For feedback and comments:
documentation.feedback@alcatel-lucent.com

Table of Contents Previous Next PDF

Triple Play Security Configuration Commands
Topics in this section include:
Triple Play Anti-Spoofing Commands
Triple Play Layer 2 Security Commands
ARP Handling Commands
Show Commands
 
 
Triple Play Anti-Spoofing Commands
anti-spoof
Syntax
 
anti-spoof {ip | mac | ip-mac}
no anti-spoof
Context
 
config>service>vpls>sap
config>service>ies>if>sap
Description
 
This command enables anti-spoof filtering and optionally changes the anti-spoof matching type for the SAP.
The type of anti-spoof filtering defines what information in the incoming packet is used to generate the criteria to lookup an entry in the anti-spoof filter table. The type parameter (ip, mac, ip-mac) defines the anti-spoof filter type enforced by the SAP when anti-spoof filtering is enabled.
The no form of the command disables anti-spoof filtering on the SAP.
Default
 
no anti-spoof
Parameters
 
ip
Configures SAP anti-spoof filtering to use only the source IP address in its lookup. If a static host exists on the SAP without an IP address specified, the anti-spoof ip command will fail.
mac
Configures SAP anti-spoof filtering to use only the source MAC address in its lookup. If a static host exists on the SAP without a specified MAC address, the anti-spoof mac command will fail.
ip-mac
Configures SAP anti-spoof filtering to use both the source IP address and the source MAC address in its lookup. If a static host exists on the SAP without both the IP address and MAC address specified, the anti-spoof ip-mac command will fail.
anti-spoof
Syntax
 
anti-spoof {ip | ip-mac}
no anti-spoof
Context
 
config>service>ies>subscriber-interface>grp-if>sap
Description
 
This command enables anti-spoof filtering and optionally change the anti-spoof matching type for the SAP.
The type of anti-spoof filtering defines what information in the incoming packet is used to generate the criteria to lookup an entry in the anti-spoof filter table. The type parameter (ip, ip-mac) defines the anti-spoof filter type enforced by the SAP when anti-spoof filtering is enabled.
The no form of the command disables anti-spoof filtering on the SAP.
Default
 
no anti-spoof
Parameters
 
ip
Configures SAP anti-spoof filtering to use only the source IP address in its lookup. If a static host exists on the SAP without an IP address specified, the anti-spoof ip command will fail.
ip-mac
Configures SAP anti-spoof filtering to use both the source IP address and the source MAC address in its lookup. If a static host exists on the SAP without both the IP address and MAC address specified, the anti-spoof ip-mac command will fail.
Triple Play Layer 2 Security Commands
split-horizon-group
Syntax
 
[no] split-horizon-group [group-name] [residential-group]
Context
 
config>service>vpls
Description
 
This command creates a new split horizon group for the VPLS instance. Traffic arriving on a SAP or spoke SDP within this split horizon group will not be copied to other SAPs or spoke SDPs in the same split horizon group.
A split horizon group must be created before SAPs and spoke SDPs can be assigned to the group.
The split horizon group is defined within the context of a single VPLS. The same group-name can be re-used in different VPLS instances.
Up to 30 split horizon groups can be defined per VPLS instance.
The no form of the command removes the group name from the configuration.
Parameters
 
group-name
Specifies the name of the split horizon group to which the SDP belongs.
residential-group
Defines a split horizon group as a residential split horizon group (RSHG). Doing so entails that:
a) SAPs which are members of this Residential Split Horizon Group will have:
Double-pass queuing at ingress as default setting (can be disabled)
STP disabled (can not be enabled)
ARP reply agent enabled per default (can be disabled)
MAC pinning enabled per default (can be disabled)
Besides the multicast downstream also broadcast packets are discarded thus also blocking the unknown, flooded traffic.
b) Spoke SDPs which are members of this Residential Split Horizon Group will have:
Downstream multicast traffic supported
Double-pass queuing is not applicable
STP is disabled (can be enabled)
ARP reply agent is not applicable (dhcp-lease-states are not supported on spoke SDPs)
MAC pinning enabled per default (can be disabled)
Default
 
A split horizon group is by default not created as a residential-group.
 
