e Commands

Context

[Tree] (config>log>acct-policy>cr>ref-queue e-counters)

[Tree] (config>log>acct-policy>cr>queue e-counters)

[Tree] (config>log>acct-policy>cr>ref-policer e-counters)

[Tree] (config>log>acct-policy>cr>policer e-counters)

Full Context

configure log accounting-policy custom-record ref-queue e-counters

configure log accounting-policy custom-record queue e-counters

configure log accounting-policy custom-record ref-policer e-counters

configure log accounting-policy custom-record policer e-counters

Description

This command configures egress counter parameters for this custom record.

The no form of this command reverts all egress counters to their default value.

Default

e-counters

Parameters

all

Specifies that all egress counters should be included.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>port>ethernet>dot1x>macsec>sub-port eapol-destination-address)

Full Context

configure port ethernet dot1x macsec sub-port eapol-destination-address

Description

The EAPoL destination MAC address uses a destination multicast MAC address of 01:80:C2:00:00:03. Some networks cannot tunnel this packet over the network and consume these packets, causing the MKA session to fail. This command can change the destination MAC of the EAPoL to the unicast address of the MACsec peer, and as such, the EAPoL and MKA signaling will be unicasted between two peers.

The no form of this command returns the value to the default.

Default

no eapol-destination-address

Parameters

mac

Specifies the desired destination MAC address to be used by the EAPOL MKA packets of this sub-port.

Values

aa:bb:cc:dd:ee:ff where aa, bb, cc, dd, ee and ff are hexadecimal numbers.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>bgp ebgp-default-reject-policy)

[Tree] (config>service>vprn>bgp>group>neighbor ebgp-default-reject-policy)

[Tree] (config>service>vprn>bgp>group ebgp-default-reject-policy)

Full Context

configure service vprn bgp ebgp-default-reject-policy

configure service vprn bgp group neighbor ebgp-default-reject-policy

configure service vprn bgp group ebgp-default-reject-policy

Description

This command configures the default import and export policy behavior for EBGP neighbors.

The no form of this command removes the default import and export policy behavior.

Default

no ebgp-default-reject-policy

Parameters

import

Specifies the default reject import policy for EBGP neighbors.

export

Specifies the default reject export policy for EBGP neighbors.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>bgp ebgp-default-reject-policy)

[Tree] (config>router>bgp>group>neighbor ebgp-default-reject-policy)

[Tree] (config>router>bgp>group ebgp-default-reject-policy)

Full Context

configure router bgp ebgp-default-reject-policy

configure router bgp group neighbor ebgp-default-reject-policy

configure router bgp group ebgp-default-reject-policy

Description

This command configures the default import and export policy behavior for EBGP neighbors.

The no form of this command removes the default import and export policy behavior.

Default

no ebgp-default-reject-policy

Parameters

import

Specifies the default reject import policy for EBGP neighbors.

export

Specifies the default reject export policy for EBGP neighbors.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>bgp>best-path-selection ebgp-ibgp-equal)

Full Context

configure service vprn bgp best-path-selection ebgp-ibgp-equal

Description

This command instructs the BGP decision process to ignore the difference between EBGP and IBGP routes in selecting the best path and eligible multipaths (if multipath and ECMP are enabled). The result is a form of EIBGP load-balancing in a multipath scenario.

The operator can apply the behavior selectively to only certain types of routes by specifying one or more address family names in the command.

The no form of this command configures the router in the BGP decision process to prefer an EBGP learned route over an IBGP learned route.

Default

no ebgp-ibgp-equal

Parameters

ipv4

Specifies that the command should be applied to unlabeled unicast IPv4 routes.

ipv6

Specifies that the command should be applied to unlabeled unicast IPv6 routes.

label-ipv4

Specifies that the command should be applied to labeled IPv4 routes.

label-ipv6

Specifies that the command should be applied to labeled IPv6 routes.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>bgp>best-path-selection ebgp-ibgp-equal)

Full Context

configure router bgp best-path-selection ebgp-ibgp-equal

Description

This command instructs the BGP decision process to ignore the difference between EBGP and IBGP routes in selecting the best path and eligible multipaths (if multipath and ECMP are enabled). The result is a form of EIBGP load balancing in a multipath scenario.

The behavior can be applied selectively to only certain types of routes by specifying one or more address family names in the command. If no families are specified, this command applies to IPv4, IPv6, label-IPv4, label-IPv6, VPN-IPv4, VPN-IPv6, and EVPN routes.

The no form of this command configures the router in the BGP decision process to prefer an EBGP learned route over an IBGP learned route.

Default

no ebgp-ibgp-equal

Parameters

ipv4

Specifies that the command should be applied to unlabeled unicast IPv4 routes.

ipv6

Specifies that the command should be applied to unlabeled unicast IPv6 routes.

label-ipv4

Specifies that the command should be applied to labeled unicast IPv4 routes.

label-ipv6

Specifies that the command should be applied to labeled unicast IPv6 routes.

vpn-ipv4

Specifies that the command should be applied to IPv4 VPN routes.

vpn-ipv6

Specifies that the command should be applied to IPv6 VPN routes.

evpn

Specifies that the command should be applied to EVPN routes.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>security>user>public-keys ecdsa)

Full Context

configure system security user public-keys ecdsa

Description

This command allows the user to enter the context to configure ECDSA public keys.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>security>user>public-keys>ecdsa ecdsa-key)

Full Context

configure system security user public-keys ecdsa ecdsa-key

Description

This command creates an ECDSA public key and associates it with the username. Multiple public keys can be associated with the user. The key ID is used to identify these keys for the user.

Parameters

create

Keyword used to create an ECDSA key. The create keyword requirement can be enabled/disabled in the environment>create context.

key-id

Specifies the key identifier.

Values

1 to 32

Platforms

7705 SAR Gen 2

Context

[Tree] (echo)

Full Context

echo

Description

This command echoes arguments on the command line. The primary use of this command is to allow messages to be displayed to the screen in files executed with the exec command.

Parameters

text-to-echo

Specifies a text string to be echoed, up to 256 characters.

extra-text-to-echo

Specifies more text to be echoed, up to 256 characters.

more-text

Specifies more text to be echoed, up to 256 characters.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>bfd>bfd-template echo-receive)

Full Context

configure router bfd bfd-template echo-receive

Description

This command sets the minimum echo receive interval, in milliseconds, for a session. This is not used by a BFD session for MPLS-TP.

The no form of this command reverts to the default value.

Default

echo-receive 100

Parameters

echo-interval

Specifies the echo receive interval.

Values

100 ms to 100,000 ms in 1 ms increments

Default

100

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>epipe>bgp-evpn>mpls>auto-bind-tunnel ecmp)

[Tree] (config>service>epipe>bgp-evpn>mpls ecmp)

[Tree] (config>service>vpls>bgp-evpn>mpls>auto-bind-tunnel ecmp)

Full Context

configure service epipe bgp-evpn mpls auto-bind-tunnel ecmp

configure service epipe bgp-evpn mpls ecmp

configure service vpls bgp-evpn mpls auto-bind-tunnel ecmp

Description

When configured in a VPLS service, this command controls the number of paths that are allowed to reach a specified MAC address when that MAC in the FDB is associated to a remote all-active multi-homed ES.

The configuration of two or more ECMP paths to a specified MAC enables the aliasing function described in RFC 7432.

When used in an Epipe service, this command controls the number of paths that are allowed to reach a specified remote Ethernet tag that is associated to an ES destination.

Default

ecmp 1

Parameters

max-ecmp-routes

Specifies the number of paths allowed to the same multi-homed MAC address or Ethernet tag.

Values

1 to 32

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>bgp-ipvpn>mpls>auto-bind-tunnel ecmp)

[Tree] (config>service>vprn>bgp-evpn>mpls>auto-bind-tunnel ecmp)

Full Context

configure service vprn bgp-ipvpn mpls auto-bind-tunnel ecmp

configure service vprn bgp-evpn mpls auto-bind-tunnel ecmp

Description

This command configures the maximum number of tunnels that may be used as ECMP next-hops for the VPRN. This value overrides any values that are configured using the config>service>vprn>ecmp command.

The no form of this command removes the configured overriding value, and the value configured using the config>service>vprn>ecmp command is used.

Default

ecmp 1

Parameters

max-ecmp-routes

Specifies the maximum number of tunnels that may be used as ECMP next-hops for the VPRN.

Values

1 to 32

Default

1

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router ecmp)

Full Context

configure router ecmp

Description

This command enables ECMP and configures the number of routes for path sharing; for example, the value 2 means two equal cost routes are used for cost sharing.

ECMP can be used only for routes with the same preference and same protocol.

If available ECMP routes at the best preference exceed the maximum ECMP routes allowed, the system selects using the following criteria:

1. The system selects the lowest next hop router ID.
2. If the next hop goes to the same neighbor, the system selects the next hop with the lowest interface index.

The no form of this command disables ECMP path sharing. If ECMP is disabled and multiple routes are available at the best preference and equal cost, the route with the lowest next-hop IP address is used.

Default

no ecmp

Parameters

max-ecmp-routes

Specifies the maximum number of equal cost routes allowed on this routing table instance, expressed as a decimal integer. Setting ECMP max-ecmp-routes to 1 yields the same result as entering no ecmp.

Values

1 to 64

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn ecmp)

Full Context

configure service vprn ecmp

Description

This command enables equal-cost multipath (ECMP) and configures the number of routes for path sharing. For example, the value of 2 means that 2 equal cost routes are used for cost sharing.

ECMP groups form when the system routes to the same destination with equal cost values. Routing table entries can be entered manually (as static routes), or they can be formed when neighbors are discovered and routing table information is exchanged by routing protocols. The system can balance traffic across the groups with equal costs.

ECMP can only be used for routes learned with the same preference and same protocol.

If available ECMP routes at the best preference exceed the maximum ECMP routes allowed, the system selects using the following criteria:

1. The system selects the lowest next hop router ID.
2. If the next hop goes to the same neighbor, the system selects the next hop with the lowest interface index.

The no form of this command disables ECMP path sharing. If ECMP is disabled and multiple routes are available at the best preference and equal cost, the newly updated route is used.

Default

no ecmp

Parameters

max-ecmp-routes

Specifies the maximum number of routes for path sharing.

Values

1 to 64

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>auto-bind-tunnel ecmp)

Full Context

configure service vprn auto-bind-tunnel ecmp

Description

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn ecmp-unequal-cost)

Full Context

configure service vprn ecmp-unequal-cost

Description

This command relaxes the constraint that ECMP multipaths must have the same IGP cost to reach the BGP next-hop. When VPN routes for the same IP prefix are imported into a VPRN service, they are eligible to be used as multipaths. The resulting route is programmed as an ECMP IP route.

The BGP best path selection algorithm is the basis for choosing the set of imported VPN routes that can be combined to form an ECMP route. Normally (unless an ignore-nh-metric command is configured), the BGP decision process gives higher preference to VPN routes with a lower next-hop cost if other, more significant criteria, are tied. In these circumstances, a VPN route cannot be an eligible multipath if it does not have the same next-hop cost as the best VPN route. Configuring this command removes this restriction and allows the multipaths to have different (meaning lower) next-hop costs than the best route. This broadens the applicability of multipath and can result in better load balancing in the network.

This command applies only to the following types of routes imported by a VPRN.

• vpn-ipv4

• vpn-ipv6

• mcast-vpn-ipv4

• mcast-vpn-ipv6

The no form of this command restores the default behavior that requires next-hop costs of multipaths to be equal, unless the next-hop cost is completely removed from the BGP decision process.

Default

ecmp-unequal-cost

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>template>vpls-sap-template>stp edge-port)

[Tree] (config>service>vpls>spoke-sdp>stp edge-port)

[Tree] (config>service>vpls>sap>stp edge-port)

Full Context

configure service template vpls-sap-template stp edge-port

configure service vpls spoke-sdp stp edge-port

configure service vpls sap stp edge-port

Description

This command configures the SAP or SDP as an edge or non-edge port. If auto-edge is enabled for the SAP, this value will be used only as the initial value.

RSTP, however, can detect that the actual situation is different from what edge-port may indicate.

Initially, the value of the SAP or spoke-SDP parameter is set to edge-port. This value will change if:

• A BPDU is received on that port. This means that after all there is another bridge connected to this port. Then the edge-port becomes disabled.

• If auto-edge is configured and no BPDU is received within a certain period of time, RSTP concludes that it is on an edge and enables the edge-port.

The no form of this command returns the edge port setting to the default value.

Default

no edge-port

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>pw-template>stp edge-port)

Full Context

configure service pw-template stp edge-port

Description

This command configures the SAP or SDP as an edge or non-edge port. If auto-edge is enabled for the SAP, this value will be used only as the initial value.

RSTP, however, can detect that the actual situation is different from what edge-port may indicate.

Initially, the value of the SAP or spoke SDP parameter is set to edge-port. This value will change if:

• A BPDU is received on that port. This means that after all there is another bridge connected to this port. Then the edge-port becomes disabled.

• If auto-edge is configured and no BPDU is received within a certain period of time, RSTP concludes that it is on an edge and enables the edge-port.

The no form of this command returns the edge port setting to the default value.

Default

no edge-port

Platforms

7705 SAR Gen 2

Context

[Tree] (candidate edit)

Full Context

candidate edit

Description

This command enables the edit-cfg mode where changes can be made to the candidate configuration and sets the edit-point to the end of the candidate. In edit-cfg mode the CLI prompt contains edit-cfg near the root of the prompt. Commands in the candidate CLI branch, except candidate edit, are available only when in edit-cfg mode.

Parameters

exclusive

Allows a user to exclusively create a candidate configuration by blocking other users (and other sessions of the same user) from entering edit-cfg mode. Exclusive edit-cfg mode can only be entered if the candidate configuration is empty and no user is in edit-cfg mode. Once a user is in exclusive edit-cfg mode no other users/sessions are allowed in edit-cfg mode. The user must either commit or discard the exclusive candidate before leaving exclusive edit-cfg mode. If the CLI session times out while a user is in exclusive edit-cfg mode then the contents of the candidate are discarded. The admin disconnect command can be used to force a user to disconnect (and to clear the contents of the candidate) if they have the candidate locked.

Platforms

7705 SAR Gen 2

Context

[Tree] (configure>system>security>profile>netconf>base-op-authorization edit-config)

Full Context

configure system security profile netconf base-op-authorization edit-config

Description

This command enables the NETCONF <edit-config> RPC.

The no form of this command disables the RPC.

Default

no edit-config

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>security>tls>server-tls-profile>status-verify ee-revocation)

[Tree] (config>system>security>tls>client-tls-profile>status-verify ee-revocation)

Full Context

configure system security tls server-tls-profile status-verify ee-revocation

configure system security tls client-tls-profile status-verify ee-revocation

Description

This command configures the method used to verify the revocation status of the TLS end-entity (EE) certificate.

Parameters

primary

Specifies the primary method.

Values

ocsp, crl

Default

crl

secondary

Specifies the secondary method.

Values

ocsp, crl, none

Default

none

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>ies>if>load-balancing egr-ip-load-balancing)

Full Context

configure service ies interface load-balancing egr-ip-load-balancing

Description

This command specifies whether to include the source address or destination address or both in the LAG/ECMP hash on IP interfaces. Additionally, when l4-load-balancing is enabled, the command also applies to the inclusion of source/destination port in the hash inputs.

The no form of this command includes both source and destination parameters.

Default

no egr-ip-load-balancing

Parameters

source

Specifies using the source address and, if l4-load balancing is enabled, the source port in the hash, ignore destination address/port.

destination

Specifies using the destination address and, if l4-load balancing is enabled, the destination port in the hash, ignore source address/port.

inner-ip

Specifies using the inner IP header parameters instead of the outer IP header parameters in the LAG/ECMP hash for IPv4 encapsulated traffic.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>if>load-balancing egr-ip-load-balancing)

Full Context

configure service vprn interface load-balancing egr-ip-load-balancing

Description

This command specifies whether to include the source address or destination address or both in the LAG/ECMP hash on IP interfaces. Additionally, when l4-load-balancing is enabled, the command also applies to the inclusion of source/destination port in the hash inputs.

