c Commands

ca-name

ca-name

Syntax

ca-name ca-name

no ca-name

Context

[Tree] (config>port>ethernet>dot1x>macsec>sub-port ca-name)

Full Context

configure port ethernet dot1x macsec sub-port ca-name

Description

This command configures the Connectivity Association (CA) linked to this MACsec sub-port. The specified CA provides the MACsec parameters to be used or negotiated with other peers.

The no form of this command removes the CA from the MACsec sub-port.

Parameters

ca-name

Specifies the CA to be used under this MACsec sub-port, up to 32 characters.

Platforms

7705 SAR Gen 2

ca-profile

ca-profile

Syntax

[no] ca-profile name

Context

[Tree] (config>ipsec>cert-profile>entry>send-chain ca-profile)

Full Context

configure ipsec cert-profile entry send-chain ca-profile

Description

This command specifies a CA certificate in the specified ca-profile to be sent to the peer.

Multiple configurations (up to seven) of this command are allowed in the same entry.

Parameters

name

Specifies the profile name up to 32 characters.

Platforms

7705 SAR Gen 2

ca-profile

Syntax

ca-profile name [create]

no ca-profile name

Context

[Tree] (config>system>security>pki ca-profile)

Full Context

configure system security pki ca-profile

Description

This command creates a new ca-profile or enters the configuration context of an existing ca-profile. Up to 128 ca-profiles can be created in the system. Shutting down a ca-profile does not affect an ipsec-tunnel or ipsec-gw that is associated with the ca-profile and is already up and running. However, any authentication performed afterwards fails while the ca-profile is shut down.

Executing a no shutdown command in this context causes the system to reload the configured cert-file and crl-file.

A ca-profile can be applied under the ipsec-tunnel or ipsec-gw configuration.

The no form of this command removes the name parameter from the configuration. A ca-profile cannot be removed until all the associated entities (ipsec-tunnel/gw) have been removed.

Parameters

name

Specifies the name of the ca-profile up to 32 characters.

create

Keyword used to create a new ca-profile. The create keyword requirement can be enabled or disabled in the environment>create context.

Platforms

7705 SAR Gen 2

ca-profile

Syntax

[no] ca-profile profile-name

Context

[Tree] (debug>certificate>auto-crl-update ca-profile)

[Tree] (debug>certificate>cmpv2 ca-profile)

[Tree] (debug>certificate>ocsp ca-profile)

Full Context

debug certificate auto-crl-update ca-profile

debug certificate cmpv2 ca-profile

debug certificate ocsp ca-profile

Description

This command enables debug output for the specified CA profile.

  • The protection method of each message is logged.

  • All HTTP messages are logged. The format allows offline analysis using Wireshark.

  • In the event of failed transactions, saved certificates are not deleted from the file system, so that they remain available for further debugging and analysis.

  • The system allows CMPv2 debugging for multiple ca-profiles at the same time.

Parameters

profile-name

Specifies the name of the CA profile, up to 32 characters.

Platforms

7705 SAR Gen 2

ca-profile

Syntax

[no] ca-profile name

Context

[Tree] (config>system>security>tls>cert-profile>entry>send-chain ca-profile)

Full Context

configure system security tls cert-profile entry send-chain ca-profile

Description

This command enables a certificate authority (CA) certificate in the specified CA profile to be sent to the peer. Up to seven configurations of this command are permitted in the same entry.

The no form of the command disables the transmission of a CA certificate from the specified CA profile.

Parameters

name

Specifies the name of the certificate authority profile, up to 32 characters in length.

Platforms

7705 SAR Gen 2

cacert

cacert

Syntax

cacert est-profile name output output-cert-filename [force]

Context

[Tree] (admin>certificate>est cacert)

Full Context

admin certificate est cacert

Description

This command downloads a Certificate Authority (CA) certificate from an EST server specified by the EST profile. The downloaded certificate is imported and saved with the filename specified by the output-cert-filename.

Parameters

name

Specifies the EST profile name, up to 32 characters.

output-cert-filename

Specifies the filename of the resulting CA certificate, up to 200 characters.

force

Overwrites the existing file with the same filename.

Platforms

7705 SAR Gen 2

cache-reset

cache-reset

Syntax

[no] cache-reset

Context

[Tree] (debug>router>rpki-session>packet cache-reset)

Full Context

debug router rpki-session packet cache-reset

Description

This command enables debugging for cache reset RPKI packets.

The no form of this command disables debugging for cache reset RPKI packets.

Platforms

7705 SAR Gen 2

cache-response

cache-response

Syntax

[no] cache-response

Context

[Tree] (debug>router>rpki-session>packet cache-response)

Full Context

debug router rpki-session packet cache-response

Description

This command enables debugging for cache response RPKI packets.

The no form of this command disables debugging for cache response RPKI packets.

Platforms

7705 SAR Gen 2

cak

cak

Syntax

cak hex-string [hash | hash2 | custom]

no cak

Context

[Tree] (config>macsec>conn-assoc>static-cak>pre-shared-key cak)

Full Context

configure macsec connectivity-association static-cak pre-shared-key cak

Description

Specifies the connectivity association key (CAK) for a pre-shared key. Two values are derived from the CAK:

  • Key Encryption Key (KEK): used to encrypt the MKA and SAK (symmetric key used for data path PDUs) to be distributed between all members.

  • Integrity Check Value (ICK): used to authenticate the MKA and SAK PDUs to be distributed between all members.

The no form of this command removes the value.

Parameters

hex-string

Specifies the value of the CAK.

Values

up to 64 hexadecimal characters, 32 hexadecimal characters for 128-bit key and 64 hexadecimal characters for 256-bit key

hash

Keyword, specifying the hash scheme.

hash2

Keyword, specifying the hash scheme.

custom

Specifies the custom encryption for the management interface.

Platforms

7705 SAR Gen 2

called-station-id

called-station-id

Syntax

[no] called-station-id

Context

[Tree] (config>ipsec>rad-auth-plcy>include called-station-id)

[Tree] (config>ipsec>rad-acct-plcy>include called-station-id)

Full Context

configure ipsec radius-authentication-policy include-radius-attribute called-station-id

configure ipsec radius-accounting-policy include-radius-attribute called-station-id

Description

This command includes called station ID attributes.

The no form of this command excludes called station ID attributes.

Default

no called-station-id

Platforms

7705 SAR Gen 2

calling-station-id

calling-station-id

Syntax

[no] calling-station-id

Context

[Tree] (config>ipsec>rad-auth-plcy>include calling-station-id)

[Tree] (config>ipsec>rad-acct-plcy>include calling-station-id)

Full Context

configure ipsec radius-authentication-policy include-radius-attribute calling-station-id

configure ipsec radius-accounting-policy include-radius-attribute calling-station-id

Description

This command enables the inclusion of the calling-station-id attribute in RADIUS authentication requests and RADIUS accounting messages.

Default

no calling-station-id

Platforms

7705 SAR Gen 2

cancel-commit

cancel-commit

Syntax

[no] cancel-commit

Context

[Tree] (configure>system>security>profile>netconf>base-op-authorization cancel-commit)

Full Context

configure system security profile netconf base-op-authorization cancel-commit

Description

This command enables the NETCONF <cancel-commit> RPC.

The no form of this command disables the RPC.

Default

no cancel-commit

Note:

The operation is enabled by default in the built-in system-generated administrative profile.

Platforms

7705 SAR Gen 2

candidate

candidate

Syntax

candidate

Context

[Tree] (candidate)

Full Context

candidate

Description

Commands in this context edit candidate configurations.

Commands in the candidate CLI branch, except candidate edit, are available only when in edit-cfg mode.

Platforms

7705 SAR Gen 2

candidate

Syntax

[no] candidate

Context

[Tree] (config>system>netconf>capabilities candidate)

Full Context

configure system netconf capabilities candidate

Description

This command allows the SR OS NETCONF server to access the candidate configuration datastore. Configuring this command also enables using commit and discard-changes.

When configure system management-interface configuration-mode is set to classic, the candidate capability is disabled, even if this command is configured.

The no form of the command disables the SR OS NETCONF server from accessing the candidate datastore. If the candidate is disabled, requests that reference the candidate datastore return an error, and when a NETCONF client establishes a new session, the candidate capability is not advertised in the SR OS NETCONF Hello message.

Default

candidate

Platforms

7705 SAR Gen 2
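The statement above that a disabled candidate capability is not advertised in the Hello message can be checked from the client side. The following is an added example, not Nokia code: the two Hello messages are constructed samples, and `candidate_expected` is a hypothetical audit input that states what the hardening baseline intends.

```python
import xml.etree.ElementTree as ET

NC_BASE_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
CAP_CANDIDATE = "urn:ietf:params:netconf:capability:candidate:1.0"
CAP_CONFIRMED_COMMIT = "urn:ietf:params:netconf:capability:confirmed-commit:1.1"
EOM = "]]>]]>"  # NETCONF 1.0 end-of-message framing (RFC 6242)

# Constructed sample: a server that advertises the candidate datastore.
HELLO_CANDIDATE_ON = """
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <capabilities>
    <capability>urn:ietf:params:netconf:base:1.0</capability>
    <capability>urn:ietf:params:netconf:base:1.1</capability>
    <capability>urn:ietf:params:netconf:capability:candidate:1.0</capability>
    <capability>urn:ietf:params:netconf:capability:confirmed-commit:1.1</capability>
    <capability>urn:ietf:params:netconf:capability:with-defaults:1.0?basic-mode=explicit</capability>
  </capabilities>
  <session-id>17</session-id>
</hello>
]]>]]>
"""

# Constructed sample: candidate capability disabled, so it is not advertised.
HELLO_CANDIDATE_OFF = """
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <capabilities>
    <capability>urn:ietf:params:netconf:base:1.0</capability>
    <capability>urn:ietf:params:netconf:base:1.1</capability>
  </capabilities>
  <session-id>18</session-id>
</hello>
]]>]]>
"""


def hello_capabilities(raw):
    """Return the set of capability URIs (parameters stripped) in a <hello>."""
    text = raw.strip()
    if text.endswith(EOM):
        text = text[: -len(EOM)]
    # A NETCONF message never carries a DTD; refuse it before parsing so a
    # hostile or broken peer cannot feed entity definitions to the parser.
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ValueError("DTD content is not valid in a NETCONF message")
    root = ET.fromstring(text)
    if root.tag != "{%s}hello" % NC_BASE_NS:
        raise ValueError("not a NETCONF <hello>: %s" % root.tag)
    caps = set()
    for node in root.iter("{%s}capability" % NC_BASE_NS):
        uri = (node.text or "").strip()
        if uri:
            # Drop "?name=value" parameters so URIs compare exactly.
            caps.add(uri.split("?", 1)[0])
    return caps


def audit_hello(raw, candidate_expected):
    """Compare the advertised capabilities with the intended configuration.

    candidate_expected is a hypothetical baseline flag: True when the
    candidate capability is meant to be enabled on this node.
    """
    caps = hello_capabilities(raw)
    has_candidate = CAP_CANDIDATE in caps
    has_confirmed = CAP_CONFIRMED_COMMIT in caps
    findings = []
    if has_candidate and not candidate_expected:
        findings.append("candidate datastore is advertised but the baseline "
                        "expects it to be disabled")
    if candidate_expected and not has_candidate:
        findings.append("candidate capability is not advertised; requests "
                        "that reference the candidate datastore will fail")
    if has_confirmed and not has_candidate:
        # RFC 6241: confirmed-commit is only relevant together with candidate.
        findings.append("confirmed-commit advertised without candidate")
    return {"candidate": has_candidate,
            "confirmed_commit": has_confirmed,
            "findings": findings}


if __name__ == "__main__":
    for name, hello in (("on", HELLO_CANDIDATE_ON), ("off", HELLO_CANDIDATE_OFF)):
        print(name, audit_hello(hello, candidate_expected=False))
```
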

cannot-change-password

cannot-change-password

Syntax

[no] cannot-change-password

Context

[Tree] (config>system>security>user>console cannot-change-password)

Full Context

configure system security user console cannot-change-password

Description

This command allows a user the privilege to change their password for both FTP and console login.

To disable a user’s privilege to change their password, use the cannot-change-password form of this command.

Note:

The cannot-change-password flag is not replicated when a user copy is performed. A new-password-at-login flag is created instead.

Default

no cannot-change-password

Platforms

7705 SAR Gen 2

capture

capture

Syntax

capture [{start | stop}]

Context

[Tree] (debug>pcap capture)

Full Context

debug pcap capture

Description

This command starts and stops the packet capture process for the specified session-name.

Parameters

start

Starts the packet capture process and also starts or restarts the FTP or TFTP session. If the FTP or TFTP server is unreachable, the command prompt rejects further input until the retries time out after 24 seconds (after four attempts of about six seconds each). If the same file name is unchanged in the config>mirror>mirror-dest>pcap context between captures, this command overwrites the file content.

stop

Stops the packet capture process and also stops the FTP or TFTP session. If the FTP or TFTP server is unreachable, the command prompt rejects further input until the retries time out after 24 seconds (after four attempts of about six seconds each).

Platforms

7705 SAR Gen 2

card

card

Syntax

[no] card slot-number

Context

[Tree] (config card)

Full Context

configure card

Description

This mandatory command enables access to the chassis and context. In SR OS, cards cover IOM, IMM, and XCM.

The no form of this command removes the card from the configuration. All associated ports, services, and MDAs must be shut down.

Default

no card

Parameters

slot-number

Specifies the slot number of the card in the chassis. The maximum slot number is platform dependent. Refer to the hardware installation guides.

Values

1 to 10

Platforms

7705 SAR Gen 2

card-type

card-type

Syntax

card-type card-type [level card-level]

no card-type

Context

[Tree] (config>card card-type)

Full Context

configure card card-type

Description

This mandatory command adds an IOM/XCM to the device configuration for the slot. The card type can be preprovisioned, meaning that the card does not need to be installed in the chassis.

A card must be provisioned before an MDA, connector, or port can be configured.

A card can only be provisioned in a slot that is vacant, meaning no other card can be provisioned (configured) for that particular slot. To reconfigure a slot position, use the no form of this command to remove the current information.

A card can only be provisioned in a slot if the card type is allowed in the slot. An error message is generated if an attempt is made to provision a card type that is not allowed.

If a card is inserted that does not match the configured card type for the slot, then a log event and facility alarm is raised. The alarm is cleared when the correct card type is installed or the configuration is modified.

A log event and facility alarm are raised if an administratively enabled card is removed from the chassis. The alarm is cleared when the correct card type is installed or the configuration is modified. A log event is issued when a card is removed that is administratively disabled.

Because IMMs do not have the capability to install separate MDAs, the configuration of the MDA is automatic. This configuration only includes the default parameters such as default buffer policies. Commands to manage the MDA such as shutdown and so on, remain in the MDA configuration context.

Some card hardware can support two different firmware loads. One load includes the base Ethernet functionality, including 10G WAN mode, but does not include 1588 port-based timestamping. The second load includes the base Ethernet functionality and 1588 port-based timestamping, but does not include 10G WAN mode. These are identified as two card types that are the same, except for a "-ptp" suffix to indicate the second loadset; for example, imm40-10gb-sfp and imm40-10gb-sfp-ptp. A hard reset of the card occurs when switching between the two provisioned types.

An appropriate alarm is raised if a partial or complete card failure is detected. The alarm is cleared when the error condition ceases.

New generations of cards include variants controlled by hardware and software licensing. For these cards, the license level must be provisioned in addition to the card type. A card cannot become operational unless the provisioned license level matches the license level of the card installed into the slot. The set of license levels varies by card type.

The provisioned level controls aspects related to connector provisioning and the consumption of hardware egress queues and egress policers. Changes to the provisioned license level may be blocked if configuration exists that would not be permitted with the new target license level.

If the license level is not specified, the level is set to the highest license level for that card.

The no form of this command removes the card from the configuration.

Default

no card-type

Parameters

card-type

Specifies the type of card to be configured and installed in that slot. Values for this attribute vary by platform and release. The release notes include a listing of all supported card-types and their CLI strings. In addition, the command can be queried to check which card-types are relevant for the active platform type. Some examples include iom4-e-b and imm-2pac-fp3.

card-level

Specifies the license level of the card, up to 32 characters. Possible values vary by card type.

Platforms

7705 SAR Gen 2

carrier-carrier-vpn

carrier-carrier-vpn

Syntax

[no] carrier-carrier-vpn

Context

[Tree] (config>service>vprn carrier-carrier-vpn)

Full Context

configure service vprn carrier-carrier-vpn

Description

This command configures a VPRN service to support a Carrier Supporting Carrier model. It should be configured on a network provider’s CSC-PE device.

This command cannot be applied to a VPRN unless it has no SAP or spoke-SDP interfaces. Once this command has been entered, one or more MPLS-capable CSC interfaces can be created in the VPRN.

The no form of this command removes the Carrier Supporting Carrier capability from a VPRN.

Default

no carrier-carrier-vpn

Platforms

7705 SAR Gen 2

cbs

cbs

Syntax

cbs size-in-kbytes

no cbs

Context

[Tree] (config>service>vpls>sap>ingress>queue-override>queue cbs)

[Tree] (config>service>ies>if>sap>ingress>queue-override>queue cbs)

[Tree] (config>service>ies>if>sap>egress>queue-override>queue cbs)

[Tree] (config>service>vpls>sap>egress>queue-override>queue cbs)

Full Context

configure service vpls sap ingress queue-override queue cbs

configure service ies interface sap ingress queue-override queue cbs

configure service ies interface sap egress queue-override queue cbs

configure service vpls sap egress queue-override queue cbs

Description

This command overrides specific attributes of the specified queue’s CBS parameters.

It is permissible, and possibly desirable, to oversubscribe the total CBS reserved buffers for a given access port egress buffer pool. Oversubscription may be desirable due to the potential large number of service queues and the economy of statistical multiplexing the individual queue’s CBS settings into the defined reserved total.

When oversubscribing the reserved total, it is possible for a queue depth to be lower than its CBS setting and still not receive a buffer from the buffer pool for an ingress frame. As more queues are using their CBS buffers and the total in use exceeds the defined reserved total, essentially the buffers are being removed from the shared portion of the pool without the shared in use average and total counts being decremented. This can affect the operation of the high and low priority RED slopes on the pool, causing them to miscalculate when to start randomly dropping packets.

If the CBS value is larger than the MBS value, an error will occur, preventing the CBS change.

The no form of this command returns the CBS size to the default value.

Parameters

size-in-kbytes

The size parameter is an integer expression of the number of kilobytes reserved for the queue. If a value of 10 kbytes is desired, enter the value 10. A value of 0 specifies that no reserved buffers are required by the queue (a minimal reserved size can still be applied for scheduling purposes).

Values

0 to 1048576, default

Platforms

7705 SAR Gen 2

cbs

Syntax

cbs size-in-kbytes

no cbs

Context

[Tree] (config>service>vprn>if>sap>ingress>queue-override>queue cbs)

[Tree] (config>service>vprn>if>sap>egress>queue-override>queue cbs)

Full Context

configure service vprn interface sap ingress queue-override queue cbs

configure service vprn interface sap egress queue-override queue cbs

Description

This command can be used to override specific attributes of the specified queue’s CBS parameters.

It is permissible, and possibly desirable, to oversubscribe the total CBS reserved buffers for a given access port egress buffer pool. Oversubscription may be desirable due to the potential large number of service queues and the economy of statistical multiplexing the individual queue’s CBS setting into the defined reserved total.

When oversubscribing the reserved total, it is possible for a queue depth to be lower than its CBS setting and still not receive a buffer from the buffer pool for an ingress frame. As more queues are using their CBS buffers and the total in use exceeds the defined reserved total, essentially the buffers are being removed from the shared portion of the pool without the shared in use average and total counts being decremented. This can affect the operation of the high and low priority RED slopes on the pool, causing them to miscalculate when to start randomly dropping packets.

If the CBS value is larger than the MBS value, an error occurs, preventing the CBS change.

The no form of this command returns the CBS to the default value.

Default

no cbs

Parameters

size-in-kbytes

The size parameter is an integer expression of the number of kilobytes reserved for the queue. For a value of 10 kbytes, enter the number 10. A value of 0 specifies that no reserved buffers are required by the queue (a minimum reserved size can be applied for scheduling purposes).

Values

0 to 131072 or default

Platforms

7705 SAR Gen 2

cbs

Syntax

cbs {size [bytes | kilobytes] | default}

no cbs

Context

[Tree] (config>card>fp>ingress>network>qgrp>policer-over>plcr cbs)

[Tree] (config>card>fp>ingress>access>qgrp>policer-over>plcr cbs)

Full Context

configure card fp ingress network queue-group policer-override policer cbs

configure card fp ingress access queue-group policer-override policer cbs

Description

This command configures the policer’s CIR leaky bucket’s exceed threshold. The CIR bucket’s exceed threshold represents the committed burst tolerance allowed by the policer. If the policer’s forwarding rate is equal to or less than the policer’s defined CIR, the CIR bucket depth hovers around the 0 depth with spikes up to the maximum packet size in the offered load. If the forwarding rate increases beyond the profiling rate, the amount of data allowed to be in-profile above the rate is capped by the threshold.

The policer’s cbs size defined in the QoS policy may be overridden on an sla-profile or SAP where the policy is applied.

The no form of this command returns the policer to its default CBS size.

Parameters

size

Specifies that the size parameter is required when specifying cbs and is expressed as an integer representing the required size in either bytes or kilobytes. The default is kilobytes. The optional bytes and kilobytes keywords are mutually exclusive and are used to explicitly define whether size represents bytes or kilobytes.

Values

0 to 2683435456

bytes

When bytes is defined, the value given for size is interpreted as the queue’s CBS value specified in bytes.

kilobytes

When kilobytes is defined, the value is interpreted as the queue’s CBS value given in kilobytes.

Default

kilobytes

default

Specifying the keyword default sets the CBS to its default value.

Platforms

7705 SAR Gen 2

cbs

Syntax

cbs size-in-kbytes

no cbs

Context

[Tree] (config>port>ethernet>access>egr>qgrp>qover>q cbs)

[Tree] (config>port>ethernet>access>ing>qgrp>qover>q cbs)

Full Context

configure port ethernet access egress queue-group queue-overrides queue cbs

configure port ethernet access ingress queue-group queue-overrides queue cbs

Description

This command defines the default committed buffer size for the template queue. Overall, the CBS command follows the same behavior and provisioning characteristics as the CBS command in the queue-group or network QoS policy. The exception is the addition of the cbs-value qualifier keywords bytes or kilobytes.

The no form of this command restores the default CBS size to the template queue.

Default

cbs default

Parameters

size-in-kbytes

The size parameter is an integer expression of the number of kilobytes reserved for the queue. If a value of 10 kbytes is desired, enter the value 10. A value of 0 specifies that no reserved buffers are required by the queue (a minimal reserved size can still be applied for scheduling purposes).

Values

0 to 1048576 or default

Platforms

7705 SAR Gen 2

cbs

Syntax

cbs size [bytes | kilobytes]

no cbs

Context

[Tree] (config>service>epipe>sap>ingress>policer-over>plcr cbs)

[Tree] (config>service>epipe>sap>egress>policer-over>plcr cbs)

Full Context

configure service epipe sap ingress policer-override policer cbs

configure service epipe sap egress policer-override policer cbs

Description

This command, within the SAP ingress and egress policer-overrides contexts, is used to override the sap-ingress and sap-egress QoS policy configured CBS parameter for the specified policer-id.

The no form of this command returns the CBS size to the default value.

Default

no cbs

Parameters

size

The size parameter is required when specifying cbs override and is expressed as an integer representing the required size in either bytes or kilobytes. The default is kilobytes. The optional bytes and kilobytes keywords are mutually exclusive and are used to explicitly define whether size represents bytes or kilobytes.

Values

0 to 2683435456, default

bytes

When bytes is defined, the value given for size is interpreted as the policer’s MBS value in bytes.

kilobytes

When kilobytes is defined, the value given for size is interpreted as the policer’s MBS value in kilobytes.

Platforms

7705 SAR Gen 2

cbs

Syntax

cbs {size-in-kbytes | default}

no cbs

Context

[Tree] (config>service>epipe>sap>ingress>queue-override>queue cbs)

[Tree] (config>service>epipe>sap>egress>queue-override>queue cbs)

Full Context

configure service epipe sap ingress queue-override queue cbs

configure service epipe sap egress queue-override queue cbs

Description

This command can be used to override specific attributes of the specified queue’s CBS parameters.

It is permissible, and possibly desirable, to oversubscribe the total CBS reserved buffers for a specific access port egress buffer pool. Oversubscription may be desirable due to the potential large number of service queues and the economy of statistical multiplexing the individual queue’s CBS setting into the defined reserved total.

When oversubscribing the reserved total, it is possible for a queue depth to be lower than its CBS setting and still not receive a buffer from the buffer pool for an ingress frame. As more queues are using their CBS buffers and the total in use exceeds the defined reserved total, essentially the buffers are being removed from the shared portion of the pool without the shared in use average and total counts being decremented. This can affect the operation of the high and low priority RED slopes on the pool, causing them to miscalculate when to start randomly dropping packets.

The no form of this command returns the CBS size to the default value.

Default

no cbs

Parameters

size-in-kbytes

The size parameter is an integer expression of the number of kilobytes reserved for the queue. If a value of 10 kbytes is wanted, enter the value 10. A value of 0 specifies that no reserved buffers are required by the queue (a minimal reserved size can still be applied for scheduling purposes).

Values

0 to 131072, default

Platforms

7705 SAR Gen 2

cbs

Syntax

cbs size [{bytes | kilobytes}]

no cbs

Context

[Tree] (config>service>vpls>sap>ingress>policer-override>plcr cbs)

[Tree] (config>service>vpls>sap>egress>policer-override>plcr cbs)

Full Context

configure service vpls sap ingress policer-override policer cbs

configure service vpls sap egress policer-override policer cbs

Description

This command, within the SAP ingress and egress policer-overrides contexts, is used to override the sap-ingress and sap-egress QoS policy configured CBS parameter for the specified policer-id.

The no form of this command returns the CBS size to the default value.

Default

no cbs

Parameters

size

This parameter is required when specifying CBS override and is expressed as an integer representing the required size in either bytes or kilobytes. The default is kilobytes. The optional bytes and kilobytes keywords are mutually exclusive and are used to explicitly define whether size represents bytes or kilobytes.

Values

0 to 2683435456, default

Default

kilobytes

Platforms

7705 SAR Gen 2

cbs

Syntax

cbs size [{bytes | kilobytes}]

no cbs

Context

[Tree] (config>service>ies>if>sap>ingress>policer-over>plcr cbs)

[Tree] (config>service>ies>if>sap>egress>policer-over>plcr cbs)

Full Context

configure service ies interface sap ingress policer-override policer cbs

configure service ies interface sap egress policer-override policer cbs

Description

This command, within the SAP ingress and egress policer-overrides contexts, is used to override the sap-ingress and sap-egress QoS policy configured CBS parameter for the specified policer-id.

The no form of this command returns the CBS size to the default value.

Default

no cbs

Parameters

size

This parameter is required when specifying CBS override and is expressed as an integer representing the required size in either bytes or kilobytes. The default is kilobytes. The optional bytes and kilobytes keywords are mutually exclusive and are used to explicitly define whether size represents bytes or kilobytes.

Values

0 to 2683435456, default

Default

kilobytes

Platforms

7705 SAR Gen 2

cbs

Syntax

cbs size [{bytes | kilobytes}]

no cbs

Context

[Tree] (config>service>vprn>if>sap>ingress>policer-over>plcr cbs)

[Tree] (config>service>vprn>if>sap>egress>policer-over>plcr cbs)

Full Context

configure service vprn interface sap ingress policer-override policer cbs

configure service vprn interface sap egress policer-override policer cbs

Description

This command, within the SAP ingress and egress policer-overrides contexts, is used to override the sap-ingress and sap-egress QoS policy configured CBS parameter for the specified policer-id.

The no form of this command returns the CBS size to the default value.

Default

no cbs

Parameters

size

This parameter is required when specifying CBS override and is expressed as an integer representing the required size in either bytes or kilobytes. The default is kilobytes. The optional bytes and kilobytes keywords are mutually exclusive and are used to explicitly define whether size represents bytes or kilobytes.

Values

0 to 2683435456, default

Default

kilobytes

Platforms

7705 SAR Gen 2

cbs

Syntax

cbs size [bytes | kilobytes]

no cbs

Context

[Tree] (config>qos>sap-egress>policer cbs)

[Tree] (config>qos>sap-ingress>policer cbs)

Full Context

configure qos sap-egress policer cbs

configure qos sap-ingress policer cbs

Description

This command configures the policer’s CIR leaky bucket’s exceed threshold. The CIR bucket’s exceed threshold represents the committed burst tolerance allowed by the policer. If the policer’s forwarding rate is equal to or less than the policer's defined CIR, the CIR bucket depth hovers around the 0 depth with spikes up to the maximum packet size in the offered load. If the forwarding rate increases beyond the profiling rate, the amount of data allowed to be in-profile above the rate is capped by the threshold.

The policer’s cbs size defined in the QoS policy may be overridden on an sla-profile or SAP where the policy is applied.

The no form of this command returns the policer to its default CBS size.

By default, the CBS is 16 Mbytes when CIR equals max or is greater than or equal to the FP capacity (this overrides an explicit configured CBS value); otherwise, 10 ms volume of traffic for a configured non-zero/non-max CIR capped to 3968 kbytes, with a minimum of 256 bytes.

Parameters

size [bytes | kilobytes]

Specifies an integer representing the required size in either bytes or kilobytes. The default is kilobytes. The optional bytes and kilobytes keywords are mutually exclusive and are used to explicitly define whether size represents bytes or kilobytes.

Values

0 to 2683435456, default

Platforms

7705 SAR Gen 2

cbs

Syntax

cbs {size-in-kbytes | default}

cbs delay-time microseconds

cbs delay-percent percent

no cbs

Context

[Tree] (config>qos>sap-egress>queue cbs)

Full Context

configure qos sap-egress queue cbs

Description

This command provides a mechanism to override the default reserved buffers for the queue. It is permissible, and possibly desirable, to oversubscribe the total CBS reserved buffers for a specific access port egress buffer pool. Oversubscription may be desirable because of the potentially large number of service queues and the economy of statistical multiplexing the CBS settings of the individual queues into the defined reserved total.

When oversubscribing the reserved total, it is possible for a queue depth to be lower than its CBS setting and still not receive a buffer from the buffer pool for an ingress frame. As more queues use their CBS buffers and the total-in-use exceeds the defined reserved total, essentially the buffers are removed from the shared portion of the pool without the shared in-use average and total counts being decremented. This can affect the operation of the high- and low-priority RED slopes on the pool, causing them to miscalculate when to start randomly dropping packets.

If the CBS value is larger than the MBS value, the CBS is capped to the value of the MBS or the minimum CBS value. If the MBS and CBS values are configured to be equal (or nearly equal), this will result in the CBS being slightly higher than the value configured.

The delay-time command option configures the CBS as a function of the expected delay. The system automatically translates this configuration into kilobytes based on the administrative rate of the queue parent (for example, the port, scheduler, or aggregate-shaper).

The delay-percent command option configures the CBS as a percentage of the SAP delay budget of the queue configured using the latency-budget command.

The no form of this command returns the CBS size to the default value.

Default

cbs default

Parameters

size-in-kbytes

The size parameter is an integer expression of the number of kilobytes reserved for the queue. If a value of 10 kbytes is required, enter the value 10. A value of 0 specifies that no reserved buffers are required by the queue (a minimal reserved size can still be applied for scheduling purposes). The CBS maximum value used is constrained by the pool size in which the queue exists.

Values

0 to 1048576

Minimum configurable non-zero value: 6 kbytes on an FP2, 7680 bytes on an FP3, and 16 kbytes on an FP4

Minimum non-zero default value: maximum of 10 ms of CIR, or 6 kbytes on an FP2, 7680 bytes on an FP3, and 16 kbytes on an FP4

microseconds

Specifies the CBS as a function of delay time.

Values

0 to 1000000

percent

Specifies the CBS as a percentage of the SAP latency budget.

Values

0.00 to 100.00

Platforms

7705 SAR Gen 2

cbs

Syntax

cbs size-in-kbytes

no cbs

Context

[Tree] (config>qos>sap-ingress>queue cbs)

Full Context

configure qos sap-ingress queue cbs

Description

This command provides a mechanism to override the default reserved buffers for the queue. It is permissible, and possibly desirable, to oversubscribe the total CBS reserved buffers for a given access port egress buffer pool. Oversubscription may be desirable due to the potentially large number of service queues and the economy of statistical multiplexing the individual queue’s CBS settings into the defined reserved total.

When oversubscribing the reserved total, it is possible for a queue depth to be lower than its CBS setting and still not receive a buffer from the buffer pool for an ingress frame. As more queues are using their CBS buffers and the total in use exceeds the defined reserved total, essentially the buffers are being removed from the shared portion of the pool without the shared in use average and total counts being decremented. This can affect the operation of the high- and low-priority RED slopes on the pool, causing them to miscalculate when to start randomly dropping packets.

If the CBS value is larger than the MBS value, the CBS is capped to the value of the MBS or the minimum CBS value. If the MBS and CBS values are configured to be equal (or nearly equal), this will result in the CBS being slightly higher than the value configured.

The no form of this command returns the CBS size to the default value.

Default

cbs default

Parameters

size-in-kbytes

The size parameter is an integer expression of the number of kilobytes reserved for the queue. If a value of 10 kbytes is desired, enter the value 10. A value of 0 specifies that no reserved buffers are required by the queue (a minimal reserved size can still be applied for scheduling purposes). The CBS maximum value used is constrained by the pool size in which the queue exists.

Values

0 to 1048576 or default

Minimum configurable non-zero value: 6 kbytes on an FP2, 7680 bytes on an FP3, and 16 kbytes on an FP4

Minimum non-zero default value: maximum of 10 ms of CIR, or 6 kbytes on an FP2, 7680 bytes on an FP3, and 16 kbytes on an FP4

Platforms

7705 SAR Gen 2

cbs

Syntax

cbs percent

no cbs

Context

[Tree] (config>qos>network-queue>queue cbs)

Full Context

configure qos network-queue queue cbs

Description

The Committed Burst Size (cbs) command specifies the relative number of reserved buffers for a specific ingress network FP forwarding class queue or egress network port forwarding class queue. The value is entered as a percentage.

The CBS for a queue is used to determine whether it has exhausted its reserved buffers while enqueuing packets. When the queue has exceeded the number of buffers considered in reserve for this queue, it must contend with other queues for the available shared buffer space within the buffer pool. Access to this shared pool space is controlled through Random Early Detection (RED) slope application.

Two RED slopes are maintained in each buffer pool. A high-priority slope is used by in-profile packets. A low-priority slope is used by out-of-profile packets. At egress, there are two additional RED slopes maintained in each buffer pool: the highplus slope is used by inplus-profile packets, and the exceed slope is used by exceed-profile packets. All network control and management packets are considered in-profile. Assured packets are handled by their in-profile and out-of-profile markings. All best-effort packets are considered out-of-profile. Premium queues should be configured such that the CBS percent is sufficient to prevent shared buffering of packets. This is generally taken care of by the CIR scheduling of premium queues and the overall small amount of traffic on the class. Premium queues in a properly designed system will drain before all others, limiting their buffer utilization.

The RED slopes will detect congestion conditions and work to discard packets and slow down random TCP session flows through the queue. The RED slope definitions can be defined, modified, or disabled through the slope policy assigned to the FP for the network ingress buffer pool or assigned to the network port for network egress buffer pools.

The resultant CBS size can be larger than the MBS. This will result in a portion of the CBS for the queue to be unused and should be avoided.

The no form of this command returns the CBS size for the queue to the default for the forwarding class.

Default

The cbs forwarding class defaults are listed in the CBS Forwarding Class Defaults.

Table 1. CBS Forwarding Class Defaults

| Forwarding Class | Forwarding Class Label | Default CBS |
|---|---|---|
| Network-Control | nc | 3 |
| High-1 | h1 | 3 |
| Expedited | ef | 1 |
| High-2 | h2 | 1 |
| Low-1 | l1 | 3 |
| Assured | af | 1 |
| Low-2 | l2 | 3 |
| Best-Effort | be | 1 |

Parameters

percent

The percent of buffers reserved from the total buffer pool space, expressed as a decimal integer. If 10 Mbytes is the total buffer space in the buffer pool, a value of 10 would reserve 1 Mbyte (10%) of buffer space for the forwarding class queue. The value 0 specifies that no reserved buffers are required by the queue (a minimal reserved size can be applied for scheduling purposes).

Values

0 to 100

Platforms

7705 SAR Gen 2

cbs

Syntax

cbs {size-in-kbytes | default}

no cbs

Context

[Tree] (config>qos>qgrps>ing>qgrp>policer cbs)

[Tree] (config>qos>qgrps>egr>qgrp>policer cbs)

Full Context

configure qos queue-group-templates ingress queue-group policer cbs

configure qos queue-group-templates egress queue-group policer cbs

Description

The cbs command is used to define the default committed buffer size for the template queue or the CBS for the template policer. Overall, the cbs command follows the same behavior and provisioning characteristics as the cbs command in the SAP ingress and egress QoS policy.

The no form of this command restores the default CBS size to the template policer.

Default

default

Parameters

size-in-kbytes

For the queues, the size parameter is an integer expression of the number of kilobytes reserved for the queue. If a value of 10 kbytes is desired, enter the value 10. A value of 0 specifies that no reserved buffers are required by the queue (a minimal reserved size can still be applied for scheduling purposes). For policers, the size parameter is an integer expression of the number of kilobytes for the policer CBS.

Values

0 to 2683435456, default

Minimum default value: 16 Mbytes when CIR equals max or is greater than or equal to the FP capacity (this overrides an explicit configured CBS value); otherwise, 10 ms volume of traffic for a configured non-zero/non-max CIR capped to 3968 kbytes, with a minimum of 256 bytes.

Platforms

7705 SAR Gen 2

cbs

Syntax

cbs {size-in-kbytes | default}

no cbs

Context

[Tree] (config>qos>qgrps>ing>qgrp>queue cbs)

[Tree] (config>qos>qgrps>egr>qgrp>queue cbs)

Full Context

configure qos queue-group-templates ingress queue-group queue cbs

configure qos queue-group-templates egress queue-group queue cbs

Description

The cbs command is used to define the default committed buffer size for the template queue or the CBS for the template policer. Overall, the cbs command follows the same behavior and provisioning characteristics as the cbs command in the SAP ingress and egress QoS policy.

The no form of this command restores the default CBS size to the template policer.

Default

default

Parameters

size-in-kbytes

For the queues, the size parameter is an integer expression of the number of kilobytes reserved for the queue. If a value of 10 kbytes is desired, enter the value 10. A value of 0 specifies that no reserved buffers are required by the queue (a minimal reserved size can still be applied for scheduling purposes). For policers, the size parameter is an integer expression of the number of kilobytes for the policer CBS.

Values

0 to 1048576 or default

Minimum configurable non-zero value: 6 kbytes on an FP2, 7680 bytes on an FP3, and 16 kbytes on an FP4

Minimum non-zero default value: maximum of 10 ms of CIR or 6 kbytes on an FP2, 7680 bytes on an FP3, and 16 kbytes on an FP4

Platforms

7705 SAR Gen 2

cd

cd

Syntax

cd [file-url]

Context

[Tree] (file cd)

Full Context

file cd

Description

This command displays or changes the current working directory in the local file system.

Parameters

file-url

Specifies the file URL.

Values

local-url

[cflash-id/][file-path] up to 200 characters, including cflash-id directory length 99 chars max each

remote-url

[{ftp:// | tftp://}login:pswd@remote-locn/][file-path]

up to 247 characters

directory length up to 199 characters

remote-locn

[hostname | ipv4-address | [ipv6-address]]

ipv4-address

a.b.c.d

ipv6-address

x:x:x:x:x:x:x:x[-interface]

x:x:x:x:x:x:d.d.d.d[-interface]

x - [0 to FFFF]H

d - [0 to 255]D

interface - up to 32 characters, for link local addresses 255

cflash-id

cf1:, cf1-A:, cf1-B:, cf2:, cf2-A:, cf2-B:, cf3:, cf3-A:, cf3-B:

If no file-url is entered, the current working directory is displayed.

..

signifies the parent directory. This can be used in place of an actual directory name in a directory-url.

directory-url

Specifies the destination directory.

Platforms

7705 SAR Gen 2

cert

cert

Syntax

cert cert-filename

no cert

Context

[Tree] (config>ipsec>cert-profile>entry cert)

Full Context

configure ipsec cert-profile entry cert

Description

This command specifies the file name of an imported certificate for the cert-profile entry.

The no form of this command removes the cert-file-name from the entry configuration.

Default

no cert

Platforms

7705 SAR Gen 2

cert

Syntax

cert

Context

[Tree] (config>service>vprn>if>ipsec>ipsec-tunnel>dyn cert)

[Tree] (config>service>ies>if>sap>ipsec-gw cert)

[Tree] (config>service>ies>if>ipsec>ipsec-tunnel>dyn cert)

[Tree] (config>service>vprn>if>sap>ipsec-gw cert)

[Tree] (config>ipsec>trans-mode-prof>dyn cert)

[Tree] (config>router>if>ipsec>ipsec-tunnel>dyn cert)

Full Context

configure service vprn interface ipsec ipsec-tunnel dynamic-keying cert

configure service ies interface sap ipsec-gw cert

configure service ies interface ipsec ipsec-tunnel dynamic-keying cert

configure service vprn interface sap ipsec-gw cert

configure ipsec ipsec-transport-mode-profile dynamic-keying cert

configure router interface ipsec ipsec-tunnel dynamic-keying cert

Description

Commands in this context configure certificate parameters.

Platforms

7705 SAR Gen 2

cert

Syntax

cert cert-filename

no cert

Context

[Tree] (config>system>security>tls>cert-profile>entry cert)

Full Context

configure system security tls cert-profile entry cert

Description

This command specifies the file name of an imported certificate for the cert-profile entry.

The no form of the command removes the certificate.

Default

no cert

Parameters

cert-filename

Specifies the file name of the TLS certificate, up to 95 characters in length.

Platforms

7705 SAR Gen 2

cert

Syntax

cert cert-file-name [create]

no cert

Context

[Tree] (config>system>security>pki>cert-auto-upd cert)

Full Context

configure system security pki certificate-auto-update cert

Description

This command configures the imported certificate filename for the certificate automatic update.

The no form of this command removes the cert-file-name from the configuration.

Parameters

cert-file-name

Specifies the filename of the certificate, up to 95 characters in length.

Platforms

7705 SAR Gen 2

cert-file

cert-file

Syntax

cert-file filename

no cert-file

Context

[Tree] (config>system>security>pki>ca-profile cert-file)

Full Context

configure system security pki ca-profile cert-file

Description

This command specifies the filename of a file in cf3:\system-pki\cert as the CA’s certificate of the ca-profile.

Notes:

  • The system performs the following checks against the configured cert-file when a no shutdown command is issued:

    • The configured cert-file must be a DER-formatted X.509v3 certificate file.

    • All non-optional fields defined in section 4.1 of RFC 5280 must exist and conform to the format defined in RFC 5280.

    • The version field is checked to see if its value is 0x2.

    • The Validity field is checked to see if the certificate is still within its validity period.

    • The X.509 basic constraints extension must exist, and the CA Boolean must be True.

    • If the Key Usage extension exists, then at least keyCertSign and cRLSign should be asserted.

    • If the certificate is not a self-signed certificate, the system tries to find the issuer CA's certificate to verify that this certificate is signed by the issuer's CA; if no such CA-profile is configured, the system just proceeds with a warning message.

    • If the certificate is not a self-signed certificate, the system tries to find the issuer CA's CRL to verify that the certificate has not been revoked; if no such CA-profile is configured or there is no such CRL, the system just proceeds with a warning message.

    If any of the above checks fails, the no shutdown command fails.

  • Changing or removing the cert-file is only allowed when the ca-profile is in a shutdown state.

The no form of this command removes the filename from the configuration.

Parameters

filename

Specifies a local CF card file URL.

Platforms

7705 SAR Gen 2
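An operator can run an approximation of the cert-file checks listed above on a workstation before copying a CA certificate to the node. The following is an added example, not Nokia code and not part of the original page: a standard-library DER walker that tests the encoding, the version field, the validity period, basicConstraints CA and keyUsage. It does not verify the signature, the issuer chain or the CRL, and the sample certificate is a constructed, unsigned skeleton; all function names are illustrative.

```python
from datetime import datetime, timezone

OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # 2.5.29.19
OID_KEY_USAGE = bytes.fromhex("551d0f")          # 2.5.29.15
DEMO_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock for the demo

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out

def parse_time(tag, val):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) as an aware datetime."""
    text = val.decode("ascii")
    if tag == 0x17:  # RFC 5280: two-digit years 50-99 are 19xx, 00-49 are 20xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def check_ca_cert(der, now=None):
    """Return the list of failed checks; an empty list means all passed."""
    now = now or datetime.now(timezone.utc)
    try:
        return _inspect(bytes(der), now)
    except (ValueError, IndexError):  # PEM text, truncation, bad time strings
        return ["not a DER-encoded X.509 certificate"]

def _inspect(der, now):
    tag, cert, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one outer SEQUENCE")
    fields = children(children(cert)[0][1])  # tbsCertificate fields
    failures, version = [], 0                # an absent version field means v1
    if fields[0][0] == 0xA0:                 # [0] EXPLICIT INTEGER
        version = int.from_bytes(children(fields[0][1])[0][1], "big")
        fields = fields[1:]
    if version != 2:
        failures.append("version is not 0x2 (X.509v3)")
    # Remaining order: serial, signature, issuer, validity, subject, SPKI, [3] exts
    not_before, not_after = (parse_time(t, v) for t, v in children(fields[3][1]))
    if not not_before <= now <= not_after:
        failures.append("outside validity period")
    exts = {}
    for t, v in fields[6:]:
        if t == 0xA3:  # [3] EXPLICIT SEQUENCE OF Extension
            for _, ext in children(read_tlv(v, 0)[1]):
                parts = children(ext)
                exts[parts[0][1]] = parts[-1][1]  # OID -> extnValue content
    bc = exts.get(OID_BASIC_CONSTRAINTS)
    if bc is None or children(read_tlv(bc, 0)[1])[:1] != [(0x01, b"\xff")]:
        failures.append("basicConstraints missing or CA is not TRUE")
    ku = exts.get(OID_KEY_USAGE)
    if ku is not None:  # only checked when the extension exists
        bits = read_tlv(ku, 0)[1]  # BIT STRING: unused-bit count, then flags
        if len(bits) < 2 or (bits[1] & 0x06) != 0x06:  # keyCertSign 0x04, cRLSign 0x02
            failures.append("keyUsage does not assert both keyCertSign and cRLSign")
    return failures

def tlv(tag, val):
    """DER-encode one element (used only to construct the sample input)."""
    n = len(val)
    if n < 0x80:
        return bytes([tag, n]) + val
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + val

def build_sample(version=2, ca=True, key_usage=0x06, not_after="350101000000Z"):
    """Constructed, unsigned certificate skeleton for the demo; not a real CA."""
    def seq(*parts):
        return tlv(0x30, b"".join(parts))
    name = seq(tlv(0x31, seq(tlv(0x06, bytes.fromhex("550403")), tlv(0x0C, b"Example Lab CA"))))
    alg = seq(tlv(0x06, bytes.fromhex("2a864886f70d01010b")), tlv(0x05, b""))
    unused = (key_usage & -key_usage).bit_length() - 1  # trailing zero bits (non-zero input)
    exts = seq(
        seq(tlv(0x06, OID_BASIC_CONSTRAINTS), tlv(0x01, b"\xff"),
            tlv(0x04, seq(tlv(0x01, b"\xff") if ca else b""))),
        seq(tlv(0x06, OID_KEY_USAGE), tlv(0x01, b"\xff"),
            tlv(0x04, tlv(0x03, bytes([unused, key_usage])))),
    )
    validity = seq(tlv(0x17, b"240101000000Z"), tlv(0x17, not_after.encode()))
    tbs = seq(tlv(0xA0, tlv(0x02, bytes([version]))), tlv(0x02, b"\x01"), alg, name,
              validity, name, seq(alg, tlv(0x03, b"\x00")), tlv(0xA3, exts))
    return seq(tbs, alg, tlv(0x03, b"\x00"))

if __name__ == "__main__":
    print(check_ca_cert(build_sample(ca=False, key_usage=0x04), DEMO_NOW))
```

To check a real file, pass its bytes, for example `check_ca_cert(open(path, "rb").read())`, where `path` is the operator's local copy of the certificate.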

cert-profile

cert-profile

Syntax

cert-profile profile-name [create]

no cert-profile profile-name

Context

[Tree] (config>ipsec cert-profile)

Full Context

configure ipsec cert-profile

Description

This command creates a new cert-profile or enters the configuration context of an existing cert-profile.

The no form of this command removes the profile name from the cert-profile configuration.

Parameters

profile-name

Specifies the name of the certification profile up to 32 characters.

Platforms

7705 SAR Gen 2

cert-profile

Syntax

cert-profile name

no cert-profile

Context

[Tree] (config>router>if>ipsec>ipsec-tun>dyn>cert cert-profile)

[Tree] (config>service>ies>if>ipsec>ipsec-tunnel>dyn>cert cert-profile)

[Tree] (config>service>ies>if>sap>ipsec-gw>cert cert-profile)

[Tree] (config>service>vprn>if>sap>ipsec-gw>cert cert-profile)

[Tree] (config>service>vprn>if>sap>ipsec-tun>dyn>cert cert-profile)

[Tree] (config>service>vprn>if>ipsec>ipsec-tunnel>dyn>cert cert-profile)

[Tree] (config>ipsec>trans-mode-prof>dyn>cert cert-profile)

Full Context

configure router interface ipsec ipsec-tunnel dynamic-keying cert cert-profile

configure service ies interface ipsec ipsec-tunnel dynamic-keying cert cert-profile

configure service ies interface sap ipsec-gw cert cert-profile

configure service vprn interface sap ipsec-gw cert cert-profile

configure service vprn interface sap ipsec-tunnel dynamic-keying cert cert-profile

configure service vprn interface ipsec ipsec-tunnel dynamic-keying cert cert-profile

configure ipsec ipsec-transport-mode-profile dynamic-keying cert cert-profile

Description

This command specifies the name of the certificate profile to be used for authentication.

The no form of this command removes the name from the configuration.

Parameters

name

Specifies the profile name, up to 32 characters.

Platforms

7705 SAR Gen 2

cert-profile

Syntax

cert-profile profile-name [create]

no cert-profile profile-name

Context

[Tree] (config>system>security>tls cert-profile)

Full Context

configure system security tls cert-profile

Description

This command configures TLS certificate profile information. The certificate profile contains the certificates that are sent to the TLS peer (server or client) to authenticate itself. It is mandatory for the TLS server to send this information. The TLS client may optionally send this information upon request from the TLS server.

The no form of the command deletes the specified TLS certificate profile.

Parameters

profile-name

Specifies the name of the TLS certificate profile, up to 32 characters in length.

create

Keyword used to create the TLS certificate profile.

Platforms

7705 SAR Gen 2

cert-profile

Syntax

cert-profile name

no cert-profile

Context

[Tree] (config>system>security>tls>client-tls-profile cert-profile)

Full Context

configure system security tls client-tls-profile cert-profile

Description

This command assigns a TLS certificate profile to be used by the TLS client profile. This certificate is sent to the server for authentication of the client and public key.

The no form of the command removes the TLS certificate profile assignment.

Parameters

name

Specifies the name of the TLS certificate profile, up to 32 characters in length.

Platforms

7705 SAR Gen 2

cert-profile

Syntax

cert-profile name

no cert-profile

Context

[Tree] (config>system>security>tls>server-tls-profile cert-profile)

Full Context

configure system security tls server-tls-profile cert-profile

Description

This command assigns a TLS certificate profile to be used by the TLS server profile. This certificate is sent to the client for authentication of the server and public key.

The no form of the command removes the TLS certificate profile assignment.

Parameters

name

Specifies the name of the TLS certificate profile, up to 32 characters in length.

Platforms

7705 SAR Gen 2

cert-request

cert-request

Syntax

cert-request ca ca-profile-name current-key key-filename current-cert cert-filename [hash-alg hash-algorithm] newkey key-filename subject-dn subject-dn [domain-name domain-names] [ip-addr ip-address | ipv6-address] save-as save-path-of-result-cert

Context

[Tree] (admin>certificate>cmpv2 cert-request)

Full Context

admin certificate cmpv2 cert-request

Description

This command requests an additional certificate after the system has obtained the initial certificate from the CA.

The request is authenticated by a signature signed by the current-key, along with the current-cert. The hash algorithm used for the signature depends on the key type:

  • DSA key: SHA1

  • RSA key: MD5 | SHA1 | SHA224 | SHA256 | SHA384 | SHA512; the default is SHA1

In some cases, the CA may not return a certificate immediately, for reasons such as the request needing manual intervention. In such cases, the admin certificate cmpv2 poll command can be used to poll the status of the request.

Parameters

ca ca-profile-name

Specifies the name of a ca-profile that includes CMP server information, up to 32 characters.

current-key key-filename

Specifies the corresponding certificate issued by the CA, up to 95 characters.

current-cert cert-filename

Specifies the file name of an imported certificate that is attached to the certificate request, up to 95 characters.

newkey key-filename

Specifies the file name of the imported key, up to 95 characters.

hash-alg hash-algorithm

Specifies the hash algorithm for RSA key.

Values

md5,sha1,sha224,sha256,sha384,sha512

subject-dn dn

Specifies the subject of the requesting certificate, up to 256 characters.

Values

attr1=val1,attr2=val2 where: attrN={C | ST | O | OU | CN}

save-as save-path-of-result-cert

Specifies the full path name for saving the resulting certificate, up to 200 characters.

domain-name domain-names

Specifies FQDNs for SubjectAltName of the requesting certificate, separated by commas, up to 512 characters.

ip-addr ip-address | ipv6-address

Specifies an IPv4 or IPv6 address for SubjectAltName of the requesting certificate.

Platforms

7705 SAR Gen 2

cert-sync

cert-sync

Syntax

[no] cert-sync

Context

[Tree] (config>redundancy cert-sync)

Full Context

configure redundancy cert-sync

Description

This command automatically synchronizes the certificate/CRL/key when importing or generating (for the key). If a new CF card is inserted into slot3 into the backup CPM, the system will sync the whole system-pki directory from the active CPM.

Default

enabled

Platforms

7705 SAR Gen 2

certificate

certificate

Syntax

certificate

Context

[Tree] (admin certificate)

Full Context

admin certificate

Description

Commands in this context configure X.509 certificate-related operational parameters. For information about CMPv6 admin certificate commands, see the 7705 SAR Gen 2 Multiservice ISA and ESA Guide.

Platforms

7705 SAR Gen 2

certificate

Syntax

certificate

Context

[Tree] (debug certificate)

Full Context

debug certificate

Description

Commands in this context debug certificates.

Platforms

7705 SAR Gen 2

certificate

Syntax

certificate filename

Context

[Tree] (debug>ipsec certificate)

Full Context

debug ipsec certificate

Description

This command enables debug for certificate chain computation in cert-profile.

Parameters

filename

Displays the filename of the imported certificate, up to 95 characters.

Platforms

7705 SAR Gen 2

certificate-auto-update

certificate-auto-update

Syntax

certificate-auto-update

Context

[Tree] (config>system>security>pki certificate-auto-update)

Full Context

configure system security pki certificate-auto-update

Description

This command configures automatic updates for the specified certificate. This must be an imported certificate.

Platforms

7705 SAR Gen 2

certificate-display-format

certificate-display-format

Syntax

certificate-display-format {ascii | utf8}

Context

[Tree] (config>system>security>pki certificate-display-format)

Full Context

configure system security pki certificate-display-format

Description

This command specifies the display format used for the Certificates and Certificate Revocation Lists.

Default

certificate-display-format ascii

Parameters

ascii

Specifies the ASCII format to use for the Certificates and Certificate Revocation Lists.

utf8

Specifies the UTF8 format to use for the Certificates and Certificate Revocation Lists.

Platforms

7705 SAR Gen 2

certificate-expiration-warning

certificate-expiration-warning

Syntax

certificate-expiration-warning hours [repeat repeat-hours]

no certificate-expiration-warning

Context

[Tree] (config>system>security>pki certificate-expiration-warning)

Full Context

configure system security pki certificate-expiration-warning

Description

With this command configured, the system issues two types of warnings related to certificate expiration:

  • BeforeExp — A warning message issued before a certificate expires

  • AfterExp — A warning message issued when a certificate expires

This command specifies when the system issues the BeforeExp message before a certificate expires. For example, with certificate-expiration-warning 5, the system issues a BeforeExp message 5 hours before a certificate expires. The optional repeat <repeat-hour> parameter makes the system repeat the BeforeExp message every hour until the certificate expires.

If the user only wants AfterExp, then certificate-expiration-warning 0 can be used to achieve this.

BeforeExp and AfterExp warnings can be cleared in the following cases:

  • The certificate is reloaded by the admin certificate reload command. In this case, if the reloaded file is not expired, then AfterExp is cleared. If the reloaded file is also outside of the configured warning window, then BeforeExp is cleared as well.

  • When the ca-profile/ipsec-gw/ipsec-tunnel/cert-profile is shut down, the BeforeExp and AfterExp of the corresponding certificates are cleared.

  • When the no certificate-expiration-warning command is configured, all existing BeforeExp and AfterExp are cleared.

  • Users may change the configuration of the certificate-expiration-warning so that certain certificates are no longer in the warning window. The BeforeExp of the corresponding certificates is cleared.

  • If the system time changes so that the new time causes the certificates to no longer be in the warning window, then BeforeExp is cleared. If the new time causes an expired certificate to become non-expired, then AfterExp is cleared.

Default

no certificate-expiration-warning

Parameters

hours

Specifies the amount of time before a certificate expires when the system issues BeforeExp.

Values

0 to 8760

repeat-hours

Specifies that the system repeats BeforeExp every repeat-hour.

Values

0 to 8760

Platforms

7705 SAR Gen 2

certificate-update-profile

certificate-update-profile

Syntax

certificate-update-profile profile-name [create]

no certificate-update-profile profile-name

Context

[Tree] (config>system>security>pki certificate-update-profile)

Full Context

configure system security pki certificate-update-profile

Description

Commands in this context configure a certificate update profile that specifies the behavior of the automatic update certificate.

The no form of this command removes the profile.

Parameters

profile-name

Specifies the name of the profile, up to 32 characters.

create

Mandatory keyword to create a certificate update profile.

Platforms

7705 SAR Gen 2

cflash-cap-alarm

cflash-cap-alarm

Syntax

cflash-cap-alarm cflash-id rising-threshold threshold [falling-threshold threshold] interval seconds [rmon-event-type] [startup-alarm alarm-type]

no cflash-cap-alarm cflash-id

Context

[Tree] (config>system>thresholds cflash-cap-alarm)

Full Context

configure system thresholds cflash-cap-alarm

Description

This command enables capacity monitoring of the compact flash specified in this command. The severity level is alarm. Both a rising and falling threshold can be specified.

The no form of this command removes the configured compact flash threshold alarm.

Parameters

cflash-id

Specifies the name of the cflash device to be monitored.

Values

cf1:, cf1-A:, cf1-B:, cf2:, cf2-A:, cf2-B:, cf3:, cf3-A:, cf3-B:

rising-threshold threshold

Specifies a threshold for the sampled statistic. When the current sampled value is greater than or equal to this threshold, and the value at the last sampling interval was less than this threshold, a single threshold crossing event will be generated. A single threshold crossing event will also be generated if the first sample taken is greater than or equal to this threshold and the associated startup-alarm is equal to rising or either.

After a rising threshold crossing event is generated, another such event will not be generated until the sampled value falls below this threshold and reaches less than or equal to the falling-threshold value.

The threshold value represents units of 512 bytes.

Values

-2147483648 to 2147483647

Default

0

falling-threshold threshold

Specifies a threshold for the sampled statistic. When the current sampled value is less than or equal to this threshold, and the value at the last sampling interval was greater than this threshold, a single threshold crossing event will be generated. A single threshold crossing event will also be generated if the first sample taken is less than or equal to this threshold and the associated startup-alarm is equal to falling or either.

After a falling threshold crossing event is generated, another such event will not be generated until the sampled value rises above this threshold and reaches greater than or equal to the rising-threshold value.

The threshold value represents units of 512 bytes.

Values

-2147483648 to 2147483647

Default

0

seconds

Specifies the polling period, in seconds, over which the data is sampled and compared with the rising and falling thresholds.

Values

1 to 2147483647

rmon-event-type

Specifies the type of notification action to be taken when this event occurs.

Values

log — An entry is made in the RMON-MIB log table for each event occurrence. This does not create an SR OS logger entry. The RMON-MIB log table entries can be viewed using the show>system>thresholds CLI command.

trap — An SR OS logger event is generated. The SR OS logger utility then distributes the notification of this event to its configured log destinations, which may be CONSOLE, telnet session, memory log, cflash file, syslog, or SNMP trap destinations logs.

both — Both an entry in the RMON-MIB logTable and an SR OS logger event are generated.

none — No action is taken.

Default

both

alarm-type

Specifies the alarm that may be sent when this alarm is first created.

If the first sample is greater than or equal to the rising threshold value and startup-alarm is equal to rising or either, a single rising threshold crossing event is generated.

If the first sample is less than or equal to the falling threshold value and startup-alarm is equal to falling or either, a single falling threshold crossing event is generated.

Values

rising, falling, either

Default

either

Configuration example

cflash-cap-alarm cf1-A: rising-threshold 50000000 falling-threshold 49999900 interval 120 rmon-event-type both startup-alarm rising

Platforms

7705 SAR Gen 2

cflash-cap-alarm-pct

cflash-cap-alarm-pct

Syntax

cflash-cap-alarm-pct cflash-id rising-threshold percentage [falling-threshold percentage] interval seconds [rmon-event-type event-type] [startup-alarm alarm-type]

no cflash-cap-alarm-pct cflash-id

Context

[Tree] (config>system>thresholds cflash-cap-alarm-pct)

Full Context

configure system thresholds cflash-cap-alarm-pct

Description

This command enables capacity monitoring of the compact flash specified in this command. The usage is monitored as a percentage of the capacity of the compact flash. The severity level is alarm. Both a rising and falling threshold can be specified.

The no form of this command removes the configured compact flash threshold alarm.

Parameters

cflash-id

Specifies the name of the cflash device to be monitored.

Values

cf1:, cf1-A:, cf1-B:, cf2:, cf2-A:, cf2-B:, cf3:, cf3-A:, cf3-B:

rising-threshold percentage

Specifies a threshold for the sampled statistic. When the current sampled value is greater than or equal to this threshold, and the value at the last sampling interval was less than this threshold, a single threshold crossing event will be generated. A single threshold crossing event will also be generated if the first sample taken is greater than or equal to this threshold and the associated startup-alarm is equal to rising or either.

After a rising threshold crossing event is generated, another such event will not be generated until the sampled value falls below this threshold and reaches less than or equal to the falling-threshold value.

The threshold value is the percentage of used space versus capacity for the specified compact flash.

Values

0 to 100

Default

0

falling-threshold percentage

Specifies a threshold for the sampled statistic. When the current sampled value is less than or equal to this threshold, and the value at the last sampling interval was greater than this threshold, a single threshold crossing event will be generated. A single threshold crossing event will also be generated if the first sample taken is less than or equal to this threshold and the associated startup-alarm is equal to falling or either.

After a falling threshold crossing event is generated, another such event will not be generated until the sampled value rises above this threshold and reaches greater than or equal to the rising-threshold value.

The threshold value is the percentage of used space versus capacity for the specified compact flash.

Values

0 to 100

Default

0

seconds

Specifies the polling period, in seconds, over which the data is sampled and compared with the rising and falling thresholds.

Values

1 to 2147483647

event-type

Specifies the type of notification action to be taken when this event occurs.

Values

log — An entry is made in the RMON-MIB log table for each event occurrence. This does not create an SR OS logger entry. The RMON-MIB log table entries can be viewed using the show>system>thresholds CLI command.

trap — An SR OS logger event is generated. The SR OS logger utility then distributes the notification of this event to its configured log destinations, which may be CONSOLE, telnet session, memory log, cflash file, syslog, or SNMP trap destination logs.

both — Both an entry in the RMON-MIB logTable and an SR OS logger event are generated.

none — No action is taken.

Default

both

alarm-type

Specifies the alarm that may be sent when this alarm is first created.

If the first sample is greater than or equal to the rising threshold value and startup-alarm is equal to rising or either, a single rising threshold crossing event is generated.

If the first sample is less than or equal to the falling threshold value and startup-alarm is equal to falling or either, a single falling threshold crossing event is generated.

Values

rising, falling, either

Default

either

Configuration example

cflash-cap-alarm-pct cf1-A: rising-threshold 70 falling-threshold 60 interval 120 rmon-event-type both startup-alarm rising

Platforms

7705 SAR Gen 2

cflash-cap-warn

cflash-cap-warn

Syntax

cflash-cap-warn cflash-id rising-threshold threshold [falling-threshold threshold] interval seconds [rmon-event-type event-type] [startup-alarm alarm-type]

no cflash-cap-warn cflash-id

Context

[Tree] (config>system>thresholds cflash-cap-warn)

Full Context

configure system thresholds cflash-cap-warn

Description

This command enables capacity monitoring of the compact flash specified in this command.

The severity level is warning. Both a rising and falling threshold can be specified. The no form of this command removes the configured compact flash threshold warning.

Parameters

cflash-id

Specifies the name of the cflash device to be monitored.

Values

cf1:, cf1-A:, cf1-B:, cf2:, cf2-A:, cf2-B:, cf3:, cf3-A:, cf3-B:

rising-threshold threshold

Specifies a threshold for the sampled statistic. When the current sampled value is greater than or equal to this threshold, and the value at the last sampling interval was less than this threshold, a single threshold crossing event will be generated. A single threshold crossing event will also be generated if the first sample taken is greater than or equal to this threshold and the associated startup-alarm is equal to rising or either.

After a rising threshold crossing event is generated, another such event will not be generated until the sampled value falls below this threshold and reaches less than or equal to the falling-threshold value.

The threshold value represents units of 512 bytes.

Values

-2147483648 to 2147483647

Default

0

falling-threshold threshold

Specifies a threshold for the sampled statistic. When the current sampled value is less than or equal to this threshold, and the value at the last sampling interval was greater than this threshold, a single threshold crossing event will be generated. A single threshold crossing event will also be generated if the first sample taken is less than or equal to this threshold and the associated startup-alarm is equal to falling or either.

After a falling threshold crossing event is generated, another such event will not be generated until the sampled value rises above this threshold and reaches greater than or equal to the rising-threshold value.

The threshold value represents units of 512 bytes.

Values

-2147483648 to 2147483647

Default

0

seconds

Specifies the polling period over which the data is sampled and compared with the rising and falling thresholds.

Values

1 to 2147483647

rmon-event-type

Specifies the type of notification action to be taken when this event occurs.

Values

log — An entry is made in the RMON-MIB log table for each event occurrence. This does not create an SR OS logger entry. The RMON-MIB log table entries can be viewed using the show>system>thresholds CLI command.

trap — An SR OS logger event is generated. The SR OS logger utility then distributes the notification of this event to its configured log destinations, which may be CONSOLE, telnet session, memory log, cflash file, syslog, or SNMP trap destination logs.

both — Both an entry in the RMON-MIB logTable and an SR OS logger event are generated.

none — No action is taken.

Default

both

alarm-type

Specifies the alarm that may be sent when this alarm is first created. If the first sample is greater than or equal to the rising threshold value and startup-alarm is equal to rising or either, a single rising threshold crossing event is generated.

If the first sample is less than or equal to the falling threshold value and startup-alarm is equal to falling or either, a single falling threshold crossing event is generated.

Values

rising, falling, either

Default

either

Configuration example

cflash-cap-warn cf1-B: rising-threshold 2000000 falling-threshold 1999900 interval 240 rmon-event-type trap startup-alarm either

Platforms

7705 SAR Gen 2

cflash-cap-warn-pct

cflash-cap-warn-pct

Syntax

cflash-cap-warn-pct cflash-id rising-threshold percentage [falling-threshold percentage] interval seconds [rmon-event-type event-type] [startup-alarm alarm-type]

no cflash-cap-warn-pct cflash-id

Context

[Tree] (config>system>thresholds cflash-cap-warn-pct)

Full Context

configure system thresholds cflash-cap-warn-pct

Description

This command enables capacity monitoring of the compact flash specified in this command. The usage is monitored as a percentage of the capacity of the compact flash.

The severity level is warning. Both a rising and falling threshold can be specified. The no form of this command removes the configured compact flash threshold warning.

Parameters

cflash-id

Specifies the name of the cflash device to be monitored.

Values

cf1:, cf1-A:, cf1-B:, cf2:, cf2-A:, cf2-B:, cf3:, cf3-A:, cf3-B:

rising-threshold percentage

Specifies a threshold for the sampled statistic. When the current sampled value is greater than or equal to this threshold, and the value at the last sampling interval was less than this threshold, a single threshold crossing event will be generated. A single threshold crossing event will also be generated if the first sample taken is greater than or equal to this threshold and the associated startup-alarm is equal to rising or either.

After a rising threshold crossing event is generated, another such event will not be generated until the sampled value falls below this threshold and reaches less than or equal to the falling-threshold value.

The threshold value is the percentage of used space versus capacity for the specified compact flash.

Values

0 to 100

Default

0

falling-threshold percentage

Specifies a threshold for the sampled statistic. When the current sampled value is less than or equal to this threshold, and the value at the last sampling interval was greater than this threshold, a single threshold crossing event will be generated. A single threshold crossing event will also be generated if the first sample taken is less than or equal to this threshold and the associated startup-alarm is equal to falling or either.

After a falling threshold crossing event is generated, another such event will not be generated until the sampled value rises above this threshold and reaches greater than or equal to the rising-threshold value.

The threshold value is the percentage of used space versus capacity for the specified compact flash.

Values

0 to 100

Default

0

seconds

Specifies the polling period over which the data is sampled and compared with the rising and falling thresholds.

Values

1 to 2147483647

event-type

Specifies the type of notification action to be taken when this event occurs.

Values

log — An entry is made in the RMON-MIB log table for each event occurrence. This does not create an SR OS logger entry. The RMON-MIB log table entries can be viewed using the show>system>thresholds CLI command.

trap — An SR OS logger event is generated. The SR OS logger utility then distributes the notification of this event to its configured log destinations, which may be CONSOLE, telnet session, memory log, cflash file, syslog, or SNMP trap destination logs.

both — Both an entry in the RMON-MIB logTable and an SR OS logger event are generated.

none — No action is taken.

Default

both

alarm-type

Specifies the alarm that may be sent when this alarm is first created. If the first sample is greater than or equal to the rising threshold value and startup-alarm is equal to rising or either, a single rising threshold crossing event is generated.

If the first sample is less than or equal to the falling threshold value and startup-alarm is equal to falling or either, a single falling threshold crossing event is generated.

Values

rising, falling, either

Default

either

Configuration example


cflash-cap-warn-pct cf1-B: rising-threshold 70 falling-threshold 60 interval 240 rmon-event-type trap startup-alarm either

Platforms

7705 SAR Gen 2
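The rising-threshold, falling-threshold and startup-alarm rules described for cflash-cap-alarm-pct, cflash-cap-warn and cflash-cap-warn-pct, modelled as a small state machine. This is an added example, not SR OS code; the class name, the sample values and the assumption that the falling threshold is below the rising threshold are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ThresholdAlarm:
    """Rising/falling threshold alarm with hysteresis (illustrative model)."""
    rising: int
    falling: int                       # assumed to be below `rising`
    startup_alarm: str = "either"      # rising | falling | either
    _prev: Optional[int] = field(default=None, init=False)
    _last_event: Optional[str] = field(default=None, init=False)

    def sample(self, value: int) -> Optional[str]:
        """Feed one polled value; return 'rising', 'falling' or None."""
        event = None
        if self._prev is None:
            # First sample: startup-alarm decides which event may be generated.
            if value >= self.rising and self.startup_alarm in ("rising", "either"):
                event = "rising"
            elif value <= self.falling and self.startup_alarm in ("falling", "either"):
                event = "falling"
        else:
            crossed_up = value >= self.rising and self._prev < self.rising
            crossed_down = value <= self.falling and self._prev > self.falling
            # Re-arm rule: an event of the same kind is not repeated until
            # the opposite threshold has been reached in between.
            if crossed_up and self._last_event != "rising":
                event = "rising"
            elif crossed_down and self._last_event != "falling":
                event = "falling"
        self._prev = value
        if event is not None:
            self._last_event = event
        return event


def run(alarm: ThresholdAlarm, samples: List[int]) -> List[Optional[str]]:
    """Return the event (or None) produced by each sample, in order."""
    return [alarm.sample(v) for v in samples]


# Constructed usage percentages, one per polling interval.
SAMPLES = [72, 68, 74, 59, 61, 71, 90, 60]

if __name__ == "__main__":
    # Thresholds taken from the cflash-cap-alarm-pct configuration example.
    alarm = ThresholdAlarm(rising=70, falling=60, startup_alarm="rising")
    for value, event in zip(SAMPLES, run(alarm, SAMPLES)):
        print(f"{value:3d}%  {event or '-'}")
```

The third sample (74) crosses the rising threshold again but produces no event, because usage never dropped to the falling threshold after the first rising event.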

chain-to-system-filter

chain-to-system-filter

Syntax

[no] chain-to-system-filter

Context

[Tree] (config>filter>ipv6-filter chain-to-system-filter)

[Tree] (config>filter>ip-filter chain-to-system-filter)

Full Context

configure filter ipv6-filter chain-to-system-filter

configure filter ip-filter chain-to-system-filter

Description

This command chains this filter to a currently active system filter. When the filter is chained to the system filter, the system filter rules are executed first, and the filter rules are only evaluated if no match on the system filter was found.

The no form of the command detaches this filter from the system filter.

Operational note:

If no system filter is currently active, the command has no effect.

Default

no chain-to-system-filter

Platforms

7705 SAR Gen 2

check-id-kp-cmcra-only

check-id-kp-cmcra-only

Syntax

[no] check-id-kp-cmcra-only

Context

[Tree] (config>system>security>pki>est-profile check-id-kp-cmcra-only)

Full Context

configure system security pki est-profile check-id-kp-cmcra-only

Description

This command enables checking for id-kp-cmcRA in the EST server certificate. When enabled, only the presence of id-kp-cmcRA in the extended key usage extension of the EST server certificate is checked, instead of the subject or subject alternative name. The id-kp-cmcRA key purpose identifies a Registration Authority.

The no form of this command reverts to the default value.

Default

no check-id-kp-cmcra-only

Platforms

7705 SAR Gen 2

check-zero

check-zero

Syntax

check-zero {enable | disable}

no check-zero

Context

[Tree] (config>service>vprn>rip check-zero)

[Tree] (config>service>vprn>ripng check-zero)

[Tree] (config>service>vprn>rip>group>neighbor check-zero)

[Tree] (config>service>vprn>ripng>group>neighbor check-zero)

[Tree] (config>service>vprn>rip>group check-zero)

[Tree] (config>service>vprn>ripng>group check-zero)

Full Context

configure service vprn rip check-zero

configure service vprn ripng check-zero

configure service vprn rip group neighbor check-zero

configure service vprn ripng group neighbor check-zero

configure service vprn rip group check-zero

configure service vprn ripng group check-zero

Description

This command enables checking for zero values in fields specified to be zero by the RIPv1 and RIPv2 specifications.

The no form of this command disables this check and allows the receipt of RIP messages even if the mandatory zero fields are non-zero.

Default

no check-zero

Parameters

enable

Enables checking of the mandatory zero fields in the RIPv1 and RIPv2 specifications and rejecting noncompliant RIP messages.

disable

Disables the checking and allows the receipt of RIP messages even if the mandatory zero fields are non-zero.

Platforms

7705 SAR Gen 2

check-zero

Syntax

check-zero {enable | disable}

no check-zero

Context

[Tree] (config>router>rip check-zero)

[Tree] (config>router>rip>group>neighbor check-zero)

[Tree] (config>router>ripng>group>neighbor check-zero)

[Tree] (config>router>ripng>group check-zero)

[Tree] (config>router>ripng check-zero)

[Tree] (config>router>rip>group check-zero)

Full Context

configure router rip check-zero

configure router rip group neighbor check-zero

configure router ripng group neighbor check-zero

configure router ripng group check-zero

configure router ripng check-zero

configure router rip group check-zero

Description

This command enables checking for zero values in fields specified to be zero by the RIPv1 and RIPv2 specifications.

The check-zero enable command enables checking of the mandatory zero fields in the RIPv1 and RIPv2 specifications and rejecting non-compliant RIP messages.

The check-zero disable command disables this check and allows the receipt of RIP messages even if the mandatory zero fields are non-zero.

This configuration parameter can be set at three levels: global level (applies to all groups and neighbor interfaces), group level (applies to all neighbor interfaces in the group) or neighbor level (only applies to the specified neighbor interface). The most specific value is used. In particular if no value is set (no check-zero), the setting from the less specific level is inherited by the lower level.

The no form of the command removes the check-zero command from the configuration.

Parameters

enable

Specifies to reject RIP messages which do not have zero in the RIPv1 and RIPv2 mandatory fields.

disable

Allows receipt of RIP messages which do not have the mandatory zero fields reset.

Platforms

7705 SAR Gen 2
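A sketch of what the check-zero validation and its global/group/neighbor inheritance amount to, covering both check-zero entries above. This is an added example, not SR OS code: it handles RIPv1/RIPv2 messages only (not RIPng), the function names and sample packets are constructed, and treating the two-octet header field after the version as must-be-zero for version 2 as well is an assumption of the sketch.

```python
import struct
from typing import List, Optional

RIP_HEADER = struct.Struct("!BBH")    # command, version, must-be-zero
RIP_ENTRY = struct.Struct("!HHIIII")  # AFI, mbz, address, mbz, mbz, metric (RIPv1)


def nonzero_mbz_fields(packet: bytes) -> List[str]:
    """Return the names of must-be-zero fields that carry a non-zero value."""
    body = len(packet) - RIP_HEADER.size
    if body < 0 or body % RIP_ENTRY.size:
        raise ValueError("truncated or misaligned RIP message")
    _command, version, header_mbz = RIP_HEADER.unpack_from(packet, 0)
    bad = []
    if header_mbz:
        bad.append("header.mbz")
    if version == 1:
        # In RIPv2 these positions carry route tag, subnet mask and next hop,
        # so the per-entry check applies to version 1 messages only.
        offsets = range(RIP_HEADER.size, len(packet), RIP_ENTRY.size)
        for i, off in enumerate(offsets):
            _afi, m0, _addr, m1, m2, _metric = RIP_ENTRY.unpack_from(packet, off)
            for n, val in enumerate((m0, m1, m2)):
                if val:
                    bad.append(f"entry[{i}].mbz[{n}]")
    return bad


def effective_check_zero(global_: Optional[str] = None,
                         group: Optional[str] = None,
                         neighbor: Optional[str] = None) -> bool:
    """Most specific configured level wins; None models 'no check-zero'."""
    for level in (neighbor, group, global_):
        if level is not None:
            return level == "enable"
    return False  # nothing configured anywhere: the check is off


def accept(packet: bytes, global_: Optional[str] = None,
           group: Optional[str] = None, neighbor: Optional[str] = None) -> bool:
    """Decide whether a received RIP message passes the check-zero policy."""
    if not effective_check_zero(global_, group, neighbor):
        return True
    return not nonzero_mbz_fields(packet)


# Constructed RIPv1 responses advertising 192.0.2.0 with metric 1.
CLEAN = RIP_HEADER.pack(2, 1, 0) + RIP_ENTRY.pack(2, 0, 0xC0000200, 0, 0, 1)
# Same route, but a mask-like value sits in a must-be-zero field.
DIRTY = RIP_HEADER.pack(2, 1, 0) + RIP_ENTRY.pack(2, 0, 0xC0000200, 0xFFFFFF00, 0, 1)

if __name__ == "__main__":
    print(nonzero_mbz_fields(DIRTY))
    print(accept(DIRTY, global_="enable"))
    print(accept(DIRTY, global_="enable", neighbor="disable"))
```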

checksum

checksum

Syntax

checksum {md5 | sha256} file-url

Context

[Tree] (file checksum)

Full Context

file checksum

Description

This command computes and displays a checksum for a file.

Parameters

md5

Specifies the use of the MD5 algorithm to produce the file checksum.

sha256

Specifies the use of the SHA-256 algorithm to produce the file checksum.

file-url

Specifies the location of the file.

Values

local-url

[cflash-id/][file-path] up to 200 characters, including cflash-id directory length 99 chars max each

remote-url

[{ftp:// | tftp:// | http:// | https://}login:pswd@remote-locn/][file-path]

up to 247 characters

directory length up to 199 characters

remote-locn

[hostname | ipv4-address | [ipv6-address]]

ipv4-address

a.b.c.d

ipv6-address

x:x:x:x:x:x:x:x[-interface]

x:x:x:x:x:x:d.d.d.d[-interface]

x - [0 to FFFF]H

d - [0 to 255]D

interface - up to 32 characters, for link local addresses 255

cflash-id

cf1:, cf1-A:, cf1-B:, cf2:, cf2-A:, cf2-B:, cf3:, cf3-A:, cf3-B:

Platforms

7705 SAR Gen 2

chli-event

chli-event

Syntax

chli-event {forward | backward | aggregate} threshold raise-threshold [clear clear-threshold]

no chli-event {forward | backward | aggregate}

Context

[Tree] (config>oam-pm>session>ip>twamp-light>loss-events chli-event)

Full Context

configure oam-pm session ip twamp-light loss-events chli-event

Description

This command sets the consecutive high loss interval (CHLI) threshold to be monitored and the associated thresholds using the counter of the specified direction. The aggregate is a function of summing forward and backward. This value is only used as a threshold mechanism and is not part of the stored statistics.

If the optional clear clear-threshold parameter is not specified, the traffic crossing alarm is stateless. Stateless means the state is not carried forward to other measurement intervals. Each measurement interval is analyzed independently and regardless of any previous window. Each unique event can only be raised once within a measurement interval.

If the optional clear clear-threshold parameter is specified, the traffic crossing alarm uses stateful behavior. Stateful means each unique previous event state is carried forward to following measurement intervals. If a threshold crossing event is raised, another is raised until a measurement interval completes and the clear threshold has not been exceeded. A clear event is raised under that condition.

The no form of this command removes the event threshold for frame loss ratio. The direction must be included with the no command.

Default

no chli-event forward

no chli-event backward

no chli-event aggregate

Parameters

forward

Specifies the threshold is applied to the forward direction count.

backward

Specifies the threshold is applied to the backward direction count.

aggregate

Specifies the threshold is applied to the aggregate count (sum of forward and backward).

raise-threshold

Specifies the numerical value compared to the CHLI counter that is the rising threshold that determines when the event is to be generated, when the percentage of loss value is reached.

Values

1 to 864000

clear-threshold

Specifies an optional numerical value compared to the CHLI counter used for stateful behavior that allows the operator to configure a value lower than the rising percentage to indicate when the clear event should be generated.

Values

0 to 863999

A value of zero means that the CHLI counter must be 0.

Platforms

7705 SAR Gen 2

cipher

cipher

Syntax

cipher index name cipher-name

no cipher index

Context

[Tree] (config>system>security>ssh>server-cipher-list cipher)

[Tree] (config>system>security>ssh>client-cipher-list cipher)

Full Context

configure system security ssh server-cipher-list cipher

configure system security ssh client-cipher-list cipher

Description

This command configures a cipher. Client-ciphers are used when the SR OS is acting as an SSH client. Server-ciphers are used when the SR OS is acting as an SSH server.

The no form of this command removes the index and cipher name from the configuration.

Default

no cipher index

Parameters

index

Specifies the index of the cipher in the list.

Values

1 to 255

cipher-name

Specifies the algorithm used when performing encryption or decryption.

Values

Client ciphers: 3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, aes256-ctr.

Server ciphers: 3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, aes256-ctr.

The following table lists the default ciphers used for SSHv2.

Table 2. SSHv2 Default Ciphers

Cipher index value    Cipher name
190                   aes256-ctr
192                   aes192-ctr
194                   aes128-ctr
200                   aes128-cbc
205                   3des-cbc
225                   aes192-cbc
230                   aes256-cbc

Platforms

7705 SAR Gen 2

cipher

Syntax

cipher index name cipher-suite-code

no cipher index

Context

[Tree] (config>system>security>tls>server-cipher-list cipher)

[Tree] (config>system>security>tls>client-cipher-list cipher)

Full Context

configure system security tls server-cipher-list cipher

configure system security tls client-cipher-list cipher

Description

This command configures the cipher suite to be negotiated by the server and client.

Parameters

index

Specifies the index number. The index number provides the location of the cipher in the negotiation list, with the lower index numbers being higher in the negotiation list and the higher index numbers being at the bottom of the list.

Values

1 to 255

cipher-suite-code

Specifies the cipher suite code.

Values

tls-rsa-with-3des-ede-cbc-sha

tls-rsa-with-aes128-cbc-sha

tls-rsa-with-aes256-cbc-sha

tls-rsa-with-aes128-cbc-sha256

tls-rsa-with-aes256-cbc-sha256

tls-rsa-with-aes128-gcm-sha256

tls-rsa-with-aes256-gcm-sha384

tls-ecdhe-rsa-aes128-gcm-sha256

tls-ecdhe-rsa-aes256-gcm-sha384

Platforms

7705 SAR Gen 2
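An audit sketch for the SSH and TLS cipher lists described above: it parses lines in the documented "cipher index name ..." form, orders them by index and flags legacy algorithms placed ahead of stronger ones. This is an added example, not SR OS code; the function names and the sample TLS list are constructed, and applying "lower index is negotiated first" to the SSH list is an assumption, since the page states that ordering rule only for TLS.

```python
import re
from typing import Dict, List, Tuple

CIPHER_LINE = re.compile(r"^\s*cipher\s+(\d+)\s+name\s+(\S+)\s*$")
Entry = Tuple[int, str, List[str]]  # (index, cipher name, findings)


def findings_for(name: str) -> List[str]:
    """Classify a cipher or cipher-suite name by its well-known weaknesses."""
    out = []
    if "3des" in name:
        out.append("3DES: 64-bit block cipher")
    if "-cbc" in name:
        out.append("CBC mode: prefer CTR or GCM")
    if name.startswith("tls-rsa-with-"):
        out.append("static RSA key exchange: no forward secrecy")
    if name.startswith("tls-") and name.endswith("-sha"):
        out.append("HMAC-SHA1 MAC")
    return out


def audit(config: str) -> List[Entry]:
    """Parse cipher lines and return entries sorted by index."""
    seen: Dict[int, str] = {}
    for line in config.splitlines():
        m = CIPHER_LINE.match(line)
        if not m:
            continue  # ignore anything that is not a cipher line
        index, name = int(m.group(1)), m.group(2)
        if not 1 <= index <= 255:
            raise ValueError(f"index {index} outside 1 to 255")
        if index in seen:
            raise ValueError(f"index {index} configured twice in input")
        seen[index] = name
    return [(i, seen[i], findings_for(seen[i])) for i in sorted(seen)]


def misordered(entries: List[Entry]) -> List[int]:
    """Indexes of flagged entries that sit ahead of an unflagged entry."""
    clean = [i for i, _, f in entries if not f]
    if not clean:
        return []
    return [i for i, _, f in entries if f and i < max(clean)]


# Constructed TLS cipher list, deliberately entered out of order.
TLS_SAMPLE = """
cipher 30 name tls-ecdhe-rsa-aes256-gcm-sha384
cipher 10 name tls-rsa-with-3des-ede-cbc-sha
cipher 20 name tls-rsa-with-aes128-gcm-sha256
"""

# The SSHv2 defaults from Table 2, written in the documented syntax.
SSH_DEFAULTS = """
cipher 190 name aes256-ctr
cipher 192 name aes192-ctr
cipher 194 name aes128-ctr
cipher 200 name aes128-cbc
cipher 205 name 3des-cbc
cipher 225 name aes192-cbc
cipher 230 name aes256-cbc
"""

if __name__ == "__main__":
    for label, text in (("TLS sample", TLS_SAMPLE), ("SSH defaults", SSH_DEFAULTS)):
        entries = audit(text)
        print(label, "misordered indexes:", misordered(entries))
        for index, name, found in entries:
            print(f"  {index:3d} {name}: {'; '.join(found) or 'ok'}")
```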

cipher-list

cipher-list

Syntax

cipher-list name

no cipher-list

Context

[Tree] (config>system>security>tls>client-tls-profile cipher-list)

Full Context

configure system security tls client-tls-profile cipher-list

Description

This command assigns the cipher list to be used by the TLS client profile for negotiation in the client Hello message.

Parameters

name

Specifies the name of the cipher list.

Platforms

7705 SAR Gen 2

cipher-list

Syntax

cipher-list name

no cipher-list

Context

[Tree] (config>system>security>tls>server-tls-profile cipher-list)

Full Context

configure system security tls server-tls-profile cipher-list

Description

This command assigns a cipher list to be used by the TLS server profile. This cipher list is used to find matching ciphers with the cipher list that is received from the client.

The no form of the command removes the cipher list.

Parameters

name

Specifies the name of the cipher list, up to 32 characters in length.

Platforms

7705 SAR Gen 2

cipher-suite

cipher-suite

Syntax

cipher-suite cipher-suite

no cipher-suite

Context

[Tree] (config>macsec>connectivity-association cipher-suite)

Full Context

configure macsec connectivity-association cipher-suite

Description

This command configures encryption of data path PDUs. When all parties in the Connectivity Association (CA) have the SAK, they use the above algorithm in conjunction with the SAK to encrypt the data path PDUs.

The XPN 64 bit (extended packet number) can be used for higher rate ports such as 10 GigE to minimize the window rollover and renegotiation of the SAK.

The no form of this command disables encryption of data path PDUs.

Default

cipher-suite gcm-aes-128

Parameters

cipher-suite

Specifies the algorithm.

Values

gcm-aes-128 — algorithm is used for control plane encryption

gcm-aes-256 — algorithm is used for control plane encryption

gcm-aes-xpn-128 — algorithm with extended packet number is used for control plane encryption

gcm-aes-xpn-256 — algorithm with extended packet number is used for control plane encryption

Platforms

7705 SAR Gen 2

circuit-id

circuit-id

Syntax

circuit-id string ascii-string

circuit-id hex hex-string

no circuit-id

Context

[Tree] (config>subscr-mgmt>loc-user-db>ipoe>host>host-ident circuit-id)

Full Context

configure subscriber-mgmt local-user-db ipoe host host-identification circuit-id

Description

This command specifies the circuit ID to match for a host lookup. When the LUDB is accessed using a DHCPv4 server, the circuit ID is matched against DHCP Option 82.

Note:

This command is only used when circuit-id is configured as one of the match-list parameters.

The no form of this command removes the circuit ID from the configuration.

Parameters

ascii-string

Specifies the circuit ID from the Option 82, up to 127 characters.

hex-string

Specifies the circuit ID in hexadecimal format from the Option 82.

Values

0x0 to 0xFFFFFFFF (maximum 254 hex nibbles)

Platforms

7705 SAR Gen 2

circuit-id

Syntax

circuit-id

circuit-id {ascii-tuple | if-index | sap-id | vlan-ascii-tuple}

circuit-id hex [hex-string]

no circuit-id

Context

[Tree] (config>service>vprn>if>dhcp>option circuit-id)

[Tree] (config>service>vpls>sap>dhcp>option circuit-id)

[Tree] (config>service>ies>if>dhcp>option circuit-id)

Full Context

configure service vprn interface dhcp option circuit-id

configure service vpls sap dhcp option circuit-id

configure service ies interface dhcp option circuit-id

Description

When enabled, the router sends an ASCII-encoded tuple in the circuit-id sub-option of the DHCP packet. This ASCII-tuple consists of the access-node-identifier, service-id, and SAP-ID, separated by "|". If no keyword is configured, then the circuit-id sub-option will not be part of the information option (Option 82). When the command is configured without any parameters, it is equivalent to circuit-id ascii-tuple.

To send a tuple in the circuit ID, the action replace command must be configured in the same context.

If disabled, the circuit-id sub-option of the DHCP packet is left empty.

The no form of this command specifies to leave the circuit-id option of the packet empty.

Default

circuit-id ascii-tuple

Parameters

ascii-tuple

Specifies that the ASCII-encoded concatenated tuple consisting of the access-node-identifier, service-id, and interface-name is used.

ifindex

Specifies that the interface index is used. The If Index of a router interface can be displayed using the command show>router>if>detail.

sap-id

Specifies that the SAP identifier is used.

vlan-ascii-tuple

Specifies that the format will include VLAN-id and dot1p bits in addition to what is included in ascii-tuple already. The format is supported on dot1q and qinq ports only. Thus, when the Option 82 bits are stripped, dot1p bits are copied to the Ethernet header of an outgoing packet.

hex-string

Specifies the hex value of this option.

Values

0x0 to 0xFFFFFFFF...(up to 64 hex nibbles)

Platforms

7705 SAR Gen 2

circuit-id

Syntax

circuit-id {ascii-tuple | ifindex | if-name | port-id | vlan-ascii-tuple | none}

no circuit-id

Context

[Tree] (config>router>if>dhcp>option circuit-id)

Full Context

configure router interface dhcp option circuit-id

Description

When enabled, the router sends the interface index (If Index) in the circuit-id suboption of the DHCP packet. The If Index of a router interface can be displayed using the command show router interface detail. This option specifies data that must be unique to the router that is relaying the circuit.

If disabled, the circuit-id suboption of the DHCP packet will be left empty.

The no form of this command returns the system to the default.

Default

circuit-id ascii-tuple

Parameters

ascii-tuple

Specifies that the ASCII-encoded concatenated tuple will be used which consists of the access-node-identifier, service-id, and interface-name, separated by a pipe ( | ).

ifindex

Specifies that the interface index will be used. The If Index of a router interface can be displayed using the command show router interface detail.

if-name

Specifies the interface name.

port-id

Specifies the port ID.

vlan-ascii-tuple

Specifies that the format will include VLAN-id and dot1p bits in addition to what is included in ascii-tuple already. The format is supported on dot1q and qinq ports only. Therefore, when the Option 82 bits are stripped, dot1p bits will be copied to the Ethernet header of an outgoing packet.

none

Specifies that no circuit should be used.

Platforms

7705 SAR Gen 2

ckn

ckn

Syntax

ckn hex-string

no ckn

Context

[Tree] (config>macsec>conn-assoc>static-cak>pre-shared-key ckn)

Full Context

configure macsec connectivity-association static-cak pre-shared-key ckn

Description

Specifies the connectivity association key name (CKN) for a pre-shared key.

CKN is appended to the MKA for identification of the appropriate CAK by the peer.

The no form of this command reverts to the default value.

Parameters

hex-string

Specifies the value of the CKN.

Values

32 octets char (64 hex)

Platforms

7705 SAR Gen 2

class-type

class-type

Syntax

class-type ct-number

no class-type

Context

[Tree] (config>router>mpls>lsp>primary class-type)

[Tree] (config>router>mpls>lsp-template class-type)

[Tree] (config>router>mpls>lsp class-type)

[Tree] (config>router>mpls>lsp>secondary class-type)

Full Context

configure router mpls lsp primary class-type

configure router mpls lsp-template class-type

configure router mpls lsp class-type

configure router mpls lsp secondary class-type

Description

This command configures the Diff-Serv Class Type (CT) for an LSP, the LSP primary path, or the LSP secondary path. The path level configuration overrides the LSP level configuration. However, only one CT per LSP path will be allowed as per RFC 4124.

The signaled CT of a dynamic bypass is always CT0 regardless of the CT of the primary LSP path. The setup and hold priorities must be set to default values, that is, 7 and 0 respectively. This assumes that the operator configured a couple of TE classes, one which combines CT0 and a priority of 7 and the other which combines CT0 and a priority of 0. If not, the bypass LSP will not be signaled and will go into the down state.

The operator cannot configure the CT, setup priority, and hold priority of a manual bypass. They are always signaled with CT0 and the default setup and holding priorities.

The signaled CT and setup priority of a detour LSP must match those of the primary LSP path it is associated with.

If the operator changes the CT of an LSP or of an LSP path, or changes the setup and holding priorities of an LSP path, the path will be torn down and retried.

An LSP which does not have the CT explicitly configured will behave like a CT0 LSP when Diff-Serv is enabled.

If the operator configured a combination of a CT and a setup priority and/or a combination of a CT and a holding priority for an LSP path that are not supported by the user-defined TE classes, the LSP path will be kept in a down state and an error code will be displayed in the show command output for the LSP path.

The no form of this command reverts to the default value.

Default

class-type 0

Parameters

ct-number

Specifies the Diff-Serv Class Type number.

Values

0 to 7

Platforms

7705 SAR Gen 2

class-type-bw

class-type-bw

Syntax

class-type-bw ct0 %-link-bandwidth ct1 %-link-bandwidth ct2 %-link-bandwidth ct3 %-link-bandwidth ct4 %-link-bandwidth ct5 %-link-bandwidth ct6 %-link-bandwidth ct7 %-link-bandwidth

no class-type-bw

Context

[Tree] (config>router>rsvp>interface class-type-bw)

[Tree] (config>router>rsvp>diffserv-te class-type-bw)

Full Context

configure router rsvp interface class-type-bw

configure router rsvp diffserv-te class-type-bw

Description

This command configures the percentage of RSVP interface bandwidth each CT shares, for example, the Bandwidth Constraint (BC).

The absolute value of the CT share of the interface bandwidth is derived as the percentage of the bandwidth advertised by IGP in the Maximum Reservable Link Bandwidth TE parameter, for example, the link bandwidth multiplied by the RSVP interface subscription percentage parameter.

Note:

This configuration also exists at RSVP interface level and the interface specific configured value overrides the global configured value. The BC value can be changed at any time.

The RSVP interface subscription percentage parameter is configured in the config>router>rsvp>interface context.

The operator can specify the Bandwidth Constraint (BC) for a CT which is not used in any of the TE class definitions, but that BC does not get used by any LSP originating or transiting this node.

When Diff-Serv is disabled on the node, this model degenerates into a single default CT internally with eight preemption priorities and a non-configurable BC equal to the Maximum Reservable Link Bandwidth. This would behave exactly like CT0 with eight preemption priorities and BC= Maximum Reservable Link Bandwidth if Diff-Serv was enabled.

The no form of this command reverts to the default value.

Parameters

ct0 (ct1/ct2/ —ct7) %link-bandwidth

The Diff-Serv Class Type number. One or more system forwarding classes can be mapped to a CT.

Values

0 to 100 %

Default

0

Platforms

7705 SAR Gen 2

classic-cli

classic-cli

Syntax

classic-cli

Context

[Tree] (config>system>management-interface>cli classic-cli)

Full Context

configure system management-interface cli classic-cli

Description

Commands in this context configure the classic CLI management interface.

Platforms

7705 SAR Gen 2

classic-cli

Syntax

classic-cli

Context

[Tree] (config>system>security>management-interface classic-cli)

Full Context

configure system security management-interface classic-cli

Description

Commands in this context configure hash-control for the classic CLI interface.

Platforms

7705 SAR Gen 2

classic-lsn-max-subscriber-limit

classic-lsn-max-subscriber-limit

Syntax

classic-lsn-max-subscriber-limit max

no classic-lsn-max-subscriber-limit

Context

[Tree] (config>router>nat>inside classic-lsn-max-subscriber-limit)

[Tree] (config>service>vprn>nat>inside classic-lsn-max-subscriber-limit)

Full Context

configure router nat inside classic-lsn-max-subscriber-limit

configure service vprn nat inside classic-lsn-max-subscriber-limit

Description

This command sets the granularity of traffic distribution in the upstream direction across the MS-ISA within the scope of an inside routing context. The traffic distribution mechanism is based on the source IPv4 addresses or prefixes. Distribution based on the IPv4 address is more granular, while distribution based on the IPv4 prefix (determined by prefix length) is less granular. The granularity decreases further with shorter prefix lengths.

For example, a prefix length of 32 will distribute individual /32 IPv4 addresses over multiple MS-ISAs in an ISA group. This will ensure better traffic load balancing at the expense of forwarding table utilization on the outside (public side) where each /32 is installed in the forwarding table. On the contrary, shorter prefixes will ensure better utilization of the forwarding table on the outside, at the expense of coarser spread of IP addresses over multiple MS-ISAs.

This command affects all flavors of LSN44 within the inside routing contexts, although its primary use is intended for deterministic NAT and dnat-only.

The length of the prefix that is used for distribution purposes is (32-n), where 2^n= classic-lsn-max-subscriber-limit. For example, if traffic distribution is based on the IPv4 address (prefix length = 32), then n must be 0. From here, it follows that classic-lsn-max-subscriber-limit must be set to 1:

Prefix length = 32 -> 32-n = 32 -> n = 0 -> 2^0 = 1 = classic-lsn-max-subscriber-limit

classic-lsn-max-subscriber-limit = 1

The implicit method given by this command uses power of 2 calculations to provide prefix length for traffic distribution purposes. This roundabout approach to determine the prefix-length has roots in deterministic NAT where this command was originally introduced.

Even though deterministic NAT and dnat-only have very little in common, the method (and CLI syntax) for calculating the prefix length using the classic-lsn-max-subscriber-limit parameter for traffic distribution purposes is shared between the two. In dnat-only, this parameter is important from an operational perspective since it affects traffic load balancing over MS-ISA and the size of the routing table.

This command must be configured before any prefix is configured and can be modified only if there are no prefixes configured under the deterministic NAT.
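The (32-n) rule above, worked through for several values and applied to source addresses. This is an added example, not part of the original reference or of SR OS; the function names and the sample addresses are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Allowed range for classic-lsn-max-subscriber-limit, as listed under Values.
MIN_LIMIT, MAX_LIMIT = 1, 32768


def distribution_prefix_length(limit: int) -> int:
    """Return the prefix length (32 - n), where 2^n = classic-lsn-max-subscriber-limit."""
    # A power of 2 has exactly one bit set, so limit & (limit - 1) is 0.
    if not MIN_LIMIT <= limit <= MAX_LIMIT or limit & (limit - 1):
        raise ValueError(f"{limit} is not a power of 2 in {MIN_LIMIT}..{MAX_LIMIT}")
    n = limit.bit_length() - 1
    return 32 - n


def distribution_units(sources, limit: int) -> dict:
    """Group inside source addresses by the prefix that is used for distribution.

    Addresses that share a prefix form one unit of distribution; a shorter
    prefix means fewer, larger units (coarser spread over the MS-ISAs).
    """
    plen = distribution_prefix_length(limit)
    units = defaultdict(list)
    for src in sources:
        net = ipaddress.ip_network(f"{src}/{plen}", strict=False)
        units[str(net)].append(src)
    return dict(units)


# Constructed sample inside source addresses (hypothetical, not from the page).
SAMPLE_SOURCES = ["10.0.0.1", "10.0.0.2", "10.0.0.5", "10.0.1.9"]

if __name__ == "__main__":
    for limit in (1, 4, 256, 32768):
        plen = distribution_prefix_length(limit)
        units = distribution_units(SAMPLE_SOURCES, limit)
        print(f"limit={limit:<6} prefix=/{plen:<3} units={len(units)}")
        for prefix, members in units.items():
            print(f"    {prefix:<16} {members}")
```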

Parameters

max

The power of 2 (2^n) value which in deterministic NAT must match the largest subscriber-limit value in any deterministic pool referenced from this inside routing instance.

In dnat-only, this value can be set to any value from the allowed range.

In both cases, this value will determine the prefix-length (17-32) that will directly influence load distribution between the MS-ISAs and the size of the routing table.

Values

1,2,4,8 to 32768

Platforms

7705 SAR Gen 2

clear

clear

Syntax

clear

Context

[Tree] (admin clear)

Full Context

admin clear

Description

Commands in this context clear statistics.

Platforms

7705 SAR Gen 2

clear

Syntax

clear [now]

Context

[Tree] (admin>system>license clear)

Full Context

admin system license clear

Description

This command removes the entitlements that were installed using a license file.

All the entitlements must be unallocated; otherwise, the command fails.

Parameters

now

Keyword used to specify the immediate removal of the license file entitlements. If the now keyword is not present, the user is prompted to confirm the removal.

Platforms

7705 SAR Gen 2

clear-df-bit

clear-df-bit

Syntax

[no] clear-df-bit

Context

[Tree] (config>service>ies>if>sap>ip-tunnel clear-df-bit)

[Tree] (config>service>vprn>if>sap>ipsec-tunnel clear-df-bit)

[Tree] (config>router>if>ipsec>ipsec-tunnel clear-df-bit)

[Tree] (config>service>ies>if>ipsec>ipsec-tunnel clear-df-bit)

Full Context

configure service ies interface sap ip-tunnel clear-df-bit

configure service vprn interface sap ipsec-tunnel clear-df-bit

configure router interface ipsec ipsec-tunnel clear-df-bit

configure service ies interface ipsec ipsec-tunnel clear-df-bit

Description

This command instructs the MS-ISA to reset the DF bit to 0 in all payload IP packets associated with the GRE or IPsec tunnel, before any potential fragmentation resulting from the ip-mtu command (this requires a modification of the header checksum).

The no form of this command disables the DF bit reset.

Default

no clear-df-bit

Platforms

7705 SAR Gen 2

clear-df-bit

Syntax

[no] clear-df-bit

Context

[Tree] (config>ipsec>tnl-temp clear-df-bit)

Full Context

configure ipsec tunnel-template clear-df-bit

Description

This command enables clearing of the Do-not-Fragment bit.

Default

no clear-df-bit

Platforms

7705 SAR Gen 2

clear-ocsp-cache

clear-ocsp-cache

Syntax

clear-ocsp-cache [entry-id]

Context

[Tree] (admin>certificate clear-ocsp-cache)

Full Context

admin certificate clear-ocsp-cache

Description

This command clears the current OCSP response cache. If optional issuer and serial-number are not specified, then all current cached results are cleared.

Parameters

entry-id

Specifies the local cache entry identifier of the certificate to clear.

Values

1 to 2000

Platforms

7705 SAR Gen 2

clear-request

clear-request

Syntax

clear-request ca ca-profile-name

Context

[Tree] (admin>certificate>cmpv2 clear-request)

Full Context

admin certificate cmpv2 clear-request

Description

This command clears current pending CMPv2 requests toward the specified CA. If there are no pending requests, it clears the saved result of the prior request.

Parameters

ca ca-profile-name

Specifies a ca-profile name up to 32 characters.

Platforms

7705 SAR Gen 2

clear-tag-mode

clear-tag-mode

Syntax

clear-tag-mode clear-tag-mode

no clear-tag-mode

Context

[Tree] (config>macsec>connectivity-association clear-tag-mode)

Full Context

configure macsec connectivity-association clear-tag-mode

Description

This command puts 802.1Q tags in cleartext before the SecTAG. There are two modes: single-tag and dual-tag.

Table 3 (Encrypted Dot1q and QinQ Packet Format) explains the encrypted dot1q and QinQ packet format when clear-tag-mode single-tag or dual-tag is configured.

The no form of this command puts all dot1q tags encrypted after the SecTAG.

Table 3. Encrypted Dot1q and QinQ Packet Format

| Unencrypted format | Clear-tag-mode | Pre-encryption (Tx) | Pre-decryption (Rx) |
|---|---|---|---|
| Single tag (dot1q) | single-tag | DA, SA, TPID, VID, Etype | DA, SA, TPID, VID, SecTag |
| Single tag (dot1q) | dual-tag | DA, SA, TPID, VID, Etype | DA, SA, TPID, VID, SecTag |
| Double tag (QinQ) | single-tag | DA, SA, TPID1, VID1, TPID2, VID2, Etype | DA, SA, TPID1, VID1, SecTag |
| Double tag (QinQ) | dual-tag | DA, SA, TPID1, VID1, TPID2, VID2, Etype | DA, SA, TPID1, VID1, TPID2, VID2, SecTag |
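The rows of Table 3 expressed as code: given a frame and the configured clear-tag-mode, which header fields stay in cleartext ahead of the SecTAG. This is an added example, not SR OS code; the function names and the sample frames are constructed, and the handling of untagged frames is an assumption because the table does not cover them.

```python
import struct

VLAN_TPIDS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad tag protocol identifiers
# Number of 802.1Q tags left before the SecTAG; None models "no clear-tag-mode".
CLEAR_TAG_LIMIT = {None: 0, "single-tag": 1, "dual-tag": 2}


def build_frame(vlans, ethertype=0x0800):
    """Constructed test frame: zeroed DA and SA, the given (tpid, vid) tags, Etype, dummy payload."""
    frame = bytes(6) + bytes(6)
    for tpid, vid in vlans:
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + b"payload"


def count_vlan_tags(frame: bytes) -> int:
    """Count the 802.1Q tags (at most two) that follow DA and SA."""
    tags, offset = 0, 12
    while tags < 2 and len(frame) >= offset + 4:
        (tpid,) = struct.unpack_from("!H", frame, offset)
        if tpid not in VLAN_TPIDS:
            break
        tags += 1
        offset += 4
    return tags


def sectag_offset(frame: bytes, mode) -> int:
    """Byte offset where the SecTAG is placed; every byte before it is sent in cleartext."""
    if mode not in CLEAR_TAG_LIMIT:
        raise ValueError(f"unknown clear-tag-mode: {mode!r}")
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    # Assumption: an untagged frame has no tag to expose, so the offset stays at 12.
    clear_tags = min(count_vlan_tags(frame), CLEAR_TAG_LIMIT[mode])
    return 12 + 4 * clear_tags


def clear_fields(frame: bytes, mode) -> list:
    """Header layout up to the SecTAG, in the field notation of Table 3."""
    clear_tags = (sectag_offset(frame, mode) - 12) // 4
    numbered = count_vlan_tags(frame) == 2  # the table numbers fields only for QinQ
    fields = ["DA", "SA"]
    for i in range(1, clear_tags + 1):
        suffix = str(i) if numbered else ""
        fields += [f"TPID{suffix}", f"VID{suffix}"]
    return fields + ["SecTag"]


# Constructed sample frames (VLAN IDs are arbitrary).
DOT1Q = build_frame([(0x8100, 100)])
QINQ = build_frame([(0x88A8, 200), (0x8100, 100)])

if __name__ == "__main__":
    for name, frame in (("dot1q", DOT1Q), ("QinQ", QINQ)):
        for mode in (None, "single-tag", "dual-tag"):
            print(f"{name:<6} {str(mode):<11} {', '.join(clear_fields(frame, mode))}")
```

Any tag listed before SecTag in the output is visible on the wire, so the mode determines how much VLAN information is exposed on the link.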

Default

no clear-tag-mode

Parameters

clear-tag-mode

Specifies the clear tag mode.

Values

single-tag, dual-tag

Platforms

7705 SAR Gen 2

cli

cli

Syntax

cli

Context

[Tree] (config>system>management-interface cli)

Full Context

configure system management-interface cli

Description

Commands in this context configure the CLI management interfaces.

Platforms

7705 SAR Gen 2

cli

Syntax

cli {warning | info}

Context

[Tree] (config>system>management-interface>cli>md-cli>environment>message-severity-level cli)

Full Context

configure system management-interface cli md-cli environment message-severity-level cli

Description

This command specifies the threshold for CLI messages.

Default

cli info

Parameters

warning

Specifies that WARNING messages are displayed but INFO messages are suppressed.

info

Specifies that INFO messages and WARNING messages are displayed.

Platforms

7705 SAR Gen 2

cli-engine

cli-engine

Syntax

cli-engine {classic-cli | md-cli} [{classic-cli | md-cli}]

no cli-engine

Context

[Tree] (config>system>management-interface>cli cli-engine)

Full Context

configure system management-interface cli cli-engine

Description

This command configures the system-wide CLI engine. The operator can configure one or both engines. For the configuration to take effect, exit the running CLI session and start a new session after committing the new value.

Parameters

classic-cli

Specifies the classic CLI.

md-cli

Specifies the MD-CLI.

Platforms

7705 SAR Gen 2

cli-script

cli-script

Syntax

cli-script

Context

[Tree] (config>system>security cli-script)

Full Context

configure system security cli-script

Description

Commands in this context configure the security parameters in the system.

Platforms

7705 SAR Gen 2

cli-session-group

cli-session-group

Syntax

cli-session-group session-group-name [create]

no cli-session-group session-group-name

Context

[Tree] (config>system>security cli-session-group)

Full Context

configure system security cli-session-group

Description

This command is used to configure a session group that can be used to limit the number of CLI sessions available to members of the group.

Parameters

session-group-name

Specifies a particular session group.

Platforms

7705 SAR Gen 2

cli-user

cli-user

Syntax

cli-user user-name

no cli-user

Context

[Tree] (config>system>security>cli-script>authorization>event-handler cli-user)

[Tree] (config>system>security>cli-script>authorization>cron cli-user)

Full Context

configure system security cli-script authorization event-handler cli-user

configure system security cli-script authorization cron cli-user

Description

This command configures the user context under which various types of CLI scripts should execute in order to authorize the script commands. TACACS+ and RADIUS users and authorization are not permitted for cli-script authorization.

The no form of this command configures scripts to execute with no restrictions and without performing authorization.

Default

no cli-user

Parameters

user-name

The name of a user in the local node database. TACACS+ or RADIUS users cannot be used. The user configuration should reference a valid local profile for authorization.

Platforms

7705 SAR Gen 2

client

client

Syntax

client client-index [create]

no client client-index

Context

[Tree] (config>ipsec>client-db client)

Full Context

configure ipsec client-db client

Description

This command creates a new IPsec client entry in the client-db or enters the configuration context of an existing client entry.

There may be multiple client entries defined in the same client-db. If there are multiple entries that match the new tunnel request, then the system will select the entry that has smallest client-index.

The no form of this command reverts to the default.

Parameters

client-index

Specifies the ID of the client entry.

Values

1 to 8000

create

Keyword used to create the security policy instance. The create keyword requirement can be enabled or disabled in the environment>create context.

Platforms

7705 SAR Gen 2

client

Syntax

client all

client ip-address

no client

Context

[Tree] (debug>system>grpc client)

Full Context

debug system grpc client

Description

This command enables debug output for all clients or for a particular client.

The no form of this command deactivates debugging for all clients.

Parameters

all

Specifies that debugging will occur for all clients.

ip-address

Specifies the IPv4 or IPv6 address of the client.

Platforms

7705 SAR Gen 2

client

Syntax

client

Context

[Tree] (config>system>security>ssh>key-re-exchange client)

Full Context

configure system security ssh key-re-exchange client

Description

Commands in this context enable the key re-exchange for SR OS as an SSH client.

Platforms

7705 SAR Gen 2

client-cert-subject-key-id

client-cert-subject-key-id

Syntax

[no] client-cert-subject-key-id

Context

[Tree] (config>ipsec>rad-auth-plcy>include client-cert-subject-key-id)

Full Context

configure ipsec radius-authentication-policy include-radius-attribute client-cert-subject-key-id

Description

This command enables the inclusion of the Subject Key Identifier of the peer's certificate in the RADIUS Access-Request packet as VSA: Alc-Subject-Key-Identifier.

Default

no client-cert-subject-key-id

Platforms

7705 SAR Gen 2

client-cipher-list

client-cipher-list

Syntax

client-cipher-list

Context

[Tree] (config>system>security>ssh client-cipher-list)

Full Context

configure system security ssh client-cipher-list

Description

Commands in this context configure a list of ciphers allowed by the SSH client.

Platforms

7705 SAR Gen 2

client-cipher-list

Syntax

client-cipher-list name [create]

no client-cipher-list name

Context

[Tree] (config>system>security>tls client-cipher-list)

Full Context

configure system security tls client-cipher-list

Description

This command creates a cipher list that the client sends to the server in the client Hello message. It is a list of ciphers that are supported and preferred by the SR OS to be used in the TLS session. The server matches this list against the server cipher list. The most preferred cipher found in both lists is chosen.

Parameters

name

Specifies the name of the client cipher list, up to 32 characters in length.

create

Keyword used to create the client cipher list.

Platforms

7705 SAR Gen 2

client-db

client-db

Syntax

client-db db-name [create]

no client-db db-name

Context

[Tree] (config>ipsec client-db)

Full Context

configure ipsec client-db

Description

This command creates a new IPsec client-db or enters the configuration context of an existing client-db.

An IPsec client-db can be used for IKEv2 dynamic LAN-to-LAN tunnel authentication and authorization. When a new tunnel request is received, the system will match the request to the client entries configured in client-db and use credentials returned by the matched client entry for authentication. If authentication succeeds, the system could also use the IPsec configuration parameters (such as private-service-id) returned by the matched entry to set up the tunnel.

The configured client-db is referenced under the ipsec-gw configuration context using the client-db command.

The no form of this command removes the db-name from the configuration.

Parameters

db-name

Specifies the name of this IPsec client, up to 32 characters.

create

Keyword used to create the security policy instance. The create keyword requirement can be enabled or disabled in the environment>create context.

Platforms

7705 SAR Gen 2

client-db

Syntax

client-db name

client-db name fallback

client-db name no-fallback

no client-db

Context

[Tree] (config>service>ies>if>sap>ipsec-gw client-db)

[Tree] (config>service>vprn>if>sap>ipsec-gw client-db)

Full Context

configure service ies interface sap ipsec-gw client-db

configure service vprn interface sap ipsec-gw client-db

Description

This command enables the use of an IPsec client database. The system uses the specified client database to authenticate IKEv2 dynamic LAN-to-LAN tunnels.

Default

no client-db

Parameters

name

Specifies the name of the client database.

fallback

Specifies whether or not this IPsec gateway falls back to the default authentication policy when the IPsec tunnel authentication request fails to match any clients in the IPsec database.

no-fallback

Specifies that if the client database lookup fails to return a matched result, the system will fail the tunnel setup.

Platforms

7705 SAR Gen 2

client-db

Syntax

[no] client-db db-name

Context

[Tree] (debug>ipsec client-db)

Full Context

debug ipsec client-db

Description

This command enables debugging for the specified IPsec client-db.

Parameters

db-name

Specifies the IPsec client database name, up to 32 characters.

Platforms

7705 SAR Gen 2

client-group-list

client-group-list

Syntax

client-group-list name [create]

no client-group-list name

Context

[Tree] (config>system>security>tls client-group-list)

Full Context

configure system security tls client-group-list

Description

This command configures a list of group suite codes that the client sends in a client Hello message.

The no form of this command removes the client group list.

Parameters

name

Specifies the name of the client group list, up to 32 characters.

create

Keyword used to create the client group list.

Platforms

7705 SAR Gen 2

client-host-key-list

client-host-key-list

Syntax

client-host-key-list

Context

[Tree] (config>system>security>ssh client-host-key-list)

Full Context

configure system security ssh client-host-key-list

Description

Commands in this context configure the list of host key algorithms negotiated by the SR OS acting as the SSH client.

Platforms

7705 SAR Gen 2

client-identification

client-identification

Syntax

client-identification

Context

[Tree] (config>ipsec>client-db>client client-identification)

Full Context

configure ipsec client-db client client-identification

Description

Commands in this context configure client ID information of this IPsec client.

If multiple match inputs are configured in the match-list of the client-db, then all corresponding match criteria must be configured for the client-entry.

Platforms

7705 SAR Gen 2

client-kex-list

client-kex-list

Syntax

client-kex-list

Context

[Tree] (config>system>security>ssh client-kex-list)

Full Context

configure system security ssh client-kex-list

Description

Commands in this context configure SSH KEX algorithms for SR OS as a client.

An empty list is the default list that the SSH KEX advertises. The default list contains the following:

ecdh-sha2-nistp512

ecdh-sha2-nistp384

ecdh-sha2-nistp256

diffie-hellman-group16-sha512

diffie-hellman-group14-sha256

diffie-hellman-group14-sha1

diffie-hellman-group-exchange-sha1

diffie-hellman-group1-sha1

Platforms

7705 SAR Gen 2

client-mac-address

client-mac-address

Syntax

[no] client-mac-address

Context

[Tree] (config>service>vpls>sap>dhcp>option>vendor client-mac-address)

[Tree] (config>service>vprn>if>dhcp>option>vendor client-mac-address)

[Tree] (config>service>ies>if>dhcp>option>vendor client-mac-address)

Full Context

configure service vpls sap dhcp option vendor-specific-option client-mac-address

configure service vprn interface dhcp option vendor-specific-option client-mac-address

configure service ies interface dhcp option vendor-specific-option client-mac-address

Description

This command enables the sending of the MAC address in the Nokia vendor-specific sub-option of the DHCP relay packet.

The no form of this command disables the sending of the MAC address in the Nokia vendor-specific sub-option of the DHCP relay packet.

Platforms

7705 SAR Gen 2

client-mac-list

client-mac-list

Syntax

client-mac-list

Context

[Tree] (config>system>security>ssh client-mac-list)

Full Context

configure system security ssh client-mac-list

Description

Commands in this context configure SSH MAC algorithms for SR OS as a client.

Platforms

7705 SAR Gen 2

client-name

client-name

Syntax

client-name name

no client-name

Context

[Tree] (config>ipsec>client-db>client client-name)

Full Context

configure ipsec client-db client client-name

Description

This command specifies the name of the client entry. The client name can be used in CLI navigation or in show commands.

Default

no client-name

Parameters

name

Specifies the name of the client.

Platforms

7705 SAR Gen 2

client-signature-list

client-signature-list

Syntax

client-signature-list name [create]

no client-signature-list name

Context

[Tree] (config>system>security>tls client-signature-list)

Full Context

configure system security tls client-signature-list

Description

This command configures a list of TLS 1.3-supported signature suite codes that the client sends in a client Hello message.

The no form of this command removes the client signature list.

Parameters

name

Specifies the name of the client signature list, up to 32 characters.

create

Keyword used to create the client signature list.

Platforms

7705 SAR Gen 2

client-tls-profile

client-tls-profile

Syntax

client-tls-profile name

no client-tls-profile

Context

[Tree] (config>system>security>pki>est-profile client-tls-profile)

Full Context

configure system security pki est-profile client-tls-profile

Description

This command configures the TLS client profile to be assigned to applications for encryption. The profile creates the TLS connection to the EST server.

The no form of this command removes the name from the configuration.

Default

no client-tls-profile

Parameters

name

Specifies the name of the client TLS profile, up to 32 characters.

Platforms

7705 SAR Gen 2

client-tls-profile

Syntax

client-tls-profile name [create]

no client-tls-profile name

Context

[Tree] (config>system>security>tls client-tls-profile)

Full Context

configure system security tls client-tls-profile

Description

This command configures the TLS client profile to be assigned to applications for encryption.

Parameters

name

Specifies the name of the client TLS profile, up to 32 characters in length.

create

Keyword used to create the client TLS profile.

Platforms

7705 SAR Gen 2

client-tls-profile

Syntax

client-tls-profile name

no client-tls-profile

Context

[Tree] (config>system>management-interface>remote-management client-tls-profile)

Full Context

configure system management-interface remote-management client-tls-profile

Description

This command configures the TLS client profile used for encryption by all remote managers. This command and allow-unsecure-connection are mutually exclusive.

If this command is also configured for a specific manager in the config>system>management-interface>remote-management>manager context, that configuration takes precedence.

The no form of this command causes the profile configuration not to be used.

Parameters

name

Specifies the name of the client TLS profile, up to 32 characters.

Platforms

7705 SAR Gen 2

client-tls-profile

Syntax

client-tls-profile name

no client-tls-profile

Context

[Tree] (config>system>management-interface>remote-management>manager client-tls-profile)

Full Context

configure system management-interface remote-management manager client-tls-profile

Description

This command configures the TLS client profile used for encryption by this remote manager. This command and allow-unsecure-connection are mutually exclusive.

This command takes precedence over the same command configured in the global context (config>system>management-interface>remote-management).

The no form of this command causes the profile configuration to be inherited from the global context (config>system>management-interface>remote-management).

Parameters

name

Specifies the name of the client TLS profile, up to 32 characters.

Platforms

7705 SAR Gen 2

clli-code

clli-code

Syntax

clli-code clli-code

no clli-code

Context

[Tree] (config>system clli-code)

Full Context

configure system clli-code

Description

This command creates a Common Language Location Identifier (CLLI) code string for the router. A CLLI code is an 11-character standardized geographic identifier that uniquely identifies geographic locations and certain functional categories of equipment unique to the telecommunications industry.

No CLLI validity checks other than truncating or padding the string to eleven characters are performed.

Only one CLLI code can be configured; if multiple CLLI codes are configured, the last one entered overwrites the previous entry.

The no form of the command removes the CLLI code.

Default

no clli-code

Parameters

clli-code

Specifies the 11-character CLLI code string. Any printable, seven-bit ASCII characters can be used within the string. If the string contains special characters (#, ?, space), the entire string must be enclosed within double quotes. If more than 11 characters are entered, the string is truncated. If fewer than 11 characters are entered, the string is padded with spaces.

Platforms

7705 SAR Gen 2

clock-offset

clock-offset

Syntax

clock-offset seconds

no clock-offset

Context

[Tree] (config>oam-pm>session>meas-interval clock-offset)

Full Context

configure oam-pm session meas-interval clock-offset

Description

This command allows measurement intervals with a boundary-type of clock aligned to be offset from the default time of day clock. The configured offset must be smaller than the size of the measurement interval. As an example, an offset of 120 (seconds) shifts the start times of the measurement intervals by two minutes from their default alignments with respect to the time of day clock.

The no form of this command sets the offset to 0.

Default

clock-offset 0

Parameters

seconds

Specifies the number of seconds to offset a clock-alignment measurement interval from its default.

Values

0 to 86399

Default

0

Platforms

7705 SAR Gen 2

close-session

close-session

Syntax

[no] close-session

Context

[Tree] (configure>system>security>profile>netconf>base-op-authorization close-session)

Full Context

configure system security profile netconf base-op-authorization close-session

Description

This command enables the NETCONF <close-session> RPC.

The no form of this command disables the RPC.

Default

no close-session

Note:

The operation is enabled by default in the built-in system-generated administrative profile.

Platforms

7705 SAR Gen 2

cluster

cluster

Syntax

cluster cluster-id

no cluster

Context

[Tree] (config>service>vprn>bgp cluster)

[Tree] (config>service>vprn>bgp>group>neighbor cluster)

[Tree] (config>service>vprn>bgp>group cluster)

Full Context

configure service vprn bgp cluster

configure service vprn bgp group neighbor cluster

configure service vprn bgp group cluster

Description

This command configures the cluster ID for a route reflector server.

Route reflectors are used to reduce the number of IBGP sessions required within an AS. Normally, all BGP speakers within an AS must have a BGP peering with every other BGP speaker in an AS. A route reflector and its clients form a cluster. Peers that are not part of the cluster are considered to be non-clients.

When a route reflector receives a route, first it must select the best path from all the paths received. If the route was received from a non-client peer, then the route reflector sends the route to all clients in the cluster. If the route came from a client peer, the route reflector sends the route to all non-client peers and to all client peers except the originator.

For redundancy, a cluster can have multiple route reflectors.

Confederations can also be used to remove the full IBGP mesh requirement within an AS.

The no form of this command deletes the cluster ID and effectively disables the Route Reflection for the given group.

Default

no cluster — No cluster ID is defined.

Parameters

cluster-id

The route reflector cluster ID is expressed in dot decimal notation.

Values

Any 32 bit number in dot decimal notation. (0.0.0.1 to 255.255.255.255)

Platforms

7705 SAR Gen 2

cluster

Syntax

cluster cluster-id orr-location location-id [allow-local-fallback]

Context

[Tree] (config>router>bgp cluster)

Full Context

configure router bgp cluster

Description

This command configures the cluster ID for a route reflector server ID and implicitly configures the associated BGP sessions as route reflector clients of the BGP instance. If an ORR location ID is specified with the cluster ID, the clients in that cluster receive routes optimal for that specific location; refer to draft-ietf-idr-bgp-optimal-route-reflection for more information.

Route reflectors are used to reduce the number of IBGP sessions required within an AS. Normally, all BGP speakers within an AS must have a BGP peering with every other BGP speaker in an AS. A route reflector and its clients form a cluster. Peers that are not part of the cluster are considered to be non-clients.

When a route reflector receives a best path from a non-client peer, it sends the route to all clients. When the route reflector receives a best path from a client peer, it sends the route to all non-client peers and to all client peers except the originator.

With optimal route reflection, the best path advertised to a client takes location ID into account, which means that if the tie-break for best path (or Add-Paths) comes down to next-hop IGP cost, the IGP costs will be calculated relative to the specified location. In the SR OS implementation, the IGP costs from arbitrary ORR locations are calculated using OSPF/OSPFv3, IS-IS, or BGP-LS information in the TE DB.

Default

no cluster

Parameters

ip-address

Specifies the route reflector cluster ID, expressed in dot decimal notation.

Values

Any 32 bit number in dot decimal notation. (0.0.0.1 to 255.255.255.255)

orr-location location-id

Specifies the optimal route reflection location index for this set of route reflector clients.

Values

1 to 255

allow-local-fallback

Controls the behavior when there are no BGP routes to advertise to the RR clients that are reachable from the perspective of their ORR location. If this option is configured, the RR is allowed (in this circumstance only), to advertise the best reachable BGP path from its own topology location. If this option is not configured and this situation applies, then no route is advertised to the clients.

Platforms

7705 SAR Gen 2

cluster

Syntax

cluster cluster-id orr-location location-id [allow-local-fallback]

cluster cluster-id

no cluster

Context

[Tree] (config>router>bgp>group cluster)

[Tree] (config>router>bgp>group>neighbor cluster)

Full Context

configure router bgp group cluster

configure router bgp group neighbor cluster

Description

This command configures the cluster ID for a route reflector server ID and implicitly configures the associated BGP sessions as route reflector clients of the BGP instance. If an ORR location ID is specified with the cluster ID, the clients in that cluster receive routes optimal for that specific location; see draft-ietf-idr-bgp-optimal-route-reflection for more information.

Route reflectors are used to reduce the number of IBGP sessions required within an AS. Normally, all BGP speakers within an AS must have a BGP peering with every other BGP speaker in an AS. A route reflector and its clients form a cluster. Peers that are not part of the cluster are considered to be non-clients.

When a route reflector receives a best path from a non-client peer, it sends the route to all clients. When the route reflector receives a best path from a client peer, it sends the route to all non-client peers and to all client peers except the originator.

With optimal route reflection, the best path advertised to a client takes location ID into account, which means that if the tie-break for best path (or Add-Paths) comes down to next-hop IGP cost, the IGP costs will be calculated relative to the specified location. In the SR OS implementation, the IGP costs from arbitrary ORR locations are calculated using OSPF/OSPFv3, IS-IS, or BGP-LS information in the TE DB.

The no form of this command deletes the cluster ID and effectively disables route reflection for the group.

Default

no cluster

Parameters

ip-address

Specifies the route reflector cluster ID, expressed in dot decimal notation.

Values

Any 32 bit number in dot decimal notation. (0.0.0.1 to 255.255.255.255)

orr-location location-id

Specifies the optimal route reflection location index for this set of route reflector clients.

Values

1 to 255

allow-local-fallback

Controls the behavior when there are no BGP routes to advertise to the RR clients that are reachable from the perspective of their ORR location. If this option is configured, the RR is allowed (in this circumstance only), to advertise the best reachable BGP path from its own topology location. If this option is not configured and this situation applies, then no route is advertised to the clients.

Platforms

7705 SAR Gen 2

cluster-id

cluster-id

Syntax

cluster-id ip-address/mask [ip-address/mask]

cluster-id none

no cluster-id

Context

[Tree] (config>router>policy-options>policy-statement>entry>from cluster-id)

Full Context

configure router policy-options policy-statement entry from cluster-id

Description

This command enables BGP routes to be matched based on the IP addresses encoded in the CLUSTER_LIST attribute.

The first ip-address/mask pair is matched against the most recently added cluster ID. Each subsequent ip-address/mask pair is tested against the next most recent cluster ID.

For example, to match all routes reflected by the RR with cluster ID 1.1.1.1 and then any other RR before reaching the router where the policy is applied, use the command cluster-id 0.0.0.0/0 1.1.1.1/32.

Note:

The command matches routes with two or more cluster IDs; the third and older cluster IDs are not evaluated and are automatically considered matching.

The cluster-id none form of this command only matches BGP routes without any CLUSTER_LIST attribute.

A non-BGP route does not match a policy entry if it contains the cluster-id command.

Default

no cluster-id

Parameters

ip-address

Specifies the 32-bit cluster ID in dotted decimal notation.

Values

a.b.c.d

mask

Specifies a bit mask to apply to the ip-address parameter.

Values

0 to 32 (0 is only allowed if the ip-address is 0.0.0.0)

none

Specifies that only BGP routes without a CLUSTER_LIST attribute should be matched.

Platforms

7705 SAR Gen 2
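The cluster-id match rules described above can be modelled offline before a policy is committed. The following is an added example, not vendor code: the route records and function names are constructed, CLUSTER_LIST is taken to be ordered most recent first, and a route with fewer cluster IDs than configured pairs is assumed not to match, following the note above.

```python
import ipaddress

def parse_pair(text):
    """Parse one ip-address/mask pair into (masked_value, mask_bits)."""
    addr, sep, mask = text.partition("/")
    if not sep:
        raise ValueError(f"expected ip-address/mask, got {text!r}")
    ip = int(ipaddress.IPv4Address(addr))
    mask_len = int(mask)
    if not 0 <= mask_len <= 32:
        raise ValueError(f"mask out of range in {text!r}")
    # Documented restriction: mask 0 is only allowed with 0.0.0.0.
    if mask_len == 0 and ip != 0:
        raise ValueError("mask 0 is only allowed if the ip-address is 0.0.0.0")
    bits = (0xFFFFFFFF << (32 - mask_len)) & 0xFFFFFFFF
    return ip & bits, bits

def cluster_id_matches(criterion, route):
    """criterion: ['none'] or one or two 'a.b.c.d/len' strings.
    route: dict with 'protocol' and 'cluster_list' (most recent first)."""
    # A non-BGP route never matches an entry that contains cluster-id.
    if route.get("protocol") != "bgp":
        return False
    cluster_list = route.get("cluster_list", [])
    if criterion == ["none"]:
        return len(cluster_list) == 0
    if not 1 <= len(criterion) <= 2:
        raise ValueError("cluster-id takes one or two ip-address/mask pairs")
    pairs = [parse_pair(p) for p in criterion]
    # Assumption from the note: each configured pair needs a cluster ID
    # to be tested against, so a shorter CLUSTER_LIST does not match.
    if len(cluster_list) < len(pairs):
        return False
    # Pair 1 is tested against the most recent cluster ID, pair 2 against
    # the next; older cluster IDs are not evaluated.
    for cid, (net, bits) in zip(cluster_list, pairs):
        if (int(ipaddress.IPv4Address(cid)) & bits) != net:
            return False
    return True

# Constructed sample routes (not taken from any real routing table).
ROUTES = {
    "via-1.1.1.1-then-2.2.2.2": {"protocol": "bgp",
                                 "cluster_list": ["2.2.2.2", "1.1.1.1"]},
    "via-1.1.1.1-only": {"protocol": "bgp", "cluster_list": ["1.1.1.1"]},
    "three-hops-older-ignored": {"protocol": "bgp",
                                 "cluster_list": ["3.3.3.3", "1.1.1.1", "9.9.9.9"]},
    "second-newest-differs": {"protocol": "bgp",
                              "cluster_list": ["3.3.3.3", "2.2.2.2", "1.1.1.1"]},
    "no-cluster-list": {"protocol": "bgp", "cluster_list": []},
    "static": {"protocol": "static", "cluster_list": []},
}

def matching_routes(criterion):
    """Return the names of the sample routes that the criterion matches."""
    return [name for name, route in ROUTES.items()
            if cluster_id_matches(criterion, route)]

if __name__ == "__main__":
    for crit in (["0.0.0.0/0", "1.1.1.1/32"], ["1.1.1.1/32"], ["none"]):
        print(" ".join(crit), "->", matching_routes(crit))
```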

cmpv2

cmpv2

Syntax

cmpv2

Context

[Tree] (admin>certificate cmpv2)

Full Context

admin certificate cmpv2

Description

Commands in this context configure CMPv2 operations.

Platforms

7705 SAR Gen 2

cmpv2

Syntax

cmpv2

Context

[Tree] (config>system>security>pki>ca-profile cmpv2)

Full Context

configure system security pki ca-profile cmpv2

Description

Commands in this context configure CMPv2 parameters.

Platforms

7705 SAR Gen 2

cmpv2

Syntax

[no] cmpv2

Context

[Tree] (debug>certificate cmpv2)

Full Context

debug certificate cmpv2

Description

This command enables debugging of CMPv2 operations.

Platforms

7705 SAR Gen 2

coa-script-policy

coa-script-policy

Syntax

coa-script-policy policy-name

no coa-script-policy

Context

[Tree] (config>service>vprn>radius-server>server coa-script-policy)

[Tree] (config>router>radius-server>server coa-script-policy)

Full Context

configure service vprn radius-server server coa-script-policy

configure router radius-server server coa-script-policy

Description

This command specifies the RADIUS script policy to modify the Change-of-Authorization messages sent from this RADIUS server.

The no form of this command removes the policy name from the configuration.

Parameters

policy-name

Specifies the name of radius-script-policy up to 80 characters.

Platforms

7705 SAR Gen 2

code-type

code-type

Syntax

code-type [sonet | sdh]

[no] code-type

Context

[Tree] (config>port>ethernet>ssm code-type)

Full Context

configure port ethernet ssm code-type

Description

This command configures the encoding of synchronization status messages, for example, whether to use an SDH or SONET set of values. Configuring the network-type is only applicable to SyncE ports. It is not configurable on SONET/SDH ports. For the network-type, sdh refers to ITU-T G.781 Option I, while sonet refers to G.781 Option II (equivalent to Telcordia GR-253-CORE).

Default

code-type sdh

Parameters

sdh

Specifies the values used on a G.781 Option 1 compliant network.

sonet

Specifies the values used on a G.781 Option 2 compliant network.

Platforms

7705 SAR Gen 2

coherent

coherent

Syntax

coherent

Context

[Tree] (config>port>dwdm coherent)

Full Context

configure port dwdm coherent

Description

This command configures the coherent optical module parameters.

Platforms

7705 SAR Gen 2

cold-start-wait

cold-start-wait

Syntax

cold-start-wait seconds

no cold-start-wait

Context

[Tree] (config>log>app-route-notifications cold-start-wait)

Full Context

configure log app-route-notifications cold-start-wait

Description

This command configures the time delay that must pass before specific CPM applications are notified that a route is available after a cold reboot.

Default

no cold-start-wait

Parameters

seconds

Time delay in seconds.

Values

1 to 300

Platforms

7705 SAR Gen 2

collect-stats

collect-stats

Syntax

[no] collect-stats

Context

[Tree] (config>service>vpls>mesh-sdp collect-stats)

[Tree] (config>service>vpls>spoke-sdp collect-stats)

[Tree] (config>service>ies>if>sap collect-stats)

[Tree] (config>service>vpls>sap collect-stats)

Full Context

configure service vpls mesh-sdp collect-stats

configure service vpls spoke-sdp collect-stats

configure service ies interface sap collect-stats

configure service vpls sap collect-stats

Description

This command enables accounting and statistical data collection for either the SAP or SDP, network port, or IP interface. When applying accounting policies the data, by default, is collected in the appropriate records and written to the designated billing file.

When the no collect-stats command is issued the statistics are still accumulated by the IOM cards. However, the CPU does not obtain the results and write them to the billing file. If a subsequent collect-stats command is issued then the counters written to the billing file include all the traffic while the no collect-stats command was in effect.

Default

collect-stats

Platforms

7705 SAR Gen 2

collect-stats

Syntax

[no] collect-stats

Context

[Tree] (config>card>fp>ingress>access>queue-group collect-stats)

[Tree] (config>card>fp>ingress>network>queue-group collect-stats)

Full Context

configure card fp ingress access queue-group collect-stats

configure card fp ingress network queue-group collect-stats

Description

This command enables the collection of accounting and statistical data for the queue group on the forwarding plane. When applying accounting policies, the data, by default, is collected in the appropriate records and written to the designated billing file.

When the no collect-stats command is issued, the statistics are still accumulated, however, the CPU does not obtain the results and write them to the billing file. If the collect-stats command is issued again (enabled), then the counters written to the billing file will include the traffic collected while the no collect-stats command was in effect.

Default

no collect-stats

Platforms

7705 SAR Gen 2

collect-stats

Syntax

[no] collect-stats

Context

[Tree] (config>port>ethernet collect-stats)

[Tree] (config>port>ethernet>access>egr>qgrp collect-stats)

[Tree] (config>port>ethernet>network>egr>qgrp collect-stats)

[Tree] (config>port>ethernet>access>ing>qgrp collect-stats)

[Tree] (config>port>ethernet>network collect-stats)

Full Context

configure port ethernet collect-stats

configure port ethernet access egress queue-group collect-stats

configure port ethernet network egress queue-group collect-stats

configure port ethernet access ingress queue-group collect-stats

configure port ethernet network collect-stats

Description

This command enables the collection of accounting and statistical data for the network interface. When applying accounting policies, the data, by default, is collected in the appropriate records and written to the designated billing file.

When the no collect-stats command is issued, the statistics are still accumulated by the XCM/IOM cards, however, the CPU does not obtain the results and write them to the billing file. If the collect-stats command is issued again (enabled), then the counters written to the billing file will include the traffic collected while the no collect-stats command was in effect.

Default

no collect-stats

Platforms

7705 SAR Gen 2

collect-stats

Syntax

[no] collect-stats

Context

[Tree] (config>service>epipe>sap collect-stats)

[Tree] (config>service>epipe>spoke-sdp collect-stats)

Full Context

configure service epipe sap collect-stats

configure service epipe spoke-sdp collect-stats

Description

This command enables accounting and statistical data collection for either the SAP, network port, or IP interface. When applying accounting policies the data, by default, is collected in the appropriate records and written to the designated billing file.

When the no collect-stats command is issued the statistics are still accumulated by the cards. However, the CPU will not obtain the results and write them to the billing file. If a subsequent collect-stats command is issued, then the counters written to the billing file include all the traffic while the no collect-stats command was in effect.

Default

no collect-stats

Platforms

7705 SAR Gen 2

collect-stats

Syntax

[no] collect-stats

Context

[Tree] (config>service>ies>if>spoke-sdp collect-stats)

Full Context

configure service ies interface spoke-sdp collect-stats

Description

This command enables statistics collection.

Platforms

7705 SAR Gen 2

collect-stats

Syntax

[no] collect-stats

Context

[Tree] (config>service>vprn>if>spoke-sdp collect-stats)

[Tree] (config>service>vprn>if>sap collect-stats)

Full Context

configure service vprn interface spoke-sdp collect-stats

configure service vprn interface sap collect-stats

Description

This command enables accounting and statistical data collection for either an interface SAP or interface SAP spoke SDP, or network port. When applying accounting policies the data, by default, is collected in the appropriate records and written to the designated billing file.

When the no collect-stats command is issued the statistics are still accumulated by the IOM cards. However, the CPU will not obtain the results and write them to the billing file. If a subsequent collect-stats command is issued then the counters written to the billing file include all the traffic while the no collect-stats command was in effect.

Default

no collect-stats

Platforms

7705 SAR Gen 2

collect-stats

Syntax

[no] collect-stats

Context

[Tree] (config>service>sdp collect-stats)

[Tree] (config>service>pw-template collect-stats)

Full Context

configure service sdp collect-stats

configure service pw-template collect-stats

Description

This command enables accounting and statistical data collection for the SDP. When applying accounting policies the data, by default, is collected in the appropriate records and written to the designated billing file.

When the no collect-stats command is issued the statistics are still accumulated by the IOM or XCM cards. However, the CPU will not obtain the results and write them to the billing file. If a subsequent collect-stats command is issued then the counters written to the billing file include all the traffic while the no collect-stats command was in effect.

Default

no collect-stats

Platforms

7705 SAR Gen 2

collection-interval

collection-interval

Syntax

collection-interval minutes

no collection-interval

Context

[Tree] (config>log>acct-policy collection-interval)

Full Context

configure log accounting-policy collection-interval

Description

This command configures the accounting collection interval.

Parameters

minutes

Specifies the interval between collections, in minutes.

Values

1 to 120

A range of 1 to 4 is only allowed when the record type is set to SAA.

Platforms

7705 SAR Gen 2

color

color

Syntax

color color

no color

Context

[Tree] (conf>router>segment-routing>sr-policies>policy color)

Full Context

configure router segment-routing sr-policies static-policy color

Description

This command associates a color value with a statically defined segment routing policy. This is a mandatory parameter and configuration command to enable the segment routing policy; if the color parameter value is not configured, the execution of the no shutdown command on the static segment routing policy fails.

The no form of this command removes the color association.

Default

no color

Parameters

color

Specifies the color ID.

Values

0 to 4294967295

Platforms

7705 SAR Gen 2

color

Syntax

color color-id

no color

Context

[Tree] (config>router>policy-options>policy-statement>entry>from color)

Full Context

configure router policy-options policy-statement entry from color

Description

This command configures an SR Policy color ID as a route policy match criterion.

This match criterion is only used in import policies.

The no form of this command removes the configuration.

Parameters

color-id

Specifies the SR policy color ID.

Values

0 to 4294967295

Platforms

7705 SAR Gen 2

color

Syntax

color color-id

Context

[Tree] (config>oam-pm>session>ip>tunnel>mpls>sr-policy color)

Full Context

configure oam-pm session ip tunnel mpls sr-policy color

Description

This command configures the color for associating the SR policy with an objective.

Default

color 0

Parameters

color-id

Specifies the color ID.

Values

0 to 4294967295

Default

0

Platforms

7705 SAR Gen 2

combined-max-sessions

combined-max-sessions

Syntax

combined-max-sessions number-of-sessions

no combined-max-sessions

Context

[Tree] (config>system>security>profile combined-max-sessions)

[Tree] (config>system>security>cli-session-group combined-max-sessions)

Full Context

configure system security profile combined-max-sessions

configure system security cli-session-group combined-max-sessions

Description

This command is used to limit the number of combined SSH/TELNET based sessions available to all users that are part of a specific profile, or to all users of all profiles that are part of the same cli-session-group.

The no form of this command disables the command and the profile or group limit is not applied to the number of combined sessions.

Default

no combined-max-sessions

Parameters

number-of-sessions

Specifies the maximum number of allowed combined SSH/TELNET based sessions.

Values

0 to 50

Platforms

7705 SAR Gen 2

command-accounting-during-load

command-accounting-during-load

Syntax

[no] command-accounting-during-load

Context

[Tree] (config>system>security>management-interface>md-cli command-accounting-during-load)

Full Context

configure system security management-interface md-cli command-accounting-during-load

Description

This command controls command accounting performed on the contents of a file loaded using the MD-CLI load or rollback command.

When enabled, all commands in the loaded file are logged, which may decrease the system response time with large files.

When disabled, command accounting is not performed during a load or rollback operation, which may increase the system response time by reducing the number of command accounting messages, especially when remote AAA servers are used.

The load or rollback command itself is always logged.

The no form of this command disables command accounting during a load or rollback operation.

Default

command-accounting-during-load

Platforms

7705 SAR Gen 2

command-completion

command-completion

Syntax

command-completion

Context

[Tree] (config>system>management-interface>cli>md-cli>environment command-completion)

Full Context

configure system management-interface cli md-cli environment command-completion

Description

This command configures keystrokes to trigger command completion.

Platforms

7705 SAR Gen 2

comment

comment

Syntax

[no] comment

Context

[Tree] (config>system>management-interface>cli>md-cli>environment>commit-options comment)

Full Context

configure system management-interface cli md-cli environment commit-options comment

Description

This command configures the requirement for a commit comment when committing configuration.

The no form of this command does not require a commit comment when committing configuration.

Default

no comment

Platforms

7705 SAR Gen 2

commit

commit

Syntax

commit

Context

[Tree] (config>router>bfd commit)

Full Context

configure router bfd commit

Description

This command saves the changes made to a BFD template during an active session and makes the changes active.

Platforms

7705 SAR Gen 2

commit

Syntax

commit

Context

[Tree] (config>router>route-next-hop-policy commit)

Full Context

configure router route-next-hop-policy commit

Description

This command saves the changes made to route next-hop templates during an active session.

Default

commit

Platforms

7705 SAR Gen 2

commit

Syntax

commit [confirmed timeout] [comment comment]

commit no-checkpoint [confirmed timeout]

Context

[Tree] (candidate commit)

Full Context

candidate commit

Description

This command applies the changes in the candidate configuration to the active running configuration. The candidate changes will take operational effect.

If a commit operation is successful then all of the candidate changes will take operational effect and the candidate is cleared. If there is an error in the processing of the commit, or a 'commit confirmed' is not confirmed and an auto-revert occurs, then the router will return to a configuration state with none of the candidate changes applied. The operator can then continue editing the candidate and try a commit later.

By default, the SR OS will automatically create a new rollback checkpoint after a commit operation. The rollback checkpoint will contain the new configuration changes made by the commit. An optional no-checkpoint keyword can be used to avoid the auto-creation of a rollback checkpoint after a commit.

A commit operation is blocked if a rollback revert is currently being processed.

Parameters

confirmed

Specifies that the commit operation (if successful) should be automatically reverted (undone) at the end of the timeout period unless the operator issues the confirm command before the timeout period expires. A rollback checkpoint is created after the commit operation (if successful) and will remain available whether the commit is auto-reverted or not. The contents of the candidate will remain visible (candidate view) and changes to the candidate are blocked until the timeout is completed or the candidate confirm command is executed. If the timeout expires and an auto-revert occurs, then the original candidate config will be available in edit-cfg mode.

Standard line-by-line non-transactional configuration commands (including via SNMP) are not blocked during the countdown period and any changes made to the configuration during the countdown period will be rolled back if the timeout expires. The confirmed option is useful when changes are being made that could impact management reachability to the router.

A rollback revert is blocked during the countdown period until the commit has been confirmed.

timeout

Specifies the auto-revert timeout period, in minutes.

Values

1 to 168

no-checkpoint

Specifies to avoid the automatic creation of a rollback checkpoint for a successful commit.

comment comment

Adds a comment up to 255 characters to the automatic rollback checkpoint.

Platforms

7705 SAR Gen 2

commit

Syntax

commit

Context

[Tree] (config>router>policy-options commit)

Full Context

configure router policy-options commit

Description

This command is required to save changes made to a route policy.

Platforms

7705 SAR Gen 2

commit

Syntax

[no] commit

Context

[Tree] (configure>system>security>profile>netconf>base-op-authorization commit)

Full Context

configure system security profile netconf base-op-authorization commit

Description

This command enables the NETCONF <commit> RPC.

The no form of this command disables the RPC.

Default

no commit

Note:

The operation is enabled by default in the built-in system-generated administrative profile.

Platforms

7705 SAR Gen 2

commit-options

commit-options

Syntax

commit-options

Context

[Tree] (config>system>management-interface>cli>md-cli>environment commit-options)

Full Context

configure system management-interface cli md-cli environment commit-options

Description

Commands in this context configure commit options.

Platforms

7705 SAR Gen 2

common-name-list

common-name-list

Syntax

common-name-list name [create]

Context

[Tree] (config>system>security>pki common-name-list)

Full Context

configure system security pki common-name-list

Description

This command configures a list of common names (CNs) that will be used to authenticate X.509.3 certificates. If the CN field of the X.509.3 certificate matches any of the CNs in the list, then the certificate can be used.

Parameters

name

Specifies the name of the CN list, up to 32 characters maximum.

Platforms

7705 SAR Gen 2

community

community

Syntax

community community-name [hash | hash2 | custom] [access-permissions] [ version SNMP-version] [src-access-list list-name]

no community community-name [hash | hash2 | custom]

Context

[Tree] (config>service>vprn>snmp community)

Full Context

configure service vprn snmp community

Description

This command sets the SNMP community name(s) to be used with the associated VPRN instance. These VPRN community names are used to associate SNMP v1/v2c requests with a particular vprn context and to return a reply that contains VPRN-specific data or limit SNMP access to data in a specific VPRN instance.

VPRN snmp communities configured with an access permission of 'r' are automatically associated with the default access group "snmp-vprn-ro" and the "vprn-view" view (read only). VPRN snmp communities configured with an access permission of 'rw' are automatically associated with the default access group "snmp-vprn" and the "vprn-view" view (read/write).

The community in an SNMP v1/v2 request determines the SNMP context (that is, the vprn# for accessing SNMP tables) and not the VPRN of the incoming interface on which the request was received. When an SNMP request arrives on VPRN 5 interface "ringo" with a destination IP address equal to the "ringo" interface, but the community in the SNMP request is the community configured against VPRN 101, then the SNMP request will be processed using the VPRN 101 context (the response will contain information about VPRN 101). It is recommended to avoid using a simple series of vprn snmp-community values that are similar to each other (for example, avoid my-vprn-comm-1, my-vprn-comm-2, and so on).

The no form of this command removes the SNMP community name from the given VPRN context.

Parameters

community-name

Specifies the SNMP v1/v2c community name. This is a secret/confidential key used to access SNMP and specify a context (base vs vprn1 vs vprn2).

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to management interface.

version SNMP-version

Specifies the SNMP version.

Values

v1, v2c, both

access-permissions

Specifies the access rights to MIB objects.

Values

  • r — Grants only read access to MIB objects. Creates an association of the community-name with the snmp-vprn-ro access group.

  • rw — Grants read and write access to MIB objects. Creates an association of the community-name with the snmp-vprn access group.

list-name

Configures the community to reference a specific src-access-list (created under configure system security snmp), which will be used to validate the source IP address of all received SNMP requests that use this community. Multiple community (vprn or base router) and usm-community instances can reference the same src-access-list.

Platforms

7705 SAR Gen 2
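Because the community string alone selects the VPRN context, a provisioning plan can be checked for look-alike community names before it is deployed. The following is an added example, not vendor tooling: the plan, the community values and the src-access-list name nms-hosts are constructed, the command lines follow the Syntax shown above, and the report of communities without a src-access-list is an extra check made by this example.

```python
import re
import shlex
from collections import defaultdict

ENCODINGS = {"hash", "hash2", "custom"}
PERMISSIONS = {"r", "rw"}

def parse_community(line):
    """Parse one 'community ...' command written as in the Syntax line."""
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "community":
        raise ValueError(f"not a community command: {line!r}")
    entry = {"name": tokens[1], "encoding": "cleartext", "access": None,
             "version": None, "src_access_list": None}
    rest = iter(tokens[2:])
    for tok in rest:
        if tok in ENCODINGS:
            entry["encoding"] = tok
        elif tok in PERMISSIONS:
            entry["access"] = tok
        elif tok == "version":
            entry["version"] = next(rest, None)
        elif tok == "src-access-list":
            entry["src_access_list"] = next(rest, None)
        else:
            raise ValueError(f"unexpected token {tok!r} in {line!r}")
    return entry

def skeleton(name):
    """Collapse digits and separators so that numbered or re-punctuated
    variants of one base name compare equal."""
    return re.sub(r"[-_. ]", "", re.sub(r"\d+", "#", name.lower()))

def lint_communities(plan):
    """plan maps a VPRN service ID to its list of community commands."""
    groups = defaultdict(list)
    opaque, no_acl = [], []
    for vprn, lines in sorted(plan.items()):
        for line in lines:
            entry = parse_community(line)
            if entry["src_access_list"] is None:
                no_acl.append(vprn)
            if entry["encoding"] != "cleartext":
                # Encrypted forms cannot be compared for similarity.
                opaque.append((vprn, entry["encoding"]))
                continue
            groups[skeleton(entry["name"])].append((vprn, entry["name"]))
    # A group with more than one distinct name is a series of similar
    # values, which the description above recommends avoiding.
    series = [members for _, members in sorted(groups.items())
              if len({name for _, name in members}) > 1]
    return {"series": series, "opaque": opaque, "no_src_access_list": no_acl}

# Constructed provisioning plan (all values are sample data).
PLAN = {
    5: ["community my-vprn-comm-5 r version v2c src-access-list nms-hosts"],
    101: ["community my-vprn-comm-101 rw version v2c"],
    200: ['community "kT7 wq-Zp31x" r version both src-access-list nms-hosts'],
    300: ["community SAMPLE-ENCRYPTED-VALUE hash2 r"],
}

if __name__ == "__main__":
    for finding, items in lint_communities(PLAN).items():
        print(finding, items)
```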

community

Syntax

community comm-id [comm-id]

no community [comm-id [comm-id]]

Context

[Tree] (config>service>vprn>static-route-entry community)

Full Context

configure service vprn static-route-entry community

Description

This command associates a list of up to 12 BGP communities (any mix of standard, extended, and large communities) with the static route. These communities can be matched in route policies and are automatically added to BGP routes that are created from the static route.

The communities specified at this level of the static route cause communities configured under the next-hop, black-hole, and indirect contexts of the static route to be ignored.

The no form of this command removes the association.

Default

no community

Parameters

comm-id

Specifies a BGP community value, up to 72 characters.

Values

[as-num:comm-val | well-known-comm | ext-comm | large-comm]

where:

  • as-num — 0 to 65535

  • comm-val — 0 to 65535

  • well-known-comm — null | no-export | no-export-subconfed | no-advertise | llgr-stale | no-llgr | blackhole

  • ext-comm — the extended community, defined as one of the following:

    • {target | origin}:ip-address:comm-val

    • {target | origin}:asnum:ext-comm-val

    • {target | origin}:ext-asnum:comm-val

    • bandwidth:asnum:val-in-mbps

    • ext:4300:ovstate

    • ext:value1:value2

    • color:co-bits:color-value

    where:

    • target — route target

    • origin — route origin

    • ip-address — a.b.c.d

    • ext-comm-val — 0 to 4294967295

    • ext-asnum — 0 to 4294967295

    • val-in-mbps — 0 to 16777215

    • ovstate — 0, 1, or 2 (0 for valid, 1 for not found, 2 for invalid)

    • value1 — 0000 to FFFF

    • value2 — 0 to FFFFFFFFFFFF

    • co-bits — 00, 01, 10 or 11

    • color-value — 0 to 4294967295

  • large-comm — asn-or-ex:val-or-ex:val-or-ex

Platforms

7705 SAR Gen 2

community

Syntax

community comm-id

no community [comm-id]

Context

[Tree] (config>service>vprn>static-route-entry>next-hop community)

[Tree] (config>service>vprn>static-route-entry>indirect community)

[Tree] (config>service>vprn>static-route-entry>black-hole community)

Full Context

configure service vprn static-route-entry next-hop community

configure service vprn static-route-entry indirect community

configure service vprn static-route-entry black-hole community

Description

This command associates one BGP community (standard, extended or large) with a next-hop of the static route. This community can be matched in route policies and automatically added to BGP routes that are created from the static route.

Any community specified in one of these contexts is overridden by any communities specified at the prefix level of the static route entry.

The no form of this command removes the association.

Default

no community

Parameters

comm-id

Specifies a BGP community value, up to 72 characters.

Values

[as-num:comm-val | well-known-comm | ext-comm | large-comm]

where:

  • as-num — 0 to 65535

  • comm-val — 0 to 65535

  • well-known-comm — null | no-export | no-export-subconfed | no-advertise | llgr-stale | no-llgr | blackhole

  • ext-comm — the extended community, defined as one of the following:

    • {target | origin}:ip-address:comm-val

    • {target | origin}:asnum:ext-comm-val

    • {target | origin}:ext-asnum:comm-val

    • bandwidth:asnum:val-in-mbps

    • ext:4300:ovstate

    • ext:value1:value2

    • color:co-bits:color-value

    where:

    • target — route target

    • origin — route origin

    • ip-address — a.b.c.d

    • ext-comm-val — 0 to 4294967295

    • ext-asnum — 0 to 4294967295

    • val-in-mbps — 0 to 16777215

    • ovstate — 0, 1, or 2 (0 for valid, 1 for not found, 2 for invalid)

    • value1 — 0000 to FFFF

    • value2 — 0 to FFFFFFFFFFFF

    • co-bits — 00, 01, 10 or 11

    • color-value — 0 to 4294967295

  • large-comm — asn-or-ex:val-or-ex:val-or-ex

Platforms

7705 SAR Gen 2

community

Syntax

community comm-id

no community [comm-id]

Context

[Tree] (config>service>vprn>static-route-entry>ipsec-tunnel community)

Full Context

configure service vprn static-route-entry ipsec-tunnel community

Description

This configuration option associates a BGP community with the static route. The community can be matched in route policies and is automatically added to BGP routes exported from the static route.

The no form of this command removes the community association.

Default

no community

Parameters

comm-id

Specifies community IDs, up to 72 characters.

Values

[2 byte asnumber:comm-val | well-known-comm]

where:

  • 2 byte as-number — 0 to 65535

  • comm-val — 0 to 65535

  • well-known-comm — no-export | no-export-subconfed | no-advertise

Platforms

7705 SAR Gen 2

community

Syntax

community community-name

no community

Context

[Tree] (config>router>ldp>session-params>peer community)

[Tree] (config>router>ldp>targeted-session>peer-template community)

Full Context

configure router ldp session-parameters peer community

configure router ldp targeted-session peer-template community

Description

This command configures a community name associated with a targeted session to a specified peer. The community is a local configuration for a targeted session. FECs received over a session of a given community are taken to belong to that community, and are redistributed over sessions of the same community.

The SR OS router uses the following rules for community:

  • If both the session parameters for a specified peer and the targeted peer template that is applied to the session have the default configuration, then no community applies.

  • If the session parameters for a peer have the default configuration, but the targeted session peer template has an explicit configuration for community, then the targeted peer template configuration will be used.

  • If the session parameters have an explicit configuration for community, and the targeted session peer template has the default configuration, then the session parameter configuration applies.

  • If both session parameters and targeted peer template have an explicit configuration for community, then the session parameter configuration is used.

The no form of this command removes the community from the session to the peer. FECs subsequently received over the session are treated as having no community.

Default

no community

Parameters

community-name

Specifies the string defining the LDP community assigned to the session. Allowed values are any string up to 32 characters long composed of printable, 7-bit ASCII characters excluding double quotes. If the string contains spaces, use double quotes to delimit the start and end of the string.

Platforms

7705 SAR Gen 2

community

Syntax

community comm-id

no community [comm-id]

Context

[Tree] (config>router>static-route-entry>black-hole community)

[Tree] (config>router>static-route-entry>indirect community)

[Tree] (config>router>static-route-entry>next-hop community)

Full Context

configure router static-route-entry black-hole community

configure router static-route-entry indirect community

configure router static-route-entry next-hop community

Description

This command associates one BGP community (standard, extended or large) with a next-hop of the static route. This community can be matched in route policies and automatically added to BGP routes that are created from the static route.

Any community specified in one of these contexts is overridden by any communities specified at the prefix level of the static route entry.

The no form of this command removes the association.

Default

no community

Parameters

comm-id

Specifies a BGP community value, up to 72 characters.

Values

[as-num:comm-val | well-known-comm | ext-comm | large-comm]

where:

  • as-num — 0 to 65535

  • comm-val — 0 to 65535

  • well-known-comm — null | no-export | no-export-subconfed | no-advertise | llgr-stale | no-llgr | blackhole

  • ext-comm — the extended community, defined as one of the following:

    • {target | origin}:ip-address:comm-val

    • {target | origin}:asnum:ext-comm-val

    • {target | origin}:ext-asnum:comm-val

    • bandwidth:asnum:val-in-mbps

    • ext:4300:ovstate

    • ext:value1:value2

    • color:co-bits:color-value

    where:

    • target — route target

    • origin — route origin

    • ip-address — a.b.c.d

    • ext-comm-val — 0 to 4294967295

    • ext-asnum — 0 to 4294967295

    • val-in-mbps — 0 to 16777215

    • ovstate — 0, 1, or 2 (0 for valid, 1 for not found, 2 for invalid)

    • value1 — 0000 to FFFF

    • value2 — 0 to FFFFFFFFFFFF

    • co-bits — 00, 01, 10 or 11

    • color-value — 0 to 4294967295

  • large-comm — asn-or-ex:val-or-ex:val-or-ex

Platforms

7705 SAR Gen 2

community

Syntax

community comm-id [comm-id]

no community [comm-id [comm-id]]

Context

[Tree] (config>router>static-route-entry community)

Full Context

configure router static-route-entry community

Description

This command associates a list of up to 12 BGP communities (any mix of standard, extended, and large communities) with the static route. These communities can be matched in route policies and are automatically added to BGP routes that are created from the static route.

Communities specified at this level of the static route cause communities configured under the next-hop, black-hole and indirect contexts of the static route to be ignored.

The no form of this command removes the association.

Default

no community

Parameters

comm-id

Specifies a BGP community value, up to 72 characters.

Values

[as-num:comm-val | well-known-comm | ext-comm | large-comm]

where:

  • as-num — 0 to 65535

  • comm-val — 0 to 65535

  • well-known-comm — null | no-export | no-export-subconfed | no-advertise | llgr-stale | no-llgr | blackhole

  • ext-comm — the extended community, defined as one of the following:

    • {target | origin}:ip-address:comm-val

    • {target | origin}:asnum:ext-comm-val

    • {target | origin}:ext-asnum:comm-val

    • bandwidth:asnum:val-in-mbps

    • ext:4300:ovstate

    • ext:value1:value2

    • color:co-bits:color-value

    where:

    • target — route target

    • origin — route origin

    • ip-address — a.b.c.d

    • ext-comm-val — 0 to 4294967295

    • ext-asnum — 0 to 4294967295

    • val-in-mbps — 0 to 16777215

    • ovstate — 0, 1, or 2 (0 for valid, 1 for not found, 2 for invalid)

    • value1 — 0000 to FFFF

    • value2 — 0 to FFFFFFFFFFFF

    • co-bits — 00, 01, 10 or 11

    • color-value — 0 to 4294967295

  • large-comm — asn-or-ex:val-or-ex:val-or-ex

Platforms

7705 SAR Gen 2

community

Syntax

community community-string [hash | hash2 | custom] access-permissions [version SNMP-version] [src-access-list list-name]

no community community-string [hash | hash2 | custom]

Context

[Tree] (config>system>security>snmp community)

Full Context

configure system security snmp community

Description

This command creates SNMP community strings for SNMPv1 and SNMPv2c access. This command is used in combination with the predefined access groups and views. To create custom access groups and views and associate them with SNMPv1 or SNMPv2c access use the usm-community command.

When configured, community implies a security model for SNMPv1 and SNMPv2c only.

For SNMPv3 security, the access group command must be configured.

The no form of the command removes the specified community string.

Parameters

community-string

Configures the SNMPv1 and/or SNMPv2c community string.

Values

community-string — Specifies the community string. Allowed values are any string up to 32 characters, composed of printable, 7-bit ASCII characters. If the string contains special characters (for example, #, $, spaces), the entire string must be enclosed within double quotes.

hash-key — Up to 33 characters

hash2-key — Up to 96 characters

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to management interface.

access-permissions

Configures the access permissions for objects in the MIB.

r — Grants only read access to objects in the MIB, except security objects, using the internal "snmp-ro" access group and the "no-security" snmp view.

rw — Grants read and write access to all objects in the MIB, using the internal "snmp-rw" access group and the "no-security" snmp view.

rwa — Grants read and write access to all objects in the MIB, including security, using the internal snmp-rwa access group and the iso snmp view.

mgmt — Assigns a unique SNMP community string for SNMP access via the management router instance. This community uses the internal snmp-mgmt access group and the mgmt snmp view.

vpls-mgmt — Assigns a unique SNMP community string for SNMP access via the vpls-management router instance. This community uses the internal snmp-vpls-mgmt access group and mgmt-view snmp view.

version {v1 | v2c | both}

Configures the scope of the community string to be for SNMPv1, SNMPv2c, or both SNMPv1 and SNMPv2c access.

Default

both

list-name

Configures the community to reference a specific src-access-list, which will be used to validate the source IP address of all received SNMP requests that use this community. Multiple community, usm-community, or VPRN SNMP community instances can reference the same src-access-list.

Platforms

7705 SAR Gen 2
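
The following added example (not Nokia's code and not part of this reference) audits classic CLI `community` lines against the syntax documented above, flagging strings entered without hash or hash2, the rwa permission, and entries that lack a src-access-list. The sample lines, finding labels, and function names are constructed for illustration.

```python
import shlex

# Keywords taken from the syntax line documented above.
ENCODINGS = {"hash", "hash2", "custom"}
PERMISSIONS = {"r", "rw", "rwa", "mgmt", "vpls-mgmt"}
WRITE_PERMS = {"rw", "rwa"}
OPTIONS = {"version": "version", "src-access-list": "src_access_list"}


def parse_community(line):
    """Parse one 'community ...' line into a dict; return None for other lines."""
    tokens = shlex.split(line)  # honours the double-quote rule for special characters
    if len(tokens) < 2 or tokens[0] != "community":
        return None  # blank lines, 'no community ...', unrelated commands
    entry = {"string": tokens[1], "encoding": None, "perm": None,
             "version": "both",  # documented default scope
             "src_access_list": None}
    rest = tokens[2:]
    if rest and rest[0] in ENCODINGS:
        entry["encoding"] = rest.pop(0)
    if not rest or rest[0] not in PERMISSIONS:
        raise ValueError("missing or unknown access-permissions: " + line.strip())
    entry["perm"] = rest.pop(0)
    while rest:
        keyword = rest.pop(0)
        if keyword not in OPTIONS or not rest:
            raise ValueError("unexpected token %r in: %s" % (keyword, line.strip()))
        entry[OPTIONS[keyword]] = rest.pop(0)
    return entry


def audit(config_text):
    """Return a list of (community-string, [finding labels]) for each community line."""
    results = []
    for line in config_text.splitlines():
        entry = parse_community(line)
        if entry is None:
            continue
        findings = []
        if entry["encoding"] is None:
            # Without hash/hash2 the string is assumed to be cleartext.
            findings.append("cleartext-string")
        if entry["perm"] == "rwa":
            # rwa is the only permission that includes security objects.
            findings.append("rwa-includes-security-objects")
        if entry["src_access_list"] is None:
            # No source IP validation is applied to requests using this community.
            if entry["perm"] in WRITE_PERMS:
                findings.append("write-without-src-access-list")
            else:
                findings.append("no-src-access-list")
        results.append((entry["string"], findings))
    return results


# Constructed sample input (not taken from a real device).
SAMPLE = '''
community "public" r version v2c
community "ops rw#1" rw version v2c src-access-list "nms-hosts"
community "CONSTRUCTED-HASH2-PLACEHOLDER" hash2 rwa
no community "old"
'''

if __name__ == "__main__":
    for name, findings in audit(SAMPLE):
        print(name, "->", ", ".join(findings) or "ok")
```
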

community

Syntax

[no] community name

Context

[Tree] (config>router>policy-options community)

Full Context

configure router policy-options community

Description

This command creates a route policy community list or expression to use in route policy entries. A community list is an unordered set of community values (members). In general a route matches a community list if it has any of the member values. A community expression is a set of community values that are arranged in a logical expression using operators such as AND, OR, and NOT. A route matches a community expression if it satisfies the logic of the expression.

For additional information, see the expression and members commands in the config>router>policy-options>community context.

The no form of this command deletes the community list or the provided community ID.

Default

no community

Parameters

name

Specifies the community list name. Allowed values are any string up to 64 characters, composed of printable, 7-bit ASCII characters. If the string contains special characters (for example, #, $, spaces), the entire string must be enclosed within double quotes.

Platforms

7705 SAR Gen 2

community

Syntax

community add name [name]

community remove name [name]

community replace name [name]

no community

Context

[Tree] (config>router>policy-options>policy-statement>default-action community)

[Tree] (config>router>policy-options>policy-statement>entry>action community)

Full Context

configure router policy-options policy-statement default-action community

configure router policy-options policy-statement entry action community

Description

This command adds or removes a BGP community list to or from routes matching the route policy statement entry.

If no community list is specified, the community path attribute is not changed.

The community list changes the community path attribute according to the add and remove keywords.

The no form of this command disables the action to edit the community path attribute for the route policy entry.

Default

no community

Parameters

name

Specifies up to 28 names.

add

The specified community list is added to any existing list of communities.

remove

The specified community list is removed from the existing list of communities.

replace

The specified community list replaces any existing community attribute.

name — The community list name. Allowed values are any string up to 64 characters, composed of printable, 7-bit ASCII characters. If the string contains special characters (#, ?, space), the entire string must be enclosed within double quotes. Policy parameters must be enclosed by at-signs (@) and may be midstring; for example, "@variable@", "start@variable@end", "@variable@end", or "start@variable@".

Platforms

7705 SAR Gen 2

community

Syntax

community comm-name

community expression expression

no community

Context

[Tree] (config>router>policy-options>policy-statement>entry>from community)

Full Context

configure router policy-options policy-statement entry from community

Description

This command configures a community list as a match criterion for the route policy entry.

If no community list is specified, any community is considered a match.

The no form of this command removes the community list match criterion.

Default

no community

Parameters

comm-name

Specifies the community list name. Allowed values are any string up to 32 characters long composed of printable, 7-bit ASCII characters. If the string contains special characters (#, ?, space), the entire string must be enclosed within double quotes.

expression

Specifies that the parameters are applied to routes matching the entry.

Values

expression is one of the following, up to 900 characters:

<expression> {AND | OR} <expression>

[NOT] ( <expression> )

[NOT] "["<comm-name>"]"

The following are examples of valid logical expressions:

  • "[community_list_A] OR ([community_list_B] AND [community_list_C])"
  • "NOT [community_list_A]"
  • "[community_list_A] AND [community_list_B] OR [community_list_C]"
  • "NOT ([community_list_A] OR [community_list_B] OR [community_list_C])"

Platforms

7705 SAR Gen 2

community-count

community-count

Syntax

community-count count [equal | or-higher | or-lower] [standard | extended | large]

no community-count

Context

[Tree] (config>router>policy-options>policy-statement>entry>from community-count)

Full Context

configure router policy-options policy-statement entry from community-count

Description

This command matches BGP routes based on community length (that is, the number of community members in the COMMUNITY, EXTENDED_COMMUNITY, or LARGE_COMMUNITY attributes).

If no comparison qualifiers are present (equal, or-higher, or-lower), then equal is the implied default.

Without the optional standard, extended, or large keyword, the community length applies to the total number of communities, of all types. If some keywords are present, then only the types specified are counted against the limit.

A non-BGP route does not match a policy entry if it contains the community-count command.

Default

no community-count

Parameters

count

Specifies the number of community members.

Values

0 to 1024, or a parameter, up to 32 characters, name delimited by a starting and ending at-sign (@) character

equal

Specifies that matched routes should have the same number of AS path elements as the value specified.

or-higher

Specifies that matched routes should have the same or a greater number of community members as the value specified.

or-lower

Specifies that matched routes should have the same or a lower number of community members as the value specified.

standard

Specifies that only communities in the COMMUNITY attribute should be counted.

extended

Specifies that only communities in the EXTENDED_COMMUNITY attribute should be counted.

large

Specifies that only communities in the LARGE_COMMUNITY attribute should be counted.

Platforms

7705 SAR Gen 2

compare

compare

Syntax

compare source1 to source2

Context

[Tree] (admin compare)

Full Context

admin compare

Description

This command displays the differences between rollback checkpoints and the active operational configuration, with source1 as the base/first file to which source2 is compared.

A compare operation does not check authorization of each line of output. Permission to execute the compare operation from the admin branch of CLI (authorization for the admin rollback compare or admin compare command itself) should only be given to users who are allowed to view the entire configuration, similar to permissions for admin display-config.

Default

The defaults for source1 and source2 are context aware and differ based on the branch in which the command is executed. In general, the default for source1 matches the context from which the command is issued.

  • In the admin node: No defaults. source1 and source2 must be specified.

  • In the admin>rollback node:

    source1 default = active-cfg, source2 default = latest-rb

    compare: equivalent to "compare active-cfg to latest-rb"

    compare to source2: equivalent to "compare active-cfg to source2"

  • In a config>xx node:

    compare to source2: equivalent to "compare active-cfg to source2"

Parameters

source1, source2

Specifies comparison information.

Values

active-cfg — The current operational configuration that is active in the node.

latest-rb — The most recent rollback checkpoint (the checkpoint file at the configured rollback-location with "*.rb" as the suffix).

rescue — The rescue configuration (at the configured rescue-location).

checkpoint-id — An ID indicating a specific rollback checkpoint. A checkpoint-id of 1 indicates the rollback checkpoint file (at the configured rollback-location) with "*.rb.1" as the suffix, 2 for file "*.rb.2", and so on.

Platforms

7705 SAR Gen 2

compare

Syntax

compare [to checkpoint2]

compare checkpoint1 to checkpoint2

Context

[Tree] (admin>rollback compare)

Full Context

admin rollback compare

Description

This command can be used in any branch under configure, but not with configure itself. The command syntax, parameter names, and default values are context aware and will differ based on the branch in which the command is executed.

This command displays the differences between rollback checkpoints and the active operational configuration, with checkpoint1 as the base/first file to which checkpoint2 is compared. This command displays the comparison for the configuration context where it is entered and all branches below that context level.

A compare operation does not check authorization of each line of output. Permission to execute the compare operation from the admin branch of CLI (authorization for the admin rollback compare or admin compare command itself) should only be given to users who are allowed to view the entire configuration, similar to permissions for admin display-config.

Default

The defaults for checkpoint1 and checkpoint2 are context-aware and differ based on the branch in which the command is executed. In general, the default for checkpoint1 matches the context from which the command is issued.

  • In the admin node: No defaults. checkpoint1 and checkpoint2 must be specified.

  • In the admin>rollback node:

    checkpoint1 default = active-cfg, checkpoint2 default = latest-rb

    compare: equivalent to "compare active-cfg to latest-rb"

    compare to checkpoint2: equivalent to "compare active-cfg to checkpoint2"

  • In a config>xx node:

    compare to checkpoint2: equivalent to "compare active-cfg to checkpoint2"

Parameters

checkpoint1, checkpoint2

Specifies comparison information.

Values

active-cfg — The current operational configuration that is active in the node.

latest-rb — The most recent rollback checkpoint (the checkpoint file at the configured rollback-location with "*.rb" as the suffix).

rescue — The rescue configuration (at the configured rescue-location).

checkpoint-id — An ID indicating a specific rollback checkpoint. A checkpoint-id of 1 indicates the rollback checkpoint file (at the configured rollback-location) with "*.rb.1" as the suffix, 2 for file "*.rb.2", and so on.

Platforms

7705 SAR Gen 2

compare-chain-include

compare-chain-include

Syntax

compare-chain-include ca-profile-name

no compare-chain-include

Context

[Tree] (config>ipsec>cert-profile>entry compare-chain-include)

Full Context

configure ipsec cert-profile entry compare-chain-include

Description

This command configures the Certificate Authority (CA) profile that needs to be included in the compare-chain for the entry. This configuration is required in instances where there are multiple overlapping compare-chains, for example, the configured root CA is cross-signed by another CA.

Default

no compare-chain-include

Parameters

ca-profile-name

Specifies the name of the CA profile.

Platforms

7705 SAR Gen 2

compare-origin-validation-state

compare-origin-validation-state

Syntax

[no] compare-origin-validation-state

Context

[Tree] (config>service>vprn>bgp>best-path-selection compare-origin-validation-state)

Full Context

configure service vprn bgp best-path-selection compare-origin-validation-state

Description

This command enables the comparison of origin validation states during the BGP decision process. When this command is configured, a new step is inserted in the BGP decision process after the removal of invalid routes and before the comparison of Local Preference. This step compares the origin validation state so a BGP route with a "Valid" state is preferred over a BGP route with a "Not-Found" state. A BGP route with a "Not-Found" state is preferred over a BGP route with an "Invalid" state, assuming that these routes are considered "usable".

This comparison only applies to BGP routes learned from VPRN BGP peers. It does not apply to any comparison involving BGP-VPN routes that have been imported into the VPRN.

The no form of this command causes the new step to be skipped during the BGP decision process.

Default

no compare-origin-validation-state

Platforms

7705 SAR Gen 2

compare-origin-validation-state

Syntax

[no] compare-origin-validation-state

Context

[Tree] (config>router>bgp>best-path-selection compare-origin-validation-state)

Full Context

configure router bgp best-path-selection compare-origin-validation-state

Description

When this command is configured, a new step is inserted in the BGP decision process after removal of invalid routes and before the comparison of Local Preference. The new step compares the RPKI origin validation state so that a BGP route with a 'Valid' state is preferred over a BGP route with a 'Not-Found' state, and a BGP route with a 'Not-Found' state is preferred over a BGP route with an 'Invalid' state, assuming that these routes are considered 'usable'.

The new step is skipped when no compare-origin-validation-state is configured.

Default

no compare-origin-validation-state

Platforms

7705 SAR Gen 2
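
An added illustration, not part of the original reference and not the router's implementation: a simplified model of the decision step described for both compare-origin-validation-state contexts, showing how the selected path changes when the step is enabled. Only the origin-validation and Local Preference steps are modeled; the Route fields, peer names, and sample values are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Preference order stated in the description: Valid > Not-Found > Invalid.
OV_RANK = {"Valid": 0, "Not-Found": 1, "Invalid": 2}


@dataclass
class Route:
    peer: str            # hypothetical label for the advertising peer
    ov_state: str        # "Valid", "Not-Found" or "Invalid"
    local_pref: int
    usable: bool = True  # False models a route removed as invalid before this step


def best_path(routes, compare_ov_state):
    """Pick a best path using only the two steps this page describes."""
    # Step 0: removal of invalid (unusable) routes.
    candidates = [r for r in routes if r.usable]
    if not candidates:
        return None
    # Inserted step: keep only routes with the most preferred validation state.
    if compare_ov_state:
        best_rank = min(OV_RANK[r.ov_state] for r in candidates)
        candidates = [r for r in candidates if OV_RANK[r.ov_state] == best_rank]
    # Next step: highest Local Preference wins.
    top_pref = max(r.local_pref for r in candidates)
    candidates = [r for r in candidates if r.local_pref == top_pref]
    # Later tie-breakers of the BGP decision process are not modeled here.
    return candidates[0]


# Constructed sample: three routes for the same prefix.
SAMPLE_ROUTES = [
    Route(peer="peer-a", ov_state="Valid", local_pref=100),
    Route(peer="peer-b", ov_state="Not-Found", local_pref=200),
    Route(peer="peer-c", ov_state="Invalid", local_pref=300),  # still usable
]

if __name__ == "__main__":
    print("step disabled:", best_path(SAMPLE_ROUTES, False).peer)
    print("step enabled: ", best_path(SAMPLE_ROUTES, True).peer)
```

With the step disabled, a usable route in the Invalid state can still win on Local Preference alone, which is the case the command is meant to change.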

compatibility

compatibility

Syntax

compatibility mode

Context

[Tree] (config>port>dwdm>coherent compatibility)

Full Context

configure port dwdm coherent compatibility

Description

This command configures the optical mode and rate of operation.

Parameters

mode

Specifies the optical mode.

Values

long-haul - The port operates in the native long-haul mode.

long-haul-non-diff - The port operates in the native long-haul mode using non-differential encoding.

metro - The port operates in the native metro regional mode.

access - The port operates in the native access mode (80 km reach).

interop - The port operates in the third party interop mode.

interop2 - The port operates in the third party interop mode with alternate differential encoding.

interop3 - The port operates in the CFP2-DCO Rev A0 Staircase FEC interop mode.

oif-400g-zr - The port operates in compliance with the OIF 400G ZR implementation agreement (IA). This parameter is only supported for use with 400G ZR and 400G ZR+ pluggable transceiver modules.

open-zrp-ofec1 - The port operates in compliance with the OpenZR+ multi-source agreement (MSA) (100 GHz spacing). This parameter is only supported for use with 400G ZR and 400G ZR+ pluggable transceiver modules.

open-zrp-ofec2 - The port operates in compliance with the OpenZR+ MSA (75 GHz spacing). This parameter is only supported for use with 400G ZR and 400G ZR+ pluggable transceiver modules.

Default

long-haul

Platforms

7705 SAR Gen 2

compatible-rfc1583

compatible-rfc1583

Syntax

[no] compatible-rfc1583

Context

[Tree] (config>service>vprn>ospf compatible-rfc1583)

Full Context

configure service vprn ospf compatible-rfc1583

Description

This command enables OSPF summary and external route calculations in compliance with RFC 1583 and earlier RFCs.

RFC 1583 and earlier RFCs use a different method to calculate summary and external route costs. To avoid routing loops, all routers in an OSPF domain should perform the same calculation method.

Although it would be favorable to require all routers to run a more current compliance level, this command allows the router to use obsolete methods of calculation.

This command is not supported in OSPF3.

The no form of this command enables the post-RFC 1583 method of summary and external route calculation.

Default

compatible-rfc1583 — RFC 1583 compliance is enabled.

Platforms

7705 SAR Gen 2

compatible-rfc1583

Syntax

[no] compatible-rfc1583

Context

[Tree] (config>router>ospf compatible-rfc1583)

Full Context

configure router ospf compatible-rfc1583

Description

This command enables OSPF summary and external route calculations in compliance with RFC 1583 and earlier RFCs.

RFC 1583 and earlier RFCs use a different method to calculate summary and external route costs. To avoid routing loops, all routers in an OSPF domain should perform the same calculation method.

Although it would be favorable to require all routers to run a more current compliance level, this command allows the router to use obsolete methods of calculation.

The no form of this command enables the post-RFC 1583 method of summary and external route calculation.

Default

compatible-rfc1583

Platforms

7705 SAR Gen 2

complexity-rules

complexity-rules

Syntax

complexity-rules

Context

[Tree] (config>system>security>password complexity-rules)

Full Context

configure system security password complexity-rules

Description

This command defines a list of rules for configurable password options.

Note:

This command applies to local users.

Platforms

7705 SAR Gen 2

conditional-expression

conditional-expression

Syntax

conditional-expression

Context

[Tree] (config>router>policy-options>policy-statement>entry conditional-expression)

Full Context

configure router policy-options policy-statement entry conditional-expression

Description

This command creates the context to configure a route existence expression.

Platforms

7705 SAR Gen 2

confederation

confederation

Syntax

confederation confed-as-num [members as-number [as-number]]

no confederation confed-as-num members as-number [as-number]

no confederation

Context

[Tree] (config>service>vprn confederation)

Full Context

configure service vprn confederation

Description

This command configures the VPRN BGP instance to participate in a BGP confederation. BGP confederations can be used to reduce the number of IBGP sessions required within an AS.

When a VPRN BGP instance is part of a confederation, it can form confederation-EBGP sessions with CE router peers in a different sub-autonomous system of the same confederation as well as regular EBGP sessions with CE router peers outside the confederation. A VPRN BGP instance that is part of a confederation cannot import or export its routes to the base router instance (as VPN-IP routes).

The no form of this command deletes the specified member AS from the confederation. When members are not specified in the no statement, the entire list is removed and confederations is disabled. When the last member of the list is removed, confederations is disabled.

Default

no confederation

Parameters

confed-as-num

The confederation AS number defined as a decimal value.

Values

1 to 4294967295

members as-number

The AS number(s) that are members of the confederation, each expressed as a decimal integer. Configure up to 15 members per confed-as-num.

Values

1 to 4294967295

Platforms

7705 SAR Gen 2

confederation

Syntax

confederation confed-as-num [members as-number [as-number]]

no confederation confed-as-num members as-number [as-number]

no confederation

Context

[Tree] (config>router confederation)

Full Context

configure router confederation

Description

This command creates confederation autonomous systems within an AS.

This technique is used to reduce the number of IBGP sessions required within an AS. Route reflection is another technique that is commonly deployed to reduce the number of IBGP sessions.

The no form of this command deletes the specified member AS from the confederation.

When no members are specified in the no statement, the entire list is removed and confederation is disabled.

When the last member of the list is removed, confederation is disabled.

Default

no confederation - no confederations are defined.

Parameters

confed-as-num

Specifies the confederation AS number expressed as a decimal integer.

Values

1 to 65535

as-number

Specifies the AS number of members that are part of the confederation, expressed as a decimal integer. Up to 15 members per confed-as-num can be configured.

Values

1 to 65535

Platforms

7705 SAR Gen 2

config-backup

config-backup

Syntax

config-backup count

no config-backup

Context

[Tree] (config>system config-backup)

Full Context

configure system config-backup

Description

This command configures the maximum number of backup versions maintained for configuration files and BOF.

For example, assume the config-backup count is set to 5 and the configuration file is called xyz.cfg. When the configuration is saved, the file xyz.cfg is saved with a 1 extension. Each configuration save increments the numeric extension until the maximum count is reached.

xyz.cfg xyz.cfg.1 xyz.cfg.2 xyz.cfg.3 xyz.cfg.4 xyz.cfg.5

Each classic CLI persistent index file is updated at the same time as the associated configuration file. When the index file is updated, then the save is performed to xyz.cfg and the index file is created as xyz.ndx. Synchronization between the active and standby CPM is performed for all configurations and their associated persistent index files.

The no form of the command returns the configuration to the default value.

Default

config-backup 50

Parameters

count

Specifies the maximum number of backup revisions.

Values

1 to 200

Platforms

7705 SAR Gen 2

configuration-mode

configuration-mode

Syntax

configuration-mode {classic | mixed | model-driven}

Context

[Tree] (config>system>management-interface configuration-mode)

Full Context

configure system management-interface configuration-mode

Description

This command controls which management interfaces are used for editing and changing the configuration of the router.

Any management interface can be used in any configuration mode (to gather state information or perform operations, for example), but only specific management interfaces (CLI, NETCONF, and so on) are allowed to edit the configuration of the router in different modes. For example, only classic CLI and SNMP can be used to edit the configuration when in classic mode.

Default

configuration-mode model-driven

Parameters

classic

Enables editing of router configuration via classic CLI and SNMP management interfaces, but not using model-driven interfaces.

model-driven

Enables editing of router configuration via model-driven management interfaces (NETCONF with 'Nokia' YANG models, MD-CLI or gRPC), but not using classic interfaces.

mixed

Enables editing of router configuration using a mix of classic CLI and/or model-driven management interfaces (with some restrictions and limitations).

Platforms

7705 SAR Gen 2

configure

configure

Syntax

configure

Context

[Tree] (configure)

Full Context

configure

Description

Commands in this context edit the system configuration.

Platforms

7705 SAR Gen 2

confirm

confirm

Syntax

confirm

Context

[Tree] (candidate confirm)

Full Context

candidate confirm

Description

This command is used to stop an automatic reversion to the previous configuration after the candidate commit confirmed command was used. If the confirm command is not executed before the commit confirmed timeout period expires then the previous commit changes will be undone and the previous candidate configuration will be available for editing and a subsequent commit.

During the countdown the contents of the candidate will remain visible (candidate view) and changes to the candidate are blocked until the timeout is completed or the candidate confirm command is executed. Executing the confirm command clears the contents of the candidate and allows editing of the candidate.

Platforms

7705 SAR Gen 2

confirm

Syntax

[no] confirm

Context

[Tree] (config>system>management-interface>cli>md-cli>environment>commit-options confirm)

Full Context

configure system management-interface cli md-cli environment commit-options confirm

Description

This command configures the requirement for a confirmed commit when committing configuration.

The no form of this command does not require a confirmed commit when committing configuration.

Default

no confirm

Platforms

7705 SAR Gen 2

connect-retry

connect-retry

Syntax

connect-retry seconds

no connect-retry

Context

[Tree] (config>service>vprn>bgp>group connect-retry)

[Tree] (config>service>vprn>bgp>group>neighbor connect-retry)

[Tree] (config>service>vprn>bgp connect-retry)

Full Context

configure service vprn bgp group connect-retry

configure service vprn bgp group neighbor connect-retry

configure service vprn bgp connect-retry

Description

This command configures the BGP connect retry timer value in seconds.

When this timer expires, BGP tries to reconnect to the configured peer. This configuration parameter can be set at three levels: global level (applies to all peers), peer-group level (applies to all peers in group) or neighbor level (only applies to specified peer). The most specific value is used.

The no form of this command used at the global level reverts to the default value.

The no form of this command used at the group level reverts to the value defined at the global level.

The no form of this command used at the neighbor level reverts to the value defined at the group level.

Default

120 seconds

Parameters

seconds

Specifies the BGP connect retry timer value in seconds, expressed as a decimal integer.

Values

1 to 65535

Platforms

7705 SAR Gen 2

connect-retry

Syntax

connect-retry seconds

no connect-retry

Context

[Tree] (config>router>origin-validation>rpki-session connect-retry)

Full Context

configure router origin-validation rpki-session connect-retry

Description

This command configures the time in seconds to wait between one TCP connection attempt that fails and the next attempt. The default (with no connect-retry) is 120 seconds.

Default

no connect-retry

Parameters

seconds

Specifies time in seconds.

Values

1 to 65535

Platforms

7705 SAR Gen 2

connect-retry

Syntax

connect-retry seconds

no connect-retry

Context

[Tree] (config>router>bgp>group>neighbor connect-retry)

[Tree] (config>router>bgp connect-retry)

[Tree] (config>router>bgp>group connect-retry)

Full Context

configure router bgp group neighbor connect-retry

configure router bgp connect-retry

configure router bgp group connect-retry

Description

This command configures the BGP connect retry timer value in seconds.

When this timer expires, BGP tries to reconnect to the configured peer. This configuration parameter can be set at three levels: global level (applies to all peers), peer-group level (applies to all peers in group) or neighbor level (only applies to specified peer). The most specific value is used.

The no form of this command used at the global level reverts to the default value.

The no form of this command used at the group level reverts to the value defined at the global level.

The no form of this command used at the neighbor level reverts to the value defined at the group level.

Default

connect-retry 120

Parameters

seconds

The BGP Connect Retry timer value in seconds expressed as a decimal integer.

Values

1 to 65535

Platforms

7705 SAR Gen 2

connection

connection

Syntax

[no] connection ip-address

Context

[Tree] (debug>router>pcep>pcc connection)

Full Context

debug router pcep pcc connection

Description

This command debugs PCC connection events.

The no form of this command disables debugging.

Parameters

ip-address

Specifies the IP address.

Values

ipv4-prefix: a.b.c.d

ipv6-prefix:

  • x:x:x:x:x:x:x:x (eight 16-bit pieces)

  • x:x:x:x:x:x:d.d.d.d

  • x: [0 to FFFF] H

  • d: [0 to 255] D

Platforms

7705 SAR Gen 2

connection-profile-vlan

connection-profile-vlan

Syntax

connection-profile-vlan conn-prof-id [create]

no connection-profile-vlan conn-prof-id

Context

[Tree] (config connection-profile-vlan)

Full Context

configure connection-profile-vlan

Description

Commands in this context configure the VLAN ranges that will be associated with a service SAP.

Each connection-profile-vlan must be explicitly configured.

Parameters

conn-prof-id

Specifies the connection-profile identifier. This value will be configured in the service along with the SAP when the user associates a VLAN bundle to a single SAP. For example, a SAP defined in a dot1q port 1/1/1 that matches all the VLANs defined in the connection-profile-vlan 1 will be created as 'sap 1/1/1:cp-1 create'.

Values

1 to 8000

Platforms

7705 SAR Gen 2

connection-timeout

connection-timeout

Syntax

connection-timeout seconds

no connection-timeout

Context

[Tree] (config>system>management-interface>remote-management connection-timeout)

Full Context

configure system management-interface remote-management connection-timeout

Description

This command configures the amount of time that all remote managers cannot be reached before they are considered to be down.

If this command is also configured for a specific manager in the config>system>management-interface>remote-management>manager context, that configuration takes precedence.

The no form of this command reverts to the default.

Default

connection-timeout 60

Parameters

seconds

Specifies the connection timeout in seconds.

Values

1 to 3600

Platforms

7705 SAR Gen 2

connection-timeout

Syntax

connection-timeout seconds

no connection-timeout

Context

[Tree] (config>system>management-interface>remote-management>manager connection-timeout)

Full Context

configure system management-interface remote-management manager connection-timeout

Description

This command configures the amount of time that this remote manager cannot be reached before it is considered to be down.

This command takes precedence over the same command configured in the global context (config>system>management-interface>remote-management).

The no form of this command reverts to the default.

Default

connection-timeout 60

Parameters

seconds

Specifies the connection timeout in seconds.

Values

1 to 3600

Platforms

7705 SAR Gen 2

connectivity-association

connectivity-association

Syntax

connectivity-association ca-name [create]

no connectivity-association ca-name

Context

[Tree] (config>macsec connectivity-association)

Full Context

configure macsec connectivity-association

Description

This command configures a connectivity association. MACsec connectivity associations are applied to a port dot1x configuration to enable MACsec on that port.

The no form of this command removes the connectivity association.

Parameters

ca-name

The name of the connectivity association, a string up to 32 characters long.

create

Mandatory while creating an entry.

Platforms

7705 SAR Gen 2

connectivity-verify

connectivity-verify

Syntax

connectivity-verify

Context

[Tree] (config>redundancy>mc>peer>mcr>l3ring>node connectivity-verify)

Full Context

configure redundancy multi-chassis peer mc-ring l3-ring ring-node connectivity-verify

Description

Commands in this context configure a node connectivity check.

Platforms

7705 SAR Gen 2

connector

connector

Syntax

connector

Context

[Tree] (config>port connector)

Full Context

configure port connector

Description

Commands in this context configure connector parameters.

Platforms

7705 SAR Gen 2

consider-system-ip-in-gep

consider-system-ip-in-gep

Syntax

[no] consider-system-ip-in-gep

Context

[Tree] (config>router>ldp consider-system-ip-in-gep)

Full Context

configure router ldp consider-system-ip-in-gep

Description

When this command is enabled, the system interprets the presence or absence of the system IP and its associated action in the applied Global Export Policies in the same way as for other interfaces' IP addresses. In that case:

  • if the system IP is not present, its FEC will not be exported or it will be withdrawn if it has been exported

  • if the system IP is present with "accept", its FEC will be exported

  • if the system IP is present with "deny", its FEC will not be exported or it will be withdrawn if it had been exported

Enabling or disabling this command leads to the applied Global Export Policies being reevaluated.

The no form of this command causes the system to not interpret the presence or absence of the system IP in applied Global Export Policies, and the FEC for the system IP is exported (default behavior).

Default

no consider-system-ip-in-gep

Platforms

7705 SAR Gen 2

console

console

Syntax

console

Context

[Tree] (config>system>management-interface>cli>md-cli>environment console)

Full Context

configure system management-interface cli md-cli environment console

Description

Commands in this context configure console parameters.

Platforms

7705 SAR Gen 2

console

Syntax

console

Context

[Tree] (config>system>security>user-template console)

[Tree] (config>system>security>user console)

Full Context

configure system security user-template console

configure system security user console

Description

This command creates the context to configure user profile membership for the console (either Telnet or CPM serial port user).

Platforms

7705 SAR Gen 2

console-speed

console-speed

Syntax

console-speed baud-rate

no console-speed

Context

[Tree] (bof console-speed)

Full Context

bof console-speed

Description

This command configures the console port baud rate.

When this command is issued while editing the BOF file used for the most recent boot, both the BOF file and the active configuration are changed immediately.

The no form of this command reverts to the default value.

Default

console-speed 115200

Parameters

baud-rate

Specifies the console port baud rate, expressed as a decimal integer.

Values

9600, 19200, 38400, 57600, 115200

Platforms

7705 SAR Gen 2

contact

contact

Syntax

contact contact-information

no contact contact-information

Context

[Tree] (config>service>cust contact)

Full Context

configure service customer contact

Description

This command configures contact information for a customer.

Include any customer-related contact information such as a technician’s name or account contract name.

The no form of this command removes the contact information from the customer ID.

Default

no contact

Parameters

contact-information

Specifies customer contact information entered as an ASCII character string up to 80 characters in length. If the string contains special characters (#, ?, space), the entire string must be enclosed within double quotes. Any printable, seven bit ASCII characters may be used within the string.

Platforms

7705 SAR Gen 2

contact

Syntax

contact contact-name

no contact

Context

[Tree] (config>system contact)

Full Context

configure system contact

Description

This command creates a text string that identifies the contact name for the device.

Only one contact can be configured. If multiple contacts are configured, the last one entered overwrites the previous entry.

The no form of the command reverts to default.

Default

no contact

Parameters

contact-name

Specifies the contact name character string. The string can be up to 80 characters long. Any printable, seven-bit ASCII characters can be used within the string. If the string contains special characters (#, ?, space), the entire string must be enclosed within double quotes.

Platforms

7705 SAR Gen 2

context

context

Syntax

[no] context

Context

[Tree] (config>system>management-interface>cli>md-cli>environment>prompt context)

Full Context

configure system management-interface cli md-cli environment prompt context

Description

This command displays the current command context in the prompt.

The no form of this command suppresses the current command context in the prompt.

Default

context

Platforms

7705 SAR Gen 2

continuous

continuous

Syntax

[no] continuous

Context

[Tree] (config>saa>test continuous)

Full Context

configure saa test continuous

Description

This command specifies whether the SAA test is continuous. Once a test is configured as continuous, it cannot be started or stopped with the oam saa test-name {start | stop} command.

This option is not applicable to all SAA test types. Support is included for the following types:

  • cpe-ping

  • dns

  • eth-cfm-loopback

  • eth-cfm-two-way-delay

  • eth-cfm-two-way-slm

  • icmp-ping (not applicable to rapid type)

  • lsp-ping

  • mac-ping

  • sdp-ping

  • vccv-ping

  • vprn-ping

The no form of this command disables the continuous execution of the test.

Platforms

7705 SAR Gen 2

control-channel-status

control-channel-status

Syntax

[no] control-channel-status

Context

[Tree] (config>service>epipe>spoke-sdp control-channel-status)

[Tree] (config>service>vpls>spoke-sdp control-channel-status)

Full Context

configure service epipe spoke-sdp control-channel-status

configure service vpls spoke-sdp control-channel-status

Description

This command enables the configuration of static pseudowire status signaling on a spoke SDP for which signaling for its SDP is set to OFF.

A control-channel-status no shutdown is allowed only if all of the following are true:

  • SDP signaling is off.

  • The control-word is enabled (the control-word is disabled by default)

  • The service type is Epipe, Apipe, VPLS, Cpipe, or IES/VPRN

  • Mate SDP signaling is off (in vc-switched services)

  • The pw-path-id is configured for this spoke SDP.

The no form of this command removes control channel status signaling from a spoke SDP. It can only be removed if control channel status is shut down.

Default

no control-channel-status

Platforms

7705 SAR Gen 2

control-channel-status

Syntax

control-channel-status

Context

[Tree] (config>service>ies>if>spoke-sdp control-channel-status)

Full Context

configure service ies interface spoke-sdp control-channel-status

Description

This command enables the configuration of static pseudowire status signaling on a spoke-SDP for which signaling for its SDP is set to OFF.

A control-channel-status no shutdown is allowed only if all of the following are true:

  • SDP signaling is off.

  • The control-word is enabled (the control-word is disabled by default)

  • The service type is Epipe, Apipe, VPLS, Cpipe, or IES/VPRN

  • Mate SDP signaling is off (in vc-switched services)

  • The pw-path-id is configured for this spoke-SDP.

The no form of this command removes control channel status signaling from a spoke-SDP. It can only be removed if control channel status is shut down.

Default

no control-channel-status

Platforms

7705 SAR Gen 2

control-channel-status

Syntax

control-channel-status

Context

[Tree] (config>service>vprn>if>spoke-sdp control-channel-status)

Full Context

configure service vprn interface spoke-sdp control-channel-status

Description

This command enables the configuration of static pseudowire status signaling on a spoke SDP for which signaling for its SDP is set to OFF.

A control-channel-status no shutdown is allowed only if all of the following are true:

  • SDP signaling is off.

  • The control-word is enabled (the control-word is disabled by default)

  • The service type is Epipe, Apipe, VPLS, Cpipe, or IES/VPRN

  • Mate SDP signaling is off (in vc-switched services)

  • The pw-path-id is configured for this spoke SDP.

The no form of this command removes control channel status signaling from a spoke SDP. It can only be removed if control channel status is shut down.

Default

no control-channel-status

Platforms

7705 SAR Gen 2

control-word

control-word

Syntax

[no] control-word

Context

[Tree] (config>service>epipe>bgp-evpn>mpls control-word)

[Tree] (config>service>vpls>bgp-evpn>mpls control-word)

Full Context

configure service epipe bgp-evpn mpls control-word

configure service vpls bgp-evpn mpls control-word

Description

This command enables the transmission and reception of the control-word. As defined in RFC 7432, the use of the control-word helps avoid frame disordering.

It is enabled or disabled for all EVPN-MPLS destinations at the same time.

Default

no control-word

Platforms

7705 SAR Gen 2

control-word

Syntax

[no] control-word

Context

[Tree] (config>service>epipe>spoke-sdp control-word)

Full Context

configure service epipe spoke-sdp control-word

Description

The control word command provides the option to add a control word as part of the packet encapsulation for pseudowire types for which the control word is optional. These are Ethernet pseudowires (Epipe), ATM N:1 cell mode pseudowires (apipe vc-types atm-vcc and atm-vpc), and VT pseudowires (apipe vc-type atm-cell).

The configuration for the two directions of the pseudowire must match because the control word negotiation procedures described in Section 6.2 of RFC 4447 are not supported. The C-bit in the pseudowire FEC sent in the label mapping message is set to 1 when the control word is enabled. Otherwise, it is set to 0.

The service will only come up if the same C-bit value is signaled in both directions. If a spoke-sdp is configured to use the control word but the node receives a label mapping message with the C-bit clear, the node releases the label with an "Illegal C-bit" status code as per Section 6.1 of RFC 4447. As soon as the user also enables the control word on the remote peer, the remote peer withdraws its original label and sends a label mapping with the C-bit set to 1, and the VLL service comes up on both nodes. The control word must be enabled to allow MPLS-TP OAM to be used on a static spoke-sdp in an Apipe, Epipe, or Cpipe service.

Platforms

7705 SAR Gen 2

control-word

Syntax

[no] control-word

Context

[Tree] (config>service>vpls>spoke-sdp control-word)

Full Context

configure service vpls spoke-sdp control-word

Description

The control word command provides the option to add a control word as part of the packet encapsulation for pseudowire types for which the control word is optional. These are Ethernet pseudowires (Epipe), ATM N:1 cell mode pseudowires (apipe vc-types atm-vcc and atm-vpc), and VT pseudowires (apipe vc-type atm-cell).

The configuration for the two directions of the pseudowire must match because the control word negotiation procedures described in Section 6.2 of RFC 4447 are not supported. The C-bit in the pseudowire FEC sent in the label mapping message is set to 1 when the control word is enabled. Otherwise, it is set to 0.

The service will only come up if the same C-bit value is signaled in both directions. If a spoke-sdp is configured to use the control word but the node receives a label mapping message with the C-bit clear, the node releases the label with an "Illegal C-bit" status code as per Section 6.1 of RFC 4447. As soon as the user also enables the control word on the remote peer, the remote peer withdraws its original label and sends a label mapping with the C-bit set to 1, and the VLL service comes up on both nodes. The control word must be enabled to allow MPLS-TP OAM to be used on a static spoke-sdp in an Apipe, Epipe, or Cpipe service.

Platforms

7705 SAR Gen 2

control-word

Syntax

[no] control-word

Context

[Tree] (config>service>vpls>spoke-sdp control-word)

[Tree] (config>service>vpls>mesh-sdp control-word)

Full Context

configure service vpls spoke-sdp control-word

configure service vpls mesh-sdp control-word

Description

This command enables the use of the control word on pseudowire packets in VPLS and enables the use of the control word individually on each mesh SDP or spoke-SDP. By default, the control word is disabled. When the control word is enabled, all VPLS packets, including the BPDU frames, are encapsulated with the control word when sent over the pseudowire. The T-LDP control plane behavior is the same as in the implementation of control word for VLL services. The configuration for the two directions of the Ethernet pseudowire should match.

The no form of this command reverts the mesh SDP or spoke-SDP to the default behavior of not using the control word.

The control word must be enabled to use MPLS-TP OAM on a static spoke-sdp terminating in a VPLS.

Default

no control-word

Platforms

7705 SAR Gen 2

controlword

controlword

Syntax

[no] controlword

Context

[Tree] (config>service>pw-template controlword)

Full Context

configure service pw-template controlword

Description

This command enables the use of the control word on pseudowire packets in VPLS and VPWS and enables the use of the control word individually on each mesh-sdp or spoke-sdp. By default, the control word is disabled. When the control word is enabled, all VPLS/VPWS packets, including the BPDU frames, are encapsulated with the control word when sent over the pseudowire. The T-LDP control plane behavior is the same as in the implementation of control word for VLL services. The configuration for the two directions of the Ethernet pseudowire should match.

The no form of the command reverts the mesh SDP or spoke-sdp to the default behavior of not using the control word.

Default

no controlword

Platforms

7705 SAR Gen 2

convergence

convergence

Syntax

convergence

Context

[Tree] (config>service>vprn>bgp convergence)

Full Context

configure service vprn bgp convergence

Description

Commands in this context configure route convergence delay.

Platforms

7705 SAR Gen 2

convergence

Syntax

convergence

Context

[Tree] (config>router>bgp convergence)

Full Context

configure router bgp convergence

Description

Commands in this context configure route convergence delay.

Platforms

7705 SAR Gen 2

convert-file

convert-file

Syntax

convert-file filename to output-file-name format {secure | legacy} [force]

Context

[Tree] (admin>certificate convert-file)

Full Context

admin certificate convert-file

Description

This command converts imported certificates and keys in the cf3:/system-pki directory between secure and legacy format.

Parameters

filename

Specifies an existing filename, up to 95 characters.

output-file-name

Specifies the output file name, up to 95 characters. If the output filename already exists, and the force keyword is not selected, the system prompts to proceed or abort.

format

Specifies the target format.

Values

secure — Specifies the enhanced secure format

legacy — Specifies the legacy format

force

Forces the conversion even if there is an existing file with the same output filename.

Platforms

7705 SAR Gen 2

coordinates

coordinates

Syntax

coordinates coordinates

no coordinates

Context

[Tree] (config>system coordinates)

Full Context

configure system coordinates

Description

This command creates a text string that identifies the system coordinates for the device location. For example, the command coordinates "37.390 -122.0550" is read as latitude 37.390 north and longitude 122.0550 west.

Only one set of coordinates can be configured. If multiple coordinates are configured, the last one entered overwrites the previous entry.

The no form of the command reverts to the default value.

Parameters

coordinates

Specifies the coordinates describing the device location character string. The string may be up to 80 characters long. Any printable, seven-bit ASCII characters can be used within the string. If the string contains special characters (#, ?, space), the entire string must be enclosed within double quotes. If the coordinates are subsequently used by an algorithm that locates the exact position of this node then the string must match the requirements of the algorithm.

Platforms

7705 SAR Gen 2

copy

copy

Syntax

copy

Context

[Tree] (config>filter copy)

Full Context

configure filter copy

Description

This command copies existing filter list entries for a specific filter ID to another filter ID. The copy command is a configuration level maintenance tool used to create new filters using existing filters. It also allows bulk modifications to an existing policy with the use of the overwrite keyword. If overwrite is not specified, an error will occur if the destination policy ID exists.

Platforms

7705 SAR Gen 2

copy

Syntax

copy source-file-url dest-file-url [force] [no-redirect] [client-tls-profile profile] [proxy proxy-url]

Context

[Tree] (file copy)

Full Context

file copy

Description

This command copies a file or all files in a directory from a source URL to a destination URL. At least one of the specified URLs should be a local URL. The optional wildcard (*) can be used to copy multiple files that share a common (partial) prefix and/or (partial) suffix.

When a file is copied to a destination with the same file name, the original file is overwritten by the new file specified in the operation. The following prompt appears if the destination file already exists:

"Overwrite destination file (y/n)?"

For example:

To copy a file named srcfile in a directory called test on cf2 in slot B to a file called destfile in a directory called production on cf1 in slot A, the syntax is:

sr1>file cf2:\ # copy cf2-B/test/srcfile cf1-A/production/destfile

To FTP a file named 121201.cfg in directory mydir stored on cf1 in slot A to a network FTP server with IP address 192.0.2.79 in a directory called backup with a destination file name of 121201.cfg, the FTP syntax is:

copy cf1-A/mydir/121201.cfg 192.0.2.79/backup/121201.cfg

Parameters

source-file-url

Specifies the location of the source file or directory to be copied.

Values

local-url: [cflash-id/][file-path]

  • up to 200 characters, including cflash-id

  • directory length 99 chars max each

remote-url: [{ftp:// | tftp:// | http:// | https://}login:pswd@remote-locn/][file-path]

  • up to 247 characters

  • directory length up to 199 characters

remote-locn: [hostname | ipv4-address | [ipv6-address]]

ipv4-address: a.b.c.d

ipv6-address:

  • x:x:x:x:x:x:x:x[-interface]

  • x:x:x:x:x:x:d.d.d.d[-interface]

  • x: [0 to FFFF] H

  • d: [0 to 255] D

  • interface: up to 32 characters, for link local addresses 255

cflash-id: cf1:, cf1-A:, cf1-B:, cf2:, cf2-A:, cf2-B:, cf3:, cf3-A:, cf3-B:

dest-file-url

Specifies the destination of the copied file or directory.

force

Specifies to force an immediate copy of the specified file(s). Executes the command without displaying a user prompt message. This command also automatically accepts HTTP redirects unless overridden by the no-redirect parameter.

profile

Specifies the TLS client profile configured under config>system>security>tls>client-tls-profile to use.

proxy-url

Specifies the URL of an HTTP proxy. For example, http://proxy.mydomain.com:8000. This URL must be an HTTP URL and not an HTTPS URL.

no-redirect

Specifies to automatically refuse any HTTP redirects without prompting the user.

Platforms

7705 SAR Gen 2

copy

Syntax

copy [line]

Context

[Tree] (candidate copy)

Full Context

candidate copy

Description

This command copies the selected CLI node (which includes all sub-branches) into a temporary buffer that can be used for a subsequent insert. The contents of the temporary buffer are deleted when the operator exits the candidate edit mode.

Parameters

line

Specifies which line to copy.

Values

line, offset, first, edit-point, last

line — absolute line number

offset — relative line number to the current edit point. Prefixed with '+' or '-'.

first — keyword to indicate the first line

edit-point — keyword to indicate the current edit point

last — keyword to indicate the last line that is not 'exit'

Platforms

7705 SAR Gen 2

copy

Syntax

copy {user source-user | profile source-profile} to destination [overwrite]

Context

[Tree] (config>system>security copy)

Full Context

configure system security copy

Description

This command copies a profile or user from a source profile to a destination profile.

Parameters

source-profile

Specifies an existing profile to copy.

dest-profile

Specifies the destination profile to which the source profile is copied.

overwrite

Specifies that the destination profile configuration is overwritten with the copied source profile configuration. A profile is not overwritten if the overwrite command is not specified.

Platforms

7705 SAR Gen 2

copy-config

copy-config

Syntax

[no] copy-config

Context

[Tree] (configure>system>security>profile>netconf>base-op-authorization copy-config)

Full Context

configure system security profile netconf base-op-authorization copy-config

Description

This command enables the NETCONF <copy-config> RPC.

The no form of this command disables the RPC.

Default

no copy-config

Note:

The operation is enabled by default in the built-in system-generated administrative profile.

Platforms

7705 SAR Gen 2

copy-traffic-class-upon-decapsulation

copy-traffic-class-upon-decapsulation

Syntax

[no] copy-traffic-class-upon-decapsulation

Context

[Tree] (config>ipsec>tnl-temp copy-traffic-class-upon-decapsulation)

[Tree] (config>service>vprn>if>ipsec>ipsec-tunnel copy-traffic-class-upon-decapsulation)

[Tree] (config>router>if>ipsec>ipsec-tunnel copy-traffic-class-upon-decapsulation)

[Tree] (config>service>vprn>if>sap>ipsec-tunnel copy-traffic-class-upon-decapsulation)

[Tree] (config>service>ies>interface>ipsec>ipsec-tunnel copy-traffic-class-upon-decapsulation)

Full Context

configure ipsec tunnel-template copy-traffic-class-upon-decapsulation

configure service vprn interface ipsec ipsec-tunnel copy-traffic-class-upon-decapsulation

configure router interface ipsec ipsec-tunnel copy-traffic-class-upon-decapsulation

configure service vprn interface sap ipsec-tunnel copy-traffic-class-upon-decapsulation

configure service ies interface ipsec ipsec-tunnel copy-traffic-class-upon-decapsulation

Description

This command copies the traffic class from the outer tunnel IP packet header to the payload IP packet header upon tunnel decapsulation (public to private direction).

The no form of this command disables the traffic copying.

Default

copy-traffic-class-upon-decapsulation

Platforms

7705 SAR Gen 2

core-connectivity

core-connectivity

Syntax

[no] core-connectivity

Context

[Tree] (debug>service>id>stp core-connectivity)

Full Context

debug service id stp core-connectivity

Description

This command enables STP debugging for core connectivity.

The no form of the command disables debugging.

Platforms

7705 SAR Gen 2

count

count

Syntax

count number

no count

Context

[Tree] (config>system>cron>sched count)

Full Context

configure system cron schedule count

Description

This command configures the total number of times a CRON "interval" schedule is run. For example, if the interval is set to 600 and the count is set to 4, the schedule runs 4 times at 600 second intervals.

Default

no count

Parameters

number

Specifies the number of times the schedule is run.

Values

1 to 65535

Default

65535

Platforms

7705 SAR Gen 2

cpe-check

cpe-check

Syntax

cpe-check cpe-ip-address

no cpe-check [cpe-ip-address]

Context

[Tree] (config>service>vprn>static-route-entry>indirect cpe-check)

[Tree] (config>service>vprn>static-route-entry>next-hop cpe-check)

Full Context

configure service vprn static-route-entry indirect cpe-check

configure service vprn static-route-entry next-hop cpe-check

Description

This command enables CPE-check and specifies the IP address of the target CPE device.

This option initiates a background ICMP ping test to the configured target IP address. The IP address can either be an IPv4 address for IPv4 static routes or an IPv6 address for IPv6 static routes. The target-ip-address cannot be in the same subnet as the static route subnet itself to avoid possible circular references. This option is mutually exclusive with BFD support on a given static route.

Note:

A node that is sourcing CPE-check packets waits an additional full interval before taking action, which gives the CPE time to respond. For example, with a drop-count of 3 and an interval of 1s, three CPE-check packets are sent out and the node waits for the duration of another interval before acting on the loss. Failure declaration may take extra time depending on the load, interval, and other factors. In line with multitasking, multi-priority operating principles of the node, and the relative priority of cpe-ping, the node paces these minor events.

The no form of this command disables the cpe-check option.

Default

no cpe-check

Parameters

cpe-ip-address

Specifies the IP address of the CPE device.

Platforms

7705 SAR Gen 2

cpe-check

Syntax

cpe-check cpe-ip-address

no cpe-check [cpe-ip-address]

Context

[Tree] (config>router>static-route-entry>next-hop cpe-check)

[Tree] (config>router>static-route-entry>indirect cpe-check)

Full Context

configure router static-route-entry next-hop cpe-check

configure router static-route-entry indirect cpe-check

Description

This command enables CPE-check and specifies the IP address of the target CPE device.

This option initiates a background ICMP ping test to the configured target IP address. The IP address can either be an IPv4 address for IPv4 static routes or an IPv6 address for IPv6 static routes. The target-ip-address cannot be in the same subnet as the static route subnet itself to avoid possible circular references. This option is mutually exclusive with BFD support on a given static route.

Note:

A node that is sourcing CPE-check packets waits an additional full interval before taking action, which gives the CPE time to respond. For example, with a drop-count of 3 and an interval of 1s, three CPE-check packets are sent out and the node waits for the duration of another interval before acting on the loss. Failure declaration may take extra time depending on the load, interval, and other factors. In line with multitasking, multi-priority operating principles of the node, and the relative priority of cpe-ping, the node paces these minor events.

The no form of this command disables the cpe-check option.

Default

no cpe-check

Parameters

cpe-ip-address

Specifies the IP address of the CPE device.

Platforms

7705 SAR Gen 2

cpr-window-size

cpr-window-size

Syntax

cpr-window-size window-size

Context

[Tree] (config>port>dwdm>coherent cpr-window-size)

Full Context

configure port dwdm coherent cpr-window-size

Description

This command configures the window size used for carrier phase recovery.

Default

32

Parameters

window-size

Indicates the number of symbols used by the carrier phase recovery algorithm of the receiver. When this parameter is changed, the link bounces because the receiver needs to be reconfigured.

Values

2, 4, 8, 16, 32, 64

Platforms

7705 SAR Gen 2

crc-monitor

crc-monitor

Syntax

crc-monitor

Context

[Tree] (config>port>ethernet crc-monitor)

Full Context

configure port ethernet crc-monitor

Description

This command configures Ethernet CRC Monitoring parameters.

Platforms

7705 SAR Gen 2

create

create

Syntax

[no] create

Context

[Tree] (environment create)

Full Context

environment create

Description

By default, the create command is required to create a new OS entity.

The no form of the command disables requiring the create keyword.

Default

create

Platforms

7705 SAR Gen 2

create-mpls-tunnel

create-mpls-tunnel

Syntax

[no] create-mpls-tunnel

Context

[Tree] (config>router>policy-options>policy-statement>entry>action create-mpls-tunnel)

Full Context

configure router policy-options policy-statement entry action create-mpls-tunnel

Description

This command enables the creation of an MPLS tunnel to the BGP next-hop. It is supported for the following address families:

  • vpn-ipv4

  • vpn-ipv6

  • evpn

  • label-ipv4

  • label-ipv6

  • ipv4

  • ipv6

The no form of the command disables the creation of an MPLS tunnel.

Default

no create-mpls-tunnel

Platforms

7705 SAR Gen 2

create-subscription

create-subscription

Syntax

[no] create-subscription

Context

[Tree] (configure>system>security>profile>netconf>base-op-authorization create-subscription)

Full Context

configure system security profile netconf base-op-authorization create-subscription

Description

This command enables the NETCONF <create-subscription> RPC in the default user profile.

The base-op-authorization create-subscription configuration is not pre-emptive, which means that it is checked only at the time of the initial subscription. Configuration changes to the base-op-authorization do not cancel any in-progress subscriptions and operators who successfully subscribed continue to receive messages.

The no form of this command disables the RPC.

Default

no create-subscription

Note:

The operation is enabled by default in the built-in system-generated administrative profile.

Platforms

7705 SAR Gen 2

create-udp-tunnel

create-udp-tunnel

Syntax

create-udp-tunnel

no create-udp-tunnel

Context

[Tree] (config>router>policy-options>policy-statement>entry>action create-udp-tunnel)

[Tree] (config>router>policy-options>policy-statement>default-action create-udp-tunnel)

Full Context

configure router policy-options policy-statement entry action create-udp-tunnel

configure router policy-options policy-statement default-action create-udp-tunnel

Description

This command instructs the router to create an MPLS-over-UDP tunnel upon receiving BGP routes that match the import policy.

Default

no create-udp-tunnel

Platforms

7705 SAR Gen 2

credential

credential

Syntax

credential

Context

[Tree] (config>ipsec>client-db>client credential)

Full Context

configure ipsec client-db client credential

Description

Commands in this context configure the parameters used to authenticate peers.

Platforms

7705 SAR Gen 2

credits

credits

Syntax

credits [lowercase credits] [uppercase credits] [numeric credits] [special-character credits]

no credits

Context

[Tree] (config>system>security>password>complexity-rules credits)

Full Context

configure system security password complexity-rules credits

Description

This command configures the maximum credits given for use of the different character classes in local passwords.

The no form of this command resets to default.

Default

no credits

Parameters

credits

Specifies the number of credits that can be used for each character class.

Values

0 to 10

Platforms

7705 SAR Gen 2

crl-expiration-warning

crl-expiration-warning

Syntax

crl-expiration-warning hours [repeat repeat-hours]

no crl-expiration-warning

Context

[Tree] (config>system>security>pki crl-expiration-warning)

Full Context

configure system security pki crl-expiration-warning

Description

This command specifies when the system issues a BeforeExp message before a CRL expires. For example, with certificate-expiration-warning 5, the system issues a BeforeExp message 5 hours before a CRL expires. An optional repeat repeat-hour parameter enables the system to repeat the BeforeExp message every hour until the CRL expires.

If the user only wants AfterExp, then certificate-expiration-warning 0 can be used to achieve this.

BeforeExp and AfterExp warnings can be cleared in the following cases:

  • The CRL is reloaded by the admin certificate reload command. In this case, if the reloaded file is not expired, then AfterExp is cleared. If the reloaded file is also outside of the configured warning window, then BeforeExp is cleared as well.

  • When the ca-profile is shut down, then BeforeExp and AfterExp of corresponding certificates are cleared.

  • When no crl-expiration-warning command is configured, then all existing BeforeExp and AfterExp are cleared.

  • Users may change the configuration of the crl-expiration-warning so that certain CRLs are no longer in the warning window. BeforeExp of the corresponding CRLs is cleared.

  • If the system time changes so that the new time causes the CRL to no longer be in the warning window, then BeforeExp is cleared. If the new time causes an expired CRL to become non-expired, then AfterExp is cleared.

Default

no crl-expiration-warning

Parameters

hours

Specifies the amount of time before a CRL expires when the system issues BeforeExp.

Values

0 to 8760

repeat-hour

Specifies that the system repeats BeforeExp every repeat-hour

Values

0 to 8760

Platforms

7705 SAR Gen 2

crl-file

crl-file

Syntax

crl-file filename

no crl-file

Context

[Tree] (config>system>security>pki>ca-profile crl-file)

Full Context

configure system security pki ca-profile crl-file

Description

This command specifies the name of a file in cf3:\system-pki\crl as the Certificate Revocation List (CRL) file of the ca-profile.

Notes:

  • The system performs the following checks against the configured crl-file when a no shutdown command is issued:

    • A valid cert-file of the ca-profile must be already configured.

    • The configured crl-file must be a DER-formatted CRLv2 file.

    • All non-optional fields defined in section 5.1 of RFC 5280 must exist and conform to the RFC 5280 defined format.

    • The version field is checked to see if its value is 0x1.

    • Delta CRL Indicator must not exist (delta CRL is not supported).

    • The CRL’s signature must be verified by using the cert-file of the ca-profile.

    If any of the above checks fail, the no shutdown command fails.

  • Changing or removing the crl-file is only allowed when the ca-profile is in a shutdown state.

The no form of this command removes the filename from the configuration.
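
The version and Delta CRL Indicator checks listed above can be run off-box before a file is placed in cf3:\system-pki\crl. The following is an added example, not part of the original reference and not Nokia code: a minimal Python DER walker with a constructed, unsigned sample CRL. All function names are hypothetical, and signature verification against the cert-file is not covered.

```python
"""Structural pre-check of a CRL file (added example; sample data is constructed)."""

OID_DELTA_CRL = bytes([0x55, 0x1D, 0x1B])    # 2.5.29.27 deltaCRLIndicator
OID_CRL_NUMBER = bytes([0x55, 0x1D, 0x14])   # 2.5.29.20 cRLNumber


def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long form: low 7 bits = count of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length (not DER)")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def precheck_crl(der_bytes):
    """Return a list of problems; an empty list means these structural checks pass."""
    problems = []
    try:
        tag, body, end = read_tlv(der_bytes, 0)
        if tag != 0x30 or end != len(der_bytes):
            return ["not a single DER SEQUENCE (PEM or trailing data?)"]
        outer = children(body)
        if len(outer) != 3 or outer[0][0] != 0x30:
            return ["expected tbsCertList, signatureAlgorithm, signatureValue"]
        tbs = children(outer[0][1])
        # version is OPTIONAL in RFC 5280; a CRLv2 encodes it as INTEGER 1.
        if not tbs or tbs[0] != (0x02, b"\x01"):
            problems.append("version field is not 0x1 (not a CRLv2)")
        # crlExtensions is [0] EXPLICIT (tag 0xA0) wrapping SEQUENCE OF Extension.
        for tag, val in tbs:
            if tag == 0xA0:
                for _, ext in children(children(val)[0][1]):
                    fields = children(ext)
                    if fields and fields[0] == (0x06, OID_DELTA_CRL):
                        problems.append("Delta CRL Indicator present (delta CRL not supported)")
    except (ValueError, IndexError) as exc:
        problems.append(f"malformed DER: {exc}")
    return problems


def der(tag, content=b""):
    """Encode one DER element; used only to build the constructed sample."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content


def sample_crl(version=b"\x01", delta=False):
    """Build a constructed CRL skeleton with a dummy signature (not a real CRL)."""
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05))
    issuer = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, b"Example CA"))))
    exts = der(0x30, der(0x06, OID_CRL_NUMBER) + der(0x04, der(0x02, b"\x05")))
    if delta:
        exts += der(0x30, der(0x06, OID_DELTA_CRL) + der(0x01, b"\xff")
                    + der(0x04, der(0x02, b"\x04")))
    tbs = der(0x30, der(0x02, version) + alg + issuer
              + der(0x17, b"250101000000Z") + der(0x17, b"250201000000Z")
              + der(0xA0, der(0x30, exts)))
    return der(0x30, tbs + alg + der(0x03, b"\x00" + b"\x00" * 8))


if __name__ == "__main__":
    for label, blob in [("v2 CRL", sample_crl()), ("v1 CRL", sample_crl(version=b"\x00")),
                        ("delta CRL", sample_crl(delta=True))]:
        print(label, "->", precheck_crl(blob) or "structural checks pass")
```

A file that passes this pre-check can still be rejected by no shutdown, because the remaining RFC 5280 field checks and the signature check are performed only by the system.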

Parameters

filename

Specifies the name of the CRL file stored in cf3:\system-pki\crl.

Platforms

7705 SAR Gen 2

crl-update

crl-update

Syntax

crl-update ca ca-profile-name

Context

[Tree] (admin>certificate crl-update)

Full Context

admin certificate crl-update

Description

This command manually triggers the Certificate Revocation List file (CRL) update for the specified ca-profile.

Using this command requires shutting down the auto-crl-update.

Parameters

ca-profile-name

Specifies the name of the Certificate Authority profile.

Platforms

7705 SAR Gen 2

crl-urls

crl-urls

Syntax

crl-urls

Context

[Tree] (config>system>security>pki>ca-prof>auto-crl-update crl-urls)

Full Context

configure system security pki ca-profile auto-crl-update crl-urls

Description

Commands in this context configure crl-urls parameters. The system allows up to eight URL entries to be configured, tries each URL in order, and stops when a qualified CRL is successfully downloaded. A qualified CRL is a valid CRL signed by the CA and is more recent than the existing CRL.

If none of the configured URLs returns a qualified CRL, then:

  • If the schedule-type is next-update-based, the system waits for the configured retry-interval before it starts from the beginning of the list again.

  • If the schedule-type is periodic, the system waits until the next periodic update time.

If the user wants to manually stop the download, shutting down auto-crl-retrieval can be used to achieve this.

Platforms

7705 SAR Gen 2

cron

cron

Syntax

cron

Context

[Tree] (config>system cron)

Full Context

configure system cron

Description

This command creates the context to create scripts, script parameters and schedules which support the Service Assurance Agent (SAA) functions.

CRON features are saved to the configuration file on both primary and backup control modules. If a control module switchover occurs, CRON events are restored when the new configuration is loaded. If a control module switchover occurs during the execution of a cron script, the failover behavior will be determined by the contents of the script.

Platforms

7705 SAR Gen 2

cron

Syntax

cron

Context

[Tree] (config>system>security>cli-script>authorization cron)

Full Context

configure system security cli-script authorization cron

Description

Commands in this context configure authorization for the Cron job-scheduler.

Platforms

7705 SAR Gen 2

csnp-authentication

csnp-authentication

Syntax

[no] csnp-authentication

Context

[Tree] (config>service>vprn>isis csnp-authentication)

[Tree] (config>service>vprn>isis>level csnp-authentication)

Full Context

configure service vprn isis csnp-authentication

configure service vprn isis level csnp-authentication

Description

This command enables authentication of individual IS-IS packets of complete sequence number PDUs (CSNP) type for the VPRN instance.

Platforms

7705 SAR Gen 2

csnp-authentication

Syntax

[no] csnp-authentication

Context

[Tree] (config>router>isis>level csnp-authentication)

[Tree] (config>router>isis csnp-authentication)

Full Context

configure router isis level csnp-authentication

configure router isis csnp-authentication

Description

This command enables authentication of individual IS-IS packets of complete sequence number PDUs (CSNP) type.

The no form of this command suppresses authentication of CSNP packets.

Default

csnp-authentication

Platforms

7705 SAR Gen 2

csnp-interval

csnp-interval

Syntax

csnp-interval seconds

no csnp-interval

Context

[Tree] (config>service>vprn>isis>if csnp-interval)

Full Context

configure service vprn isis interface csnp-interval

Description

This command configures the time interval, in seconds, to send complete sequence number (CSN) PDUs from the interface. IS-IS must send CSN PDUs periodically.

The no form of this command reverts to the default value.

Default

csnp-interval 10 — CSN PDUs are sent every 10 seconds for LAN interfaces.

csnp-interval 5 — CSN PDUs are sent every 5 seconds for point-to-point interfaces.

Parameters

seconds

Specifies the time interval, in seconds, between successive CSN PDUs sent from this interface, expressed as a decimal integer.

Values

1 to 65535

Platforms

7705 SAR Gen 2

csnp-interval

Syntax

csnp-interval seconds

no csnp-interval

Context

[Tree] (config>router>isis>interface csnp-interval)

Full Context

configure router isis interface csnp-interval

Description

This command configures the time interval, in seconds, to send complete sequence number (CSN) PDUs from the interface. IS-IS must send CSN PDUs periodically.

The no form of this command reverts to the default value.

Default

csnp-interval 10 — CSN PDUs are sent every 10 seconds for LAN interfaces.

csnp-interval 5 — CSN PDUs are sent every 5 seconds for point-to-point interfaces.

Parameters

seconds

Specifies the time interval, in seconds, between successive CSN PDUs sent from this interface expressed as a decimal integer.

Values

1 to 65535

Platforms

7705 SAR Gen 2

csnp-on-p2p

csnp-on-p2p

Syntax

[no] csnp-on-p2p

Context

[Tree] (config>router>isis csnp-on-p2p)

[Tree] (config>service>vprn>isis csnp-on-p2p)

Full Context

configure router isis csnp-on-p2p

configure service vprn isis csnp-on-p2p

Description

This command enables the periodic transmission of CSNP PDUs to point-to-point adjacent systems.

The no form of this command disables the periodic transmission of CSNP PDUs to point-to-point adjacent systems.

Default

csnp-on-p2p

Platforms

7705 SAR Gen 2

cspf

cspf

Syntax

[no] cspf

Context

[Tree] (debug>router>isis cspf)

Full Context

debug router isis cspf

Description

This command enables debugging for IS-IS cspf.

The no form of the command disables debugging.

Platforms

7705 SAR Gen 2

cspf

Syntax

cspf [ip-address]

no cspf

Context

[Tree] (debug>router>ospf cspf)

Full Context

debug router ospf cspf

Description

This command enables debugging for an OSPF constraint-based shortest path first (CSPF).

Parameters

ip-address

Specifies the IP address for the range used for CSPF.

Platforms

7705 SAR Gen 2

cspf-on-loose-hop

cspf-on-loose-hop

Syntax

[no] cspf-on-loose-hop

Context

[Tree] (config>router>mpls cspf-on-loose-hop)

Full Context

configure router mpls cspf-on-loose-hop

Description

This command enables CSPF calculations on an LSR up to the next loose hop or the final destination of the LSP. When an LSR receives a PATH message and has processed all local hops in the received ERO, and the next hop is loose, the LSR first performs a CSPF calculation up to the next loose hop. On successful completion of the CSPF calculation, the ERO in the PATH message is modified to include the newly calculated intermediate hops and is propagated forward to the next hop. This allows inter-area LSPs to be set up based on the ERO expansion method.

Note:

The LSP may fail to set up if this option is enabled on an LSR that is not an area border router and receives a PATH message without a proper next loose hop in the ERO. The cspf-on-loose-hop configuration can be changed dynamically and is applied to new LSP setups after the change.

Default

no cspf-on-loose-hop

Platforms

7705 SAR Gen 2

cspf-te

cspf-te

Syntax

cspf-te [detail]

no cspf-te

Context

[Tree] (debug>router>pcep>pcc cspf-te)

[Tree] (debug>router>pcep>pcc>conn cspf-te)

Full Context

debug router pcep pcc cspf-te

debug router pcep pcc connection cspf-te

Description

This command debugs Constrained Shortest Path First-Traffic Engineering (CSPF-TE) events.

The no form of this command disables debugging.

Parameters

detail

Keyword used to specify detailed information about all events.

Platforms

7705 SAR Gen 2

cumulative-factor

cumulative-factor

Syntax

[no] cumulative-factor cumulative-factor

Context

[Tree] (config>service>vpls>mac-move>secondary-ports cumulative-factor)

[Tree] (config>service>vpls>mac-move>primary-ports cumulative-factor)

[Tree] (config>service>template>vpls-template>mac-move>secondary-ports cumulative-factor)

[Tree] (config>service>template>vpls-template>mac-move>primary-ports cumulative-factor)

Full Context

configure service vpls mac-move secondary-ports cumulative-factor

configure service vpls mac-move primary-ports cumulative-factor

configure service template vpls-template mac-move secondary-ports cumulative-factor

configure service template vpls-template mac-move primary-ports cumulative-factor

Description

This command defines the factor that determines how many mac-relearn measurement periods can be used to measure the mac-relearn rate. The rate must be exceeded during the defined number of consecutive periods before the corresponding port is blocked by the mac-move feature. The cumulative-factor of primary ports must be higher than the cumulative-factor of secondary ports.

Default

cumulative-factor 2 — secondary ports

cumulative-factor 3 — primary ports

Parameters

factor

Specifies the factor defining the number of mac-relearn measurement periods that can be used to measure the mac-relearn rate.

Values

2 to 10

Platforms

7705 SAR Gen 2

current-hop-limit

current-hop-limit

Syntax

current-hop-limit limit

no current-hop-limit

Context

[Tree] (config>service>vprn>router-advert>if current-hop-limit)

Full Context

configure service vprn router-advertisement interface current-hop-limit

Description

This command configures the hop limit to be advertised.

The no form of this command returns the command to the default setting.

Default

current-hop-limit 64

Parameters

limit

Specifies the default value to be placed in the current hop limit field in router advertisement policies sent.

Values

0 to 255

Platforms

7705 SAR Gen 2

current-hop-limit

Syntax

current-hop-limit number

no current-hop-limit

Context

[Tree] (config>router>router-advert>if current-hop-limit)

Full Context

configure router router-advertisement interface current-hop-limit

Description

This command configures the current-hop-limit in the router advertisement messages. It informs the nodes on the subnet about the hop-limit when originating IPv6 packets.

Default

current-hop-limit 64

Parameters

number

Specifies the hop limit.

Values

0 to 255. A value of zero means there is an unspecified number of hops.

Platforms

7705 SAR Gen 2

custom-option

custom-option

Syntax

custom-option option-number address [ip-address]

custom-option option-number address ipv6-address [ipv6-address]

custom-option option-number domain [domain-string]

custom-option option-number hex hex-string

custom-option option-number string ascii-string

no custom-option option-number

Context

[Tree] (config>router>dhcp>server>pool>subnet>options custom-option)

[Tree] (config>subscr-mgmt>loc-user-db>ipoe>host>options custom-option)

[Tree] (config>service>vprn>dhcp>server>pool>options custom-option)

[Tree] (config>router>dhcp>server>pool>options custom-option)

Full Context

configure router dhcp local-dhcp-server pool subnet options custom-option

configure subscriber-mgmt local-user-db ipoe host options custom-option

configure service vprn dhcp local-dhcp-server pool options custom-option

configure router dhcp local-dhcp-server pool options custom-option

Description

This command configures specific DHCP options. The options defined here can overrule options in the local user database.

The no form of this command removes the custom option parameters from the configuration.

Parameters

option-number

Specifies up to four option numbers that the DHCP server uses to send the identification strings to the DHCP client.

Values

1 to 254

ip-address

Specifies the IP address of a host.

Values

a.b.c.d

ipv6-address

Specifies the IPv6 address of a host. Applicable to DHCP6 only.

Values

ipv6-prefix

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x - [0 to FFFF]H

d - [0 to 255]D

domain-string

Specifies the domain name, up to 127 characters.

hex-string

Specifies the hex value of this option.

Values

0x0 to 0xFFFFFFFF (up to 254 hex nibbles)

ascii-string

Specifies the value of this option, up to 127 characters.

Platforms

7705 SAR Gen 2

custom-option

Syntax

custom-option option-number address [ipv6-address]

custom-option option-number domain [domain-string]

custom-option option-number hex hex-string

custom-option option-number string ascii-string

no custom-option option-number

Context

[Tree] (config>router>dhcp6>server>pool>options custom-option)

[Tree] (config>service>vprn>dhcp6>server>pool>options custom-option)

[Tree] (config>router>dhcp6>server>pool>prefix>options custom-option)

[Tree] (config>service>vprn>dhcp6>server>pool>prefix>options custom-option)

Full Context

configure router dhcp6 local-dhcp-server pool options custom-option

configure service vprn dhcp6 local-dhcp-server pool options custom-option

configure router dhcp6 local-dhcp-server pool prefix options custom-option

configure service vprn dhcp6 local-dhcp-server pool prefix options custom-option

Description

This command configures specific DHCP6 options. The options defined here can overrule options in the local user database.

The no form of this command removes the custom option parameters from the configuration.

Parameters

option-number

Specifies up to four option numbers that the DHCP6 server uses to send the identification strings to the DHCP6 client.

Values

1 to 254

ipv6-address

Specifies the IPv6 address of a host.

Values

ipv6-address

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x - [0 to FFFF]H

d - [0 to 255]D

domain-string

Specifies the domain name, up to 127 characters.

hex-string

Specifies the hex value of this option.

Values

0x0 to 0xFFFFFFFF (up to 254 hex nibbles)

ascii-string

Specifies the value of this option, up to 127 characters.

Platforms

7705 SAR Gen 2

custom-record

custom-record

Syntax

[no] custom-record

Context

[Tree] (config>log>acct-policy custom-record)

Full Context

configure log accounting-policy custom-record

Description

Commands in this context configure the layout and setting for a custom accounting record associated with this accounting policy.

The no form of this command reverts the configured values to the defaults.

Platforms

7705 SAR Gen 2

customer

customer

Syntax

customer customer-id [create] [name name]

no customer customer-id

Context

[Tree] (config>service customer)

Full Context

configure service customer

Description

This command creates a customer ID and customer context used to associate information with a particular customer. Services can later be associated with this customer at the service level.

Each customer-id must be unique. The create keyword must follow each new customer customer-id entry.

Enter an existing customer customer-id (without the create keyword) to edit the customer’s parameters.

An optional customer name can be specified and is tied to the customer-name in the customer context (setting either customer-name or name will cause the other to change as well).

The no form of this command removes a customer-id and all associated information. Before removing a customer-id, all references to that customer in all services must be deleted or changed to a different customer ID.

Default

customer 1 always exists on the system and cannot be deleted.

Parameters

customer-id

Specifies the ID number to be associated with the customer, expressed as an integer.

Values

customer-id: 1 to 2147483647

customer-name: 64 characters maximum

create

This keyword is required when first creating the configuration context. Once the context is created, it is possible to navigate into the context without the create keyword.

name name

This parameter configures an optional customer name, up to 64 characters in length, which adds a name identifier to a given customer. The customer name can then be used in configuration references, and customer names are displayed and can be used in show commands throughout the system. This helps the service provider/administrator to identify and manage services within the SR OS platforms.

All services are required to assign a customer ID to initially create a customer. However, either the customer ID or the customer name can be used to identify and reference a given customer once it is initially created.

If a name is not specified at creation time, then SR OS assigns a string version of the customer-id as the name.

Values

name: 64 characters maximum

Platforms

7705 SAR Gen 2

customer-id-range

customer-id-range

Syntax

customer-id-range start customer-id end customer-id

no customer-id-range

Context

[Tree] (config>service>md-auto-id customer-id-range)

Full Context

configure service md-auto-id customer-id-range

Description

This command specifies the range of IDs used by SR OS to automatically assign an ID to customers that are created in model-driven interfaces without an ID explicitly specified by the user or client.

A customer created with an explicitly-specified ID cannot use an ID in this range. In the classic CLI and SNMP, the ID range cannot be changed while objects exist inside the previous or new range. In MD interfaces, the range can be changed, which causes any previously existing objects in the previous ID range to be deleted and re-created using a new ID in the new range.

The no form of this command removes the range values.

See the config>service md-auto-id command for further details.

Default

no customer-id-range

Parameters

start customer-id

Specifies the lower value of the ID range. The value must be less than or equal to the end value.

Values

2 to 2147483647

end customer-id

Specifies the upper value of the ID range. The value must be greater than or equal to the start value.

Values

2 to 2147483647

Platforms

7705 SAR Gen 2