mac-protect
Syntax
 
mac-protect
Context
 
config>service>vpls
Description
 
This command indicates whether or not this MAC is protected on the MAC protect list. When enabled, the agent will protect the MAC from being learned or re-learned on a SAP, spoke SDP or mesh-SDP that has restricted learning enabled. The MAC protect list is used in conjunction with restrict-protected-src, restrict-unprotected-dst and auto-learn-mac-protect.
Default
 
disabled
mac
Syntax
 
[no] mac ieee-address
Context
 
config>service>vpls>mac-protect
Description
 
This command specifies the 48-bit IEEE 802.3 MAC address.
Parameters
 
ieee-address
Specifies the 48-bit MAC address in the form aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff where aa, bb, cc, dd, ee, and ff are hexadecimal numbers.
auto-learn-mac-protect
Syntax
 
[no] auto-learn-mac-protect
Context
 
config>service>vpls>sap
config>service>vpls>spoke-sdp
config>service>vpls >mesh-sdp
config>service>vpls>split-horizon-group
config>service>vpls>endpoint
config>service>pw-template
config>service>pw-template>split-horizon-group
Description
 
This command enables the automatic protection of source MAC addresses learned on the associated object. MAC protection is used in conjunction with restrict-protected-src, restrict-unprotected-dst and mac-protect. When this command is applied or removed, the MAC addresses are cleared from the related object.
When the auto-learn-mac-protect is enabled on an SHG the action only applies to the associated SAPs (no action is taken by default for spoke SDPs in the SHG). In order to enable this function for spoke SDPs within a SHG, the auto-learn-mac-protect must be enabled explicitly under the spoke-SDP. If required, auto-learn-mac-protect can also be enabled explicitly under specific SAPs within the SHG.
Default
 
no auto-learn-mac-protect
restrict-protected-src
Syntax
 
restrict-protected-src [alarm-only | discard-frame]
no restrict-protected-src
Context
 
config>service>vpls>sap
config>service>vpls>spoke-sdp
config>service>vpls>mesh-sdp
config>service>vpls>split-horizon-group
config>service>vpls>endpoint
config>service>pw-template>
config>service>pw-template>split-horizon-group
Description
 
This command indicates how the agent will handle relearn requests for protected MAC addresses, either manually added using the mac-protect command or automatically added using the auto-learn-mac-protect command. While enabled all packets entering the configured SAP, spoke-SDP, mesh-SDP , or any SAP that is part of the configured split horizon group (SHG) will be verified not to contain a protected source MAC address. If the packet is found to contain such an address, the action taken depends on the parameter specified on the restrict-protected-src command, namely:
No parameter
The packet will be discarded, an alarm will be generated and the SAP, spoke-SDP or mesh-SDP will be set operationally down. The SAP, spoke-SDP or mesh-SDP must be shutdown and enabled (no shutdown) for this state to be cleared.
alarm-only
The packet will be forwarded, an alarm will be generated but the source MAC is not learned on the SAP/spoke-SDP/mesh-SDP.
discard-frame
The packet will be discarded and an alarm generated. The frequency of alarm generation is fixed to be at most one alarm per MAC address per FP2 per 10 minutes in a given VPLS service. This parameter is only applicable to automatically protected MAC addresses.
When the restrict-protected-src is enabled on an SHG the action only applies to the associated SAPs (no action is taken by default for spoke SDPs in the SHG). In order to enable this function for spoke SDPs within a SHG, the restrict-protected-src must be enabled explicitly under the spoke-SDP. If required, restrict-protected-src can also be enabled explicitly under specific SAPs within the SHG.
When this command is applied or removed, with either the alarm-only or discard-frame parameters, the MAC addresses are cleared from the related object.
The use of “restrict-protected-src discard-frame” is mutually exclusive with both the “restrict-protected-src [alarm-only]” command and with the configuration of manually protected MAC addresses within a given VPLS. “restrict-protected-src discard-frame” can only be enabled on SAPs on FP2 or later hardware or on SDPs where all network interfaces are on FP2 or later hardware.
Parameters
 
alarm-only
Specifies that the packet will be forwarded, an alarm will be generated but the source MAC is not learned on the SAP/spoke-SDP/mesh-SDP.
Default
no alarm-only
discard-frame
Specifies that the packet will be discarded and an alarm generated. The frequency of alarm generation is fixed to be at most one alarm per FP2 per MAC address per 10 minutes within a given VPLS service.
Default
no discard-frame
Default
 
no restrict-protected-src
restrict-unprotected-dst
Syntax
 
restrict-unprotected-dst
no restrict-unprotected-dst
Context
 
config>service>pw-template>split-horizon-group
config>service>vpls>split-horizon-group
config>service>vpls>sap
Description
 