The no form of this command includes both source and destination parameters.

Default

no egr-ip-load-balancing

Parameters

source

Specifies using the source address and (if l4-load balancing is enabled) source port in the hash, ignore destination address/port.

destination

Specifies using the destination address and (if l4-load balancing is enabled) destination port in the hash, ignore source address/port.

inner-ip

Specifies use of the inner IP header parameters instead of outer IP header parameters in LAG/ECMP hash for IPv4 encapsulated traffic.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>if>load-balancing egr-ip-load-balancing)

Full Context

configure router interface load-balancing egr-ip-load-balancing

Description

This command specifies whether to include source address or destination address or both in LAG/ECMP hash on IP interfaces. Additionally, when l4-load-balancing is enabled the command applies also to inclusion of source/destination port in the hash inputs.

The no form of this command includes both source and destination parameters.

Default

no egr-ip-load-balancing

Parameters

source

Specifies using source address and (if l4-load balancing is enabled) source port in the hash, ignore destination address/port

destination

Specifies using destination address and (if l4-load balancing is enabled) destination port in the hash, ignore source address/port.

inner-ip

Specifies use of the inner IP header parameters instead of outer IP header parameters in LAG/ECMP hash for IPv4 encapsulated traffic.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>if>spoke-sdp egress)

Full Context

configure service vprn interface spoke-sdp egress

Description

This command configures egress SDP parameters.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>ies>if>sap egress)

[Tree] (config>service>vpls>sap egress)

Full Context

configure service ies interface sap egress

configure service vpls sap egress

Description

Commands in this context configure egress Quality of Service (QoS) policies and filter policies.

If no QoS policy is defined, the system default QoS policy is used for egress processing. If no egress filter is defined, no filtering is performed.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vpls>sap egress)

Full Context

configure service vpls sap egress

Description

Commands in this context configure egress filter policies.

If no sap-egress QoS policy is defined, the system default sap-egress QoS policy is used for egress processing. If no egress filter is defined, no filtering is performed.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vpls>mesh-sdp egress)

[Tree] (config>service>ies>if>spoke-sdp egress)

[Tree] (config>service>vpls>spoke-sdp egress)

Full Context

configure service vpls mesh-sdp egress

configure service ies interface spoke-sdp egress

configure service vpls spoke-sdp egress

Description

Commands in this context configure egress SDP parameters.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>port>ethernet>access egress)

[Tree] (config>port>ethernet>network egress)

Full Context

configure port ethernet access egress

configure port ethernet network egress

Description

This command configures Ethernet access egress port parameters.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>port>network egress)

[Tree] (config>card>mda>network egress)

[Tree] (config>port>access egress)

[Tree] (config>card>mda>access egress)

Full Context

configure port network egress

configure card mda network egress

configure port access egress

configure card mda access egress

Description

Commands in this context configure egress buffer pool parameters which define the percentage of the pool buffers that are used for CBS calculations and specify the slope policy that is configured in the config>qos>slope-policy context.

On the MDA level, network and access egress pools are only allocated on channelized MDAs.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>port>ethernet egress)

Full Context

configure port ethernet egress

Description

This command configures Ethernet egress port parameters.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>epipe>sap egress)

Full Context

configure service epipe sap egress

Description

Commands in this context configure egress SAP parameters.

If no sap-egress QoS policy is defined, the system default sap-egress QoS policy is used for egress processing.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>epipe>spoke-sdp egress)

Full Context

configure service epipe spoke-sdp egress

Description

This command configures the egress SDP context.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>ies>if>vpls egress)

Full Context

configure service ies interface vpls egress

Description

The egress node under the vpls binding is used to define the optional sap-egress QoS policy that will be used for reclassifying the egress forwarding class or profile for routed packets associated with the IP interface on the attached VPLS or I-VPLS service context.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>nw-if egress)

Full Context

configure service vprn network-interface egress

Description

Commands in this context configure egress network filter policies for the interface.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>if>sap egress)

Full Context

configure service vprn interface sap egress

Description

Commands in this context configure egress SAP Quality of Service (QoS) policies and filter policies.

If no sap-egress QoS policy is defined, the system default sap-egress QoS policy is used for egress processing. If no egress filter is defined, no filtering is performed.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>if>vpls egress)

Full Context

configure service vprn interface vpls egress

Description

The egress node under the vpls binding is used to define the optional sap-egress QoS policy that will be used for reclassifying the egress forwarding class or profile for routed packets associated with the IP interface on the attached VPLS service context.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>network-interface egress)

Full Context

configure service vprn network-interface egress

Description

Commands in this context configure egress network filter policies for the interface.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>mirror>mirror-dest>remote-src>spoke-sdp egress)

[Tree] (config>mirror>mirror-dest>spoke-sdp egress)

Full Context

configure mirror mirror-dest remote-source spoke-sdp egress

configure mirror mirror-dest spoke-sdp egress

Description

Commands in this context configure spoke SDP egress parameters.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>mirror>mirror-dest>sap egress)

Full Context

configure mirror mirror-dest sap egress

Description

This command enables access to the context to associate an egress SAP Quality of Service (QoS) policy with a mirror destination SAP.

If no QoS policy is defined, the system default SAP egress QoS policy is used for egress processing.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>qos>network egress)

Full Context

configure qos network egress

Description

This command is used to enter the CLI node that creates or edits egress policy entries that specify the forwarding class queues to be instantiated when this policy is applied to the network port.

The forwarding class and profile state mapping to in- and out-of-profile DiffServ Code Points (DSCPs), dot1p, and MPLS EXP bits mapping for all labeled packets are also defined in this context.

All service packets are aggregated into DiffServ-based egress queues on the network interface. The service packets are transported either with IP GRE encapsulation or over a MPLS LSP. The exception is with the IES service. In this case, the actual customer IP header has the DSCP field mapped.

All out-of-profile service packets are marked with the corresponding out-of-profile DSCP, dot1p, or the EXP bit value at network egress. All the in-profile service ingress packets are marked with the corresponding in-profile DSCP, dot1p, or EXP bit value based on the forwarding class to which they belong. The exceed-profile traffic is marked with the same value as out-of-profile traffic and the inplus-profile traffic is marked with the same value as in-profile traffic.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>qos>queue-group-templates egress)

Full Context

configure qos queue-group-templates egress

Description

Commands in this context configure QoS egress queue groups. Egress queue group templates can be applied to egress Ethernet ports to create an egress queue group.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>if egress)

Full Context

configure router interface egress

Description

This command enables access to the context to configure egress network filter policies for the IP interface. If an egress filter is not defined, no filtering is performed.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>cust>multi-service-site egress)

Full Context

configure service customer multi-service-site egress

Description

Commands in this context configure the egress node associate an existing scheduler policy name with the customer site. The egress node is an entity to associate commands that complement the association.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>pw-template egress)

Full Context

configure service pw-template egress

Description

Commands in this context configure spoke SDP binding egress filter parameters.

Platforms

7705 SAR Gen 2

Context

[Tree] (configure>port>transceiver>optical-line-system egress-amplifier-gain)

Full Context

configure port transceiver optical-line-system egress-amplifier-gain

Description

This command configures the gain for the egress amplifier.

The no form of this command sets the gain for the egress amplifier to the default.

Default

no egress-amplifier-gain

Parameters

egress-amplifier-gain

Specifies the gain for the amplifier in decibels.

Values

0 to 25.00 dB

Default

25.00 dB

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>bgp>group>neighbor egress-engineering)

[Tree] (config>router>bgp>group egress-engineering)

Full Context

configure router bgp group neighbor egress-engineering

configure router bgp group egress-engineering

Description

Commands in this context configure egress engineering on a specific neighbor or all neighbors in a BGP group.

If egress engineering is not configured in the neighbor context, the configuration is inherited from the group context.

The no form of this command removes the egress engineering configuration.

Default

no egress-engineering

Platforms

7705 SAR Gen 2

Context

[Tree] (config>qos>sap-ingress>fc egress-fc)

Full Context

configure qos sap-ingress fc egress-fc

Description

This command configures the forwarding class to be used by the egress QoS processing. It overrides the forwarding class determined by ingress classification but not the QoS Policy Propagation via BGP.

The forwarding class or forwarding subclass can be overridden.

The new egress forwarding class is applicable to both SAP egress and network egress.

Default

no egress-fc

Parameters

fc-name

Specifies the forwarding class name to be used by the egress QoS processing.

Values

be, l2, af, l1, h2, ef, h1, nc

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>bgp egress-peer-engineering)

Full Context

configure router bgp egress-peer-engineering

Description

Commands in this context configure EPE parameters in BGP.

The no form of this command removes the EPE parameters from the BGP context.

Default

no egress-peer-engineering

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>bgp>group>neighbor egress-peer-engineering-label-unicast)

[Tree] (config>router>bgp>group egress-peer-engineering-label-unicast)

Full Context

configure router bgp group neighbor egress-peer-engineering-label-unicast

configure router bgp group egress-peer-engineering-label-unicast

Description

This command enables the generation of a label-unicast route for each /32 or /128 prefix that corresponds to the BGP neighbor or group address in the scope of the command. These routes can be advertised to other routers to recursively resolve unlabeled BGP routes for AS external destinations. They support the Egress Peer Engineering (EPE) use case.

The no form of this command disables the generation of EPE label-unicast routes.

Default

no egress-peer-engineering-label-unicast

Platforms

7705 SAR Gen 2

Context

[Tree] (config>port>ethernet egress-rate)

Full Context

configure port ethernet egress-rate

Description

This command configures the rate of traffic leaving the network. The configured sub-rate uses packet-based accounting. An event log is generated each time the egress rate is modified unless the port is part of a LAG.

The no form of this command returns the value to the default.

Default

no egress-rate

Parameters

sub-rate

Specifies the egress rate in kb/s.

Values

1 to 100000000

Platforms

7705 SAR Gen 2

Context

[Tree] (config>port>ethernet egress-scheduler-override)

Full Context

configure port ethernet egress-scheduler-override

Description

This command applies egress scheduler overrides. When a port scheduler is associated with an egress port, it is possible to override the following parameters:

• The max-rate allowed for the scheduler.

• The maximum rate for each priority level 8 through 1.

• The CIR associated with each priority level 8 through 1.

See the 7705 SAR Gen 2 Quality of Service Guide for command syntax and usage for the port-scheduler-policy command.

The no form of this command removes all override parameters from the egress port or channel scheduler context. Once removed, the port scheduler reverts all rate parameters back to the parameters defined on the port-scheduler-policy associated with the port.

Parameters

create

Mandatory while creating an entry.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>port>ethernet egress-scheduler-policy)

Full Context

configure port ethernet egress-scheduler-policy

Description

This command enables the provisioning of an existing port-scheduler-policy to a port or channel.

The egress-scheduler-override node allows for the definition of the scheduler overrides for a specific port or channel.

When a port scheduler is active on a port or channel, all queues and intermediate service schedulers on the port are subject to receiving bandwidth from the scheduler. Any policers, queues, or schedulers with port-parent associations are mapped to the appropriate port priority levels based on the port-parent command parameters. Any policers, queues, or schedulers that do not have a port-parent or valid intermediate scheduler parent defined are treated as orphaned and are handled based on the port scheduler policies default or explicit orphan behavior.

The port scheduler maximum rate and priority level rate parameters may be overridden to allow unique values separate from the port-scheduler-policy-name attached to the port or channel. Use the egress-scheduler-override command to specify the port or channel specific scheduling parameters.

The no form of this command removes a port scheduler policy from an egress port or channel. Once the scheduler policy is removed, all orphaned policers, queues, and schedulers revert to a free running state governed only by the local queue or scheduler parameters. This includes any queues or schedulers with a port-parent association.

Parameters

port-scheduler-policy-name

Specifies an existing port-scheduler-policy configured in the config>qos context. The name can be up to 32 characters.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>mpls>fwd-policies>fwd-policy egress-statistics)

Full Context

configure router mpls forwarding-policies forwarding-policy egress-statistics

Description

This command configures egress statistics in an MPLS forwarding policy.

The no form of this command removes any egress statistics in a forwarding policy.

Default

no egress-statistics

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>bgp eibgp-loadbalance)

Full Context

configure service vprn bgp eibgp-loadbalance

Description

This command enables eiBGP load sharing so routes with both MP-BGP and IPv4 next-hops can be used simultaneously.

In order for this command to be effective, the ecmp and multipath commands for the associated VPRN instance must also be configured to allow for multiple routes to the same destination.

The no form of this command used at the global level reverts to default values.

Default

no eibgp-loadbalance

Platforms

7705 SAR Gen 2

Context

[Tree] (config>filter>ipv6-filter embed-filter)

[Tree] (config>filter>ip-filter embed-filter)

Full Context

configure filter ipv6-filter embed-filter

configure filter ip-filter embed-filter

Description

This command embeds a previously defined IPv4, IPv6, or MAC embedded filter policy or Hybrid OpenFlow switch instance into this exclusive, template, or system filter policy at the specified offset value. Rules derived from the BGP FlowSpec can also be embedded into template filter policies only.

The embed-filter open-flow ofs-name form of this command enables OpenFlow (OF) in GRT either by embedding the specified OpenFlow switch (OFS) instance with switch-defined-cookie disabled, or by embedding rules with sros-cookie:type "grt-cookie”, value 0, from the specified OFS instance with switch-defined-cookie enabled. The embedding filter can only be deployed in GRT context or be unassigned.

The embed-filter open-flow ofs-name system form of this command enables OF in system filters by embedding rules with sros-cookie:type "system-cookie”, value 0, from the specified OFS instance with switch-defined-cookie enabled. The embedding filter can only be of scope system.

The embed-filter open-flow ofs-name service {service-id | service-name} form of this command enables OF in VPRN/VPLS filters by embedding rules with sros-cookie:type "service-cookie”, value service-id, from the specified OFS instance with switch-defined-cookie enabled—per service rules. The embedding filter can only be deployed in the specified VPRN/VPLS service. A single VPLS service can only support OF rules per SAP or per service.

The embed-filter open-flow ofs-name sap sap-id form of this command enables OF in VPLS SAP filters by embedding rules with sros-cookie:type "service-cookie”, value service-id and flow match conditions specifying the sap-id from the specified OFS instance with switch-defined-cookie enabled—per SAP OF rules. The embedding filter must be of type exclusive and can only be deployed on the specified SAP in the context of the specified VPLS service. A single VPLS service can only support OF rules per SAP or per service.

The no embed-filter open-flow ofs-name form of this command removes the OF embedding for the GRT context.

The embed-filter flowspec form of this command enables the embedding of rules derived from BGP FlowSpec routes into the filter policy that is being configured. The optional group parameter specifies that only FlowSpec routes tagged with an interface-set extended community containing this group ID should be selected for embedding. The optional router parameter specifies the routing instance source of the BGP FlowSpec routes; if the parameter is not specified, the routing instance is derived automatically from the context in which the filter policy is applied.

The no embed-filter flowspec form of this command removes the FlowSpec filter embedding from this filter policy.

The no embed-filter filter-id form of this command removes the embedding from this filter policy.

See the description of embedded filter policies in this guide for further operational details.

Parameters

ip-filter-id

Specifies a previously defined IPv4 policy for embedding in this filter.

ipv6-filter-id

Specifies a previously defined IPv6 policy for embedding in this filter.

offset

Specifies that an embedded filter entry X will have an entry X + offset in the embedding filter.

