In this section:
The request system
command applies to both system-level and configure modes except where noted.
% request system admin <SYSTEM NAME> license loadLicenseFile bundleName <license bundle name> fileName <license filename> loadConfig allowOldVersion <no | yes> filename reenableOSaccount <username> reGenerateSshRsaKeys reKeyConfdEncryptionKeys removeSavedConfig fileName <filename> restart saveConfig fileNameSuffix <suffix> setHaConfig bondMonitoring <currentValue | direct-connect | network-connect> leaderElection <currentValue | enhanced | standard> softReset switchover verifyDatabaseIntegrity <activeAndStandbyPolicy | activeConfigAndActivePolicy | all> zeroizePersistenKeys
Geographical Redundancy High Availability (GRHA) is not supported on SBC SWe Cloud.
% request system ethernetPort packetAdmin <host name> <pkt0 | pkt1> switchover
> request system ipPolicing resetOffendersList <OffendersList name> aclOffendersList aggregateOffendersList arpOffendersList badEtherIpHdrOffendersList discardRuleOffendersList ipSecDecryptOffendersList mediaOffendersList rogueMediaOffendersList uFlowOffendersList
ACL Offenders List – The Access Control List policer offenders list.
Aggregate Offenders List – The aggregate policer offenders list.
ARP Offenders List – The ARP policer offenders list.
Bad Ethernet IP Header Offenders List – The bad Ethernet/IP Header policer offenders list. Ethernet/IP headers are considered bad under the following conditions:
Only broadcast ARP packets are allowed; all other broadcast packets are considered bad.
Anything other than the following unicast/multicast ICMPV6 packets are considered bad.
Anything other than the following unicast ICMPV4 packets are considered bad:
Type 0 Echo Reply
Type 3 Code 4 (Destination unreachable, fragmentation required)
Type 8 Echo Request
Type 11 Code 0 (Time Exceeded, TTL expired)
Only ICMPV6 neighbor discovery packets are allowed under multicast MAC address. Anything else is considered bad.
If DestMAC is zero, it is considered a bad packet.
Anything other than ethertype (IPV4, IPV6, VLAN) is considered bad.
IP Checksum error is considered bad.
IP version other than 4 or 6 is considered bad.
Bad IP Header length
Packet that is not long enough to contain IP header.
TTL == 0 is considered bad.
IPV4 with options set is considered bad.
IPV6 with initial next header field of 0, 60, or 43 is considered bad.
Discard Rule Offenders List – The table of statistics for the discard rule offenders list. For example: ACLi discard rule packets.
IPsec Decrypt Offenders List – The table of statistics for the IPsec Decrypt policer offenders list. For example:
Bad IPsec packet
Authentication error
Invalid SSID
IPsec protocol == AH
Media Offenders List – The table of statistics for the media policer offenders list. For example: Media packets exceeding the policing value.
Rogue Media Offenders List – The table of statistics for the rogue media policer offenders list. For example:
srtpDecryptOffendersList – The table of statistic for SRTP decrypt offenders list. This contains SRTP packets which failed authentication or were flagged as replay packets. This could indicate malicious media packet attacks or it can be used to troubleshoot "no audio" calls using SRTP.
uFlow Offenders List – The table of statistics for the Micro Flow policer offenders list. For example: Microflow packet exceeding the policing rate.
Note: rogueMediaOffenders List vs. mediaOffendersList
Entries in the Media Offenders List are for allocated media packets that violate the policing rules. The associated call is sending too many media packets. This could indicate a possible “Theft of Service” scenario. Entries in the Rogue Media Offenders List are media packets that the SBC is receiving but no resource is allocated for the packet. This may be a Denial of Service attack or indication that a call was terminated but the other end is still sending media packets.
Operational mode only.
> request system logout user <user_Id>
> request system policyServer remoteServer <server_name>
> request system resetLicenseStats resetLicenseFeatureStats resetLicenseServerStats
For additional security configuration details, see PKI Security - CLI.
