolution process (ARP) or neighbor discovery (ND) reply.

When configured to false, the system discards packets during the address resolution process. The system discards IPv4 and IPv6 traffic needing a destination resolution that is buffered while waiting for a response to avoid any potential of out-of-order delivery of packets to the resolved destination. As a result, after the ARP or ND entry is populated, the system delivers only newly received packets in order.

Default true
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

forward-6in4 boolean
Synopsis Allow forwarding of IPv6 over IPv4 to system IP address
Context configure system ip forward-6in4 boolean
Tree forward-6in4
Default false
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

ipv6-eh keyword
Synopsis Number of IPv6 extension headers parsed in line cards
Context configure system ip ipv6-eh keyword
Tree ipv6-eh
Options max, limited
Default max
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

lacp

Synopsis Enter the lacp context
Context configure system lacp
Tree lacp
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

system-priority number
Synopsis LACP system priority on aggregated Ethernet interfaces
Context configure system lacp system-priority number
Tree system-priority
Range 1 to 65535
Default 32768
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

lldp

Synopsis Enter the lldp context
Context configure system lldp
Tree lldp
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

admin-state keyword
Synopsis Administrative state of LLDP
Context configure system lldp admin-state keyword
Tree admin-state
Options enable, disable
Default enable
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

message-fast-tx number
Synopsis Interval at which LLDP frames are transmitted
Context configure system lldp message-fast-tx number
Tree message-fast-tx

Description

This command configures the interval at which LLDP frames are transmitted on behalf of the LLDP during a fast transmission period.

Range 1 to 3600
Units seconds
Default 1
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

reinit-delay number
Synopsis Time required before re-initializing LLDP on a port
Context configure system lldp reinit-delay number
Tree reinit-delay
Range 1 to 10
Units seconds
Default 2
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

tx-credit-max number
Synopsis Maximum consecutive LLDPDUs that can be transmitted
Context configure system lldp tx-credit-max number
Tree tx-credit-max
Range 1 to 100
Default 5
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

tx-interval number
Synopsis LLDP transmit interval
Context configure system lldp tx-interval number
Tree tx-interval
Range 5 to 32768
Units seconds
Default 30
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

load-balancing

Synopsis Enter the load-balancing context
Context configure system load-balancing
Tree load-balancing

Description

Commands in this context configure the interface per-flow load-balancing options that apply to traffic entering this interface and egressing over a LAG or ECMP on system egress. This setting is per interface.

Load-balancing options configured at the interface level overwrite load-balancing options configured at the system level.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

lsr-load-balancing keyword
Synopsis Algorithm for system-wide LSR load balancing
Context configure system load-balancing lsr-load-balancing keyword
Tree lsr-load-balancing

Description

This command configures system-wide LSR load balancing. Hashing can be enabled on the label stack, IP header, or both. The hashing can be at an LSR for spraying labeled IP packets over multiple equal-cost paths, or over multiple links of a LAG group.

The LSR hash routine operates on the label stack and the IP header, if a packet is IPv4. An LSR considers a packet to be IPv4 if the first nibble following the bottom of the label stack is 4. The hash on the label stack and IPv4 and IPv6 headers can be enabled or disabled at the system level or incoming network IP interface level.

lbl-ip-l4-teid - Specifies that the hashing applies as follows for Layer 2 and Layer 3 encapsulated traffic:

  • If an IPv4 or IPv6 header is found immediately after the MPLS label stack, the hashing includes label stack, source and destination IP addresses, TCP/UDP port numbers, and, if present, TEID values.

  • If an IPv4 or IPv6 header is not found immediately after the MPLS label stack, the data plane searches for a valid Ethertype value for the IPv4 and IPv6 payload. If a valid Ethertype value is found and an IP header follows the Ethernet header, hashing includes the source and destination IP addresses, TCP/UDP port numbers, and, if present, TEID values.

eth-encap-ip - Specifies that the hash algorithm parses down the label stack and after it reaches the bottom, the stack assumes the Ethernet II non-tagged, dot1q, or QinQ header follows. At the expected Ethertype offset location, the algorithm checks whether the value present is IPv4/IPv6 (0x0800/0x86DD). If the check passes, the hash algorithm checks the first nibble at the expected IP header location for IPv4/IPv6 (0x0100/0x0110). If the secondary check passes, the algorithm performs the hash using the IP SA/DA fields in the expected IP header. If any of the checks fail, the label-stack hash is performed.

Options lbl-only, lbl-ip, ip-only, eth-encap-ip, lbl-ip-l4-teid, lbl-eth-ip-l4-teid, lbl-ip-or-teid
Introduced 25.3.R2

Platforms

7705 SAR Gen 2
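
The eth-encap-ip decision sequence described above, as an added Python sketch that is not Nokia code: it returns which fields would feed the hash, not a hash value. The accepted VLAN TPIDs, the requirement that the IP version nibble match the Ethertype, and all sample packets are assumptions constructed for this illustration.

```python
import ipaddress
import struct

ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD
VLAN_TPIDS = (0x8100, 0x88A8)  # assumption: TPIDs treated as dot1q / QinQ tags


def walk_label_stack(pkt):
    """Return (labels, offset just past the bottom-of-stack entry)."""
    labels, off = [], 0
    while off + 4 <= len(pkt):
        (entry,) = struct.unpack_from("!I", pkt, off)
        labels.append(entry >> 12)      # 20-bit label value
        off += 4
        if entry & 0x100:               # S bit marks the bottom of the stack
            return labels, off
    raise ValueError("label stack has no bottom-of-stack entry")


def eth_encap_ip_inputs(pkt):
    """Return ('ip-sa-da', sa, da) or the ('label-stack', labels) fallback."""
    labels, off = walk_label_stack(pkt)
    fallback = ("label-stack", tuple(labels))
    # Assume an Ethernet II header follows: 6-byte DA, 6-byte SA,
    # then zero, one (dot1q) or two (QinQ) 4-byte VLAN tags.
    et_off = off + 12
    for _ in range(2):
        if len(pkt) >= et_off + 2 and \
                struct.unpack_from("!H", pkt, et_off)[0] in VLAN_TPIDS:
            et_off += 4
    if len(pkt) < et_off + 2:
        return fallback
    # First check: Ethertype at the expected offset must be IPv4 or IPv6.
    (ethertype,) = struct.unpack_from("!H", pkt, et_off)
    if ethertype == ETH_IPV4:
        version, hdr_len, sa_off, alen = 4, 20, 12, 4
    elif ethertype == ETH_IPV6:
        version, hdr_len, sa_off, alen = 6, 40, 8, 16
    else:
        return fallback
    # Second check: first nibble at the expected IP header location.
    ip_off = et_off + 2
    if len(pkt) < ip_off + hdr_len or pkt[ip_off] >> 4 != version:
        return fallback
    sa = pkt[ip_off + sa_off: ip_off + sa_off + alen]
    da = pkt[ip_off + sa_off + alen: ip_off + sa_off + 2 * alen]
    return ("ip-sa-da", str(ipaddress.ip_address(sa)),
            str(ipaddress.ip_address(da)))


# --- constructed sample packets (not captured traffic) ---
def mpls(labels, ttl=64):
    """Build a label stack with the S bit set on the last entry."""
    last = len(labels) - 1
    return b"".join(
        struct.pack("!I", (lab << 12) | ((i == last) << 8) | ttl)
        for i, lab in enumerate(labels))


def ipv4(src, dst):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def ipv6(src, dst):
    return struct.pack("!IHBB16s16s", 0x60000000, 0, 6, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)


MACS = bytes(12)  # placeholder destination and source MAC addresses
SAMPLE_DOT1Q_V4 = (mpls([1000, 2000]) + MACS + struct.pack("!HH", 0x8100, 100)
                   + struct.pack("!H", ETH_IPV4)
                   + ipv4("192.0.2.1", "198.51.100.7"))
SAMPLE_QINQ_V6 = (mpls([16]) + MACS
                  + struct.pack("!HHHH", 0x88A8, 10, 0x8100, 20)
                  + struct.pack("!H", ETH_IPV6)
                  + ipv6("2001:db8::1", "2001:db8::2"))
SAMPLE_BAD_NIBBLE = (mpls([1000, 2000]) + MACS + struct.pack("!H", ETH_IPV4)
                     + b"\x65" + bytes(19))
SAMPLE_NON_IP = mpls([3000]) + MACS + struct.pack("!H", 0x0806) + bytes(28)

if __name__ == "__main__":
    for name in ("SAMPLE_DOT1Q_V4", "SAMPLE_QINQ_V6",
                 "SAMPLE_BAD_NIBBLE", "SAMPLE_NON_IP"):
        print(name, eth_encap_ip_inputs(globals()[name]))
```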

location description

Synopsis Site location of the system
Context configure system location description
Tree location
String length 1 to 80
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

login-control

Synopsis Enter the login-control context
Context configure system login-control
Tree login-control

Description

Commands in this context configure the session control for console, Telnet, SSH, and FTP sessions.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

exponential-backoff boolean
Synopsis Enable exponential-backoff of the login prompt
Context configure system login-control exponential-backoff boolean
Tree exponential-backoff

Description

When configured to true, the router enables exponential backoff for the login prompt. The exponential-backoff command is used to deter dictionary attacks, in which a malicious user tries to gain access to the CLI by using a script to attempt to log in to the admin account with any conceivable password.

Default false
Introduced 25.3.R2

Platforms

7705 SAR Gen 2
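
An added audit sketch (not Nokia code) that applies the defaults and choice statements documented on this page for grpc allow-unsecure-connection, grpc-tunnel destination-group allow-unsecure-connection, dns dnssec ad-validation, and login-control exponential-backoff. It assumes the configuration has been exported with one leaf per line in the form of the Context paths shown here; the sample configurations and the profile and group names in them are constructed placeholders.

```python
import shlex


def parse_leaves(text):
    """Yield token lists for each line under 'configure system'."""
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip().lstrip("/"))
        if tokens[:2] == ["configure", "system"]:
            yield tokens[2:]


def audit(text):
    """Return a list of (finding-id, detail) tuples for weak settings."""
    leaves = list(parse_leaves(text))
    findings = []

    def value(*path, default=None):
        # Value of a single-valued leaf at exactly this path, else default.
        for t in leaves:
            if tuple(t[:-1]) == path:
                return t[-1]
        return default

    def present(*path):
        # True when a presence-only leaf is configured at this path.
        return any(tuple(t) == path for t in leaves)

    # gRPC server: admin-state defaults to disable; allow-unsecure-connection
    # and tls-server-profile are documented as a choice.
    if value("grpc", "admin-state", default="disable") == "enable" \
            and present("grpc", "allow-unsecure-connection"):
        findings.append(("grpc-cleartext",
                         "gRPC server enabled without TLS; credentials "
                         "cross the network unencrypted"))

    # gRPC tunnel destination groups: allow-unsecure-connection is the
    # alternative to tls-client-profile.
    for t in leaves:
        if len(t) == 4 and t[:2] == ["grpc-tunnel", "destination-group"] \
                and t[3] == "allow-unsecure-connection":
            findings.append(("grpc-tunnel-cleartext",
                             "destination-group %s carries tunnel data "
                             "unencrypted" % t[2]))

    # DNSSEC: fall-through accepts non-DNSSEC responses on validation failure.
    if value("dns", "dnssec", "ad-validation") == "fall-through":
        findings.append(("dnssec-fall-through",
                         "responses without the AD bit are still accepted"))

    # Login prompt backoff defaults to false, so an absent leaf means off.
    if value("login-control", "exponential-backoff", default="false") != "true":
        findings.append(("no-login-backoff",
                         "no exponential backoff against password guessing"))
    return findings


# Constructed sample exports (names are placeholders, not from a real node).
WEAK_CONFIG = """
/configure system grpc admin-state enable
/configure system grpc allow-unsecure-connection
/configure system grpc-tunnel destination-group "collectors" allow-unsecure-connection
/configure system dns dnssec ad-validation fall-through
/configure system login-control idle-timeout 30
"""

HARDENED_CONFIG = """
/configure system grpc admin-state enable
/configure system grpc tls-server-profile "example-tls-profile"
/configure system grpc-tunnel destination-group "collectors" tls-client-profile "example-client-profile"
/configure system dns dnssec ad-validation drop
/configure system login-control exponential-backoff true
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg))
```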

ftp
Synopsis Enter the ftp context
Context configure system login-control ftp
Tree ftp

Description

Commands in this context configure FTP login control command options.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

inbound-max-sessions number
Synopsis Maximum number of concurrent inbound FTP sessions
Context configure system login-control ftp inbound-max-sessions number
Tree inbound-max-sessions

Description

This command configures the maximum number of concurrent inbound FTP sessions.

This value is the combined total of inbound and outbound sessions.

Range 0 to 5
Default 3
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

idle-timeout (keyword | number)
Synopsis Idle timeout for console, FTP, Telnet, and SSH sessions
Context configure system login-control idle-timeout (keyword | number)
Tree idle-timeout
Range 1 to 1440
Units minutes
Options none
Default 30
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

login-banner boolean
Synopsis Display login banner
Context configure system login-control login-banner boolean
Tree login-banner

Description

When configured to true, the system displays a login banner. The login banner contains the SR OS copyright and build date information for a console login attempt.

When configured to false, the system displays only the configured pre-login-message and a generic login prompt.

Default false
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

login-scripts
Synopsis Enter the login-scripts context
Context configure system login-control login-scripts
Tree login-scripts

Description

Commands in this context configure CLI scripts that execute when a user (authenticated via any method including local user database, TACACS+, or RADIUS) first logs into a CLI session.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

global-script string-not-all-spaces
Synopsis URL of the global CLI login script
Context configure system login-control login-scripts global-script string-not-all-spaces
Tree global-script

Description

This command specifies a common CLI script that executes when any user logs into a CLI session. This login exec script is executed when any user (authenticated by any means including local user database, TACACS+, or RADIUS) opens a CLI session. This allows a user, for example, to define a common set of CLI aliases that are made available on the router for all users. This global login exec script is executed before any user-specific login exec files that may be configured.

This CLI script executes in the context of the user who opens the CLI session. Any commands in the script that the user is not authorized to execute will fail.

String length 1 to 180
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

per-user-script
Synopsis Enter the per-user-script context
Context configure system login-control login-scripts per-user-script
Tree per-user-script

Description

Commands in this context allow users to define their own login scripts that can be executed each time they first log in to a CLI session. The command executes the script “file-url / username / file-name” when the user username logs into a CLI session (authenticated by any means including local user database, TACACS+, or RADIUS).

For example:

per-user user-directory "cf1:/local/users" file-name "login-script.txt"

would search for the following script when user “admin” logs in and authenticates via RADIUS:

cf1:/local/users/admin/login-script.txt

The per user login script is executed after any global script executes and before any login-exec script configured against a local user is executed. This allows users, for example, who are authenticated via TACACS+ or RADIUS to define their own login scripts.

This CLI script executes in the context of the user who opens the CLI session. Any commands in the script that the user is not authorized to execute will fail.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

file-name filename
Synopsis File name of the per-user login script
Context configure system login-control login-scripts per-user-script file-name filename
Tree file-name

Description

This command specifies the name of the file (located in the configure system login-control login-scripts per-user-script user-directory directory) including the extension.

String length 1 to 180
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

motd
Synopsis Enter the motd context
Context configure system login-control motd
Tree motd

Description

Commands in this context create the message of the day displayed after a successful console login. Only one message can be configured.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

text string-not-all-spaces
Synopsis Message of the day displayed after console login
Context configure system login-control motd text string-not-all-spaces
Tree text
String length 1 to 900

Notes

The following elements are part of a choice: text or url.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

url string-not-all-spaces
Synopsis URL of the location of message of the day
Context configure system login-control motd url string-not-all-spaces
Tree url
String length 1 to 180

Notes

The following elements are part of a choice: text or url.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

pre-login-message
Synopsis Enter the pre-login-message context
Context configure system login-control pre-login-message
Tree pre-login-message

Description

Commands in this context configure a message to display before logging in to the router using Telnet, SSH, or the console port.

Only one message can be configured. If a new pre-login message is configured, the new message overwrites the previous message.

Note: The pre-login message is displayed on both active and standby systems.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

message string-not-all-spaces
Synopsis Message displayed before the login prompt
Context configure system login-control pre-login-message message string-not-all-spaces
Tree message

Description

This command configures the pre-login message.

Any printable, 7-bit ASCII characters can be used. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes. Some special characters can be used to format the message text. Use the newline (\n) character to create multiline messages. A newline (\n) character in the message moves to the beginning of the next line by sending ASCII/UTF-8 characters 0xA (LF) and 0xD (CR) to the client terminal. A carriage return (\r) character in the message sends the ASCII/UTF-8 character 0xD (CR) to the client terminal.

String length 1 to 900
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

ssh
Synopsis Enter the ssh context
Context configure system login-control ssh
Tree ssh

Description

Commands in this context configure the SSH command options.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

outbound-max-sessions number
Synopsis Maximum number of concurrent outbound sessions
Context configure system login-control ssh outbound-max-sessions number
Tree outbound-max-sessions

Description

This command configures the maximum number of outbound Telnet and SSH sessions. The local serial port cannot be disabled.

Range 0 to 15
Default 5
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

ttl-security number
Synopsis Minimum TTL value for incoming packets
Context configure system login-control ssh ttl-security number
Tree ttl-security

Description

This command configures TTL security command options for incoming packets. When the feature is enabled, LDP accepts incoming IP packets from a peer only if the TTL value in the packet is greater than or equal to the minimum TTL value configured for that peer. Per-peer-queueing must be enabled in order for TTL protection to operate.

Range 1 to 255
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

telnet
Synopsis Enter the telnet context
Context configure system login-control telnet
Tree telnet

Description

Commands in this context configure the Telnet command options.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

outbound-max-sessions number
Synopsis Maximum number of concurrent outbound sessions
Context configure system login-control telnet outbound-max-sessions number
Tree outbound-max-sessions

Description

This command configures the maximum number of outbound Telnet and SSH sessions. The local serial port cannot be disabled.

Range 0 to 15
Default 5
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

ttl-security number
Synopsis Minimum TTL value for incoming packets
Context configure system login-control telnet ttl-security number
Tree ttl-security

Description

This command configures TTL security command options for incoming packets. When the feature is enabled, LDP accepts incoming IP packets from a peer only if the TTL value in the packet is greater than or equal to the minimum TTL value configured for that peer. Per-peer-queueing must be enabled in order for TTL protection to operate.

Range 1 to 255
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

management-interface

Synopsis Enter the management-interface context
Context configure system management-interface
Tree management-interface

Description

Commands in this context configure the capabilities of router management interfaces such as CLI and NETCONF.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

cli
Synopsis Enter the cli context
Context configure system management-interface cli
Tree cli

Description

Commands in this context configure the CLI management interfaces.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

classic-cli
Synopsis Enter the classic-cli context
Context configure system management-interface cli classic-cli
Tree classic-cli

Description

Commands in this context configure the classic CLI management interface.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

allow-immediate boolean
Synopsis Allow writable access in classic CLI configure branch
Context configure system management-interface cli classic-cli allow-immediate boolean
Tree allow-immediate

Description

When configured to true, this command enables write access in the classic CLI configuration branch without having to use the classic CLI candidate edit functionality.

When configured to false, this command blocks write access and configuration changes in the classic CLI configuration branch, and the classic CLI configuration branch is read-only. This enforces using the classic CLI candidate edit functionality, including candidate commit, to modify the router configuration, instead of allowing immediate line-by-line configuration changes.

Default true
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

rollback
Synopsis Enter the rollback context
Context configure system management-interface cli classic-cli rollback
Tree rollback

Description

Commands in this context control classic CLI configuration rollback functionality, such as the maximum number of rollback checkpoints the system maintains. Configuration rollback allows the operator to revert to previous router configuration states while minimizing impacts to services.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

location url
Synopsis Path and filename prefix for rollback checkpoint files
Context configure system management-interface cli classic-cli rollback location url
Tree location

Description

This command configures the local (for example, compact flash) or remote location and name of the classic CLI rollback checkpoint files. The filename must not contain a suffix. The suffixes for rollback checkpoint files are, for example, .rb, .rb.1, .rb.2, and so on. The suffixes are automatically appended to rollback checkpoint files.

String length 1 to 180
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

rescue
Synopsis Enter the rescue context
Context configure system management-interface cli classic-cli rollback rescue
Tree rescue
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

location url
Synopsis Location of the rescue configuration file
Context configure system management-interface cli classic-cli rollback rescue location url
Tree location

Description

This command configures the local or remote location and filename of the classic CLI rescue configuration file. The suffix (.rc) is automatically appended to the filename when a rescue configuration file is saved. Trivial FTP (TFTP) is not supported for remote locations.

String length 1 to 180
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

cli-engine keyword
Synopsis System-wide CLI engine access
Context configure system management-interface cli cli-engine keyword
Tree cli-engine

Description

This command configures the system-wide CLI engine. The operator can configure one or both engines. For the configuration to take effect, exit the running CLI session and start a new session after committing the new value.

Options classic-cli, md-cli
Max. instances 2

Notes

This element is ordered by the user.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

md-cli
Synopsis Enter the md-cli context
Context configure system management-interface cli md-cli
Tree md-cli

Description

Commands in this context configure the MD-CLI management interface.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

auto-config-save boolean
Synopsis Automatically save configuration as part of commit
Context configure system management-interface cli md-cli auto-config-save boolean
Tree auto-config-save

Description

When configured to true, the system automatically writes the running configuration to the saved configuration file as part of a successful commit operation.

Default true
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

environment
Synopsis Enter the environment context
Context configure system management-interface cli md-cli environment
Tree environment
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

command-alias
Synopsis Enter the command-alias context
Context configure system management-interface cli md-cli environment command-alias
Tree command-alias
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

alias [alias-name] string
Synopsis Enter the alias list instance
Context configure system management-interface cli md-cli environment command-alias alias string
Tree alias

Description

Commands in this context create aliases to existing MD-CLI commands or to Python applications.

Aliases may be mounted for use globally or for selected context paths. Arguments and output modifiers may be provided to aliases at configuration or run time.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

admin-state keyword
Synopsis Administrative state of the alias
Context configure system management-interface cli md-cli environment command-alias alias string admin-state keyword
Tree admin-state

Description

This command controls the administrative state of the MD-CLI alias.

MD-CLI aliases that are administratively disabled cannot be executed, are not displayed in command completion, and do not appear in ? help.

Options enable, disable
Default disable
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

mount-point [path] (keyword | string)
Synopsis Add a list entry for mount-point
Context configure system management-interface cli md-cli environment command-alias alias string mount-point (keyword | string)
Tree mount-point
Min. instances 1
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

command-completion
Synopsis Enter the command-completion context
Context configure system management-interface cli md-cli environment command-completion
Tree command-completion
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

commit-options
Synopsis Enter the commit-options context
Context configure system management-interface cli md-cli environment commit-options
Tree commit-options
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

console
Synopsis Enter the console context
Context configure system management-interface cli md-cli environment console
Tree console
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

history
Synopsis Enter the history context
Context configure system management-interface cli md-cli environment history
Tree history
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

recall boolean
Synopsis Allow command history recall and search execution
Context configure system management-interface cli md-cli environment history recall boolean
Tree recall

Description

When configured to true, the command history recall (!), substitution (!$), display (:p, Esc+.), and backward search (Ctrl-R) are enabled.

When configured to false, the command history can be displayed using the history command, but commands in the history cannot be executed.

Default true
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

size number
Synopsis Command history size
Context configure system management-interface cli md-cli environment history size number
Tree size

Description

This command specifies the maximum size of the command history. A value of 0 disables the command history.

Range 0 to 1000
Default 50
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

info-output
Synopsis Enter the info-output context
Context configure system management-interface cli md-cli environment info-output
Tree info-output
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

always-display
Synopsis Enter the always-display context
Context configure system management-interface cli md-cli environment info-output always-display
Tree always-display

Description

Commands in this context specify elements that are always displayed in the info output, regardless of whether the detail option is used.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

progress-indicator
Synopsis Enter the progress-indicator context
Context configure system management-interface cli md-cli environment progress-indicator
Tree progress-indicator
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

prompt
Synopsis Enter the prompt context
Context configure system management-interface cli md-cli environment prompt
Tree prompt
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

python
Synopsis Enter the python context
Context configure system management-interface cli md-cli environment python
Tree python

Description

Commands in this context customize Python settings used with the Python 3 interpreter in MD-CLI applications such as pyexec, command aliases, EHS, and CRON.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

time-display keyword
Synopsis Time zone to display time
Context configure system management-interface cli md-cli environment time-display keyword
Tree time-display

Description

This command configures the time zone for a timestamp displayed in outputs, such as event logs and show commands for the current CLI session.

In event logs, the selected time is used to control the timestamps in the CLI output of show log log-id and in YANG state in the /state/log/log-id branch (for logs such as session, cli, memory, SNMP, and NETCONF).

Also see the configure log log-id time-format command.

Options local, utc
Default local
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

time-format keyword
Synopsis Format to display the date and time
Context configure system management-interface cli md-cli environment time-format keyword
Tree time-format

Description

This command specifies the format of the time display in the prompt, configuration, state, and certain show command output in the current CLI session.

Options iso-8601, rfc-1123, rfc-3339
Default rfc-3339
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

commit-history number
Synopsis Number of commit history IDs to store
Context configure system management-interface commit-history number
Tree commit-history

Description

This command sets the number of IDs to store in the commit history.

Setting the value to 0 disables the commit history.

Range 0 to 200
Default 50
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

configuration-mode keyword
Synopsis Management interfaces allowed to edit the configuration
Context configure system management-interface configuration-mode keyword
Tree configuration-mode

Description

This command controls which of the classic or model-driven management interfaces can modify the configuration of the router.

Any management interface can be used in any configuration mode (to gather state information or perform operations, for example), but only specific management interfaces (CLI, NETCONF, and so on) are allowed to edit the configuration of the router in different modes. For example, only classic CLI and SNMP can be used to edit the configuration when in classic mode.

Options classic, model-driven, mixed
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

configuration-save
Synopsis Enter the configuration-save context
Context configure system management-interface configuration-save
Tree configuration-save

Description

Commands in this context configure the attributes for saved configuration files.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

configuration-backups number
Synopsis Maximum number of configuration versions maintained
Context configure system management-interface configuration-save configuration-backups number
Tree configuration-backups

Description

This command configures the maximum number of saved configuration file versions the router maintains.

When the configuration is saved, configuration file names are appended with a numeric extension. Each subsequent configuration save creates a new configuration file version with an incremented numeric extension until the maximum count is reached, after which the next configuration save overwrites the oldest file version.

Each persistent index file is updated at the same time as the associated configuration file. The system synchronizes the active and standby CPM for all configurations and their associated persistent index files.

Range 1 to 200
Default 50
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

incremental-saves boolean
Synopsis Use incremental saved configuration files
Context configure system management-interface configuration-save incremental-saves boolean
Tree incremental-saves

Description

When configured to true, the system saves each commit to the configure configuration region in a separate incremental saved configuration file, which allows for faster commits, instead of saving a complete saved configuration file each time.

Default true
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

netconf
Synopsis Enter the netconf context
Context configure system management-interface netconf
Tree netconf
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

auto-config-save boolean
Synopsis Automatically save configuration as part of commit
Context configure system management-interface netconf auto-config-save boolean
Tree auto-config-save

Description

When configured to true, the system automatically writes the running configuration to the saved configuration file as part of a successful commit operation.

Default true
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

call-home
Synopsis Enter the call-home context
Context configure system management-interface netconf call-home
Tree call-home

Description

Commands in this context configure NETCONF Call Home, which enables an SR OS node to trigger a NETCONF client to start a connection.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

device-labels
Synopsis Enter the device-labels context
Context configure system management-interface netconf call-home device-labels
Tree device-labels
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

netconf-client [name] named-item
Synopsis Enter the netconf-client list instance
Context configure system management-interface netconf call-home netconf-client named-item
Tree netconf-client

Description

Commands in this context configure the list of NETCONF clients with which the NETCONF server maintains simultaneous Call Home connections.

Max. instances 10
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

capabilities
Synopsis Enter the capabilities context
Context configure system management-interface netconf capabilities
Tree capabilities

Description

Commands in this context configure explicit capabilities for the NETCONF server.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

candidate boolean
Synopsis Allow the NETCONF server to access candidate datastore
Context configure system management-interface netconf capabilities candidate boolean
Tree candidate

Description

When configured to true, this command allows the SR OS NETCONF server to access the candidate configuration datastore. Configuring this command to true also enables using commit and discard-changes.

When configure system management-interface configuration-mode is set to classic, the candidate capability is disabled, even if this command is configured to true.

When configured to false, this command disables the SR OS NETCONF server from accessing the candidate datastore. If the candidate is disabled, requests that reference the candidate datastore return an error, and when a NETCONF client establishes a new session, the candidate capability is not advertised in the SR OS NETCONF Hello message.

Default true
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

listen
Synopsis Enter the listen context
Context configure system management-interface netconf listen
Tree listen
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

delay-on-boot number
Synopsis Delay before NETCONF server is operational after boot
Context configure system management-interface netconf listen delay-on-boot number
Tree delay-on-boot

Description

This command configures the delay timer for NETCONF connections. When the timer expires, NETCONF becomes operational and connections are accepted. This delay prevents automation from managing the system while it is still converging.

When no delay is configured, connections are accepted after the system boots and NETCONF becomes operational.

Range 1 to 3600
Units seconds
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

port number
Synopsis Port on which NETCONF server listens for connections
Context configure system management-interface netconf listen port number
Tree port

Description

This command specifies the port on which the SR OS NETCONF server listens for new connections. One port can be configured for NETCONF management.

The configured port applies to both non-VPRN and VPRN management. New NETCONF connections are able to use the configured port.

For NETCONF connections not using VPRN management, active NETCONF connections are not disconnected if the connection port changes. For NETCONF connections using VPRN management, active NETCONF connections are disconnected if the connection port changes.

Range 22 | 830
Default 830
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

operations
Synopsis Enter the operations context
Context configure system management-interface operations
Tree operations

Description

Commands in this context configure parameters associated with operational commands in model-driven interfaces.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

global-timeouts
Synopsis Enter the global-timeouts context
Context configure system management-interface operations global-timeouts
Tree global-timeouts

Description

Commands in this context configure system timeout parameters for operational commands.

Timeout parameters provide default system-level control for various types of operational commands in model-driven interfaces. The timeout values are used when specific execution and retention timeouts are not requested for a specific operation.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

asynchronous-execution (number | keyword)
Synopsis Timeout for asynchronous operation execution
Context configure system management-interface operations global-timeouts asynchronous-execution (number | keyword)
Tree asynchronous-execution

Description

This command configures the period of time that operations launched as “asynchronous” are allowed to execute before being automatically stopped by the SR OS.

An asynchronous operation is not deleted from the system when it is stopped. See the asynchronous-retention command.

If a specific execution timeout is not included in the request for a particular asynchronous operation, this system-level timeout applies.

Note: This execution timeout is part of the general global operations infrastructure and is separate and independent from any operation-specific timeouts (for example, the ping operation also has its own timeout parameter).

Range 1 to 604800
Units seconds
Options never
Default 3600
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

asynchronous-retention (number | keyword)
Synopsis Timeout for asynchronous operation data retention
Context configure system management-interface operations global-timeouts asynchronous-retention (number | keyword)
Tree asynchronous-retention

Description

This command configures the period of time that data related to operations launched as “asynchronous” is retained in the system. After the retention timeout expires, all information related to the operation is deleted, including any status information and result data.

If a specific retention timeout is not included in the request for a particular asynchronous operation, this system-level timeout applies.

Range 1 to 604800
Units seconds
Options never
Default 86400
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

synchronous-execution (number | keyword)
Synopsis Timeout for synchronous operation execution
Context configure system management-interface operations global-timeouts synchronous-execution (number | keyword)
Tree synchronous-execution

Description

This command configures the period of time that operations launched as “synchronous” (the default method for all operations) are allowed to execute before they are automatically stopped, and their associated data is deleted.

If a specific execution timeout is not included in the request for a particular synchronous operation, this system-level timeout applies.

Note: This execution timeout is part of the general global operations infrastructure and is separate and independent from any operation-specific timeouts (for example, the ping operation also has its own timeout parameter).

Caution: If this command is set with a specific time value, MD-CLI operations are subject to the timeout and are interrupted if they execute longer than the time value. This situation can arise because the timeout also applies to operations requested in the MD-CLI interface (for example, ping, file dir, and so on).

Range 1 to 604800
Units seconds
Options never
Default never
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

remote-management
Synopsis Enter the remote-management context
Context configure system management-interface remote-management
Tree remote-management

Description

Commands in this context configure the SR OS node to use the remote management service. Configuring remote management enables the SR OS node to report itself to a remote manager service running on a remote server, so that it is included in the dynamic list of available nodes. The manager service streamlines the management of multiple SR OS nodes running different SR OS versions using the same client application providing a similar shell to the MD-CLI.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

allow-unsecure-connection
Synopsis Allow connection without secured transport protocol
Context configure system management-interface remote-management allow-unsecure-connection
Tree allow-unsecure-connection

Description

When configured, this command allows an unsecured connection to remote managers; TCP connections are not encrypted, including username and password information.

Notes

The following elements are part of a choice: allow-unsecure-connection or client-tls-profile.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

delay-on-boot number
Synopsis Delay for remote management after system boot
Context configure system management-interface remote-management delay-on-boot number
Tree delay-on-boot

Description

This command configures the delay timer for remote management connections over gRPC. When the timer expires, remote management becomes operational and connections are accepted. This delay prevents automation from managing the system while it is still converging.

When no delay is configured, remote management connections are accepted after the system boots and gRPC becomes operational.

Range 1 to 3600
Units seconds
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

device-label named-item-64
Synopsis Device label supplied to the remote manager
Context configure system management-interface remote-management device-label named-item-64
Tree device-label

Description

This command specifies a metadata label that is supplied to the manager. This label is used to group devices or network nodes with a common purpose or goal.

String length 1 to 64
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

device-name named-item-64
Synopsis Device name supplied to the remote manager
Context configure system management-interface remote-management device-name named-item-64
Tree device-name

Description

This command specifies a device name that is supplied to the manager. The name identifies a specific SR OS node in the network.

When unconfigured, the default system name is used.

String length 1 to 64
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

manager [manager-name] named-item-64
Synopsis Enter the manager list instance
Context configure system management-interface remote-management manager named-item-64
Tree manager

Description

Commands in this context configure options for a specific manager.

Commands configured in this context take precedence over command values specified directly in the configure management-interface remote-management context.

If a command is not configured in this context, the command setting is inherited from the higher level context.

Max. instances 2
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

allow-unsecure-connection
Synopsis Allow connection without secured transport protocol
Context configure system management-interface remote-management manager named-item-64 allow-unsecure-connection
Tree allow-unsecure-connection

Description

When configured, the system allows an unsecured connection to the remote managers; the TCP connection is not encrypted. This includes username and password information.

Notes

The following elements are part of a choice: allow-unsecure-connection or client-tls-profile.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

device-label named-item-64
Synopsis Device label supplied to the remote manager
Context configure system management-interface remote-management manager named-item-64 device-label named-item-64
Tree device-label

Description

This command specifies a metadata label that is supplied to the manager. This label is used to group devices or network nodes with a common purpose or goal.

String length 1 to 64
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

device-name named-item-64
Synopsis Device name supplied to the remote manager
Context configure system management-interface remote-management manager named-item-64 device-name named-item-64
Tree device-name

Description

This command specifies a device name that is supplied to the manager. The name identifies a specific SR OS node in the network.

When unconfigured, the default system name is used.

String length 1 to 64
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

manager-address (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name)
Synopsis Destination IP address of the manager
Context configure system management-interface remote-management manager named-item-64 manager-address (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name)
Tree manager-address
String length 1 to 255
Introduced 25.3.R2

Platforms

7705 SAR Gen 2
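
The precedence and choice rules described above for the manager context, worked through as an added example (not Nokia code). It assumes the configuration is available as one statement per line in the form of the Context paths on this page, and that a choice member set under a manager replaces whichever member is inherited from the remote-management context; the manager names, TLS profile name and addresses are constructed.

```python
import shlex

BASE = ["/configure", "system", "management-interface", "remote-management"]
CHOICE = ("allow-unsecure-connection", "client-tls-profile")
INHERITED = ("device-label", "device-name")
MAX_MANAGERS = 2  # "Max. instances 2" in the manager entry

# Constructed sample input (not taken from a real node).
SAMPLE = '''\
/configure system management-interface remote-management client-tls-profile "mgmt-tls"
/configure system management-interface remote-management device-label "edge"
/configure system management-interface remote-management manager "nms-a" manager-address 192.0.2.10
/configure system management-interface remote-management manager "nms-b" manager-address nms-b.example.net
/configure system management-interface remote-management manager "nms-b" allow-unsecure-connection
/configure system management-interface remote-management manager "nms-b" device-label "lab"
'''


def parse(text):
    """Split flat statements into (remote-management settings, per-manager settings)."""
    top, managers = {}, {}
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)
        if tok[:len(BASE)] != BASE or len(tok) == len(BASE):
            continue  # not a remote-management statement
        rest = tok[len(BASE):]
        target = top
        if rest[0] == "manager":
            if len(rest) < 2:
                continue
            target = managers.setdefault(rest[1], {})
            rest = rest[2:]
        if rest:
            # Presence-only leaves (allow-unsecure-connection) are stored as True.
            target[rest[0]] = rest[1] if len(rest) > 1 else True
    return top, managers


def transport_of(settings):
    """Transport selected by the choice in one context, or None if neither is set."""
    if "allow-unsecure-connection" in settings:
        return "unsecured"
    if "client-tls-profile" in settings:
        return "tls:" + settings["client-tls-profile"]
    return None


def effective(text):
    """Resolve each manager's settings: its own value first, else the inherited one."""
    top, managers = parse(text)
    result = {}
    for name, own in managers.items():
        own_transport = transport_of(own)
        eff = {
            "transport": own_transport or transport_of(top) or "unset",
            "transport-source": "manager" if own_transport else "inherited",
        }
        for leaf in INHERITED:
            # None for device-name means the default system name is supplied.
            eff[leaf] = own.get(leaf, top.get(leaf))
        result[name] = eff
    return result


def findings(text):
    """Report choice violations, too many managers, and unencrypted manager sessions."""
    top, managers = parse(text)
    notes = []
    contexts = [("remote-management", top)]
    contexts += [("manager " + n, s) for n, s in managers.items()]
    for ctx, settings in contexts:
        if all(k in settings for k in CHOICE):
            notes.append(ctx + ": both members of the transport choice are set")
    if len(managers) > MAX_MANAGERS:
        notes.append("more than %d manager instances configured" % MAX_MANAGERS)
    for name, eff in effective(text).items():
        if eff["transport"] == "unsecured":
            notes.append("manager %s: unencrypted TCP (set in %s context); "
                         "username and password cross the wire in clear"
                         % (name, eff["transport-source"]))
    return notes


if __name__ == "__main__":
    for name, eff in effective(SAMPLE).items():
        print(name, eff)
    for note in findings(SAMPLE):
        print("FINDING:", note)
```

A manager that configures nothing of its own still shows up with the inherited transport, so the same check catches an unsecured setting placed at the remote-management level.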

schema-path url
Synopsis Schema path URL
Context configure system management-interface schema-path url
Tree schema-path

Description

This command specifies the schema path where the SR OS YANG modules can be placed by the user before using a <get-schema> request. Nokia recommends that the URL string not exceed 135 characters for the <get-schema> request to work correctly with all schema files.

If this command is not configured, the software upgrade process manages the YANG schema files to ensure the schema files are synchronized with the software image on both the primary and standby CPM.

String length 1 to 180
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

snmp
Synopsis Enter the snmp context
Context configure system management-interface snmp
Tree snmp
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

admin-state keyword
Synopsis Administrative state of the SNMP agent
Context configure system management-interface snmp admin-state keyword
Tree admin-state

Description

This command administratively enables or disables SNMP agent operations. Disabling SNMP does not prevent the agent from sending SNMP notifications to configured SNMP trap destinations.

In classic and mixed configuration mode, the agent is administratively disabled in the event of a reboot when the processing of the configuration file fails to complete or when an SNMP persistent index file fails while the bof system persistent-indices command is set to true. This prevents an SNMP-based management system from accessing and possibly synchronizing with a partially booted or incomplete network element. This auto-disable behavior is not applicable to model-driven configuration mode.

Options enable, disable
Default enable
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

engine-id engine-id-as-string
Synopsis SNMP engine ID that identifies the SNMPv3 node
Context configure system management-interface snmp engine-id engine-id-as-string
Tree engine-id

Description

This command sets the SNMP engine ID that uniquely identifies the SNMPv3 node.

If unconfigured, the system uses an engine ID based on the information from the system backplane.

If the SNMP engine ID is changed, the current configuration must be saved and a reboot must be executed. Otherwise, the previously configured SNMP communities and logger trap-target notify communities will not be valid for the new engine ID.

Note: Changing the SNMP engine ID invalidates all SNMPv3 MD5 and SHA security digest keys, which may render the node unmanageable.

When replacing a chassis, configure the new router to use the same engine ID as the previous router. This preserves SNMPv3 security keys and allows management stations to use their existing authentication keys for the new router.

Ensure that the engine ID of each router is unique. A management domain can only maintain one instance of a specific engine ID.

String length 10 to 64
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

general-port number
Synopsis Port number used to send general SNMP messages
Context configure system management-interface snmp general-port number
Tree general-port

Description

This command configures the port number used to receive SNMP request messages and send replies.

For the port used for SNMP notifications, configure the configure log snmp-trap-group trap-target port command.

Range 0 | 1 to 65535
Default 161
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

max-bulk-duration number
Synopsis Maximum process duration before responses are returned
Context configure system management-interface snmp max-bulk-duration number
Tree max-bulk-duration

Description

This command sets the maximum duration for processing an SNMP request before bulk responses are returned. This avoids a timeout on the management system when a lot of information is returned in the response.

Range 100 to 5000
Units milliseconds
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

streaming
Synopsis Enter the streaming context
Context configure system management-interface snmp streaming
Tree streaming
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

admin-state keyword
Synopsis Administrative state of SNMP streaming
Context configure system management-interface snmp streaming admin-state keyword
Tree admin-state

Description

This command enables or disables the proprietary SNMP request and response bundling as well as the TCP-based transport mechanism for optimizing network management of the router nodes. In higher latency networks, synchronizing router MIBs from network management using streaming takes less time than synchronizing using classic SNMP UDP requests. Streaming operates on TCP port 1491 and runs over IPv4 or IPv6.

Options enable, disable
Default disable
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

transport keyword
Synopsis Transport protocol used by the SNMP agent
Context configure system management-interface snmp transport keyword
Tree transport
Options

udp – UDP only

tcp – TCP only

both – TCP and UDP

Default udp
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

yang-modules
Synopsis Enter the yang-modules context
Context configure system management-interface yang-modules
Tree yang-modules

Description

Commands in this context determine the system support of the Nokia YANG models.

The settings affect the data sent in a NETCONF <hello>, data populated in the RFC 6022 /netconf-state/schemas list, data returned in a <get-schema> request, and data populated in the RFC 8525 /yang-library.

See "NETCONF monitoring" and "YANG library" in the 7705 SAR Gen 2 System Management Guide for more information.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

nmda
Synopsis Enter the nmda context
Context configure system management-interface yang-modules nmda
Tree nmda

Description

Commands in this context configure the attributes for the Network Management Datastores Architecture (NMDA).

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

nmda-support boolean
Synopsis Advertise NMDA support over NETCONF
Context configure system management-interface yang-modules nmda nmda-support boolean
Tree nmda-support

Description

When configured to true, this command enables the advertisement of NMDA support over NETCONF through the use of YANG library 1.1.

When configured to false, this command disables NMDA advertisement over NETCONF and YANG library 1.0 is used.

Default false
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

nokia-combined-modules boolean
Synopsis Support access to combined Nokia YANG models
Context configure system management-interface yang-modules nokia-combined-modules boolean
Tree nokia-combined-modules

Description

When configured to true, the system supports the combined Nokia YANG files for both configuration and state data in the NETCONF server.

When the system is operating in classic configuration mode, attempts to access (read or write) the configuration using the Nokia configuration modules or namespace via NETCONF result in errors, even if this command is set to true.

When configured to false, access to the combined Nokia YANG files is not supported.

This command and the nokia-submodules command cannot both be set to true at the same time.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

nokia-submodules boolean
Synopsis Support submodule-based packaging of Nokia YANG models
Context configure system management-interface yang-modules nokia-submodules boolean
Tree nokia-submodules

Description

When configured to true, the system supports the alternative submodule-based packaging of the Nokia YANG files for both configuration and state data in the NETCONF server.

When the system is operating in classic configuration mode, attempts to access (read or write) the configuration using the Nokia configuration modules or namespace via NETCONF result in errors, even if this command is set to true.

When configured to false, access to the submodule-based packaging of the Nokia YANG files is not supported.

This command and the nokia-combined-modules command cannot both be set to true at the same time.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

name named-item-64

Synopsis Administrative name assigned to the system
Context configure system name named-item-64
Tree name
String length 1 to 64
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

network-element-discovery

Synopsis Enter the network-element-discovery context
Context configure system network-element-discovery
Tree network-element-discovery
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

profile [name] named-item
Synopsis Enter the profile list instance
Context configure system network-element-discovery profile named-item
Tree profile
Max. instances 1
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

neip
Synopsis Enter the neip context
Context configure system network-element-discovery profile named-item neip
Tree neip
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

auto-generate
Synopsis Enter the auto-generate context
Context configure system network-element-discovery profile named-item neip auto-generate
Tree auto-generate
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

ospf-dynamic-hostnames boolean

Synopsis Process received OSPF dynamic hostname information
Context configure system ospf-dynamic-hostnames boolean
Tree ospf-dynamic-hostnames

Description

When configured to true, OSPF dynamic hostnames are enabled. The router receiving the new dynamic hostname within the OSPF Router Information (RI) LSA is instructed to process the received dynamic hostname information.

When configured to false, dynamic hostname information is not processed.

Default false
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

persistence

Synopsis Enter the persistence context
Context configure system persistence
Tree persistence

Description

Commands in this context configure persistence on the system.

The persistence feature enables the system to retain state information learned through DHCP snooping across reboots. This information includes data such as the IP address and MAC binding information, lease-length information, and ingress SAP information (required for VPLS snooping to identify the ingress interface).

If persistence is enabled when there are no DHCP relay or snooping commands enabled, the system creates an empty file.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

ancp
Synopsis Enter the ancp context
Context configure system persistence ancp
Tree ancp
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

location keyword
Synopsis CPM flash card where the information is stored
Context configure system persistence ancp location keyword
Tree location
Options cf1, cf2, cf3
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

dhcp-server
Synopsis Enter the dhcp-server context
Context configure system persistence dhcp-server
Tree dhcp-server
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

nat-port-forwarding
Synopsis Enter the nat-port-forwarding context
Context configure system persistence nat-port-forwarding
Tree nat-port-forwarding
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

script-control

Synopsis Enter the script-control context
Context configure system script-control
Tree script-control
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

script [script-name] named-item owner named-item
Synopsis Enter the script list instance
Context configure system script-control script named-item owner named-item
Tree script
Max. instances 1500
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[script-name] named-item
Synopsis Script name
Context configure system script-control script named-item owner named-item
Tree script
String length 1 to 32

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

owner named-item
Synopsis Script owner
Context configure system script-control script named-item owner named-item
Tree script

Description

This command configures the owner to be associated with the script. The owner is optional and "TiMOS CLI" is used if an owner is not specified.

The owner is an arbitrary name and not necessarily a user name. Commands in the scripts are not authorized against the owner. The configure system security cli-script authorization x cli-user command determines the user context against which commands in the scripts are authorized.

String length 1 to 32
MD-CLI default TiMOS CLI

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

location string-not-all-spaces
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Script location
Context configure system script-control script named-item owner named-item location string-not-all-spaces
Tree location
String length 1 to 255
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

script-policy [policy-name] named-item owner named-item
Synopsis Enter the script-policy list instance
Context configure system script-control script-policy named-item owner named-item
Tree script-policy
Max. instances 1500
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[policy-name] named-item
Synopsis Script policy name
Context configure system script-control script-policy named-item owner named-item
Tree script-policy
String length 1 to 32

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

owner named-item
Synopsis Script policy owner
Context configure system script-control script-policy named-item owner named-item
Tree script-policy

Description

This command configures the owner to be associated with the script policy. The owner is optional and "TiMOS CLI" is used if an owner is not specified.

The owner is an arbitrary name and not necessarily a user name. Commands in the scripts are not authorized against the owner. The configure system security cli-script authorization x cli-user command determines the user context against which commands in the scripts are authorized.

String length 1 to 32
MD-CLI default TiMOS CLI

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

expire-time (number | keyword)
Synopsis Maximum amount of time to keep a run history status
Context configure system script-control script-policy named-item owner named-item expire-time (number | keyword)
Tree expire-time
Range 0 to 21474836
Units seconds
Options forever
Default 3600
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

lifetime (number | keyword)
Synopsis Maximum amount of time the script may run
Context configure system script-control script-policy named-item owner named-item lifetime (number | keyword)
Tree lifetime
Range 0 to 21474836
Units seconds
Options forever
Default 3600

Notes

The following elements are part of a choice: (lifetime and script) or (python-lifetime and python-script).

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

python-lifetime number
Synopsis Maximum time the Python application can run
Context configure system script-control script-policy named-item owner named-item python-lifetime number
Tree python-lifetime
Range 30 to 86400
Units seconds

Notes

The following elements are part of a choice: (lifetime and script) or (python-lifetime and python-script).

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

python-script
Synopsis Enter the python-script context
Context configure system script-control script-policy named-item owner named-item python-script
Tree python-script

Notes

The following elements are part of a choice: (lifetime and script) or (python-lifetime and python-script).

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

results string-not-all-spaces
Synopsis Location to receive CLI output of a script run
Context configure system script-control script-policy named-item owner named-item results string-not-all-spaces
Tree results
String length 1 to 255
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

script
Synopsis Enter the script context
Context configure system script-control script-policy named-item owner named-item script
Tree script

Notes

The following elements are part of a choice: (lifetime and script) or (python-lifetime and python-script).

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

name named-item
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Script name
Context configure system script-control script-policy named-item owner named-item script name named-item
Tree name
String length 1 to 32
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

owner named-item
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Script owner
Context configure system script-control script-policy named-item owner named-item script owner named-item
Tree owner
String length 1 to 32
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

security

Synopsis Enter the security context
Context configure system security
Tree security

Description

Commands in this context configure central security settings such as DDoS protection, users, authorization profiles, and certificates.

Access to these commands should be restricted to highly trusted users and device administrators.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

aaa
Synopsis Enter the aaa context
Context configure system security aaa
Tree aaa
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

cli-session-group [cli-session-group-name] named-item
Synopsis Enter the cli-session-group list instance
Context configure system security aaa cli-session-group named-item
Tree cli-session-group
Max. instances 16
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[cli-session-group-name] named-item
Synopsis CLI session group name
Context configure system security aaa cli-session-group named-item
Tree cli-session-group
String length 1 to 32

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

health-check (number | keyword)
Synopsis Polling interval of RADIUS, TACACS+, and LDAP servers
Context configure system security aaa health-check (number | keyword)
Tree health-check
Range 6 to 1500
Units seconds
Options none
Default 30
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

local-profiles
Synopsis Enter the local-profiles context
Context configure system security aaa local-profiles
Tree local-profiles
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

profile [user-profile-name] named-item
Synopsis Enter the profile list instance
Context configure system security aaa local-profiles profile named-item
Tree profile
Max. instances 128
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[user-profile-name] named-item
Synopsis User profile name
Context configure system security aaa local-profiles profile named-item
Tree profile
String length 1 to 32

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

default-action keyword
Synopsis Action for non-matching entry
Context configure system security aaa local-profiles profile named-item default-action keyword
Tree default-action

Description

This command specifies the default action to be applied when no match conditions are met in the list of profile entry match commands. It does not apply in any way to other parts of the profile such as grpc rpc-authorization or netconf base-op-authorization.

Options deny-all, permit-all, none, read-only-all
Default none
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

entry [entry-id] number
Synopsis Enter the entry list instance
Context configure system security aaa local-profiles profile named-item entry number
Tree entry
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[entry-id] number
Synopsis User profile entry ID
Context configure system security aaa local-profiles profile named-item entry number
Tree entry
Range 1 to 9999

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

grpc
Synopsis Enter the grpc context
Context configure system security aaa local-profiles profile named-item grpc
Tree grpc
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

rpc-authorization
Synopsis Enter the rpc-authorization context
Context configure system security aaa local-profiles profile named-item grpc rpc-authorization
Tree rpc-authorization

Description

Commands in this context control the authorization of each RPC in gRPC interfaces.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

netconf
Synopsis Enter the netconf context
Context configure system security aaa local-profiles profile named-item netconf
Tree netconf
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

base-op-authorization
Synopsis Enter the base-op-authorization context
Context configure system security aaa local-profiles profile named-item netconf base-op-authorization
Tree base-op-authorization

Description

Commands in this context configure the permission to use NETCONF operations at the base operation level for the specified profile.

The NETCONF operations are authorized by default in the built-in system-generated administrative profile.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

create-subscription boolean
Synopsis Allow the NETCONF <create-subscription> RPC
Context configure system security aaa local-profiles profile named-item netconf base-op-authorization create-subscription boolean
Tree create-subscription

Description

When configured to true, the system enables the NETCONF create-subscription operation in the default profile.

The configuration of this command is checked only at the time of the initial subscription. Configuration changes to this command do not cancel any in-progress subscriptions, and users who successfully subscribed initially continue to receive messages.

The operation is enabled by default in the built-in system-generated administrative profile.

Default false
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

management-interface
Synopsis Enter the management-interface context
Context configure system security aaa management-interface
Tree management-interface
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

output-authorization
Synopsis Enter the output-authorization context
Context configure system security aaa management-interface output-authorization
Tree output-authorization

Description

Commands in this context configure output authorization for model-driven interfaces and telemetry.

When output authorization is performed, commands that display configuration or state output must authorize every element in the output. If a remote AAA server is configured, there may be delays in displaying output while the output is authorized. The remote AAA server may receive a large volume of authorization requests when substantial output displays are needed, such as for system configuration details.

Input to edit the configuration is always authorized, and is not affected by commands in this context.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

md-interfaces boolean
Synopsis Authorize output in model-driven interfaces
Context configure system security aaa management-interface output-authorization md-interfaces boolean
Tree md-interfaces

Description

When configured to true, output is authorized for the following:

  • MD-CLI info and compare commands 

  • MD-CLI command completion of list key values

  • NETCONF <get> and <get-config> RPC

  • gRPC/gNMI Get RPCs

Default true
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

telemetry-data boolean
Synopsis Authorize dial-in telemetry output
Context configure system security aaa management-interface output-authorization telemetry-data boolean
Tree telemetry-data

Description

When configured to true, the system authorizes telemetry data in gNMI Subscriber RPC responses for dial-in telemetry.

When configured to false, telemetry data is not authorized.

Default false
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

telemetry-default-user reference
Synopsis Local user for dial-out telemetry output authorization
Context configure system security aaa management-interface output-authorization telemetry-default-user reference
Tree telemetry-default-user

Description

This command specifies the local user for telemetry data authorization in gNMI Publish RPCs for dial-out telemetry. The administrator must configure the local user to ensure the subscription is operational.

Reference

configure system security user-params local-user user named-item

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

remote-servers
Synopsis Enter the remote-servers context
Context configure system security aaa remote-servers
Tree remote-servers
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

ldap
Synopsis Enter the ldap context
Context configure system security aaa remote-servers ldap
Tree ldap
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

route-preference keyword
Synopsis Route preference to reach the AAA server
Context configure system security aaa remote-servers ldap route-preference keyword
Tree route-preference

Description

This command specifies the routing preference to reach the AAA server. If the configured option is to use both in-band and out-of-band routes, the out-of-band routes in the Base routing instance are used to reach the server before the in-band routes in the management routing instance.

Options both, inband, outband
Default both
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

server [index] number
Synopsis Enter the server list instance
Context configure system security aaa remote-servers ldap server number
Tree server
Max. instances 5
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

address [ip-address] (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis Enter the address list instance
Context configure system security aaa remote-servers ldap server number address (ipv4-address-no-zone | ipv6-address-no-zone)
Tree address
Max. instances 1
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[ip-address] (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis LDAP server address
Context configure system security aaa remote-servers ldap server number address (ipv4-address-no-zone | ipv6-address-no-zone)
Tree address

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

port number
Synopsis Port number on which to contact the LDAP server
Context configure system security aaa remote-servers ldap server number address (ipv4-address-no-zone | ipv6-address-no-zone) port number
Tree port
Range 1 to 65535
Default 389
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

bind-authentication
Synopsis Enter the bind-authentication context
Context configure system security aaa remote-servers ldap server number bind-authentication
Tree bind-authentication
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

radius
Synopsis Enter the radius context
Context configure system security aaa remote-servers radius
Tree radius
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

route-preference keyword
Synopsis Route preference to reach the AAA server
Context configure system security aaa remote-servers radius route-preference keyword
Tree route-preference

Description

This command specifies the routing preference to reach the AAA server. If the configured option is to use both in-band and out-of-band routes, the out-of-band routes in the Base routing instance are used to reach the server before the in-band routes in the management routing instance.

Options both, inband, outband
Default both
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

server [index] number
Synopsis Enter the server list instance
Context configure system security aaa remote-servers radius server number
Tree server
Max. instances 5
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

address (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis IP address of the RADIUS server
Context configure system security aaa remote-servers radius server number address (ipv4-address-no-zone | ipv6-address-no-zone)
Tree address

Notes

This element is mandatory.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

authenticator keyword
Synopsis Authenticator hash algorithm for the RADIUS server
Context configure system security aaa remote-servers radius server number authenticator keyword
Tree authenticator

Description

This command specifies the hash algorithm used to authenticate RADIUS Access-Request, Access-Accept, Access-Reject, Access-Challenge, Accounting-Request, and Accounting-Response packets.

Options md5, sm3
Default md5
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

tacplus
Synopsis Enter the tacplus context
Context configure system security aaa remote-servers tacplus
Tree tacplus
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

authorization
Synopsis Enable the authorization context
Context configure system security aaa remote-servers tacplus authorization
Tree authorization
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

request-format
Synopsis Enter the request-format context
Context configure system security aaa remote-servers tacplus authorization request-format
Tree request-format

Description

Commands in this context configure access operations that are sent to the TACACS+ server during authorization.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

access-operation-cmd keyword
Synopsis Access operations sent in authorization requests
Context configure system security aaa remote-servers tacplus authorization request-format access-operation-cmd keyword
Tree access-operation-cmd

Description

This command sends an operation argument in authorization requests.

In model-driven interfaces, this command configures the system to send the operation in the cmd argument, and the path in the cmd-args argument, in TACACS+ authorization requests. This command does not apply to authorization requests in classic interfaces.

Options delete
Max. instances 1
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

use-priv-lvl boolean
Synopsis Allow privilege level mapping
Context configure system security aaa remote-servers tacplus authorization use-priv-lvl boolean
Tree use-priv-lvl

Description

When configured to true, this command automatically performs a single authorization request to the TACACS+ server for cmd* (all commands) immediately after login, and then uses the local profile associated (via the priv-lvl-map) with the priv-lvl returned by the TACACS+ server for all subsequent authorization (except enable-admin). After the initial authorization for cmd*, no further authorization requests are sent to the TACACS+ server (except enable-admin).

When configured to false, each command is sent to the TACACS+ server for authorization (this is true regardless of whether the tacplus use-default-template setting is enabled).

Default false
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

ignore-unknown-mandatory-vsas boolean
Synopsis Ignore unknown mandatory VSAs and fail authentication
Context configure system security aaa remote-servers tacplus ignore-unknown-mandatory-vsas boolean
Tree ignore-unknown-mandatory-vsas

Description

When configured to true, the system ignores unknown mandatory VSAs and authentication succeeds.

When configured to false, the system ignores unknown mandatory VSAs received in a reply from the TACACS+ server. Authentication fails and the user is disconnected because the system cannot process a mandatory VSA that is unknown.

Default false
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

priv-lvl-map
Synopsis Enter the priv-lvl-map context
Context configure system security aaa remote-servers tacplus priv-lvl-map
Tree priv-lvl-map
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

priv-lvl [level] number
Synopsis Enter the priv-lvl list instance
Context configure system security aaa remote-servers tacplus priv-lvl-map priv-lvl number
Tree priv-lvl
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

route-preference keyword
Synopsis Route preference to reach the AAA server
Context configure system security aaa remote-servers tacplus route-preference keyword
Tree route-preference

Description

This command specifies the routing preference to reach the AAA server. If the configured option is to use both in-band and out-of-band routes, the out-of-band routes in the Base routing instance are used to reach the server before the in-band routes in the management routing instance.

Options both, inband, outband
Default both
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

server [index] number
Synopsis Enter the server list instance
Context configure system security aaa remote-servers tacplus server number
Tree server
Max. instances 5
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

address (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis IP address of the TACACS+ server
Context configure system security aaa remote-servers tacplus server number address (ipv4-address-no-zone | ipv6-address-no-zone)
Tree address

Notes

This element is mandatory.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

server-retry-timeout (number | keyword)
Synopsis Time before retrying requests when health checks are disabled
Context configure system security aaa remote-servers tacplus server-retry-timeout (number | keyword)
Tree server-retry-timeout

Description

This command configures the maximum timeout before retrying requests when health checks are disabled and all TACACS+ servers are operationally down. Set the value of this timer to a lower value or disable it to increase the interactive responsiveness of AAA requests after the servers become unreachable.

Range 1 to 300
Units seconds
Options

none – Disable retry timeout and send requests immediately

Default 300
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

service-request
Synopsis Enter the service-request context
Context configure system security aaa remote-servers tacplus service-request
Tree service-request

Description

Commands in this context enable Nokia services to be requested from the TACACS+ server when a user authenticates.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

vprn-server
Synopsis Enter the vprn-server context
Context configure system security aaa remote-servers vprn-server
Tree vprn-server
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

inband reference
Synopsis VPRN service used for AAA by in-band sessions
Context configure system security aaa remote-servers vprn-server inband reference
Tree inband

Description

This command configures TACACS+ or RADIUS servers in a VPRN to be used for AAA by that VPRN and by sessions in the Base routing instance.

Reference

configure service vprn service-name

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

outband reference
Synopsis VPRN service used for AAA by out-of-band sessions
Context configure system security aaa remote-servers vprn-server outband reference
Tree outband

Description

This command configures TACACS+ and RADIUS servers in a VPRN to be used for AAA by that VPRN and by sessions on the console or out-of-band (OOB) Ethernet ports.

Reference

configure service vprn service-name

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

vprn reference
Synopsis VPRN used for AAA in VPRNs without a AAA server
Context configure system security aaa remote-servers vprn-server vprn reference
Tree vprn

Description

This command configures TACACS+ or RADIUS servers in a VPRN to be used for AAA by that VPRN and by sessions in VPRNs without a AAA server configured.

Reference

configure service vprn service-name

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

user-template [user-template-name] keyword
Synopsis Enter the user-template list instance
Context configure system security aaa user-template keyword
Tree user-template

Description

Commands in this context configure templates for remote users.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[user-template-name] keyword
Synopsis Default user template applied to the remote user
Context configure system security aaa user-template keyword
Tree user-template
Options

ldap-default – Default LDAP user template

radius-default – Default RADIUS user template

tacplus-default – Default TACACS+ user template

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

access
Synopsis Enter the access context
Context configure system security aaa user-template keyword access
Tree access

Description

Commands in this context grant a user access to the router management access methods. If a user requires access to more than one method, multiple methods can be specified.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

console boolean
Synopsis Allow Bluetooth, console port CLI, SCP/SFTP, SSH CLI, and Telnet CLI access
Context configure system security aaa user-template keyword access console boolean
Tree console

Description

When configured to true, the system allows this access method to take precedence over other access methods in all cases.

Default true
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

home-directory cflash-without-slot-url
Synopsis User local home directory based on the template
Context configure system security aaa user-template keyword home-directory cflash-without-slot-url
Tree home-directory

Description

This command configures the home directory of the user for file access. Files can be accessed locally by CLI file commands and output modifiers such as > (file redirect), or remotely via FTP and SCP. If the home directory does not exist, a warning message is displayed when the user logs in.

When restricted-to-home is configured, file access is denied unless the home-directory is configured and the directory is created by an administrator.

String length 1 to 200
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

restricted-to-home boolean
Synopsis Restrict file access to the home directory of the user
Context configure system security aaa user-template keyword restricted-to-home boolean
Tree restricted-to-home

Description

When configured to true, the router denies the user from accessing files outside of their home directory. Files can be accessed locally by CLI file commands and output modifiers such as > (file redirect), or remotely via FTP and SCP. The system denies all configuration save operations (such as admin save) via any management interface (such as CLI and NETCONF) unless save-when-restricted is enabled.

File access is denied unless a home directory is configured and the directory is created by an administrator.

When configured to false, the router permits the user to access all files on the system.

Default true
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

save-when-restricted boolean
Synopsis Save configurations when the user is restricted to home
Context configure system security aaa user-template keyword save-when-restricted boolean
Tree save-when-restricted

Description

When configured to true, the system permits configuration save operations for all configuration regions (such as bof and configure) via any management interface (such as CLI and NETCONF) even if restricted-to-home is enabled.

The configuration for each region can be saved with admin save CLI commands or when committed over NETCONF and gRPC.

When configured to false, the system denies saving the configuration when restricted-to-home is enabled, unless the home directory of the user includes the location of the saved configuration file.

Default true
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

cli-script
Synopsis Enter the cli-script context
Context configure system security cli-script
Tree cli-script
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

authorization
Synopsis Enter the authorization context
Context configure system security cli-script authorization
Tree authorization
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

cron
Synopsis Enter the cron context
Context configure system security cli-script authorization cron
Tree cron

Description

Commands in this context configure authorization for the cron job scheduler.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

event-handler
Synopsis Enter the event-handler context
Context configure system security cli-script authorization event-handler
Tree event-handler

Description

Commands in this context configure authorization for the Event Handling System (EHS). EHS allows user-controlled programmatic exception handling by allowing a CLI script to be executed upon the detection of a log event.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

dist-cpu-protection
Synopsis Enter the dist-cpu-protection context
Context configure system security dist-cpu-protection
Tree dist-cpu-protection

Description

Commands in this context configure distributed CPU protection (DCP) attributes.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

policy [policy-name] named-item
Synopsis Enter the policy list instance
Context configure system security dist-cpu-protection policy named-item
Tree policy

Description

Commands in this context configure the attributes of DCP policies. These policies can be applied to objects such as SAPs, network interfaces, or ports.

Max. instances 130
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[policy-name] named-item
Synopsis Policy name
Context configure system security dist-cpu-protection policy named-item
Tree policy
String length 1 to 32

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

local-monitoring-policer [policer-name] named-item
Synopsis Enter the local-monitoring-policer list instance
Context configure system security dist-cpu-protection policy named-item local-monitoring-policer named-item
Tree local-monitoring-policer
Max. instances 1
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

log-events keyword
Synopsis Control of log events creation for status and activity
Context configure system security dist-cpu-protection policy named-item local-monitoring-policer named-item log-events keyword
Tree log-events

Description

This command controls the creation of log events related to the status and activity of the local monitoring policer.

Options false, true, verbose
Default true
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

rate
Synopsis Enter the rate context
Context configure system security dist-cpu-protection policy named-item local-monitoring-policer named-item rate
Tree rate

Description

Commands in this context specify the rate and burst tolerance for the policer.

The actual hardware may not be able to perfectly rate limit to the exact configured parameters. In this case, the configured parameters will be adapted to the closest supported rate.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

kbps
Synopsis Enter the kbps context
Context configure system security dist-cpu-protection policy named-item local-monitoring-policer named-item rate kbps
Tree kbps

Notes

The following elements are part of a choice: kbps or packets.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

packets
Synopsis Enter the packets context
Context configure system security dist-cpu-protection policy named-item local-monitoring-policer named-item rate packets
Tree packets

Notes

The following elements are part of a choice: kbps or packets.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

initial-delay number
Synopsis Additional packets allowed in an initial burst
Context configure system security dist-cpu-protection policy named-item local-monitoring-policer named-item rate packets initial-delay number
Tree initial-delay

Description

This command specifies the number of packets allowed in an initial burst (or a burst after the policer bucket has drained to zero) in addition to the packets per interval limit. The typical setting would be a value equal to the number of received packets in several full handshakes or negotiations of the protocol.

Range 0 to 255
Units packets
Default 0
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

protocol [protocol-name] keyword
Synopsis Enter the protocol list instance
Context configure system security dist-cpu-protection policy named-item protocol keyword
Tree protocol
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[protocol-name] keyword
Synopsis Protocol name
Context configure system security dist-cpu-protection policy named-item protocol keyword
Tree protocol
Options arp, dhcp, http-redirect, icmp, igmp, mld, ndis, pppoe-pppoa, all-unspecified, mpls-ttl, bfd-cpm, bgp, eth-cfm, isis, ldp, ospf, pim, rsvp, icmp-ping-check, lacp, vrrp, multi-chassis, multi-chassis-sync, bfd, ftp, icmp-v4, icmp-v6, l3-to-my-ipv4, l3-to-my-ipv6, lsp-ping, mc-lag, mcast-snooping, radius, rip, sbfd-reflector, snmp, ssh, stp, tacacs, telnet, tftp, twamp, needs-icmp

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

dynamic-parameters
Synopsis Enter the dynamic-parameters context
Context configure system security dist-cpu-protection policy named-item protocol keyword dynamic-parameters
Tree dynamic-parameters
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

exceed-action
Synopsis Enter the exceed-action context
Context configure system security dist-cpu-protection policy named-item protocol keyword dynamic-parameters exceed-action
Tree exceed-action

Description

Commands in this context specify the settings for the scenario when the configured policer rates are exceeded.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

hold-down (keyword | number)
Synopsis Hold down behavior
Context configure system security dist-cpu-protection policy named-item protocol keyword dynamic-parameters exceed-action hold-down (keyword | number)
Tree hold-down

Description

This command specifies the behavior when the system detects that an enforcement policer has marked or discarded one or more packets and there is no action specified for the scenario when the rates are exceeded.

The hold time condition is cleared after the specified time has expired. The detection time (the minimum time that the policer remains allocated) begins after the hold down is complete. The hold down behavior is not applicable to a local monitoring policer.

An indefinite hold down behavior must be cleared using the tools perform security dist-cpu-protection release-hold-down command.

Range 1 to 10080
Units seconds
Options indefinite, none
Default none
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

log-events keyword
Synopsis Control of log events creation for status and activity
Context configure system security dist-cpu-protection policy named-item protocol keyword dynamic-parameters log-events keyword
Tree log-events

Description

This command controls the creation of log events related to the status and activity of the local monitoring policer.

Options false, true, verbose
Default true
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

rate
Synopsis Enter the rate context
Context configure system security dist-cpu-protection policy named-item protocol keyword dynamic-parameters rate
Tree rate

Description

Commands in this context specify the rate and burst tolerance for the policer.

The actual hardware may not be able to perfectly rate limit to the exact configured parameters. In this case, the configured parameters will be adapted to the closest supported rate.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

kbps
Synopsis Enter the kbps context
Context configure system security dist-cpu-protection policy named-item protocol keyword dynamic-parameters rate kbps
Tree kbps

Notes

The following elements are part of a choice: kbps or packets.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

packets
Synopsis Enter the packets context
Context configure system security dist-cpu-protection policy named-item protocol keyword dynamic-parameters rate packets
Tree packets

Notes

The following elements are part of a choice: kbps or packets.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

initial-delay number
Synopsis Additional packets allowed in an initial burst
Context configure system security dist-cpu-protection policy named-item protocol keyword dynamic-parameters rate packets initial-delay number
Tree initial-delay

Description

This command specifies the number of packets allowed in an initial burst (or a burst after the policer bucket has drained to zero) in addition to the packets per interval limit. The typical setting would be a value equal to the number of received packets in several full handshakes or negotiations of the protocol.

Range 0 to 255
Units packets
Default 0
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

enforcement
Synopsis Enter the enforcement context
Context configure system security dist-cpu-protection policy named-item protocol keyword enforcement
Tree enforcement
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

dynamic
Synopsis Enter the dynamic context
Context configure system security dist-cpu-protection policy named-item protocol keyword enforcement dynamic
Tree dynamic

Notes

The following elements are part of a choice: dynamic, dynamic-local-mon-bypass, shared, or static.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

mon-policer-name reference
Synopsis Dynamic enforcement policer for the protocol
Context configure system security dist-cpu-protection policy named-item protocol keyword enforcement dynamic mon-policer-name reference
Tree mon-policer-name

Description

This command specifies the dynamic enforcement policer that is instantiated when the associated local monitoring policer is determined to be in a nonconforming state (at the end of a minimum monitoring time of 60 seconds to reduce thrashing).

Reference

configure system security dist-cpu-protection policy named-item local-monitoring-policer named-item

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

dynamic-local-mon-bypass
Synopsis Do not include packets in the local monitoring function
Context configure system security dist-cpu-protection policy named-item protocol keyword enforcement dynamic-local-mon-bypass
Tree dynamic-local-mon-bypass

Description

When configured, packets from the protocol are not included in the local monitoring function and the dynamic enforcement policer is not instantiated for the protocol.

Notes

The following elements are part of a choice: dynamic, dynamic-local-mon-bypass, shared, or static.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

static
Synopsis Enter the static context
Context configure system security dist-cpu-protection policy named-item protocol keyword enforcement static
Tree static

Notes

The following elements are part of a choice: dynamic, dynamic-local-mon-bypass, shared, or static.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

static-policer [policer-name] named-item
Synopsis Enter the static-policer list instance
Context configure system security dist-cpu-protection policy named-item static-policer named-item
Tree static-policer

Description

Commands in this context configure a static enforcement policer that can be referenced by one or more protocols in the policy. When a policer is referenced by a protocol, the policer is instantiated for each object (for example, a SAP or network interface) that is created and references the policer.

If no policer resources are available on the associated card or FP, the object is not created.

Max. instances 26
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

exceed-action
Synopsis Enter the exceed-action context
Context configure system security dist-cpu-protection policy named-item static-policer named-item exceed-action
Tree exceed-action

Description

Commands in this context specify the settings for the scenario when the configured policer rates are exceeded.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

hold-down (keyword | number)
Synopsis Hold down behavior
Context configure system security dist-cpu-protection policy named-item static-policer named-item exceed-action hold-down (keyword | number)
Tree hold-down

Description

This command specifies the behavior when the system detects that an enforcement policer has marked or discarded one or more packets and there is no action specified for the scenario when the rates are exceeded.

The hold time condition is cleared after the specified time has expired. The detection time (the minimum time that the policer remains allocated) begins after the hold down is complete. The hold down behavior is not applicable to a local monitoring policer.

An indefinite hold down behavior must be cleared using the tools perform security dist-cpu-protection release-hold-down command.

Range 1 to 10080
Units seconds
Options indefinite, none
Default none
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

log-events keyword
Synopsis Control of log events creation for status and activity
Context configure system security dist-cpu-protection policy named-item static-policer named-item log-events keyword
Tree log-events

Description

This command controls the creation of log events related to the status and activity of the local monitoring policer.

Options false, true, verbose
Default true
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

rate
Synopsis Enter the rate context
Context configure system security dist-cpu-protection policy named-item static-policer named-item rate
Tree rate

Description

Commands in this context specify the rate and burst tolerance for the policer.

The actual hardware may not be able to perfectly rate limit to the exact configured parameters. In this case, the configured parameters will be adapted to the closest supported rate.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

kbps
Synopsis Enter the kbps context
Context configure system security dist-cpu-protection policy named-item static-policer named-item rate kbps
Tree kbps

Notes

The following elements are part of a choice: kbps or packets.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

packets
Synopsis Enter the packets context
Context configure system security dist-cpu-protection policy named-item static-policer named-item rate packets
Tree packets

Notes

The following elements are part of a choice: kbps or packets.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

initial-delay number
Synopsis Additional packets allowed in an initial burst
Context configure system security dist-cpu-protection policy named-item static-policer named-item rate packets initial-delay number
Tree initial-delay

Description

This command specifies the number of packets allowed in an initial burst (or a burst after the policer bucket has drained to zero) in addition to the packets per interval limit. The typical setting would be a value equal to the number of received packets in several full handshakes or negotiations of the protocol.

Range 0 to 255
Units packets
Default 0
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

type keyword
WARNING:

Modifying this element recreates the parent element automatically for the new value to take effect.

Synopsis Policy type
Context configure system security dist-cpu-protection policy named-item type keyword
Tree type
Options access-network, port
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

ftp-server boolean
Synopsis Enable FTP servers running on the system
Context configure system security ftp-server boolean
Tree ftp-server
Default false
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

hash-control
Synopsis Enter the hash-control context
Context configure system security hash-control
Tree hash-control
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

management-interface
Synopsis Enter the management-interface context
Context configure system security hash-control management-interface
Tree management-interface

Description

Commands in this context configure encryption parameters for different management interfaces.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

classic-cli
Synopsis Enter the classic-cli context
Context configure system security hash-control management-interface classic-cli
Tree classic-cli
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

read-algorithm keyword
Synopsis Input encryption algorithm for configuration secrets
Context configure system security hash-control management-interface classic-cli read-algorithm keyword
Tree read-algorithm

Description

This command specifies how encrypted configuration secrets are interpreted and which encryption types are accepted when secrets are input into the system or read from a configuration file (for example, at system bootup time).

Options all-hash, hash, hash2, custom
Default all-hash
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

write-algorithm keyword
Synopsis Output encryption algorithm for configuration secrets
Context configure system security hash-control management-interface classic-cli write-algorithm keyword
Tree write-algorithm

Description

This command specifies the format of the output for encrypted configuration secrets (for example, in the saved configuration file, or in the output of the info or show commands).

Options cleartext, hash, hash2, custom
Default hash2
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

grpc
Synopsis Enter the grpc context
Context configure system security hash-control management-interface grpc
Tree grpc
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

hash-algorithm keyword
Synopsis Encryption algorithm for configuration secrets
Context configure system security hash-control management-interface grpc hash-algorithm keyword
Tree hash-algorithm

Description

This command specifies the format of the input and output for encrypted configuration secrets.

Options cleartext, hash, hash2, custom
Default hash2
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

md-cli
Synopsis Enter the md-cli context
Context configure system security hash-control management-interface md-cli
Tree md-cli
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

netconf
Synopsis Enter the netconf context
Context configure system security hash-control management-interface netconf
Tree netconf
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

keychains
Synopsis Enter the keychains context
Context configure system security keychains
Tree keychains
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

keychain [keychain-name] named-item
Synopsis Enter the keychain list instance
Context configure system security keychains keychain named-item
Tree keychain
Max. instances 256
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[keychain-name] named-item
Synopsis Keychain name
Context configure system security keychains keychain named-item
Tree keychain
String length 1 to 32

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

bidirectional
Synopsis Enter the bidirectional context
Context configure system security keychains keychain named-item bidirectional
Tree bidirectional
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

entry [keychain-entry-index] number
Synopsis Enter the entry list instance
Context configure system security keychains keychain named-item bidirectional entry number
Tree entry
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

algorithm keyword
WARNING:

Modifying this element recreates the parent element automatically for the new value to take effect.

Synopsis Encryption algorithm used by the keychain key
Context configure system security keychains keychain named-item bidirectional entry number algorithm keyword
Tree algorithm
Options aes-128-cmac-96, hmac-sha-1-96, password, message-digest, hmac-md5, hmac-sha-1, hmac-sha-256, aes-128-gcm-16, aes-128-cmac-128
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

receive
Synopsis Enter the receive context
Context configure system security keychains keychain named-item receive
Tree receive
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

entry [keychain-entry-index] number
Synopsis Enter the entry list instance
Context configure system security keychains keychain named-item receive entry number
Tree entry
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[keychain-entry-index] number
Synopsis Keychain identifier
Context configure system security keychains keychain named-item receive entry number
Tree entry
Range 0 to 63 | 255

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

algorithm keyword
WARNING:

Modifying this element recreates the parent element automatically for the new value to take effect.

Synopsis Encryption algorithm used by the keychain key
Context configure system security keychains keychain named-item receive entry number algorithm keyword
Tree algorithm
Options aes-128-cmac-96, hmac-sha-1-96, password, message-digest, hmac-md5, hmac-sha-1, hmac-sha-256, aes-128-gcm-16, aes-128-cmac-128
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

authentication-key encrypted-leaf
WARNING:

Modifying this element recreates the parent element automatically for the new value to take effect.

Synopsis Authentication key used by the encryption algorithm
Context configure system security keychains keychain named-item receive entry number authentication-key encrypted-leaf
Tree authentication-key
String length 1 to 54
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

tolerance (number | keyword)
Synopsis Time eligible receive key overlaps with active send key
Context configure system security keychains keychain named-item receive entry number tolerance (number | keyword)
Tree tolerance
Range 0 to 4294967294
Units seconds
Options infinite
Default 300
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

send
Synopsis Enter the send context
Context configure system security keychains keychain named-item send
Tree send
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

entry [keychain-entry-index] number
Synopsis Enter the entry list instance
Context configure system security keychains keychain named-item send entry number
Tree entry
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[keychain-entry-index] number
Synopsis Keychain identifier
Context configure system security keychains keychain named-item send entry number
Tree entry
Range 0 to 63 | 255

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

algorithm keyword
WARNING:

Modifying this element recreates the parent element automatically for the new value to take effect.

Synopsis Encryption algorithm used by the keychain key
Context configure system security keychains keychain named-item send entry number algorithm keyword
Tree algorithm
Options aes-128-cmac-96, hmac-sha-1-96, password, message-digest, hmac-md5, hmac-sha-1, hmac-sha-256, aes-128-gcm-16, aes-128-cmac-128
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

authentication-key encrypted-leaf
WARNING:

Modifying this element recreates the parent element automatically for the new value to take effect.

Synopsis Authentication key used by the encryption algorithm
Context configure system security keychains keychain named-item send entry number authentication-key encrypted-leaf
Tree authentication-key
String length 1 to 54
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

tcp-option-number
Synopsis Enter the tcp-option-number context
Context configure system security keychains keychain named-item tcp-option-number
Tree tcp-option-number
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

management
Synopsis Enter the management context
Context configure system security management
Tree management

Description

Commands in this context control which management protocols can be used to access the SR OS router via the 'Base' and 'management' router instances.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

allow-ftp boolean
Synopsis Allow access to the FTP server
Context configure system security management allow-ftp boolean
Tree allow-ftp

Description

When configured to true, this command allows FTP access to the SR OS router via the 'Base' and 'management' router instances.

When configured to false, this command disallows access to the SR OS FTP server.

Default true
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

allow-grpc boolean
Synopsis Allow access to the gRPC server
Context configure system security management allow-grpc boolean
Tree allow-grpc

Description

When configured to true, the system allows access to the gRPC server via the 'Base' and 'management' router instances.

Default true
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

allow-netconf boolean
Synopsis Allow access to the NETCONF server
Context configure system security management allow-netconf boolean
Tree allow-netconf

Description

When configured to true, the system allows NETCONF server access to the SR OS router via the 'Base' and 'management' router instances.

Default true
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

allow-ssh boolean
Synopsis Allow access to the SSH server
Context configure system security management allow-ssh boolean
Tree allow-ssh

Description

When configured to true, this command allows SSH server access to the SR OS router via the 'Base' and 'management' router instances.

When configured to false, this command disallows SSH server access.

Default true
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

allow-telnet boolean
Synopsis Allow access to the IPv4 Telnet server
Context configure system security management allow-telnet boolean
Tree allow-telnet

Description

When configured to true, the system allows IPv4 Telnet server access to the SR OS router via the 'Base' and 'management' router instances.

When configured to false, access to the IPv4 Telnet server is not allowed.

Default true
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

allow-telnet6 boolean
Synopsis Allow access to the Telnet IPv6 server
Context configure system security management allow-telnet6 boolean
Tree allow-telnet6

Description

When configured to true, the system allows IPv6 Telnet server access to the SR OS router via the 'Base' and 'management' router instances.

When configured to false, the system prevents access to the IPv6 Telnet server.

Default true
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

management-access-filter
Synopsis Enter the management-access-filter context
Context configure system security management-access-filter
Tree management-access-filter

Description

Commands in this context configure the attributes for management access filters.

Management access filters control all traffic in and out of the CPM. The filters can be used to restrict management of the router by other nodes outside of specific networks (or sub-networks) or through designated ports.

Management filters are enforced by the system software.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

ip-filter
Synopsis Enter the ip-filter context
Context configure system security management-access-filter ip-filter
Tree ip-filter
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

default-action keyword
Synopsis Default action for the management access filter
Context configure system security management-access-filter ip-filter default-action keyword
Tree default-action

Description

This command specifies the default action for management access in the absence of a specific management access filter match.

Options ignore-match, accept, drop, reject
Default ignore-match
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

entry [entry-id] number
Synopsis Enter the entry list instance
Context configure system security management-access-filter ip-filter entry number
Tree entry
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[entry-id] number
Synopsis Entry ID to identify the match criteria and the action
Context configure system security management-access-filter ip-filter entry number
Tree entry

Description

This command specifies the entry ID to identify the match criteria and the corresponding action. It is recommended that entries are numbered in staggered increments. This allows users to insert a new entry in an existing policy without having to renumber the existing entries.

Range 1 to 9999

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

action keyword
Synopsis Action associated with the management access filter
Context configure system security management-access-filter ip-filter entry number action keyword
Tree action

Description

This command specifies the action associated with the management access filter match criteria entry.

If the packet does not meet any of the match criteria, the configured default action is applied.

Options ignore-match, accept, drop, reject
Default ignore-match
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

log-events boolean
Synopsis Enable match logging
Context configure system security management-access-filter ip-filter entry number log-events boolean
Tree log-events

Description

When configured to true, this command enables match logging. When enabled, matches on the entry cause the Security event mafEntryMatch to be raised.

When configured to false, match logging is disabled.

Default false
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

match
Synopsis Enter the match context
Context configure system security management-access-filter ip-filter entry number match
Tree match

Description

Commands in this context specify match criteria for the entry.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

dst-port
Synopsis Enable the dst-port context
Context configure system security management-access-filter ip-filter entry number match dst-port
Tree dst-port
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

mgmt-port
Synopsis Enter the mgmt-port context
Context configure system security management-access-filter ip-filter entry number match mgmt-port
Tree mgmt-port

Description

Commands in this context specify match criteria based on the Ethernet port.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

protocol (number | keyword)
Synopsis IP protocol as the match criterion
Context configure system security management-access-filter ip-filter entry number match protocol (number | keyword)
Tree protocol
Range 0 to 255
Options tcp-udp, icmp, igmp, ip, tcp, egp, igp, udp, rdp, ipv6, ipv6-route, ipv6-frag, idrp, rsvp, gre, ipv6-icmp, ipv6-no-nxt, ipv6-opts, iso-ip, eigrp, ospf-igp, ether-ip, encap, pnni, pim, vrrp, l2tp, stp, ptp, isis, crtp, crudp, sctp
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

src-ip
Synopsis Enter the src-ip context
Context configure system security management-access-filter ip-filter entry number match src-ip
Tree src-ip

Description

Commands in this context specify match criteria based on the source IP address.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

src-port
Synopsis Enable the src-port context
Context configure system security management-access-filter ip-filter entry number match src-port
Tree src-port
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

ipv6-filter
Synopsis Enter the ipv6-filter context
Context configure system security management-access-filter ipv6-filter
Tree ipv6-filter
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

default-action keyword
Synopsis Default action for the management access filter
Context configure system security management-access-filter ipv6-filter default-action keyword
Tree default-action

Description

This command specifies the default action for management access in the absence of a specific management access filter match.

Options ignore-match, accept, drop, reject
Default ignore-match
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

entry [entry-id] number
Synopsis Enter the entry list instance
Context configure system security management-access-filter ipv6-filter entry number
Tree entry
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[entry-id] number
Synopsis Entry ID to identify the match criteria and the action
Context configure system security management-access-filter ipv6-filter entry number
Tree entry

Description

This command specifies the entry ID to identify the match criteria and the corresponding action. It is recommended that entries are numbered in staggered increments. This allows users to insert a new entry in an existing policy without having to renumber the existing entries.

Range 1 to 9999

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

action keyword
Synopsis Action associated with the management access filter
Context configure system security management-access-filter ipv6-filter entry number action keyword
Tree action

Description

This command specifies the action associated with the management access filter match criteria entry.

If the packet does not meet any of the match criteria, the configured default action is applied.

Options ignore-match, accept, drop, reject
Default ignore-match
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

log-events boolean
Synopsis Enable match logging
Context configure system security management-access-filter ipv6-filter entry number log-events boolean
Tree log-events

Description

When configured to true, this command enables match logging. When enabled, matches on the entry cause the Security event mafEntryMatch to be raised.

When configured to false, match logging is disabled.

Default false
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

match
Synopsis Enter the match context
Context configure system security management-access-filter ipv6-filter entry number match
Tree match

Description

Commands in this context specify match criteria for the entry.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

dst-port
Synopsis Enable the dst-port context
Context configure system security management-access-filter ipv6-filter entry number match dst-port
Tree dst-port

Description

Commands in this context specify match criteria based on the destination port.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

mgmt-port
Synopsis Enter the mgmt-port context
Context configure system security management-access-filter ipv6-filter entry number match mgmt-port
Tree mgmt-port

Description

Commands in this context specify match criteria based on the Ethernet port.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

next-header (number | keyword)
Synopsis IP protocol to match
Context configure system security management-access-filter ipv6-filter entry number match next-header (number | keyword)
Tree next-header
Range 0 to 255
Options tcp-udp, icmp, igmp, ip, tcp, egp, igp, udp, rdp, ipv6, ipv6-route, ipv6-frag, idrp, rsvp, gre, ipv6-icmp, ipv6-no-nxt, ipv6-opts, iso-ip, eigrp, ospf-igp, ether-ip, encap, pnni, pim, vrrp, l2tp, stp, ptp, isis, crtp, crudp, sctp
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

src-ip
Synopsis Enter the src-ip context
Context configure system security management-access-filter ipv6-filter entry number match src-ip
Tree src-ip

Description

Commands in this context specify match criteria based on the source IP address.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

src-port
Synopsis Enable the src-port context
Context configure system security management-access-filter ipv6-filter entry number match src-port
Tree src-port

Description

Commands in this context specify match criteria based on the source port.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

mac-filter
Synopsis Enter the mac-filter context
Context configure system security management-access-filter mac-filter
Tree mac-filter
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

default-action keyword
Synopsis Default action for the management access filter
Context configure system security management-access-filter mac-filter default-action keyword
Tree default-action

Description

This command specifies the default action for management access in the absence of a specific management access filter match.

Options ignore-match, accept, drop
Default ignore-match
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

entry [entry-id] number
Synopsis Enter the entry list instance
Context configure system security management-access-filter mac-filter entry number
Tree entry
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[entry-id] number
Synopsis Entry ID to identify the match criteria and the action
Context configure system security management-access-filter mac-filter entry number
Tree entry

Description

This command specifies the entry ID to identify the match criteria and the corresponding action. It is recommended that entries are numbered in staggered increments. This allows users to insert a new entry in an existing policy without having to renumber the existing entries.

Range 1 to 9999

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

action keyword
Synopsis Action associated with the management access filter
Context configure system security management-access-filter mac-filter entry number action keyword
Tree action

Description

This command specifies the action associated with the management access filter match criteria entry.

If the packet does not meet any of the match criteria, the configured default action is applied.

Options ignore-match, accept, drop
Default ignore-match
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

log-events boolean
Synopsis Enable match logging
Context configure system security management-access-filter mac-filter entry number log-events boolean
Tree log-events

Description

When configured to true, this command enables match logging. When enabled, matches on the entry cause the Security event mafEntryMatch to be raised.

When configured to false, match logging is disabled.

Default false
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

match
Synopsis Enter the match context
Context configure system security management-access-filter mac-filter entry number match
Tree match

Description

Commands in this context specify match criteria for the entry.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

dot1p
Synopsis Enable the dot1p context
Context configure system security management-access-filter mac-filter entry number match dot1p
Tree dot1p

Description

Commands in this context specify match criteria based on the IEEE 802.1p value.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

dst-mac
Synopsis Enable the dst-mac context
Context configure system security management-access-filter mac-filter entry number match dst-mac
Tree dst-mac

Description

Commands in this context specify match criteria based on the destination MAC.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

etype etype-value
Synopsis Ethernet type II Ethertype value as the match criterion
Context configure system security management-access-filter mac-filter entry number match etype etype-value
Tree etype

Description

This command specifies an Ethernet type II Ethertype value to be used as a MAC filter match criterion.

The Ethernet type field is used by the Ethernet version-II frames and does not apply to IEEE 802.3 Ethernet frames.

String length 5 to 6
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

llc-dsap
Synopsis Enable the llc-dsap context
Context configure system security management-access-filter mac-filter entry number match llc-dsap
Tree llc-dsap

Description

Commands in this context specify match criteria based on the Destination Service Access Point (DSAP).

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

llc-ssap
Synopsis Enable the llc-ssap context
Context configure system security management-access-filter mac-filter entry number match llc-ssap
Tree llc-ssap

Description

Commands in this context specify match criteria based on the Source Service Access Point (SSAP).

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

snap-oui keyword
Synopsis IEEE 802.3 LLC SNAP Ethernet Frame OUI value for match
Context configure system security management-access-filter mac-filter entry number match snap-oui keyword
Tree snap-oui

Description

This command specifies the IEEE 802.3 LLC SNAP Ethernet Frame OUI value as the MAC filter match criterion.

Options zero, non-zero
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

snap-pid number
Synopsis IEEE 802.3 LLC SNAP Ethernet Frame PID as the match
Context configure system security management-access-filter mac-filter entry number match snap-pid number
Tree snap-pid

Description

This command specifies an IEEE 802.3 LLC SNAP Ethernet Frame PID value used as the MAC filter match criterion.

The SNAP PID match criterion is independent of the OUI field within the SNAP header. Two packets with different 3-byte OUI fields but the same PID field match the same filter entry based on a SNAP PID match criterion.

Range 0 to 65535
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

src-mac
Synopsis Enable the src-mac context
Context configure system security management-access-filter mac-filter entry number match src-mac
Tree src-mac

Description

Commands in this context specify match criteria based on the source MAC.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

pki
Synopsis Enter the pki context
Context configure system security pki
Tree pki
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

ca-profile [ca-profile-name] named-item
Synopsis Enter the ca-profile list instance
Context configure system security pki ca-profile named-item
Tree ca-profile
Max. instances 128
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[ca-profile-name] named-item
Synopsis CA profile name
Context configure system security pki ca-profile named-item
Tree ca-profile
String length 1 to 32

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

auto-crl-update
Synopsis Enable the auto-crl-update context
Context configure system security pki ca-profile named-item auto-crl-update
Tree auto-crl-update
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

crl-urls
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Enter the crl-urls context
Context configure system security pki ca-profile named-item auto-crl-update crl-urls
Tree crl-urls
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

url-entry [entry-id] number
Synopsis Enter the url-entry list instance
Context configure system security pki ca-profile named-item auto-crl-update crl-urls url-entry number
Tree url-entry
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

pre-update-time number
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Time prior to the next update time of the current CRL
Context configure system security pki ca-profile named-item auto-crl-update pre-update-time number
Tree pre-update-time
Range 0 to 31622400
Units seconds
Default 3600
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

retry-interval number
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Interval before retrying to update CRL
Context configure system security pki ca-profile named-item auto-crl-update retry-interval number
Tree retry-interval
Range 0 to 31622400
Units seconds
Default 3600
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

schedule-type keyword
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Time scheduler type for an automated CRL update
Context configure system security pki ca-profile named-item auto-crl-update schedule-type keyword
Tree schedule-type
Options next-update-based, periodic
Default next-update-based
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

cert-file pki-file-name
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Certificate file name
Context configure system security pki ca-profile named-item cert-file pki-file-name
Tree cert-file
String length 1 to 95
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

cmpv2
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Enter the cmpv2 context
Context configure system security pki ca-profile named-item cmpv2
Tree cmpv2

Description

Commands in this context configure CMPv2 options.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

accept-unprotected-message
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Enter the accept-unprotected-message context
Context configure system security pki ca-profile named-item cmpv2 accept-unprotected-message
Tree accept-unprotected-message
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

always-set-sender-for-ir boolean
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Set subject name in CMPv2 header for all IR messages
Context configure system security pki ca-profile named-item cmpv2 always-set-sender-for-ir boolean
Tree always-set-sender-for-ir
Default false
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

http
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Enter the http context
Context configure system security pki ca-profile named-item cmpv2 http
Tree http
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

response-timeout number
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis HTTP response timeout
Context configure system security pki ca-profile named-item cmpv2 http response-timeout number
Tree response-timeout
Range 1 to 3600
Units seconds
Default 30
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

version keyword
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis HTTP version for CMPv2 messages
Context configure system security pki ca-profile named-item cmpv2 http version keyword
Tree version
Options 1.0, 1.1
Default 1.1
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

key-list
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Enter the key-list context
Context configure system security pki ca-profile named-item cmpv2 key-list
Tree key-list
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

key [reference-number] display-string
Synopsis Enter the key list instance
Context configure system security pki ca-profile named-item cmpv2 key-list key display-string
Tree key
Max. instances 128
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[reference-number] display-string
Synopsis Unique identifier for the CA initial authentication key
Context configure system security pki ca-profile named-item cmpv2 key-list key display-string
Tree key
String length 1 to 64

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

recipient-subject string
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis DN attributes for recipient subject of CMPv2 requests
Context configure system security pki ca-profile named-item cmpv2 recipient-subject string
Tree recipient-subject
String length 1 to 256

Notes

The following elements are part of a choice: recipient-subject or use-ca-subject.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

response-signing-cert pki-file-name
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis File name of the certificate to verify CMPv2 responses
Context configure system security pki ca-profile named-item cmpv2 response-signing-cert pki-file-name
Tree response-signing-cert

Description

This command specifies an imported certificate used to verify CMP response messages that are protected by signature.

When unconfigured, the CA's certificate is used.

String length 1 to 95

Notes

The following elements are part of a choice: response-signing-cert or response-signing-use-extracert.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

response-signing-use-extracert
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Use extraCerts certificate to verify response signature
Context configure system security pki ca-profile named-item cmpv2 response-signing-use-extracert
Tree response-signing-use-extracert

Notes

The following elements are part of a choice: response-signing-cert or response-signing-use-extracert.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

signing-cert-subject string
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Subject DN attributes to identify signing certificate
Context configure system security pki ca-profile named-item cmpv2 signing-cert-subject string
Tree signing-cert-subject
String length 1 to 256
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

url
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Enter the url context
Context configure system security pki ca-profile named-item cmpv2 url
Tree url
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

service-name service-name
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Administrative service name
Context configure system security pki ca-profile named-item cmpv2 url service-name service-name
Tree service-name
String length 1 to 64

Notes

The following elements are part of a choice: service-name or transmission-profile.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

transmission-profile reference
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Transmission profile for CMPv2
Context configure system security pki ca-profile named-item cmpv2 url transmission-profile reference
Tree transmission-profile

Reference

configure system transmission-profile named-item

Notes

The following elements are part of a choice: service-name or transmission-profile.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

url-string http-optional-url-loose
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis URL for CMPv2
Context configure system security pki ca-profile named-item cmpv2 url url-string http-optional-url-loose
Tree url-string
String length 1 to 180
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

use-ca-subject
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Use subject DN in CA certificate as CMPv2 request recipient
Context configure system security pki ca-profile named-item cmpv2 use-ca-subject
Tree use-ca-subject

Notes

The following elements are part of a choice: recipient-subject or use-ca-subject.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

crl-file pki-file-name
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Certificate Revocation List (CRL) file name
Context configure system security pki ca-profile named-item crl-file pki-file-name
Tree crl-file
String length 1 to 95
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

ocsp
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Enter the ocsp context
Context configure system security pki ca-profile named-item ocsp
Tree ocsp
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

responder-url http-optional-url-loose
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis HTTP URL of the OCSP responder for the CA
Context configure system security pki ca-profile named-item ocsp responder-url http-optional-url-loose
Tree responder-url
String length 1 to 180
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

service-name service-name
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Administrative service name
Context configure system security pki ca-profile named-item ocsp service-name service-name
Tree service-name
String length 1 to 64
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

revocation-check keyword
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Revocation method to check status of CA certificates
Context configure system security pki ca-profile named-item revocation-check keyword
Tree revocation-check

Description

This command specifies the revocation method the system uses to check the revocation status of certificates issued by the CA.

Note: The crl-optional command option makes configuration of a valid CRL in a ca-profile optional. However, from a security point of view, it is important to always verify the revocation status of a certificate.

Options crl, crl-optional
Default crl
Introduced 25.3.R2

Platforms

7705 SAR Gen 2
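
A configuration audit built on the defaults and options documented above, as an added example (not Nokia's code). It assumes the configuration is supplied one leaf per line in the same path form the Context fields use, optionally prefixed with "/"; the audit policy, the sample configuration and the CA profile name are constructed for illustration.

```python
import re

PREFIX = "configure system security "

# Defaults as documented on this page (7705 SAR Gen 2, 25.3.R2).
DOC_DEFAULTS = {
    "management allow-ftp": "true",
    "management allow-telnet": "true",
    "management allow-telnet6": "true",
    "management-access-filter ip-filter default-action": "ignore-match",
    "management-access-filter ipv6-filter default-action": "ignore-match",
}

ENTRY_RE = re.compile(
    r"^management-access-filter (ip-filter|ipv6-filter) entry (\d+) (action|log-events)$"
)
CA_RE = re.compile(r"^pki ca-profile (\S+) revocation-check$")

# Constructed sample input, not taken from a real node.
SAMPLE = """\
# constructed sample
/configure system security management allow-telnet false
/configure system security management allow-telnet6 false
/configure system security management-access-filter ip-filter default-action drop
/configure system security management-access-filter ip-filter entry 10 action accept
/configure system security management-access-filter ip-filter entry 10 match protocol tcp
/configure system security management-access-filter ip-filter entry 900 action drop
/configure system security pki ca-profile "lab-ca" revocation-check crl-optional
"""


def parse(config_text):
    """Return {path: value} for leaves under 'configure system security'."""
    leaves = {}
    for raw in config_text.splitlines():
        line = raw.strip().lstrip("/").strip()
        if not line.startswith(PREFIX):
            continue  # comments, blank lines, other subtrees
        path, _, value = line[len(PREFIX):].rpartition(" ")
        if path:
            leaves[path] = value.strip('"')
    return leaves


def audit(config_text):
    """Return a list of (path, reason) findings; an unset leaf takes its documented default."""
    leaves = parse(config_text)

    def effective(path):
        return leaves.get(path, DOC_DEFAULTS.get(path))

    findings = []

    # Telnet and FTP carry credentials in cleartext; all three default to true.
    for proto in ("ftp", "telnet", "telnet6"):
        path = f"management allow-{proto}"
        if effective(path) == "true":
            origin = "configured" if path in leaves else "documented default"
            findings.append((path, f"cleartext protocol allowed ({origin})"))

    # Policy assumption of this example: IP filters should end in drop or reject.
    for family in ("ip-filter", "ipv6-filter"):
        path = f"management-access-filter {family} default-action"
        if effective(path) not in ("drop", "reject"):
            findings.append((path, f"default-action is {effective(path)}, not drop/reject"))

    # Deny entries without log-events raise no mafEntryMatch security event.
    entries = {}
    for path, value in leaves.items():
        m = ENTRY_RE.match(path)
        if m:
            entries.setdefault((m.group(1), int(m.group(2))), {})[m.group(3)] = value
    for (family, entry_id), leaf in sorted(entries.items()):
        denies = leaf.get("action") in ("drop", "reject")
        if denies and leaf.get("log-events", "false") != "true":
            findings.append((f"management-access-filter {family} entry {entry_id}",
                             "deny entry without log-events, no mafEntryMatch raised"))

    # crl-optional lets a ca-profile come up without a valid CRL.
    for path, value in sorted(leaves.items()):
        if CA_RE.match(path) and value == "crl-optional":
            findings.append((path, "revocation-check is crl-optional"))
    return findings


if __name__ == "__main__":
    for path, reason in audit(SAMPLE):
        print(f"{path}: {reason}")
```
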

certificate-auto-update [certificate-file-name] pki-file-name
Synopsis Enter the certificate-auto-update list instance
Context configure system security pki certificate-auto-update pki-file-name
Tree certificate-auto-update

Description

Commands in this context configure automatic certificate update associations.

Max. instances 256
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

certificate-expiration-warning
Synopsis Enter the certificate-expiration-warning context
Context configure system security pki certificate-expiration-warning
Tree certificate-expiration-warning
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

certificate-update-profile [name] named-item
Synopsis Enter the certificate-update-profile list instance
Context configure system security pki certificate-update-profile named-item
Tree certificate-update-profile

Description

Commands in this context configure a certificate update profile that specifies the behavior of the automatic certificate update.

Max. instances 256
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

after-issue number
Synopsis Time for scheduler updates after certificate issuance
Context configure system security pki certificate-update-profile named-item after-issue number
Tree after-issue

Description

This command configures the time for scheduler updates after the certificate issue time.

Range 864000 to 157680000
Units seconds

Notes

The following elements are part of a choice: after-issue or before-expiry.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

before-expiry number
Synopsis Time scheduler updates before certificate expiry
Context configure system security pki certificate-update-profile named-item before-expiry number
Tree before-expiry

Description

This command configures the time that the scheduler updates before the certificate expiration time.

Range 3600 to 157680000
Units seconds
Default 86400

Notes

The following elements are part of a choice: after-issue or before-expiry.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

cmpv2
Synopsis Enter the cmpv2 context
Context configure system security pki certificate-update-profile named-item cmpv2
Tree cmpv2

Notes

The following elements are part of a choice: cmpv2 or est.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

dsa
Synopsis Enter the dsa context
Context configure system security pki certificate-update-profile named-item dsa
Tree dsa

Notes

The following elements are part of a choice: dsa, ecdsa, rsa, or same-as-existing-key.

Introduced25.3.R2

Platforms

7705 SAR Gen 2

key-size number
Synopsis Length of the generated DSA key
Context configure system security pki certificate-update-profile named-item dsa key-size number
Tree key-size

Description

This command specifies that the newly generated key is a DSA key with the specified key length in bits.

Range 512 to 8192
Default 2048
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

ecdsa
Synopsis Enter the ecdsa context
Context configure system security pki certificate-update-profile named-item ecdsa
Tree ecdsa

Notes

The following elements are part of a choice: dsa, ecdsa, rsa, or same-as-existing-key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

curve keyword
Synopsis Elliptic curve to be used in ECDSA key generation
Context configure system security pki certificate-update-profile named-item ecdsa curve keyword
Tree curve

Description

This command specifies that the newly generated key is an ECDSA key with the specified curve.

Options secp256r1, secp384r1, secp521r1
Default secp256r1
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

est
Synopsis Enter the est context
Context configure system security pki certificate-update-profile named-item est
Tree est

Notes

The following elements are part of a choice: cmpv2 or est.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

hash-algorithm keyword
Synopsis Hash algorithm for a certificate request
Context configure system security pki certificate-update-profile named-item hash-algorithm keyword
Tree hash-algorithm

Description

This command specifies the hash algorithm used to generate a certificate request.

Options md5, sha1, sha224, sha256, sha384, sha512
Default sha256
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

rsa
Synopsis Enter the rsa context
Context configure system security pki certificate-update-profile named-item rsa
Tree rsa

Notes

The following elements are part of a choice: dsa, ecdsa, rsa, or same-as-existing-key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

key-size number
Synopsis Length of the generated RSA key
Context configure system security pki certificate-update-profile named-item rsa key-size number
Tree key-size

Description

This command specifies that the newly generated key is an RSA key with the specified key length in bits.

Range 512 to 8192
Default 2048
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

same-as-existing-key
Synopsis Generate the new key with the same type and key length
Context configure system security pki certificate-update-profile named-item same-as-existing-key
Tree same-as-existing-key

Description

When configured, this command specifies that the newly generated key is the same type and key length as the existing key.

Notes

The following elements are part of a choice: dsa, ecdsa, rsa, or same-as-existing-key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2
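
The certificate-update-profile leaves above accept values that are valid but weak (md5 or sha1 request hashes, 512-bit keys), and the after-issue minimum of 864000 seconds is longer than some short-lived certificates. The following linter is an added example, not Nokia code: the dictionary layout, the function names, the weak-value policy, and the reading that after-issue counts from notBefore and before-expiry counts back from notAfter are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Ranges, options and defaults copied from the command reference above.
AFTER_ISSUE_RANGE = (864000, 157680000)    # seconds
BEFORE_EXPIRY_RANGE = (3600, 157680000)    # seconds
BEFORE_EXPIRY_DEFAULT = 86400
KEY_SIZE_RANGE = (512, 8192)
KEY_SIZE_DEFAULT = 2048
CURVES = {"secp256r1", "secp384r1", "secp521r1"}
CURVE_DEFAULT = "secp256r1"
HASHES = {"md5", "sha1", "sha224", "sha256", "sha384", "sha512"}
HASH_DEFAULT = "sha256"
CHOICES = [("after-issue", "before-expiry"), ("cmpv2", "est"),
           ("dsa", "ecdsa", "rsa", "same-as-existing-key")]

# Editor's policy (assumption, not part of the reference): values the CLI
# accepts but that are too weak for new certificate requests.
WEAK_HASHES = {"md5", "sha1"}
MIN_KEY_BITS = 2048


def lint_profile(profile):
    """Return (errors, warnings) for one certificate-update-profile dict."""
    errors, warnings = [], []
    # Each choice allows at most one of its members.
    for choice in CHOICES:
        present = [leaf for leaf in choice if leaf in profile]
        if len(present) > 1:
            errors.append("choice conflict: " + " and ".join(present))
    for leaf, (low, high) in (("after-issue", AFTER_ISSUE_RANGE),
                              ("before-expiry", BEFORE_EXPIRY_RANGE)):
        if leaf in profile and not low <= profile[leaf] <= high:
            errors.append(f"{leaf} {profile[leaf]} outside {low}..{high}")
    for algo in ("dsa", "rsa"):
        if algo in profile:
            bits = profile[algo].get("key-size", KEY_SIZE_DEFAULT)
            if not KEY_SIZE_RANGE[0] <= bits <= KEY_SIZE_RANGE[1]:
                errors.append(f"{algo} key-size {bits} outside range")
            elif bits < MIN_KEY_BITS:
                warnings.append(
                    f"{algo} key-size {bits} is below {MIN_KEY_BITS} bits")
    if "ecdsa" in profile:
        curve = profile["ecdsa"].get("curve", CURVE_DEFAULT)
        if curve not in CURVES:
            errors.append(f"unknown curve {curve}")
    digest = profile.get("hash-algorithm", HASH_DEFAULT)
    if digest not in HASHES:
        errors.append(f"unknown hash-algorithm {digest}")
    elif digest in WEAK_HASHES:
        warnings.append(f"hash-algorithm {digest} is collision-broken")
    return errors, warnings


def scheduled_update(profile, not_before, not_after):
    """Return (update_time, inside_validity_window) for one certificate.

    Assumption: after-issue counts from notBefore and before-expiry counts
    back from notAfter; with neither set, the before-expiry default applies.
    """
    if "after-issue" in profile:
        when = not_before + timedelta(seconds=profile["after-issue"])
    else:
        lead = profile.get("before-expiry", BEFORE_EXPIRY_DEFAULT)
        when = not_after - timedelta(seconds=lead)
    return when, not_before <= when < not_after


# Constructed sample profiles (not taken from any real device).
WEAK = {"after-issue": 864000, "est": {},
        "rsa": {"key-size": 1024}, "hash-algorithm": "sha1"}
GOOD = {"before-expiry": 604800, "est": {}, "ecdsa": {"curve": "secp384r1"}}
ISSUED = datetime(2025, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, prof, days in (("weak", WEAK, 7), ("good", GOOD, 365)):
        errs, warns = lint_profile(prof)
        when, ok = scheduled_update(prof, ISSUED, ISSUED + timedelta(days=days))
        print(label, errs, warns, when.isoformat(),
              "ok" if ok else "update falls outside the validity window")
```

With the constructed 7-day certificate, the minimum after-issue value schedules the update three days after expiry, which is the case to catch before such a profile is applied to short-lived certificates.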

common-name-list [cn-list-name] named-item
Synopsis Enter the common-name-list list instance
Context configure system security pki common-name-list named-item
Tree common-name-list
Max. instances 64
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

common-name [cn-index] number
Synopsis Enter the common-name list instance
Context configure system security pki common-name-list named-item common-name number
Tree common-name
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

cn-value regular-expression-not-all-spaces
Synopsis Common name value
Context configure system security pki common-name-list named-item common-name number cn-value regular-expression-not-all-spaces
Tree cn-value
String length 1 to 255

Notes

This element is mandatory.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

crl-expiration-warning
Synopsis Enter the crl-expiration-warning context
Context configure system security pki crl-expiration-warning
Tree crl-expiration-warning
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

dynamic-ca boolean
Synopsis Enable the dynamic sub-CA support for IPsec
Context configure system security pki dynamic-ca boolean
Tree dynamic-ca

Description

When configured to true, the system may authenticate the IPsec peer using a certificate without provisioning the peer's sub-CAs locally, if the peer sends sub-CA certificates during IKEv2 exchanges.

Default false
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

est-profile [name] named-item
Synopsis Enter the est-profile list instance
Context configure system security pki est-profile named-item
Tree est-profile

Description

Commands in this context configure an Enrollment over Secure Transport (EST) profile.

Max. instances 128
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[name] named-item
Synopsis Enrollment over Secure Transport profile name
Context configure system security pki est-profile named-item
Tree est-profile

Description

This command configures the EST profile name.

String length 1 to 32

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

client-tls-profile named-item
Synopsis TLS client profile assigned to applications
Context configure system security pki est-profile named-item client-tls-profile named-item
Tree client-tls-profile

Description

This command specifies the TLS client profile to be assigned to applications for encryption. The profile creates the TLS connection to the EST server.

String length 1 to 32
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

http-authentication
Synopsis Enter the http-authentication context
Context configure system security pki est-profile named-item http-authentication
Tree http-authentication
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

server
Synopsis Enter the server context
Context configure system security pki est-profile named-item server
Tree server

Description

Commands in this context configure EST server parameters.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

fqdn fully-qualified-domain-name
Synopsis Fully Qualified Domain Name (FQDN) of the EST server
Context configure system security pki est-profile named-item server fqdn fully-qualified-domain-name
Tree fqdn

Description

This command specifies the FQDN of the EST server.

String length 1 to 255

Notes

The following elements are part of a choice: fqdn, ipv4, or ipv6.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

ipv4 ipv4-unicast-address
Synopsis IPv4 address of the EST server
Context configure system security pki est-profile named-item server ipv4 ipv4-unicast-address
Tree ipv4

Notes

The following elements are part of a choice: fqdn, ipv4, or ipv6.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

ipv6 (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis IPv6 address of the EST server
Context configure system security pki est-profile named-item server ipv6 (ipv4-address-no-zone | ipv6-address-no-zone)
Tree ipv6

Notes

The following elements are part of a choice: fqdn, ipv4, or ipv6.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

transmission-profile named-item
Synopsis Transmission profile name for EST
Context configure system security pki est-profile named-item transmission-profile named-item
Tree transmission-profile

Description

This command associates a file transmission profile to the EST profile.

The transmission profile defines transport parameters for protocols such as HTTP, including the routing instance, source address, timeout value, and so on.

String length 1 to 32
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

python-script
Synopsis Enter the python-script context
Context configure system security python-script
Tree python-script
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

authorization
Synopsis Enter the authorization context
Context configure system security python-script authorization
Tree authorization
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

subscriber-mgmt
Synopsis Enter the subscriber-mgmt context
Context configure system security python-script authorization subscriber-mgmt
Tree subscriber-mgmt
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

snmp
Synopsis Enter the snmp context
Context configure system security snmp
Tree snmp
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

access [group] named-item context named-item-or-empty security-model keyword security-level keyword
Synopsis Enter the access list instance
Context configure system security snmp access named-item context named-item-or-empty security-model keyword security-level keyword
Tree access
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

context named-item-or-empty
Synopsis String to match context name for access rights
Context configure system security snmp access named-item context named-item-or-empty security-model keyword security-level keyword
Tree access
String length 0 to 32

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

security-level keyword
Synopsis Minimum security level required to gain access rights
Context configure system security snmp access named-item context named-item-or-empty security-model keyword security-level keyword
Tree access
Options no-auth-no-privacy, auth-no-privacy, privacy

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

notify named-item
Synopsis SNMP view for notification access
Context configure system security snmp access named-item context named-item-or-empty security-model keyword security-level keyword notify named-item
Tree notify

Description

This command specifies the SNMP view used to control which MIB objects can be accessed for notifications.

String length 1 to 32
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

read named-item
Synopsis SNMP view for read access
Context configure system security snmp access named-item context named-item-or-empty security-model keyword security-level keyword read named-item
Tree read

Description

This command specifies the SNMP view used to control which MIB objects can be accessed using a read (get) operation.

String length 1 to 32
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

write named-item
Synopsis SNMP view for write access
Context configure system security snmp access named-item context named-item-or-empty security-model keyword security-level keyword write named-item
Tree write

Description

This command specifies the SNMP view used to control which MIB objects can be accessed using a write (set) operation.

String length 1 to 32
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

attempts
Synopsis Enter the attempts context
Context configure system security snmp attempts
Tree attempts

Description

Commands in this context configure settings for SNMPv2 or SNMPv3 connection attempts. The command settings are used to counter Denial of Service (DoS) attacks through SNMP.

If the threshold is exceeded, the host is locked out for the lockout time period.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

count number
Synopsis Unsuccessful attempts allowed within time period
Context configure system security snmp attempts count number
Tree count
Range 1 to 64
Default 20
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

lockout number
Synopsis Lockout period during which the host cannot log in
Context configure system security snmp attempts lockout number
Tree lockout

Description

This command configures the time period during which the host cannot log in. When the host exceeds the attempted counts setting, the host is locked out from further login attempts for the configured time period.

Range 0 to 1440
Units minutes
Default 10
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

time number
Synopsis Time before host lockout after unsuccessful attempts
Context configure system security snmp attempts time number
Tree time
Range 0 to 60
Units minutes
Default 5
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

community [community-string] encrypted-leaf
Synopsis Enter the community list instance
Context configure system security snmp community encrypted-leaf
Tree community
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[community-string] encrypted-leaf
Synopsis SNMPv1 or SNMPv2c community string
Context configure system security snmp community encrypted-leaf
Tree community
String length 1 to 114

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

source-access-list [list-name] string-not-all-spaces
Synopsis Enter the source-access-list list instance
Context configure system security snmp source-access-list string-not-all-spaces
Tree source-access-list

Description

Commands in this context configure SNMP source access lists.

SNMP source access lists are used to validate the source IP address of received SNMP requests. Multiple community (VPRN or Base router) and USM community instances can reference the same SNMP source access list.

Max. instances 16
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[list-name] string-not-all-spaces
Synopsis Source access list name
Context configure system security snmp source-access-list string-not-all-spaces
Tree source-access-list
String length 1 to 32

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

source-host [host-name] named-item
Synopsis Enter the source-host list instance
Context configure system security snmp source-access-list string-not-all-spaces source-host named-item
Tree source-host
Max. instances 16
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

address (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis Source IP address entry used to validate SNMP requests
Context configure system security snmp source-access-list string-not-all-spaces source-host named-item address (ipv4-address-no-zone | ipv6-address-no-zone)
Tree address

Notes

This element is mandatory.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

usm-community [community-string] encrypted-leaf
Synopsis Enter the usm-community list instance
Context configure system security snmp usm-community encrypted-leaf
Tree usm-community
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[community-string] encrypted-leaf
Synopsis Community string associated with SNMPv3 access group
Context configure system security snmp usm-community encrypted-leaf
Tree usm-community
String length 1 to 114

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

group named-item
Synopsis Group to manage access rights of the community string
Context configure system security snmp usm-community encrypted-leaf group named-item
Tree group
String length 1 to 32
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

view [view-name] named-item subtree string
Synopsis Enter the view list instance
Context configure system security snmp view named-item subtree string
Tree view
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[view-name] named-item
Synopsis View name
Context configure system security snmp view named-item subtree string
Tree view
String length 1 to 32

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

subtree string
Synopsis Object Identifier (OID) value
Context configure system security snmp view named-item subtree string
Tree view
String length 1 to 256

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

mask string
Synopsis Mask value as binary value, or hex value
Context configure system security snmp view named-item subtree string mask string
Tree mask
String length 1 to 16
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

type keyword
Synopsis Type of SNMP security view mask
Context configure system security snmp view named-item subtree string type keyword
Tree type
Options included, excluded
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

source-address
Synopsis Enter the source-address context
Context configure system security source-address
Tree source-address

Description

Commands in this context configure the IP source address that is used in all unsolicited packets sent by the specified applications.

This configuration applies to packets transmitted in-band (for example, a network port on an IOM) and does not apply to packets transmitted out-of-band on the management interface on the CPM Ethernet port. Packets transmitted using the CPM Ethernet port use the address of the CPM Ethernet port as the IP source address in the packet.

When a source address is specified for the PTP application, the port-based 1588 hardware timestamping assist function is applied to PTP packets matching the IPv4 address of the router interface used to ingress the SR/ESS or IP address specified in this command. If the IP address is removed, the port-based 1588 hardware timestamping assist function is only applied to PTP packets matching the IPv4 address of the router interface.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

ipv4 [application] keyword
Synopsis Enter the ipv4 list instance
Context configure system security source-address ipv4 keyword
Tree ipv4
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[application] keyword
Synopsis Application that uses the source IP address
Context configure system security source-address ipv4 keyword
Tree ipv4
Options telnet, ftp, ssh, radius, tacplus, snmptrap, syslog, ping, traceroute, dns, sntp, ntp, cflowd, ptp, mcreporter, sflow, icmp-error, ldap

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

address ipv4-address
WARNING:

Modifying this element recreates the parent element automatically for the new value to take effect.

Synopsis Source IPv4 address
Context configure system security source-address ipv4 keyword address ipv4-address
Tree address

Notes

The following elements are part of a mandatory choice: address or interface-name.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

interface-name interface-name
WARNING:

Modifying this element recreates the parent element automatically for the new value to take effect.

Synopsis IP interface name
Context configure system security source-address ipv4 keyword interface-name interface-name
Tree interface-name
String length 1 to 32

Notes

The following elements are part of a mandatory choice: address or interface-name.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

ipv6 [application] keyword
Synopsis Enter the ipv6 list instance
Context configure system security source-address ipv6 keyword
Tree ipv6
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[application] keyword
Synopsis Application which uses the source IPv6 address
Context configure system security source-address ipv6 keyword
Tree ipv6
Options telnet, ftp, radius, tacplus, snmptrap, syslog, ping, traceroute, dns, cflowd, ntp, sflow, icmp6-error, ldap, ssh, ptp

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

address ipv6-address
WARNING:

Modifying this element recreates the parent element automatically for the new value to take effect.

Synopsis Source IPv6 address
Context configure system security source-address ipv6 keyword address ipv6-address
Tree address

Notes

This element is mandatory.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

ssh
Synopsis Enter the ssh context
Context configure system security ssh
Tree ssh
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

authentication-method
Synopsis Enter the authentication-method context
Context configure system security ssh authentication-method
Tree authentication-method
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

client
Synopsis Enter the client context
Context configure system security ssh authentication-method client
Tree client
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

public-key-only boolean
Synopsis Accept only public-key authentication for SSH session
Context configure system security ssh authentication-method client public-key-only boolean
Tree public-key-only

Description

When configured to true, the system accepts only public key client authentication for the SSH server.

This command defines the authentication method at the system level.

When configured to false, the system accepts public key or password client authentication. If interactive-authentication is configured to true in the configure system security aaa remote-servers radius or configure system security aaa remote-servers tacplus context, the system also accepts interactive keyboard authentication.

Default false
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

server
Synopsis Enter the server context
Context configure system security ssh authentication-method server
Tree server
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

public-key-only boolean
Synopsis Accept only public-key authentication for SSH session
Context configure system security ssh authentication-method server public-key-only boolean
Tree public-key-only

Description

When configured to true, the system accepts only public key client authentication for the SSH server.

This command defines the authentication method at the system level.

When configured to false, the system accepts public key or password client authentication. If interactive-authentication is configured to true in the configure system security aaa remote-servers radius or configure system security aaa remote-servers tacplus context, the system also accepts interactive keyboard authentication.

Default false
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

client-cipher-list-v2
Synopsis Enter the client-cipher-list-v2 context
Context configure system security ssh client-cipher-list-v2
Tree client-cipher-list-v2
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

cipher [index] number
Synopsis Enter the cipher list instance
Context configure system security ssh client-cipher-list-v2 cipher number
Tree cipher

Description

Commands in this context configure a client-cipher instance. Client-ciphers are used when the SR OS is acting as an SSH client.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

name keyword
Synopsis Algorithm for performing encryption or decryption
Context configure system security ssh client-cipher-list-v2 cipher number name keyword
Tree name
Options 3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, aes256-ctr

Notes

This element is mandatory.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

client-host-key-list-v2
Synopsis Enter the client-host-key-list-v2 context
Context configure system security ssh client-host-key-list-v2
Tree client-host-key-list-v2
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

host-key [index] number
Synopsis Enter the host-key list instance
Context configure system security ssh client-host-key-list-v2 host-key number
Tree host-key
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

name keyword
Synopsis Host key algorithm for computing a signature
Context configure system security ssh client-host-key-list-v2 host-key number name keyword
Tree name
Options ssh-rsa, rsa-sha2-256, rsa-sha2-512, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, ssh-ed25519

Notes

This element is mandatory.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

client-kex-list-v2
Synopsis Enter the client-kex-list-v2 context
Context configure system security ssh client-kex-list-v2
Tree client-kex-list-v2
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

kex [index] number
Synopsis Enter the kex list instance
Context configure system security ssh client-kex-list-v2 kex number
Tree kex

Description

Commands in this context configure SSH Key Exchange (KEX) algorithms for SR OS as a client.

If a list is configured, SSH uses the list with the first-listed algorithm having the highest priority.

By default, the configured client list is empty. The default list used in that case contains the following:

  • diffie-hellman-group16-sha512

  • diffie-hellman-group14-sha256

  • diffie-hellman-group14-sha1

  • diffie-hellman-group1-sha1

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[index] number
Synopsis SSHv2 KEX algorithm index
Context configure system security ssh client-kex-list-v2 kex number
Tree kex

Description

This command configures the index of the KEX algorithm in the list. The lowest index in the list is negotiated first on the SSH negotiation list, while the highest index is at the bottom of the SSH negotiation list.

Range 1 to 255

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

name keyword
Synopsis KEX algorithm for computing a shared secret key
Context configure system security ssh client-kex-list-v2 kex number name keyword
Tree name
Options diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha256, diffie-hellman-group16-sha512, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521

Notes

This element is mandatory.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

client-mac-list-v2
Synopsis Enter the client-mac-list-v2 context
Context configure system security ssh client-mac-list-v2
Tree client-mac-list-v2
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

mac [index] number
Synopsis Enter the mac list instance
Context configure system security ssh client-mac-list-v2 mac number
Tree mac

Description

Commands in this context configure SSH MAC algorithms for SR OS as a client.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[index] number
Synopsis MAC algorithm index
Context configure system security ssh client-mac-list-v2 mac number
Tree mac
Range 1 to 255

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

name keyword
Synopsis Algorithm for calculating message authentication code
Context configure system security ssh client-mac-list-v2 mac number name keyword
Tree name
Options hmac-sha2-512, hmac-sha2-256, hmac-sha1, hmac-sha1-96, hmac-md5, hmac-md5-96

Notes

This element is mandatory.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

key-re-exchange
Synopsis Enter the key-re-exchange context
Context configure system security ssh key-re-exchange
Tree key-re-exchange
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

client
Synopsis Enter the client context
Context configure system security ssh key-re-exchange client
Tree client
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

mbytes (number | keyword)
Synopsis Maximum bytes transmitted before key re-exchange begins
Context configure system security ssh key-re-exchange client mbytes (number | keyword)
Tree mbytes
Range 1 to 64000
Units megabytes
Options infinite
Default 1024
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

minutes (number | keyword)
Synopsis Maximum time before key re-exchange is initiated
Context configure system security ssh key-re-exchange client minutes (number | keyword)
Tree minutes
Range 1 to 1440
Units minutes
Options infinite
Default 60
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

server
Synopsis Enter the server context
Context configure system security ssh key-re-exchange server
Tree server
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

mbytes (number | keyword)
Synopsis Maximum bytes transmitted before key re-exchange begins
Context configure system security ssh key-re-exchange server mbytes (number | keyword)
Tree mbytes
Range 1 to 64000
Units megabytes
Options infinite
Default 1024
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

minutes (number | keyword)
Synopsis Maximum time before key re-exchange is initiated
Context configure system security ssh key-re-exchange server minutes (number | keyword)
Tree minutes
Range 1 to 1440
Units minutes
Options infinite
Default 60
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

listening-port number
Synopsis TCP port for SSH connections for VPRN or base routing
Context configure system security ssh listening-port number
Tree listening-port
Range 22 | 1024 to 49151
Default 22
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

preserve-key boolean
Synopsis Preserve keys and restore on system or server restart
Context configure system security ssh preserve-key boolean
Tree preserve-key

Description

When configured to true, private, public, and host keys are saved by the server. The keys are restored following a system reboot or a restart of an SSH server.

When configured to false, the keys are held in memory by an SSH server but are not restored following a system reboot.

Default false
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

server-cipher-list-v2
Synopsis Enter the server-cipher-list-v2 context
Context configure system security ssh server-cipher-list-v2
Tree server-cipher-list-v2
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

cipher [index] number
Synopsis Enter the cipher list instance
Context configure system security ssh server-cipher-list-v2 cipher number
Tree cipher

Description

Commands in this context configure a server-cipher instance. Server-ciphers are used when SR OS is acting as an SSH server.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

name keyword
Synopsis Algorithm for performing encryption or decryption
Context configure system security ssh server-cipher-list-v2 cipher number name keyword
Tree name
Options 3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, aes256-ctr

Notes

This element is mandatory.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

server-host-key-list-v2
Synopsis Enter the server-host-key-list-v2 context
Context configure system security ssh server-host-key-list-v2
Tree server-host-key-list-v2
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

host-key [index] number
Synopsis Enter the host-key list instance
Context configure system security ssh server-host-key-list-v2 host-key number
Tree host-key
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

name keyword
Synopsis Host key algorithm for computing a signature
Context configure system security ssh server-host-key-list-v2 host-key number name keyword
Tree name
Options ssh-rsa, rsa-sha2-256, rsa-sha2-512, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, ssh-ed25519

Notes

This element is mandatory.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

server-kex-list-v2
Synopsis Enter the server-kex-list-v2 context
Context configure system security ssh server-kex-list-v2
Tree server-kex-list-v2
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

kex [index] number
Synopsis Enter the kex list instance
Context configure system security ssh server-kex-list-v2 kex number
Tree kex
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[index] number
Synopsis SSHv2 KEX algorithm index
Context configure system security ssh server-kex-list-v2 kex number
Tree kex

Description

This command configures the index of the KEX algorithm in the list. The lowest index in the list is negotiated first on the SSH negotiation list, while the highest index is at the bottom of the SSH negotiation list.

Range 1 to 255

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

name keyword
Synopsis KEX algorithm for computing a shared secret key
Context configure system security ssh server-kex-list-v2 kex number name keyword
Tree name
Options diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha256, diffie-hellman-group16-sha512, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521

Notes

This element is mandatory.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

server-mac-list-v2
Synopsis Enter the server-mac-list-v2 context
Context configure system security ssh server-mac-list-v2
Tree server-mac-list-v2
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

mac [index] number
Synopsis Enter the mac list instance
Context configure system security ssh server-mac-list-v2 mac number
Tree mac
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[index] number
Synopsis MAC algorithm index
Context configure system security ssh server-mac-list-v2 mac number
Tree mac
Range 1 to 255

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

name keyword
Synopsis Algorithm for calculating message authentication code
Context configure system security ssh server-mac-list-v2 mac number name keyword
Tree name
Options hmac-sha2-512, hmac-sha2-256, hmac-sha1, hmac-sha1-96, hmac-md5, hmac-md5-96

Notes

This element is mandatory.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2
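
The cipher, host-key, KEX and MAC lists above are negotiated lowest index first, and the option sets include legacy algorithms, so both the content and the ordering of a configured list matter. The following audit is an added example, not Nokia code: the function names, the {index: keyword} input layout, the weak-algorithm policy and the renumbering step of 10 are assumptions, as is the reading that an empty client KEX list falls back to the four-algorithm default list shown in the client-kex-list-v2 description.

```python
# Option keywords copied from the "name keyword" entries in the reference above.
OPTIONS = {
    "cipher": {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
               "aes128-ctr", "aes192-ctr", "aes256-ctr"},
    "host-key": {"ssh-rsa", "rsa-sha2-256", "rsa-sha2-512",
                 "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
                 "ecdsa-sha2-nistp521", "ssh-ed25519"},
    "kex": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1",
            "diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512",
            "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"},
    "mac": {"hmac-sha2-512", "hmac-sha2-256", "hmac-sha1", "hmac-sha1-96",
            "hmac-md5", "hmac-md5-96"},
}

# Default list the reference gives for the client KEX list.
CLIENT_KEX_DEFAULT = ["diffie-hellman-group16-sha512",
                      "diffie-hellman-group14-sha256",
                      "diffie-hellman-group14-sha1",
                      "diffie-hellman-group1-sha1"]


def weakness(name):
    """Editor's policy (assumption): reason a keyword is legacy, or None."""
    if name == "diffie-hellman-group1-sha1":
        return "1024-bit DH group with SHA-1"
    if name == "ssh-rsa":
        return "RSA signature over SHA-1"
    if "md5" in name:
        return "MD5-based MAC"
    if "sha1" in name:
        return "SHA-1 based"
    if name == "3des-cbc":
        return "64-bit block cipher"
    if name.endswith("-cbc"):
        return "CBC mode; prefer CTR"
    return None


def negotiation_order(entries):
    """entries maps list index -> keyword; the lowest index is offered first."""
    return [entries[index] for index in sorted(entries)]


def audit(side, kind, entries):
    """Audit one <side>-<kind>-list-v2 list; returns its order and findings."""
    findings = [f"index {i}: {n} is not a valid {kind} keyword"
                for i, n in sorted(entries.items()) if n not in OPTIONS[kind]]
    order = negotiation_order(entries)
    if not order and (side, kind) == ("client", "kex"):
        # Deleting every entry does not harden the client: the default applies.
        order = list(CLIENT_KEX_DEFAULT)
        findings.append("list empty: default client KEX list applies")
    first_weak = None
    for name in order:
        reason = weakness(name)
        if reason:
            findings.append(f"{name}: {reason}")
            first_weak = first_weak or name
        elif first_weak:
            findings.append(f"{name} is ranked below weaker {first_weak}")
    return {"order": order, "findings": findings}


def hardened_commands(side, kind, entries):
    """Keep valid, non-legacy keywords in their order, renumbered 10, 20, ..."""
    keep = [n for n in negotiation_order(entries)
            if n in OPTIONS[kind] and weakness(n) is None]
    return [f"configure system security ssh {side}-{kind}-list-v2 "
            f"{kind} {10 * (pos + 1)} name {name}"
            for pos, name in enumerate(keep)]


# Constructed sample list (not taken from any real device).
CLIENT_KEX = {10: "diffie-hellman-group1-sha1",
              20: "diffie-hellman-group14-sha256",
              30: "ecdh-sha2-nistp256"}

if __name__ == "__main__":
    for finding in audit("client", "kex", CLIENT_KEX)["findings"]:
        print("finding:", finding)
    for line in hardened_commands("client", "kex", CLIENT_KEX):
        print(line)
    print(audit("client", "kex", {})["findings"])
```

The empty-list case is the one to watch: under the stated assumption, removing every client KEX entry brings diffie-hellman-group1-sha1 back through the default list, so a hardened client list has to name its algorithms explicitly.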

system-passwords
Synopsis Enter the system-passwords context
Context configure system security system-passwords
Tree system-passwords

Description

This command enters the context to configure system passwords.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

admin-password hashed-leaf
Synopsis Administrative password for the enable command
Context configure system security system-passwords admin-password hashed-leaf
Tree admin-password

Description

This command allows a user with administrative permissions to configure a password that enables a user to become an administrator.

This password is valid only for one session. When enabled, no authorization to TACACS+ or RADIUS is performed and the user is locally regarded as an administrative user.

If the admin-password is configured in the configure system security system-passwords admin-password context, any user can enter the special mode by entering the enable command.

enable is in the default profile. By default, all users are given access to this command.

After the enable command is entered, the user is prompted for a password. If the password matches, the user is given unrestricted access to all commands.

The minimum length of the password is determined by the minimum-length command. The complexity requirements for the password are determined by the complexity command.

Note: This command applies to a local user, in addition to users on RADIUS, TACACS, and LDAP.

String length 3 to 136
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

tech-support
Synopsis Enter the tech-support context
Context configure system security tech-support
Tree tech-support
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

ts-location (ts-sat-url | cflash-url | string)
Synopsis Default file path for generated tech-support files
Context configure system security tech-support ts-location (ts-sat-url | cflash-url | string)
Tree ts-location
String length 1 to 180
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

telnet
Synopsis Enter the telnet context
Context configure system security telnet
Tree telnet
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

listening-port number
Synopsis TCP port for Telnet connections for VPRN or base routing
Context configure system security telnet listening-port number
Tree listening-port
Range 23 | 1024 to 49151
Default 23
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

telnet-server boolean
Synopsis Enable Telnet servers running on the system
Context configure system security telnet-server boolean
Tree telnet-server
Default false
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

telnet6-server boolean
Synopsis Enable Telnet IPv6 servers running on the system
Context configure system security telnet6-server boolean
Tree telnet6-server
Default false
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

tls
Synopsis Enter the tls context
Context configure system security tls
Tree tls
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

cert-profile [cert-profile-name] named-item
Synopsis Enter the cert-profile list instance
Context configure system security tls cert-profile named-item
Tree cert-profile
Max. instances 16
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[cert-profile-name] named-item
Synopsis TLS certificate profile name
Context configure system security tls cert-profile named-item
Tree cert-profile
String length 1 to 32

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

entry [entry-id] number
Synopsis Enter the entry list instance
Context configure system security tls cert-profile named-item entry number
Tree entry
Max. instances 8
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[entry-id] number
Synopsis Certificate profile ID
Context configure system security tls cert-profile named-item entry number
Tree entry
Range 1 to 8

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

send-chain
Synopsis Enter the send-chain context
Context configure system security tls cert-profile named-item entry number send-chain
Tree send-chain
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

ca-profile [ca-profile-name] reference
Synopsis Add a list entry for ca-profile
Context configure system security tls cert-profile named-item entry number send-chain ca-profile reference
Tree ca-profile
Max. instances 7
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

client-cipher-list [client-cipher-list-name] named-item
Synopsis Enter the client-cipher-list list instance
Context configure system security tls client-cipher-list named-item
Tree client-cipher-list
Max. instances 16
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

tls12-cipher [index] number
Synopsis Enter the tls12-cipher list instance
Context configure system security tls client-cipher-list named-item tls12-cipher number
Tree tls12-cipher
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

name keyword
Synopsis Cipher suite code
Context configure system security tls client-cipher-list named-item tls12-cipher number name keyword
Tree name
Options tls-rsa-with3des-ede-cbc-sha, tls-rsa-with-aes128-cbc-sha, tls-rsa-with-aes256-cbc-sha, tls-rsa-with-aes128-cbc-sha256, tls-rsa-with-aes256-cbc-sha256, tls-rsa-with-aes128-gcm-sha256, tls-rsa-with-aes256-gcm-sha384, tls-ecdhe-rsa-aes128-gcm-sha256, tls-ecdhe-rsa-aes256-gcm-sha384

Notes

This element is mandatory.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

tls13-cipher [index] number
Synopsis Enter the tls13-cipher list instance
Context configure system security tls client-cipher-list named-item tls13-cipher number
Tree tls13-cipher

Description

Commands in this context configure the TLS 1.3-supported ciphers used by the client.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

name keyword
Synopsis Name of the TLS 1.3 cipher suite code
Context configure system security tls client-cipher-list named-item tls13-cipher number name keyword
Tree name
Options tls-aes128-gcm-sha256, tls-aes256-gcm-sha384, tls-chacha20-poly1305-sha256, tls-aes128-ccm-sha256, tls-aes128-ccm8-sha256

Notes

This element is mandatory.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

client-group-list [client-group-list-name] named-item
Synopsis Enter the client-group-list list instance
Context configure system security tls client-group-list named-item
Tree client-group-list

Description

Commands in this context configure the list of TLS 1.3-supported group suite codes that the client sends in a client Hello message.

Max. instances 16
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[client-group-list-name] named-item
Synopsis Name of the TLS client group list
Context configure system security tls client-group-list named-item
Tree client-group-list
String length 1 to 32

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

tls13-group [index] number
Synopsis Enter the tls13-group list instance
Context configure system security tls client-group-list named-item tls13-group number
Tree tls13-group

Description

Commands in this context configure the TLS 1.3-supported group suite codes sent by the client in its Hello messages.

SR OS supports the use of Elliptic-Curve Diffie-Hellman Ephemeral (ECDHE) groups.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

name keyword
Synopsis Name of the TLS 1.3 group suite code
Context configure system security tls client-group-list named-item tls13-group number name keyword
Tree name
Options tls-ecdhe-256, tls-ecdhe-384, tls-ecdhe-521, tls-x25519, tls-x448

Notes

This element is mandatory.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

client-signature-list [client-signature-list-name] named-item
Synopsis Enter the client-signature-list list instance
Context configure system security tls client-signature-list named-item
Tree client-signature-list

Description

Commands in this context configure the list of TLS 1.3-supported signature suite codes that the client sends in a client Hello message.

Max. instances 16
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

tls13-signature [index] number
Synopsis Enter the tls13-signature list instance
Context configure system security tls client-signature-list named-item tls13-signature number
Tree tls13-signature

Description

Commands in this context configure the TLS 1.3-supported signature suite codes sent by the client in its Hello messages.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

name keyword
Synopsis Name of the TLS 1.3 signature suite code
Context configure system security tls client-signature-list named-item tls13-signature number name keyword
Tree name
Options tls-rsa-pkcs1-sha256, tls-ecdsa-secp256r1-sha256, tls-rsa-pkcs1-sha384, tls-ecdsa-secp384r1-sha384, tls-rsa-pkcs1-sha512, tls-ecdsa-secp521r1-sha512, tls-rsa-pss-rsae-sha256, tls-rsa-pss-rsae-sha384, tls-rsa-pss-rsae-sha512, tls-ed25519, tls-ed448, tls-rsa-pss-pss-sha256, tls-rsa-pss-pss-sha384, tls-rsa-pss-pss-sha512

Notes

This element is mandatory.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

client-tls-profile [client-profile-name] named-item
Synopsis Enter the client-tls-profile list instance
Context configure system security tls client-tls-profile named-item
Tree client-tls-profile
Max. instances 16
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

protocol-version keyword
Synopsis TLS protocol version used by the TLS client profile
Context configure system security tls client-tls-profile named-item protocol-version keyword
Tree protocol-version

Description

This command configures the TLS version to be negotiated between the client and the server.

The client adds the specified version as a supported version in its Hello message to the server.

Options tls-version-all, tls-version-12, tls-version-13
Default tls-version-12
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

status-verify
Synopsis Enter the status-verify context
Context configure system security tls client-tls-profile named-item status-verify
Tree status-verify

Description

Commands in this context configure certificate revocation status verification options for the end-entity certificate in a TLS client.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

default-result keyword
Synopsis Default result of certificate status verification
Context configure system security tls client-tls-profile named-item status-verify default-result keyword
Tree default-result

Description

This command configures the default result of the entity certificate verification in the TLS client profile. This command overwrites the EE certificate revocation verification for the TLS client profile.

By default, the router checks the certificate revocation status, but if this command is set to good, the end-entity certificate revocation status is overwritten and a good revocation status is returned for the EE certificate.

If this command is set to revoked, the router returns the actual revocation status of the end-entity certificate.

Options revoked, good
Default revoked
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

ee-revocation
Synopsis Enter the ee-revocation context
Context configure system security tls client-tls-profile named-item status-verify ee-revocation
Tree ee-revocation

Description

Commands in this context configure the methods used to verify the end entity certificate revocation status for the TLS client profile.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

server-cipher-list [server-cipher-list-name] named-item
Synopsis Enter the server-cipher-list list instance
Context configure system security tls server-cipher-list named-item
Tree server-cipher-list
Max. instances 16
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

tls12-cipher [index] number
Synopsis Enter the tls12-cipher list instance
Context configure system security tls server-cipher-list named-item tls12-cipher number
Tree tls12-cipher
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

name keyword
Synopsis Cipher suite code
Context configure system security tls server-cipher-list named-item tls12-cipher number name keyword
Tree name
Options tls-rsa-with3des-ede-cbc-sha, tls-rsa-with-aes128-cbc-sha, tls-rsa-with-aes256-cbc-sha, tls-rsa-with-aes128-cbc-sha256, tls-rsa-with-aes256-cbc-sha256, tls-rsa-with-aes128-gcm-sha256, tls-rsa-with-aes256-gcm-sha384, tls-ecdhe-rsa-aes128-gcm-sha256, tls-ecdhe-rsa-aes256-gcm-sha384

Notes

This element is mandatory.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

tls13-cipher [index] number
Synopsis Enter the tls13-cipher list instance
Context configure system security tls server-cipher-list named-item tls13-cipher number
Tree tls13-cipher

Description

Commands in this context configure the TLS 1.3-supported ciphers used by the server.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

name keyword
Synopsis Name of the TLS 1.3 cipher suite code
Context configure system security tls server-cipher-list named-item tls13-cipher number name keyword
Tree name
Options tls-aes128-gcm-sha256, tls-aes256-gcm-sha384, tls-chacha20-poly1305-sha256, tls-aes128-ccm-sha256, tls-aes128-ccm8-sha256

Notes

This element is mandatory.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

server-group-list [server-group-list-name] named-item
Synopsis Enter the server-group-list list instance
Context configure system security tls server-group-list named-item
Tree server-group-list

Description

Commands in this context configure the list of TLS 1.3-supported group suite codes that the server sends in a server Hello message.

Max. instances 16
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[server-group-list-name] named-item
Synopsis Name of the TLS server group list
Context configure system security tls server-group-list named-item
Tree server-group-list
String length 1 to 32

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

tls13-group [index] number
Synopsis Enter the tls13-group list instance
Context configure system security tls server-group-list named-item tls13-group number
Tree tls13-group

Description

Commands in this context configure the TLS 1.3-supported group suite codes sent by the server in its Hello messages.

SR OS supports the use of Elliptic-Curve Diffie-Hellman Ephemeral (ECDHE) groups.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

name keyword
Synopsis Name of the TLS 1.3 group suite code
Context configure system security tls server-group-list named-item tls13-group number name keyword
Tree name
Options tls-ecdhe-256, tls-ecdhe-384, tls-ecdhe-521, tls-x25519, tls-x448

Notes

This element is mandatory.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

server-signature-list [server-signature-list-name] named-item
Synopsis Enter the server-signature-list list instance
Context configure system security tls server-signature-list named-item
Tree server-signature-list

Description

Commands in this context configure the list of TLS 1.3-supported signature suite codes for the digital signature that the server sends in a server Hello message.

Max. instances 16
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

tls13-signature [index] number
Synopsis Enter the tls13-signature list instance
Context configure system security tls server-signature-list named-item tls13-signature number
Tree tls13-signature

Description

Commands in this context configure the TLS 1.3-supported signature suite codes sent by the server in its Hello messages.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

name keyword
Synopsis Name of the TLS 1.3 signature suite code
Context configure system security tls server-signature-list named-item tls13-signature number name keyword
Tree name
Options tls-rsa-pkcs1-sha256, tls-ecdsa-secp256r1-sha256, tls-rsa-pkcs1-sha384, tls-ecdsa-secp384r1-sha384, tls-rsa-pkcs1-sha512, tls-ecdsa-secp521r1-sha512, tls-rsa-pss-rsae-sha256, tls-rsa-pss-rsae-sha384, tls-rsa-pss-rsae-sha512, tls-ed25519, tls-ed448, tls-rsa-pss-pss-sha256, tls-rsa-pss-pss-sha384, tls-rsa-pss-pss-sha512

Notes

This element is mandatory.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

server-tls-profile [server-profile-name] named-item
Synopsis Enter the server-tls-profile list instance
Context configure system security tls server-tls-profile named-item
Tree server-tls-profile
Max. instances 16
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

authenticate-client
Synopsis Enter the authenticate-client context
Context configure system security tls server-tls-profile named-item authenticate-client
Tree authenticate-client
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

protocol-version keyword
Synopsis TLS protocol version used by the TLS server profile
Context configure system security tls server-tls-profile named-item protocol-version keyword
Tree protocol-version

Description

This command configures the TLS version to be negotiated between the server and the client.

The server adds the specified version as a supported version in its Hello message to the client.

Options tls-version-all, tls-version-12, tls-version-13
Default tls-version-12
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

status-verify
Synopsis Enter the status-verify context
Context configure system security tls server-tls-profile named-item status-verify
Tree status-verify

Description

Commands in this context configure certificate revocation status verification options for the end-entity certificate in a TLS server.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

default-result keyword
Synopsis Default result of certificate status verification
Context configure system security tls server-tls-profile named-item status-verify default-result keyword
Tree default-result

Description

This command configures the default result of the entity certificate verification in the TLS server profile. This command overwrites the EE certificate revocation verification for the TLS server profile.

By default, the router checks the certificate revocation status, but if this command is set to good, the end-entity certificate revocation status is overwritten and a good revocation status is returned for the EE certificate.

If this command is set to revoked, the router returns the actual revocation status of the end-entity certificate.

Options revoked, good
Default revoked
Introduced 25.3.R2

Platforms

7705 SAR Gen 2
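
Added example (not Nokia code): a Python audit of flat configuration lines against the KEX, MAC and TLS 1.2 cipher option lists, the telnet-server leaves and the default-result leaf described above, reporting weak options and whether the index order prefers them over stronger ones. The line syntax is assumed to follow the Context paths on this page, the sample lines and the list names "mgmt" and "to-nms" are constructed, and the weakness reasons are general properties of the algorithms, not vendor guidance.

```python
"""Audit flat SR OS security lines against the option lists on this page (added example)."""
import shlex

SHA1_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"}
PREFIX = ["/configure", "system", "security"]


def weaknesses(kind, alg):
    """Return the reasons an option is weak (empty list when none apply)."""
    reasons = []
    if kind == "kex":
        if alg in SHA1_KEX:
            reasons.append("SHA-1 exchange hash")
        if alg == "diffie-hellman-group1-sha1":
            reasons.append("1024-bit MODP group")
    elif kind == "mac":
        if "md5" in alg:
            reasons.append("MD5-based MAC")
        if "sha1" in alg:
            reasons.append("SHA-1-based MAC")
        if alg.endswith("-96"):
            reasons.append("tag truncated to 96 bits")
    elif kind == "tls12-cipher":
        if alg.startswith("tls-rsa-"):
            reasons.append("static RSA key exchange, no forward secrecy")
        if "3des" in alg:
            reasons.append("3DES, 64-bit block cipher")
        if "-cbc-" in alg:
            reasons.append("CBC mode, not AEAD")
    return reasons


def parse(config_text):
    """Return ({list path: [(index, algorithm)]}, {leaf path: value})."""
    lists, leaves = {}, {}
    for raw in config_text.splitlines():
        tok = shlex.split(raw)                 # strips the quotes around list names
        if tok[:3] != PREFIX:
            continue
        path = tok[3:]
        if (len(path) >= 4 and path[-2] == "name"
                and path[-4] in ("kex", "mac", "tls12-cipher")):
            lists.setdefault(tuple(path[:-3]), []).append((int(path[-3]), path[-1]))
        elif len(path) >= 2:
            leaves[tuple(path[:-1])] = path[-1]
    for entries in lists.values():
        entries.sort()                         # lowest index is negotiated first
    return lists, leaves


def audit(config_text):
    lists, leaves = parse(config_text)
    findings = []
    for path, entries in lists.items():
        kind = path[-1]
        for pos, (index, alg) in enumerate(entries):
            reasons = weaknesses(kind, alg)
            if not reasons:
                continue
            later = [a for _, a in entries[pos + 1:]]
            findings.append({
                "where": " ".join(path), "index": index, "value": alg,
                "reasons": reasons,
                # True when this weak option is offered ahead of a stronger one
                "preferred_over_stronger": any(not weaknesses(kind, a) for a in later),
            })
    for path, value in leaves.items():
        if path[-1] in ("telnet-server", "telnet6-server") and value == "true":
            reasons = ["Telnet carries credentials in cleartext"]
        elif path[-2:] == ("status-verify", "default-result") and value == "good":
            reasons = ["end-entity revocation status is always reported as good"]
        else:
            continue
        findings.append({"where": " ".join(path), "index": None, "value": value,
                         "reasons": reasons, "preferred_over_stronger": False})
    return findings


# Constructed sample input, not taken from a real device.
SAMPLE = """\
/configure system security ssh server-kex-list-v2 kex 10 name diffie-hellman-group1-sha1
/configure system security ssh server-kex-list-v2 kex 20 name ecdh-sha2-nistp256
/configure system security ssh server-mac-list-v2 mac 5 name hmac-sha2-256
/configure system security ssh server-mac-list-v2 mac 200 name hmac-md5-96
/configure system security tls server-cipher-list "mgmt" tls12-cipher 1 name tls-ecdhe-rsa-aes256-gcm-sha384
/configure system security tls server-cipher-list "mgmt" tls12-cipher 2 name tls-rsa-with3des-ede-cbc-sha
/configure system security telnet-server true
/configure system security tls client-tls-profile "to-nms" status-verify default-result good
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A weak entry with preferred_over_stronger set deserves attention first, because its lower index places it ahead of a stronger option in the negotiation list.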

ee-revocation
Synopsis Enter the ee-revocation context
Context configure system security tls server-tls-profile named-item status-verify ee-revocation
Tree ee-revocation

Description

Commands in this context configure the methods used to verify the end entity certificate revocation status for the TLS server profile.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

trust-anchor-profile [trust-anchor-profile-name] named-item
Synopsis Enter the trust-anchor-profile list instance
Context configure system security tls trust-anchor-profile named-item
Tree trust-anchor-profile
Max. instances 16
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

trust-anchor [ca-profile-name] reference
Synopsis Add a list entry for trust-anchor
Context configure system security tls trust-anchor-profile named-item trust-anchor reference
Tree trust-anchor
Max. instances 8
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

user-params
Synopsis Enter the user-params context
Context configure system security user-params
Tree user-params
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

attempts
Synopsis Enter the attempts context
Context configure system security user-params attempts
Tree attempts
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

time number
Synopsis Time frame of unsuccessful login attempts
Context configure system security user-params attempts time number
Tree time
Range 0 to 60
Units minutes
Default 5
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

authentication-order
Synopsis Enter the authentication-order context
Context configure system security user-params authentication-order
Tree authentication-order

Description

Commands in this context configure the sequence in which the system attempts authentication and authorization among the local user database, RADIUS servers, TACACS+ servers, and LDAP servers.

Configure the order from the most preferred method to the least preferred. The presence of all methods in the command line does not guarantee they are all operational. Specifying options that are not available delays user authentication.

If all operational methods are attempted and no authentication for a particular login has been granted, an entry in the security log records the failed attempt. Both the attempted login identification and originating IP address are logged with a timestamp.

The default order is [radius tacplus ldap local].

The order is not applicable to SNMPv3. SNMPv3 messages ignore the configured order and are authorized using the locally configured users only. TACACS+, RADIUS, and LDAP are not supported for SNMPv3 authentication.

Note: This command applies to a local user, in addition to users on RADIUS, TACACS+, and LDAP.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

exit-on-reject boolean
Synopsis Ignore subsequent AAA methods after a reject
Context configure system security user-params authentication-order exit-on-reject boolean
Tree exit-on-reject

Description

When configured to true, the router stops authentication if one of the AAA methods configured in the authentication order sends a rejection.

When configured to false, the router attempts the next AAA method if an AAA method sends a rejection. If all AAA methods are exhausted, authentication and authorization are rejected.

If the order specifies local as the first method, the following actions apply:

  • If this command is set to true and the user does not exist, the user is not authenticated.

  • If the user can be authenticated locally, other methods, if configured, are used for authorization and accounting.

  • If the user is configured locally but without console access, login is denied.

Default false
Introduced 25.3.R2

Platforms

7705 SAR Gen 2
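
Added example (not Nokia code): a Python model of the authentication-order walk with exit-on-reject, showing which logins succeed only because a later method accepts after an earlier one rejected. Only authentication is modelled; treating an unreachable method as giving no verdict, the user names and the per-method answers are constructed assumptions.

```python
"""Model of authentication-order with exit-on-reject (added example)."""

ACCEPT, REJECT, UNAVAILABLE = "accept", "reject", "unavailable"
DEFAULT_ORDER = ("radius", "tacplus", "ldap", "local")   # default order on this page


def authenticate(answers, order=DEFAULT_ORDER, exit_on_reject=False):
    """Walk the order for one login; return (granted, trace of methods tried)."""
    trace = []
    for method in order:
        # Assumption: a method that is not configured or not reachable gives
        # no verdict, so the walk moves on regardless of exit-on-reject.
        answer = answers.get(method, UNAVAILABLE)
        trace.append((method, answer))
        if answer == ACCEPT:
            return True, trace
        if answer == REJECT and exit_on_reject:
            return False, trace            # the first rejection is final
    return False, trace                    # every method exhausted


def fallback_logins(logins, order=DEFAULT_ORDER):
    """Logins granted by a later method after an earlier one rejected them.

    These are the logins that exit-on-reject true would have denied.
    """
    found = []
    for user, answers in logins.items():
        granted, trace = authenticate(answers, order, exit_on_reject=False)
        rejected_by = [m for m, a in trace if a == REJECT]
        if granted and rejected_by:
            found.append((user, rejected_by, trace[-1][0]))
    return found


# Constructed sample: what each method would answer for three login attempts.
LOGINS = {
    "ops-alice": {"radius": ACCEPT},
    # Disabled on the RADIUS server, but a local account still exists.
    "ops-bob": {"radius": REJECT, "local": ACCEPT},
    # RADIUS server unreachable, local account used as the fallback.
    "ops-carol": {"radius": UNAVAILABLE, "local": ACCEPT},
}

if __name__ == "__main__":
    for user, rejected_by, granted_by in fallback_logins(LOGINS):
        print(f"{user}: rejected by {rejected_by}, granted by {granted_by}")
```

With exit-on-reject left at false, a local account that outlives its central counterpart keeps working after the central server rejects the login, so the output of fallback_logins is a list of local accounts to review.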

order keyword
Synopsis Authentication and authorization order
Context configure system security user-params authentication-order order keyword
Tree order

Description

This command specifies the order of authentication and authorization.

The default order is [radius tacplus ldap local].

Options local, radius, tacplus, ldap
Max. instances 4

Notes

This element is ordered by the user.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

local-user
Synopsis Enter the local-user context
Context configure system security user-params local-user
Tree local-user
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

password
Synopsis Enter the password context
Context configure system security user-params local-user password
Tree password
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

complexity-rules
Synopsis Enter the complexity-rules context
Context configure system security user-params local-user password complexity-rules
Tree complexity-rules
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

credits
Synopsis Enter the credits context
Context configure system security user-params local-user password complexity-rules credits
Tree credits

Notes

The following elements are part of a choice: credits or required.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

disallow-sequence-keys number
Synopsis Minimum length of disallowed sequential characters
Context configure system security user-params local-user password complexity-rules disallow-sequence-keys number
Tree disallow-sequence-keys

Description

This command configures the number of consecutive characters that are not allowed to be entered as part of the password on a U.S. English or Korean keyboard. These characters can be lowercase or uppercase letters, or numbers. Special characters are not taken into account. These consecutive characters can be horizontal (left to right or right to left) or diagonal (top to bottom or bottom to top). If the number of consecutive characters is equal to or larger than the configured value, the password is disallowed.

For example, if the user attempts to use the password "dsalkjhgfdsa" with this command configured to 8, the system rejects the password. The first consecutive sequence, "dsa", is 3 lowercase letters, which passes the check, but the second consecutive sequence, "lkjhgfdsa", consists of 9 consecutive lowercase letters, which does not pass the check.

Range 2 to 8
Introduced 25.3.R2

Platforms

7705 SAR Gen 2
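
Added example (not Nokia code): a Python check in the style of disallow-sequence-keys that reproduces the "dsalkjhgfdsa" case above and also covers reversals and diagonal runs. The U.S. English key rows are standard; the diagonal key groups, and the choice that a special character ends a run, are assumptions about how the router applies the rule.

```python
"""Keyboard-sequence check in the style of disallow-sequence-keys (added example)."""

# U.S. English layout. ROWS covers the horizontal case; DIAGONALS is an
# assumption about which keys count as adjacent top to bottom.
ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
DIAGONALS = ("1qaz", "2wsx", "3edc", "4rfv", "5tgb",
             "6yhn", "7ujm", "8ik", "9ol", "0p")


def sequence_runs(password, lines):
    """Return maximal runs (length >= 2) of neighbouring keys typed in one direction."""
    pos = {ch: (i, j) for i, line in enumerate(lines) for j, ch in enumerate(line)}
    s = password.lower()                   # upper and lower case are treated alike
    runs, start, step = [], 0, 0
    for k in range(1, len(s) + 1):
        a = pos.get(s[k - 1])
        b = pos.get(s[k]) if k < len(s) else None
        # delta is +1 or -1 only when both keys are neighbours on the same line;
        # a special character is not in pos, so it ends the run (assumption)
        delta = b[1] - a[1] if a and b and a[0] == b[0] else 0
        if abs(delta) == 1 and step in (0, delta):
            step = delta                   # run continues in the same direction
            continue
        if k - start >= 2:
            runs.append(s[start:k])
        # a reversal such as "asds" starts a new run at the turning key
        start, step = (k - 1, delta) if abs(delta) == 1 else (k, 0)
    return runs


def longest_sequence(password):
    """Longest horizontal or diagonal run found in the password."""
    runs = sequence_runs(password, ROWS) + sequence_runs(password, DIAGONALS)
    return max(runs, key=len, default="")


def is_disallowed(password, disallow_sequence_keys):
    """True when a run is equal to or longer than the configured value."""
    if not 2 <= disallow_sequence_keys <= 8:       # Range on this page: 2 to 8
        raise ValueError("disallow-sequence-keys must be 2 to 8")
    return len(longest_sequence(password)) >= disallow_sequence_keys


if __name__ == "__main__":
    for candidate in ("dsalkjhgfdsa", "Zaq1!x", "d5a!Lk9"):
        print(candidate, sequence_runs(candidate, ROWS),
              sequence_runs(candidate, DIAGONALS), is_disallowed(candidate, 8))
```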

required
Synopsis Enter the required context
Context configure system security user-params local-user password complexity-rules required
Tree required

Notes

The following elements are part of a choice: credits or required.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

user [user-name] named-item
Synopsis Enter the user list instance
Context configure system security user-params local-user user named-item
Tree user

Description

Commands in this context configure local users.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[user-name] named-item
Synopsis Local user name
Context configure system security user-params local-user user named-item
Tree user
String length 1 to 32

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

access
Synopsis Enter the access context
Context configure system security user-params local-user user named-item access
Tree access

Description

Commands in this context grant a user access to the router management access methods. If a user requires access to more than one method, multiple methods can be specified.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

console boolean
Synopsis Allow Bluetooth, console port CLI, SCP/SFTP, SSH CLI, and Telnet CLI access
Context configure system security user-params local-user user named-item access console boolean
Tree console

Description

When configured to true, the system allows this access method to take precedence over other access methods in all cases.

Default false
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

cli-engine keyword
Synopsis User level override for CLI engine access
Context configure system security user-params local-user user named-item cli-engine keyword
Tree cli-engine
Options classic-cli, md-cli
Max. instances 2

Notes

This element is ordered by the user.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

console
Synopsis Enter the console context
Context configure system security user-params local-user user named-item console
Tree console
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

login-exec (sat-url | cflash-url | ftp-tftp-url | filename)
Synopsis File to execute when the user logs in
Context configure system security user-params local-user user named-item console login-exec (sat-url | cflash-url | ftp-tftp-url | filename)
Tree login-exec

String length

1 to 200 (sat-url, cflash-url)

1 to 180 (ftp-tftp-url, filename)

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

home-directory cflash-without-slot-url
Synopsis Home directory for the user
Context configure system security user-params local-user user named-item home-directory cflash-without-slot-url
Tree home-directory

Description

This command configures the home directory of the user for file access. Files can be accessed locally by CLI file commands and output modifiers such as > (file redirect), or remotely via FTP and SCP. If the home directory does not exist, a warning message is displayed when the user logs in.

When restricted-to-home is configured, file access is denied unless the home-directory is configured and the directory is created by an administrator.

String length 1 to 200
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

public-keys
Synopsis Enter the public-keys context
Context configure system security user-params local-user user named-item public-keys
Tree public-keys

Description

Commands in this context configure public keys for SSH.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

ecdsa
Synopsis Enter the ecdsa context
Context configure system security user-params local-user user named-item public-keys ecdsa
Tree ecdsa

Description

Commands in this context configure Elliptic Curve Digital Signature Algorithm (ECDSA) public keys.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

ecdsa-key [ecdsa-public-key-id] number
Synopsis Enter the ecdsa-key list instance
Context configure system security user-params local-user user named-item public-keys ecdsa ecdsa-key number
Tree ecdsa-key

Description

Commands in this context configure an ECDSA public key and associate the key with a username. A user can associate multiple public keys with a username. The key ID identifies these keys for the user.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

key-value string-not-all-spaces
Synopsis ECDSA public key value
Context configure system security user-params local-user user named-item public-keys ecdsa ecdsa-key number key-value string-not-all-spaces
Tree key-value

Description

This command configures a value for the ECDSA public key. The public key must be enclosed in quotation marks. For ECDSA, the key is between 1 and 1024 bits.

String length 1 to 255
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

rsa
Synopsis Enter the rsa context
Context configure system security user-params local-user user named-item public-keys rsa
Tree rsa

Description

Commands in this context configure RSA public keys.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

rsa-key [rsa-public-key-id] number
Synopsis Enter the rsa-key list instance
Context configure system security user-params local-user user named-item public-keys rsa rsa-key number
Tree rsa-key

Description

Commands in this context configure an RSA public key and associate the key with a username. A user can associate multiple public keys with a username. The key ID identifies these keys for the user.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

key-value string-not-all-spaces
Synopsis RSA public key value
Context configure system security user-params local-user user named-item public-keys rsa rsa-key number key-value string-not-all-spaces
Tree key-value

Description

This command configures a value for the RSA public key. The public key must be enclosed in quotation marks. For RSA, the key is between 768 and 4096 bits.

String length 1 to 800
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

restricted-to-home boolean
Synopsis Restrict file access to the home directory of the user
Context configure system security user-params local-user user named-item restricted-to-home boolean
Tree restricted-to-home

Description

When configured to true, the router denies the user access to files outside of their home directory. Files can be accessed locally by CLI file commands and output modifiers such as > (file redirect), or remotely via FTP and SCP. The system denies all configuration save operations (such as admin save) via any management interface (such as CLI and NETCONF) unless save-when-restricted is enabled.

File access is denied unless a home directory is configured and the directory is created by an administrator.

When configured to false, the router permits the user to access all files on the system.

Default true
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

save-when-restricted boolean
Synopsis Save configurations when the user is restricted to home
Context configure system security user-params local-user user named-item save-when-restricted boolean
Tree save-when-restricted

Description

When configured to true, the system permits configuration save operations for all configuration regions (such as bof and configure) via any management interface (such as CLI and NETCONF) even if restricted-to-home is enabled.

The configuration for each region can be saved with admin save CLI commands or when committed over NETCONF and gRPC.

When configured to false, the system denies saving the configuration when restricted-to-home is enabled, unless the home directory of the user includes the location of the saved configuration file.

Default true
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

snmp
Synopsis Enter the snmp context
Context configure system security user-params local-user user named-item snmp
Tree snmp
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

authentication
Synopsis Enable the authentication context
Contextconfigure system security user-params local-user user named-item snmp authentication
Treeauthentication

Description

Commands in this context configure the SNMPv3 authentication and privacy protocols for the user to communicate with the router. The keys are stored in an encrypted format in the configuration.

The keys configured with these commands must be localized keys, which are a hash of the SNMP engine ID and a password. The password is not entered directly in this command. Use the tools perform system management-interface snmp generate-key command to generate localized authentication and privacy keys.

If authentication is not configured, only the username is required to allow and authenticate SNMPv3 operations.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

authentication-key encrypted-leaf-hex-without-prefix
Synopsis Localized authentication key
Context configure system security user-params local-user user named-item snmp authentication authentication-key encrypted-leaf-hex-without-prefix
Tree authentication-key

Description

This command specifies the authentication key for the authentication protocol. The key must be a localized key, which is a hash of the SNMP engine ID and a password. The password is not entered directly in this command. Use the tools perform system management-interface snmp generate-key command to generate a localized authentication key.

String length 1 to 115
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

privacy
Synopsis Enable the privacy context
Context configure system security user-params local-user user named-item snmp authentication privacy
Tree privacy
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

privacy-key encrypted-leaf-hex-without-prefix
Synopsis Localized privacy key
Context configure system security user-params local-user user named-item snmp authentication privacy privacy-key encrypted-leaf-hex-without-prefix
Tree privacy-key

Description

This command specifies the privacy key for the privacy protocol. The key must be a localized key, which is a hash of the SNMP engine ID and a password. The password is not entered directly in this command. Use the tools perform system management-interface snmp generate-key command to generate a localized privacy key.

String length 1 to 71

Notes

This element is mandatory.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2
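
The authentication-key and privacy-key descriptions above call for localized keys, a hash of the SNMP engine ID and a password. The following is an added example, not Nokia code: it implements the standard SNMPv3 derivation from RFC 3414 (password-to-key, then localization) and assumes the router's generate-key tool follows that RFC; the password and first engine ID are the RFC's published test values, the second engine ID is constructed. It shows why one password yields a different key on every engine, so a key taken from one device's configuration is not valid on another.

```python
import hashlib

# RFC 3414 A.2 hashes exactly this many octets of the repeated password.
EXPANDED_LENGTH = 1048576


def password_to_key(password: bytes, algorithm: str = "sha1") -> bytes:
    """Return the intermediate key Ku for a password (not yet localized)."""
    if not password:
        raise ValueError("password must not be empty")
    # The password is repeated end to end and cut at 1,048,576 octets.
    repeats = EXPANDED_LENGTH // len(password) + 1
    stream = (password * repeats)[:EXPANDED_LENGTH]
    return hashlib.new(algorithm, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str = "sha1") -> bytes:
    """Return Kul = H(Ku || engineID || Ku), usable only with that engine."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("snmpEngineID must be 5 to 32 octets (RFC 3411)")
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def localized_key_hex(password: str, engine_id_hex: str,
                      algorithm: str = "sha1") -> str:
    """Convenience wrapper: password and hex engine ID in, hex key out."""
    ku = password_to_key(password.encode("utf-8"), algorithm)
    return localize_key(ku, bytes.fromhex(engine_id_hex), algorithm).hex()


if __name__ == "__main__":
    rfc_password = "maplesyrup"                  # RFC 3414 A.3 test password
    rfc_engine = "000000000000000000000002"      # RFC 3414 A.3 test engine ID
    other_engine = "0000000000000000000000aa"    # constructed second engine ID
    for engine in (rfc_engine, other_engine):
        print(engine, localized_key_hex(rfc_password, engine))
```

The hex output is the plain localized key; the page states that the router stores these keys in encrypted form, so the value in a saved configuration will not match it character for character.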

ssh-authentication-method
Synopsis Enter the ssh-authentication-method context
Context configure system security user-params local-user user named-item ssh-authentication-method
Tree ssh-authentication-method
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

client
Synopsis Enter the client context
Context configure system security user-params local-user user named-item ssh-authentication-method client
Tree client
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

public-key-only keyword
Synopsis Public key only SSH authentication for this user
Context configure system security user-params local-user user named-item ssh-authentication-method client public-key-only keyword
Tree public-key-only

Description

This command configures the authentication method accepted for the SSH session for the specified user. This user-level configuration overrides the system-level configuration defined in the configure system security ssh authentication-method public-key-only command.

When unconfigured, the command inherits the setting from the system level command.

The command options are:

  • true — accept only public key client authentication for the SSH server

  • false — accept public key or password client authentication for the SSH server. If interactive-authentication is configured to true in the configure system security aaa remote-servers radius or configure system security aaa remote-servers tacplus context, the system also accepts interactive keyboard authentication.

Options false, true
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

server
Synopsis Enter the server context
Context configure system security user-params local-user user named-item ssh-authentication-method server
Tree server
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

public-key-only keyword
Synopsis Public key only SSH authentication for this user
Context configure system security user-params local-user user named-item ssh-authentication-method server public-key-only keyword
Tree public-key-only

Description

This command configures the authentication method accepted for the SSH session for the specified user. This user-level configuration overrides the system-level configuration defined in the configure system security ssh authentication-method public-key-only command.

When unconfigured, the command inherits the setting from the system level command.

The command options are:

  • true — accept only public key client authentication for the SSH server

  • false — accept public key or password client authentication for the SSH server. If interactive-authentication is configured to true in the configure system security aaa remote-servers radius or configure system security aaa remote-servers tacplus context, the system also accepts interactive keyboard authentication.

Options false, true
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

vprn-network-exceptions
Synopsis Enable the vprn-network-exceptions context
Context configure system security vprn-network-exceptions
Tree vprn-network-exceptions

Description

Commands in this context configure the rate limiting attributes for processing packets with label TTL expiry received within an LSP shortcut or VPRN instances in the system and from all network IP interfaces. This includes labeled user and control plane packets, ping, and traceroute packets within GRT and VPRN, and ICMP replies.

These commands do not rate limit MPLS or service OAM packets.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

count number
Synopsis Limit of exception messages received
Context configure system security vprn-network-exceptions count number
Tree count

Description

This command specifies the threshold limit of exception messages. If the threshold value is exceeded within the configured time interval, packets are dropped.

Range 10 to 1000
Default 100
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

window number
Synopsis Time interval to measure exception messages
Context configure system security vprn-network-exceptions window number
Tree window

Description

This command configures the time interval within which exception messages are counted. If the threshold value is exceeded within the configured time interval, packets are dropped.

Range 1 to 60
Units seconds
Default 10
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

telemetry

Synopsis Enter the telemetry context
Context configure system telemetry
Tree telemetry

Description

Commands in this context configure the parameters for the dial-out telemetry functionality.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

destination-group [name] named-item
Synopsis Enter the destination-group list instance
Context configure system telemetry destination-group named-item
Tree destination-group

Description

Commands in this context configure parameters for destination groups.

Max. instances 225
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

allow-unsecure-connection
Synopsis Allow connection without secured transport protocol
Context configure system telemetry destination-group named-item allow-unsecure-connection
Tree allow-unsecure-connection

Description

When configured, this command allows an unsecured connection to remote managers; TCP connections are not encrypted, including username and password information.

Notes

The following elements are part of a choice: allow-unsecure-connection or tls-client-profile.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

destination [address] (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name) port number
Synopsis Enter the destination list instance
Context configure system telemetry destination-group named-item destination (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name) port number
Tree destination
Max. instances 4

Notes

This element is ordered by the user.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[address] (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name)
Synopsis Address of the destination within the destination group
Context configure system telemetry destination-group named-item destination (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name) port number
Tree destination
String length 1 to 255

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

port number
Synopsis TCP port number for the destination
Context configure system telemetry destination-group named-item destination (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name) port number
Tree destination
Range 0 | 1 to 65535

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

tcp-keepalive
Synopsis Enter the tcp-keepalive context
Context configure system telemetry destination-group named-item tcp-keepalive
Tree tcp-keepalive
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

retries number
Synopsis Number of probe retries before closing the connection
Context configure system telemetry destination-group named-item tcp-keepalive retries number
Tree retries

Description

This command configures the number of missed TCP keepalive probes before closing the TCP connection and attempting to reach the other destinations within the same destination group.

Range 3 to 100
Default 4
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

notification-bundling
Synopsis Enter the notification-bundling context
Context configure system telemetry notification-bundling
Tree notification-bundling

Description

Commands in this context configure the bundling of multiple notifications into one telemetry message.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

max-time-granularity number
Synopsis Maximum interval when bundling of notifications occurs
Context configure system telemetry notification-bundling max-time-granularity number
Tree max-time-granularity

Description

This command sets the maximum time interval during which telemetry notifications are bundled. All bundled notifications have the same timestamp, which is the timestamp of the bundle.

Range 1 to 1000
Units milliseconds
Default 100
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

persistent-subscriptions
Synopsis Enter the persistent-subscriptions context
Context configure system telemetry persistent-subscriptions
Tree persistent-subscriptions
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

delay-on-boot number
Synopsis Delay for persistent subscriptions after system boot
Context configure system telemetry persistent-subscriptions delay-on-boot number
Tree delay-on-boot

Description

This command configures the delay timer for gRPC telemetry persistent subscriptions. When the timer expires, gRPC telemetry persistent subscriptions become operational and connections are initiated. This delay prevents the system from trying to establish gRPC persistent subscriptions while it is still converging.

When no delay is configured, gRPC telemetry persistent subscriptions are initiated after the system boots and gRPC becomes operational.

Range 1 to 3600
Units seconds
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

subscription [name] named-item
Synopsis Enter the subscription list instance
Context configure system telemetry persistent-subscriptions subscription named-item
Tree subscription
Max. instances 225
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

encoding keyword
Synopsis Encoding used for telemetry notifications
Context configure system telemetry persistent-subscriptions subscription named-item encoding keyword
Tree encoding

Description

This command specifies the encoding used for telemetry notifications as defined by the gNMI OpenConfig standard.

Options

json – JSON encoded text

bytes – Encoded according to gnmi.schemas

proto – Encoded with scalar TypedValue values

json-ietf – JSON encoded text as per RFC 7951

Default json
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

mode keyword
Synopsis Mode for telemetry notifications
Context configure system telemetry persistent-subscriptions subscription named-item mode keyword
Tree mode

Description

This command specifies the subscription path mode for telemetry notifications sent out for the persistent subscription.

Options target-defined, on-change, sample
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

originated-qos-marking keyword
Synopsis QoS marking used for telemetry notification packets
Context configure system telemetry persistent-subscriptions subscription named-item originated-qos-marking keyword
Tree originated-qos-marking
Options be, cp1, cp2, cp3, cp4, cp5, cp6, cp7, cs1, cp9, af11, cp11, af12, cp13, af13, cp15, cs2, cp17, af21, cp19, af22, cp21, af23, cp23, cs3, cp25, af31, cp27, af32, cp29, af33, cp31, cs4, cp33, af41, cp35, af42, cp37, af43, cp39, cs5, cp41, cp42, cp43, cp44, cp45, ef, cp47, nc1, cp49, cp50, cp51, cp52, cp53, cp54, cp55, nc2, cp57, cp58, cp59, cp60, cp61, cp62, cp63
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

sample-interval number
Synopsis Sampling interval for the persistent subscription
Context configure system telemetry persistent-subscriptions subscription named-item sample-interval number
Tree sample-interval

Description

This command configures the sampling interval for the persistent subscription. The interval applies only in sampling or target-defined modes.

Range 1000 to 18446744073709551615
Units milliseconds
Default 10000
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

sensor-group reference
Synopsis Sensor group used in the persistent subscription
Context configure system telemetry persistent-subscriptions subscription named-item sensor-group reference
Tree sensor-group

Description

This command specifies the sensor group to be used in the persistent subscription. If no valid paths exist in the sensor group, the configuration is accepted; however, no gRPC connection is established when the persistent subscription is activated.

Reference

configure system telemetry sensor-groups sensor-group named-item

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

sensor-groups
Synopsis Enter the sensor-groups context
Context configure system telemetry sensor-groups
Tree sensor-groups
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

sensor-group [name] named-item
Synopsis Enter the sensor-group list instance
Context configure system telemetry sensor-groups sensor-group named-item
Tree sensor-group
Max. instances 225
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

path [xpath] string
Synopsis Add a list entry for path
Context configure system telemetry sensor-groups sensor-group named-item path string
Tree path
Max. instances 4500
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[xpath] string
Synopsis gNMI path to be streamed
Context configure system telemetry sensor-groups sensor-group named-item path string
Tree path

Description

This command configures a path for the specified sensor group. Multiple paths can be defined for a single sensor group. Streamed data includes all descendants of the tree indicated by the path. The path is defined in the form of an XML Path (XPath) syntax that refers to single or multiple objects within the YANG model. The path must be enclosed in quotation marks (") when it includes a list key, for example, "/state/router[router-name=Base]".

String length 1 to 512

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

thresholds

Synopsis Enter the thresholds context
Context configure system thresholds
Tree thresholds
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

cflash-cap-alarm-percent [cflash-id] thresholds-cflash-url
Synopsis Enter the cflash-cap-alarm-percent list instance
Context configure system thresholds cflash-cap-alarm-percent thresholds-cflash-url
Tree cflash-cap-alarm-percent
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

falling-threshold number
Synopsis Falling threshold for the sampled statistic
Context configure system thresholds cflash-cap-alarm-percent thresholds-cflash-url falling-threshold number
Tree falling-threshold

Description

This command specifies a falling threshold for the sampled statistic. When the current sampled value is less than or equal to this threshold, and the value at the last sampling interval was greater than this threshold, a single threshold-crossing event is generated. A single threshold-crossing event is also generated if the first sample taken is less than or equal to this threshold and the associated startup-alarm command is set to falling or either.

After a falling threshold-crossing event is generated, another such event is not generated until the sampled value rises above this threshold and reaches or exceeds the rising-threshold value.

Range 0 to 100
Units percent
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

interval number
Synopsis Polling period over which data is sampled and compared
Context configure system thresholds cflash-cap-alarm-percent thresholds-cflash-url interval number
Tree interval

Description

This command specifies the polling interval over which the data is sampled and compared with the rising and falling thresholds.

Range 1 to 2147483647

Notes

This element is mandatory.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

rising-threshold number
Synopsis Rising threshold for the sampled statistic
Context configure system thresholds cflash-cap-alarm-percent thresholds-cflash-url rising-threshold number
Tree rising-threshold

Description

This command specifies a rising threshold for the sampled statistic. When the current sampled value is greater than or equal to this threshold, and the value at the last sampling interval was less than this threshold, a single threshold-crossing event is generated. A single threshold-crossing event is also generated if the first sample taken is greater than or equal to this threshold and the associated startup-alarm command is set to rising or either.

After a rising threshold-crossing event is generated, another such event is not generated until the sampled value falls below this threshold and reaches or falls below the falling-threshold value.

Range 0 to 100
Units percent

Notes

This element is mandatory.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

startup-alarm keyword
Synopsis Alarm type when the alarm is first created
Context configure system thresholds cflash-cap-alarm-percent thresholds-cflash-url startup-alarm keyword
Tree startup-alarm

Description

This command specifies the alarm type that may be sent when this alarm is first created.

If the first sample is greater than or equal to the rising threshold value and startup-alarm is equal to rising or either, a single rising threshold crossing event is generated.

If the first sample is less than or equal to the falling threshold value and startup-alarm is equal to falling or either, a single falling threshold crossing event is generated.

Options rising, falling, either
Default either
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

cflash-cap-warn-percent [cflash-id] thresholds-cflash-url
Synopsis Enter the cflash-cap-warn-percent list instance
Context configure system thresholds cflash-cap-warn-percent thresholds-cflash-url
Tree cflash-cap-warn-percent

Description

Commands in this context configure the capacity monitoring of the compact flash. The usage is monitored as a percentage of the capacity of the compact flash. The severity level is warning. Both a rising and falling threshold can be specified. 

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

falling-threshold number
Synopsis Falling threshold for the sampled statistic
Context configure system thresholds cflash-cap-warn-percent thresholds-cflash-url falling-threshold number
Tree falling-threshold

Description

This command specifies a falling threshold for the sampled statistic. When the current sampled value is less than or equal to this threshold, and the value at the last sampling interval was greater than this threshold, a single threshold-crossing event is generated. A single threshold-crossing event is also generated if the first sample taken is less than or equal to this threshold and the associated startup-alarm command is set to falling or either.

After a falling threshold-crossing event is generated, another such event is not generated until the sampled value rises above this threshold and reaches or exceeds the rising-threshold value.

Range 0 to 100
Units percent
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

interval number
Synopsis Polling period over which data is sampled and compared
Context configure system thresholds cflash-cap-warn-percent thresholds-cflash-url interval number
Tree interval

Description

This command specifies the polling interval over which the data is sampled and compared with the rising and falling thresholds.

Range 1 to 2147483647

Notes

This element is mandatory.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

rising-threshold number
Synopsis Rising threshold for the sampled statistic
Context configure system thresholds cflash-cap-warn-percent thresholds-cflash-url rising-threshold number
Tree rising-threshold

Description

This command specifies a rising threshold for the sampled statistic. When the current sampled value is greater than or equal to this threshold, and the value at the last sampling interval was less than this threshold, a single threshold-crossing event is generated. A single threshold-crossing event is also generated if the first sample taken is greater than or equal to this threshold and the associated startup-alarm command is set to rising or either.

After a rising threshold-crossing event is generated, another such event is not generated until the sampled value falls below this threshold and reaches or falls below the falling-threshold value.

Range 0 to 100
Units percent

Notes

This element is mandatory.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

startup-alarm keyword
Synopsis Alarm type when the alarm is first created
Context configure system thresholds cflash-cap-warn-percent thresholds-cflash-url startup-alarm keyword
Tree startup-alarm

Description

This command specifies the alarm type that may be sent when this alarm is first created.

If the first sample is greater than or equal to the rising threshold value and startup-alarm is equal to rising or either, a single rising threshold crossing event is generated.

If the first sample is less than or equal to the falling threshold value and startup-alarm is equal to falling or either, a single falling threshold crossing event is generated.

Options rising, falling, either
Default either
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

kb-memory-use-alarm
Synopsis Enable the kb-memory-use-alarm context
Context configure system thresholds kb-memory-use-alarm
Tree kb-memory-use-alarm
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

falling-threshold number
Synopsis Falling threshold for the sampled statistic
Context configure system thresholds kb-memory-use-alarm falling-threshold number
Tree falling-threshold

Description

This command specifies a falling threshold for the sampled statistic. When the current sampled value is less than or equal to this threshold, and the value at the last sampling interval was greater than this threshold, a single threshold-crossing event is generated. A single threshold-crossing event is also generated if the first sample taken is less than or equal to this threshold and the associated startup-alarm command is set to falling or either.

After a falling threshold-crossing event is generated, another such event is not generated until the sampled value rises above this threshold and reaches or exceeds the rising-threshold value.

Range -2147483648 to 2147483647
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

interval number
Synopsis Polling period over which data is sampled and compared
Context configure system thresholds kb-memory-use-alarm interval number
Tree interval

Description

This command specifies the polling interval over which the data is sampled and compared with the rising and falling thresholds.

Range 1 to 2147483647

Notes

This element is mandatory.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

rising-threshold number
Synopsis Rising threshold for the sampled statistic
Context configure system thresholds kb-memory-use-alarm rising-threshold number
Tree rising-threshold

Description

This command specifies a rising threshold for the sampled statistic. When the current sampled value is greater than or equal to this threshold, and the value at the last sampling interval was less than this threshold, a single threshold-crossing event is generated. A single threshold-crossing event is also generated if the first sample taken is greater than or equal to this threshold and the associated startup-alarm command is set to rising or either.

After a rising threshold-crossing event is generated, another such event is not generated until the sampled value falls below this threshold and reaches or falls below the falling-threshold value.

Range -2147483648 to 2147483647

Notes

This element is mandatory.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

startup-alarm keyword
Synopsis Alarm type when the alarm is first created
Context configure system thresholds kb-memory-use-alarm startup-alarm keyword
Tree startup-alarm

Description

This command specifies the alarm type that may be sent when this alarm is first created.

If the first sample is greater than or equal to the rising threshold value and startup-alarm is equal to rising or either, a single rising threshold crossing event is generated.

If the first sample is less than or equal to the falling threshold value and startup-alarm is equal to falling or either, a single falling threshold crossing event is generated.

Options rising, falling, either
Default either
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

kb-memory-use-warn
Synopsis Enable the kb-memory-use-warn context
Context configure system thresholds kb-memory-use-warn
Tree kb-memory-use-warn
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

falling-threshold number
Synopsis Falling threshold for the sampled statistic
Context configure system thresholds kb-memory-use-warn falling-threshold number
Tree falling-threshold

Description

This command specifies a falling threshold for the sampled statistic. When the current sampled value is less than or equal to this threshold, and the value at the last sampling interval was greater than this threshold, a single threshold-crossing event is generated. A single threshold-crossing event is also generated if the first sample taken is less than or equal to this threshold and the associated startup-alarm command is set to falling or either.

After a falling threshold-crossing event is generated, another such event is not generated until the sampled value rises above this threshold and reaches or exceeds the rising-threshold value.

Range -2147483648 to 2147483647
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

interval number
Synopsis Polling period over which data is sampled and compared
Context configure system thresholds kb-memory-use-warn interval number
Tree interval

Description

This command specifies the polling interval over which the data is sampled and compared with the rising and falling thresholds.

Range 1 to 2147483647

Notes

This element is mandatory.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

rising-threshold number
Synopsis Rising threshold for the sampled statistic
Context configure system thresholds kb-memory-use-warn rising-threshold number
Tree rising-threshold

Description

This command specifies a rising threshold for the sampled statistic. When the current sampled value is greater than or equal to this threshold, and the value at the last sampling interval was less than this threshold, a single threshold-crossing event is generated. A single threshold-crossing event is also generated if the first sample taken is greater than or equal to this threshold and the associated startup-alarm command is set to rising or either.

After a rising threshold-crossing event is generated, another such event is not generated until the sampled value falls below this threshold and reaches or falls below the falling-threshold value.

Range -2147483648 to 2147483647

Notes

This element is mandatory.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

startup-alarm keyword
Synopsis Alarm type when the alarm is first created
Context configure system thresholds kb-memory-use-warn startup-alarm keyword
Tree startup-alarm

Description

This command specifies the alarm type that may be sent when this alarm is first created.

If the first sample is greater than or equal to the rising threshold value and startup-alarm is equal to rising or either, a single rising threshold crossing event is generated.

If the first sample is less than or equal to the falling threshold value and startup-alarm is equal to falling or either, a single falling threshold crossing event is generated.

Options rising, falling, either
Default either
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

rmon
Synopsis Enter the rmon context
Context configure system thresholds rmon
Tree rmon
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

alarm [rmon-alarm-id] number
Synopsis Enter the alarm list instance
Context configure system thresholds rmon alarm number
Tree alarm
Max. instances 1200
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[rmon-alarm-id] number
Synopsis Index ID for an entry in the alarm table
Context configure system thresholds rmon alarm number
Tree alarm
Range 0 to 65400

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

falling-threshold number
Synopsis Falling threshold for the sampled statistic
Context configure system thresholds rmon alarm number falling-threshold number
Tree falling-threshold

Description

This command specifies a falling threshold for the sampled statistic. When the current sampled value is less than or equal to this threshold and the value at the last sampling interval was greater than this threshold, a single threshold crossing event is generated. A single threshold crossing event is also generated if the first sample taken is less than or equal to this threshold and the associated startup-alarm command is set to falling or either.

After a falling threshold crossing event is generated, another such event is not generated until the sampled value exceeds this threshold and reaches or exceeds the rising-threshold command setting.

Range -2147483648 to 2147483647
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

interval number
Synopsis Polling period over which data is sampled and compared
Context configure system thresholds rmon alarm number interval number
Tree interval

Description

This command specifies the polling interval over which the data is sampled and compared with the rising and falling thresholds.

Range 1 to 2147483647

Notes

This element is mandatory.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

owner string
Synopsis Owner that created this entry and uses the resources
Context configure system thresholds rmon alarm number owner string
Tree owner
String length 1 to 80
Default TiMOS CLI
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

rising-threshold number
Synopsis Rising threshold for the sampled statistic
Context configure system thresholds rmon alarm number rising-threshold number
Tree rising-threshold

Description

This command specifies the rising threshold for the sampled statistic. When the current sampled value is greater than or equal to this threshold and the value at the last sampling interval was below this threshold, a single threshold crossing event is generated. A single threshold crossing event is also generated if the first sample taken is greater than or equal to this threshold and the associated startup-alarm command is set to rising or either.

After a rising threshold crossing event is generated, another such event is not generated until the sampled value falls below this threshold and reaches or falls below the falling-threshold command setting.

Range -2147483648 to 2147483647
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

sample-type keyword
Synopsis Sampling type for value comparison with thresholds
Context configure system thresholds rmon alarm number sample-type keyword
Tree sample-type
Options absolute, delta
Default absolute
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

startup-alarm keyword
Synopsis Alarm to send when this entry is first set to valid
Context configure system thresholds rmon alarm number startup-alarm keyword
Tree startup-alarm
Options rising, falling, either
Default either
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

variable-oid string
Synopsis Object identifier to sample the specific variable
Context configure system thresholds rmon alarm number variable-oid string
Tree variable-oid
String length 1 to 255

Notes

This element is mandatory.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

event [rmon-event-id] number
Synopsis Enter the event list instance
Context configure system thresholds rmon event number
Tree event
Max. instances 1200
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[rmon-event-id] number
Synopsis Index ID for an entry in the event table
Context configure system thresholds rmon event number
Tree event
Range 1 to 65400

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

event-type keyword
Synopsis Notification action to be taken when the event occurs
Context configure system thresholds rmon event number event-type keyword
Tree event-type
Options none, log, trap, both
Default both
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

owner string
Synopsis Owner that created this entry and uses the resources
Context configure system thresholds rmon event number owner string
Tree owner
String length 1 to 80
Default TiMOS CLI
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

time

Synopsis Enter the time context
Context configure system time
Tree time
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

daylight-saving-time-zone
Synopsis Enter the daylight-saving-time-zone context
Context configure system time daylight-saving-time-zone
Tree daylight-saving-time-zone

Description

Commands in this context configure the start and end dates and offset for summer time (or Daylight Savings Time [DST]).

A daylight savings time zone can be specified using a standard name or a non-standard name. The parameters (start day, end day, and offset) for a standard name zone are well defined and not configurable. The parameters for a nonstandard name zone are configurable. The time is adjusted by adding the offset when summer time starts and subtracting the offset when summer time ends.

If no summer (daylight savings) time is supplied, the system assumes no summer time adjustment is required.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

non-standard
Synopsis Enter the non-standard context
Context configure system time daylight-saving-time-zone non-standard
Tree non-standard

Notes

The following elements are part of a choice: non-standard or standard.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

end
Synopsis Enter the end context
Context configure system time daylight-saving-time-zone non-standard end
Tree end

Description

Commands in this context configure the end of summer time settings.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

month keyword
Synopsis Month when summer time ends
Context configure system time daylight-saving-time-zone non-standard end month keyword
Tree month
Options january, february, march, april, may, june, july, august, september, october, november, december
Default january
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

offset number
Synopsis Summer time offset
Context configure system time daylight-saving-time-zone non-standard offset number
Tree offset

Description

This command configures the number of minutes that are added to the time when summer time takes effect. The same number of minutes is subtracted from the time when summer time ends.

Range 0 to 60
Units minutes
Default 60
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

start
Synopsis Enter the start context
Context configure system time daylight-saving-time-zone non-standard start
Tree start

Description

Commands in this context configure the start of summer time settings.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

month keyword
Synopsis Month when summer time starts
Context configure system time daylight-saving-time-zone non-standard start month keyword
Tree month
Options january, february, march, april, may, june, july, august, september, october, november, december
Default january
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

standard
Synopsis Enter the standard context
Context configure system time daylight-saving-time-zone standard
Tree standard

Notes

The following elements are part of a choice: non-standard or standard.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

name keyword
Synopsis Standard time zone name
Context configure system time daylight-saving-time-zone standard name keyword
Tree name
Options

adt – Atlantic Daylight Time

ndt – Newfoundland Daylight Time

akdt – Alaska Daylight Time

cdt – Central Daylight Time

cest – Central European Summer Time

edt – Eastern Daylight Time

eest – Eastern European Summer Time

mdt – Mountain Daylight Time

nzdt – New Zealand Daylight Time

pdt – Pacific Daylight Time

west – Western European Summer Time

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

ntp
Synopsis Enable the ntp context
Context configure system time ntp
Tree ntp
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

admin-state keyword
Synopsis Administrative state of NTP execution
Context configure system time ntp admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

authentication-key [key-id] number
Synopsis Enter the authentication-key list instance
Context configure system time ntp authentication-key number
Tree authentication-key
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[key-id] number
Synopsis Authentication key ID used for NTP packets
Context configure system time ntp authentication-key number
Tree authentication-key
Range 1 to 255

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

key encrypted-leaf
Synopsis Key to authenticate NTP packets
Context configure system time ntp authentication-key number key encrypted-leaf
Tree key
String length 1 to 71

Notes

This element is mandatory.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

type keyword
Synopsis Authentication method to authenticate NTP packets
Context configure system time ntp authentication-key number type keyword
Tree type
Options des, message-digest

Notes

This element is mandatory.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

authentication-keychain reference
Synopsis Authentication keychain for unsolicited traffic
Context configure system time ntp authentication-keychain reference
Tree authentication-keychain

Description

This command configures the authentication keychain used to handle unsolicited NTP requests.

If a request is received with a key ID that matches both a configured key and the keychain, the MAC is checked first using the key information. If the authentication fails, the MAC is checked using the information from the keychain.

Reference

configure system security keychains keychain named-item

Introduced 25.3.R2

Platforms

7705 SAR Gen 2
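
The check order described above (configured key first, then keychain, when a key ID matches both), as an added Python example that is not Nokia code. Function names and sample secrets are constructed; it assumes the classic NTP symmetric-key MAC of hash(secret || header), that type message-digest means MD5, and that the keychain entry uses SHA-1, none of which this page states.

```python
import hashlib
import hmac
import struct
from typing import Dict, Tuple

HEADER_LEN = 48  # fixed NTP header; the key ID and MAC follow it
KeyTable = Dict[int, Tuple[str, bytes]]  # key ID -> (hash name, secret)


def keyed_digest(algo: str, secret: bytes, header: bytes) -> bytes:
    """NTP symmetric-key MAC (assumed form): hash(secret || header)."""
    return hashlib.new(algo, secret + header).digest()


def sign(header: bytes, key_id: int, algo: str, secret: bytes) -> bytes:
    """Append a 32-bit key ID and the MAC to a 48-byte header."""
    return header + struct.pack("!I", key_id) + keyed_digest(algo, secret, header)


def verify(packet: bytes, auth_keys: KeyTable, keychain: KeyTable) -> Tuple[bool, str]:
    """Return (accepted, reason) for a received packet."""
    header, trailer = packet[:HEADER_LEN], packet[HEADER_LEN:]
    if len(header) < HEADER_LEN:
        return False, "short packet"
    if not auth_keys and not keychain:
        # Neither a key ID nor a keychain is set: no authentication is performed.
        return True, "no authentication configured"
    if len(trailer) <= 4:
        # This example's choice: with authentication configured, a packet
        # that carries no MAC is rejected.
        return False, "missing MAC"
    key_id = struct.unpack("!I", trailer[:4])[0]
    mac = trailer[4:]
    # Order matters: the configured authentication-key is tried first and
    # the keychain is consulted only if that check fails.
    for source, table in (("authentication-key", auth_keys), ("keychain", keychain)):
        if key_id in table:
            algo, secret = table[key_id]
            # Constant-time comparison avoids leaking how many bytes matched.
            if hmac.compare_digest(keyed_digest(algo, secret, header), mac):
                return True, source
    return False, "MAC check failed"


# Constructed sample data: key ID 10 exists in both tables with different secrets.
HEADER = bytes([0x23]) + bytes(47)  # LI=0, VN=4, mode=3 (client), rest zero
AUTH_KEYS: KeyTable = {10: ("md5", b"static-secret")}
KEYCHAIN: KeyTable = {10: ("sha1", b"keychain-secret")}

if __name__ == "__main__":
    print(verify(sign(HEADER, 10, "md5", b"static-secret"), AUTH_KEYS, KEYCHAIN))
    print(verify(sign(HEADER, 10, "sha1", b"keychain-secret"), AUTH_KEYS, KEYCHAIN))
```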

broadcast [router-instance] reference interface-name interface-name
Synopsis Enter the broadcast list instance
Context configure system time ntp broadcast reference interface-name interface-name
Tree broadcast
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[router-instance] reference
Synopsis Router name
Context configure system time ntp broadcast reference interface-name interface-name
Tree broadcast

Reference

configure router named-item-64

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

interface-name interface-name
Synopsis Interface to transmit or receive NTP broadcast packets
Context configure system time ntp broadcast reference interface-name interface-name
Tree broadcast
String length 1 to 32

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

authentication-keychain reference
Synopsis Keychain used to authenticate broadcast messages
Context configure system time ntp broadcast reference interface-name interface-name authentication-keychain reference
Tree authentication-keychain

Description

This command configures the keychain used to authenticate messages sent by this node.

The keychain infrastructure is queried using this keychain name to get the youngest key used for generating the authentication value for the message. When an NTP packet is received by this node, the keychain infrastructure is queried using the keychain name and the key ID extracted from the received message to get the key used to perform the authentication check. If authentication does not pass, the packet is rejected. Keychain entries also have a direction. The key ID and authentication keychain are mutually exclusive. When neither one is set (for example, the key ID has a value of '0' and the value of this command is empty), no authentication is performed.

Reference

configure system security keychains keychain named-item

Notes

The following elements are part of a choice: authentication-keychain or key-id.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

ttl number
Synopsis TTL of messages transmitted by the broadcast address
Context configure system time ntp broadcast reference interface-name interface-name ttl number
Tree ttl
Range 1 to 255
Default 127
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

broadcast-client [router-instance] string interface-name interface-name
Synopsis Enter the broadcast-client list instance
Context configure system time ntp broadcast-client string interface-name interface-name
Tree broadcast-client
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

interface-name interface-name
Synopsis Interface to transmit or receive NTP broadcast packets
Context configure system time ntp broadcast-client string interface-name interface-name
Tree broadcast-client
String length 1 to 32

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

multicast
Synopsis Enable the multicast context
Context configure system time ntp multicast
Tree multicast
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

authentication-keychain reference
Synopsis Keychain used to authenticate broadcast messages
Context configure system time ntp multicast authentication-keychain reference
Tree authentication-keychain

Description

This command configures the keychain used to authenticate messages sent by this node.

The keychain infrastructure is queried using this keychain name to get the youngest key used for generating the authentication value for the message. When an NTP packet is received by this node, the keychain infrastructure is queried using the keychain name and the key ID extracted from the received message to get the key used to perform the authentication check. If authentication does not pass, the packet is rejected. Keychain entries also have a direction. The key ID and authentication keychain are mutually exclusive. When neither one is set (for example, the key ID has a value of '0' and the value of this command is empty), no authentication is performed.

Reference

configure system security keychains keychain named-item

Notes

The following elements are part of a choice: authentication-keychain or key-id.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

key-id reference
Synopsis Authentication key and type used by the node
Context configure system time ntp multicast key-id reference
Tree key-id

Reference

configure system time ntp authentication-key number

Notes

The following elements are part of a choice: authentication-keychain or key-id.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

version number
Synopsis NTP version number generated by the node
Context configure system time ntp multicast version number
Tree version

Description

This command specifies the NTP version number that is generated by the node. This command does not need to be configured when in client mode, in which case all three versions are accepted.

Range 2 to 4
Default 4
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

peer [ip-address] (ipv4-address-no-zone | ipv6-address-no-zone) router-instance string
Synopsis Enter the peer list instance
Context configure system time ntp peer (ipv4-address-no-zone | ipv6-address-no-zone) router-instance string
Tree peer
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[ip-address] (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis IP address of the peer for a peering relationship
Context configure system time ntp peer (ipv4-address-no-zone | ipv6-address-no-zone) router-instance string
Tree peer

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

router-instance string
Synopsis Router name or VPRN service name
Context configure system time ntp peer (ipv4-address-no-zone | ipv6-address-no-zone) router-instance string
Tree peer

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

authentication-keychain reference
Synopsis Keychain used to authenticate broadcast messages
Context configure system time ntp peer (ipv4-address-no-zone | ipv6-address-no-zone) router-instance string authentication-keychain reference
Tree authentication-keychain

Description

This command configures the keychain used to authenticate messages sent by this node.

The keychain infrastructure is queried using this keychain name to get the youngest key used for generating the authentication value for the message. When an NTP packet is received by this node, the keychain infrastructure is queried using the keychain name and the key ID extracted from the received message to get the key used to perform the authentication check. If authentication does not pass, the packet is rejected. Keychain entries also have a direction. The key ID and authentication keychain are mutually exclusive. When neither one is set (for example, the key ID has a value of '0' and the value of this command is empty), no authentication is performed.

Reference

configure system security keychains keychain named-item

Notes

The following elements are part of a choice: authentication-keychain or key-id.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

key-id reference
Synopsis Authentication key and type used by the node
Context configure system time ntp peer (ipv4-address-no-zone | ipv6-address-no-zone) router-instance string key-id reference
Tree key-id

Reference

configure system time ntp authentication-key number

Notes

The following elements are part of a choice: authentication-keychain or key-id.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

prefer boolean
Synopsis Set NTP server as preferred to receive time
Context configure system time ntp peer (ipv4-address-no-zone | ipv6-address-no-zone) router-instance string prefer boolean
Tree prefer
Default false
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

version number
Synopsis NTP version number generated by the node
Context configure system time ntp peer (ipv4-address-no-zone | ipv6-address-no-zone) router-instance string version number
Tree version

Description

This command specifies the NTP version number that is generated by the node. This command does not need to be configured when in client mode, in which case all three versions are accepted.

Range 2 to 4
Default 4
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

server [ip-address] (ipv4-address-no-zone | ipv6-address-no-zone | keyword) router-instance string
Synopsis Enter the server list instance
Context configure system time ntp server (ipv4-address-no-zone | ipv6-address-no-zone | keyword) router-instance string
Tree server
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[ip-address] (ipv4-address-no-zone | ipv6-address-no-zone | keyword)
Synopsis IP address of an external NTP server
Context configure system time ntp server (ipv4-address-no-zone | ipv6-address-no-zone | keyword) router-instance string
Tree server
Options ptp

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

router-instance string
Synopsis Router name or VPRN service name
Context configure system time ntp server (ipv4-address-no-zone | ipv6-address-no-zone | keyword) router-instance string
Tree server

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

authentication-keychain reference
Synopsis Keychain used to authenticate broadcast messages
Context configure system time ntp server (ipv4-address-no-zone | ipv6-address-no-zone | keyword) router-instance string authentication-keychain reference
Tree authentication-keychain

Description

This command configures the keychain used to authenticate messages sent by this node.

The keychain infrastructure is queried using this keychain name to get the youngest key used for generating the authentication value for the message. When an NTP packet is received by this node, the keychain infrastructure is queried using the keychain name and the key ID extracted from the received message to get the key used to perform the authentication check. If authentication does not pass, the packet is rejected. Keychain entries also have a direction. The key ID and authentication keychain are mutually exclusive. When neither one is set (for example, the key ID has a value of '0' and the value of this command is empty), no authentication is performed.

Reference

configure system security keychains keychain named-item

Notes

The following elements are part of a choice: authentication-keychain or key-id.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

key-id reference
Synopsis Authentication key and type used by the node
Context configure system time ntp server (ipv4-address-no-zone | ipv6-address-no-zone | keyword) router-instance string key-id reference
Tree key-id

Reference

configure system time ntp authentication-key number

Notes

The following elements are part of a choice: authentication-keychain or key-id.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

prefer boolean
Synopsis Set NTP server as preferred to receive time
Context configure system time ntp server (ipv4-address-no-zone | ipv6-address-no-zone | keyword) router-instance string prefer boolean
Tree prefer
Default false
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

version number
Synopsis NTP version number generated by the node
Context configure system time ntp server (ipv4-address-no-zone | ipv6-address-no-zone | keyword) router-instance string version number
Tree version

Description

This command specifies the NTP version number that is generated by the node. This command does not need to be configured when in client mode, in which case all three versions are accepted.

Range 2 to 4
Default 4
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

prefer-local-time boolean
Synopsis Use local time over UTC time in the system
Context configure system time prefer-local-time boolean
Tree prefer-local-time

Description

When configured to true, the system uses local time. This preference is applied to objects such as log file names, created and completed times reported in log files, NETCONF and gRPC date-and-time leafs, and rollback times displayed in show command outputs.

When configured to false, the system uses UTC time.

Note: The timezone used for show command outputs during a CLI session can be controlled using the environment time-display command.

Note: The format used for the date-time strings may change, depending on the command setting. For example, when this command is set to true, all date-time strings include a suffix of three to five characters that indicates the timezone used.

Note: The time format for timestamps on log events is controlled on a per-log basis, using the configure log log-id time-format command.

Default false
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

sntp
Synopsis Enter the sntp context
Context configure system time sntp
Tree sntp
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

admin-state keyword
Synopsis Administrative state of SNTP
Context configure system time sntp admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

server [ip-address] (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis Enter the server list instance
Context configure system time sntp server (ipv4-address-no-zone | ipv6-address-no-zone)
Tree server
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[ip-address] (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis IP address of the SNTP server
Context configure system time sntp server (ipv4-address-no-zone | ipv6-address-no-zone)
Tree server

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

interval number
Synopsis Frequency of querying the server
Context configure system time sntp server (ipv4-address-no-zone | ipv6-address-no-zone) interval number
Tree interval
Range 64 to 1024
Units seconds
Default 64
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

prefer boolean
Synopsis Preference value for this SNTP server
Context configure system time sntp server (ipv4-address-no-zone | ipv6-address-no-zone) prefer boolean
Tree prefer
Default false
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

version number
Synopsis SNTP version supported by this server
Context configure system time sntp server (ipv4-address-no-zone | ipv6-address-no-zone) version number
Tree version
Range 1 to 3
Default 3
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

sntp-state keyword
Synopsis Mode for Simple Network Time Protocol (SNTP)
Context configure system time sntp sntp-state keyword
Tree sntp-state
Options unicast, broadcast
Default unicast
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

zone
Synopsis Enter the zone context
Context configure system time zone
Tree zone
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

non-standard
Synopsis Enter the non-standard context
Context configure system time zone non-standard
Tree non-standard

Notes

The following elements are part of a choice: non-standard or standard.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

name string
Synopsis Non-standard time zone name
Context configure system time zone non-standard name string
Tree name
String length 1 to 5
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

offset hours-minutes-with-range
Synopsis Offset from UTC
Context configure system time zone non-standard offset hours-minutes-with-range
Tree offset
String length 5 to 6
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

standard
Synopsis Enter the standard context
Context configure system time zone standard
Tree standard

Notes

The following elements are part of a choice: non-standard or standard.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

name keyword
Synopsis Standard time zone name
Context configure system time zone standard name keyword
Tree name
Options hst, akst, pst, mst, cst, est, ast, nst, utc, gmt, wet, cet, eet, msk, msd, awst, acst, aest, nzst
Default utc
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

transmission-profile [name] named-item

Synopsis Enter the transmission-profile list instance
Context configure system transmission-profile named-item
Tree transmission-profile
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[name] named-item
Synopsis File transmission profile name
Context configure system transmission-profile named-item
Tree transmission-profile
String length 1 to 32

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

retry number
Synopsis Number of attempts to reconnect to the server
Context configure system transmission-profile named-item retry number
Tree retry
Range 1 to 256
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

router-instance router-instance-base-management-vprn-loose
Synopsis Router instance used by the transport protocol
Context configure system transmission-profile named-item router-instance router-instance-base-management-vprn-loose
Tree router-instance
String length 1 to 64
Default Base
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

timeout number
Synopsis Timeout for a response from the server
Context configure system transmission-profile named-item timeout number
Tree timeout
Range 1 to 3600
Units seconds
Default 60
Introduced 25.3.R2

Platforms

7705 SAR Gen 2

usb [usb-cflash] keyword

Synopsis Enter the usb list instance
Context configure system usb keyword
Tree usb

Description

Commands in this context configure the operational state of the USB port.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

[usb-cflash] keyword
Synopsis Specifies the compact flash ID
Context configure system usb keyword
Tree usb
Options cf2

Notes

This element is part of a list key.

Introduced 25.3.R2

Platforms

7705 SAR Gen 2

admin-state keyword
Synopsis Administrative state of the USB port
Context configure system usb keyword admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 25.3.R2

Platforms

7705 SAR Gen 2