Values

0 to 2097151

Default

0

active

Specifies that embedded filter entries are to be included in this embedding filter policy and activated on applicable line cards—default if no keyword is specified and omitted from info command output (but not info detail), or when saving the configuration.

inactive

Specifies that no embedded filter policy entries are to be included in this embedding filter policy. The embedding is configured but will not do anything.

flowspec

This keyword indicates that rules derived from BGP FlowSpec routes should be embedded into (or removed from, in case of the no form) the filter.

group-id

Specifies that only FlowSpec routes with an interface-set extended community with this value of group-id should be selected for embedding.

Values

0 to 16383

router-instance

Specifies a router instance.

vprn-service-name

Specifies the VPRN service name used for embedding FlowSpec rules.

open-flow

Indicates that rules derived from OpenFlow should be embedded into (or removed from, in case of the no form) the filter.

ofs-name

Specifies the name of the currently configured Hybrid OpenFlow Switch (OFS) instance.

Not including the system, service or sap parameters will specify OF in a GRT instance context by default. This allows embedding of OF rules into filters deployed in GRT instances from OFS with switch-defined-cookie disabled, or embedding rules from OFS with switch-defined-cookie enabled, when the FlowTable cookie encodes sros-cookie:type "grt-cookie”.

system

Used for OF control of system filters. Allows embedding of OF rules into system filters from OFS with switch-defined-cookie enabled. Only the rules with cookie value encoding "system-cookie” are embedded.

service-id

Specifies an existing VPRN or VPLS service ID that the embedding filter can be used for.

service-name — Specifies an existing VPRN or VPLS service name that the embedding filter can be used for.

Values

1 to 2147483647

service-name

Specifies an existing VPRN or VPLS service name up to 64 characters that the embedding filter can be used for.

sap-id

Used for OF control of VPLS services when a PortID and VLAN ID match is required. Allows embedding of OF rules with a PortID and VLAN ID match into exclusive VPLS SAP filters. Only the rules with cookie value encoding the VPLS service, and flow table match encoding the specified SAP, are embedded into the filter. The embedding filter can only be deployed in the context of the specified SAP.

sap-id — Specifies an existing SAP that the embedding filter can be used for.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>pim>rp>ipv6 embedded-rp)

Full Context

configure service vprn pim rp ipv6 embedded-rp

Description

This command enables context to configure IPv6 embedded RP parameters.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>pim>rp>ipv6 embedded-rp)

Full Context

configure router pim rp ipv6 embedded-rp

Description

Commands in this context configure embedded RP parameters.

Embedded RP is required to support IPv6 inter-domain multicast because there is no MSDP equivalent in IPv6.

The detailed protocol specification is defined in RFC 3956, Embedding the Rendezvous Point (RP) Address in an IPv6 Multicast Address. This RFC describes a multicast address allocation policy in which the address of the RP is encoded in the IPv6 multicast group address, and specifies a PIM-SM group-to-RP mapping to use the encoding, leveraging, and extending unicast-prefix-based addressing. This mechanism not only provides a simple solution for IPv6 inter-domain ASM but can be used as a simple solution for IPv6 intra-domain ASM with scoped multicast addresses as well. It can also be used as an automatic RP discovery mechanism in those deployment scenarios that would have previously used the Bootstrap Router protocol (BSR).

The no form of this command disables embedded RP.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>if>dhcp>proxy-server emulated-server)

[Tree] (config>service>ies>if>dhcp>proxy-server emulated-server)

[Tree] (config>service>vpls>sap>dhcp>proxy-server emulated-server)

Full Context

configure service vprn interface dhcp proxy-server emulated-server

configure service ies interface dhcp proxy-server emulated-server

configure service vpls sap dhcp proxy-server emulated-server

Description

This command configures the IP address which is used as the DHCP server address in the context of the SAP. Typically, the configured address should be in the context of the subnet represented by the service.

The no form of this command reverts to the default setting. The local proxy server will not become operational without the emulated-server address being specified.

The no form of this command reverts to the default.

Parameters

ip-address

Specifies the emulated server’s IP address. This address must be unique within the subnet and specified in dotted decimal notation. Allowed values are IP addresses in the range 1.0.0.0 – 223.255.255.255 (with support of /31 subnets).

Platforms

7705 SAR Gen 2

Context

[Tree] (enable-admin)

Full Context

enable-admin

Description

See the description for the admin-password command. If the admin-password is configured in the config>system>security>password context, then any user can enter a special administrative mode by entering the enable-admin command.

enable-admin is in the default profile. By default, all users are given access to this command.

Once the enable-admin command is entered, the user is prompted for a password. If the password matches, the user is given unrestricted access to all the commands.

The minimum length of the password is determined by the minimum-length command. The complexity requirements for the password are determined by the complexity command.

The following shows a password configuration example:

A:ALA-1>config>system>security# info
----------------------------------------------
...
            password
                aging 365
                minimum-length 8
                attempts 5 time 5 lockout 20
                admin-password "rUYUz9XMo6I" hash
            exit
...
----------------------------------------------
A:ALA-1>config>system>security#

There are two ways to verify that a user is in the enable-admin mode:

• show users — administrator can know which users are in this mode

• Enter the enable-admin command again at the root prompt and an error message will be returned.

*A:node-1# show users
===============================================================================
User                             Type      Login time           Idle time
  Session ID   From
===============================================================================
                                 Console         --             3d 10:16:12 --
  6            --
admin                            SSHv2     12OCT2018 20:44:15   0d 00:00:00 A-
 #83           192.168.0.10
admin                            SSHv2     12OCT2018 21:09:25   0d 00:05:10 --
  84           192.168.0.10
-------------------------------------------------------------------------------
Number of users: 2
'#' indicates the current active session
'A' indicates user is in admin mode
===============================================================================
*A:node-1# enable-admin
MINOR: CLI Already in admin mode.
*A:node-1#

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>security>password enable-admin-control)

Full Context

configure system security password enable-admin-control

Description

Enable the user to become a system administrator.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>login-control>telnet enable-graceful-shutdown)

Full Context

configure system login-control telnet enable-graceful-shutdown

Description

This command enables graceful shutdown of telnet sessions.

The no form of this command disables graceful shutdown of telnet sessions.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>grt-lookup enable-grt)

Full Context

configure service vprn grt-lookup enable-grt

Description

This command enables the functions required for looking up routes in the Global Route Table (GRT) when the lookup in the local VRF fails. If this command is enabled without the use of a static-route option (as subcommand to this parent), a lookup in the local VRF is preferred over the GRT. When the local VRF returns no route table lookup matches, the result from the GRT is preferred.

The no form of this command disables the lookup in the GRT when the lookup in the local VRF fails.

Default

no enable-grt

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system enable-icmp-vse)

Full Context

configure system enable-icmp-vse

Description

This command enables vendor specific extensions to ICMP.

Default

no enable-icmp-vse

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>bgp enable-inter-as-vpn)

Full Context

configure router bgp enable-inter-as-vpn

Description

This command specifies whether VPNs can exchange routes across autonomous system boundaries, providing model B connectivity.

The no form of this command disallows ASBRs to advertise VPRN routes to their peers in other autonomous systems.

Default

no enable-inter-as-vpn

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>ies>if enable-mac-accounting)

Full Context

configure service ies interface enable-mac-accounting

Description

This command enables MAC accounting functionality on this interface.

The no form of this command disables MAC accounting functionality on this interface.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>if enable-mac-accounting)

Full Context

configure service vprn interface enable-mac-accounting

Description

This command enables MAC accounting functionality on this interface.

The no form of this command disables MAC accounting functionality on this interface.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>if enable-mac-accounting)

Full Context

configure router interface enable-mac-accounting

Description

This command enables MAC Accounting functionality for the interface.

Default

no enable-mac-accounting

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>pim enable-mdt-spt)

Full Context

configure router pim enable-mdt-spt

Description

This command enables SPT switchover for default MDT. On enable, PIM instance resets all MDTs and re-initiate setup.

The no form of this command disables SPT switchover for default MDT. On disable, PIM instance resets all MDTs and re-initiate setup.

Default

no enable-mdt-spt

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>bgp>group>neighbor>graceful-restart enable-notification)

[Tree] (config>service>vprn>bgp>graceful-restart enable-notification)

[Tree] (config>service>vprn>bgp>group>graceful-restart enable-notification)

Full Context

configure service vprn bgp group neighbor graceful-restart enable-notification

configure service vprn bgp graceful-restart enable-notification

configure service vprn bgp group graceful-restart enable-notification

Description

When this command is present, the graceful restart capability sent by this router indicates support for NOTIFICATION messages. If the peer also supports this capability then the session can be restarted gracefully (while preserving forwarding) if either peer sends a NOTIFICATION message due to some type of event or error.

Default

no enable-notification

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>bgp>group>neighbor>graceful-restart enable-notification)

[Tree] (config>router>bgp>group>graceful-restart enable-notification)

[Tree] (config>router>bgp>graceful-restart enable-notification)

Full Context

configure router bgp group neighbor graceful-restart enable-notification

configure router bgp group graceful-restart enable-notification

configure router bgp graceful-restart enable-notification

Description

When this command is present, the graceful restart capability sent by this router indicates support for NOTIFICATION messages. If the peer also supports this capability, then the session can be restarted gracefully (while preserving forwarding) if either peer needs to send a NOTIFICATION message due to some type of event or error.

Default

no enable-notification

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>bgp>group enable-origin-validation)

[Tree] (config>service>vprn>bgp>group>neighbor enable-origin-validation)

Full Context

configure service vprn bgp group enable-origin-validation

configure service vprn bgp group neighbor enable-origin-validation

Description

When this command is added to the configuration of a group or neighbor, it causes every inbound IPv4, IPv6, and label-IPv4 route from that peer to be marked with one of the following origin validation states:

• Valid (0)

• Not-Found (1)

• Invalid (2)

By default (when no family parameter is present in the command) or when all the family options are specified, all unicast IPv4 (AFI1/SAFI1), label-IPv4 (AFI1/SAFI4), and unicast IPv6 (AFI2/SAFI1) routes are evaluated to determine their origin validation states. When only a subset of the family options are present, then only the corresponding address family routes are evaluated.

This command applies to all types of VPRN BGP peers, generally, it should only be applied to EBGP peers and groups that contain only EBGP peers.

The no form of this command disables the inspection of received routes from the peer to determine origin validation state.

Default

no enable-origin-validation

Parameters

ipv4

Enables origin validation processing for unlabeled unicast IPv4 routes.

ipv6

Enables origin validation processing for unlabeled unicast IPv6 routes.

label-ipv4

Enables origin validation processing for labeled IPv4 routes.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>bgp>group>neighbor enable-origin-validation)

[Tree] (config>router>bgp>group enable-origin-validation)

Full Context

configure router bgp group neighbor enable-origin-validation

configure router bgp group enable-origin-validation

Description

When the enable-origin-validation command is added to the configuration of a group or neighbor, it causes every inbound IPv4 or IPv6 route from that peer to be marked with one of the following origin validation states:

• Valid (0)

• Not-Found (1)

• Invalid (2)

By default (when neither the ipv4 or ipv6 option is present in the command) or when both the ipv4 and ipv6 options are specified, all unicast IPv4 (AFI1/SAFI1), label-IPv4 (AFI1/SAFI4), unicast IPv6 (AFI2/SAFI1), and label-IPv6 (AFI2/SAFI4) routes are evaluated to determine their origin validation states. When only the ipv4 or ipv6 option is present, only the corresponding address family routes (unlabeled and labeled) are evaluated.

The enable-origin-validation command applies to all types of BGP peers, but as a general rule, it should only be applied to EBGP peers and groups that contain only EBGP peers.

Default

no enable-origin-validation

Parameters

ipv4

Enables origin validation processing for unlabeled unicast IPv4 routes.

ipv6

Enables origin validation processing for unlabeled unicast IPv6 routes.

label-ipv4

Enables origin validation processing for labeled IPv4 routes.

label-ipv6

Enables origin validation processing for labeled IPv6 routes.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>bgp enable-peer-tracking)

[Tree] (config>service>vprn>bgp>group>neighbor enable-peer-tracking)

[Tree] (config>service>vprn>bgp>group enable-peer-tracking)

Full Context

configure service vprn bgp enable-peer-tracking

configure service vprn bgp group neighbor enable-peer-tracking

configure service vprn bgp group enable-peer-tracking

Description

This command enables BGP peer tracking.

Default

no enable-peer-tracking

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>bgp>group enable-peer-tracking)

[Tree] (config>router>bgp>group>neighbor enable-peer-tracking)

[Tree] (config>router>bgp enable-peer-tracking)

Full Context

configure router bgp group enable-peer-tracking

configure router bgp group neighbor enable-peer-tracking

configure router bgp enable-peer-tracking

Description

This command enables BGP peer tracking. BGP peer tracking allows a BGP peer to be dropped immediately if the route used to resolve the BGP peer address is removed from the IP routing table and there is no alternative available. The BGP peer will not wait for the holdtimer to expire; therefore, the BGP re-convergence process is accelerated.

The no form of this command disables peer tracking.

Default

no enable-peer-tracking

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>bgp enable-rr-vpn-forwarding)

Full Context

configure router bgp enable-rr-vpn-forwarding

Description

When this command is configured all received VPN-IP routes, regardless of route target, are imported into the dummy VRF, where the BGP next-hops are resolved. The label-route-transport-tunnel under config>router>bgp>next-hop-resolution determines what types of tunnels are eligible to resolve the next-hops. If a received VPN-IP route from IBGP peer X is resolved and selected as best so that it can be re-advertised to an IBGP peer Y, and the BGP next-hop is modified towards peer Y (by using the next-hop-self command in Y’s group or neighbor context or by using a next-hop action in an export policy applied to Y) then BGP allocates a new VPRN service label value for the route, signals that new label value to Y and programs the IOM to do the corresponding label swap operation. The supported combinations of X and Y are outlined below:

• from X (client) to Y (client)

• from X (client) to Y (non-client)

• from X (non-client) to Y (client)

The no form of this command causes the re-advertisement of a VPN-IP route between one IBGP peer and another IBGP peer does not cause a new VPRN service label value to be signaled and programmed even if the BGP next-hop is changed through group/neighbor configuration or policy.

Nokia recommends leaving this command disabled for scaling and convergence reasons.

Default

no enable-rr-vpn-forwarding

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>bgp enable-subconfed-vpn-forwarding)

Full Context

configure router bgp enable-subconfed-vpn-forwarding

Description

This command configures BGP to keep VPN-IPv4 and VPN-IPv6 routes within a subconfederation and allow a next-hop-self command to create label swap forwarding entries.

When this is enabled, the base router BGP instance retains all received VPN-IPv4 and VPN-IPv6 routes, even those with route targets not matching any VRF import policy of any locally configured VPRN. In addition, when this leaf is enabled and base router BGP is configured to apply a next-hop-self command to a peer of any type (EBGP, IBGP, or confed-EBGP), the VPN-IPv4 and VPN-IPv6 routes are advertised to the peer with a new BGP label and next-hop, and a label-swap forwarding entry is programmed.The preceding behaviors are applied when the enable-inter-as-vpn or the enable-rr-vpn-forwarding commands, both under the configure router bgp context, are also enabled in the same BGP instance and regardless of whether the base router has a confederation configuration.

The no form of this command disables subconfederation VPN forwarding.

Default

no enable-subconfed-vpn-forwarding

Platforms

7705 SAR Gen 2

Context

[Tree] (admin enable-tech)

Full Context

admin enable-tech

Description

This command enables the shell and kernel commands.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>port>ethernet>dot1x>macsec>sub-port encap-match)

Full Context

configure port ethernet dot1x macsec sub-port encap-match

Description

This command defines the sub-set of traffic on this port affected by this MACsec sub-port.

In order to establish an end-to-end communication between the remote MACsec peers encrypting VLAN-tagged traffic, the MKA packets have to be able to travel over the network following the same path as the encrypted traffic. MKA packets are generated with specific tags depending on the traffic match criteria configured, as shown in MKA Packet Generation .

