a Commands – Part I

Context

[Tree] (config aaa)

Full Context

configure aaa

Description

Commands in this context configure authentication, authorization, and accounting.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn aaa)

Full Context

configure service vprn aaa

Description

Commands in this context configure AAA on the VPRN.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>bfd abort)

Full Context

configure router bfd abort

Description

This command discards the changes made to a BFD template during an active session.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>route-next-hop-policy abort)

Full Context

configure router route-next-hop-policy abort

Description

This command discards the changes made to route next-hop templates during an active session.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>policy-options abort)

Full Context

configure router policy-options abort

Description

This command is required to discard changes made to a route policy.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>radius-server>server accept-coa)

[Tree] (config>router>radius-server>server accept-coa)

Full Context

configure service vprn radius-server server accept-coa

configure router radius-server server accept-coa

Description

This command configures this server for Change of Authorization messages. The system will process the CoA request from the external server if configured with this command; otherwise the CoA request is dropped.

The no form of this command disables the command.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>bgp>group>neighbor>link-bandwidth accept-from-ebgp)

[Tree] (config>service>vprn>bgp>group>link-bandwidth accept-from-ebgp)

Full Context

configure service vprn bgp group neighbor link-bandwidth accept-from-ebgp

configure service vprn bgp group link-bandwidth accept-from-ebgp

Description

This command configures BGP to accept and use the link-bandwidth extended community attached to any route received from any EBGP peer in the scope of the command, as long as that route belongs to one of the listed address families.

The link-bandwidth extended community is encoded as a non-transitive type. This means that by default it should not be attached to any route advertised to an EBGP peer and it should be discarded when received in any route from an EBGP peer. This command overrides the standard behavior.

Up to three families may be configured.

The no form of this command restores the default behavior of discarding the link-bandwidth extended community in any route received from an EBGP peer.

Default

no accept-from-ebgp

Parameters

family

Specifies the address families for which receiving the link-bandwidth extended community from EBGP peers should be supported.

Values

ipv4 — Adds a link-bandwidth extended community to unlabeled unicast IPv4 routes.

label-ipv4 — Adds a link-bandwidth extended community to labeled-unicast IPv4 routes.

ipv6 — Adds a link-bandwidth extended community to unlabeled unicast IPv6 routes.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>bgp>group>neighbor>link-bandwidth accept-from-ebgp)

[Tree] (config>router>bgp>group>link-bandwidth accept-from-ebgp)

Full Context

configure router bgp group neighbor link-bandwidth accept-from-ebgp

configure router bgp group link-bandwidth accept-from-ebgp

Description

This command configures BGP to accept and use the link-bandwidth extended community attached to any route received from any EBGP peer in the scope of the command, as long as that route belongs to one of the listed address families.

The link-bandwidth extended community is encoded as a non-transitive type. This means that by default it should not be attached to any route advertised to an EBGP peer and it should be discarded when received in any route from an EBGP peer. This command overrides the standard behavior.

Up to six families may be configured.

The no form of this command restores the default behavior of discarding the link-bandwidth extended community in any route received from an EBGP peer.

Default

no accept-from-ebgp

Parameters

family

Specifies the address families for which receiving the link-bandwidth extended community from EBGP peers should be supported.

Values

ipv4 — Adds a link-bandwidth extended community to unlabeled unicast IPv4 routes.

label-ipv4 — Adds a link-bandwidth extended community to labeled-unicast IPv4 routes.

vpn-ipv4 — Adds a link-bandwidth extended community to IPv4 VPN (SAFI 128) routes.

ipv6 — Adds a link-bandwidth extended community to unlabeled unicast IPv6 routes.

label-ipv6 — Adds a link-bandwidth extended community to labeled-unicast IPv6 routes.

vpn-ipv6 — Adds a link-bandwidth extended community to IPv6 VPN (SAFI 128) routes.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>bgp>outbound-route-filtering>extended-community accept-orf)

[Tree] (config>router>bgp>group>outbound-route-filtering>extended-community accept-orf)

[Tree] (config>router>bgp>group>neighbor>outbound-route-filtering>extended-community accept-orf)

Full Context

configure router bgp outbound-route-filtering extended-community accept-orf

configure router bgp group outbound-route-filtering extended-community accept-orf

configure router bgp group neighbor outbound-route-filtering extended-community accept-orf

Description

This command instructs the router to negotiate the receive capability in the BGP ORF negotiation with a peer, and accept filters that the peer wants to send.

The no form of this command causes the router to remove the accept capability in the BGP ORF negotiation with a peer, and to clear any existing ORF filters that are currently in place.

Default

no accept-orf

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>security>pki>ca-profile>cmpv2 accept-unprotected-errormsg)

Full Context

configure system security pki ca-profile cmpv2 accept-unprotected-errormsg

Description

This command enables the system to accept both protected and unprotected CMPv2 error message. Without this command, system will only accept protected error messages.

The no form of this command causes the system to only accept protected PKI confirmation message.

Default

no accept-unprotected-errormsg

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>security>pki>ca-profile>cmpv2 accept-unprotected-pkiconf)

Full Context

configure system security pki ca-profile cmpv2 accept-unprotected-pkiconf

Description

This command enables the system to accept both protected and unprotected CMPv2 PKI confirmation messages. Without this command, the system will only accept protected PKI confirmation message.

The no form of this command causes the system to only accept protected PKI confirmation message.

Default

no accept-unprotected-pkiconf

Platforms

7705 SAR Gen 2

Context

[Tree] (config>port>ethernet access)

Full Context

configure port ethernet access

Description

This command configures Ethernet access port parameters.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>port access)

[Tree] (config>card>mda access)

Full Context

configure port access

configure card mda access

Description

This command enables the access context to configure egress and ingress pool policy parameters.

On the MDA level, access egress and ingress pools are only allocated on channelized MDAs.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>card>fp>ingress access)

Full Context

configure card fp ingress access

Description

This CLI node contains the access forwarding-plane parameters.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>lag access)

Full Context

configure lag access

Description

Commands in this context configure access parameters.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>snmp access)

Full Context

configure service vprn snmp access

Description

This command enables SNMP access using VPRN interface addresses. This command allows SNMP messages destined to the VPRN interface IP addresses for this VPRN (including VPRN interfaces that are bound to R-VPLS services) to be processed by the SNMP agent on the router. SNMP messages that arrive on VPRN interfaces but are destined to IP addresses in the Base routing context that can be accessed in the VPRN (for example, the router system address via grt leaking) do not require snmp access to be enabled but do require allow-local-management to be enabled.

Using an SNMP community defined inside the VPRN context (configure service vprn snmp community) allows access to a subset of the full SNMP data model. This subset can be seen in the output of show system security view "vprn-view".

Using an SNMP community defined in the system context (configure system security snmp community) allows access to the full SNMP data model (unless otherwise restricted used SNMP views).

Alternatively, grt leaking and a Base routing IP address can be used (along with an SNMP community defined at the system context) to get access to the entire SNMP data model (see the allow-local-management command).

The Nokia NSP cannot discover or fully manage an SR OS router using an SNMP community defined inside the VPRN context. Full SNMP access requires using one of the approaches described above.

See the 7705 SAR Gen 2 System Management Guide for detailed information about SNMP.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>security>user-template access)

[Tree] (config>system>security>user access)

Full Context

configure system security user-template access

configure system security user access

Description

This command configures user permissions for router management access methods.

To deny an existing access method, enter the no form of this command followed by the method to be denied; for example, no access ftp denies FTP access.

The no form of this command removes the user permission for all management access methods.

Default

no access

Parameters

ftp

Specifies FTP access.

snmp

Specifies SNMP access. This keyword is only configurable in the configure system security user context.

console

Specifies Bluetooth, console port CLI, SCP/SFTP, SSH CLI, and Telnet CLI access.

li

Specifies Lawful Intercept (LI) command access.

netconf

Specifies NETCONF access.

grpc

Specifies gRPC access.

scp-sftp

Specifies SCP/SFTP access.

console-port-cli

Specifies console port CLI access.

ssh-cli

Specifies SSH CLI access.

telnet-cli

Specifies Telnet CLI access.

bluetooth

Specifies Bluetooth access.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>security>snmp access)

Full Context

configure system security snmp access

Description

This command creates an association between a user group, a security model, and the views that the user group can access. Access parameters must be configured unless security is limited to the preconfigured access groups and views for SNMPv1 and SNMPv2. An access group is defined by a unique combination of the group name, security model and security level.

Access groups are used by the usm-community command.

Access must be configured unless security is limited to SNMPv1/SNMPv2c with community strings. See the community command.

Default access group configurations cannot be modified or deleted.

To remove the user group with associated, security model(s), and security level(s), use:

no access group group-name

To remove a security model and security level combination from a group, use:

no access group group-name security-model {snmpv1 | snmpv2c | usm} security-level {no-auth-no-privacy | auth-no-privacy | privacy}

Parameters

group-name

Specify a unique group name up to 32 characters.

security-model {snmpv1 | snmpv2c | usm}

Specifies the security model required to access the views configured in this node. A group can have multiple security models. For example, one view may only require SNMPv1/ SNMPv2c access while another view may require USM (SNMPv3) access rights.

security-level {no-auth-no-priv | auth-no-priv | privacy}

Specifies the required authentication and privacy levels to access the views configured in this node.

security-level no-auth-no-privacy

Specifies that no authentication and no privacy (encryption) is required. When configuring the user’s authentication, select the none option.

security-level auth-no-privacy

Specifies that authentication is required but privacy (encryption) is not required. When this option is configured, both the group and the user must be configured for authentication.

security-level privacy

Specifies that both authentication and privacy (encryption) is required. When this option is configured, both the group and the user must be configured for authentication. The user must also be configured for privacy.

context-name

Specifies a set of SNMP objects that are associated with the context-name.

The context-name is treated as either a full context-name string or a context name prefix depending on the keyword specified (exact or prefix).

prefix-match

Specifies the context name prefix-match keywords, exact or prefix.

The VPRN context names begin with a vprn prefix. The numerical value is associated with the service ID that the VPRN was created with and identifies the service in the service domain. For example, when a new VPRN service is created such as config>service>vprn 2345 customer 1, a VPRN with context name vprn2345 is created.

The exact keyword specifies that an exact match between the context name and the prefix value is required. For example, when context vprn2345 exact is entered, matches for only vprn2345 are considered.

The prefix keyword specifies that only a match between the prefix and the starting portion of context name is required. If only the prefix keyword is specified, simple wildcard processing is used. For example, when context vprn prefix is entered, all vprn contexts are matched.

Default

exact

view-name-1

Specifies the SNMP view used to control which MIB objects can be accessed using a read (get) operation.

view-name-2

Specifies the SNMP view used to control which MIB objects can be accessed using a write (set) operation.

view-name-3

Specifies the SNMP view used to control which MIB objects can be accessed for notifications.

Values

none

Platforms

7705 SAR Gen 2

Context

[Tree] (config>aaa>radius-srv-plcy>servers access-algorithm)

Full Context

configure aaa radius-server-policy servers access-algorithm

Description

This command configures the algorithm used to select a RADIUS server from the pool of configured RADIUS servers.

Default

access-algorithm direct

Parameters

direct

Specifies that the first server is used as primary server for all requests, the second as secondary and so on.

round-robin

Specifies that the first server is used as primary server for the first request, the second server as primary for the second request, and so on. If the router gets to the end of the list, it starts again with the first server.

hash-based

Select a RADIUS server based on the calculated hash result of the configured load-balance-key under the radius-proxy server hierarchy. This parameter is only applicable for radius-proxy server scenarios and results in an unpredictable RADIUS server selection if used in other scenarios.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>aaa>rmt-srv>radius access-algorithm)

[Tree] (config>system>security>radius access-algorithm)

Full Context

configure service vprn aaa remote-servers radius access-algorithm

configure system security radius access-algorithm

Description

This command indicates the algorithm used to access the set of RADIUS servers.

Default

access-algorithm direct

Parameters

direct

Specifies that the first server is used as primary server for all requests, the second as secondary and so on.

round-robin

Specifies that the first server is used as primary server for the first request, the second server as primary for the second request, and so on. If the router gets to the end of the list, it starts again with the first server.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>aaa>rmt-srv>tacplus>req access-operation-cmd)

[Tree] (config>system>security>tacplus>request-format access-operation-cmd)

Full Context

configure service vprn aaa remote-servers tacplus request-format access-operation-cmd

configure system security tacplus request-format access-operation-cmd

Description

This command sends an operation argument in authorization requests.

In model-driven interfaces, this command configures the system to send the operation in the cmd argument, and the path in the cmd-args argument, in TACACS+ authorization requests. This command does not apply to authorization requests in classic interfaces.

The no form of this command removes the operation from the configuration.

Default

no access-operation-cmd

Parameters

access-operation

Specifies that an operation in the authorization request is sent.

Values

delete — Keyword that sends the operation "cmd=delete" and "cmd-args=path".

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>aaa>rmt-srv>radius accounting)

[Tree] (config>system>security>radius accounting)

Full Context

configure service vprn aaa remote-servers radius accounting

configure system security radius accounting

Description

This command enables RADIUS accounting.

The no form of this command disables RADIUS accounting.

Default

no accounting

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>aaa>rmt-srv>tacplus accounting)

[Tree] (config>system>security>tacplus accounting)

Full Context

configure service vprn aaa remote-servers tacplus accounting

configure system security tacplus accounting

Description

This command configures the type of accounting record packet that is to be sent to the TACACS+ server. The record-type parameter indicates whether TACACS+ accounting start and stop packets be sent or just stop packets be sent.

Default

no accounting

Parameters

record-type start-stop

Specifies that a TACACS+ start packet is sent whenever the user executes a command and a TACACS+ stop packet when command execution is complete.

record-type stop-only

Specifies that only a TACACS+ stop packet is sent whenever the command execution is complete.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>log>storage accounting-files-total-size)

Full Context

configure log file-storage-control accounting-files-total-size

Description

This command configures the limit for the total space that all accounting files can occupy on each storage device on the active CPM.

When this threshold is reached, new accounting files are no longer created in the \act-collect directory of the storage device until SR OS removes older accounting files from the \act directory and the occupancy is below the limit. Currently open, in-progress accounting files in the \act-collect directory are not affected by this limit and are completed.

When unconfigured, there is no specific limit for the total size of all accounting files.

Only accounting files in the \act directory with system generated names (including no file extension) are applicable toward the total size limit.

If a user manually adds or deletes accounting files from the \act directory, the size of the files is not taken into account for up to 1 hour.

The configured total size limit is not validated against the actual size of the installed storage devices. If the configured limit is larger than the installed compact flash (CF) device, the limit is never reached.

The no form of this command removes the total size limit for accounting files.

Default

no accounting-files-total-size

Parameters

megabytes

Specifies the total size limit for accounting files, in MB.

Values

50 to 4,194,304 MBytes (4 TBytes, 2²² MB)

Default

0

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vpls>sap accounting-policy)

[Tree] (config>service>vprn>if>sap accounting-policy)

[Tree] (config>service>vpls>spoke-sdp accounting-policy)

[Tree] (config>service>vpls>mesh-sdp accounting-policy)

[Tree] (config>service>vprn>if>spoke-sdp accounting-policy)

[Tree] (config>service>ies>if>sap accounting-policy)

Full Context

configure service vpls sap accounting-policy

configure service vprn interface sap accounting-policy

configure service vpls spoke-sdp accounting-policy

configure service vpls mesh-sdp accounting-policy

configure service vprn interface spoke-sdp accounting-policy

configure service ies interface sap accounting-policy

Description

This command creates the accounting policy context that can be applied to an interface SAP or interface SAP spoke SDP.

An accounting policy must be defined before it can be associated with a SAP or SDP.

If the policy-id does not exist, an error message is generated.

A maximum of one accounting policy can be associated with a SAP or SDP at one time. Accounting policies are configured in the config>log context.

The no form of this command removes the accounting policy association from the SAP or SDP, and the accounting policy reverts to the default.

Default

no accounting policy

Parameters

acct-policy-id

Specifies the accounting policy-id as configured in the config>log>accounting-policy context.

Values

1 to 99

Platforms

7705 SAR Gen 2

Context

[Tree] (config>card>fp>ingress>access>queue-group accounting-policy)

[Tree] (config>card>fp>ingress>network>queue-group accounting-policy)

Full Context

configure card fp ingress access queue-group accounting-policy

configure card fp ingress network queue-group accounting-policy

Description

This command configures an accounting policy that can apply to a queue-group on the forwarding plane.

An accounting policy must be configured before it can be associated to an interface. If the accounting policy-id does not exist, an error is returned.

Accounting policies associated with service billing can only be applied to SAPs. The accounting policy can be associated with an interface at a time.

The no form of this command removes the accounting policy association from the queue-group.

Default

No accounting policies are specified by default. You must explicitly specify a policy. If configured, the accounting policy configured as the default is used.

Parameters

acct-policy-id

Specifies the name of the accounting policy to use for the queue-group.

Values

1 to 99

Platforms

7705 SAR Gen 2

Context

[Tree] (config>port>ethernet>network>egr>qgrp accounting-policy)

[Tree] (config>port>ethernet>network accounting-policy)

[Tree] (config>port>ethernet>access>ing>qgrp accounting-policy)

[Tree] (config>port>ethernet accounting-policy)

[Tree] (config>port>ethernet>access>egr>qgrp accounting-policy)

Full Context

configure port ethernet network egress queue-group accounting-policy

configure port ethernet network accounting-policy

configure port ethernet access ingress queue-group accounting-policy

configure port ethernet accounting-policy

configure port ethernet access egress queue-group accounting-policy

Description

This command configures an accounting policy that can apply to an interface.