This command indicates how the system will forward packets destined to an unprotected MAC address, either manually added using the mac-protect command or automatically added using the auto-learn-mac-protect command. While enabled all packets entering the configured SAP or SAPs within a split-horizon-group (but not spoke or mesh-SDPs) will be verified to contain a protected destination MAC address. If the packet is found to contain a non-protected destination MAC, it will be discarded. Detecting a non-protected destination MAC on the SAP will not cause the SAP to be placed in the operationally down state. No alarms are generated.
If the destination MAC address is unknown, even if the packet is entering a restricted SAP, with restrict-unprotected-dst enabled, it will be flooded.
Default
 
no restrict-unprotected-dst
mac-pinning
Syntax
 
[no] mac-pinning
Context
 
config>service>vpls>sap
config>service>vpls>spoke-sdp
config>service>vpls>mesh-sdp
Description
 
Enabling this command will disable re-learning of MAC addresses on other SAPs within the VPLS. The MAC address will remain attached to a given SAP for duration of its age-timer.
The age of the MAC address entry in the FIB is set by the age timer. If mac-aging is disabled on a given VPLS service, any MAC address learned on a SAP/SDP with mac-pinning enabled will remain in the FIB on this SAP/SDP forever.
Every event that would otherwise result in re-learning will be logged (MAC address; original-SAP; new-SAP).
Note that MAC addresses learned during DHCP address assignment (DHCP snooping enabled) are not impacted by this command. MAC-pinning for such addresses is implicit.
Default
 
When a SAP or spoke SDP is part of a Residential Split Horizon Group (RSHG), MAC pinning is activated at creation of the SAP. Otherwise MAC pinning is not enabled by default.
 
ARP Handling Commands
arp-reply-agent
Syntax
 
arp-reply-agent [sub-ident]
no arp-reply-agent
Context
 
config>service>vpls>sap
Description
 
This command enables a special ARP response mechanism in the system for ARP requests destined to static or dynamic hosts associated with the SAP. The system responds to each ARP request using the host’s MAC address as the both the source MAC address in the Ethernet header and the target hardware address in the ARP header.
ARP replies and requests received on a SAP with arp-reply-agent enabled will be evaluated by the system against the anti-spoof filter entries associated with the ingress SAP (if the SAP has anti-spoof filtering enabled). ARPs from unknown hosts on the SAP will be discarded when anti-spoof filtering is enabled.
The ARP reply agent only responds if the ARP request enters an interface (SAP, spoke-SDP or mesh-SDP) associated with the VPLS instance of the SAP.
A received ARP request that is not in the ARP reply agent table is flooded to all forwarding interfaces of the VPLS capable of broadcast except the ingress interface while honoring split-horizon constraints.
Static hosts can be defined on the SAP using the host command. Dynamic hosts are enabled on the system by enabling the lease-populate command in the SAP’s dhcp context. In the event that both a static host and a dynamic host share the same IP and MAC address, the VPLS ARP reply agent will retain the host information until both the static and dynamic information are removed. In the event that both a static and dynamic host share the same IP address, but different MAC addresses, the VPLS ARP reply agent is populated with the static host information.
The arp-reply-agent command will fail if an existing static host on the SAP does not have both MAC and IP addresses specified. Once the ARP reply agent is enabled, creating a static host on the SAP without both an IP address and MAC address will fail.
The ARP-reply-agent may only be enabled on SAPs supporting Ethernet encapsulation.
The no form of the command disables ARP-reply-agent functions for static and dynamic hosts on the SAP.
Default
 
not enabled
Parameters
 
sub-ident
Configures the arp-reply-agent to discard ARP requests received on the SAP that are targeted for a known host on the same SAP with the same subscriber identification.
Hosts are identified by their subscriber information. For DHCP subscriber hosts, the subscriber hosts, the subscriber information is configured using the optional subscriber parameter string.
When arp-reply-agent is enabled with sub-ident:
If the subscriber information for the destination host exactly matches the subscriber information for the originating host and the destination host is known on the same SAP as the source, the ARP request is silently discarded.
If the subscriber information for the destination host or originating host is unknown or undefined, the source and destination hosts are not considered to be the same subscriber. The ARP request is forwarded outside the SAP’s Split Horizon Group.
When sub-ident is not configured, the arp-reply-agent does not attempt to identify the subscriber information for the destination or originating host and will not discard an ARP request based on subscriber information.
arp-populate
Syntax
 