The no form of this command removes all traffic sub-set definitions from the MACsec sub-port.

Default

encap-match all-encap

Parameters

all-encap

Specifies that all traffic patterns are matched including untagged, single-tag or double-tag, and all will be encrypted.

untagged

Specifies that only untagged traffic are matched and encrypted.

single-tag

Specifies that only dot1q traffic are matched. Either all single tag traffic can be matched, by using *, or a specific dot1q tag can be matched.

double-tag

Specifies that only qinq traffic are matched. The service tag can be specifically matched or a wild card match (*.*) can be used.

encap-value

Specifies the type and value of the packet encapsulation to match for this MACsec sub-port.

Type	Parameter
all-encap	—
untagged	—
dot1q	[*| s] (s = 0..4094)
qinq	[*.*| s.*| s.c] (s and c = 0..4094)

where:

• S = service tag

• C = customer tag

Platforms

7705 SAR Gen 2

Context

[Tree] (config>port>ethernet encap-type)

Full Context

configure port ethernet encap-type

Description

This command configures the encapsulation method used to distinguish customer traffic on an Ethernet access port, or different VLANs on a network port.

The no form of this command restores the default.

Default

encap-type null

Parameters

dot1q

Ingress frames carry 802.1Q tags where each tag signifies a different service.

null

Ingress frames will not use any tags to delineate a service. As a result, only one service can be configured on a port with a null encapsulation type.

qinq

Specifies QinQ encapsulation.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>lag encap-type)

Full Context

configure lag encap-type

Description

This command configures the encapsulation method used to distinguish customer traffic on a LAG. The encapsulation type is configurable on a LAG port. The LAG port and the port member encapsulation types must match when adding a port member.

If the encapsulation type of the LAG port is changed, the encapsulation type on all the port members will also change. The encapsulation type can be changed on the LAG port only if there is no interface associated with it. If the MTU is set to a non-default value, it will be reset to the default value when the encap type is changed.

The no form of this command restores the default.

Default

encap-type null — All traffic on the port belongs to a single service or VLAN.

Parameters

dot1q

Ingress frames carry 802.1Q tags where each tag signifies a different service.

null

Ingress frames will not use any tags to delineate a service. As a result, only one service can be configured on a port with a null encapsulation type.

qinq

Specifies QinQ encapsulation.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>if>sap>ip-tunnel encapsulated-ip-mtu)

[Tree] (config>ipsec>tnl-temp encapsulated-ip-mtu)

[Tree] (config>service>ies>if>sap>ip-tunnel encapsulated-ip-mtu)

[Tree] (config>service>ies>if>ipsec>ipsec-tunnel encapsulated-ip-mtu)

[Tree] (config>service>vprn>if>sap>ipsec-tun encapsulated-ip-mtu)

[Tree] (config>router>if>ipsec>ipsec-tunnel encapsulated-ip-mtu)

[Tree] (config>service>vprn>if>ipsec>ipsec-tunnel encapsulated-ip-mtu)

Full Context

configure service vprn interface sap ip-tunnel encapsulated-ip-mtu

configure ipsec tunnel-template encapsulated-ip-mtu

configure service ies interface sap ip-tunnel encapsulated-ip-mtu

configure service ies interface ipsec ipsec-tunnel encapsulated-ip-mtu

configure service vprn interface sap ipsec-tunnel encapsulated-ip-mtu

configure router interface ipsec ipsec-tunnel encapsulated-ip-mtu

configure service vprn interface ipsec ipsec-tunnel encapsulated-ip-mtu

Description

This command specifies the maximum size of encapsulated tunnel packet for the ipsec-tunnel, ip-tunnel, or the dynamic tunnels terminated on the ipsec-gw. If the encapsulated IPv4 or IPv6 tunnel packet exceeds the encapsulated-ip-mtu, then the system fragments the packet against the encapsulated-ip-mtu.

The no form of this command reverts to the default.

Default

no encapsulated-ip-mtu

Parameters

bytes

Specifies the maximum size in bytes.

Values

512 to 9000

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>if>sap>ip-tunnel encapsulated-ip-mtu)

Full Context

configure service vprn interface sap ip-tunnel encapsulated-ip-mtu

Description

This command configures the tunnel encapsulated IP MTU.

The no form of this command reverts to the default.

Parameters

octets

Specifies the tunnel encapsulated IP MTU in octets.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>telemetry>persistent-subscriptions>subscription encoding)

Full Context

configure system telemetry persistent-subscriptions subscription encoding

Description

This command configures the encoding type that is used for telemetry notifications in accordance with the definitions in the gNMI OpenConfig standard.

Default

encoding json

Parameters

encoding

Specifies the encoding type.

Values

json, bytes, proto

Platforms

7705 SAR Gen 2

Context

[Tree] (bof encrypt)

Full Context

bof encrypt

Description

This command enables and disables encryption of the BOF using AES256 and SHA256.

When the BOF is encrypted on the compact flash, it is still reachable using the BOF interactive menu during node startup, and fields can be modified using the BOF interactive menu.

Default

encrypt off

Parameters

on

Enables BOF encryption

off

Disables BOF encryption

Platforms

7705 SAR Gen 2

Context

[Tree] (bof encryption-key)

Full Context

bof encryption-key

Description

This command creates a key to be used by AES256 and SHA256 for configuration file encryption and hashing. This key is used for all configuration files (primary, secondary, and tertiary).

After creating or deleting a key, use the admin save command to save the configuration file with the current encryption key state.

The no form of this command deletes the encryption key.

Default

no encryption-key

Parameters

key

Specifies the encryption key.

If the hash, hash2, or custom parameter is not configured, the key is entered in plaintext and the key length must be between 8 and 32 characters. A plaintext key cannot contain embedded nulls or end with " hash”, " hash2”, or " custom”.

If the hash, hash2, or custom parameter is configured, the key is hashed and the key length must be between 1 and 64 characters.

hash

Keyword to specify that the key is entered in an encrypted form.

hash2

Keyword to specify that the key is entered in a more complex encrypted form. The hash2 encryption scheme is node-specific and the key cannot be transferred between nodes.

custom

Keyword to specify that the key uses custom encryption.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>log encryption-key)

Full Context

configure log encryption-key

Description

This command specifies the encryption key used by AES-256-CTR for log file encryption. The encryption key is used for all local log files on the system.

The no form of this command deletes the encryption key.

Default

no encryption-key

Parameters

key

Specifies the encryption key.

If the hash, hash2, or custom parameter is not configured, the key is entered in plaintext and the key length must be between 8 and 32 characters. A plaintext key cannot contain embedded nulls or end with " hash”, " hash2”, or " custom”.

If the hash, hash2, or custom parameter is configured, the key is hashed and the key length must be between 1 and 64 characters.

hash

Keyword to specify that the key is entered in an encrypted form.

hash2

Keyword to specify that the key is entered in a more complex encrypted form. The hash2 encryption scheme is node-specific and the key cannot be transferred between nodes.

custom

Keyword to specify that the key uses custom encryption.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>if>group-encryption encryption-keygroup)

Full Context

configure router interface group-encryption encryption-keygroup

Description

This command is used to bind a key group to a router interface for inbound or outbound packet processing. When configured in the outbound direction, packets egressing the router use the active-outbound-sa associated with the configured key group. When configured in the inbound direction, received packets must be encrypted using one of the valid security associations configured for the key group.

The no form of this command removes the key group from the router interface in the specified direction.

Default

no encryption-keygroup direction inbound

no encryption-keygroup direction outbound

Parameters

keygroup-id

The ID number of the key group being configured.

Values

1 to 127, keygroup-name (64 characters maximum)

inbound

Binds the key group in the inbound direction.

outbound

Binds the key group in the outbound direction.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>grp-encryp encryption-keygroup)

Full Context

configure group-encryption encryption-keygroup

Description

This command is used to create a key group. Once the key group is created, use the command to enter the key group context or delete a key group.

The no form of the command removes the key group. Before using the no form, the key group association must be deleted from all services that are using this key group.

Parameters

keygroup-id

The number or name of the key group being referenced.

Values

1 to 15, or keygroup-name (up to 64 characters)

create

Creates a key group.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn encryption-keygroup)

[Tree] (config>service>sdp encryption-keygroup)

[Tree] (config>service>pw-template encryption-keygroup)

Full Context

configure service vprn encryption-keygroup

configure service sdp encryption-keygroup

configure service pw-template encryption-keygroup

Description

This command is used to bind a key group to an SDP, VPRN service, or PW template for inbound or outbound packet processing. When configured in the outbound direction, packets egressing the node use the active-outbound-sa associated with the key group configured. When configured in the inbound direction, received packets must be encrypted using one of the valid security associations configured for the key group. Services using the SDP will be encrypted.

The encryption (enabled or disabled) configured on an SDP used to terminate a Layer 3 spoke SDP of a VPRN always overrides any VPRN-level configuration for encryption.

Encryption is enabled after the outbound direction is configured.

For PW template changes, the following tools command must be executed after the configuration changes are made: tools>perform>service>eval-pw-template>allow-service-impact. This command applies the changes to services that use the PW template.

The no form of the command removes the key group from the SDP or service in the specified direction (inbound or outbound).

Parameters

keygroup-id

Specifies the number of the key group being configured.

Values

1 to 15 or keygroup-name (up to 64 characters)

direction {inbound | outbound}

Specifies the direction of the service that the key group will be bound to.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>macsec>connectivity-association encryption-offset)

Full Context

configure macsec connectivity-association encryption-offset

Description

This command specifies the offset of the encryption in MACsec packet.

The encryption-offset is distributed by MKA (Key-server) to all parties.

It is signaled via MACsec capabilities. There are four basic settings for this. MACsec Basic Settings breaks down the settings.

Note:

1. SR OS supports setting (3) Integrity without confidentiality and Integrity and confidentiality with a confidentiality offset of 0, 30, or 50.

The no form of this command rejects all arriving traffic whether MACsec is secured or not.

Default

encryption-offset 0

Parameters

encryption-offset

Specifies the encryption.

Values

0 — encrypt the entire payload

30 — leave the IPv4 header in clear

50 — leave the IPv6 header in clear

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>time>dst-zone end)

Full Context

configure system time dst-zone end

Description

This command configures start of summer time settings.

Default

end first sunday january 00:00

Parameters

end-week

Specifies the starting week of the month when the summer time ends.

Values

first, second, third, fourth, last

Default

first

end-day

Specifies the starting day of the week when the summer time ends.

Values

sunday, monday, tuesday, wednesday, thursday, friday, saturday

Default

sunday

end-month

Specifies the starting month of the year when the summer time takes effect.

Values

january, february, march, april, may, june, july, august, september, october, november, december

Default

january

hours-minutes

Specifies the time at which the summer time ends, in hh:mm format.

Values

hours: 00 to 23

minutes: 00 to 59

Default

00:00

Platforms

7705 SAR Gen 2

Context

[Tree] (debug>router>rpki-session>packet end-of-data)

Full Context

debug router rpki-session packet end-of-data

Description

This command enables debugging for end of data RPKI packets.

The no form of this command disables debugging for end of data RPKI packets.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>cron>sched end-time)

Full Context

configure system cron schedule end-time

Description

This command is used concurrently with type periodic or calendar. Using the type of periodic, end-time determines at which interval the schedule will end. Using the type of calendar, end-time determines on which date the schedule will end.

When no end-time is specified, the schedule runs forever.

Default

no end-time

Parameters

date

Specifies the date to schedule a command.

Values

YYYY:MM:DD in year:month:day number format

day-name

Specifies the day of the week to schedule a command.

Values

sunday, monday, tuesday, wednesday, thursday, friday, saturday

time

Specifies the time of day to schedule a command.

Values

hh:mm

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>security>keychain>direction>uni>receive>entry end-time)

Full Context

configure system security keychain direction uni receive entry end-time

Description

This command specifies the calendar date and time after which the key specified by the authentication key is no longer eligible to sign or authenticate the protocol stream.

Default

end-time forever

Parameters

date

Specifies the calendar date after which the key specified by the authentication key is no longer eligible to sign or authenticate the protocol stream in the YYYY/MM/DD format. When no year is specified the system assumes the current year.

hours-minutes

Specifies the time after which the key specified by the authentication key is no longer eligible to sign or authenticate the protocol stream in the hh:mm[:ss] format. Seconds are optional, and if not included, assumed to be 0.

UTC

Indicates that time is given with reference to Coordinated Universal Time in the input.

now

Specifies a time equal to the current system time.

forever

Specifies that the key is always active.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>epipe endpoint)

Full Context

configure service epipe endpoint

Description

This command configures a service endpoint.

Parameters

endpoint-name

Specifies an endpoint name.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vpls endpoint)

Full Context

configure service vpls endpoint

Description

This command configures a service endpoint.

Parameters

endpoint-name

Specifies an endpoint name up to 32 characters in length

create

This keyword is mandatory while creating a service endpoint

Platforms

7705 SAR Gen 2

Context

[Tree] (config>mirror>mirror-dest endpoint)

Full Context

configure mirror mirror-dest endpoint

Description

This command configures a service end point. A mirror service supports two implicit endpoints managed internally by the system. The following applies to endpoint configurations.

Up to two named endpoints may be created per service mirror or LI service. The endpoint name is locally significant to the service mirror or LI service.

• Objects (SAPs or SDPs) may be created on the service mirror or LI with the following limitations:

  • two implicit endpoint objects (without explicit endpoints defined)

  • one implicit and multiple explicit object with the same endpoint name

  • multiple explicit objects each with one of two explicit endpoint names

• All objects become associated implicitly or indirectly with the implicit endpoints 'x' and 'y'.

• Objects may be created without an explicit endpoint defined.

• Objects may be created with an explicit endpoint defined.

• Objects without an explicit endpoint may have an explicit endpoint defined without deleting the object.

• Objects with an explicit endpoint defined may be dynamically moved to another explicit endpoint or may have the explicit endpoint removed.

Creating an object without an explicit endpoint:

• If an object on a mirror or LI service has no explicit endpoint name associated, the system attempts to associate the object with implicit endpoint 'x' or 'y'.

• The implicit endpoint cannot have an existing object association.

• If both 'x' and 'y' are available, 'x' is selected.

• If an 'x' or 'y' association cannot be created, the object cannot be created.

Creating an object with an explicit endpoint name:

• The endpoint name must exist on the mirror or LI service.

• If this is the first object associated with the endpoint name:

  • the object is associated with either implicit endpoint 'x' or 'y'

  • the implicit endpoint cannot have an existing object associated

  • if both 'x' and 'y' are available, 'x' is selected

  • if 'x' or 'y' is not available, the object cannot be created

  • the implicit endpoint is now associated with the named endpoint

  • f this is not the first object associated with the endpoint name:

  • the object is associated with the named endpoint's implicit association

Changing an object’s implicit endpoint to an explicit endpoint name

• If the explicit endpoint name is associated with an implicit endpoint, the object is moved to that implicit endpoint

• If the object is the first to be associated with the explicit endpoint name:

  • the object is associated with either implicit endpoint 'x' or 'y'

  • the implicit endpoint cannot have an existing object associated (except this one)

  • if both 'x' and 'y' are available, 'x' is selected

  • if 'x' or 'y' is not available, the object cannot be moved to the explicit endpoint

  • if moved, the implicit endpoint is now associated with the named endpoint

Changing an object’s explicit endpoint to another explicit endpoint name

• If the new explicit endpoint name is associated with an implicit endpoint, the object is moved to that implicit endpoint

• If the object is the first to be associated with the new explicit endpoint name:

  • the object is associated with either implicit endpoint 'x' or 'y'

  • the implicit endpoint cannot have an existing object associated (except this one)

  • if both 'x' and 'y' are available, 'x' is selected

  • if 'x' or 'y' is not available, the object cannot be moved to the new endpoint

  • if moved, the implicit endpoint is now associated with the named endpoint

An explicitly named endpoint can have a maximum of one SAP and one ICB. Once a SAP is added to the endpoint, only one more object of type ICB sdp is allowed. The ICB sdp cannot be added to the endpoint if the SAP is not part of a MC-LAG instance. Conversely, a SAP which is not part of a MC-LAG instance cannot be added to an endpoint which already has an ICB sdp.