An accounting policy must be configured before it can be associated to an interface. If the accounting policy-id does not exist, an error is returned.

Accounting policies associated with service billing can only be applied to SAPs. Accounting policies associated with network ports can only be associated with interfaces. Only one accounting policy can be associated with an interface at a time.

The no form of this command removes the accounting policy association from the network interface, and the accounting policy reverts to the default.

Default

No accounting policies are specified by default. You must explicitly specify a policy. If configured, the accounting policy configured as the default is used.

Parameters

policy-id

The accounting policy-id of an existing policy. Accounting policies record either service (access) or network information. A network accounting policy can only be associated with the network port configurations. Accounting policies are configured in the config>log>accounting-policy context.

Values

1 to 99

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>epipe>sap accounting-policy)

[Tree] (config>service>epipe>spoke-sdp accounting-policy)

Full Context

configure service epipe sap accounting-policy

configure service epipe spoke-sdp accounting-policy

Description

This command creates the accounting policy context that can be applied to a SAP.

An accounting policy must be defined before it can be associated with a SAP. If the policy-id does not exist, an error message is generated.

A maximum of one accounting policy can be associated with a SAP at one time. Accounting policies are configured in the config>log context.

The no form of this command removes the accounting policy association from the SAP, and the accounting policy reverts to the default.

Default

no accounting policy

Parameters

acct-policy-id

Enter the accounting policy-id as configured in the config>log>accounting-policy context.

Values

1 to 99

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>ies>if>spoke-sdp accounting-policy)

Full Context

configure service ies interface spoke-sdp accounting-policy

Description

This command configures an accounting-policy.

Parameters

acct-policy-id

Specifies an accounting policy ID.

Values

1 to 99

Platforms

7705 SAR Gen 2

Context

[Tree] (config>saa>test accounting-policy)

Full Context

configure saa test accounting-policy

Description

This command associates an accounting policy to the SAA test. The accounting policy must already be defined before it can be associated otherwise an error message is generated.

A notification (trap) is issued whenever a test is completed or terminates.

The no form of this command removes the accounting policy association.

Parameters

acct-policy-id

Specifies the accounting policy-id as configured in the config>log>accounting-policy context.

Values

1 to 99

Platforms

7705 SAR Gen 2

Context

[Tree] (config>oam-pm>session>meas-interval accounting-policy)

Full Context

configure oam-pm session meas-interval accounting-policy

Description

This optional command allows the operator to assign an accounting policy and the policy-id (configured under the config>log>accounting-policy) with a record-type of complete-pm. This runs the data collection process for completed measurement intervals in memory, file storage, and maintenance functions moving data from memory to flash. A single accounting policy can be applied to a measurement interval.

The no form of this command removes the accounting policy.

Parameters

acct-policy-id

Specifies the accounting policy to be applied to the measurement interval.

Values

1 to 99

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>sdp accounting-policy)

[Tree] (config>service>pw-template accounting-policy)

Full Context

configure service sdp accounting-policy

configure service pw-template accounting-policy

Description

This command creates the accounting policy context that can be applied to an SDP. An accounting policy must be defined before it can be associated with a SDP. If the acct-policy-id does not exist, an error message is generated.

A maximum of one accounting policy can be associated with a SDP at one time. Accounting policies are configured in the config>log context.

The no form of this command removes the accounting policy association from the SDP, and the accounting policy reverts to the default.

Default

no accounting-policy

Parameters

acct-policy-id

Specifies the accounting policy-id as configured in the config>log>accounting-policy context.

Values

1 to 99

Platforms

7705 SAR Gen 2

Context

[Tree] (config>log accounting-policy)

Full Context

configure log accounting-policy

Description

This command creates an access or network accounting policy. An accounting policy defines the accounting records that are created.

Access accounting policies are policies that can be applied to one or more SAPs. Changes made to an existing policy, using any of the sub-commands, are applied immediately to all SAPs where this policy is applied.

If an accounting policy is not specified on a SAP, then accounting records are produced in accordance with the access policy designated as the default. If a default access policy is not specified, then no accounting records are collected other than the records for the accounting policies that are explicitly configured.

Only one policy can be regarded as the default access policy. If a policy is configured as the default policy, then a no default command must be used to allow the data that is currently being collected to be written before a new access default policy can be configured.

Network accounting policies are policies that can be applied to one or more network ports or SONET/SDH channels. Any changes made to an existing policy, using any of the sub-commands, will be applied immediately to all network ports or SONET/SDH channels where this policy is applied.

If no accounting policy is defined on a network port, accounting records will be produced in accordance with the default network policy as designated with the default command. If no network default policy is created, then no accounting records will be collected other than the records for the accounting policies explicitly configured. Default accounting policies cannot be explicitly applied. For example, for accounting-policy 10, if default is set, then that policy cannot be used:

A:node-2>config>service>vpls>spoke-sdp# accounting-policy 10

Only one policy can be regarded as the default network policy. If a policy is configured as the default policy, then a no default command must be used to allow the data that is currently being collected to be written before a new network default policy can be configured.

The no form of this command deletes the policy from the configuration. The accounting policy cannot be removed unless it is removed from all the SAPs, network ports or channels where the policy is applied.

Parameters

policy-id

Specifies the policy ID that uniquely identifies the accounting policy, expressed as a decimal integer.

Values

1 to 99

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>security>radius accounting-port)

[Tree] (config>service>vprn>aaa>rmt-srv>radius accounting-port)

Full Context

configure system security radius accounting-port

configure service vprn aaa remote-servers radius accounting-port

Description

This command specifies a UDP port number on which to contact the RADIUS server for accounting requests.

Default

accounting-port 1813

Parameters

port

Specifies the UDP port number.

Values

1 to 65535

Platforms

7705 SAR Gen 2

Context

[Tree] (config>aaa>radius-srv-plcy>servers>buffering acct-interim)

Full Context

configure aaa radius-server-policy servers buffering acct-interim

Description

This command enables RADIUS accounting interim update message buffering.

1. The message is stored in the buffer, a lifetime timer is started and the message is sent to the RADIUS server

2. If after retry*timeout seconds no RADIUS accounting response is received for the interim update then a new attempt to send the message is started after minimum[(min-val*2n), max-val] seconds.

3. Repeat step 2 until for one of the following:

   1. a RADIUS accounting response is received.

   2. the lifetime of the buffered message expires.

   3. a new RADIUS accounting interim-update or a RADIUS accounting stop for the same accounting session-id and radius-server-policy is stored in the buffer.

   4. the message is manually purged from the message buffer via a clear command.

4. The message is purged from the buffer.

The no form of this command disables RADIUS accounting interim update message buffering.

Parameters

min-val

Specifies the minimum interval in seconds between attempts to resend the RADIUS accounting interim update.

Values

1 to 3600

max-val

Specifies the maximum interval in seconds between attempts to resend the RADIUS accounting interim update.

Values

1 to 3600

lifetime

Specifies the lifetime in hours.

Values

1 to 25

Platforms

7705 SAR Gen 2

Context

[Tree] (config>aaa>radius-srv-plcy acct-on-off)

Full Context

configure aaa radius-server-policy acct-on-off

Description

This command controls the sending of Accounting-On and Accounting-Off messages and the acct-on-off oper-state of the radius-server-policy:

acct-on-off: enables the sending of Accounting-On and Accounting-Off messages for this radius-server-policy. The acct-on-off oper-state is always not blocked.

acct-on-off oper-state-change [group group-name]: enables the sending of Accounting-On and Accounting-Off messages for this radius-server-policy. The acct-on-off oper-state is function of the Accounting-response received for the Accounting-On and Accounting-Off. Optionally, sets the acct-on-off oper-state of the acct-on-off-group.

acct-on-off monitor-group group-name: no Accounting-On and Accounting-Off messages are sent for this radius-server-policy. The acct-on-off oper-state is inherited from the acct-on-off-group.

The no form of this command disables the sending of Accounting-On and Accounting-Off messages.

Parameters

group-name

Specifies the name of an acct-on-off group up to 32 characters.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>radius-server>server acct-port)

[Tree] (config>router>radius-server>server acct-port)

Full Context

configure service vprn radius-server server acct-port

configure router radius-server server acct-port

Description

This command specifies the UDP listening port for RADIUS accounting requests.

The no form of this command resets the UDP port to its default value (1813).

Default

acct-port 1813

Parameters

port

Specifies the UDP listening port for accounting requests of the external RADIUS server.

Values

1 to 65535

Platforms

7705 SAR Gen 2

Context

[Tree] (config>ipsec>rad-acct-plcy>include acct-stats)

Full Context

configure ipsec radius-accounting-policy include-radius-attribute acct-stats

Description

This command enables the system to include accounting attributes in RADIUS acct-stop and interim-update packets.

The no form of this command disables the system from including accounting attributes in RADIUS acct-stop and interim-update packets.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>aaa>radius-srv-plcy>servers>buffering acct-stop)

Full Context

configure aaa radius-server-policy servers buffering acct-stop

Description

This command enables RADIUS accounting stop message buffering.

1. The message is stored in the buffer, a lifetime timer is started and the message is sent to the RADIUS server

2. If after retry*timeout seconds no RADIUS accounting response is received for the accounting stop, then a new attempt to send the message is started after minimum[(min-val*2n), max-val] seconds.

3. Repeat step 2 until one of the following events occurs:

   1. A RADIUS accounting response is received.

   2. The lifetime of the buffered message expires.

   3. The message is manually purged from the message buffer via a clear command.

4. The message is purged from the buffer.

The no form of this command disables RADIUS accounting stop message buffering.

Parameters

min-val

Specifies the minimum interval in seconds between attempts to resend the RADIUS accounting stop.

Values

1 to 3600

max-val

Specifies the maximum interval in seconds between attempts to resend the RADIUS accounting stop.

Values

1 to 3600

lifetime

Specifies the lifetime in hours.

Values

1 – 25

Platforms

7705 SAR Gen 2

Context

[Tree] (debug>router>rsvp>packet ack)

Full Context

debug router rsvp packet ack

Description

This command debugs ack events.

The no form of the command disables the debugging.

Parameters

detail

Displays detailed information about ack events.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vpls>spoke-sdp>control-channel-status acknowledgment)

[Tree] (config>service>epipe>spoke-sdp>control-channel-status acknowledgment)

Full Context

configure service vpls spoke-sdp control-channel-status acknowledgment

configure service epipe spoke-sdp control-channel-status acknowledgment

Description

This command enables the acknowledgment of control channel status messages. By default, no acknowledgment packets are sent.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>ies>if>spoke-sdp>control-channel-status acknowledgment)

Full Context

configure service ies interface spoke-sdp control-channel-status acknowledgment

Description

This command enables the acknowledgment of control channel status messages. By default, no acknowledgment packets are sent.

Default

no acknowledgment

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>if>spoke-sdp>control-channel-status acknowledgment)

Full Context

configure service vprn interface spoke-sdp control-channel-status acknowledgment

Description

This command enables the acknowledgment of control channel status messages. By default, no acknowledgment packets are sent.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>filter>dhcp-filter>entry action)

Full Context

configure filter dhcp-filter entry action

Description

This command specifies the action to take on DHCP host creation when the filter entry matches.

The no form of this command reverts to the default wherein the host creation proceeds as normal.

Parameters

bypass-host-creation

Specifies that the host creation is bypassed.

drop

Specifies that the DHCP message is dropped.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>filter>dhcp6-filter>entry action)

Full Context

configure filter dhcp6-filter entry action

Description

This command specifies the action to take on DHCP6 host creation when the filter entry matches.

The no form of this command reverts to the default wherein the host creation proceeds as normal.

Parameters

bypass-host-creation

Specifies that the host creation is bypassed.

Values

na — Bypasses the DHCP6 NA hosts creation.

pd — Bypasses the DHCP6 PD hosts creation.

drop

Specifies that the DHCP6 message is dropped.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>policy-options>policy-statement>entry action)

Full Context

configure router policy-options policy-statement entry action

Description

This command creates the context to configure actions to take for routes matching a route policy statement entry.

This command is required and must be entered for the entry to be active.

Any route policy entry without the action command will be considered incomplete and will be inactive.

The no form of this command deletes the action context from the entry.

Default

no action

Parameters

accept

Specifies that routes matching the entry match criteria will be accepted and propagated.

next-entry

Specifies that the actions specified would be made to the route attributes and then policy evaluation would continue with next policy entry (if any others are specified).

next-policy

Specifies that the actions specified would be made to the route attributes and then policy evaluation would continue with next route policy (if any others are specified).

drop

Specifies that routes matching the entry match criteria should be rejected. This parameter provides a context for modifying route properties.

reject

Specifies that routes matching the entry match criteria should be rejected. This parameter does not provide a context for modifying route properties.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vpls>sap>dhcp>option action)

[Tree] (config>service>ies>if>dhcp>option action)

[Tree] (config>service>vprn>if>dhcp>option action)

Full Context

configure service vpls sap dhcp option action

configure service ies interface dhcp option action

configure service vprn interface dhcp option action

Description

This command configures the processing required when the SR OS receives a DHCP request that already has a Relay Agent Information Option (Option 82) field in the packet.

The no form of this command returns the system to the default value.

Default

action keep — Per RFC 3046, DHCP Relay Agent Information Option, section 2.1.1, Reforwarded DHCP requests. The default is to keep the existing information intact. The exception to this is if the giaddr of the received packet is the same as the ingress address on the router. In that case the packet is dropped and an error is logged.

Parameters

replace

In the upstream direction (from the user), the existing Option 82 field is replaced with the Option 82 field from the router. In the downstream direction (towards the user) the Option 82 field is stripped (in accordance with RFC 3046).

drop

Specifies that the packet is dropped, and an error is logged.

keep

Specifies that the existing information is kept in the packet and the router does not add any additional information. In the downstream direction the Option 82 field is not stripped and is sent on towards the client.

The behavior is slightly different in case of Vendor Specific Options (VSOs). When the keep parameter is specified, the router inserts its own VSO into the Option 82 field. This is only done when the incoming message has already an Option 82 field.

If no Option 82 field is present, the router will not create the Option 82 field. In this in that case, no VSO is added to the message.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>log>filter>entry action)

[Tree] (config>log>filter>entry action)

Full Context

configure service vprn log filter entry action

configure log filter entry action

Description

This command specifies a drop or forward action associated with the filter entry. If neither drop nor forward is specified, the default-action will be used for traffic that conforms to the match criteria. This could be considered a No-Op filter entry used to explicitly exit a set of filter entries without modifying previous actions.

Multiple action statements entered will overwrite previous actions.

The no form of this command removes the specified action statement.

Default

Action specified by the default-action command will apply.

Parameters

drop

Specifies packets matching the entry criteria will be dropped.

forward

Specifies packets matching the entry criteria will be forwarded.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>log>filter>entry action)

Full Context

configure log filter entry action

Description

This command specifies a drop or forward action associated with the filter entry. If neither drop nor forward is specified, the default-action will be used for traffic that conforms to the match criteria. This could be considered a No-Op filter entry used to explicitly exit a set of filter entries without modifying previous actions.

Multiple action statements entered will overwrite previous actions.

The no form of this command removes the specified action statement.

Default

no action

Parameters

drop

Specifies packets matching the entry criteria will be dropped.

forward

Specifies packets matching the entry criteria will be forwarded.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>card>mda>event action)

Full Context

configure card mda event action

Description

This command defines the action to be taken when a specific hardware error event is raised against the target mda.

Only one action can be enabled at a time. Entering a new action will override a previously defined action.

The no form of this command sets the action to the default value.

Default

action log-only

Parameters

log-only

Specifies to pass the log event to log management. No other action is taken.

reset-mda

Specifies to reset the mda.

fail-mda

Specifies to set the operational state of the mda to Failed. This Failed state will persist until the clear mda command is issued (reset) or the mda is removed and re-inserted (re-seat).

Platforms

7705 SAR Gen 2

Context

[Tree] (configure>system>security>profile>netconf>base-op-authorization action)

Full Context

configure system security profile netconf base-op-authorization action

Description

This command enables the NETCONF <action> RPC.

The no form of this command disables the RPC.

Default

no action

Platforms

7705 SAR Gen 2

Context

[Tree] (config>filter>ip-filter>entry action)

[Tree] (config>filter>ipv6-filter>entry action)

Full Context

configure filter ip-filter entry action

configure filter ipv6-filter entry action

Description

Commands in this context configure a primary (no option specified) or secondary (secondary option specified) action to be performed on packets matching this filter entry. An ACL filter entry remains inactive (is not programmed in hardware) until a specific action is configured for that entry.

A primary action supports any filter entry action, a secondary action is used for redundancy and defines a redundant Layer 3 PBR action for an Layer 3 PBR primary action or a redundant L2 PBF action for a Layer 2 PBF primary action.

The no form of this command removes the specific action configured in the context of the action command. The primary action cannot be removed if a secondary action exists.

Default

no action

Parameters

secondary

Specifies a secondary action to be performed on packets matching this filter entry. A secondary action can only be configured if a primary action is configured.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>qos>sap-ingress>ipv6-criteria>entry action)

[Tree] (config>qos>sap-ingress>ip-criteria>entry action)

[Tree] (config>qos>sap-ingress>mac-criteria>entry action)

Full Context

configure qos sap-ingress ipv6-criteria entry action

configure qos sap-ingress ip-criteria entry action

configure qos sap-ingress mac-criteria entry action

Description

This mandatory command associates the forwarding class or enqueuing priority with specific IP, IPv6, or MAC criteria entry ID. The action command supports setting the forwarding class parameter to a subclass. Packets that meet all match criteria within the entry have their forwarding class and enqueuing priority overridden based on the parameters included in the action parameters. When the forwarding class is not specified in the action command syntax, a matching packet preserves (or inherits) the existing forwarding class derived from earlier matches in the classification hierarchy. When the enqueuing priority is not specified in the action, a matching packet preserves (or inherits) the existing enqueuing priority derived from earlier matches in the classification hierarchy.