[no] arp-populate
Context
 
config>service>ies>interface
config>service>ies>subscriber-int
Description
 
This command, when enabled, disables dynamic learning of ARP entries. Instead, the ARP table is populated with dynamic entries from the DHCP lease state table (enabled with lease-populate), and optionally with static entries entered with the host command.
Enabling the arp-populate command will remove any dynamic ARP entries learned on this interface from the ARP cache.
The arp-populate command will fail if an existing static ARP entry exists for this interface.
The arp-populate command will fail if an existing static subscriber host on the SAP does not have both MAC and IP addresses specified.
Once arp-populate is enabled, creating a static subscriber host on the SAP without both an IP address and MAC address will fail.
When arp-populate is enabled, the system will not send out ARP requests for hosts that are not in the ARP cache. Only statically configured and DHCP learned hosts are reachable through an IP interface with arp-populate enabled. The arp-populate command can only be enabled on IES and VPRN interfaces supporting Ethernet encapsulation.
Use the no form of the command to disable ARP cache population functions for static and dynamic hosts on the interface. All static and dynamic host information for this interface will be removed from the system’s ARP cache.
Default
 
not enabled
arp-timeout
Syntax
 
arp-timeout seconds
no arp-timeout
Context
 
config>service>ies>interface
config>service>ies>subscriber-interface>group-interface
Description
 
This command configures the minimum time in seconds an ARP entry learned on the IP interface will be stored in the ARP table. ARP entries are automatically refreshed when an ARP request or gratuitous ARP is seen from an IP host, otherwise, the ARP entry is aged from the ARP table. If arp-timeout is set to a value of zero seconds, ARP aging is disabled.
When the arp-populate and lease-populate commands are enabled on an IES interface, the ARP table entries will no longer be dynamically learned, but instead by snooping DHCP ACK message from a DHCP server. In this case the configured arp-timeout value has no effect.
The default value for arp-timeout is 14400 seconds (4 hours).
The no form of this command restores arp-timeout to the default value.
Default
 
14400 seconds
Parameters
 
seconds
The minimum number of seconds a learned ARP entry will be stored in the ARP table, expressed as a decimal integer. A value of zero specifies that the timer is inoperative and learned ARP entries will not be aged.
Values
0 — 65535
authentication-policy
Syntax
 
authentication-policy name
no authentication-policy
Context
 
config>service>ies>sub-if>grp-if
Description
 
This command assigns a RADIUS authentication policy to the interface.
The no form of this command removes the policy name from the group interface configuration.
Default
 
no authentication-policy
Parameters
 
name
Specifies the authentication policy name.
host-connectivity-verify
Syntax
 
host-connectivity-verify [interval interval] [action {remove | alarm}][family family]
Context
 
config>service>ies>sub-if>grp-if
Description
 
This command enables subscriber host connectivity verification for all hosts on this interface. This tool will periodically scan all known hosts (from dhcp-state) and perform a UC ARP request. The subscriber host connectivity verification will maintain state (connected vs. not-connected) for all hosts.
Default
 
no host-connectivity-verify
Parameters
 
interval interval
The interval, expressed in minutes, which specifies the time interval at which all known sources should be verified. The actual rate is then dependent on number of known hosts and interval.
Values
1— 6000
Note that a zero value can be used by the SNMP agent to disable host-connectivity-verify.
action {remove | alarm}
Defines the action taken on a subscriber host connectivity verification failure for a given host. The remove keyword raises an alarm and removes dhcp-state and releases all allocated resources (queues, table entries and etc.). DHCP release will be signaled to corresponding DHCP server. Static hosts will be never removed. The alarm keyword raises an alarm indicating that the host is disconnected.
family family
The family configuration allows the host connectivity checks to be performed for IPv4 endpoint, IPv6 endpoint or both. With family IPv6 configured, host connectivity checks will be performed on the global unicast address (assigned via SLAAC or DHCPv6 IA_NA) and link-local address of a Layer 3 RG or bridged hosts. In case of SLAAC assignment, host connectivity can only be performed if the /128 is known (via downstream ND). DHCPv6 PD assigned prefixes will be removed if link-local address is determined to be unreachable via “host connectivity check”. Reachability checks for GUA and link-local address will be done simultaneously.
local-proxy-arp
Syntax
 
