m Commands – Part I

Context

[Tree] (config>subscr-mgmt>loc-user-db>ipoe>host>host-ident mac)

Full Context

configure subscriber-mgmt local-user-db ipoe host host-identification mac

Description

This command specifies the MAC address to match for a host lookup.

The no form of this command removes the MAC address from the configuration.

Parameters

ieee-address

Specifies the 48-bit MAC address in the form aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff where aa, bb, cc, dd, ee, and ff are hexadecimal numbers.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>if>ipv6>vrrp mac)

[Tree] (config>service>vprn>if mac)

[Tree] (config>service>vprn>if>vrrp mac)

[Tree] (config>service>vprn>nw-if mac)

Full Context

configure service vprn interface ipv6 vrrp mac

configure service vprn interface mac

configure service vprn interface vrrp mac

configure service vprn network-interface mac

Description

This command assigns a specific MAC address to a VPRN IP interface.

The no form of this command returns the MAC address of the IP interface to the default value.

Default

The physical MAC address associated with the Ethernet interface on which the SAP is configured.

Parameters

ieee-mac-address

Specifies the 48-bit MAC address for the static ARP in the form aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff where aa, bb, cc, dd, ee and ff are hexadecimal numbers. Allowed values are any non-broadcast, non-multicast MAC and non-IEEE reserved MAC addresses.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vpls>mac-protect mac)

Full Context

configure service vpls mac-protect mac

Description

This command specifies the 48-bit IEEE 802.3 MAC address.

The no form of the command reverts to the default.

Parameters

ieee-address

Specifies the 48-bit MAC address in the form aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff where aa, bb, cc, dd, ee, and ff are hexadecimal numbers.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>ies>if mac)

Full Context

configure service ies interface mac

Description

This command assigns a specific MAC address to an IES IP interface.

For Routed Central Office (CO), a group interface has no IP address explicitly configured but inherits an address from the parent subscriber interface when needed. For example, a MAC will respond to an ARP request when an ARP is requested for one of the IPs associated with the subscriber interface through the group interface.

The no form of this command returns the MAC address of the IP interface to the default value.

Default

The physical MAC address associated with the Ethernet interface that the SAP is configured on (the default MAC address assigned to the interface, assigned by the system).

Parameters

ieee-address

Specifies the 48-bit MAC address for the static ARP in the form aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff, where aa, bb, cc, dd, ee, and ff are hexadecimal numbers. Allowed values are any non-broadcast, non-multicast MAC and non-IEEE reserved MAC addresses.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vpls>mcr-default-gtw mac)

Full Context

configure service vpls mcr-default-gtw mac

Description

This command relates to a system configured for Dual Homing in L2-TPSDA. It defines the MAC address used when the system sends out a gratuitous ARP on an active SAP after a ring heals or fails in order to attract traffic from subscribers on the ring with connectivity to that SAP.

The no form of this command reverts to the default.

Default

no mac

Parameters

ieee-address

Specifies the address in xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx format (cannot be all zeros).

Platforms

7705 SAR Gen 2

Context

[Tree] (config>port>ethernet mac)

[Tree] (config>lag mac)

Full Context

configure port ethernet mac

configure lag mac

Description

This command assigns a specific MAC address to an Ethernet port, Link Aggregation Group (LAG), Ethernet tunnel, or BCP-enabled port or sub-port.

Only one MAC address can be assigned to a port. When multiple mac commands are entered, the last command overwrites the previous command. When the command is issued while the port is operational, IP will issue an ARP, if appropriate, and BPDUs are sent with the new MAC address.

The no form of this command returns the MAC address to the default value.

By default, a MAC address is assigned by the system from the chassis MAC address pool. The use of an all-zeroes MAC address indicates that an operational MAC address should be assigned from the chassis MAC address pool.

Default

mac 00:00:00:00:00:00

Parameters

ieee-address

Specifies the 48-bit MAC address in the form aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff where aa, bb, cc, dd, ee and ff are hexadecimal numbers. Allowed values are any non-broadcast, non-multicast MAC and non-IEEE reserved MAC addresses.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>proxy-arp-nd>mac-list mac)

Full Context

configure service proxy-arp-nd mac-list mac

Description

This command configures the proxy ARP or ND MAC address information.

The no form of the command deletes the MAC address.

Parameters

ieee-address

Specifies the MAC address added to the list. The MAC list can be empty or contain up to 10 addresses.

Values

xx:xx:xx:xx:xx:xx

xx-xx-xx-xx-xx-xx

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vpls>static-mac mac)

Full Context

configure service vpls static-mac mac

Description

This command assigns a conditional static MAC address entry to an SPBM B-VPLS SAP/spoke-SDP allowing external MACs for single and multi-homed operation.

For the 7705 SAR Gen 2, this command also assigns a conditional static MAC address entry to an EVPN VPLS SAP/spoke-SDP.

Static MACs are used for PBB Epipe and I-VPLS services that may terminate external to SPBM. If this is configured under a Control B-VPLS the interface referenced will not use IS-IS for this neighbor. This may also be configured under a User B-VPLS where the corresponding interface is not supported under the Control B-VPLS.

Parameters

ieee-address

Specifies the static MAC address to an SPBM/sdp-binding interface.

Values

6-byte mac-address (xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx) Cannot be all zeros.

sap-id

Specifies the SAP identifier.

sdp-id

Specifies the SDP identifier.

Values

1 to 17407

vc-id

Specifies the virtual circuit identifier.

Values

1 to 4294967295

create

Mandatory keyword used to create a static MAC.

fwd-status

Specifies that this static mac is based on the forwarding status of the SAP or spoke-SDP for multi-homed operation.

black-hole

Specifies for TLS FDB entries defined on a local SAP the value 'sap', remote entries defined on an SDP have the value 'sdp'.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>mac-list mac)

Full Context

configure service mac-list mac

Description

This command adds a protected MAC address entry.

The no form of this command removes the protected MAC address entry.

Parameters

ieee-address

Specifies the address in xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx format (cannot be all zeros), up to 30 characters.

six-byte-mask

Specifies the mask address in xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx format (cannot be all zeros), up to 30 characters.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vpls>interface mac)

Full Context

configure service vpls interface mac

Description

This command assigns a specific MAC address to a VPLS IP interface.

For Routed Central Office (CO), a group interface has no IP address explicitly configured but inherits an address from the parent subscriber interface when needed. For example, a MAC will respond to an ARP request when an ARP is requested for one of the IPs associated with the subscriber interface through the group interface.

The no form of this command returns the MAC address of the IP interface to the default value.

Default

mac

Parameters

ieee-address

Specifies the 48-bit MAC address for the static ARP in the form aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff where aa, bb, cc, dd, ee, and ff are hexadecimal numbers. Allowed values are any non-broadcast, non-multicast MAC and non-IEEE reserved MAC addresses.

Default

The system chassis MAC address.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>template>vpls-sap-template>egress>filter-name mac)

[Tree] (config>service>template>vpls-sap-template>ingress>filter-name mac)

Full Context

configure service template vpls-sap-template egress filter-name mac

configure service template vpls-sap-template ingress filter-name mac

Description

This command associates an existing IP filter policy with the template.

Parameters

name

Specifies the MAC filter policy name, up to 64 characters.

Platforms

7705 SAR Gen 2

Context

[Tree] (debug>service>id>igmp-snooping mac)

Full Context

debug service id igmp-snooping mac

Description

This command shows IGMP packets for the specified MAC address.

The no form of this command disables the MAC debugging.

Platforms

7705 SAR Gen 2

Context

[Tree] (debug>service>id>mld mac)

Full Context

debug service id mld-snooping mac

Description

This command shows MLD packets for the specified MAC address.

The no form of this command disables the MAC debugging.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>ies>if>ipv6>vrrp mac)

Full Context

configure service ies interface ipv6 vrrp mac

Description

This command assigns a specific MAC address to an IES IP interface.

The no form of this command returns the MAC address of the IP interface to the default value.

Default

The physical MAC address associated with the Ethernet interface that the SAP is configured on (the default MAC address assigned to the interface, assigned by the system).

Parameters

mac-address

Specifies the 48-bit MAC address for the static ARP in the form aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff where aa, bb, cc, dd, ee, and ff are hexadecimal numbers. Allowed values are any non-broadcast, non-multicast MAC and non-IEEE reserved MAC addresses.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>ies>if>vrrp mac)

Full Context

configure service ies interface vrrp mac

Description

This command assigns a specific MAC address to an IES IP interface.

The no form of this command returns the MAC address of the IP interface to the default value.

Default

The physical MAC address associated with the Ethernet interface that the SAP is configured on (the default MAC address assigned to the interface, assigned by the system).

Parameters

mac-address

Specifies the 48-bit MAC address for the static ARP in the form aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff, where aa, bb, cc, dd, ee, and ff are hexadecimal numbers. Allowed values are any non-broadcast, non-multicast MAC and non-IEEE reserved MAC addresses.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>if mac)

Full Context

configure router interface mac

Description

This command assigns a specific MAC address to an IP interface. Only one MAC address can be assigned to an IP interface. When multiple mac commands are entered, the last command overwrites the previous command.

The no form of this command returns the MAC address of the IP interface to the default value.

Default

no mac

Parameters

ieee-address

Specifies the 48-bit MAC address for the IP interface in the form aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff, where aa, bb, cc, dd, ee and ff are hexadecimal numbers. Allowed values are any non-broadcast, non-multicast MAC and non-IEEE reserved MAC addresses.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>if>ipv6>vrrp mac)

[Tree] (config>router>if>vrrp mac)

Full Context

configure router interface ipv6 vrrp mac

configure router interface vrrp mac

Description

This command sets an explicit MAC address used by the virtual router instance overriding the VRRP default derived from the VRID.

Changing the default MAC address is useful when an existing HSRP or other non-VRRP default MAC is in use by the IP hosts using the virtual router IP address. Many hosts do not monitor unessential ARPs and continue to use the cached non-VRRP MAC address after the virtual router becomes master of the host’s gateway address.

The mac command sets the MAC address used in ARP responses when the virtual router instance is master. Routing of IP packets with mac-address as the destination MAC is also enabled. The mac setting must be the same for all virtual routers participating as a virtual router or indeterminate connectivity by the attached IP hosts will result. All VRRP advertisement messages are transmitted with mac-address as the source MAC.

The command can be configured in both non-owner and owner vrrp nodal contexts.

The mac command can be executed at any time and takes effect immediately. When the virtual router MAC on a master virtual router instance changes, a gratuitous ARP is immediately sent with a VRRP advertisement message. If the virtual router instance is disabled or operating as backup, the gratuitous ARP and VRRP advertisement message is not sent.

The no form of the command restores the default VRRP MAC address to the virtual router instance.

Default

no mac

Parameters

mac-address

The 48-bit MAC address for the virtual router instance in the form aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff where aa, bb, cc, dd, ee and ff are hexadecimal numbers. Allowed values are any non-broadcast, non-multicast MAC, and non-IEEE reserved MAC addresses.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>security>ssh>client-mac-list mac)

[Tree] (config>system>security>ssh>server-mac-list mac)

Full Context

configure system security ssh client-mac-list mac

configure system security ssh server-mac-list mac

Description

This command configures SSH MAC algorithms for SR OS as an SSH server or an SSH client.

The no form of this command removes the specified mac index.

Default

no mac index

Parameters

index

Specifies the index of the algorithm in the list.

Values

1 to 255

mac-name

Specifies the algorithm for calculating the message authentication code.

Values

The following table lists the default client and server algorithms used for SSHv2.

Table 1. SSHv2 Default client and server algorithms

index	mac-name
200	hmac-sha2-512
210	hmac-sha2-256
215	hmac-sha1
220	hmac-sha1-96
225	hmac-md5
240	hmac-md5-96

Platforms

7705 SAR Gen 2

Context

[Tree] (config>port>ethernet>dot1x>per-host-authentication>allowed-source-macs mac-address)

Full Context

configure port ethernet dot1x per-host-authentication allowed-source-macs mac-address

Description

This command configures the host MAC address on the allowed MAC list.

The no form of the command deletes the MAC address from the list.

Default

no mac

Parameters

ieee-address

Specifies the MAC address.

Values

xx:xx:xx:xx:xx:xx

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vpls>bgp-evpn mac-advertisement)

Full Context

configure service vpls bgp-evpn mac-advertisement

Description

This command enables the advertisement in BGP of the learned macs on SAPs and SDP bindings. When the mac-advertisement is disabled, the local macs will be withdrawn in BGP.

Default

mac-advertisement

Platforms

7705 SAR Gen 2

Context

[Tree] (config>qos>sap-ingress mac-criteria)

Full Context

configure qos sap-ingress mac-criteria

Description

This command is used to enter the node to create or edit policy entries that specify MAC criteria.

The mac-criteria based SAP ingress policies are used to select the appropriate ingress queue and corresponding forwarding class for matched traffic.

Router implementation will exit on the first match found and execute the actions in accordance with the accompanying action command. For this reason, entries must be sequenced correctly from most to least explicit.