When a policer is specified in the action, a matching packet is directed to the configured policer instead of the policer/queue assigned to the forwarding class of the packet.

The action command must be executed for the match criteria to be added to the active list of entries. If the entry is designed to prevent more explicit (higher entry ID) entries from matching certain packets, the fc fc-name and match protocol fields should not be defined when executing action. This allows packets matching the entry to preserve the forwarding class and enqueuing priority derived from previous classification rules.

Each time action is executed on a specific entry ID, the previously entered values for fc fc-name and priority are overridden with the newly defined parameters or inherit previous matches when a parameter is omitted.

The no form of this command removes the entry from the active entry list. Removing an entry on a policy immediately removes the entry from all SAPs using the policy. All previous parameters for the action is lost.

If no action is specified, the action specified by the default-fc command will be used.

Parameters

fc fc-name

The value given for fc fc-name must be one of the predefined forwarding classes in the system. Specifying the fc fc-name is required. When a packet matches the rule, the forwarding class is only overridden when the fc fc-name parameter is defined on the rule. If the packet matches and the forwarding class is not explicitly defined in the rule, the forwarding class is inherited based on previous rule matches.

The subclass-name parameter is optional and used with the fc-name parameter to define a pre-existing subclass. The fc-name and subclass-name parameters must be separated by a period (.). If subclass-name does not exist in the context of fc-name, an error will occur. If subclass-name is removed using the no fc fc-name.subclass-name force command, the default-fc command will automatically drop the subclass-name and only use fc-name (the parent forwarding class for the subclass) as the forwarding class.

Values

fc:	class[.subclass]
		class: be, l2, af, l1, h2, ef, h1, nc
		subclass: 29 characters max

Default

Inherit (When fc fc-name is not defined, the rule preserves the previous forwarding class of the packet.)

priority

The priority parameter overrides the default enqueuing priority for all packets received on a SAP using this policy that match this rule. Specifying the priority (high or low) is optional. When a packet matches the rule, the enqueuing priority is only overridden when the priority parameter is defined on the rule. If the packet matches and priority is not explicitly defined in the rule, the enqueuing priority is inherited based on previous rule matches.

Default

Inherit (When the priority (high or low) is not defined, the rule preserves the previous enqueuing priority of the packet)

high

The high parameter is used in conjunction with the priority parameter. Setting the priority enqueuing parameter to high for a packet increases the likelihood to enqueue the packet when the queue is congested. The enqueuing priority only affects ingress SAP queuing. When the packet is placed in a buffer on the queue, the significance of the enqueuing priority is lost.

low

The low parameter is used in conjunction with the priority parameter. Setting the priority enqueuing parameter to low for a packet decreases the likelihood to enqueue the packet when the queue is congested. The enqueuing priority only affects ingress SAP queuing. When the packet is placed in a buffer on the ingress queue, the significance of the enqueuing priority is lost.

Default

Inherit

policer-id

A valid policer-id must be specified. The parameter policer-id references a policer-id that has already been created within the sap-ingress QoS policy.

Values

1 to 63

Platforms

7705 SAR Gen 2

Context

[Tree] (config>qos>sap-egress>ip-criteria>entry action)

[Tree] (config>qos>sap-egress>ipv6-criteria>entry action)

Full Context

configure qos sap-egress ip-criteria entry action

configure qos sap-egress ipv6-criteria entry action

Description

This command defines the reclassification actions that should be performed on any packet matching the defined IP flow criteria within the entries match node. When defined under the ip-criteria context, the reclassification only applies to IPv4 packets. When defined under the ipv6-criteria context, the reclassification only applies to IPv6 packets.

If an egress packet on the SAP matches the specified IP flow entry, the forwarding class, or profile or egress queue accounting behavior may be overridden. By default, the forwarding class and profile of the packet is derived from ingress classification and profiling functions. Matching an IP flow reclassification entry will override all IP precedence- or DSCP-based reclassification rule actions when an explicit reclassification action is defined for the entry.

It is also possible to redirect the egress packet to a configured policer. The forwarding class or profile can also be optionally specified.

When an IP flow entry is first created, the entry will have no explicit behavior defined as the reclassification actions to be performed. In show and info commands, the entry will display no action as the specified reclassification action for the entry. When the entry is defined with no action, the entry will not be populated in the IP flow reclassification list used to evaluate packets egressing a SAP with the SAP egress policy defined. An IP flow reclassification entry is only added to the evaluation list when the action command for the entry is executed either with explicit reclassification entries or without any actions defined. Specifying action without any trailing reclassification actions allows packets matching the entry to exit the evaluation list without matching entries lower in the list. Executing no action on an entry removes the entry from the evaluation list and also removes any explicitly defined reclassification actions associated with the entry.

The fc keyword is optional. When specified, the egress classification rule will overwrite the forwarding class derived from ingress. The new forwarding class is used for egress remarking and queue mapping decisions.

The profile keyword is optional. When specified, the egress classification rule will overwrite the profile of the packet derived from ingress. The new profile value is used for egress remarking and queue congestion behavior.

The policer keyword is optional. When specified, the egress packet will be redirected to the configured policer. Optional parameters allow the user to control how the forwarded policed traffic exits the egress port. By default, the policed forwarded traffic will use a queue in the egress port’s policer-output-queue queue group; alternatively, a queue in an instance of a user-configured queue group can be used or a local SAP egress queue.

The no form of this command removes all reclassification actions from the IP flow reclassification entry and also removes the entry from the evaluation list. An entry removed from the evaluation list will not be matched to any packets egress a SAP associated with the SAP egress QoS policy.

Parameters

fc fc-name

The fc reclassification action is optional. When specified, packets matching the IP flow reclassification entry will be explicitly reclassified to the forwarding class specified as fc-name regardless of the ingress classification decision. The fc-name defined must be one of the eight forwarding classes supported by the system. To remove the forwarding class reclassification action for the IP flow entry, the action command must be re-executed without the fc reclassification action defined.

Values

fc	class
	class	be, l2, af, l1, h2, ef, h1, nc

profile {in | out | exceed | inplus}

The profile reclassification action is optional. When specified, packets matching the IP flow reclassification entry will be explicitly reclassified to the configured profile regardless of the ingress profiling decision. To remove the profile reclassification action for the IP flow reclassification entry, the action command must be re-executed without the profile reclassification action defined.

in

The in parameter is mutually exclusive to the exceed, inplus, and out parameters following the profile reclassification action keyword. In, exceed, inplus, or out must be specified when the profile keyword is present. When in is specified, any packets matching the reclassification rule will be treated as in-profile by the egress forwarding plane.

out

The out parameter is mutually exclusive to the exceed, inplus, and in parameters following the profile reclassification action keyword. In, exceed, inplus, or out must be specified when the profile keyword is present. When out is specified, any packets matching the reclassification rule will be treated as out-of-profile by the egress forwarding plane.

exceed

The exceed parameter is mutually exclusive to the out, inplus, and in parameters following the profile reclassification action keyword. In, exceed, inplus, or out must be specified when the profile keyword is present. When exceed is specified, any packets matching the reclassification rule will be treated as exceed-profile by the egress forwarding plane.

inplus

The inplus parameter is mutually exclusive to the out, exceed, and in parameters following the profile reclassification action keyword. In, exceed, inplus, or out must be specified when the profile keyword is present. When inplus is specified, any packets matching the reclassification rule will be treated as inplus-profile by the egress forwarding plane.

policer policer-id

When the action policer command is executed, a valid policer ID must be specified. The parameter policer ID references a policer ID that has already been created within the SAP egress QoS policy.

Values

1 to 63

port-redirect-group-queue queue queue-id

Used to override the forwarding class default egress queue destination to an egress port queue group. The specific egress queue group instance to use is specified at the time the QoS policy is applied to the SAP. Therefore, this parameter is only valid if SAP-based redirection is required. The queue parameter overrides the policer’s default egress queue destination to a specified queue-id in the egress port queue group instance.

Values

1 to 8

queue queue-id

This parameter overrides the policer’s default egress queue destination to a specified local SAP queue of that queue-id. A queue of ID queue-id must exist within the egress QoS policy.

Values

1 to 8

use-fc-mapped-queue

This parameter overrides the policer’s default egress queue destination to the queue mapped by the traffic’s forwarding class.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>qos>network>egress>ip-criteria>entry action)

[Tree] (config>qos>network>egress>ipv6-criteria>entry action)

Full Context

configure qos network egress ip-criteria entry action

configure qos network egress ipv6-criteria entry action

Description

This command defines the reclassification actions that are performed on any packet matching the defined IP flow criteria within the entry’s matched node. When defined under the ip-criteria context, the reclassification only applies to IPv4 packets. When defined under the ipv6-criteria context, the reclassification only applies to IPv6 packets.

If an egress packet matches the specified IP flow entry, the forwarding class and profile may be overridden. By default, the forwarding class and profile of the packet are derived from ingress classification and profiling functions. Matching an IP flow reclassification entry will override all IP precedence-based or DSCP-based reclassification rule actions when an explicit reclassification action is defined for the entry.

When an IP flow entry is first created, the entry will have no explicit behavior defined as the reclassification actions to be performed. When the entry is defined with no action, the entry will not be populated in the IP flow reclassification list used to evaluate egress packets. An IP flow reclassification entry is only added to the evaluation list when the action command for the entry is executed.

The fc and profile keywords are optional. When specified, the egress classification rule will overwrite the forwarding class and profile derived from ingress. The new forwarding class and profile are used for egress remarking, queue mapping decisions, and queue congestion behavior.

The port-redirect-group keyword is optional. When specified, the egress packet will be redirected to the configured queue or policer in the specified egress network queue group. By default, the policed forwarded traffic will use the regular network queue to which the packet's forwarding class is mapped. Alternatively, a queue in the network egress queue group instance can be used for post-policed traffic by specifying a queue after the policer parameter. The port-redirect-group keyword requires that the network egress queue group instance is specified when this network QoS policy is applied to a network interface.

The no form of this command removes all reclassification actions from the IP flow reclassification entry and also removes the entry from the evaluation list. An entry removed from the evaluation list will not be matched to any egress packets.

Default

no action

Parameters

fc fc-name

The fc reclassification action is optional. When specified, packets matching the IP flow reclassification entry will be explicitly reclassified to the forwarding class specified as fc-name regardless of the ingress classification decision. The fc-name defined must be one of the eight forwarding classes supported by the system. The profile reclassification action is mandatory when an fc is specified. To remove the forwarding class reclassification action for the IP flow entry, the action command must be re-executed without the fc reclassification action defined.

Values

be, l2, af, l1, h2, ef, h1, nc

profile {in | out | exceed | inplus}

The profile reclassification action is mandatory when an fc is specified, otherwise it is optional. When specified, packets matching the IP flow reclassification entry will be explicitly reclassified to the configured profile regardless of the ingress profiling decision. In, exceed, inplus, or out must be specified when the profile keyword is present. To remove the profile reclassification action for the IP flow reclassification entry, the action command must be re-executed without the profile reclassification action defined.

in

When specified, any packets matching the reclassification rule will be treated as in-profile by the egress forwarding plane.

out

When specified, any packets matching the reclassification rule will be treated as out-of-profile by the egress forwarding plane.

exceed

When specified, any packets matching the reclassification rule will be treated as exceed-profile by the egress forwarding plane.

inplus

When specified, any packets matching the reclassification rule will be treated as inplus-profile by the egress forwarding plane.

queue queue-id

Used to override the forwarding class default egress queue destination to the specified network egress queue group instance queue. The specific egress queue group instance to use is specified at the time the QoS policy is applied to the network interface.

Values

1 to 8

policer policer-id

Specifies a valid policer ID that has already been created within the network egress queue group instance.

Values

1 to 16

queue queue-id

The queue following the configured policer overrides the default policed traffic egress queue destination to a specified queue in the network egress queue group instance.

Values

1 to 8

Platforms

7705 SAR Gen 2

Context

[Tree] (config>qos>network>ingress>ipv6-criteria>entry action)

[Tree] (config>qos>network>ingress>ip-criteria>entry action)

Full Context

configure qos network ingress ipv6-criteria entry action

configure qos network ingress ip-criteria entry action

Description

This command defines the reclassification actions that are performed on any packet matching the defined IP flow criteria within the entry’s matched node. When defined under the ip-criteria context, the reclassification only applies to IPv4 packets. When defined under the ipv6-criteria context, the reclassification only applies to IPv6 packets.

If an ingress packet matches the specified IP flow entry, the forwarding class and profile may be overridden. By default, the forwarding class and profile of the packet are derived from ingress classification and profiling functions. Matching an IP flow reclassification entry will override all non-criteria reclassification rule actions when an explicit reclassification action is defined for the entry.

When an IP flow entry is first created, the entry will have no explicit behavior defined as the reclassification actions to be performed. When the entry is defined with no action, the entry will not be populated in the IP flow reclassification list used to evaluate ingress packets. An IP flow reclassification entry is only added to the evaluation list when the action command for the entry is executed.

The no form of this command removes all reclassification actions from the IP flow reclassification entry and also removes the entry from the evaluation list. An entry removed from the evaluation list will not be matched to any ingress packets.

Default

no action

Parameters

fc fc-name

The fc reclassification action is optional. When specified, packets matching the IP flow reclassification entry will be explicitly reclassified to the forwarding class specified as fc-name regardless of the ingress classification decision. The fc-name defined must be one of the eight forwarding classes supported by the system. The profile reclassification action is mandatory when an fc is specified. To remove the forwarding class reclassification action for the IP flow entry, the action command must be re-executed without the fc reclassification action defined.

Values

be, l2, af, l1, h2, ef, h1, nc

profile {in | out}

The profile reclassification action is mandatory. Packets matching the IP flow reclassification entry will be explicitly reclassified to the configured profile regardless of other ingress profiling decisions. In or out must be specified when the profile keyword is present. To remove the profile reclassification action for the IP flow reclassification entry, the action command must be re-executed without the profile reclassification action defined.

in

When specified, any packets matching the reclassification rule will be treated as in-profile by the ingress forwarding plane.

out

When specified, any packets matching the reclassification rule will be treated as out-of-profile by the ingress forwarding plane.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>if>dhcp>option action)

Full Context

configure router interface dhcp option action

Description

This command configures the processing required when the router receives a DHCP request that already has a Relay Agent Information Option (Option 82) field in the packet.

The no form of this command returns the system to the default value.

Default

Per RFC 3046, DHCP Relay Agent Information Option, section 2.1.1, Reforwarded DHCP requests, the default is to keep the existing information intact. The exception to this is if the GI address of the received packet is the same as the ingress address on the router. In that case the packet is dropped and an error is logged.

Parameters

replace

In the upstream direction (from the user), the existing Option 82 field is replaced with the Option 82 field from the router. In the downstream direction (toward the user) the Option 82 field is stripped (in accordance with RFC 3046).

drop

The packet is dropped, and an error is logged.

keep

The existing information is kept in the packet and the router does not add any additional information. In the downstream direction the Option 82 field is not stripped and is sent on toward the client.

The behavior is slightly different in case of Vendor Specific Options (VSOs). When the keep parameter is specified, the router will insert his own VSO into the Option 82 field. This will only be done when the incoming message has already an Option 82 field.

If no Option 82 field is present, the router will not create the Option 82 field. In this in that case, no VSO will be added to the message.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>security>mgmt-access-filter>mac-filter>entry action)

[Tree] (config>system>security>mgmt-access-filter>ipv6-filter>entry action)

[Tree] (config>system>security>mgmt-access-filter>ip-filter>entry action)

Full Context

configure system security management-access-filter mac-filter entry action

configure system security management-access-filter ipv6-filter entry action

configure system security management-access-filter ip-filter entry action

Description

This command creates the action associated with the management access filter match criteria entry.

The action keyword is required. If no action is defined, the filter is ignored. If multiple action statements are configured, the last one overwrites previous configured actions.

If the packet does not meet any of the match criteria the configured default action is applied.

Parameters

permit

Specifies that packets matching the configured criteria will be permitted.

deny

Specifies that packets matching the configured selection criteria will be denied and that a ICMP host unreachable message will not be issued.

deny-host-unreachable

Specifies that packets matching the configured selection criteria will be denied and that a host unreachable message will not be issued.

The deny-host-unreachable parameter only applies to ip-filter and ipv6-filter.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>security>profile>entry action)

Full Context

configure system security profile entry action

Description

This command configures the action associated with the profile entry.

Parameters

deny

Specifies that commands matching the entry command match criteria are to be denied.

permit

Specifies that commands matching the entry command match criteria is permitted.

read-only

Specifies the commands matching the entry command match criteria is available with read-only access.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>log>event-handling>handler action-list)

Full Context

configure log event-handling handler action-list

Description

Commands in this context configure the EHS handler action list.

Platforms

7705 SAR Gen 2

Context

[Tree] (admin>system>license activate)

Full Context

admin system license activate

Description

This command performs an activation on the license file pointed to by the command line argument. The file is first validated as described in the admin>system>license>validate command and upon success, replaces the existing license attributes in the system with the information in the new license file.

The license attributes that are active on a system can be viewed with the show>licensing>entitlements command.

Parameters

file-url

Specifies the file URL location to read the license file.

