The command outputs in the following section are examples only; actual displays may differ depending on supported functionality and user configuration.
This command displays SNMP access group information.
Security Access Group Output
Table 20 describes security access group output fields..
Label | Description |
Group name | The access group name. |
Security model | The security model required to access the views configured in this node. |
Security level | Specifies the required authentication and privacy levels to access the views configured in this node. |
Read view | Specifies the variable of the view to read the MIB objects. |
Write view | Specifies the variable of the view to configure the contents of the agent. |
Notify view | Specifies the variable of the view to send a trap about MIB objects. |
This command displays system login authentication configuration and statistics.
Authentication Output
Table 21 describes system security authentication output fields.
Label | Description |
Sequence | The sequence in which authentication is processed. |
Server address | The IP address of the RADIUS server. |
Status | Current status of the RADIUS server. |
Type | The authentication type. |
Timeout (secs) | The number of seconds the router waits for a response from a RADIUS server. |
Retry count | Displays the number of times the router attempts to contact the RADIUS server for authentication if there are problems communicating with the server. |
Connection errors | Displays the number of times a user has attempted to login irrespective of whether the login succeeded or failed. |
Accepted logins | The number of times the user has successfully logged in. |
Rejected logins | The number of unsuccessful login attempts. |
Sent packets | The number of packets sent. |
Rejected packets | The number of packets rejected. |
This command displays SNMP communities.
Communities Output
Table 22 describes community output fields.
Label | Description |
Community | The community string name for SNMPv1 and SNMPv2c access only. |
Access | r — The community string allows read-only access. |
rw — The community string allows read-write access. | |
rwa — The community string allows read-write access. | |
mgmt — The unique SNMP community string assigned to the management router. | |
View | The view name. |
Version | The SNMP version. |
Group Name | The access group name. |
No of Communities | The total number of configured community strings. |
This command displays CPM filters.
This command displays CPM IP filters.
CPM Filter Output
Table 23 describes CPM IP filter output fields..
Label | Description |
Entry-Id | Displays information about the specified management access filter entry |
Dropped | Displays the number of dropped events. |
Forwarded | Displays the number of forwarded events. |
Description | Displays the CPM filter description. |
Log ID | Displays the log ID where matched packets will be logged. |
Src IP | Displays the source IP address(/netmask or prefix-list) |
Dest. IP | Displays the destination IP address(/netmask). |
Src Port | Displays the source port number (range). |
Dest. Port | Displays the destination port number (range). |
Protocol | Displays the Protocol field in the IP header. |
Dscp | Displays the DSCP field in the IP header. |
Fragment | Displays the 3-bit fragment flags or 13-bit fragment offset field. |
ICMP Type | Displays the ICMP type field in the ICMP header. |
ICMP Code | Displays the ICMP code field in the ICMP header. |
TCP-syn | Displays the SYN flag in the TCP header. |
TCP-ack | Displays the ACK flag in the TCP header |
Match action | When the criteria matches, displays drop or forward packet. |
Next Hop | In case match action is forward, indicates destination of the matched packet. |
Dropped pkts | Indicates number of matched dropped packets |
Forwarded pkts | Indicates number of matched forwarded packets. |
This command displays CPM IPv6 filters and only applies to the 7750 SR and 7950 XRS.
CPM Filter Output
Table 24 describes CPM IPv6 filter output fields..
Label | Description |
Entry-Id | Displays information about the specified management access filter entry |
Dropped | Displays the number of dropped events. |
Forwarded | Displays the number of forwarded events. |
Description | Displays the CPM filter description. |
Log ID | Log Id where matched packets will be logged. |
Src IP | Displays Source IP address(/netmask) |
Dest. IP | Displays Destination IP address(/netmask). |
Src Port | Displays Source Port Number (range). |
Dest. Port | Displays Destination Port Number (range). |
next-header | Displays next-header field in the IPv6 header. |
Dscp | Displays Traffic Class field in the IPv6 header. |
ICMP Type | Displays ICMP type field in the icmp header. |
ICMP Code | Displays ICMP code field in the icmp header. |
TCP-syn | Displays the SYN flag in the TCP header. |
TCP-ack | Displays the ACK flag in the TCP header |
Match action | When criteria matches, displays drop or forward packet. |
Next Hop | In case match action is forward, indicates destination of the matched packet. |
Dropped pkts | Indicating number of matched dropped packets |
Forwarded pkts | Indicating number of matched forwarded packets. |
Displays CPM queues.
CPM queue Output
Table 25 describes CPM queue output fields..