An explicitly named endpoint which does not have a SAP object can have a maximum of four SDPs which can include any of the following: a single primary SDP, one or many secondary SDPs with precedence, and a single ICB SDP.

The user can only add a SAP configured on a MC-LAG instance to this endpoint. Conversely, the user will not be able to change the mirror service type away from mirror service without first deleting the MC-LAG SAP.

The no form of this command removes the association of a SAP or an SDP with an explicit endpoint name. When removing an objects explicit endpoint association:

• The system attempts to associate the object with implicit endpoint 'x' or 'y'.

• The implicit endpoint cannot have an existing object association (except this one).

• If both 'x' and 'y' are available, 'x' is selected.

• If an 'x' or 'y' association cannot be created, the explicit endpoint cannot be removed.

Parameters

endpoint-name

Specifies the endpoint name.

create

Mandatory keyword to create this entry.

Platforms

7705 SAR Gen 2

Context

[Tree] (conf>router>segment-routing>sr-policies>policy endpoint)

Full Context

configure router segment-routing sr-policies static-policy endpoint

Description

This command associates an IPv4 or IPv6 endpoint address with a statically-defined segment routing policy. This association is mandatory when enabling an SR segment-routing policy.

The endpoint address 0.0.0.0 is a special value that matches all BGP next-hops. To use it, the BGP route must have a color-extended community with the color-only bits set to '01' or '10'.

The no form of this command removes the endpoint association.

Default

no endpoint

Parameters

ip-address

Specifies the endpoint IP address to be associated with the statically-defined segment-routing policy.

Values

ipv4-address:	a.b.c.d
ipv6-address:	x:x:x:x:x:x:x:x
	x:x:x:x:x:x:d.d.d.d
	x:	[0 to FFFF]H
	d:	[0 to 255]D

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>policy-options>policy-statement>entry>from endpoint)

Full Context

configure router policy-options policy-statement entry from endpoint

Description

This command configures an SR Policy endpoint address as a route policy match criterion. This match criterion is only used in import policies.

The no form of this command removes the endpoint IP match criterion from the configuration.

Parameters

ip-address

Specifies the IPv4 or IPv6 address.

Values

ipv4-address:

• a.b.c.d

ipv6-address:

• x:x:x:x:x:x:x:x [-interface]

• x:x:x:x:x:x:d.d.d.d [-interface]

• x: [0 to FFFF]H

• d: [0 to 255]D

Platforms

7705 SAR Gen 2

Context

[Tree] (config>oam-pm>session>ip>tunnel>mpls>sr-policy endpoint)

Full Context

configure oam-pm session ip tunnel mpls sr-policy endpoint

Description

This command configures the unicast IPv4 or globally routable IPv6 address endpoint of the tunnel.

The no form of this command removes IPv4 or IPv6 address.

Default

no endpoint

Parameters

ip-address

Specifies the IPv4 or IPv6 address.

Values

ipv4-address	- a.b.c.d
ipv6-address	- x:x:x:x:x:x:x:x (eight 16-bit pieces)
	x:x:x:x:x:x:d.d.d.d
	x - [0 to FFFF]H
	d - [0 to 255]D

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>bgp>group enforce-first-as)

[Tree] (config>service>vprn>bgp>group>neighbor enforce-first-as)

[Tree] (config>service>vprn>bgp enforce-first-as)

Full Context

configure service vprn bgp group enforce-first-as

configure service vprn bgp group neighbor enforce-first-as

configure service vprn bgp enforce-first-as

Description

When this command is configured so that it applies to an EBGP session, all routes (belonging to all address families) that are received from the EBGP peer are checked to ensure that the most recent autonomous system number (ASN) in the AS_PATH attribute of each route matches the configured peer-as of the session; if it does not match, then either the session is reset (if update-fault-tolerance is not enabled) or the session is left up but the route is treated as withdrawn (if update-fault-tolerance is enabled).

Enabling or disabling this command on a session that is already up does not flap the session. When enforce-first-as is enabled, previously received routes are not checked for compliance with the rule. Enforcement applies only to routes received after the command is enabled and stops when the command is disabled.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>bgp>group enforce-first-as)

[Tree] (config>router>bgp>group>neighbor enforce-first-as)

[Tree] (config>router>bgp enforce-first-as)

Full Context

configure router bgp group enforce-first-as

configure router bgp group neighbor enforce-first-as

configure router bgp enforce-first-as

Description

When this command is configured so that it applies to an EBGP session, all routes (belonging to all address families) that are received from the EBGP peer are checked to ensure that the most recent autonomous system number (ASN) in the AS_PATH attribute of each route matches the configured peer-as of the session; if it does not match, then either the session is reset (if update-fault-tolerance is not enabled) or the session is left up but the route is treated as withdrawn (if update-fault-tolerance is enabled).

Enabling or disabling this command on a session that is already up does not flap the session. When enforce-first-as is enabled, previously received routes are not checked for compliance with the rule. Enforcement applies only to routes received after the command is enabled and stops when the command is disabled.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vpls>bgp-evpn>mpls>auto-bind-tunnel enforce-strict-tunnel-tagging)

[Tree] (config>service>epipe>bgp-evpn>mpls>auto-bind-tunnel enforce-strict-tunnel-tagging)

[Tree] (config>service>vprn>bgp-evpn>mpls>auto-bind-tunnel enforce-strict-tunnel-tagging)

Full Context

configure service vpls bgp-evpn mpls auto-bind-tunnel enforce-strict-tunnel-tagging

configure service epipe bgp-evpn mpls auto-bind-tunnel enforce-strict-tunnel-tagging

configure service vprn bgp-evpn mpls auto-bind-tunnel enforce-strict-tunnel-tagging

Description

This command forces the system to only consider LSPs marked with an admin tag for next hop resolution. Untagged LSPs are not considered.

The no form of this command reverts to default value. While tagged RSVP and SR-TE LSPs are considered first, the system can fall back to using untagged LSPs of other types and does not exclude them depending on the auto-bind-tunnel configuration.

Default

no enforce-strict-tunnel-tagging

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>bgp>next-hop-resolution>shortcut-tunn>family enforce-strict-tunnel-tagging)

[Tree] (config>router>bgp>next-hop-resolution>labeled-routes>transport-tunnel>family enforce-strict-tunnel-tagging)

Full Context

configure router bgp next-hop-resolution shortcut-tunnel family enforce-strict-tunnel-tagging

configure router bgp next-hop-resolution labeled-routes transport-tunnel family enforce-strict-tunnel-tagging

Description

This command forces the system to only consider LSPs marked with an admin-tag for next-hop resolution. Untagged LSPs are not be considered.

The no form of this command reverts to the default behavior. While tagged RSVP and SR-TE LSPs will be considered first, the system can fall back to using tagged LSPs that are not explicitly excluded by a route admin tag policy and untagged LSPs of other types and not exclude them.

Default

no enforce-strict-tunnel-tagging

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>auto-bind-tunnel enforce-strict-tunnel-tagging)

Full Context

configure service vprn auto-bind-tunnel enforce-strict-tunnel-tagging

Description

Platforms

7705 SAR Gen 2

Context

[Tree] (config>test-oam>twamp>server enforce-test-session-start-time)

Full Context

configure test-oam twamp server enforce-test-session-start-time

Description

This command configures the router to check the signalled test-session start time against the server time and discard TWAMP test packets that arrive before the negotiated test-session start time.

The no form of this command configures the router to process all TWAMP test packets without checking the test-session start time against the server time.

Default

enforce-test-session-start-time

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>ip enforce-unique-if-index)

Full Context

configure system ip enforce-unique-if-index

Description

This command enables the options to force the creation of IP interface indexes so that they are globally unique across all routing contexts. In addition, the command ensures that any interface created using SNMP also has a system-wide unique IP interface index.

If this command is issued but the system has previously existing interface indexes that conflict, the command will be rejected until all the conflicts are removed. Pre-existing persistency tables should also be removed before enabling this system option.

The no form of the command disables this option and returns the system to the default behavior.

Default

no enforce-unique-if-index

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>bgp>next-hop-res>lbl-routes>transport-tunn>family enforce-untagged-route)

Full Context

configure router bgp next-hop-resolution labeled-routes transport-tunnel family enforce-untagged-route

Description

This command configures the enforcement of BGP routes with no administrative tag policy applied by modifying the next-hop resolution behavior for autobind services.

Default

enforce-untagged-route none

Parameters

none

Keyword to specify that untagged routes can bind to tagged or untagged LSPs.

untagged-tunnel

Keyword to specify that untagged routes can only bind to LSPs with no administrative tags configured. If both tagged and untagged tunnels to the next hop exist, the system only considers untagged tunnels. If no untagged tunnels to the next hop exist, the resolution of untagged routes also fails. This keyword may be used in combination with the enforce-strict-tunnel-tagging command, in which case tagged routes resolve to tagged LSPs and untagged routes only resolve to untagged LSPs.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>bgp>next-hop-res>shortcut-tunn>family enforce-untagged-route)

Full Context

configure router bgp next-hop-resolution shortcut-tunnel family enforce-untagged-route

Description

This command configures the enforcement of BGP routes with no administrative tag policy applied by modifying the next-hop resolution behavior for autobind services.

Default

enforce-untagged-route none

Parameters

none

Keyword to specify that untagged routes can bind to tagged or untagged LSPs.

untagged-tunnel

Keyword to specify that untagged routes can only bind to LSPs with no administrative tags configured. If both tagged and untagged tunnels to the next hop exist, the system only considers untagged tunnels. If no untagged tunnels to the next hop exist, the resolution of untagged routes also fails. This keyword may be used in combination with the enforce-strict-tunnel-tagging command, in which case tagged routes resolve to tagged LSPs and untagged routes only resolve to untagged LSPs.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>epipe>bgp-evpn>mpls>auto-bind-tunnel enforce-untagged-route)

Full Context

configure service epipe bgp-evpn mpls auto-bind-tunnel enforce-untagged-route

Description

This command configures the enforcement of BGP routes with no administrative tag policy applied by modifying the next-hop resolution behavior for autobind services.

Default

enforce-untagged-route none

Parameters

none

Keyword to specify that untagged routes can bind to tagged or untagged LSPs.

untagged-tunnel

Keyword to specify that untagged routes can only bind to LSPs with no administrative tags configured. If both tagged and untagged tunnels to the next hop exist, the system only considers untagged tunnels. If no untagged tunnels to the next hop exist, the resolution of untagged routes also fails. This keyword may be used in combination with the enforce-strict-tunnel-tagging command, in which case tagged routes resolve to tagged LSPs and untagged routes only resolve to untagged LSPs.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vpls>bgp-evpn>mpls>auto-bind-tunnel enforce-untagged-route)

Full Context

configure service vpls bgp-evpn mpls auto-bind-tunnel enforce-untagged-route

Description

This command configures the enforcement of BGP routes with no administrative tag policy applied by modifying the next-hop resolution behavior for autobind services.

Default

enforce-untagged-route none

Parameters

none

Keyword to specify that untagged routes can bind to tagged or untagged LSPs.

untagged-tunnel

Keyword to specify that untagged routes can only bind to LSPs with no administrative tags configured. If both tagged and untagged tunnels to the next hop exist, the system only considers untagged tunnels. If no untagged tunnels to the next hop exist, the resolution of untagged routes also fails. This keyword may be used in combination with the enforce-strict-tunnel-tagging command, in which case tagged routes resolve to tagged LSPs and untagged routes only resolve to untagged LSPs.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>bgp-evpn>mpls>auto-bind-tunnel enforce-untagged-route)

Full Context

configure service vprn bgp-evpn mpls auto-bind-tunnel enforce-untagged-route

Description

This command configures the enforcement of BGP routes with no administrative tag policy applied by modifying the next-hop resolution behavior for autobind services.

Default

enforce-untagged-route none

Parameters

none

Keyword to specify that untagged routes can bind to tagged or untagged LSPs.

untagged-tunnel

Keyword to specify that untagged routes can only bind to LSPs with no administrative tags configured. If both tagged and untagged tunnels to the next hop exist, the system only considers untagged tunnels. If no untagged tunnels to the next hop exist, the resolution of untagged routes also fails. This keyword may be used in combination with the enforce-strict-tunnel-tagging command, in which case tagged routes resolve to tagged LSPs and untagged routes only resolve to untagged LSPs.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>bgp-ipvpn>mpls>auto-bind-tunnel enforce-untagged-route)

Full Context

configure service vprn bgp-ipvpn mpls auto-bind-tunnel enforce-untagged-route

Description

This command configures the enforcement of BGP routes with no administrative tag policy applied by modifying the next-hop resolution behavior for autobind services.

Default

enforce-untagged-route none

Parameters

none

Keyword to specify that untagged routes can bind to tagged or untagged LSPs.

untagged-tunnel

Keyword to specify that untagged routes can only bind to LSPs with no administrative tags configured. If both tagged and untagged tunnels to the next hop exist, the system only considers untagged tunnels. If no untagged tunnels to the next hop exist, the resolution of untagged routes also fails. This keyword may be used in combination with the enforce-strict-tunnel-tagging command, in which case tagged routes resolve to tagged LSPs and untagged routes only resolve to untagged LSPs.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>sys>security>dist-cpu-protection>policy>protocol enforcement)

Full Context

configure system security dist-cpu-protection policy protocol enforcement

Description

This command configures the enforcement method for the protocol.

Default

enforcement dynamic local-mon-bypass

Parameters

static

Specifies that the protocol is always enforced using a static-policer. Multiple protocols can reference the same static-policer. Packets of protocols that are statically enforced bypass any local monitors.

policer name

Specifies which static-policer to use.

dynamic

Specifies that a specific enforcement policer for this protocol for this SAP/object is instantiated when the associated local-monitoring-policer is determined to be in a nonconforming state (at the end of a minimum monitoring time of 60 seconds to reduce thrashing).

mon-policer-name

Specifies which local-monitoring-policer to use.

local-mon-bypass

This parameter is used to not include packets from this protocol in the local monitoring function, and when the local-monitor "trips”, do not instantiate a dynamic enforcement policer for this protocol.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>snmp engineID)

Full Context

configure system snmp engineID

Description

This command sets the SNMP engine ID that uniquely identifies the SNMPv3 node.If unconfigured, the system uses an engine ID based on the information from the system backplane.If the SNMP engine ID is changed, the current configuration must be saved and a reboot must be executed. Otherwise, the previously configured SNMP communities and logger trap-target notify communities will not be valid for the new engine ID.

When replacing a chassis, configure the new router to use the same engine ID as the previous router. This preserves SNMPv3 security keys and allows management stations to use their existing authentication keys for the new router.

Ensure that the engine ID of each router is unique. A management domain can only maintain one instance of a specific engine ID.

The no form of the command configures the router to use the default value.

Parameters

engine-id

Specifies an identifier from 10 to 64 hexadecimal digits (5 to 32 octet number), uniquely identifying this SNMPv3 node. This string is used to access this node from a remote host with SNMPv3.

Platforms

7705 SAR Gen 2

Context

[Tree] (admin>certificate>est enroll)

Full Context

admin certificate est enroll

Description

This command enrolls a new certificate with Certificate Authority (CA) by the EST protocol specified with the est-profile name parameter with a imported private key specified by the key key-filename parameter.

The est-profile name specifies the authentication between the system and EST server.

The hash-alg hash-algorithm, subject-dn subject-dn, domain-name domain-names, and ip-addr ip-address parameters are used to generate the Certificate Signing Request (CSR) in the EST request message. The domain-name domain-names and ip-addr ip-address parameters are used as subject alternative names.