Values

local-url, remote-url

now

If the now keyword is not present, the operator is prompted to confirm the activation. With the now keyword the license file is activated without the additional prompt.

Platforms

7705 SAR Gen 2

Context

[Tree] (admin>system>security>secure-boot activate)

Full Context

admin system security secure-boot activate

Description

This command activates Secure Boot to enforce digital signature verification of the software on every boot.

Once Secure Boot is activated on a CPM, the capability is permanently enabled and cannot be disabled.

Parameters

cpm-slot

Specifies the CPM slot.

Values

A,B

cpm-serial-number

Specifies the CPM serial number, up to 256 characters.

code

Specifies the secure boot confirmation code, up to 32 characters.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>epipe>endpoint active-hold-delay)

Full Context

configure service epipe endpoint active-hold-delay

Description

This command specifies that the node will delay sending the change in the T-LDP status bits for the VLL endpoint when the MC-LAG transitions the LAG subgroup which hosts the SAP for this VLL endpoint from active to standby or when any object in the endpoint. For example, SAP, ICB, or regular spoke SDP, transitions from up to down operational state.

By default, when the MC-LAG transitioned the LAG subgroup which hosts the SAP for this VLL endpoint from active to standby, the node sends immediately new T-LDP status bits indicating the new value of "standby” over the spoke SDPs which are on the mate-endpoint of the VLL. The same applies when any object in the endpoint changes an operational state from up to down.

There is no delay applied to the VLL endpoint status bit advertisement when the MC-LAG transitions the LAG subgroup which hosts the SAP from standby to active or when any object in the endpoint transitions to an operationally up state.

Default

active-hold-delay 0

Parameters

active-hold-delay

Specifies the active hold delay in 100s of milliseconds.

A value of zero means that when the MC-LAG transitioned the LAG subgroup which hosts the SAP for this VLL endpoint from active to standby, the node sends immediately new T-LDP status bits indicating the new value of standby over the spoke SDPs which are on the mate-endpoint of the VLL. The same applies when any object in the endpoint changes an operational state from up to down.

Values

0 to 60

Platforms

7705 SAR Gen 2

Context

[Tree] (config>isa>nat-group active-mda-limit)

Full Context

configure isa nat-group active-mda-limit

Description

This command configures the number of active ESA-VM or ISA members in a NAT group.

The system automatically selects which ESA-VMs or ISAs are active. In active/standby (A/S) redundancy mode, the correlation between ESA-VM or ISA members is direct, meaning each ESA-VM or ISA equates to one member. In active/active (A/A) redundancy mode, an individual ESA-VM or ISA may be associated with multiple members.

For A/S redundancy, any surplus ESA-VMs or ISAs beyond the configured active threshold automatically transition to standby. These standby units remain idle until an active unit fails, at which point a standby unit takes over, handling traffic from only one failed active unit. This setup allows for the configuration of multiple standby units to provide resilience against several concurrent failures.

In A/A redundancy, the combination of this command and the failed-mda-limit command guides the distribution of resources among ESA-VMs or ISAs, essentially defining how the members are structured.

In both A/S and A/A modes, the system strives to maintain the configured number of active members as outlined by the active MDA limit, drawing from the pool of available spare resources to compensate for any failures. If the actual number of active members drops below this limit because of a lack of available spares, the NAT group status changes to degraded. In this state, traffic intended for the missing ESA-VM or ISA members (up to the active MDA limit) is blackholed. In Layer 2-aware NAT this condition can be circumvented where traffic can bypass NAT altogether and be directly routed within the internal network that may have an alternate path to a backup NAT system. For additional details, see "L2-Aware bypass" in the 7705 SAR Gen 2 Multiservice ISA and ESA Guide

The no form of this command removes the active MDA limit configuration.

Default

no active-mda-limit

Parameters

number

Specifies the active MDA limit.

Values

1 to 28

Platforms

7705 SAR Gen 2

Context

[Tree] (config>isa>tunnel-grp active-mda-number)

Full Context

configure isa tunnel-group active-mda-number

Description

This command specifies the number of active MS-ISA within all configured MS-ISA in the tunnel-group with multi-active enabled. IPsec traffic will be load balanced across all active MS-ISAs. If the number of configured MS-ISA is greater than the active-mda-number then the delta number of MS-ISA will be backup.

Default

active-mda-number 1

Parameters

number

Specifies the number of active MDAs.

Values

1 to 16

Platforms

7705 SAR Gen 2

Context

[Tree] (config>grp-encryp>encryp-keygrp active-outbound-sa)

Full Context

configure group-encryption encryption-keygroup active-outbound-sa

Description

This command specifies the Security Association, referenced by the Security Parameter Index (SPI), to use when performing encryption and authentication on NGE packets egressing the node for all services configured using this key group.

The no form of the command returns the parameter to its default value and is the same as removing this key group from all outbound direction key groups in all services configured with this key group (that is, all packets of services using this key group will egress the node in without being encrypted).

Parameters

spi

Specifies the SPI to use for packets of services using this key group when egressing the node.

Values

1 to 127

Platforms

7705 SAR Gen 2

Context

[Tree] (config>macsec>conn-assoc>static-cak active-psk)

Full Context

configure macsec connectivity-association static-cak active-psk

Description

This command specifies the active transmitting pre-shared-key. If two pre-shared-keys are configured, the arriving MACsec MKA can be decrypted via CAKs of both pre-shared keys; however, only the active-psk will be used for TX encryption of MKA PDUs.

Default

active-psk 1

Parameters

active-pre-shared-key

Specifies the value of the pre-shared-key.

Values

1 or 2

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>system>bgp-evpn ad-per-evi-routes)

Full Context

configure service system bgp-evpn ad-per-evi-routes

Description

Commands in this context configure how Ethernet AD per-EVI routes are generated.

Default

ad-per-evi-routes

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>dns>dnssec ad-validation)

Full Context

configure system dns dnssec ad-validation

Description

This command enables validation of the presence of the AD-bit in responses from the DNS servers, and reports a warning to the SECURITY log if DNSSEC validation was not possible.

This command requires either the fall-through or drop parameters be configured. When the fall-through parameter is supplied, the system will allow DNS responses that do not pass DNSSEC validation to be accepted and logged. When the drop parameter is specified, the system will reject and log DNS responses that do not pass DNSSEC validation and the resolution will appear to fail.

Default

no ad-validation

Parameters

fall-through

Specifies that the DNSSEC validator should allow non-DNSSEC responses to fall-through to permit resolution in case of validation failure.

drop

Specifies that the DNSSEC validator should drop non-DNSSEC responses in case of validation failure.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>lag>access adapt-qos)

Full Context

configure lag access adapt-qos

Description

This command specifies how the LAG SAP queue and virtual scheduler buffering and rate parameters are adapted over multiple active XMAs/MDAs. This command applies only to access LAGs.

Default

adapt-qos distribute

Parameters

link

Specifies that the LAG will create the SAP queues and virtual schedulers with the actual parameters on each LAG member port.

port-fair

Places the LAG instance into a mode that enforces QoS bandwidth constraints in the following manner:

• all egress QoS objects associated with the LAG instance are created on a per port basis

• bandwidth is distributed over these per port objects based on the proportion of the port's bandwidth relative to the total of all active ports bandwidth within the LAG

• the include-egr-hash-cfg behavior is automatically enabled allowing the system to detect objects that hash to a single egress link in the lag and enabling full bandwidth for that object on the appropriate port

distribute

Creates an additional internal virtual scheduler per IOM/XCM as parent of the configured SAP queues and virtual schedulers per LAG member port on that IOM/XCM. This internal virtual scheduler limits the total amount of egress bandwidth for all member ports on the IOM/XCM to the bandwidth specified in the egress qos policy.

include-egr-hash-cfg

Specifies whether explicitly configured hashing should factor into the egress buffering and rate distribution.

When this parameter is configured, all SAPs on this LAG which have explicit hashing configured, the egress HQoS and HPol (including queues, policers, schedulers and arbiters) will receive 100% of the configured bandwidth (essentially operating in adapt-qos link mode). For any Multi-Service-Sites assigned to such a LAG, bandwidth will continue to be divided according to adapt-qos distribute mode.

A LAG instance that is currently in adapt-qos link mode may be placed at any time in port-fair mode. Similarly, a LAG instance that is currently in adapt-qos port-fair mode may be placed at any time in link mode. However, a LAG instance in adapt-qos distribute mode may not be placed into port-fair (or link) mode while QoS objects are associated with the LAG instance. To move from distribute to port-fair mode it is necessary to remove all QoS objects from the LAG instance.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>ies>if>sap>egress>queue-override>queue adaptation-rule)

[Tree] (config>service>vpls>sap>egress>queue-override>queue adaptation-rule)

[Tree] (config>service>vpls>sap>ingress>queue-override>queue adaptation-rule)

[Tree] (config>service>ies>if>sap>ingress>queue-override>queue adaptation-rule)

Full Context

configure service ies interface sap egress queue-override queue adaptation-rule

configure service vpls sap egress queue-override queue adaptation-rule

configure service vpls sap ingress queue-override queue adaptation-rule

configure service ies interface sap ingress queue-override queue adaptation-rule

Description

This command overrides specific attributes of the specified queue’s adaptation rule parameters. The adaptation rule controls the method used by the system to derive the operational CIR and PIR settings when the queue is provisioned in hardware. For the CIR and PIR parameters individually, the system attempts to find the best operational rate depending on the defined constraint.

This command is ignored for egress HSQ queue group queues which are attached to an HS WRR group within an associated HS attachment policy. In this case, the configuration of the adaptation rule is performed under the hs-wrr-group within the SAP egress QoS policy.

The no form of this command removes any explicitly defined constraints used to derive the operational CIR and PIR created by the application of the policy. When a specific adaptation-rule is removed, the default constraints for rate and cir apply.

Default

no adaptation-rule

Parameters

pir

Specifies the constraints enforced when adapting the PIR rate defined within the queue queue-id rate command. The pir parameter requires a qualifier that defines the constraint used when deriving the operational PIR for the queue. When the rate command is not specified, the default applies.

cir

Specifies the constraints enforced when adapting the CIR rate defined within the queue queue-id rate command. The cir parameter requires a qualifier that defines the constraint used when deriving the operational CIR for the queue. When the cir parameter is not specified, the default constraint applies.

adaptation-rule

Specifies the CIR and PIR adaptation rules.

Values

max — The max (maximum) option is mutually exclusive with the min and closest options. When max is defined, the operational PIR for the queue is equal to or less than the administrative rate specified using the rate command.

min — The min (minimum) option is mutually exclusive with the max and closest options. When min is defined, the operational PIR for the queue is equal to or greater than the administrative rate specified using the rate command.

closest — The closest parameter is mutually exclusive with the min and max parameter. When closest is defined, the operational PIR for the queue is the rate closest to the rate specified using the rate command.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>port>ethernet>network>egr>qgrp>qover>q adaptation-rule)

[Tree] (config>port>ethernet>access>ing>qgrp>qover>q adaptation-rule)

[Tree] (config>port>ethernet>access>egr>qgrp>qover>q adaptation-rule)

Full Context

configure port ethernet network egress queue-group queue-overrides queue adaptation-rule

configure port ethernet access ingress queue-group queue-overrides queue adaptation-rule

configure port ethernet access egress queue-group queue-overrides queue adaptation-rule

Description

This command specifies the method used by the system to derive the operational CIR and PIR settings when the queue is provisioned in hardware. For the CIR and PIR parameters individually, the system attempts to find the best operational rate depending on the defined constraint.

This command is ignored for egress HSQ queue group queues which are attached to an HS WRR group within an associated HS attachment policy. In this case the configuration of the adaptation rule is performed under the hs-wrr-group within the egress queue group template.

The no form of this command removes any explicitly defined constraints used to derive the operational CIR and PIR created by the application of the policy. When a specific adaptation-rule is removed, the default constraints for rate and cir apply.

Default

adaptation-rule pir closest cir closest

Parameters

pir

Defines the constraints enforced when adapting the PIR rate defined within the queue queue-id rate command. The pir parameter requires a qualifier that defines the constraint used when deriving the operational PIR for the queue. When the rate command is not specified, the default applies.

cir

Defines the constraints enforced when adapting the CIR rate defined within the queue queue-id rate command. The cir parameter requires a qualifier that defines the constraint used when deriving the operational CIR for the queue. When the cir parameter is not specified, the default constraint applies.

adaptation-rule

Specifies the adaptation rule to be used while computing the operational CIR or PIR value.

Values

max — The max (maximum) option is mutually exclusive with the min and closest options. When max is defined, the operational PIR for the queue will be equal to or less than the administrative rate specified using the rate command.

min — The min (minimum) option is mutually exclusive with the max and closest options. When min is defined, the operational PIR for the queue will be equal to or greater than the administrative rate specified using the rate command.

closest — The closest parameter is mutually exclusive with the min and max parameter. When closest is defined, the operational PIR for the queue will be the rate closest to the rate specified using the rate command.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>epipe>sap>ingress>queue-override>queue adaptation-rule)

[Tree] (config>service>epipe>sap>egress>queue-override>queue adaptation-rule)

Full Context

configure service epipe sap ingress queue-override queue adaptation-rule

configure service epipe sap egress queue-override queue adaptation-rule

Description

This command can be used to override specific attributes of the specified queue’s adaptation rule parameters. The adaptation rule controls the method used by the system to derive the operational CIR and PIR settings when the queue is provisioned in hardware. For the CIR and PIR parameters individually, the system attempts to find the best operational rate depending on the defined constraint.

This command is ignored for egress HSQ queue group queues which are attached to an HS WRR group within an associated HS attachment policy. In this case the configuration of the adaptation rule is performed under the hs-wrr-group within the SAP egress QoS policy.

The no form of this command removes any explicitly defined constraints used to derive the operational CIR and PIR created by the application of the policy. When a specific adaptation-rule is removed, the default constraints for rate and cir apply.

Default

no adaptation-rule

Parameters

pir

The pir parameter defines the constraints enforced when adapting the PIR rate defined within the queue queue-id rate command. The pir parameter requires a qualifier that defines the constraint used when deriving the operational PIR for the queue. When the rate command is not specified, the default applies.

cir

The cir parameter defines the constraints enforced when adapting the CIR rate defined within the queue queue-id rate command. The cir parameter requires a qualifier that defines the constraint used when deriving the operational CIR for the queue. When the cir parameter is not specified, the default constraint applies.

adaptation-rule

Specifies the criteria to use to compute the operational CIR and PIR values for this queue, while maintaining a minimum offset.

Values

max — The max (maximum) keyword is mutually exclusive with the min and closest options. When max is defined, the operational PIR for the queue will be equal to or less than the administrative rate specified using the rate command.

min — The min (minimum) keyword is mutually exclusive with the max and closest options. When min is defined, the operational PIR for the queue will be equal to or greater than the administrative rate specified using the rate command.

closest — The closest parameter is mutually exclusive with the min and max parameter. When closest is defined, the operational PIR for the queue will be the rate closest to the rate specified using the rate command.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>if>sap>ingress>queue-override>queue adaptation-rule)

[Tree] (config>service>vprn>if>sap>egress>queue-override>queue adaptation-rule)

Full Context

configure service vprn interface sap ingress queue-override queue adaptation-rule

configure service vprn interface sap egress queue-override queue adaptation-rule

Description

This command can be used to override specific attributes of the specified queue’s adaptation rule parameters. The adaptation rule controls the method used by the system to derive the operational CIR and PIR settings when the queue is provisioned in hardware. For the CIR and PIR parameters individually, the system attempts to find the best operational rate depending on the defined constraint.

This command is ignored for egress HSQ queue group queues which are attached to an HS WRR group within an associated HS attachment policy. In this case, the configuration of the adaptation rule is performed under the hs-wrr-group within the SAP egress QoS policy.

The no form of this command removes any explicitly defined constraints used to derive the operational CIR and PIR created by the application of the policy. When a specific adaptation-rule is removed, the default constraints for rate and cir apply.

Default

no adaptation-rule

Parameters

pir

The pir parameter defines the constraints enforced when adapting the PIR rate defined within the queue queue-id rate command. The pir parameter requires a qualifier that defines the constraint used when deriving the operational PIR for the queue. When the rate command is not specified, the default applies.

cir

The cir parameter defines the constraints enforced when adapting the CIR rate defined within the queue queue-id rate command. The cir parameter requires a qualifier that defines the constraint used when deriving the operational CIR for the queue. When the cir parameter is not specified, the default constraint applies.

adaptation-rule

Specifies the criteria to use to compute the operational CIR and PIR values for this queue, while maintaining a minimum offset.

Values

max — The max (maximum) keyword is mutually exclusive with the min and closest options. When max is defined, the operational PIR for the queue will be equal to or less than the administrative rate specified using the rate command.

min — The min (minimum) keyword is mutually exclusive with the max and closest options. When min is defined, the operational PIR for the queue will be equal to or greater than the administrative rate specified using the rate command.

closest — The closest parameter is mutually exclusive with the min and max parameter. When closest is defined, the operational PIR for the queue will be the rate closest to the rate specified using the rate command.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>mpls>lsp adaptive)

[Tree] (config>router>mpls>lsp>secondary adaptive)

[Tree] (config>router>mpls>lsp>primary adaptive)

[Tree] (config>router>mpls>lsp-template adaptive)

Full Context

configure router mpls lsp adaptive

configure router mpls lsp secondary adaptive

configure router mpls lsp primary adaptive

configure router mpls lsp-template adaptive

Description

This command enables the make-before-break functionality for an LSP or LSP path. When enabled for the LSP, make-before-break will be performed for primary path and all the secondary paths of the LSP.