The no form of this command deletes all the entries specified under this node. When mac-criteria entries are removed from a SAP ingress policy, the mac-criteria is removed from all services where that policy is applied.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vpls>bgp-evpn mac-duplication)

Full Context

configure service vpls bgp-evpn mac-duplication

Description

Commands in this context configure the BGP EVPN MAC duplication parameters.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>security>mgmt-access-filter mac-filter)

Full Context

configure system security management-access-filter mac-filter

Description

This command configures a management access MAC-filter.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>proxy-arp-nd mac-list)

Full Context

configure service proxy-arp-nd mac-list

Description

This command creates a list of MAC addresses that can be pointed at from the service for a specified IP. The list may contain up to 10 MAC addresses; an empty list is also allowed.

The MAC list allows on-the-fly changes, but a change in the list deletes the proxy entries for all the IPs using that list.

The no form of the command deletes the entire MAC-list. Deleting a MAC list is only possible if it is not referenced in the configuration.

Parameters

name

Specifies the name of the MAC address list, which can be up to 32 characters.

create

Mandatory keyword to create a MAC list.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vpls>proxy-nd>dynamic mac-list)

[Tree] (config>service>vpls>proxy-arp>dynamic mac-list)

Full Context

configure service vpls proxy-nd dynamic mac-list

configure service vpls proxy-arp dynamic mac-list

Description

This command associates a previously created MAC list to a dynamic IP. The MAC list is created using the configure service proxy-arp-nd mac-list command.

The no form of the command deletes the association of the MAC list and the dynamic IP.

Parameters

name

Specifies the name of the MAC list previously created using the configure service proxy-arp-nd mac-list command.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service mac-list)

Full Context

configure service mac-list

Description

This command configures a MAC list name. The MAC list is composed of a list of MAC addresses and masks, which along with Auto-Learn Mac Protect (ALMP) can be used to exclude certain MACs from being protected in a given object. This is typically used on SAPs and spoke SDPs configured with ALMP where certain MACs must be able to move to other objects (for example, VRRP virtual MACs).

The no form of this command removes the MAC list name.

Parameters

name

Specifies the MAC list name, up to 32 characters.

create

Keyword used to create the MAC list.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vpls mac-move)

[Tree] (config>service>template>vpls-template mac-move)

Full Context

configure service vpls mac-move

configure service template vpls-template mac-move

Description

Commands in this context configure MAC move attributes. A sustained high re-learn rate can be a sign of a loop somewhere in the VPLS topology. Typically, STP detects loops in the topology, but for those networks that do not run STP, the mac-move feature is an alternative way to protect your network against loops.

When enabled in a VPLS, mac-move monitors the re-learn rate of each MAC. If the rate exceeds the configured maximum allowed limit, it disables the SAP where the source MAC was last seen. The SAP can be disabled permanently (until a shutdown/no shutdown command is executed) or for a length of time that grows linearly with the number of times the specified SAP was disabled. You have the option of marking a SAP as non-blockable in the config>service>vpls>sap>limit-mac-move or config>service>vpls>spoke-sdp>limit-mac-move contexts. This means that when the re-learn rate has exceeded the limit, another (blockable) SAP will be disabled instead.

The mac-move command enables the feature at the service level for SAPs and spoke-SDPs, as only those objects can be blocked by this feature. Mesh SDPs are never blocked, but their re-learn rates (sap-to-mesh/spoke-to-mesh or vice versa) are still measured.

The operation of this feature is the same on the SAP and spoke-SDP. For example, if a MAC address moves from SAP to SAP, from SAP to spoke-SDP, or between spoke-SDPs, one will be blocked to prevent thrashing. If the MAC address moves between a SAP and mesh SDP or spoke-SDP and mesh SDP combinations, the respective SAP or spoke-SDP will be blocked.

mac-move will disable a VPLS port when the number of relearns detected has reached the number of relearns needed to reach the move-frequency in the 5-second interval. For example, when the move-frequency is configured to 1 (relearn per second) mac-move will disable one of the VPLS ports when 5 relearns were detected during the 5-second interval because then the average move-frequency of 1 relearn per second has been reached. This can already occur in the first second if the real relearn rate is 5 relearns per second or higher.

The no form of this command disables MAC move.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>template>vpls-sap-template mac-move-level)

Full Context

configure service template vpls-sap-template mac-move-level

Description

When a SAP is instantiated using vpls-sap-template, if the MAC move feature is enabled at VPLS level, the command mac-move-level indicates whether the sap should be populated as primary-port, secondary-port, or tertiary-port in the instantiated VPLS.

If configured to the default, SAP is populated as a tertiary-port.

Default

no mac-move-level

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vpls>spoke-sdp mac-pinning)

[Tree] (config>service>vpls>mesh-sdp mac-pinning)

[Tree] (config>service>vpls>sap mac-pinning)

[Tree] (config>service>vpls>endpoint mac-pinning)

Full Context

configure service vpls spoke-sdp mac-pinning

configure service vpls mesh-sdp mac-pinning

configure service vpls sap mac-pinning

configure service vpls endpoint mac-pinning

Description

This command disables re-learning of MAC addresses on other SAPs within the VPLS. The MAC address will remain attached to a given SAP for duration of its age-timer.

The age of the MAC address entry in the FDB is set by the age timer. If mac-aging is disabled on a given VPLS service, any MAC address learned on a SAP or SDP with mac-pinning enabled will remain in the FDB on this SAP or SDP forever.

Every event that would otherwise result in re-learning is logged (MAC address; original-SAP; new-SAP).

When a SAP or spoke SDP is part of a Residential Split Horizon Group (RSHG), MAC pinning is activated at creation of the SAP. Otherwise MAC pinning is not enabled by default.

The no form of the command enables re-learning of MAC addresses.

Default

no mac-pinning

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>pw-template mac-pinning)

Full Context

configure service pw-template mac-pinning

Description

Enabling this command will disable re-learning of MAC addresses on other SAPs within the service. The MAC address will remain attached to a given SAP for duration of its age-timer.

The age of the MAC address entry in the FDB is set by the age timer. If mac-aging is disabled on a given VPLS service, any MAC address learned on a SAP or SDP with mac-pinning enabled will remain in the FDB on this SAP or SDP forever. Every event that would otherwise result in re-learning will be logged (MAC address; original-SAP; new-SAP).

When a SAP or spoke SDP is part of a Residential Split Horizon Group (RSHG), MAC pinning is activated at creation of the SAP. Otherwise MAC pinning is not enabled by default.

Default

no mac-pinning

Platforms

7705 SAR Gen 2

Context

[Tree] (config>macsec mac-policy)

Full Context

configure macsec mac-policy

Description

This command configures MAC address policy groups.

The no form of this command removes the MAC address policy group configuration.

Parameters

mac-policy-id

Specifies the value of the MAC address policy.

Values

0 to 4294967295

create

Mandatory keyword used to create the configuration.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vpls mac-protect)

Full Context

configure service vpls mac-protect

Description

This command indicates if this MAC is protected on the MAC protect list. When enabled, the agent will protect the MAC from being learned or re-learned on a SAP, spoke SDP or mesh SDP that has restricted learning enabled. The MAC protect list is used in conjunction with restrict-protected-src, restrict-unprotected-dst and auto-learn-mac-protect.

The no form of the command reverts to the default.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vpls mac-subnet-length)

Full Context

configure service vpls mac-subnet-length

Description

This command specifies the number of bits to be considered when performing MAC learning (MAC source) and MAC switching (MAC destination). Specifically, this value identifies how many bits, starting from the beginning of the MAC address are used. For example, if the mask-value of 28 is used, MAC learning only performs a lookup for the first 28 bits of the source MAC address when comparing with existing FDB entries. Then, it installs the first 28 bits in the FDB while zeroing out the last 20 bits of the MAC address. When performing switching in the reverse direction, only the first 28 bits of the destination MAC address are used to perform a FDB lookup to determine the next hop.

The no form of this command switches back to full MAC lookup.

Default

mac-subnet-length 48

Parameters

subnet-length

Specifies the number of bits to be considered when performing MAC learning or MAC switching.

Values

24 to 48

Platforms

7705 SAR Gen 2

Context

[Tree] (config macsec)

Full Context

configure macsec

Description

Commands in this context configure MACsec, including the MACsec MKA profile.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>port>ethernet>dot1x macsec)

Full Context

configure port ethernet dot1x macsec

Description

This command configures MACsec under this port.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>macsec>connectivity-association macsec-encrypt)

Full Context

configure macsec connectivity-association macsec-encrypt

Description

This command specifies that all PDUs are encrypted and authenticated (ICV payload).

The no form of this command specifies that all PDUs are transmitted with cleartext, but still authenticated and have the trailing ICV.

Default

macsec-encrypt

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>mpls>lsp main-ct-retry-limit)

[Tree] (config>router>mpls>lsp-template main-ct-retry-limit)

Full Context

configure router mpls lsp main-ct-retry-limit

configure router mpls lsp-template main-ct-retry-limit

Description

This command configures the maximum number of retries the LSP primary path should be retried with the LSP Diff-Serv main Class Type (CT).

When an unmapped LSP primary path goes into retry, it uses the main CT until the number of retries reaches the value of the new main-ct-retry-limit parameter. If the path did not come up, it must start using the backup CT at that point in time. By default, this parameter is set to infinite value. The new main-ct-retry-limit parameter has no effect on an LSP primary path which retries due to a failure event.

An unmapped LSP primary path is a path which has never received a Resv in response to the first Path message sent. This can occur when performing a "shut/no-shut” on the LSP or LSP primary path or when the node reboots. An unmapped LSP primary path goes into retry if the retry timer expired or the head-end node received a PathErr message before the retry timer expired.

If the user entered a value of the main-ct-retry-limit parameter that is greater than the value of the LSP retry-limit, the number of retries will still stop when the LSP primary path reaches the value of the LSP retry-limit. In other words, the meaning of the LSP retry-limit parameter is not changed and always represents the upper bound on the number of retries. The unmapped LSP primary path behavior applies to both CSPF and non-CSPF LSPs.

The no form of this command sets the parameter to the default value of zero (0) which means the LSP primary path will retry forever.

Default

no main-ct-retry-limit

Parameters

number

Specifies the number of times MPLS will attempt to re-establish the LSP primary path using the Diff-Serv main CT. Allowed values are integers in the range of zero (0) to 10,000, where zero indicates to retry infinitely.

Values

0 to 1000, integer

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>segment-routing maintenance-policy)

Full Context

configure router segment-routing maintenance-policy

Description

This command configures a named maintenance policy that can be applied to SR Policy candidate paths that are either statically configured or imported via BGP. A maintenance policy is used to configure seamless BFD and protection for an SR Policy candidate path.

A maintenance policy must be administratively disabled in order to change any of the parameters.

A maintenance policy cannot be enabled unless a mode, bfd-enable, and bfd-template are configured.

If a maintenance-template is administratively disabled, then all candidate paths to which it is applied are deprogrammed from the data path.

The no form of this command removes the specified maintenance policy.

Parameters

maintenance-policy-name

Specifies the name of the maintenance policy, up to 32 characters and cannot start with a space or underscore.

Platforms

7705 SAR Gen 2

Context

[Tree] (conf>router>segment-routing>sr-policies>policy maintenance-policy)

Full Context

configure router segment-routing sr-policies static-policy maintenance-policy

Description

This command applies a named maintenance policy to the static SR policy path. The maintenance policy must exist under the configure router segment-routing context.

The no form of this command removes the specified maintenance policy.

Parameters

maintenance-policy-name

Specifies the name of the maintenance policy, up to 32 characters and cannot start with a space or underscore.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>router-advert>if managed-configuration)

[Tree] (config>service>vprn>router-advert>if managed-configuration)

Full Context

configure router router-advertisement interface managed-configuration

configure service vprn router-advertisement interface managed-configuration

Description

This command sets or resets managed address configuration flag for this group-interface. This flag indicates that DHCPv6 is available for address configuration in addition to any address auto-configured using stateless address auto-configuration. See RFC 3315 for additional details.

The no form of this command reverts to the default.

Default

no managed-configuration

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vpls>sap managed-vlan-list)

Full Context

configure service vpls sap managed-vlan-list

Description

Commands in this context configure VLAN ranges to be managed by a management VPLS. The list indicates, for each SAP, the ranges of associated VLANs that will be affected when the SAP changes state. This managed-vlan-list is not used when STP mode is MSTP in which case the vlan-range is taken from the config>service>vpls>stp>msti configuration.

This command is only valid when the VPLS in which it is entered was created as a management VPLS.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn management)

Full Context

configure service vprn management

Description

Commands in this context configure node management within the VPRN.

Parameters

create

Keyword used to create a management server entry.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>security management)

Full Context

configure system security management

Description

Commands in this context allow access to management servers.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>security management-access-filter)

Full Context

configure system security management-access-filter

Description

This command creates the context to edit management access filters and to reset match criteria.