Label | Description |
PIR | Displays the administrative Peak Information Rate (PIR) for the queue. |
CIR | Displays the amount of bandwidth committed to the queue. |
CBS | Displays the amount of buffer drawn from the reserved buffer portion of the queue’s buffer pool. |
MBS | Displays the maximum queue depth to which a queue can grow. |
This command enables the context to display CPU protection information.
This command displays sources exceeding their eth-cfm-monitoring rate limit.
This command displays Distributed CPU Protection parameters and status at the per card and forwarding plane level.
Table 26 describes Distributed CPU Protection output fields.
Label | Description |
Card | The card identifier |
Forwarding Plane(FP) | Identifies the instance of the FP (FastPath) chipset. Some cards have a single FP (for example, an IOM3-XP) and some cards can contain multiple FPs (for example, an IOM2 has two FPs and an XCM can house two FPs via its two XMAs). |
Dynamic Enforcement Policer Pool | The configured size of the dynamic-enforcement-policer-pool for this card/FP. |
Dynamic-Policers Currently In Use | The number of policers from the dynamic enforcement policer pool that are currently in use. The policers are allocated from the pool and instantiated as per-object-per-protocol dynamic enforcement policers after a local monitor triggered for an object (such as a SAP or Network Interface). |
Hi-WaterMark Hit Count | The maximum Currently In Use value since it was last cleared (clear card x fp y dist-cpu-protection) |
Hi-WaterMark Hit Time | The time at which the current Hi-WaterMark Hit Count was first recorded. |
Dynamic-Policers Allocation Fail Count | Indicates how many times the system attempted to allocate dynamic enforcement policers but could not get enough the fill the request. |
This command displays Distributed CPU Protection parameters and status at the per SAP level.
Distributed CPU Protection Policer Output
Table 27 describes Distributed CPU Protection Policer Output output fields.
Label | Description |
Distributed CPU Protection Policy | The DCP policy assigned to the object. |
Policer-Name | The configured name of the static policer |
Card/FP | The card and FP identifier. FP identifies the instance of the FP (FastPath) chipset. Some cards have a single FP (for example, IOM3-XP) and some cards can contain multiple FPs (for example, an IOM2 has two FPs and an XCM can house two FPs via its two XMAs). |
Policer-State | The state of the policer with the following potential values: |
Exceed - The policer has been detected as non-conformant to the associated DCP policy parameters (e.g. packets exceeded the configured rate and the DCP polling process identified this occurrence) | |
Conform - The policer has been detected as conformant to the associated DCP policy parameters (rate) | |
not-applicable - Newly created policers or policers that are not currently instantiated. This includes policers configured on linecards that are not in service. | |
Protocols Mapped | A list of protocols that are configured to map to the particular policer. |
Oper. xyz fields | The actual hardware may not be able to perfectly rate limit to the exact configured rate parameters in a DCP policy. In this case the configured rate parameters will be adapted to the closest supported rate. These adapted operational values are displayed in CLI when the “detail” keyword is included in the show command. The adapted Oper. parameters are only applicable if the policer is instantiated (e.g. if the associated forwarding plane is operational, or for an interface if there is a physical port configured for the interface, or if the dynamic policers are allocated), otherwise values of 0 kbps, etc are displayed. |
Oper. Kbps - The adapted ‘kilobits-per-second’ value for DCP ‘kbps’ rates | |
Oper. MBS - The adapted ‘mbs size’ value for DCP ‘kbps’ rates | |
Oper. Depth - The calculated policer bucket depth in packets (for DCP ‘packets’ rates) or in bytes (for DCP ‘kbps’rates) | |
Oper. Packets - The adapted ‘ppi’ value for DCP ‘packets’ rates | |
Oper. Within - The adapted ‘within seconds’ value for DCP ‘packets’ rates | |
Oper. Init. Delay - The adapted ‘initial-delay packets’ value for DCP ‘packets’ rates | |
Exceed-Count | The count of packets exceeding the policing parameters since the given policer was previously declared as conformant or newly instantiated. This counter has the same behavior as the exceed counter in the DCP the log events – they are baselined (reset) when the policer transitions to conformant. |
Detec. Time Remain | The remaining time in the detection-time countdown during which a policer in the exceed state is being monitored to see if it is once again conformant. |
Hold-Down Remain | The remaining time in the hold-down countdown during which a policer is treating all packets as exceeding. |
All Dyn-Plcr Alloc. | Indicates that all the dynamic enforcement policers have been allocated and instantiated for a given local-monitor. |
Dyn-Policer Alloc. | Indicates that a dynamic policer has been instantiated. |
This command displays Distributed CPU Protection parameters and status at the router Interface level.
Distributed CPU Protection Policer Output
Table 28 describes Distributed CPU Protection Policer Output output fields.