Default

adaptive

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>bgp add-paths)

[Tree] (config>router>bgp>group add-paths)

[Tree] (config>router>bgp>group>neighbor add-paths)

Full Context

configure router bgp add-paths

configure router bgp group add-paths

configure router bgp group neighbor add-paths

Description

This command allows the add-paths node to be the configured for one or more families of the BGP instance, a group or a neighbor. The BGP add-paths capability allows the router to send and/or receive multiple paths per prefix to/from a peer. The add-paths command without additional parameters is equivalent to removing Add-Paths support for all address families, which causes sessions that previously negotiated the add-paths capability for one or more address families to go down and come back up without the add-paths capability.

The no form of this command (no add-paths) removes add-paths from the configuration of BGP, the group or the neighbor, causing sessions established using add-paths to go down and come back up without the add-paths capability.

Default

no add-paths

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>policy-options>policy-statement>default-action add-paths-send-limit)

Full Context

configure router policy-options policy-statement default-action add-paths-send-limit

Description

This command sets the send-limit to a specific value for all routes matched by the policy entry or default action. Add-paths allows a BGP router to send multiple paths for the same NLRI/prefix to a peer advertising the add-paths receive capability. The send-limit dictates the maximum number of paths that can be advertised.

The default send-limit is controlled by the instance, group or neighbor level configuration and applies to all prefixes in a particular address family. Using route policies allows the default send-limit to be overridden to use a larger or smaller maximum value on a per-prefix basis. For example, if, for most prefixes advertised to a peer, at most 1 path should be advertised but for a few exceptional prefixes up to 4 paths should be advertised, then the neighbor-level send-limit can be set to a value of 1 and the add-paths-send-limit in the policy entry that matches the exceptional routes can be set to a value of 4.

Default

no add-paths-send-limit

Parameters

send-limit

Specifies the maximum number of paths to advertise for matched routes to an Add-Paths peer. If the value is multipaths, then BGP advertises all of the used BGP multipaths for each matched route that is the best path for its prefix (NLRI). Add paths can be advertised only if the peer has signaled support for receiving multiple add paths.

Values

1 to 16, none, multipaths

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>bgp>group>evpn-link-bandwidth add-to-received-bgp)

[Tree] (config>service>vprn>bgp>group>neighbor>evpn-link-bandwidth add-to-received-bgp)

Full Context

configure service vprn bgp group evpn-link-bandwidth add-to-received-bgp

configure service vprn bgp group neighbor evpn-link-bandwidth add-to-received-bgp

Description

This command configures the weight value added to all BGP PE-CE routes for the purpose of weighted ECMP if EVPN-IFL and BGP PE-CE routes are combined into the same ECMP set.

For the load-balancing between EVPN-IFL and BGP PE-CE routes the configure service vprn bgp eibgp-loadbalance command must already be configured on the system.

The no form of this command disables the weight value added to all BGP PE-CE routes.

Default

no add-to-received-bgp

Parameters

weight

Specifies the weight value added to all BGP PE-CE routes.

Values

1 to 128

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>bgp>group>link-bandwidth add-to-received-ebgp)

[Tree] (config>service>vprn>bgp>group>neighbor>link-bandwidth add-to-received-ebgp)

Full Context

configure service vprn bgp group link-bandwidth add-to-received-ebgp

configure service vprn bgp group neighbor link-bandwidth add-to-received-ebgp

Description

This command configures BGP to automatically add a link-bandwidth extended community to every route received from a directly connected (single-hop) EBGP peer within the scope of the command, as long as that route belongs to one of the listed address families.

The link-bandwidth extended community added by this command encodes the local-AS number of receiving BGP instance and the bandwidth of the interface to the directly connected EBGP peer.

Up to three families may be configured.

The no form of this command removes the link-bandwidth extended community added to received BGP routes.

Default

no add-to-received-ebgp

Parameters

family

Specifies the address families for which receiving the link-bandwidth extended community from EBGP peers should be supported.

Values

ipv4 — Adds a link-bandwidth extended community to unlabeled unicast IPv4 routes.

label-ipv4 — Adds a link-bandwidth extended community to labeled-unicast IPv4 routes.

ipv6 — Adds a link-bandwidth extended community to unlabeled unicast IPv6 routes.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>bgp>group>link-bandwidth add-to-received-ebgp)

[Tree] (config>router>bgp>group>neighbor>link-bandwidth add-to-received-ebgp)

Full Context

configure router bgp group link-bandwidth add-to-received-ebgp

configure router bgp group neighbor link-bandwidth add-to-received-ebgp

Description

This command configures BGP to automatically add a link-bandwidth extended community to every route received from a directly connected (single-hop) EBGP peer within the scope of the command, as long as that route belongs to one of the listed address families.

The link-bandwidth extended community added by this command encodes the local-AS number of receiving BGP instance and the bandwidth of the interface to the directly connected EBGP peer.

Up to six families may be configured.

The no form of this command removes the link-bandwidth extended community added to received BGP routes.

Default

no add-to-received-ebgp

Parameters

family

Specifies the address families for which receiving the link-bandwidth extended community from EBGP peers should be supported.

Values

ipv4 — Adds a link-bandwidth extended community to unlabeled unicast IPv4 routes.

label-ipv4 — Adds a link-bandwidth extended community to labeled-unicast IPv4 routes.

vpn-ipv4 — Adds a link-bandwidth extended community to IPv4 VPN (SAFI 128) routes.

ipv6 — Adds a link-bandwidth extended community to unlabeled unicast IPv6 routes.

label-ipv6 — Adds a link-bandwidth extended community to labeled-unicast IPv6 routes.

vpn-ipv6 — Adds a link-bandwidth extended community to IPv6 VPN (SAFI 128) routes.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>subscr-mgmt>loc-user-db>ipoe>host address)

Full Context

configure subscriber-mgmt local-user-db ipoe host address

Description

This command configures how the IP address is defined for this host.

When the user database is used from a local DHCP server, then this command defines how to define the IP address the server offers to the DHCP-client.

When the user-db is used for PPPoE authentication, the gi-address parameter cannot be used. A fixed IP address causes PPPoE to use this IP address. If no IP address is specified, the PPPoE looks for IP address by other means (DHCP). If a pool name is given, this pool is sent in the DHCP request so it can be used in by the DHCP server to determine which address to give to the host.

The no form of this command causes no IP address to be assigned to this host. In a user database referred to from a local DHCP server, creating a host without address information causes the matching client never to get an IP address.

The no form of this command reverts to the default.

Parameters

gi-address

When specified, the gi-address of the DHCP message is taken to look for a subnet in the local DHCP server. The first available free address of the subnet is taken and "offered” to the host. When local-user-db is used for PPPoE authentication, this has the same result as no address.

ip-address

Specifies the fixed IP address to use for this host.

Values

a.b.c.d

pool-name/sec-pool-name

Specifies the primary (and secondary) pool (in the local DHCP server), up to 32 characters, to look for an available address. The first available IP address from any subnet in the pool is used. When the local user database is used for PPPoE authentication, this causes the specified pool name to be sent to the DHCP server in a vendor-specific sub-option under Option 82.

use-pool-from-client

Use the pool-name in the Option 82 vendor-specific sub-option.

delimiter

Specifies a single ASCII character specifies the delimiter of separating primary and secondary pool names in option82 VSO.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>ies>if>ipv6 address)

[Tree] (config>service>vprn>if>ipv6 address)

Full Context

configure service ies interface ipv6 address

configure service vprn interface ipv6 address

Description

This command assigns an IPv6 address/subnet to the interface.

Up to 16 total primary and secondary IPv4 and IPv6 addresses can be assigned to network interfaces, and up to 256 to access interfaces.

The no form of this command removes the IPv6 address from the interface.

Parameters

ipv6-address/prefix-length

Specifies the IPv6 address on the interface.

Values

ipv6-address/prefix:	ipv6-address	x:x:x:x:x:x:x:x (eight 16-bit pieces)
		x:x:x:x:x:x:d.d.d.d
		x [0 to FFFF]H
		d [0 to 255]D
prefix-length		1 to 128

eui-64

When the eui-64 keyword is specified, a complete IPv6 address from the supplied prefix and 64-bit interface identifier is formed. The 64-bit interface identifier is derived from MAC address on Ethernet interfaces. For interfaces without a MAC address, for example ATM interfaces, the Base MAC address of the chassis is used.

srrp-instance

Specifies the SRRP instance ID that this interface route needs to track.

Values

1 to 4294967295

cga-modifier

Specifies the modifier in 32 hexadecimal nibbles.

Values

0x0–0xFFFFFFFF

dad-disable

Disables Duplicate Address Detection (DAD) and sets the address to preferred, even if there is a duplicated address.

primary-preference

Specifies a primary-preference index to an IPv6 address of the interface to enforce the order in which the address is used by control plane protocols and applications which require a fixed address of the interface. These include LDP and Segment Routing.

When originating packets from this interface, the source IPv6 address follows the selection rules in RFC 6724 except for the specific cases where a fixed address is required. In the latter case, the IPv6 address with the lowest primary-preference index is selected. If the selected address is removed, the system selects the IPv6 address with the next lowest primary-preference index.

The system assigns the next available index value to any IPv6 address of the interface when configured without the primary-preference index value specified. The address index space is unique across all addresses of a given interface.

Values

1 to 4294967295

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>ies>if address)

[Tree] (config>service>vprn>nw-if address)

[Tree] (config>service>vprn>if address)

Full Context

configure service ies interface address

configure service vprn network-interface address

configure service vprn interface address

Description

This command assigns an IP address, IP subnet, and broadcast address format to an IES IP router interface. Only one IP address can be associated with an IP interface. Use the secondary command to assign multiple addresses.

An IP address must be assigned to each IES or VPRN IP interface. An IP address and a mask are used together to create a local IP prefix. The defined IP prefix must be unique within the context of the routing instance. It cannot overlap with other existing IP prefixes defined as local subnets on other IP interfaces in the same routing context within the router.

The IP address for the interface can be entered in either CIDR (Classless Inter-Domain Routing) or traditional dotted decimal notation. The show commands display CIDR notation and is stored in configuration files.

By default, no IP address or subnet association exists on an IP interface until it is explicitly created.

The operational state is a read-only variable and the only controlling variables are the address and admin states. The address and admin states are independent and can be set independently. If an interface is in an administratively up state and an address is assigned, it becomes operationally up and the protocol interfaces and the MPLS LSPs associated with that IP interface are reinitialized.

The no form of this command removes the IP address assignment from the IP interface. When the no address command is entered, the interface becomes operationally down.

Parameters

ip-address

Specifies the IP address of the IP interface. The ip-address portion of the address command specifies the IP host address that is used by the IP interface within the subnet. This address must be unique within the subnet and specified in dotted decimal notation. Allowed values are IP addresses in the range 1.0.0.0 – 223.255.255.255 (with support of /31 subnets).

/

The forward slash is a parameter delimiter and separates the ip-address portion of the IP address from the mask that defines the scope of the local subnet. No spaces are allowed between the ip-address, the "/” and the mask-length parameter. If a forward slash is not immediately following the ip-address, a dotted decimal mask must follow the prefix.

mask-length

Specifies the subnet mask length when the IP prefix is specified in CIDR notation. When the IP prefix is specified in CIDR notation, a forward slash (/) separates the ip-address from the mask-length parameter. The mask length parameter indicates the number of bits used for the network portion of the IP address; the remainder of the IP address is used to determine the host portion of the IP address.

Note:

A mask length of 32 is reserved for loopback addresses (includes system addresses).

Default

0 to 31

mask

The subnet mask in dotted decimal notation. When the IP prefix is not specified in CIDR notation, a space separates the ip-address from a traditional dotted decimal mask. The mask parameter indicates the complete mask that is used in a logical 'AND’ function to derive the local subnet of the IP address. Allowed values are dotted decimal addresses in the range 128.0.0.0 – 255.255.255.254.

Note:

A mask of 255.255.255.255 is reserved for system IP addresses.

broadcast

Overrides the default broadcast address used by the IP interface when sourcing IP broadcasts on the IP interface. If no broadcast format is specified for the IP address, the default value is host-ones which indicates a subnet broadcast address. Use this parameter to change the broadcast address to all-ones or revert back to a broadcast address of host-ones.

The broadcast format on an IP interface can be specified when the IP address is assigned or changed.

This parameter does not affect the type of broadcasts that can be received by the IP interface. A host sending either the local broadcast (all-ones) or the valid subnet broadcast address (host-ones) is received by the IP interface.

Default

host-ones

all-ones

Specifies the broadcast address used by the IP interface for this IP address is 255.255.255.255, also known as the local broadcast.

host-ones

Specifies that the broadcast address used by the IP interface for this IP address is the subnet broadcast address. This is an IP address that corresponds to the local subnet described by the ip-address and the mask-length or mask with all the host bits set to binary one. This is the default broadcast address used by an IP interface.

The broadcast parameter within the address command does not have a negate feature, which is usually used to revert a parameter to the default value. To change the broadcast type to host-ones after being changed to all-ones, the address command must be executed with the broadcast parameter defined.

srrp-instance

Tracks the specified SRRP instance state on the IPv6 address.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vpls>interface address)

Full Context

configure service vpls interface address

Description

This command assigns an IP address, IP subnet, and broadcast address format to an IES IP router interface. Only one IP address can be associated with an IP interface.

An IP address must be assigned to each IES IP interface. An IP address and a mask are used together to create a local IP prefix. The defined IP prefix must be unique within the context of the routing instance. It cannot overlap with other existing IP prefixes defined as local subnets on other IP interfaces in the same routing context within the router.

The IP address for the interface can be entered in either CIDR (Classless Inter-Domain Routing) or traditional dotted decimal notation. The show commands display CIDR notation and is stored in configuration files.

By default, no IP address or subnet association exists on an IP interface until it is explicitly created.

Use the no form of this command to remove the IP address assignment from the IP interface. When the no address command is entered, the interface becomes operationally down.

The operational state is a read-only variable and the only controlling variables are the address and admin states. The address and admin states are independent and can be set independently. If an interface is in an administratively up state and an address is assigned, it becomes operationally up and the protocol interfaces and the MPLS LSPs associated with that IP interface will be reinitialized.

Parameters

ip-address

The IP address of the IP interface. The ip-address portion of the address command specifies the IP host address that will be used by the IP interface within the subnet. This address must be unique within the subnet and specified in dotted decimal notation. Allowed values are IP netmask

The subnet mask in dotted decimal notation. When the IP prefix is not specified in CIDR notation, a space separates the ip-address from a traditional dotted decimal mask. The mask parameter indicates the complete mask that will be used in a logical 'AND’ function to derive the local subnet of the IP address. Allowed values are dotted decimal addresses in the range 128.0.0.0 to 255.255.255.254. A mask of 255.255.255.255 is reserved for system IP addresses.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>log>syslog address)

Full Context

configure service vprn log syslog address

Description

This command adds the syslog target host IP address to/from a syslog ID.

The ip-address parameter is mandatory. If no address is configured, syslog data cannot be forwarded to the syslog target host.

Only one address can be associated with a syslog-id. If multiple addresses are entered, the last address entered overwrites the previous address.

The same syslog target host can be used by multiple log IDs.

The no form of this command removes the syslog target host IP address.

Default

no address

Parameters

ip-address

Specifies the IP address of the syslog target host in dotted decimal notation.

Values

ipv4-address	a.b.c.d
ipv6-address	x:x:x:x:x:x:x:x[-interface]
	x:x:x:x:x:x:d.d.d.d[-interface]
	x: [0 to FFFF]H
	d: [0 to 255]D
	interface: 32 characters maximum, mandatory for link local addresses

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>pim>rp>rp-candidate address)

[Tree] (config>service>vprn>pim>rp>bsr-candidate address)

Full Context

configure service vprn pim rp rp-candidate address

configure service vprn pim rp bsr-candidate address

Description

This command configures a static bootstrap or rendezvous point (RP) as long as the source is not directly attached to this router.

Use the no form of this command to remove the static RP from the configuration.

Default

No IP address is specified.

Parameters

ip-address

The static IP address of the RP. The ip-address portion of the address command specifies the IP host address that will be used by the IP interface within the subnet. This address must be unique within the subnet and specified in dotted decimal notation.

Values

1.0.0.0 to 223.255.255.255

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>pim>rp>ipv6>bsr-candidate address)

[Tree] (config>service>vprn>pim>rp>ipv6>rp-candidate address)

Full Context

configure service vprn pim rp ipv6 bsr-candidate address

configure service vprn pim rp ipv6 rp-candidate address

Description

This command configures a static bootstrap or rendezvous point (RP) as long as the source is not directly attached to this router.

Use the no form of this command to remove the static RP from the configuration.

Default

No IP address is specified.

Parameters

ipv6-address

The static IP address of the RP. The ip-address portion of the address command specifies the IP host address that will be used by the IP interface within the subnet. This address must be unique within the subnet and specified in dotted decimal notation.

Values

ipv6-address	: x:x:x:x:x:x:x:x (eight 16-bit pieces)
	x:x:x:x:x:x:d.d.d.d
	x [0 to FFFF]H
	d [0 to 255]D

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>pim>rp>static address)

Full Context

configure service vprn pim rp static address

Description

This command configures the static rendezvous point (RP) address.

The no form of this command removes the static RP entry from the configuration.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>ipsec>ts-list>remote>entry address)

[Tree] (config>ipsec>ts-list>local>entry address)

Full Context

configure ipsec ts-list remote entry address

configure ipsec ts-list local entry address

Description

This command specifies the address range in the IKEv2 traffic selector.