Management access filters control all traffic in and out of the CPM. They can be used to restrict management of the router by other nodes outside either specific (sub)networks or through designated ports.

Management filters, as opposed to other traffic filters, are enforced by system software.

The no form of this command removes management access filters from the configuration.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system management-interface)

Full Context

configure system management-interface

Description

Commands in this context configure the capabilities of router management interfaces such as CLI and NETCONF.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>security management-interface)

Full Context

configure system security management-interface

Description

Commands in this context configure the selection of a management interface for hash configuration. The management interfaces are classic-cli, md-cli, netconf, or grpc.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>management-interface>remote-management manager)

Full Context

configure system management-interface remote-management manager

Description

Commands configured in this context take precedence over command values specified directly in the configure management-interface remote-management context.

If a command is not configured in this context, the command setting is inherited from the higher level context.

The no form of this command removes the remote manager configuration.

Default

system-name

Parameters

manager-name

Specifies the name of the remote manager, up to 32 characters.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>management-interface>remote-management>manager manager-address)

Full Context

configure system management-interface remote-management manager manager-address

Description

This command configures the destination IP address or FQDN of the manager.

The no form of this command removes the configured IP address or FQDN of the configured manager.

Parameters

ip-address

Specifies the IP address, up to 255 characters.

fqdn

Specifies the FQDN, up to 255 characters.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>management-interface>remote-management>manager manager-port)

Full Context

configure system management-interface remote-management manager manager-port

Description

This command assigns a destination TCP port to be used for opening gRPC connections to the specified remote manager.

The no form of this command reverts the destination TCP port for the remote manager to the default gRPC port (57400).

Parameters

port

Specifies the TCP destination port.

Values

1 to 65535

Default

57400

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>if>sap>ipsec-tunnel manual-keying)

[Tree] (config>service>vprn>if>ipsec>ipsec-tunnel manual-keying)

[Tree] (config>service>ies>if>ipsec>ipsec-tunnel manual-keying)

[Tree] (config>router>if>ipsec>ipsec-tunnel manual-keying)

Full Context

configure service vprn interface sap ipsec-tunnel manual-keying

configure service vprn interface ipsec ipsec-tunnel manual-keying

configure service ies interface ipsec ipsec-tunnel manual-keying

configure router interface ipsec ipsec-tunnel manual-keying

Description

This command configures Security Association (SA) for manual keying. When enabled, the command specifies whether this SA entry is created manually, by the user, or dynamically by the IPsec sub-system.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>isis>segment-routing mapping-server)

Full Context

configure router isis segment-routing mapping-server

Description

Commands in this context configures the Segment Routing mapping server feature in an IS-IS instance.

SR mapping server enables the configuration and advertisement, via IS-IS, of the node SID index for IS-IS prefixes of routers which are in the LDP domain. This is performed in the router acting as a mapping server, which uses a prefix-SID sub-TLV within the SID/Label binding TLV in IS-IS.

The no form of this command deletes all node SID entries in the IS-IS instance.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>ospf>segm-rtng mapping-server)

Full Context

configure router ospf segment-routing mapping-server

Description

Commands in this context configure the Segment Routing mapping server feature in an OSPF instance.

The mapping server feature allows the configuration and advertisement in OSPF of the node SID index for OSPF prefixes of routers which are in the LDP domain. This is performed in the router acting as a mapping server and using a prefix-SID sub-TLV within the Extended Prefix Range TLV in OSPF.

The no form of this command deletes all node SID entries in the OSPF instance.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>subscr-mgmt>loc-user-db>ipoe mask)

Full Context

configure subscriber-mgmt local-user-db ipoe mask

Description

This command configures a mask for the specified match type. The masking is applied on the parameter when performing an LUDB lookup to identify a host.

The no form of this command removes the mask from the configuration.

Parameters

ppp-match-type

Specifies the parameter on which the mask should be applied for an LUDB lookup to identify a PPP host.

Values

circuit-id, mac, remote-id, sap-id, service-name, username

ipoe-match-type

Specifies the parameter on which the mask should be applied for an LUDB lookup to identify an IPoE host.

The prefix-string and suffix-string command options are not supported when the ipoe-match-type value is set to duid-en or duid-ll-llt.

Values

circuit-id, duid-en, duid-ll-llt, option60, remote-id, sap-id, string, system-id

prefix-string

Specifies a substring that is stripped of the start of the incoming parameter value before it is matched against the value configured in the LUDB host identification.

This string can only contain printable ASCII characters. The "*” character is a wildcard that matches any substring. If a "\" character is masked, use the escape key so it becomes "\\".

This command option is unsupported when the ppp-match-type equals mac.

Values

up to 127 characters, "*”

prefix-length

Specifies the number of characters to remove from the start of the incoming parameter value before it is matched against the value configured in the LUDB host identification.

When used with the mac or duid-ll-llt parameter, it specifies the number of bits to remove from the start of the MAC address. For example, if the MAC address is 0a:0b:0c:0d:0e:0f, to obtain the last bit for matching purposes (match an odd or even MAC address), the prefix length is 47. The result in this example would be a binary number of 1 (0xf = 1111).

Values

1 to 127

suffix-string

Specifies a substring that is stripped of the end of the incoming parameter value before it is matched against the value configured in the LUDB host identification.

This string can only contain printable ASCII characters. The "*” character is a wildcard that matches any substring. If a "\" character is masked, use the escape key so it becomes "\\".

This command option is unsupported when the ppp-match-type equals mac.

Values

up to 127 characters

suffix-length

Specifies the number of characters to remove from the end of the incoming parameter value before it is matched against the value configured in the LUDB host identification.

When used with the mac or duid-ll-llt command option, the number of bits to remove from the end of the MAC address is specified.

Values

1 to 127

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>security>snmp>view mask)

Full Context

configure system security snmp view mask

Description

The mask value and the mask type, along with the oid-value configured in the view command, determines the access of each sub-identifier of an object identifier (MIB subtree) in the view.

Each bit in the mask corresponds to a sub-identifier position. For example, the most significant bit for the first sub-identifier, the next most significant bit for the second sub-identifier, and so on. If the bit position on the sub-identifier is available, it can be included or excluded.

For example, the MIB subtree that represents MIB-II is 1.3.6.1.2.1. The mask that catches all MIB-II would be 0xfc or 0b11111100.

Only a single mask may be configured per view and OID value combination. If more than one entry is configured, each subsequent entry overwrites the previous entry.

The no form of this command removes the mask from the configuration.

Parameters

mask-value

The mask value associated with the OID value determines whether the sub-identifiers are included or excluded from the view. (Default: all 1s)

The mask can be entered either:

• In hex. For example, 0xfc.

• In binary. For example, 0b11111100.

Note:

If the number of bits in the bit mask is less than the number of sub-identifiers in the MIB subtree, then the mask is extended with ones until the mask length matches the number of sub-identifiers in the MIB subtree.

type

Specifies to include or exclude MIB subtree objects.

Values

included - All MIB subtree objects that are identified with a 1 in the mask are available in the view.

excluded - All MIB subtree objects that are identified with a 1 in the mask are denied access in the view.

Default

included

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>ies>if>icmp mask-reply)

[Tree] (config>service>vprn>nw-if>icmp mask-reply)

[Tree] (config>service>vprn>if>icmp mask-reply)

Full Context

configure service ies interface icmp mask-reply

configure service vprn network-interface icmp mask-reply

configure service vprn interface icmp mask-reply

Description

This command enables responses to Internet Control Message Protocol (ICMP) mask requests on the router interface.

If a local node sends an ICMP mask request to the router interface, the mask-reply command configures the router interface to reply to the request.

By default, the router instance replies to mask requests.

The no form of this command disables replies to ICMP mask requests on the router interface.

Default

mask-reply — Specifies to reply to ICMP mask requests.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>if>icmp mask-reply)

Full Context

configure router interface icmp mask-reply

Description

This command enables responses to ICMP mask requests on the router interface.

If a local node sends an ICMP mask request to the router interface, the mask-reply command configures the router interface to reply to the request.

The no form of this command disables replies to ICMP mask requests on the router interface.

Default

mask-reply — Replies to ICMP mask requests.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>ies>if>ipv6>vrrp master-int-inherit)

Full Context

configure service ies interface ipv6 vrrp master-int-inherit

Description

This command allows the master instance to dictate the master down timer (non-owner context only).

Default

no master-int-inherit

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>ies>if>vrrp master-int-inherit)

Full Context

configure service ies interface vrrp master-int-inherit

Description

This command allows the master instance to dictate the master down timer (non-owner context only).

Default

no master-int-inherit

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>if>ipv6>vrrp master-int-inherit)

[Tree] (config>service>vprn>if>vrrp master-int-inherit)

Full Context

configure service vprn interface ipv6 vrrp master-int-inherit

configure service vprn interface vrrp master-int-inherit

Description

This command allows the master instance to dictate the master down timer (non-owner context only).

Default

no master-int-inherit

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>if>vrrp master-int-inherit)

[Tree] (config>router>if>ipv6>vrrp master-int-inherit)

Full Context

configure router interface vrrp master-int-inherit

configure router interface ipv6 vrrp master-int-inherit

Description

This command enables the virtual router instance to inherit the master VRRP router’s advertisement interval timer which is used by backup routers to calculate the master down timer.

The master-int-inherit command is only available in the non-owner nodal context and is used to allow the current virtual router instance master to dictate the master down timer for all backup virtual routers. The master-int-inherit command has no effect when the virtual router instance is operating as master.

If master-int-inherit is not enabled, the locally configured message-interval must match the master’s VRRP advertisement message advertisement interval field value or the message is discarded.

The no form of the command restores the default operating condition which requires the locally configured message-interval to match the received VRRP advertisement message advertisement interval field value. The virtual router instance does not inherit the master VRRP router’s advertisement interval timer and uses the locally configured message interval.

Default

no master-int-inherit

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>bgp>group>dynamic-neighbor match)

Full Context

configure service vprn bgp group dynamic-neighbor match

Description

This command configures match conditions for the dynamic neighbors.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>log>filter>entry match)

Full Context

configure service vprn log filter entry match

Description

This command creates context to enter/edit match criteria for a filter entry. When the match criteria is satisfied, the action associated with the entry is executed.

If more than one match parameter (within one match statement) is specified, then all the criteria must be satisfied (AND functional) before the action associated with the match is executed.

Use the match command to display a list of the valid applications.

Match context can consist of multiple match parameters (application, event-number, severity, subject), but multiple match statements cannot be entered per entry.

The no form of this command removes the match criteria for the entry-id.

Default

no match

Platforms

7705 SAR Gen 2

Context

[Tree] (config>qos>sap-egress>ip-criteria>entry match)

[Tree] (config>qos>sap-ingress>ip-criteria>entry match)

Full Context

configure qos sap-egress ip-criteria entry match

configure qos sap-ingress ip-criteria entry match

Description

This command creates a context to configure match criteria for SAP QoS policy match criteria. When the match criteria have been satisfied, the action associated with the match criteria is executed.

If more than one match criteria (within one match statement) are configured, all criteria must be satisfied (AND function) before the action associated with the match is executed.

A match context can consist of multiple match criteria, but multiple match statements cannot be entered per entry.

It is possible that a SAP policy includes the dscp map command, the dot1p map command, and an IP match criteria. When multiple matches occur for the traffic, the order of precedence is used to arrive at the final action. The order of precedence is as follows:

1. 802.1p bits

2. DSCP

3. IP quintuple or MAC headers

The no form of this command removes the match criteria for the entry-id.

Parameters

protocol protocol-id

Specifies an IP protocol to be used as a SAP QoS policy match criterion.

The protocol type such as TCP / UDP / OSPF is identified by its respective protocol number. Well-known protocol numbers include ICMP(1), TCP(6), UDP(17)

IP Protocol Names lists the IP protocols and their respective IDs and descriptions.