% request system security generateSipHeaderEncryptionKeys pki certificate <certificate name> generateCSR csrSub (max 255 chars) keySize (ketSize1K | keySize2K) subjectAlternativeDnsName (0-512 chars) importCert certContent (max 4096 chars) retrieveCertContent uploadCertificate
To retrieve certificate content of an existing PKI certificate:
% request system security pki certificate server retrieveCertContent result Certificate: Data: Version: 1 (0x0) Serial Number: 13211600523504912060 (0xb75908ad95e006bc) Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, ST=MA, L=Westford, O=VeriSign Validity Not Before: Apr 28 09:56:54 2015 GMT Not After : Jul 12 09:56:54 2033 GMT Subject: C=IN, ST=TN, L=Chennai Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:c5:80:dc:59:0a:8d:98:19:0b:bd:be:fd:ab:6c: f7:e9:b6:28:d9:e8:fe:a5:84:fb:45:d9:16:97:f5: fc:9f:df:7b:5b:03:6e:34:38:3f:10:2b:d0:d8:d6: 4a:03:5f:2a:78:85:4c:65:d4:0d:a6:e2:d3:be:1a: fc:8b:96:a1:db:15:16:74:3e:9f:2a:34:95:88:6a: 49:3b:1e:78:15:bf:5c:e8:ec:a3:0d:8b:d4:2a:39: d6:17:c1:a8:88:94:36:23:23:d5:3b:2c:49:fb:15: d3:e6:7f:72:b0:e4:3d:e6:3a:44:f3:ac:a2:d3:2a: 62:f7:2f:d1:d4:a1:82:fe:03:57:49:1d:6b:12:14: 2c:28:f8:ef:6c:e0:c2:36:8c:7f:77:2a:32:d9:ce: c7:9e:fc:4f:20:aa:43:db:b1:77:16:e9:d5:b5:44: ff:06:8a:85:d4:74:63:af:3c:5e:f3:a3:e0:83:5a: 40:d1:5d:fc:84:36:34:b4:8b:ac:f1:5b:2c:b6:0e: 97:bc:1b:cd:a4:f8:17:b3:81:42:41:db:09:bb:79: 42:1f:92:dc:43:52:ca:78:e3:db:3d:db:e9:f6:39: 15:eb:3a:09:e5:ab:eb:18:5f:7e:14:ec:f9:b6:04: 9e:f5:6d:73:f4:ea:85:c4:4a:1f:5a:01:8f:2e:94: b6:0d Exponent: 65537 (0x10001) Signature Algorithm: sha1WithRSAEncryption 1a:91:c0:8a:b8:66:4b:a2:67:bc:99:4f:b4:0b:f8:bc:67:0e: de:23:37:42:bc:dd:96:64:7c:ef:e1:05:c7:eb:92:06:fa:ef: 7b:72:ee:7f:26:b5:1c:39:b5:f2:b2:04:6e:2e:0c:1d:7e:1f: 7a:87:b8:8b:9c:25:e2:8f:77:6f:ac:bb:a0:63:28:51:4f:7c: 35:30:ad:31:24:85:f3:99:6d:c2:f8:33:eb:49:45:ed:ab:26: 97:f4:04:a7:0a:06:dd:40:c3:f6:1a:0e:ec:72:0f:40:65:ab: 34:4a:dc:51:2b:f3:61:b6:3a:1c:26:09:a1:af:37:dc:bf:a5: ba:dd No Trusted Uses. No Rejected Uses. Alias: Server Cert Key Id: 79:70:FC:99:1A:2B:15:A7:A1:33:21:F7:8A:57:0C:A7:07:7B:96:35 status 0
> request system serverAdmin <server_name> forceCoreDump coreDumpType <full | partial> removeCoredump coredumpFileName <filename> restart softReset startSoftwareUpgrade integrityCheck <perform | skip> package <pkg_name> rpmName <name> versionCheck <perform | skip>
To set bond monitoring type to 'network-connect' and leader election algorithm type to 'enhanced':
request system admin sbx1 setHaConfig bondMonitoring network-connect leaderElection enhanced
To set bond monitoring type to 'direct-connect' and retain current setting of leader election algorithm:
request system admin sbx1 setHaConfig bondMonitoring direct-connect leaderElection currentValue
To load a license file:
request system admin WFDSBC01 license loadLicenseFile bundleName BUND fileName FN This command will load the license file kept in /opt/sonus/external path. Do you want to continue? [yes,no] yes