Default

no address

Parameters

ip-prefix/ip-prefix-len

Specifies the IP prefix and subnet mask.

begin-ip-address

Specifies the beginning address of the range for this entry.

end-ip-address

Specifies the ending address of the range for this entry.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>pim>rp>bsr-candidate address)

Full Context

configure router pim rp bsr-candidate address

Description

This command configures the candidate BSR IP address. This address is for Bootstrap router election.

The no form of this command removes the IP address from the BSR candidate configuration.

Default

no address

Parameters

ip-address

Specifies the IP host address used by the IP interface within the subnet. This address must be unique within the subnet and specified in dotted decimal notation.

Values

1.0.0.0 – 223.255.255.255

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>pim>rp>ipv6>bsr-candidate address)

Full Context

configure router pim rp ipv6 bsr-candidate address

Description

This command configures the candidate BSR IPv6 address. This address is for Bootstrap router election.

The no form of this command removes the IPv6 address from the BSR candidate configuration.

Default

no address

Parameters

ipv6-address

Specifies the IPv6 host address used by the interface within the subnet.

Values

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x - [0 to FFFF]H

d - [0 to 255]D

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>pim>rp>ipv6>rp-candidate address)

Full Context

configure router pim rp ipv6 rp-candidate address

Description

This command configures the local IPv6 RP address. This address is sent in the RP candidate advertisements to the bootstrap router.

The no form of this command removes the IPv6 address from the RP candidate configuration.

Default

no address

Parameters

ipv6-address

Specifies the IPv6 RP address.

Values

ipv6-address:

• x:x:x:x:x:x:x:x (eight 16-bit pieces)

• x:x:x:x:x:x:d.d.d.d

• x: [0 to FFFF]H

• d: [0 to 255]D

  prefix-length: 16 to 128

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>pim>rp>rp-candidate address)

Full Context

configure router pim rp rp-candidate address

Description

This command configures the local RP address. This address is sent in the RP candidate advertisements to the bootstrap router.

The no form of this command removes the IP address from the RP candidate configuration.

Default

no address

Parameters

ip-address

Specifies the ip-address.

Values

1.0.0.0 – 223.255.255.255

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>pim>rp>static address)

[Tree] (config>router>pim>rp>ipv6>static address)

Full Context

configure router pim rp static address

configure router pim rp ipv6 static address

Description

This command configures the Rendezvous Point (RP) address that should be used by the router for the range of multicast groups configured by the range command.

The no form of this command removes the IP address from the static configuration.

Parameters

ip-address

Specifies the static IP address of the RP. The ip-address portion of the address command specifies the IP host address that is used by the IP interface within the subnet. This address must be unique within the subnet and specified in dotted decimal notation.

Values

1.0.0.0 – 223.255.255.255

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>if address)

Full Context

configure router interface address

Description

This command assigns an IP address, IP subnet, and broadcast address format to an IP interface. Only one IP address can be associated with an IP interface. Use the secondary command to assign additional addresses.

An IP address must be assigned to each IP interface. An IP address and a mask combine to create a local IP prefix. The defined IP prefix must be unique within the context of the routing instance. It cannot overlap with other existing IP prefixes defined as local subnets on other IP interfaces in the same routing context within the router.

From Release 19.10, The overlap restriction is not applicable for host-addresses configured on loopback interfaces. For example, a loopback interface addresses configured with mask of 32 or netmask of 255.255.255.255 can overlap with other prefixes on other IP interfaces in the same routing context within the router.

The IP address for the interface can be entered in either CIDR (Classless Inter-Domain Routing) or traditional dotted decimal notation. Show commands display CIDR notation and are stored in configuration files.

By default, no IP address or subnet association exists on an IP interface until it is explicitly created.

The no form of this command removes the IP address assignment from the IP interface. Interface specific configurations for MPLS are also removed. This will operationally stop any MPLS LSPs that explicitly reference that IP address. When a new IP address is configured, interface specific configurations for MPLS need to be added. IEEE 1588 port based timestamping configured with ptp-hw-assist is also disabled.

Default

no address

Parameters

ip-address

Specifies the IP address of the IP interface. The ip-address portion of the address command specifies the IP host address that will be used by the IP interface within the subnet. This address must be unique within the subnet and specified in dotted decimal notation.

Values

1.0.0.0 to 223.255.255.255

/

The forward slash is a parameter delimiter that separates the ip-address portion of the IP address from the mask that defines the scope of the local subnet. No spaces are allowed between the ip-address, the "/” and the mask parameter. If a forward slash does not immediately follow the ip-address, a dotted decimal mask must follow the prefix.

mask

Specifies the subnet mask length when the IP prefix is specified in CIDR notation. When the IP prefix is specified in CIDR notation, a forward slash (/) separates the ip-address from the mask parameter. The mask parameter indicates the number of bits used for the network portion of the IP address; the remainder of the IP address is used to determine the host portion of the IP address. Allowed values are integers in the range 1— 32. A mask length of 32 is reserved for system IP addresses.

Values

1 to 32

netmask

Specifies the subnet mask in dotted decimal notation.

Values

0.0.0.0 to 255.255.255.255 (network bits all 1 and host bits all 0)

broadcast

The optional broadcast parameter overrides the default broadcast address used by the IP interface when sourcing IP broadcasts on the IP interface. If no broadcast format is specified for the IP address, the default value is host-ones, which indicates a subnet broadcast address. Use this parameter to change the broadcast address to all-ones or revert back to a broadcast address of host-ones.

The broadcast parameter within the address command does not have a negate feature, which is usually used to revert a parameter to the default value. To change the broadcast type to host-ones after being changed to all-ones, the address command must be executed with the broadcast parameter defined.

The broadcast format on an IP interface can be specified when the IP address is assigned or changed.

This parameter does not affect the type of broadcasts that can be received by the IP interface. A host sending either the local broadcast (all-ones) or the valid subnet broadcast address (host-ones) will be received by the IP interface.

Default

host-ones

Values

all-ones, host-ones

all-ones

The all-ones keyword following the broadcast parameter specifies that the broadcast address used by the IP interface for this IP address will be 255.255.255.255, also known as the local broadcast.

host-ones

Specifies that the broadcast address used by the IP interface for this IP address will be the subnet broadcast address. This is an IP address that corresponds to the local subnet described by the ip-address and the netmask with all the host bits set to binary 1. This is the default broadcast address used by an IP interface.

srrp-instance

Specifies the SRRP instance ID that this interface route needs to track.

Values

1 to 4294967295

gre-termination

The optional gre-termination keyword allows GRE SDP tunnel packets to terminate on the router interface using the /31 value of the configured IP address. Refer to the 7705 SAR Gen 2 Services Overview Guide for information about using gre-termination.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>if>ipv6 address)

Full Context

configure router interface ipv6 address

Description

This command assigns an IPv6 address to the interface. Up to 16 total primary and secondary IPv4 and IPv6 addresses can be assigned to network interfaces, and up to 256 to access interfaces.

A global IPv6 address together with the prefix-length create a locally configured interface IPv6 prefix and subnet. The defined global IP prefix must be unique within the context of a routing instance. It cannot overlap with any other existing global IP prefix defined on another IP interface within the same routing context in the router.

This overlap restriction is not applicable for IPv6 host addresses configured on loopback interfaces. For example, an IPv6 loopback host address configured upon a loopback interface may overlap with another prefix subnet configured on another IP interface within the same routing context.

Parameters

ipv6-address/prefix-length

Specifies the IPv6 address on the interface.

Values

ipv6-address/prefix-length:	ipv6-address	x:x:x:x:x:x:x:x (eight 16-bit pieces)
		x:x:x:x:x:x:d.d.d.d
		x [0 to FFFF]H
		d [0 to 255]D
	prefix-length	1 to 128

eui-64

When the eui-64 keyword is specified, a complete IPv6 address from the supplied prefix and 64-bit interface identifier is formed. The 64-bit interface identifier is derived from MAC address on Ethernet interfaces. For interfaces without a MAC address, for example POS interfaces, the Base MAC address of the chassis should be used.

srrp-instance

Indicates the unique identifier of the tracked SRRP instance.

Values

1 to 4294967295

cga-modifier

Sets the modifier for cryptographically-assigned addresses.

Values

0x0..0xFFFFFFFF...(32 hex nibbles)

dad-disable

Disables Duplicate Address Detection (DAD) and sets the address to preferred, even if there is a duplicated address.

primary-preference

Specifies a primary-preference index to an IPv6 address of the interface to enforce the order in which the address is used by control plane protocols and applications which require a fixed address of the interface. These include LDP and Segment Routing.

When originating packets from this interface, the source IPv6 address follows the selection rules in RFC 6724 except for the specific cases where a fixed address is required. In the latter case, the IPv6 address with the lowest primary-preference index is selected. If the selected address is removed, the system selects the IPv6 address with the next lowest primary-preference index.

The system assigns the next available index value to any IPv6 address of the interface when configured without the primary-preference index value specified. The address index space is unique across all addresses of a given interface.

Values

1 to 4294967295

srrp

Tracks the specified SRRP instance state on the IPv6 address.

Values

1 to 4294967295

Platforms

7705 SAR Gen 2

Context

[Tree] (bof address)

Full Context

bof address

Description

This command assigns an IP address to the management Ethernet port on a CPM. The IP addresses are applied by the boot loader and the running image. The active and standby IP addresses must be on the same subnet.

An address must be assigned with the active keyword and for systems with a redundant CPM an additional address may be assigned with the standby keyword. The active address is used by the active CPM whether its CPM A or CPM B and the standby address, if specified, is used by the standby CPM whether its CPM B or CPM A.

Deleting a BOF address entry is not allowed from a remote session.

Note that changing the active and standby addresses without reboot standby CPM may cause a boot-env sync to fail.

The no form of this command deletes the IP address from the CPM Ethernet port.

Parameters

ip-prefix/ip-prefix-length

Specifies the destination address of the aggregate route in dotted decimal notation.

Values

ipv4-prefix	a.b.c.d (host bits must be 0)
ipv4-prefix-length	0 to 32
ipv6-prefix	x:x:x:x:x:x:x:x (eight 16-bit pieces)
	x:x:x:x:x:x:d.d.d.d
	x:	[0 to FFFF]H
	d:	[0 to 255]D
ipv6-prefix-length	0 to 128

active | standby | standby/A | standby/B | standby/C | standby/D

specifies which CPM Ethernet address is being configured

Default

active

Platforms

7705 SAR Gen 2

Context

[Tree] (config>log>syslog address)

Full Context

configure log syslog address

Description

This command adds the syslog target host IP address to/from a syslog ID.

This parameter is mandatory. If no address is configured, syslog data cannot be forwarded to the syslog target host.

Only one address can be associated with a syslog-id. If multiple addresses are entered, the last address entered overwrites the previous address.

The same syslog target host can be used by multiple log IDs.

The no form of this command removes the syslog target host IP address.

Default

no address

Parameters

ip-address

Specifies the IP address of the syslog target host in dotted decimal notation.

Values

ipv4-address	a.b.c.d
ipv6-address	x:x:x:x:x:x:x:x[-interface]
	x:x:x:x:x:x:d.d.d.d[-interface]
	x: [0..FFFF]H
	d: [0..255]D
	interface: 32 characters maximum, mandatory for link local
	addressesipv6-address x:x:x:x:x:x:x:x[-interface]
	x:x:x:x:x:x:d.d.d.d[-interface]
	x: [0..FFFF]H
	d: [0..255]D
	interface: 32 characters maximum, mandatory for link local addresses

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>security>ldap>server address)

Full Context

configure system security ldap server address

Description

This command configures the IPv4 or IPv6 address for the LDAP server.

The no version of this command removes the server address.

Parameters

ip-address

The IP address of the LDAP server.

Values

ipv4-address	a.b.c.d (host bits must be 0)
ipv6-address	x:x:x:x:x:x:x:x (eight 16-bit pieces)
	x:x:x:x:x:x:d.d.d.d
	x: [0..FFFF]H
	d: [0..255]D

port

Specifies the port ID. The port is the LDAP server listening port; by default it is 389 but if the listening port on LDAP server is changed, this command needs to be configured accordingly.

Values

1 to 65535

Default

389

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>nat>inside>deterministic address-map)

[Tree] (config>service>vprn>nat>inside>deterministic address-map)

Full Context

configure router nat inside deterministic address-map

configure service vprn nat inside deterministic address-map

Description

This command configures the mapping of the inside IP addresses of deterministic NAT44 subscribers to the outside IP addresses in a NAT pool. This mapping is applicable is applicable only to deterministic NAT44 with a single ESA-VM in a NAT-group. The number of subscribers per outside IP address is flexible and not restricted to a discrete range governed by the 2^n rule.

When configured, the classic-lsn-max-subscriber-limit command must be set to 1.

The no form of this command removes the configuration.

Parameters

start-inside-ip-address

Specifies the first IP address in the inside IP address range.

Values

ipv4-prefix	a.b.c.d (host bits must be 0)
ipv4-prefix-length	0 to 32
ipv6-prefix	x:x:x:x:x:x:x:x (eight 16-bit pieces)
	x:x:x:x:x:x:d.d.d.d
	x: [0 to FFFF]H
	d: [0 to 255]D
ipv6-prefix-length	0 to 128

end-inside-ip-address

Specifies the last IP address in the inside IP address range.

Values

ipv4-prefix	a.b.c.d (host bits must be 0)
ipv4-prefix-length	0 to 32
ipv6-prefix	x:x:x:x:x:x:x:x (eight 16-bit pieces)
	x:x:x:x:x:x:d.d.d.d
	x: [0 to FFFF]H
	d: [0 to 255]D
ipv6-prefix-length	0 to 128

nat-sub-type

Specifies the NAT subscriber type.

Values

classic-lsn-sub, dslite-lsn-sub

nat-policy-name

Specifies the NAT policy name, up to 32 characters, that is referencing a NAT pool.

Values

classic-lsn-sub, dslite-lsn-sub

create

Keyword used to create the address mapping.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>dns address-pref)

Full Context

configure system dns address-pref

Description

This command configures the DNS address resolving order preference. By default, DNS names are queried for A-records only (address-preference is IPv4-only).

If the address-preference is set to IPv6-first, the DNS server will be queried for AAAA-records (IPv6) first and if a successful replied is not received, then the DNS server is queried for A-records.

Default

address-pref ipv4-only

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>dhcp>server>pool>subnet address-range)

Full Context

configure router dhcp local-dhcp-server pool subnet address-range

Description

This command configures a range of IP addresses to be served from the pool. All IP addresses between the start and end IP addresses are included (other than specific excluded addresses).

The no form of this command removes the address-range parameters from the configuration.

Parameters

start-ip-address

Specifies the start address of this range to include. This address must be unique within the subnet and specified in dotted decimal notation. Allowed values are IP addresses in the range 1.0.0.0 – 223.255.255.255 (with support of /31 subnets).

Values

a.b.c.d

end-ip-address

Specifies the end address of this range to include. This address must be unique within the subnet and specified in dotted decimal notation. Allowed values are IP addresses in the range 1.0.0.0 – 223.255.255.255 (with support of /31 subnets).

Values

a.b.c.d

local

Specifies that the local DHCP server has the ownership of this dress range in a redundant setup under normal operation.

remote

Specifies that the remote DHCP server has the ownership of this address range in a redundant setup under normal operation.

access-driven

Specifies that the DHCP server failover system is in control by the access protection mechanisms (SRRP or MC-LAG).

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>nat>outside>pool address-range)

[Tree] (config>router>nat>outside>pool address-range)

Full Context

configure service vprn nat outside pool address-range

configure router nat outside pool address-range

Description

This command configures a NAT address range.

Parameters

start-ip-address

Specifies the beginning IP address in a.b.c.d form.

end-ip-address

Specifies the ending IP address in a.b.c.d. form.

create

This parameter must be specified to create the address range instance

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>ies>if>sap>ipsec-gw>lcl-addr-assign>ipv4 address-source)

[Tree] (config>service>vprn>if>sap>ipsec-gw>lcl-addr-assign>ipv4 address-source)

[Tree] (config>service>vprn>if>sap>ipsec-gw>lcl-addr-assign>ipv6 address-source)

[Tree] (config>service>ies>if>sap>ipsec-gw>lcl-addr-assign>ipv6 address-source)

Full Context

configure service ies interface sap ipsec-gw local-address-assignment ipv4 address-source

configure service vprn interface sap ipsec-gw local-address-assignment ipv4 address-source

configure service vprn interface sap ipsec-gw local-address-assignment ipv6 address-source

configure service ies interface sap ipsec-gw local-address-assignment ipv6 address-source

Description

This command specifies the IPv4 or IPv6 source of the local address assignment for the IPsec gateway, which is a pool of a local DHCPv4 or DHCPv6 server. The system will assign an internal address to an IKEv2 remote-access client from the specified pool.

Beside the IP address, netmask and DNS server can also be returned. For IPv4, the netmask and DNS server address can be returned from the specified pool, as well as the IP address. The netmask returned to the IPsec client is derived from the subnet length from the subnet x.x.x.x/m create configuration, not the subnet-mask configuration in the subnet context. For IPv6, the DNS server address can be returned from the specified pool, as well as the IP address.

For IPv4, a secondary pool can be optionally specified. The secondary pool is used if the system is unable to assign addresses from the primary pool.

Default

no address-source

Parameters

router-instance

Specifies the router instance ID where the local DHCPv4 or DHCPv6 server is defined, up to 32 characters.