Values

protocol-id: 0 to 255 protocol numbers accepted in decimal, hexadecimal, or binary

keywords: none, crtp, crudp, egp, eigrp, encap, ether-ip, gre, icmp, idrp, igmp, igp, ip, ipv6, ipv6-frag, ipv6-icmp, ipv6-no-nxt, ipv6-opts, ipv6-route, isis, iso-ip, l2tp, ospf-igp, pim, pnni, ptp, rdp, rsvp, stp, tcp, udp, vrrp

Table 2. IP Protocol Names

Protocol	Protocol ID	Description
icmp	1	Internet Control Message
igmp	2	Internet Group Management
ip	4	IP in IP (encapsulation)
tcp	6	Transmission Control
egp	8	Exterior Gateway Protocol
igp	9	Any private interior gateway (used by Cisco for their IGRP)
udp	17	User Datagram
rdp	27	Reliable Data Protocol
ipv6	41	IPv6
ipv6-route	43	Routing Header for IPv6
ipv6-frag	44	Fragment Header for IPv6
idrp	45	Inter-Domain Routing Protocol
rsvp	46	Reservation Protocol
gre	47	General Routing Encapsulation
ipv6-icmp	58	ICMP for IPv6
ipv6-no-nxt	59	No Next Header for IPv6
ipv6-opts	60	Destination Options for IPv6
iso-ip	80	ISO Internet Protocol
eigrp	88	EIGRP
ospf-igp	89	OSPFIGP
ether-ip	97	Ethernet-within-IP Encapsulation
encap	98	Encapsulation Header
pnni	102	PNNI over IP
pim	103	Protocol Independent Multicast
vrrp	112	Virtual Router Redundancy Protocol
l2tp	115	Layer Two Tunneling Protocol
stp	118	Schedule Transfer Protocol
ptp	123	Performance Transparency Protocol
isis	124	ISIS over IPv4
crtp	126	Combat Radio Transport Protocol
crudp	127	Combat Radio User Datagram

Platforms

7705 SAR Gen 2

Context

[Tree] (config>qos>sap-ingress>ipv6-criteria>entry match)

[Tree] (config>qos>sap-egress>ipv6-criteria>entry match)

Full Context

configure qos sap-ingress ipv6-criteria entry match

configure qos sap-egress ipv6-criteria entry match

Description

This command creates a context to configure match criteria for ingress SAP QoS policy match IPv6 criteria. When the match criteria have been satisfied, the action associated with the match criteria is executed.

If more than one match criteria (within one match statement) are configured, all criteria must be satisfied (logical AND) before the action associated with the match is executed.

A match context can consist of multiple match criteria, but multiple match statements cannot be created per entry.

A SAP ingress policy may include the dscp map command, the dot1p map command, and an IPv6 match criteria. When multiple matches occur for the traffic, the following order of precedence is used to arrive at the final action.

1. 802.1p bits

2. DSCP

3. IP quintuple or MAC headers

The no form of this command removes the match criteria for the entry-id.

Parameters

next-header

protocol-number, protocol-name

Specifies the IPv6 next header to match.

On the 7705 SAR Gen 2, the protocol type such as TCP, UDP, or OSPF is identified by its respective protocol number. Well-known protocol numbers include ICMP(1), TCP(6) and UDP(17).

protocol-number

Specifies the protocol number value to be configured as a match criterion.

Values

[0 to 255]D

[0x0 to 0xFF]H

[0b0 to 0b11111111]B

protocol-name

Specifies the protocol name to be configured as a match criterion.

Values

none, icmp, igmp, ip, tcp, egp, igp, udp, rdp, ipv6, ipv6-route, ipv6-frag, idrp, rsvp, gre, ipv6-icmp, ipv6-no-nxt, ipv6-opts, iso-ip, eigrp, ospf-igp, ether-ip, encap, pnni, pim, vrrp, l2tp, stp, ptp, isis, crtp, crudp, sctp

* - udp/tcp wildcard

Platforms

7705 SAR Gen 2

Context

[Tree] (config>qos>sap-ingress>mac-criteria>entry match)

Full Context

configure qos sap-ingress mac-criteria entry match

Description

This command creates a context for entering/editing match MAC criteria for ingress SAP QoS policy match criteria. When the match criteria have been satisfied, the action associated with the match criteria is executed.

If more than one match criteria (within one match statement) are configured, all criteria must be satisfied (AND function) before the action associated with the match will be executed.

A match context can consist of multiple match criteria, but multiple match statements cannot be entered per entry.

The no form of this command removes the match criteria for the entry-id.

Parameters

frame-type

The frame-type keyword configures an Ethernet frame type or an ATM frame type to be used for the MAC filter match criteria.

Values

802dot3, 802dot2-llc, 802dot2-snap, ethernet_II, atm

Default

802dot3

802dot3

Specifies the frame type is Ethernet IEEE 802.3.

802dot2-llc

Specifies the frame type is Ethernet IEEE 802.2 LLC.

802dot2-snap

Specifies the frame type is Ethernet IEEE 802.2 SNAP.

ethernet-II

Specifies the frame type is Ethernet Type II.

atm

Specifies the frame type as ATM cell. The user is not allowed to configure entries with frame type of atm and a frame type of other supported values in the same QoS policy.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>qos>network>ingress>ip-criteria>entry match)

[Tree] (config>qos>network>egress>ip-criteria>entry match)

Full Context

configure qos network ingress ip-criteria entry match

configure qos network egress ip-criteria entry match

Description

This command creates a context to configure match criteria for a network QoS policy. When the match criteria have been satisfied, the action associated with it is executed.

If more than one match criteria (within one match statement) are configured, then all criteria must be satisfied before the associated action with the match is executed.

A match context can consist of multiple match criteria, but multiple match statements cannot be entered per entry.

A network QoS policy can include the DSCP map command, the dot1p map command (ingress only), the prec map command (egress only), and an IP match criteria. When multiple matches occur for the traffic, the order of precedence is used to arrive at the final action. The order of precedence is as follows:

• 802.1p bits (ingress only)

• DSCP

• prec (egress only)

• IP quintuple

The no form of this command removes the match criteria for the entry identifier.

Parameters

protocol protocol-id

Specifies an IP protocol to be used as an ingress or egress network QoS policy match criterion.

The protocol type is identified by its respective protocol number. Well-known protocol numbers include ICMP(1), TCP(6), and UDP(17).

Values

protocol-id: 0 to 255 protocol numbers accepted in decimal, hexadecimal, or binary

keywords: none, crtp, crudp, egp, eigrp, encap, ether-ip, gre, icmp, idrp, igmp, igp, ip, ipv6, ipv6-frag, ipv6-icmp, ipv6-no-nxt, ipv6-opts, ipv6-route, isis, iso-ip, l2tp, ospf-igp, pim, pnni, ptp, rdp, rsvp, stp, tcp, udp, vrrp

* — udp/tcp wildcard

Protocol ID Descriptions lists the protocols and their protocol IDs and descriptions.

Table 3. Protocol ID Descriptions

Protocol	Protocol ID	Description
icmp	1	Internet Control Message
igmp	2	Internet Group Management
ip	4	IP in IP (encapsulation)
tcp	6	Transmission Control
egp	8	Exterior Gateway Protocol
igp	9	Any private interior gateway (used by Cisco for their IGRP)
udp	17	User Datagram
rdp	27	Reliable Data Protocol
ipv6	41	IPv6
ipv6-route	43	Routing Header for IPv6
ipv6-frag	44	Fragment Header for IPv6
idrp	45	Inter-Domain Routing Protocol
rsvp	46	Reservation Protocol
gre	47	General Routing Encapsulation
ipv6-icmp	58	ICMP for IPv6
ipv6-no-nxt	59	No Next Header for IPv6
ipv6-opts	60	Destination Options for IPv6
iso-ip	80	ISO Internet Protocol
eigrp	88	EIGRP
ospf-igp	89	OSPFIGP
ether-ip	97	Ethernet-within-IP Encapsulation
encap	98	Encapsulation Header
pnni	102	PNNI over IP
pim	103	Protocol Independent Multicast
vrrp	112	Virtual Router Redundancy Protocol
l2tp	115	Layer Two Tunneling Protocol
stp	118	Schedule Transfer Protocol
ptp	123	Performance Transparency Protocol
isis	124	ISIS over IPv4
crtp	126	Combat Radio Transport Protocol
crudp	127	Combat Radio User Datagram

Platforms

7705 SAR Gen 2

Context

[Tree] (config>qos>network>ingress>ipv6-criteria>entry match)

[Tree] (config>qos>network>egress>ipv6-criteria>entry match)

Full Context

configure qos network ingress ipv6-criteria entry match

configure qos network egress ipv6-criteria entry match

Description

This command creates a context to configure match criteria for a network QoS policy match IPv6 criteria. When the match criteria have been satisfied, the action associated with the match criteria is executed.

If more than one match criteria (within one match statement) are configured, all criteria must be satisfied (logical AND) before the action associated with the match is executed.

A match context can consist of multiple match criteria, but multiple match statements cannot be created per entry.

A network policy can include the DSCP map command, the dot1p map command (ingress only), the prec map command (egress only), and an IPv6 match criteria. When multiple matches occur for the traffic, the following order of precedence is used to arrive at the final action.

• 802.1p bits (ingress only)

• DSCP

• prec (egress only)

• IP quintuple

The no form of this command removes the match criteria for the entry identifier.

Parameters

next-header

protocol-number, protocol-name

Specifies the next header to match.

The protocol type is identified by its respective protocol number. Well-known protocol numbers include ICMP(1), TCP(6), and UDP(17).

protocol-number

Specifies the protocol number value to be configured as a match criterion.

Values

[0 to 255]D

[0x0 to 0xFF]H

[0b0 to 0b11111111]B

protocol-name

Specifies the protocol name to be configured as a match criterion.

Values

none, icmp, igmp, ip, tcp, egp, igp, udp, rdp, ipv6, ipv6-route, ipv6-frag, idrp, rsvp, gre, ipv6-icmp, ipv6-no-nxt, ipv6-opts, iso-ip, eigrp, ospf-igp, ether-ip, encap, pnni, pim, vrrp, l2tp, stp, ptp, isis, crtp, crudp, sctp

* - udp/tcp wildcard

Platforms

7705 SAR Gen 2

Context

[Tree] (config>filter>ip-exception>entry match)

Full Context

configure filter ip-exception entry match

Description

Commands in this context enter match criteria for the filter entry. When the match criteria have been satisfied the action associated with the match criteria is executed.

A match context may consist of multiple match criteria, but multiple match statements cannot be entered per entry. More precisely, the command can be entered multiple times but this only results in modifying the protocol-id. and does not affect the underlying match criteria configuration.

The no form of the command removes all the match criteria from the filter entry and sets the protocol-id of the match command to none (keyword). As per above, match protocol none is however not equivalent to no match.

Default

match protocol none

Parameters

protocol-id

Sets an IP protocol to be used as an IP filter match criterion. The protocol type, such as TCP or UDP, is identified by its respective protocol number.

Values

protocol-number: [0..255]D

[0x0..0xFF]H

[0b0..0b11111111]B

protocol-name:0 to 255 in decimal format. Values can also be specified in hexadecimal format, in binary format, or using the following keywords:

IPv4 filter keywords: none (default), icmp, igmp, ip, tcp, egp, igp, udp, rdp, ipv6, ipv6-route, ipv6-frag, idrp, rsvp, gre, ipv6-icmp, ipv6-no-nxt, ipv6-opts, iso-ip, eigrp, ospf-igp, ether-ip, encap, pnni, pim, vrrp, l2tp, stp, ptp, isis, crtp, crudp, sctp

IP exception filter keywords: none, icmp, igmp, ospf-igp, pim, rsvp, tcp, udp, vrrp

* — udp/tcp wildcard

Table 4. Protocol ID Descriptions

Protocol	Protocol ID	Description
icmp	1	Internet Control Message
igmp	2	Internet Group Management
ip	4	IP in IP (encapsulation)
tcp	6	Transmission Control
egp	8	Exterior Gateway Protocol
igp	9	Any private interior gateway (used by Cisco for IGRP)
udp	17	User Datagram
rdp	27	Reliable Data Protocol
ipv6	41	IPv6
ipv6-route	43	Routing Header for IPv6
ipv6-frag	44	Fragment Header for IPv6
idrp	45	Inter-Domain Routing Protocol
rsvp	46	Reservation Protocol
gre	47	General Routing Encapsulation
ipv6-icmp	58	ICMP for IPv6
ipv6-no-nxt	59	No Next Header for IPv6
ipv6-opts	60	Destination Options for IPv6
iso-ip	80	ISO Internet Protocol
eigrp	88	EIGRP
ospf-igp	89	OSPFIGP
ether-ip	97	Ethernet-within-IP Encapsulation
encap	98	Encapsulation Header
pnni	102	PNNI over IP
pim	103	Protocol Independent Multicast
vrrp	112	Virtual Router Redundancy Protocol
l2tp	115	Layer Two Tunneling Protocol
stp	118	Spanning Tree Protocol
ptp	123	Performance Transparency Protocol
isis	124	ISIS over IPv4
crtp	126	Combat Radio Transport Protocol
crudp	127	Combat Radio User Datagram
sctp	132	Stream Control Transmission Protocol

Platforms

7705 SAR Gen 2

Context

[Tree] (config>filter>ip-filter>entry match)

Full Context

configure filter ip-filter entry match

Description

Commands in this context enter match criteria for the filter entry. When the match criteria have been satisfied, the action associated with the match criteria is executed.

A match context may consist of multiple match criteria, but multiple match statements cannot be created per entry. More precisely, the protocol command can be entered multiple times but this only results in modifying the protocol-id. Matching on more than one protocol can be achieved using the protocol-list match criteria in an IP filter policy.

The no form of the command removes all the match criteria from the filter entry and sets the protocol-id of the match command to none. However, match protocol none is not equivalent to no match.

Default

match protocol none

Parameters

protocol-id

protocol-number | protocol-name

protocol-number

Specifies the protocol number value to be configured as a match criterion. The value can be expressed as a decimal integer, or in hexadecimal or binary format.