If validate-cert-chain is specified, the system validates the certificate’s chain of result certificate before importing it. The "certificate chain” is the chain of all the certificates from the result certificate to the issuing CA. The "result certificate” is the new certificate returned by EST server.

The result certificate is imported and saved with the filename specified by the output output-cert-filename. If force is specified, the system overwrites the existing file with same name as the output-cert-filename.

Parameters

name

Specifies EST profile name, up to 32 characters

key-filename

Specifies the filename of a key, up to 95 characters

output-cert-filename

Specifies the output certificate filename, up to 200 characters

hash-algorithm

Specifies the hash algorithm used in a certificate request.

Values

sha1, sha224, sha256, sha384, sha512

subject-dn

Specifies the distinguish name, up to 256 characters, used as the subject in a certificate request, including:

• C-Country

• ST-State

• O-Organization name

• OU-Organization Unit name

• CN-common name

This parameter is formatted as a text string including any of the preceding attributes. The attribute and its value is linked by using "=”, and ",” is used to separate different attributes.

For example: C=US,ST=CA,O=ALU,CN=SR12

Values

attr1=val1,attr2=val2

where: attrN={C | ST | O | OU | CN}, up to 256 characters

domain-names

Specifies domain names, up to 512 characters, separated by commas

ip-address

Specifies an IPv4 or IPv6 address string, up to 64 characters

validate-cert-chain

Specifies that the system validates the certificate’s chain of result certificate before importing it

force

Specifies that the system overwrites the existing file with same output-cert-filename

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>management-interface>cli>md-cli>environment>command-completion enter)

Full Context

configure system management-interface cli md-cli environment command-completion enter

Description

This command enables completion on the enter character.

The no form of this command reverts to the default value.

Default

enter

Platforms

7705 SAR Gen 2

Context

[Tree] (config>filter>dhcp-filter entry)

[Tree] (config>filter>dhcp6-filter entry)

Full Context

configure filter dhcp-filter entry

configure filter dhcp6-filter entry

Description

This command configures DHCP filter entries.

The no form of this command removes the entry from the configuration.

Parameters

entry-id

Specifies the entry ID.

Values

1 to 65535

create

This keyword is required when first creating the DHCP filter entry. Once the context is created, it is possible to navigate into the context without the create keyword.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>log>filter entry)

Full Context

configure service vprn log filter entry

Description

This command is used to create or edit an event filter entry. Multiple entries may be created using unique entry-id values. The SR OS implementation exits the filter on the first match found and executes the action in accordance with the action command.

Comparisons are performed in an ascending entry ID order. When entries are created, they should be arranged sequentially from the most explicit entry to the least explicit. Matching ceases when a packet matches an entry. The entry action is performed on the packet, either drop or forward. To be considered a match, the packet must meet all the conditions defined in the entry.

An entry may not have any match criteria defined (in which case, everything matches) but must have at least the keyword action for it to be considered complete. Entries without the action keyword will be considered incomplete and are rendered inactive.

By default, no filter entries are defined. Entries must be explicitly configured.

The no form of this command removes the specified entry from the event filter. Entries removed from the event filter are immediately removed from all log-id’s where the filter is applied.

Default

No event filter entries are defined. An entry must be explicitly configured.

Parameters

entry-id

The entry ID uniquely identifies a set of match criteria corresponding action within a filter. Entry ID values should be configured in staggered increments so you can insert a new entry in an existing policy without renumbering the existing entries.

Values

1 to 999

name entry-name

Configures an optional entry name for the event filter, up to 64 characters, that can be used to refer to the entry after it is created.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>ipsec>cert-profile entry)

Full Context

configure ipsec cert-profile entry

Description

This command configures the certificate profile entry information

The no form of this command removes the entry-id value from the cert-profile configuration.

Parameters

entry-id

Specifies the entry ID.

Values

1 to 8

Platforms

7705 SAR Gen 2

Context

[Tree] (config>ipsec>ts-list>remote entry)

[Tree] (config>ipsec>ts-list>local entry)

Full Context

configure ipsec ts-list remote entry

configure ipsec ts-list local entry

Description

This command creates a new TS-list entry or enables the context to configure an existing TS-list entry.

The no form of this command removes the entry from the local or remote configuration.

Parameters

entry-id

Specifies the entry ID

Values

1 to 32

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>ipsec>sec-plcy entry)

[Tree] (config>service>vprn>ipsec>sec-plcy entry)

Full Context

configure router ipsec security-policy entry

configure service vprn ipsec security-policy entry

Description

This command configures an IPsec security policy entry.

Parameters

entry-id

Specifies the IPsec security policy entry.

Values

1 to 16

create

Keyword used to create the security policy entry instance. The create keyword requirement can be enabled or disabled in the environment>create context.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>qos>sap-ingress>ip-criteria entry)

[Tree] (config>qos>sap-ingress>mac-criteria entry)

[Tree] (config>qos>sap-egress>ip-criteria entry)

[Tree] (config>qos>sap-ingress>ipv6-criteria entry)

[Tree] (config>qos>sap-egress>ipv6-criteria entry)

Full Context

configure qos sap-ingress ip-criteria entry

configure qos sap-ingress mac-criteria entry

configure qos sap-egress ip-criteria entry

configure qos sap-ingress ipv6-criteria entry

configure qos sap-egress ipv6-criteria entry

Description

This command is used to create or edit an IP, IPv6, or MAC criteria entry for the policy. Multiple entries can be created using unique entry-id numbers.

The list of flow criteria is evaluated in a top-down manner with the lowest entry ID at the top and the highest entry ID at the bottom. If the defined match criteria for an entry within the list matches the information in the egress packet, the system stops matching the packet against the list and performs the matching entries reclassification actions. If none of the entries match the packet, the IP flow reclassification list has no effect on the packet.

An entry is not populated in the list unless the action command is executed for the entry. An entry that is not populated in the list has no effect on egress packets. If the action command is executed without any explicit reclassification actions specified, the entry is populated in the list allowing packets matching the entry to exit the list, preventing them from matching entries lower in the list. Since this is the only flow reclassification entry that the packet matched and this entry explicitly states that no reclassification action is to be performed, the matching packet will not be reclassified.

The no form of this command removes the specified entry from the policy. Entries removed from the policy are immediately removed from all services where that policy is applied.

Parameters

entry-id

The entry-id, expressed as an integer, uniquely identifies a match criterion and the corresponding action. It is recommended that multiple entries be given entry-ids in staggered increments. This allows users to insert a new entry in an existing policy without requiring renumbering of all the existing entries.

An entry cannot have any match criteria defined (in which case, everything matches) but must have at least the keyword action fc fc-name for it to be considered complete. Entries without the action keyword will be considered incomplete and, therefore, will be rendered inactive.

Values

1 to 65535

create

Required parameter when creating a flow entry when the system is configured to require the explicit use of the keyword to prevent accidental object creation. Objects may be accidentally created when this protection is disabled and an object name is mistyped when attempting to edit the object. This keyword is not required when the protection is disabled. The keyword is ignored when the flow entry already exists.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>qos>network>ingress>ipv6-criteria entry)

[Tree] (config>qos>network>ingress>ip-criteria entry)

[Tree] (config>qos>network>egress>ipv6-criteria entry)

[Tree] (config>qos>network>egress>ip-criteria entry)

Full Context

configure qos network ingress ipv6-criteria entry

configure qos network ingress ip-criteria entry

configure qos network egress ipv6-criteria entry

configure qos network egress ip-criteria entry

Description

This command is used to create or edit an IP or IPv6 criteria entry for the policy. Multiple entries can be created using unique entry numbers.

The list of flow criteria is evaluated in a top-down manner with the lowest entry ID at the top and the highest entry ID at the bottom. If the defined match criteria for an entry within the list matches the information in the packet, the system stops matching the packet against the list and performs the matching entries reclassification actions. If none of the entries match the packet, the IP flow reclassification list has no effect on the packet.

An entry is not populated in the list unless the action command is executed for the entry. An entry that is not populated in the list has no effect on ingress packets. If the action command is executed without any explicit reclassification actions specified, the entry is populated in the list allowing packets matching the entry to exit the list, preventing them from matching entries lower in the list. Since this is the only flow reclassification entry that the packet matched, and this entry explicitly states that no reclassification action is to be performed, the matching packet will not be reclassified.

The configuration of egress prec/DSCP classification and the configuration of an egress IP criteria or IPv6 criteria entry statement within a network QoS policy are mutually exclusive.

Network QoS policies containing egress ip-criteria or ipv6-criteria entry statements are only applicable to network interfaces. Configuration of ip-criteria or ipv6-criteria entry statements in a network egress QoS policy and the application of the policy on any object other than a GRT network interface are mutually exclusive.

The no form of this command removes the specified entry from the policy. Entries removed from the policy are immediately removed from all services to which that policy is applied.

Parameters

entry-id

The entry identifier, expressed as an integer, uniquely identifies a match criterion and the corresponding action. It is recommended that multiple entries be given entry identifiers in staggered increments. This allows users to insert a new entry in an existing policy without requiring renumbering of all the existing entries.

An entry cannot have any match criteria defined (in which case, everything matches) but must have at least the keyword action fc fc-name profile profile for it to be considered complete. Entries without the action keyword will be considered incomplete and will be rendered inactive.

Values

1 to 65535

create

Required parameter when creating a flow entry when the system is configured to require the explicit use of the keyword to prevent accidental object creation. Objects may be accidentally created when this protection is disabled, and an object name is mistyped when attempting to edit the object. This keyword is not required when the protection is disabled. The keyword is ignored when the flow entry already exists.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>filter>ip-filter entry)

[Tree] (config>filter>ipv6-exception entry)

[Tree] (config>filter>ipv6-filter entry)

[Tree] (config>filter>ip-exception entry)

Full Context

configure filter ip-filter entry

configure filter ipv6-exception entry

configure filter ipv6-filter entry

configure filter ip-exception entry

Description

This command creates or edits an IPv4, IPv6, MAC, IP exception filter, or IPv6 exception filter entry. Multiple entries can be created using unique entry-id numbers within the filter. Entries must be sequenced from most to least explicit.

An entry may not have any match criteria defined (in which case everything matches) but must have at least the keyword action for it to be considered complete. Entries without the action keyword will be considered incomplete and hence will be rendered inactive.

The no form of the command removes the specified entry from the filter. Entries removed from the filter are immediately removed from all services or network ports where that filter is applied.

Parameters

entry-id

Uniquely identifies a match criteria and the corresponding action. It is recommended that multiple entries be given entry-id in staggered increments. This allows users to insert a new entry in an existing policy without requiring to renumbering all the existing entries. The parameter is expressed as a decimal integer.

Values

1 to 2097151

create

This keyword is required to create the configuration context. Once the context is created, the user can enable the context with or without the create keyword.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>log>filter entry)

Full Context

configure log filter entry

Description

This command creates or edits an event filter entry. Multiple entries can be created using unique entry-id values. The SR OS implementation exits the filter on the first match found and executes the action in accordance with the action command.

Comparisons are performed in an ascending entry ID order. When entries are created, they should be arranged sequentially from the most explicit entry to the least explicit. Matching ceases when a packet matches an entry. The entry action is performed on the packet, either drop or forward. To be considered a match, the packet must meet all the conditions defined in the entry.

An entry may not have any match criteria defined (in which case, everything matches) but must have at least the keyword action for it to be considered complete. Entries without the action keyword will be considered incomplete and are rendered inactive.

By default, no filter entries are defined. Entries must be explicitly configured.

The no form of this command removes the specified entry from the event filter. Entries removed from the event filter are immediately removed from all log-id’s where the filter is applied.

Parameters

entry-id

The entry ID uniquely identifies a set of match criteria corresponding action within a filter. Entry ID values should be configured in staggered increments so you can insert a new entry in an existing policy without renumbering the existing entries.

Values

1 to 999

name entry-name

Configures an optional entry name for the event filter, up to 64 characters, that can be used to refer to the entry after it is created.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>log>event-handling>handler>action-list entry)

Full Context

configure log event-handling handler action-list entry

Description

This command configures an EHS handler action-list entry. A handler can have multiple actions where each action, for example, could request the execution of a different script. When the handler is triggered it will walk through the list of configured actions.

The no form of this command removes the specified EHS handler action-list entry.

Parameters

entry-id

Specifies the identifier of the EHS handler entry.

Values

1 to 1500

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>security>mgmt-access-filter>mac-filter entry)

[Tree] (config>system>security>mgmt-access-filter>ipv6-filter entry)

[Tree] (config>system>security>mgmt-access-filter>ip-filter entry)

Full Context

configure system security management-access-filter mac-filter entry

configure system security management-access-filter ipv6-filter entry

configure system security management-access-filter ip-filter entry

Description

This command is used to create or edit a management access IP(v4), IPv6, or MAC filter entry. Multiple entries can be created with unique entry-id numbers. The OS exits the filter upon the first match found and executes the actions according to the respective action command. For this reason, entries must be sequenced correctly from most to least explicit.

An entry may not have any match criteria defined (in which case, everything matches) but must have at least the keyword action defined to be considered complete. Entries without the action keyword are considered incomplete and inactive.

The no form of this command removes the specified entry from the management access filter.

Parameters

entry-id

Specifies an entry ID uniquely identifies a match criteria and the corresponding action. It is recommended that entries are numbered in staggered increments. This allows users to insert a new entry in an existing policy without having to renumber the existing entries.

Values

1 to 9999

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>security>profile entry)

Full Context

configure system security profile entry

Description

This command is used to create a user profile entry.

More than one entry can be created with unique entry-id numbers. Exits when the first match is found and executes the actions according to the accompanying action command. Entries should be sequenced from most explicit to least explicit.

An entry may not have any match criteria defined (in which case, everything matches) but must have at least the keyword action for it to be considered complete.

The no form of this command removes the specified entry from the user profile.

Parameters

entry-id

Specifies an entry-id that uniquely identifies a user profile command match criteria and a corresponding action. If more than one entry is configured, the entry-ids should be numbered in staggered increments to allow users to insert a new entry without requiring renumbering of the existing entries.

Values

1 to 9999

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>security>keychain>direction>bi entry)

[Tree] (config>system>security>keychain>direction>uni>send entry)

[Tree] (config>system>security>keychain>direction>uni>receive entry)

Full Context

configure system security keychain direction bi entry

configure system security keychain direction uni send entry

configure system security keychain direction uni receive entry

Description

This command defines a particular key in the keychain. Entries are defined by an entry ID. A keychain must have valid entries for the TCP Enhanced Authentication mechanism to work.

If the entry is the active entry for sending, then this causes a new active key to be selected (if one is available using the youngest key rule). If it is the only possible key to send, then the system rejects the command with an error indicating the configured key is the only available send key.

If the key is one of the eligible keys for receiving, it will be removed. If the key is the only possible eligible key, then the command is accepted, and an error indicating that this is the only eligible key will be generated.

The no form of this command removes the entry from the keychain.

Parameters

entry-id

Specifies an entry that represents a key configuration to be applied to a keychain.

Values

0 to 63, null-key

key

Specifies a key ID which is used along with keychain-name and direction to uniquely identify this particular key entry.

authentication-key

Specifies the authentication-key that is used by the encryption algorithm. The key is used to sign and authenticate a protocol packet.

The authentication-key can be any combination of letters or numbers.

Values

A key must be 160 bits for algorithm hmac-sha-1-96 and must be 128 bits for algorithm aes-128-cmac-96. If the key given with the entry command amounts to less than this number of bits, then it is padded internally with zero bits up to the correct length.

algorithm

Specifies an enumerated integer that indicates the encryption algorithm to be used by the key defined in the keychain.