This variant of this command is only supported in 'classic' configuration-mode (configure system management-interface configuration-mode classic). The address-source service-name service-name variant can be used in all configuration modes.

service-name

Specifies the name of the service where the local DHCPv4 or DHCPv6 server is defined, up to 64 characters.

local-dhcp4-svr-name

Specifies the name of the local DHCPv4 server, up to 32 characters.

local-dhcp6-svr-name

Specifies the name of the local DHCv6 server, up to 32 characters.

dhcp4-server-pool

The name of the pool defined in the specified DHCPv4 server, up to 32 characters.

dhcp6-server-pool

The name of the pool defined in the specified DHCPv6 server, up to 32 characters.

secondary-pool-name

The name of the secondary pool defined in the specified server, up to 32 characters.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>isis>segm-rtng adj-sid-hold)

Full Context

configure router isis segment-routing adj-sid-hold

Description

This command configures a timer to hold the ILM or LTN of an adjacency SID following a failure of the adjacency.

When an adjacency to a neighbor fails, the following procedures are followed for both the LFA protected SID and the LFA unprotected SID of this adjacency in SR-MPLS. An adjacency can have both types of SIDs assigned by configuration. An LFA protected adjacency SID is eligible for LFA protection, but the following procedures apply even if a LFA backup was not programmed at the time of the failure. An LFA unprotected adjacency SID is not eligible for LFA protection.

• IGP withdraws the advertisement of the link TLV as well as its adjacency SID sub-TLV.
• The adjacency SID hold timer starts.
• The LTN and ILM records of the adjacency are kept in the datapath for as long as the adjacency SID hold time is running. This allows packets to flow over the LFA backup path, when the adjacency is protected, and allows the ingress LER or PCE time to compute a new path of the SR-TE LSP after IGP converges.
• If the adjacency is restored while the adjacency SID hold timer is running, the timer is aborted, and the adjacency SID remains programmed in the datapath with the retained SID values. However, the backup NHLFE may change if a new LFA SPF runs while the adjacency SID hold timer running. An update to the backup NHLFE is performed immediately following the LFA SPF. In all cases, the adjacency keeps its assigned SID label value.

• If the adjacency SID hold timer expires before the adjacency is restored, the SID is deprogrammed from the datapath and the label returned into the common pool where it was drawn from. Users of the adjacency (for example, SR policy and SR-TE LSP) are also informed.

  When the adjacency is subsequently restored, it gets assigned its allocated static-label value or a new dynamic-label value.

• A new PG-ID is assigned each time an adjacency comes back up. This PG-ID is used by the ILM and LTN of the adjacency SID and of all downstream node SIDs that resolve to a next hop over this adjacency.

The no form of this command reverts to the default value.

Default

adj-sid-hold 15

Parameters

seconds

Specifies the adjacency SID hold time, in seconds.

Values

1 to 1800

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>ospf>segm-rtng adj-sid-hold)

Full Context

configure router ospf segment-routing adj-sid-hold

Description

This command configures a timer to hold the ILM or LTN of an adjacency SID following a failure of the adjacency.

When an adjacency to a neighbor fails, the following procedures are followed for both the LFA protected SID and the LFA unprotected SID of this adjacency in SR-MPLS. An adjacency can have both types of SIDs assigned by configuration. An LFA protected adjacency SID is eligible for LFA protection, but the following procedures apply even if a LFA backup was not programmed at the time of the failure. An LFA unprotected adjacency SID is not eligible for LFA protection.

• IGP withdraws the advertisement of the link TLV as well as its adjacency SID sub-TLV.
• The adjacency SID hold timer starts.
• The LTN and ILM records of the adjacency are kept in the datapath for as long as the adjacency SID hold time is running. This allows packets to flow over the LFA backup path, when the adjacency is protected, and allows the ingress LER or PCE time to compute a new path of the SR-TE LSP after IGP converges.
• If the adjacency is restored while the adjacency SID hold timer is running, the timer is aborted, and the adjacency SID remains programmed in the datapath with the retained SID values. However, the backup NHLFE may change when a new LFA SPF is run while the adjacency SID hold timer running. An update to the backup NHLFE is performed immediately following the LFA SPF. In all cases, the adjacency keeps its assigned SID label value.

• If the adjacency SID hold timer expires before the adjacency is restored, the SID is deprogrammed from the datapath and the label returned into the common pool where it was drawn from. Users of the adjacency (for example, SR policy and SR-TE LSP) are also informed.

  When the adjacency is subsequently restored, it gets assigned its allocated static label value or a new dynamic label value.

• A new PG-ID is assigned each time an adjacency comes back up. This PG-ID is used by the ILM and LTN of the adjacency SID and of all downstream node SIDs that resolve to a next hop over this adjacency.

The no form of this command reverts to the default value.

Default

adj-sid-hold 15

Parameters

seconds

Specifies the adjacency SID hold time, in seconds.

Values

1 to 1800

Platforms

7705 SAR Gen 2

Context

[Tree] (debug>router>pim adjacency)

Full Context

debug router pim adjacency

Description

This command enables debugging for PIM adjacencies.

The no form of this command disables debugging for PIM adjacencies.

Platforms

7705 SAR Gen 2

Context

[Tree] (debug>router>isis adjacency)

Full Context

debug router isis adjacency

Description

This command enables debugging for IS-IS adjacency.

The no form of the command disables debugging.

Parameters

ip-address

When specified, only adjacencies with the specified interface address are debugged.

Values

ipv4-address:

• a.b.c.d (host bits must be 0)

ipv6-address:

• x:x:x:x:x:x:x:x (eight 16-bit pieces)

• x:x:x:x:x:x:d.d.d.d

• x: [0 to FFFF]H

• d: [0 to 255]D

ip-int-name

When specified, only adjacencies with the specified interface name are debugged.

nbr-system-id

When specified, only the adjacency with the specified ID is debugged.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>ospf>segm-rtng adjacency-set)

[Tree] (config>router>isis>segm-rtng adjacency-set)

Full Context

configure router ospf segment-routing adjacency-set

configure router isis segment-routing adjacency-set

Description

This command creates an adjacency set. An adjacency set consists of one or more adjacency SIDs originating on this node. The constituent adjacencies may terminate on different nodes.

The no form of this command removes the specified adjacency set.

Parameters

id

Specifies an unsigned integer representing the identifier of the adjacency set.

Values

1 to 4294967295

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>ospf>area>interface adjacency-set)

[Tree] (config>router>isis>interface adjacency-set)

Full Context

configure router ospf area interface adjacency-set

configure router isis interface adjacency-set

Description

This command associates an interface with an adjacency set. The adjacency set must have been defined under the IS-IS or OSPF segment-routing context.

The no form of this command removes the association.

Parameters

id

Specifies an unsigned integer representing the identifier of the adjacency set.

Values

1 to 4294967295

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>ospf>area>interface adjacency-sid)

Full Context

configure router ospf area interface adjacency-sid

Description

This command allows a static value to be assigned to an adjacency SID in OSPF segment routing.

The label option specifies that the value is assigned to an MPLS label.

The no form of this command removes the adjacency SID.

Parameters

label value

Specifies the value of adjacency SID label.

Values

18432 to 52428 | 1048575 (FP4 or FP5 only)

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>isis>segm-rtng adjacency-sid)

[Tree] (config>router>ospf>segm-rtng adjacency-sid)

Full Context

configure router isis segment-routing adjacency-sid

configure router ospf segment-routing adjacency-sid

Description

Commands in this context configure two SR-MPLS adjacency SIDs per interface.

Platforms

7705 SAR Gen 2

Context

[Tree] (admin)

Full Context

admin

Description

Commands in this context configure administrative system parameters. Only authorized users can execute the commands in the admin context.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>if>if-attribute admin-group)

[Tree] (config>service>ies>if>if-attribute admin-group)

[Tree] (config>router>mpls>interface admin-group)

[Tree] (config>service>vprn>if>if-attribute admin-group)

Full Context

configure router interface if-attribute admin-group

configure service ies interface if-attribute admin-group

configure router mpls interface admin-group

configure service vprn interface if-attribute admin-group

Description

This command configures the admin group membership of an interface. The user can apply admin groups to an IES, VPRN, network IP, or MPLS interface.

Each single operation of the admin-group command allows a maximum of five (5) groups to be specified at a time. However, a maximum of 32 groups can be added to a given interface through multiple operations. Once an admin group is bound to one or more interface, its value cannot be changed until all bindings are removed.

The configured admin-group membership will be applied in all levels or areas the interface is participating in. The same interface cannot have different memberships in different levels or areas.

Only the admin groups bound to an MPLS interface are advertised in TE link TLVs and sub-TLVs when the traffic-engineering option is enabled in IS-IS or OSPF. IES and VPRN interfaces do not have their attributes advertised in TE TLVs.

The no form of this command deletes one or more of the admin-group memberships of an interface. The user can also delete all memberships of an interface by not specifying a group name.

Default

no admin-group

Parameters

group-name

Specifies up to five groups, each up to 32 characters. The association of group name and value should be unique within an IP/MPLS domain. Each single operation of the admin-group command allows a maximum of 5 groups to be specified. However, a maximum of 32 groups can be added to a given interface through multiple operations.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>if-attribute admin-group)

Full Context

configure router if-attribute admin-group

Description

This command defines an Administrative Group (AG) that can be associated with an IP or MPLS interface.

AGs, also known as affinity, are used to tag IP and MPLS interfaces that share a specific characteristic with the same identifier. For example, an AG identifier can represent:

• all links that connect to core routers
• all links that have a bandwidth higher than 10 Gb
• all links that are dedicated to a specific service

First configure locally on each router the name and identifier of each AG. A maximum of 32 AGs can be configured per system.

After configuring the router name and identifier, configure the AG membership of an interface. You can apply AGs to a IES, VPRN, network IP, or MPLS interface.

When applied to MPLS interfaces, the interfaces can be included or excluded in the LSP path definition by inferring the AG name. CSPF computes a path that satisfies the AG include and exclude constraints.

When applied to IES, VPRN, or network IP interfaces, the interfaces can be included or excluded in the route next-hop selection by inferring the AG name in a route next-hop policy template applied to an interface or a set of prefixes.

The following provisioning rules apply to the AG configuration. The system rejects the creation of an AG:

• if the name of the AG is the same as that of an existing group, even if the new AG group value is different from the existing group value
• if the AG reuses the same group value but with a different name from an existing group

Only the AGs bound to an MPLS interface are advertised area wide in TE link TLVs and sub-TLVs when the traffic-engineering option is enabled in IS-IS or OSPF. IES and VPRN interfaces do not have their attributes advertised in TE TLVs.

Parameters

group-name

Specifies the name of the group, up to 32 characters. The association of group name and value should be unique within an IP/MPLS domain

group-value

Specifies the integer value associated with the group. The association of group name and value should be unique within an IP or MPLS domain.

Values

0 to 31 – Specifies the value range to use with link LFA next-hop policies or is used as a link color (AG or EAG) with Segment Routing Flex-Algorithms.

32 to 255 – Specifies the value range to use when the EAG is used as a link color with Segment Routing Flex-Algorithms. This higher range fails if used for other applications, such as LFA next-hop policies.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>fad>flex-algo>exclude admin-group)

Full Context

configure router flexible-algorithm-definitions flex-algo exclude admin-group

Description

This command configures an administrative group link that will be excluded from the topology graph of the flexible algorithm. If multiple administrative groups are configured, they are all excluded from the topology graph.

Administrative groups are attributes associated with a link. Frequently these administrative groups are described as link colors.

The no form of this command removes the admin-group from being excluded from the topology graph.

Default

no admin-group

Parameters

admin-group

Configures an administrative group link to exclude from the topology graph of the configured FAD.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>fad>flex-algo>include-all admin-group)

Full Context

configure router flexible-algorithm-definitions flex-algo include-all admin-group

Description

This command configures an administrative group link that will be included in the topology graph of the defined FAD. If multiple administrative groups are configured, groups must be present in a link before the link is included in the flexible algorithm topology graph.

The no form of this command removes the specified admin-group from being included in the topology graph.

Default

no admin-group

Parameters

admin-group

Configures an administrative group to include in topology graph of the configured FAD.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>fad>flex-algo>include-any admin-group)

Full Context

configure router flexible-algorithm-definitions flex-algo include-any admin-group

Description

This command configures an administrative group link that will be included in the topology graph of the configured FAD. If multiple administrative groups are configured, at least one of the administrative groups must be present in a link before the link is included into the flexible algorithm topology graph.

The no form of this command removes the admin-group from being included in the topology graph.

Default

no admin-group

Parameters

admin-group

Configures an administrative group to include in the topology graph of the configured FAD.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>mpls admin-group-frr)

Full Context

configure router mpls admin-group-frr

Description

This command enables the use of the admin-group constraints in the association of a manual or dynamic bypass LSP with the primary LSP path at a Point-of-Local Repair (PLR) node.

When this command is enabled, each PLR node reads the admin-group constraints in the FAST_REROUTE object in the Path message of the LSP primary path. If the FAST_REROUTE object is not included in the Path message, then the PLR will read the admin-group constraints from the Session Attribute object in the Path message.

If the PLR is also the ingress LER for the LSP primary path, then it just uses the admin-group constraint from the LSP and/or path level configurations.

The PLR node then uses the admin-group constraints along with other constraints, such as hop-limit and SRLG, to select a manual or dynamic bypass among those that are already in use.

If none of the manual or dynamic bypass LSP satisfies the admin-group constraints, and/or the other constraints, the PLR node will request CSPF for a path that merges the closest to the protected link or node and that includes or excludes the specified admin-group IDs.

If the user changes the configuration of the above command, it will not have any effect on existing bypass associations. The change will only apply to new attempts to find a valid bypass.

The no form of this command disables the use of administrative group constraints on a FRR backup LSP at a PLR node.

Default

no frr-admin-group

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>security>password admin-password)

Full Context

configure system security password admin-password

Description

This command allows a user (with admin permissions) to configure a password that enables a user to become an administrator.

This password is valid only for one session. When enabled, no authorization to TACACS+ or RADIUS is performed and the user is locally regarded as an admin user.

This functionality can be enabled in two contexts:

config>system>security>password>admin-password

<global> enable-admin

If the admin-password is configured in the config>system>security>password context, then any user can enter the special mode by entering the enable-admin command.

enable-admin is in the default profile. By default, all users are given access to this command.

After the enable-admin command is entered, the user is prompted for a password. If the password matches, user is given unrestricted access to all the commands.

The minimum length of the password is determined by the minimum-length command. The complexity requirements for the password are determined by the complexity command.

The usernames and passwords in the FTP and TFTP URLs will not be sent to the authorization or accounting servers when the file>copy source-url dest-url command is executed.

For example:

file copy ftp://test:secret@10.20.31.79/test/srcfile cf1:\destfile

In this example, the username 'test' and password 'secret' will not be sent to the AAA servers (or to any logs). They will be replaced with ''****''.

The no form of this command removes the admin password from the configuration.

Default

no admin-password

Parameters

password

Configures the password that enables a user to become a system administrator. The maximum length can be up to 56 characters if unhashed, 60 characters if hashed with bcrypt, from 87 to 92 characters if hashed with sha2-pbkdf2, 32 characters if the hash keyword is specified, or 54 characters if the hash2 keyword is specified. The unhashed cleartext password form should meet all the requirements that are defined by the complexity command.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form or hashed with bcrypt or PBKDF2. For security, all keys are stored in the configuration file in hashed form (using bcrypt or PBKDF2, depending on the hashing configuration parameter) or, for backward compatibility, can be stored in encrypted form with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form or hashed with bcrypt or PBKDF2. For security, all keys are stored in the configuration file in hashed form (using bcrypt or PBKDF2, depending on the hashing configuration parameter) or, for backward compatibility, can be stored in encrypted form with the hash or hash2 parameter specified.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>management-interface>cli>md-cli>environment>info-output>always-display admin-state)

Full Context

configure system management-interface cli md-cli environment info-output always-display admin-state

Description

This command configures that the values of the admin-state elements in the info output (without the detail option) are always displayed, even if they are the default values.

The no form of this command excludes the values of the admin-state elements from the info output display.

Default

no admin-state

Platforms

7705 SAR Gen 2

Context

[Tree] (config>port>ethernet>lldp>dstmac admin-status)

Full Context

configure port ethernet lldp dest-mac admin-status

Description

This command configures LLDP transmission/reception frame handling.

Default

admin-status disabled

Parameters

rx

Specifies the LLDP agent will receive, but will not transmit LLDP frames on this port.

tx

Specifies that the LLDP agent will transmit LLDP frames on this port and will not store any information about the remote systems connected.

tx-rx

Specifies that the LLDP agent transmits and receives LLDP frames on this port.

disabled

Specifies that the LLDP agent does not transmit or receive LLDP frames on this port. If there is remote systems information which is received on this port and stored in other tables, before the port's admin status becomes disabled, then the information will naturally age out.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>lag>lldp-member-template>dstmac admin-status)

Full Context

configure lag lldp-member-template dest-mac admin-status

Description

This command configures the LLDP transmission and reception frame handling.

Default

admin-status disabled

Parameters

rx

Keyword to specify that the LLDP agent receives, but does not transmit LLDP frames on this port.

tx

Keyword to specify that the LLDP agent transmits LLDP frames on this port and does not store any information about the remote systems connected.

tx-rx

Keyword to specify that the LLDP agent transmits and receives LLDP frames on this port.

disabled

Keyword to specify that the LLDP agent does not transmit or receive LLDP frames on this port. If remote system information is received on this port and stored in other tables before the administrative status of the port becomes disabled, the information naturally ages out.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>mpls>lsp-template admin-tag)

[Tree] (config>router>mpls>lsp admin-tag)

Full Context

configure router mpls lsp-template admin-tag

configure router mpls lsp admin-tag

Description

This assigns an administrative tag to an LSP. The administrative tag can be used to enable routes with certain administrative tags to resolve using LSPs of matching administrative tags.