Label | Description |
Distributed CPU Protection Policy | The DCP policy assigned to the object. |
Policer-Name | The configured name of the static policer |
Card/FP | The card and FP identifier. FP identifies the instance of the FP (FastPath) chipset. Some cards have a single FP (for example, IOM3-XP) and some cards can contain multiple FPs (for example, an IOM2 has two FPs and an XCM can house two FPs via its two XMAs). |
Policer-State | The state of the policer with the following potential values: |
Exceed - The policer has been detected as non-conformant to the associated DCP policy parameters (packets exceeded the configured rate and the DCP polling process identified this occurence) | |
Conform - The policer has been detected as conformant to the associated DCP policy parameters (rate) | |
not-applicable - Newly created policers or policers that are not currently instantiated. This includes policers configured on linecards that are not in service. | |
Protocols Mapped | A list of protocols that are configured to map to the particular policer. |
Oper. xyz fields | The actual hardware may not be able to perfectly rate limit to the exact configured rate parameters in a DCP policy. In this case the configured rate parameters will be adapted to the closest supported rate. These adapted operational values are displayed in CLI when the “detail” keyword is included in the show command. The adapted Oper. parameters are only applicable if the policer is instantiated (e.g. if the associated forwarding plane is operational, or for an interface if there is a physical port configured for the interface, or if the dynamic policers are allocated), otherwise values of 0 kbps, etc are displayed. |
Oper. Kbps - The adapted ‘kilobits-per-second’ value for DCP ‘kbps’ rates | |
Oper. MBS - The adapted ‘mbs size’ value for DCP ‘kbps’ rates | |
Oper. Depth - The calculated policer bucket depth in packets (for DCP ‘packets’ rates) or in bytes (for DCP ‘kbps’rates) | |
Oper. Packets - The adapted ‘ppi’ value for DCP ‘packets’ rates | |
Oper. Within - The adapted ‘within seconds’ value for DCP ‘packets’ rates | |
Oper. Init. Delay - The adapted ‘initial-delay packets’ value for DCP ‘packets’ rates | |
Exceed-Count | The count of packets exceeding the policing parameters since the given policer was previously declared as conformant or newly instantiated. This counter has the same behavior as the exceed counter in the DCP the log events – they are baselined (reset) when the policer transitions to conformant. |
Detec. Time Remain | The remaining time in the detection-time countdown during which a policer in the exceed state is being monitored to see if it is once again conformant. |
Hold-Down Remain | The remaining time in the hold-down countdown during which a policer is treating all packets as exceeding. |
All Dyn-Plcr Alloc. | Indicates that all the dynamic enforcement policers have been allocated and instantiated for a given local-monitor. |
Dyn-Policer Alloc. | Indicates that a dynamic policer has been instantiated. |
This command displays sources exceeding their per-source rate limit.
This command displays CPU protection policy information.
This command display all interfaces with non-zero drop counters.
This command displays all interfaces, ports or SAPs with CPU protection policy violators. It also includes objects (saps, interfaces) that exceed the out-profile-rate and have the log-events keyword enabled for the out-profile-rate in the cpu-protection policy associated with the object.
This command displays CPM MAC filters.
This command displays management access MAC filters.
This command displays keychain information.
This commend displays management access filter information for IP and MAC filters.
This command displays management-access IP filters.
Management Access Filter Output
Table 29 describes management access filter output fields.
Label | Description |
Def. action | Permit Specifies that packets not matching the configured selection criteria in any of the filter entries are permitted. |
Deny Specifies that packets not matching the configured selection criteria in any of the filter entries are denied and that a ICMP host unreachable message will be issued. | |
Deny-host-unreachble Specifies that packets not matching the configured selection criteria in the filter entries are denied. | |
Entry | The entry ID in a policy or filter table. |
Description | A text string describing the filter. |
Src IP | The source IP address used for management access filter match criteria. |
Src interface | The interface name for the next hop to which the packet should be forwarded if it hits this filter entry. |
Dest port | The destination port. |
Matches | The number of times a management packet has matched this filter entry. |
Protocol | The IP protocol to match. |
Action | The action to take for packets that match this filter entry. |
This command displays management-access IPv6 filters and only applies to the 7750 SR and 7950 XRS.
This command displays configured password options.
Password Options Output
Table 30 describes password options output fields.
