system commands

configure 
system 
alarm-contact-in-power boolean
alarm-contact-input number 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
clear-message string
description string
normal-state keyword
trigger-message string
alarms 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
max-cleared number
allow-boot-license-violations boolean
apply-groups reference
apply-groups-exclude reference
bluetooth 
admin-state keyword
advertising-timeout number
apply-groups reference
apply-groups-exclude reference
device string 
apply-groups reference
apply-groups-exclude reference
description string
module string 
apply-groups reference
apply-groups-exclude reference
provisioned-identifier string
pairing-button boolean
passkey string
power-mode keyword
boot-bad-exec string
boot-good-exec string
central-frequency-clock 
apply-groups reference
apply-groups-exclude reference
bits 
input 
admin-state keyword
interface-type keyword
output 
admin-state keyword
line-length keyword
ql-minimum keyword
source keyword
squelch boolean
ql-override keyword
ssm-bit number
gnss 
admin-state keyword
ql-override keyword
ptp 
admin-state keyword
ql-override keyword
ql-minimum keyword
ql-selection boolean
ref-order 
fifth keyword
first keyword
fourth keyword
second keyword
sixth keyword
third keyword
ref1 
admin-state keyword
ql-override keyword
source-port string
ref2 
admin-state keyword
ql-override keyword
source-port string
revert boolean
synce 
admin-state keyword
ql-override keyword
wait-to-restore number
clli-code string
congestion-management boolean
contact string
coordinates string
cpm-http-redirect 
apply-groups reference
apply-groups-exclude reference
optimized-mode boolean
cron 
apply-groups reference
apply-groups-exclude reference
schedule string owner string 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
count number
day-of-month number
description string
end-time 
date-and-time string
day keyword
time string
hour number
interval number
minute number
month (keyword | number)
script-policy 
name string
owner string
type keyword
weekday (keyword | number)
dhcp6 
adv-noaddrs-global keyword
apply-groups reference
apply-groups-exclude reference
dns 
address-pref keyword
apply-groups reference
apply-groups-exclude reference
dnssec 
ad-validation keyword
efm-oam 
apply-groups reference
apply-groups-exclude reference
dying-gasp-tx-on-reset boolean
grace-tx boolean
eth-cfm 
apply-groups reference
apply-groups-exclude reference
grace boolean
md-auto-id 
ma-index-range 
apply-groups reference
apply-groups-exclude reference
end number
start number
md-index-range 
apply-groups reference
apply-groups-exclude reference
end number
start number
named-display boolean
redundancy 
apply-groups reference
apply-groups-exclude reference
mc-lag 
propagate-hold-time (number | keyword)
standby-mep boolean
sender-id 
local-name string
type keyword
slm 
apply-groups reference
apply-groups-exclude reference
inactivity-timer number
fan-control 
apply-groups reference
apply-groups-exclude reference
cooling-profile keyword
grpc 
admin-state keyword
allow-unsecure-connection 
apply-groups reference
apply-groups-exclude reference
delay-on-boot number
gnmi 
admin-state keyword
auto-config-save boolean
proto-version keyword
gnoi 
cert-mgmt 
admin-state keyword
file 
admin-state keyword
system 
admin-state keyword
listening-port number
max-msg-size number
md-cli 
admin-state keyword
rib-api 
admin-state keyword
purge-timeout number
tcp-keepalive 
admin-state keyword
idle-time number
interval number
retries number
tls-server-profile reference
grpc-tunnel 
apply-groups reference
apply-groups-exclude reference
delay-on-boot number
destination-group string 
allow-unsecure-connection 
apply-groups reference
apply-groups-exclude reference
description string
destination (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name) port number 
apply-groups reference
apply-groups-exclude reference
local-source-address (ipv4-address-no-zone | ipv6-address-no-zone)
originated-qos-marking keyword
router-instance string
tcp-keepalive 
admin-state keyword
idle-time number
interval number
retries number
tls-client-profile reference
tunnel string 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
description string
destination-group reference
handler string 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
port number
target-type 
custom-type string
grpc-server 
ssh-server 
target-name 
custom-string string
node-name 
user-agent 
icmp-vse boolean
ip 
allow-qinq-network-interface boolean
apply-groups reference
apply-groups-exclude reference
enforce-unique-if-index boolean
forward-6in4 boolean
forward-ip-over-gre boolean
ipv6-eh keyword
mpls 
label-stack-statistics-count number
l2tp 
apply-groups reference
apply-groups-exclude reference
non-multi-chassis-tunnel-id-range 
end number
start number
lacp 
apply-groups reference
apply-groups-exclude reference
system-priority number
lldp 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
message-fast-tx number
message-fast-tx-init number
notification-interval number
reinit-delay number
tx-credit-max number
tx-hold-multiplier number
tx-interval number
load-balancing 
apply-groups reference
apply-groups-exclude reference
l2tp-load-balancing boolean
l4-load-balancing boolean
lsr-load-balancing keyword
mc-enh-load-balancing boolean
service-id-lag-hashing boolean
system-ip-load-balancing boolean
location string
login-control 
apply-groups reference
apply-groups-exclude reference
exponential-backoff boolean
ftp 
inbound-max-sessions number
idle-timeout (keyword | number)
login-banner boolean
login-scripts 
global-script string
per-user-script 
file-name string
user-directory string
motd 
text string
url string
pre-login-message 
message string
name boolean
ssh 
graceful-shutdown boolean
inbound-max-sessions number
outbound-max-sessions number
ttl-security number
telnet 
graceful-shutdown boolean
inbound-max-sessions number
outbound-max-sessions number
ttl-security number
management-interface 
apply-groups reference
apply-groups-exclude reference
cli 
apply-groups reference
apply-groups-exclude reference
classic-cli 
allow-immediate boolean
rollback 
apply-groups reference
apply-groups-exclude reference
local-checkpoints number
location string
remote-checkpoints number
rescue 
location string
cli-engine keyword
md-cli 
apply-groups reference
apply-groups-exclude reference
auto-config-save boolean
environment 
command-alias 
alias string 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
cli-command string
description string
mount-point (keyword | string) 
python-script reference
command-completion 
enter boolean
space boolean
tab boolean
console 
length number
width number
info-output 
always-display 
admin-state boolean
message-severity-level 
cli keyword
more boolean
progress-indicator 
admin-state keyword
delay number
type keyword
prompt 
context boolean
newline boolean
timestamp boolean
uncommitted-changes-indicator boolean
python 
memory-reservation number
minimum-available-memory number
timeout number
time-display keyword
time-format keyword
commit-history number
configuration-mode keyword
configuration-save 
apply-groups reference
apply-groups-exclude reference
configuration-backups number
incremental-saves boolean
netconf 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
auto-config-save boolean
capabilities 
candidate boolean
delay-on-boot number
port number
operations 
apply-groups reference
apply-groups-exclude reference
global-timeouts 
asynchronous-execution (number | keyword)
asynchronous-retention (number | keyword)
synchronous-execution (number | keyword)
remote-management 
admin-state keyword
allow-unsecure-connection 
apply-groups reference
apply-groups-exclude reference
client-tls-profile reference
connection-timeout number
delay-on-boot number
device-label string
device-name string
hello-interval number
manager string 
admin-state keyword
allow-unsecure-connection 
apply-groups reference
apply-groups-exclude reference
client-tls-profile reference
connection-timeout number
description string
device-label string
device-name string
manager-address (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name)
manager-port number
router-instance string
source-address (ipv4-address-no-zone | ipv6-address-no-zone)
source-port (number | keyword)
router-instance string
source-address (ipv4-address-no-zone | ipv6-address-no-zone)
source-port (number | keyword)
schema-path string
snmp 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
engine-id string
general-port number
max-bulk-duration number
packet-size number
streaming 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
yang-modules 
apply-groups reference
apply-groups-exclude reference
nmda 
nmda-support boolean
nokia-combined-modules boolean
nokia-submodules boolean
openconfig-modules boolean
shared-model-management boolean
name string
network-element-discovery 
apply-groups reference
apply-groups-exclude reference
generate-traps boolean
profile string 
apply-groups reference
apply-groups-exclude reference
neid string
neip 
apply-groups reference
apply-groups-exclude reference
auto-generate 
ipv4 
vendor-id-value number
ipv6 
vendor-id-value number
ipv4 string
ipv6 string
platform-type string
system-mac string
vendor-id string
ospf-dynamic-hostnames boolean
persistence 
ancp 
apply-groups reference
apply-groups-exclude reference
description string
location keyword
application-assurance 
apply-groups reference
apply-groups-exclude reference
description string
location keyword
apply-groups reference
apply-groups-exclude reference
dhcp-server 
apply-groups reference
apply-groups-exclude reference
description string
location keyword
nat-port-forwarding 
apply-groups reference
apply-groups-exclude reference
description string
location keyword
options 
apply-groups reference
apply-groups-exclude reference
dhcp-leasetime-threshold number
python-policy-cache 
apply-groups reference
apply-groups-exclude reference
description string
location keyword
subscriber-mgmt 
apply-groups reference
apply-groups-exclude reference
description string
location keyword
power-management power-zone number 
apply-groups reference
apply-groups-exclude reference
mode keyword
power-safety-alert number
power-safety-level number
ptp 
admin-state keyword
alternate-profile string 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
domain number
log-announce-interval number
profile keyword
announce-receipt-timeout number
apply-groups reference
apply-groups-exclude reference
clock-type keyword
domain number
local-priority number
log-announce-interval number
network-type keyword
port reference 
address string
admin-state keyword
alternate-profile reference
apply-groups reference
apply-groups-exclude reference
local-priority number
log-delay-interval number
log-sync-interval number
master-only boolean
priority1 number
priority2 number
profile keyword
ptsf 
monitor-ptsf-unusable 
admin-state keyword
router string 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
peer (ipv4-address-no-zone | ipv6-address-no-zone) 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
local-priority number
log-sync-interval number
peer-limit number
tx-while-sync-uncertain boolean
script-control 
apply-groups reference
apply-groups-exclude reference
script string owner string 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
description string
location string
script-policy string owner string 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
expire-time (number | keyword)
lifetime (number | keyword)
lock-override boolean
max-completed number
python-lifetime number
python-script 
name reference
results string
script 
name string
owner string
security 
aaa 
apply-groups reference
apply-groups-exclude reference
cli-session-group string 
apply-groups reference
apply-groups-exclude reference
combined-max-sessions number
description string
ssh-max-sessions number
telnet-max-sessions number
health-check (number | keyword)
local-profiles 
apply-groups reference
apply-groups-exclude reference
profile string 
apply-groups reference
apply-groups-exclude reference
cli-session-group reference
combined-max-sessions number
default-action keyword
entry number 
action keyword
apply-groups reference
apply-groups-exclude reference
description string
match string
grpc 
rpc-authorization 
gnmi-capabilities keyword
gnmi-get keyword
gnmi-set keyword
gnmi-subscribe keyword
gnoi-cert-mgmt-cangenerate keyword
gnoi-cert-mgmt-getcert keyword
gnoi-cert-mgmt-install keyword
gnoi-cert-mgmt-revoke keyword
gnoi-cert-mgmt-rotate keyword
gnoi-file-get keyword
gnoi-file-put keyword
gnoi-file-remove keyword
gnoi-file-stat keyword
gnoi-file-transfertoremote keyword
gnoi-system-cancelreboot keyword
gnoi-system-ping keyword
gnoi-system-reboot keyword
gnoi-system-rebootstatus keyword
gnoi-system-setpackage keyword
gnoi-system-switchcontrolprocessor keyword
gnoi-system-time keyword
gnoi-system-traceroute keyword
md-cli-session keyword
rib-api-getversion keyword
rib-api-modify keyword
li boolean
netconf 
base-op-authorization 
action boolean
cancel-commit boolean
close-session boolean
commit boolean
copy-config boolean
create-subscription boolean
delete-config boolean
discard-changes boolean
edit-config boolean
get boolean
get-config boolean
get-data boolean
get-schema boolean
kill-session boolean
lock boolean
validate boolean
ssh-max-sessions number
telnet-max-sessions number
management-interface 
apply-groups reference
apply-groups-exclude reference
md-cli 
command-accounting-during-load boolean
output-authorization 
md-interfaces boolean
telemetry-data boolean
remote-servers 
apply-groups reference
apply-groups-exclude reference
ldap 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
public-key-authentication boolean
route-preference keyword
server number 
address (ipv4-address-no-zone | ipv6-address-no-zone) 
apply-groups reference
apply-groups-exclude reference
port number
admin-state keyword
apply-groups reference
apply-groups-exclude reference
bind-authentication 
password string
root-dn string
search 
base-dn string
server-name string
tls-profile reference
server-retry number
server-timeout number
use-default-template boolean
radius 
access-algorithm keyword
accounting boolean
accounting-port number
admin-state keyword
apply-groups reference
apply-groups-exclude reference
authorization boolean
interactive-authentication boolean
port number
route-preference keyword
server number 
address (ipv4-address-no-zone | ipv6-address-no-zone)
apply-groups reference
apply-groups-exclude reference
authenticator keyword
secret string
tls-client-profile reference
server-retry number
server-timeout number
use-default-template boolean
tacplus 
accounting 
record-type keyword
admin-control 
tacplus-map-to-priv-lvl number
admin-state keyword
apply-groups reference
apply-groups-exclude reference
authorization 
request-format 
access-operation-cmd keyword
use-priv-lvl boolean
interactive-authentication boolean
priv-lvl-map 
apply-groups reference
apply-groups-exclude reference
priv-lvl number 
apply-groups reference
apply-groups-exclude reference
user-profile-name reference
route-preference keyword
server number 
address (ipv4-address-no-zone | ipv6-address-no-zone)
apply-groups reference
apply-groups-exclude reference
port number
secret string
server-timeout number
use-default-template boolean
vprn-server 
apply-groups reference
apply-groups-exclude reference
inband reference
outband reference
vprn reference
user-template keyword 
access 
console boolean
ftp boolean
grpc boolean
li boolean
netconf boolean
apply-groups reference
apply-groups-exclude reference
console 
login-exec string
home-directory (sat-url | cflash-without-slot-url)
profile string
restricted-to-home boolean
save-when-restricted boolean
apply-groups reference
apply-groups-exclude reference
cli-script 
apply-groups reference
apply-groups-exclude reference
authorization 
cron 
cli-user reference
event-handler 
cli-user reference
cpm-filter 
apply-groups reference
apply-groups-exclude reference
default-action keyword
ip-filter 
admin-state keyword
entry number 
action 
accept 
default 
drop 
queue reference
apply-groups reference
apply-groups-exclude reference
description string
log reference
match 
dscp keyword
dst-ip 
address (ipv4-prefix-with-host-bits | ipv4-address)
ip-prefix-list reference
mask string
dst-port 
eq number
mask number
port-list reference
range 
end number
start number
fragment keyword
icmp 
code number
type number
ip-option 
mask number
type number
multiple-option boolean
option-present boolean
port 
eq number
mask number
port-list reference
range 
end number
start number
protocol (number | keyword)
router-instance string
src-ip 
address (ipv4-prefix-with-host-bits | ipv4-address)
ip-prefix-list reference
mask string
src-port 
eq number
mask number
port-list reference
range 
end number
start number
tcp-flags 
ack boolean
syn boolean
ipv6-filter 
admin-state keyword
entry number 
action 
accept 
default 
drop 
queue reference
apply-groups reference
apply-groups-exclude reference
description string
log reference
match 
dscp keyword
dst-ip 
address (ipv6-prefix-with-host-bits | ipv6-address)
ipv6-prefix-list reference
mask string
dst-port 
eq number
mask number
port-list reference
range 
end number
start number
extension-header 
hop-by-hop boolean
flow-label number
fragment keyword
icmp 
code number
type number
next-header (number | keyword)
port 
eq number
mask number
port-list reference
range 
end number
start number
router-instance string
src-ip 
address (ipv6-prefix-with-host-bits | ipv6-address)
ipv6-prefix-list reference
mask string
src-port 
eq number
mask number
port-list reference
range 
end number
start number
tcp-flags 
ack boolean
syn boolean
mac-filter 
admin-state keyword
entry number 
action 
accept 
default 
drop 
queue reference
apply-groups reference
apply-groups-exclude reference
description string
log reference
match 
cfm-opcode 
eq number
gt number
lt number
range 
end number
start number
dst-mac 
address string
mask string
etype string
frame-type keyword
llc-dsap 
dsap number
mask number
llc-ssap 
mask number
ssap number
service reference
src-mac 
address string
mask string
cpm-queue 
apply-groups reference
apply-groups-exclude reference
queue number 
apply-groups reference
apply-groups-exclude reference
cbs number
mbs number
rate 
cir (number | keyword)
pir (number | keyword)
cpu-protection 
apply-groups reference
apply-groups-exclude reference
ip-src-monitoring 
included-protocols 
dhcp boolean
gtp boolean
icmp boolean
igmp boolean
link-specific-rate (number | keyword)
policy number 
alarm boolean
apply-groups reference
apply-groups-exclude reference
description string
eth-cfm 
entry number 
apply-groups reference
apply-groups-exclude reference
level start number end number 
opcode start number end number 
pir (number | keyword)
out-profile-rate 
log-events boolean
pir (number | keyword)
overall-rate (number | keyword)
per-source-parameters 
ip-src-monitoring 
limit-dhcp-ci-addr-zero boolean
per-source-rate (number | keyword)
port-overall-rate 
action-low-priority boolean
pir (number | keyword)
protocol-protection 
allow-sham-links boolean
block-pim-tunneled boolean
dist-cpu-protection 
apply-groups reference
apply-groups-exclude reference
policy string 
apply-groups reference
apply-groups-exclude reference
description string
local-monitoring-policer string 
apply-groups reference
apply-groups-exclude reference
description string
exceed-action keyword
log-events keyword
rate 
kbps 
limit (keyword | number)
mbs number
packets 
initial-delay number
limit (keyword | number)
within number
protocol keyword 
apply-groups reference
apply-groups-exclude reference
dynamic-parameters 
detection-time number
exceed-action 
action keyword
hold-down (keyword | number)
log-events keyword
rate 
kbps 
limit (keyword | number)
mbs number
packets 
initial-delay number
limit (keyword | number)
within number
enforcement 
dynamic 
mon-policer-name reference
dynamic-local-mon-bypass 
static 
policer-name reference
static-policer string 
apply-groups reference
apply-groups-exclude reference
description string
detection-time number
exceed-action 
action keyword
hold-down (keyword | number)
log-events keyword
rate 
kbps 
limit (keyword | number)
mbs number
packets 
initial-delay number
limit (keyword | number)
within number
type keyword
dot1x 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
radius-policy string 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
retry number
server number 
accounting-port number
address string
apply-groups reference
apply-groups-exclude reference
authentication-port number
secret string
type keyword
source-address string
timeout number
ftp-server boolean
hash-control 
apply-groups reference
apply-groups-exclude reference
management-interface 
classic-cli 
read-algorithm keyword
write-algorithm keyword
grpc 
hash-algorithm keyword
md-cli 
hash-algorithm keyword
netconf 
hash-algorithm keyword
keychains 
keychain string 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
bidirectional 
entry number 
admin-state keyword
algorithm keyword
apply-groups reference
apply-groups-exclude reference
authentication-key string
begin-time string
option keyword
tolerance (number | keyword)
description string
receive 
entry number 
admin-state keyword
algorithm keyword
apply-groups reference
apply-groups-exclude reference
authentication-key string
begin-time string
end-time string
tolerance (number | keyword)
send 
entry number 
admin-state keyword
algorithm keyword
apply-groups reference
apply-groups-exclude reference
authentication-key string
begin-time string
tcp-option-number 
receive keyword
send keyword
management 
allow-ftp boolean
allow-grpc boolean
allow-netconf boolean
allow-ssh boolean
allow-telnet boolean
allow-telnet6 boolean
apply-groups reference
apply-groups-exclude reference
management-access-filter 
apply-groups reference
apply-groups-exclude reference
ip-filter 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
default-action keyword
entry number 
action keyword
apply-groups reference
apply-groups-exclude reference
description string
log-events boolean
match 
dst-port 
mask number
port number
mgmt-port 
cpm 
lag string
port-id string
protocol (number | keyword)
router-instance string
src-ip 
address (ipv4-prefix | ipv4-address)
ip-prefix-list reference
mask string
src-port 
mask number
port number
ipv6-filter 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
default-action keyword
entry number 
action keyword
apply-groups reference
apply-groups-exclude reference
description string
log-events boolean
match 
dst-port 
mask number
port number
flow-label number
mgmt-port 
cpm 
lag string
port-id string
next-header (number | keyword)
router-instance string
src-ip 
address (ipv6-prefix | ipv6-address)
ipv6-prefix-list reference
mask string
src-port 
mask number
port number
mac-filter 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
default-action keyword
entry number 
action keyword
apply-groups reference
apply-groups-exclude reference
description string
log-events boolean
match 
cfm-opcode 
eq number
gt number
lt number
range 
end number
start number
dot1p 
mask number
priority number
dst-mac 
address string
mask string
etype string
frame-type keyword
llc-dsap 
dsap number
mask number
llc-ssap 
mask number
ssap number
service string
snap-oui keyword
snap-pid number
src-mac 
address string
mask string
per-peer-queuing boolean
pki 
apply-groups reference
apply-groups-exclude reference
ca-profile string 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
auto-crl-update 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
crl-urls 
url-entry number 
apply-groups reference
apply-groups-exclude reference
transmission-profile reference
url http-url-path-loose
periodic-update-interval number
pre-update-time number
retry-interval number
schedule-type keyword
cert-file string
cmpv2 
accept-unprotected-message 
error-message boolean
pkiconf-message boolean
always-set-sender-for-ir boolean
http 
response-timeout number
version keyword
key-list 
key string 
apply-groups reference
apply-groups-exclude reference
password string
recipient-subject string
response-signing-cert string
response-signing-use-extracert 
same-recipient-nonce-for-poll-request boolean
signing-cert-subject string
url 
service-name string
transmission-profile reference
url-string http-optional-url-loose
use-ca-subject 
crl-file string
description string
ocsp 
responder-url http-optional-url-loose
service-name string
transmission-profile reference
revocation-check keyword
certificate-auto-update string 
apply-groups reference
apply-groups-exclude reference
key-file-name string
profile reference
certificate-display-format keyword
certificate-expiration-warning 
hours number
repeat-hours number
certificate-update-profile string 
after-issue number
apply-groups reference
apply-groups-exclude reference
before-expiry number
cmpv2 
ca-profile reference
dsa 
key-size number
ecdsa 
curve keyword
est 
est-profile reference
hash-algorithm keyword
retry-interval number
rsa 
key-size number
same-as-existing-key 
common-name-list string 
apply-groups reference
apply-groups-exclude reference
common-name number 
apply-groups reference
apply-groups-exclude reference
cn-type keyword
cn-value string
crl-expiration-warning 
hours number
repeat-hours number
est-profile string 
apply-groups reference
apply-groups-exclude reference
check-id-kp-cmcra-only boolean
client-tls-profile string
http-authentication 
password string
username string
server 
fqdn string
ipv4 string
ipv6 (ipv4-address-no-zone | ipv6-address-no-zone)
port number
transmission-profile string
imported-format keyword
maximum-cert-chain-depth number
python-script 
apply-groups reference
apply-groups-exclude reference
authorization 
cron 
cli-user reference
event-handler 
cli-user reference
snmp 
access string context string security-model keyword security-level keyword 
apply-groups reference
apply-groups-exclude reference
notify string
prefix-match keyword
read string
write string
apply-groups reference
apply-groups-exclude reference
attempts 
apply-groups reference
apply-groups-exclude reference
count number
lockout number
time number
community string 
access-permissions keyword
apply-groups reference
apply-groups-exclude reference
source-access-list reference
version keyword
source-access-list string 
apply-groups reference
apply-groups-exclude reference
source-host string 
address (ipv4-address-no-zone | ipv6-address-no-zone)
apply-groups reference
apply-groups-exclude reference
usm-community string 
apply-groups reference
apply-groups-exclude reference
group string
source-access-list reference
view string subtree string 
apply-groups reference
apply-groups-exclude reference
mask string
type keyword
source-address 
ipv4 keyword 
address string
apply-groups reference
apply-groups-exclude reference
interface-name string
ipv6 keyword 
address string
apply-groups reference
apply-groups-exclude reference
ssh 
apply-groups reference
apply-groups-exclude reference
authentication-method 
server 
public-key-only boolean
client-cipher-list-v2 
apply-groups reference
apply-groups-exclude reference
cipher number 
apply-groups reference
apply-groups-exclude reference
name keyword
client-kex-list-v2 
kex number 
apply-groups reference
apply-groups-exclude reference
name keyword
client-mac-list-v2 
mac number 
apply-groups reference
apply-groups-exclude reference
name keyword
key-re-exchange 
client 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
mbytes (number | keyword)
minutes (number | keyword)
server 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
mbytes (number | keyword)
minutes (number | keyword)
permit-empty-passwords boolean
preserve-key boolean
server-admin-state keyword
server-cipher-list-v2 
apply-groups reference
apply-groups-exclude reference
cipher number 
apply-groups reference
apply-groups-exclude reference
name keyword
server-kex-list-v2 
kex number 
apply-groups reference
apply-groups-exclude reference
name keyword
server-mac-list-v2 
mac number 
apply-groups reference
apply-groups-exclude reference
name keyword
system-passwords 
admin-password string
apply-groups reference
apply-groups-exclude reference
tech-support 
apply-groups reference
apply-groups-exclude reference
ts-location (ts-sat-url | cflash-url | string)
telnet-server boolean
telnet6-server boolean
tls 
apply-groups reference
apply-groups-exclude reference
cert-profile string 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
entry number 
apply-groups reference
apply-groups-exclude reference
certificate-file string
key-file string
send-chain 
ca-profile reference 
client-cipher-list string 
apply-groups reference
apply-groups-exclude reference
tls12-cipher number 
apply-groups reference
apply-groups-exclude reference
name keyword
tls13-cipher number 
apply-groups reference
apply-groups-exclude reference
name keyword
client-group-list string 
apply-groups reference
apply-groups-exclude reference
tls13-group number 
apply-groups reference
apply-groups-exclude reference
name keyword
client-signature-list string 
apply-groups reference
apply-groups-exclude reference
tls13-signature number 
apply-groups reference
apply-groups-exclude reference
name keyword
client-tls-profile string 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
cert-profile reference
cipher-list reference
group-list reference
protocol-version keyword
signature-list reference
status-verify 
default-result keyword
trust-anchor-profile reference
server-cipher-list string 
apply-groups reference
apply-groups-exclude reference
tls12-cipher number 
apply-groups reference
apply-groups-exclude reference
name keyword
tls13-cipher number 
apply-groups reference
apply-groups-exclude reference
name keyword
server-group-list string 
apply-groups reference
apply-groups-exclude reference
tls13-group number 
apply-groups reference
apply-groups-exclude reference
name keyword
server-signature-list string 
apply-groups reference
apply-groups-exclude reference
tls13-signature number 
apply-groups reference
apply-groups-exclude reference
name keyword
server-tls-profile string 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
authenticate-client 
common-name-list reference
trust-anchor-profile reference
cert-profile reference
cipher-list reference
group-list reference
protocol-version keyword
signature-list reference
status-verify 
default-result keyword
tls-re-negotiate-timer number
trust-anchor-profile string 
apply-groups reference
apply-groups-exclude reference
trust-anchor reference 
user-params 
apply-groups reference
apply-groups-exclude reference
attempts 
count number
lockout number
time number
authentication-order 
exit-on-reject boolean
order keyword
local-user 
password 
aging number
apply-groups reference
apply-groups-exclude reference
complexity-rules 
allow-user-name boolean
credits 
lowercase number
numeric number
special-character number
uppercase number
minimum-classes number
minimum-length number
repeated-characters number
required 
lowercase number
numeric number
special-character number
uppercase number
hashing keyword
history-size number
minimum-age number
minimum-change number
user string 
access 
console boolean
ftp boolean
grpc boolean
li boolean
netconf boolean
snmp boolean
apply-groups reference
apply-groups-exclude reference
cli-engine keyword
console 
cannot-change-password boolean
login-exec (sat-url | cflash-url | ftp-tftp-url | filename)
member reference
new-password-at-login boolean
home-directory (sat-url | cflash-without-slot-url)
password string
public-keys 
ecdsa 
ecdsa-key number 
apply-groups reference
apply-groups-exclude reference
description string
key-value string
rsa 
rsa-key number 
apply-groups reference
apply-groups-exclude reference
description string
key-value string
restricted-to-home boolean
save-when-restricted boolean
snmp 
apply-groups reference
apply-groups-exclude reference
authentication 
authentication-key string
authentication-protocol keyword
privacy 
privacy-key string
privacy-protocol keyword
group string
ssh-authentication-method 
server 
public-key-only keyword
vprn-network-exceptions 
count number
window number
selective-fib boolean
software-repository string 
apply-groups reference
apply-groups-exclude reference
description string
primary-location string
secondary-location string
tertiary-location string
switch-fabric 
apply-groups reference
apply-groups-exclude reference
failure-recovery 
admin-state keyword
sfm-loss-threshold number
telemetry 
apply-groups reference
apply-groups-exclude reference
destination-group string 
allow-unsecure-connection 
apply-groups reference
apply-groups-exclude reference
description string
destination (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name) port number 
apply-groups reference
apply-groups-exclude reference
router-instance string
tcp-keepalive 
admin-state keyword
idle-time number
interval number
retries number
tls-client-profile reference
notification-bundling 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
max-msg-count number
max-time-granularity number
persistent-subscriptions 
delay-on-boot number
subscription string 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
description string
destination-group reference
encoding keyword
local-source-address (ipv4-address-no-zone | ipv6-address-no-zone)
mode keyword
originated-qos-marking keyword
sample-interval number
sensor-group reference
sensor-groups 
sensor-group string 
apply-groups reference
apply-groups-exclude reference
description string
path string 
thresholds 
cflash-cap-alarm-percent string 
apply-groups reference
apply-groups-exclude reference
falling-threshold number
interval number
rising-threshold number
rmon-event-type keyword
startup-alarm keyword
cflash-cap-warn-percent string 
apply-groups reference
apply-groups-exclude reference
falling-threshold number
interval number
rising-threshold number
rmon-event-type keyword
startup-alarm keyword
kb-memory-use-alarm 
apply-groups reference
apply-groups-exclude reference
falling-threshold number
interval number
rising-threshold number
rmon-event-type keyword
startup-alarm keyword
kb-memory-use-warn 
apply-groups reference
apply-groups-exclude reference
falling-threshold number
interval number
rising-threshold number
rmon-event-type keyword
startup-alarm keyword
rmon 
alarm number 
apply-groups reference
apply-groups-exclude reference
falling-event number
falling-threshold number
interval number
owner string
rising-event number
rising-threshold number
sample-type keyword
startup-alarm keyword
variable-oid string
event number 
apply-groups reference
apply-groups-exclude reference
description string
event-type keyword
owner string
time 
apply-groups reference
apply-groups-exclude reference
dst-zone string 
apply-groups reference
apply-groups-exclude reference
end 
day keyword
hours-minutes string
month keyword
week keyword
offset number
start 
day keyword
hours-minutes string
month keyword
week keyword
ntp 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
authentication-check boolean
authentication-key number 
apply-groups reference
apply-groups-exclude reference
key string
type keyword
authentication-keychain reference
broadcast reference interface-name string 
apply-groups reference
apply-groups-exclude reference
authentication-keychain reference
key-id reference
ttl number
version number
broadcast-client string interface-name string 
apply-groups reference
apply-groups-exclude reference
authenticate boolean
multicast 
apply-groups reference
apply-groups-exclude reference
authentication-keychain reference
key-id reference
version number
multicast-client 
apply-groups reference
apply-groups-exclude reference
authenticate boolean
ntp-server 
authenticate boolean
peer (ipv4-address-no-zone | ipv6-address-no-zone) router-instance string 
apply-groups reference
apply-groups-exclude reference
authentication-keychain reference
key-id reference
prefer boolean
version number
server (ipv4-address-no-zone | ipv6-address-no-zone | keyword) router-instance string 
apply-groups reference
apply-groups-exclude reference
authentication-keychain reference
key-id reference
prefer boolean
version number
prefer-local-time boolean
sntp 
admin-state keyword
apply-groups reference
apply-groups-exclude reference
server (ipv4-address-no-zone | ipv6-address-no-zone) 
apply-groups reference
apply-groups-exclude reference
interval number
prefer boolean
version number
sntp-state keyword
zone 
non-standard 
name string
offset string
standard 
name keyword
transmission-profile string 
apply-groups reference
apply-groups-exclude reference
http-version keyword
ipv4-source-address string
ipv6-source-address string
redirection number
retry number
router-instance string
timeout number
usb keyword 
admin-state keyword
apply-groups reference
apply-groups-exclude reference

system command descriptions

system

Synopsis Enter the system context
Context configure system
Tree system
Introduced 16.0.R1

Platforms

All

alarm-contact-input [input-pin-number] number

Synopsis Enter the alarm-contact-input list instance
Context configure system alarm-contact-input number
Tree alarm-contact-input
Introduced 16.0.R1

Platforms

7750 SR-a

[input-pin-number] number
Synopsis Alarm contact input pin
Context configure system alarm-contact-input number
Tree alarm-contact-input
Range 1 to 4

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

7750 SR-a

admin-state keyword
Synopsis Administrative state of the alarm contact input
Context configure system alarm-contact-input number admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 16.0.R1

Platforms

7750 SR-a

clear-message string
Synopsis Text message sent in the log event when an alarm clears
Context configure system alarm-contact-input number clear-message string
Tree clear-message

Description

This command configures a text message to be included in the log event that is sent when the system clears an alarm.

The system generates the default "Alarm Input Cleared" message if no message is configured. The clear-message string is included in the log event when the pin changes to the normal state.

String Length 1 to 80
Default Alarm Input Cleared
Introduced 16.0.R1

Platforms

7750 SR-a

trigger-message string
Synopsis Text message sent in the log event when input changes
Context configure system alarm-contact-input number trigger-message string
Tree trigger-message

Description

This command configures a text message to be included in the log event that is sent when the system generates an alarm.

The system generates the default message "Alarm Input Triggered" if no message is configured. This command's message string is included in the log event when the pin changes from the normal state.

String Length 1 to 80
Default Alarm Input Triggered
Introduced 16.0.R1

Platforms

7750 SR-a

alarms

Synopsis Enter the alarms context
Context configure system alarms
Tree alarms
Introduced 16.0.R4

Platforms

All

admin-state keyword
Synopsis Administrative state of the system alarm
Context configure system alarms admin-state keyword
Tree admin-state
Options enable, disable
Default enable
Introduced 16.0.R4

Platforms

All

max-cleared number
Synopsis Maximum number of cleared alarms
Context configure system alarms max-cleared number
Tree max-cleared
Range 0 to 500
Default 500
Introduced 16.0.R4

Platforms

All

bluetooth

Synopsis Enter the bluetooth context
Context configure system bluetooth
Tree bluetooth
Introduced 16.0.R1

Platforms

7750 SR-1, 7750 SR-s, 7950 XRS-20e

admin-state keyword
Synopsis Administrative state of the Bluetooth module
Context configure system bluetooth admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 20.2.R1

Platforms

7750 SR-1, 7750 SR-s, 7950 XRS-20e

device [mac-address] string
Synopsis Enter the device list instance
Context configure system bluetooth device string
Tree device
Max. Instances 5
Introduced 16.0.R1

Platforms

7750 SR-1, 7750 SR-s, 7950 XRS-20e

[mac-address] string
Synopsis Bluetooth client device MAC address
Context configure system bluetooth device string
Tree device

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

7750 SR-1, 7750 SR-s, 7950 XRS-20e

module [cpm-slot] string
Synopsis Enter the module list instance
Context configure system bluetooth module string
Tree module
Introduced 16.0.R1

Platforms

7750 SR-1, 7750 SR-s, 7950 XRS-20e

[cpm-slot] string
Synopsis CPM slot on which the module resides
Context configure system bluetooth module string
Tree module
String Length 1

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

7750 SR-1, 7750 SR-s, 7950 XRS-20e

passkey string
Synopsis Bluetooth passkey
Context configure system bluetooth passkey string
Tree passkey
String Length 6
Default 123456
Introduced 16.0.R1

Platforms

7750 SR-1, 7750 SR-s, 7950 XRS-20e

power-mode keyword
Synopsis Bluetooth module power mode
Context configure system bluetooth power-mode keyword
Tree power-mode
Options manual, automatic
Default automatic
Introduced 20.2.R1

Platforms

7750 SR-1, 7750 SR-s, 7950 XRS-20e

boot-bad-exec string

Synopsis CLI script file to execute following a failed boot-up
Context configure system boot-bad-exec string
Tree boot-bad-exec

Description

This command configures the name of the CLI script file to be run following the failure of a boot-up configuration.

Note: This command has no effect in model-driven mode.

String Length 1 to 180
Introduced 16.0.R1

Platforms

All

boot-good-exec string

Synopsis CLI script file to execute following successful boot-up
Context configure system boot-good-exec string
Tree boot-good-exec
String Length 1 to 180
Introduced 16.0.R1

Platforms

All

central-frequency-clock

Synopsis Enter the central-frequency-clock context
Context configure system central-frequency-clock
Tree central-frequency-clock
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

bits
Synopsis Enter the bits context
Context configure system central-frequency-clock bits
Tree bits
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

input
Synopsis Enter the input context
Context configure system central-frequency-clock bits input
Tree input
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

admin-state keyword
Synopsis Administrative state of the BITS input timing reference
Context configure system central-frequency-clock bits input admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

interface-type keyword
Synopsis Interface type of the BITS timing reference
Context configure system central-frequency-clock bits interface-type keyword
Tree interface-type
Options ds1-esf, ds1-sf, e1-pcm30crc, e1-pcm31crc, g703-2048khz
Default ds1-esf
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

output
Synopsis Enter the output context
Context configure system central-frequency-clock bits output
Tree output
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

line-length keyword
Synopsis Line length for the BITS output timing reference
Context configure system central-frequency-clock bits output line-length keyword
Tree line-length
Options length-not-applicable, 110, 220, 330, 440, 550, 660
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

ql-minimum keyword
Synopsis Minimum signal quality level for BITSout port
Context configure system central-frequency-clock bits output ql-minimum keyword
Tree ql-minimum
Options unused, prs, stu, st2, tnc, st3e, st3, prc, ssua, ssub, sec, eec1, eec2
Default unused
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

source keyword
Synopsis Source of the BITS output timing reference
Context configure system central-frequency-clock bits output source keyword
Tree source
Options line-ref, internal-clock
Default line-ref
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

squelch boolean
Synopsis Squelch the signal of the BITS output timing reference
Context configure system central-frequency-clock bits output squelch boolean
Tree squelch
Default false
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

ql-override keyword
Synopsis Override for the quality level of the timing reference
Context configure system central-frequency-clock bits ql-override keyword
Tree ql-override
Options unused, prs, stu, st2, tnc, st3e, st3, prc, ssua, ssub, sec
Default unused
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

ssm-bit number
Synopsis Sa bit to convey SSM information
Context configure system central-frequency-clock bits ssm-bit number
Tree ssm-bit
Range 4 to 8
Default 8
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

gnss
Synopsis Enter the gnss context
Context configure system central-frequency-clock gnss
Tree gnss
Introduced 22.10.R1

Platforms

7750 SR-1-24D, 7750 SR-1-46S, 7750 SR-1-48D, 7750 SR-1-92S, 7750 SR-1x-48D, 7750 SR-1x-92S, 7750 SR-1se, 7750 SR-2se

admin-state keyword
Synopsis Administrative state of the gnss timing reference
Context configure system central-frequency-clock gnss admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 22.10.R1

Platforms

7750 SR-1-24D, 7750 SR-1-46S, 7750 SR-1-48D, 7750 SR-1-92S, 7750 SR-1x-48D, 7750 SR-1x-92S, 7750 SR-1se, 7750 SR-2se

ql-override keyword
Synopsis Quality level override for a timing reference
Context configure system central-frequency-clock gnss ql-override keyword
Tree ql-override
Options unused, prs, stu, st2, tnc, st3e, st3
Default unused
Introduced 22.10.R1

Platforms

7750 SR-1-24D, 7750 SR-1-46S, 7750 SR-1-48D, 7750 SR-1-92S, 7750 SR-1x-48D, 7750 SR-1x-92S, 7750 SR-1se, 7750 SR-2se

ptp
Synopsis Enter the ptp context
Context configure system central-frequency-clock ptp
Tree ptp
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

admin-state keyword
Synopsis Administrative state of the PTP timing reference
Context configure system central-frequency-clock ptp admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

ql-override keyword
Synopsis Quality level of a timing reference that overrides any value provided by the reference's SSM process
Context configure system central-frequency-clock ptp ql-override keyword
Tree ql-override
Options unused, prs, stu, st2, tnc, st3e, st3, prc, ssua, ssub, sec
Default unused
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

ql-minimum keyword
Synopsis Minimum signal quality level for system timing module
Context configure system central-frequency-clock ql-minimum keyword
Tree ql-minimum
Options unused, prs, stu, st2, tnc, st3e, st3, prc, ssua, ssub, sec, eec1, eec2
Default unused
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

ql-selection boolean
Synopsis Consider quality level in system and BITS output timing
Context configure system central-frequency-clock ql-selection boolean
Tree ql-selection
Default false
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

ref-order
Synopsis Enter the ref-order context
Context configure system central-frequency-clock ref-order
Tree ref-order

Description

Commands in this context specify the priority order of the synchronous equipment timing subsystem.

If a reference source is disabled, this command defines the next reference source for the clock. If all reference sources are disabled, clocking is derived from a local oscillator.

If a timing reference is linked to a source port that is operationally down, the port is no longer a qualified, valid reference.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

fifth keyword
Synopsis Fifth preferred timing reference source
Context configure system central-frequency-clock ref-order fifth keyword
Tree fifth
Options ref1, ref2, bits, ptp, none, synce, gnss
Introduced 19.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

first keyword
Synopsis First preferred timing reference source
Context configure system central-frequency-clock ref-order first keyword
Tree first
Options ref1, ref2, bits, ptp, none, synce, gnss
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

fourth keyword
Synopsis Fourth preferred timing reference source
Context configure system central-frequency-clock ref-order fourth keyword
Tree fourth
Options ref1, ref2, bits, ptp, none, synce, gnss
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

second keyword
Synopsis Second preferred timing reference source
Context configure system central-frequency-clock ref-order second keyword
Tree second
Options ref1, ref2, bits, ptp, none, synce, gnss
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

sixth keyword
Synopsis Sixth preferred timing reference source
Context configure system central-frequency-clock ref-order sixth keyword
Tree sixth
Options ref1, ref2, bits, ptp, none, synce, gnss
Introduced 22.10.R1

Platforms

7750 SR-1-24D, 7750 SR-1-46S, 7750 SR-1-48D, 7750 SR-1-92S, 7750 SR-1x-48D, 7750 SR-1x-92S, 7750 SR-1se, 7750 SR-2se

third keyword
Synopsis Third preferred timing reference source
Context configure system central-frequency-clock ref-order third keyword
Tree third
Options ref1, ref2, bits, ptp, none, synce, gnss
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

ref1
Synopsis Enter the ref1 context
Context configure system central-frequency-clock ref1
Tree ref1
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

admin-state keyword
Synopsis Administrative state of the first timing reference
Context configure system central-frequency-clock ref1 admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

ql-override keyword
Synopsis Quality level override of a timing reference
Context configure system central-frequency-clock ref1 ql-override keyword
Tree ql-override
Options unused, prs, stu, st2, tnc, st3e, st3, prc, ssua, ssub, sec, eec1, eec2
Default unused
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

ref2
Synopsis Enter the ref2 context
Context configure system central-frequency-clock ref2
Tree ref2
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

admin-state keyword
Synopsis Administrative state of the second timing reference
Context configure system central-frequency-clock ref2 admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

ql-override keyword
Synopsis Quality level override of a timing reference
Context configure system central-frequency-clock ref2 ql-override keyword
Tree ql-override
Options unused, prs, stu, st2, tnc, st3e, st3, prc, ssua, ssub, sec, eec1, eec2
Default unused
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

revert boolean
Synopsis Revert to higher-priority reference source
Context configure system central-frequency-clock revert boolean
Tree revert
Default false
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

synce
Synopsis Enter the synce context
Context configure system central-frequency-clock synce
Tree synce
Introduced 19.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

admin-state keyword
Synopsis Administrative state of the SyncE timing reference
Context configure system central-frequency-clock synce admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 19.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

ql-override keyword
Synopsis Override the quality level of a timing reference
Context configure system central-frequency-clock synce ql-override keyword
Tree ql-override
Options unused, prs, stu, st2, tnc, st3e, st3, prc, ssua, ssub, sec, eec1, eec2
Default unused
Introduced 19.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

clli-code string

Synopsis CLLI code value for the system
Context configure system clli-code string
Tree clli-code
String Length 11
Introduced 16.0.R1

Platforms

All

contact string

Synopsis Contact information for the managed node
Context configure system contact string
Tree contact
String Length 1 to 80
Introduced 16.0.R1

Platforms

All

coordinates string

Synopsis GPS coordinates for the system location
Context configure system coordinates string
Tree coordinates
String Length 1 to 80
Introduced 16.0.R1

Platforms

All

cron

Synopsis Enter the cron context
Context configure system cron
Tree cron
Introduced 16.0.R1

Platforms

All

schedule [schedule-name] string owner string
Synopsis Enter the schedule list instance
Context configure system cron schedule string owner string
Tree schedule
Max. Instances 255
Introduced 16.0.R1

Platforms

All

[schedule-name] string
Synopsis Schedule name
Context configure system cron schedule string owner string
Tree schedule
String Length 1 to 32

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

All

owner string
Synopsis Schedule owner
Context configure system cron schedule string owner string
Tree schedule
String Length 1 to 32
MD-CLI Default TiMOS CLI

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

All

admin-state keyword
Synopsis Administrative state of the CRON schedule
Context configure system cron schedule string owner string admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 16.0.R1

Platforms

All

count number
Synopsis Number of times to repeat a periodic schedule run
Context configure system cron schedule string owner string count number
Tree count
Range 1 to 65535
Introduced 16.0.R1

Platforms

All

end-time
Synopsis Enter the end-time context
Context configure system cron schedule string owner string end-time
Tree end-time
Introduced 16.0.R1

Platforms

All

date-and-time string
Synopsis Date and time to stop triggering the schedule
Context configure system cron schedule string owner string end-time date-and-time string
Tree date-and-time

Notes

The following elements are part of a choice: date-and-time or (day and time).

Introduced 16.0.R1

Platforms

All

day keyword
Synopsis Day to stop triggering the schedule
Context configure system cron schedule string owner string end-time day keyword
Tree day
Options sunday, monday, tuesday, wednesday, thursday, friday, saturday

Notes

The following elements are part of a choice: date-and-time or (day and time).

Introduced 16.0.R1

Platforms

All

time string
Synopsis Time to stop triggering the schedule
Context configure system cron schedule string owner string end-time time string
Tree time
String Length 5

Notes

The following elements are part of a choice: date-and-time or (day and time).

Introduced 16.0.R1

Platforms

All

hour number
Synopsis Hours within a day when the schedule runs
Context configure system cron schedule string owner string hour number
Tree hour
Range 0 to 23
Max. Instances 24
Introduced 16.0.R1

Platforms

All

interval number
Synopsis Time between each periodic schedule run
Context configure system cron schedule string owner string interval number
Tree interval
Range 30 to 42949672
Units seconds
Introduced 16.0.R1

Platforms

All

minute number
Synopsis Minutes in an hour when the schedule runs
Context configure system cron schedule string owner string minute number
Tree minute
Range 0 to 59
Max. Instances 60
Introduced 16.0.R1

Platforms

All

month (keyword | number)
Synopsis Months when the schedule runs
Context configure system cron schedule string owner string month (keyword | number)
Tree month
Range 1 to 12
Options january, february, march, april, may, june, july, august, september, october, november, december
Max. Instances 12
Introduced 16.0.R1

Platforms

All

script-policy
Synopsis Enter the script-policy context
Context configure system cron schedule string owner string script-policy
Tree script-policy
Introduced 16.0.R1

Platforms

All

type keyword
Synopsis Schedule type
Context configure system cron schedule string owner string type keyword
Tree type
Options periodic, calendar, oneshot
Default periodic
Introduced 16.0.R1

Platforms

All

weekday (keyword | number)
Synopsis Weekdays when the schedule runs
Context configure system cron schedule string owner string weekday (keyword | number)
Tree weekday
Range 1 to 7
Options sunday, monday, tuesday, wednesday, thursday, friday, saturday
Max. Instances 7
Introduced 16.0.R1

Platforms

All

dhcp6

Synopsis Enter the dhcp6 context
Context configure system dhcp6
Tree dhcp6
Introduced 16.0.R4

Platforms

All

adv-noaddrs-global keyword
Synopsis Applications to send NoAddrsAvail in Advertise messages
Context configure system dhcp6 adv-noaddrs-global keyword
Tree adv-noaddrs-global
Options esm-relay, server
Max. Instances 2
Introduced 16.0.R4

Platforms

All

dns

Synopsis Enter the dns context
Context configure system dns
Tree dns
Introduced 16.0.R1

Platforms

All

address-pref keyword
Synopsis Preference in DNS address resolving order
Context configure system dns address-pref keyword
Tree address-pref
Options ipv4-only, ipv6-first
Introduced 16.0.R1

Platforms

All

dnssec
Synopsis Enter the dnssec context
Context configure system dns dnssec
Tree dnssec
Introduced 16.0.R1

Platforms

All

ad-validation keyword
Synopsis Validation of AD-bit presence in DNS server responses
Context configure system dns dnssec ad-validation keyword
Tree ad-validation
Options

fall-through – Allow non-DNSSEC responses to fall through to permit resolution in case of validation failure

drop – Drop non-DNSSEC responses in case of validation failure

Introduced 16.0.R1

Platforms

All

efm-oam

Synopsis Enter the efm-oam context
Context configure system efm-oam
Tree efm-oam
Introduced 16.0.R1

Platforms

All

grace-tx boolean
Synopsis Send Grace TLVs for soft reset graceful recovery events
Context configure system efm-oam grace-tx boolean
Tree grace-tx

Description

When configured to true, the system sends the Nokia Vendor Specific Grace TLV in the information PDU after an ISSU or a soft reset. The Grace TLV informs a remote peer to ignore the negotiated interval and multiplier and instead use the new timeout interval.

By default, the command is disabled at the system level and enabled at the port level. Both the system and port level must be enabled to support grace on a specific port. When configured to true, the EFM-OAM protocol does not enter a non-operational state when both nodes acknowledge the grace function. This feature minimizes service interruption by giving the restarting router time to become operationally and administratively up within the grace period.

The peer receiving the Grace TLV must be able to parse and process the vendor-specific messaging. Do not configure grace if the Nokia Vendor Specific Grace TLV is not supported on the remote peer.

When configured to false, the Nokia Vendor Specific Grace TLV is not sent.

Default false
Introduced 16.0.R1

Platforms

All

eth-cfm

Synopsis Enter the eth-cfm context
Context configure system eth-cfm
Tree eth-cfm
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

grace boolean
Synopsis Allow system level capability of grace messaging
Context configure system eth-cfm grace boolean
Tree grace
Default true
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

md-auto-id
Synopsis Enter the md-auto-id context
Context configure system eth-cfm md-auto-id
Tree md-auto-id
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

ma-index-range
Synopsis Enable the ma-index-range context
Context configure system eth-cfm md-auto-id ma-index-range
Tree ma-index-range
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

end number
WARNING:

Modifying this element recreates the parent element automatically for the new value to take effect.

Synopsis Upper bound of the range
Context configure system eth-cfm md-auto-id ma-index-range end number
Tree end
Range 1 to 4294967295

Notes

This element is mandatory.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

start number
WARNING:

Modifying this element recreates the parent element automatically for the new value to take effect.

Synopsis Lower bound of the range
Context configure system eth-cfm md-auto-id ma-index-range start number
Tree start
Range 1 to 4294967295

Notes

This element is mandatory.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

md-index-range
Synopsis Enable the md-index-range context
Context configure system eth-cfm md-auto-id md-index-range
Tree md-index-range
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

end number
WARNING:

Modifying this element recreates the parent element automatically for the new value to take effect.

Synopsis Upper bound of the range
Context configure system eth-cfm md-auto-id md-index-range end number
Tree end
Range 1 to 4294967295

Notes

This element is mandatory.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

start number
WARNING:

Modifying this element recreates the parent element automatically for the new value to take effect.

Synopsis Lower bound of the range
Context configure system eth-cfm md-auto-id md-index-range start number
Tree start
Range 1 to 4294967295

Notes

This element is mandatory.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

named-display boolean
Synopsis Enable administrative name display in CLI show outputs
Context configure system eth-cfm named-display boolean
Tree named-display

Description

When configured to true, the system displays the administrative names for domains, associations, and bridge-identifiers in show eth-cfm command outputs in addition to the numerical maintenance domain (MD) index, maintenance association (MA) index, and bridge ID values. The administrative names are displayed underneath the numerical values, each on a separate row.

When configured to false, the system only displays the numerical MD index, MA index, and bridge ID values in show eth-cfm command outputs.

Default false
Introduced 23.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

redundancy
Synopsis Enter the redundancy context
Context configure system eth-cfm redundancy
Tree redundancy
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

mc-lag
Synopsis Enter the mc-lag context
Context configure system eth-cfm redundancy mc-lag
Tree mc-lag
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

propagate-hold-time (number | keyword)
Synopsis Delay timer value for the fault propagation
Context configure system eth-cfm redundancy mc-lag propagate-hold-time (number | keyword)
Tree propagate-hold-time
Range 1 to 60
Units seconds
Options none
Default 1
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

standby-mep boolean
Synopsis Allow standby MC-LAG MEPs to act administratively down
Context configure system eth-cfm redundancy mc-lag standby-mep boolean
Tree standby-mep
Default false
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

sender-id
Synopsis Enter the sender-id context
Context configure system eth-cfm sender-id
Tree sender-id
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

local-name string
Synopsis Local name used in CFM PDUs
Context configure system eth-cfm sender-id local-name string
Tree local-name
String Length 1 to 45
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

type keyword
Synopsis ETH-CFM sender ID to be used in CFM PDUs
Context configure system eth-cfm sender-id type keyword
Tree type
Options system, local
Default system
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

slm
Synopsis Enter the slm context
Context configure system eth-cfm slm
Tree slm
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

inactivity-timer number
Synopsis SLR inactivity timer to maintain the stale test data
Context configure system eth-cfm slm inactivity-timer number
Tree inactivity-timer
Range 10 to 100
Units seconds
Default 100
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

fan-control

Synopsis Enter the fan-control context
Context configure system fan-control
Tree fan-control

Description

Commands in this context configure the speed of the router fans.

Caution: Only use commands in this context with authorized direction from Nokia technical support.

Introduced 23.7.R1

Platforms

7750 SR-1-24D, 7750 SR-1-46S, 7750 SR-1-48D, 7750 SR-1-92S, 7750 SR-1x-48D, 7750 SR-1x-92S, 7750 SR-1se

cooling-profile keyword
Synopsis Cooling profile used to determine fan speeds
Context configure system fan-control cooling-profile keyword
Tree cooling-profile

Description

This command configures the cooling profile used to determine the fan speed.

Nokia recommends that the default setting be used unless aggressive cooling is explicitly required.

Options default, aggressive
Default default
Introduced 23.7.R1

Platforms

7750 SR-1-24D, 7750 SR-1-46S, 7750 SR-1-48D, 7750 SR-1-92S, 7750 SR-1x-48D, 7750 SR-1x-92S, 7750 SR-1se

grpc

Synopsis Enter the grpc context
Context configure system grpc
Tree grpc
Introduced 16.0.R1

Platforms

All

admin-state keyword
Synopsis Administrative state of the gRPC server
Context configure system grpc admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 16.0.R1

Platforms

All

allow-unsecure-connection
Synopsis Allow connection without secured transport protocol
Context configure system grpc allow-unsecure-connection
Tree allow-unsecure-connection

Description

When configured, the system allows an unsecured connection to remote managers; TCP connections are not encrypted, including username and password information.

Notes

The following elements are part of a choice: allow-unsecure-connection or tls-server-profile.

Introduced 16.0.R1

Platforms

All

delay-on-boot number
Synopsis Delay for gRPC connections after system boot
Context configure system grpc delay-on-boot number
Tree delay-on-boot

Description

This command configures the delay timer for gRPC connections. When the timer expires, gRPC becomes operational and connections are accepted. This delay prevents automation from managing the system while it is still converging.

When no delay is configured, connections are accepted after the system boots and gRPC becomes operational.

Range 1 to 3600
Units seconds
Introduced 23.10.R1

Platforms

All

gnmi
Synopsis Enter the gnmi context
Context configure system grpc gnmi
Tree gnmi
Introduced 16.0.R1

Platforms

All

admin-state keyword
Synopsis Administrative state of the gNMI service
Context configure system grpc gnmi admin-state keyword
Tree admin-state
Options enable, disable
Default enable
Introduced 16.0.R1

Platforms

All

auto-config-save boolean
Synopsis Automatically save configuration as part of commit
Context configure system grpc gnmi auto-config-save boolean
Tree auto-config-save

Description

When configured to true, the system automatically writes the running configuration to the save configuration file as part of a successful commit operation.

Default true
Introduced 16.0.R1

Platforms

All

proto-version keyword
Synopsis gnmi.proto version
Context configure system grpc gnmi proto-version keyword
Tree proto-version

Description

This command sets the gnmi.proto version that the gRPC server should use for all gNMI RPCs. Only use options other than latest for backward compatibility with legacy collectors.

Options

latest – Latest supported version

v070 – gNMI version 0.7.0

Default latest
Introduced 23.3.R1

Platforms

All

gnoi
Synopsis Enter the gnoi context
Context configure system grpc gnoi
Tree gnoi
Introduced 19.10.R1

Platforms

All

file
Synopsis Enter the file context
Context configure system grpc gnoi file
Tree file
Introduced 21.2.R1

Platforms

All

admin-state keyword
Synopsis Administrative state of the gNOI File service
Context configure system grpc gnoi file admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 21.2.R1

Platforms

All

system
Synopsis Enter the system context
Context configure system grpc gnoi system
Tree system
Introduced 20.5.R1

Platforms

All

admin-state keyword
Synopsis Administrative state of the gNOI System service
Context configure system grpc gnoi system admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 20.5.R1

Platforms

All

listening-port number
Synopsis Listening port for the gRPC server
Context configure system grpc listening-port number
Tree listening-port
Range 1024 to 49151 | 57400
Default 57400
Introduced 23.7.R1

Platforms

All

max-msg-size number
Synopsis Maximum size of received message
Context configure system grpc max-msg-size number
Tree max-msg-size
Range 1 to 1024
Units megabytes
Default 512
Introduced 16.0.R1

Platforms

All

md-cli
Synopsis Enter the md-cli context
Context configure system grpc md-cli
Tree md-cli
Introduced 20.5.R1

Platforms

All

admin-state keyword
Synopsis Administrative state of the MD-CLI service
Context configure system grpc md-cli admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 20.5.R1

Platforms

All

rib-api
Synopsis Enter the rib-api context
Context configure system grpc rib-api
Tree rib-api
Introduced 16.0.R4

Platforms

All

admin-state keyword
Synopsis Administrative state of the RIB API service
Context configure system grpc rib-api admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 16.0.R4

Platforms

All

tcp-keepalive
Synopsis Enter the tcp-keepalive context
Context configure system grpc tcp-keepalive
Tree tcp-keepalive
Introduced 16.0.R4

Platforms

All

admin-state keyword
Synopsis Administrative state of the TCP keepalive algorithm
Context configure system grpc tcp-keepalive admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 16.0.R4

Platforms

All

idle-time number
Synopsis Time until the first TCP keepalive probe is sent
Context configure system grpc tcp-keepalive idle-time number
Tree idle-time

Description

This command configures the amount of time the connection must be idle before TCP keepalives are sent.

Range 1 to 100000
Units seconds
Default 600
Introduced 16.0.R4

Platforms

All

interval number
Synopsis Time between TCP keep-alive probes
Context configure system grpc tcp-keepalive interval number
Tree interval
Range 1 to 100000
Units seconds
Default 15
Introduced 16.0.R4

Platforms

All

retries number
Synopsis Number of probe retries before closing the connection
Context configure system grpc tcp-keepalive retries number
Tree retries

Description

This command configures the number of missed TCP keepalive probes before closing the TCP connection and attempting to reach the other destinations within the same destination group.

Range 3 to 100
Default 4
Introduced 16.0.R4

Platforms

All

grpc-tunnel

Synopsis Enter the grpc-tunnel context
Context configure system grpc-tunnel
Tree grpc-tunnel
Introduced 22.2.R1

Platforms

All

delay-on-boot number
Synopsis Delay for gRPC tunnels after system boot
Context configure system grpc-tunnel delay-on-boot number
Tree delay-on-boot

Description

This command configures the delay timer for gRPC tunnels. When the timer expires, gRPC tunnels become operational and connections are accepted. This delay prevents the system from trying to initiate gRPC tunnels while it is still converging.

When no delay is configured, gRPC tunnels are initiated after the system boots and gRPC becomes operational.

Range 1 to 3600
Units seconds
Introduced 23.10.R1

Platforms

All

destination-group [name] string
Synopsis Enter the destination-group list instance
Context configure system grpc-tunnel destination-group string
Tree destination-group

Description

Commands in this context configure parameters for destination groups.

Max. Instances 4
Introduced 22.2.R1

Platforms

All

allow-unsecure-connection
Synopsis Allow unsecured operation of gRPC connections
Context configure system grpc-tunnel destination-group string allow-unsecure-connection
Tree allow-unsecure-connection

Description

This command allows a gRPC tunnel to run without a secured transport protocol. Data is transferred in unencrypted form.

Notes

The following elements are part of a choice: allow-unsecure-connection or tls-client-profile.

Introduced 22.2.R1

Platforms

All
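
The following audit is an added example, not Nokia code: it checks a flat configuration export against the gRPC and gRPC-tunnel entries above, applying the documented admin-state defaults to work out which services an unsecured server actually exposes. It assumes each input line is a full path in the form shown in the Context fields, prefixed with "/", and that tls-server-profile and tls-client-profile take a profile name; the sample configurations, profile names and the audit function are constructed for illustration.

```python
import shlex

# Default admin-state of each gRPC service, as listed in the entries on this page.
SERVICE_DEFAULTS = {
    ("gnmi",): "enable",
    ("gnoi", "file"): "disable",
    ("gnoi", "system"): "disable",
    ("md-cli",): "disable",
    ("rib-api",): "disable",
}

# Constructed sample: unsecured server and one unsecured tunnel destination group.
WEAK = [
    "/configure system grpc admin-state enable",
    "/configure system grpc allow-unsecure-connection",
    "/configure system grpc gnoi file admin-state enable",
    '/configure system grpc-tunnel destination-group "collectors" allow-unsecure-connection',
    '/configure system grpc-tunnel destination-group "collectors" destination 192.0.2.10 port 57401',
    '/configure system grpc-tunnel destination-group "lab" tls-client-profile "tunnel-tls"',
]

# Constructed sample: TLS on the server, gNMI switched off explicitly.
HARDENED = [
    "/configure system grpc admin-state enable",
    '/configure system grpc tls-server-profile "grpc-tls"',
    "/configure system grpc gnmi admin-state disable",
]


def parse_flat(lines):
    """Return the token lists that follow 'configure system' on each line."""
    entries = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line.lstrip("/"))  # honours quoted strings
        if tokens[:2] == ["configure", "system"]:
            entries.append(tokens[2:])
    return entries


def audit(lines):
    """Summarise gRPC exposure and list unsecured-transport findings."""
    entries = parse_flat(lines)
    grpc = [t[1:] for t in entries if t[:1] == ["grpc"]]
    tunnel = [t[1:] for t in entries if t[:1] == ["grpc-tunnel"]]

    def leaf(path, default):
        # Value of a leaf under 'configure system grpc'; the last line wins.
        value = default
        for t in grpc:
            if tuple(t[:-1]) == path:
                value = t[-1]
        return value

    server_enabled = leaf(("admin-state",), "disable") == "enable"

    # allow-unsecure-connection and tls-server-profile are a choice.
    transport = "unset"
    for t in grpc:
        if t == ["allow-unsecure-connection"]:
            transport = "unsecure"
        elif t[:1] == ["tls-server-profile"]:
            transport = "tls"

    # Services only matter when the server itself is enabled.
    services = []
    if server_enabled:
        services = sorted(
            "/".join(path)
            for path, default in SERVICE_DEFAULTS.items()
            if leaf(path + ("admin-state",), default) == "enable"
        )

    findings = []
    if server_enabled and transport == "unsecure":
        findings.append(
            "grpc: allow-unsecure-connection is set; usernames, passwords and "
            "data for [%s] are sent unencrypted" % ", ".join(services)
        )
    for t in tunnel:
        if t[:1] == ["destination-group"] and t[2:] == ["allow-unsecure-connection"]:
            findings.append(
                "grpc-tunnel destination-group %s: tunnel runs without a "
                "secured transport protocol" % t[1]
            )

    return {
        "server_enabled": server_enabled,
        "transport": transport,
        "services": services,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg))
```

Because gNMI defaults to enable, a configuration that only turns on the gRPC server still reports gnmi as exposed unless it is disabled explicitly.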

destination [address] (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name) port number
Synopsis Enter the destination list instance
Context configure system grpc-tunnel destination-group string destination (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name) port number
Tree destination
Max. Instances 4

Notes

This element is ordered by the user.

Introduced 22.2.R1

Platforms

All

[address] (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name)
Synopsis Address of the destination within the destination group
Context configure system grpc-tunnel destination-group string destination (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name) port number
Tree destination
String Length 1 to 255

Notes

This element is part of a list key.

Introduced 22.2.R1

Platforms

All

port number
Synopsis TCP port number for the destination
Context configure system grpc-tunnel destination-group string destination (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name) port number
Tree destination
Range 1 to 65535

Notes

This element is part of a list key.

Introduced 22.2.R1

Platforms

All

originated-qos-marking keyword
Synopsis QoS marking used for gRPC tunnel packets
Context configure system grpc-tunnel destination-group string destination (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name) port number originated-qos-marking keyword
Tree originated-qos-marking
Options be, cp1, cp2, cp3, cp4, cp5, cp6, cp7, cs1, cp9, af11, cp11, af12, cp13, af13, cp15, cs2, cp17, af21, cp19, af22, cp21, af23, cp23, cs3, cp25, af31, cp27, af32, cp29, af33, cp31, cs4, cp33, af41, cp35, af42, cp37, af43, cp39, cs5, cp41, cp42, cp43, cp44, cp45, ef, cp47, nc1, cp49, cp50, cp51, cp52, cp53, cp54, cp55, nc2, cp57, cp58, cp59, cp60, cp61, cp62, cp63
Introduced 22.2.R1

Platforms

All

tcp-keepalive
Synopsis Enter the tcp-keepalive context
Context configure system grpc-tunnel destination-group string tcp-keepalive
Tree tcp-keepalive
Introduced 22.2.R1

Platforms

All

idle-time number
Synopsis Time until the first TCP keepalive probe is sent
Context configure system grpc-tunnel destination-group string tcp-keepalive idle-time number
Tree idle-time

Description

This command configures the amount of time the connection must be idle before TCP keepalives are sent.

Range 1 to 100000
Units seconds
Default 600
Introduced 22.2.R1

Platforms

All

retries number
Synopsis Number of probe retries before closing the connection
Context configure system grpc-tunnel destination-group string tcp-keepalive retries number
Tree retries

Description

This command configures the number of missed TCP keepalive probes before closing the TCP connection and attempting to reach the other destinations within the same destination group.

Range 3 to 100
Default 4
Introduced 22.2.R1

Platforms

All

tunnel [name] string
Synopsis Enter the tunnel list instance
Context configure system grpc-tunnel tunnel string
Tree tunnel

Description

Commands in this context configure gRPC-tunnel-related parameters.

Max. Instances 4
Introduced 22.2.R1

Platforms

All

[name] string
Synopsis Tunnel name
Context configure system grpc-tunnel tunnel string
Tree tunnel
String Length 1 to 32

Notes

This element is part of a list key.

Introduced 22.2.R1

Platforms

All

handler [name] string
Synopsis Enter the handler list instance
Context configure system grpc-tunnel tunnel string handler string
Tree handler

Description

Commands in this context configure handler parameters for this instance. Multiple handlers can be created for any tunnel.

Max. Instances 8
Introduced 22.2.R1

Platforms

All

[name] string
Synopsis Handler name
Context configure system grpc-tunnel tunnel string handler string
Tree handler
String Length 1 to 32

Notes

This element is part of a list key.

Introduced 22.2.R1

Platforms

All

port number
Synopsis TCP port number the handler listens to internally
Context configure system grpc-tunnel tunnel string handler string port number
Tree port
Range 1 to 65535
Introduced 22.2.R1

Platforms

All

target-type
Synopsis Enter the target-type context
Context configure system grpc-tunnel tunnel string handler string target-type
Tree target-type
Introduced 22.2.R1

Platforms

All

custom-type string
Synopsis Custom string for target type
Context configure system grpc-tunnel tunnel string handler string target-type custom-type string
Tree custom-type

Description

This command configures a custom string for the target type. This string can correspond to specific values used by the gRPC tunnel protocol, such as GNMI_GNOI or SSH. If a custom string is defined, the gRPC tunnel client must specify the string to request a session for that handler. The string must be unique within a tunnel.

String Length 1 to 64

Notes

The following elements are part of a choice: custom-type, grpc-server, or ssh-server.

Introduced 22.2.R1

Platforms

All

grpc-server
Synopsis Target type set to GNMI_GNOI
Context configure system grpc-tunnel tunnel string handler string target-type grpc-server
Tree grpc-server

Description

When configured, this command assigns the gRPC server as a handler for all tunnel sessions. At the gRPC tunnel protocol level, this corresponds to a value of GNMI_GNOI.

Notes

The following elements are part of a choice: custom-type, grpc-server, or ssh-server.

Introduced 22.2.R1

Platforms

All

ssh-server
Synopsis Target type is SSH
Context configure system grpc-tunnel tunnel string handler string target-type ssh-server
Tree ssh-server

Description

When configured, this command assigns the SSH server as a handler for all tunnel sessions. At the gRPC tunnel protocol level, this corresponds to a value of SSH.

Notes

The following elements are part of a choice: custom-type, grpc-server, or ssh-server.

Introduced 22.2.R1

Platforms

All

target-name
Synopsis Enter the target-name context
Context configure system grpc-tunnel tunnel string target-name
Tree target-name
Introduced 22.2.R1

Platforms

All

node-name
Synopsis Set the node name as target name
Context configure system grpc-tunnel tunnel string target-name node-name
Tree node-name

Description

When configured, this command uses the node name as the target name. The node name is configured by the configure system name command.

Notes

The following elements are part of a choice: custom-string, node-name, or user-agent.

Introduced 22.2.R1

Platforms

All

user-agent
Synopsis Set the user agent as the target name
Context configure system grpc-tunnel tunnel string target-name user-agent
Tree user-agent

Description

When configured, this command uses the user agent as the target name. The agent is a string consisting of node-name:vendor:model:software-version.

Notes

The following elements are part of a choice: custom-string, node-name, or user-agent.

Introduced 22.2.R1

Platforms

All

icmp-vse boolean

Synopsis Enable vendor-specific extensions to ICMP
Context configure system icmp-vse boolean
Tree icmp-vse
Default false
Introduced 16.0.R1

Platforms

All

ip

Synopsis Enter the ip context
Context configure system ip
Tree ip
Introduced 16.0.R1

Platforms

All

forward-6in4 boolean
Synopsis Allow forwarding of IPv6 over IPv4 to system IP address
Context configure system ip forward-6in4 boolean
Tree forward-6in4
Default false
Introduced 19.10.R1

Platforms

All

ipv6-eh keyword
Synopsis Number of IPv6 extension headers parsed in line cards
Context configure system ip ipv6-eh keyword
Tree ipv6-eh
Options max, limited
Default max
Introduced 20.5.R1

Platforms

All

mpls
Synopsis Enter the mpls context
Context configure system ip mpls
Tree mpls
Introduced 19.10.R3

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

l2tp

Synopsis Enter the l2tp context
Context configure system l2tp
Tree l2tp
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

non-multi-chassis-tunnel-id-range
Synopsis Enter the non-multi-chassis-tunnel-id-range context
Context configure system l2tp non-multi-chassis-tunnel-id-range
Tree non-multi-chassis-tunnel-id-range
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

lacp

Synopsis Enter the lacp context
Context configure system lacp
Tree lacp
Introduced 16.0.R1

Platforms

All

system-priority number
Synopsis LACP system priority on aggregated Ethernet interfaces
Context configure system lacp system-priority number
Tree system-priority
Range 1 to 65535
Default 32768
Introduced 16.0.R1

Platforms

All

lldp

Synopsis Enter the lldp context
Context configure system lldp
Tree lldp
Introduced 16.0.R1

Platforms

All

admin-state keyword
Synopsis Administrative state of LLDP
Context configure system lldp admin-state keyword
Tree admin-state
Options enable, disable
Default enable
Introduced 16.0.R1

Platforms

All

message-fast-tx number
Synopsis Interval at which LLDP frames are transmitted
Context configure system lldp message-fast-tx number
Tree message-fast-tx

Description

This command configures the interval at which LLDP frames are transmitted on behalf of the LLDP during a fast transmission period.

Range 1 to 3600
Units seconds
Default 1
Introduced 16.0.R1

Platforms

All

reinit-delay number
Synopsis Time required before re-initializing LLDP on a port
Context configure system lldp reinit-delay number
Tree reinit-delay
Range 1 to 10
Units seconds
Default 2
Introduced 16.0.R1

Platforms

All

tx-credit-max number
Synopsis Maximum consecutive LLDPDUs that can be transmitted
Context configure system lldp tx-credit-max number
Tree tx-credit-max
Range 1 to 100
Default 5
Introduced 16.0.R1

Platforms

All

tx-interval number
Synopsis LLDP transmit interval
Context configure system lldp tx-interval number
Tree tx-interval
Range 5 to 32768
Units seconds
Default 30
Introduced 16.0.R1

Platforms

All

load-balancing

Synopsis Enter the load-balancing context
Context configure system load-balancing
Tree load-balancing
Introduced 16.0.R1

Platforms

All

lsr-load-balancing keyword
Synopsis Algorithm for system-wide LSR load balancing
Context configure system load-balancing lsr-load-balancing keyword
Tree lsr-load-balancing
Options lbl-only, lbl-ip, ip-only, eth-encap-ip, lbl-ip-l4-teid, lbl-eth-ip-l4-teid, lbl-ip-or-teid
Introduced 16.0.R1

Platforms

All

location string

Synopsis Site location of the system
Context configure system location string
Tree location
String Length 1 to 80
Introduced 16.0.R1

Platforms

All

login-control

Synopsis Enter the login-control context
Context configure system login-control
Tree login-control
Introduced 16.0.R1

Platforms

All

idle-timeout (keyword | number)
Synopsis Idle timeout for FTP, console, or Telnet sessions
Context configure system login-control idle-timeout (keyword | number)
Tree idle-timeout
Range 1 to 1440
Units minutes
Options none
Default 30
Introduced 16.0.R1

Platforms

All

login-scripts
Synopsis Enter the login-scripts context
Context configure system login-control login-scripts
Tree login-scripts
Introduced 16.0.R1

Platforms

All

per-user-script
Synopsis Enter the per-user-script context
Context configure system login-control login-scripts per-user-script
Tree per-user-script
Introduced 16.0.R1

Platforms

All

motd
Synopsis Enter the motd context
Context configure system login-control motd
Tree motd
Introduced 16.0.R1

Platforms

All

text string
Synopsis Message of the day displayed after console login
Context configure system login-control motd text string
Tree text
String Length 1 to 900

Notes

The following elements are part of a choice: text or url.

Introduced 16.0.R1

Platforms

All

url string
Synopsis URL of the location of message of the day
Context configure system login-control motd url string
Tree url
String Length 1 to 180

Notes

The following elements are part of a choice: text or url.

Introduced 16.0.R1

Platforms

All

pre-login-message
Synopsis Enter the pre-login-message context
Context configure system login-control pre-login-message
Tree pre-login-message

Description

Commands in this context configure a message to display before logging in to the router using Telnet, SSH, or the console port.

Only one message can be configured. If a new pre-login message is configured, the new message overwrites the previous message.

Note: The pre-login message is displayed on both active and standby systems.

Introduced 16.0.R1

Platforms

All

message string
Synopsis Message displayed before the login prompt
Context configure system login-control pre-login-message message string
Tree message

Description

This command configures the pre-login message.

Any printable, 7-bit ASCII characters can be used. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes. Some special characters can be used to format the message text. Use the newline (\n) character to create multiline messages. A newline (\n) character in the message moves to the beginning of the next line by sending ASCII/UTF-8 characters 0xA (LF) and 0xD (CR) to the client terminal. A carriage return (\r) character in the message sends the ASCII/UTF-8 character 0xD (CR) to the client terminal.

String Length 1 to 900
Introduced 16.0.R1

Platforms

All

ssh
Synopsis Enter the ssh context
Context configure system login-control ssh
Tree ssh
Introduced 16.0.R1

Platforms

All

telnet
Synopsis Enter the telnet context
Context configure system login-control telnet
Tree telnet
Introduced 16.0.R1

Platforms

All

management-interface

Synopsis Enter the management-interface context
Context configure system management-interface
Tree management-interface
Introduced 16.0.R1

Platforms

All

cli
Synopsis Enter the cli context
Context configure system management-interface cli
Tree cli

Description

Commands in this context configure the CLI management interfaces.

Introduced 16.0.R1

Platforms

All

classic-cli
Synopsis Enter the classic-cli context
Context configure system management-interface cli classic-cli
Tree classic-cli

Description

Commands in this context configure the classic CLI management interface.

Introduced 16.0.R1

Platforms

All

allow-immediate boolean
Synopsis Allow writable access in classic CLI configure branch
Context configure system management-interface cli classic-cli allow-immediate boolean
Tree allow-immediate

Description

When configured to true, this command enables write access in the classic CLI configuration branch without having to use the classic CLI candidate edit functionality.

When configured to false, this command blocks write access and configuration changes in the classic CLI configuration branch, and the classic CLI configuration branch is read-only. This enforces using the classic CLI candidate edit functionality, including candidate commit, to modify the router configuration, instead of allowing immediate line-by-line configuration changes.

Default true
Introduced 16.0.R1

Platforms

All

rollback
Synopsis Enter the rollback context
Context configure system management-interface cli classic-cli rollback
Tree rollback

Description

Commands in this context control classic CLI configuration rollback functionality, such as the maximum number of rollback checkpoints the system maintains. Configuration rollback allows the operator to revert to previous router configuration states while minimizing impacts to services.

Introduced 16.0.R1

Platforms

All

location string
Synopsis Path and filename prefix for rollback checkpoint files
Context configure system management-interface cli classic-cli rollback location string
Tree location

Description

This command configures the local (for example, compact flash) or remote location and name of the classic CLI rollback checkpoint files. The filename must not contain a suffix. The suffixes for rollback checkpoint files are, for example, .rb, .rb.1, .rb.2, and so on. The suffixes are automatically appended to rollback checkpoint files.

String Length 1 to 180
Introduced 16.0.R1

Platforms

All

rescue
Synopsis Enter the rescue context
Context configure system management-interface cli classic-cli rollback rescue
Tree rescue
Introduced 16.0.R1

Platforms

All

location string
Synopsis Location of the rescue configuration file
Context configure system management-interface cli classic-cli rollback rescue location string
Tree location

Description

This command configures the local or remote location and filename of the classic CLI rescue configuration file. The suffix (.rc) is automatically appended to the filename when a rescue configuration file is saved. Trivial FTP (TFTP) is not supported for remote locations.

String Length 1 to 180
Introduced 16.0.R1

Platforms

All

cli-engine keyword
Synopsis System-wide CLI engine access
Context configure system management-interface cli cli-engine keyword
Tree cli-engine

Description

This command configures the system-wide CLI engine. The operator can configure one or both engines. For the configuration to take effect, exit the running CLI session and start a new session after committing the new value.

Options classic-cli, md-cli
Max. Instances 2

Notes

This element is ordered by the user.

Introduced 16.0.R1

Platforms

All

md-cli
Synopsis Enter the md-cli context
Context configure system management-interface cli md-cli
Tree md-cli

Description

Commands in this context configure the MD-CLI management interface.

Introduced 16.0.R1

Platforms

All

auto-config-save boolean
Synopsis Automatically save configuration as part of commit
Context configure system management-interface cli md-cli auto-config-save boolean
Tree auto-config-save

Description

When configured to true, the system automatically writes the running configuration to the save configuration file as part of a successful commit operation.

Default true
Introduced 16.0.R1

Platforms

All

environment
Synopsis Enter the environment context
Context configure system management-interface cli md-cli environment
Tree environment
Introduced 16.0.R1

Platforms

All

command-alias
Synopsis Enter the command-alias context
Context configure system management-interface cli md-cli environment command-alias
Tree command-alias
Introduced 21.7.R1

Platforms

All

alias [alias-name] string
Synopsis Enter the alias list instance
Context configure system management-interface cli md-cli environment command-alias alias string
Tree alias

Description

Commands in this context create aliases to existing MD-CLI commands or to Python applications.

Aliases may be mounted for use globally or for selected context paths. Arguments and output modifiers may be provided to aliases at configuration or run time.

Introduced 21.7.R1

Platforms

All

admin-state keyword
Synopsis Administrative state of the alias
Context configure system management-interface cli md-cli environment command-alias alias string admin-state keyword
Tree admin-state

Description

This command controls the administrative state of the MD-CLI alias.

MD-CLI aliases that are administratively disabled cannot be executed, are not displayed in command completion, and do not appear in ? help.

Options enable, disable
Default disable
Introduced 21.10.R1

Platforms

All

mount-point [path] (keyword | string)
Synopsis Add a list entry for mount-point
Context configure system management-interface cli md-cli environment command-alias alias string mount-point (keyword | string)
Tree mount-point
Min. Instances 1
Introduced 21.7.R1

Platforms

All

command-completion
Synopsis Enter the command-completion context
Context configure system management-interface cli md-cli environment command-completion
Tree command-completion
Introduced 16.0.R1

Platforms

All

console
Synopsis Enter the console context
Context configure system management-interface cli md-cli environment console
Tree console
Introduced 16.0.R1

Platforms

All

info-output
Synopsis Enter the info-output context
Context configure system management-interface cli md-cli environment info-output
Tree info-output
Introduced 22.2.R1

Platforms

All

always-display
Synopsis Enter the always-display context
Context configure system management-interface cli md-cli environment info-output always-display
Tree always-display

Description

Commands in this context specify elements that are always displayed in the info output, regardless of whether the detail option is used.

Introduced 22.2.R1

Platforms

All

progress-indicator
Synopsis Enter the progress-indicator context
Context configure system management-interface cli md-cli environment progress-indicator
Tree progress-indicator
Introduced 16.0.R1

Platforms

All

prompt
Synopsis Enter the prompt context
Context configure system management-interface cli md-cli environment prompt
Tree prompt
Introduced 16.0.R1

Platforms

All

python
Synopsis Enter the python context
Context configure system management-interface cli md-cli environment python
Tree python

Description

Commands in this context customize Python settings used with the Python 3 interpreter in MD-CLI applications such as pyexec, command aliases, EHS, and CRON.

Introduced 21.10.R1

Platforms

All

time-display keyword
Synopsis Time zone to display time
Context configure system management-interface cli md-cli environment time-display keyword
Tree time-display

Description

This command configures the time zone for a timestamp displayed in outputs, such as event logs and show commands for the current CLI session.

In event logs, the selected time is used to control the timestamps in the CLI output of show log log-id and in YANG state in the /state/log/log-id branch (for logs such as session, cli, memory, SNMP, and NETCONF).

Also see the configure log log-id time-format command.

Options local, utc
Default local
Introduced 16.0.R1

Platforms

All

time-format keyword
Synopsis Format to display the date and time
Context configure system management-interface cli md-cli environment time-format keyword
Tree time-format

Description

This command specifies the format of the time display in the prompt, configuration, state, and certain show command output in the current CLI session.

Options iso-8601, rfc-1123, rfc-3339
Default rfc-3339
Introduced 20.5.R1

Platforms

All

commit-history number
Synopsis Number of commit history IDs to store
Context configure system management-interface commit-history number
Tree commit-history

Description

This command sets the number of IDs to store in the commit history.

Setting the value to 0 disables the commit history.

Range 0 to 200
Default 50
Introduced 21.10.R1

Platforms

All

configuration-mode keyword
Synopsis Management interfaces allowed to edit the configuration
Context configure system management-interface configuration-mode keyword
Tree configuration-mode

Description

This command controls which of the classic or model-driven management interfaces can modify the configuration of the router.

Any management interface can be used in any configuration mode (to gather state information or perform operations, for example), but only specific management interfaces (CLI, NETCONF, and so on) are allowed to edit the configuration of the router in different modes. For example, only classic CLI and SNMP can be used to edit the configuration when in classic mode.

Options classic, model-driven, mixed
Introduced 16.0.R1

Platforms

All

configuration-save
Synopsis Enter the configuration-save context
Context configure system management-interface configuration-save
Tree configuration-save

Description

Commands in this context configure the attributes for saved configuration files.

Introduced 16.0.R1

Platforms

All

configuration-backups number
Synopsis Maximum number of configuration versions maintained
Context configure system management-interface configuration-save configuration-backups number
Tree configuration-backups

Description

This command configures the maximum number of saved configuration file versions the router maintains.

When the configuration is saved, configuration file names are appended with a numeric extension. Each subsequent configuration save creates a new configuration file version with an incremented numeric extension until the maximum count is reached, after which the next configuration save overwrites the oldest file version.

Each persistent index file is updated at the same time as the associated configuration file. The system synchronizes the active and standby CPM for all configurations and their associated persistent index files.

Range 1 to 200
Default 50
Introduced 16.0.R1

Platforms

All

incremental-saves boolean
Synopsis Use incremental saved configuration files
Context configure system management-interface configuration-save incremental-saves boolean
Tree incremental-saves

Description

When configured to true, the system saves each commit to the configure configuration region in a separate incremental saved configuration file, which allows for faster commits, instead of saving a complete saved configuration file each time.

Default true
Introduced 22.7.R1

Platforms

All

netconf
Synopsis Enter the netconf context
Context configure system management-interface netconf
Tree netconf
Introduced 16.0.R1

Platforms

All

auto-config-save boolean
Synopsis Automatically save configuration as part of commit
Context configure system management-interface netconf auto-config-save boolean
Tree auto-config-save

Description

When configured to true, the system automatically writes the running configuration to the save configuration file as part of a successful commit operation.

Default true
Introduced 16.0.R1

Platforms

All

capabilities
Synopsis Enter the capabilities context
Context configure system management-interface netconf capabilities
Tree capabilities

Description

Commands in this context configure explicit capabilities for the NETCONF server.

Introduced 16.0.R1

Platforms

All

candidate boolean
Synopsis Allow the NETCONF server to access candidate datastore
Context configure system management-interface netconf capabilities candidate boolean
Tree candidate

Description

When configured to true, this command allows the SR OS NETCONF server to access the candidate configuration datastore. Configuring this command to true also enables using commit and discard-changes.

When configure system management-interface configuration-mode is set to classic, the candidate capability is disabled, even if this command is configured to true.

When configured to false, this command disables the SR OS NETCONF server from accessing the candidate datastore. If the candidate is disabled, requests that reference the candidate datastore return an error, and when a NETCONF client establishes a new session, the candidate capability is not advertised in the SR OS NETCONF Hello message.

Default true
Introduced 16.0.R1

Platforms

All

delay-on-boot number
Synopsis Delay for NETCONF connections after system boot
Context configure system management-interface netconf delay-on-boot number
Tree delay-on-boot

Description

This command configures the delay timer for NETCONF connections. When the timer expires, NETCONF becomes operational and connections are accepted. This delay prevents automation from managing the system while it is still converging.

When no delay is configured, connections are accepted after the system boots and NETCONF becomes operational.

Range 1 to 3600
Units seconds
Introduced 23.10.R1

Platforms

All

port number
Synopsis Port on which NETCONF server listens for connections
Context configure system management-interface netconf port number
Tree port

Description

This command specifies the port on which the SR OS NETCONF server listens for new connections. One port can be configured for NETCONF management.

The configured port applies to both non-VPRN and VPRN management. New NETCONF connections are able to use the configured port.

For NETCONF connections not using VPRN management, active NETCONF connections are not disconnected if the connection port changes. For NETCONF connections using VPRN management, active NETCONF connections are disconnected if the connection port changes.

Range 22 | 830
Default 830
Introduced 19.10.R1

Platforms

All

operations
Synopsis Enter the operations context
Context configure system management-interface operations
Tree operations

Description

Commands in this context configure parameters associated with operational commands in model-driven interfaces.

Introduced 21.5.R1

Platforms

All

global-timeouts
Synopsis Enter the global-timeouts context
Context configure system management-interface operations global-timeouts
Tree global-timeouts

Description

Commands in this context configure system timeout parameters for operational commands.

Timeout parameters provide default system-level control for various types of operational commands in model-driven interfaces. The timeout values are used when specific execution and retention timeouts are not requested for a specific operation.

Introduced 21.5.R1

Platforms

All

asynchronous-execution (number | keyword)
Synopsis Timeout for asynchronous operation execution
Context configure system management-interface operations global-timeouts asynchronous-execution (number | keyword)
Tree asynchronous-execution

Description

This command configures the period of time that operations launched as “asynchronous” are allowed to execute before being automatically stopped by the SR OS.

An asynchronous operation is not deleted from the system when it is stopped. See the asynchronous-retention command.

If a specific execution timeout is not included in the request for a particular asynchronous operation, this system-level timeout applies.

Note: This execution timeout is part of the general global operations infrastructure and is separate and independent from any operation-specific timeouts (for example, the ping operation also has its own timeout parameter).

Range 1 to 604800
Units seconds
Options never
Default 3600
Introduced 21.5.R1

Platforms

All

asynchronous-retention (number | keyword)
Synopsis Timeout for asynchronous operation data retention
Context configure system management-interface operations global-timeouts asynchronous-retention (number | keyword)
Tree asynchronous-retention

Description

This command configures the period of time that data related to operations launched as “asynchronous” is retained in the system. After the retention timeout expires, all information related to the operation is deleted, including any status information and result data.

If a specific retention timeout is not included in the request for a particular asynchronous operation, this system-level timeout applies.

Range 1 to 604800
Units seconds
Options never
Default 86400
Introduced 21.5.R1

Platforms

All

synchronous-execution (number | keyword)
Synopsis Timeout for synchronous operation execution
Context configure system management-interface operations global-timeouts synchronous-execution (number | keyword)
Tree synchronous-execution

Description

This command configures the period of time that operations launched as “synchronous” (the default method for all operations) are allowed to execute before they are automatically stopped, and their associated data is deleted.

If a specific execution timeout is not included in the request for a particular synchronous operation, this system-level timeout applies.

Note: This execution timeout is part of the general global operations infrastructure and is separate and independent from any operation-specific timeouts (for example, the ping operation also has its own timeout parameter).

Caution: If this command is set with a specific time value, MD-CLI operations are subject to the timeout and are interrupted if they execute longer than the time value. This situation can arise because the timeout also applies to operations requested in the MD-CLI interface (for example, ping, file dir, and so on).

Range 1 to 604800
Units seconds
Options never
Default never
Introduced 21.5.R1

Platforms

All

remote-management
Synopsis Enter the remote-management context
Context configure system management-interface remote-management
Tree remote-management

Description

Commands in this context configure the SR OS node to use the remote management service. Configuring remote management enables the SR OS node to report itself to a remote manager service running on a remote server, so that it is included in the dynamic list of available nodes. The manager service streamlines the management of multiple SR OS nodes running different SR OS versions using the same client application providing a similar shell to the MD-CLI.

Introduced 20.5.R1

Platforms

All

allow-unsecure-connection
Synopsis Allow connection without secured transport protocol
Context configure system management-interface remote-management allow-unsecure-connection
Tree allow-unsecure-connection

Description

When configured, this command allows an unsecured connection to remote managers; TCP connections are not encrypted, including username and password information.

Notes

The following elements are part of a choice: allow-unsecure-connection or client-tls-profile.

Introduced 20.5.R1

Platforms

All

delay-on-boot number
Synopsis Delay for remote management after system boot
Context configure system management-interface remote-management delay-on-boot number
Tree delay-on-boot

Description

This command configures the delay timer for remote management connections over gRPC. When the timer expires, remote management becomes operational and connections are accepted. This delay prevents automation from managing the system while it is still converging.

When no delay is configured, remote management connections are accepted after the system boots and gRPC becomes operational.

Range 1 to 3600
Units seconds
Introduced 23.10.R1

Platforms

All

device-label string
Synopsis Device label supplied to the remote manager
Context configure system management-interface remote-management device-label string
Tree device-label

Description

This command specifies a metadata label that is supplied to the manager. This label is used to group devices or network nodes with a common purpose or goal.

String Length 1 to 64
Introduced 20.5.R1

Platforms

All

device-name string
Synopsis Device name supplied to the remote manager
Context configure system management-interface remote-management device-name string
Tree device-name

Description

This command specifies a device name that is supplied to the manager. The name identifies a specific SR OS node in the network.

When unconfigured, the default system name is used.

String Length 1 to 64
Introduced 20.5.R1

Platforms

All

manager [manager-name] string
Synopsis Enter the manager list instance
Context configure system management-interface remote-management manager string
Tree manager

Description

Commands in this context configure options for a specific manager.

Commands configured in this context take precedence over command values specified directly in the configure management-interface remote-management context.

If a command is not configured in this context, the command setting is inherited from the higher level context.

Max. Instances 2
Introduced 20.5.R1

Platforms

All

allow-unsecure-connection
Synopsis Allow connection without secured transport protocol
Context configure system management-interface remote-management manager string allow-unsecure-connection
Tree allow-unsecure-connection

Description

When configured, the system allows an unsecured connection to the remote managers; the TCP connection is not encrypted. This includes username and password information.

Notes

The following elements are part of a choice: allow-unsecure-connection or client-tls-profile.

Introduced 20.5.R1

Platforms

All

device-label string
Synopsis Device label supplied to the remote manager
Context configure system management-interface remote-management manager string device-label string
Tree device-label

Description

This command specifies a metadata label that is supplied to the manager. This label is used to group devices or network nodes with a common purpose or goal.

String Length 1 to 64
Introduced 20.5.R1

Platforms

All

device-name string
Synopsis Device name supplied to the remote manager
Context configure system management-interface remote-management manager string device-name string
Tree device-name

Description

This command specifies a device name that is supplied to the manager. The name identifies a specific SR OS node in the network.

When unconfigured, the default system name is used.

String Length 1 to 64
Introduced 20.5.R1

Platforms

All
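
An added example, not Nokia's code: a Python check that resolves each manager's effective transport from flat configuration lines written as the full context paths used in this reference, applying the manager-over-global precedence described in the remote-management entries above. The sample lines, the manager names and the rm-tls profile name are constructed; treating a manager-level client-tls-profile as replacing an inherited allow-unsecure-connection, and reporting a manager with neither element as "unset", are assumptions drawn from the choice and inheritance notes.

```python
import shlex

# Context path of the remote-management container, as written in this reference.
BASE = ["configure", "system", "management-interface", "remote-management"]
# The two elements the reference lists as a choice.
CHOICE = ("allow-unsecure-connection", "client-tls-profile")

# Constructed sample input (not taken from a real node): one statement per
# line, using full context paths. Manager and profile names are made up.
SAMPLE_CONFIG = """\
configure system management-interface remote-management allow-unsecure-connection
configure system management-interface remote-management device-label "core"
configure system management-interface remote-management manager "mgr-a" device-name "pe1"
configure system management-interface remote-management manager "mgr-b" client-tls-profile "rm-tls"
configure system management-interface snmp streaming admin-state enable
"""


def parse_remote_management(text):
    """Return (global_settings, {manager_name: settings}) from flat config lines."""
    global_cfg, managers = {}, {}
    for raw in text.splitlines():
        try:
            tokens = shlex.split(raw.strip().lstrip("/"))
        except ValueError:
            continue  # unbalanced quotes: not a statement this check can read
        if tokens[:len(BASE)] != BASE:
            continue  # statement belongs to another context
        rest = tokens[len(BASE):]
        target = global_cfg
        if rest[:1] == ["manager"] and len(rest) >= 2:
            target = managers.setdefault(rest[1], {})
            rest = rest[2:]
        if not rest:
            continue  # bare container or list entry, nothing to record
        key = rest[0]
        value = rest[1] if len(rest) > 1 else True
        if key in CHOICE:
            # Choice elements are mutually exclusive: the last one set wins.
            for member in CHOICE:
                target.pop(member, None)
        target[key] = value
    return global_cfg, managers


def effective_transport(global_cfg, manager_cfg):
    """Resolve one manager's transport: its own setting first, then the inherited one."""
    for scope, cfg in (("manager", manager_cfg), ("inherited", global_cfg)):
        if "client-tls-profile" in cfg:
            return ("tls", cfg["client-tls-profile"], scope)
        if "allow-unsecure-connection" in cfg:
            return ("unsecured", None, scope)
    # Assumption: neither element configured anywhere is reported for review.
    return ("unset", None, None)


def audit(text):
    """List (manager, mode, scope) for every manager not resolved to a TLS profile."""
    global_cfg, managers = parse_remote_management(text)
    findings = []
    for name in sorted(managers):
        mode, _profile, scope = effective_transport(global_cfg, managers[name])
        if mode != "tls":
            findings.append((name, mode, scope))
    return findings


if __name__ == "__main__":
    for name, mode, scope in audit(SAMPLE_CONFIG):
        print(f"manager {name}: transport {mode} (source: {scope})")
```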

schema-path string
Synopsis Schema path URL
Context configure system management-interface schema-path string
Tree schema-path

Description

This command specifies the schema path where the SR OS YANG modules can be placed by the user before using a <get-schema> request. Nokia recommends that the URL string not exceed 135 characters for the <get-schema> request to work correctly with all schema files.

If this command is not configured, the software upgrade process manages the YANG schema files to ensure the schema files are synchronized with the software image on both the primary and standby CPM.

String Length 1 to 180
Introduced 16.0.R4

Platforms

All

snmp
Synopsis Enter the snmp context
Context configure system management-interface snmp
Tree snmp
Introduced 16.0.R1

Platforms

All

admin-state keyword
Synopsis Administrative state of the SNMP agent
Context configure system management-interface snmp admin-state keyword
Tree admin-state

Description

This command administratively enables or disables SNMP agent operations. Disabling SNMP does not prevent the agent from sending SNMP notifications to configured SNMP trap destinations.

In classic and mixed configuration mode, the agent is administratively disabled in the event of a reboot when the processing of the configuration file fails to complete or when an SNMP persistent index file fails while the bof system persistent-indices command is set to true. This prevents an SNMP-based management system from accessing and possibly synchronizing with a partially booted or incomplete network element. This auto-disable behavior is not applicable to model-driven configuration mode.

Options enable, disable
Default enable
Introduced 16.0.R1

Platforms

All

engine-id string
Synopsis SNMP engine ID that identifies the SNMPv3 node
Context configure system management-interface snmp engine-id string
Tree engine-id

Description

This command sets the SNMP engine ID that uniquely identifies the SNMPv3 node.

If unconfigured, the system uses an engine ID based on the information from the system backplane.

If the SNMP engine ID is changed, the current configuration must be saved and a reboot must be executed. Otherwise, the previously configured SNMP communities and logger trap-target notify communities will not be valid for the new engine ID.

Note: Changing the SNMP engine ID invalidates all SNMPv3 MD5 and SHA security digest keys, which may render the node unmanageable.

When replacing a chassis, configure the new router to use the same engine ID as the previous router. This preserves SNMPv3 security keys and allows management stations to use their existing authentication keys for the new router.

Ensure that the engine ID of each router is unique. A management domain can only maintain one instance of a specific engine ID.

String Length 10 to 64
Introduced 16.0.R1

Platforms

All

general-port number
Synopsis Port number used to send general SNMP messages
Context configure system management-interface snmp general-port number
Tree general-port

Description

This command configures the port number used to receive SNMP request messages and send replies.

For the port used for SNMP notifications, configure the configure log snmp-trap-group trap-target port command.

Range 0 | 1 to 65535
Default 161
Introduced 16.0.R1

Platforms

All

max-bulk-duration number
Synopsis Maximum process duration before responses are returned
Context configure system management-interface snmp max-bulk-duration number
Tree max-bulk-duration

Description

This command sets the maximum duration to process an SNMP request before bulk responses are returned to avoid a timeout on the management system when a lot of information is returned in the response.

Range 100 to 5000
Units milliseconds
Introduced 23.3.R1

Platforms

All

streaming
Synopsis Enter the streaming context
Context configure system management-interface snmp streaming
Tree streaming
Introduced 16.0.R1

Platforms

All

admin-state keyword
Synopsis Administrative state of SNMP streaming
Context configure system management-interface snmp streaming admin-state keyword
Tree admin-state

Description

This command enables or disables the proprietary SNMP request and response bundling as well as the TCP-based transport mechanism for optimizing network management of the router nodes. In higher latency networks, synchronizing router MIBs from network management using streaming takes less time than synchronizing using classic SNMP UDP requests. Streaming operates on TCP port 1491 and runs over IPv4 or IPv6.

Options enable, disable
Default disable
Introduced 16.0.R1

Platforms

All

yang-modules
Synopsis Enter the yang-modules context
Context configure system management-interface yang-modules
Tree yang-modules

Description

Commands in this context determine the system support of the Nokia YANG models.

The settings affect the data sent in a NETCONF <hello>, data populated in the RFC 6022 /netconf-state/schemas list, data returned in a <get-schema> request, and data populated in the RFC 8525 /yang-library.

See "NETCONF monitoring" and "YANG library" in the 7450 ESS, 7750 SR, 7950 XRS, and VSR System Management Guide for more information.

Introduced 16.0.R1

Platforms

All

nmda
Synopsis Enter the nmda context
Context configure system management-interface yang-modules nmda
Tree nmda

Description

Commands in this context configure the attributes for the Network Management Datastores Architecture (NMDA).

Introduced 21.7.R1

Platforms

All

nmda-support boolean
Synopsis Advertise NMDA support over NETCONF
Context configure system management-interface yang-modules nmda nmda-support boolean
Tree nmda-support

Description

When configured to true, this command enables the advertisement of NMDA support over NETCONF through the use of YANG library 1.1.

When configured to false, this command disables NMDA advertisement over NETCONF and YANG library 1.0 is used.

Default false
Introduced 21.7.R1

Platforms

All

nokia-combined-modules boolean
Synopsis Support access to combined Nokia YANG models
Context configure system management-interface yang-modules nokia-combined-modules boolean
Tree nokia-combined-modules

Description

When configured to true, the system supports the combined Nokia YANG files for both configuration and state data in the NETCONF server.

When the system is operating in classic configuration mode, attempts to access (read or write) the configuration using the Nokia configuration modules or namespace via NETCONF result in errors, even if this command is set to true.

When configured to false, access to the combined Nokia YANG files is not supported.

This command and the nokia-submodules command cannot both be set to true at the same time.

Introduced 16.0.R4

Platforms

All

nokia-submodules boolean
Synopsis Support submodule-based packaging of Nokia YANG models
Context configure system management-interface yang-modules nokia-submodules boolean
Tree nokia-submodules

Description

When configured to true, the system supports the alternative submodule-based packaging of the Nokia YANG files for both configuration and state data in the NETCONF server.

When the system is operating in classic configuration mode, attempts to access (read or write) the configuration using the Nokia configuration modules or namespace via NETCONF result in errors, even if this command is set to true.

When configured to false, access to the submodule-based packaging of the Nokia YANG files is not supported.

This command and the nokia-combined-modules command cannot both be set to true at the same time.

Introduced 21.2.R1

Platforms

All

openconfig-modules boolean
Synopsis Support access to OpenConfig YANG models
Context configure system management-interface yang-modules openconfig-modules boolean
Tree openconfig-modules

Description

When configured to true, this command allows access to OpenConfig YANG models in all model-driven interfaces.

Default false
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

shared-model-management boolean
Synopsis Allow multiple models to configure the same elements
Context configure system management-interface yang-modules shared-model-management boolean
Tree shared-model-management

Description

When configured to true, the router allows Nokia and third-party models to configure the same elements in model-driven interfaces.

When configured to false, only one model can be used to configure the same element.

Default true
Introduced 23.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

name string

Synopsis Administrative name assigned to the system
Context configure system name string
Tree name
String Length 1 to 64
Introduced 16.0.R1

Platforms

All

network-element-discovery

Synopsis Enter the network-element-discovery context
Context configure system network-element-discovery
Tree network-element-discovery
Introduced 19.5.R1

Platforms

All

profile [name] string
Synopsis Enter the profile list instance
Context configure system network-element-discovery profile string
Tree profile
Max. Instances 1
Introduced 19.5.R1

Platforms

All

neip
Synopsis Enter the neip context
Context configure system network-element-discovery profile string neip
Tree neip
Introduced 19.5.R1

Platforms

All

auto-generate
Synopsis Enter the auto-generate context
Context configure system network-element-discovery profile string neip auto-generate
Tree auto-generate
Introduced 21.2.R1

Platforms

All

ospf-dynamic-hostnames boolean

Synopsis Process received OSPF dynamic hostname information
Context configure system ospf-dynamic-hostnames boolean
Tree ospf-dynamic-hostnames

Description

When configured to true, OSPF dynamic hostnames are enabled. The router receiving the new dynamic hostname within the OSPF Router Information (RI) LSA is instructed to process the received dynamic hostname information.

When configured to false, dynamic hostname information is not processed.

Default false
Introduced 20.2.R1

Platforms

All

persistence

Synopsis Enter the persistence context
Context configure system persistence
Tree persistence

Description

Commands in this context configure persistence on the system.

The persistence feature enables the system to retain state information learned through DHCP snooping across reboots. This information includes data such as the IP address and MAC binding information, lease-length information, and ingress SAP information (required for VPLS snooping to identify the ingress interface).

If persistence is enabled when there are no DHCP relay or snooping commands enabled, the system creates an empty file.

Introduced 16.0.R1

Platforms

All

application-assurance
Synopsis Enter the application-assurance context
Context configure system persistence application-assurance
Tree application-assurance

Description

Commands in this context configure AA persistence on the system.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

dhcp-server
Synopsis Enter the dhcp-server context
Context configure system persistence dhcp-server
Tree dhcp-server
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

location keyword
Synopsis CPM flash card where the information is stored
Context configure system persistence dhcp-server location keyword
Tree location
Options cf1, cf2, cf3
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

nat-port-forwarding
Synopsis Enter the nat-port-forwarding context
Context configure system persistence nat-port-forwarding
Tree nat-port-forwarding
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

python-policy-cache
Synopsis Enter the python-policy-cache context
Context configure system persistence python-policy-cache
Tree python-policy-cache
Introduced 16.0.R1

Platforms

All

subscriber-mgmt
Synopsis Enter the subscriber-mgmt context
Context configure system persistence subscriber-mgmt
Tree subscriber-mgmt
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

location keyword
Synopsis CPM flash card where the information is stored
Context configure system persistence subscriber-mgmt location keyword
Tree location
Options cf1, cf2, cf3
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

power-management power-zone number

Synopsis Enter the power-management list instance
Context configure system power-management power-zone number
Tree power-management
Introduced 16.0.R1

Platforms

7750 SR-1s, 7750 SR-2s, 7750 SR-2se, 7750 SR-7s, 7750 SR-14s, 7950 XRS

power-zone number
Synopsis Power zone
Context configure system power-management power-zone number
Tree power-management
Range 1 to 2
MD-CLI Default 1

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

7750 SR-1s, 7750 SR-2s, 7750 SR-2se, 7750 SR-7s, 7750 SR-14s, 7950 XRS

mode keyword
Synopsis Power capacity mode algorithm
Context configure system power-management power-zone number mode keyword
Tree mode
Options none, basic, advanced
Default basic
Introduced 16.0.R1

Platforms

7750 SR-1s, 7750 SR-2s, 7750 SR-2se, 7750 SR-7s, 7750 SR-14s, 7950 XRS

ptp

Synopsis Enter the ptp context
Context configure system ptp
Tree ptp

Description

Commands in this context configure Precision Time Control (PTP) parameters based on IEEE 1588-2008, Precision Time Protocol.

The context is only supported on control assemblies that support 1588.

Introduced 21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

admin-state keyword
Synopsis Administrative state of PTP
Context configure system ptp admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

alternate-profile [name] string
Synopsis Enter the alternate-profile list instance
Context configure system ptp alternate-profile string
Tree alternate-profile

Description

Commands in this context create an alternate profile configuration for use in PTP messaging.

The alternate profile can be used at the edge of a network to provide PTP time or frequency distribution outward to external PTP clocks.

The alternate profile cannot be deleted if it is configured as the profile under a PTP port.

Max. Instances 6
Introduced 22.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

[name] string
Synopsis Alternate profile name
Context configure system ptp alternate-profile string
Tree alternate-profile

Description

This command configures an alternate profile name.

The strings "Primary" and "primary" cannot be used for the alternate-profile name.

String Length 1 to 64

Notes

This element is part of a list key.

Introduced 22.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

admin-state keyword
Synopsis Administrative state of the alternate PTP profile
Context configure system ptp alternate-profile string admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 22.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

domain number
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Alternate profile PTP domain number
Context configure system ptp alternate-profile string domain number
Tree domain
Range 0 to 255
Default 24
Introduced 22.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

log-announce-interval number
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis PTP announce message interval in log form
Context configure system ptp alternate-profile string log-announce-interval number
Tree log-announce-interval

Description

This command configures the announce message interval used for multicast messages within the alternate profile.

For multicast messages used on PTP Ethernet ports, this command configures the message interval used for announce messages transmitted by the local node.

This value has no impact on the interval used for the BTCA, which is controlled by the value defined for the primary profile.

Range -3 to 4
Default -3
Introduced 22.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

profile keyword
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Standard based profile used within an alternate profile
Context configure system ptp alternate-profile string profile keyword
Tree profile

Description

This command specifies the standard based profile that is used as the basis for the alternate profile.

This setting controls the contents of PTP messages sent on ports and peers using this alternate profile.

Options g8265dot1-2010, ieee1588-2008, g8275dot1-2014, g8275dot2-2016
Default g8275dot1-2014
Introduced 22.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

announce-receipt-timeout number
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Expired intervals count before timeout event declared
Context configure system ptp announce-receipt-timeout number
Tree announce-receipt-timeout

Description

This command configures the number of Announce message intervals that must expire with no received Announce messages before declaring an ANNOUNCE_RECEIPT_TIMEOUT event.

Range 2 to 10
Default 3
Introduced 21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

clock-type keyword
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

WARNING:

Modifying this element recreates the parent element automatically for the new value to take effect.

Synopsis Clock type
Context configure system ptp clock-type keyword
Tree clock-type
Options slave-only, master-only, boundary
Introduced 21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

domain number
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis PTP domain
Context configure system ptp domain number
Tree domain

Description

This command configures the PTP domain. The default and valid range of the domain depend on the configured PTP profile.

  • IEEE 1588-2008 - domain range of 0 to 255 (default 0)

  • G.8265.1 - domain range of 0 to 255 (default 4)

  • G.8275.1 - domain range of 24 to 43 (default 24)

  • G.8275.2 - domain range of 0 to 255 (default 44)

Range 0 to 255
Introduced 21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

local-priority number
Synopsis PTP clock local priority
Context configure system ptp local-priority number
Tree local-priority

Description

This command configures the local priority used to choose between PTP timeTransmitters in the best timeTransmitter clock algorithm (BTCA). This setting applies when the PTP profile is configured for either G.8275.1 or G.8275.2 and is ignored for any other profile.

For G.8275.1 or G.8275.2, this command configures the localPriority parameter associated with the local clock (ptp context). See G.8275.1 or G.8275.2 for detailed information.

Range 1 to 255
Default 128
Introduced 21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

log-announce-interval number
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Announce message interval in log form
Context configure system ptp log-announce-interval number
Tree log-announce-interval

Description

This command configures the Announce message interval used for both unicast and multicast messages.

For unicast messages, the Announce message interval is requested during unicast negotiation to any peer. This controls the Announce message rate sent from remote peers to the local node. It does not affect the announce message rate that may be sent from the local node to remote peers. Remote peers may request an Announce message rate within the acceptable grant range.

For multicast messages used on PTP Ethernet ports, this command specifies the message interval used for Announce messages transmitted by the local node.

This value also defines the interval between executions of the BTCA within the node.

To minimize BTCA driven reconfigurations, IEEE recommends that the announce interval should be consistent across the entire 1588 network.

Range -3 to 4
Introduced 21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

network-type keyword
Synopsis PTP network type
Context configure system ptp network-type keyword
Tree network-type

Description

This command configures the codeset to be used for the encoding of QL values into PTP clockClass values and vice versa when the profile is configured for G.8265.1 or G.8275.2.

This setting only applies to the range of values observed in the clockClass values transmitted out of the node in Announce messages. The router supports the reception of any valid value in Table 1/G.8265.1 and Table 2/G.8275.2.

Options sonet, sdh
Default sdh
Introduced 21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

port [port-id] reference
Synopsis Enter the port list instance
Context configure system ptp port reference
Tree port

Description

Commands in this context configure PTP over Ethernet on the physical port. The PTP process transmits and receives PTP messages through the port using Ethernet encapsulation (as opposed to UDP/IPv4 encapsulation).

Frames are transmitted with no VLAN tags, even if the port is configured for dot1q or qinq modes for encap-type. The received frames from the external PTP clock must also be untagged.

Two reserved multicast addresses are allocated for PTP messages (see Annex F IEEE Std 1588-2008). Either address can be configured for the PTP messages sent through the port.

A PTP port cannot be created if the PTP profile is configured for G.8265.1.

If the port supports 1588 port-based timestamping, Synchronous Ethernet must be enabled on the MDA when PTP over Ethernet is enabled.

De-provisioning of the card or MDA containing the specified port is not permitted while the port is configured within PTP.

Changing the encapsulation or the port type of the Ethernet port is not permitted when PTP Ethernet Multicast operation is configured on the port.

To allocate an Ethernet satellite client port as a PTP port, the Ethernet satellite must first be enabled for the transparent clock function. For more information, see the configure satellite ethernet-satellite ptp-tc command.

The SyncE/1588 ports of the CPM and CCMs can be specified as PTP ports. These use the ‘A/3’ and ‘B/3’ designation and both must be specified as two PTP ports if both are used. The active CPM sends and receives messages on both ports if they are specified and enabled.

Introduced 21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

[port-id] reference
Synopsis Ethernet PTP port ID
Context configure system ptp port reference
Tree port

Reference

configure port string

Notes

This element is part of a list key.

Introduced 21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

address string
Synopsis Destination MAC address of the transmitted PTP messages
Context configure system ptp port reference address string
Tree address

Description

This command specifies the destination MAC address of the transmitted PTP messages. IEEE Std 1588-2008 Annex F defines two reserved addresses for 1588 messages, which include:

  • 01-1B-19-00-00-00 — all except the peer delay mechanism messages

  • 01-80-C2-00-00-0E — peer delay mechanism messages

Both addresses are supported for reception, independent of the address configured by this command.

Default 01:1B:19:00:00:00
Introduced 21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

admin-state keyword
Synopsis Administrative state of the PTP port
Context configure system ptp port reference admin-state keyword
Tree admin-state
Options enable, disable
Default enable
Introduced 21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

alternate-profile reference
Synopsis Alternate profile for the PTP port
Context configure system ptp port reference alternate-profile reference
Tree alternate-profile

Description

This command creates the alternate profile that is used in communications with the port or peer. If no alternate profile is specified, the primary profile is used.

Reference

configure system ptp alternate-profile string

Introduced 22.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

local-priority number
Synopsis PTP port local priority
Context configure system ptp port reference local-priority number
Tree local-priority

Description

This command configures the local priority used to choose between PTP timeTransmitters in the best timeTransmitter clock algorithm (BTCA). This setting applies when the PTP profile is configured for either G.8275.1 or G.8275.2 and is ignored for any other profile.

For G.8275.1 or G.8275.2, this command configures the localPriority parameter associated with the Announce messages received from the external clocks (ptp port context). See G.8275.1 or G.8275.2 for detailed information.

Range 1 to 255
Default 128
Introduced 21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

log-delay-interval number
Synopsis Minimum interval for Delay_Req messages in log form
Context configure system ptp port reference log-delay-interval number
Tree log-delay-interval

Description

This command configures the minimum interval used for multicast Delay_Req messages for the port. For ports in a slave state, the interval is used, unless the parent port indicates a longer interval. For a port in master state, the interval is advertised to external slave ports as the minimum acceptable interval for Delay_Req messages from the slave ports.

The router supports the 1588 standard requirement for a port in slave state to check the logMessageInterval field of received multicast Delay_Resp messages. If the value of the logMessageInterval field of the messages is greater than the value configured locally for the generation of Delay_Req messages, the slave must use the longer interval for the generation of Delay_Req messages.

The interval value is specified as the logarithm to the base 2.

Range -6 to 0
Introduced 21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

log-sync-interval number
Synopsis Interval for transmission of Sync messages in log form
Context configure system ptp port reference log-sync-interval number
Tree log-sync-interval

Description

This command configures the interval used for Sync messages transmitted by the local node when the port is in master state.

The interval value is specified as the logarithm to the base 2.

Range -6 to 0
Introduced 21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

master-only boolean
Synopsis Restrict the local port to master state
Context configure system ptp port reference master-only boolean
Tree master-only

Description

When configured to true, the local port is restricted to master state only, ensuring that the system does not obtain synchronization from attached external devices.

This command is supported only when the PTP profile is set for G.8275.1 or G.8275.2.

Introduced 21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

priority1 number
Synopsis Priority1 of the local clock
Context configure system ptp priority1 number
Tree priority1

Description

This command configures the priority1 parameter of the local clock. The setting is used when the profile is configured for IEEE 1588-2008.

This value is used by the Best Master Clock Algorithm to determine which clock should provide timing for the network and is advertised in Announce messages.

Range 0 to 255
Default 128
Introduced 21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

priority2 number
Synopsis Priority2 of the local clock
Context configure system ptp priority2 number
Tree priority2

Description

This command configures the priority2 parameter of the local clock. The setting is used when the profile is configured for IEEE 1588-2008, G.8275.1, or G.8275.2.

This value is used by the Best Master Clock algorithm to determine which clock should provide timing for the network and is advertised in Announce messages.

Range 0 to 255
Default 128
Introduced 21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

profile keyword
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

WARNING:

Modifying this element recreates the parent element automatically for the new value to take effect.

Synopsis PTP profile
Context configure system ptp profile keyword
Tree profile

Description

This command configures the profile to be used for the internal PTP clock. It defines the Best timeTransmitter Clock Algorithm (BTCA) behavior.

Profile changes may affect the settings of other configuration elements, such as the clock type and default settings for the delay interval, announce interval, and the Sync interval.

The following clock types are supported for the indicated profiles:

  • G.8265.1: slave only, master only

  • IEEE 1588 2008: slave only, master only, boundary

  • G.8275.1: slave only, boundary, master only (master only, only if the platform includes an embedded GNSS receiver)

  • G.8275.2: slave only, boundary, master only (master only, only if the platform includes an embedded GNSS receiver)

Options g8265dot1-2010, ieee1588-2008, g8275dot1-2014, g8275dot2-2016
Introduced 21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS
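
The profile, domain, clock-type, priority1, port and master-only descriptions above impose cross-field constraints that are easy to break when the profile is changed. The following is an added example, not Nokia code: it checks an intended set of values against those documented constraints offline, and its dict layout, function names and has_gnss flag are assumptions.

```python
# Added example: offline consistency check for intended PTP settings.
# The constraint tables are transcribed from the command descriptions above;
# the dict layout, function names and has_gnss flag are assumptions.

PROFILE_RULES = {
    # profile keyword: (domain range, default domain, supported clock types)
    "ieee1588-2008": ((0, 255), 0, {"slave-only", "master-only", "boundary"}),
    "g8265dot1-2010": ((0, 255), 4, {"slave-only", "master-only"}),
    "g8275dot1-2014": ((24, 43), 24, {"slave-only", "boundary", "master-only"}),
    "g8275dot2-2016": ((0, 255), 44, {"slave-only", "boundary", "master-only"}),
}
G8275 = {"g8275dot1-2014", "g8275dot2-2016"}
CLOCK_RANGES = {"log-announce-interval": (-3, 4), "announce-receipt-timeout": (2, 10)}
PORT_RANGES = {"log-sync-interval": (-6, 0), "log-delay-interval": (-6, 0)}


def _range_findings(values, ranges, where):
    """Yield a finding for every configured value outside its documented range."""
    for key, (low, high) in ranges.items():
        if key in values and not low <= values[key] <= high:
            yield (key, f"{where}: {key} {values[key]} outside {low}..{high}")


def check_ptp(cfg, has_gnss=False):
    """Return (code, message) findings for a dict of intended PTP settings."""
    profile = cfg.get("profile")
    if profile not in PROFILE_RULES:
        return [("profile", f"unknown profile {profile!r}")]
    (low, high), default_domain, clock_types = PROFILE_RULES[profile]
    findings = []

    # The valid domain range and its default both depend on the profile.
    domain = cfg.get("domain", default_domain)
    if not low <= domain <= high:
        findings.append(("domain", f"domain {domain} outside {low}..{high} for {profile}"))

    clock_type = cfg.get("clock-type")
    if clock_type is not None and clock_type not in clock_types:
        findings.append(("clock-type", f"{clock_type} not supported with {profile}"))
    elif clock_type == "master-only" and profile in G8275 and not has_gnss:
        findings.append(("clock-type", "master-only with G.8275.x needs an embedded GNSS receiver"))

    if "priority1" in cfg and profile != "ieee1588-2008":
        findings.append(("priority1", "priority1 is only used with ieee1588-2008"))
    if "local-priority" in cfg and profile not in G8275:
        findings.append(("local-priority", "clock local-priority is ignored outside G.8275.1/G.8275.2"))
    findings.extend(_range_findings(cfg, CLOCK_RANGES, "ptp"))

    ports = cfg.get("ports", {})
    if ports and profile == "g8265dot1-2010":
        findings.append(("port", "PTP ports cannot be created with g8265dot1-2010"))
    for port_id, port in ports.items():
        if port.get("master-only") and profile not in G8275:
            findings.append(("master-only", f"port {port_id}: master-only needs G.8275.1 or G.8275.2"))
        findings.extend(_range_findings(port, PORT_RANGES, f"port {port_id}"))
    return findings


def announce_timeout_seconds(cfg):
    """Seconds without Announce messages before ANNOUNCE_RECEIPT_TIMEOUT is declared.

    PTP log intervals are base-2 exponents, so the interval is 2**value seconds.
    """
    return cfg["announce-receipt-timeout"] * 2.0 ** cfg["log-announce-interval"]


# Constructed sample settings (not taken from a real node).
SAMPLE = {
    "profile": "g8275dot1-2014",
    "domain": 4,                      # default of G.8265.1, invalid for G.8275.1
    "clock-type": "master-only",
    "priority1": 100,
    "announce-receipt-timeout": 3,
    "log-announce-interval": -3,
    "ports": {"1/1/1": {"master-only": True, "log-sync-interval": -7}},
}

if __name__ == "__main__":
    for code, message in check_ptp(SAMPLE):
        print(f"{code:22} {message}")
    print("announce timeout:", announce_timeout_seconds(SAMPLE), "s")
```
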

ptsf
Synopsis Enter the ptsf context
Context configure system ptp ptsf
Tree ptsf

Description

Commands in this context configure the attributes of Packet Timing Signal Fail (PTSF).

Introduced 21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

monitor-ptsf-unusable
Synopsis Enter the monitor-ptsf-unusable context
Context configure system ptp ptsf monitor-ptsf-unusable
Tree monitor-ptsf-unusable

Description

Commands in this context configure monitoring of neighbor clocks for the PTSF-unusable state (condition) when the profile is set to g8275dot1-2014.

When administratively enabled, the local clock monitors the noise level of PTP event messages between external neighbor PTP ports and the local clock. If it detects a high variation in the network path between the external neighbor port and the local port, it considers the neighbor port unusable. Announce messages from the neighbor are discarded and excluded from the BTCA and the port cannot be selected as the parent clock. The unusable condition must be manually cleared.

When administratively disabled, the monitor PTSF function of the PTP clock clears PTSF-unusable states from all neighbor PTP ports. If no PTP messages are received from a neighbor for 15 minutes, the neighbor information is purged and the PTSF-unusable state is cleared.

Introduced 21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

admin-state keyword
Synopsis Administrative state of PTSF unusable monitoring
Context configure system ptp ptsf monitor-ptsf-unusable admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

router [router-instance] string
Synopsis Enter the router list instance
Context configure system ptp router string
Tree router
Introduced 21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

[router-instance] string
Synopsis Router name or VPRN service name
Context configure system ptp router string
Tree router
MD-CLI Default Base

Notes

This element is part of a list key.

Introduced 21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

admin-state keyword
Synopsis Administrative state of PTP on the router instance
Context configure system ptp router string admin-state keyword
Tree admin-state
Options enable, disable
Default enable
Introduced 21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

peer [ip-address] (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis Enter the peer list instance
Context configure system ptp router string peer (ipv4-address-no-zone | ipv6-address-no-zone)
Tree peer

Description

Commands in this context configure a remote PTP peer.

Introduced 21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

[ip-address] (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis IP address of the remote PTP peer
Context configure system ptp router string peer (ipv4-address-no-zone | ipv6-address-no-zone)
Tree peer

Notes

This element is part of a list key.

Introduced 21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

admin-state keyword
Synopsis Administrative state of the PTP peer
Context configure system ptp router string peer (ipv4-address-no-zone | ipv6-address-no-zone) admin-state keyword
Tree admin-state
Options enable, disable
Default enable
Introduced 21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

local-priority number
Synopsis PTP peer local priority
Context configure system ptp router string peer (ipv4-address-no-zone | ipv6-address-no-zone) local-priority number
Tree local-priority

Description

This command configures the local priority for the peer, which is used to choose between PTP timeTransmitters in the best timeTransmitter clock algorithm (BTCA). This setting applies when the PTP profile is configured for G.8265.1, G.8275.1, or G.8275.2 and is ignored for any other profile.

For G.8265.1, this command configures the priority used to choose between timeTransmitter clocks with the same quality (see G.8265.1 for more details).

For G.8275.1 or G.8275.2, this command configures the localPriority parameter associated with the Announce messages received from the external clocks (ptp router peer context). See G.8275.1 or G.8275.2 for detailed information.

Range 1 to 255
Default 128
Introduced 21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

log-sync-interval number
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis PTP peer interval for Sync messages in log form
Context configure system ptp router string peer (ipv4-address-no-zone | ipv6-address-no-zone) log-sync-interval number
Tree log-sync-interval

Description

This command configures the message interval used for Sync and Delay_Resp messages that are requested during unicast negotiation to the peer. The setting controls messages sent from remote peers to the local node but the packet rate from the local node to remote peers is not affected. Remote peers may request a packet rate within the acceptable range.

The interval value is specified as the logarithm to the base 2.

Range -6 to 0
Introduced 21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

peer-limit number
Synopsis Number of discovered peers allowed for routing instance
Context configure system ptp router string peer-limit number
Tree peer-limit

Description

This command specifies the maximum number of discovered peers permitted within the routing instance. This ensures that a routing instance does not consume all the possible discovered peers and prevents the routing instance from blocking discovered peers in other routing instances.

The sum of all peer limit values for all routing instances cannot exceed the maximum number of discovered peers supported by the system.

Range 0 to 512
Introduced 21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

tx-while-sync-uncertain boolean
Synopsis Send Announce messages while clock is unsynchronized
Context configure system ptp tx-while-sync-uncertain boolean
Tree tx-while-sync-uncertain

Description

When configured to true, the local PTP clock transmits Announce messages to downstream clocks to indicate it has not yet stabilized on the recovered synchronization source (upstream clocks or GM clock). While the PTP clock is unsynchronized, the SyncUncertain state is true.

When configured to false, the local PTP clock does not send Announce messages to downstream clocks to indicate it is not synchronized to a valid timing source. If the SyncUncertain state of the clock is true while this command is configured to false, unicast negotiation grant requests are not granted and current grants are canceled. 

Default true
Introduced 22.2.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

script-control

Synopsis Enter the script-control context
Context configure system script-control
Tree script-control
Introduced 16.0.R1

Platforms

All

script [script-name] string owner string
Synopsis Enter the script list instance
Context configure system script-control script string owner string
Tree script
Max. Instances 1500
Introduced 16.0.R1

Platforms

All

[script-name] string
Synopsis Script name
Context configure system script-control script string owner string
Tree script
String Length 1 to 32

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

All

owner string
Synopsis Script owner
Context configure system script-control script string owner string
Tree script

Description

This command configures the owner to be associated with the script. The owner is optional and "TiMOS CLI" is used if an owner is not specified.

The owner is an arbitrary name and not necessarily a user name. Commands in the scripts are not authorized against the owner. The configure system security cli-script authorization x cli-user command determines the user context against which commands in the scripts are authorized.

String Length 1 to 32
MD-CLI Default TiMOS CLI

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

All

location string
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Script location
Context configure system script-control script string owner string location string
Tree location
String Length 1 to 255
Introduced 16.0.R1

Platforms

All

script-policy [policy-name] string owner string
Synopsis Enter the script-policy list instance
Context configure system script-control script-policy string owner string
Tree script-policy
Max. Instances 1500
Introduced 16.0.R1

Platforms

All

owner string
Synopsis Script policy owner
Context configure system script-control script-policy string owner string
Tree script-policy

Description

This command configures the owner to be associated with the script policy. The owner is optional and "TiMOS CLI" is used if an owner is not specified.

The owner is an arbitrary name and not necessarily a user name. Commands in the scripts are not authorized against the owner. The configure system security cli-script authorization x cli-user command determines the user context against which commands in the scripts are authorized.

String Length 1 to 32
MD-CLI Default TiMOS CLI

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

All

expire-time (number | keyword)
Synopsis Maximum amount of time to keep a run history status
Context configure system script-control script-policy string owner string expire-time (number | keyword)
Tree expire-time
Range 0 to 21474836
Units seconds
Options forever
Default 3600
Introduced 16.0.R1

Platforms

All

lifetime (number | keyword)
Synopsis Maximum amount of time the script may run
Context configure system script-control script-policy string owner string lifetime (number | keyword)
Tree lifetime
Range 0 to 21474836
Units seconds
Options forever
Default 3600

Notes

The following elements are part of a choice: (lifetime and script) or (python-lifetime and python-script).

Introduced 16.0.R1

Platforms

All

python-lifetime number
Synopsis Maximum time the Python application can run
Context configure system script-control script-policy string owner string python-lifetime number
Tree python-lifetime
Range 30 to 86400
Units seconds

Notes

The following elements are part of a choice: (lifetime and script) or (python-lifetime and python-script).

Introduced 21.10.R1

Platforms

All

python-script
Synopsis Enter the python-script context
Context configure system script-control script-policy string owner string python-script
Tree python-script

Notes

The following elements are part of a choice: (lifetime and script) or (python-lifetime and python-script).

Introduced 21.10.R1

Platforms

All

script
Synopsis Enter the script context
Context configure system script-control script-policy string owner string script
Tree script

Notes

The following elements are part of a choice: (lifetime and script) or (python-lifetime and python-script).

Introduced 16.0.R1

Platforms

All

name string
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Script name
Context configure system script-control script-policy string owner string script name string
Tree name
String Length 1 to 32
Introduced 16.0.R1

Platforms

All

owner string
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Script owner
Context configure system script-control script-policy string owner string script owner string
Tree owner
String Length 1 to 32
Introduced 16.0.R1

Platforms

All

security

Synopsis Enter the security context
Context configure system security
Tree security

Description

Commands in this context configure central security settings such as DDoS protection, users, authorization profiles, and certificates.

Access to these commands should be restricted to highly trusted users and device administrators.

Introduced 16.0.R1

Platforms

All

aaa
Synopsis Enter the aaa context
Context configure system security aaa
Tree aaa
Introduced 16.0.R1

Platforms

All

cli-session-group [cli-session-group-name] string
Synopsis Enter the cli-session-group list instance
Context configure system security aaa cli-session-group string
Tree cli-session-group
Max. Instances 16
Introduced 16.0.R1

Platforms

All

health-check (number | keyword)
Synopsis Polling interval of RADIUS, TACACS+, and LDAP servers
Context configure system security aaa health-check (number | keyword)
Tree health-check
Range 6 to 1500
Units seconds
Options none
Default 30
Introduced 16.0.R1

Platforms

All

local-profiles
Synopsis Enter the local-profiles context
Context configure system security aaa local-profiles
Tree local-profiles
Introduced 16.0.R1

Platforms

All

profile [user-profile-name] string
Synopsis Enter the profile list instance
Context configure system security aaa local-profiles profile string
Tree profile
Max. Instances 128
Introduced 16.0.R1

Platforms

All

[user-profile-name] string
Synopsis User profile name
Context configure system security aaa local-profiles profile string
Tree profile
String Length 1 to 32

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

All

entry [entry-id] number
Synopsis Enter the entry list instance
Context configure system security aaa local-profiles profile string entry number
Tree entry
Introduced 16.0.R1

Platforms

All

grpc
Synopsis Enter the grpc context
Context configure system security aaa local-profiles profile string grpc
Tree grpc
Introduced 16.0.R1

Platforms

All

rpc-authorization
Synopsis Enter the rpc-authorization context
Context configure system security aaa local-profiles profile string grpc rpc-authorization
Tree rpc-authorization

Description

Commands in this context control the authorization of each RPC in gRPC interfaces.  

Introduced 16.0.R1

Platforms

All

netconf
Synopsis Enter the netconf context
Context configure system security aaa local-profiles profile string netconf
Tree netconf
Introduced 16.0.R1

Platforms

All

base-op-authorization
Synopsis Enter the base-op-authorization context
Context configure system security aaa local-profiles profile string netconf base-op-authorization
Tree base-op-authorization

Description

Commands in this context configure the permission to use NETCONF operations at the base operation level for the specified profile.

The NETCONF operations are authorized by default in the built-in system-generated administrative profile.

Introduced 16.0.R1

Platforms

All

create-subscription boolean
Synopsis Allow NETCONF create-subscription operation
Context configure system security aaa local-profiles profile string netconf base-op-authorization create-subscription boolean
Tree create-subscription

Description

When configured to true, this command enables the NETCONF create-subscription operation in the default profile.

The base-op-authorization create-subscription configuration is not pre-emptive, which means that it is checked only at the time of the initial subscription. Configuration changes to base-op-authorization do not cancel any in-progress subscriptions and operators who successfully subscribed continue to receive messages.

When configured to false, this command disables the NETCONF create-subscription operation in the default profile.

The operation is enabled by default in the built-in system-generated administrative profile.

Default false
Introduced 21.7.R1

Platforms

All

management-interface
Synopsis Enter the management-interface context
Context configure system security aaa management-interface
Tree management-interface
Introduced 20.10.R1

Platforms

All

output-authorization
Synopsis Enter the output-authorization context
Context configure system security aaa management-interface output-authorization
Tree output-authorization

Description

Commands in this context configure output authorization for model-driven interfaces and telemetry.

When output authorization is performed, commands that display configuration or state output must authorize every element in the output. If a remote AAA server is configured, there may be delays in displaying output while the output is authorized. The remote AAA server may receive a large volume of authorization requests when substantial output displays are needed, such as for system configuration details.

Input to edit the configuration is always authorized, and is not affected by commands in this context.

Introduced 20.10.R1

Platforms

All

md-interfaces boolean
Synopsis Authorize output in model-driven interfaces
Context configure system security aaa management-interface output-authorization md-interfaces boolean
Tree md-interfaces

Description

When configured to true, output is authorized for the following:

  • MD-CLI info and compare commands 

  • MD-CLI command completion of list key values

  • NETCONF <get> and <get-config> RPC

  • gRPC/gNMI Get RPCs

Default true
Introduced 20.10.R1

Platforms

All

remote-servers
Synopsis Enter the remote-servers context
Context configure system security aaa remote-servers
Tree remote-servers
Introduced 16.0.R1

Platforms

All

ldap
Synopsis Enter the ldap context
Context configure system security aaa remote-servers ldap
Tree ldap
Introduced 16.0.R1

Platforms

All

route-preference keyword
Synopsis Route preference to reach the AAA server
Context configure system security aaa remote-servers ldap route-preference keyword
Tree route-preference

Description

This command specifies the routing preference to reach the AAA server. If the configured option is to use both in-band and out-of-band routes, the out-of-band routes in the Base routing instance are used to reach the server before the in-band routes in the management routing instance.

Options both, inband, outband
Default both
Introduced 21.5.R1

Platforms

All

server [index] number
Synopsis Enter the server list instance
Context configure system security aaa remote-servers ldap server number
Tree server
Max. Instances 5
Introduced 16.0.R1

Platforms

All

address [ip-address] (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis Enter the address list instance
Context configure system security aaa remote-servers ldap server number address (ipv4-address-no-zone | ipv6-address-no-zone)
Tree address
Max. Instances 1
Introduced 16.0.R1

Platforms

All

[ip-address] (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis LDAP server address
Context configure system security aaa remote-servers ldap server number address (ipv4-address-no-zone | ipv6-address-no-zone)
Tree address

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

All

bind-authentication
Synopsis Enter the bind-authentication context
Context configure system security aaa remote-servers ldap server number bind-authentication
Tree bind-authentication
Introduced 16.0.R1

Platforms

All

radius
Synopsis Enter the radius context
Context configure system security aaa remote-servers radius
Tree radius
Introduced 16.0.R1

Platforms

All

route-preference keyword
Synopsis Route preference to reach the AAA server
Context configure system security aaa remote-servers radius route-preference keyword
Tree route-preference

Description

This command specifies the routing preference to reach the AAA server. If the configured option is to use both in-band and out-of-band routes, the out-of-band routes in the Base routing instance are used to reach the server before the in-band routes in the management routing instance.

Options both, inband, outband
Default both
Introduced 21.5.R1

Platforms

All

server [index] number
Synopsis Enter the server list instance
Context configure system security aaa remote-servers radius server number
Tree server
Max. Instances 5
Introduced 16.0.R1

Platforms

All

address (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis IP address of the RADIUS server
Context configure system security aaa remote-servers radius server number address (ipv4-address-no-zone | ipv6-address-no-zone)
Tree address

Notes

This element is mandatory.

Introduced 16.0.R1

Platforms

All

authenticator keyword
Synopsis Authenticator hash algorithm for the RADIUS server
Context configure system security aaa remote-servers radius server number authenticator keyword
Tree authenticator

Description

This command specifies the hash algorithm used to authenticate RADIUS Access-Request, Access-Accept, Access-Reject, Access-Challenge, Accounting-Request, and Accounting-Response packets.

Options md5, sm3
Default md5
Introduced 22.10.R1

Platforms

All

tacplus
Synopsis Enter the tacplus context
Context configure system security aaa remote-servers tacplus
Tree tacplus
Introduced 16.0.R1

Platforms

All

authorization
Synopsis Enable the authorization context
Context configure system security aaa remote-servers tacplus authorization
Tree authorization
Introduced 16.0.R1

Platforms

All

request-format
Synopsis Enter the request-format context
Context configure system security aaa remote-servers tacplus authorization request-format
Tree request-format

Description

Commands in this context configure access operations that are sent to the TACACS+ server during authorization.

Introduced 21.10.R3

Platforms

All

access-operation-cmd keyword
Synopsis Access operations sent in authorization requests
Context configure system security aaa remote-servers tacplus authorization request-format access-operation-cmd keyword
Tree access-operation-cmd

Description

This command sends an operation argument in authorization requests.

In model-driven interfaces, this command configures the system to send the operation in the cmd argument, and the path in the cmd-args argument, in TACACS+ authorization requests. This command does not apply to authorization requests in classic interfaces.

Options delete
Max. Instances 1
Introduced 21.10.R3

Platforms

All

use-priv-lvl boolean
Synopsis Allow privilege level mapping
Context configure system security aaa remote-servers tacplus authorization use-priv-lvl boolean
Tree use-priv-lvl

Description

When configured to true, this command automatically performs a single authorization request to the TACACS+ server for cmd* (all commands) immediately after login, and then uses the local profile associated (via the priv-lvl-map) with the priv-lvl returned by the TACACS+ server for all subsequent authorization (except enable-admin). After the initial authorization for cmd*, no further authorization requests are sent to the TACACS+ server (except enable-admin).

When configured to false, each command is sent to the TACACS+ server for authorization (this is true regardless of whether the tacplus use-default-template setting is enabled).

Default false
Introduced 16.0.R1

Platforms

All

priv-lvl-map
Synopsis Enter the priv-lvl-map context
Context configure system security aaa remote-servers tacplus priv-lvl-map
Tree priv-lvl-map
Introduced 16.0.R1

Platforms

All

priv-lvl [level] number
Synopsis Enter the priv-lvl list instance
Context configure system security aaa remote-servers tacplus priv-lvl-map priv-lvl number
Tree priv-lvl
Introduced 16.0.R1

Platforms

All

route-preference keyword
Synopsis Route preference to reach the AAA server
Context configure system security aaa remote-servers tacplus route-preference keyword
Tree route-preference

Description

This command specifies the routing preference to reach the AAA server. If the configured option is to use both in-band and out-of-band routes, the out-of-band routes in the Base routing instance are used to reach the server before the in-band routes in the management routing instance.

Options both, inband, outband
Default both
Introduced 21.5.R1

Platforms

All

server [index] number
Synopsis Enter the server list instance
Context configure system security aaa remote-servers tacplus server number
Tree server
Max. Instances 5
Introduced 16.0.R1

Platforms

All

address (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis IP address of the TACACS+ server
Context configure system security aaa remote-servers tacplus server number address (ipv4-address-no-zone | ipv6-address-no-zone)
Tree address

Notes

This element is mandatory.

Introduced 16.0.R1

Platforms

All

vprn-server
Synopsis Enter the vprn-server context
Context configure system security aaa remote-servers vprn-server
Tree vprn-server
Introduced 22.2.R1

Platforms

All

inband reference
Synopsis VPRN service used for AAA by in-band sessions
Context configure system security aaa remote-servers vprn-server inband reference
Tree inband

Description

This command configures TACACS+ or RADIUS servers in a VPRN to be used for AAA by that VPRN and by sessions in the Base routing instance.

Reference

configure service vprn string

Introduced 22.2.R1

Platforms

All

outband reference
Synopsis VPRN service used for AAA by out-of-band sessions
Context configure system security aaa remote-servers vprn-server outband reference
Tree outband

Description

This command configures TACACS+ and RADIUS servers in a VPRN to be used for AAA by that VPRN and by sessions on the console or out-of-band (OOB) Ethernet ports.

Reference

configure service vprn string

Introduced 22.2.R1

Platforms

All

vprn reference
Synopsis VPRN used for AAA in VPRNs without a AAA server
Context configure system security aaa remote-servers vprn-server vprn reference
Tree vprn

Description

This command configures TACACS+ or RADIUS servers in a VPRN to be used for AAA by that VPRN and by sessions in VPRNs without a AAA server configured.

Reference

configure service vprn string

Introduced 22.2.R1

Platforms

All

user-template [user-template-name] keyword
Synopsis Enter the user-template list instance
Context configure system security aaa user-template keyword
Tree user-template
Introduced 16.0.R1

Platforms

All

[user-template-name] keyword
Synopsis Default user template applied to the system user
Context configure system security aaa user-template keyword
Tree user-template
Options ldap-default, radius-default, tacplus-default

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

All

access
Synopsis Enter the access context
Context configure system security aaa user-template keyword access
Tree access
Introduced 16.0.R1

Platforms

All

home-directory (sat-url | cflash-without-slot-url)
Synopsis User local home directory based on the template
Context configure system security aaa user-template keyword home-directory (sat-url | cflash-without-slot-url)
Tree home-directory

Description

This command configures the home directory of the user for file access. Files can be accessed locally by CLI file commands and output modifiers such as > (file redirect), or remotely via FTP and SCP. If the home directory does not exist, a warning message is displayed when the user logs in.

When restricted-to-home is configured, file access is denied unless the home-directory is configured and the directory is created by an administrator.

String Length 1 to 200
Introduced 16.0.R1

Platforms

All

restricted-to-home boolean
Synopsis Restrict file access to the home directory of the user
Context configure system security aaa user-template keyword restricted-to-home boolean
Tree restricted-to-home

Description

When configured to true, the router prevents the user from accessing files outside of their home directory. Files can be accessed locally by CLI file commands and output modifiers such as > (file redirect), or remotely via FTP and SCP. The system denies all configuration save operations (such as admin save) via any management interface (such as CLI and NETCONF) unless save-when-restricted is enabled.

File access is denied unless a home directory is configured and the directory is created by an administrator.

When configured to false, the router permits the user to access all files on the system.

Default false
Introduced 16.0.R1

Platforms

All

save-when-restricted boolean
Synopsis Save configurations when the user is restricted to home
Context configure system security aaa user-template keyword save-when-restricted boolean
Tree save-when-restricted

Description

When configured to true, the system permits configuration save operations for all configuration regions (such as bof and configure) via any management interface (such as CLI and NETCONF) even if restricted-to-home is enabled.

The configuration for each region can be saved with admin save CLI commands or when committed over NETCONF and gRPC.

When configured to false, the system denies saving the configuration when restricted-to-home is enabled, unless the home directory of the user includes the location of the saved configuration file.

Default false
Introduced 22.10.R1

Platforms

All

cli-script
Synopsis Enter the cli-script context
Context configure system security cli-script
Tree cli-script
Introduced 16.0.R1

Platforms

All

authorization
Synopsis Enter the authorization context
Context configure system security cli-script authorization
Tree authorization
Introduced 16.0.R1

Platforms

All

cron
Synopsis Enter the cron context
Context configure system security cli-script authorization cron
Tree cron

Description

Commands in this context configure authorization for the cron job scheduler.

Introduced 16.0.R1

Platforms

All

event-handler
Synopsis Enter the event-handler context
Context configure system security cli-script authorization event-handler
Tree event-handler

Description

Commands in this context configure authorization for the Event Handling System (EHS). EHS allows user-controlled programmatic exception handling by allowing a CLI script to be executed upon the detection of a log event.

Introduced 16.0.R1

Platforms

All

cpm-filter
Synopsis Enter the cpm-filter context
Context configure system security cpm-filter
Tree cpm-filter
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

default-action keyword
Synopsis Action for packets that do not match any filter entries
Context configure system security cpm-filter default-action keyword
Tree default-action
Options drop, accept
Default accept
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

ip-filter
Synopsis Enter the ip-filter context
Context configure system security cpm-filter ip-filter
Tree ip-filter
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

admin-state keyword
Synopsis Administrative state of the CPM filter
Context configure system security cpm-filter ip-filter admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

entry [entry-id] number
Synopsis Enter the entry list instance
Context configure system security cpm-filter ip-filter entry number
Tree entry
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

[entry-id] number
Synopsis Filter entry ID
Context configure system security cpm-filter ip-filter entry number
Tree entry
Range 1 to 131072

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

action
Synopsis Enter the action context
Context configure system security cpm-filter ip-filter entry number action
Tree action
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

accept
Synopsis Forward matching packets
Context configure system security cpm-filter ip-filter entry number action accept
Tree accept

Notes

The following elements are part of a choice: accept, default, drop, or queue.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

default
Synopsis Use default action for matching packets
Context configure system security cpm-filter ip-filter entry number action default
Tree default

Notes

The following elements are part of a choice: accept, default, drop, or queue.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

drop
Synopsis Drop matching packets
Context configure system security cpm-filter ip-filter entry number action drop
Tree drop

Notes

The following elements are part of a choice: accept, default, drop, or queue.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

log reference
Synopsis Log ID where matching packets are entered
Context configure system security cpm-filter ip-filter entry number log reference
Tree log

Reference

configure filter log number

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

match
Synopsis Enter the match context
Context configure system security cpm-filter ip-filter entry number match
Tree match

Description

Commands in this context specify match criteria for the entry. When the match criteria have been satisfied, the action associated with the entry is executed.

If more than one match criterion is configured, all criteria must be met before the action associated with the entry is executed.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

dscp keyword
Synopsis DSCP used as the match criterion on the packet
Context configure system security cpm-filter ip-filter entry number match dscp keyword
Tree dscp
Options be, cp1, cp2, cp3, cp4, cp5, cp6, cp7, cs1, cp9, af11, cp11, af12, cp13, af13, cp15, cs2, cp17, af21, cp19, af22, cp21, af23, cp23, cs3, cp25, af31, cp27, af32, cp29, af33, cp31, cs4, cp33, af41, cp35, af42, cp37, af43, cp39, cs5, cp41, cp42, cp43, cp44, cp45, ef, cp47, nc1, cp49, cp50, cp51, cp52, cp53, cp54, cp55, nc2, cp57, cp58, cp59, cp60, cp61, cp62, cp63
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

dst-ip
Synopsis Enter the dst-ip context
Context configure system security cpm-filter ip-filter entry number match dst-ip
Tree dst-ip
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

address (ipv4-prefix-with-host-bits | ipv4-address)
Synopsis IPv4 address used as the match criterion
Context configure system security cpm-filter ip-filter entry number match dst-ip address (ipv4-prefix-with-host-bits | ipv4-address)
Tree address

Notes

The following elements are part of a choice: (address and mask) or ip-prefix-list.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

mask string
Synopsis IPv4 address mask used as the match criterion
Context configure system security cpm-filter ip-filter entry number match dst-ip mask string
Tree mask

Notes

The following elements are part of a choice: (address and mask) or ip-prefix-list.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

dst-port
Synopsis Enter the dst-port context
Context configure system security cpm-filter ip-filter entry number match dst-port
Tree dst-port

Notes

The following elements are part of a choice: port or (dst-port and src-port).

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

eq number
Synopsis Port number as the match criterion
Context configure system security cpm-filter ip-filter entry number match dst-port eq number
Tree eq
Range 0 to 65535

Notes

The following elements are part of a choice: (eq and mask), port-list, or range.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

mask number
Synopsis Port mask as the match criterion
Context configure system security cpm-filter ip-filter entry number match dst-port mask number
Tree mask
Range 1 to 65535
Default 65535

Notes

The following elements are part of a choice: (eq and mask), port-list, or range.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

range
Synopsis Enable the range context
Context configure system security cpm-filter ip-filter entry number match dst-port range
Tree range

Notes

The following elements are part of a choice: (eq and mask), port-list, or range.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

fragment keyword
Synopsis Match criterion based on presence of fragmented packets
Context configure system security cpm-filter ip-filter entry number match fragment keyword
Tree fragment

Description

This command specifies the match criterion based on the existence or absence of fragmented IP packets.

A packet matches as a fragmented IPv4 packet when it has either the MF (More Fragments) bit set or a non-zero Fragment Offset field in the IP header. For IPv6, the presence of the IPv6 Fragmentation Extension Header results in a fragmented packet match.

A packet matches as a non-fragmented IPv4 packet when the MF bit is zero and the Fragment Offset field is also zero. For IPv6, the absence of an IPv6 Fragmentation Extension Header results in a non-fragmented packet match.

Options false, true
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

icmp
Synopsis Enter the icmp context
Context configure system security cpm-filter ip-filter entry number match icmp
Tree icmp
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

ip-option
Synopsis Enable the ip-option context
Context configure system security cpm-filter ip-filter entry number match ip-option
Tree ip-option
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

port
Synopsis Enter the port context
Context configure system security cpm-filter ip-filter entry number match port
Tree port

Notes

The following elements are part of a choice: port or (dst-port and src-port).

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

eq number
Synopsis Port number as the match criterion
Context configure system security cpm-filter ip-filter entry number match port eq number
Tree eq
Range 0 to 65535

Notes

The following elements are part of a choice: (eq and mask), port-list, or range.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

mask number
Synopsis Port mask as the match criterion
Context configure system security cpm-filter ip-filter entry number match port mask number
Tree mask
Range 1 to 65535
Default 65535

Notes

The following elements are part of a choice: (eq and mask), port-list, or range.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

range
Synopsis Enable the range context
Context configure system security cpm-filter ip-filter entry number match port range
Tree range

Notes

The following elements are part of a choice: (eq and mask), port-list, or range.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

end number
Synopsis Upper bound of the port number to match
Context configure system security cpm-filter ip-filter entry number match port range end number
Tree end
Range 0 to 65535

Notes

This element is mandatory.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

protocol (number | keyword)
Synopsis IP protocol as the match criterion
Context configure system security cpm-filter ip-filter entry number match protocol (number | keyword)
Tree protocol
Range 0 to 255
Options tcp-udp, icmp, igmp, ip, tcp, egp, igp, udp, rdp, ipv6, ipv6-route, ipv6-frag, idrp, rsvp, gre, ipv6-icmp, ipv6-no-nxt, ipv6-opts, iso-ip, eigrp, ospf-igp, ether-ip, encap, pnni, pim, vrrp, l2tp, stp, ptp, isis, crtp, crudp, sctp
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

src-ip
Synopsis Enter the src-ip context
Context configure system security cpm-filter ip-filter entry number match src-ip
Tree src-ip
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

address (ipv4-prefix-with-host-bits | ipv4-address)
Synopsis IPv4 address used as the match criterion
Context configure system security cpm-filter ip-filter entry number match src-ip address (ipv4-prefix-with-host-bits | ipv4-address)
Tree address

Notes

The following elements are part of a choice: (address and mask) or ip-prefix-list.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

mask string
Synopsis IPv4 address mask used as the match criterion
Context configure system security cpm-filter ip-filter entry number match src-ip mask string
Tree mask

Notes

The following elements are part of a choice: (address and mask) or ip-prefix-list.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

src-port
Synopsis Enter the src-port context
Context configure system security cpm-filter ip-filter entry number match src-port
Tree src-port

Notes

The following elements are part of a choice: port or (dst-port and src-port).

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

eq number
Synopsis Port number as the match criterion
Context configure system security cpm-filter ip-filter entry number match src-port eq number
Tree eq
Range 0 to 65535

Notes

The following elements are part of a choice: (eq and mask), port-list, or range.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

mask number
Synopsis Port mask as the match criterion
Context configure system security cpm-filter ip-filter entry number match src-port mask number
Tree mask
Range 1 to 65535
Default 65535

Notes

The following elements are part of a choice: (eq and mask), port-list, or range.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

range
Synopsis Enable the range context
Context configure system security cpm-filter ip-filter entry number match src-port range
Tree range

Notes

The following elements are part of a choice: (eq and mask), port-list, or range.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

tcp-flags
Synopsis Enter the tcp-flags context
Context configure system security cpm-filter ip-filter entry number match tcp-flags
Tree tcp-flags
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

ipv6-filter
Synopsis Enter the ipv6-filter context
Context configure system security cpm-filter ipv6-filter
Tree ipv6-filter
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

admin-state keyword
Synopsis Administrative state of the CPM filter
Context configure system security cpm-filter ipv6-filter admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

entry [entry-id] number
Synopsis Enter the entry list instance
Context configure system security cpm-filter ipv6-filter entry number
Tree entry
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

[entry-id] number
Synopsis Filter entry ID
Context configure system security cpm-filter ipv6-filter entry number
Tree entry
Range 1 to 131072

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

action
Synopsis Enter the action context
Context configure system security cpm-filter ipv6-filter entry number action
Tree action
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

accept
Synopsis Forward matching packets
Context configure system security cpm-filter ipv6-filter entry number action accept
Tree accept

Notes

The following elements are part of a choice: accept, default, drop, or queue.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

default
Synopsis Use default action for matching packets
Context configure system security cpm-filter ipv6-filter entry number action default
Tree default

Notes

The following elements are part of a choice: accept, default, drop, or queue.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

drop
Synopsis Drop matching packets
Context configure system security cpm-filter ipv6-filter entry number action drop
Tree drop

Notes

The following elements are part of a choice: accept, default, drop, or queue.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

log reference
Synopsis Log ID where matching packets are entered
Context configure system security cpm-filter ipv6-filter entry number log reference
Tree log

Reference

configure filter log number

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

match
Synopsis Enter the match context
Context configure system security cpm-filter ipv6-filter entry number match
Tree match

Description

Commands in this context specify match criteria for the entry. When the match criteria have been satisfied, the action associated with the entry is executed.

If more than one match criterion is configured, all criteria must be met before the action associated with the entry is executed.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

dscp keyword
Synopsis DSCP used as the match criterion on the packet
Context configure system security cpm-filter ipv6-filter entry number match dscp keyword
Tree dscp
Options be, cp1, cp2, cp3, cp4, cp5, cp6, cp7, cs1, cp9, af11, cp11, af12, cp13, af13, cp15, cs2, cp17, af21, cp19, af22, cp21, af23, cp23, cs3, cp25, af31, cp27, af32, cp29, af33, cp31, cs4, cp33, af41, cp35, af42, cp37, af43, cp39, cs5, cp41, cp42, cp43, cp44, cp45, ef, cp47, nc1, cp49, cp50, cp51, cp52, cp53, cp54, cp55, nc2, cp57, cp58, cp59, cp60, cp61, cp62, cp63
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

dst-ip
Synopsis Enter the dst-ip context
Context configure system security cpm-filter ipv6-filter entry number match dst-ip
Tree dst-ip
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

address (ipv6-prefix-with-host-bits | ipv6-address)
Synopsis IPv6 address used as the match criterion
Context configure system security cpm-filter ipv6-filter entry number match dst-ip address (ipv6-prefix-with-host-bits | ipv6-address)
Tree address

Notes

The following elements are part of a choice: (address and mask) or ipv6-prefix-list.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

mask string
Synopsis IPv6 address mask used as the match criterion
Context configure system security cpm-filter ipv6-filter entry number match dst-ip mask string
Tree mask

Notes

The following elements are part of a choice: (address and mask) or ipv6-prefix-list.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

dst-port
Synopsis Enter the dst-port context
Context configure system security cpm-filter ipv6-filter entry number match dst-port
Tree dst-port

Notes

The following elements are part of a choice: port or (dst-port and src-port).

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

eq number
Synopsis Port number as the match criterion
Context configure system security cpm-filter ipv6-filter entry number match dst-port eq number
Tree eq
Range 0 to 65535

Notes

The following elements are part of a choice: (eq and mask), port-list, or range.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

mask number
Synopsis Port mask as the match criterion
Context configure system security cpm-filter ipv6-filter entry number match dst-port mask number
Tree mask
Range 1 to 65535
Default 65535

Notes

The following elements are part of a choice: (eq and mask), port-list, or range.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

range
Synopsis Enable the range context
Context configure system security cpm-filter ipv6-filter entry number match dst-port range
Tree range

Notes

The following elements are part of a choice: (eq and mask), port-list, or range.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

extension-header
Synopsis Enter the extension-header context
Context configure system security cpm-filter ipv6-filter entry number match extension-header
Tree extension-header
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

hop-by-hop boolean
Synopsis Match on existence of Hop-By-Hop Options Header
Context configure system security cpm-filter ipv6-filter entry number match extension-header hop-by-hop boolean
Tree hop-by-hop

Description

When configured to true, a match occurs when the Hop-by-Hop Options Extension Header is present.

When configured to false, a match occurs when the Hop-by-Hop Options Extension Header is not present.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

fragment keyword
Synopsis Match criterion based on presence of fragmented packets
Context configure system security cpm-filter ipv6-filter entry number match fragment keyword
Tree fragment

Description

This command specifies the match criterion based on the existence or absence of fragmented IP packets.

A packet matches as a fragmented IPv4 packet when it has either the MF (More Fragments) bit set or a non-zero Fragment Offset field in the IP header. For IPv6, the presence of the IPv6 Fragmentation Extension Header results in a fragmented packet match.

A packet matches as a non-fragmented IPv4 packet when the MF bit is zero and the Fragment Offset field is also zero. For IPv6, the absence of an IPv6 Fragmentation Extension Header results in a non-fragmented packet match.

Options false, true
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS
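
Example (added here, not part of the vendor reference and not the router's implementation): the fragment test described for the ip-filter and ipv6-filter match fragment commands, applied to raw packet bytes in Python. The sample packets are constructed, and walking the Hop-by-Hop, Routing, Destination Options and Authentication headers to find the Fragment header is an assumption about how the header is located.

```python
import ipaddress
import struct

# IPv6 Next Header values (IANA protocol numbers) for the headers walked here.
HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, DEST_OPTS = 0, 43, 44, 51, 60
WALKED_HEADERS = (HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, DEST_OPTS)


def ipv4_is_fragment(packet: bytes) -> bool:
    """Fragmented when MF is set or the Fragment Offset is non-zero."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    flags_and_offset = struct.unpack_from("!H", packet, 6)[0]
    more_fragments = bool(flags_and_offset & 0x2000)
    fragment_offset = flags_and_offset & 0x1FFF  # counted in 8-octet units
    return more_fragments or fragment_offset != 0


def ipv6_is_fragment(packet: bytes) -> bool:
    """Fragmented when a Fragment extension header is present in the chain."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not a complete IPv6 header")
    next_header, pos = packet[6], 40
    while next_header in WALKED_HEADERS:
        if pos + 8 > len(packet):
            raise ValueError("truncated extension header")
        if next_header == FRAGMENT:
            return True
        ext_len = packet[pos + 1]
        # AH counts its length in 4-octet units minus 2, the others in
        # 8-octet units not including the first 8 octets.
        size = (ext_len + 2) * 4 if next_header == AUTH else (ext_len + 1) * 8
        next_header, pos = packet[pos], pos + size
    return False  # reached an upper-layer protocol without a Fragment header


def matches_fragment_criterion(packet: bytes, fragment: bool) -> bool:
    """Would this packet satisfy an entry configured with 'match fragment <bool>'?"""
    version = packet[0] >> 4 if packet else 0
    if version == 4:
        is_fragment = ipv4_is_fragment(packet)
    elif version == 6:
        is_fragment = ipv6_is_fragment(packet)
    else:
        raise ValueError("unknown IP version")
    return is_fragment == fragment


def build_ipv4(flags_and_offset: int) -> bytes:
    """Constructed 20-byte IPv4 header (documentation addresses, no payload)."""
    return struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, flags_and_offset, 64, 6, 0,
        ipaddress.IPv4Address("192.0.2.1").packed,
        ipaddress.IPv4Address("198.51.100.1").packed,
    )


def build_ipv6(next_header: int, payload: bytes = b"") -> bytes:
    """Constructed IPv6 header followed by the given extension headers/payload."""
    return struct.pack(
        "!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
        ipaddress.IPv6Address("2001:db8::1").packed,
        ipaddress.IPv6Address("2001:db8::2").packed,
    ) + payload


# Constructed sample packets.
V4_WHOLE = build_ipv4(0x4000)           # DF set, MF clear, offset 0
V4_FIRST_FRAGMENT = build_ipv4(0x2000)  # MF set, offset 0
V4_LAST_FRAGMENT = build_ipv4(0x00B9)   # MF clear, offset 185
V6_WHOLE = build_ipv6(6, b"\x00" * 20)  # TCP follows the base header directly
V6_FRAGMENT = build_ipv6(
    HOP_BY_HOP,
    bytes([FRAGMENT, 0, 1, 4, 0, 0, 0, 0])         # Hop-by-Hop with PadN
    + struct.pack("!BBHI", 6, 0, 0x0001, 0x12345678),  # Fragment header, M=1
)

if __name__ == "__main__":
    samples = {
        "IPv4 whole": V4_WHOLE,
        "IPv4 first fragment": V4_FIRST_FRAGMENT,
        "IPv4 last fragment": V4_LAST_FRAGMENT,
        "IPv6 whole": V6_WHOLE,
        "IPv6 hop-by-hop + fragment": V6_FRAGMENT,
    }
    for name, pkt in samples.items():
        print(f"{name:28} match fragment true -> "
              f"{matches_fragment_criterion(pkt, True)}")
```

The last IPv4 fragment is the case to check when reviewing entries: its MF bit is clear, so only the non-zero Fragment Offset marks it as a fragment.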

icmp
Synopsis Enter the icmp context
Context configure system security cpm-filter ipv6-filter entry number match icmp
Tree icmp
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

next-header (number | keyword)
Synopsis IP protocol to match
Context configure system security cpm-filter ipv6-filter entry number match next-header (number | keyword)
Tree next-header
Range 0 to 255
Options tcp-udp, icmp, igmp, ip, tcp, egp, igp, udp, rdp, ipv6, ipv6-route, ipv6-frag, idrp, rsvp, gre, ipv6-icmp, ipv6-no-nxt, ipv6-opts, iso-ip, eigrp, ospf-igp, ether-ip, encap, pnni, pim, vrrp, l2tp, stp, ptp, isis, crtp, crudp, sctp
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

port
Synopsis Enter the port context
Context configure system security cpm-filter ipv6-filter entry number match port
Tree port

Notes

The following elements are part of a choice: port or (dst-port and src-port).

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

eq number
Synopsis Port number as the match criterion
Context configure system security cpm-filter ipv6-filter entry number match port eq number
Tree eq
Range 0 to 65535

Notes

The following elements are part of a choice: (eq and mask), port-list, or range.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

mask number
Synopsis Port mask as the match criterion
Context configure system security cpm-filter ipv6-filter entry number match port mask number
Tree mask
Range 1 to 65535
Default 65535

Notes

The following elements are part of a choice: (eq and mask), port-list, or range.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

range
Synopsis Enable the range context
Context configure system security cpm-filter ipv6-filter entry number match port range
Tree range

Notes

The following elements are part of a choice: (eq and mask), port-list, or range.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

end number
Synopsis Upper bound of the port number to match
Context configure system security cpm-filter ipv6-filter entry number match port range end number
Tree end
Range 0 to 65535

Notes

This element is mandatory.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

src-ip
Synopsis Enter the src-ip context
Context configure system security cpm-filter ipv6-filter entry number match src-ip
Tree src-ip
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

address (ipv6-prefix-with-host-bits | ipv6-address)
Synopsis IPv6 address used as the match criterion
Context configure system security cpm-filter ipv6-filter entry number match src-ip address (ipv6-prefix-with-host-bits | ipv6-address)
Tree address

Notes

The following elements are part of a choice: (address and mask) or ipv6-prefix-list.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

mask string
Synopsis IPv6 address mask used as the match criterion
Context configure system security cpm-filter ipv6-filter entry number match src-ip mask string
Tree mask

Notes

The following elements are part of a choice: (address and mask) or ipv6-prefix-list.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

src-port
Synopsis Enter the src-port context
Context configure system security cpm-filter ipv6-filter entry number match src-port
Tree src-port

Notes

The following elements are part of a choice: port or (dst-port and src-port).

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

eq number
Synopsis Port number as the match criterion
Context configure system security cpm-filter ipv6-filter entry number match src-port eq number
Tree eq
Range 0 to 65535

Notes

The following elements are part of a choice: (eq and mask), port-list, or range.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

mask number
Synopsis Port mask as the match criterion
Context configure system security cpm-filter ipv6-filter entry number match src-port mask number
Tree mask
Range 1 to 65535
Default 65535

Notes

The following elements are part of a choice: (eq and mask), port-list, or range.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

range
Synopsis Enable the range context
Context configure system security cpm-filter ipv6-filter entry number match src-port range
Tree range

Notes

The following elements are part of a choice: (eq and mask), port-list, or range.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

tcp-flags
Synopsis Enter the tcp-flags context
Context configure system security cpm-filter ipv6-filter entry number match tcp-flags
Tree tcp-flags
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

mac-filter
Synopsis Enter the mac-filter context
Context configure system security cpm-filter mac-filter
Tree mac-filter
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

admin-state keyword
Synopsis Administrative state of the CPM filter
Context configure system security cpm-filter mac-filter admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

entry [entry-id] number
Synopsis Enter the entry list instance
Context configure system security cpm-filter mac-filter entry number
Tree entry
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

[entry-id] number
Synopsis Filter entry ID
Context configure system security cpm-filter mac-filter entry number
Tree entry
Range 1 to 131072

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

action
Synopsis Enter the action context
Context configure system security cpm-filter mac-filter entry number action
Tree action
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

accept
Synopsis Forward matching packets
Context configure system security cpm-filter mac-filter entry number action accept
Tree accept

Notes

The following elements are part of a choice: accept, default, drop, or queue.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

default
Synopsis Use default action for matching packets
Context configure system security cpm-filter mac-filter entry number action default
Tree default

Notes

The following elements are part of a choice: accept, default, drop, or queue.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

drop
Synopsis Drop matching packets
Context configure system security cpm-filter mac-filter entry number action drop
Tree drop

Notes

The following elements are part of a choice: accept, default, drop, or queue.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

log reference
Synopsis Log ID where matching packets are entered
Context configure system security cpm-filter mac-filter entry number log reference
Tree log

Reference

configure filter log number

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

match
Synopsis Enter the match context
Context configure system security cpm-filter mac-filter entry number match
Tree match

Description

Commands in this context specify match criteria for the entry. When the match criteria have been satisfied, the action associated with the entry is executed.

If more than one match criterion is configured, all criteria must be met before the action associated with the entry is executed.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

cfm-opcode
Synopsis Enter the cfm-opcode context
Context configure system security cpm-filter mac-filter entry number match cfm-opcode
Tree cfm-opcode

Description

Commands in this context specify match criteria based on the CFM opcode.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

eq number
Synopsis Equal to comparison operator for the CFM opcode
Context configure system security cpm-filter mac-filter entry number match cfm-opcode eq number
Tree eq
Range 0 to 255

Notes

The following elements are part of a choice: eq, gt, lt, or range.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

gt number
Synopsis Greater than comparison operator for the CFM opcode
Context configure system security cpm-filter mac-filter entry number match cfm-opcode gt number
Tree gt
Range 0 to 254

Notes

The following elements are part of a choice: eq, gt, lt, or range.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

lt number
Synopsis Less than comparison operator for the CFM opcode
Context configure system security cpm-filter mac-filter entry number match cfm-opcode lt number
Tree lt
Range 1 to 255

Notes

The following elements are part of a choice: eq, gt, lt, or range.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

range
Synopsis Enable the range context
Context configure system security cpm-filter mac-filter entry number match cfm-opcode range
Tree range

Notes

The following elements are part of a choice: eq, gt, lt, or range.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

dst-mac
Synopsis Enable the dst-mac context
Context configure system security cpm-filter mac-filter entry number match dst-mac
Tree dst-mac
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

etype string
Synopsis Ethernet type as the match criterion
Context configure system security cpm-filter mac-filter entry number match etype string
Tree etype

Description

This command specifies an Ethernet type II Ethertype value to be used as a MAC filter match criterion.

The Ethernet type field is used by the Ethernet version-II frames and does not apply to IEEE 802.3 Ethernet frames.

String Length 5 to 6
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

llc-dsap
Synopsis Enable the llc-dsap context
Context configure system security cpm-filter mac-filter entry number match llc-dsap
Tree llc-dsap

Description

Commands in this context specify match criteria based on the Destination Service Access Point (DSAP).

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

llc-ssap
Synopsis Enable the llc-ssap context
Context configure system security cpm-filter mac-filter entry number match llc-ssap
Tree llc-ssap

Description

Commands in this context specify match criteria based on the Source Service Access Point (SSAP).

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

src-mac
Synopsis Enable the src-mac context
Context configure system security cpm-filter mac-filter entry number match src-mac
Tree src-mac
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

cpm-queue
Synopsis Enter the cpm-queue context
Context configure system security cpm-queue
Tree cpm-queue
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

queue [queue-id] number
Synopsis Enter the queue list instance
Context configure system security cpm-queue queue number
Tree queue
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

[queue-id] number
Synopsis CPM queue ID
Context configure system security cpm-queue queue number
Tree queue
Range 33 to 2000

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

cbs number
Synopsis Buffer size that can be drawn from queue buffer pool
Context configure system security cpm-queue queue number cbs number
Tree cbs

Description

This command specifies the amount of buffer that can be drawn from the reserved buffer portion of the buffer pool of the queue.

Range 0 to 131072
Units kilobps
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

mbs number
Synopsis Maximum queue depth to which the queue can grow
Context configure system security cpm-queue queue number mbs number
Tree mbs
Range 0 to 131072
Units kilobps
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

rate
Synopsis Enter the rate context
Context configure system security cpm-queue queue number rate
Tree rate
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

cir (number | keyword)
Synopsis Amount of bandwidth committed to the queue
Context configure system security cpm-queue queue number rate cir (number | keyword)
Tree cir
Range 0 to 100000000
Units kilobps
Options max
Default max
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

pir (number | keyword)
Synopsis Peak Information Rate for the queue
Context configure system security cpm-queue queue number rate pir (number | keyword)
Tree pir
Range 1 to 100000000
Units kilobps
Options max
Default max
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

cpu-protection
Synopsis Enter the cpu-protection context
Context configure system security cpu-protection
Tree cpu-protection

Description

Commands in this context configure CPU protection policies.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

ip-src-monitoring
Synopsis Enter the ip-src-monitoring context
Context configure system security cpu-protection ip-src-monitoring
Tree ip-src-monitoring
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

included-protocols
Synopsis Enter the included-protocols context
Context configure system security cpu-protection ip-src-monitoring included-protocols
Tree included-protocols

Description

Commands in this context specify the protocols included in IP source monitoring. The protocol packets will be subject to the per-source-rate of CPU protection policies.

This configuration applies system wide and applies to CPU protection globally.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

link-specific-rate (number | keyword)
Synopsis Packet arrival rate limit for link level protocols
Context configure system security cpu-protection link-specific-rate (number | keyword)
Tree link-specific-rate

Description

This command configures a link-specific rate for CPU protection. The limit is applied to all ports within the system. The CPU receives no more than the configured packet rate for all link level protocols, such as LACP, from any one port.

The measurement is cleared each second and is based on the ingress port.

Range 1 to 65535
Units packets per second
Options max
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

policy [policy-id] number
Synopsis Enter the policy list instance
Context configure system security cpu-protection policy number
Tree policy
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

[policy-id] number
Synopsis Policy ID
Context configure system security cpu-protection policy number
Tree policy
Range 1 to 255

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

alarm boolean
Synopsis Generate an event when the rate is exceeded
Context configure system security cpu-protection policy number alarm boolean
Tree alarm

Description

When configured to true, an event is generated when the rate is exceeded. The event includes information about the offending source. Only one event is generated per monitor period.

When configured to false, notifications are disabled.

Default true
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

eth-cfm
Synopsis Enter the eth-cfm context
Context configure system security cpu-protection policy number eth-cfm
Tree eth-cfm

Description

Commands in this context configure CPU policy entries that determine match criteria and overall arrival rate of the Ethernet Connectivity and Fault Management (ETH-CFM) packets at the CPU.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

entry [id] number
Synopsis Enter the entry list instance
Context configure system security cpu-protection policy number eth-cfm entry number
Tree entry
Max. Instances 10
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

[id] number
Synopsis Entry ID
Context configure system security cpu-protection policy number eth-cfm entry number
Tree entry
Range 1 to 100

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

level start number end number
Synopsis Add a list entry for level
Context configure system security cpu-protection policy number eth-cfm entry number level start number end number
Tree level

Description

Commands in this context specify the range of domain levels for the match criterion.

Min. Instances 1
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

opcode start number end number
Synopsis Add a list entry for opcode
Context configure system security cpu-protection policy number eth-cfm entry number opcode start number end number
Tree opcode

Description

Commands in this context specify the range of operational codes (that identify the application) for the match criterion.

Min. Instances 1
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

pir (number | keyword)
Synopsis Packet arrival rate limit
Context configure system security cpu-protection policy number eth-cfm entry number pir (number | keyword)
Tree pir
Range 0 to 65534
Units packets per second
Options max
Default max
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

out-profile-rate
Synopsis Enter the out-profile-rate context
Context configure system security cpu-protection policy number out-profile-rate
Tree out-profile-rate
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

pir (number | keyword)
Synopsis Packet arrival rate limit
Context configure system security cpu-protection policy number out-profile-rate pir (number | keyword)
Tree pir
Range 1 to 65534
Units packets per second
Options max
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

overall-rate (number | keyword)
Synopsis Packet arrival rate limit for all packets
Context configure system security cpu-protection policy number overall-rate (number | keyword)
Tree overall-rate
Range 1 to 65534
Units packets per second
Options max
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

per-source-parameters
Synopsis Enter the per-source-parameters context
Context configure system security cpu-protection policy number per-source-parameters
Tree per-source-parameters
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

ip-src-monitoring
Synopsis Enter the ip-src-monitoring context
Context configure system security cpu-protection policy number per-source-parameters ip-src-monitoring
Tree ip-src-monitoring
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

per-source-rate (number | keyword)
Synopsis Per-source packet arrival rate limit
Context configure system security cpu-protection policy number per-source-rate (number | keyword)
Tree per-source-rate

Description

This command configures the per-source packet arrival rate limit.

A source is defined as a unique combination of SAP and MAC source address or SAP and source IP address. The CPU receives no more than the specified packet rate from each source. The measurement is cleared every second.

This configuration is applicable only if the policy is assigned to an interface (such as SAPs, subscriber interfaces, and spoke SDPs), and MAC monitoring or IP source monitoring is specified in the CPU protection configuration of the interface.

Range 1 to 65534
Units packets per second
Options max
Default max
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS
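
The per-source limit described above, as an added Python model that is not SR OS code or part of the original reference: packets are counted per (SAP, source address) and the counters are cleared at each one-second boundary. The function names, integer-millisecond timestamps, SAP identifiers and addresses are constructed for this example; the second helper measures what the one-second clearing means for sizing, namely how many packets one source can get admitted within any sliding second.

```python
from collections import defaultdict

WINDOW_MS = 1000  # "The measurement is cleared every second"


def police_per_source(packets, per_source_rate):
    """Apply a per-source packet limit with counters cleared every second.

    packets: iterable of (timestamp_ms, sap, source_address).
    Returns (admitted, dropped): admitted maps each (sap, source) key to the
    list of admitted timestamps, dropped maps it to a discard count.
    """
    counts = defaultdict(int)
    admitted = defaultdict(list)
    dropped = defaultdict(int)
    current_window = None
    for t_ms, sap, source in sorted(packets):
        window = t_ms // WINDOW_MS
        if window != current_window:      # one-second boundary: clear counters
            counts.clear()
            current_window = window
        key = (sap, source)               # a source is SAP + MAC or SAP + IP
        counts[key] += 1
        if counts[key] <= per_source_rate:
            admitted[key].append(t_ms)
        else:
            dropped[key] += 1
    return admitted, dropped


def peak_in_any_second(times_ms):
    """Largest number of timestamps that fall inside any sliding second."""
    best = start = 0
    for end, t in enumerate(times_ms):
        while t - times_ms[start] >= WINDOW_MS:
            start += 1
        best = max(best, end - start + 1)
    return best


# --- Constructed traffic (documentation MAC and IPv6 ranges) ---
NOISY = ("1/1/1:100", "00:00:5e:00:53:01")     # 40 packets across a boundary
SAME_MAC_OTHER_SAP = ("1/1/2:200", "00:00:5e:00:53:01")
QUIET = ("1/1/1:100", "2001:db8::10")          # 5 packets per second

SAMPLE_PACKETS = (
    [(900 + 5 * i, *NOISY) for i in range(40)]
    + [(910 + i, *SAME_MAC_OTHER_SAP) for i in range(10)]
    + [(200 * i, *QUIET) for i in range(10)]
)

if __name__ == "__main__":
    admitted, dropped = police_per_source(SAMPLE_PACKETS, per_source_rate=10)
    for key in (NOISY, SAME_MAC_OTHER_SAP, QUIET):
        print(key, "admitted", len(admitted[key]), "dropped", dropped[key],
              "peak per sliding second", peak_in_any_second(admitted[key]))
```

With a rate of 10, the noisy source has 20 of its 40 packets admitted, all within 150 ms, because the counter is cleared between the two bursts; size downstream queues for up to twice the configured rate per source.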

port-overall-rate
Synopsis Enter the port-overall-rate context
Context configure system security cpu-protection port-overall-rate
Tree port-overall-rate
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

action-low-priority boolean
Synopsis Mark packets that exceed the rate as low-priority
Context configure system security cpu-protection port-overall-rate action-low-priority boolean
Tree action-low-priority

Description

When configured to true, packets that exceed the per-port packet arrival rate limit are marked as low priority for preferential discard later (if there is congestion in the control plane) rather than discarded immediately.

Default false
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

pir (number | keyword)
Synopsis Per-port packet arrival rate limit
Context configure system security cpu-protection port-overall-rate pir (number | keyword)
Tree pir
Range 1 to 65535
Units packets per second
Options max
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

protocol-protection
Synopsis Enable the protocol-protection context
Context configure system security cpu-protection protocol-protection
Tree protocol-protection

Description

When enabled, the network processor on the CPM discards all packets received for protocols that are not configured on the interface. This action helps to mitigate DoS attacks by filtering invalid control traffic before it ingresses the CPU. For example, if IS-IS is not configured on an interface, protocol protection discards any IS-IS packets received on the interface.

Commands in this context further define the action when the context is enabled.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

allow-sham-links boolean
Synopsis Allow OSPF sham link traffic
Context configure system security cpu-protection protocol-protection allow-sham-links boolean
Tree allow-sham-links

Description

When configured to true, tunneled OSPF packets received over the backbone network must be explicitly allowed when OSPF sham links form an adjacency over the MPLS-VPRN backbone network.

Default false
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

block-pim-tunneled boolean
Synopsis Block extraction and processing of PIM packets
Context configure system security cpu-protection protocol-protection block-pim-tunneled boolean
Tree block-pim-tunneled

Description

When configured to true, PIM packets arriving at the SR OS node inside a tunnel (for example, MPLS or GRE) on a network interface are blocked and not processed. Traffic is not switched from the (*,G) to the (S,G) tree for PIM in an mVPN on the egress DR.

Default false
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

dist-cpu-protection
Synopsis Enter the dist-cpu-protection context
Context configure system security dist-cpu-protection
Tree dist-cpu-protection

Description

Commands in this context configure distributed CPU protection (DCP) attributes.

Introduced 16.0.R1

Platforms

All

policy [policy-name] string
Synopsis Enter the policy list instance
Context configure system security dist-cpu-protection policy string
Tree policy

Description

Commands in this context configure the attributes of DCP policies. These policies can be applied to objects such as SAPs, network interfaces, or ports.

Max. Instances 130
Introduced 16.0.R1

Platforms

All

local-monitoring-policer [policer-name] string
Synopsis Enter the local-monitoring-policer list instance
Context configure system security dist-cpu-protection policy string local-monitoring-policer string
Tree local-monitoring-policer
Max. Instances 1
Introduced 16.0.R1

Platforms

All

log-events keyword
Synopsis Control of log events creation for status and activity
Context configure system security dist-cpu-protection policy string local-monitoring-policer string log-events keyword
Tree log-events

Description

This command controls the creation of log events related to the status and activity of the local monitoring policer.

Options false, true, verbose
Default true
Introduced 16.0.R1

Platforms

All

rate
Synopsis Enter the rate context
Context configure system security dist-cpu-protection policy string local-monitoring-policer string rate
Tree rate

Description

Commands in this context specify the rate and burst tolerance for the policer.

The actual hardware may not be able to perfectly rate limit to the exact configured parameters. In this case, the configured parameters will be adapted to the closest supported rate.

Introduced 16.0.R1

Platforms

All

kbps
Synopsis Enter the kbps context
Context configure system security dist-cpu-protection policy string local-monitoring-policer string rate kbps
Tree kbps

Notes

The following elements are part of a choice: kbps or packets.

Introduced 16.0.R1

Platforms

All

packets
Synopsis Enter the packets context
Context configure system security dist-cpu-protection policy string local-monitoring-policer string rate packets
Tree packets

Notes

The following elements are part of a choice: kbps or packets.

Introduced 16.0.R1

Platforms

All

initial-delay number
Synopsis Additional packets allowed in an initial burst
Context configure system security dist-cpu-protection policy string local-monitoring-policer string rate packets initial-delay number
Tree initial-delay

Description

This command specifies the number of packets allowed in an initial burst (or a burst after the policer bucket has drained to zero) in addition to the packets per interval limit. The typical setting would be a value equal to the number of received packets in several full handshakes or negotiations of the protocol.

Range 0 to 255
Units packets
Default 0
Introduced 16.0.R1

Platforms

All

protocol [protocol-name] keyword
Synopsis Enter the protocol list instance
Context configure system security dist-cpu-protection policy string protocol keyword
Tree protocol
Introduced 16.0.R1

Platforms

All

[protocol-name] keyword
Synopsis Protocol name
Context configure system security dist-cpu-protection policy string protocol keyword
Tree protocol
Options arp, dhcp, http-redirect, icmp, igmp, mld, ndis, pppoe-pppoa, all-unspecified, mpls-ttl, bfd-cpm, bgp, eth-cfm, isis, ldp, ospf, pim, rsvp, icmp-ping-check, lacp, vrrp, multi-chassis, multi-chassis-sync, bfd, ftp, icmp-v4, icmp-v6, l3-to-my-ipv4, l3-to-my-ipv6, lsp-ping, mc-lag, mcast-snooping, radius, rip, sbfd-reflector, snmp, ssh, stp, tacacs, telnet, tftp, twamp

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

All

dynamic-parameters
Synopsis Enter the dynamic-parameters context
Context configure system security dist-cpu-protection policy string protocol keyword dynamic-parameters
Tree dynamic-parameters
Introduced 16.0.R1

Platforms

All

exceed-action
Synopsis Enter the exceed-action context
Context configure system security dist-cpu-protection policy string protocol keyword dynamic-parameters exceed-action
Tree exceed-action

Description

Commands in this context specify the settings for the scenario when the configured policer rates are exceeded.

Introduced 16.0.R1

Platforms

All

hold-down (keyword | number)
Synopsis Hold down behavior
Context configure system security dist-cpu-protection policy string protocol keyword dynamic-parameters exceed-action hold-down (keyword | number)
Tree hold-down

Description

This command specifies the behavior when the system detects that an enforcement policer has marked or discarded one or more packets and there is no action specified for the scenario when the rates are exceeded.

The hold time condition is cleared after the specified time has expired. The detection time (the minimum time that the policer remains allocated) begins after the hold down is complete. The hold down behavior is not applicable to a local monitoring policer.

An indefinite hold down behavior must be cleared using the tools perform security dist-cpu-protection release-hold-down command.

Range 1 to 10080
Units seconds
Options indefinite, none
Default none
Introduced 16.0.R1

Platforms

All

rate
Synopsis Enter the rate context
Context configure system security dist-cpu-protection policy string protocol keyword dynamic-parameters rate
Tree rate

Description

Commands in this context specify the rate and burst tolerance for the policer.

The actual hardware may not be able to perfectly rate limit to the exact configured parameters. In this case, the configured parameters will be adapted to the closest supported rate.

Introduced 16.0.R1

Platforms

All

kbps
Synopsis Enter the kbps context
Context configure system security dist-cpu-protection policy string protocol keyword dynamic-parameters rate kbps
Tree kbps

Notes

The following elements are part of a choice: kbps or packets.

Introduced 16.0.R1

Platforms

All

packets
Synopsis Enter the packets context
Context configure system security dist-cpu-protection policy string protocol keyword dynamic-parameters rate packets
Tree packets

Notes

The following elements are part of a choice: kbps or packets.

Introduced 16.0.R1

Platforms

All

initial-delay number
Synopsis Additional packets allowed in an initial burst
Context configure system security dist-cpu-protection policy string protocol keyword dynamic-parameters rate packets initial-delay number
Tree initial-delay

Description

This command specifies the number of packets allowed in an initial burst (or a burst after the policer bucket has drained to zero) in addition to the packets per interval limit. The typical setting would be a value equal to the number of received packets in several full handshakes or negotiations of the protocol.

Range 0 to 255
Units packets
Default 0
Introduced 16.0.R1

Platforms

All

enforcement
Synopsis Enter the enforcement context
Context configure system security dist-cpu-protection policy string protocol keyword enforcement
Tree enforcement
Introduced 16.0.R1

Platforms

All

dynamic
Synopsis Enter the dynamic context
Context configure system security dist-cpu-protection policy string protocol keyword enforcement dynamic
Tree dynamic

Notes

The following elements are part of a choice: dynamic, dynamic-local-mon-bypass, shared, or static.

Introduced 16.0.R1

Platforms

All

mon-policer-name reference
Synopsis Dynamic enforcement policer for the protocol
Context configure system security dist-cpu-protection policy string protocol keyword enforcement dynamic mon-policer-name reference
Tree mon-policer-name

Description

This command specifies the dynamic enforcement policer that is instantiated when the associated local monitoring policer is determined to be in a nonconforming state (at the end of a minimum monitoring time of 60 seconds to reduce thrashing).

Reference

configure system security dist-cpu-protection policy string local-monitoring-policer string

Introduced 16.0.R1

Platforms

All

dynamic-local-mon-bypass
Synopsis Do not include packets in the local monitoring function
Context configure system security dist-cpu-protection policy string protocol keyword enforcement dynamic-local-mon-bypass
Tree dynamic-local-mon-bypass

Description

When configured, packets from the protocol are not included in the local monitoring function and the dynamic enforcement policer is not instantiated for the protocol.

Notes

The following elements are part of a choice: dynamic, dynamic-local-mon-bypass, shared, or static.

Introduced 16.0.R1

Platforms

All

static
Synopsis Enter the static context
Context configure system security dist-cpu-protection policy string protocol keyword enforcement static
Tree static

Notes

The following elements are part of a choice: dynamic, dynamic-local-mon-bypass, shared, or static.

Introduced 16.0.R1

Platforms

All

static-policer [policer-name] string
Synopsis Enter the static-policer list instance
Context configure system security dist-cpu-protection policy string static-policer string
Tree static-policer

Description

Commands in this context configure a static enforcement policer that can be referenced by one or more protocols in the policy. When a policer is referenced by a protocol, the policer is instantiated for each object (for example, a SAP or network interface) that is created and references the policer.

If no policer resources are available on the associated card or FP, the object is not created.

Max. Instances 18
Introduced 16.0.R1

Platforms

All

exceed-action
Synopsis Enter the exceed-action context
Context configure system security dist-cpu-protection policy string static-policer string exceed-action
Tree exceed-action

Description

Commands in this context specify the settings for the scenario when the configured policer rates are exceeded.

Introduced 16.0.R1

Platforms

All

hold-down (keyword | number)
Synopsis Hold down behavior
Context configure system security dist-cpu-protection policy string static-policer string exceed-action hold-down (keyword | number)
Tree hold-down

Description

This command specifies the behavior when the system detects that an enforcement policer has marked or discarded one or more packets and there is no action specified for the scenario when the rates are exceeded.

The hold time condition is cleared after the specified time has expired. The detection time (the minimum time that the policer remains allocated) begins after the hold down is complete. The hold down behavior is not applicable to a local monitoring policer.

An indefinite hold down behavior must be cleared using the tools perform security dist-cpu-protection release-hold-down command.

Range 1 to 10080
Units seconds
Options indefinite, none
Default none
Introduced 16.0.R1

Platforms

All

log-events keyword
Synopsis Control of log events creation for status and activity
Context configure system security dist-cpu-protection policy string static-policer string log-events keyword
Tree log-events

Description

This command controls the creation of log events related to the status and activity of the local monitoring policer.

Options false, true, verbose
Default true
Introduced 16.0.R1

Platforms

All

rate
Synopsis Enter the rate context
Context configure system security dist-cpu-protection policy string static-policer string rate
Tree rate

Description

Commands in this context specify the rate and burst tolerance for the policer.

The actual hardware may not be able to perfectly rate limit to the exact configured parameters. In this case, the configured parameters will be adapted to the closest supported rate.

Introduced 16.0.R1

Platforms

All

kbps
Synopsis Enter the kbps context
Context configure system security dist-cpu-protection policy string static-policer string rate kbps
Tree kbps

Notes

The following elements are part of a choice: kbps or packets.

Introduced 16.0.R1

Platforms

All

packets
Synopsis Enter the packets context
Context configure system security dist-cpu-protection policy string static-policer string rate packets
Tree packets

Notes

The following elements are part of a choice: kbps or packets.

Introduced 16.0.R1

Platforms

All

initial-delay number
Synopsis Additional packets allowed in an initial burst
Context configure system security dist-cpu-protection policy string static-policer string rate packets initial-delay number
Tree initial-delay

Description

This command specifies the number of packets allowed in an initial burst (or a burst after the policer bucket has drained to zero) in addition to the packets per interval limit. The typical setting would be a value equal to the number of received packets in several full handshakes or negotiations of the protocol.

Range 0 to 255
Units packets
Default 0
Introduced 16.0.R1

Platforms

All

type keyword
WARNING:

Modifying this element recreates the parent element automatically for the new value to take effect.

Synopsis Policy type
Context configure system security dist-cpu-protection policy string type keyword
Tree type
Options access-network, port
Introduced 21.5.R1

Platforms

All

dot1x
Synopsis Enter the dot1x context
Context configure system security dot1x
Tree dot1x
Introduced 16.0.R1

Platforms

All

admin-state keyword
Synopsis Administrative state of 802.1x network access control
Context configure system security dot1x admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 16.0.R1

Platforms

All

radius-policy [policy-name] string
Synopsis Enter the radius-policy list instance
Context configure system security dot1x radius-policy string
Tree radius-policy
Introduced 16.0.R1

Platforms

All

[policy-name] string
Synopsis RADIUS server policy name for 802.1X authentication
Context configure system security dot1x radius-policy string
Tree radius-policy
String Length 1 to 32

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

All

retry number
Synopsis Number of RADIUS requests toward the same RADIUS server
Context configure system security dot1x radius-policy string retry number
Tree retry
Range 1 to 10
Default 3
Introduced 16.0.R1

Platforms

All

server [server-index] number
Synopsis Enter the server list instance
Context configure system security dot1x radius-policy string server number
Tree server
Max. Instances 5
Introduced 16.0.R1

Platforms

All

[server-index] number
Synopsis RADIUS server index
Context configure system security dot1x radius-policy string server number
Tree server
Range 1 to 5

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

All

secret string
Synopsis Secret key associated with the RADIUS server
Context configure system security dot1x radius-policy string server number secret string
Tree secret
String Length 1 to 54

Notes

This element is mandatory.

Introduced 16.0.R1

Platforms

All

type keyword
Synopsis RADIUS server type
Context configure system security dot1x radius-policy string server number type keyword
Tree type
Options authorization, accounting, combined
Default authorization
Introduced 16.0.R1

Platforms

All

ftp-server boolean
Synopsis Enable FTP servers running on the system
Context configure system security ftp-server boolean
Tree ftp-server
Default false
Introduced 16.0.R1

Platforms

All

hash-control
Synopsis Enter the hash-control context
Context configure system security hash-control
Tree hash-control
Introduced 16.0.R4

Platforms

All

management-interface
Synopsis Enter the management-interface context
Context configure system security hash-control management-interface
Tree management-interface

Description

Commands in this context configure encryption parameters for different management interfaces.

Introduced 16.0.R4

Platforms

All

classic-cli
Synopsis Enter the classic-cli context
Context configure system security hash-control management-interface classic-cli
Tree classic-cli
Introduced 16.0.R4

Platforms

All

read-algorithm keyword
Synopsis Input encryption algorithm for configuration secrets
Context configure system security hash-control management-interface classic-cli read-algorithm keyword
Tree read-algorithm

Description

This command specifies how encrypted configuration secrets are interpreted and which encryption types are accepted when secrets are input into the system or read from a configuration file (for example, at system bootup time).

Options all-hash, hash, hash2, custom
Default all-hash
Introduced 16.0.R4

Platforms

All

write-algorithm keyword
Synopsis Output encryption algorithm for configuration secrets
Context configure system security hash-control management-interface classic-cli write-algorithm keyword
Tree write-algorithm

Description

This command specifies the format of the output for encrypted configuration secrets (for example, in the saved configuration file, or in the output of the info or show commands).

Options cleartext, hash, hash2, custom
Default hash2
Introduced 16.0.R4

Platforms

All

grpc
Synopsis Enter the grpc context
Context configure system security hash-control management-interface grpc
Tree grpc
Introduced 16.0.R4

Platforms

All

md-cli
Synopsis Enter the md-cli context
Context configure system security hash-control management-interface md-cli
Tree md-cli
Introduced 16.0.R4

Platforms

All

netconf
Synopsis Enter the netconf context
Context configure system security hash-control management-interface netconf
Tree netconf
Introduced 16.0.R4

Platforms

All

keychains
Synopsis Enter the keychains context
Context configure system security keychains
Tree keychains
Introduced 16.0.R1

Platforms

All

keychain [keychain-name] string
Synopsis Enter the keychain list instance
Context configure system security keychains keychain string
Tree keychain
Max. Instances 256
Introduced 16.0.R1

Platforms

All

[keychain-name] string
Synopsis Keychain name
Context configure system security keychains keychain string
Tree keychain
String Length 1 to 32

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

All

bidirectional
Synopsis Enter the bidirectional context
Context configure system security keychains keychain string bidirectional
Tree bidirectional
Introduced 16.0.R1

Platforms

All

entry [keychain-entry-index] number
Synopsis Enter the entry list instance
Context configure system security keychains keychain string bidirectional entry number
Tree entry
Introduced 16.0.R1

Platforms

All

algorithm keyword
WARNING:

Modifying this element recreates the parent element automatically for the new value to take effect.

Synopsis Encryption algorithm used by the keychain key
Context configure system security keychains keychain string bidirectional entry number algorithm keyword
Tree algorithm
Options aes-128-cmac-96, hmac-sha-1-96, password, message-digest, hmac-md5, hmac-sha-1, hmac-sha-256, aes-128-gcm-16, aes-128-cmac-128
Introduced 16.0.R1

Platforms

All

receive
Synopsis Enter the receive context
Context configure system security keychains keychain string receive
Tree receive
Introduced 16.0.R1

Platforms

All

entry [keychain-entry-index] number
Synopsis Enter the entry list instance
Context configure system security keychains keychain string receive entry number
Tree entry
Introduced 16.0.R1

Platforms

All

[keychain-entry-index] number
Synopsis Keychain identifier
Context configure system security keychains keychain string receive entry number
Tree entry
Range 0 to 63 | 255

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

All

algorithm keyword
WARNING:

Modifying this element recreates the parent element automatically for the new value to take effect.

Synopsis Encryption algorithm used by the keychain key
Context configure system security keychains keychain string receive entry number algorithm keyword
Tree algorithm
Options aes-128-cmac-96, hmac-sha-1-96, password, message-digest, hmac-md5, hmac-sha-1, hmac-sha-256, aes-128-gcm-16, aes-128-cmac-128
Introduced 16.0.R1

Platforms

All

tolerance (number | keyword)
Synopsis Time eligible receive key overlaps with active send key
Context configure system security keychains keychain string receive entry number tolerance (number | keyword)
Tree tolerance
Range 0 to 4294967294
Units seconds
Options infinite
Default 300
Introduced 16.0.R1

Platforms

All

send
Synopsis Enter the send context
Context configure system security keychains keychain string send
Tree send
Introduced 16.0.R1

Platforms

All

entry [keychain-entry-index] number
Synopsis Enter the entry list instance
Context configure system security keychains keychain string send entry number
Tree entry
Introduced 16.0.R1

Platforms

All

[keychain-entry-index] number
Synopsis Keychain identifier
Context configure system security keychains keychain string send entry number
Tree entry
Range 0 to 63 | 255

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

All

algorithm keyword
WARNING:

Modifying this element recreates the parent element automatically for the new value to take effect.

Synopsis Encryption algorithm used by the keychain key
Context configure system security keychains keychain string send entry number algorithm keyword
Tree algorithm
Options aes-128-cmac-96, hmac-sha-1-96, password, message-digest, hmac-md5, hmac-sha-1, hmac-sha-256, aes-128-gcm-16, aes-128-cmac-128
Introduced 16.0.R1

Platforms

All

tcp-option-number
Synopsis Enter the tcp-option-number context
Context configure system security keychains keychain string tcp-option-number
Tree tcp-option-number
Introduced 16.0.R1

Platforms

All

management
Synopsis Enter the management context
Context configure system security management
Tree management

Description

Commands in this context control which management protocols can be used to access the SR OS router via the 'Base' and 'management' router instances.

Introduced 16.0.R5

Platforms

All

allow-ftp boolean
Synopsis Allow access to the FTP server
Context configure system security management allow-ftp boolean
Tree allow-ftp

Description

When configured to true, this command allows FTP access to the SR OS router via the 'Base' and 'management' router instances.

When configured to false, this command disallows access to the SR OS FTP server.

Default true
Introduced 16.0.R6

Platforms

All

allow-grpc boolean
Synopsis Allow access to the gRPC server
Context configure system security management allow-grpc boolean
Tree allow-grpc

Description

When configured to true, the system allows access to the gRPC server via the 'Base' and 'management' router instances.

Default true
Introduced 19.5.R1

Platforms

All

allow-netconf boolean
Synopsis Allow access to the NETCONF server
Context configure system security management allow-netconf boolean
Tree allow-netconf

Description

When configured to true, the system allows NETCONF server access to the SR OS router via the 'Base' and 'management' router instances.

Default true
Introduced 19.5.R1

Platforms

All

allow-ssh boolean
Synopsis Allow access to the SSH server
Context configure system security management allow-ssh boolean
Tree allow-ssh

Description

When configured to true, this command allows SSH server access to the SR OS router via the 'Base' and 'management' router instances.

When configured to false, this command disallows SSH server access.

Default true
Introduced 16.0.R5

Platforms

All

allow-telnet boolean
Synopsis Allow access to the IPv4 Telnet server
Context configure system security management allow-telnet boolean
Tree allow-telnet

Description

When configured to true, the system allows IPv4 Telnet server access to the SR OS router via the 'Base' and 'management' router instances.

When configured to false, access to the IPv4 Telnet server is not allowed.

Default true
Introduced 16.0.R5

Platforms

All

allow-telnet6 boolean
Synopsis Allow access to the Telnet IPv6 server
Context configure system security management allow-telnet6 boolean
Tree allow-telnet6

Description

When configured to true, the system allows IPv6 Telnet server access to the SR OS router via the 'Base' and 'management' router instances.

When configured to false, the system prevents access to the IPv6 Telnet server.

Default true
Introduced 16.0.R5

Platforms

All

management-access-filter
Synopsis Enter the management-access-filter context
Context configure system security management-access-filter
Tree management-access-filter

Description

Commands in this context configure the attributes for management access filters.

Management access filters control all traffic in and out of the CPM. The filters can be used to restrict management of the router by other nodes outside of specific networks (or sub-networks) or through designated ports.

Management filters are enforced by the system software.

Introduced 16.0.R4

Platforms

All

ip-filter
Synopsis Enter the ip-filter context
Context configure system security management-access-filter ip-filter
Tree ip-filter
Introduced 16.0.R4

Platforms

All

default-action keyword
Synopsis Default action for the management access filter
Context configure system security management-access-filter ip-filter default-action keyword
Tree default-action

Description

This command specifies the default action for management access in the absence of a specific management access filter match.

Options ignore-match, accept, drop, reject
Default ignore-match
Introduced 16.0.R4

Platforms

All

entry [entry-id] number
Synopsis Enter the entry list instance
Context configure system security management-access-filter ip-filter entry number
Tree entry
Introduced 16.0.R4

Platforms

All

[entry-id] number
Synopsis Entry ID to identify the match criteria and the action
Context configure system security management-access-filter ip-filter entry number
Tree entry

Description

This command specifies the entry ID to identify the match criteria and the corresponding action. It is recommended that entries are numbered in staggered increments. This allows users to insert a new entry in an existing policy without having to renumber the existing entries.

Range 1 to 9999

Notes

This element is part of a list key.

Introduced 16.0.R4

Platforms

All

action keyword
Synopsis Action associated with the management access filter
Context configure system security management-access-filter ip-filter entry number action keyword
Tree action

Description

This command specifies the action associated with the management access filter match criteria entry.

If the packet does not meet any of the match criteria, the configured default action is applied.

Options ignore-match, accept, drop, reject
Default ignore-match
Introduced 16.0.R4

Platforms

All

log-events boolean
Synopsis Enable match logging
Context configure system security management-access-filter ip-filter entry number log-events boolean
Tree log-events

Description

When configured to true, this command enables match logging. When enabled, matches on the entry cause the Security event mafEntryMatch to be raised.

When configured to false, match logging is disabled.

Default false
Introduced 16.0.R4

Platforms

All

match
Synopsis Enter the match context
Context configure system security management-access-filter ip-filter entry number match
Tree match

Description

Commands in this context specify match criteria for the entry.

Introduced 16.0.R4

Platforms

All

dst-port
Synopsis Enable the dst-port context
Context configure system security management-access-filter ip-filter entry number match dst-port
Tree dst-port
Introduced 16.0.R4

Platforms

All

mgmt-port
Synopsis Enter the mgmt-port context
Context configure system security management-access-filter ip-filter entry number match mgmt-port
Tree mgmt-port

Description

Commands in this context specify match criteria based on the Ethernet port.

Introduced 16.0.R4

Platforms

All

protocol (number | keyword)
Synopsis IP protocol as the match criterion
Context configure system security management-access-filter ip-filter entry number match protocol (number | keyword)
Tree protocol
Range 0 to 255
Options tcp-udp, icmp, igmp, ip, tcp, egp, igp, udp, rdp, ipv6, ipv6-route, ipv6-frag, idrp, rsvp, gre, ipv6-icmp, ipv6-no-nxt, ipv6-opts, iso-ip, eigrp, ospf-igp, ether-ip, encap, pnni, pim, vrrp, l2tp, stp, ptp, isis, crtp, crudp, sctp
Introduced 16.0.R4

Platforms

All

src-ip
Synopsis Enter the src-ip context
Context configure system security management-access-filter ip-filter entry number match src-ip
Tree src-ip

Description

Commands in this context specify match criteria based on the source IP address.

Introduced 16.0.R4

Platforms

All

src-port
Synopsis Enable the src-port context
Context configure system security management-access-filter ip-filter entry number match src-port
Tree src-port
Introduced 21.7.R1

Platforms

All

ipv6-filter
Synopsis Enter the ipv6-filter context
Context configure system security management-access-filter ipv6-filter
Tree ipv6-filter
Introduced 16.0.R4

Platforms

All

default-action keyword
Synopsis Default action for the management access filter
Context configure system security management-access-filter ipv6-filter default-action keyword
Tree default-action

Description

This command specifies the default action for management access in the absence of a specific management access filter match.

Options ignore-match, accept, drop, reject
Default ignore-match
Introduced 16.0.R4

Platforms

All

entry [entry-id] number
Synopsis Enter the entry list instance
Context configure system security management-access-filter ipv6-filter entry number
Tree entry
Introduced 16.0.R4

Platforms

All

[entry-id] number
Synopsis Entry ID to identify the match criteria and the action
Context configure system security management-access-filter ipv6-filter entry number
Tree entry

Description

This command specifies the entry ID to identify the match criteria and the corresponding action. It is recommended that entries are numbered in staggered increments. This allows users to insert a new entry in an existing policy without having to renumber the existing entries.

Range 1 to 9999

Notes

This element is part of a list key.

Introduced 16.0.R4

Platforms

All

action keyword
Synopsis Action associated with the management access filter
Context configure system security management-access-filter ipv6-filter entry number action keyword
Tree action

Description

This command specifies the action associated with the management access filter match criteria entry.

If the packet does not meet any of the match criteria, the configured default action is applied.

Options ignore-match, accept, drop, reject
Default ignore-match
Introduced 16.0.R4

Platforms

All

log-events boolean
Synopsis Enable match logging
Context configure system security management-access-filter ipv6-filter entry number log-events boolean
Tree log-events

Description

When configured to true, this command enables match logging. When enabled, matches on the entry cause the Security event mafEntryMatch to be raised.

When configured to false, match logging is disabled.

Default false
Introduced 16.0.R4

Platforms

All

match
Synopsis Enter the match context
Context configure system security management-access-filter ipv6-filter entry number match
Tree match

Description

Commands in this context specify match criteria for the entry.

Introduced 16.0.R4

Platforms

All

dst-port
Synopsis Enable the dst-port context
Context configure system security management-access-filter ipv6-filter entry number match dst-port
Tree dst-port

Description

Commands in this context specify match criteria based on the destination port.

Introduced 16.0.R4

Platforms

All

mgmt-port
Synopsis Enter the mgmt-port context
Context configure system security management-access-filter ipv6-filter entry number match mgmt-port
Tree mgmt-port

Description

Commands in this context specify match criteria based on the Ethernet port.

Introduced 16.0.R4

Platforms

All

next-header (number | keyword)
Synopsis IP protocol to match
Context configure system security management-access-filter ipv6-filter entry number match next-header (number | keyword)
Tree next-header
Range 0 to 255
Options tcp-udp, icmp, igmp, ip, tcp, egp, igp, udp, rdp, ipv6, ipv6-route, ipv6-frag, idrp, rsvp, gre, ipv6-icmp, ipv6-no-nxt, ipv6-opts, iso-ip, eigrp, ospf-igp, ether-ip, encap, pnni, pim, vrrp, l2tp, stp, ptp, isis, crtp, crudp, sctp
Introduced 16.0.R4

Platforms

All

src-ip
Synopsis Enter the src-ip context
Context configure system security management-access-filter ipv6-filter entry number match src-ip
Tree src-ip

Description

Commands in this context specify match criteria based on the source IP address.

Introduced 16.0.R4

Platforms

All

src-port
Synopsis Enable the src-port context
Context configure system security management-access-filter ipv6-filter entry number match src-port
Tree src-port

Description

Commands in this context specify match criteria based on the source port.

Introduced 21.7.R1

Platforms

All

mac-filter
Synopsis Enter the mac-filter context
Context configure system security management-access-filter mac-filter
Tree mac-filter
Introduced 16.0.R4

Platforms

All

default-action keyword
Synopsis Default action for the management access filter
Context configure system security management-access-filter mac-filter default-action keyword
Tree default-action

Description

This command specifies the default action for management access in the absence of a specific management access filter match.

Options ignore-match, accept, drop
Default ignore-match
Introduced 16.0.R4

Platforms

All

entry [entry-id] number
Synopsis Enter the entry list instance
Context configure system security management-access-filter mac-filter entry number
Tree entry
Introduced 16.0.R4

Platforms

All

[entry-id] number
Synopsis Entry ID to identify the match criteria and the action
Context configure system security management-access-filter mac-filter entry number
Tree entry

Description

This command specifies the entry ID to identify the match criteria and the corresponding action. It is recommended that entries are numbered in staggered increments. This allows users to insert a new entry in an existing policy without having to renumber the existing entries.

Range 1 to 9999

Notes

This element is part of a list key.

Introduced 16.0.R4

Platforms

All

action keyword
Synopsis Action associated with the management access filter
Context configure system security management-access-filter mac-filter entry number action keyword
Tree action

Description

This command specifies the action associated with the management access filter match criteria entry.

If the packet does not meet any of the match criteria, the configured default action is applied.

Options ignore-match, accept, drop
Default ignore-match
Introduced 16.0.R4

Platforms

All

log-events boolean
Synopsis Enable match logging
Context configure system security management-access-filter mac-filter entry number log-events boolean
Tree log-events

Description

When configured to true, this command enables match logging. When enabled, matches on the entry cause the Security event mafEntryMatch to be raised.

When configured to false, match logging is disabled.

Default false
Introduced 16.0.R4

Platforms

All

match
Synopsis Enter the match context
Context configure system security management-access-filter mac-filter entry number match
Tree match

Description

Commands in this context specify match criteria for the entry.

Introduced 16.0.R4

Platforms

All

cfm-opcode
Synopsis Enter the cfm-opcode context
Context configure system security management-access-filter mac-filter entry number match cfm-opcode
Tree cfm-opcode

Description

Commands in this context specify match criteria based on the CFM opcode.

Introduced 16.0.R4

Platforms

All

range
Synopsis Enable the range context
Context configure system security management-access-filter mac-filter entry number match cfm-opcode range
Tree range

Notes

The following elements are part of a choice: eq, gt, lt, or range.

Introduced 16.0.R4

Platforms

All

dot1p
Synopsis Enable the dot1p context
Context configure system security management-access-filter mac-filter entry number match dot1p
Tree dot1p

Description

Commands in this context specify match criteria based on the IEEE 802.1p value.

Introduced 16.0.R4

Platforms

All

dst-mac
Synopsis Enable the dst-mac context
Context configure system security management-access-filter mac-filter entry number match dst-mac
Tree dst-mac

Description

Commands in this context specify match criteria based on the destination MAC.

Introduced 16.0.R4

Platforms

All

etype string
Synopsis Ethernet type II Ethertype value as the match criterion
Context configure system security management-access-filter mac-filter entry number match etype string
Tree etype

Description

This command specifies an Ethernet type II Ethertype value to be used as a MAC filter match criterion.

The Ethernet type field is used by the Ethernet version-II frames and does not apply to IEEE 802.3 Ethernet frames.

String Length 5 to 6
Introduced 16.0.R4

Platforms

All

llc-dsap
Synopsis Enable the llc-dsap context
Context configure system security management-access-filter mac-filter entry number match llc-dsap
Tree llc-dsap

Description

Commands in this context specify match criteria based on the Destination Service Access Point (DSAP).

Introduced 16.0.R4

Platforms

All

llc-ssap
Synopsis Enable the llc-ssap context
Context configure system security management-access-filter mac-filter entry number match llc-ssap
Tree llc-ssap

Description

Commands in this context specify match criteria based on the Source Service Access Point (SSAP).

Introduced 16.0.R4

Platforms

All

snap-oui keyword
Synopsis IEEE 802.3 LLC SNAP Ethernet Frame OUI value for match
Context configure system security management-access-filter mac-filter entry number match snap-oui keyword
Tree snap-oui

Description

This command specifies the IEEE 802.3 LLC SNAP Ethernet Frame OUI value as the MAC filter match criterion.

Options zero, non-zero
Introduced 16.0.R4

Platforms

All

snap-pid number
Synopsis IEEE 802.3 LLC SNAP Ethernet Frame PID as the match
Context configure system security management-access-filter mac-filter entry number match snap-pid number
Tree snap-pid

Description

This command specifies an IEEE 802.3 LLC SNAP Ethernet Frame PID value used as the MAC filter match criterion.

The SNAP PID match criterion is independent of the OUI field within the SNAP header. Two packets with different 3-byte OUI fields but the same PID field match the same filter entry based on a SNAP PID match criterion.

Range 0 to 65535
Introduced 16.0.R4

Platforms

All

src-mac
Synopsis Enable the src-mac context
Context configure system security management-access-filter mac-filter entry number match src-mac
Tree src-mac

Description

Commands in this context specify match criteria based on the source MAC.

Introduced 16.0.R4

Platforms

All

per-peer-queuing boolean
Synopsis Allow CPM hardware queuing per peer
Context configure system security per-peer-queuing boolean
Tree per-peer-queuing

Description

When configured to true, the router automatically allocates a separate CPM hardware queue for the peer when a peering session is established.

When configured to false, a separate CPM hardware queue is not allowed.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

pki
Synopsis Enter the pki context
Context configure system security pki
Tree pki
Introduced 16.0.R1

Platforms

All

ca-profile [ca-profile-name] string
Synopsis Enter the ca-profile list instance
Context configure system security pki ca-profile string
Tree ca-profile
Max. Instances 128
Introduced 16.0.R1

Platforms

All

[ca-profile-name] string
Synopsis CA profile name
Context configure system security pki ca-profile string
Tree ca-profile
String Length 1 to 32

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

All

auto-crl-update
Synopsis Enable the auto-crl-update context
Context configure system security pki ca-profile string auto-crl-update
Tree auto-crl-update
Introduced 16.0.R1

Platforms

All

crl-urls
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Enter the crl-urls context
Context configure system security pki ca-profile string auto-crl-update crl-urls
Tree crl-urls
Introduced 16.0.R1

Platforms

All

url-entry [entry-id] number
Synopsis Enter the url-entry list instance
Context configure system security pki ca-profile string auto-crl-update crl-urls url-entry number
Tree url-entry
Introduced 16.0.R1

Platforms

All

pre-update-time number
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Time prior to the next update time of the current CRL
Context configure system security pki ca-profile string auto-crl-update pre-update-time number
Tree pre-update-time
Range 0 to 31622400
Units seconds
Default 3600
Introduced 16.0.R1

Platforms

All

retry-interval number
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Interval before retrying to update CRL
Context configure system security pki ca-profile string auto-crl-update retry-interval number
Tree retry-interval
Range 0 to 31622400
Units seconds
Default 3600
Introduced 16.0.R1

Platforms

All

schedule-type keyword
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Time scheduler type for an automated CRL update
Context configure system security pki ca-profile string auto-crl-update schedule-type keyword
Tree schedule-type
Options next-update-based, periodic
Default next-update-based
Introduced 16.0.R1

Platforms

All

cert-file string
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Certificate file name
Context configure system security pki ca-profile string cert-file string
Tree cert-file
String Length 1 to 95
Introduced 16.0.R1

Platforms

All

cmpv2
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Enter the cmpv2 context
Context configure system security pki ca-profile string cmpv2
Tree cmpv2

Description

Commands in this context configure CMPv2 options.

Introduced 16.0.R1

Platforms

All

accept-unprotected-message
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Enter the accept-unprotected-message context
Context configure system security pki ca-profile string cmpv2 accept-unprotected-message
Tree accept-unprotected-message
Introduced 16.0.R1

Platforms

All

http
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Enter the http context
Context configure system security pki ca-profile string cmpv2 http
Tree http
Introduced 16.0.R1

Platforms

All

response-timeout number
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis HTTP response timeout
Context configure system security pki ca-profile string cmpv2 http response-timeout number
Tree response-timeout
Range 1 to 3600
Units seconds
Default 30
Introduced 16.0.R1

Platforms

All

version keyword
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis HTTP version for CMPv2 messages
Context configure system security pki ca-profile string cmpv2 http version keyword
Tree version
Options 1.0, 1.1
Default 1.1
Introduced 16.0.R1

Platforms

All

key-list
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Enter the key-list context
Context configure system security pki ca-profile string cmpv2 key-list
Tree key-list
Introduced 16.0.R1

Platforms

All

key [reference-number] string
Synopsis Enter the key list instance
Context configure system security pki ca-profile string cmpv2 key-list key string
Tree key
Max. Instances 128
Introduced 16.0.R1

Platforms

All

[reference-number] string
Synopsis Unique identifier for the CA initial authentication key
Context configure system security pki ca-profile string cmpv2 key-list key string
Tree key
String Length 1 to 64

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

All

recipient-subject string
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis DN attributes for recipient subject of CMPv2 requests
Context configure system security pki ca-profile string cmpv2 recipient-subject string
Tree recipient-subject
String Length 1 to 256

Notes

The following elements are part of a choice: recipient-subject or use-ca-subject.

Introduced 22.10.R1

Platforms

All

response-signing-cert string
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis File name of the certificate to verify CMPv2 responses
Context configure system security pki ca-profile string cmpv2 response-signing-cert string
Tree response-signing-cert

Description

This command specifies an imported certificate that is used to verify CMP response messages that are protected by signature.

When unconfigured, the CA's certificate is used.

String Length 1 to 95

Notes

The following elements are part of a choice: response-signing-cert or response-signing-use-extracert.

Introduced 16.0.R1

Platforms

All

response-signing-use-extracert
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Use extraCerts certificate to verify response signature
Context configure system security pki ca-profile string cmpv2 response-signing-use-extracert
Tree response-signing-use-extracert

Notes

The following elements are part of a choice: response-signing-cert or response-signing-use-extracert.

Introduced 22.10.R1

Platforms

All

signing-cert-subject string
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Subject DN attributes to identify signing certificate
Context configure system security pki ca-profile string cmpv2 signing-cert-subject string
Tree signing-cert-subject
String Length 1 to 256
Introduced 23.3.R1

Platforms

All

url
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Enter the url context
Context configure system security pki ca-profile string cmpv2 url
Tree url
Introduced 16.0.R1

Platforms

All

service-name string
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Administrative service name
Context configure system security pki ca-profile string cmpv2 url service-name string
Tree service-name
String Length 1 to 64

Notes

The following elements are part of a choice: service-name or transmission-profile.

Introduced 16.0.R1

Platforms

All

url-string http-optional-url-loose
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis URL for CMPv2
Context configure system security pki ca-profile string cmpv2 url url-string http-optional-url-loose
Tree url-string
String Length 1 to 180
Introduced 16.0.R1

Platforms

All

use-ca-subject
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Use subject DN in CA certificate as CMPv2 request recipient
Context configure system security pki ca-profile string cmpv2 use-ca-subject
Tree use-ca-subject

Notes

The following elements are part of a choice: recipient-subject or use-ca-subject.

Introduced 22.10.R1

Platforms

All

crl-file string
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Certificate Revocation List (CRL) file name
Context configure system security pki ca-profile string crl-file string
Tree crl-file
String Length 1 to 95
Introduced 16.0.R1

Platforms

All

ocsp
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Enter the ocsp context
Context configure system security pki ca-profile string ocsp
Tree ocsp
Introduced 16.0.R1

Platforms

All

responder-url http-optional-url-loose
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis HTTP URL of the OCSP responder for the CA
Context configure system security pki ca-profile string ocsp responder-url http-optional-url-loose
Tree responder-url
String Length 1 to 180
Introduced 16.0.R1

Platforms

All

service-name string
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Administrative service name
Context configure system security pki ca-profile string ocsp service-name string
Tree service-name
String Length 1 to 64
Introduced 16.0.R1

Platforms

All

revocation-check keyword
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Revocation method to check status of CA certificates
Context configure system security pki ca-profile string revocation-check keyword
Tree revocation-check
Options crl, crl-optional
Default crl
Introduced 16.0.R1

Platforms

All

certificate-auto-update [certificate-file-name] string
Synopsis Enter the certificate-auto-update list instance
Context configure system security pki certificate-auto-update string
Tree certificate-auto-update

Description

Commands in this context configure automatic certificate update associations.

Max. Instances 256
Introduced 22.10.R1

Platforms

All

certificate-expiration-warning
Synopsis Enter the certificate-expiration-warning context
Context configure system security pki certificate-expiration-warning
Tree certificate-expiration-warning
Introduced 16.0.R1

Platforms

All

certificate-update-profile [name] string
Synopsis Enter the certificate-update-profile list instance
Context configure system security pki certificate-update-profile string
Tree certificate-update-profile

Description

Commands in this context configure a certificate update profile that specifies the behavior of the automatic certificate update.

Max. Instances 256
Introduced 22.10.R1

Platforms

All

after-issue number
Synopsis Time for scheduler updates after certificate issuance
Context configure system security pki certificate-update-profile string after-issue number
Tree after-issue

Description

This command configures the time for scheduler updates after the certificate issue time.

Range 864000 to 157680000
Units seconds

Notes

The following elements are part of a choice: after-issue or before-expiry.

Introduced 22.10.R1

Platforms

All

before-expiry number
Synopsis Time scheduler updates before certificate expiry
Context configure system security pki certificate-update-profile string before-expiry number
Tree before-expiry

Description

This command configures the time that the scheduler updates before the certificate expiration time.

Range 3600 to 157680000
Units seconds
Default 86400

Notes

The following elements are part of a choice: after-issue or before-expiry.

Introduced 22.10.R1

Platforms

All

cmpv2
Synopsis Enter the cmpv2 context
Context configure system security pki certificate-update-profile string cmpv2
Tree cmpv2

Notes

The following elements are part of a choice: cmpv2 or est.

Introduced 22.10.R1

Platforms

All

dsa
Synopsis Enter the dsa context
Context configure system security pki certificate-update-profile string dsa
Tree dsa

Notes

The following elements are part of a choice: dsa, ecdsa, rsa, or same-as-existing-key.

Introduced 22.10.R1

Platforms

All

key-size number
Synopsis Length of the generated DSA key
Context configure system security pki certificate-update-profile string dsa key-size number
Tree key-size

Description

This command specifies that the newly generated key is a DSA key with the specified key length in bits.

Range 512 to 8192
Default 2048
Introduced 22.10.R1

Platforms

All

ecdsa
Synopsis Enter the ecdsa context
Context configure system security pki certificate-update-profile string ecdsa
Tree ecdsa

Notes

The following elements are part of a choice: dsa, ecdsa, rsa, or same-as-existing-key.

Introduced 22.10.R1

Platforms

All

curve keyword
Synopsis Elliptic curve to be used in ECDSA key generation
Context configure system security pki certificate-update-profile string ecdsa curve keyword
Tree curve

Description

This command specifies that the newly generated key is an ECDSA key with the specified curve.

Options secp256r1, secp384r1, secp521r1
Default secp256r1
Introduced 22.10.R1

Platforms

All

est
Synopsis Enter the est context
Context configure system security pki certificate-update-profile string est
Tree est

Notes

The following elements are part of a choice: cmpv2 or est.

Introduced 22.10.R1

Platforms

All

hash-algorithm keyword
Synopsis Hash algorithm for a certificate request
Context configure system security pki certificate-update-profile string hash-algorithm keyword
Tree hash-algorithm

Description

This command specifies the hash algorithm used to generate a certificate request.

Options md5, sha1, sha224, sha256, sha384, sha512
Default sha256
Introduced 22.10.R1

Platforms

All

rsa
Synopsis Enter the rsa context
Context configure system security pki certificate-update-profile string rsa
Tree rsa

Notes

The following elements are part of a choice: dsa, ecdsa, rsa, or same-as-existing-key.

Introduced 22.10.R1

Platforms

All

key-size number
Synopsis Length of the generated RSA key
Context configure system security pki certificate-update-profile string rsa key-size number
Tree key-size

Description

This command specifies that the newly generated key is an RSA key with the specified key length in bits.

Range 512 to 8192
Default 2048
Introduced 22.10.R1

Platforms

All

same-as-existing-key
Synopsis Generate the new key with the same type and key length
Context configure system security pki certificate-update-profile string same-as-existing-key
Tree same-as-existing-key

Description

When configured, this command specifies that the newly generated key is the same type and key length as the existing key.

Notes

The following elements are part of a choice: dsa, ecdsa, rsa, or same-as-existing-key.

Introduced 22.10.R1

Platforms

All

common-name-list [cn-list-name] string
Synopsis Enter the common-name-list list instance
Context configure system security pki common-name-list string
Tree common-name-list
Max. Instances 64
Introduced 16.0.R1

Platforms

All

common-name [cn-index] number
Synopsis Enter the common-name list instance
Context configure system security pki common-name-list string common-name number
Tree common-name
Introduced 16.0.R1

Platforms

All

crl-expiration-warning
Synopsis Enter the crl-expiration-warning context
Context configure system security pki crl-expiration-warning
Tree crl-expiration-warning
Introduced 16.0.R1

Platforms

All

est-profile [name] string
Synopsis Enter the est-profile list instance
Context configure system security pki est-profile string
Tree est-profile

Description

Commands in this context configure an Enrollment over Secure Transport (EST) profile.

Max. Instances 128
Introduced 21.10.R1

Platforms

All

[name] string
Synopsis Enrollment over Secure Transport profile name
Context configure system security pki est-profile string
Tree est-profile

Description

This command configures the EST profile name.

String Length 1 to 32

Notes

This element is part of a list key.

Introduced 21.10.R1

Platforms

All

client-tls-profile string
Synopsis TLS client profile assigned to applications
Context configure system security pki est-profile string client-tls-profile string
Tree client-tls-profile

Description

This command specifies the TLS client profile to be assigned to applications for encryption. The profile creates the TLS connection to the EST server.

String Length 1 to 32
Introduced 21.10.R1

Platforms

All

http-authentication
Synopsis Enter the http-authentication context
Context configure system security pki est-profile string http-authentication
Tree http-authentication
Introduced 21.10.R1

Platforms

All

server
Synopsis Enter the server context
Context configure system security pki est-profile string server
Tree server

Description

Commands in this context configure EST server parameters.

Introduced 21.10.R1

Platforms

All

fqdn string
Synopsis Fully Qualified Domain Name (FQDN) of the EST server
Context configure system security pki est-profile string server fqdn string
Tree fqdn

Description

This command specifies the FQDN of the EST server.

String Length 1 to 255

Notes

The following elements are part of a choice: fqdn, ipv4, or ipv6.

Introduced 21.10.R1

Platforms

All

ipv4 string
Synopsis IPv4 address of the EST server
Context configure system security pki est-profile string server ipv4 string
Tree ipv4

Notes

The following elements are part of a choice: fqdn, ipv4, or ipv6.

Introduced 21.10.R1

Platforms

All

ipv6 (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis IPv6 address of the EST server
Context configure system security pki est-profile string server ipv6 (ipv4-address-no-zone | ipv6-address-no-zone)
Tree ipv6

Notes

The following elements are part of a choice: fqdn, ipv4, or ipv6.

Introduced 21.10.R1

Platforms

All

transmission-profile string
Synopsis Transmission profile name for EST
Context configure system security pki est-profile string transmission-profile string
Tree transmission-profile

Description

This command associates a file transmission profile to the EST profile.

The transmission profile defines transport parameters for protocols such as HTTP, including the routing instance, source address, timeout value, and so on.

String Length 1 to 32
Introduced 21.10.R1

Platforms

All

python-script
Synopsis Enter the python-script context
Context configure system security python-script
Tree python-script
Introduced 21.10.R1

Platforms

All

authorization
Synopsis Enter the authorization context
Context configure system security python-script authorization
Tree authorization
Introduced 21.10.R1

Platforms

All

snmp
Synopsis Enter the snmp context
Context configure system security snmp
Tree snmp
Introduced 16.0.R1

Platforms

All

access [group] string context string security-model keyword security-level keyword
Synopsis Enter the access list instance
Context configure system security snmp access string context string security-model keyword security-level keyword
Tree access
Introduced 16.0.R1

Platforms

All

security-level keyword
Synopsis Minimum security level required to gain access rights
Context configure system security snmp access string context string security-model keyword security-level keyword
Tree access
Options no-auth-no-privacy, auth-no-privacy, privacy

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

All

notify string
Synopsis SNMP view for notification access
Context configure system security snmp access string context string security-model keyword security-level keyword notify string
Tree notify

Description

This command specifies the SNMP view used to control which MIB objects can be accessed for notifications.

String Length 1 to 32
Introduced 16.0.R1

Platforms

All

read string
Synopsis SNMP view for read access
Context configure system security snmp access string context string security-model keyword security-level keyword read string
Tree read

Description

This command specifies the SNMP view used to control which MIB objects can be accessed using a read (get) operation.

String Length 1 to 32
Introduced 16.0.R1

Platforms

All

write string
Synopsis SNMP view for write access
Context configure system security snmp access string context string security-model keyword security-level keyword write string
Tree write

Description

This command specifies the SNMP view used to control which MIB objects can be accessed using a write (set) operation.

String Length 1 to 32
Introduced 16.0.R1

Platforms

All

attempts
Synopsis Enter the attempts context
Context configure system security snmp attempts
Tree attempts

Description

Commands in this context configure settings for SNMPv2 or SNMPv3 connection attempts. The command settings are used to counter Denial of Service (DoS) attacks through SNMP.

If the threshold is exceeded, the host is locked out for the lockout time period.

Introduced 16.0.R1

Platforms

All

count number
Synopsis Unsuccessful attempts allowed within time period
Context configure system security snmp attempts count number
Tree count
Range 1 to 64
Default 20
Introduced 16.0.R1

Platforms

All

lockout number
Synopsis Lockout period during which the host cannot log in
Context configure system security snmp attempts lockout number
Tree lockout

Description

This command configures the time period during which the host cannot log in. When the host exceeds the attempted counts setting, the host is locked out from further login attempts for the configured time period.

Range 0 to 1440
Units minutes
Default 10
Introduced 16.0.R1

Platforms

All

time number
Synopsis Time before host lockout after unsuccessful attempts
Context configure system security snmp attempts time number
Tree time
Range 0 to 60
Units minutes
Default 5
Introduced 16.0.R1

Platforms

All

community [community-string] string
Synopsis Enter the community list instance
Context configure system security snmp community string
Tree community
Introduced 16.0.R1

Platforms

All

[community-string] string
Synopsis SNMPv1 or SNMPv2c community string
Context configure system security snmp community string
Tree community
String Length 1 to 114

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

All

source-access-list [list-name] string
Synopsis Enter the source-access-list list instance
Context configure system security snmp source-access-list string
Tree source-access-list

Description

Commands in this context configure SNMP source access lists.

SNMP source access lists are used to validate the source IP address of received SNMP requests. Multiple community (VPRN or Base router) and USM community instances can reference the same SNMP source access list.

Max. Instances 16
Introduced 16.0.R1

Platforms

All

source-host [host-name] string
Synopsis Enter the source-host list instance
Context configure system security snmp source-access-list string source-host string
Tree source-host
Max. Instances 16
Introduced 16.0.R1

Platforms

All

address (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis Source IP address entry used to validate SNMP requests
Context configure system security snmp source-access-list string source-host string address (ipv4-address-no-zone | ipv6-address-no-zone)
Tree address

Notes

This element is mandatory.

Introduced 16.0.R1

Platforms

All

usm-community [community-string] string
Synopsis Enter the usm-community list instance
Context configure system security snmp usm-community string
Tree usm-community
Introduced 16.0.R1

Platforms

All

[community-string] string
Synopsis Community string associated with SNMPv3 access group
Context configure system security snmp usm-community string
Tree usm-community
String Length 1 to 114

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

All

group string
Synopsis Group to manage access rights of the community string
Context configure system security snmp usm-community string group string
Tree group
String Length 1 to 32
Introduced 16.0.R1

Platforms

All

view [view-name] string subtree string
Synopsis Enter the view list instance
Context configure system security snmp view string subtree string
Tree view
Introduced 16.0.R1

Platforms

All

[view-name] string
Synopsis View name
Context configure system security snmp view string subtree string
Tree view
String Length 1 to 32

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

All

subtree string
Synopsis Object Identifier (OID) value
Context configure system security snmp view string subtree string
Tree view
String Length 1 to 256

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

All

mask string
Synopsis Mask value as binary value, or hex value
Context configure system security snmp view string subtree string mask string
Tree mask
String Length 1 to 16
Introduced 16.0.R1

Platforms

All

type keyword
Synopsis Type of SNMP security view mask
Context configure system security snmp view string subtree string type keyword
Tree type
Options included, excluded
Introduced 16.0.R1

Platforms

All

source-address
Synopsis Enter the source-address context
Context configure system security source-address
Tree source-address

Description

Commands in this context configure the IP source address that is used in all unsolicited packets sent by the specified applications.

This configuration applies to packets transmitted in-band (for example, a network port on an IOM) and does not apply to packets transmitted out-of-band on the management interface on the CPM Ethernet port. Packets transmitted using the CPM Ethernet port use the address of the CPM Ethernet port as the IP source address in the packet.

When a source address is specified for the PTP application, the port-based 1588 hardware timestamping assist function is applied to PTP packets matching the IPv4 address of the router interface used to ingress the SR/ESS or IP address specified in this command. If the IP address is removed, the port-based 1588 hardware timestamping assist function is only applied to PTP packets matching the IPv4 address of the router interface.

Introduced 16.0.R1

Platforms

All

ipv4 [application] keyword
Synopsis Enter the ipv4 list instance
Context configure system security source-address ipv4 keyword
Tree ipv4
Introduced 16.0.R1

Platforms

All

[application] keyword
Synopsis Application that uses the source IP address
Context configure system security source-address ipv4 keyword
Tree ipv4
Options telnet, ftp, ssh, radius, tacplus, snmptrap, syslog, ping, traceroute, dns, sntp, ntp, cflowd, ptp, mcreporter, sflow, icmp-error, ldap

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

All

address string
WARNING:

Modifying this element recreates the parent element automatically for the new value to take effect.

Synopsis Source IPv4 address
Context configure system security source-address ipv4 keyword address string
Tree address

Notes

The following elements are part of a mandatory choice: address or interface-name.

Introduced 16.0.R1

Platforms

All

interface-name string
WARNING:

Modifying this element recreates the parent element automatically for the new value to take effect.

Synopsis IP interface name
Context configure system security source-address ipv4 keyword interface-name string
Tree interface-name
String Length 1 to 32

Notes

The following elements are part of a mandatory choice: address or interface-name.

Introduced 16.0.R1

Platforms

All

ipv6 [application] keyword
Synopsis Enter the ipv6 list instance
Context configure system security source-address ipv6 keyword
Tree ipv6
Introduced 16.0.R1

Platforms

All

[application] keyword
Synopsis Application which uses the source IPv6 address
Context configure system security source-address ipv6 keyword
Tree ipv6
Options telnet, ftp, radius, tacplus, snmptrap, syslog, ping, traceroute, dns, cflowd, ntp, sflow, icmp6-error, ldap, ssh, ptp

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

All

address string
WARNING:

Modifying this element recreates the parent element automatically for the new value to take effect.

Synopsis Source IPv6 address
Context configure system security source-address ipv6 keyword address string
Tree address

Notes

This element is mandatory.

Introduced 16.0.R1

Platforms

All

ssh
Synopsis Enter the ssh context
Context configure system security ssh
Tree ssh
Introduced 16.0.R1

Platforms

All

authentication-method
Synopsis Enter the authentication-method context
Context configure system security ssh authentication-method
Tree authentication-method
Introduced 23.7.R1

Platforms

All

server
Synopsis Enter the server context
Context configure system security ssh authentication-method server
Tree server
Introduced 23.7.R1

Platforms

All

public-key-only boolean
Synopsis Accept only public-key authentication for SSH session
Context configure system security ssh authentication-method server public-key-only boolean
Tree public-key-only

Description

When configured to true, the system accepts only public key client authentication for the SSH server.

This command defines the authentication method at the system level.

When configured to false, the system accepts public key or password client authentication. If interactive-authentication is configured to true in the configure system security aaa remote-servers radius or configure system security aaa remote-servers tacplus context, the system also accepts interactive keyboard authentication.

Default false
Introduced 23.7.R1

Platforms

All

client-cipher-list-v2
Synopsis Enter the client-cipher-list-v2 context
Context configure system security ssh client-cipher-list-v2
Tree client-cipher-list-v2
Introduced 16.0.R1

Platforms

All

cipher [index] number
Synopsis Enter the cipher list instance
Context configure system security ssh client-cipher-list-v2 cipher number
Tree cipher

Description

Commands in this context configure a client-cipher instance. Client-ciphers are used when SR OS is acting as an SSH client.

Introduced 16.0.R1

Platforms

All

name keyword
Synopsis Algorithm for performing encryption or decryption
Context configure system security ssh client-cipher-list-v2 cipher number name keyword
Tree name
Options 3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, aes256-ctr

Notes

This element is mandatory.

Introduced 16.0.R1

Platforms

All

client-kex-list-v2
Synopsis Enter the client-kex-list-v2 context
Context configure system security ssh client-kex-list-v2
Tree client-kex-list-v2
Introduced 19.10.R3

Platforms

All

kex [index] number
Synopsis Enter the kex list instance
Context configure system security ssh client-kex-list-v2 kex number
Tree kex

Description

Commands in this context configure SSH Key Exchange (KEX) algorithms for SR OS as a client.

If a list is configured, SSH uses the list with the first-listed algorithm having the highest priority.

By default, the client list is empty, and SSH uses the default list, which contains the following:

  • diffie-hellman-group16-sha512

  • diffie-hellman-group14-sha256

  • diffie-hellman-group14-sha1

  • diffie-hellman-group1-sha1

Introduced 19.10.R3

Platforms

All

[index] number
Synopsis SSHv2 KEX algorithm index
Context configure system security ssh client-kex-list-v2 kex number
Tree kex

Description

This command configures the index of the KEX algorithm in the list. The lowest index in the list is negotiated first on the SSH negotiation list, while the highest index is at the bottom of the SSH negotiation list.

Range 1 to 255

Notes

This element is part of a list key.

Introduced 19.10.R3

Platforms

All

name keyword
Synopsis KEX algorithm for computing a shared secret key
Context configure system security ssh client-kex-list-v2 kex number name keyword
Tree name
Options diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha256, diffie-hellman-group16-sha512

Notes

This element is mandatory.

Introduced 19.10.R3

Platforms

All

client-mac-list-v2
Synopsis Enter the client-mac-list-v2 context
Context configure system security ssh client-mac-list-v2
Tree client-mac-list-v2
Introduced 16.0.R1

Platforms

All

mac [index] number
Synopsis Enter the mac list instance
Context configure system security ssh client-mac-list-v2 mac number
Tree mac

Description

Commands in this context configure SSH MAC algorithms for SR OS as a client.

Introduced 16.0.R1

Platforms

All

[index] number
Synopsis MAC algorithm index
Context configure system security ssh client-mac-list-v2 mac number
Tree mac
Range 1 to 255

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

All

name keyword
Synopsis Algorithm for calculating message authentication code
Context configure system security ssh client-mac-list-v2 mac number name keyword
Tree name
Options hmac-sha2-512, hmac-sha2-256, hmac-sha1, hmac-sha1-96, hmac-md5, hmac-md5-96

Notes

This element is mandatory.

Introduced 16.0.R1

Platforms

All
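The following is an added example, not code from the vendor documentation: an offline review of the SSH cipher, KEX and MAC lists described above, which resolves the negotiation order from the list indexes and reports entries that fail a review policy. It assumes the configuration is available as one flat line per leaf following the Context paths on this page; the sample lines and the weak-algorithm policy are constructed for this example.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# List name -> list element keyword, taken from the Context paths on this page.
LISTS = {
    "client-cipher-list-v2": "cipher",
    "client-kex-list-v2": "kex",
    "client-mac-list-v2": "mac",
    "server-cipher-list-v2": "cipher",
}

# Accepted values, copied from the Options lines of the "name keyword" entries.
OPTIONS = {
    "cipher": {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
               "aes128-ctr", "aes192-ctr", "aes256-ctr"},
    "kex": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1",
            "diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512"},
    "mac": {"hmac-sha2-512", "hmac-sha2-256", "hmac-sha1", "hmac-sha1-96",
            "hmac-md5", "hmac-md5-96"},
}

# Default client KEX list as documented in the kex entry, highest priority first.
DEFAULT_CLIENT_KEX = ["diffie-hellman-group16-sha512", "diffie-hellman-group14-sha256",
                      "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"]

# ASSUMPTION: flat line format derived from the Context paths, for example
# "/configure system security ssh client-kex-list-v2 kex 10 name <keyword>".
LINE_RE = re.compile(
    r"^/?(?:configure\s+)?system\s+security\s+ssh\s+(?P<list>\S+)\s+"
    r"(?P<elem>cipher|kex|mac)\s+(?P<index>\d+)\s+name\s+(?P<name>\S+)$"
)


class Finding(NamedTuple):
    list_name: str
    index: Optional[int]   # None means the entry comes from the documented default list
    name: str
    rank: int              # 1 = offered first during negotiation
    reason: str


def weakness(kind: str, name: str) -> Optional[str]:
    """ASSUMPTION: review policy chosen for this example, not vendor guidance."""
    if kind == "cipher" and name.endswith("-cbc"):
        return "CBC-mode cipher"
    if kind == "kex" and name.endswith("-sha1"):
        return "SHA-1 based key exchange"
    if kind == "mac" and ("md5" in name or "sha1" in name):
        return "MD5 or SHA-1 based MAC"
    return None


def parse_ssh_lists(config_text: str) -> Dict[str, Dict[int, str]]:
    """Collect {list name: {index: algorithm}} and reject undocumented values."""
    lists: Dict[str, Dict[int, str]] = {}
    for raw in config_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or LISTS.get(m["list"]) != m["elem"]:
            continue  # unrelated line, or a list this example does not cover
        kind, index, name = m["elem"], int(m["index"]), m["name"]
        if name not in OPTIONS[kind]:
            raise ValueError(f"{m['list']}: {name!r} is not a documented option")
        # The page gives Range 1 to 255 for the kex and mac indexes.
        if kind in ("kex", "mac") and not 1 <= index <= 255:
            raise ValueError(f"{m['list']}: index {index} outside 1 to 255")
        lists.setdefault(m["list"], {})[index] = name
    return lists


def negotiation_order(lists: Dict[str, Dict[int, str]],
                      list_name: str) -> List[Tuple[Optional[int], str]]:
    """Lowest index first; an empty client KEX list falls back to the default."""
    entries = lists.get(list_name, {})
    if entries:
        return [(i, entries[i]) for i in sorted(entries)]
    if list_name == "client-kex-list-v2":
        return [(None, name) for name in DEFAULT_CLIENT_KEX]
    return []


def audit(config_text: str) -> List[Finding]:
    lists = parse_ssh_lists(config_text)
    findings = []
    for list_name, kind in LISTS.items():
        order = negotiation_order(lists, list_name)
        for rank, (index, name) in enumerate(order, start=1):
            reason = weakness(kind, name)
            if reason:
                findings.append(Finding(list_name, index, name, rank, reason))
    return findings


# Constructed sample input, not taken from a real device.
SAMPLE_CONFIG = """
/configure system security ssh client-kex-list-v2 kex 20 name diffie-hellman-group14-sha256
/configure system security ssh client-kex-list-v2 kex 10 name diffie-hellman-group16-sha512
/configure system security ssh client-kex-list-v2 kex 30 name diffie-hellman-group1-sha1
/configure system security ssh client-cipher-list-v2 cipher 1 name aes256-ctr
/configure system security ssh client-cipher-list-v2 cipher 2 name 3des-cbc
/configure system security ssh client-mac-list-v2 mac 1 name hmac-sha2-512
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        where = "default list" if f.index is None else f"index {f.index}"
        print(f"{f.list_name} {where} (rank {f.rank}): {f.name}: {f.reason}")
```

Running `audit("")` shows that leaving the client KEX list unconfigured still offers two SHA-1 based algorithms from the documented default list.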

key-re-exchange
Synopsis Enter the key-re-exchange context
Context configure system security ssh key-re-exchange
Tree key-re-exchange
Introduced 16.0.R1

Platforms

All

client
Synopsis Enter the client context
Context configure system security ssh key-re-exchange client
Tree client
Introduced 16.0.R1

Platforms

All

mbytes (number | keyword)
Synopsis Maximum bytes transmitted before key re-exchange begins
Context configure system security ssh key-re-exchange client mbytes (number | keyword)
Tree mbytes
Range 1 to 64000
Units megabytes
Options infinite
Default 1024
Introduced 16.0.R1

Platforms

All

minutes (number | keyword)
Synopsis Maximum time before key re-exchange is initiated
Context configure system security ssh key-re-exchange client minutes (number | keyword)
Tree minutes
Range 1 to 1440
Units minutes
Options infinite
Default 60
Introduced 16.0.R1

Platforms

All

server
Synopsis Enter the server context
Context configure system security ssh key-re-exchange server
Tree server
Introduced 16.0.R1

Platforms

All

mbytes (number | keyword)
Synopsis Maximum bytes transmitted before key re-exchange begins
Context configure system security ssh key-re-exchange server mbytes (number | keyword)
Tree mbytes
Range 1 to 64000
Units megabytes
Options infinite
Default 1024
Introduced 16.0.R1

Platforms

All

minutes (number | keyword)
Synopsis Maximum time before key re-exchange is initiated
Context configure system security ssh key-re-exchange server minutes (number | keyword)
Tree minutes
Range 1 to 1440
Units minutes
Options infinite
Default 60
Introduced 16.0.R1

Platforms

All

preserve-key boolean
Synopsis Preserve keys and restore on system or server restart
Context configure system security ssh preserve-key boolean
Tree preserve-key

Description

When configured to true, private, public, and host keys are saved by the server. The keys are restored following a system reboot or a restart of an SSH server.

When configured to false, the keys are held in memory by an SSH server but are not restored following a system reboot.

Default false
Introduced 16.0.R1

Platforms

All

server-cipher-list-v2
Synopsis Enter the server-cipher-list-v2 context
Context configure system security ssh server-cipher-list-v2
Tree server-cipher-list-v2
Introduced 16.0.R1

Platforms

All

cipher [index] number
Synopsis Enter the cipher list instance
Context configure system security ssh server-cipher-list-v2 cipher number
Tree cipher

Description

Commands in this context configure a server-cipher instance. Server-ciphers are used when SR OS is acting as an SSH server.

Introduced 16.0.R1

Platforms

All

name keyword
Synopsis Algorithm for performing encryption or decryption
Context configure system security ssh server-cipher-list-v2 cipher number name keyword
Tree name
Options 3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, aes256-ctr

Notes

This element is mandatory.

Introduced 16.0.R1

Platforms

All

server-kex-list-v2
Synopsis Enter the server-kex-list-v2 context
Context configure system security ssh server-kex-list-v2
Tree server-kex-list-v2
Introduced 19.10.R3

Platforms

All

kex [index] number
Synopsis Enter the kex list instance
Context configure system security ssh server-kex-list-v2 kex number
Tree kex
Introduced 19.10.R3

Platforms

All

[index] number
Synopsis SSHv2 KEX algorithm index
Context configure system security ssh server-kex-list-v2 kex number
Tree kex

Description

This command configures the index of the KEX algorithm in the list. The lowest index in the list is negotiated first on the SSH negotiation list, while the highest index is at the bottom of the SSH negotiation list.

Range 1 to 255

Notes

This element is part of a list key.

Introduced 19.10.R3

Platforms

All

name keyword
Synopsis KEX algorithm for computing a shared secret key
Context configure system security ssh server-kex-list-v2 kex number name keyword
Tree name
Options diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha256, diffie-hellman-group16-sha512

Notes

This element is mandatory.

Introduced 19.10.R3

Platforms

All

server-mac-list-v2
Synopsis Enter the server-mac-list-v2 context
Context configure system security ssh server-mac-list-v2
Tree server-mac-list-v2
Introduced 16.0.R1

Platforms

All

mac [index] number
Synopsis Enter the mac list instance
Context configure system security ssh server-mac-list-v2 mac number
Tree mac
Introduced 16.0.R1

Platforms

All

[index] number
Synopsis MAC algorithm index
Context configure system security ssh server-mac-list-v2 mac number
Tree mac
Range 1 to 255

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

All

name keyword
Synopsis Algorithm for calculating message authentication code
Context configure system security ssh server-mac-list-v2 mac number name keyword
Tree name
Options hmac-sha2-512, hmac-sha2-256, hmac-sha1, hmac-sha1-96, hmac-md5, hmac-md5-96

Notes

This element is mandatory.

Introduced 16.0.R1

Platforms

All

system-passwords
Synopsis Enter the system-passwords context
Context configure system security system-passwords
Tree system-passwords

Description

This command enters the context to configure system passwords.

Introduced 16.0.R1

Platforms

All

admin-password string
Synopsis Context to configure system passwords
Context configure system security system-passwords admin-password string
Tree admin-password

Description

This command allows a user with administrative permissions to configure a password that enables a user to become an administrator.

This password is valid only for one session. When enabled, no authorization to TACACS+ or RADIUS is performed and the user is locally regarded as an administrative user.

If the admin-password is configured in the configure system security system-passwords admin-password context, any user can enter the special mode by entering the enable command.

enable is in the default profile. By default, all users are given access to this command.

After the enable command is entered, the user is prompted for a password. If the password matches, the user is given unrestricted access to all commands.

The minimum length of the password is determined by the minimum-length command. The complexity requirements for the password are determined by the complexity command.

Note: This command applies to a local user, in addition to users on RADIUS, TACACS, and LDAP.

String Length 3 to 136
Introduced 16.0.R1

Platforms

All

tls
Synopsis Enter the tls context
Context configure system security tls
Tree tls
Introduced 16.0.R1

Platforms

All

cert-profile [cert-profile-name] string
Synopsis Enter the cert-profile list instance
Context configure system security tls cert-profile string
Tree cert-profile
Max. Instances 16
Introduced 16.0.R1

Platforms

All

[cert-profile-name] string
Synopsis TLS certificate profile name
Context configure system security tls cert-profile string
Tree cert-profile
String Length 1 to 32

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

All

entry [entry-id] number
Synopsis Enter the entry list instance
Context configure system security tls cert-profile string entry number
Tree entry
Max. Instances 8
Introduced 16.0.R1

Platforms

All

[entry-id] number
Synopsis Certificate profile ID
Context configure system security tls cert-profile string entry number
Tree entry
Range 1 to 8

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

All

send-chain
Synopsis Enter the send-chain context
Context configure system security tls cert-profile string entry number send-chain
Tree send-chain
Introduced 16.0.R1

Platforms

All

ca-profile [ca-profile-name] reference
Synopsis Add a list entry for ca-profile
Context configure system security tls cert-profile string entry number send-chain ca-profile reference
Tree ca-profile
Max. Instances 7
Introduced 16.0.R1

Platforms

All

client-cipher-list [client-cipher-list-name] string
Synopsis Enter the client-cipher-list list instance
Context configure system security tls client-cipher-list string
Tree client-cipher-list
Max. Instances 16
Introduced 16.0.R1

Platforms

All

tls12-cipher [index] number
Synopsis Enter the tls12-cipher list instance
Context configure system security tls client-cipher-list string tls12-cipher number
Tree tls12-cipher
Introduced 22.2.R1

Platforms

All

name keyword
Synopsis Cipher suite code
Context configure system security tls client-cipher-list string tls12-cipher number name keyword
Tree name
Options tls-rsa-with3des-ede-cbc-sha, tls-rsa-with-aes128-cbc-sha, tls-rsa-with-aes256-cbc-sha, tls-rsa-with-aes128-cbc-sha256, tls-rsa-with-aes256-cbc-sha256, tls-rsa-with-aes128-gcm-sha256, tls-rsa-with-aes256-gcm-sha384

Notes

This element is mandatory.

Introduced 22.2.R1

Platforms

All

tls13-cipher [index] number
Synopsis Enter the tls13-cipher list instance
Context configure system security tls client-cipher-list string tls13-cipher number
Tree tls13-cipher

Description

Commands in this context configure the TLS 1.3-supported ciphers used by the client.

Introduced 22.7.R1

Platforms

All

name keyword
Synopsis Name of the TLS 1.3 cipher suite code
Context configure system security tls client-cipher-list string tls13-cipher number name keyword
Tree name
Options tls-aes256-gcm-sha384, tls-aes128-gcm-sha256, tls-chacha20-poly1305-sha256, tls-aes128-ccm8-sha256, tls-aes128-ccm-sha256

Notes

This element is mandatory.

Introduced 22.7.R1

Platforms

All

client-group-list [client-group-list-name] string
Synopsis Enter the client-group-list list instance
Context configure system security tls client-group-list string
Tree client-group-list

Description

Commands in this context configure the list of TLS 1.3-supported group suite codes that the client sends in a client Hello message.

Max. Instances 16
Introduced 22.7.R1

Platforms

All

tls13-group [index] number
Synopsis Enter the tls13-group list instance
Context configure system security tls client-group-list string tls13-group number
Tree tls13-group

Description

Commands in this context configure the TLS 1.3-supported group suite codes sent by the client in its Hello messages.

SR OS supports the use of Elliptic-Curve Diffie-Hellman Ephemeral (ECDHE) groups.

Introduced 22.7.R1

Platforms

All

name keyword
Synopsis Name of the TLS 1.3 group suite code
Context configure system security tls client-group-list string tls13-group number name keyword
Tree name
Options tls-ecdhe-256, tls-ecdhe-384, tls-ecdhe-521, tls-x25519, tls-x448

Notes

This element is mandatory.

Introduced 22.7.R1

Platforms

All

client-signature-list [client-signature-list-name] string
Synopsis Enter the client-signature-list list instance
Context configure system security tls client-signature-list string
Tree client-signature-list

Description

Commands in this context configure the list of TLS 1.3-supported signature suite codes that the client sends in a client Hello message.

Max. Instances 16
Introduced 22.7.R1

Platforms

All

tls13-signature [index] number
Synopsis Enter the tls13-signature list instance
Context configure system security tls client-signature-list string tls13-signature number
Tree tls13-signature

Description

Commands in this context configure the TLS 1.3-supported signature suite codes sent by the client in its Hello messages.

Introduced 22.7.R1

Platforms

All

name keyword
Synopsis Name of the TLS 1.3 signature suite code
Context configure system security tls client-signature-list string tls13-signature number name keyword
Tree name
Options tls-rsa-pkcs1-sha256, tls-ecdsa-secp256r1-sha256, tls-rsa-pkcs1-sha384, tls-ecdsa-secp384r1-sha384, tls-rsa-pkcs1-sha512, tls-ecdsa-secp521r1-sha512, tls-rsa-pss-rsae-sha256, tls-rsa-pss-rsae-sha384, tls-rsa-pss-rsae-sha512, tls-ed25519, tls-ed448, tls-rsa-pss-pss-sha256, tls-rsa-pss-pss-sha384, tls-rsa-pss-pss-sha512

Notes

This element is mandatory.

Introduced 22.7.R1

Platforms

All

client-tls-profile [client-profile-name] string
Synopsis Enter the client-tls-profile list instance
Context configure system security tls client-tls-profile string
Tree client-tls-profile
Max. Instances 16
Introduced 16.0.R1

Platforms

All

protocol-version keyword
Synopsis TLS protocol version used by the TLS client profile
Context configure system security tls client-tls-profile string protocol-version keyword
Tree protocol-version

Description

This command configures the TLS version to be negotiated between the client and the server.

The client adds the specified version as a supported version in its Hello message to the server.

Options tls-version-all, tls-version-12, tls-version-13
Default tls-version-12
Introduced 22.7.R1

Platforms

All

status-verify
Synopsis Enter the status-verify context
Context configure system security tls client-tls-profile string status-verify
Tree status-verify

Description

Commands in this context configure certificate revocation status verification options for the end-entity certificate in a TLS client.

Introduced 23.7.R1

Platforms

All

default-result keyword
Synopsis Default result of certificate status verification
Context configure system security tls client-tls-profile string status-verify default-result keyword
Tree default-result

Description

This command configures the default result of the entity certificate verification in the TLS client profile. This command overwrites the EE certificate revocation verification for the TLS client profile.

By default, the router checks the certificate revocation status, but if this command is set to good, the end-entity certificate revocation status is overwritten and a good revocation status is returned for the EE certificate.

If this command is set to revoked, the router returns the actual revocation status of the end-entity certificate.

Options revoked, good
Default revoked
Introduced 23.7.R1

Platforms

All

server-cipher-list [server-cipher-list-name] string
Synopsis Enter the server-cipher-list list instance
Context configure system security tls server-cipher-list string
Tree server-cipher-list
Max. Instances 16
Introduced 16.0.R1

Platforms

All

tls12-cipher [index] number
Synopsis Enter the tls12-cipher list instance
Context configure system security tls server-cipher-list string tls12-cipher number
Tree tls12-cipher
Introduced 22.2.R1

Platforms

All

name keyword
Synopsis Cipher suite code
Context configure system security tls server-cipher-list string tls12-cipher number name keyword
Tree name
Options tls-rsa-with3des-ede-cbc-sha, tls-rsa-with-aes128-cbc-sha, tls-rsa-with-aes256-cbc-sha, tls-rsa-with-aes128-cbc-sha256, tls-rsa-with-aes256-cbc-sha256, tls-rsa-with-aes128-gcm-sha256, tls-rsa-with-aes256-gcm-sha384

Notes

This element is mandatory.

Introduced 22.2.R1

Platforms

All

tls13-cipher [index] number
Synopsis Enter the tls13-cipher list instance
Context configure system security tls server-cipher-list string tls13-cipher number
Tree tls13-cipher

Description

Commands in this context configure the TLS 1.3-supported ciphers used by the server.

Introduced 22.7.R1

Platforms

All

name keyword
Synopsis Name of the TLS 1.3 cipher suite code
Context configure system security tls server-cipher-list string tls13-cipher number name keyword
Tree name
Options tls-aes256-gcm-sha384, tls-aes128-gcm-sha256, tls-chacha20-poly1305-sha256, tls-aes128-ccm8-sha256, tls-aes128-ccm-sha256

Notes

This element is mandatory.

Introduced 22.7.R1

Platforms

All

server-group-list [server-group-list-name] string
Synopsis Enter the server-group-list list instance
Context configure system security tls server-group-list string
Tree server-group-list

Description

Commands in this context configure the list of TLS 1.3-supported group suite codes that the server sends in a server Hello message.

Max. Instances 16
Introduced 22.7.R1

Platforms

All

tls13-group [index] number
Synopsis Enter the tls13-group list instance
Context configure system security tls server-group-list string tls13-group number
Tree tls13-group

Description

Commands in this context configure the TLS 1.3-supported group suite codes sent by the server in its Hello messages.

SR OS supports the use of Elliptic-Curve Diffie-Hellman Ephemeral (ECDHE) groups.

Introduced 22.7.R1

Platforms

All

name keyword
Synopsis Name of the TLS 1.3 group suite code
Context configure system security tls server-group-list string tls13-group number name keyword
Tree name
Options tls-ecdhe-256, tls-ecdhe-384, tls-ecdhe-521, tls-x25519, tls-x448

Notes

This element is mandatory.

Introduced 22.7.R1

Platforms

All

server-signature-list [server-signature-list-name] string
Synopsis Enter the server-signature-list list instance
Context configure system security tls server-signature-list string
Tree server-signature-list

Description

Commands in this context configure the list of TLS 1.3-supported signature suite codes for the digital signature that the server sends in a server Hello message.

Max. Instances 16
Introduced 22.7.R1

Platforms

All

tls13-signature [index] number
Synopsis Enter the tls13-signature list instance
Context configure system security tls server-signature-list string tls13-signature number
Tree tls13-signature

Description

Commands in this context configure the TLS 1.3-supported signature suite codes sent by the server in its Hello messages.

Introduced 22.7.R1

Platforms

All

name keyword
Synopsis Name of the TLS 1.3 signature suite code
Context configure system security tls server-signature-list string tls13-signature number name keyword
Tree name
Options tls-rsa-pkcs1-sha256, tls-ecdsa-secp256r1-sha256, tls-rsa-pkcs1-sha384, tls-ecdsa-secp384r1-sha384, tls-rsa-pkcs1-sha512, tls-ecdsa-secp521r1-sha512, tls-rsa-pss-rsae-sha256, tls-rsa-pss-rsae-sha384, tls-rsa-pss-rsae-sha512, tls-ed25519, tls-ed448, tls-rsa-pss-pss-sha256, tls-rsa-pss-pss-sha384, tls-rsa-pss-pss-sha512

Notes

This element is mandatory.

Introduced 22.7.R1

Platforms

All

server-tls-profile [server-profile-name] string
Synopsis Enter the server-tls-profile list instance
Context configure system security tls server-tls-profile string
Tree server-tls-profile
Max. Instances 16
Introduced 16.0.R1

Platforms

All

authenticate-client
Synopsis Enter the authenticate-client context
Context configure system security tls server-tls-profile string authenticate-client
Tree authenticate-client
Introduced 16.0.R1

Platforms

All

protocol-version keyword
Synopsis TLS protocol version used by the TLS server profile
Context configure system security tls server-tls-profile string protocol-version keyword
Tree protocol-version

Description

This command configures the TLS version to be negotiated between the server and the client.

The server adds the specified version as a supported version in its Hello message to the client.

Options tls-version-all, tls-version-12, tls-version-13
Default tls-version-12
Introduced 22.7.R1

Platforms

All

status-verify
Synopsis Enter the status-verify context
Context configure system security tls server-tls-profile string status-verify
Tree status-verify

Description

Commands in this context configure certificate revocation status verification options for the end-entity certificate in a TLS server.

Introduced 23.7.R1

Platforms

All

default-result keyword
Synopsis Default result of certificate status verification
Context configure system security tls server-tls-profile string status-verify default-result keyword
Tree default-result

Description

This command configures the default result of the entity certificate verification in the TLS server profile. This command overwrites the EE certificate revocation verification for the TLS server profile.

By default, the router checks the certificate revocation status, but if this command is set to good, the end-entity certificate revocation status is overwritten and a good revocation status is returned for the EE certificate.

If this command is set to revoked, the router returns the actual revocation status of the end-entity certificate.

Options revoked, good
Default revoked
Introduced 23.7.R1

Platforms

All
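
A configuration check built from the option lists and settings documented above, as an added example that is not Nokia code. It parses lines written in the Context syntax shown on this page and reports deprecated algorithms with their position in each list, a key-re-exchange limit set to infinite, and status-verify default-result set to good. The sample lines, the profile name mgmt and the WEAK policy set are assumptions of the example; the "lowest index first" rule is the one stated for the KEX list and is assumed here for the cipher and MAC lists as well.

```python
import shlex
from typing import NamedTuple, Optional


class Finding(NamedTuple):
    path: str                 # configuration path below "configure system security"
    issue: str
    value: str
    position: Optional[int]   # 1 = lowest index in its list, None for plain settings


# Example policy (assumption of this sketch, not vendor guidance): keywords from
# the Options lists above that rely on MD5, 3DES or the 1024-bit DH group1.
WEAK = frozenset({
    "3des-cbc", "hmac-md5", "hmac-md5-96", "diffie-hellman-group1-sha1",
    "tls-rsa-with3des-ede-cbc-sha",
})

# Constructed sample input; "mgmt" is a hypothetical profile and list name.
SAMPLE_CONFIG = """\
configure system security ssh server-cipher-list-v2 cipher 10 name aes256-ctr
configure system security ssh server-cipher-list-v2 cipher 20 name 3des-cbc
configure system security ssh server-kex-list-v2 kex 5 name diffie-hellman-group1-sha1
configure system security ssh server-kex-list-v2 kex 10 name diffie-hellman-group16-sha512
configure system security ssh server-mac-list-v2 mac 10 name hmac-sha2-512
configure system security ssh server-mac-list-v2 mac 20 name hmac-md5-96
configure system security ssh key-re-exchange server mbytes infinite
configure system security ssh key-re-exchange server minutes 60
configure system security tls server-cipher-list "mgmt" tls12-cipher 1 name tls-rsa-with-aes256-gcm-sha384
configure system security tls server-cipher-list "mgmt" tls12-cipher 2 name tls-rsa-with3des-ede-cbc-sha
configure system security tls server-tls-profile "mgmt" protocol-version tls-version-12
configure system security tls server-tls-profile "mgmt" status-verify default-result good
"""


def parse(config_text):
    """Split the text into indexed algorithm lists and single-value settings."""
    lists, settings = {}, {}
    for raw in config_text.splitlines():
        tokens = shlex.split(raw)          # honours quoted list and profile names
        if tokens[:3] != ["configure", "system", "security"] or len(tokens) < 5:
            continue
        tokens = tokens[3:]
        # "<list path> <element> <index> name <algorithm>" is a list entry.
        if len(tokens) >= 4 and tokens[-2] == "name" and tokens[-3].isdigit():
            path = " ".join(tokens[:-3])
            lists.setdefault(path, {})[int(tokens[-3])] = tokens[-1]
        else:
            settings[" ".join(tokens[:-1])] = tokens[-1]
    return lists, settings


def audit(config_text):
    """Return the findings for one configuration, lists first, then settings."""
    lists, settings = parse(config_text)
    findings = []
    for path in sorted(lists):
        ordered = sorted(lists[path].items())        # lowest index is offered first
        for position, (_, name) in enumerate(ordered, start=1):
            if name in WEAK:
                findings.append(Finding(path, "weak-algorithm", name, position))
    for path in sorted(settings):
        value = settings[path]
        if "key-re-exchange" in path.split() and value == "infinite":
            findings.append(Finding(path, "rekey-limit-disabled", value, None))
        if path.endswith("status-verify default-result") and value == "good":
            # Per the description above, "good" replaces the real revocation status.
            findings.append(Finding(path, "revocation-result-overridden", value, None))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

A weak algorithm reported at position 1 is the first one offered in its list, so it deserves attention before entries further down.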

trust-anchor-profile [trust-anchor-profile-name] string
Synopsis Enter the trust-anchor-profile list instance
Context configure system security tls trust-anchor-profile string
Tree trust-anchor-profile
Max. Instances 16
Introduced 16.0.R1

Platforms

All

trust-anchor [ca-profile-name] reference
Synopsis Add a list entry for trust-anchor
Context configure system security tls trust-anchor-profile string trust-anchor reference
Tree trust-anchor
Max. Instances 8
Introduced 16.0.R1

Platforms

All

user-params
Synopsis Enter the user-params context
Context configure system security user-params
Tree user-params
Introduced 16.0.R1

Platforms

All

attempts
Synopsis Enter the attempts context
Context configure system security user-params attempts
Tree attempts
Introduced 16.0.R1

Platforms

All

authentication-order
Synopsis Enter the authentication-order context
Context configure system security user-params authentication-order
Tree authentication-order

Description

Commands in this context configure the sequence in which the system attempts authentication and authorization among the local user database, RADIUS servers, TACACS+ servers, and LDAP servers.

Configure the order from the most preferred method to the least preferred. The presence of all methods in the command line does not guarantee they are all operational. Specifying options that are not available delays user authentication.

If all operational methods are attempted and no authentication for a particular login has been granted, an entry in the security log records the failed attempt. Both the attempted login identification and originating IP address are logged with a timestamp.

The default order is [radius tacplus ldap local].

The order is not applicable to SNMPv3. SNMPv3 messages ignore the configured order and are authorized using the locally configured users only. TACACS+, RADIUS, and LDAP are not supported for SNMPv3 authentication.

Note: This command applies to a local user, in addition to users on RADIUS, TACACS+, and LDAP.

Introduced 16.0.R1

Platforms

All

exit-on-reject boolean
Synopsis Ignore subsequent AAA methods after a reject
Context configure system security user-params authentication-order exit-on-reject boolean
Tree exit-on-reject

Description

When configured to true, the router stops authentication if one of the AAA methods configured in the authentication order sends a rejection.

When configured to false, the router attempts the next AAA method if an AAA method sends a rejection. If all AAA methods are exhausted, authentication and authorization are rejected.

If the order specifies local as the first method, the following actions apply:

  • If this command is set to true and the user does not exist, the user is not authenticated.

  • If the user can be authenticated locally, other methods, if configured, are used for authorization and accounting.

  • If the user is configured locally but without console access, login is denied.

Default false
Introduced 16.0.R1

Platforms

All

order keyword
Synopsis Preferred order of password authentication
Context configure system security user-params authentication-order order keyword
Tree order
Options local, radius, tacplus, ldap
Max. Instances 4

Notes

This element is ordered by the user.

Introduced 16.0.R1

Platforms

All
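
The walk described under authentication-order and exit-on-reject, modelled as an added example (not SR OS code). The Reply values, the function names and the per-method reply maps are assumptions of the model; it enumerates every reply combination to show which ones let a later method grant a login that an earlier method explicitly rejected.

```python
from enum import Enum
from itertools import product


class Reply(Enum):
    ACCEPT = "accept"            # the method authenticated the user
    REJECT = "reject"            # the method answered and refused the user
    UNAVAILABLE = "unavailable"  # configured but not operational (no answer)


# Default order stated in the authentication-order description.
DEFAULT_ORDER = ("radius", "tacplus", "ldap", "local")


def authenticate(order, exit_on_reject, replies):
    """Return (granted, deciding_method, trail) for one login attempt.

    replies maps a method name to its Reply; a method missing from the map is
    treated as UNAVAILABLE. For the local method, a user that does not exist
    is modelled as REJECT (assumption consistent with the local-first bullet).
    """
    trail = []
    for method in order:
        reply = replies.get(method, Reply.UNAVAILABLE)
        trail.append((method, reply.value))
        if reply is Reply.ACCEPT:
            return True, method, trail
        if reply is Reply.REJECT and exit_on_reject:
            return False, method, trail    # stop at the first explicit rejection
        # otherwise fall through to the next method in the configured order
    return False, None, trail              # every method exhausted: rejected


def granted_despite_reject(order, exit_on_reject, replies):
    """True when access is granted after an earlier method explicitly rejected."""
    granted, _, trail = authenticate(order, exit_on_reject, replies)
    return granted and any(r == Reply.REJECT.value for _, r in trail[:-1])


def reject_bypass_cases(order, exit_on_reject):
    """Enumerate all reply combinations and keep those where a later method
    grants a login that an earlier method rejected."""
    cases = []
    for combo in product(Reply, repeat=len(order)):
        replies = dict(zip(order, combo))
        if granted_despite_reject(order, exit_on_reject, replies):
            cases.append(replies)
    return cases


if __name__ == "__main__":
    # Constructed scenario: the account is refused centrally but a local
    # account with the same name still verifies.
    stale_local = {"radius": Reply.REJECT, "local": Reply.ACCEPT}
    for flag in (False, True):
        granted, method, trail = authenticate(DEFAULT_ORDER, flag, stale_local)
        print(f"exit-on-reject {str(flag).lower()}: granted={granted} by={method} trail={trail}")
        print("  combinations granted after a reject:",
              len(reject_bypass_cases(DEFAULT_ORDER, flag)))
```

With the default of false, a rejection from a remote server does not end the attempt, so local accounts that mirror centrally disabled users are worth reviewing when that default is kept.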

local-user
Synopsis Enter the local-user context
Context configure system security user-params local-user
Tree local-user
Introduced 16.0.R1

Platforms

All

password
Synopsis Enter the password context
Context configure system security user-params local-user password
Tree password
Introduced 16.0.R1

Platforms

All

complexity-rules
Synopsis Enter the complexity-rules context
Context configure system security user-params local-user password complexity-rules
Tree complexity-rules
Introduced 16.0.R1

Platforms

All

credits
Synopsis Enter the credits context
Context configure system security user-params local-user password complexity-rules credits
Tree credits

Notes

The following elements are part of a choice: credits or required.

Introduced 16.0.R1

Platforms

All

required
Synopsis Enter the required context
Context configure system security user-params local-user password complexity-rules required
Tree required

Notes

The following elements are part of a choice: credits or required.

Introduced 16.0.R1

Platforms

All

user [user-name] string
Synopsis Enter the user list instance
Context configure system security user-params local-user user string
Tree user
Introduced 16.0.R1

Platforms

All

access
Synopsis Enter the access context
Context configure system security user-params local-user user string access
Tree access
Introduced 16.0.R1

Platforms

All

console
Synopsis Enter the console context
Context configure system security user-params local-user user string console
Tree console
Introduced 16.0.R1

Platforms

All

home-directory (sat-url | cflash-without-slot-url)
Synopsis Home directory for the user
Context configure system security user-params local-user user string home-directory (sat-url | cflash-without-slot-url)
Tree home-directory

Description

This command configures the home directory of the user for file access. Files can be accessed locally by CLI file commands and output modifiers such as > (file redirect), or remotely via FTP and SCP. If the home directory does not exist, a warning message is displayed when the user logs in.

When restricted-to-home is configured, file access is denied unless the home-directory is configured and the directory is created by an administrator.

String Length 1 to 200
Introduced 16.0.R1

Platforms

All

public-keys
Synopsis Enter the public-keys context
Context configure system security user-params local-user user string public-keys
Tree public-keys

Description

Commands in this context configure public keys for SSH.

Introduced 16.0.R1

Platforms

All

ecdsa
Synopsis Enter the ecdsa context
Context configure system security user-params local-user user string public-keys ecdsa
Tree ecdsa

Description

Commands in this context configure Elliptic Curve Digital Signature Algorithm (ECDSA) public keys.

Introduced 16.0.R1

Platforms

All

ecdsa-key [ecdsa-public-key-id] number
Synopsis Enter the ecdsa-key list instance
Context configure system security user-params local-user user string public-keys ecdsa ecdsa-key number
Tree ecdsa-key

Description

Commands in this context configure an ECDSA public key and associate the key with a username. A user can associate multiple public keys with a username. The key ID identifies these keys for the user.

Introduced 16.0.R1

Platforms

All

rsa
Synopsis Enter the rsa context
Context configure system security user-params local-user user string public-keys rsa
Tree rsa

Description

Commands in this context configure RSA public keys.

Introduced 16.0.R1

Platforms

All

rsa-key [rsa-public-key-id] number
Synopsis Enter the rsa-key list instance
Context configure system security user-params local-user user string public-keys rsa rsa-key number
Tree rsa-key

Description

Commands in this context configure an RSA public key and associate the key with a username. A user can associate multiple public keys with a username. The key ID identifies these keys for the user.

Introduced 16.0.R1

Platforms

All

key-value string
Synopsis RSA public key value
Context configure system security user-params local-user user string public-keys rsa rsa-key number key-value string
Tree key-value

Description

This command configures a value for the RSA public key. The public key must be enclosed in quotation marks. For RSA, the key is between 768 and 4096 bits.

String Length 1 to 800
Introduced 16.0.R1

Platforms

All

restricted-to-home boolean
Synopsis Restrict file access to the home directory of the user
Context configure system security user-params local-user user string restricted-to-home boolean
Tree restricted-to-home

Description

When configured to true, the router denies the user access to files outside of their home directory. Files can be accessed locally by CLI file commands and output modifiers such as > (file redirect), or remotely via FTP and SCP. The system denies all configuration save operations (such as admin save) via any management interface (such as CLI and NETCONF) unless save-when-restricted is enabled.

File access is denied unless a home directory is configured and the directory is created by an administrator.

When configured to false, the router permits the user to access all files on the system.

Default false
Introduced 16.0.R1

Platforms

All

save-when-restricted boolean
Synopsis Save configurations when the user is restricted to home
Context configure system security user-params local-user user string save-when-restricted boolean
Tree save-when-restricted

Description

When configured to true, the system permits configuration save operations for all configuration regions (such as bof and configure) via any management interface (such as CLI and NETCONF) even if restricted-to-home is enabled.

The configuration for each region can be saved with admin save CLI commands or when committed over NETCONF and gRPC.

When configured to false, the system denies saving the configuration when restricted-to-home is enabled, unless the home directory of the user includes the location of the saved configuration file.

Default false
Introduced 22.10.R1

Platforms

All

snmp
Synopsis Enter the snmp context
Context configure system security user-params local-user user string snmp
Tree snmp
Introduced 16.0.R1

Platforms

All

authentication
Synopsis Enable the authentication context
Context configure system security user-params local-user user string snmp authentication
Tree authentication

Description

Commands in this context configure the SNMPv3 authentication and privacy protocols for the user to communicate with the router. The keys are stored in an encrypted format in the configuration.

The keys configured with these commands must be localized keys, which are a hash of the SNMP engine ID and a password. The password is not entered directly in this command. Use the tools perform system management-interface snmp generate-key command to generate localized authentication and privacy keys.

If authentication is not configured, only the username is required to allow and authenticate SNMPv3 operations.

Introduced 16.0.R1

Platforms

All

authentication-key string
Synopsis Localized authentication key
Context configure system security user-params local-user user string snmp authentication authentication-key string
Tree authentication-key

Description

This command specifies the authentication key for the authentication protocol. The key must be a localized key, which is a hash of the SNMP engine ID and a password. The password is not entered directly in this command. Use the tools perform system management-interface snmp generate-key command to generate a localized authentication key.

String Length 1 to 115
Introduced 16.0.R1

Platforms

All

privacy
Synopsis Enable the privacy context
Context configure system security user-params local-user user string snmp authentication privacy
Tree privacy
Introduced 16.0.R1

Platforms

All

privacy-key string
Synopsis Localized privacy key
Context configure system security user-params local-user user string snmp authentication privacy privacy-key string
Tree privacy-key

Description

This command specifies the privacy key for the privacy protocol. The key must be a localized key, which is a hash of the SNMP engine ID and a password. The password is not entered directly in this command. Use the tools perform system management-interface snmp generate-key command to generate a localized privacy key.

String Length 1 to 71

Notes

This element is mandatory.

Introduced 16.0.R1

Platforms

All

ssh-authentication-method
Synopsis Enter the ssh-authentication-method context
Context configure system security user-params local-user user string ssh-authentication-method
Tree ssh-authentication-method
Introduced 23.7.R1

Platforms

All

server
Synopsis Enter the server context
Context configure system security user-params local-user user string ssh-authentication-method server
Tree server
Introduced 23.7.R1

Platforms

All

public-key-only keyword
Synopsis Public key only SSH authentication for this user
Context configure system security user-params local-user user string ssh-authentication-method server public-key-only keyword
Tree public-key-only

Description

This command configures the authentication method accepted for the SSH session for the specified user. This user-level configuration overrides the system-level configuration defined in the configure system security ssh authentication-method public-key-only command.

When unconfigured, the command inherits the setting from the system level command.

The command options are:

  • true — accept only public key client authentication for the SSH server

  • false — accept public key or password client authentication for the SSH server. If interactive-authentication is configured to true in the configure system security aaa remote-servers radius or configure system security aaa remote-servers tacplus context, the system also accepts interactive keyboard authentication.

Options false, true
Introduced 23.7.R1

Platforms

All

vprn-network-exceptions
Synopsis Enable the vprn-network-exceptions context
Context configure system security vprn-network-exceptions
Tree vprn-network-exceptions

Description

Commands in this context configure the rate limiting attributes for processing packets with label TTL expiry received within an LSP shortcut or VPRN instances in the system and from all network IP interfaces. This includes labeled user and control plane packets, ping, and traceroute packets within GRT and VPRN, and ICMP replies.

These commands do not rate limit MPLS or service OAM packets.

Introduced 16.0.R1

Platforms

All

count number
Synopsis Limit of exception messages received
Context configure system security vprn-network-exceptions count number
Tree count

Description

This command specifies the threshold limit of exception messages. If the threshold value is exceeded within the configured time interval, packets are dropped.

Range 10 to 1000
Default 100
Introduced 16.0.R1

Platforms

All

window number
Synopsis Time interval to measure exception messages
Context configure system security vprn-network-exceptions window number
Tree window

Description

This command configures the time interval within which exception messages are counted. If the threshold value is exceeded within the configured time interval, packets are dropped.

Range 1 to 60
Units seconds
Default 10
Introduced 16.0.R1

Platforms

All

selective-fib boolean

Synopsis FIB assigned to the system
Context configure system selective-fib boolean
Tree selective-fib
Default false
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

software-repository [repository-name] string

Synopsis Enter the software-repository list instance
Context configure system software-repository string
Tree software-repository
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

[repository-name] string
Synopsis Software repository name
Context configure system software-repository string
Tree software-repository
String Length 1 to 32

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

description string
Synopsis Text description
Context configure system software-repository string description string
Tree description
String Length 1 to 80
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

primary-location string
Synopsis Primary location for files in the software repository
Context configure system software-repository string primary-location string
Tree primary-location
String Length 1 to 180
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

tertiary-location string
Synopsis Tertiary location for files in the software repository
Context configure system software-repository string tertiary-location string
Tree tertiary-location
String Length 1 to 180
Introduced 16.0.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

switch-fabric

Synopsis Enter the switch-fabric context
Context configure system switch-fabric
Tree switch-fabric

Description

Commands in this context configure system level attributes related to the switch fabric.

Introduced 20.5.R1

Platforms

7450 ESS, 7750 SR-7, 7750 SR-12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

failure-recovery
Synopsis Enter the failure-recovery context
Context configure system switch-fabric failure-recovery
Tree failure-recovery

Description

Commands in this context configure the attributes related to the automatic switch fabric recovery process. This process is triggered when there are two resets of an IOM/XCM due to ICC failures within a small time frame. The recovery process involves the sequential resetting of SFM in case the issues are due to one of the SFM in the ICC communication path. As the final step in the recovery process, a CPM switchover is triggered to reset the active CPM.

Introduced 21.2.R1

Platforms

7450 ESS, 7750 SR-7, 7750 SR-12e, 7950 XRS

sfm-loss-threshold number
Synopsis Number of SFMs that can fail before SFM overload state
Context configure system switch-fabric sfm-loss-threshold number
Tree sfm-loss-threshold

Description

This command specifies the number of SFMs that are permitted to fail before the system goes into SFM overload state.

The default value for the 7750 SR-7s is 1 and the default value for the 7750 SR-14s is 2. Users can select the SFM limit based on the number possible for the system minus one. For the 7750 SR-7s, the limit is 3 and the limit for the 7750 SR-14s is 7.

Range 1 to 7
Introduced 20.5.R1

Platforms

7750 SR-7s, 7750 SR-14s

telemetry

Synopsis Enter the telemetry context
Context configure system telemetry
Tree telemetry

Description

Commands in this context configure the parameters for the dial-out telemetry functionality.

Introduced 20.2.R1

Platforms

All

destination-group [name] string
Synopsis Enter the destination-group list instance
Context configure system telemetry destination-group string
Tree destination-group

Description

Commands in this context configure parameters for destination groups.

Max. Instances 225
Introduced 20.5.R1

Platforms

All

allow-unsecure-connection
Synopsis Allow connection without secured transport protocol
Context configure system telemetry destination-group string allow-unsecure-connection
Tree allow-unsecure-connection

Description

When configured, this command allows an unsecured connection to remote managers; TCP connections are not encrypted, including username and password information.

Notes

The following elements are part of a choice: allow-unsecure-connection or tls-client-profile.

Introduced 20.5.R1

Platforms

All

destination [address] (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name) port number
Synopsis Enter the destination list instance
Context configure system telemetry destination-group string destination (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name) port number
Tree destination
Max. Instances 4

Notes

This element is ordered by the user.

Introduced 20.5.R1

Platforms

All

[address] (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name)
Synopsis Address of the destination within the destination group
Context configure system telemetry destination-group string destination (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name) port number
Tree destination
String Length 1 to 255

Notes

This element is part of a list key.

Introduced 20.5.R1

Platforms

All

port number
Synopsis TCP port number for the destination
Context configure system telemetry destination-group string destination (ipv4-address-no-zone | ipv6-address-no-zone | fully-qualified-domain-name) port number
Tree destination
Range 0 | 1 to 65535

Notes

This element is part of a list key.

Introduced 20.5.R1

Platforms

All

tcp-keepalive
Synopsis Enter the tcp-keepalive context
Context configure system telemetry destination-group string tcp-keepalive
Tree tcp-keepalive
Introduced 20.5.R1

Platforms

All

retries number
Synopsis Number of probe retries before closing the connection
Context configure system telemetry destination-group string tcp-keepalive retries number
Tree retries

Description

This command configures the number of missed TCP keepalive probes before closing the TCP connection and attempting to reach the other destinations within the same destination group.

Range 3 to 100
Default 4
Introduced 20.5.R1

Platforms

All

notification-bundling
Synopsis Enter the notification-bundling context
Context configure system telemetry notification-bundling
Tree notification-bundling

Description

Commands in this context configure the bundling of multiple notifications into one telemetry message.

Introduced 21.10.R1

Platforms

All

max-time-granularity number
Synopsis Maximum interval when bundling of notifications occurs
Context configure system telemetry notification-bundling max-time-granularity number
Tree max-time-granularity

Description

This command sets the maximum time interval during which telemetry notifications are bundled. All bundled notifications have the same timestamp, which is the timestamp of the bundle.

Range 1 to 1000
Units milliseconds
Default 100
Introduced 21.10.R1

Platforms

All

persistent-subscriptions
Synopsis Enter the persistent-subscriptions context
Context configure system telemetry persistent-subscriptions
Tree persistent-subscriptions
Introduced 20.5.R1

Platforms

All

delay-on-boot number
Synopsis Delay for persistent subscriptions after system boot
Context configure system telemetry persistent-subscriptions delay-on-boot number
Tree delay-on-boot

Description

This command configures the delay timer for gRPC telemetry persistent subscriptions. When the timer expires, gRPC telemetry persistent subscriptions become operational and connections are initiated. This delay prevents the system from trying to establish gRPC persistent subscriptions while it is still converging.

When no delay is configured, gRPC telemetry persistent subscriptions are initiated after the system boots and gRPC becomes operational.

Range 1 to 3600
Units seconds
Introduced 23.10.R1

Platforms

All

subscription [name] string
Synopsis Enter the subscription list instance
Context configure system telemetry persistent-subscriptions subscription string
Tree subscription
Max. Instances 225
Introduced 20.5.R1

Platforms

All

encoding keyword
Synopsis Encoding used for telemetry notifications
Context configure system telemetry persistent-subscriptions subscription string encoding keyword
Tree encoding

Description

This command specifies the encoding used for telemetry notifications as defined by the gNMI OpenConfig standard.

Options

json – JSON encoded text

bytes – Encoded according to gnmi.schemas

proto – Encoded with scalar TypedValue values

json-ietf – JSON encoded text as per RFC 7951

Default json
Introduced 20.5.R1

Platforms

All

mode keyword
Synopsis Mode for telemetry notifications
Context configure system telemetry persistent-subscriptions subscription string mode keyword
Tree mode

Description

This command specifies the subscription path mode for telemetry notifications sent out for the persistent subscription.

Options target-defined, on-change, sample
Introduced 20.5.R1

Platforms

All

originated-qos-marking keyword
Synopsis QoS marking used for telemetry notification packets
Context configure system telemetry persistent-subscriptions subscription string originated-qos-marking keyword
Tree originated-qos-marking
Options be, cp1, cp2, cp3, cp4, cp5, cp6, cp7, cs1, cp9, af11, cp11, af12, cp13, af13, cp15, cs2, cp17, af21, cp19, af22, cp21, af23, cp23, cs3, cp25, af31, cp27, af32, cp29, af33, cp31, cs4, cp33, af41, cp35, af42, cp37, af43, cp39, cs5, cp41, cp42, cp43, cp44, cp45, ef, cp47, nc1, cp49, cp50, cp51, cp52, cp53, cp54, cp55, nc2, cp57, cp58, cp59, cp60, cp61, cp62, cp63
Introduced 20.5.R1

Platforms

All

sample-interval number
Synopsis Sampling interval for the persistent subscription
Context configure system telemetry persistent-subscriptions subscription string sample-interval number
Tree sample-interval

Description

This command configures the sampling interval for the persistent subscription. The interval applies only in sampling or target-defined modes.

Range 1000 to 18446744073709551615
Units milliseconds
Default 10000
Introduced 20.5.R1

Platforms

All

sensor-group reference
Synopsis Sensor group used in the persistent subscription
Context configure system telemetry persistent-subscriptions subscription string sensor-group reference
Tree sensor-group

Description

This command specifies the sensor group to be used in the persistent subscription. If no valid paths exist in the sensor group, the configuration is accepted; however, no gRPC connection is established when the persistent subscription is activated.

Reference

configure system telemetry sensor-groups sensor-group string

Introduced 20.5.R1

Platforms

All

sensor-groups
Synopsis Enter the sensor-groups context
Context configure system telemetry sensor-groups
Tree sensor-groups
Introduced 20.5.R1

Platforms

All

sensor-group [name] string
Synopsis Enter the sensor-group list instance
Context configure system telemetry sensor-groups sensor-group string
Tree sensor-group
Max. Instances 225
Introduced 20.5.R1

Platforms

All

path [xpath] string
Synopsis Add a list entry for path
Context configure system telemetry sensor-groups sensor-group string path string
Tree path
Max. Instances 4500
Introduced 20.5.R1

Platforms

All

[xpath] string
Synopsis gNMI path to be streamed
Context configure system telemetry sensor-groups sensor-group string path string
Tree path

Description

The command specifies the path from which data is streamed to the collector. Streamed data includes all descendants of the tree indicated by the path.

String Length 1 to 512

Notes

This element is part of a list key.

Introduced 20.5.R1

Platforms

All

thresholds

Synopsis Enter the thresholds context
Context configure system thresholds
Tree thresholds
Introduced 16.0.R1

Platforms

All

cflash-cap-alarm-percent [cflash-id] string
Synopsis Enter the cflash-cap-alarm-percent list instance
Context configure system thresholds cflash-cap-alarm-percent string
Tree cflash-cap-alarm-percent
Introduced 16.0.R1

Platforms

All

falling-threshold number
Synopsis Falling threshold for the sampled statistic
Context configure system thresholds cflash-cap-alarm-percent string falling-threshold number
Tree falling-threshold

Description

This command specifies a falling threshold for the sampled statistic. When the current sampled value is less than or equal to this threshold, and the value at the last sampling interval was greater than this threshold, a single threshold-crossing event is generated. A single threshold-crossing event is also generated if the first sample taken is less than or equal to this threshold and the associated startup-alarm command is equal to the falling or either values.

After a falling threshold-crossing event is generated, another such event is not generated until the sampled value rises above this threshold and reaches greater than or equal to the rising-threshold command.

Range 0 to 100
Units percent
Introduced 16.0.R4

Platforms

All

interval number
Synopsis Polling period over which data is sampled and compared
Context configure system thresholds cflash-cap-alarm-percent string interval number
Tree interval

Description

This command specifies the polling interval over which the data is sampled and compared with the rising and falling thresholds.

Range 1 to 2147483647

Notes

This element is mandatory.

Introduced 16.0.R1

Platforms

All

rising-threshold number
Synopsis Rising threshold for the sampled statistic
Context configure system thresholds cflash-cap-alarm-percent string rising-threshold number
Tree rising-threshold

Description

This command specifies a rising threshold for the sampled statistic. When the current sampled value is greater than or equal to this threshold, and the value at the last sampling interval was less than this threshold, a single threshold-crossing event is generated. A single threshold crossing event is also generated if the first sample taken is greater than or equal to this threshold and the associated startup-alarm command is equal to the rising or either values.

After a rising threshold-crossing event is generated, another such event is not generated until the sampled value falls below this threshold and reaches less than or equal to the falling-threshold command.

Range 0 to 100
Units percent

Notes

This element is mandatory.

Introduced 16.0.R4

Platforms

All

startup-alarm keyword
Synopsis Alarm type when the alarm is first created
Context configure system thresholds cflash-cap-alarm-percent string startup-alarm keyword
Tree startup-alarm

Description

This command specifies the alarm type that may be sent when this alarm is first created.

If the first sample is greater than or equal to the rising threshold value and startup-alarm is equal to rising or either, a single rising threshold crossing event is generated.

If the first sample is less than or equal to the falling threshold value and startup-alarm is equal to falling or either, a single falling threshold crossing event is generated.

Options rising, falling, either
Default either
Introduced 16.0.R1

Platforms

All

cflash-cap-warn-percent [cflash-id] string
Synopsis Enter the cflash-cap-warn-percent list instance
Context configure system thresholds cflash-cap-warn-percent string
Tree cflash-cap-warn-percent

Description

Commands in this context configure the capacity monitoring of the compact flash. The usage is monitored as a percentage of the capacity of the compact flash. The severity level is warning. Both a rising and falling threshold can be specified. 

Introduced 16.0.R1

Platforms

All

falling-threshold number
Synopsis Falling threshold for the sampled statistic
Context configure system thresholds cflash-cap-warn-percent string falling-threshold number
Tree falling-threshold

Description

This command specifies a falling threshold for the sampled statistic. When the current sampled value is less than or equal to this threshold, and the value at the last sampling interval was greater than this threshold, a single threshold-crossing event is generated. A single threshold-crossing event is also generated if the first sample taken is less than or equal to this threshold and the associated startup-alarm command is equal to the falling or either values.

After a falling threshold-crossing event is generated, another such event is not generated until the sampled value rises above this threshold and reaches greater than or equal to the rising-threshold command.

Range 0 to 100
Units percent
Introduced 16.0.R4

Platforms

All

interval number
Synopsis Polling period over which data is sampled and compared
Context configure system thresholds cflash-cap-warn-percent string interval number
Tree interval

Description

This command specifies the polling interval over which the data is sampled and compared with the rising and falling thresholds.

Range 1 to 2147483647

Notes

This element is mandatory.

Introduced 16.0.R1

Platforms

All

rising-threshold number
Synopsis Rising threshold for the sampled statistic
Context configure system thresholds cflash-cap-warn-percent string rising-threshold number
Tree rising-threshold

Description

This command specifies a rising threshold for the sampled statistic. When the current sampled value is greater than or equal to this threshold, and the value at the last sampling interval was less than this threshold, a single threshold-crossing event is generated. A single threshold crossing event is also generated if the first sample taken is greater than or equal to this threshold and the associated startup-alarm command is equal to the rising or either values.

After a rising threshold-crossing event is generated, another such event is not generated until the sampled value falls below this threshold and reaches less than or equal to the falling-threshold command.

Range 0 to 100
Units percent

Notes

This element is mandatory.

Introduced 16.0.R4

Platforms

All

startup-alarm keyword
Synopsis Alarm type when the alarm is first created
Context configure system thresholds cflash-cap-warn-percent string startup-alarm keyword
Tree startup-alarm

Description

This command specifies the alarm type that may be sent when this alarm is first created.

If the first sample is greater than or equal to the rising threshold value and startup-alarm is equal to rising or either, a single rising threshold crossing event is generated.

If the first sample is less than or equal to the falling threshold value and startup-alarm is equal to falling or either, a single falling threshold crossing event is generated.

Options rising, falling, either
Default either
Introduced 16.0.R1

Platforms

All

kb-memory-use-alarm
Synopsis Enable the kb-memory-use-alarm context
Context configure system thresholds kb-memory-use-alarm
Tree kb-memory-use-alarm
Introduced 16.0.R4

Platforms

All

falling-threshold number
Synopsis Falling threshold for the sampled statistic
Context configure system thresholds kb-memory-use-alarm falling-threshold number
Tree falling-threshold

Description

This command specifies a falling threshold for the sampled statistic. When the current sampled value is less than or equal to this threshold, and the value at the last sampling interval was greater than this threshold, a single threshold-crossing event is generated. A single threshold-crossing event is also generated if the first sample taken is less than or equal to this threshold and the associated startup-alarm command is equal to the falling or either values.

After a falling threshold-crossing event is generated, another such event is not generated until the sampled value rises above this threshold and reaches greater than or equal to the rising-threshold command.

Range -2147483648 to 2147483647
Introduced 16.0.R4

Platforms

All

interval number
Synopsis Polling period over which data is sampled and compared
Context configure system thresholds kb-memory-use-alarm interval number
Tree interval

Description

This command specifies the polling interval over which the data is sampled and compared with the rising and falling thresholds.

Range 1 to 2147483647

Notes

This element is mandatory.

Introduced 16.0.R4

Platforms

All

rising-threshold number
Synopsis Rising threshold for the sampled statistic
Context configure system thresholds kb-memory-use-alarm rising-threshold number
Tree rising-threshold

Description

This command specifies a rising threshold for the sampled statistic. When the current sampled value is greater than or equal to this threshold, and the value at the last sampling interval was less than this threshold, a single threshold-crossing event is generated. A single threshold crossing event is also generated if the first sample taken is greater than or equal to this threshold and the associated startup-alarm command is equal to the rising or either values.

After a rising threshold-crossing event is generated, another such event is not generated until the sampled value falls below this threshold and reaches less than or equal to the falling-threshold command.

Range -2147483648 to 2147483647

Notes

This element is mandatory.

Introduced 16.0.R4

Platforms

All

startup-alarm keyword
Synopsis Alarm type when the alarm is first created
Context configure system thresholds kb-memory-use-alarm startup-alarm keyword
Tree startup-alarm

Description

This command specifies the alarm type that may be sent when this alarm is first created.

If the first sample is greater than or equal to the rising threshold value and startup-alarm is equal to rising or either, a single rising threshold crossing event is generated.

If the first sample is less than or equal to the falling threshold value and startup-alarm is equal to falling or either, a single falling threshold crossing event is generated.

Options rising, falling, either
Default either
Introduced 16.0.R4

Platforms

All

kb-memory-use-warn
Synopsis Enable the kb-memory-use-warn context
Context configure system thresholds kb-memory-use-warn
Tree kb-memory-use-warn
Introduced 16.0.R4

Platforms

All

falling-threshold number
Synopsis Falling threshold for the sampled statistic
Context configure system thresholds kb-memory-use-warn falling-threshold number
Tree falling-threshold

Description

This command specifies a falling threshold for the sampled statistic. When the current sampled value is less than or equal to this threshold, and the value at the last sampling interval was greater than this threshold, a single threshold-crossing event is generated. A single threshold-crossing event is also generated if the first sample taken is less than or equal to this threshold and the associated startup-alarm command is equal to the falling or either values.

After a falling threshold-crossing event is generated, another such event is not generated until the sampled value rises above this threshold and reaches greater than or equal to the rising-threshold command.

Range -2147483648 to 2147483647
Introduced 16.0.R4

Platforms

All

interval number
Synopsis Polling period over which data is sampled and compared
Context configure system thresholds kb-memory-use-warn interval number
Tree interval

Description

This command specifies the polling interval over which the data is sampled and compared with the rising and falling thresholds.

Range 1 to 2147483647

Notes

This element is mandatory.

Introduced 16.0.R4

Platforms

All

rising-threshold number
Synopsis Rising threshold for the sampled statistic
Context configure system thresholds kb-memory-use-warn rising-threshold number
Tree rising-threshold

Description

This command specifies a rising threshold for the sampled statistic. When the current sampled value is greater than or equal to this threshold, and the value at the last sampling interval was less than this threshold, a single threshold-crossing event is generated. A single threshold crossing event is also generated if the first sample taken is greater than or equal to this threshold and the associated startup-alarm command is equal to the rising or either values.

After a rising threshold-crossing event is generated, another such event is not generated until the sampled value falls below this threshold and reaches less than or equal to the falling-threshold command.

Range -2147483648 to 2147483647

Notes

This element is mandatory.

Introduced 16.0.R4

Platforms

All

startup-alarm keyword
Synopsis Alarm type when the alarm is first created
Context configure system thresholds kb-memory-use-warn startup-alarm keyword
Tree startup-alarm

Description

This command specifies the alarm type that may be sent when this alarm is first created.

If the first sample is greater than or equal to the rising threshold value and startup-alarm is equal to rising or either, a single rising threshold crossing event is generated.

If the first sample is less than or equal to the falling threshold value and startup-alarm is equal to falling or either, a single falling threshold crossing event is generated.

Options rising, falling, either
Default either
Introduced 16.0.R4

Platforms

All

rmon
Synopsis Enter the rmon context
Context configure system thresholds rmon
Tree rmon
Introduced 16.0.R1

Platforms

All

alarm [rmon-alarm-id] number
Synopsis Enter the alarm list instance
Context configure system thresholds rmon alarm number
Tree alarm
Max. Instances 1200
Introduced 16.0.R1

Platforms

All

[rmon-alarm-id] number
Synopsis Index ID for an entry in the alarm table
Context configure system thresholds rmon alarm number
Tree alarm
Range 0 to 65400

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

All

falling-threshold number
Synopsis Falling threshold for the sampled statistic
Context configure system thresholds rmon alarm number falling-threshold number
Tree falling-threshold

Description

This command specifies a falling threshold for the sampled statistic. When the current sampled value is less than or equal to this threshold and the value at the last sampling interval was greater than this threshold, a single threshold crossing event is generated. A single threshold crossing event is also generated if the first sample taken is less than or equal to this threshold and the associated startup-alarm command is set to falling or either.

After a falling threshold crossing event is generated, another such event is not generated until the sampled value exceeds this threshold and reaches or exceeds the rising-threshold command setting.

Range -2147483648 to 2147483647
Introduced 16.0.R1

Platforms

All

interval number
Synopsis Polling period over which data is sampled and compared
Context configure system thresholds rmon alarm number interval number
Tree interval

Description

This command specifies the polling interval over which the data is sampled and compared with the rising and falling thresholds.

Range 1 to 2147483647

Notes

This element is mandatory.

Introduced 16.0.R1

Platforms

All

owner string
Synopsis Owner that created this entry and uses the resources
Context configure system thresholds rmon alarm number owner string
Tree owner
String Length 1 to 80
Default TiMOS CLI
Introduced 16.0.R1

Platforms

All

rising-threshold number
Synopsis Rising threshold for the sampled statistic
Context configure system thresholds rmon alarm number rising-threshold number
Tree rising-threshold

Description

This command specifies the rising threshold for the sampled statistic. When the current sampled value is greater than or equal to this threshold and the value at the last sampling interval was below this threshold, a single threshold crossing event is generated. A single threshold crossing event is also generated if the first sample taken is greater than or equal to this threshold and the associated startup-alarm command is set to rising or either.

After a rising threshold crossing event is generated, another such event is not generated until the sampled value falls below this threshold and reaches or falls below the falling-threshold command setting.

Range -2147483648 to 2147483647
Introduced 16.0.R1

Platforms

All
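
The rising-threshold, falling-threshold and startup-alarm descriptions in the cflash-cap, kb-memory-use and rmon alarm contexts all describe the same crossing logic with hysteresis. The following added example (not from this reference and not Nokia code) replays a constructed series of samples through that logic; the class and function names are hypothetical, and it assumes rising is greater than falling and that the re-arm rule only suppresses events after one of the same kind has been generated.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

Event = Tuple[int, str, int]  # (sample index, "rising" | "falling", value)


@dataclass(frozen=True)
class ThresholdAlarm:
    rising: int
    falling: int
    startup_alarm: str = "either"  # rising | falling | either

    def __post_init__(self) -> None:
        if self.startup_alarm not in ("rising", "falling", "either"):
            raise ValueError("startup_alarm must be rising, falling or either")
        if self.rising <= self.falling:
            # Assumption of this example, not a rule stated on the page.
            raise ValueError("example assumes rising > falling")


def crossing_events(alarm: ThresholdAlarm, samples: Iterable[int]) -> List[Event]:
    """Return the threshold-crossing events the described rules would generate."""
    events: List[Event] = []
    rising_armed = falling_armed = True
    prev = None
    for idx, value in enumerate(samples):
        # Re-arm: a rising event may repeat only after the value has reached
        # the falling threshold, and vice versa.
        if value <= alarm.falling:
            rising_armed = True
        if value >= alarm.rising:
            falling_armed = True

        if prev is None:
            # First sample: startup-alarm decides which event may fire.
            up = value >= alarm.rising and alarm.startup_alarm in ("rising", "either")
            down = value <= alarm.falling and alarm.startup_alarm in ("falling", "either")
        else:
            # Later samples: an event needs an actual crossing since the last poll.
            up = prev < alarm.rising <= value
            down = prev > alarm.falling >= value

        if up and rising_armed:
            events.append((idx, "rising", value))
            rising_armed = False
        elif down and falling_armed:
            events.append((idx, "falling", value))
            falling_armed = False
        prev = value
    return events


# Constructed samples: compact flash usage in percent, one value per interval.
SAMPLES = [85, 90, 75, 82, 55, 58, 61, 85, 50]

if __name__ == "__main__":
    for startup in ("either", "falling"):
        alarm = ThresholdAlarm(rising=80, falling=60, startup_alarm=startup)
        print(startup, crossing_events(alarm, SAMPLES))
```

With startup-alarm either, the dip to 75 and return to 82 produces no second rising event because the value never reached the falling threshold of 60; with startup-alarm falling, the first sample is silent and the same 82 becomes the first rising event.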

sample-type keyword
Synopsis Sampling type for value comparison with thresholds
Context configure system thresholds rmon alarm number sample-type keyword
Tree sample-type
Options absolute, delta
Default absolute
Introduced 16.0.R1

Platforms

All

variable-oid string
Synopsis Object identifier to sample the specific variable
Context configure system thresholds rmon alarm number variable-oid string
Tree variable-oid
String Length 1 to 255

Notes

This element is mandatory.

Introduced 16.0.R1

Platforms

All

event [rmon-event-id] number
Synopsis Enter the event list instance
Context configure system thresholds rmon event number
Tree event
Max. Instances 1200
Introduced 16.0.R1

Platforms

All

[rmon-event-id] number
Synopsis Index ID for an entry in the event table
Context configure system thresholds rmon event number
Tree event
Range 1 to 65400

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

All

event-type keyword
Synopsis Notification action to be taken when the event occurs
Context configure system thresholds rmon event number event-type keyword
Tree event-type
Options none, log, trap, both
Default both
Introduced 16.0.R1

Platforms

All

owner string
Synopsis Owner that created this entry and uses the resources
Context configure system thresholds rmon event number owner string
Tree owner
String Length 1 to 80
Default TiMOS CLI
Introduced 16.0.R1

Platforms

All

time

Synopsis Enter the time context
Context configure system time
Tree time
Introduced 16.0.R1

Platforms

All

dst-zone [summer-time-zone] string
Synopsis Enter the dst-zone list instance
Context configure system time dst-zone string
Tree dst-zone
Max. Instances 1
Introduced 16.0.R1

Platforms

All

[summer-time-zone] string
Synopsis Summer time zone name
Context configure system time dst-zone string
Tree dst-zone
String Length 1 to 5

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

All

end
Synopsis Enter the end context
Context configure system time dst-zone string end
Tree end
Introduced 16.0.R1

Platforms

All

day keyword
Synopsis Day of the week to end Daylight Savings Time
Context configure system time dst-zone string end day keyword
Tree day
Options sunday, monday, tuesday, wednesday, thursday, friday, saturday
Default sunday
Introduced 16.0.R1

Platforms

All

month keyword
Synopsis Month to end Daylight Savings Time
Context configure system time dst-zone string end month keyword
Tree month
Options january, february, march, april, may, june, july, august, september, october, november, december
Default january
Introduced 16.0.R1

Platforms

All

week keyword
Synopsis Week of the month to end Daylight Savings Time
Context configure system time dst-zone string end week keyword
Tree week
Options first, second, third, fourth, last
Default first
Introduced 16.0.R1

Platforms

All

offset number
Synopsis Offset for Daylight Savings Time
Context configure system time dst-zone string offset number
Tree offset
Range 0 to 60
Units minutes
Default 60
Introduced 16.0.R1

Platforms

All

start
Synopsis Enter the start context
Context configure system time dst-zone string start
Tree start
Introduced 16.0.R1

Platforms

All

day keyword
Synopsis Day of the week to start Daylight Savings Time
Context configure system time dst-zone string start day keyword
Tree day
Options sunday, monday, tuesday, wednesday, thursday, friday, saturday
Default sunday
Introduced 16.0.R1

Platforms

All

month keyword
Synopsis Month to start Daylight Savings Time
Context configure system time dst-zone string start month keyword
Tree month
Options january, february, march, april, may, june, july, august, september, october, november, december
Default january
Introduced 16.0.R1

Platforms

All

week keyword
Synopsis Week of the month to start Daylight Savings Time
Context configure system time dst-zone string start week keyword
Tree week
Options first, second, third, fourth, last
Default first
Introduced 16.0.R1

Platforms

All

ntp
Synopsis Enable the ntp context
Context configure system time ntp
Tree ntp
Introduced 16.0.R1

Platforms

All

admin-state keyword
Synopsis Administrative state of NTP execution
Context configure system time ntp admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 16.0.R1

Platforms

All

authentication-key [key-id] number
Synopsis Enter the authentication-key list instance
Context configure system time ntp authentication-key number
Tree authentication-key
Introduced 16.0.R1

Platforms

All

key string
Synopsis Key to authenticate NTP packets
Context configure system time ntp authentication-key number key string
Tree key
String Length 1 to 71

Notes

This element is mandatory.

Introduced 16.0.R1

Platforms

All

type keyword
Synopsis Authentication method to authenticate NTP packets
Context configure system time ntp authentication-key number type keyword
Tree type
Options des, message-digest

Notes

This element is mandatory.

Introduced 16.0.R1

Platforms

All

authentication-keychain reference
Synopsis Authentication keychain for unsolicited traffic
Context configure system time ntp authentication-keychain reference
Tree authentication-keychain

Description

This command configures the authentication keychain used to handle unsolicited NTP requests.

If a request is received with a key ID that matches both a configured key and the keychain, the MAC is checked first using the key information. If the authentication fails, the MAC is checked using the information from the keychain.

Reference

configure system security keychains keychain string

Introduced 23.10.R1

Platforms

All

broadcast [router-instance] reference interface-name string
Synopsis Enter the broadcast list instance
Context configure system time ntp broadcast reference interface-name string
Tree broadcast
Introduced 16.0.R1

Platforms

All

interface-name string
Synopsis Interface to transmit or receive NTP broadcast packets
Context configure system time ntp broadcast reference interface-name string
Tree broadcast
String Length 1 to 32

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

All

authentication-keychain reference
Synopsis Keychain used to authenticate broadcast messages
Context configure system time ntp broadcast reference interface-name string authentication-keychain reference
Tree authentication-keychain

Description

This command configures the keychain used to authenticate messages sent by this node.

The keychain infrastructure is queried using this keychain name to get the youngest key used for generating the authentication value for the message. When an NTP packet is received by this node, the keychain infrastructure is queried using the keychain name and the key ID extracted from the received message to get the key used to perform the authentication check. If authentication does not pass, the packet is rejected. Keychain entries also have a direction. The key ID and authentication keychain are mutually exclusive. When neither one is set, for example, the key ID has a value of '0' and the value of this command is empty, no authentication is performed.

Reference

configure system security keychains keychain string

Notes

The following elements are part of a choice: authentication-keychain or key-id.

Introduced 23.10.R1

Platforms

All
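
The following is an added example, not Nokia code or part of the original reference: a Python model of the NTP authentication behavior described for authentication-keychain above, covering the send-side choice of the youngest key and the receive-side check that tries the configured key before the keychain entry with the same key ID. It assumes the classic NTP symmetric-key MAC (a 4-byte key ID followed by MD5(key || header)); the dictionaries, field names, direction values and the rule for packets that carry no MAC are constructed for illustration.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48   # NTP header without extension fields
MAC_LEN = 4 + 16  # 32-bit key ID followed by a 128-bit MD5 digest


def digest(key, header):
    # Assumption: classic NTP symmetric-key MAC, MD5(key || header).
    return hashlib.md5(key + header).digest()


def youngest_send_key(keychain, now):
    """Send side: newest active entry whose direction allows sending."""
    usable = [(e["begin"], kid) for kid, e in keychain.items()
              if e["begin"] <= now and e["direction"] in ("send", "send-receive")]
    if not usable:
        return None
    kid = max(usable)[1]
    return kid, keychain[kid]["key"]


def sign(header, key_id, key):
    return header + struct.pack("!I", key_id) + digest(key, header)


def verify(packet, configured_keys, keychain, now):
    """Receive side: returns (accepted, reason); configured key is tried first."""
    if len(packet) == HEADER_LEN:
        # No MAC: accepted only when neither a key nor a keychain is set.
        if not configured_keys and not keychain:
            return True, "no-auth-configured"
        return False, "missing-mac"
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False, "bad-length"
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id == 0:
        return False, "key-id-0"
    key = configured_keys.get(key_id)
    if key is not None and hmac.compare_digest(digest(key, header), mac[4:]):
        return True, "configured-key"
    entry = keychain.get(key_id)
    if (entry and entry["begin"] <= now
            and entry["direction"] in ("receive", "send-receive")
            and hmac.compare_digest(digest(entry["key"], header), mac[4:])):
        return True, "keychain"
    return False, "rejected"


# Constructed sample data: key ID 7 is both a configured key and a keychain entry.
CONFIGURED = {7: b"static-key-7"}
KEYCHAIN = {
    7: {"key": b"chain-key-7", "begin": 100, "direction": "send-receive"},
    8: {"key": b"chain-key-8", "begin": 200, "direction": "send"},
    9: {"key": b"chain-key-9", "begin": 900, "direction": "send-receive"},
}
HEADER = bytes([0x23]) + bytes(47)  # LI=0, VN=4, mode=3 (client), rest zeroed

if __name__ == "__main__":
    kid, key = youngest_send_key(KEYCHAIN, now=500)
    print(kid, verify(sign(HEADER, kid, key), CONFIGURED, KEYCHAIN, now=500))
```

In this model a send-only keychain entry never validates a received packet, and a packet without a MAC is accepted only when no key material is configured at all.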

ttl number
Synopsis TTL of messages transmitted by the broadcast address
Context configure system time ntp broadcast reference interface-name string ttl number
Tree ttl
Range 1 to 255
Default 127
Introduced 16.0.R1

Platforms

All

broadcast-client [router-instance] string interface-name string
Synopsis Enter the broadcast-client list instance
Context configure system time ntp broadcast-client string interface-name string
Tree broadcast-client
Introduced 16.0.R1

Platforms

All

multicast
Synopsis Enable the multicast context
Context configure system time ntp multicast
Tree multicast
Introduced 16.0.R1

Platforms

All

authentication-keychain reference
Synopsis Keychain used to authenticate broadcast messages
Context configure system time ntp multicast authentication-keychain reference
Tree authentication-keychain

Description

This command configures the keychain used to authenticate messages sent by this node.

The keychain infrastructure is queried using this keychain name to get the youngest key used for generating the authentication value for the message. When an NTP packet is received by this node, the keychain infrastructure is queried using the keychain name and the key ID extracted from the received message to get the key used to perform the authentication check. If authentication does not pass, the packet is rejected. Keychain entries also have a direction. The key ID and authentication keychain are mutually exclusive. When neither one is set, for example, the key ID has a value of '0' and the value of this command is empty, no authentication is performed.

Reference

configure system security keychains keychain string

Notes

The following elements are part of a choice: authentication-keychain or key-id.

Introduced 23.10.R1

Platforms

All

version number
Synopsis NTP version number generated by the node
Context configure system time ntp multicast version number
Tree version

Description

This command specifies the NTP version number that is generated by the node. This command does not need to be configured when in client mode, in which case all three versions are accepted.

Range 2 to 4
Default 4
Introduced 16.0.R1

Platforms

All

peer [ip-address] (ipv4-address-no-zone | ipv6-address-no-zone) router-instance string
Synopsis Enter the peer list instance
Context configure system time ntp peer (ipv4-address-no-zone | ipv6-address-no-zone) router-instance string
Tree peer
Introduced 16.0.R1

Platforms

All

[ip-address] (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis IP address of the peer for a peering relationship
Context configure system time ntp peer (ipv4-address-no-zone | ipv6-address-no-zone) router-instance string
Tree peer

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

All

router-instance string
Synopsis Router name or VPRN service name
Context configure system time ntp peer (ipv4-address-no-zone | ipv6-address-no-zone) router-instance string
Tree peer

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

All

authentication-keychain reference
Synopsis Keychain used to authenticate broadcast messages
Context configure system time ntp peer (ipv4-address-no-zone | ipv6-address-no-zone) router-instance string authentication-keychain reference
Tree authentication-keychain

Description

This command configures the keychain used to authenticate messages sent by this node.

The keychain infrastructure is queried using this keychain name to get the youngest key used for generating the authentication value for the message. When an NTP packet is received by this node, the keychain infrastructure is queried using the keychain name and the key ID extracted from the received message to get the key used to perform the authentication check. If authentication does not pass, the packet is rejected. Keychain entries also have a direction. The key ID and authentication keychain are mutually exclusive. When neither one is set, for example, the key ID has a value of '0' and the value of this command is empty, no authentication is performed.

Reference

configure system security keychains keychain string

Notes

The following elements are part of a choice: authentication-keychain or key-id.

Introduced 23.10.R1

Platforms

All

key-id reference
Synopsis Authentication key and type used by the node
Context configure system time ntp peer (ipv4-address-no-zone | ipv6-address-no-zone) router-instance string key-id reference
Tree key-id

Reference

configure system time ntp authentication-key number

Notes

The following elements are part of a choice: authentication-keychain or key-id.

Introduced 16.0.R1

Platforms

All

prefer boolean
Synopsis Set NTP server as preferred to receive time
Context configure system time ntp peer (ipv4-address-no-zone | ipv6-address-no-zone) router-instance string prefer boolean
Tree prefer
Default false
Introduced 16.0.R1

Platforms

All

version number
Synopsis NTP version number generated by the node
Context configure system time ntp peer (ipv4-address-no-zone | ipv6-address-no-zone) router-instance string version number
Tree version

Description

This command specifies the NTP version number that is generated by the node. This command does not need to be configured when in client mode, in which case all three versions are accepted.

Range 2 to 4
Default 4
Introduced 16.0.R1

Platforms

All

server [ip-address] (ipv4-address-no-zone | ipv6-address-no-zone | keyword) router-instance string
Synopsis Enter the server list instance
Context configure system time ntp server (ipv4-address-no-zone | ipv6-address-no-zone | keyword) router-instance string
Tree server
Introduced 16.0.R1

Platforms

All

[ip-address] (ipv4-address-no-zone | ipv6-address-no-zone | keyword)
Synopsis IP address of an external NTP server
Context configure system time ntp server (ipv4-address-no-zone | ipv6-address-no-zone | keyword) router-instance string
Tree server
Options ptp

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

All

router-instance string
Synopsis Router name or VPRN service name
Context configure system time ntp server (ipv4-address-no-zone | ipv6-address-no-zone | keyword) router-instance string
Tree server

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

All

authentication-keychain reference
Synopsis Keychain used to authenticate broadcast messages
Context configure system time ntp server (ipv4-address-no-zone | ipv6-address-no-zone | keyword) router-instance string authentication-keychain reference
Tree authentication-keychain

Description

This command configures the keychain used to authenticate messages sent by this node.

The keychain infrastructure is queried using this keychain name to get the youngest key used for generating the authentication value for the message. When an NTP packet is received by this node, the keychain infrastructure is queried using the keychain name and the key ID extracted from the received message to get the key used to perform the authentication check. If authentication does not pass, the packet is rejected. Keychain entries also have a direction. The key ID and authentication keychain are mutually exclusive. When neither one is set, for example, the key ID has a value of '0' and the value of this command is empty, no authentication is performed.

Reference

configure system security keychains keychain string

Notes

The following elements are part of a choice: authentication-keychain or key-id.

Introduced 23.10.R1

Platforms

All

key-id reference
Synopsis Authentication key and type used by the node
Context configure system time ntp server (ipv4-address-no-zone | ipv6-address-no-zone | keyword) router-instance string key-id reference
Tree key-id

Reference

configure system time ntp authentication-key number

Notes

The following elements are part of a choice: authentication-keychain or key-id.

Introduced 16.0.R1

Platforms

All

prefer boolean
Synopsis Set NTP server as preferred to receive time
Context configure system time ntp server (ipv4-address-no-zone | ipv6-address-no-zone | keyword) router-instance string prefer boolean
Tree prefer
Default false
Introduced 16.0.R1

Platforms

All

version number
Synopsis NTP version number generated by the node
Context configure system time ntp server (ipv4-address-no-zone | ipv6-address-no-zone | keyword) router-instance string version number
Tree version

Description

This command specifies the NTP version number that is generated by the node. This command does not need to be configured when in client mode, in which case all three versions are accepted.

Range 2 to 4
Default 4
Introduced 16.0.R1

Platforms

All

prefer-local-time boolean
Synopsis Use local time over UTC time in the system
Context configure system time prefer-local-time boolean
Tree prefer-local-time

Description

When configured to true, the system uses local time. This preference is applied to objects such as log file names, created and completed times reported in log files, NETCONF and gRPC date-and-time leafs, and rollback times displayed in show command outputs.

When configured to false, the system uses UTC time.

Note: The timezone used for show command outputs during a CLI session can be controlled using the environment time-display command.

Note: The format used for the date-time strings may change, depending on the command setting. For example, when this command is set to true, all date-time strings include a suffix of three to five characters that indicates the timezone used.

Note: The time format for timestamps on log events is controlled on a per-log basis, using the configure log log-id time-format command.

Default false
Introduced 16.0.R1

Platforms

All

sntp
Synopsis Enter the sntp context
Context configure system time sntp
Tree sntp
Introduced 16.0.R1

Platforms

All

admin-state keyword
Synopsis Administrative state of SNTP
Context configure system time sntp admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 16.0.R1

Platforms

All

server [ip-address] (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis Enter the server list instance
Context configure system time sntp server (ipv4-address-no-zone | ipv6-address-no-zone)
Tree server
Introduced 16.0.R1

Platforms

All

[ip-address] (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis IP address of the SNTP server
Context configure system time sntp server (ipv4-address-no-zone | ipv6-address-no-zone)
Tree server

Notes

This element is part of a list key.

Introduced 16.0.R1

Platforms

All

interval number
Synopsis Frequency of querying the server
Context configure system time sntp server (ipv4-address-no-zone | ipv6-address-no-zone) interval number
Tree interval
Range 64 to 1024
Units seconds
Default 64
Introduced 16.0.R1

Platforms

All

prefer boolean
Synopsis Preference value for this SNTP server
Context configure system time sntp server (ipv4-address-no-zone | ipv6-address-no-zone) prefer boolean
Tree prefer
Default false
Introduced 16.0.R1

Platforms

All

version number
Synopsis SNTP version supported by this server
Context configure system time sntp server (ipv4-address-no-zone | ipv6-address-no-zone) version number
Tree version
Range 1 to 3
Default 3
Introduced 16.0.R1

Platforms

All

sntp-state keyword
Synopsis Mode for Simple Network Time Protocol (SNTP)
Context configure system time sntp sntp-state keyword
Tree sntp-state
Options unicast, broadcast
Default unicast
Introduced 16.0.R1

Platforms

All

zone
Synopsis Enter the zone context
Context configure system time zone
Tree zone
Introduced 16.0.R1

Platforms

All

non-standard
Synopsis Enter the non-standard context
Context configure system time zone non-standard
Tree non-standard

Notes

The following elements are part of a choice: non-standard or standard.

Introduced 16.0.R1

Platforms

All

standard
Synopsis Enter the standard context
Context configure system time zone standard
Tree standard

Notes

The following elements are part of a choice: non-standard or standard.

Introduced 16.0.R1

Platforms

All

name keyword
Synopsis Standard time zone name
Context configure system time zone standard name keyword
Tree name
Options hst, akst, pst, mst, cst, est, ast, nst, utc, gmt, wet, cet, eet, msk, msd, awst, acst, aest, nzst
Default utc
Introduced 16.0.R1

Platforms

All

transmission-profile [name] string

Synopsis Enter the transmission-profile list instance
Context configure system transmission-profile string
Tree transmission-profile
Introduced 16.0.R4

Platforms

All

retry number
Synopsis Number of attempts to reconnect to the server
Context configure system transmission-profile string retry number
Tree retry
Range 1 to 256
Introduced 16.0.R4

Platforms

All

timeout number
Synopsis Timeout for a response from the server
Context configure system transmission-profile string timeout number
Tree timeout
Range 1 to 3600
Units seconds
Default 60
Introduced 16.0.R4

Platforms

All

usb [usb-cflash] keyword

Synopsis Enter the usb list instance
Context configure system usb keyword
Tree usb

Description

Commands in this context configure the operational state of the USB port.

Introduced 22.10.R1

Platforms

7750 SR-1-24D, 7750 SR-1-46S, 7750 SR-1-48D, 7750 SR-1-92S, 7750 SR-1x-48D, 7750 SR-1x-92S, 7750 SR-1se, 7750 SR-2se

[usb-cflash] keyword
Synopsis Specifies the compact flash ID
Context configure system usb keyword
Tree usb
Options cf2

Notes

This element is part of a list key.

Introduced 22.10.R1

Platforms

7750 SR-1-24D, 7750 SR-1-46S, 7750 SR-1-48D, 7750 SR-1-92S, 7750 SR-1x-48D, 7750 SR-1x-92S, 7750 SR-1se, 7750 SR-2se

admin-state keyword
Synopsis Administrative state of the USB port
Context configure system usb keyword admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 22.10.R1

Platforms

7750 SR-1-24D, 7750 SR-1-46S, 7750 SR-1-48D, 7750 SR-1-92S, 7750 SR-1x-48D, 7750 SR-1x-92S, 7750 SR-1se, 7750 SR-2se