Up to four tags can be assigned to an LSP.

The administrative tag must exist under config>router>admin-tags.

The no form of this command removes the administrative tag.

Parameters

tag-value

The value of the admin-tag, up to 32 characters.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>admin-tags admin-tag)

Full Context

configure router admin-tags admin-tag

Description

This command configures an admin tag value in the nodal LSP administrative tag database.

Up to 256 admin tags can be configured.

The no form of this command removes the admin tag.

Parameters

tag

The value of the administrative tag, up to 32 characters.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>policy-options>policy-statement>default-action admin-tag-policy)

[Tree] (config>router>policy-options>policy-statement>entry>action admin-tag-policy)

Full Context

configure router policy-options policy-statement default-action admin-tag-policy

configure router policy-options policy-statement entry action admin-tag-policy

Description

This command assigns a route admin tag policy as an action in a route policy.

The admin tag policy must exist under config>router>admin-tags.

The no form of this command removes the admin tag policy.

Parameters

policy-name

Specifies the name of the admin tag policy, up to 64 characters.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router admin-tags)

Full Context

configure router admin-tags

Description

Commands in this context configure admin tags and router admin tag policy templates used for route resolution to LSPs.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>mpls>lsp-template adspec)

[Tree] (config>router>mpls>lsp adspec)

Full Context

configure router mpls lsp-template adspec

configure router mpls lsp adspec

Description

When enabled, the ADSPEC object will be included in RSVP messages for this LSP. The ADSPEC object is used by the ingress LER to discover the minimum value of the MTU for links in the path of the LSP. By default, the ingress LER derives the LSP MTU from that of the outgoing interface of the LSP path.

A bypass LSP always signals the ADSPEC object since it protects both primary paths which signal the ADSPEC object and primary paths which do not. This means that MTU of LSP at ingress LER may change to a different value from that derived from the outgoing interface even if the primary path has ADSPEC disabled.

Default

no adspec — No ADSPEC objects are included in RSVP messages.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>ldp>session-params>peer adv-adj-addr-only)

Full Context

configure router ldp session-parameters peer adv-adj-addr-only

Description

This command provides a means for an LDP router to advertise only the local IPv4 or IPv6 interfaces it uses to establish hello adjacencies with an LDP peer. By default, when a router establishes an LDP session with a peer, it advertises in an LDP Address message the addresses of all local interfaces to allow the peer to resolve LDP FECs distributed by this router. Similarly, a router sends a Withdraw Address message to of all its peers to withdraw a local address if the corresponding interface went down or was deleted.

This new option reduces CPU processing when a large number of LDP neighbors come up or go down. The new CLI option is strongly recommended in mobile backhaul networks where the number of LDP peers can be very large.

The no form of this command reverts LDP to the default behavior of advertising all local interfaces.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>ldp>targeted-session>peer-template adv-local-lsr-id)

[Tree] (config>router>ldp>session-params>peer adv-local-lsr-id)

Full Context

configure router ldp targeted-session peer-template adv-local-lsr-id

configure router ldp session-parameters peer adv-local-lsr-id

Description

This command advertises a local LSR ID over a specified LDP session.

Advertisement of a local LSR ID over a given LDP session is configured using the adv-local-lsr-id command in the peer session-parameters. If a user disables the adv-local-lsr-id command, then the system will withdraw the FEC for the local LSR ID.

The SR OS router uses the following rules when advertising a local LSR ID:

• If the session parameters have the default configuration and the targeted peer template has the default configuration, the local LSR ID is not advertised.

• If the session parameters have the default configuration but the targeted peer template has an explicit configuration for advertisement of the local LSR ID, the targeted peer template configuration is used.

• If the session parameters have an explicit configuration for advertisement of the local LSR ID but the targeted peer template has the default configuration, the session parameter configuration is used.

• If both the session parameters and the targeted peer template have an explicit configuration for advertisement of the local LSR ID, then the session parameter configuration is used.

The no form of this command withdraws the FEC for the local LSR ID.

Default

no adv-local-lsr-id

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>sdp adv-mtu-override)

Full Context

configure service sdp adv-mtu-override

Description

This command overrides the advertised VC-type MTU of all spoke-sdps of L2 services using this SDP-ID. When enabled, the router signals a VC MTU equal to the service MTU, which includes the Layer 2 header. It also allows this router to accept an MTU advertised by the far-end PE which value matches either its advertised MTU or its advertised MTU minus the L2 headers.

By default, the router advertises a VC-MTU equal to the L2 service MTU minus the Layer 2 header and always matches its advertised MTU to that signaled by the far-end PE router, otherwise the spoke-sdp goes operationally down.

When this command is enabled on the SDP, it has no effect on a spoke-sdp of an IES/VPRN spoke interface using this SDP-ID. The router continues to signal a VC MTU equal to the net IP interface MTU, which is min{ip-mtu, sdp operational path mtu - L2 headers}. The router also continues to make sure that the advertised MTU values of both PE routers match or the spoke-sdp goes operationally down.

The no form of the command disables the VC-type MTU override and returns to the default behavior.

Default

no adv-mtu-override

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>dhcp6 adv-noaddrs-global)

Full Context

configure system dhcp6 adv-noaddrs-global

Description

This command configures the different DHCPv6 applications to send the NoAddrsAvail Status-Code in DHCPv6 Advertise messages at the global DHCP message level.

By default, all applications send the NoAddrsAvail Status-Code in DHCPv6 Advertise messages at the IA_NA Option level.

Different applications for which NoAddrsAvail Status-Code in DHCPv6 Advertise messages can be configured at the global DHCP message level.

The only valid combination in current SR OS is adv-noaddrs-global esm-relay server.

The no form of this command reverts to the default.

Default

no adv-noaddrs-global. All applications send the NoAddrsAvail Status-Code in DHCPv6 Advertise messages at the IA_NA Option level.

Parameters

esm-proxy

Specifies the DHCPv6 proxy server on subscriber group-interfaces. Not supported in current SR OS.

esm-relay

Specifies the DHCPv6 relay on subscriber group-interfaces. Must be enabled together with the DHCPv6 server (server) application.

relay

Specifies the DHCPv6 relay on regular IES or VPRN interfaces. Not supported in current SR OS.

server

Specifies the DHCPv6 server. Must be enabled together with the DHCPv6 relay on subscriber interfaces (esm-relay) application.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>epipe>spoke-sdp adv-service-mtu)

[Tree] (config>service>vpls>spoke-sdp adv-service-mtu)

Full Context

configure service epipe spoke-sdp adv-service-mtu

configure service vpls spoke-sdp adv-service-mtu

Description

This command configures the MTU value signaled in the targeted LDP for the spoke-SDP and is used to validate the value signaled by the far-end PE. If configured, this value is used instead of the service MTU. However, the configuration does not affect the locally enforced value, which is still based on the service MTU. This command cannot be configured on a spoke-SDP that is bound to an SDP with the adv-mtu-override command.

When configured, an adjusted service MTU is used. See the service-mtu command for more information.

The no form of this command removes the configuration.

Default

no adv-service-mtu

Parameters

octets

The size of the MTU in octets, expressed as a decimal integer.

Values

0 to 9782

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>epipe>bgp adv-service-mtu)

[Tree] (config>service>vpls>bgp adv-service-mtu)

Full Context

configure service epipe bgp adv-service-mtu

configure service vpls bgp adv-service-mtu

Description

This command configures the Layer 2 MTU value (advertised for BGP signaling) or the MTU interface parameter (advertised for LDP signaling) for the service. The configured MTU information is used to validate the value signaled by the far-end PE. However, this configuration does not affect the locally enforced value, which is still based on the service MTU.

The no form of this command reverts to the default Layer 2 MTU value for BGP signaling or to the default MTU interface parameter for LDP signaling for the service, which uses an adjusted service-mtu value. See the service-mtu command for more information.

Default

no adv-service-mtu

Parameters

number

Specifies the size, in octets, of the Layer 2 MTU value to advertise for BGP signaling for the service.

Values

0 to 9782

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>ies>if>vpls>evpn>arp advertise)

[Tree] (config>service>ies>if>vpls>evpn>nd advertise)

Full Context

configure service ies interface vpls evpn arp advertise

configure service ies interface vpls evpn nd advertise

Description

This command enables the advertisement of static and dynamic ARP and ND entries that are installed in the ARP and ND cache into EVPN MAC/IP routes. This command must be used along with no learn-dynamic.

Default

no advertise

Parameters

static

Enables ARP/ND host routes to be created in the route table from EVPN ARP/ND entries

dynamic

Enables ARP/ND host routes to be created in the route table out of dynamic ARP/ND entries (learned from ARP/ND messages received from the hosts).

route-tag

Specifies the route tag that is added in the route table for ARP/ND host routes of type dynamic, or static. This tag can be matched on BGP VRF export and BGP peer export policies.

Values

1 to 255

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>if>vpls>evpn>arp advertise)

[Tree] (config>service>vprn>if>vpls>evpn>nd advertise)

Full Context

configure service vprn interface vpls evpn arp advertise

configure service vprn interface vpls evpn nd advertise

Description

This command enables the advertisement of static and dynamic ARP and ND entries that are installed in the ARP and ND cache into EVPN MAC/IP routes. This command must be used along with the no learn-dynamic command.

Default

no advertise

Parameters

static

Enables ARP or ND host routes to be created in the route table from EVPN ARP or ND entries

dynamic

Enables ARP or ND host routes to be created in the route table out of dynamic ARP or ND entries (learned from ARP or ND messages received from the hosts).

route-tag

Keyword to specify the route tag is added in the route table for ARP or ND host routes of type dynamic, or static. This tag can be matched on BGP VRF export and BGP peer export policies.

Values

1 to 255

interface-less-routing

Keyword to specify that the advertisement in EVPN MAC/IP advertisement routes include the label1 and route target of the R-VPLS EVPN service and the label2 value and route target of the EVPN interface-less instance in the linked VPRN.

bgp-evpn-instance

Keyword to specify the EVPN interface-less BGP instance from which the label and route target are taken when advertising the ARP or ND entry in an EVPN MAC/IP advertisement route.

Values

1 to 1

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>isis>flex-algos>flex-algo advertise)

[Tree] (config>router>ospf>flex-algos>flex-algo advertise)

Full Context

configure router isis flexible-algorithms flex-algo advertise

configure router ospf flexible-algorithms flex-algo advertise

Description

This command enables the advertisement of a locally configured Flexible Algorithm Definition (FAD).

A locally defined FAD is only advertised if it is administratively enabled. A router can advertise only a single locally defined FAD by using the fad-name as reference anchor.

The winning FAD used by a router must be consistent with the winning FAD on all other routers. This avoids routing loops and traffic blackholing. The winning FAD is selected using a tie-breaker algorithm that first selects the highest advertised FAD priority and next the highest system Id.

The no form of this command removes the advertisement of a flexible algorithm definition.

Default

no advertise

Parameters

fad-name

Configures the FAD name, up to 32 characters. By default, no locally configured FAD is advertised.

Platforms

7705 SAR Gen 2

Context

[Tree] (configure>service>vpls>bgp-evpn>ip-route-link-bw advertise)

[Tree] (configure>service>vprn>bgp-evpn>mpls>evpn-link-bw advertise)

Full Context

configure service vpls bgp-evpn ip-route-link-bandwidth advertise

configure service vprn bgp-evpn mpls evpn-link-bandwidth advertise

Description

This command enables the advertisement of the EVPN link bandwidth extended community along with the IP Prefix routes.

The no form of this command disables the advertisement of the EVPN link bandwidth extended community.

Default

no advertise

Parameters

weight

Specifies the weight advertised in the EVPN link bandwidth extended community for the advertised EVPN IP prefix routes for the service.

Values

1 to 128

weight dynamic

Keyword to specify that the weight is dynamically set based on the number of BGP PE-CE paths for the IP-Prefix that is advertised in an EVPN IP-Prefix route.

max-dynamic-weight

Specifies the maximum weight advertised in the EVPN link bandwidth extended community for the advertised EVPN IP-Prefix routes for the service. If weight dynamic is configured, the actual advertised weight is the minimum of the number of BGP PE-CE paths for the prefix and the configured maximum weight.

Values

1 to 128

Platforms

7705 SAR Gen 2

Context

[Tree] (configure>router>bgp>group>bfd-strict-mode advertise)

[Tree] (configure>router>bgp>group>neighbor>bfd-strict-mode advertise)

[Tree] (configure>service>vprn>bgp>group>bfd-strict-mode advertise)

[Tree] (configure>router>bgp>bfd-strict-mode advertise)

[Tree] (configure>service>vprn>bgp>bfd-strict-mode advertise)

[Tree] (configure>service>vprn>bgp>group>neighbor>bfd-strict-mode advertise)

Full Context

configure router bgp group bfd-strict-mode advertise

configure router bgp group neighbor bfd-strict-mode advertise

configure service vprn bgp group bfd-strict-mode advertise

configure router bgp bfd-strict-mode advertise

configure service vprn bgp bfd-strict-mode advertise

configure service vprn bgp group neighbor bfd-strict-mode advertise

Description

This command configures BGP to advertise the Strict-BFD capability to peers that are within scope of this command and meet the following requirements:

• The bfd-enable command that applies to the peer is enabled (through either configuration or inheritance).

• The interface associated with the peer has a valid BFD configuration.

When the preceding conditions are satisfied and two peers attempting to form a session both advertise the Strict-BFD capability, the BGP finite state machine in each router transitions the session state to established after the BFD session with the peer enters the up state.

The no form of this command prevents BGP from advertising the Strict-BFD capability to peers.

Default

no advertise

Parameters

seconds

Specifies the maximum time (in seconds) BGP waits for the BFD session to come up, provided that the Strict-BFD procedures apply to a session, and the negotiated BGP hold time is zero (no keepalives). If the negotiated BGP hold time is greater than zero, the holdtime parameter is not considered.

Values

1 to 65535

Default

30

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>ospf>flex-algos advertise-admin-group)

[Tree] (config>router>isis>flex-algos advertise-admin-group)

Full Context

configure router ospf flexible-algorithms advertise-admin-group

configure router isis flexible-algorithms advertise-admin-group

Description

This command configures the type of Aministrative Group (AG) or Extended Administrative Group (EAG) TLVs the router advertises as the Interior Gateway Protocol (IGP) link attribute. This command is configured for this IGP instance.

The no form of this command removes the configuration.

Default

prefer-ag

Parameters

prefer-ag

Keyword to specify that the router advertises the Administrative Group (AG) TLV as the IGP link attribute if the affinity bits in the configure router if-attribute admin-group value command are configured between 0 to 31. If no EAG (32 to 255) affinity bits are configured, only the AG TLV is advertised as the IGP link attribute.

If the affinity bits are configured in both the AG (0 to 31) and EAG (32 to 255) range, the router advertises both the AG and the EAG TLVs as the IGP link attributes.

eag-only

Keyword to specify that the router advertises only the EAG TLV as the IGP link attribute. No AG TLV is advertised if this keyword is configured.

ag-eag

Keyword to specify that the router can advertise both the AG and the EAG TLVs as the IGP link attributes, even without the affinity bit in the EAG range configured in the configure router if-attribute admin-group value command. If no affinity bit is configured in the AG range (0 to 31), the router prunes the AG TLV. Configuring this keyword allows for backward compatibility for vendor implementations that support only AG, while still supporting EAG.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>pw-routing>local-prefix advertise-bgp)

Full Context

configure service pw-routing local-prefix advertise-bgp

Description

This command enables a given prefix to be advertised in MP-BGP for dynamic MS-PW routing.

The no form of this command will explicitly withdraw a route if it has been previously advertised.

Default

no advertise-bgp

Parameters

rd

Specifies an 8-octet route distinguisher associated with the prefix. Up to 4 unique route distinguishers can be configured and advertised for a given prefix though multiple instances of the advertise-bgp command. This parameter is mandatory.

Values

(6 bytes, other 2 Bytes of type will be automatically generated) asn:number1 (RD Type 0): 2bytes ASN and 4 bytes locally administered number ip-address:number2 (RD Type 1): 4bytes IPv4 and 2 bytes locally administered number;

community

An optional BGP communities attribute associated with the advertisement. To delete a previously advertised community, advertise-bgp route-distinguisher must be run again with the same value for the RD but excluding the community attribute.

Values

community	{2-byte-as-number:comm-va1}
2-byte-asnumber	0 to 65535
comm.-val	0 to 65535

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>ospf>te-opts advertise-delay)

Full Context

configure router ospf traffic-engineering-options advertise-delay

Description

This command configures the advertisement of link delay in the IGP LSDB within the OSPF-TE TLV attribute or when the Application Specific Link Attribute (ASLA) is enabled within the SR-TE ASLA.

When the router is configured with the configure router ospf traffic-engineering-options sr-te application-specific-link-attributes command to generate SR-TE ASLA attributes, link delay is advertised as a legacy RFC 3630 TE TLV when RSVP-TE is enabled and as an ASLA RFC 8920 TLV for SR-TE when MPLS is enabled for an interface.

SR OS accepts and handles both legacy RSVP-TE TLVs and ASLAs for the RSVP application. However, SR OS only advertises RFC 3630 legacy RSVP-TE TLVs (as recommended by RFC 8920) to avoid compatibility issues.

Default

no advertise-delay

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>isis>te advertise-delay)

Full Context