Values

[0..255]D, [0x0..0xFF]H, [0b0..0b11111111]B

protocol-name

Specifies the protocol name to be configured as a match criterion.

Values

IPv4 filter keywords: none (default), icmp, igmp, ip, tcp, egp, igp, udp, rdp, ipv6, ipv6-route, ipv6-frag, idrp, rsvp, gre, ipv6-icmp, ipv6-no-nxt, ipv6-opts, iso-ip, eigrp, ospf-igp, ether-ip, encap, pnni, pim, vrrp, l2tp, stp, ptp, isis, crtp, crudp, sctp

* — udp/tcp

Table 5. Protocol ID Descriptions

Protocol	Protocol ID	Description
icmp	1	Internet Control Message
igmp	2	Internet Group Management
ip	4	IP in IP (encapsulation)
tcp	6	Transmission Control
egp	8	Exterior Gateway Protocol
igp	9	Any private interior gateway (used by Cisco for IGRP)
udp	17	User Datagram
rdp	27	Reliable Data Protocol
ipv6	41	IPv6
ipv6-route	43	Routing Header for IPv6
ipv6-frag	44	Fragment Header for IPv6
idrp	45	Inter-Domain Routing Protocol
rsvp	46	Reservation Protocol
gre	47	General Routing Encapsulation
ipv6-icmp	58	ICMP for IPv6
ipv6-no-nxt	59	No Next Header for IPv6
ipv6-opts	60	Destination Options for IPv6
iso-ip	80	ISO Internet Protocol
eigrp	88	EIGRP
ospf-igp	89	OSPFIGP
ether-ip	97	Ethernet-within-IP Encapsulation
encap	98	Encapsulation Header
pnni	102	PNNI over IP
pim	103	Protocol Independent Multicast
vrrp	112	Virtual Router Redundancy Protocol
l2tp	115	Layer Two Tunneling Protocol
stp	118	Spanning Tree Protocol
ptp	123	Performance Transparency Protocol
isis	124	ISIS over IPv4
crtp	126	Combat Radio Transport Protocol
crudp	127	Combat Radio User Datagram
sctp	132	Stream Control Transmission Protocol

protocol-list-name

Specifies the name of the protocol list, up to 32 characters.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>filter>ipv6-exception>entry match)

Full Context

configure filter ipv6-exception entry match

Description

Commands in this context enter match criteria for the IPv6 filter exception. When the match criteria have been satisfied, the action associated with the match criteria is executed.

The no form of the command removes all the match criteria from the IPv6 filter exception.

Parameters

next-header

protocol-number, protocol-name

Specifies the next header to match.

protocol-number

Specifies the protocol number value to be configured as a match criterion.

Values

[0 to 255]D

[0x0 to 0xFF]H

[0b0 to 0b11111111]B

protocol-name

Specifies the protocol name to be configured as a match criterion.

Values

none, icmp, igmp, ip, tcp, egp, igp, udp, rdp, ipv6, ipv6-route, ipv6-frag, idrp, rsvp, gre, ipv6-icmp, ipv6-no-nxt, ipv6-opts, iso-ip, eigrp, ospf-igp, ether-ip, encap, pnni, pim, vrrp, l2tp, stp, ptp, isis, crtp, crudp, sctp

* - udp/tcp wildcard

Platforms

7705 SAR Gen 2

Context

[Tree] (config>filter>ipv6-filter>entry match)

Full Context

configure filter ipv6-filter entry match

Description

Commands in this context enter match criteria for the filter entry. When the match criteria have been satisfied, the action associated with the match criteria is executed.

A match context may consist of multiple match criteria, but multiple match statements cannot be created per entry. More precisely, the next-header command can be entered multiple times, but this only results in modifying the protocol-id. Matching on more than one protocol can be achieved using the next-header-list match criteria.

The no form of the command removes all the match criteria from the filter entry and sets the protocol-id of the match command to none. However, match next-header none is not equivalent to no match.

Default

match next-header none

Parameters

next-header

protocol-number, protocol-name

Specifies the IPv6 next header to match. This parameter is analogous to the protocol parameter used in IPv4 filter match command.

protocol-number

Specifies the protocol number value to be configured as a match criterion.

Values

[0 to 255]D

[0x0 to 0xFF]H

[0b0 to 0b11111111]B

protocol-name

Specifies the protocol name to be configured as a match criterion.

Values

none, icmp, igmp, ip, tcp, egp, igp, udp, rdp, ipv6, ipv6-route, ipv6-frag, idrp, rsvp, gre, ipv6-icmp, ipv6-no-nxt, ipv6-opts, iso-ip, eigrp, ospf-igp, ether-ip, encap, pnni, pim, vrrp, l2tp, stp, ptp, isis, crtp, crudp, sctp

* - udp/tcp wildcard

protocol-list-name

Specifies the name of the protocol list, up to 32 characters.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>log>filter>entry match)

Full Context

configure log filter entry match

Description

This command creates the context to enter and edit match criteria for a filter entry. When the match criteria is satisfied, the action associated with the entry is executed.

If more than one match parameter (within one match statement) is specified, then all the criteria must be satisfied (AND functional) before the action associated with the match is executed.

Use the application command to display a list of the valid applications.

Match context can consist of multiple match parameters (application, event-number, severity, subject), but multiple match statements cannot be entered per entry.

The no form of this command removes the match criteria for the entry-id.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>security>mgmt-access-filter>mac-filter>entry match)

Full Context

configure system security management-access-filter mac-filter entry match

Description

This command configures math criteria for this MAC filter entry.

Parameters

frame-type

Specifies the type of MAC frame to use as match criteria.

Values

802dot3 | 802dot2-llc | 802dot2-snap | 802dot1ag | ethernet_II

Default

802dot3

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>security>profile>entry match)

Full Context

configure system security profile entry match

Description

This command configures a command or subtree commands in subordinate command levels are specified.

Evaluation stops when the first match is found, so subordinate levels cannot be modified with subsequent action commands. More specific action commands should be entered with a lower entry number or in a profile that is evaluated prior to this profile.

All commands below the hierarchy level of the matched command are denied.

The no form of this command removes a match condition.

Parameters

command-string

Specifies the CLI command or CLI tree level that is the scope of the profile entry.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>bgp>group>dynamic-neighbor match)

Full Context

configure router bgp group dynamic-neighbor match

Description

This command configures match conditions for the dynamic neighbors.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>subscr-mgmt>loc-user-db>ipoe match-list)

Full Context

configure subscriber-mgmt local-user-db ipoe match-list

Description

This command specifies the type of matching done to identify a host. There are different match-types for IPoE hosts of which a maximum of four can be specified.

The no form of this command removes all match criteria.

Parameters

match-type-x

Specifies up to four matching types to identify a host.

Values

For IPoE: circuit-id, derived-id, dual-stack-remote-id, duid-en, duid-ll-llt, encap-tag-range, encap-tag-separate-range, ip, mac, option60, remote-id, sap-id, service-id, string, system-id

Note:

The format of remote-id in IPv6 is different than the format of remote-id in IPv4; IPv6 remote-id contains enterprise-id field that is also honored in matching.

circuit-id — Specifies to use the circuit ID to match against.

derived-id — Specifies the value extracted by Python script during processing of DHCP Discover/Solicit/Request/Renew/Rebind Messages (client to server bound messages). The value is stored in the DHCP Transaction Cache (DTC) in a variable named alc.dtc.derivedId. This value has a lifespan of a DHCP transaction (a single pair of messages exchanged between the client and the server, for example DHCP Discover and DHCP Offer).

dual-stack-remote-id — Specifies the enterprise-id in IPv6 remote-id is stripped off before LUDB matching is performed. Processing of IPv4 remote ID remains unchanged. This will allow a single host entry in LUDB for dual-stack host where host identification is performed based on the remote ID field.

duid-en — Specifies to match against the concatenation of the enterprise number and identifier fields of DHCPv6 option CLIENTID (1) with DUID type = 2 (assigned by vendor based on the enterprise number) in the DHCPv6 client message.

duid-ll-llt — Specifies to match against the link-layer address field of DHCPv6 option CLIENTID (1) with DUID type = 3 (based on link-layer address) or DUID type = 1 (based on link-layer address plus time) and hardware type = 1 (Ethernet) in the DHCPv6 client message. For DUID type = 1, the time field is ignored.

encap-tag-separate-range — Specifies the match encapsulation inner and outer tag in two separate ranges.

encap-tag-range — Specifies to match tag ranges for inner and outer tags.

ip — Specifies the source IPv4/IPv6 address of a data-trigger packet.

mac — Specifies to use the MAC address to match against.

option-60 — Specifies to use Option60 to match against.

remote-id — Specifies to use the remote ID to match against.

sap-id — Specifies the SAP ID on which DHCPv4 packet are received. The SAP ID is inserted as ALU VSO (82,9,4) by the DHCPv4 relay in router. This is enabled via configuration under the vendor-specific-option CLI hierarchy of the DHCPv4 relay. Since the dhcp-relay configuration is enabled under the group interface CLI hierarchy, the group interface and the service ID must be known before the SAP ID can be used for LUDB match.

service-id — Specifies the service ID of the ingress SAP for DHCPv4 packets. The service ID is inserted as ALU VSO (82,9,3) by the DHCPv4 relay in router. This is enabled via configuration under the vendor-specific-option CLI hierarchy of the DHCPv4 relay.

string — Specifies the custom string configured under the vendor-specific-option CLI hierarchy of the DHCPv4 relay. The string is inserted as ALU VSO (82,9,5) by the DHCPv4 relay in router. Since the dhcp-relay configuration is enabled under the group-interface CLI hierarchy, the group-interface and the service ID must be known before the string can be used for LUDB match.

system-id — Specifies the system ID of the node name configured under the system>name CLI hierarchy. The system ID is inserted as ALU VSO (82,9,1) by the DHCPv4 relay in router. This is enabled via configuration under the vendor-specific-option CLI hierarchy of the DHCPv4 relay. Since the dhcp-relay configuration is enabled under the group interface CLI hierarchy, the group interface and the service ID must be known before the system ID can be used for LUDB match.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>ipsec>client-db match-list)

Full Context

configure ipsec client-db match-list

Description

This command enables the match list context on a client database. The match list defines the match input used during IPsec’s tunnel setup. If there are multiple inputs configured in the match list, then they all must have matches before the system considers a client entry is a match.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>qos match-list)

Full Context

configure qos match-list

Description

This command is used to enter the context to create or edit match lists used in QoS policies.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>filter match-list)

Full Context

configure filter match-list

Description

This command enables the configuration context for match lists to be used in filter policies (IOM/FP and CPM).

Platforms

7705 SAR Gen 2

Context

[Tree] (config>ipsec>ike-policy match-peer-id-to-cert)

Full Context

configure ipsec ike-policy match-peer-id-to-cert

Description

This command enables checking the IKE peer's ID matches the peer's certificate when performing certificate authentication.

Default

no match-peer-id-to-cert

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>ies>if>sap>ingress match-qinq-dot1p)

[Tree] (config>service>vpls>sap>ingress match-qinq-dot1p)

Full Context

configure service ies interface sap ingress match-qinq-dot1p

configure service vpls sap ingress match-qinq-dot1p

Description

This command specifies which dot1Q tag position dot1P bits in a QinQ encapsulated packet should be used to evaluate dot1P QoS classification.

The match-qinq-dot1p command allows the top or bottom PBits to be used when evaluating the applied sap-ingress QoS policy’s dot1P entries. The top and bottom keywords specify which position should be evaluated for QinQ encapsulated packets.

By default, the bottom-most service delineating dot1Q tag’s dot1P bits are used. Default QinQ and TopQ SAP Dot1P Evaluation defines the default behavior for dot1P evaluation when the match-qinq-dot1p command is not executed.

The no form of this command restores the default dot1p evaluation behavior for the SAP.

Default

no match-qinq-dot1p (no filtering based on p-bits)

(top or bottom must be specified to override the default QinQ dot1p behavior)

Parameters

top

The top parameter is mutually exclusive to the bottom parameter. When the top parameter is specified, the topmost PBits are used (if existing) to match any dot1p dot1p-value entries. Top Position QinQ and TopQ SAP Dot1P Evaluation defines the dot1p evaluation behavior when the top parameter is specified.

Table 7. Top Position QinQ and TopQ SAP Dot1P Evaluation

Port/SAP Type	Existing Packet Tags	PBits Used for Match
Null	None	None
Null	Dot1P (VLAN-ID 0)	Dot1P PBits
Null	Dot1Q	Dot1Q PBits
Null	TopQ BottomQ	TopQ PBits
Null	TopQ (No BottomQ)	TopQ PBits
Dot1Q	None (Default SAP)	None
Dot1Q	Dot1P (Default SAP VLAN-ID 0)	Dot1P PBits
Dot1Q	Dot1Q	Dot1Q PBits
QinQ/TopQ	TopQ	TopQ PBits
QinQ/TopQ	TopQ BottomQ	TopQ PBits
QinQ/QinQ	TopQ BottomQ	TopQ PBits

bottom

The bottom parameter is mutually exclusive to the top parameter. When the bottom parameter is specified, the bottom most PBits are used (if existing) to match any dot1p dot1p-value entries. Bottom Position QinQ and TopQ SAP Dot1P Evaluation defines the dot1p evaluation behavior when the bottom parameter is specified.