[no] local-proxy-arp
Context
 
config>service>ies>interface
config>service>ies>subscriber-interface>group-interface
Description
 
This command enables local proxy ARP. When local proxy ARP is enabled on an IP interface, the system responds to all ARP requests for IP addresses belonging to the subnet with its own MAC address, and thus will become the forwarding point for all traffic between hosts in that subnet.
When local-proxy-arp is enabled, ICMP redirects on the ports associated with the service are automatically blocked.
Default
 
no local-proxy-arp
remote-proxy-arp
Syntax
 
[no] remote-proxy-arp
Context
 
config>service>ies>interface
Description
 
This command enables or disables remote proxy ARP on the interface.
Default
 
no remote-proxy-arp
qos-route-lookup
Syntax
 
[no] qos-route-lookup
Context
 
config>service>ies>subscriber-interface>group-interface
config>service>ies>sub-if>grp-if>ipv6
Description
 
This command enables or disables Qos route lookup for the interface.
proxy-arp-policy
Syntax
 
proxy-arp-policy policy-name [policy-name...(up to 5 max)]
no proxy-arp-policy
Context
 
config>service>ies>interface
config>service>ies>subscriber-interface>group-interface
Description
 
This command specifies an existing policy-statement to analyze match and action criteria that controls the flow of routing information to and from a given protocol, set of protocols, or a particular neighbor.
Default
 
none
Parameters
 
policy-name
The export route policy name. Allowed values are any string up to 32 characters long composed of printable, 7-bit ASCII characters excluding double quotes. If the string contains special characters (#, $, spaces, etc.), the entire string must be enclosed within double quotes.
The specified name(s) must already be defined.
static-arp
Syntax
 
static-arp ip-address ieee-mac-address
no static-arp ip-address [ieee-mac-address]
Context
 
config>service>ies>interface
Description
 
This command configures a static address resolution protocol (ARP) entry associating a subscriber IP address with a MAC address for the core router instance. This static ARP appears in the core routing ARP table. A static ARP can only be configured if it exists on the network attached to the IP interface.
If an entry for a particular IP address already exists and a new MAC address is configured for the IP address, the existing MAC address will be replaced with the new MAC address.
The no form of the command removes a static ARP entry.
Default
 
None
Parameters
 
ip-address
Specifies the IP address for the static ARP in IP address dotted decimal notation.
ieee-mac-address
Specifies the 48-bit MAC address for the static ARP in the form aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff where aa, bb, cc, dd, ee and ff are hexadecimal numbers. Allowed values are any non-broadcast, non-multicast MAC and non-IEEE reserved MAC addresses.
 
Show Commands
arp
Syntax
 
arp
Context
 
show>service>id
Description
 
This command displays the ARP cache entries for this service.
Output
 
Show All Service-ID Output
The following table describes the show command output fields:
 
Label
Description  
IP Address
Specifies the IP address of the ARP cach entry.
MAC Address
Specifies the MAC address associated with the IP address.
Type
Other
Learned through normal ARP queries.
 
Static
Configured by static-arp commands.
 
Managed
Learned from DHCP snooping or configured by host commands.
Age
Indicates age of the ARP entry.
Interface
Indicates the name of the IP interface.
Port
Indicates the port that the entry was learned on.
Sample Output
A:ALA-A# show service id 100 base ===============================================================================
ARP Table
===============================================================================
IP Address      MAC Address       Type    Age       Interface         Port
-------------------------------------------------------------------------------
101.1.0.1       00:00:66:66:66:01 Other   00h00m00s ies-100-101.1.0.1 1/1/4
200.1.1.2       00:00:5e:00:01:64 Other   00h00m00s ies-100-200.1.1.2 1/1/3
200.1.1.201     00:00:22:2e:a5:61 Static  00h00m00s ies-100-200.1.1.2 1/1/3
200.1.1.202     00:00:22:2e:a5:62 Static  00h00m00s ies-100-200.1.1.2 1/1/3
===============================================================================
A:ALA-A#