DO NOT SHARE THESE DOCS WITH CUSTOMERS!
This is an LA release that will only be provided to a select number of PLM-sanctioned customers (PDFs only). Contact PLM for details.
In this section:
The request system
command applies to both system-level and configure modes except where noted.
% request system admin <SYSTEM NAME> adManualSync discardCandidateConfiguration license loadLicenseFile bundleName <license bundle name> fileName <license filename> loadConfig allowOldVersion <no | yes> filename reenableOSaccount userName <username> reGenerateSshRsaKeys reKeyConfdEncryptionKeys removeSavedConfig fileName <filename> restart restoreRevision revision <revision number> saveAndActivate saveConfig fileNameSuffix <suffix> saveLIGenericKey hexEncryptionKey <hex key> searchAdData adAttributeIdentifier <AD Attribute> searchString <search data> setHaConfig bondMonitoring <currentValue | direct-connect | network-connect> leaderElection <currentValue | enhanced | standard> softReset switchover verifyDatabaseIntegrity <activeAndStandbyPolicy | activeConfigAndActivePolicy | all> viewConfigurationChanges revision <revision number> zeroizePersistenKeys
Geographical Redundancy High Availability (GRHA) is supported on SBC hardware platforms and SWe 1:1 HA deployments. It is not supported in N:1 HA or cloud-based deployments.
The following is an example of how to request manual sync:
request system admin TICKS adManualSync
The following is an example of how to search AD Data:
request system admin TITAS searchAdData adAttributeIdentifier adAttribute2 searchString 8067100197
The following command is an example of encrypting the LI Master Key:
request system admin PLUM saveLIGenericKey hexEncryptionKey A1234567890123$%
On cloud and SWe N:1 on upgrade, this key is not retained in the file. In all other scenarios (hardware/SWe 1:1), it is retained during the upgrade.
In cloud and SWe N:1, you need to configure the same generic key after an upgrade or need to delete All LI Data and perform reconfiguration.
% request system ethernetPort packetAdmin <host name> <pkt0 | pkt1> switchover
> request system ipPolicing resetOffendersList <OffendersList name> aclOffendersList aggregateOffendersList arpOffendersList badEtherIpHdrOffendersList discardRuleOffendersList ipSecDecryptOffendersList mediaOffendersList rogueMediaOffendersList uFlowOffendersList
ACL Offenders List – The Access Control List policer offenders list.
Aggregate Offenders List – The aggregate policer offenders list.
ARP Offenders List – The ARP policer offenders list.
Bad Ethernet IP Header Offenders List – The bad Ethernet/IP Header policer offenders list. Ethernet/IP headers are considered bad under the following conditions:
Only broadcast ARP packets are allowed; all other broadcast packets are considered bad.
Anything other than the following unicast/multicast ICMPV6 packets are considered bad.
Anything other than the following unicast ICMPV4 packets are considered bad:
Type 0 Echo Reply
Type 3 Code 4 (Destination unreachable, fragmentation required)
Type 8 Echo Request
Type 11 Code 0 (Time Exceeded, TTL expired)
Only ICMPV6 neighbor discovery packets are allowed under multicast MAC address. Anything else is considered bad.
If DestMAC is zero, it is considered a bad packet.
Anything other than ethertype (IPV4, IPV6, VLAN) is considered bad.
IP Checksum error is considered bad.
IP version other than 4 or 6 is considered bad.
Bad IP Header length
Packet that is not long enough to contain IP header.
TTL == 0 is considered bad.
IPV4 with options set is considered bad.
IPV6 with initial next header field of 0, 60, or 43 is considered bad.
Discard Rule Offenders List – The table of statistics for the discard rule offenders list. For example: ACLi discard rule packets.
IPsec Decrypt Offenders List – The table of statistics for the IPsec Decrypt policer offenders list. For example:
Bad IPsec packet
Authentication error
Invalid SSID
IPsec protocol == AH
Media Offenders List – The table of statistics for the media policer offenders list. For example: Media packets exceeding the policing value.
Rogue Media Offenders List – The table of statistics for the rogue media policer offenders list. For example:
srtpDecryptOffendersList – The table of statistic for SRTP decrypt offenders list. This contains SRTP packets which failed authentication or were flagged as replay packets. This could indicate malicious media packet attacks or it can be used to troubleshoot "no audio" calls using SRTP.
uFlow Offenders List – The table of statistics for the micro flow policer offenders list. For example: Microflow packet exceeding the policing rate.
Contrasting the Rogue Media Offenders List and the Media Offenders List:
Entries in the Media Offenders List are for allocated media packets that violate the policing rules. The associated call is sending too many media packets. This could indicate a possible “Theft of Service” scenario. Entries in the Rogue Media Offenders List are media packets that the SBC is receiving but no resource is allocated for the packet. This may be a Denial of Service attack or indication that a call was terminated but the other end is still sending media packets.