Table 8. Bottom Position QinQ and TopQ SAP Dot1P Evaluation

Port/SAP Type	Existing Packet Tags	PBits Used for Match
Null	None	None
Null	Dot1P (VLAN-ID 0)	Dot1P PBits
Null	Dot1Q	Dot1Q PBits
Null	TopQ BottomQ	BottomQ PBits
Null	TopQ (No BottomQ)	TopQ PBits
Dot1Q	None (Default SAP)	None
Dot1Q	Dot1P (Default SAP VLAN-ID 0)	Dot1P PBits
Dot1Q	Dot1Q	Dot1Q PBits
QinQ/TopQ	TopQ	TopQ PBits
QinQ/TopQ	TopQ BottomQ	BottomQ PBits
QinQ/QinQ	TopQ BottomQ	BottomQ PBits

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>epipe>sap>ingress match-qinq-dot1p)

Full Context

configure service epipe sap ingress match-qinq-dot1p

Description

This command specifies which Dot1Q tag position Dot1P bits in a QinQ encapsulated packet should be used to evaluate Dot1P QoS classification.

The match-qinq-dot1p command allows the top or bottom PBits to be used when evaluating the applied sap-ingress QoS policy’s Dot1P entries. The top and bottom keywords specify which position should be evaluated for QinQ encapsulated packets.

The setting also applies to classification based on the DE indicator bit.

The no form of this command reverts the dot1p and de bits matching to the default tag.

By default, the bottom most service delineating Dot1Q tags Dot1P bits are used. Default QinQ and TopQ SAP Dot1P Evaluation defines the default behavior for Dot1P evaluation. Top or bottom must be specified to override the default QinQ dot1p behavior.

Default

no match-qinq-dot1p (no filtering based on p-bits)

Parameters

top

The top parameter is mutually exclusive to the bottom parameter. When the top parameter is specified, the top most PBits are used (if existing) to match any dot1p dot1p-value entries. Top Position QinQ dpt1p Evaluation Behavior defines the dot1p evaluation behavior when the top parameter is specified.

Table 10. Top Position QinQ dpt1p Evaluation Behavior

Port/SAP Type	Existing Packet Tags	PBits Used for Match
Null	None	None
Null	Dot1P (VLAN ID 0)	Dot1P PBits
Null	Dot1Q	Dot1Q PBits
Null	TopQ BottomQ	TopQ PBits
Null	TopQ (No BottomQ)	TopQ PBits
Dot1Q	None (Default SAP)	None
Dot1Q	Dot1P (Default SAP VLAN ID 0)	Dot1P PBits
Dot1Q	Dot1Q	Dot1Q PBits
QinQ / TopQ	TopQ	TopQ PBits
QinQ / TopQ	TopQ BottomQ	TopQ PBits
QinQ / QinQ	TopQ BottomQ	TopQ PBits

bottom

The bottom parameter and the top parameter are mutually exclusive. When the bottom parameter is specified, the bottom most PBits are used (if existing) to match any dot1p dot1p-value entries. Bottom Position QinQ and TopQ SAP Dot1P Evaluation defines the dot1p evaluation behavior when the bottom parameter is specified.

Table 11. Bottom Position QinQ and TopQ SAP Dot1P Evaluation

Port/SAP Type	Existing Packet Tags	PBits Used for Match
Null	None	None
Null	Dot1P (VLAN ID 0)	Dot1P PBits
Null	Dot1Q	Dot1Q PBits
Null	TopQ BottomQ	TopQ PBits
Null	TopQ (No BottomQ)	TopQ PBits
Dot1Q	None (Default SAP)	None
Dot1Q	Dot1P (Default SAP VLAN ID 0)	Dot1P PBits
Dot1Q	Dot1Q	Dot1Q PBits
QinQ / TopQ	TopQ	TopQ PBits
QinQ / TopQ	TopQ BottomQ	BottomQ PBits
QinQ / QinQ	TopQ BottomQ	BottomQ PBits

Table 12. Egress SAP Types

Egress SAP Type	Ingress Packet Preserved Dot1P State	Marked (or Remarked) PBits
Null	No preserved Dot1P bits	None
Null	Preserved Dot1P bits	Preserved tag PBits remarked using dot1p-value
Dot1Q	No preserved Dot1P bits	New PBits marked using dot1p-value
Dot1Q	Preserved Dot1P bits	Preserved tag PBits remarked using dot1p-value
TopQ	No preserved Dot1P bits	TopQ PBits marked using dot1p-value
TopQ	Preserved Dot1P bits (used as TopQ and BottomQ PBits)	TopQ PBits marked using dot1p-value, BottomQ PBits preserved
QinQ	No preserved Dot1P bits	TopQ PBits and BottomQ PBits marked using dot1p-value
QinQ	Preserved Dot1P bits (used as TopQ and BottomQ PBits)	TopQ PBits and BottomQ PBits marked using dot1p-value

The QinQ and TopQ SAP PBit/DEI bit marking follows the default behavior defined in the preceding table when qinq-mark-top-only is not specified.

The dot1p dot1p-value command must be configured without the qinq-mark-top-only parameter to remove the TopQ PBits only marking restriction.

A QinQ-encapsulated Ethernet port can have two different sap types:

For a TopQ SAP type, only the outer (top) tag is explicitly specified. For example, sap 1/1/1:10.*

For QinQ SAP type, both inner (bottom) and outer (top) tags are explicitly specified. For example, sap 1/1/1:10.100.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>if>sap>ingress match-qinq-dot1p)

Full Context

configure service vprn interface sap ingress match-qinq-dot1p

Description

This command specifies which Dot1Q tag position Dot1P bits in a QinQ encapsulated packet should be used to evaluate Dot1P QoS classification.

The match-qinq-dot1p command allows the top or bottom PBits to be used when evaluating the applied sap-ingress QoS policy’s Dot1P entries. The top and bottom keywords specify which position should be evaluated for QinQ encapsulated packets.

The no form of this command restores the default dot1p evaluation behavior for the SAP.

By default, the bottom most service delineating Dot1Q tags Dot1P bits are used. Dot1P Default Behavior defines the default behavior for Dot1P evaluation when the match-qinq-dot1p command is not executed.

Default

no match-qinq-dot1p - No filtering based on p-bits.

top or bottom must be specified to override the default QinQ dot1p behavior.

Parameters

top

The top parameter is mutually exclusive to the bottom parameter. When the top parameter is specified, the top most PBits are used (if existing) to match any dot1p dot1p-value entries. Dot1P Evaluation Behavior defines the dot1p evaluation behavior when the top parameter is specified.

Table 14. Dot1P Evaluation Behavior

Port / SAP Type	Existing Packet Tags	PBits Used for Match
null	none	none
null	Dot1P (VLAN-ID 0)	Dot1P PBits
null	Dot1Q	Dot1Q PBits
null	TopQ BottomQ	TopQ PBits
null	TopQ (No BottomQ)	TopQ PBits
Dot1Q	none (Default SAP)	none
Dot1Q	Dot1P (Default SAP VLAN-ID 0)	Dot1P PBits
Dot1Q	Dot1Q	Dot1Q PBits
QinQ / TopQ	TopQ	TopQ PBits
QinQ / TopQ	TopQ BottomQ	TopQ PBits
QinQ / TopQ	TopQ BottomQ	TopQ PBits

bottom

The bottom parameter is mutually exclusive to the top parameter. When the bottom parameter is specified, the bottom most PBits are used (if existing) to match any dot1p dot1p-value entries. The following tables define the bottom position QinQ and TopQ SAP dot1p evaluation and the default dot1p explicit marking actions.

Table 15. Bottom Position QinQ and TopQ SAP Dot1P Evaluation

Port / SAP Type	Existing Packet Tags	PBits Used for Match
null	none	none
null	Dot1P (VLAN-ID 0)	Dot1P PBits
null	Dot1Q	Dot1Q PBits
null	TopQ BottomQ	BottomQ PBits
null	TopQ (No BottomQ)	TopQ PBits
Dot1Q	none (default SAP)	none
Dot1Q	Dot1P (default SAP VLAN-ID 0)	Dot1P PBits
Dot1Q	Dot1Q	Dot1Q PBits
QinQ / TopQ	TopQ	TopQ PBits
QinQ / TopQ	TopQ BottomQ	BottomQ PBits
QinQ / QinQ	TopQ BottomQ	BottomQ PBits

Table 16. Default Dot1P Explicit Marking Actions

Egress SAP Type	Ingress Packet Preserved Dot1P State	Marked (or Remarked) PBits
null	no preserved Dot1P bits	none
null	preserved Dot1P bits	preserved tag PBits remarked using dot1p-value
Dot1Q	no preserved Dot1P bits	new PBits marked using dot1p-value
Dot1Q	preserved Dot1P bits	preserved tag PBits remarked using dot1p-value
TopQ	no preserved Dot1P bits	TopQ PBits marked using dot1p-value
TopQ	preserved Dot1P bits (used as TopQ and BottomQ PBits)	TopQ PBits marked using dot1p-value, BottomQ PBits preserved
QinQ	no preserved Dot1P bits	TopQ PBits and BottomQ PBits marked using dot1p-value
QinQ	preserved Dot1P bits (used as TopQ and BottomQ PBits)	TopQ PBits and BottomQ PBits marked using dot1p-value

The dot1p dot1p-value command must be configured without the qinq-mark-top-only parameter to remove the TopQ PBits only marking restriction.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>nat>nat-policy>session-limits max)

Full Context

configure service nat nat-policy session-limits max

Description

This command configures the session limit of this policy. The session limit is the maximum number of sessions allowed for a subscriber associated with this policy.

Default

max 65535

Parameters

num-sessions

Specifies the session limit.

Values

1 to 65535

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>router-advert>if max-advertisement-interval)

[Tree] (config>router>router-advert>if max-advertisement-interval)

Full Context

configure service vprn router-advertisement interface max-advertisement-interval

configure router router-advertisement interface max-advertisement-interval

Description

This command configures the maximum interval between sending router advertisement messages.

Default

max-advertisement-interval 600

Parameters

seconds

Specifies the maximum interval in seconds between sending router advertisement messages.

Values

4 to 1800

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vpls>stp max-age)

[Tree] (config>service>template>vpls-template>stp max-age)

Full Context

configure service vpls stp max-age

configure service template vpls-template stp max-age

Description

This command indicates how many hops a BPDU can traverse the network starting from the root bridge. The message age field in a BPDU transmitted by the root bridge is initialized to 0. Each other bridge will take the message_age value from BPDUs received on their root port and increment this value by 1. The message_age therefore reflects the distance from the root bridge. BPDUs with a message age exceeding max-age are ignored.

STP uses the max-age value configured in the root bridge. This value is propagated to the other bridges via the BPDUs.

The no form of this command returns the max age to the default value.

Default

max-age 20

Parameters

max-age

The max info age for the STP instance in seconds. Allowed values are integers in the range 6 to 40.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>port>ethernet>dot1x max-auth-req)

Full Context

configure port ethernet dot1x max-auth-req

Description

This command configures the maximum number of times that the router will send an access request RADIUS message to the RADIUS server. If a reply is not received from the RADIUS server after the specified number attempts, the 802.1x authentication procedure is considered to have failed.

The no form of this command returns the value to the default.

Default

max-auth-req 2

Parameters

max-auth-request

The maximum number of RADIUS retries.

Values

1 to 10

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>snmp max-bulk-duration)

Full Context

configure system snmp max-bulk-duration

Description

This command sets the maximum duration to process an SNMP request before bulk responses are returned to avoid a timeout on the management system when a lot of information is returned in the response.

Default

no max-bulk-duration

Parameters

milliseconds

Specifies the maximum duration to process requests before bulk responses are returned.

Values

100 to 5000

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>rsvp>msg-pacing max-burst)

Full Context

configure router rsvp msg-pacing max-burst

Description

This command specifies the maximum number of RSVP messages that are sent in the specified period under normal operating conditions.

Default

max-burst 650

Parameters

number

Specifies the maximum number of RSVP messages to be sent in increments of 10.

Values

100 to 1000

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>mpls max-bypass-associations)

Full Context

configure router mpls max-bypass-associations

Description

This command allows the user to set a maximum number of LSP primary path associations with each manual or dynamic bypass LSP that is created in the system.

By default, a Point of Local Repair (PLR) node will associate a maximum of 1000 primary LSP paths with a given bypass before using the next available manual bypass or signaling a new dynamic bypass.

Note that a new bypass LSP may need to be signaled if the constraint of a given primary LSP path is not met by an existing bypass LSP even if the max-bypass-associations for this bypass LSP has not been reached.