Values

aes-128-cmac-96 — Specifies an algorithm based on the AES standard for TCP authentication as described in RFC 4494 for BGP and LDP.

aes-128-cmac-128 — Specifies an algorithm based on the AES standard as described in RFC 4493 for NTP.

aes-128-gcm-16 — Specifies an algorithm used for MCS.

hmac-sha-1-96 — Specifies an algorithm based on SHA-1 for RSVP-TE and TCP authentication.

message-digest — MD5 hash used for TCP authentication.

hmac-md5 — MD5 hash used for IS-IS and RSVP-TE.

password – Specifies a simple password authentication for OSPF, IS-IS, and RSVP-TE.

hmac-sha-1 — Specifies the sha-1 algorithm for OSPF, IS-IS, and RSVP-TE.

hmac-sha-256 — Specifies the sha-256 algorithm for OSPF and IS-IS.

hash-key | hash2-key | custom-key

Specifies the hash key. The key can be any combination of ASCII characters up to 33 for the hash-key and 96 characters for the hash2-key (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ”).

This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies a custom hash version is used while saving the configuration files.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>security>tls>cert-profile entry)

Full Context

configure system security tls cert-profile entry

Description

This command configures an entry for the TLS certificate profile. A certificate profile may have up to eight entries. Currently, TLS uses the entry with the smallest ID number when responding to server requests.

The no form of the command deletes the specified entry.

Parameters

entry-id

Specifies the identification number of the TLS certificate profile entry.

Values

1 to 8

create

Keyword used to create the TLS certificate profile entry.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>policy-options>as-path-group entry)

Full Context

configure router policy-options as-path-group entry

Description

This command creates the context to edit route policy entries within an autonomous system path group.

Multiple entries can be created using unique entries. The router exits the filter when the first match is found and executes the action specified. For this reason, entries must be sequenced correctly from most to least explicit.

An entry does not require matching criteria defined (in which case, everything matches) but must at least define an action in order to be considered complete. Entries without an action are considered incomplete and will be rendered inactive.

The no form of this command removes the specified entry from the autonomous system path group.

Parameters

entry-id

Specifies the entry ID expressed as a decimal integer. An entry-id uniquely identifies match criteria and the corresponding action. Nokia recommends that multiple entries be given entry-ids in staggered increments. This allows users to insert a new entry in an existing policy without requiring renumbering of all the existing entries.

Values

1 to 128

regular-expression

Specifies the AS path group regular expression. Allowed values are any string up to 255 characters long composed of printable, 7-bit ASCII characters. If the string contains special characters (#, ?, space), the entire string must be enclosed within double quotes.

An AS path in a BGP route matches an AS path group, if the pattern of the path matches the concatenation of all regular expressions in the group. A regular expression incorporates terms and operators that use the terms. An individual AS number is an elementary term in the AS path regular expression. More complex terms can be built from elementary terms. The following are key operators supported by SR OS:

• .

• *

• ?

• {n}

• {m,n}

• {m, }

To reverse the match criteria when specifying a list of ranges or single values using square brackets, use the non-match operator (^) before the elements within the square brackets.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>policy-options>policy-statement entry)

Full Context

configure router policy-options policy-statement entry

Description

This command creates the context to edit route policy entries within the route policy statement.

Multiple entries can be created using unique entries. The router exits the filter when the first match is found and executes the action specified. For this reason, entries must be sequenced correctly from most to least explicit.

An entry does not require matching criteria defined (in which case, everything matches) but must have at least define an action in order to be considered complete. Entries without an action are considered incomplete and will be rendered inactive.

The no form of this command removes the specified entry from the route policy statement.

Parameters

entry-id

Specifies the entry ID expressed as a decimal integer. An entry-id uniquely identifies match criteria and the corresponding action. It is recommended that multiple entries be given entry-ids in staggered increments. This allows users to insert a new entry in an existing policy without requiring renumbering of all the existing entries.

Values

1 to 128

Platforms

7705 SAR Gen 2

Context

[Tree] (environment)

Full Context

environment

Description

Commands in this context configure classic CLI session environment parameters.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>management-interface>cli>md-cli environment)

Full Context

configure system management-interface cli md-cli environment

Description

Commands in this context configure MD-CLI session environment parameters.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service epipe)

Full Context

configure service epipe

Description

This command configures an Epipe service instance. This command is used to configure a point-to-point epipe service. An Epipe connects two endpoints defined as Service Access Points (SAPs). Both SAPs may be defined in one 7705 SAR Gen 2 or they may be defined in separate devices connected over the service provider network. When the endpoint SAPs are separated by the service provider network, the far end SAP is generalized into a service destination point (SDP). This SDP describes a destination and the encapsulation method used to reach it.

No MAC learning or filtering is provided on an Epipe.

When creating a service, you must enter the customer keyword and specify a customer-id to associate the service with a customer. The customer-id must already exist, having been created using the customer command in the service context. After a service has been created with a customer association, it is not possible to edit the customer association. The service must be deleted and re-created with a new customer association.

After a service is created, the use of the customer customer-id is optional for navigating into the service configuration context. Attempting to edit a service with the incorrect customer-id specified will result in an error.

By default, no epipe services exist until they are explicitly created with this command.

The no form of this command deletes the epipe service instance with the specified service-id. The service cannot be deleted until the service has been shut down.

Parameters

service-id

The unique service identification number or string identifying the service in the service domain. This ID must be unique to this service and may not be used for any other service of any type. The service-id must be the same number used for every 7705 SAR Gen 2 on which this service is defined.

Values

service-id: 1 to 2147483647

svc-name: up to 64 characters

customer-id

Specifies the customer ID number to be associated with the service. This parameter is required on service creation and optional for service editing or deleting.

Values

1 to 2147483647

vpn vpn-id

Specifies the VPN ID number which allows you to identify virtual private networks (VPNs) by a VPN ID. If this parameter is not specified, the VPN ID uses the same service ID number.

Values

1 to 2147483647

Default

null (0)

vc-switching

Specifies if the pseudowire switching signaling is used for the spoke SDPs configured in this service.

test

Specifies a unique test service type for the service context which will contain only a SAP configuration. The test service can be used to test the throughput and performance of a path for MPLS-TP PWs.

create

Keyword used to create the service instance. The create keyword requirement can be enabled/disabled in the environment>create context.

name name

Configures an optional service name identifier, up to 64 characters, to a given service. This service name can then be used in configuration references, display, and show commands throughout the system. A defined service name can help the service provider or administrator to identify and manage services within the SR OS platforms.

To create a service, you must assign a service ID; however, after it is created, either the service ID or the service name can be used to identify and reference a service.

If a name is not specified at creation time, then SR OS assigns a string version of the service-id as the name.

Values

name: up to 64 characters

flexible-cross-connect

Keyword to specify the Flexible Cross Connect (FXC) mode, which allows the configuration of two or more SAPs on the same Epipe.

Platforms

7705 SAR Gen 2

Context

[Tree] (debug>router>rip error)

Full Context

debug router rip error

Description

This command enables debugging for RIP errors.

Parameters

ip-int-name | ip-address

Debugs the RIP errors sent on the neighbor IP address or interface.

Platforms

7705 SAR Gen 2

Context

[Tree] (debug>router>ripng error)

Full Context

debug router ripng error

Description

This command enables debugging for RIPng errors.

Parameters

ip-int-name| ipv6-address

Debugs the RIPng errors sent on the neighbor IP address or interface.

Platforms

7705 SAR Gen 2

Context

[Tree] (debug>router>pcep>pcc>conn error)

[Tree] (debug>router>pcep>pcc error)

Full Context

debug router pcep pcc connection error

debug router pcep pcc error

Description

This command enables debugging for PCC or connection errors.

The no form of this command disables debugging.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>bgp>group>neighbor error-handling)

[Tree] (config>service>vprn>bgp error-handling)

[Tree] (config>service>vprn>bgp>group error-handling)

Full Context

configure service vprn bgp group neighbor error-handling

configure service vprn bgp error-handling

configure service vprn bgp group error-handling

Description

This command specifies whether the error handling mechanism for optional transitive path attributes is enabled for this peer group.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>bgp>group>neighbor error-handling)

[Tree] (config>router>bgp>group error-handling)

[Tree] (config>router>bgp error-handling)

Full Context

configure router bgp group neighbor error-handling

configure router bgp group error-handling

configure router bgp error-handling

Description

This command specifies whether updated BGP error handling procedures should be applied.

Platforms

7705 SAR Gen 2

Context

[Tree] (debug>router>rpki-session>packet error-report)

Full Context

debug router rpki-session packet error-report

Description

This command enables debugging for error report RPKI packets.

The no form of this command disables debugging for error report RPKI packets.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>ipsec>transform esp-auth-algorithm)

Full Context

configure ipsec ipsec-transform esp-auth-algorithm

Description

This command specifies which hashing algorithm should be used for the authentication function Encapsulating Security Payload (ESP). Both ends of a manually configured tunnel must share the same configuration parameters for the IPsec tunnel to enter the operational state.

The no form of this command disables the authentication.

Default

esp-auth-algorithm sha1

Parameters

null

This is a very fast algorithm specified in RFC 2410, which provides no authentication.

md5

This parameter configures ESP to use the hmac-md5 algorithm for authentication.

sha1

This parameter configures ESP to use the hmac-sha1 algorithm for authentication.

sha256

This parameter configures ESP to use the sha256 algorithm for authentication.

sha384

This parameter configures ESP to use the sha384 algorithm for authentication.

sha512

This parameter configures ESP to use the sha512 algorithm for authentication.

aes-xcbc

Specifies the aes-xcbc algorithm for authentication.

auth-encryption

This parameter must be configured when esp-encryption-algorithm is either aes-gcm or aes-gmac.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>grp-encryp>encryp-keygrp esp-auth-algorithm)

Full Context

configure group-encryption encryption-keygroup esp-auth-algorithm

Description

This command specifies the hashing algorithm used to perform authentication on the Encapsulating Security Payload (ESP) within NGE packets for services configured using this key group. All SPI entries must be deleted before the no form of the command may be entered or the esp-auth-algorithm value changed from its current value.

The no form of the command reverts to the default value.

Default

esp-auth-algorithm sha256

Parameters

sha256

Configures the ESP to use the HMAC-SHA-256 algorithm for authentication.

sha512

Configures the ESP to use the HMAC-SHA-512 algorithm for authentication.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>ipsec>ipsec-transform esp-encryption-algorithm)

Full Context

configure ipsec ipsec-transform esp-encryption-algorithm

Description

This command specifies the encryption algorithm to use for the IPsec session. Encryption only applies to esp configurations. If encryption is not defined, esp will not be used.

For IPsec tunnels to come up, both ends need to be configured with the same encryption algorithm.

The no form of this command removes the specified encryption algorithm.

Default

esp-encryption-algorithm aes128

Parameters

null

This parameter configures the high-speed null algorithm, which does nothing. This is the same as not having encryption turned on.

des

This parameter configures the 56-bit des algorithm for encryption. This is an older algorithm, with relatively weak security. Although slightly better than no encryption, it should only be used where a strong algorithm is not available on both ends at an acceptable performance level.

3des

This parameter configures the 3-des algorithm for encryption. This is a modified application of the des algorithm which uses multiple des operations to make things more secure.

aes128

This parameter configures the aes algorithm with a block size of 128 bits. This is the mandatory implementation size for aes. As of today, this is a very strong algorithm choice.

aes192

This parameter configures the aes algorithm with a block size of 192 bits. This is a stronger version of aes.

aes256

This parameter configures the aes algorithm with a block size of 256 bits. This is the strongest available version of aes.

aes128-gcm8

Configures ESP to use aes-gcm with a 128-bit key size and an 8-byte ICV for encryption and authentication.

aes128-gcm12

Configures ESP to use aes-gcm with a 128-bit key size and a 12-byte ICV for encryption and authentication.

aes128-gcm16

Configures ESP to use aes-gcm with a 128-bit key size and a 16-byte ICV for encryption and authentication.

aes192-gcm8

Configures ESP to use aes-gcm with a 192-bit key size and an 8-byte ICV for encryption and authentication.

aes192-gcm12

Configures ESP to use aes-gcm with a 192-bit key size and a 12-byte ICV for encryption and authentication.

aes192-gcm16

Configures ESP to use aes-gcm with a 192-bit key size and a 16-byte ICV for encryption and authentication.

aes256-gcm8

Configures ESP to use aes-gcm with a 256-bit key size and an 8-byte ICV for encryption and authentication.

aes256-gcm12

Configures ESP to use aes-gcm with a 256-bit key size and a 12-byte ICV for encryption and authentication.

aes128-gcm16

Configures ESP to use aes-gcm with a 256-bit key size and a 16-byte ICV for encryption and authentication.

null-aes128gmac

Configures ESP to use aes-gmac with a 128-bit key size for authentication only.

null-aes192gmac

Configures ESP to use aes-gmac with a 192-bit key size for authentication only.

null-aes256gmac

Configures ESP to use aes-gmac with a 256-bit key size for authentication only.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>grp-encryp>encryp-keygrp esp-encryption-algorithm)

Full Context

configure group-encryption encryption-keygroup esp-encryption-algorithm

Description

This command specifies the encryption algorithm used to perform encryption on the Encapsulating Security Payload (ESP) within NGE packets for services configured using this key group. All SPI entries must be deleted before the no form of the command may be entered or the esp-encryption-algorithm value changed from its current value.

The no form of the command resets the parameter to the default value.

Default

esp-encryption-algorithm aes128

Parameters

aes128

Configures the AES algorithm with a block size of 128 bits—a very strong algorithm choice.

aes256

Configures the AES algorithm with a block size of 256 bits—the strongest available version of AES.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>filter>ipv6-filter>entry>match esp-ext-hdr)

Full Context

configure filter ipv6-filter entry match esp-ext-hdr

Description

This command enables match on existence of ESP Extension Header in the IPv6 filter policy.

The no form of this command ignores ESP Extension Header presence/absence in a packet when evaluating match criteria of a given filter policy entry.

Default

no esp-ext-hdr

Parameters

true

Matches a packet with an ESP Extension Header.

false

Matches a packet without an ESP Extension Header.

Platforms

7705 SAR Gen 2

Context

[Tree] (admin>certificate est)

Full Context

admin certificate est

Description

Commands in this context configure Enrollment over Secure Transport (EST) parameters.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>epipe>bgp-evpn>remote-attachment-circuit eth-tag)

[Tree] (config>service>epipe>bgp-evpn>local-attachment-circuit eth-tag)

Full Context

configure service epipe bgp-evpn remote-attachment-circuit eth-tag

configure service epipe bgp-evpn local-attachment-circuit eth-tag

Description

This command configures the Ethernet tag value. When configured in the local-attachment-circuit context, the system uses the value in the advertised AD per-EVI route sent for the attachment circuit. When configured in the remote-attachment-circuit context the system compares that value with the eth-tag value of the imported AD per-EVI routes for the service. If there is a match, the system creates an EVPN destination for the Epipe.

Parameters

tag-value

Specifies the Ethernet tag value of the attachment circuit.

Values

1 to 16777215

Platforms

7705 SAR Gen 2

Context

[Tree] (config>port ethernet)

Full Context

configure port ethernet

Description

This command the context to configure Ethernet port attributes.

This context can only be used when configuring Fast Ethernet, gigabit or 10-G Fast Ethernet or Ethernet LAN ports on an appropriate MDA.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>qos>sap-egress ethernet-ctag)

Full Context

configure qos sap-egress ethernet-ctag

Description

This command specifies that the top customer tag should be used for egress reclassification based on dot1p criteria. This command applies to all dot1p criteria configured in a given SAP egress QoS policy.

The no form of this command means that a service delimiting tag will be used for egress reclassification based on dot1p criteria.

Default

no ethernet-ctag

Platforms

7705 SAR Gen 2

Context

[Tree] (config>qos>sap-ingress>mac-criteria>entry>match etype)

Full Context

configure qos sap-ingress mac-criteria entry match etype

Description

Configures an Ethernet type II value to be used as a service ingress QoS policy match criterion.