Use this command to test the License Manager settings, or to trigger a new License Manager registration after a previous registration request fails.
> request system licenseManager register
Operational mode only.
> request system logout user <user_Id>
> request system policyServer remoteServer <server_name>
For additional security configuration details, see PKI Security - CLI.
% request system security eventLogValidation deleteUserPrivateKey generateDefaultKeys setUserPrivateKey <uniqueUserPrivateKeyName> <userPrivateKey> showPublicKey <default/user> generateSipHeaderEncryptionKeys pki certificate <certificate name> generateCSR csrSub (max 255 chars) keySize (keySize1K | keySize2K | keySize4K | keySizeEcDsaSecp521rl subjectAlternativeDnsName (0-4096 chars) importCert certContent (max 4096 chars) retrieveCertContent uploadCertificate
To retrieve certificate content of an existing PKI certificate:
% request system security pki certificate server retrieveCertContent result Certificate: Data: Version: 1 (0x0) Serial Number: 13211600523504912060 (0xb75908ad95e006bc) Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, ST=MA, L=Westford, O=VeriSign Validity Not Before: Apr 28 09:56:54 2015 GMT Not After : Jul 12 09:56:54 2033 GMT Subject: C=IN, ST=TN, L=Chennai Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:c5:80:dc:59:0a:8d:98:19:0b:bd:be:fd:ab:6c: f7:e9:b6:28:d9:e8:fe:a5:84:fb:45:d9:16:97:f5: fc:9f:df:7b:5b:03:6e:34:38:3f:10:2b:d0:d8:d6: 4a:03:5f:2a:78:85:4c:65:d4:0d:a6:e2:d3:be:1a: fc:8b:96:a1:db:15:16:74:3e:9f:2a:34:95:88:6a: 49:3b:1e:78:15:bf:5c:e8:ec:a3:0d:8b:d4:2a:39: d6:17:c1:a8:88:94:36:23:23:d5:3b:2c:49:fb:15: d3:e6:7f:72:b0:e4:3d:e6:3a:44:f3:ac:a2:d3:2a: 62:f7:2f:d1:d4:a1:82:fe:03:57:49:1d:6b:12:14: 2c:28:f8:ef:6c:e0:c2:36:8c:7f:77:2a:32:d9:ce: c7:9e:fc:4f:20:aa:43:db:b1:77:16:e9:d5:b5:44: ff:06:8a:85:d4:74:63:af:3c:5e:f3:a3:e0:83:5a: 40:d1:5d:fc:84:36:34:b4:8b:ac:f1:5b:2c:b6:0e: 97:bc:1b:cd:a4:f8:17:b3:81:42:41:db:09:bb:79: 42:1f:92:dc:43:52:ca:78:e3:db:3d:db:e9:f6:39: 15:eb:3a:09:e5:ab:eb:18:5f:7e:14:ec:f9:b6:04: 9e:f5:6d:73:f4:ea:85:c4:4a:1f:5a:01:8f:2e:94: b6:0d Exponent: 65537 (0x10001) Signature Algorithm: sha1WithRSAEncryption 1a:91:c0:8a:b8:66:4b:a2:67:bc:99:4f:b4:0b:f8:bc:67:0e: de:23:37:42:bc:dd:96:64:7c:ef:e1:05:c7:eb:92:06:fa:ef: 7b:72:ee:7f:26:b5:1c:39:b5:f2:b2:04:6e:2e:0c:1d:7e:1f: 7a:87:b8:8b:9c:25:e2:8f:77:6f:ac:bb:a0:63:28:51:4f:7c: 35:30:ad:31:24:85:f3:99:6d:c2:f8:33:eb:49:45:ed:ab:26: 97:f4:04:a7:0a:06:dd:40:c3:f6:1a:0e:ec:72:0f:40:65:ab: 34:4a:dc:51:2b:f3:61:b6:3a:1c:26:09:a1:af:37:dc:bf:a5: ba:dd No Trusted Uses. No Rejected Uses. Alias: Server Cert Key Id: 79:70:FC:99:1A:2B:15:A7:A1:33:21:F7:8A:57:0C:A7:07:7B:96:35 status 0
> request system serverAdmin <server_name> forceCoreDump coreDumpType <full | partial> removeCoredump coredumpFileName <filename> restart softReset startSoftwareUpgrade integrityCheck <perform | skip> package <pkg_name> rpmName <name> versionCheck <perform | skip>
To set bond monitoring type to 'network-connect' and leader election algorithm type to 'enhanced':
request system admin sbx1 setHaConfig bondMonitoring network-connect leaderElection enhanced
To set bond monitoring type to 'direct-connect' and retain current setting of leader election algorithm:
request system admin sbx1 setHaConfig bondMonitoring direct-connect leaderElection currentValue
To load a license file:
request system admin WFDSBC01 license loadLicenseFile bundleName BUND fileName FN This command will load the license file kept in /opt/sonus/external path. Do you want to continue? [yes,no] yes