The no form of this command reinstates the default value of this parameter.

Default

max-bypass-associations 1000

Parameters

integer

Configures the number of LSP primary path associations

Values

100 to 131072

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>mpls max-bypass-plr-associations)

Full Context

configure router mpls max-bypass-plr-associations

Description

This command enables the configuration of the maximum number of Points of Local Repair (PLRs) per RSVP-TE bypass LSP.

A PLR summarizes the constraints applied to the computation of the path of the bypass LSP. It consists of the avoid link/node constraint, and potentially other TE constraints such as exclude SRLG, that are needed to protect against the failure of the primary path of the RSVP-TE LSP that is associated with this bypass LSP.

Additional PLRs with the same avoid link/node constraint are associated with the same bypass to minimize the number of bypass LSPs created. This command controls the maximum number of such PLRs.

Because MPLS saves only the PLR constraints of the first LSP that triggered the dynamic bypass creation, subsequent LSPs for the same avoid link/node and with the non-strict bypass SRLG disjointness enabled may be associated with the same bypass. This is even in cases where there exists a bypass LSP path that strictly satisfies the SRLG constraint.

When the maximum PLRs per bypass is configured with a value of 1, MPLS triggers the signaling of a new dynamic bypass LSP for each new PLR and saves each PLR constraint separately with its own bypass. As a result, when MPLS re-optimizes a bypass LSP it guarantees that SRLG disjointness of that PLR are checked and enforced.

The no form of this command returns the command to its default value.

Default

max-bypass-plr-associations 16

Parameters

plr-value

Configures the number of LSP primary path associations

Values

1 to 16

Default

16

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>login-control>ssh max-channels-per-connection)

Full Context

configure system login-control ssh max-channels-per-connection

Description

This command configures the maximum number of channels supported on an SSH connection.

The no form of this command configures this value to 5, which is the default.

Default

max-channels-per-connection 5

Parameters

number-of-channels

Specifies the number of channels.

Values

1 to 50

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>alarms max-cleared)

Full Context

configure system alarms max-cleared

Description

This command configures the maximum number of cleared alarms that the system will store and display.

Default

max-cleared 500

Parameters

maximum

Specifies the maximum number of cleared alarms, up to 500.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>script-control>script-policy max-completed)

Full Context

configure system script-control script-policy max-completed

Description

This command is used to configure the maximum number of script run history status entries to keep.

Default

max-completed 1

Parameters

unsigned

Specifies the maximum number of script run history status entries to keep.

Values

1 to 1500

Default

1

Platforms

7705 SAR Gen 2

Context

[Tree] (config>test-oam>twamp>server>prefix max-conn-prefix)

Full Context

configure test-oam twamp server prefix max-conn-prefix

Description

This command configures the maximum number of control connections by clients with an IP address in a specific prefix. A new control connection is rejected if accepting it would cause either the prefix limit defined by this command or the server limit (max-conn-server) to be exceeded.

The no form of this command returns the value to the default.

Default

max-conn-prefix 32

Parameters

count

Specifies the maximum number of control connections.

Values

0 to 64

Default

32

Platforms

7705 SAR Gen 2

Context

[Tree] (config>test-oam>twamp>server max-conn-server)

Full Context

configure test-oam twamp server max-conn-server

Description

This command configures the maximum number of TWAMP control connections from all TWAMP clients. A new control connection is rejected if accepting it would cause either this limit or a prefix limit (max-conn-prefix) to be exceeded.

The no form of this command returns the value to the default.

Default

max-conn-server 32

Parameters

count

Specifies the maximum number of control connections.

Values

0 to 64

Default

32

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>sdp>keep-alive max-drop-count)

Full Context

configure service sdp keep-alive max-drop-count

Description

This command configures the number of consecutive SDP keepalive failed request attempts or remote replies that can be missed after which the SDP is operationally downed. If the max-drop-count consecutive keepalive request messages cannot be sent or no replies are received, the SDP-ID will be brought operationally down by the keepalive SDP monitoring.

The no form of this command reverts the max-drop-count count value to the default settings.

Default

max-drop-count 3

Parameters

count

Specifies the number of consecutive SDP keepalive requests that are failed to be sent or replies missed, expressed as a decimal integer.

Values

1 to 5

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>ldp max-ecmp-routes)

Full Context

configure router ldp max-ecmp-routes

Description

This command sets the maximum number of ECMP routes that LDP may use to resolve the next hop for a FEC.

The no form of this command reverts to the default value.

Default

max-ecmp-routes 32

Parameters

max-routes

Specifies the maximum number of routes.

Values

1 to 64

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>igmp>if max-groups)

Full Context

configure service vprn igmp interface max-groups

Description

This command configures the maximum number of groups for which IGMP can have local receiver information based on received IGMP reports on this interface. When this configuration is changed dynamically to a value lower than currently accepted number of groups, the groups that are already accepted are not deleted. Only new groups will not be allowed.

The no form of this command removes the value.

Parameters

max-groups

Specifies the maximum number of groups for this interface.

Values

1 to 16000

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>mld>if max-groups)

Full Context

configure service vprn mld interface max-groups

Description

This command specifies the maximum number of groups for which MLD can have local receiver information based on received MLD reports on this interface. When this configuration is changed dynamically to a value lower than the currently accepted number of groups, the groups that are already accepted are not deleted. Only new groups will not be allowed.

Default

0 (no limit to the number of groups)

Parameters

value

Specifies the maximum number of groups for this interface.

Values

1 to 16000

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>pim>if max-groups)

Full Context

configure service vprn pim interface max-groups

Description

This command configures the maximum number of groups for which PIM can have downstream state based on received PIM Joins on this interface. This does not include IGMP local receivers on the interface. When this configuration is changed dynamically to a value lower than the currently accepted number of groups, the groups that are already accepted are not deleted. Only new groups will not be allowed. When this object has a value of 0, there is no limit to the number of groups.

Parameters

value

Specifies the maximum number of groups for this interface.

Values

1 to 16000

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>igmp>if max-groups)

Full Context

configure router igmp interface max-groups

Description

This command specifies the maximum number of groups for which IGMP can have local receiver information based on received IGMP reports on this interface. When this configuration is changed dynamically to a value lower than the currently accepted number of groups, the groups that are already accepted are not deleted. Only new groups will not be allowed. This command is applicable for IPv4 and IPv6.

The no form of the command sets no limit to the number of groups.

Default

no max-groups

Parameters

value

Specifies the maximum number of groups for this interface.

Values

1 to 16000

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>mld>if max-groups)

Full Context

configure router mld interface max-groups

Description

This command specifies the maximum number of groups for which MLD can have local receiver information based on received MLD reports on this interface. When this configuration is changed dynamically to a value lower than the currently accepted number of groups, the groups that are already accepted are not deleted. New groups are not allowed.

The no form of this command reverts to the default value.

Default

max-groups 0 (no limit to the number of groups)

Parameters

1..16000

Specifies the maximum number of groups for this interface.

Values

1 to 16000

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>pim>interface max-groups)

Full Context

configure router pim interface max-groups

Description

This command specifies the maximum number of groups for which PIM can have local receiver information based on received PIM reports on this interface. When this configuration is changed dynamically to a value lower than the currently accepted number of groups, the groups that are already accepted are not deleted. Only new groups will not be allowed. This command is applicable for IPv4 and IPv6.

The no form of this command sets no limit to the number of groups.

Default

no max-groups

Parameters

value

Specifies the maximum number of groups for this interface.

Values

1 to 16000

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>igmp>if max-grp-sources)

[Tree] (config>service>vprn>mld>interface max-grp-sources)

Full Context

configure service vprn igmp interface max-grp-sources

configure service vprn mld interface max-grp-sources

Description

This command configures the maximum number of group sources for which IGMP can have local receiver information based on received IGMP reports on this interface. When this configuration is changed dynamically to a value lower than currently accepted number of group sources, the group sources that are already accepted are not deleted. Only new group sources will not be allowed.

The no form of this command reverts to the default.

Default

max-grp-sources 0

Parameters

max-grp-sources

Specifies the maximum number of group source.

Values

1 to 32000

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>igmp>if max-grp-sources)

Full Context

configure router igmp interface max-grp-sources

Description

This command configures the maximum number of group sources for which IGMP can have local receiver information based on received IGMP reports on this interface. When this configuration is changed dynamically to a value lower than currently accepted number of group sources, the group sources that are already accepted are not deleted. Only new group sources will not be allowed.

The no form of the command reverts to the default.

Default

no max-grp-sources

Parameters

value

Specifies the maximum number of group sources.

Values

1 to 32000

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>mld>if max-grp-sources)

Full Context

configure router mld interface max-grp-sources

Description

This command configures the maximum number of group sources for which MLD can have local receiver information based on received IGMP reports on this interface. When this configuration is changed dynamically to a value lower than currently accepted number of group sources, the group sources that are already accepted are not deleted. Only new group sources will not be allowed.

The no form of this command reverts to the default.

Default

max-grp-sources 0 (no limit to the number of sources)

Parameters

grp-source

Specifies the maximum number of group sources.

Values

1 to 32000

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>if>ipsec>ipsec-tunnel max-history-esp-key-records)

[Tree] (config>service>vprn>if>sap>ipsec-gw max-history-esp-key-records)

[Tree] (config>service>vprn>if>ipsec>ipsec-tunnel max-history-esp-key-records)

[Tree] (config>ipsec>trans-mode-prof max-history-esp-key-records)

[Tree] (config>service>ies>if>sap>ipsec-gw max-history-esp-key-records)

[Tree] (config>service>ies>if>ipsec>ipsec-tunnel max-history-esp-key-records)

[Tree] (config>service>vprn>if>sap>ipsec-tunnel max-history-esp-key-records)

Full Context

configure router interface ipsec ipsec-tunnel max-history-esp-key-records

configure service vprn interface sap ipsec-gw max-history-esp-key-records

configure service vprn interface ipsec ipsec-tunnel max-history-esp-key-records

configure ipsec ipsec-transport-mode-profile max-history-esp-key-records

configure service ies interface sap ipsec-gw max-history-esp-key-records

configure service ies interface ipsec ipsec-tunnel max-history-esp-key-records

configure service vprn interface sap ipsec-tunnel max-history-esp-key-records

Description

This command enables the system to keep records of CHILD-SA keys. There is a system wide limit of maximum number of IPsec tunnels that save keys. If the number of tunnel exceeds that limit, the system does not save keys for the new tunnels. Contact Nokia support for details of the limitation.

This command is ignored if the config>ipsec>no show-ipsec-keys command is configured.

The no form of this command prevents the system from keeping records.

Default

no max-history-esp-key-records

Parameters

max-records

Specifies the maximum number of recent records.

Values

1 to 48

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>ies>if>sap>ipsec-gw max-history-ike-key-records)

[Tree] (config>service>vprn>if>sap>ipsec-tunnel max-history-ike-key-records)

[Tree] (config>ipsec>trans-mode-prof max-history-ike-key-records)

[Tree] (config>service>ies>if>ipsec>ipsec-tunnel max-history-ike-key-records)

[Tree] (config>service>vprn>if>sap>ipsec-gw max-history-ike-key-records)

[Tree] (config>service>vprn>if>ipsec>ipsec-tunnel max-history-ike-key-records)

Full Context

configure service ies interface sap ipsec-gw max-history-ike-key-records

configure service vprn interface sap ipsec-tunnel max-history-ike-key-records

configure ipsec ipsec-transport-mode-profile max-history-ike-key-records

configure service ies interface ipsec ipsec-tunnel max-history-ike-key-records

configure service vprn interface sap ipsec-gw max-history-ike-key-records

configure service vprn interface ipsec ipsec-tunnel max-history-ike-key-records

Description

This command enables the system to keep records of IKE-SA keys for the corresponding ipsec-gw, ipsec-tunnel, or ipsec-transport-mode-profile.

This command is ignored if the config>ipsec>no show-ipsec-keys command is enabled. There is a system-wide limit for the maximum number of IPsec tunnels that save keys. If the number of tunnels exceeds that limit, the system does not save keys for the new tunnels. Contact Nokia support for details of the limitation.

The no form of this command prevents the system from keeping records.

Default

no max-history-ike-key-records

Parameters

max-records

Specifies the maximum number of recent records.

Values

1 to 3

Platforms

7705 SAR Gen 2

Context

[Tree] (config>router>dhcp>server>pool max-lease-time)

Full Context

configure router dhcp local-dhcp-server pool max-lease-time

Description

This command configures the maximum lease time.

The no form of this command reverts to the default.

Default

max-lease-time days 10

Parameters

max-lease-time

Specifies the maximum lease time.

Values

days	0 to 3650
hours	0 to 23
minutes	0 to 59
seconds	0 to 59

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>telemetry>notification-bundling max-msg-count)

Full Context

configure system telemetry notification-bundling max-msg-count

Description

This command sets the maximum number of notifications that can be bundled in a single telemetry message.

The no form of this command returns the message count to the default value.