The Ethernet type field is a 2-byte field used to identify the protocol carried by the Ethernet frame. For example, 0800 is used to identify the IPv4 packets.

The Ethernet type field is used by the Ethernet version-II frames. IEEE 802.3 Ethernet frames do not use the type field. For IEEE 802.3 frames, use the dsap, ssap, or snap-pid fields as match criteria.

The snap-pid field, etype field, ssap, and dsap fields are mutually exclusive and cannot be part of the same match criteria.

The no form of this command removes the previously entered etype field as the match criteria.

Default

no etype

Parameters

etype-value

The Ethernet type II frame Ethertype value to be used as a match criterion expressed in hexadecimal.

Values

0x0600 to 0xFFFF

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>security>mgmt-access-filter>mac-filter>entry>match etype)

Full Context

configure system security management-access-filter mac-filter entry match etype

Description

Configures an Ethernet type II Ethertype value to be used as a MAC filter match criterion.

The Ethernet type field is a two-byte field used to identify the protocol carried by the Ethernet frame. For example, 0800 is used to identify the IPv4 packets.

The Ethernet type field is used by the Ethernet version-II frames. IEEE 802.3 Ethernet frames do not use the type field. For IEEE 802.3 frames, use the dsap, ssap or snap-pid fields as match criteria.

The snap-pid field, etype field, ssap and dsap fields are mutually exclusive and may not be part of the same match criteria. Refer to the 7705 SAR Gen 2 Router Configuration Guide for information about MAC Match Criteria Exclusivity Rules fields that are exclusive based on the frame format.

The no form of this command removes the previously entered etype field as the match criteria.

Default

no etype

Parameters

ethernet-type

Specifies the Ethernet type II frame Ethertype value to be used as a match criterion expressed in hexadecimal.

Values

0x0600 to 0xFFFF

Platforms

7705 SAR Gen 2

Context

[Tree] (config>card>mda event)

Full Context

configure card mda event

Description

This command allows the user to control the action to be taken when a specific hardware error event is raised against the target MDA.

If no event action has been created for a specific event type, then the hardware errors related to that event type are ignored by the management plane of the router.

The log event raised for any event type (for example, soft-error, memory-error) is tmnxEqHwEventDetected.

The no form of this command clears any action defined for the event.

Parameters

event-type

Specifies the event type, up to 32 characters.

Values

soft-error — Defines the action to be taken when soft errors are detected on the MDA

internal-frame-loss — System detected frame loss in the traffic transiting the MDA.

memory-error — Provides the user options to handle MDA memory error events on MDAs. This feature is supported on FP2- and FP3-based Ethernet MDAs and IMMs.

data-link-error — Provides the user options to handle datapath link errors on an MDA.

create

Keyword used to create an event.

Platforms

7705 SAR Gen 2

Context

[Tree] (debug>router>ldp>if event)

[Tree] (debug>router>ldp>peer event)

Full Context

debug router ldp interface event

debug router ldp peer event

Description

This command configures debugging for specific LDP events.

Platforms

7705 SAR Gen 2

Context

[Tree] (debug>router>rsvp event)

[Tree] (debug>router>mpls event)

Full Context

debug router rsvp event

debug router mpls event

Description

This command enables debugging for specific events.

The no form of the command disables the debugging.

Platforms

7705 SAR Gen 2

Context

[Tree] (debug>router>ip event)

Full Context

debug router ip event

Description

This command enables debugging for specific IP events.

The no form of this command disables debugging for the specified IP events.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>thresholds>rmon event)

Full Context

configure system thresholds rmon event

Description

The event command configures an entry in the RMON-MIB event table. The event command controls the generation and notification of threshold crossing events configured with the alarm command. When a threshold crossing event is triggered, the rmon>event configuration optionally specifies if an entry in the RMON-MIB log table should be created to record the occurrence of the event. It may also specify that an SNMP notification (trap) should be generated for the event. The RMON-MIB defines two notifications for threshold crossing events: Rising Alarm and Falling Alarm.

Creating an event entry in the RMON-MIB log table does not create a corresponding entry in the SR OS event logs. However, when the event-type is set to trap, the generation of a Rising Alarm or Falling Alarm notification creates an entry in the SR OS event logs and that is distributed to all the SR OS log destinations that are configured: CONSOLE, session, memory, file, syslog, or SNMP trap destination.

The SR OS logger message includes a rising or falling threshold crossing event indicator, the sample type (absolute or delta), the sampled value, the threshold value, the RMON-alarm-id, the associated RMON-event-id and the sampled SNMP object identifier.

Use the no form of this command to remove an rmon-event-id from the configuration.

Parameters

rmon-event-id

Specifies an identifier for this event. Alarm ID values above 65400 are used for dynamic system threshold commands and should be avoided.

Values

1 to 65535

rmon-event-type

Specifies the type of notification action to be taken when this event occurs.

Values

log — An entry is made in the RMON-MIB log table for each event occurrence.

This does not create an SR OS logger entry. The RMON-MIB log table entries can be viewed using the show>system>thresholds CLI command.

trap — An SR OS logger event is generated. The SR OS logger utility then distributes the notification of this event to its configured log destinations which may be CONSOLE, telnet session, memory log, cflash file, syslog, or SNMP trap destinations logs.

both — Both an entry in the RMON-MIB logTable and an SR OS logger event are generated.

none — No action is taken.

Default

both

description-string

Specifies a user configurable string that can be used to identify the purpose of this event. This is an optional parameter and can be up to 80 characters long. If the string contains special characters (#, ?, space), the entire string must be enclosed within double quotes.

owner-string

Specifies the owner string; the owner identifies the creator of this alarm. It defaults to "TiMOS CLI". This parameter is defined primarily to allow entries that have been created in the RMON-MIB alarmTable by remote SNMP managers to be saved and reloaded in a CLI configuration file. The owner will not normally be configured by CLI users and can be up 80 characters long.

Default

TiMOS CLI

Configuration example:

event 5 rmon-event-type both description "alarm testing" owner "TiMOS CLI"

Platforms

7705 SAR Gen 2

Context

[Tree] (config>log>event-trigger event)

Full Context

configure log event-trigger event

Description

This command configures a specific log event as a trigger for one or more EHS handlers. Further matching criteria can be applied to only trigger certain handlers with certain instances of the log event.

The no form of this command removes the specified trigger event.

Parameters

application-id

Specifies the type of application that triggers the event.

Values

adp, application_assurance, auto_prov, bfd, bgp, bier, bmp, calltrace, cflowd, chassis, cpmhwfilter, cpmhwqueue, debug, dhcp, dhcps, diameter, dot1x, dynsvc, efm_oam, elmi, ering, eth_cfm, etun, filter, fpe, gsmp, gtp, igmp, igmp_snooping, ip, ipfix, ipsec, ipsec_cpm, isis, l2tp, lag, ldap, ldp, li, lldp, logger, maffilter, macsec, mcac, mcpath, mc_redundancy, mgmt_core, mirror, mld, mld_snooping, mpls, mpls_tp, mpls_lmgr, mrp, msdp, nat, nge, ntp, oam, open_flow, ospf, pcap, pcep, pfcp, pim, pim_snooping, port, pppoe, pppoe_clnt, profile, ptp, pxc, python, qos, radius, rib_api, rip, rip_ng, route_next_hop, route_policy, rpki, rsvp, satellite, security, sflow, snmp, sr_mpls, sr_policy, srv6, stp, subscr_mgmt, sub_host_trk, svcmgr, system, telemetry, tip, tls, tree_sid, user, user_db, video, vrrp, vrtr, wlan_gw, wpp

event-name-id

Specifies the name or numerical identifier of the event.

Values

0 to 4294967295 | event-name: 32 characters max

Platforms

7705 SAR Gen 2

Context

[Tree] (config>log event-control)

Full Context

configure log event-control

Description

This command is used to specify that a particular event or all events associated with an application is either generated or suppressed.

Events are generated by an application and contain an event number and description explaining the cause of the event. Each event has a default designation which directs it to be generated or suppressed.

Events are generated with a default severity level that can be modified by using the severity-level option.

Events that are suppressed by default are typically used for debugging purposes. Events are suppressed at the time the application requests the event’s generation. No event log entry is generated regardless of the destination. While this feature can save processor resources, there may be a negative effect on the ability to troubleshoot problems if the logging entries are squelched. In reverse, indiscriminate application may cause excessive overhead.

The rate of event generation can be throttled by using the throttle parameter.

The no form of this command reverts the parameters to the default setting for events for the application or a specific event within the application. The severity, generate, suppress, and throttle options will also be reset to the initial values.

Default

Each event has a set of default settings. To display a list of all events and the current configuration use the event-control command.

Parameters

application-id

The application whose events are affected by this event control filter.

Values

A valid application name. Use the show log applications command to display a list of valid application names. Examples of valid applications are bgp, chassis, efm_oam, filter, security, system, and vrrp.

event-name

To generate, suppress, or revert to default for a single event, enter the specific event short name up to 32 characters. If no event name is specified, the command applies to all events in the application. To display a list of all event short names use the event-control command.

event-number

To generate, suppress, or revert to default for a single event, enter the specific number. If no event number is specified, the command applies to all events in the application.

Values

0 to 4294967295

generate

Specifies that logger event is created when this event occurs. The generate keyword can be used with two optional parameters, severity-level and throttle.

Default

generate

severity-level

An ASCII string representing the severity level to associate with the specified generated events

Default

The system-assigned severity name

Values

cleared, indeterminate, critical, major, minor, warning

throttle

Specifies whether or not events of this type will be throttled. By default, event throttling is on for most event types.

suppress

This keyword indicates that the specified events will not be logged. If the suppress keyword is not specified then the events are generated by default. For example on the 7705 SAR Gen 2, event-control bgp suppress will suppress all BGP events. If a log event is a raising event for a Facility Alarm, and the associated Facility Alarm is raised, then changing the log event to suppress clears the associated Facility Alarm.

Default

generate

specific-throttle-rate events-limit

The log event throttling rate can be configured independently for each log event using this keyword. This specific-throttle-rate overrides the globally configured throttle rate (config>log>throttle-rate) for the specific log event.

Values

1 to 20000

interval seconds

Specifies the number of seconds that the specific throttling intervals lasts.

Values

1 to 1200

disable-specific-throttle

Specifies to disable the specific-throttle-rate.

repeat

Specifies that the log event should be repeated every minute until the underlying condition is cleared. Only supported for the following log events: BGP tBgpMaxNgPfxLmtThresholdReached and PORT tmnxEqPortEtherCrcAlarm (for degrade threshold only)

Platforms

7705 SAR Gen 2

Context

[Tree] (config>log event-damping)

Full Context

configure log event-damping

Description

This command allows the user to set the event damping algorithm to suppress QoS or filter change events.

The no form of this command removes the event damping algorithm.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>log>event-trigger>event>trigger-entry event-handler)

Full Context

configure log event-trigger event trigger-entry event-handler

Description

This command configures the event handler to be used for this trigger entry.

The no form of this command removes the event handler configuration.

Parameters

event-handler

Specifies the name of the event handler, up to 32 characters.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>security>cli-script>authorization event-handler)

Full Context

configure system security cli-script authorization event-handler

Description

Commands in this context configure authorization for the Event Handling System (EHS). EHS allows user-controlled programmatic exception handling by allowing a CLI script to be executed upon the detection of a log event.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>log event-handling)

Full Context

configure log event-handling

Description

Commands in this context configure event handling within the Event Handler System (EHS).

Platforms

7705 SAR Gen 2

Context

[Tree] (config>oam-pm>session>meas-intvl event-mon)

Full Context

configure oam-pm session meas-interval event-mon

Description

This command enables the different threshold events on a specific measurement interval. Only one measurement interval with a configured OAM PM session can have events enabled using the no shutdown command.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>log event-trigger)

Full Context

configure log event-trigger

Description

Commands in this context configure log events as triggers for Event Handling System (EHS) handlers.

Platforms

7705 SAR Gen 2

Context

[Tree] (debug>service>id>sap event-type)

Full Context

debug service id sap event-type

Description

This command enables a particular debugging event type.

The no form of this command disables the event type debugging.

Parameters

arp

Displays ARP events.

config-change

Debugs configuration change events.

oper-status-change

Debugs service operational status changes.

neighbor-discovery

Displays the status of IPv6 neighbor discovery for the sap or the spoke-sdp.

Platforms

7705 SAR Gen 2

Output

The following output is an example of event-type information.

A:bksim180# debug service id 1000 sap 1/7/1 event-type arp 
DEBUG OUTPUT show on CLI is as follows:
3 2008/11/17 18:13:24.35 UTC MINOR: DEBUG #2001 Base Service 1000 SAP 
1/7/1 "Service 1000 SAP 1/7/1: 
RX: ARP_REQUEST (0x0001)
hwType     : 0x0001
prType     : 0x0800
hwLength   : 0x06
prLength   : 0x04
srcMac     : 8c:c7:01:07:00:03
destMac    : 00:00:00:00:00:00
srcIp      : 10.1.1.2
destIp     : 10.1.1.1
"

4 2008/11/17 18:13:24.35 UTC MINOR: DEBUG #2001 Base Service 1000 
SAP 1/7/1 "Service 1000 SAP 1/7/1: 
TX: ARP_RESPONSE (0x0002)
hwType     : 0x0001
prType     : 0x0800
hwLength   : 0x06
prLength   : 0x04
srcMac     : 00:03:0a:0a:0a:0a
destMac    : 8c:c7:01:07:00:03
srcIp      : 10.1.1.1
destIp     : 10.1.1.2
"

Context

[Tree] (debug>service>id>sdp event-type)

Full Context

debug service id sdp event-type

Description

This command enables a particular debugging event type.

The no form of this command disables the event type debugging.

Parameters

config-change

Debugs configuration change events.

oper-status-change

Debugs service operational status changes.

neighbor-discovery

Displays the status of IPv6 neighbor discovery for the sap or the spoke-sdp.

control-channel-status

Debugs control channel status events.

Platforms

7705 SAR Gen 2

Context

[Tree] (debug>service>id event-type)

Full Context

debug service id event-type

Description

This command enables a particular debugging event type. The no form of this command disables the event type debugging.

Parameters

config-change

Debugs configuration change events

svc-oper-status-change

Debugs service operational status changes

sap-oper-status-change

Debugs SAP operational status changes

sdpbind-oper-status-change

Debugs SDP operational status changes

Platforms

7705 SAR Gen 2

Context

[Tree] (debug>router>vrrp events)

Full Context

debug router vrrp events

Description

This command enables debugging for VRRP events.

The no form of the command disables debugging.

Parameters

ip-int-name

Displays the specified interface name.

virtual-router-id

Displays the specified VRID.

ipv6

Debugs the specified IPv6 VRRP interface.

Platforms

7705 SAR Gen 2

Context

[Tree] (debug>router>bgp events)

Full Context

debug router bgp events

Description

This command logs all events changing the state of a BGP peer.

The no form of this command disables the debugging.

Parameters

neighbor ip-address

Debugs only events affecting the specified BGP neighbor.

Values

ipv4-address:

• a.b.c.d (host bits must be 0)

ipv6-address:

• x:x:x:x:x:x:x:x [-interface] (eight 16-bit pieces)

• x:x:x:x:x:x:d.d.d.d [-interface]

• x: [0 to FFFF]H

• d: [0 to 255]D

• interface: up to 32 characters for link local addresses

group name

Debugs only events affecting the specified peer group name, up to 64 characters, and associated neighbors.

Platforms

7705 SAR Gen 2

Context

[Tree] (debug>router>rip events)

Full Context

debug router rip events

Description

This command enables debugging for RIP events.

Parameters

ip-int-name | ip-address

Debugs the RIP events sent on the neighbor IP address or interface.