Label | Description |
Password aging in days | Displays the number of days a user password is valid before the user must change their password. |
Time required between password changes | Displays the time interval between changed passwords. |
Number of invalid attempts permitted per login | Displays the number of unsuccessful login attempts allowed for the specified time. |
Time in minutes per login attempt | Displays the period of time, in minutes, that a specified number of unsuccessful attempts can be made before the user is locked out. |
Lockout period (when threshold breached) | Displays the number of minutes that the user is locked out if the threshold of unsuccessful login attempts has been exceeded. |
Authentication order | Displays the sequence in which password authentication is attempted among RADIUS, TACACS+, and local passwords. |
User password history length | Displays the size of the password history file to be stored. |
Accepted password length | Displays the minimum length required for local passwords. |
Credits for each character type | Displays the credit for each character type. A credit is obtained for a particular character type; for example, uppercase, lowercase, numeric, or special character. Credits per character type are configurable. Credits can be used towards the minimum length of the password, so a trade-off can be made between a very long, simple password and a short, complex one. |
Required character types | Displays the character types that are required in a password; for example, uppercase, lowercase, numeric, or special character. |
Minimum number different character types | Displays the minimum number of each different character types in a password. |
Required distance with previous password | Displays the minimum Levenshtein distance between a new password and the old password. |
Allow consecutively repeating a character | Displays the number of times the same character is allowed to be repeated consecutively. |
Allow passwords containing username | Displays whether the user name is allowed as part of the password. |
Palindrome allowed | Displays whether palindromes are allowed as part of the password. |
This command enables or disables CPMCFM hardware queuing per peer. TTL security only operates when per-peer-queuing is enabled.
Per-Peer-Queuing Output
Table 31 describes per-peer-queuing output fields.
Label | Description |
Per Peer Queuing | Displays the status (enabled or disabled) of CPM hardware queuing per peer. |
Total Num of Queues | Displays the total number of hardware queues. |
Num of Queues In Use | Displays the total number of hardware queues in use. |
This command displays user profile information.
If the profile-name is not specified, then information for all profiles are displayed.
User Profile Output
Table 32 describes user profile output fields.
Label | Description |
User Profile | Displays the profile name used to deny or permit user console access to a hierarchical branch or to specific commands. |
Def. action | Permit all Permits access to all commands. |
Deny Denies access to all commands. | |
None No action is taken. | |
Entry | The entry ID in a policy or filter table. |
Description | Displays the text string describing the entry. |
Match Command | Displays the command or subtree commands in subordinate command levels. |
Action | Permit all Commands matching the entry command match criteria are permitted. |
Deny Commands not matching the entry command match criteria are not permitted. | |
No. of profiles | The total number of profiles listed. |
This command displays source-address configured for applications.
Source Address Output
Table 33 describes source address output fields.
Label | Description |
Application | Displays the source-address application. |
IP address Interface Name | Displays the source address IP address or interface name. |
Oper status | Up: The source address is operationally up. |
Down: The source address is operationally down. |
This command displays all the SSH sessions as well as the SSH status and fingerprint. The type of SSH application (CLI, SCP, SFTP or NETCONF) is indicated for each SSH connection.
SSH Options Output
Table 34 describes SSH output fields .
Label | Description |
SSH status | SSH is enabled: Displays that SSH server is enabled. SSH is disabled: Displays that SSH server is disabled. |
SSH Preserve Key | Enabled: Displays that preserve-key is enabled. Disabled: Displays that preserve-key is disabled. |
SSH protocol version 1 | Enabled: Displays that SSH1 is enabled. Disabled: Displays that SSH1 is disabled. |
SSH protocol version 2 | Enabled: Displays that SSH2 is enabled. Disabled: Displays that SSH2 is disabled. |
Key fingerprint | The key fingerprint is the server’s identity. Clients trying to connect to the server verify the server's fingerprint. If the server fingerprint is not known, the client may not continue with the SSH session since the server might be spoofed. |
Connection | The IP address of the connected router(s) (remote client). |
Encryption | des: Data encryption using a private (secret) key. 3des: An encryption method that allows proprietary information to be transmitted over untrusted networks. |
Username | The name of the user. |
Version | The SSH version number. |
Server Name | The type of SSH application (CLI, SCP, SFTP or NETCONF) |
Number of SSH sessions | The total number of SSH sessions. |
This command displays user registration information.
If no command line options are specified, summary information for all users displays.
User Output
Table 35 describes user output fields.
