a Commands – Part II

all-events

all-events

Syntax

all-events

Context

[Tree] (debug>service>id>stp all-events)

Full Context

debug service id stp all-events

Description

This command enables STP debugging for all events.

The no form of the command disables debugging.

Platforms

7705 SAR Gen 2

all-l1isis

all-l1isis

Syntax

all-l1isis ieee-address

no all-l1isis

Context

[Tree] (config>service>vprn>isis all-l1isis)

Full Context

configure service vprn isis all-l1isis

Description

This command specifies the MAC address to use for the VPRN instance of the Layer 1 IS-IS routers. The MAC address should be a multicast address.

The no form of this command reverts to the default value.

Default

all-l1isis 01:80:c2:00:00:14

Parameters

ieee-address

Specifies the destination MAC address for all Layer 1 IS-IS neighbors on the link for this IS-IS instance.

Platforms

7705 SAR Gen 2

all-l1isis

Syntax

all-l1isis ieee-address

no all-l1isis

Context

[Tree] (config>router>isis all-l1isis)

Full Context

configure router isis all-l1isis

Description

This command enables you to specify the MAC address to use for all Layer 1 IS-IS routers. The MAC address should be a multicast address.

The no form of this command reverts to the default value.

Default

01:80:c2:00:00:14

Parameters

ieee-address

Specifies the destination MAC address for all Layer 1 IS-IS neighbors on the link for this IS-IS instance.

Platforms

7705 SAR Gen 2

all-l2isis

all-l2isis

Syntax

all-l2isis ieee-address

no all-l2isis

Context

[Tree] (config>service>vprn>isis all-l2isis)

Full Context

configure service vprn isis all-l2isis

Description

This command specifies the MAC address to use for Layer 2 IS-IS routers for the VPRN instance. The MAC address should be a multicast address.

The no form of this command reverts to the default value.

Default

all-l2isis 01:80:c2:00:00:15

Parameters

ieee-address

Specifies the destination MAC address for all Layer 2 IS-IS neighbors on the link for this IS-IS instance.

Platforms

7705 SAR Gen 2

all-l2isis

Syntax

all-l2isis ieee-address

no all-l2isis

Context

[Tree] (config>router>isis all-l2isis)

Full Context

configure router isis all-l2isis

Description

This command enables you to specify the MAC address to use for all Layer 2 IS-IS routers. The MAC address should be a multicast address.

The no form of this command reverts to the default value.

Default

01:80:c2:00:00:15

Parameters

ieee-address

Specifies the destination MAC address for all Layer 2 IS-IS neighbors on the link for this IS-IS instance.

Platforms

7705 SAR Gen 2

all-octets-offered-count

all-octets-offered-count

Syntax

[no] all-octets-offered-count

Context

[Tree] (config>log>acct-policy>cr>queue>i-counters all-octets-offered-count)

[Tree] (config>log>acct-policy>cr>ref-queue>i-counters all-octets-offered-count)

Full Context

configure log accounting-policy custom-record queue i-counters all-octets-offered-count

configure log accounting-policy custom-record ref-queue i-counters all-octets-offered-count

Description

This command includes all octets offered in the count.

The no form of this command excludes the octets offered in the count.

Default

no all-octets-offered-count

Platforms

7705 SAR Gen 2

all-packets-offered-count

all-packets-offered-count

Syntax

[no] all-packets-offered-count

Context

[Tree] (config>log>acct-policy>cr>queue>i-counters all-packets-offered-count)

[Tree] (config>log>acct-policy>cr>ref-queue>i-counters all-packets-offered-count)

Full Context

configure log accounting-policy custom-record queue i-counters all-packets-offered-count

configure log accounting-policy custom-record ref-queue i-counters all-packets-offered-count

Description

This command includes all packets offered in the count.

The no form of this command excludes the packets offered in the count.

Default

no all-packets-offered-count

Platforms

7705 SAR Gen 2

allocate-dual-sids

allocate-dual-sids

Syntax

[no] allocate-dual-sids

Context

[Tree] (config>router>ospf>segm-rtng>adj-sid allocate-dual-sids)

[Tree] (config>router>isis>segm-rtng>adj-sid allocate-dual-sids)

Full Context

configure router ospf segment-routing adjacency-sid allocate-dual-sids

configure router isis segment-routing adjacency-sid allocate-dual-sids

Description

This command enables the support of two SR-MPLS adjacency SIDs per interface. A protected and unprotected adjacency SID is instantiated and advertised. If an SR-MPLS adjacency SID already exists, an additional complementary (protected or unprotected) adjacency SID is created on the interface.

The no form of this command disables the support of two SR-MPLS adjacency SIDs per interface.

Default

no allocate-dual-sids

Platforms

7705 SAR Gen 2

allow-bgp-to-igp-export

allow-bgp-to-igp-export

Syntax

[no] allow-bgp-to-igp-export

Context

[Tree] (config>router allow-bgp-to-igp-export)

Full Context

configure router allow-bgp-to-igp-export

Description

This command enables the export of base BGP RTM routes into the IGP routing instance within the base router. This command applies to already exported BGP prefixes and to newly received BGP prefixes.

Default

allow-bgp-to-igp-export

Platforms

7705 SAR Gen 2

allow-boot-license-violations

allow-boot-license-violations

Syntax

[no] allow-boot-license-violations

Context

[Tree] (config>system allow-boot-license-violations)

Full Context

configure system allow-boot-license-violations

Description

This command configures whether the system should allow successful execution of the bootup configuration file when it contains license violations. When enabled, the system will not error on any configuration that causes a license violation and as a result permits the system to come into service. However, if violations are detected, the system reboots after a period of time if the violations are not fixed.

Platforms

7705 SAR Gen 2

allow-directed-broadcasts

allow-directed-broadcasts

Syntax

[no] allow-directed-broadcasts

Context

[Tree] (config>router>if allow-directed-broadcasts)

[Tree] (config>service>vprn>nw-if allow-directed-broadcasts)

[Tree] (config>service>vprn>if allow-directed-broadcasts)

[Tree] (config>service>ies>if allow-directed-broadcasts)

Full Context

configure router interface allow-directed-broadcasts

configure service vprn network-interface allow-directed-broadcasts

configure service vprn interface allow-directed-broadcasts

configure service ies interface allow-directed-broadcasts

Description

This command enables the forwarding of directed broadcasts out of the IP interface.

A directed broadcast is a packet received on a local router interface destined for the subnet broadcast address on another IP interface. The allow-directed-broadcasts command on an IP interface enables or disables the transmission of packets destined to the subnet broadcast address of the egress IP interface.

When enabled, a frame destined to the local subnet on this IP interface is sent as a subnet broadcast out this interface. Care should be exercised when allowing directed broadcasts as it is a well-known mechanism used for denial-of-service attacks.

When disabled, directed broadcast packets discarded at this egress IP interface are counted in the normal discard counters for the egress SAP.

Note:

Allowing directed broadcasts is a well-known mechanism used for denial-of-service attacks.

By default, directed broadcasts are not allowed and are discarded at this egress IP interface.

The no form of this command disables the forwarding of directed broadcasts out of the IP interface. All broadcasts are dropped.

Default

no allow-directed-broadcasts — Directed broadcasts are dropped.

Platforms

7705 SAR Gen 2
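The egress decision described for allow-directed-broadcasts can be modelled as follows. This is an added example, not Nokia code: the interface names, the documentation-range subnets and the per-interface discard counter are assumptions, and routing is reduced to directly connected subnets.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class IpInterface:
    name: str                                  # hypothetical interface name
    network: ipaddress.IPv4Network             # subnet configured on the interface
    allow_directed_broadcasts: bool = False    # page default: no allow-directed-broadcasts
    egress_discards: int = 0                   # simplified stand-in for the egress discard counter


def build_sample_interfaces():
    """Constructed sample: three directly connected subnets, one with the flag enabled."""
    return [
        IpInterface("lan-a", ipaddress.ip_network("192.0.2.0/25")),
        IpInterface("lan-b", ipaddress.ip_network("192.0.2.128/25")),
        IpInterface("lan-c", ipaddress.ip_network("198.51.100.0/24"),
                    allow_directed_broadcasts=True),
    ]


def egress_decision(interfaces, ingress_name, dst):
    """Classify a packet received on ingress_name and destined to dst.

    Returns (egress interface name or None, action). A directed broadcast is a
    packet whose destination is the subnet broadcast address of an IP interface
    other than the one it arrived on.
    """
    dst = ipaddress.IPv4Address(dst)
    for ifc in interfaces:
        if dst not in ifc.network:
            continue
        # /31 and /32 subnets have no subnet broadcast address.
        is_subnet_broadcast = (ifc.network.prefixlen < 31
                               and dst == ifc.network.broadcast_address)
        if not is_subnet_broadcast:
            return ifc.name, "forward-unicast"
        if ifc.name == ingress_name:
            # Broadcast on the receiving subnet itself: not a directed broadcast.
            return ifc.name, "local-broadcast"
        if ifc.allow_directed_broadcasts:
            return ifc.name, "send-subnet-broadcast"
        ifc.egress_discards += 1               # dropped at the egress IP interface
        return ifc.name, "discard"
    return None, "no-route"


if __name__ == "__main__":
    ifs = build_sample_interfaces()
    for dst in ("192.0.2.255", "198.51.100.255", "192.0.2.130"):
        print(dst, egress_decision(ifs, "lan-a", dst))
    print({i.name: i.egress_discards for i in ifs})
```

A rising discard count on an interface that keeps the default is a useful signal that something upstream is sending traffic to its subnet broadcast address.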

allow-egress-remark-dscp

allow-egress-remark-dscp

Syntax

[no] allow-egress-remark-dscp

Context

[Tree] (config>oam-pm>session>ip allow-egress-remark-dscp)

Full Context

configure oam-pm session ip allow-egress-remark-dscp

Description

This command instructs the egress QoS process to modify the DSCP based on the egress QoS configuration. This command exposes the DSCP to egress DSCP processing rules.

The no form of this command instructs the egress QoS process to ignore the DSCP and allow it to bypass egress QoS. If the config>qos>network>egress>remark force command is configured for the network egress QoS profile, the egress QoS process is applied and the DSCP can be overwritten regardless of the allow-egress-remark-dscp configuration.

Platforms

7705 SAR Gen 2

allow-export-bgp-vpn

allow-export-bgp-vpn

Syntax

[no] allow-export-bgp-vpn

Context

[Tree] (config>service>vprn allow-export-bgp-vpn)

Full Context

configure service vprn allow-export-bgp-vpn

Description

This command allows routes leaked from another local VPRN service to be re-exported by this VPRN in the form of new VPN-IP routes. The service label, route targets, and BGP next-hop of the re-advertised routes are based on the configuration and default values of the re-exporting VPRN.

When re-exporting leaked routes, the following restrictions apply.

  • The allow-export-bgp-vpn command is not configurable in combination with any of the following commands: carrier-carrier-vpn (CSC), label-mode next-hop (LPN), type {hub | spoke | subscriber-split-horizon}, redundant-interface, and export-inactive-bgp.

  • Re-exported routes always have the per-VRF label of the exporting VPRN; label-per-prefix advertisement is not supported.

  • The best-external (inactive BGP) routes leaked by another VPRN cannot be re-exported by a VPRN configured with allow-export-bgp-vpn.

Caution:

When a VPRN configured with allow-export-bgp-vpn advertises a leaked route, the split-horizon context is lost. A re-exported route can be easily advertised back to the sending peer unless this is blocked by BGP export policies. This can cause route flaps or other similar instability. In addition, allow-export-bgp-vpn may never be used in a VPRN service with a route distinguisher that is used in other PEs attached to the same service; if the same route distinguisher is used in this case, there is constant route flap.

If the no form of this command is configured, leaked routes cannot be re-advertised as VPN-IP routes; they can only be re-advertised to PE-CE BGP peers of the VPRN.

Default

no allow-export-bgp-vpn

Platforms

7705 SAR Gen 2

allow-flex-algo-fallback

allow-flex-algo-fallback

Syntax

[no] allow-flex-algo-fallback

Context

[Tree] (config>router>bgp>next-hop-resolution>labeled-routes>transport-tunnel>family allow-flex-algo-fallback)

[Tree] (config>router>bgp>next-hop-resolution>shortcut-tunnel>family allow-flex-algo-fallback)

[Tree] (config>service>vpls>bgp-evpn>mpls>auto-bind-tunnel allow-flex-algo-fallback)

[Tree] (config>service>vprn>bgp-ipvpn>mpls>auto-bind-tunnel allow-flex-algo-fallback)

[Tree] (config>service>epipe>bgp-evpn>mpls>auto-bind-tunnel allow-flex-algo-fallback)

[Tree] (config>service>vprn>bgp-evpn>mpls>auto-bind-tunnel allow-flex-algo-fallback)

Full Context

configure router bgp next-hop-resolution labeled-routes transport-tunnel family allow-flex-algo-fallback

configure router bgp next-hop-resolution shortcut-tunnel family allow-flex-algo-fallback

configure service vpls bgp-evpn mpls auto-bind-tunnel allow-flex-algo-fallback

configure service vprn bgp-ipvpn mpls auto-bind-tunnel allow-flex-algo-fallback

configure service epipe bgp-evpn mpls auto-bind-tunnel allow-flex-algo-fallback

configure service vprn bgp-evpn mpls auto-bind-tunnel allow-flex-algo-fallback

Description

This command configures a router to relax the strictly enforced Flex-Algorithm aware autobind, which is enabled through an import policy configured with the action flex-algo command.

If the allow-flex-algo-fallback command is enabled, the BGP router can autobind to a fallback algorithm 0 tunnel if no target Flex-Algorithm tunnel is available. If the allow-flex-algo-fallback command is disabled, the BGP autobind is strictly enforced to an intended Flex-Algorithm tunnel, which may cause traffic loss if no corresponding Flex-Algorithm tunnel exists.

The no form of this command removes the allow-flex-algo-fallback command from the configuration.

Default

no allow-flex-algo-fallback

Platforms

7705 SAR Gen 2

allow-flex-algo-fallback

Syntax

allow-flex-algo-fallback

Context

[Tree] (config>service>vprn>auto-bind-tunnel allow-flex-algo-fallback)

Full Context

configure service vprn auto-bind-tunnel allow-flex-algo-fallback

Description

Note: This command is no longer supported and will be removed in a future release.

Platforms

7705 SAR Gen 2

allow-fragmentation

allow-fragmentation

Syntax

[no] allow-fragmentation

Context

[Tree] (config>service>pw-template allow-fragmentation)

[Tree] (config>service>sdp allow-fragmentation)

Full Context

configure service pw-template allow-fragmentation

configure service sdp allow-fragmentation

Description

This command disables the setting of the do-not-fragment bit in the IP header of GRE encapsulated service traffic. This feature is only applicable to GRE SDPs and will be applied to all service traffic using the associated GRE SDP.

The no form of this command removes the command from the active configuration and returns the associated SDP to its default which is to set the do-not-fragment bit in all GRE encapsulated service traffic.

Default

no allow-fragmentation

Platforms

7705 SAR Gen 2

allow-ftp

allow-ftp

Syntax

[no] allow-ftp

Context

[Tree] (config>service>vprn>management allow-ftp)

Full Context

configure service vprn management allow-ftp

Description

This command allows access to the FTP server from VPRN.

The no form of this command removes FTP access for this VPRN.

Platforms

7705 SAR Gen 2

allow-ftp

Syntax

[no] allow-ftp

Context

[Tree] (config>system>security>management allow-ftp)

Full Context

configure system security management allow-ftp

Description

This command allows access to the FTP server from Base and Management routers if it is operationally up.

The no form of this command disallows access to the FTP server.

Default

allow-ftp

Platforms

7705 SAR Gen 2

allow-grpc

allow-grpc

Syntax

[no] allow-grpc

Context

[Tree] (config>system>security>management allow-grpc)

Full Context

configure system security management allow-grpc

Description

This command allows access to the gRPC server from Base and Management routers if it is operationally up.

The no form of this command disallows access to the gRPC server.

Platforms

7705 SAR Gen 2

allow-grpc

Syntax

[no] allow-grpc

Context

[Tree] (config>service>vprn>management allow-grpc)

Full Context

configure service vprn management allow-grpc

Description

This command allows access to the gRPC server from VPRN.

The no form of this command removes gRPC access for this VPRN.

Platforms

7705 SAR Gen 2

allow-icmp-redirect

allow-icmp-redirect

Syntax

[no] allow-icmp-redirect

Context

[Tree] (config>router allow-icmp-redirect)

Full Context

configure router allow-icmp-redirect

Description

This command allows ICMP redirects received on the management interface.

The no form of this command drops the ICMP redirects received on the management interface.

Platforms

7705 SAR Gen 2

allow-icmp6-redirect

allow-icmp6-redirect

Syntax

[no] allow-icmp6-redirect

Context

[Tree] (config>router allow-icmp6-redirect)

Full Context

configure router allow-icmp6-redirect

Description

This command allows IPv6 ICMP redirects received on the management interface.

The no form of this command drops the IPv6 ICMP redirects received on the management interface.

Platforms

7705 SAR Gen 2

allow-immediate

allow-immediate

Syntax

[no] allow-immediate

Context

[Tree] (config>system>management-interface>cli>classic-cli allow-immediate)

Full Context

configure system management-interface cli classic-cli allow-immediate

Description

This command enables write access in the classic CLI configuration branch without having to use the classic CLI candidate edit functionality.

The no form of this command blocks write access and configuration changes in the classic CLI configuration branch, and the classic CLI configuration branch is read-only. This enforces using the classic CLI candidate edit functionality, including candidate commit, to modify the router configuration, instead of allowing immediate line-by-line configuration changes.

Default

allow-immediate

Platforms

7705 SAR Gen 2

allow-ip-int-bind

allow-ip-int-bind

Syntax

[no] allow-ip-int-bind

Context

[Tree] (config>service>vpls allow-ip-int-bind)

Full Context

configure service vpls allow-ip-int-bind

Description

This command sets a flag on the VPLS or I-VPLS service that enables an IES or VPRN IP interface to be attached to the VPLS service, making the VPLS service routable. When the allow-ip-int-bind command is not enabled, the VPLS service cannot be attached to an IP interface.

VPLS Configuration Constraints for Enabling allow-ip-int-bind

When attempting to set the allow-ip-int-bind VPLS flag, the system first checks to see if the correct configuration constraints exist for the VPLS service and the network ports. The following VPLS features must be disabled or not configured for the allow-ip-int-bind flag to set:

  • SAP ingress QoS policies applied to the VPLS SAPs cannot have MAC match criteria defined

  • The VPLS service type cannot be B-VPLS or M-VPLS

  • MVR from Routed VPLS and to another SAP is not supported

  • Enhanced and Basic Subscriber Management (ESM and BSM) features

  • Network domain on SDP bindings

Once the VPLS allow-ip-int-bind flag is set on a VPLS service, the above features cannot be enabled on the VPLS service.

Network Port Hardware Constraints

The system also checks to ensure that all ports configured in network mode are associated with FlexPath2 forwarding planes. If a port is currently in network mode and the port is associated with a FlexPath1 forwarding plane, the allow-ip-int-bind command will fail. Once the allow-ip-int-bind flag is set on any VPLS service, attempting to enable network mode on a port associated with a FlexPath1 forwarding plane will fail.

VPLS SAP Hardware Constraints

Besides VPLS configuration and network port hardware association, the system also checks that all SAPs within the VPLS are created on Ethernet ports and that the ports are associated with FlexPath2 forwarding planes. Certain Ethernet ports and virtual Ethernet ports are not supported, including CCAG virtual ports (VSM based). If a SAP in the VPLS exists on an unsupported port type or is associated with a FlexPath1 forwarding plane, the allow-ip-int-bind command will fail. Once the allow-ip-int-bind flag is set on the VPLS service, attempting to create a VPLS SAP on the wrong port type or associated with a FlexPath1 forwarding plane will fail.

VPLS Service Name Bound to IP Interface without allow-ip-int-bind flag Set

If a service name is applied to a VPLS service and that service name is also bound to an IP interface but the allow-ip-int-bind flag has not been set on the VPLS service context, the system's attempt to resolve the service name between the VPLS service and the IP interface will fail. After the allow-ip-int-bind flag is successfully set on the VPLS service, either the service name on the VPLS service must be removed and reapplied or the IP interface must be re-initialized using the shutdown / no shutdown commands. This will cause the system to reattempt the name resolution process between the IP interface and the VPLS service.

The no form of this command resets the allow-ip-int-bind flag on the VPLS service. If the VPLS service currently has an IP interface from an IES or VPRN service attached, the no allow-ip-int-bind command will fail. Once the allow-ip-int-bind flag is reset on the VPLS service, the configuration and hardware restrictions associated with setting the flag are removed. The port network mode hardware restrictions are also removed.

Platforms

7705 SAR Gen 2

allow-ipv6-udp-checksum-zero

allow-ipv6-udp-checksum-zero

Syntax

[no] allow-ipv6-udp-checksum-zero

Context

[Tree] (config>router>twamp-light>reflector allow-ipv6-udp-checksum-zero)

[Tree] (config>service>vprn>twamp-light>reflector allow-ipv6-udp-checksum-zero)

Full Context

configure router twamp-light reflector allow-ipv6-udp-checksum-zero

configure service vprn twamp-light reflector allow-ipv6-udp-checksum-zero

Description

This command configures the acceptance of IPv6 packets with UDP checksums of 0. This optional configuration allows the router to process arriving IPv6 TWAMP Test packets that contain an IPv6 UDP checksum of 0x0000. The UDP port specific to this TWAMP Light test bypasses the default discard of IPv6 UDP checksum 0x0000. If this optional command is not configured, arriving packets with an IPv6 UDP checksum of 0x0000 are discarded.

The no form of this command reverts to the default value, discarding packets that arrive with an IPv6 UDP checksum of 0x0000.

Default

no allow-ipv6-udp-checksum-zero

Platforms

7705 SAR Gen 2

allow-lease-query

allow-lease-query

Syntax

[no] allow-lease-query

Context

[Tree] (config>service>vprn>dhcp6>server allow-lease-query)

[Tree] (config>router>dhcp6>server allow-lease-query)

Full Context

configure service vprn dhcp6 local-dhcp-server allow-lease-query

configure router dhcp6 local-dhcp-server allow-lease-query

Description

If enabled, the local DHCPv6 server will handle and reply to lease query messages.

The no form of this command disables lease query support.

Platforms

7705 SAR Gen 2

allow-local-management

allow-local-management

Syntax

[no] allow-local-management

Context

[Tree] (config>service>vprn>grt>enable-grt allow-local-management)

Full Context

configure service vprn grt-lookup enable-grt allow-local-management

Description

This command enables the support of specific management protocols over VPRN interfaces that terminate on Base routing context IPv4 and IPv6 interface addresses, including Base loopback and system addresses. Global Routing Table (GRT) leaking is used to enable the visibility and access of the Base interface addresses in the VPRN. The supported protocols are Telnet, FTP, SNMP, TACACS+, RADIUS (IPv4 only, not IPv6), SSH (including applications that ride over the standard SSH TCP port 22 such as SCP and SFTP) and NETCONF (configured on port 22 or 830).

Ping and traceroute responses from the Base router interfaces are supported but are not configurable.

The allow-local-management command does not control the support for management protocols terminating on VPRN interfaces directly. See "Node Management using VPRN" in the 7705 SAR Gen 2 Layer 3 Services Guide: IES and VPRN for more information. Also, see the access command in the config>service>vprn>snmp context, and the commands in the config>service>vprn>management context.

Platforms

7705 SAR Gen 2

allow-netconf

allow-netconf

Syntax

[no] allow-netconf

Context

[Tree] (config>system>security>management allow-netconf)

Full Context

configure system security management allow-netconf

Description

This command allows access to the NETCONF server from Base and Management routers if it is operationally up.

The no form of this command disallows access to the NETCONF server.

Platforms

7705 SAR Gen 2

allow-netconf

Syntax

[no] allow-netconf

Context

[Tree] (config>service>vprn>management allow-netconf)

Full Context

configure service vprn management allow-netconf

Description

This command allows access to the NETCONF server from VPRN.

The no form of this command removes NETCONF access for this VPRN.

Platforms

7705 SAR Gen 2

allow-reverse-route-override

allow-reverse-route-override

Syntax

allow-reverse-route-override [type]

no allow-reverse-route-override

Context

[Tree] (config>service>vprn>ipsec allow-reverse-route-override)

Full Context

configure service vprn ipsec allow-reverse-route-override

Description

This command allows a new dynamic LAN-to-LAN tunnel that terminates in the private VPRN service to be created with an overlapping reverse route.

The no form of this command reverts to the default value.

Default

no allow-reverse-route-override

Parameters

type

Specifies the action to take when the system accepts a new reverse route.

Values

same-idi — Specifies that the system accepts a new reverse route and removes the existing route only if the IDi of the new tunnel is the same as that of the existing route.

any-idi — Specifies that the system accepts a new reverse route and removes the existing route regardless of the IDi.

Platforms

7705 SAR Gen 2

allow-sr-over-srte

allow-sr-over-srte

Syntax

[no] allow-sr-over-srte

Context

[Tree] (config>router>ospf>igp-sc allow-sr-over-srte)

[Tree] (config>router>isis>igp-sc allow-sr-over-srte)

Full Context

configure router ospf igp-shortcut allow-sr-over-srte

configure router isis igp-shortcut allow-sr-over-srte

Description

This command enables the SR-TE LSPs as eligible SRv4 or SRv6 IGP shortcuts.

For SR-MPLS SRv4 and SRv6, IGP shortcuts can only use SR-TE LSPs with allow-sr-over-srte explicitly enabled that have an adjacency SID as top SID in the SR-TE LSP. IPv4 and IPv6 addresses can use all available SR-TE LSPs as shortcuts regardless of the explicit allow-sr-over-srte configuration.

Under ECMP, when IGP allow-sr-over-srte is configured, preference is given to the SR-TE LSPs with allow-sr-over-srte explicitly configured over the LSPs that do not have allow-sr-over-srte configured.

The no form of this command disables the eligibility.

Default

no allow-sr-over-srte

Platforms

7705 SAR Gen 2

allow-ssh

allow-ssh

Syntax

[no] allow-ssh

Context

[Tree] (config>service>vprn>management allow-ssh)

Full Context

configure service vprn management allow-ssh

Description

This command allows configuration of the SSH parameters.

The no form of this command disallows configuration of the SSH parameters.

Platforms

7705 SAR Gen 2

allow-ssh

Syntax

[no] allow-ssh

Context

[Tree] (config>system>security>management allow-ssh)

Full Context

configure system security management allow-ssh

Description

This command allows the SSH parameters to be configured from Base and Management routers.

The no form of this command disallows SSH parameters from being configured.

Default

allow-ssh

Platforms

7705 SAR Gen 2

allow-static

allow-static

Syntax

allow-static

no allow-static

Context

[Tree] (config>router>bgp>next-hop-res>labeled-routes allow-static)

Full Context

configure router bgp next-hop-resolution labeled-routes allow-static

Description

This command allows the BGP next-hop of label-IPv4, label-IPv6, VPN-IPv4, and VPN-IPv6 routes received from any EBGP or IBGP peer to be resolved using static routes, except for static default routes (0/0 and ::/0).

A static route is less preferred than a local or interface route for resolving the BGP next-hop of labeled route, but more preferred than other IGP routes or tunnels.

Note:

A label-IPv4 or label-IPv6 route can be resolved by a static blackhole route, even when the allow-static command is not configured, but only if the static blackhole route is the longest prefix match (LPM) static route for the BGP next-hop address.

Default

no allow-static

Platforms

7705 SAR Gen 2

allow-telnet

allow-telnet

Syntax

[no] allow-telnet

Context

[Tree] (config>service>vprn>management allow-telnet)

Full Context

configure service vprn management allow-telnet

Description

This command allows access to the Telnet server from a VPRN.

The no form of this command removes the Telnet access.

Platforms

7705 SAR Gen 2

allow-telnet

Syntax

[no] allow-telnet

Context

[Tree] (config>system>security>management allow-telnet)

Full Context

configure system security management allow-telnet

Description

This command allows access to the Telnet server from Base and Management routers if it is operationally up.

The no form of this command disallows access to the Telnet server.

Default

allow-telnet

Platforms

7705 SAR Gen 2

allow-telnet6

allow-telnet6

Syntax

[no] allow-telnet6

Context

[Tree] (config>service>vprn>management allow-telnet6)

Full Context

configure service vprn management allow-telnet6

Description

This command allows access to the Telnet IPv6 server from a VPRN.

The no form of this command removes the Telnet IPv6 access.

Platforms

7705 SAR Gen 2

allow-telnet6

Syntax

[no] allow-telnet6

Context

[Tree] (config>system>security>management allow-telnet6)

Full Context

configure system security management allow-telnet6

Description

This command allows access to the Telnet IPv6 server from Base and Management routers if it is operationally up.

The no form of this command disallows access to the Telnet IPv6 server.

Default

allow-telnet6

Platforms

7705 SAR Gen 2

allow-unresolved-leaking

allow-unresolved-leaking

Syntax

[no] allow-unresolved-leaking

Context

[Tree] (config>router>bgp>next-hop-res allow-unresolved-leaking)

Full Context

configure router bgp next-hop-resolution allow-unresolved-leaking

Description

This command instructs BGP, in the base router instance, to allow its routes to be leaked to other (VPRN) BGP instances, even if the routes to be leaked do not have a BGP next hop that can be resolved by the base instance.

By default, BGP routes cannot be leaked to another BGP instance unless they are resolvable by the instance that receives them.

The no form of this command provides the default behavior.

Default

no allow-unresolved-leaking

Platforms

7705 SAR Gen 2

allow-unsecure-connection

allow-unsecure-connection

Syntax

[no] allow-unsecure-connection

Context

[Tree] (config>system>grpc allow-unsecure-connection)

Full Context

configure system grpc allow-unsecure-connection

Description

This command enables unsecure operation of gRPC connections. This means that TCP connections are not encrypted, including username and password information.

This command can be enabled only if there is no TLS profile assigned to the gRPC server.

The no form of this command enables TLS encryption on gRPC connections.

Default

no allow-unsecure-connection

Platforms

7705 SAR Gen 2

allow-unsecure-connection

Syntax

[no] allow-unsecure-connection

Context

[Tree] (config>system>management-interface>remote-management allow-unsecure-connection)

Full Context

configure system management-interface remote-management allow-unsecure-connection

Description

This command enables unsecure operation of all remote manager connections. In an unsecured operation, connections are not encrypted, including the username and password information.

This command and client-tls-profile are mutually exclusive. This means it can be used only if there are no TLS profiles assigned to the server.

If this command is also configured in the config>system>management-interface>remote-management>manager context, that configuration takes precedence.

The no form of this command disables unsecured connections.

Default

no allow-unsecure-connection

Platforms

7705 SAR Gen 2

allow-unsecure-connection

Syntax

[no] allow-unsecure-connection

Context

[Tree] (config>system>management-interface>remote-management>manager allow-unsecure-connection)

Full Context

configure system management-interface remote-management manager allow-unsecure-connection

Description

This command allows an unsecured connection to the remote managers; the TCP connection is not encrypted. This includes username and password information.

This command and client-tls-profile are mutually exclusive.

This command takes precedence over the same command configured in the config>system>management-interface>remote-management context, if applicable.

The no form of this command disables unsecured connections for the specified manager.

Default

no allow-unsecure-connection

Platforms

7705 SAR Gen 2

allow-unsecure-connection

Syntax

[no] allow-unsecure-connection

Context

[Tree] (config>system>telemetry>destination-group allow-unsecure-connection)

Full Context

configure system telemetry destination-group allow-unsecure-connection

Description

This command enables an unsecured connection for a specified destination group.

This command is mutually exclusive with the tls-client-profile command.

The no form of this command disables unsecured connections for the specified destination group.

Default

no allow-unsecure-connection

Platforms

7705 SAR Gen 2

allow-unsecure-connection

Syntax

[no] allow-unsecure-connection

Context

[Tree] (config>system>grpc-tunnel>destination-group allow-unsecure-connection)

Full Context

configure system grpc-tunnel destination-group allow-unsecure-connection

Description

This command enables an unsecured connection for a specified destination group, which allows a gRPC tunnel to run without a secured transport protocol. Data is transferred in unencrypted form.

This command is mutually exclusive with the tls-client-profile command.

The no form of this command disables unsecured connections for the specified destination group.

Default

no allow-unsecure-connection

Platforms

7705 SAR Gen 2

allow-unsecured-msgs

allow-unsecured-msgs

Syntax

[no] allow-unsecured-msgs

Context

[Tree] (config>service>ies>if>ipv6>secure-nd allow-unsecured-msgs)

Full Context

configure service ies interface ipv6 secure-nd allow-unsecured-msgs

Description

This command specifies whether unsecured messages are accepted. When Secure Neighbor Discovery (SeND) is enabled, only secure messages are accepted by default.

The no form of this command disables accepting unsecured messages.

Platforms

7705 SAR Gen 2

allow-unsecured-msgs

Syntax

[no] allow-unsecured-msgs

Context

[Tree] (config>service>vprn>if>send allow-unsecured-msgs)

Full Context

configure service vprn interface ipv6 secure-nd allow-unsecured-msgs

Description

This command specifies whether unsecured messages are accepted. When Secure Neighbor Discovery (SeND) is enabled, only secure messages are accepted by default.

The no form of this command disables accepting unsecured messages.

Platforms

7705 SAR Gen 2

allow-unsecured-msgs

Syntax

[no] allow-unsecured-msgs

Context

[Tree] (config>router>if>ipv6>secure-nd allow-unsecured-msgs)

Full Context

configure router interface ipv6 secure-nd allow-unsecured-msgs

Description

This command specifies whether unsecured messages are accepted. When Secure Neighbor Discovery (SeND) is enabled, only secure messages are accepted by default.

The no form of this command disables accepting unsecured messages.

Platforms

7705 SAR Gen 2

allow-user-name

allow-user-name

Syntax

[no] allow-user-name

Context

[Tree] (config>system>security>password>complexity-rules allow-user-name)

Full Context

configure system security password complexity-rules allow-user-name

Description

This command allows the user name to be used as part of the password.

The no form of this command does not allow the user name to be used as the password.

Default

no allow-user-name

Platforms

7705 SAR Gen 2

allowed-peer-as

allowed-peer-as

Syntax

[no] allowed-peer-as min-as-number [max max-as-number]

Context

[Tree] (config>service>vprn>bgp>group>dynamic-neighbor>match>prefix allowed-peer-as)

Full Context

configure service vprn bgp group dynamic-neighbor match prefix allowed-peer-as

Description

This command configures a single peer AS value or a contiguous range of peer AS values to associate with a prefix from which dynamic BGP sessions can be accepted.

If an incoming dynamic BGP session is associated with the prefix, then the peer’s AS, as reported in the OPEN message, is checked against the list of allowed-peer-as values. If the peer AS is not contained in one of the allowed-peer-as commands, then the connection is rejected with a Bad_Peer_AS error. If there is no allowed-peer-as configuration in the matched prefix, then the ASN in the peer’s OPEN message is checked against the group level peer-as.

The no form of this command removes an allowed-peer-as entry.

Default

no allowed-peer-as

Parameters

min-as-number

Specifies an allowed peer AS value as well as the start of an allowed range if the max-as-number value is also configured.

Values

1 to 4294967295

max-as-number

Specifies the end of an allowed range.

Values

1 to 4294967295

Platforms

7705 SAR Gen 2

allowed-peer-as

Syntax

[no] allowed-peer-as min-as-number [max max-as-number]

Context

[Tree] (config>router>bgp>group>dynamic-neighbor>match>prefix allowed-peer-as)

Full Context

configure router bgp group dynamic-neighbor match prefix allowed-peer-as

Description

This command configures a single peer AS value or a contiguous range of peer AS values to associate with a prefix from which dynamic BGP sessions can be accepted.

If an incoming dynamic BGP session is associated with the prefix, then the peer’s AS, as reported in the OPEN message, is checked against the list of allowed-peer-as values. If the peer AS is not contained in one of the allowed-peer-as commands, then the connection is rejected with a Bad_Peer_AS error. If there is no allowed-peer-as configuration in the matched prefix, then the ASN in the peer’s OPEN message is checked against the group level peer-as.

The no form of this command removes an allowed-peer-as entry.

Default

no allowed-peer-as

Parameters

min-as-number

Specifies an allowed peer AS value as well as the start of an allowed range if the max-as-number value is also configured.

Values

1 to 4294967295

max-as-number

Specifies the end of an allowed range.

Values

1 to 4294967295

Platforms

7705 SAR Gen 2
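The following is an added example, not Nokia code, that models the allowed-peer-as admission check described above for both the VPRN and base router contexts. The class and function names, the sample prefixes and AS numbers, the longest-match choice between overlapping prefixes, and the handling of a source that matches no prefix are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

AS_MIN, AS_MAX = 1, 4294967295  # value range given for min-as-number / max-as-number


@dataclass
class MatchPrefix:
    """One dynamic-neighbor match prefix and its allowed-peer-as entries."""
    prefix: str
    allowed_peer_as: List[Tuple[int, int]] = field(default_factory=list)

    def add_allowed_peer_as(self, min_as: int, max_as: Optional[int] = None) -> None:
        # A single value is stored as a range of one. Requiring max >= min is
        # an assumption based on the range being described as contiguous.
        high = min_as if max_as is None else max_as
        if not (AS_MIN <= min_as <= high <= AS_MAX):
            raise ValueError(f"invalid AS range {min_as}..{high}")
        self.allowed_peer_as.append((min_as, high))


def check_open(prefixes: List[MatchPrefix], group_peer_as: int,
               source_ip: str, open_as: int) -> Tuple[bool, str]:
    """Return (accepted, reason) for the AS carried in a peer's OPEN message."""
    addr = ip_address(source_ip)
    matches = [p for p in prefixes if addr in ip_network(p.prefix)]
    if not matches:
        # Assumption: a source outside every configured prefix is not a
        # dynamic-neighbor candidate at all.
        return (False, "no matching dynamic-neighbor prefix")
    # Assumption: the most specific matching prefix is the associated one.
    entry = max(matches, key=lambda p: ip_network(p.prefix).prefixlen)
    if entry.allowed_peer_as:
        # With allowed-peer-as configured, only those entries decide the
        # outcome; the group level peer-as is not consulted.
        if any(low <= open_as <= high for low, high in entry.allowed_peer_as):
            return (True, "allowed-peer-as")
        return (False, "Bad_Peer_AS")
    # No allowed-peer-as under the matched prefix: fall back to the group.
    if open_as == group_peer_as:
        return (True, "group peer-as")
    return (False, "Bad_Peer_AS")


def sample_prefixes() -> List[MatchPrefix]:
    """Constructed sample configuration (documentation prefixes, private ASNs)."""
    restricted = MatchPrefix("192.0.2.0/24")
    restricted.add_allowed_peer_as(64512, 64520)  # contiguous range
    restricted.add_allowed_peer_as(65010)         # single value
    fallback = MatchPrefix("198.51.100.0/24")     # no allowed-peer-as entries
    return [restricted, fallback]


if __name__ == "__main__":
    for ip, asn in [("192.0.2.7", 64515), ("192.0.2.7", 65000),
                    ("198.51.100.9", 65000), ("198.51.100.9", 64515)]:
        print(ip, asn, check_open(sample_prefixes(), 65000, ip, asn))
```

The second sample case shows the point worth checking in a review: once a prefix has any allowed-peer-as entry, a peer presenting the group level peer-as is rejected unless that AS is also listed.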

allowed-peer-as

Syntax

[no] allowed-peer-as min-as-number [max max-as-number]

Context

[Tree] (config>router>bgp>group>dynamic-neighbor>interface allowed-peer-as)

[Tree] (config>service>vprn>bgp>group>dynamic-neighbor>interface allowed-peer-as)

Full Context

configure router bgp group dynamic-neighbor interface allowed-peer-as

configure service vprn bgp group dynamic-neighbor interface allowed-peer-as

Description

This command configures a single allowed peer AS value or a range of acceptable values.

The no form of this command removes an allowed peer AS value or range of acceptable values.

Parameters

min-as-number

Specifies an allowed peer AS value as well as the start of an allowed range if the max-as-number value is also configured.

Values

1 to 4294967295

max-as-number

Specifies the end of an allowed range.

Values

1 to 4294967295

Platforms

7705 SAR Gen 2

allowed-source-macs

allowed-source-macs

Syntax

allowed-source-macs

Context

[Tree] (config>port>ethernet>dot1x>per-host-authentication allowed-source-macs)

Full Context

configure port ethernet dot1x per-host-authentication allowed-source-macs

Description

Commands in this context add the source MAC addresses of the hosts to the allowed MAC list.

Platforms

7705 SAR Gen 2

always-compare-med

always-compare-med

Syntax

always-compare-med {zero | infinity}

no always-compare-med strict-as {zero | infinity}

no always-compare-med

Context

[Tree] (config>router>bgp>best-path-selection always-compare-med)

[Tree] (config>service>vprn>bgp>path-selection always-compare-med)

Full Context

configure router bgp best-path-selection always-compare-med

configure service vprn bgp best-path-selection always-compare-med

Description

This command configures the comparison of BGP routes based on the MED attribute. The default behavior of SR OS (equivalent to the no form of this command) is to only compare two routes on the basis of MED if they have the same neighbor AS (the first non-confed AS in the received AS_PATH attribute). Also by default, a route without a MED attribute is handled the same as though it had a MED attribute with the value 0. The always-compare-med command without the strict-as keyword allows MED to be compared even if the paths have a different neighbor AS; in this case, if neither zero nor infinity is specified, the zero option is inferred, meaning a route without a MED is handled the same as though it had a MED attribute with the value 0. When the strict-as keyword is present, MED is only compared between paths from the same neighbor AS, and in this case, zero or infinity is mandatory and tells BGP how to interpret paths without a MED attribute.

Default

no always-compare-med

Parameters

zero

Specifies that, for routes learned without a MED attribute, a zero (0) value is used in the MED comparison. The routes with the lowest metric are the most preferred.

infinity

Specifies that, for routes learned without a MED attribute, a value of infinity (2^32-1) is used in the MED comparison. This in effect makes these routes the least desirable.

strict-as

Specifies that the BGP MED values are only compared if the route comes from the same neighbor AS.

Platforms

7705 SAR Gen 2
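The following is an added example, not Nokia code, that models only the MED step of route comparison as the description above states it. The class names, mode constants, and sample routes are assumptions made for illustration; all other best-path criteria are out of scope.

```python
from dataclasses import dataclass
from typing import Optional

MED_INFINITY = 2**32 - 1  # value the infinity keyword substitutes for a missing MED


@dataclass(frozen=True)
class Route:
    name: str
    neighbor_as: int    # first non-confed AS in the received AS_PATH
    med: Optional[int]  # None when the route carries no MED attribute


@dataclass(frozen=True)
class MedMode:
    compare_across_as: bool  # compare MED even when neighbor AS differs
    missing_med: int         # value used for a route without a MED attribute


# The configurations described in the text.
DEFAULT = MedMode(False, 0)                        # no always-compare-med
ALWAYS_ZERO = MedMode(True, 0)                     # zero, also inferred if omitted
ALWAYS_INFINITY = MedMode(True, MED_INFINITY)      # infinity
STRICT_AS_ZERO = MedMode(False, 0)                 # strict-as zero
STRICT_AS_INFINITY = MedMode(False, MED_INFINITY)  # strict-as infinity


def med_step(a: Route, b: Route, mode: MedMode) -> Optional[Route]:
    """Return the route preferred on MED, or None when MED does not decide.

    None covers both cases where the comparison falls through to later
    criteria: MED is not comparable in this mode, or the effective MEDs tie.
    """
    if a.neighbor_as != b.neighbor_as and not mode.compare_across_as:
        return None
    med_a = mode.missing_med if a.med is None else a.med
    med_b = mode.missing_med if b.med is None else b.med
    if med_a == med_b:
        return None
    return a if med_a < med_b else b  # lowest metric is most preferred


# Constructed sample routes: one without MED, two with MED.
NO_MED = Route("as65001-no-med", 65001, None)
SAME_AS = Route("as65001-med10", 65001, 10)
OTHER_AS = Route("as65002-med50", 65002, 50)

if __name__ == "__main__":
    for label, mode in [("default", DEFAULT), ("zero", ALWAYS_ZERO),
                        ("infinity", ALWAYS_INFINITY),
                        ("strict-as infinity", STRICT_AS_INFINITY)]:
        for other in (SAME_AS, OTHER_AS):
            winner = med_step(NO_MED, other, mode)
            print(f"{label:20} {NO_MED.name} vs {other.name}: "
                  f"{winner.name if winner else 'not decided by MED'}")
```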

always-display

always-display

Syntax

always-display

Context

[Tree] (config>system>management-interface>cli>md-cli>environment>info-output always-display)

Full Context

configure system management-interface cli md-cli environment info-output always-display

Description

Commands in this context configure the elements that are always displayed in the info output of an MD-CLI session, regardless of whether the detail option is used.

Platforms

7705 SAR Gen 2

always-set-sender-for-ir

always-set-sender-for-ir

Syntax

[no] always-set-sender-for-ir

Context

[Tree] (config>system>security>pki>ca-profile>cmpv2 always-set-sender-for-ir)

Full Context

configure system security pki ca-profile cmpv2 always-set-sender-for-ir

Description

This command specifies that the sender field in the CMPv2 header of all Initial Registration (IR) messages is always set with the subject name. By default, the sender field is only set if an optional certificate is specified in the CMPv2 request.

Default

no always-set-sender-for-ir

Platforms

7705 SAR Gen 2

ancp

ancp

Syntax

ancp

Context

[Tree] (config>system>persistence ancp)

Full Context

configure system persistence ancp

Description

This command configures ANCP persistence parameters.

Platforms

7705 SAR Gen 2

anycast

anycast

Syntax

[no] anycast rp-ip-address

Context

[Tree] (config>service>vprn>pim>rp anycast)

Full Context

configure service vprn pim rp anycast

Description

This command configures a PIM anycast protocol instance for the RP being configured. Anycast enables fast convergence when a PIM RP router fails by allowing receivers and sources to rendezvous at the closest RP.

The no form of this command removes the anycast instance from the configuration.

Parameters

rp-ip-address

Configures the loopback IP address shared by all routers that form the RP set for this anycast instance. Only a single address can be configured. If another anycast command is entered with an address, then the old address will be replaced with the new address. If no ip-address is entered, then the command is simply used to enter the anycast CLI level.

Values

Any valid loopback address configured on the node.

Platforms

7705 SAR Gen 2

anycast

Syntax

anycast ipv6-address

no anycast ipv6-address

Context

[Tree] (config>service>vprn>pim>rp>ipv6 anycast)

Full Context

configure service vprn pim rp ipv6 anycast

Description

This command configures an IPv6 PIM anycast protocol instance for the RP being configured. Anycast enables fast convergence when a PIM RP router fails by allowing receivers and sources to rendezvous at the closest RP.

The no form of this command removes the anycast instance from the configuration.

Parameters

ipv6-address

Configures the loopback IP address shared by all routers that form the RP set for this anycast instance. Only a single address can be configured. If another anycast command is entered with an address, then the old address will be replaced with the new address. If no address is entered, then the command is simply used to enter the anycast CLI context.

Values

ipv6-address:

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x - [0 to FFFF]H

d - [0 to 255]D

Platforms

7705 SAR Gen 2

anycast

Syntax

[no] anycast rp-ip-address

Context

[Tree] (config>router>pim>rp anycast)

Full Context

configure router pim rp anycast

Description

This command configures a PIM anycast protocol instance for the RP being configured. Anycast enables fast convergence when a PIM RP router fails by allowing receivers and sources to rendezvous at the closest RP.

The no form of this command removes the anycast instance from the configuration.

Parameters

rp-ip-address

Specifies the loopback IP address shared by all routers that form the RP set for this anycast instance. Only a single address can be configured. If another anycast command is entered with an address, then the old address will be replaced with the new address. If no ip-address is entered, then the command is simply used to enter the anycast CLI level.

Values

Any valid loopback address configured on the node.

Platforms

7705 SAR Gen 2

anycast

Syntax

[no] anycast ipv6-address

Context

[Tree] (config>router>pim>rp>ipv6 anycast)

Full Context

configure router pim rp ipv6 anycast

Description

This command configures a PIM anycast protocol instance for the RP being configured. Anycast enables fast convergence when a PIM RP router fails by allowing receivers and sources to rendezvous at the closest RP.

The no form of this command removes the anycast instance from the configuration.

Parameters

ipv6-address

Specifies the loopback IPv6 address shared by all routers that form the RP set for this anycast instance. Only a single address can be configured. If another anycast command is entered with an address, then the old address is replaced with the new address. If no ipv6-address is entered, then the command is simply used to enter the anycast CLI level.

Values

Any valid loopback address configured on the node.

Platforms

7705 SAR Gen 2

app-route-notifications

app-route-notifications

Syntax

app-route-notifications

Context

[Tree] (config>log app-route-notifications)

Full Context

configure log app-route-notifications

Description

Specific system applications in SR OS can take action based on a route to certain IP destinations being available. This CLI branch contains configuration related to these route availability notifications. A delay can be configured between the time that a route is determined as available in the CPM, and the time that the application is notified of the available route. For example, this delay may be used to increase the chances that other system modules (such as IOMs/XCMs/MDAs/XMAs) are fully programmed with the new route before the application takes action. Currently, the only application that acts upon these route available or route changed notifications with their configurable delays is the SNMP replay feature, which receives notifications of route availability to the SNMP trap receiver destination IP address.

Platforms

7705 SAR Gen 2

application

application

Syntax

application dscp-app-name dscp {dscp-value | dscp-name}

application dot1p-app-name dot1p dot1p-priority

no application {dscp-app-name | dot1p-app-name}

Context

[Tree] (config>service>vprn>sgt-qos application)

[Tree] (config>router>sgt-qos application)

Full Context

configure service vprn sgt-qos application

configure router sgt-qos application

Description

This command configures DSCP/dot1p remarking for self-generated application traffic. When an application is configured using this command, the specified DSCP name is used for all packets generated by this application within the router instance in which it is configured. The instances can be base router, vprn, or management.

Using the value configured in this command:

  • sets the DSCP bits in the IP packet

  • maps to the FC. This value will be signaled from the CPM to the egress forwarding complex.

  • based on this signaled FC, the egress forwarding complex QoS policy sets the Ethernet 802.1p and MPLS EXP bits. This includes ARP, PPPoE, and IS-IS packets that do not carry DSCP bits.

  • configure the DSCP value in the egress IP header. The egress QoS policy does not overwrite this value.

Only one DSCP name can be configured per application. If multiple entries are configured, the subsequent entry overrides the previously configured entry.

The no form of this command reverts to the default value.

Parameters

dscp-app-name

Specifies the DSCP application name.

Values

Some of the following values may only apply to specific products. Refer to the SR OS R25.x.Rx Software Release Notes for details about application support for different SR OS products:

bfd, bgp, bmp, call-trace, cflowd, dhcp, diameter, dns, ftp, grpc, gtp, http, icmp, igmp, igmp-reporter, l2tp, ldp, mld, mpls-udp-return, msdp, mtrace2, ndis, ntp, ospf, pcep, pim, ptp, radius, rip, rsvp, sflow, snmp, snmp-notification, srrp, ssh, syslog, tacplus, telnet, tftp, traceroute, vrrp

dscp-value

Specifies a value when this packet egresses; the respective egress policy should provide the mapping for the DSCP value to either LSP-EXP bits or IEEE 802.1p (dot1p) bits as appropriate. Otherwise, the default mapping applies.

Values

0 to 63

dscp-name

Specifies the DSCP name.

Values

none, be, ef, cp1, cp2, cp3, cp4, cp5, cp6, cp7, cp9, cs1, cs2, cs3, cs4, cs5, nc1, nc2, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cp11, cp13, cp15, cp17, cp19, cp21, cp23, cp25, cp27, cp29, cp31, cp33, cp35, cp37, cp39, cp41, cp42, cp43, cp44, cp45, cp47, cp49, cp50, cp51, cp52, cp53, cp54, cp55, cp57, cp58, cp59, cp60, cp61, cp62, cp63

dot1p-priority

Specifies the dot1p priority.

Values

none, 0 to 7

dot1p-app-name

Specifies the dot1p application name.

Values

Some of the following values may only apply to specific products. Refer to the SR OS R25.x.Rx Software Release Notes for details about application support for different SR OS products:

arp, isis, pppoe

Platforms

7705 SAR Gen 2

application

Syntax

application app [ip-int-name | ip-address]

no application app

Context

[Tree] (config>service>vprn>source-address application)

Full Context

configure service vprn source-address application

Description

This command specifies the source address and application name.

The no form of this command removes the interface name or IP address from the command.

Parameters

app

Specifies the application name.

Values

cflowd, ntp, ping, ptp, snmptrap, ssh, telnet, traceroute, icmp-error

ip-int-name

Specifies the name of the IP interface, up to 32 characters. If the string contains special characters (#, ?, space), the entire string must be enclosed between double quotes.

ip-address

Specifies the source IP address.

Values

ipv4-address:

a.b.c.d

Platforms

7705 SAR Gen 2

application

Syntax

application {eq | neq} application-id

no application

Context

[Tree] (config>service>vprn>log>filter>entry>match application)

Full Context

configure service vprn log filter entry match application

Description

This command adds an OS application as an event filter match criterion.

An OS application is the software entity that reports the event. Applications include IP, MPLS, OSPF, CLI, SERVICES and so on. Only one application can be specified. The latest application command overwrites the previous command.

The no form of this command removes the application as a match criterion.

Default

no application — no application match criterion is specified

Parameters

eq | neq

The operator specifying the type of match.

Values

eq

equal to

neq

not equal to

application-id

The application name string.

Values

port, ppp, rip, route, policy, rsvp, security, snmp, stp, svcmgr, system, user, vrrp, vrtr

Platforms

7705 SAR Gen 2

application

Syntax

application {eq | neq} application-id

no application

Context

[Tree] (config>log>filter>entry>match application)

Full Context

configure log filter entry match application

Description

This command adds an OS application as an event filter match criterion.

An OS application is the software entity that reports the event. Applications include IP, MPLS, OSPF, CLI, SERVICES and so on. Only one application can be specified. The latest application command overwrites the previous command.

The no form of this command removes the application as a match criterion.

Parameters

eq | neq

Specifies the operator match type. Valid operators are listed in Valid Operators.

Table 1. Valid Operators

Operator    Notes

eq          equal to

neq         not equal to

application-id

The application name string.

Values

application_assurance, aps, bgp, cflowd, chassis, debug, dhcp, dhcps, diameter, dynsvc, efm_oam, elmi, ering, eth_cfm, etun, fiter, gsmp, igh, igmp, igmp_snooping, ip, ipsec, isis, l2tp, lag, ldp, li, lldp, logger, mcpath, mc_redundancy, mirror, mld, mld_snooping, mpls, mpls_tp, msdp, nat, ntp, oam, open_flow, ospf, pim, pim_snooping, port, ppp, pppoe, ptp, radius, rip, rip_ng, route_policy, rsvp, security, snmp, stp, svcmgr, system, user, video, vrrp, vrtr, wlan_gw, wpp

Platforms

7705 SAR Gen 2

application

Syntax

application app [ip-int-name | ip-address]

no application app

Context

[Tree] (config>system>security>source-address application)

Full Context

configure system security source-address application

Description

This command configures the application to use the source IP address specified by the source-address command.

The no form of this command removes the interface name or IP address from the command.

Parameters

app

Specifies the application name.

Values

cflowd, dns, ftp, ntp, ldap, ping, ptp, radius, sflow, snmptrap, sntp, ssh, syslog, tacplus, telnet, traceroute, mcreporter, icmp-error

ip-int-name

Specifies the name of the IP interface, up to 32 characters. If the string contains special characters (#, ?, space), the entire string must be enclosed within double quotes.

ip-address

Specifies the source IP address.

Values

ipv4-address:

a.b.c.d

Platforms

7705 SAR Gen 2

application

Syntax

application application [keychain keychain-name]

no application application

Context

[Tree] (config>redundancy>multi-chassis>peer>sync>transport-encryption application)

Full Context

configure redundancy multi-chassis peer sync transport-encryption application

Description

This command configures transport encryption.

The no form of this command removes the specified application.

Parameters

application

Specifies a Multi-Chassis Synchronization (MCS) client application.

keychain-name

Specifies a keychain name, up to 32 characters.

Platforms

7705 SAR Gen 2

application-link-attributes

application-link-attributes

Syntax

[no] application-link-attributes

Context

[Tree] (config>router>isis>traffic-engineering-options application-link-attributes)

Full Context

configure router isis traffic-engineering-options application-link-attributes

Description

Commands in this context configure the advertisement of the TE attributes of each link on a per-application basis. Two applications are supported in SR OS: RSVP-TE and SR-TE.

The legacy mode of advertising TE attributes that is used in RSVP-TE is still supported but it can be disabled by using the no legacy command, which also enables per-application TE attribute advertisement for RSVP-TE.

The no form of this command deletes the context.

Default

no application-link-attributes

Platforms

7705 SAR Gen 2

application6

application6

Syntax

application6 app ipv6-address

no application6 app

Context

[Tree] (config>service>vprn>source-address application6)

Full Context

configure service vprn source-address application6

Description

This command specifies the IPv6 source address and application.

The no form of this command removes the application and IPv6 address from the configuration.

Parameters

app

Specifies the application name.

Values

cflowd, ntp, ping, ptp, snmptrap, ssh, telnet, traceroute, icmp6-error

ipv6-address

Specifies the IPv6 address.

Values

ipv6-address:

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x - [0 to FFFF]H

d - [0 to 255]D

Platforms

7705 SAR Gen 2

application6

Syntax

application6 app ipv6-address

no application6

Context

[Tree] (config>system>security>source-address application6)

Full Context

configure system security source-address application6

Description

This command configures the application to use the source IPv6 address specified by the source-address command.

The no form of this command removes the application and IPv6 address from the configuration.

Parameters

app

Specifies the application name.

Values

cflowd, dns, ftp, ldap, ntp, ping, ptp, radius, sflow, snmptrap, ssh, syslog, tacplus, telnet, traceroute, icmp6-error

ipv6-address

Specifies the IPv6 address.

Values

ipv6-address:

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x - [0 to FFFF]H

d - [0 to 255]D

Platforms

7705 SAR Gen 2

apply-bgp-nh-override

apply-bgp-nh-override

Syntax

[no] apply-bgp-nh-override

Context

[Tree] (config>service>vprn>pim apply-bgp-nh-override)

Full Context

configure service vprn pim apply-bgp-nh-override

Description

This command forces the RPF check to be performed via IPv4 VPN AF next-hop and not via IPv4 VPN AF VRF import extended community.

Default

no apply-bgp-nh-override

Platforms

7705 SAR Gen 2

apply-path

apply-path

Syntax

[no] apply-path

Context

[Tree] (config>filter>match-list>ip-prefix-list apply-path)

[Tree] (config>filter>match-list>ipv6-prefix-list apply-path)

Full Context

configure filter match-list ip-prefix-list apply-path

configure filter match-list ipv6-prefix-list apply-path

Description

Commands in this context configure the auto-generation of address prefixes for IPv4 or IPv6 address prefix match lists. The context in which the command is executed governs whether IPv4 or IPv6 prefixes will be auto-generated.

The no form of this command removes all auto-generation configuration under the apply-path context.

Default

no apply-path

Platforms

7705 SAR Gen 2

apply-to

apply-to

Syntax

apply-to {all | none}

Context

[Tree] (config>service>vprn>pim apply-to)

Full Context

configure service vprn pim apply-to

Description

This command creates a PIM interface with default parameters.

If a manually created interface or modified interface is deleted, the interface will be recreated when the apply-to command is executed. If PIM is not required on a specific interface, then execute a shutdown command.

The apply-to command is saved first in the PIM configuration structure. All subsequent commands either create new structures or modify the defaults as created by the apply-to command.

Default

apply-to none

Parameters

all

Specifies that all VPRN and non-VPRN interfaces are automatically applied in PIM.

none

No interfaces are automatically applied in PIM. PIM interfaces must be manually configured.

Platforms

7705 SAR Gen 2

apply-to

Syntax

apply-to {ies | non-ies | all | none}

Context

[Tree] (config>router>pim apply-to)

Full Context

configure router pim apply-to

Description

This command creates a PIM interface with default parameters.

If a manually created or modified interface is deleted, the interface is recreated when the apply-to command is processed or reprocessed. If PIM is not required on a specific interface, a shutdown should be executed.

The apply-to command is first saved in the PIM configuration structure. Then, all subsequent commands either create new structures or modify the defaults as created by the apply-to command.

Default

apply-to none

Parameters

ies

Specifies to apply all IES interfaces in PIM.

non-ies

Specifies to apply non-IES interfaces created in PIM.

all

Specifies to apply all IES and non-IES interfaces created in PIM.

none

Removes all interfaces that are not manually created or modified. It also removes explicit no interface commands if present.

Platforms

7705 SAR Gen 2

arbiter

arbiter

Syntax

arbiter arbiter-name [create]

no arbiter arbiter-name

Context

[Tree] (config>qos>plcr-ctrl-plcy>tier arbiter)

Full Context

configure qos policer-control-policy tier arbiter

Description

This command is used to create an arbiter within the context of tier 1 or tier 2. An arbiter is a child policer bandwidth control object that manages the throughput of a set of child policers. An arbiter allows child policers or other arbiters to parent to one of eight strict levels. Each arbiter is itself parented to either another tiered arbiter or to the root arbiter.

The root arbiter starts with its defined maximum rate and distributes the bandwidth to its directly attached child policers and arbiters beginning with priority 8. As the children at each priority level are distributed bandwidth according to their needs and limits, the root proceeds to the next lower priority until either all children’s needs are met or it runs out of bandwidth. The bandwidth given to a tiered arbiter is then divided between that arbiter’s children (child policers or a tier 2 arbiter) in the same fashion. A tiered arbiter may also have a rate limit defined that limits the amount of bandwidth it may receive from its parent.

An arbiter that is currently parented by another arbiter cannot be deleted.

Each time the policer-control-policy is applied to either a SAP, or a subscriber (through association with a sub-profile that has the policy applied), or a multiservice site, an instance of the parent policer and the arbiters is created.

Any child policer that uses the arbiter’s name in its parenting command will be associated with the arbiter instance. The child policer will also become associated with any arbiter to which its parent arbiter is parented (grandparent). Having child policers parented to an arbiter does not prevent that arbiter from being removed from the policer-control-policy. When removed, the child policers become orphaned.

You can create up to 31 tiered arbiters within the policer-control-policy on either tier 1 or tier 2 (in addition to the arbiter).

The no form of this command is used to remove an arbiter from tier 1 or tier 2. If the specified arbiter does not exist, the command returns without an error. If the specified arbiter is currently specified as the parent for another arbiter, the command will fail. When an arbiter is removed from a policer-control-policy, all instances of the arbiter will also be removed. Any child policers currently parented to the arbiter instance will become orphans and will not be bandwidth managed by the policer control policy instance's parent policer.

Parameters

arbiter-name

Any unique name within the policy. Up to 31 arbiters may be created.

Platforms

7705 SAR Gen 2

area

area

Syntax

[no] area area-id

Context

[Tree] (config>service>vprn>ospf3 area)

[Tree] (config>service>vprn>ospf area)

Full Context

configure service vprn ospf3 area

configure service vprn ospf area

Description

This command creates the context to configure an OSPF area. An area is a collection of network segments within an AS that have been administratively grouped together. The area ID can be specified in dotted decimal notation or as a 32-bit decimal integer.

The no form of this command deletes the specified area from the configuration. Deleting the area also removes the OSPF configuration of all the interfaces, virtual-links, sham-links, address-ranges and so on, that are currently assigned to this area.

Default

no area — No OSPF areas are defined.

Parameters

area-id

The OSPF area ID expressed in dotted decimal notation or as a 32-bit decimal integer.

Values

0.0.0.0 to 255.255.255.255 (dotted decimal)

0 to 4294967295 (decimal integer)

Platforms

7705 SAR Gen 2

area

Syntax

[no] area area-id

Context

[Tree] (config>router>ospf area)

[Tree] (config>router>ospf3 area)

Full Context

configure router ospf area

configure router ospf3 area

Description

This command creates the context to configure an OSPF or OSPF3 area. An area is a collection of network segments within an AS that have been administratively grouped together. The area ID can be specified in dotted decimal notation or as a 32-bit decimal integer.

The no form of this command deletes the specified area from the configuration. Deleting the area also removes the OSPF configuration of all the interfaces, virtual-links, address-ranges, and so on, that are currently assigned to this area.

Default

no area

Parameters

area-id

The OSPF area ID expressed in dotted decimal notation or as a 32-bit decimal integer.

Values

0.0.0.0 to 255.255.255.255 (dotted decimal), 0 to 4294967295 (decimal integer)

Platforms

7705 SAR Gen 2

area

Syntax

area [area-id]

no area

Context

[Tree] (debug>router>ospf3 area)

[Tree] (debug>router>ospf area)

Full Context

debug router ospf3 area

debug router ospf area

Description

This command enables debugging for an OSPF area.

Parameters

area-id

Specifies the OSPF area ID expressed in dotted decimal notation or as a 32-bit decimal integer.

Values

ip-address — a.b.c.d

area — 0 to 4294967295

Platforms

7705 SAR Gen 2

area

Syntax

area area-id

no area

Context

[Tree] (config>router>policy-options>policy-statement>entry>from area)

Full Context

configure router policy-options policy-statement entry from area

Description

This command configures an OSPF area as a route policy match criterion.

This match criterion is only used in export policies.

All OSPF routes (internal and external) are matched using this criterion if the best path for the route is by the specified area.

The no form of this command removes the OSPF area match criterion.

Default

no area

Parameters

area-id

Specifies the OSPF area ID expressed in dotted decimal notation or as a 32-bit decimal integer.

Values

0.0.0.0 to 255.255.255.255 (dotted decimal), 0 to 4294967295 (decimal)

Platforms

7705 SAR Gen 2

area-id

area-id

Syntax

[no] area-id area-address

Context

[Tree] (config>service>vprn>isis area-id)

Full Context

configure service vprn isis area-id

Description

This command configures the area ID portion of NSAP addresses for the VPRN instance. This identifies a point of connection to the network, such as a router interface, and is called a Network Service Access Point (NSAP). Addresses in the IS-IS protocol are based on the ISO NSAP addresses and Network Entity Titles (NETs), not IP addresses.

A maximum of 3 area addresses can be configured for the VPRN instance.

NSAP addresses are divided into three parts.

  • Area ID — A variable length field between 1 and 13 bytes long. This includes the Authority and Format Identifier (AFI) as the most significant byte and the area ID.

  • System ID — A six-byte system identification. When not configured, the system ID is derived from the configurations for configure router isis router-id, configure router router-id, or system address ipv4 address. If the previous commands are not configured, the system ID defaults to the last four octets of the chassis MAC address.

  • Selector ID — A one-byte selector identification that must contain zeros when configuring a NET. This value is not configurable. The selector ID is always 00.

The NET is constructed like an NSAP but the selector byte contains a 00 value. NET addresses are exchanged in hello and LSP PDUs. All net addresses configured on the node are advertised to its neighbors.

For Level 1 interfaces, neighbors can have different area IDs, but they must have at least one area ID (AFI + area) in common. Sharing a common area ID, they become neighbors and area merging between the potentially different areas can occur.

For Level 2 (only) interfaces, neighbors can have different area IDs. However, if they have no area IDs in common, they become only Level 2 neighbors and Level 2 LSPs are exchanged.

For Level 1 and Level 2 interfaces, neighbors can have different area IDs. If they have at least one area ID (AFI + area) in common, they become neighbors. In addition to exchanging Level 2 LSPs, area merging between potentially different areas can occur.

If multiple area-id commands are entered, the system ID of all subsequent entries must match the first area address.

The no form of this command removes the area address.

Platforms

7705 SAR Gen 2

area-id

Syntax

[no] area-id area-address

Context

[Tree] (config>router>isis area-id)

Full Context

configure router isis area-id

Description

This command was previously named the net network-entity-title command. The area-id command allows you to configure the area ID portion of NSAP addresses which identifies a point of connection to the network, such as a router interface, and is called a Network Service Access Point (NSAP). Addresses in the IS-IS protocol are based on the ISO NSAP addresses and Network Entity Titles (NETs), not IP addresses.

A maximum of three area addresses can be configured.

NSAP addresses are divided into three parts.

  • Area ID — A variable length field between 1 and 13 bytes long. This includes the Authority and Format Identifier (AFI) as the most significant byte and the area ID.

  • System ID — A six-byte system identification. When not configured, the system ID is derived from the configurations for configure router isis router-id, configure router router-id, or system address ipv4 address. If the previous commands are not configured, the system ID defaults to the last four octets of the chassis MAC address.

  • Selector ID — A one-byte selector identification that must contain zeros when configuring a NET. This value is not configurable. The selector ID is always 00.

The NET is constructed like an NSAP but the selector byte contains a 00 value. NET addresses are exchanged in hello and LSP PDUs. All net addresses configured on the node are advertised to its neighbors.

For Level 1 interfaces, neighbors can have different area IDs, but they must have at least one area ID (AFI + area) in common. Sharing a common area ID, they become neighbors and area merging between the potentially different areas can occur.

For Level 2 (only) interfaces, neighbors can have different area IDs. However, if they have no area IDs in common, they become only Level 2 neighbors and Level 2 LSPs are exchanged.

For Level 1 and Level 2 interfaces, neighbors can have different area IDs. If they have at least one area ID (AFI + area) in common, they become neighbors. In addition to exchanging Level 2 LSPs, area merging between potentially different areas can occur.

If multiple area-id commands are entered, the system ID of all subsequent entries must match the first area address.

The no form of this command removes the area address.

Parameters

area-address

Specifies a 1 to 13-byte address. Of the total 20 bytes comprising the NET, only the first 13 bytes can be manually configured. As few as one byte can be entered or, at most, 13 bytes. If fewer than 13 bytes are entered, the rest is padded with zeros.

Platforms

7705 SAR Gen 2
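The NET layout and the area-ID adjacency rules from the two area-id entries above, as an added Python model (not Nokia code). It assumes full NETs written in the usual dotted-hex text form, and it assumes standard IS-IS behavior (Level 2 only) for a Level 1/2 interface with no common area; the function names are hypothetical.

```python
"""Illustrative model of NET parsing and IS-IS area-ID adjacency checks."""

MAX_AREA_ADDRESSES = 3   # the page allows at most three area addresses


def parse_net(net):
    """Split a dotted-hex NET into AFI, area ID, system ID (selector must be 00)."""
    raw = bytes.fromhex(net.replace(".", ""))   # ValueError on non-hex or half bytes
    # 1 to 13 bytes of area ID + 6 bytes of system ID + 1 selector byte
    if not 8 <= len(raw) <= 20:
        raise ValueError("NET must be 8 to 20 bytes long")
    area, system_id, selector = raw[:-7], raw[-7:-1], raw[-1]
    if selector != 0:
        raise ValueError("selector byte of a NET must be 00")
    return {"afi": area[0], "area_id": area.hex(), "system_id": system_id.hex()}


def node_areas(nets):
    """Validate all NETs of one node; return (set of area IDs, system ID)."""
    if not 1 <= len(nets) <= MAX_AREA_ADDRESSES:
        raise ValueError("a node carries 1 to 3 area addresses")
    parsed = [parse_net(n) for n in nets]
    if len({p["system_id"] for p in parsed}) != 1:
        raise ValueError("system ID of every entry must match the first")
    return {p["area_id"] for p in parsed}, parsed[0]["system_id"]


def adjacency_levels(level, local_areas, neighbor_areas):
    """Levels at which two neighbors become adjacent on an interface.

    level is "1", "2" or "1/2" (the interface's level capability).
    """
    common = bool(set(local_areas) & set(neighbor_areas))
    if level == "1":
        return {1} if common else set()     # Level 1 needs a shared area ID
    if level == "2":
        return {2}                          # Level 2 ignores area IDs
    if level == "1/2":
        # Assumption: without a shared area only the Level 2 adjacency forms.
        return {1, 2} if common else {2}
    raise ValueError("level must be '1', '2' or '1/2'")


if __name__ == "__main__":
    # Constructed sample NETs (private AFI 49).
    local, _ = node_areas(["49.0001.1921.6800.1001.00",
                           "49.0002.1921.6800.1001.00"])
    peer, _ = node_areas(["49.0002.1921.6800.1002.00"])
    print(adjacency_levels("1", local, peer))
```
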

area-range

area-range

Syntax

area-range ip-prefix/prefix-length [advertise | not-advertise]

no area-range ip-prefix/mask

area-range ipv6-prefix/prefix-length [advertise | not-advertise]

no area-range ipv6-prefix/prefix-length

Context

[Tree] (config>service>vprn>ospf>area>nssa area-range)

[Tree] (config>service>vprn>ospf>area area-range)

[Tree] (config>service>vprn>ospf3>area area-range)

[Tree] (config>service>vprn>ospf3>area>nssa area-range)

Full Context

configure service vprn ospf area nssa area-range

configure service vprn ospf area area-range

configure service vprn ospf3 area area-range

configure service vprn ospf3 area nssa area-range

Description

This command creates ranges of addresses on an Area Border Router (ABR) for the purpose of route summarization or suppression. When a range is created, it is configured to be advertised or not advertised into other areas. Multiple range commands are used to summarize or hide different ranges. In the case of overlapping ranges, the most specific range command applies.

ABRs send summary link advertisements to describe routes to other areas. To minimize the number of advertisements that are flooded, you can summarize a range of IP addresses and send reachability information about these addresses in an LSA.

The no form of this command deletes the range (non) advertisement.

Default

no area-range

Parameters

ipv6-prefix/prefix-length

The IP prefix, in dotted decimal notation, of the range that the ABR advertises to summarize the area into another area.

Values

ipv6-prefix

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x: [0 to FFFF]H

d: [0 to 255]D

ipv6-prefix-length

0 to 128

mask

The subnet mask for the range expressed as a decimal integer mask length or in dotted decimal notation.

Values

0 to 32 (mask length), 0.0.0.0 to 255.255.255.255 (dotted decimal)

advertise | not-advertise

Specifies whether or not to advertise the summarized range of addresses into other areas. The advertise keyword indicates the range will be advertised, and the keyword not-advertise indicates the range will not be advertised.

The default is advertise.

Platforms

7705 SAR Gen 2

area-range

Syntax

area-range ip-prefix/mask [advertise | not-advertise]

no area-range ip-prefix/mask

Context

[Tree] (config>router>ospf>area area-range)

[Tree] (config>router>ospf>area>nssa area-range)

Full Context

configure router ospf area area-range

configure router ospf area nssa area-range

Description

This command creates ranges of addresses on an Area Border Router (ABR) for the purpose of route summarization or suppression. When a range is created, the range is configured to be advertised or not advertised into other areas. Multiple range commands may be used to summarize or hide different ranges. In the case of overlapping ranges, the most specific range command applies.

ABRs send summary link advertisements to describe routes to other areas. To minimize the number of advertisements that are flooded, you can summarize a range of IP addresses and send reachability information about these addresses in an LSA.

The no form of this command deletes the range (non) advertisement.

Default

no area-range

Parameters

ip-prefix

Specifies the IP prefix, in dotted decimal notation, of the range that the ABR advertises to summarize the area into another area.

Values

ip-prefix/mask: ip-prefix a.b.c.d (host bits must be 0)

mask

Specifies the subnet mask for the range expressed as a decimal integer mask length or in dotted decimal notation.

Values

0 to 32 (mask length), 0.0.0.0 to 255.255.255.255 (dotted decimal)

advertise | not-advertise

Specifies whether to advertise the summarized range of addresses into other areas. The advertise keyword indicates the range will be advertised, and the keyword not-advertise indicates the range will not be advertised.

Default

advertise

Platforms

7705 SAR Gen 2

area-range

Syntax

area-range ipv4-prefix/mask | ipv6-prefix/prefix-length [advertise | not-advertise]

no area-range ipv4-prefix/mask | ipv6-prefix/prefix-length

Context

[Tree] (config>router>ospf3>area>nssa area-range)

[Tree] (config>router>ospf3>area area-range)

Full Context

configure router ospf3 area nssa area-range

configure router ospf3 area area-range

Description

This command creates ranges of addresses on an Area Border Router (ABR) for the purpose of route summarization or suppression. When a range is created, the range is configured to be advertised or not advertised into other areas. Multiple range commands may be used to summarize or hide different ranges. In the case of overlapping ranges, the most specific range command applies.

ABRs send summary link advertisements to describe routes to other areas. To minimize the number of advertisements that are flooded, you can summarize a range of IP addresses and send reachability information about these addresses in an LSA.

The no form of this command deletes the range (non) advertisement.

Default

no area-range

Parameters

ip-prefix/prefix-length

Specifies the IP prefix, in dotted decimal notation, of the range that the ABR advertises to summarize the area into another area.

Values

ip-prefix/mask:

  • ip-prefix a.b.c.d (host bits must be 0)

ipv6-prefix:

  • x:x:x:x:x:x:x:x (eight 16-bit pieces)

  • x:x:x:x:x:x:d.d.d.d

  • x: [0 to FFFF]H

  • d: [0 to 255]D

prefix-length: 0 to 128

advertise | not-advertise

Specifies whether or not to advertise the summarized range of addresses into other areas. The advertise keyword indicates the range will be advertised, and the keyword not-advertise indicates the range will not be advertised.

Default

advertise

Platforms

7705 SAR Gen 2
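How the area-range entries above combine on an ABR (most specific range wins, advertise summarizes, not-advertise suppresses), as an added Python model that is not Nokia code. It assumes standard OSPF behavior that a range is only advertised when at least one route in the area falls inside it; function names and sample prefixes are constructed.

```python
"""Illustrative model of area-range summarization and suppression on an ABR."""
import ipaddress


def parse_range(prefix, action="advertise"):
    """Validate one area-range; the default action is advertise."""
    if action not in ("advertise", "not-advertise"):
        raise ValueError("action must be advertise or not-advertise")
    # strict=True rejects prefixes with host bits set ("host bits must be 0").
    # A dotted-decimal mask such as 10.1.0.0/255.255.0.0 is accepted as well.
    return ipaddress.ip_network(prefix, strict=True), action


def abr_advertisements(area_routes, ranges):
    """Return the prefixes the ABR advertises into other areas, sorted."""
    parsed = [parse_range(prefix, action) for prefix, action in ranges]
    advertised = set()
    for route in (ipaddress.ip_network(r) for r in area_routes):
        covering = [(net, action) for net, action in parsed
                    if net.version == route.version and route.subnet_of(net)]
        if not covering:
            advertised.add(route)       # no range matches: advertised as is
            continue
        # Overlapping ranges: the most specific (longest) range applies.
        net, action = max(covering, key=lambda item: item[0].prefixlen)
        if action == "advertise":
            advertised.add(net)         # replaced by the summary
        # not-advertise: the route is hidden from other areas
    ordered = sorted(advertised, key=lambda n: (n.version, n))
    return [str(n) for n in ordered]


if __name__ == "__main__":
    # Constructed sample data.
    routes = ["10.1.1.0/24", "10.1.2.0/24", "10.1.200.0/24",
              "10.2.0.0/24", "2001:db8:1:1::/64"]
    ranges = [("10.1.0.0/16", "advertise"),
              ("10.1.200.0/255.255.255.0", "not-advertise"),
              ("2001:db8:1::/48", "advertise")]
    for prefix in abr_advertisements(routes, ranges):
        print(prefix)
```

In the sample, 10.1.200.0/24 is suppressed but still lies inside the advertised 10.1.0.0/16 summary, so other areas keep a route toward it. A not-advertise range nested in an advertised one therefore hides the prefix from the routing tables of other areas but does not filter traffic to it.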

area-range

Syntax

area-range [ip-address]

no area-range

Context

[Tree] (debug>router>ospf3 area-range)

[Tree] (debug>router>ospf area-range)

Full Context

debug router ospf3 area-range

debug router ospf area-range

Description

This command enables debugging for an OSPF area range.

Parameters

ip-address

Specifies the IPv4 or IPv6 address for the range used by the ABR to advertise the area into another area.

Values

ipv4-address:

  • a.b.c.d

ipv6-address:

  • x:x:x:x:x:x:x:x (eight 16-bit pieces)

  • x:x:x:x:x:x:d.d.d.d

  • x: [0 to FFFF]H

  • d: [0 to 255]D

Platforms

7705 SAR Gen 2

arp

arp

Syntax

arp

Context

[Tree] (config>service>vprn>if>vpls>evpn arp)

[Tree] (config>service>ies>if>vpls>evpn arp)

Full Context

configure service vprn interface vpls evpn arp

configure service ies interface vpls evpn arp

Description

Commands in this context configure ARP host route parameters.

Platforms

7705 SAR Gen 2

arp

Syntax

arp

Context

[Tree] (debug>router>ip arp)

Full Context

debug router ip arp

Description

This command configures route table debugging.

Platforms

7705 SAR Gen 2

arp-host-route

arp-host-route

Syntax

arp-host-route

Context

[Tree] (config>service>vprn>if arp-host-route)

[Tree] (config>service>ies>if arp-host-route)

Full Context

configure service vprn interface arp-host-route

configure service ies interface arp-host-route

Description

Commands in this context configure ARP host routes to populate.

Platforms

7705 SAR Gen 2

arp-learn-unsolicited

arp-learn-unsolicited

Syntax

[no] arp-learn-unsolicited

Context

[Tree] (config>service>vprn>if arp-learn-unsolicited)

[Tree] (config>router>if arp-learn-unsolicited)

[Tree] (config>service>ies>if arp-learn-unsolicited)

Full Context

configure service vprn interface arp-learn-unsolicited

configure router interface arp-learn-unsolicited

configure service ies interface arp-learn-unsolicited

Description

This command allows the ARP application to learn new entries based on any received ARP message (GARP, ARP-Request, or ARP-Reply; that is, any frame with ethertype 0x0806).

The no form of this command disables the above behavior and causes ARP entries to only be learned when needed, that is, when the router receives an ARP-reply after an ARP-request triggered by received traffic.

Platforms

7705 SAR Gen 2

arp-limit

arp-limit

Syntax

arp-limit limit [log-only] [threshold percent]

no arp-limit

Context

[Tree] (config>service>ies>interface arp-limit)

Full Context

configure service ies interface arp-limit

Description

This command configures the maximum number of dynamic IPv4 ARP entries that can be learned on an IP interface.

When the number of dynamic ARP entries reaches the configured percentage of this limit, a log event is raised. When the limit is exceeded, no new entries are learned until an entry expires, and traffic to these destinations is dropped. Entries that have already been learned are refreshed.

The no form of this command removes the arp-limit.

Default

no arp-limit

Parameters

log-only

Enables the warning message to be sent at the specified threshold percentage, and also when the limit is exceeded. However, entries above the limit will be learned.

percent

The threshold value (as a percentage) that triggers a warning message to be sent.

Values

0 to 100

Default

90

limit

The number of entries that can be learned on an IP interface expressed as a decimal integer. If the limit is set to 0, dynamic ARP learning is disabled and no dynamic ARP entries are learned.

Values

0 to 524288

Platforms

7705 SAR Gen 2

arp-limit

Syntax

arp-limit limit [log-only] [threshold percent]

no arp-limit

Context

[Tree] (config>service>vprn>if arp-limit)

Full Context

configure service vprn interface arp-limit

Description

This command configures the maximum number of dynamic IPv4 ARP entries that can be learned on an IP interface.

When the number of dynamic ARP entries reaches the configured percentage of this limit, an SNMP trap is sent. When the limit is exceeded, no new entries are learned until an entry expires, and traffic to these destinations is dropped. Entries that have already been learned are refreshed.

The no form of this command removes the arp-limit.

Default

90 percent

Parameters

log-only

Enables the warning message to be sent at the specified threshold percentage, and also when the limit is exceeded. However, entries above the limit will be learned.

percent

The threshold value (as a percentage) that triggers a warning message to be sent.

Values

0 to 100

limit

The number of entries that can be learned on an IP interface expressed as a decimal integer. If the limit is set to 0, dynamic ARP learning is disabled and no dynamic ARP entries are learned.

Values

0 to 524288

Platforms

7705 SAR Gen 2

arp-limit

Syntax

arp-limit limit [log-only] [threshold percent]

no arp-limit

Context

[Tree] (config>router>if arp-limit)

Full Context

configure router interface arp-limit

Description

This command configures the maximum number of dynamic IPv4 ARP entries that can be learned on an IP interface.

When the number of dynamic ARP entries reaches the configured percentage of this limit, an SNMP trap is sent. When the limit is exceeded, no new entries are learned until an entry expires, and traffic to these destinations is dropped. Entries that have already been learned are refreshed.

The no form of this command removes the arp-limit.

Default

no arp-limit

Parameters

limit

The number of entries that can be learned on an IP interface expressed as a decimal integer. If the limit is set to 0, dynamic ARP learning is disabled and no dynamic ARP entries are learned.

Values

0 to 524288

log-only

Enables the warning message to be sent at the specified threshold percentage, and also when the limit is exceeded. However, entries above the limit will be learned.

percent

The threshold value (as a percentage) that triggers a warning message to be sent.

Values

0 to 100

Platforms

7705 SAR Gen 2
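The arp-limit behavior described in the three entries above (threshold warning, hard limit, log-only, limit 0), as an added Python model that is not Nokia code. The rounding of the threshold count, one event per rejected learn attempt, and the 90 percent default taken from the IES entry are assumptions; the addresses are constructed.

```python
"""Illustrative model of arp-limit limit [log-only] [threshold percent]."""
import math


class ArpLimit:
    """Dynamic ARP table of one IP interface with an arp-limit applied."""

    def __init__(self, limit, log_only=False, threshold=90):
        if not 0 <= limit <= 524288:
            raise ValueError("limit must be 0 to 524288")
        if not 0 <= threshold <= 100:
            raise ValueError("threshold must be 0 to 100")
        self.limit, self.log_only = limit, log_only
        # Assumption: the threshold count is rounded up to a whole entry.
        self.threshold_count = math.ceil(limit * threshold / 100)
        self.entries = set()
        self.events = []

    def learn(self, ip):
        """Offer one dynamic entry; True if it is in the table afterwards."""
        if ip in self.entries:
            return True                 # learned entries are still refreshed
        if self.limit == 0:
            return False                # limit 0 disables dynamic learning
        if len(self.entries) >= self.limit:
            self.events.append("limit-exceeded")
            if not self.log_only:
                return False            # not learned: traffic to it is dropped
        self.entries.add(ip)            # log-only learns above the limit
        if len(self.entries) == self.threshold_count:
            self.events.append("threshold")
        return True

    def expire(self, ip):
        """Age out one entry, freeing room for a new one."""
        self.entries.discard(ip)


def offer_burst(limit, log_only, count):
    """Offer count distinct constructed addresses; return (table size, events)."""
    table = ArpLimit(limit, log_only=log_only)
    for i in range(count):
        table.learn(f"192.0.2.{i + 1}")
    return len(table.entries), table.events


if __name__ == "__main__":
    for mode in (False, True):
        size, events = offer_burst(10, mode, 50)
        print("log-only" if mode else "enforced", size,
              events.count("threshold"), events.count("limit-exceeded"))
```

With a burst of 50 new senders against a limit of 10, the enforced table stops at 10 entries while the log-only table grows to 50, so log-only gives visibility but no protection against table growth.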

arp-nd-extended-community-advertisement

arp-nd-extended-community-advertisement

Syntax

[no] arp-nd-extended-community-advertisement

Context

[Tree] (config>service>vpls>bgp-evpn arp-nd-extended-community-advertisement)

Full Context

configure service vpls bgp-evpn arp-nd-extended-community-advertisement

Description

This command enables the advertisement of the RFC 9047 ARP/ND extended community along with the MAC/IP routes that are advertised for local static and dynamic proxy ARP or ND entries. This command also controls the processing of the ARP/ND extended community and the selection of ARP or ND entries based on the immutable flag.

The no form of this command disables the advertisement of the RFC 9047 ARP/ND extended community.

Default

no arp-nd-extended-community-advertisement

Platforms

7705 SAR Gen 2

arp-nd-only-with-fdb-advertisement

arp-nd-only-with-fdb-advertisement

Syntax

[no] arp-nd-only-with-fdb-advertisement

Context

[Tree] (config>service>vpls>bgp-evpn arp-nd-only-with-fdb-advertisement)

Full Context

configure service vpls bgp-evpn arp-nd-only-with-fdb-advertisement

Description

This command enables the router to advertise local ARP/ND entries of VPRN interfaces using this VPLS BGP-EVPN service when the corresponding local MAC is programmed in the FDB.

The no form of this command disables the advertisement of the ARP/ND entries.

Default

no arp-nd-only-with-fdb-advertisement

Platforms

7705 SAR Gen 2

arp-populate

arp-populate

Syntax

[no] arp-populate

Context

[Tree] (config>service>vprn>if arp-populate)

[Tree] (config>service>ies>if arp-populate)

Full Context

configure service vprn interface arp-populate

configure service ies interface arp-populate

Description

This command, when enabled, disables dynamic learning of ARP entries. Instead, the ARP table is populated with static and dynamic entries from the DHCP Lease State Table (enabled with lease-populate), and optionally with static entries entered with the static-host command.

The host’s IP address and MAC address are placed in the system ARP cache as a managed entry. Static hosts must be defined on the interface using the static-host command. Dynamic hosts are enabled on the system through enabling lease-populate in the IP interface DHCP context.

In the event that both a static host and a dynamic host share the same IP and MAC address, the system’s ARP cache retains the host information until both the static and dynamic information are removed.

Both static and dynamic hosts override static ARP entries. Static ARP entries are marked as inactive when they conflict with static or dynamic hosts and will be repopulated once all static and dynamic host information for the IP address are removed. Since static ARP entries are not possible when static subscriber hosts are defined or when DHCP lease state table population is enabled, conflict between static ARP entries and the arp-populate function is not an issue.

Enabling the arp-populate command removes any dynamic ARP entries learned on this interface from the ARP cache.

The arp-populate command fails if an existing static ARP entry exists for this interface.

When arp-populate is enabled, the system does not send out ARP requests for hosts that are not in the ARP cache. Only statically configured and DHCP learned hosts are reachable through an IP interface with arp-populate enabled. The arp-populate command can only be enabled on IES and VPRN interfaces supporting Ethernet encapsulation.

The no form of this command disables ARP cache population functions for static and dynamic hosts on the interface. All static and dynamic host information for this interface is removed from the system’s ARP cache. Any existing static ARP entries previously inactive due to static or dynamic hosts will be populated in the system ARP cache.

Default

no arp-populate

Platforms

7705 SAR Gen 2

arp-proactive-refresh

arp-proactive-refresh

Syntax

[no] arp-proactive-refresh

Context

[Tree] (config>service>ies>if arp-proactive-refresh)

Full Context

configure service ies interface arp-proactive-refresh

Description

This command enables the router to always send out a single refresh message, with no retries, 30 seconds prior to the timeout of the entry.

The no form of this command sets the default behavior, in which an entry is marked as stale 30 seconds prior to age-out, and the router only sends an ARP request to refresh the entry if the IOM receives traffic that uses it. If so, the IOM asks the ARP application to send a refresh message. With arp-proactive-refresh enabled, the ARP module sends a refresh message regardless of whether the IOM receives traffic.

Platforms

7705 SAR Gen 2

arp-proactive-refresh

Syntax

[no] arp-proactive-refresh

Context

[Tree] (config>service>vprn>if arp-proactive-refresh)

Full Context

configure service vprn interface arp-proactive-refresh

Description

This command enables the router to always send out a refresh message 30 seconds prior to the timeout of the entry (a single refresh message with no retries).

The no form of this command sets the default behavior, in which an entry is marked as stale 30 seconds prior to age-out, and the router only sends an ARP request to refresh the entry if the IOM receives traffic that uses it. If so, the IOM asks the ARP application to send a refresh message. With arp-proactive-refresh enabled, the ARP module sends a refresh message regardless of the IOM receiving traffic.

Platforms

7705 SAR Gen 2

arp-proactive-refresh

Syntax

[no] arp-proactive-refresh

Context

[Tree] (config>router>if arp-proactive-refresh)

Full Context

configure router interface arp-proactive-refresh

Description

This command enables the router to always send out a refresh message 30 seconds prior to the timeout of the entry (a single refresh message with no retries).

The no form of this command sets the default behavior, in which an entry is marked as stale 30 seconds prior to age-out, and the router only sends an ARP request to refresh the entry if the IOM receives traffic that uses it. If so, the IOM asks the ARP application to send a refresh message. With arp-proactive-refresh enabled, the ARP module sends a refresh message regardless of the IOM receiving traffic.

Platforms

7705 SAR Gen 2

arp-retry-timer

arp-retry-timer

Syntax

arp-retry-timer timer-multiple

no arp-retry-timer

Context

[Tree] (config>service>ies>if arp-retry-timer)

Full Context

configure service ies interface arp-retry-timer

Description

This command allows the ARP retry timer to be configured to a specific value.

The timer value is entered as a multiple of 100 ms. For example, a timer value of 1 means the ARP timer is set to 100 ms.

The no form of this command removes the command from the active configuration and returns the ARP retry timer to its default value of 5 seconds.

Default

arp-retry-timer 50

Parameters

timer-multiple

Specifies the multiple of 100 ms that the ARP retry timer will be configured as.

Values

1 to 300 (equivalent to a timer range of 100 ms to 30,000 ms)

Platforms

7705 SAR Gen 2

arp-retry-timer

Syntax

arp-retry-timer timer-multiple

no arp-retry-timer

Context

[Tree] (config>service>vprn>if arp-retry-timer)

[Tree] (config>service>vprn>network-interface arp-retry-timer)

Full Context

configure service vprn interface arp-retry-timer

configure service vprn network-interface arp-retry-timer

Description

This command allows the ARP retry timer to be configured to a specific value.

The timer value is entered as a multiple of 100 ms. For example, a timer value of 1 means the ARP timer is set to 100 ms.

The no form of this command removes the command from the active configuration and returns the ARP retry timer to its default value of 5 s.

Default

arp-retry-timer 50

Parameters

timer-multiple

Specifies the multiple of 100 ms that the ARP retry timer will be configured as.

Values

1 to 300 (equivalent to a timer range of 100 ms to 30,000 ms)

Platforms

7705 SAR Gen 2

arp-retry-timer

Syntax

arp-retry-timer timer-multiple

no arp-retry-timer

Context

[Tree] (config>router>if arp-retry-timer)

Full Context

configure router interface arp-retry-timer

Description

This command allows the ARP retry timer to be configured to a specific value.

The timer value is entered as a multiple of 100 ms. For example, a timer value of 1 means the ARP timer is set to 100 ms.

The no form of this command removes the command from the active configuration and returns the ARP retry timer to its default value of 5 seconds.

Default

arp-retry-timer 50

Parameters

timer-multiple

Specifies the multiple of 100 ms that the ARP retry timer will be configured as.

Values

1 to 300 (equivalent to a timer range of 100 ms to 30,000 ms)

Platforms

7705 SAR Gen 2

arp-timeout

arp-timeout

Syntax

arp-timeout seconds

no arp-timeout

Context

[Tree] (config>service>vprn>if arp-timeout)

[Tree] (config>service>ies>if arp-timeout)

Full Context

configure service vprn interface arp-timeout

configure service ies interface arp-timeout

Description

This command configures the minimum time in seconds an ARP entry learned on the IP interface is stored in the ARP table. ARP entries are automatically refreshed when an ARP request or gratuitous ARP is seen from an IP host. Otherwise, the ARP entry is aged from the ARP table. If arp-timeout is set to a value of zero seconds, ARP aging is disabled.

When the arp-populate and lease-populate commands are enabled on an interface, the ARP table entries are no longer dynamically learned, but are instead learned by snooping DHCP ACK messages from a DHCP server. In this case, the configured arp-timeout value has no effect.

The default value for arp-timeout is 14400 seconds (4 hours).

The no form of this command reverts to the default value.

Default

arp-timeout 14400

Parameters

seconds

Specifies the minimum number of seconds a learned ARP entry is stored in the ARP table, expressed as a decimal integer. A value of zero specifies that the timer is inoperative and learned ARP entries will not be aged.

Values

0 to 65535

Platforms

7705 SAR Gen 2

arp-timeout

Syntax

arp-timeout seconds

no arp-timeout

Context

[Tree] (config>service>vpls>interface arp-timeout)

Full Context

configure service vpls interface arp-timeout

Description

This command configures the minimum time in seconds an ARP entry learned on the IP interface is stored in the ARP table. ARP entries are automatically refreshed when an ARP request or gratuitous ARP is seen from an IP host. Otherwise, the ARP entry is aged from the ARP table. If arp-timeout is set to a value of zero seconds, ARP aging is disabled.

The default value for arp-timeout is 14400 seconds (4 hours).

The no form of this command restores arp-timeout to the default value.

Default

arp-timeout 14400

Parameters

seconds

The minimum number of seconds a learned ARP entry will be stored in the ARP table, expressed as a decimal integer. A value of zero specifies that the timer is inoperative and learned ARP entries will not be aged.

Values

0 to 65535

Platforms

7705 SAR Gen 2

arp-timeout

Syntax

arp-timeout seconds

no arp-timeout

Context

[Tree] (config>router>if arp-timeout)

Full Context

configure router interface arp-timeout

Description

This command configures the minimum time, in seconds, an ARP entry learned on the IP interface is stored in the ARP table. ARP entries are automatically refreshed when an ARP request or gratuitous ARP is seen from an IP host. Otherwise, the ARP entry is aged from the ARP table. If the arp-timeout value is set to 0 seconds, ARP aging is disabled.

The no form of this command reverts to the default value.

Default

no arp-timeout

Parameters

seconds

The minimum number of seconds a learned ARP entry is stored in the ARP table, expressed as a decimal integer. A value of 0 specifies that the timer is inoperative and learned ARP entries will not be aged.

Values

0 to 65535

Platforms

7705 SAR Gen 2

as-override

as-override

Syntax

[no] as-override

Context

[Tree] (config>service>vprn>bgp>group as-override)

[Tree] (config>service>vprn>bgp>group>neighbor as-override)

Full Context

configure service vprn bgp group as-override

configure service vprn bgp group neighbor as-override

Description

This command replaces all instances of the peer's AS number with the local AS number in a BGP route's AS_PATH.

This command breaks BGP's loop detection mechanism. It should be used carefully.

Default

no as-override

Platforms

7705 SAR Gen 2

as-override

Syntax

[no] as-override

Context

[Tree] (config>router>bgp>group>neighbor as-override)

[Tree] (config>router>bgp>group as-override)

Full Context

configure router bgp group neighbor as-override

configure router bgp group as-override

Description

This command enables BGP to monitor the outbound routes toward the peer and whenever there is a route with the peer’s autonomous system number (ASN) in the AS_PATH, all occurrences are removed and replaced with the advertising router’s local ASN (or its confederation ID if the peer is outside the confederation).

In the group context, the no form of this command disables the functionality. In the neighbor context, the no form of this command causes the setting to be inherited from the group level.

Default

no as-override

Platforms

7705 SAR Gen 2
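Why as-override defeats AS_PATH loop detection, as described in the two as-override entries above, shown as an added Python model that is not Nokia code. It covers only an EBGP peer outside any confederation boundary; the function names are hypothetical and the AS numbers are constructed from the documentation range.

```python
"""Illustrative model of as-override and EBGP AS_PATH loop detection."""


def advertise(as_path, local_as, peer_as, as_override=False, confed_id=None):
    """AS_PATH sent to an EBGP peer that is outside any confederation.

    With as_override, every occurrence of the peer's ASN is replaced by the
    advertising router's own ASN (its confederation ID when one is set),
    then that same ASN is prepended as for any EBGP advertisement.
    """
    own_as = confed_id if confed_id is not None else local_as
    if as_override:
        as_path = [own_as if asn == peer_as else asn for asn in as_path]
    return [own_as] + as_path


def peer_accepts(as_path, peer_as):
    """Standard loop detection: reject a path that contains the receiver's ASN."""
    return peer_as not in as_path


def scenario(as_override):
    """Two customer sites share AS 64501 behind provider AS 64500 (constructed).

    Returns the path the second site receives for a route originated by the
    first site, and whether it accepts that path.
    """
    provider_as, customer_as = 64500, 64501
    received = advertise([customer_as], provider_as, customer_as, as_override)
    return received, peer_accepts(received, customer_as)


if __name__ == "__main__":
    print(scenario(False))   # path still carries 64501: rejected as a loop
    print(scenario(True))    # 64501 rewritten: accepted
```

The receiving site cannot tell a route from the other site apart from its own route coming back, because both arrive with the customer ASN rewritten. That is the loop-detection loss the description warns about.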

as-path

as-path

Syntax

[no] as-path name

Context

[Tree] (config>router>policy-options as-path)

Full Context

configure router policy-options as-path

Description

This command creates a route policy AS path to use in route policy entries.

The no form of this command deletes the AS path.

Default

no as-path

Parameters

name

The AS path regular expression name. Allowed values are any string up to 32 characters long composed of printable, 7-bit ASCII characters. If the string contains special characters (#, ?, space), the entire string must be enclosed within double quotes.

Platforms

7705 SAR Gen 2

as-path

Syntax

as-path name

no as-path

Context

[Tree] (config>router>policy-options>policy-statement>entry>from as-path)

Full Context

configure router policy-options policy-statement entry from as-path

Description

This command configures an AS path regular expression statement as a match criterion for the route policy entry.

If no AS path criterion is specified, any AS path is considered to match.

AS path regular expression statements are configured at the global route policy level (config>router>policy-options>as-path name).

The no form of this command removes the AS path regular expression statement as a match criterion.

Default

no as-path

Parameters

name

Specifies the AS path regular expression name. Allowed values are any string up to 32 characters long composed of printable, 7-bit ASCII characters. If the string contains special characters (#, ?, space), the entire string must be enclosed within double quotes. Policy parameters must be enclosed by at-signs (@) and may be midstring; for example, "@variable@", "start@variable@end", "@variable@end", or "start@variable@".

Platforms

7705 SAR Gen 2

as-path

Syntax

as-path {add | replace} name

no as-path

Context

[Tree] (config>router>policy-options>policy-statement>default-action as-path)

[Tree] (config>router>policy-options>policy-statement>entry>action as-path)

Full Context

configure router policy-options policy-statement default-action as-path

configure router policy-options policy-statement entry action as-path

Description

This command assigns a BGP AS path list to routes matching the route policy statement entry.

If no AS path list is specified, the AS path attribute is not changed.

The no form of this command disables the AS path list editing action from the route policy entry.

Default

no as-path

Parameters

add

Specifies that the AS path list is to be prepended to an existing AS list.

replace

Specifies that the AS path list replaces any existing AS path attribute.

name

Specifies the AS path list name. Allowed values are any string up to 32 characters long composed of printable, 7-bit ASCII characters. If the string contains special characters (#, ?, space), the entire string must be enclosed within double quotes. Policy parameters must be enclosed by at-signs (@) and may be midstring; for example, "@variable@", "start@variable@end", "@variable@end", or "start@variable@".

The name specified must already be defined.

Platforms

7705 SAR Gen 2

as-path-group

as-path-group

Syntax

[no] as-path-group name

Context

[Tree] (config>router>policy-options as-path-group)

Full Context

configure router policy-options as-path-group

Description

This command creates a route policy AS path regular expression statement to use in route policy entries.

The no form of this command deletes the AS path regular expression statement.

Default

no as-path-group

Parameters

name

Specifies the AS path regular expression name. Allowed values are any string up to 32 characters composed of printable, 7-bit ASCII characters. If the string contains special characters (#, ?, space), the entire string must be enclosed within double quotes. Policy parameters must start and end with at-signs (@); for example, "@variable@".

Platforms

7705 SAR Gen 2

as-path-group

Syntax

as-path-group name

no as-path-group name

Context

[Tree] (config>router>policy-options>policy-statement>entry>from as-path-group)

Full Context

configure router policy-options policy-statement entry from as-path-group

Description

This command creates a route policy AS path regular expression statement to use in route policy entries.

The no form of this command deletes the AS path regular expression statement.

Default

no as-path-group

Parameters

name

Specifies the AS path regular expression name. Allowed values are any string up to 32 characters long composed of printable, 7-bit ASCII characters. If the string contains special characters (#, ?, space), the entire string must be enclosed within double quotes. Policy parameters must be enclosed by at-signs (@) and may be midstring; for example, "@variable@", "start@variable@end", "@variable@end", or "start@variable@".

Platforms

7705 SAR Gen 2

as-path-ignore

as-path-ignore

Syntax

as-path-ignore [ipv4] [ipv6] [label-ipv4] [label-ipv6]

no as-path-ignore

Context

[Tree] (config>service>vprn>bgp>path-selection as-path-ignore)

Full Context

configure service vprn bgp best-path-selection as-path-ignore

Description

This command configures whether AS path length is considered in the selection of the best BGP route for a prefix.

If an address family is listed in this command, the length of AS paths is not a factor in the route selection process for routes of that address family.

The no form of this command removes the parameter from the configuration.

Default

no as-path-ignore

Parameters

ipv4

Specifies that the AS path length is ignored for all unlabeled unicast IPv4 routes.

ipv6

Specifies that the AS path length is ignored for all unlabeled unicast IPv6 routes.

label-ipv4

Specifies that the AS path length is ignored for all labeled unicast IPv4 routes.

label-ipv6

Specifies that the AS path length is ignored for all labeled unicast IPv6 routes.

Platforms

7705 SAR Gen 2

as-path-ignore

Syntax

as-path-ignore [ipv4] [label-ipv4] [vpn-ipv4] [ipv6] [label-ipv6] [vpn-ipv6] [mcast-ipv4] [mcast-ipv6] [mvpn-ipv4] [mvpn-ipv6] [l2-vpn]

no as-path-ignore

Context

[Tree] (config>router>bgp>best-path-selection as-path-ignore)

Full Context

configure router bgp best-path-selection as-path-ignore

Description

This command configures whether AS path length is considered in the selection of the best BGP route for a prefix.

If an address family is listed in this command, then the length of AS paths is not a factor in the route selection process for routes of that address family.

The no form of this command removes the parameter from the configuration.

Default

no as-path-ignore

Parameters

ipv4

Specifies that the AS-path length will be ignored for all unlabeled unicast IPv4 routes.

label-ipv4

Specifies that the AS-path length will be ignored for all labeled-unicast IPv4 routes.

vpn-ipv4

Specifies that the AS-path length will be ignored for all VPN IPv4 (SAFI 128) routes.

ipv6

Specifies that the AS-path length will be ignored for all unlabeled unicast IPv6 routes.

label-ipv6

Specifies that the AS-path length will be ignored for all labeled-unicast IPv6 routes.

vpn-ipv6

Specifies that the AS-path length will be ignored for all VPN IPv6 (SAFI 128) routes.

mcast-ipv4

Specifies that the AS-path length will be ignored for all IPv4 multicast routes.

mcast-ipv6

Specifies that the AS-path length will be ignored for all IPv6 multicast routes.

mvpn-ipv4

Specifies that the AS-path length will be ignored for all IPv4 MVPN routes.

mvpn-ipv6

Specifies that the AS-path length will be ignored for all IPv6 MVPN routes.

l2-vpn

Specifies that the AS-path length will be ignored for all L2-VPN NLRIs.

Platforms

7705 SAR Gen 2

as-path-length

as-path-length

Syntax

as-path-length length [equal | or-higher | or-lower] [unique]

no as-path-length

Context

[Tree] (config>router>policy-options>policy-statement>entry>from as-path-length)

Full Context

configure router policy-options policy-statement entry from as-path-length

Description

This command matches BGP routes based on their AS path length (the number of AS numbers in the AS_PATH).

If no comparison qualifiers are present (equal, or-higher, or-lower), then equal is the implied default.

Confederation member AS numbers in the AS_PATH do not count towards the total. An AS_SET element is considered to have a length of 1.

The unique option counts.

A non-BGP route does not match a policy entry if it contains the as-path-length command.

Default

no as-path-length

Parameters

length

Specifies the length of the AS path.

Values

0 to 255, or a parameter name delimited by starting and ending at-sign (@) characters

equal

Specifies that matched routes should have the same number of AS path elements as the value specified.

or-higher

Specifies that matched routes should have the same or a greater number of AS path elements as the value specified.

or-lower

Specifies that matched routes should have the same or a lower number of AS path elements as the value specified.

unique

Specifies that only the unique AS numbers should be counted (that is, multiple occurrences of the same AS number in the sequence count as one).
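
The counting and comparison rules above, worked through on one path as an added example (not Nokia code). The segment-type names, the function names and the sample ASNs are assumptions; the example also assumes that with unique an AS_SET still counts as 1.

```python
# Added illustration, not Nokia code: AS_PATH as (segment_type, [ASNs]) tuples.
CONFED_SEGMENTS = {"AS_CONFED_SEQUENCE", "AS_CONFED_SET"}


def as_path_length(segments, unique=False):
    """Length as the as-path-length description counts it."""
    total = 0
    seen = set()
    for seg_type, asns in segments:
        if seg_type in CONFED_SEGMENTS:
            continue                      # confederation member ASNs do not count
        if seg_type == "AS_SET":
            total += 1                    # an AS_SET counts as 1, whatever its size
            continue
        if seg_type != "AS_SEQUENCE":
            raise ValueError(f"unknown segment type: {seg_type}")
        for asn in asns:
            if unique and asn in seen:
                continue                  # repeated ASN counts once with `unique`
            seen.add(asn)
            total += 1
    return total


def matches(segments, length, qualifier="equal", unique=False, is_bgp=True):
    """Evaluate `as-path-length length [equal | or-higher | or-lower] [unique]`."""
    if not is_bgp:
        return False                      # a non-BGP route never matches
    if not 0 <= length <= 255:
        raise ValueError("length must be 0 to 255")
    n = as_path_length(segments, unique)
    if qualifier == "equal":              # implied default when no qualifier is given
        return n == length
    if qualifier == "or-higher":
        return n >= length
    if qualifier == "or-lower":
        return n <= length
    raise ValueError(f"unknown qualifier: {qualifier}")


# Constructed path: confederation segment, a sequence with one ASN prepended
# three times, and a two-member AS_SET.
SAMPLE_PATH = [
    ("AS_CONFED_SEQUENCE", [65101, 65102]),
    ("AS_SEQUENCE", [64500, 64500, 64500, 64496]),
    ("AS_SET", [64497, 64498]),
]

if __name__ == "__main__":
    print("length:", as_path_length(SAMPLE_PATH))
    print("unique length:", as_path_length(SAMPLE_PATH, unique=True))
    print("4 or-higher:", matches(SAMPLE_PATH, 4, "or-higher"))
    print("4 or-higher unique:", matches(SAMPLE_PATH, 4, "or-higher", unique=True))
```

A length filter meant to catch heavily prepended paths behaves differently with unique, because the repeated ASN is then counted once.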

Platforms

7705 SAR Gen 2

as-path-prepend

as-path-prepend

Syntax

as-path-prepend as-path [repeat]

as-path-prepend most-recent [repeat]

no as-path-prepend

Context

[Tree] (config>router>policy-options>policy-statement>default-action as-path-prepend)

[Tree] (config>router>policy-options>policy-statement>entry>action as-path-prepend)

Full Context

configure router policy-options policy-statement default-action as-path-prepend

configure router policy-options policy-statement entry action as-path-prepend

Description

This command prepends a BGP AS number once or numerous times to the AS path attribute of routes matching the route policy statement entry.

If an AS number is not configured, the AS path is not changed.

If the optional number is specified, then the AS number is prepended as many times as indicated by the number.

The no form of this command disables the AS path prepend action from the route policy entry.

Default

no as-path-prepend

Parameters

as-path

Specifies the AS number to prepend expressed as a decimal integer.

Values

1 to 4294967295

param-name — Specifies the AS path parameter variable name. Allowed values are any string up to 32 characters composed of printable, 7-bit ASCII characters. If the string contains special characters (#, ?, space), the entire string must be enclosed within double quotes. Policy parameters must start and end with at-signs (@); for example, "@variable@".

repeat

Specifies the number of times to prepend the specified AS number expressed as a decimal integer.

Values

1 to 50

param-name — Specifies the AS path parameter variable name. Allowed values are any string up to 32 characters composed of printable, 7-bit ASCII characters. If the string contains special characters (#, ?, space), the entire string must be enclosed within double quotes. Policy parameters must start and end with at-signs (@); for example, "@variable@".

most-recent

Specifies that the most recent AS number must be prepended to the AS-Path attribute of the route.

Platforms

7705 SAR Gen 2

asbr

asbr

Syntax

[no] asbr [trace-path domain-id]

no asbr

[no] asbr

Context

[Tree] (config>router>ospf asbr)

[Tree] (config>router>ospf3 asbr)

Full Context

configure router ospf asbr

configure router ospf3 asbr

Description

This command configures the router as an Autonomous System Boundary Router (ASBR) if the router is to be used to export routes from the Routing Table Manager (RTM) into this instance of OSPF. After a router is configured as an ASBR, the export policies into this OSPF domain take effect. If no policies are configured, no external routes are redistributed into the OSPF domain.

The no form of this command removes the ASBR status and withdraws the routes redistributed from the Routing Table Manager into this instance of OSPF from the link state database.

When configuring multiple instances of OSPF, there is a risk of loops because networks are advertised by multiple domains configured with multiple interconnections to one another. To prevent this from happening, all routers in a domain should be configured with the same domain ID. Each domain (OSPF-instance) should be assigned a specific bit value in the 32-bit tag mask.

When an external route is originated by an ASBR using an internal OSPF route in a given domain, the corresponding bit is set in the AS-external LSA. As the route gets redistributed from one domain to another, more bits are set in the tag mask, each corresponding to the OSPF domain the route visited. Route redistribution looping is prevented by checking the corresponding bit as part of the export policy; if the bit corresponding to the announcing OSPF process is already set, the route is not exported there.

Domain IDs are incompatible with any other use of normal tags. The domain ID should be configured with a value between 1 and 31 by each router in a given OSPF domain (OSPF Instance).

When an external route is originated by an ASBR using an internal OSPF route in a given domain, the corresponding (1-31) bit is set in the AS-external LSA.
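
The tag-mask loop prevention described above, as an added simulation (not Nokia code). The mapping of domain ID n to bit n of the tag, the three-domain topology and all function names are assumptions made for the illustration.

```python
# Added illustration, not Nokia code: a toy model of the domain-ID tag mask.
from collections import deque


def domain_bit(domain_id):
    """Tag-mask bit for an OSPF domain ID (valid IDs on the page: 1 to 31)."""
    if not 1 <= domain_id <= 31:
        raise ValueError("domain-id must be 1 to 31")
    return 1 << domain_id  # assumption: domain-id n maps to bit n of the 32-bit tag


def redistribute(tag, from_domain, into_domain):
    """Export-policy check plus tagging for one ASBR hop.

    Returns the tag carried into `into_domain`, or None when the route is
    not exported because that domain's bit is already set.
    """
    if tag & domain_bit(into_domain):
        return None
    return tag | domain_bit(from_domain)


def propagate(links, origin, loop_check=True):
    """Redistribute one route that is internal to `origin` across all ASBR links.

    Returns (reached, re_entries): the tag seen on first arrival in each
    domain, and every domain path that carried the route back into a domain
    it had already visited.
    """
    reached, re_entries = {}, []
    queue = deque([(origin, 0, (origin,))])
    while queue:
        domain, tag, path = queue.popleft()
        for nxt in sorted(links[domain]):
            if loop_check:
                new_tag = redistribute(tag, domain, nxt)
                if new_tag is None:
                    continue                  # blocked by the export policy
            else:
                new_tag = tag | domain_bit(domain)
            new_path = path + (nxt,)
            if nxt in path:
                re_entries.append(new_path)   # route looped back; stop following it
                continue
            reached.setdefault(nxt, new_tag)
            queue.append((nxt, new_tag, new_path))
    return reached, re_entries


# Constructed topology: three OSPF domains, each pair joined by an ASBR.
LINKS = {1: {2, 3}, 2: {1, 3}, 3: {1, 2}}

if __name__ == "__main__":
    for check in (True, False):
        reached, loops = propagate(LINKS, origin=1, loop_check=check)
        print(f"loop_check={check}: reached={reached} re-entries={loops}")
```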

Default

no asbr

Parameters

domain-id

Specifies the domain ID.

Values

1 to 31

Default

0

Platforms

7705 SAR Gen 2

assert

assert

Syntax

assert [group grp-ip-address] [source ip-address] [detail]

no assert

Context

[Tree] (debug>router>pim assert)

Full Context

debug router pim assert

Description

This command enables debugging for the PIM assert mechanism.

The no form of this command disables PIM assert debugging.

Parameters

grp-ip-address

Debugs information associated with the PIM assert mechanism.

Values

multicast group address (ipv4, ipv6)

ip-address

Debugs information associated with the PIM assert mechanism.

Values

source address (ipv4, ipv6)

detail

Debugs detailed information on the PIM assert mechanism.

Platforms

7705 SAR Gen 2

assert-period

assert-period

Syntax

assert-period assert-period

no assert-period

Context

[Tree] (config>service>vprn>pim>if assert-period)

Full Context

configure service vprn pim interface assert-period

Description

This command configures the period in seconds for periodic refreshes of PIM Assert messages on an interface.

The no form of this command reverts to the default.

Default

assert-period 60

Parameters

assert-period

Specifies the period, in seconds, for periodic refreshes of PIM Assert messages on an interface.

Values

1 to 300

Platforms

7705 SAR Gen 2

assert-period

Syntax

assert-period assert-period

no assert-period

Context

[Tree] (config>router>pim>interface assert-period)

Full Context

configure router pim interface assert-period

Description

This command configures the period for periodic refreshes of PIM Assert messages on an interface.

The no form of this command removes the assert-period from the configuration.

Default

no assert-period

Parameters

assert-period

Specifies the period, in seconds, for periodic refreshes of PIM Assert messages on an interface.

Values

1 to 300

Platforms

7705 SAR Gen 2

assignment

assignment

Syntax

assignment {port port-id | card slot-number}

no assignment

Context

[Tree] (config>service>cust>multi-service-site assignment)

Full Context

configure service customer multi-service-site assignment

Description

This command assigns a multi-service customer site to a specific chassis slot, port, or channel. This allows the system to allocate the resources necessary to create the virtual schedulers defined in the ingress and egress scheduler policies as they are specified. This also verifies that each SAP assigned to the site exists within the context of the proper customer ID and that the SAP was configured on the proper slot, port, or channel. The assignment must be given prior to any SAP associations with the site.

The no form of this command removes the port, channel, or slot assignment. If the customer site has not yet been assigned, the command has no effect and returns without any warnings or messages.

Default

no assignment

Parameters

port-id

Assigns the multi-service customer site to the port-id or port-id.channel-id given. When the multi-service customer site is assigned to a specific port or channel, all SAPs associated with this customer site must be on a service owned by the customer and created on the defined port or channel. The defined port or channel must already have been pre-provisioned on the system but need not be installed when the customer site assignment is made.

Syntax: port-id[:encap-val]

Values

port-id

slot/mda/port[.channel]

aps-id

aps-group-id[.channel]

aps keyword

group-id

1 to 128

eth-tunnel-id

eth-tunnel-<id>

eth-tunnel

keyword

id

1 to 1024

lag-id

lag-id

lag

keyword

id

1 to 800

id

1 to 1024

eth-sat-id

esat-<id>/<slot>/[u]<port>

esat

keyword

id

1 to 20

u

keyword for up-link port

tdm-sat-id

tsat-<id>/<slot>/[<u>]<port>.<channel>

tsat

keyword

id

1 to 20

u

keyword for up-link port

pxc-id

psc-id.sub-port

pxc psc-id.sub-port

pxc

keyword

id: 1 to 64

sub-port: a, b

pw-id

pw-<id>

pw

keyword

id

1 to 32767

slot-number

1 to 10

fpe-id

1 to 64

slot-number

Assigns the multi-service customer site to the slot-number given. When the multi-service customer site is assigned to a specific slot in the chassis, all SAPs associated with this customer site must be on a service owned by the customer and created on the defined chassis slot. The defined slot must already be pre-provisioned on the system but need not be installed when the customer site assignment is made.

Values

Any pre-provisioned slot number for the chassis type that allows SAP creation.

1 to 20

fpe-id

Specifies the multi-service-site (MSS) assignment to an FPE object for the purpose of controlling aggregated bandwidth across a set of PW SAPs.

Values

1 to 64

Platforms

7705 SAR Gen 2

association-id

association-id

Syntax

association-id association-id

no association-id

Context

[Tree] (config>router>pcep>pcc>pce-assoc>div association-id)

Full Context

configure router pcep pcc pce-associations diversity association-id

Description

This command configures the diversity association ID. The user must specify an association ID.

The no form of the command removes the association ID from the diversity association.

Default

no association-id

Parameters

association-id

Specifies the diversity association ID.

Values

1 to 65535

Platforms

7705 SAR Gen 2

association-id

Syntax

association-id association-id

no association-id

Context

[Tree] (config>router>pcep>pcc>pce-assoc>plcy association-id)

Full Context

configure router pcep pcc pce-associations policy association-id

Description

This command configures the policy association ID. The user must specify an association ID.

The no form of the command removes the association ID from the policy association.

Default

no association-id

Parameters

association-id

Specifies the policy association ID.

Values

1 to 65535

Platforms

7705 SAR Gen 2

association-source

association-source

Syntax

association-source ip-address

no association-source

Context

[Tree] (config>router>pcep>pcc>pce-assoc>div association-source)

Full Context

configure router pcep pcc pce-associations diversity association-source

Description

This command configures the source IP address of the diversity association.

The no form of the command removes the IP address from the diversity association.

Default

no association-source

Parameters

ip-address

Specifies the source IP address.

Values

ipv4-address:

a.b.c.d

ipv6-address:

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x - [0 to FFFF]H

d - [0 to 255]D

Platforms

7705 SAR Gen 2

association-source

Syntax

association-source ip-address

no association-source

Context

[Tree] (config>router>pcep>pcc>pce-assoc>plcy association-source)

Full Context

configure router pcep pcc pce-associations policy association-source

Description

This command configures the source IP address of the policy association.

The no form of the command removes the IP address from the policy association.

Default

no association-source

Parameters

ip-address

Specifies the source IP address.

Values

ipv4-address:

a.b.c.d

ipv6-address:

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x - [0 to FFFF]H

d - [0 to 255]D

Platforms

7705 SAR Gen 2

asynchronous-execution

asynchronous-execution

Syntax

asynchronous-execution seconds

asynchronous-execution never

Context

[Tree] (config>system>management-interface>ops>global-timeout asynchronous-execution)

Full Context

configure system management-interface operations global-timeouts asynchronous-execution

Description

This command configures the period of time that operations launched as "asynchronous" are allowed to execute before being automatically stopped by the SR OS.

An asynchronous operation is not deleted from the system when it is stopped. See the asynchronous-retention command.

If a specific execution timeout is not included in the request for a particular asynchronous operation, this system-level timeout applies.

Note:

This execution timeout is part of the general global operations infrastructure and is separate and independent from any operation-specific timeouts (for example, the ping operation also has its own timeout parameter).

Default

asynchronous-execution 3600

Parameters

seconds

Specifies the period of time, in seconds, that asynchronous operations are allowed to execute.

Values

1 to 604800

never

Keyword to specify that an execution timeout is not applied to asynchronous operations.

Platforms

7705 SAR Gen 2

asynchronous-retention

asynchronous-retention

Syntax

asynchronous-retention seconds

asynchronous-retention never

Context

[Tree] (config>system>management-interface>ops>global-timeout asynchronous-retention)

Full Context

configure system management-interface operations global-timeouts asynchronous-retention

Description

This command configures the period of time that data related to operations launched as "asynchronous" is retained in the system. After the retention timeout expires, all information related to the operation is deleted, including any status information and result data.

If a specific retention timeout is not included in the request for a particular asynchronous operation, this system-level timeout applies.

Default

asynchronous-retention 86400

Parameters

seconds

Specifies the period of time, in seconds, that data related to asynchronous operations is retained in the system.

Values

1 to 604800

never

Keyword to specify that data related to asynchronous operations will persist in memory until explicitly deleted.

Platforms

7705 SAR Gen 2

attempts

attempts

Syntax

attempts count [time minutes1] [lockout minutes2]

no attempts

Context

[Tree] (config>system>security>password attempts)

Full Context

configure system security password attempts

Description

This command configures a threshold value of unsuccessful login attempts allowed in a specified time frame.

If the threshold is exceeded, the user is locked out for a specified time period.

If multiple attempts commands are entered, each command overwrites the previously entered command.

The no attempts command resets all values to default.

Note:

This command applies to a local user, in addition to users on RADIUS, TACACS, and LDAP.

Default

attempts 3 time 5 lockout 10

Parameters

count

Specifies the number of unsuccessful login attempts allowed for the specified time. This is a mandatory value that must be explicitly entered.

Values

1 to 64

minutes1

Specifies the period of time, in minutes, that a specified number of unsuccessful attempts can be made before the user is locked out.

Values

0 to 60

minutes2

Specifies the lockout period, in minutes, during which the user is not allowed to log in.

Values

0 to 1440, or infinite

If the user exceeds the configured count of unsuccessful attempts within the specified time, that user is locked out from any further login attempts for the configured lockout time period.

Values

0 to 1440

Values

infinite; user is locked out and must wait until manually unlocked before any further attempts.

Platforms

7705 SAR Gen 2

attempts

Syntax

attempts [count] [time minutes1] [lockout minutes2]

no attempts

Context

[Tree] (config>system>security>snmp attempts)

Full Context

configure system security snmp attempts

Description

This command configures a threshold value of unsuccessful SNMPv2 or SNMPv3 connection attempts allowed in a specified time frame. The command parameters are used to counter denial of service (DoS) attacks through SNMP.

If the threshold is exceeded, the host is locked out for the lockout time period.

The no form of the command restores the default values.

Default

attempts 20 time 5 lockout 10

Parameters

count

Specifies the number of unsuccessful SNMP attempts allowed for the specified time.

Values

1 to 64

minutes1

Specifies the period of time, in minutes, that a specified number of unsuccessful attempts can be made before the host is locked out.

Values

0 to 60

minutes2

Specifies the lockout period, in minutes, during which the host is not allowed to log in. When the host exceeds the configured count of unsuccessful attempts within the specified time, that host is locked out from any further login attempts for the configured time period.

Values

0 to 1440
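
Both attempts entries (password and SNMP) describe the same count / time / lockout mechanism; the added model below (not Nokia code) replays constructed failure events against a policy to show which subjects would be locked out. It assumes that the lockout starts on the count-th failure inside the window, that attempts during a lockout are refused and not counted, and that a success clears the counter; class and function names are hypothetical.

```python
# Added illustration, not Nokia code. Models
# `attempts <count> time <minutes1> lockout <minutes2>` for users or SNMP hosts.
from collections import defaultdict, deque
from datetime import datetime, timedelta

INFINITE = None  # stands for the `infinite` lockout keyword


class AttemptsPolicy:
    def __init__(self, count, time_min, lockout_min):
        if not 1 <= count <= 64:
            raise ValueError("count must be 1 to 64")
        # The page also allows 0 for both timers but does not say what 0
        # means, so this model leaves that value out.
        if not 1 <= time_min <= 60:
            raise ValueError("time must be 1 to 60 in this model")
        if lockout_min is not INFINITE and not 1 <= lockout_min <= 1440:
            raise ValueError("lockout must be 1 to 1440 or INFINITE in this model")
        self.count = count
        self.window = timedelta(minutes=time_min)
        self.lockout = None if lockout_min is INFINITE else timedelta(minutes=lockout_min)

    def replay(self, events):
        """events: (timestamp, subject, ok) tuples.

        Returns a list of (subject, locked_at, unlock_at); unlock_at is None
        for an infinite lockout that needs a manual unlock.
        """
        failures = defaultdict(deque)   # subject -> recent failure timestamps
        locked_until = {}               # subject -> unlock time, or None
        lockouts = []
        for ts, subject, ok in sorted(events, key=lambda e: e[0]):
            if subject in locked_until:
                until = locked_until[subject]
                if until is None or ts < until:
                    continue            # assumption: refused and not counted
                del locked_until[subject]
            if ok:
                failures[subject].clear()   # assumption: success resets the count
                continue
            recent = failures[subject]
            recent.append(ts)
            while ts - recent[0] > self.window:
                recent.popleft()        # failure fell out of the time window
            if len(recent) >= self.count:
                until = None if self.lockout is None else ts + self.lockout
                locked_until[subject] = until
                lockouts.append((subject, ts, until))
                recent.clear()
        return lockouts


BASE = datetime(2024, 1, 1, 9, 0, 0)


def at(seconds):
    """Timestamp helper for the constructed sample below."""
    return BASE + timedelta(seconds=seconds)


# Constructed sample events: (time, subject, login succeeded?)
SAMPLE_EVENTS = [
    (at(0), "admin", False),
    (at(60), "admin", False),
    (at(90), "oper", False),
    (at(120), "admin", False),
    (at(180), "admin", True),
    (at(400), "oper", False),
    (at(780), "admin", False),
]

if __name__ == "__main__":
    for name, policy in [("password default", AttemptsPolicy(3, 5, 10)),
                         ("snmp default", AttemptsPolicy(20, 5, 10)),
                         ("2 / 5 / infinite", AttemptsPolicy(2, 5, INFINITE))]:
        print(name, policy.replay(SAMPLE_EVENTS))
```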

Platforms

7705 SAR Gen 2

attrib

attrib

Syntax

attrib [+r | -r] file-url

attrib

Context

[Tree] (file attrib)

Full Context

file attrib

Description

This command sets or clears/resets the read-only attribute for a file in the local file system. To list all files and their current attributes, enter attrib or attrib x, where x is either the filename or a wildcard (*).

When an attrib command is entered to list a specific file or all files in a directory, the file's attributes are displayed with or without an "R" preceding the filename. The "R" implies that the +r is set and that the file is read-only. Files without the "R" designation imply that the -r is set and that the file is read-write-all. For example:

ALA-1>file cf3:\ # attrib
cf3:\bootlog.txt
cf3:\bof.cfg
cf3:\boot.ldr
cf3:\sr1.cfg
cf3:\test
cf3:\bootlog_prev.txt
cf3:\BOF.SAV 

Parameters

file-url

Specifies the URL for the local file.

Values

local-url

[cflash-id/][file-path] up to 200 characters, including cflash-id directory length 99 chars max each

remote-url

[{ftp:// | tftp://}login:pswd@remote-locn/][file-path]

up to 247 characters

directory length up to 199 characters

remote-locn

[hostname | ipv4-address | [ipv6-address]]

ipv4-address

a.b.c.d

ipv6-address

x:x:x:x:x:x:x:x[-interface]

x:x:x:x:x:x:d.d.d.d[-interface]

x - [0 to FFFF]H

d - [0 to 255]D

interface - up to 32 characters, for link local addresses 255

cflash-id

cf1:, cf1-A:, cf1-B:, cf2:, cf2-A:, cf2-B:, cf3:, cf3-A:, cf3-B:

+r

Sets the read-only attribute on the specified file.

-r

Clears/resets the read-only attribute on the specified file.

Platforms

7705 SAR Gen 2

attribute-propagation

attribute-propagation

Syntax

[no] attribute-propagation

Context

[Tree] (config>service>system>bgp-evpn>ad-per-evi-routes attribute-propagation)

Full Context

configure service system bgp-evpn ad-per-evi-routes attribute-propagation

Description

This command enables attribute propagation in multi-instance Epipe services.

The no form of this command disables the propagation of attributes, including D-PATH, even if the domain-id is configured in the service.

Default

no attribute-propagation

Platforms

7705 SAR Gen 2

attribute-set

attribute-set

Syntax

attribute-set

Context

[Tree] (config>service>vprn>bgp attribute-set)

Full Context

configure service vprn bgp attribute-set

Description

Commands in this context configure the handling of attribute set (ATTR_SET) attributes in BGP routes received from PE-CE peers of the VPRN.

ATTR_SET is an optional transitive BGP path attribute standardized by RFC 6368 that is added to BGP Layer 3 VPN routes to provide logical separation between the BGP domain of a customer and the BGP domain of a service provider.

Platforms

7705 SAR Gen 2

attribute-set

Syntax

attribute-set

Context

[Tree] (config>service>vprn>bgp-ipvpn attribute-set)

Full Context

configure service vprn bgp-ipvpn attribute-set

Description

Commands in this context configure the handling of attribute set (ATTR_SET) attributes attached to VPN-IP routes imported into or exported from the VPRN.

ATTR_SET is an optional transitive BGP path attribute standardized by RFC 6368 that is added to BGP Layer 3 VPN routes to provide logical separation between the BGP domain of a customer and the BGP domain of a service provider.

Platforms

7705 SAR Gen 2

attribute-uniform-propagation

attribute-uniform-propagation

Syntax

[no] attribute-uniform-propagation

Context

[Tree] (config>service>system>bgp-evpn>ip-prefix-routes>iff attribute-uniform-propagation)

Full Context

configure service system bgp-evpn ip-prefix-routes interface-ful attribute-uniform-propagation

Description

This command enables the uniform propagation of BGP attributes for EVPN Interface-ful (EVPN-IFF) routes. EVPN-IFF is used in R-VPLS services with bgp-evpn>ip-route-advertisement. When enabled, the received EVPN-IFF routes for the R-VPLS can be propagated with the original BGP path attributes into EVPN-IFL, IPVPN, EVPN-IFF (in other R-VPLS services), or BGP IP routes advertised for the attached VPRN. This command also enables the attribute propagation in the opposite direction; for example, from EVPN-IFL, IPVPN, IP, or EVPN-IFF routes into EVPN-IFF routes.

The propagation is in accordance with the uniform mode defined in draft-ietf-bess-evpn-ipvpn-interworking.

The no form of this command re-originates the BGP path attributes when propagating EVPN-IFF routes into other inter-subnet forwarding families.

Default

no attribute-uniform-propagation

Platforms

7705 SAR Gen 2

augment-route-table

augment-route-table

Syntax

[no] augment-route-table

Context

[Tree] (config>router>isis>loopfree-alternates augment-route-table)

Full Context

configure router isis loopfree-alternates augment-route-table

Description

This command enables IS-IS to attach Remote LFA specific information to RTM entries for use by other protocols. This command requires configure router isis lfa remote-lfa to be enabled. Currently only LDP makes use of this additional information.

The no form of this command prevents IS-IS from attaching Remote LFA specific information to RTM entries for use by other protocols.

Platforms

7705 SAR Gen 2

augment-route-table

Syntax

[no] augment-route-table

Context

[Tree] (config>router>ospf>loopfree-alternates augment-route-table)

Full Context

configure router ospf loopfree-alternates augment-route-table

Description

This command enables OSPF to attach Remote LFA (rLFA) information to RTM entries for use by other protocols. Before this command is configured, the configure router ospf lfa remote-lfa command must be enabled on the system. Currently, only LDP makes use of this additional information.

The no form of this command disables the attachment of rLFA-specific information to RTM entries for use by other protocols.

Default

no augment-route-table

Platforms

7705 SAR Gen 2

auth

auth

Syntax

[no] auth

Context

[Tree] (debug>router>rsvp>event auth)

Full Context

debug router rsvp event auth

Description

This command debugs auth events.

The no form of the command disables the debugging.

Platforms

7705 SAR Gen 2

auth

Syntax

[no] auth [neighbor ip-int-name | ip-address]

Context

[Tree] (debug>router>rip auth)

Full Context

debug router rip auth

Description

This command enables debugging for RIP authentication.

Parameters

ip-int-name | ip-address

Debugs the RIP authentication for the neighbor IP address or interface.

Platforms

7705 SAR Gen 2

auth-keychain

auth-keychain

Syntax

auth-keychain name

Context

[Tree] (config>service>vprn>bgp>group auth-keychain)

[Tree] (config>service>vprn>bgp>group>neighbor auth-keychain)

[Tree] (config>service>vprn>bgp auth-keychain)

Full Context

configure service vprn bgp group auth-keychain

configure service vprn bgp group neighbor auth-keychain

configure service vprn bgp auth-keychain

Description

This command configures the BGP authentication key for all peers.

The keychain allows the rollover of authentication keys during the lifetime of a session.

Default

no auth-keychain

Parameters

name

Specifies the name of an existing keychain, up to 32 characters, to use for the specified TCP session or sessions.

Platforms

7705 SAR Gen 2

auth-keychain

Syntax

auth-keychain name

Context

[Tree] (config>service>vprn>isis auth-keychain)

[Tree] (config>service>vprn>isis>level auth-keychain)

Full Context

configure service vprn isis auth-keychain

configure service vprn isis level auth-keychain

Description

This command configures an authentication keychain to use for the protocol interface for the VPRN instance. The keychain allows the rollover of authentication keys during the lifetime of a session.

Default

no auth-keychain

Parameters

name

Specifies the name of the keychain, up to 32 characters, to use for the specified protocol session or sessions.

Platforms

7705 SAR Gen 2

auth-keychain

Syntax

auth-keychain name

Context

[Tree] (config>router>isis auth-keychain)

[Tree] (config>router>isis>level auth-keychain)

Full Context

configure router isis auth-keychain

configure router isis level auth-keychain

Description

This command configures an authentication keychain to use for the protocol interface. The keychain allows the rollover of authentication keys during the lifetime of a session.

Parameters

name

Specifies the name of the keychain, up to 32 characters, to use for the specified protocol session or sessions.

Platforms

7705 SAR Gen 2

auth-keychain

Syntax

auth-keychain name

Context

[Tree] (config>service>vprn>ospf>area>sham-link auth-keychain)

[Tree] (config>service>vprn>ospf>area>if auth-keychain)

[Tree] (config>service>vprn>ospf>area>virtual-link auth-keychain)

Full Context

configure service vprn ospf area sham-link auth-keychain

configure service vprn ospf area interface auth-keychain

configure service vprn ospf area virtual-link auth-keychain

Description

This command enables the authentication keychain.

Parameters

name

Specifies the name of the authentication keychain, up to 32 characters.

Platforms

7705 SAR Gen 2

auth-keychain

Syntax

auth-keychain name

Context

[Tree] (config>router>ldp>tcp-session-params auth-keychain)

[Tree] (config>router>ldp>tcp-session-params>peer-transport auth-keychain)

Full Context

configure router ldp tcp-session-parameters auth-keychain

configure router ldp tcp-session-parameters peer-transport auth-keychain

Description

This command configures the TCP authentication keychain to use for the TCP session. The per-peer authentication configuration takes precedence over the global authentication configuration.

Parameters

name

Specifies the name of the keychain, up to 32 characters. This keychain is used for the specified TCP session or sessions, and allows the rollover of authentication keys during the lifetime of a session. The peer address used must be the TCP session transport address.

Platforms

7705 SAR Gen 2

auth-keychain

Syntax

auth-keychain name

Context

[Tree] (config>router>rsvp>interface auth-keychain)

Full Context

configure router rsvp interface auth-keychain

Description

This command configures an authentication keychain to use for authentication of protocol messages sent and received over the associated interface. The keychain must include a valid entry to properly authenticate protocol messages, including a key, specification of a supported authentication algorithm, and beginning time. Each entry may also include additional options to control the overall lifetime of each entry to allow for seamless rollover without affecting the protocol adjacencies.

The no form of the auth-keychain command removes the association between the routing protocol and any keychain currently used.

Default

no auth-keychain

Parameters

name

Specifies the name of the keychain, up to 32 characters, to use for the specified protocol session or sessions.

Platforms

7705 SAR Gen 2

auth-keychain

Syntax

auth-keychain name

Context

[Tree] (config>router>bgp>group auth-keychain)

[Tree] (config>router>bgp auth-keychain)

[Tree] (config>router>bgp>group>neighbor auth-keychain)

Full Context

configure router bgp group auth-keychain

configure router bgp auth-keychain

configure router bgp group neighbor auth-keychain

Description

This command configures a TCP authentication keychain to use for the session. The keychain allows the rollover of authentication keys during the lifetime of a session.

Default

no auth-keychain

Parameters

name

Specifies the name of the keychain, up to 32 characters, to use for the specified TCP session or sessions.

Platforms

7705 SAR Gen 2

auth-keychain

Syntax

auth-keychain name

Context

[Tree] (config>router>ospf>area>virtual-link auth-keychain)

[Tree] (config>router>ospf>area>interface auth-keychain)

Full Context

configure router ospf area virtual-link auth-keychain

configure router ospf area interface auth-keychain

Description

This command configures an authentication keychain to use for the protocol interface. The keychain allows the rollover of authentication keys during the lifetime of a session.

The no form of this command removes the association to a previously specified keychain.

Default

no auth-keychain

Parameters

name

Specifies the name of the keychain, up to 32 characters, to use for the specified protocol session or sessions.

Platforms

7705 SAR Gen 2

auth-keychain

Syntax

auth-keychain name

Context

[Tree] (config>router>pcep>pcc>peer auth-keychain)

Full Context

configure router pcep pcc peer auth-keychain

Description

This command specifies a keychain to be used for TCP-AO authentication between the PCC and the PCE. The keychain must first be configured in the configure system security keychain context.

Default

no auth-keychain

Parameters

name

Specifies the name of the keychain, up to 32 characters.

Platforms

7705 SAR Gen 2

auth-method

auth-method

Syntax

auth-method {psk | plain-psk-xauth | cert-auth | psk-radius | cert-radius | eap | auto-eap-radius | auto-eap}

no auth-method

Context

[Tree] (config>ipsec>ike-policy auth-method)

Full Context

configure ipsec ike-policy auth-method

Description

This command specifies the authentication method used with this IKE policy.

The no form of this command removes the parameter from the configuration.

Default

no auth-method

Parameters

psk

Both client and gateway authenticate each other by a hash derived from a pre-shared secret. Both client and gateway must have the PSK. This works with both IKEv1 and IKEv2.

plain-psk-xauth

Both client and gateway authenticate each other by pre-shared key and RADIUS. This works with IKEv1 only.

psk-radius

Use the pre-shared-key and RADIUS to authenticate. IKEv2 remote-access tunnel only.

cert-radius

Use the certificate, public/private key and RADIUS to authenticate. IKEv2 remote-access tunnel only.

eap

Use EAP to authenticate the peer. IKEv2 remote-access tunnel only.

auto-eap-radius

Use EAP or potentially other method to authenticate the peer. IKEv2 remote-access tunnel only. Also see config>ipsec>ike-policy auto-eap-method and config>ipsec>ike-policy auto-eap-own-method.

auto-eap

Use the EAP or potentially other RADIUS-related method to authenticate the peer. IKEv2 remote-access tunnel only. Also see config>ipsec>ike-policy auto-eap-method and config>ipsec>ike-policy auto-eap-own-method.

Platforms

7705 SAR Gen 2

auth-port

auth-port

Syntax

auth-port port

no auth-port

Context

[Tree] (config>service>vprn>radius-server>server auth-port)

[Tree] (config>router>radius-server>server auth-port)

Full Context

configure service vprn radius-server server auth-port

configure router radius-server server auth-port

Description

This command specifies the UDP listening port for RADIUS authentication requests.

The no form of this command resets the UDP port to its default value (1812).

Default

auth-port 1812

Parameters

port

Specifies the UDP listening port for accounting requests of the external RADIUS server.

Values

1 to 65535

Platforms

7705 SAR Gen 2

authenticate

authenticate

Syntax

[no] authenticate

Context

[Tree] (config>service>vprn>ntp authenticate)

Full Context

configure service vprn ntp authenticate

Description

This command enables authentication for the NTP server.

Platforms

7705 SAR Gen 2

authenticate-client

authenticate-client

Syntax

authenticate-client

Context

[Tree] (config>system>security>tls>server-tls-profile authenticate-client)

Full Context

configure system security tls server-tls-profile authenticate-client

Description

Commands in this context configure client authentication parameters.

Platforms

7705 SAR Gen 2

authentication

authentication

Syntax

authentication bidirectional sa-name

authentication inbound sa-name outbound sa-name

no authentication

Context

[Tree] (config>service>vprn>ospf3>area>if authentication)

[Tree] (config>service>vprn>ospf3>area>virtual-link authentication)

Full Context

configure service vprn ospf3 area interface authentication

configure service vprn ospf3 area virtual-link authentication

Description

This command configures OSPFv3 confidentiality authentication.

The no form of this command removes the SA name from the configuration.

Parameters

bidirectional sa-name

Specifies the IPsec security association name in case the OSPFv3 traffic on the interface has to be authenticated.

inbound sa-name

Specifies the IPsec security association name in case the OSPFv3 traffic on the interface has to be authenticated.

outbound sa-name

Specifies the IPsec security association name in case the OSPFv3 traffic on the interface has to be authenticated.

Platforms

7705 SAR Gen 2

authentication

Syntax

authentication ascii-algorithm ascii-key ascii-string [hash | hash2 | custom]

authentication auth-algorithm hex-key hex-string [hash | hash2 | custom]

no authentication

Context

[Tree] (config>ipsec>static-sa authentication)

Full Context

configure ipsec static-sa authentication

Description

This command configures the authentication algorithm to use for an IPsec manual SA.

Default

no authentication

Parameters

auth-algorithm

Specifies the authentication algorithm to be used.

Values

md5, sha1

ascii-string

Specifies an ASCII key; 16 characters for md5 and 20 characters for sha1.

hex-string

Specifies a HEX key; 32 hex nibbles for md5 and 40 hex nibbles for sha1.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to management interface.

Platforms

7705 SAR Gen 2

authentication

Syntax

authentication none

authentication authentication-protocol authentication-key [privacy-none] [hash | hash2 | custom]

authentication authentication-protocol authentication-key privacy privacy-protocol privacy-key [hash | hash2 | custom]

no authentication

Context

[Tree] (config>system>security>user>snmp authentication)

Full Context

configure system security user snmp authentication

Description

This command configures the SNMPv3 authentication and privacy protocols for the user to communicate with the router. The keys are stored in an encrypted format in the configuration.

The keys configured with these commands must be localized keys, which are a hash of the SNMP engine ID and a password. The password is not entered directly in this command. Use the tools perform system management-interface snmp generate-key command to generate localized authentication and privacy keys.

Default

authentication none

Parameters

none

Keyword to specify that no authentication protocol is used. If none is specified, privacy cannot be configured.

authentication-protocol

Specifies the SNMPv3 authentication protocol.

Values

hmac-md5-96 — Specifies use of the HMAC-MD5-96 authentication protocol.

hmac-sha1-96 — Specifies use of the HMAC-SHA-96 authentication protocol.

hmac-sha2-224 — Specifies use of the HMAC-SHA-224 authentication protocol.

hmac-sha2-256 — Specifies use of the HMAC-SHA-256 authentication protocol.

hmac-sha2-384 — Specifies use of the HMAC-SHA-384 authentication protocol.

hmac-sha-512 — Specifies use of the HMAC-SHA-512 authentication protocol.

authentication-key

Specifies the localized authentication key, which is entered as a hexadecimal string; the character length depends on the specified authentication protocol. The following table lists the authentication protocol key lengths.

Table 2. Authentication protocol key lengths

Authentication protocol    Character lengths
HMAC-MD5-96                32
HMAC-SHA-96                40
HMAC-SHA-224               56
HMAC-SHA-256               64
HMAC-SHA-384               96
HMAC-SHA-512               128

privacy-none

Keyword to specify that a privacy protocol is not used in the communication.

Default

privacy none

privacy-protocol

Specifies the SNMPv3 privacy protocol.

Values

cbc-des — Specifies the use of the CBC-DES privacy protocol.

cfb128-aes-128 — Specifies the use of the CFB128-AES-128 privacy protocol.

cfb128-aes-192 — Specifies the use of the CFB128-AES-192 privacy protocol.

cfb128-aes-256 — Specifies the use of the CFB128-AES-256 privacy protocol.

privacy-key

Specifies the localized privacy key, which is entered as a hexadecimal string; the character length depends on the specified privacy protocol. The following table lists the privacy protocol key lengths.

Table 3. Privacy protocol key lengths

Privacy protocol    Character length
CBC-DES             32
CFB128-AES-128      32
CFB128-AES-192      48
CFB128-AES-256      64

hash

Keyword that specifies the key is entered in an encrypted form. If the hash or hash2 keyword is not specified, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Keyword that specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone; that is, the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 keyword is not specified, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Keyword that specifies the custom encryption to the management interface.

Platforms

7705 SAR Gen 2
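
The key localization described above (a hash of the SNMP engine ID and a password), as an added example that is not Nokia code or router tool output. It assumes the keys follow the RFC 3414 password-to-key algorithm, with the SHA-2 hashes of RFC 7860 substituted for the longer protocols; the function names are hypothetical, and the password and engine ID used to exercise it are the RFC 3414 test vector, not values from this page.

```python
import hashlib
import string

# authentication-protocol keyword -> (hashlib name, hex length from Table 2)
AUTH_PROTOCOLS = {
    "hmac-md5-96": ("md5", 32),
    "hmac-sha1-96": ("sha1", 40),
    "hmac-sha2-224": ("sha224", 56),
    "hmac-sha2-256": ("sha256", 64),
    "hmac-sha2-384": ("sha384", 96),
    "hmac-sha-512": ("sha512", 128),
}

EXPANDED_LEN = 1048576  # RFC 3414 A.2: hash 1 MiB of repeated password


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Derive the non-localized user key Ku from a password."""
    if not password:
        raise ValueError("password must not be empty")
    reps, rem = divmod(EXPANDED_LEN, len(password))
    h = hashlib.new(hash_name)
    h.update(password * reps + password[:rem])
    return h.digest()


def localize_key(password: bytes, engine_id: bytes, protocol: str) -> str:
    """Return the localized key Kul = H(Ku || engineID || Ku) as hex."""
    hash_name, hex_len = AUTH_PROTOCOLS[protocol]
    ku = password_to_key(password, hash_name)
    kul = hashlib.new(hash_name, ku + engine_id + ku).hexdigest()
    if len(kul) != hex_len:
        raise RuntimeError("digest length does not match Table 2")
    return kul


def check_auth_key(protocol: str, key_hex: str) -> list:
    """Pre-commit check of an authentication-key value; returns problems."""
    problems = []
    if protocol not in AUTH_PROTOCOLS:
        return ["unknown authentication protocol: " + protocol]
    expected = AUTH_PROTOCOLS[protocol][1]
    if any(c not in string.hexdigits for c in key_hex):
        problems.append("key is not a hexadecimal string")
    if len(key_hex) != expected:
        problems.append(
            "key is %d characters, %s needs %d" % (len(key_hex), protocol, expected)
        )
    return problems


if __name__ == "__main__":
    # Constructed input: the RFC 3414 appendix A.3 test vector.
    engine_id = bytes.fromhex("000000000000000000000002")
    for proto in AUTH_PROTOCOLS:
        key = localize_key(b"maplesyrup", engine_id, proto)
        print(proto, key, check_auth_key(proto, key))
```

Because the engine ID is hashed into the key, a key generated for one router does not validate on another, even when the password is the same.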

authentication

Syntax

authentication bidirectional sa-name

authentication [inbound sa-name outbound sa-name]

no authentication

Context

[Tree] (config>router>ospf3>area>virtual-link authentication)

[Tree] (config>router>ospf3>area>interface authentication)

Full Context

configure router ospf3 area virtual-link authentication

configure router ospf3 area interface authentication

Description

This command configures the password used by the OSPF3 interface or virtual-link to send and receive OSPF3 protocol packets on the interface when simple password authentication is configured.

All neighboring routers must use the same type of authentication and password for proper protocol communication.

By default, no authentication key is configured.

The no form of this command removes the authentication.

Default

no authentication

Parameters

bidirectional sa-name

Specifies bidirectional OSPF3 authentication.

inbound sa-name

Specifies the inbound security association (SA) name for OSPF3 authentication.

outbound sa-name

Specifies the outbound SA name for OSPF3 authentication.

Platforms

7705 SAR Gen 2

authentication-check

authentication-check

Syntax

[no] authentication-check

Context

[Tree] (config>service>vprn>isis authentication-check)

Full Context

configure service vprn isis authentication-check

Description

This command sets an authentication check to reject PDUs that do not match the type or key requirements for the VPRN instance.

The default behavior when authentication is configured is to reject all IS-IS protocol PDUs that have a mismatch in either the authentication type or authentication key.

When no authentication-check is configured, authentication PDUs are generated and IS-IS PDUs are authenticated on receipt. However, a mismatch causes an event to be generated and the PDU is not rejected.

The no form of this command allows authentication mismatches to be accepted and generates a log event.

Default

authentication-check — Rejects authentication mismatches.

Platforms

7705 SAR Gen 2

authentication-check

Syntax

[no] authentication-check

Context

[Tree] (config>service>vprn>ntp authentication-check)

Full Context

configure service vprn ntp authentication-check

Description

This command provides the option to skip the rejection of NTP PDUs that do not match the authentication key-id, type or key requirements. The default behavior when authentication is configured is to reject all NTP protocol PDUs that have a mismatch in either the authentication key-id, type or key.

When authentication-check is enabled, NTP PDUs are authenticated on receipt. However, mismatches cause a counter to be increased; separate counters are kept for type, key-id, and value mismatches. These counters are visible in a show command.

The no form of this command allows authentication mismatches to be accepted; the counters however are maintained.

Default

authentication-check — Rejects authentication mismatches.

Platforms

7705 SAR Gen 2

authentication-check

Syntax

[no] authentication-check

Context

[Tree] (config>system>time>ntp authentication-check)

Full Context

configure system time ntp authentication-check

Description

This command provides the option to skip the rejection of NTP PDUs that do not match the authentication key-id, type or key requirements. The default behavior when authentication is configured is to reject all NTP protocol PDUs that have a mismatch in either the authentication key-id, type or key.

When authentication-check is enabled, NTP PDUs are authenticated on receipt. However, mismatches cause a counter to be increased; separate counters are kept for type, key-id, and value mismatches. These counters are visible in a show command.

The no form of this command allows authentication mismatches to be accepted; the counters however are maintained.

Default

authentication-check

Platforms

7705 SAR Gen 2

authentication-check

Syntax

[no] authentication-check

Context

[Tree] (config>router>isis authentication-check)

Full Context

configure router isis authentication-check

Description

This command sets an authentication check to reject PDUs that do not match the type or key requirements.

The default behavior when authentication is configured is to reject all IS-IS protocol PDUs that have a mismatch in either the authentication type or authentication key.

When no authentication-check is configured, authentication PDUs are generated and IS-IS PDUs are authenticated on receipt. However, a mismatch causes an event to be generated and the PDU is not rejected.

The no form of this command allows authentication mismatches to be accepted and generates a log event.

Default

authentication-check

Platforms

7705 SAR Gen 2

authentication-key

authentication-key

Syntax

authentication-key {authentication-key | hash-key} [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>redundancy>multi-chassis>peer authentication-key)

Full Context

configure redundancy multi-chassis peer authentication-key

Description

This command configures the authentication key used between this node and the multi-chassis peer. The authentication key can be any combination of letters or numbers. The no form of the command removes the authentication key.

Default

no authentication-key

Parameters

authentication-key

Specifies the authentication key. Allowed values are any string up to 20 characters long composed of printable, 7-bit ASCII characters. If the string contains special characters (#, ?, space), the entire string must be enclosed within double quotes.

hash-key

Specifies the hash key. The key can be any combination of ASCII characters up to 33 (hash1-key) or 55 (hash2-key) characters in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to management interface.

Platforms

7705 SAR Gen 2

authentication-key

Syntax

authentication-key [authentication-key | hash-key] [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>subscr-mgmt>rip-policy authentication-key)

Full Context

configure subscriber-mgmt rip-policy authentication-key

Description

This command configures the BGP authentication key.

Authentication is performed between neighboring routers before setting up the BGP session by verifying the password. Authentication is performed using the MD5 message-based digest. The authentication key can be any combination of letters or numbers from 1 to 16.

The no form of this command removes the authentication password from the configuration and effectively disables authentication.

Default

Authentication is disabled and the authentication password is empty.

Parameters

authentication-key

Specifies the authentication key. The key can be any combination of ASCII characters up to 255 characters (unencrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

hash-key

Specifies the hash key. The key can be any combination of ASCII characters up to 342 characters (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to management interface.

Platforms

7705 SAR Gen 2

authentication-key

Syntax

authentication-key {authentication-key | hash-key} [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>service>ies>if>vrrp authentication-key)

Full Context

configure service ies interface vrrp authentication-key

Description

The authentication-key command, within the vrrp virtual-router-id context, is used to assign a simple text password authentication key to generate master VRRP advertisement messages and validate received VRRP advertisement messages.

The authentication-key command is one of the few commands not affected by the presence of the owner keyword. If simple text password authentication is not required, the authentication-key command is not required. If the command is re-executed with a different password key defined, the new key will be used immediately. If a no authentication-key command is executed, the password authentication key is restored to the default value. The authentication-key command may be executed at any time.

To change the current in-use password key on multiple virtual router instances:

  • Identify the current master

  • Shut down the virtual router instance on all backups

  • Execute the authentication-key command on the master to change the password key

  • Execute the authentication-key command and no shutdown command on each backup key

The no form of the command removes the authentication key.

Default

No default. The authentication data field contains the value 0 in all 16 octets.

Parameters

authentication-key

The key parameter identifies the simple text password used when VRRP Authentication Type 1 is enabled on the virtual router instance. Type 1 uses a string eight octets long that is inserted into all transmitted VRRP advertisement messages and compared against all received VRRP advertisement messages. The authentication data fields are used to transmit the key.

The key parameter is expressed as a string consisting of up to eight alpha-numeric characters. Spaces must be contained in quotation marks (" "). The quotation marks are not considered part of the string.

The string is case sensitive and is left-justified in the VRRP advertisement message authentication data fields. The first field contains the first four characters with the first octet (starting with IETF RFC bit position 0) containing the first character. The second field holds the fifth through eighth characters. Any unspecified portion of the authentication data field is padded with the value 0 in the corresponding octet.

Values

Any 7-bit printable ASCII character.

Exceptions:

Double quote (")    ASCII 34
Carriage Return     ASCII 13
Line Feed           ASCII 10
Tab                 ASCII 9
Backspace           ASCII 8

hash-key

The hash key. The key can be any combination of ASCII characters up to 22 characters in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to management interface.

Platforms

7705 SAR Gen 2
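
The authentication data layout described above for the ies and vprn interface vrrp contexts, as an added example that is not Nokia code: it applies the Values and Exceptions rules to a candidate key, packs it into the two four-octet fields, and shows that the same octets decode straight back to the key. Function names and sample keys are constructed for illustration.

```python
import hmac

# Characters excluded by the Exceptions list: " CR LF Tab Backspace
FORBIDDEN = {34, 13, 10, 9, 8}
FIELD_LEN = 4          # each authentication data field is four octets
MAX_KEY_LEN = 2 * FIELD_LEN


def validate_key(key: str) -> bytes:
    """Return the key as bytes, or raise ValueError if the CLI rules reject it."""
    raw = key.encode("ascii")  # UnicodeEncodeError (a ValueError) if not 7-bit
    if not 1 <= len(raw) <= MAX_KEY_LEN:
        raise ValueError("key must be 1 to 8 characters")
    for octet in raw:
        if octet in FORBIDDEN or not 0x20 <= octet <= 0x7E:
            raise ValueError("character ASCII %d is not allowed" % octet)
    return raw


def pack_auth_data(key: str) -> tuple:
    """Left-justify the key, pad with 0, and split into the two fields."""
    padded = validate_key(key).ljust(MAX_KEY_LEN, b"\x00")
    return padded[:FIELD_LEN], padded[FIELD_LEN:]


def auth_data_matches(received: bytes, key: str) -> bool:
    """Receiver-side check: compare the 8 received octets with the local key."""
    first, second = pack_auth_data(key)
    return len(received) == MAX_KEY_LEN and hmac.compare_digest(
        received, first + second
    )


def key_from_auth_data(received: bytes) -> str:
    """The fields carry the key itself, so stripping the padding recovers it."""
    return received.rstrip(b"\x00").decode("ascii")


if __name__ == "__main__":
    for sample in ("lab1", "s3cretKy"):  # constructed sample keys
        f1, f2 = pack_auth_data(sample)
        print(sample, f1.hex(), f2.hex(), key_from_auth_data(f1 + f2))
```

Since the advertisement carries the key unmodified, Type 1 authentication guards against misconfigured neighbors rather than against anyone able to read VRRP traffic on the segment.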

authentication-key

Syntax

authentication-key {authentication-key | hash-key} [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>service>vprn>bgp authentication-key)

[Tree] (config>service>vprn>bgp>group authentication-key)

[Tree] (config>service>vprn>bgp>group>neighbor authentication-key)

Full Context

configure service vprn bgp authentication-key

configure service vprn bgp group authentication-key

configure service vprn bgp group neighbor authentication-key

Description

This command configures the BGP authentication key.

Authentication is performed between neighboring routers before setting up the BGP session by verifying the password. Authentication is performed using the MD5 message-based digest. The authentication key can be any combination of letters or numbers from 1 to 16.

The no form of this command removes the authentication password from the configuration and effectively disables authentication.

Default

no authentication-key

Parameters

authentication-key

Specifies an authentication key. The key can be up to 255 characters (unencrypted).

hash-key

The hash key. The key can be any combination of ASCII characters up to 342 characters in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to management interface.

Platforms

7705 SAR Gen 2

authentication-key

Syntax

authentication-key [authentication-key | hash-key] [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>service>vprn>if>vrrp authentication-key)

Full Context

configure service vprn interface vrrp authentication-key

Description

The authentication-key command, within the vrrp virtual-router-id context, is used to assign a simple text password authentication key to generate master VRRP advertisement messages and validate received VRRP advertisement messages.

The authentication-key command is one of the few commands not affected by the presence of the owner keyword. If simple text password authentication is not required, this command is not required. If the command is re-executed with a different password key defined, the new key will be used immediately. If a no authentication-key command is executed, the password authentication key is restored to the default value. The authentication-key command may be executed at any time.

To change the current in-use password key on multiple virtual router instances:

  • Identify the current master

  • Shut down the virtual router instance on all backups

  • Execute the authentication-key command on the master to change the password key

  • Execute the authentication-key command and the no shutdown command on each backup key

The no form of this command restores the default null string to the value of key.

Parameters

authentication-key

The key parameter identifies the simple text password used when VRRP Authentication Type 1 is enabled on the virtual router instance. Type 1 uses a string eight octets long that is inserted into all transmitted VRRP advertisement messages and compared against all received VRRP advertisement messages. The authentication data fields are used to transmit the key.

The key parameter is expressed as a string consisting of up to eight alphanumeric characters. Spaces must be contained in quotation marks (" "). The quotation marks are not considered part of the string.

The string is case sensitive and is left-justified in the VRRP advertisement message authentication data fields. The first field contains the first four characters with the first octet (starting with IETF RFC bit position 0) containing the first character. The second field holds the fifth through eighth characters. Any unspecified portion of the authentication data field is padded with the value 0 in the corresponding octet.

Values

Any 7-bit printable ASCII character.

Exceptions:

  • Double quote ("): ASCII 34

  • Carriage Return: ASCII 13

  • Line Feed: ASCII 10

  • Tab: ASCII 9

  • Backspace: ASCII 8

hash-key

The hash key. The key can be any combination of ASCII characters up to 22 characters in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to the management interface.

Platforms

7705 SAR Gen 2

authentication-key

Syntax

authentication-key {authentication-key | hash-key} [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>service>vprn>isis authentication-key)

[Tree] (config>service>vprn>isis>level authentication-key)

Full Context

configure service vprn isis authentication-key

configure service vprn isis level authentication-key

Description

This command sets the authentication key used to verify PDUs sent by neighboring routers on the interface for the VPRN instance.

Neighboring routers use passwords to authenticate PDUs sent from an interface. For authentication to work, both the authentication key and the authentication type on a segment must match. The OSPF Commands statement must also be included.

To configure authentication on the global level, configure this command in the config>router>isis context. When this parameter is configured on the global level, all PDUs are authenticated including the Hello PDU.

To override the global setting for a specific level, configure the authentication-key command in the config>router>isis>level context. When configured within the specific level, hello PDUs are not authenticated.

The no form of this command removes the authentication key.

Default

no authentication-key — No authentication key is configured.

Parameters

authentication-key

The authentication key. The key can be any combination of ASCII characters up to 255 characters in length (unencrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

hash-key

The hash key. The key can be any combination of ASCII characters up to 342 characters in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to the management interface.

Platforms

7705 SAR Gen 2

authentication-key

Syntax

authentication-key key-id key key [hash | hash2 | custom] type {des | message-digest}

no authentication-key key-id

Context

[Tree] (config>service>vprn>ntp authentication-key)

Full Context

configure service vprn ntp authentication-key

Description

This command sets the authentication key-id, type and key used to authenticate NTP PDUs sent by the broadcast server function toward external clients or to authenticate NTP PDUs received from external unicast clients within the VPRN routing instance. For authentication to work, the authentication key-id, type, and key value must match.

The no form of this command removes the authentication key.

Parameters

key-id

Configures the authentication key-id that will be used by the node when transmitting or receiving Network Time Protocol packets.

Entering the authentication-key command with a key-id value that matches an existing configuration key will result in overriding the existing entry.

Recipients of the NTP packets must have the same authentication key-id, type, and key value in order to use the data transmitted by this node. This is an optional parameter.

Values

1 to 255

key

The authentication key associated with the configured key-id. The value configured in this parameter is the actual value used by other network elements to authenticate the NTP packet.

The key can be any combination of ASCII characters up to 8 characters in length (unencrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to the management interface.

type

This parameter determines if DES or message-digest authentication is used.

This is a required parameter; either DES or message-digest must be configured.

Values

des — Specifies that DES authentication is used for this key.

message-digest — Specifies that MD5 authentication in accordance with RFC 2104 is used for this key.

Platforms

7705 SAR Gen 2

authentication-key

Syntax

authentication-key {authentication-key | hash-key} [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>service>vprn>ospf>area>sham-link authentication-key)

[Tree] (config>service>vprn>ospf>area>virtual-link authentication-key)

[Tree] (config>service>vprn>ospf>area>if authentication-key)

Full Context

configure service vprn ospf area sham-link authentication-key

configure service vprn ospf area virtual-link authentication-key

configure service vprn ospf area interface authentication-key

Description

This command configures the password used by the OSPF interface or virtual-link to send and receive OSPF protocol packets on the interface when simple password authentication is configured.

This command is not valid in the OSPF3 context.

All neighboring routers must use the same type of authentication and password for proper protocol communication. If the authentication-type is configured as password, then this key must be configured.

By default, no authentication key is configured.

This command is not supported in the OSPF context.

The no form of this command removes the authentication key.

Default

no authentication-key — No authentication key is defined.

Parameters

authentication-key

The authentication key. The key can be any combination of ASCII characters up to 8 characters in length (unencrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

hash-key

The hash key. The key can be any combination of ASCII characters up to 22 characters in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to the management interface.

Platforms

7705 SAR Gen 2

authentication-key

Syntax

authentication-key {authentication-key | hash-key} [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>service>vprn>rip>group authentication-key)

[Tree] (config>service>vprn>rip>group>neighbor authentication-key)

[Tree] (config>service>vprn>rip authentication-key)

Full Context

configure service vprn rip group authentication-key

configure service vprn rip group neighbor authentication-key

configure service vprn rip authentication-key

Description

This command sets the authentication password to be passed between RIP neighbors.

The authentication type and authentication key must match exactly to authenticate and then process the RIP message.

The no form of this command removes the authentication password from the configuration and disables authentication.

Default

no authentication-key

Parameters

authentication-key

The authentication key. The key can be any combination of ASCII characters up to 16 characters in length (unencrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

hash-key

The hash key. The key can be any combination of ASCII characters up to 33 characters in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to the management interface.

Platforms

7705 SAR Gen 2

authentication-key

Syntax

authentication-key {authentication-key | hash-key} [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>router>ldp>tcp-session-params authentication-key)

[Tree] (config>router>ldp>tcp-session-params>peer-transport authentication-key)

Full Context

configure router ldp tcp-session-parameters authentication-key

configure router ldp tcp-session-parameters peer-transport authentication-key

Description

This command specifies the authentication key used to establish a session between LDP peers. Authentication uses the MD5 message-based digest. The peer address used in authentication must be the TCP session transport address. If one or more transport addresses used in the Hello adjacencies to the same peer LSR are different from the LSR-ID value, the user must add each transport address to the authentication-key configuration as a separate peer. As a result, when the TCP connection is bootstrapped by a specific Hello adjacency, the authentication can operate over that TCP connection by using its specific transport address. The per peer authentication configuration takes precedence over global authentication configuration, and authentication keychain configuration takes precedence over authentication key configuration.

The no form of this command disables authentication.

Parameters

authentication-key

Specifies the authentication key. The key can be any combination of ASCII characters, up to 255 characters (unencrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

hash-key

Specifies the hash key. The key can be any combination of up to 33 alphanumeric characters. If spaces are used in the string, enclose the entire string in quotation marks (" ").

This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex, encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to the management interface.

Platforms

7705 SAR Gen 2

authentication-key

Syntax

authentication-key {authentication-key | hash-key} [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>router>rsvp>interface authentication-key)

Full Context

configure router rsvp interface authentication-key

Description

This command specifies the authentication key for use between RSVP neighbors to authenticate RSVP messages. Authentication uses the MD5 message-based digest.

When enabled on an RSVP interface, authentication of RSVP messages operates in both directions of the interface. A router maintains a security association using one authentication key for each interface to an RSVP neighbor.

An RSVP neighbor transmits an authenticating digest of the RSVP message that is computed using the shared authentication key and a keyed-hash algorithm. The message digest is included in an INTEGRITY object, which also contains a flags field, a key identifier field, and a sequence number field. An RSVP neighbor uses the key together with the authentication algorithm to process received RSVP messages. The RSVP MD5 authentication complies with the procedures for RSVP message generation in RFC 2747, RSVP Cryptographic Authentication.

The MD5 implementation does not support the authentication challenge procedures in RFC 2747.
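The INTEGRITY object handling described above, as an added Python example that is not taken from the product or its documentation. The field layout and HMAC-MD5 digest follow RFC 2747; the function and class names, the key, and the sample bytes are constructed for illustration, the RSVP common header is omitted (the message is modelled as the INTEGRITY object followed by opaque object bytes), and the challenge procedure is left out because the node does not support it.

```python
import hashlib
import hmac
import struct

INTEGRITY_CLASS_NUM = 4      # RFC 2747 INTEGRITY object class
INTEGRITY_C_TYPE = 1
DIGEST_LEN = 16              # HMAC-MD5 output size
# object header (4) + flags (1) + reserved (1) + key id (6) + sequence (8) + digest
OBJ_LEN = 4 + 1 + 1 + 6 + 8 + DIGEST_LEN
DIGEST_OFFSET = OBJ_LEN - DIGEST_LEN


def build_message(key: bytes, key_id: bytes, seq: int, objects: bytes,
                  flags: int = 0) -> bytes:
    """Sender side: prepend an INTEGRITY object covering `objects`."""
    if len(key_id) != 6:
        raise ValueError("key identifier is a 48-bit field")
    head = struct.pack("!HBBBB", OBJ_LEN, INTEGRITY_CLASS_NUM,
                       INTEGRITY_C_TYPE, flags, 0)
    head += key_id + struct.pack("!Q", seq)
    # The digest is computed with the digest field itself set to zero.
    zeroed = head + bytes(DIGEST_LEN) + objects
    digest = hmac.new(key, zeroed, hashlib.md5).digest()
    return head + digest + objects


class Neighbor:
    """Receiver side: one shared key, last accepted sequence per key id."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = {}

    def verify(self, msg: bytes) -> str:
        if len(msg) < OBJ_LEN:
            return "malformed"
        length, class_num, c_type, _flags, _rsvd = struct.unpack(
            "!HBBBB", msg[:6])
        if (length, class_num, c_type) != (
                OBJ_LEN, INTEGRITY_CLASS_NUM, INTEGRITY_C_TYPE):
            return "malformed"
        key_id = msg[6:12]
        (seq,) = struct.unpack("!Q", msg[12:DIGEST_OFFSET])
        received = msg[DIGEST_OFFSET:OBJ_LEN]
        # Recompute over the message with the digest field zeroed.
        zeroed = msg[:DIGEST_OFFSET] + bytes(DIGEST_LEN) + msg[OBJ_LEN:]
        expected = hmac.new(self.key, zeroed, hashlib.md5).digest()
        if not hmac.compare_digest(received, expected):
            return "bad-digest"
        # Sequence numbers must strictly increase, otherwise a captured
        # message with a valid digest could simply be replayed.
        if seq <= self.last_seq.get(key_id, -1):
            return "replay"
        self.last_seq[key_id] = seq
        return "ok"


if __name__ == "__main__":
    KEY = b"constructed-key!"            # constructed 16-character key
    KEY_ID = bytes([0, 0, 0, 0, 0, 1])   # constructed key identifier
    rx = Neighbor(KEY)
    first = build_message(KEY, KEY_ID, 10, b"constructed PATH objects")
    print(rx.verify(first))              # accepted
    print(rx.verify(first))              # same sequence number again
    tampered = bytearray(build_message(KEY, KEY_ID, 11, b"constructed"))
    tampered[-1] ^= 0x01
    print(rx.verify(bytes(tampered)))    # digest no longer matches
```

The digest check runs before the sequence check, so a forged message cannot advance the stored sequence number and push legitimate messages into the replay path.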

The no form of this command disables authentication.

Default

no authentication-key - The authentication key value is the null string.

Parameters

authentication-key

Specifies the authentication key. The key can be any combination of ASCII characters up to 16 characters in length (unencrypted). If the string contains special characters (#, ?, space), the entire string must be enclosed within double quotes.

hash-key

Specifies the hash key. The key can be any combination of up to 33 alphanumeric characters. If spaces are used in the string, enclose the entire string in quotation marks (" ").

This is useful when a user must configure the parameter, but for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to the management interface.

Platforms

7705 SAR Gen 2

authentication-key

Syntax

authentication-key {authentication-key | hash-key} [{hash | hash2 | custom}]

no authentication-key

Context

[Tree] (config>router>if>vrrp authentication-key)

Full Context

configure router interface vrrp authentication-key

Description

This command sets the simple text authentication key used to generate master VRRP advertisement messages and to validate received VRRP advertisements.

If simple text password authentication is not required, the authentication-key command is not required.

The command is configurable in both non-owner and owner vrrp nodal contexts.

The key parameter identifies the simple text password to be used when VRRP Authentication Type 1 is enabled on the virtual router instance. Type 1 uses an eight octet long string that is inserted into all transmitted VRRP advertisement messages and is compared against all received VRRP advertisement messages. The authentication data fields are used to transmit the key.

The key string is case sensitive and is left justified in the VRRP advertisement message authentication data fields. The first field contains the first four characters with the first octet (starting with IETF RFC bit position 0) containing the first character. The second field similarly holds the fifth through eighth characters. Any unspecified portion of the authentication data field is padded with a 0 value in the corresponding octet.
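The authentication data layout described above, and in the config>service>vprn>if>vrrp entry with its list of excluded characters, as an added Python example that is not code from the product. The function names and the sample key are constructed for illustration.

```python
import hmac
import struct
from typing import Tuple

AUTH_TYPE_SIMPLE_TEXT = 1             # VRRP Authentication Type 1
AUTH_DATA_LEN = 8                     # eight octets, sent as two 4-octet fields
# Characters the reference excludes from the key:
# double quote (34), carriage return (13), line feed (10), tab (9), backspace (8)
EXCLUDED = frozenset({34, 13, 10, 9, 8})


def encode_auth_data(key: str) -> bytes:
    """Left-justify a cleartext key in the 8-octet authentication data.

    Unused trailing octets are padded with the value 0.
    """
    raw = key.encode("ascii")         # non-ASCII input raises a ValueError subclass
    if len(raw) > AUTH_DATA_LEN:
        raise ValueError("key is longer than eight characters")
    for octet in raw:
        if octet in EXCLUDED or not 0x20 <= octet <= 0x7E:
            raise ValueError("character %d is not allowed in the key" % octet)
    return raw.ljust(AUTH_DATA_LEN, b"\x00")


def auth_fields(key: str) -> Tuple[int, int]:
    """Return the two 32-bit authentication data fields in network byte order.

    The first field carries characters 1-4, the second characters 5-8.
    """
    return struct.unpack("!II", encode_auth_data(key))


def decode_auth_data(auth_data: bytes) -> str:
    """Recover the key text from captured authentication data."""
    if len(auth_data) != AUTH_DATA_LEN:
        raise ValueError("authentication data must be eight octets")
    return auth_data.rstrip(b"\x00").decode("ascii")


def advertisement_accepted(local_key: str, rx_auth_type: int,
                           rx_auth_data: bytes) -> bool:
    """Compare received authentication data with the locally configured key."""
    if rx_auth_type != AUTH_TYPE_SIMPLE_TEXT:
        return False
    if len(rx_auth_data) != AUTH_DATA_LEN:
        return False
    # The comparison is octet for octet, so the key is case sensitive.
    return hmac.compare_digest(encode_auth_data(local_key), rx_auth_data)


if __name__ == "__main__":
    key = "Lab12"                     # constructed sample key
    print(encode_auth_data(key))      # five characters plus three zero octets
    print([hex(f) for f in auth_fields(key)])
    print(advertisement_accepted(key, 1, b"lab12\x00\x00\x00"))  # case differs
```

Because the eight octets are carried in the advertisement exactly as configured, `decode_auth_data` on a captured advertisement shows which key each router is sending, which helps confirm a key change across master and backups and also shows that the key is readable by anyone who can capture the advertisement.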

If the command is re-executed with a different password key defined, the new key is used immediately.

The authentication-key command can be executed at any time.

To change the current in-use password key on multiple virtual router instances:

  1. Identify the current master.

  2. Shut down the virtual router instance on all backups.

  3. Execute the authentication-key command on the master to change the password key.

  4. Execute the authentication-key command and no shutdown command on each backup.

The no form of the command reverts to the default value.

Default

no authentication-key — The authentication key value is the null string.

Parameters

authentication-key

The authentication key. Allowed values are any string up to 8 characters long composed of printable, 7-bit ASCII characters. If the string contains special characters (#, ?, space), the entire string must be enclosed within double quotes.

hash-key

The hash key. The key can be any combination of ASCII characters up to 22 (hash-key1) or 121 (hash-key2) characters in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

This is useful when a user must configure the parameter, but for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to the management interface.

Platforms

7705 SAR Gen 2

authentication-key

Syntax

authentication-key key-id key key [hash | hash2 | custom] type {des | message-digest}

no authentication-key key-id

Context

[Tree] (config>system>time>ntp authentication-key)

Full Context

configure system time ntp authentication-key

Description

This command sets the authentication key-id, type and key used to authenticate NTP PDUs sent to or received by other network elements participating in the NTP protocol. For authentication to work, the authentication key-id, type and key value must match.

The no form of the command removes the authentication key.

Parameters

key-id

Configures the authentication key-id that will be used by the node when transmitting or receiving Network Time Protocol packets.

Entering the authentication-key command with a key-id value that matches an existing configuration key will result in overriding the existing entry.

Recipients of the NTP packets must have the same authentication key-id, type, and key value in order to use the data transmitted by this node. This is an optional parameter.

Values

1 to 255

key

Specifies the authentication key associated with the configured key-id. The value configured in this parameter is the actual value used by other network elements to authenticate the NTP packet.

The key can be any combination of ASCII characters up to 32 characters for message-digest (md5) or 8 characters for des (length limits are unencrypted lengths). If spaces are used in the string, enclose the entire string in quotation marks (" ").

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to the management interface.

type

Determines if DES or message-digest authentication is used.

This is a required parameter; either DES or message-digest must be configured.

des

Specifies that DES authentication is used for this key.

message-digest

Specifies that MD5 authentication in accordance with RFC 2104 is used for this key.

Platforms

7705 SAR Gen 2

authentication-key

Syntax

authentication-key [authentication-key | hash-key] [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>router>bgp>group authentication-key)

[Tree] (config>router>bgp>group>neighbor authentication-key)

[Tree] (config>router>bgp authentication-key)

Full Context

configure router bgp group authentication-key

configure router bgp group neighbor authentication-key

configure router bgp authentication-key

Description

This command configures the BGP authentication key.

Authentication is performed between neighboring routers before setting up the BGP session by verifying the password. Authentication is performed using the MD5 message-based digest.

The no form of this command reverts to the default value.

Default

no authentication-key

Parameters

authentication-key

Specifies an authentication key. The key can be up to 255 characters (unencrypted).

hash-key

Specifies the hash key. The key can be any combination of ASCII characters up to 342 characters in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to the management interface.

Platforms

7705 SAR Gen 2

authentication-key

Syntax

authentication-key [authentication-key | hash-key] [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>router>isis authentication-key)

[Tree] (config>router>isis>level authentication-key)

Full Context

configure router isis authentication-key

configure router isis level authentication-key

Description

This command sets the authentication key used to verify PDUs sent by neighboring routers on the interface.

Neighboring routers use passwords to authenticate PDUs sent from an interface. For authentication to work, both the authentication key and the authentication type on a segment must match. The authentication-type command must also be included.

To configure authentication on the global level, configure this command in the config>router>isis context. When this parameter is configured on the global level, all PDUs are authenticated, including the hello PDU.

To override the global setting for a specific level, configure the authentication-key command in the config>router>isis>level context. When configured within the specific level, hello PDUs are not authenticated.

The no form of this command removes the authentication key.

Default

no authentication-key

Parameters

authentication-key

Specifies the authentication key. The key can be any combination of ASCII characters up to 255 characters in length (unencrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

hash-key

Specifies the hash key. The key can be any combination of ASCII characters up to 342 characters in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

This is useful when a user must configure the parameter but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to the management interface.

Platforms

7705 SAR Gen 2

authentication-key

Syntax

authentication-key [authentication-key | hash-key] [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>router>ospf>area>interface authentication-key)

[Tree] (config>router>ospf>area>virtual-link authentication-key)

Full Context

configure router ospf area interface authentication-key

configure router ospf area virtual-link authentication-key

Description

This command configures the password used by the OSPF interface or virtual link to send and receive OSPF protocol packets on the interface when simple password authentication is configured.

All neighboring routers must use the same type of authentication and password for proper protocol communication. If authentication-type password is configured, this key must be configured.

By default, no authentication key is configured.

The no form of this command removes the authentication key.

Default

no authentication-key

Parameters

authentication-key

Specifies the authentication key. The key can be any combination of ASCII characters up to 8 characters in length (unencrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

hash-key

Specifies the hash key. The key can be any combination of ASCII characters up to 22 characters (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

This is useful when a user must configure the parameter but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to the management interface.

Platforms

7705 SAR Gen 2

authentication-key

Syntax

authentication-key {authentication-key | hash-key} [{hash | hash2 | custom}]

no authentication-key

Context

[Tree] (config>router>rip>group>neighbor authentication-key)

[Tree] (config>router>rip>group authentication-key)

[Tree] (config>router>rip authentication-key)

Full Context

configure router rip group neighbor authentication-key

configure router rip group authentication-key

configure router rip authentication-key

Description

This command sets the authentication password to be passed between RIP neighbors.

The authentication type and authentication key must match exactly for the RIP message to be considered authentic and processed.

The no form of the command removes the authentication password from the configuration and disables authentication.

Default

no authentication-key

Parameters

authentication-key

Specifies the authentication key. Allowed values are any string up to 16 characters long composed of printable, 7-bit ASCII characters. If the string contains special characters (#, ?, space), the entire string must be enclosed within double quotes.

hash-key

Specifies the hash key. The key can be any combination of ASCII characters up to 33 characters in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to the management interface.

Platforms

7705 SAR Gen 2

authentication-keychain

authentication-keychain

Syntax

authentication-keychain keychain-name

no authentication-keychain

Context

[Tree] (config>system>time>ntp authentication-keychain)

Full Context

configure system time ntp authentication-keychain

Description

This command configures the authentication keychain used to handle unsolicited NTP requests.

If the system receives a request with a key ID that matches both the configured key and the keychain, the system checks the MAC ID using the key information first. If the key authentication fails, the system then checks the MAC ID using the information from the keychain.

The no form of the command removes the authentication keychain.

Parameters

keychain-name

Specifies the keychain name, up to 32 characters.

Platforms

7705 SAR Gen 2

authentication-keychain

Syntax

authentication-keychain keychain-name

no authentication-keychain

Context

[Tree] (config>service>vprn>ntp authentication-keychain)

Full Context

configure service vprn ntp authentication-keychain

Description

This command configures the authentication keychain used to handle unsolicited NTP requests.

If the system receives a request with a key ID that matches both the configured key and the keychain, the system checks the MAC ID using the key information first. If the key authentication fails, the system then checks the MAC ID using the information from the keychain.

The no form of the command removes the authentication keychain.

Parameters

keychain-name

Specifies the keychain name, up to 32 characters.

Platforms

7705 SAR Gen 2

authentication-method

authentication-method

Syntax

authentication-method

Context

[Tree] (config>system>security>ssh authentication-method)

Full Context

configure system security ssh authentication-method

Description

Commands in this context configure the SSH authentication method at the system level.

Platforms

7705 SAR Gen 2

authentication-order

authentication-order

Syntax

authentication-order [method-1] [method-2] [method-3] [method-4] [exit-on-reject]

no authentication-order

Context

[Tree] (config>system>security>password authentication-order)

Full Context

configure system security password authentication-order

Description

This command configures the sequence in which the system attempts authentication and authorization among the local user database, RADIUS servers, TACACS+ servers, and LDAP servers.

Configure the order from the most preferred method to the least preferred. The presence of all methods in the command line does not guarantee they are all operational. Specifying options that are not available delays user authentication.

If all operational methods are attempted and no authentication for a particular login has been granted, an entry in the security log records the failed attempt. Both the attempted login identification and originating IP address are logged with a timestamp.

The no form of this command reverts to the default order.

The order is not applicable to SNMPv3. SNMPv3 messages ignore the configured order and are authorized using the locally configured users only. TACACS+, RADIUS, and LDAP are not supported for SNMPv3 authentication.

Note:

This command applies to a local user, in addition to users on RADIUS, TACACS+, and LDAP.

Default

authentication-order radius tacplus ldap local

Parameters

method-1

Specifies the first password authentication method to attempt.

Values

local, radius, tacplus, ldap

method-2

Specifies the second password authentication method to attempt.

Values

local, radius, tacplus, ldap

method-3

Specifies the third password authentication method to attempt.

Values

local, radius, tacplus, ldap

method-4

Specifies the fourth password authentication method to attempt.

Values

local, radius, tacplus, ldap

local

Specifies the password authentication based on the local password database.

radius

Specifies RADIUS authentication.

tacplus

Specifies TACACS+ authentication.

ldap

Specifies LDAP authentication.

exit-on-reject

When this parameter is configured, the router stops authentication and authorization if one of the AAA methods configured in the order sends a rejection.

When this parameter is not configured, the router attempts the next AAA method if an AAA method sends a rejection. If all AAA methods are exhausted, authentication and authorization are rejected.

If the order specifies local as the first method, the following actions apply:

  • If this parameter is configured and the user does not exist, the user is not authenticated.
  • If the user can be authenticated locally, other methods, if configured, are used for authorization and accounting.
  • If the user is configured locally but without console access, login is denied.
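The fall-through behavior described for authentication-order and exit-on-reject, as an added Python model (not Nokia code). The Outcome values, the walk_order function and the scenario data are constructed for illustration, and treating a non-operational method as "no answer" rather than a rejection is an assumption.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Outcome(Enum):
    ACCEPT = "accept"            # the method authenticated the user
    REJECT = "reject"            # the method answered and refused the login
    UNAVAILABLE = "unavailable"  # listed in the order but not operational (assumed: no answer)


VALID_METHODS = {"local", "radius", "tacplus", "ldap"}
DEFAULT_ORDER = ("radius", "tacplus", "ldap", "local")  # default order given on the page


@dataclass
class Decision:
    granted: bool
    decided_by: Optional[str]  # method that ended the walk; None if the order was exhausted
    tried: list = field(default_factory=list)


def walk_order(order, responses, exit_on_reject=False):
    """Walk the configured methods from most to least preferred.

    responses maps a method name to the Outcome it would give for this login;
    a method missing from the map is treated as UNAVAILABLE.
    """
    if len(order) > 4:
        raise ValueError("at most four methods can be configured")
    unknown = [m for m in order if m not in VALID_METHODS]
    if unknown:
        raise ValueError(f"unknown method(s): {unknown}")

    tried = []
    for method in order:
        outcome = responses.get(method, Outcome.UNAVAILABLE)
        tried.append(method)
        if outcome is Outcome.ACCEPT:
            return Decision(True, method, tried)
        if outcome is Outcome.REJECT and exit_on_reject:
            # exit-on-reject: the first rejection ends authentication
            return Decision(False, method, tried)
        # rejection without exit-on-reject, or a non-operational method:
        # the next method in the order is attempted
    # every method was attempted and none granted the login
    return Decision(False, None, tried)


# Constructed scenario: the account was removed from RADIUS, but a local
# account with the same name and a still-valid password remains on the node.
STALE_LOCAL_ACCOUNT = {
    "radius": Outcome.REJECT,
    "tacplus": Outcome.UNAVAILABLE,
    "ldap": Outcome.UNAVAILABLE,
    "local": Outcome.ACCEPT,
}

# Constructed scenario: all remote servers are unreachable.
REMOTE_OUTAGE = {"local": Outcome.ACCEPT}


if __name__ == "__main__":
    for name, scenario in (("stale local account", STALE_LOCAL_ACCOUNT),
                           ("remote outage", REMOTE_OUTAGE)):
        for flag in (False, True):
            d = walk_order(DEFAULT_ORDER, scenario, exit_on_reject=flag)
            print(f"{name:20} exit-on-reject={flag!s:5} granted={d.granted!s:5} "
                  f"decided_by={d.decided_by} tried={d.tried}")
```

In the first scenario the RADIUS rejection is only final when exit-on-reject is set; without it the login falls through to the local database, which is why local accounts need to be reviewed alongside the remote AAA servers.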

Platforms

7705 SAR Gen 2

authentication-over-bypass

authentication-over-bypass

Syntax

authentication-over-bypass [enable | disable]

Context

[Tree] (config>router>rsvp authentication-over-bypass)

Full Context

configure router rsvp authentication-over-bypass

Description

This command configures the MD5 authentication over the bypass LSP of all Points of Local Repair (PLRs) and Merge Points (MPs) on the router. Only enable this command when the TE interfaces in the RSVP-TE network use the same MD5 authentication parameters.

When a Point of Local Repair (PLR) activates a bypass LSP towards a Merge Point (MP), by default, the INTEGRITY object corresponding to the bypass LSP interface is not added to a transmitted RSVP message except for packets of routed RSVP messages (Resv, Srefresh, and ACK), and only when the packet is intended for a bypass LSP endpoint (PLR or MP) that is a directly connected neighbor.

When this command is enabled, the INTEGRITY object of the interface corresponding to the bypass LSP is added to a transmitted RSVP message regardless of whether the bypass LSP endpoint (PLR or MP) is a directly connected RSVP neighbor. The INTEGRITY object is included with the following RSVP messages: Path, PathTear, PathErr, Resv, ResvTear, ResvErr, Srefresh, and ACK.

In all cases, an RSVP message that is received from a PLR or an MP (the sender address in the SenderTemplate/FilterSpec is different from the Extended Tunnel Id in the Session Object) and that includes the INTEGRITY object is authenticated against the bypass LSP interface. An RSVP message received from a PLR or MP without the INTEGRITY object is also accepted.

Default

authentication-over-bypass disable

Parameters

enable

Enables the MD5 authentication over the bypass LSP of all PLRs on the node.

disable

Disables the MD5 authentication over the bypass LSP of all PLRs on the node.

Platforms

7705 SAR Gen 2

authentication-type

authentication-type

Syntax

authentication-type {none | password | message-digest | message-digest-20}

no authentication-type

Context

[Tree] (config>subscr-mgmt>rip-plcy authentication-type)

Full Context

configure subscriber-mgmt rip-policy authentication-type

Description

This command sets the type of authentication to be used between RIP neighbors. The type and password must match exactly for the RIP message to be considered authentic and processed.

The no form of this command removes the authentication type from the configuration and effectively disables authentication.

Parameters

none

Disables authentication at a given level (global, group, neighbor). If the command does not exist in the configuration, the parameter is inherited.

password

Enables simple password (plain text) authentication. If authentication is enabled and no authentication type is specified in the command, simple password authentication is enabled.

message-digest

Configures 16 byte message digest for MD5 authentication. If this option is configured, then at least one message-digest-key must be configured.

message-digest-20

Configures 20 byte message digest for MD5 authentication in accordance with RFC 2082, RIP-2 MD5 Authentication. If this option is configured, then at least one message-digest-key must be configured.

Platforms

7705 SAR Gen 2

authentication-type

Syntax

authentication-type {password | message-digest}

no authentication

Context

[Tree] (config>service>vprn>isis authentication-type)

[Tree] (config>service>vprn>isis>level authentication-type)

Full Context

configure service vprn isis authentication-type

configure service vprn isis level authentication-type

Description

This command enables either simple password or message digest authentication. It must be configured in either the global IS-IS or the IS-IS level context.

Both the authentication key and the authentication type on a segment must match. The authentication-key statement must also be included.

Configure the authentication type on the global level in the config>router>isis context.

Configure or override the global setting by configuring the authentication type in the config>router>isis>level context.

The no form of this command disables authentication.

Default

no authentication-type — No authentication type is configured and authentication is disabled.

Parameters

password

Specifies that simple password (plain text) authentication is required.

message-digest

Specifies that MD5 authentication in accordance with RFC 2104 is required.

Platforms

7705 SAR Gen 2

authentication-type

Syntax

authentication-type {password | message-digest}

no authentication-type

Context

[Tree] (config>service>vprn>ospf>area>sham-link authentication-type)

[Tree] (config>service>vprn>ospf>area>virtual-link authentication-type)

[Tree] (config>service>vprn>ospf>area>if authentication-type)

Full Context

configure service vprn ospf area sham-link authentication-type

configure service vprn ospf area virtual-link authentication-type

configure service vprn ospf area interface authentication-type

Description

This command enables authentication and specifies the type of authentication to be used on the OSPF interface, virtual-link, and sham-link.

This command is not valid in the OSPF3 context.

Both simple password and message-digest authentication are supported.

The no form of this command disables authentication on the interface.

Default

no authentication-type — No authentication is enabled on an interface.

Parameters

password

This keyword enables simple password (plain text) authentication. If authentication is enabled and no authentication type is specified in the command, simple password authentication is enabled.

message-digest

This keyword enables message digest MD5 authentication in accordance with RFC 1321. If this option is configured, then at least one message-digest-key must be configured.

Platforms

7705 SAR Gen 2

authentication-type

Syntax

authentication-type {none | password | message-digest | message-digest-20}

no authentication-type

Context

[Tree] (config>service>vprn>rip>group authentication-type)

[Tree] (config>service>vprn>rip authentication-type)

[Tree] (config>service>vprn>rip>group>neighbor authentication-type)

Full Context

configure service vprn rip group authentication-type

configure service vprn rip authentication-type

configure service vprn rip group neighbor authentication-type

Description

This command defines the type of authentication used between RIP neighbors. The type and password must match exactly to authenticate and then process the RIP message.

The no form of this command removes the authentication type from the configuration and effectively disables authentication.

Default

no authentication-type

Parameters

none

No authentication is used.

password

A simple cleartext password is sent.

message-digest

MD5 authentication is used.

message-digest-20

MD20 authentication is used.

Platforms

7705 SAR Gen 2

authentication-type

Syntax

authentication-type {password | message-digest}

no authentication

Context

[Tree] (config>router>isis>level authentication-type)

[Tree] (config>router>isis authentication-type)

Full Context

configure router isis level authentication-type

configure router isis authentication-type

Description

This command enables either simple password or message digest authentication. It must be configured in either the global IS-IS or the IS-IS level context.

Both the authentication key and the authentication type on a segment must match. The authentication-key statement must also be included.

Configure the authentication type on the global level in the config>router>isis context.

Configure or override the global setting by configuring the authentication type in the config>router>isis>level context.

The no form of this command disables authentication.

Parameters

password

Specifies that simple password (plain text) authentication is required.

message-digest

Specifies that MD5 authentication in accordance with RFC 2104 is required.

Platforms

7705 SAR Gen 2

authentication-type

Syntax

authentication-type {password | message-digest}

no authentication-type

Context

[Tree] (config>router>ospf>area>virtual-link authentication-type)

[Tree] (config>router>ospf>area>interface authentication-type)

Full Context

configure router ospf area virtual-link authentication-type

configure router ospf area interface authentication-type

Description

This command enables authentication and specifies the type of authentication to be used on the OSPF interface.

Both simple password and message-digest authentication are supported.

By default, authentication is not enabled on an interface.

The no form of this command disables authentication on the interface.

Default

no authentication-type

Parameters

password

Enables the simple password (plain text) authentication. If authentication is enabled and no authentication type is specified in the command, simple password authentication is enabled.

message-digest

Enables message digest MD5 authentication in accordance with RFC 1321. If this option is configured, then at least one message-digest-key must be configured.

Platforms

7705 SAR Gen 2

authentication-type

Syntax

authentication-type {none | password | message-digest | message-digest-20}

no authentication-type

Context

[Tree] (config>router>rip>group>neighbor authentication-type)

[Tree] (config>router>rip>group authentication-type)

[Tree] (config>router>rip authentication-type)

Full Context

configure router rip group neighbor authentication-type

configure router rip group authentication-type

configure router rip authentication-type

Description

This command sets the type of authentication to be used between RIP neighbors.

The type and password must match exactly for the RIP message to be considered authentic and processed.

The no form of the command removes the authentication type from the configuration and effectively disables authentication.

Default

no authentication-type

Parameters

none

The none parameter explicitly disables authentication at a given level (global, group, neighbor). If the command does not exist in the configuration, the parameter is inherited.

password

Enables simple password (plain text) authentication. If authentication is enabled and no authentication type is specified in the command, simple password authentication is enabled.

message-digest

Configures 16 byte message digest for MD5 authentication. If this option is configured, then at least one message-digest-key must be configured.

message-digest-20

Configures 20 byte message digest for MD5 authentication in accordance with RFC 2082, RIP-2 MD5 Authentication. If this option is configured, then at least one message-digest-key must be configured.

Platforms

7705 SAR Gen 2

authenticator-init

authenticator-init

Syntax

[no] authenticator-init

Context

[Tree] (config>port>ethernet>dot1x>per-host-authentication authenticator-init)

Full Context

configure port ethernet dot1x per-host-authentication authenticator-init

Description

This command configures the authenticator-initiated mode of the host.

The no form of this command disables the authenticator-initiated mode of the host.

Default

authenticator-init

Platforms

7705 SAR Gen 2

authorization

authorization

Syntax

authorization

Context

[Tree] (config>system>security>cli-script authorization)

Full Context

configure system security cli-script authorization

Description

Commands in this context authorize CLI script execution.

Platforms

7705 SAR Gen 2

authorization

Syntax

[no] authorization

Context

[Tree] (config>service>vprn>aaa>rmt-srv>radius authorization)

[Tree] (config>system>security>radius authorization)

Full Context

configure service vprn aaa remote-servers radius authorization

configure system security radius authorization

Description

This command configures RADIUS authorization parameters.

The no form of this command removes RADIUS authorization parameters from the configuration.

Default

no authorization

Platforms

7705 SAR Gen 2

authorization

Syntax

authorization [use-priv-lvl]

no authorization

Context

[Tree] (config>service>vprn>aaa>rmt-srv>tacplus authorization)

[Tree] (config>system>security>tacplus authorization)

Full Context

configure service vprn aaa remote-servers tacplus authorization

configure system security tacplus authorization

Description

This command configures TACACS+ command authorization parameters.

If this command is enabled without the use-priv-lvl option, each command is sent to the TACACS+ server for authorization (this is true whether the tacplus use-default-template setting is enabled or not).

If the tacplus authorization command is disabled, and the tacplus use-default-template setting is enabled, the local profile in the user-template tacplus_default is used for command authorization.

The no form of this command removes authorization parameters from the configuration.

Default

no authorization

Parameters

use-priv-lvl

Specifies to automatically perform a single authorization request to the TACACS+ server for cmd* (all commands) immediately after login, and then use the local profile associated (via the priv-lvl-map command) with the privilege level returned by the TACACS+ server for all subsequent authorization (except enable-admin). After the initial authorization for cmd*, no further authorization requests are sent to the TACACS+ server (except enable-admin). If the TACACS+ server does not return a privilege level for a user, the profile from the user-template tacplus_default is used for command authorization (as long as tacplus use-default-template is enabled, otherwise all commands are rejected).

Platforms

7705 SAR Gen 2

auto-bind-tunnel

auto-bind-tunnel

Syntax

auto-bind-tunnel

Context

[Tree] (config>service>vpls>bgp-evpn>mpls auto-bind-tunnel)

[Tree] (config>service>vprn>bgp-evpn>mpls auto-bind-tunnel)

[Tree] (config>service>epipe>bgp-evpn>mpls auto-bind-tunnel)

[Tree] (config>service>vprn>bgp-ipvpn>mpls auto-bind-tunnel)

Full Context

configure service vpls bgp-evpn mpls auto-bind-tunnel

configure service vprn bgp-evpn mpls auto-bind-tunnel

configure service epipe bgp-evpn mpls auto-bind-tunnel

configure service vprn bgp-ipvpn mpls auto-bind-tunnel

Description

Commands in this context configure automatic binding of a VPRN service using tunnels to MP-BGP peers.

The auto-bind-tunnel node is simply a context to configure the binding of BGP IPVPN or EVPN routes to tunnels. The user must configure the resolution option to enable auto-bind resolution to tunnels in TTM. If the resolution option is explicitly set to disabled, the auto-binding to tunnel is removed.

If resolution is set to any, any supported tunnel type in the Epipe/VPRN/VPLS context is selected following TTM preference. If one or more explicit tunnel types are specified using the resolution-filter option, then only these tunnel types are selected, again following the TTM preference.

The user must set resolution to filter in order to activate the list of tunnel-types configured under resolution-filter.

In VPRN services and for BGP-IPVPN, when an explicit SDP to a BGP next hop is configured (config>service>vprn>spoke-sdp), it overrides the auto-bind-tunnel selection for that BGP next hop only. There is no support for reverting automatically to the auto-bind-tunnel selection if the explicit SDP goes down. The user must delete the explicit spoke-sdp in the VPRN service context to resume using the auto-bind-tunnel selection for the BGP next hop.

Platforms

7705 SAR Gen 2

auto-bind-tunnel

Syntax

auto-bind-tunnel

Context

[Tree] (config>service>vprn auto-bind-tunnel)

Full Context

configure service vprn auto-bind-tunnel

Description

Note: This command is no longer supported and will be removed in a future release.

Platforms

7705 SAR Gen 2

auto-boot

auto-boot

Syntax

auto-boot [management-port] [inband [ vlan vlan-id | vlan-discovery]] [ipv4] [ipv6] [client-identifier {string ascii-string | hex hex-string | chassis-mac}] [include-user-class] [timeout minutes]

auto-boot ospf [neid neid-hex-string] [vendor-id vendor-id] [neip-ipv4 ip-address] [neip-ipv6 ipv6-address] [port-mtu mtu-bytes] [ospf-mtu ip-mtu-bytes] [vlan vlan-id] [timeout minutes]

no auto-boot

Context

[Tree] (bof auto-boot)

Full Context

bof auto-boot

Description

This command enables the auto-boot flag in the BOF and configures the auto-boot options for ZTP. When modifying auto-boot options using CLI, all required options must be explicitly configured, as the default cases will no longer be used.

The no form of this command disables the auto-boot flag.

Default

no auto-boot

Parameters

management-port

Specifies that the out-of-band management port (Mgmt port) should be used for ZTP.

inband

Specifies that in-band management through an Ethernet port should be used for ZTP. Unless the vlan-discovery flag is used, the inband option disables VLAN discovery.

vlan-id

Specifies an in-band VLAN to use for the auto-boot process.

Values

1 to 4094

vlan-discovery

Floods all VLANs (1 to 4094) with DHCP discovery messages and is supported only on inband ports. The first offer received on a specific VLAN is processed.

ipv4

Enables IPv4 DHCP discovery. This parameter is mandatory if the ipv6 parameter is not specified.

ipv6

Enables IPv6 DHCP solicitation. This parameter is mandatory if the ipv4 parameter is not specified.

ascii-string

Specifies a DHCP client identification string, up to 58 ASCII characters, to be used for Option 61 (IPv4) or Option 1 (IPv6).

hex-string

Specifies a DHCP client identification string, up to 116 hexadecimal nibbles, to be used for Option 61 (IPv4) or Option 1 (IPv6).

Values

0x0 to 0xFFFFFFFF

chassis-mac

Specifies that the chassis MAC address should be used as the DHCP client identification string for Option 61 (IPv4) or Option 1 (IPv6).

include-user-class

Specifies that Option 77 should be included in DHCP messages.

client-identifier

Specifies that a custom client ID should be used in network discovery requests.

minutes

Specifies the time interval after which, if the auto-boot process is unsuccessful (in the case of auto-boot using OSPF, if no OSPF adjacency is found), the node is rebooted and the auto-boot process is retried.

Values

30 to 1440

Default

30

ospf

Specifies that OSPF auto-discovery should be used.

neid-hex-string

Specifies a hexadecimal network element identification string.

Values

0x10101 to 0xFEFEFE

ip-address

Specifies the IPv4 address for the network element.

Values

a.b.c.d

Default

vendor-id.neid-hex-string

ipv6-address

Specifies the IPv6 address for the network element.

Values

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x [0 to FFFF]H

d [0 to 255]D

Default

The IPv6 version of vendor-id.neid-hex-string

vendor-id

Specifies the vendor identification number. The number 140 corresponds to "Nokia".

Values

1 to 254

Default

140

ip-mtu-bytes

Specifies the OSPF MTU in bytes.

Values

512 to 9786

Default

1500

mtu-bytes

Specifies the port MTU in bytes.

Values

512 to 9800

Default

The default MTU of the port type.

Platforms

7705 SAR Gen 2

auto-config

auto-config

Syntax

[no] auto-config

Context

[Tree] (config>service>epipe>spoke-sdp-fec auto-config)

Full Context

configure service epipe spoke-sdp-fec auto-config

Description

This command enables single sided automatic endpoint configuration of the spoke SDP. The router acts as the passive T-PE for signaling this MS-PW.

Automatic Endpoint Configuration allows the configuration of a spoke SDP endpoint without specifying the TAII associated with that spoke SDP. It allows a single-sided provisioning model in which an incoming label mapping message with a TAII that matches the SAII of that spoke SDP is automatically bound to that endpoint. In this mode, the far end T-PE actively initiates MS-PW signaling and sends the initial label mapping message using T-LDP, while the router T-PE for which auto-config is specified acts as the passive T-PE.

The auto-config command is blocked in CLI if signaling active has been enabled for this spoke SDP. It is only applicable to spoke SDPs configured under the Epipe, IES and VPRN interface context.

The no form of this command means that the router T-PE either acts as the active T-PE (if signaling active is configured) or automatically determines which router will initiate MS-PW signaling based on the prefix values configured in the SAII and TAII of the spoke SDP. If the SAII has the greater prefix value, then the router will initiate MS-PW signaling without waiting for a label mapping message from the far end. However, if the TAII has the greater value prefix, then the router will assume that the far end T-PE will initiate MS-PW signaling and will wait for that label mapping message before responding with a T-LDP label mapping message for the MS-PW in the reverse direction.

Default

no auto-config

Platforms

7705 SAR Gen 2

auto-config-save

auto-config-save

Syntax

[no] auto-config-save

Context

[Tree] (config>system>management-interface>cli>md-cli auto-config-save)

Full Context

configure system management-interface cli md-cli auto-config-save

Description

This command enables the functionality to automatically write the running configuration to the saved configuration file as part of a successful MD-CLI commit operation.

The no form of this command disables this functionality.

Default

auto-config-save

Platforms

7705 SAR Gen 2

auto-config-save

Syntax

[no] auto-config-save

Context

[Tree] (config>system>netconf auto-config-save)

Full Context

configure system netconf auto-config-save

Description

This command enables the functionality to automatically write the running configuration to the saved configuration file as part of a successful NETCONF or pySROS commit operation.

The no form of this command disables this functionality.

Default

auto-config-save

Platforms

7705 SAR Gen 2

auto-config-save

Syntax

[no] auto-config-save

Context

[Tree] (config>system>grpc>gnmi auto-config-save)

Full Context

configure system grpc gnmi auto-config-save

Description

This command enables the functionality to automatically write the running configuration to the saved configuration file as part of a successful gNMI commit operation.

The no form of this command disables this functionality.

Default

auto-config-save

Platforms

7705 SAR Gen 2

auto-crl-update

auto-crl-update

Syntax

auto-crl-update [create]

no auto-crl-update

Context

[Tree] (config>system>security>pki>ca-prof auto-crl-update)

Full Context

configure system security pki ca-profile auto-crl-update

Description

This command creates an auto CRL update configuration context with the create parameter, or enters the auto-crl-update configuration context without the create parameter.

This mechanism automatically downloads a CRL file from a list of configured HTTP URLs, either periodically or before the existing CRL expires. If the downloaded CRL is more recent than the existing one, the existing one is replaced.

Note:

The configured URL must point to a DER encoded CRL file.

Parameters

create

Creates an auto CRL update for the ca-profile.

Platforms

7705 SAR Gen 2

auto-crl-update

Syntax

[no] auto-crl-update

Context

[Tree] (debug>certificate auto-crl-update)

Full Context

debug certificate auto-crl-update

Description

This command enables trace for automated and manual CRL updates.

Platforms

7705 SAR Gen 2

auto-eap-method

auto-eap-method

Syntax

auto-eap-method {psk | cert | psk-or-cert}

Context

[Tree] (config>ipsec>ike-policy auto-eap-method)

Full Context

configure ipsec ike-policy auto-eap-method

Description

This command enables the following behavior for an IKEv2 remote-access tunnel when auth-method is configured as auto-eap-radius:

  • If there is no AUTH payload in the IKE_AUTH request, the system uses EAP to authenticate the client and also uses own-auth-method to generate the AUTH payload.

  • If there is an AUTH payload in the IKE_AUTH request:

    • If auto-eap-method is psk, the system proceeds as auth-method:psk-radius.

    • If auto-eap-method is cert, the system proceeds as auth-method:cert-radius.

    • If auto-eap-method is psk-or-cert, then:

      • If the "Auth Method" field of the AUTH payload is PSK, the system proceeds as auth-method:psk-radius.

      • If the "Auth Method" field of the AUTH payload is RSA or DSS, the system proceeds as auth-method:cert-radius.

    • The system uses auto-eap-own-method to generate the AUTH payload.

This command only applies when auth-method is configured as auto-eap-radius.

Default

auto-eap-method cert

Parameters

psk

Uses the pre-shared-key as the authentication method.

cert

Uses the certificate as the authentication method.

psk-or-cert

Uses either the pre-shared-key or certificate based on the "Auth Method" field of the received AUTH payload.

Platforms

7705 SAR Gen 2

auto-eap-own-method

auto-eap-own-method

Syntax

auto-eap-own-method {psk | cert}

Context

[Tree] (config>ipsec>ike-policy auto-eap-own-method)

Full Context

configure ipsec ike-policy auto-eap-own-method

Description

This command enables the following behavior for an IKEv2 remote-access tunnel when auth-method is configured as auto-eap-radius:

  • If there is no AUTH payload in the IKE_AUTH request, the system uses EAP to authenticate the client and also uses own-auth-method to generate the AUTH payload.

  • If there is an AUTH payload in the IKE_AUTH request:

    • If auto-eap-method is psk, the system proceeds as auth-method:psk-radius.

    • If auto-eap-method is cert, the system proceeds as auth-method:cert-radius.

    • If auto-eap-method is psk-or-cert, then:

      • If the "Auth Method" field of the AUTH payload is PSK, the system proceeds as auth-method:psk-radius.

      • If the "Auth Method" field of the AUTH payload is RSA or DSS, the system proceeds as auth-method:cert-radius.

    • The system uses auto-eap-own-method to generate the AUTH payload.

This command only applies when auth-method is configured as auto-eap-radius.
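The selection logic described for auto-eap-method and auto-eap-own-method, modeled in Python as an added example; it is not Nokia code. It assumes the decrypted inner payload chain of the IKE_AUTH request is available and uses the RFC 7296 payload type 39 (AUTH) with Auth Method values 1 (RSA), 2 (PSK) and 3 (DSS); the function names and the sample request are constructed for illustration.

```python
import struct

AUTH_PAYLOAD_TYPE = 39                       # RFC 7296 Authentication payload
IDI_PAYLOAD_TYPE = 35                        # RFC 7296 Identification - Initiator
AUTH_METHOD_NAMES = {1: "RSA", 2: "PSK", 3: "DSS"}   # RFC 7296 Auth Method values


def parse_payloads(first_type, data):
    """Walk a chain of IKEv2 generic payload headers.

    Returns [(payload_type, body), ...]; raises ValueError on a truncated
    header or an inconsistent length field.
    """
    out, ptype, off = [], first_type, 0
    while ptype != 0:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        next_type, _flags, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length")
        out.append((ptype, data[off + 4:off + length]))
        ptype, off = next_type, off + length
    if off != len(data):
        raise ValueError("trailing bytes after last payload")
    return out


def client_auth_method(payloads):
    """Return the Auth Method number from the AUTH payload, or None if absent."""
    for ptype, body in payloads:
        if ptype == AUTH_PAYLOAD_TYPE:
            if len(body) < 4:            # Auth Method (1) + RESERVED (3)
                raise ValueError("AUTH payload too short")
            return body[0]
    return None


def resolve(auto_eap_method, auto_eap_own_method, payloads):
    """Return (client_authentication, gateway_auth_source) per the description.

    client_authentication is None when the page does not describe the case
    (psk-or-cert with an Auth Method other than PSK, RSA or DSS).
    """
    if auto_eap_method not in ("psk", "cert", "psk-or-cert"):
        raise ValueError("unknown auto-eap-method")
    if auto_eap_own_method not in ("psk", "cert"):
        raise ValueError("unknown auto-eap-own-method")
    method = client_auth_method(payloads)
    if method is None:
        # No AUTH payload: EAP for the client, own-auth-method for the gateway.
        return ("eap", "own-auth-method")
    if auto_eap_method == "psk":
        client = "psk-radius"
    elif auto_eap_method == "cert":
        client = "cert-radius"
    else:
        name = AUTH_METHOD_NAMES.get(method)
        if name == "PSK":
            client = "psk-radius"
        elif name in ("RSA", "DSS"):
            client = "cert-radius"
        else:
            client = None                # not covered by the description
    return (client, auto_eap_own_method)


def _payload(next_type, body):
    """Prefix a body with a generic payload header (critical bit clear)."""
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body


def sample_request(auth_method=None):
    """Constructed IKE_AUTH inner payloads: IDi, optionally followed by AUTH."""
    idi_body = bytes([3, 0, 0, 0]) + b"user@example.test"   # ID_RFC822_ADDR
    if auth_method is None:
        return parse_payloads(IDI_PAYLOAD_TYPE, _payload(0, idi_body))
    auth_body = bytes([auth_method, 0, 0, 0]) + b"\x00" * 20  # dummy auth data
    chain = _payload(AUTH_PAYLOAD_TYPE, idi_body) + _payload(0, auth_body)
    return parse_payloads(IDI_PAYLOAD_TYPE, chain)


if __name__ == "__main__":
    for m in (None, 1, 2, 3):
        print(m, resolve("psk-or-cert", "cert", sample_request(m)))
```

With auto-eap-method set to psk or cert, the Auth Method the client actually sent does not change the branch taken, so a client that sends the other kind of AUTH payload is still processed under the configured method.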

Default

auto-eap-own-method cert

Parameters

psk

Uses a pre-shared-key to generate AUTH payload.

cert

Uses a public/private key to generate AUTH payload.

Platforms

7705 SAR Gen 2

auto-edge

auto-edge

Syntax

[no] auto-edge

Context

[Tree] (config>service>template>vpls-sap-template>stp auto-edge)

[Tree] (config>service>vpls>sap>stp auto-edge)

[Tree] (config>service>vpls>spoke-sdp>stp auto-edge)

Full Context

configure service template vpls-sap-template stp auto-edge

configure service vpls sap stp auto-edge

configure service vpls spoke-sdp stp auto-edge

Description

This command configures automatic detection of the edge port characteristics of the SAP or spoke SDP.

If auto-edge is enabled, and STP concludes there is no bridge behind the spoke SDP, the OPER_EDGE variable is dynamically set to true. If auto-edge is enabled, and a BPDU is received, the OPER_EDGE variable is dynamically set to false.

The no form of this command disables automatic detection.

Default

auto-edge

Platforms

7705 SAR Gen 2

auto-edge

Syntax

[no] auto-edge

Context

[Tree] (config>service>pw-template>stp auto-edge)

Full Context

configure service pw-template stp auto-edge

Description

This command configures automatic detection of the edge port characteristics of the SAP or spoke SDP.

If auto-edge is enabled, and STP concludes there is no bridge behind the spoke SDP, the OPER_EDGE variable is dynamically set to true. If auto-edge is enabled, and a BPDU is received, the OPER_EDGE variable is dynamically set to false.

The no form of this command disables automatic detection.

Default

auto-edge

Platforms

7705 SAR Gen 2

auto-establish

auto-establish

Syntax

[no] auto-establish

Context

[Tree] (config>ipsec>trans-mode-prof>dyn auto-establish)

[Tree] (config>router>if>ipsec>ipsec-tunnel>dyn auto-establish)

[Tree] (config>service>vprn>if>sap>ipsec-tun>dyn auto-establish)

[Tree] (config>service>vprn>if>ipsec>ipsec-tunnel>dyn auto-establish)

[Tree] (config>service>ies>if>ipsec>ipsec-tunnel>dyn auto-establish)

Full Context

configure ipsec ipsec-transport-mode-profile dynamic-keying auto-establish

configure router interface ipsec ipsec-tunnel dynamic-keying auto-establish

configure service vprn interface sap ipsec-tunnel dynamic-keying auto-establish

configure service vprn interface ipsec ipsec-tunnel dynamic-keying auto-establish

configure service ies interface ipsec ipsec-tunnel dynamic-keying auto-establish

Description

This command enables automatic attempts to establish a phase 1 exchange.

The system automatically establishes a phase 1 SA as soon as the tunnel is provisioned and enabled (no shutdown). This option should only be configured on one side of the tunnel.

Any associated static routes remain up as long as the tunnel is up, even though it may actually be operationally down according to the CLI.

The no form of this command disables the automatic attempts to establish a phase 1 exchange.

Default

no auto-establish

Platforms

7705 SAR Gen 2

auto-learn-mac-protect

auto-learn-mac-protect

Syntax

[no] auto-learn-mac-protect

Context

[Tree] (config>service>vpls>endpoint auto-learn-mac-protect)

[Tree] (config>service>pw-template>split-horizon-group auto-learn-mac-protect)

Full Context

configure service vpls endpoint auto-learn-mac-protect

configure service pw-template split-horizon-group auto-learn-mac-protect

Description

This command enables the automatic protection of source MAC addresses learned on the associated object. MAC protection is used in conjunction with the restrict-protected-src, restrict-unprotected-dst, and mac-protect commands. When the auto-learn-mac-protect command is applied or removed, the MAC addresses are cleared from the related object.

When auto-learn-mac-protect is enabled on an SHG, the action only applies to the associated SAPs (no action is taken by default for spoke SDPs in the SHG). To enable this function for spoke SDPs within an SHG, the auto-learn-mac-protect command must be enabled explicitly under the spoke SDP. If required, the auto-learn-mac-protect command can also be enabled explicitly under specific SAPs within the SHG.

The no form of the command reverts to the default.

Default

no auto-learn-mac-protect

Platforms

7705 SAR Gen 2

auto-learn-mac-protect

Syntax

auto-learn-mac-protect [exclude-list name]

no auto-learn-mac-protect

Context

[Tree] (config>service>vpls>mesh-sdp auto-learn-mac-protect)

[Tree] (config>service>vpls>spoke-sdp auto-learn-mac-protect)

[Tree] (config>service>vpls>sap auto-learn-mac-protect)

[Tree] (config>service>vpls>split-horizon-group auto-learn-mac-protect)

[Tree] (config>service>pw-template auto-learn-mac-protect)

Full Context

configure service vpls mesh-sdp auto-learn-mac-protect

configure service vpls spoke-sdp auto-learn-mac-protect

configure service vpls sap auto-learn-mac-protect

configure service vpls split-horizon-group auto-learn-mac-protect

configure service pw-template auto-learn-mac-protect

Description

This command specifies whether to enable automatic population of the MAC protect list with source MAC addresses learned on the associated object under which the command is configured.

When configured, dynamically learned MAC source addresses (SAs) are protected only if they are learned on an object with ALMP configured and either there is no exclude list associated with the same object, or there is an exclude list but the MAC does not match any entry.

The same list can be used in multiple objects of the same or different service. If the list is empty, ALMP does not exclude any learned MAC from protection on the object.

The no form of the command disables the automatic population of the MAC protect list.

Default

auto-learn-mac-protect

Parameters

name

Specifies the name of the exclude list, up to 32 characters.

Platforms

7705 SAR Gen 2

auto-lsp

auto-lsp

Syntax

auto-lsp lsp-template template-name {policy peer-prefix-policy [peer-prefix-policy] | one-hop}

no auto-lsp lsp-template template-name

Context

[Tree] (config>router>mpls auto-lsp)

Full Context

configure router mpls auto-lsp

Description

This command enables the automatic creation of an RSVP point-to-point LSP to a destination node whose router ID matches a prefix in the specified peer prefix policy. This LSP type is referred to as auto-LSP of type mesh.

The user can associate multiple templates with the same or different peer prefix policies. Each application of an LSP template with a given prefix in the prefix list results in the instantiation of a single CSPF-computed LSP primary path using the LSP template parameters, as long as the prefix corresponds to a router ID for a node in the TE database. This command does not support the automatic signaling of a secondary path for an LSP. If the signaling of multiple LSPs to the same destination node is required, the user must apply a separate LSP template to the same or different prefix list that contains the same destination node. Each instantiated LSP has a unique LSP ID and a unique tunnel ID. This command also does not support the signaling of a non-CSPF LSP. The selection of the no cspf option in the LSP template is blocked.

Up to five peer prefix policies can be associated with a given LSP template at all times. Each time the user runs the auto-lsp command with the same or different prefix policy associations, or the user changes a prefix policy associated with an LSP template, the system re-evaluates the prefix policy. The outcome of the re-evaluation tells MPLS if an existing LSP needs to be torn down or if a new LSP needs to be signaled to a destination address that is already in the TE database.

If a /32 prefix is added to (removed from) or if a prefix range is expanded (shrunk) in a prefix list associated with an LSP template, the preceding prefix policy re-evaluation is performed.

The user must perform a no shutdown of the template before the template takes effect. After a template is in use, the user must shut down the template before making any changes to the parameters, except for those LSP parameters for which the change can be handled with the Make-Before-Break (MBB) procedures. These parameters are bandwidth and enabling fast-reroute with or without the hop-limit or node-protect options. For all other parameters, the user must shut down the template, make the change, and perform a no shutdown. This results in the existing instances of the LSP using this template being torn down and re-signaled.

When a router with a router ID that matches a prefix in the prefix list appears in the TE database, it is a trigger to signal the LSP. The signaled LSP is installed in the Tunnel Table Manager (TTM) and is available to applications such as LDP-over-RSVP, resolution of BGP label routes, resolution of BGP, IGP, and static routes. It is, however, not available for use as a provisioned SDP for explicit binding or auto-binding by services.

Except for the MBB limitations to the configuration parameter change in the LSP template, MBB procedures for manual and timer based re-signaling of the LSP, for TE Graceful Shutdown and for soft preemption are supported.

The one-to-one option under fast-reroute, the LSP Diff-Serv class-type and backup-class-type parameters are not supported. If diffserv-te is enabled under RSVP, the auto-created LSP is still signaled but with the default LSP class type.

If the one-hop option is specified instead of a prefix list, this command enables the automatic signaling of one-hop point-to-point LSPs using the specified template to all directly connected neighbors. This LSP type is referred to as auto-LSP of type one-hop. Although the provisioning model and CLI syntax differ from that of a mesh LSP only by the absence of a prefix list, the actual behavior is quite different. When this command is executed, the TE database keeps track of each TE link that comes up to a directly connected IGP neighbor whose router ID is discovered. It then instructs MPLS to signal an LSP with a destination address matching the router ID of the neighbor and with a strict hop consisting of the address of the interface used by the TE link. Thus, the auto-lsp command with the one-hop option results in one or more LSPs signaled to the neighboring router.

An auto-created mesh or one-hop LSP can collect egress statistics at the ingress LER by adding the egress-statistics node configuration into the LSP template. The user can also collect ingress statistics at the egress LER by using the same ingress-statistics node configuration. The user must specify the full LSP name as signaled by the ingress LER in the RSVP session name field of the Session Attribute object in the received Path message.

This feature also provides for the auto-creation of an SR-TE mesh LSP and for an SR-TE one-hop LSP.

The SR-TE mesh LSP feature specifically binds a mesh-p2p-srte LSP template with one or more prefix lists. When the TE database discovers a router that has a router ID matching an entry in the prefix list, it triggers MPLS to instantiate an SR-TE LSP to that router using the LSP parameters in the LSP template.

The SR-TE one-hop LSP feature specifically activates a one-hop-p2p-srte LSP template. In this case, the TE database keeps track of each TE link that comes up to a directly connected IGP neighbor. It then instructs MPLS to instantiate an SR-TE LSP with the following parameters:

  • the source address of the local router

  • an outgoing interface matching the interface index of the TE-link

  • a destination address matching the router ID of the neighbor on the TE link

In both types of SR-TE auto-LSP, the router’s hop-to-label translation computes the label stack required to instantiate the LSP.

Note:

An SR-TE auto-LSP can be reported to a PCE but cannot be delegated or have its paths computed by PCE.

The no form of this command deletes all LSPs signaled using the specified template and prefix policy. When the one-hop option is used, it deletes all one-hop LSPs signaled using the specified template to all directly-connected neighbors.

Parameters

lsp-template template-name

Specifies an LSP template name, up to 32 characters in length.

policy peer-prefix-policy

Specifies a peer prefix policy name, up to 32 characters in length.

one-hop

Enables the automatic signaling of one-hop point-to-point LSPs.

Platforms

7705 SAR Gen 2

auto-rp

auto-rp

Syntax

auto-rp [detail]

no auto-rp

Context

[Tree] (debug>router>pim auto-rp)

Full Context

debug router pim auto-rp

Description

This command enables debugging for PIM auto-RP.

The no form of this command disables PIM auto-RP debugging.

Parameters

detail

Debugs detailed information on the PIM auto-RP mechanism.

Platforms

7705 SAR Gen 2

auto-rp-discovery

auto-rp-discovery

Syntax

auto-rp-discovery [candidate] [mapping-agent]

no auto-rp-discovery

Context

[Tree] (config>service>vprn>pim>rp auto-rp-discovery)

Full Context

configure service vprn pim rp auto-rp-discovery

Description

This command enables the auto-RP protocol in discovery mode. In discovery mode, RP-mapping and RP-candidate messages are received and forwarded to downstream nodes. RP-mapping messages are received locally to learn the availability of RP nodes present in the network. In a VPRN configuration, Nokia recommends that a local loopback interface should be created with the same IP address as the system IP address.

The following configuration guidelines apply.

  • Either bsr-candidate for IPv4 or auto-rp-discovery can be configured; the two mechanisms cannot be enabled together.

  • bsr-candidate for IPv6 and auto-rp-discovery for IPv4 can be enabled together.

  • auto-rp-discovery cannot be enabled together with mdt-type sender-only or mdt-type receiver-only, or wildcard-spmsi configurations.

This command also enables the auto-RP listener functionality. The auto-RP listener forwards the candidate 224.0.1.39 and mapping 224.0.1.40 messages over the PIM interfaces.

The no form of this command disables auto-RP discovery, auto-RP listener, candidate, and mapping-agent.

Default

no auto-rp-discovery

Parameters

candidate

Specifies that the RP is a candidate RP. The auto-RP C-RP announces the candidate RP messages on the 224.0.1.39 multicast address. This functionality is in addition to the listener functionality enabled by the auto RP discovery.

The default value is no candidate.

mapping-agent

Specifies the mapping agent on the node. The auto-RP MA observes the auto-rp-announcement messages, selects the RP, and generates the RP discovery 224.0.1.40 messages. This functionality is in addition to the auto RP discovery functionality.

The default value is no mapping-agent.

Platforms

7705 SAR Gen 2

auto-rp-discovery

Syntax

auto-rp-discovery [candidate] [mapping-agent]

no auto-rp-discovery

Context

[Tree] (config>router>pim>rp auto-rp-discovery)

Full Context

configure router pim rp auto-rp-discovery

Description

This command enables the auto-RP protocol in discovery mode. In discovery mode, RP-mapping and RP candidate messages are received and forwarded to downstream nodes. RP-mapping messages are received locally to learn the availability of RP nodes present in the network.

The following configuration guidelines apply.

  • Either bsr-candidate for IPv4 or auto-rp-discovery can be configured; the two mechanisms cannot be enabled together.

  • bsr-candidate for IPv6 and auto-rp-discovery for IPv4 can be enabled together.

This command also enables the auto-RP listener functionality. The auto-RP listener forwards the candidate 224.0.1.39 and mapping 224.0.1.40 messages over the PIM interfaces.

The no form of this command disables auto-RP discovery, auto-RP listener, candidate, and mapping-agent.

Default

no auto-rp-discovery

Parameters

candidate

Specifies that the RP is a candidate RP. The auto-RP C-RP announces the candidate RP messages on the 224.0.1.39 multicast address. This functionality is in addition to the listener functionality enabled by the auto RP discovery.

The default value is no candidate.

mapping-agent

Specifies the mapping agent on the node. The auto-RP MA observes the auto-rp-announcement messages, selects the RP, and generates the RP discovery 224.0.1.40 messages. This functionality is in addition to the auto RP discovery functionality.

The default value is no mapping-agent.

Platforms

7705 SAR Gen 2

auto-rx

auto-rx

Syntax

auto-rx

Context

[Tree] (config>router>ldp>targeted-session auto-rx)

Full Context

configure router ldp targeted-session auto-rx

Description

Commands in this context configure an automatic targeted LDP session and accept targeted Hello messages from any peer.

Platforms

7705 SAR Gen 2

auto-tx

auto-tx

Syntax

auto-tx

Context

[Tree] (config>router>ldp>targeted-session auto-tx)

Full Context

configure router ldp targeted-session auto-tx

Description

Commands in this context configure an automatic targeted LDP session and send targeted Hello messages towards PQ nodes determined by the rLFA algorithm.

Platforms

7705 SAR Gen 2

autoconfigure

autoconfigure

Syntax

autoconfigure

Context

[Tree] (bof autoconfigure)

Full Context

bof autoconfigure

Description

Commands in this context autoconfigure the IP address for the BOF. The IPv4 DHCP client, IPv6 DHCP client, and NDP/RA can be configured on the management interface.

Default

no autoconfigure

Platforms

7705 SAR Gen 2

autonegotiate

autonegotiate

Syntax

autonegotiate [limited]

no autonegotiate

Context

[Tree] (config>port>ethernet autonegotiate)

Full Context

configure port ethernet autonegotiate

Description

This command enables speed and duplex autonegotiation on Fast Ethernet ports and enables far-end fault indicator support on Gb ports.

There are three possible settings for autonegotiation:

  • "on" or enabled with full port capabilities advertised

  • "off" or disabled where there are no autonegotiation advertisements

  • "limited" where a single speed/duplex is advertised.

When autonegotiation is enabled on a port, the link attempts to automatically negotiate the link speed and duplex parameters. If autonegotiation is enabled, the configured duplex and speed parameters are ignored.

When autonegotiation is disabled on a port, the port does not attempt to autonegotiate and will only operate at the speed and duplex settings configured for the port. Note that disabling autonegotiation on Gb ports is not allowed as the IEEE 802.3 specification for Gb Ethernet requires autonegotiation be enabled for far end fault indication.

If the autonegotiate limited keyword option is specified, the port autonegotiates but only advertises a specific speed and duplex. The speed and duplex advertised are the speed and duplex settings configured for the port. One use for limited mode is for multi-speed Gb ports to force Gb operation while keeping autonegotiation enabled for compliance with IEEE 802.3.

The router requires that autonegotiation be disabled or limited for ports in a Link Aggregation Group to guarantee a specific port speed.

The no form of this command disables autonegotiation on this port.

Default

autonegotiate

Parameters

limited

The Ethernet interface will automatically negotiate link parameters with the far end, but will only advertise the speed and duplex mode specified by the Ethernet config>port>ethernet speed and config>port>ethernet duplex commands.

Platforms

7705 SAR Gen 2

autonegotiate

Syntax

[no] autonegotiate

Context

[Tree] (bof autonegotiate)

Full Context

bof autonegotiate

Description

This command enables speed and duplex autonegotiation on the management Ethernet port in the running configuration and the Boot Option File (BOF).

When autonegotiation is enabled, the link attempts to automatically negotiate the link speed and duplex parameters. If autonegotiation is enabled, then the configured duplex and speed parameters are ignored.

The no form of this command disables the autonegotiate feature on this port.

Platforms

7705 SAR Gen 2

autonomous

autonomous

Syntax

[no] autonomous

Context

[Tree] (config>service>vprn>router-advert>if>prefix autonomous)

Full Context

configure service vprn router-advertisement interface prefix autonomous

Description

This command specifies whether the prefix can be used for stateless address autoconfiguration.

Default

autonomous

Platforms

7705 SAR Gen 2

autonomous

Syntax

[no] autonomous

Context

[Tree] (config>router>router-advert>if>prefix autonomous)

Full Context

configure router router-advertisement interface prefix autonomous

Description

This command specifies whether the prefix can be used for stateless address autoconfiguration.

Default

autonomous

Platforms

7705 SAR Gen 2

autonomous-system

autonomous-system

Syntax

autonomous-system as-number

no autonomous-system

Context

[Tree] (config>service>vprn autonomous-system)

Full Context

configure service vprn autonomous-system

Description

This command defines the autonomous system (AS) to be used by this VPN routing/forwarding (VRF).

The no form of this command removes the defined AS from this VPRN context.

Default

no autonomous-system

Parameters

as-number

Specifies the AS number for the VPRN service.

Values

1 to 4294967295

Platforms

7705 SAR Gen 2

autonomous-system

Syntax

autonomous-system autonomous-system

no autonomous-system

Context

[Tree] (config>router autonomous-system)

Full Context

configure router autonomous-system

Description

This command configures the autonomous system (AS) number for the router. A router can only belong to one AS. An AS number is a globally unique number associated with an AS. This number is used to exchange exterior routing information with neighboring ASs and as an identifier of the AS itself.

If the AS number is changed on a router with an active BGP instance, the new AS number is not used until the BGP instance is restarted either by administratively disabling/enabling (shutdown/no shutdown) the BGP instance or rebooting the system with the new configuration.

Default

no autonomous-system

Parameters

autonomous-system

Specifies the autonomous system number expressed as a decimal integer.

Values

1 to 4294967295

Platforms

7705 SAR Gen 2

avg-flr-event

avg-flr-event

Syntax

avg-flr-event {forward | backward} threshold raise-threshold-percentage [clear clear-threshold-percentage]

no avg-flr-event {forward | backward}

Context

[Tree] (config>oam-pm>session>ip>twamp-light>loss-events avg-flr-event)

Full Context

configure oam-pm session ip twamp-light loss-events avg-flr-event

Description

This command sets the frame loss ratio threshold configuration to be applied and checked at the end of the measurement interval for the specified direction. This is a percentage based on average frame loss ratio over the entire measurement interval. If the clear-threshold-percentage value is not specified, the traffic crossing alarm is stateless. Stateless means the state is not carried forward to other measurement intervals. Each measurement interval is analyzed independently and without regard to any previous window. Each unique event can only be raised once within a measurement interval. If the optional clear-threshold-percentage value is specified, the traffic crossing alarm uses stateful behavior. Stateful means each unique previous event state is carried forward to following measurement intervals. If a threshold crossing event is raised, another is not raised until a measurement interval completes and the clear threshold has not been exceeded. A clear event is raised under that condition.

The no form of this command removes the event threshold for frame loss ratio. The direction must be included with the no command.
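The stateless and stateful alarm behavior described above, modeled as an added example (not Nokia code). The function name and the sample FLR series are constructed, and treating an FLR equal to the raise threshold as a crossing is an assumption, because the page does not state the boundary comparison.

```python
def evaluate_intervals(flr_per_interval, raise_pct, clear_pct=None):
    """Return [(interval_index, "raise" | "clear"), ...] for one direction.

    flr_per_interval: average frame loss ratio (percent) of each completed
                      measurement interval, in order.
    raise_pct:        raise-threshold-percentage (0.001 to 100.000).
    clear_pct:        clear-threshold-percentage (0.000 to 99.999) or None.
                      None selects stateless behavior.
    """
    if not 0.001 <= raise_pct <= 100.0:
        raise ValueError("raise threshold out of range")
    if clear_pct is not None:
        if not 0.0 <= clear_pct <= 99.999:
            raise ValueError("clear threshold out of range")
        if clear_pct >= raise_pct:
            # The page describes the clear value as lower than the raise value.
            raise ValueError("clear threshold must be below raise threshold")

    events = []
    raised = False                      # state carried only in stateful mode
    for index, flr in enumerate(flr_per_interval):
        crossed = flr >= raise_pct      # assumption: equality counts as crossing
        if clear_pct is None:
            # Stateless: every interval is judged on its own.
            if crossed:
                events.append((index, "raise"))
            continue
        if not raised:
            if crossed:
                raised = True
                events.append((index, "raise"))
        elif flr <= clear_pct:
            # Interval completed without exceeding the clear threshold.
            raised = False
            events.append((index, "clear"))
        # Otherwise the alarm stays raised and nothing new is emitted.
    return events


# Constructed per-interval average FLR values, in percent.
SAMPLE_FLR = [0.0, 2.5, 3.0, 1.2, 0.4, 0.0, 2.1]

if __name__ == "__main__":
    print("stateless     :", evaluate_intervals(SAMPLE_FLR, 2.0))
    print("clear at 0.5  :", evaluate_intervals(SAMPLE_FLR, 2.0, 0.5))
    print("clear at 0.000:", evaluate_intervals(SAMPLE_FLR, 2.0, 0.0))
```

In stateful mode the alarm stays raised through intervals 2 and 3 even though interval 3 is below the raise threshold, which is the hysteresis the clear value provides.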

Default

no avg-flr-event forward

no avg-flr-event backward

Parameters

forward

Specifies the threshold is applied to the forward direction value.

backward

Specifies the threshold is applied to the backward direction value.

raise-threshold-percentage

Specifies the rising percentage that determines when the event is to be generated.

Values

0.001 to 100.000

clear-threshold-percentage

Specifies an optional value used for stateful behavior that allows the operator to configure a percentage of loss value lower than the rising percentage to indicate when the clear event should be generated.

Values

0.000 to 99.999

A value 0.000 means that the FLR must be 0.000.

Platforms

7705 SAR Gen 2

avg-frame-overhead

avg-frame-overhead

Syntax

avg-frame-overhead percent

no avg-frame-overhead

Context

[Tree] (config>qos>sap-egress>queue avg-frame-overhead)

[Tree] (config>qos>network-queue>queue avg-frame-overhead)

Full Context

configure qos sap-egress queue avg-frame-overhead

configure qos network-queue queue avg-frame-overhead

Description

This command configures the average frame overhead, expressed as a percentage, at which the offered load expands on the physical medium (wire) at egress. This is important for accurate "on-the-wire" rate calculations at various levels of H-QoS that do not inherently account for the physical medium characteristics. For example, without considering this overhead, a port scheduler in H-QoS might inaccurately estimate the available bandwidth on the wire, potentially leading to congestion issues and unexpected packet loss.

The rates impacted by the average frame overhead encompass the rates set on port schedulers and aggregate rate limits for subscribers and Vports. This impact is evident in the configured values, which represent on-the-wire (OTW) rates. Queue-configured rates, however, remain unaffected by this adjustment and continue to reflect Layer 2 rates.

This average frame overhead should be configured in networks with physical mediums that have constant sizes of transmission units (packets or cells) or in scenarios where the average packet size is known.

For Ethernet ports, the effect of this command depends on the setting of the avg-frame-overhead-mode command in advanced QoS configuration policy associated with the queue. If the avg-frame-overhead-mode is set to auto, the packet encapsulation overhead calculation is based on a fixed 20 bytes (7 bytes for preamble, 1 byte for start of frame delimiter, and 12 bytes for Inter-Frame Gap (IFG)) that the Ethernet medium adds to every packet during transmission. In other words, the configured rates for port-scheduler and aggregate rate limits for subscribers and Vports represent OTW rates.

The average frame overhead only affects rate and weight calculations and does not impact collected statistics for accounting purposes.

The no form of this command disables the average frame overhead.

Default

no avg-frame-overhead

Parameters

percent

Specifies the average amount of packet-to-frame encapsulation overhead expected for the queue. This value is not used by the system for egress Ethernet queues.

Values

0.00 to 100.00

Platforms

7705 SAR Gen 2

avg-frame-overhead

Syntax

avg-frame-overhead percent

no avg-frame-overhead

Context

[Tree] (config>service>ies>if>sap>egress>queue-override>queue avg-frame-overhead)

[Tree] (config>service>vpls>sap>egress>queue-override>queue avg-frame-overhead)

[Tree] (config>service>vprn>if>sap>egress>queue-override>queue avg-frame-overhead)

[Tree] (config>service>epipe>sap>egress>queue-override>queue avg-frame-overhead)

Full Context

configure service ies interface sap egress queue-override queue avg-frame-overhead

configure service vpls sap egress queue-override queue avg-frame-overhead

configure service vprn interface sap egress queue-override queue avg-frame-overhead

configure service epipe sap egress queue-override queue avg-frame-overhead

Description

This command configures overrides that supersede the average frame overhead configuration under the queue.

For a full description of this command, see the command description under the following contexts:

configure qos network-queue queue avg-frame-overhead

configure qos sap-egress queue avg-frame-overhead

The no form of this command disables overrides for the queue.

Default

no avg-frame-overhead

Parameters

percent

Specifies the average amount of packet-to-frame encapsulation overhead expected for the queue. This value is not used by the system for egress Ethernet queues.

Values

0.00 to 100.00, default

Platforms

7705 SAR Gen 2