Label | Description |
User ID | The name of a system user. |
Need new pwd | Y: The user must change his password at the next login. |
N: The user is not forced to change his password at the next login. | |
Cannot change pw | Y: The user has the ability to change the login password. |
N: The user does not have the ability to change the login password. | |
User permissions | Console Y - The user is authorized for console access. N- The user is not authorized for console access. |
FTP Y - The user is authorized for FTP access. N - The user is not authorized for FTP access. | |
SNMP Y - The user is authorized for SNMP access. N - The user is not authorized for SNMP access. | |
Password expires | The number of days in which the user must change his login password. |
Attempted logins | The number of times the user has attempted to login irrespective of whether the login succeeded or failed. |
Failed logins | The number of unsuccessful login attempts. |
Local conf | Y: Password authentication is based on the local password database. |
N: Password authentication is not based on the local password database. | |
Home directory | Specifies the local home directory for the user for both console and FTP access. |
Restricted to home | Yes: The user is not allowed to navigate to a directory higher in the directory tree on the home directory device. |
No: The user is allowed to navigate to a directory higher in the directory tree on the home directory device. | |
Login exec file | Displays the user’s login exec file which executes whenever the user successfully logs in to a console session. |
profile: the security profile(s) associated with the user | |
locked-out: no / yes (time remaining). Indicates the the user is currently locked-out. After the time expires, or the lockout is manually cleared, the user will be able to attempt to log into the node again. | |
Remaining Login attempts: The number of login attempts remaining until the user will be locked-out | |
Remaining Lockout Time: The time until the lockout is automatically cleared and the user can attempt to log into the node again. |
With the introduction of the PKI on an SR (SSH Server) the authentication process can be done via PKI or password. SSH client usually authenticate via PKI and password if PKI is configured on the client. In this case PKI takes precedence over password in most clients.
All client authentications are logged and display in the show>system>security>user detail. Table 36 shows the rules where pass and fail attempts are logged.
Authentication Order | Client (i.e., putty) | Server (i.e., SR) | CLI Show System Security Attempts (SR) | ||
Private Key Programmed | Public Key Configured | Password Configured | Logins Attempts | Failed Logins | |
1. Public Key | Yes | Yes | N/A | Increment | |
2. Password | Yes | Yes (No match between client and server. Go to password.) | Yes | Increment | |
Yes | No | Yes | Increment | ||
No | N/A | Yes | Increment | ||
No | N/A | No | Increment | ||
1. Public Key (only) | Yes | Yes | N/A | Increment | |
Yes | Yes (No match between client and server. Go go password.) | Increment | |||
Yes | N/A | Increment | |||
No | N/A | Increment | |||
This command displays the SNMP MIB views.
View Output
Table 37 describes show view output fields.
Label | Description |
view name | The name of the view. Views control the accessibility of a MIB object within the configured MIB view and subtree. |
oid tree | The object identifier of the ASN.1 subtree. |
mask | The bit mask that defines a family of view subtrees. |
permission | Indicates whether each view is included or excluded |
No. of Views | Displays the total number of views. |
This command displays certificate information.
This command shows certificate-authority profile information.
This command displays the current cached OCSP results. The output includes the following information:
Certificate issuer
Certificate serial number
OCSP result
Cache entry expire time
This command shows certificate related statistics.
Displays console user login and connection information.
Users Output
Table 38 describes show users output fields.
Label | Description |
User | The user name. |
Type | The user is authorized this access type. |
From | The originating IP address. |
Login time | The time the user logged in. |
Idle time | The amount of idle time for a specific login. |
Number of users | Displays the total number of users logged in. |
This command clears authentication statistics.
This command clears IP filter statistics.
This command clears IPv6 filter statistics.
This command clears MAC filter statistics.
This command clears IPv6 filter information and only applies to the 7750 SR and 7950 XRS.
This command enables the context to clear CPU protection data.
This command clears the records of sources exceeding their per-source rate limit.
This command clears the interface counts of packets dropped by protocol protection.
This command clears the rate limit violator record.
This command clears CPM queue information.
This command clears RADIUS proxy server data.
This command enables debugging for RADIUS connections.
The no form of the command disables the debug output.
This command enables debug output of OCSP protocol for the CA profile.
The no form of the command disables the debug output.
This command enables debug output of a specific CA profile.
The no form of the command disables the debug output.
This command displays to release Distributed CPU Protection parameters and status at the per card and forwarding plane level.
This command is used to release a Distributed CPU Protection (DCP) policer from a hold-down countdown (or indefinite hold-down if configured as such).
This command shows the non-conformant enforcement policers and local monitors.
Users Output
Table 39 describes show users output fields.
Label | Description |
Interface | The name of the router interface |
Policer/Protocol | The configured name of the static policer (indicated with an [S]) or the DCP protocol name for a dynamic policer (indicated with a [D]). |
[S] / [D] | indicates a static vs dynamic policer |
Hld Rem | The remaining time in the hold-down countdown during which a policer is treating all packets as exceeding. |
This command is used to clear any lockouts for a specific user, or for all users.
This command is used to clear old passwords used by a specific user, or for all users.