Default

max-msg-count 100

Parameters

count

Specifies the maximum of notifications that can be bundled in a single telemetry message.

Values

2 to 1000

Platforms

7705 SAR Gen 2

Context

[Tree] (config>system>grpc max-msg-size)

Full Context

configure system grpc max-msg-size

Description

This command configures the maximum rx message size that can be received.

The no form of this command reverts to the default.

Default

max-msg-size 512

Parameters

number

Specifies the message size, in MB.

Values

1 to 1024

Default

512

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>template>vpls-sap-template max-nbr-mac-addr)

[Tree] (config>service>vpls>spoke-sdp max-nbr-mac-addr)

[Tree] (config>service>vpls>sap max-nbr-mac-addr)

Full Context

configure service template vpls-sap-template max-nbr-mac-addr

configure service vpls spoke-sdp max-nbr-mac-addr

configure service vpls sap max-nbr-mac-addr

Description

This command specifies the maximum number of FDB entries for both learned and static MAC addresses for this instance.

When the configured limit is reached, no new addresses are learned from the SAP or spoke SDP until at least one FDB entry is aged out or cleared.

When the configured limit is reached and the discard-unknown-source command is enabled for this instance, packets with unknown source MAC addresses are discarded. If discard-unknown-source is disabled, the packets are forwarded if their destination MAC addresses are known, or flooded if their destination MAC addresses are unknown.

However, if the configure service vpls discard-unknown command is enabled, packets with unknown destination MAC addresses are discarded, even if the limit of FDB entries on the specific VPLS instance is not reached.

The no form of this command restores the global MAC learning limitations for this instance.

Default

no max-nbr-mac-addr

Parameters

table-size

Specifies the maximum number of learned and static entries allowed in the FDB of this service.

Values

1 to 32767

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>pw-template max-nbr-mac-addr)

Full Context

configure service pw-template max-nbr-mac-addr

Description

This command specifies the maximum number of FDB entries for both learned and static MAC addresses for this instance.

When the configured limit is reached, no new addresses are learned from the SAP or spoke SDP until at least one FDB entry is aged out or cleared.

When the configured limit is reached and the discard-unknown-source command is enabled for this instance, packets with unknown source MAC addresses are discarded. If discard-unknown-source is disabled, the packets are forwarded if their destination MAC addresses are known, or flooded if their destination MAC addresses are unknown.

However, if the configure service vpls discard-unknown command is enabled, packets with unknown destination MAC addresses are discarded, even if the limit of FDB entries on the specific VPLS instance is not reached.

The no form of this command restores the global MAC learning limitations for this instance.

Default

no max-nbr-mac-addr

Parameters

table-size

Specifies the maximum number of learned and static entries allowed in the FDB of this service.

Values

1 to 32767

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vpls>endpoint max-nbr-mac-addr)

Full Context

configure service vpls endpoint max-nbr-mac-addr

Description

This command specifies the maximum number of FDB entries for both learned and static MAC addresses for this instance.

When the configured limit is reached, no new addresses are learned from the SAP or spoke SDP until at least one FDB entry is aged out or cleared. Packets with unknown source MAC addresses are still forwarded if their destination MAC addresses are known, or flooded if their destination MAC addresses are unknown.

The no form of this command restores the global MAC learning limitations for this instance.

Default

no max-nbr-mac-addr

Parameters

table-size

Specifies the maximum number of learned and static entries allowed in the FDB of this service.

Values

1 to 32767

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vpls>spoke-sdp>mld-snooping max-num-groups)

[Tree] (config>service>vpls>mesh-sdp>igmp-snooping max-num-groups)

[Tree] (config>service>vpls>sap>igmp-snooping max-num-groups)

[Tree] (config>service>vpls>spoke-sdp>igmp-snooping max-num-groups)

[Tree] (config>service>vpls>sap>mld-snooping max-num-groups)

[Tree] (config>service>vpls>mesh-sdp>mld-snooping max-num-groups)

Full Context

configure service vpls spoke-sdp mld-snooping max-num-groups

configure service vpls mesh-sdp igmp-snooping max-num-groups

configure service vpls sap igmp-snooping max-num-groups

configure service vpls spoke-sdp igmp-snooping max-num-groups

configure service vpls sap mld-snooping max-num-groups

configure service vpls mesh-sdp mld-snooping max-num-groups

Description

This command defines the maximum number of multicast groups that can be joined on this SAP or SDP. If the node receives an IGMP join message that would exceed the configured number of groups, the request is ignored.

The no form of this command reverts to the default value.

Default

no max-num-groups

Parameters

count

Specifies the maximum number of groups that can be joined on this SAP or SDP.

Values

1 to 1000

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>pw-template>igmp-snooping max-num-groups)

Full Context

configure service pw-template igmp-snooping max-num-groups

Description

This command defines the maximum number of multicast groups that can be joined. If the router receives an IGMP join message that would exceed the configured number of groups, the request is ignored.

Default

no max-num-groups

Parameters

count

Specifies the maximum number of groups that can be joined.

Values

1 to 1000

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vpls>sap>igmp-snooping max-num-grp-sources)

[Tree] (config>service>vpls>spoke-sdp>igmp-snooping max-num-grp-sources)

[Tree] (config>service>vpls>mesh-sdp>igmp-snooping max-num-grp-sources)

Full Context

configure service vpls sap igmp-snooping max-num-grp-sources

configure service vpls spoke-sdp igmp-snooping max-num-grp-sources

configure service vpls mesh-sdp igmp-snooping max-num-grp-sources

Description

This command defines the maximum number of multicast SGs that can be joined on this SAP or SDP. If the node receives an IGMP join message that would exceed the configured number of SGs, the request is ignored.

The no form of this command disables the check.

Default

no max-num-grp-sources

Parameters

1 to 32000

Specifies the maximum number of multicast sources allowed to be tracked per group.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vpls>mesh-sdp>igmp-snooping max-num-sources)

[Tree] (config>service>vpls>spoke-sdp>igmp-snooping max-num-sources)

[Tree] (config>service>vpls>sap>igmp-snooping max-num-sources)

Full Context

configure service vpls mesh-sdp igmp-snooping max-num-sources

configure service vpls spoke-sdp igmp-snooping max-num-sources

configure service vpls sap igmp-snooping max-num-sources

Description

This command defines the maximum number of multicast sources that can be joined on this SAP or SDP. If the node receives an IGMP join message that would exceed the configured number of sources, the request is ignored.

The no form of this command removes the value from the configuration.

Parameters

max-num-sources

Specifies the maximum number of multicast sources allowed per group.

Values

1 to 1000

Platforms

7705 SAR Gen 2

Context

[Tree] (config>port>ethernet>dot1x>macsec>sub-port max-peer)

Full Context

configure port ethernet dot1x macsec sub-port max-peer

Description

This command configures the max peer allowed under this MACsec instance.

The no form of this command returns the value to the default.

Default

no max-peer

Parameters

max-peer

The maximum number of peers supported on this port.

Values

0 to 32

Platforms

7705 SAR Gen 2

Context

[Tree] (config>qos>plcr-ctrl-plcy>root max-percent-rate)

Full Context

configure qos policer-control-policy root max-percent-rate

Description

This command configures the maximum percentage rate for the policer control policy.

The no form of this command removes the configuration.

Parameters

percentage

Specifies the percentage.

Values

0.01 to 100.00

local-limit

Keyword used to specify the local limit.

reference-port-limit

Keyword used to specify the reference port limit.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>card>fp>ingress>acc>qgrp>policer-ctrl-over max-rate)

[Tree] (config>card>fp>ingress>network>qgrp>policer-ctrl-over max-rate)

Full Context

configure card fp ingress access queue-group policer-control-override max-rate

configure card fp ingress network queue-group policer-control-override max-rate

Description

This command defines the parent policer’s PIR leaky bucket’s decrement rate. A parent policer is created for each time the policer-control-policy is applied to either a SAP or subscriber instance. Packets that are not discarded by the child policers associated with the SAP or subscriber instance are evaluated against the parent policer’s PIR leaky bucket.

For each packet, the bucket is first decremented by the correct amount based on the decrement rate to derive the current bucket depth. The current depth is then compared to one of two discard thresholds associated with the packet. The first discard threshold (discard-unfair) is applied if the FIR (Fair Information Rate) leaky bucket in the packet’s child policer is in the confirming state. The second discard threshold (discard-all) is applied if the child policer's FIR leaky bucket is in the exceed state. Only one of the two thresholds is applied per packet. If the current depth of the parent policer PIR bucket is less than the threshold value, the parent PIR bucket is in the conform state for that particular packet. If the depth is equal to or greater than the applied threshold, the bucket is in the violate state for the packet.

If the result is "conform,” the bucket depth is increased by the size of the packet (plus or minus the per-packet-offset setting in the child policer) and the packet is not discarded by the parent policer. If the result is "violate,” the bucket depth is not increased and the packet is discarded by the parent policer. When the parent policer discards a packet, any bucket depth increases (PIR, CIR and FIR) in the parent policer caused by the packet are canceled. This prevents packets that are discarded by the parent policer from consuming the child policers PIR, CIR and FIR bandwidth.

The policer-control-policy root max-rate setting may be overridden on each SAP or sub-profile where the policy is applied.

The no form of this command returns the policer-control-policy’s parent policer maximum rate to max.

Default

max-rate max

Parameters

rate

Specifies that a kilobits-per-second value is mutually exclusive with the max keyword. The kilobits-per-second value must be defined as an integer that represents the number of kilobytes that the parent policer will be decremented per second. The actual decrement is performed per packet based on the time that has elapsed since the last packet associated with the parent policer.

Values

0 to 2000000000

max

The max keyword is mutually exclusive with defining a kilobits-per-second value. When max is specified, the parent policer does not enforce a maximum rate on the aggregate throughput of the child policers. This is the default setting when the policer-control-policy is first created and is the value that the parent policer returns to when no max-rate is executed. In order for the parent policer to be effective, a kilobits-per-second value should be specified.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>port>ethernet>egr-scheduler-override max-rate)

Full Context

configure port ethernet egress-scheduler-override max-rate

Description

This command overrides the max-rate parameter found in the port-scheduler-policy associated with the port. When a max-rate is defined at the port or channel level, the port scheduler policies max-rate parameter is ignored.

The egress-scheduler-override max-rate command supports a parameter that allows the override command to restore the default of not having a rate limit on the port scheduler. This is helpful when the port scheduler policy has an explicit maximum rate defined and it is desirable to remove this limit at the port instance.

The no form of this command removes the maximum rate override from the egress port or channels port scheduler context. Once removed, the max-rate parameter from the port scheduler policy associated with the port or channel will be used by the local scheduler context.

Parameters

pir-rate

Specifies the explicit maximum frame based bandwidth limit, in kilobits per second. This value overrides the QoS scheduler policy rate.

Values

For Ethernet: 1 to 6400000000, max

For SONET-SDH and TDM: 1 to 3200000000, max

percent-rate

Specifies the percent rate.

Values

0.01 to 100.00

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>epipe>sap>ingress>policer-control-override max-rate)

[Tree] (config>service>epipe>sap>egress>policer-control-override max-rate)

Full Context

configure service epipe sap ingress policer-control-override max-rate

configure service epipe sap egress policer-control-override max-rate

Description

This command, within the SAP ingress and egress contexts, overrides the root arbiter parent policer max-rate that is defined within the policer-control-policy applied to the SAP.

When the override is defined, modifications to the policer-control-policy max-rate parameter have no effect on the SAP’s parent policer until the override is removed using the no max-rate command within the SAP.

The no form of this command returns the policer-control-policy’s parent policer maximum rate to max.

Parameters

rate

Specifies the rate override in kilobits per second.

Values

1 to 6400000000

max

Specifies the maximum rate override.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vpls>sap>ingress>policer-ctrl-over max-rate)

[Tree] (config>service>vpls>sap>egress>policer-ctrl-over max-rate)

Full Context

configure service vpls sap ingress policer-control-override max-rate

configure service vpls sap egress policer-control-override max-rate

Description

This command, within the SAP ingress and egress contexts, overrides the root arbiter parent policer max-rate that is defined within the policer-control-policy applied to the SAP.

When the override is defined, modifications to the policer-control-policy max-rate parameter have no effect on the SAP’s parent policer until the override is removed using the no max-rate command within the SAP.

The no form of this command removes an explicit rate value from the aggregate rate therefore returning it to its default value.

Parameters

rate | max

Specifies the max rate override in kilobits per second or use the maximum

Values

1 to 6400000000, max

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>ies>if>sap>ingress>policer-ctrl-over max-rate)

[Tree] (config>service>ies>if>sap>egress>policer-ctrl-over max-rate)

Full Context

configure service ies interface sap ingress policer-control-override max-rate

configure service ies interface sap egress policer-control-override max-rate

Description

This command, within the SAP ingress and egress contexts, overrides the root arbiter parent policer max-rate that is defined within the policer-control-policy applied to the SAP.

When the override is defined, modifications to the policer-control-policy max-rate parameter have no effect on the SAP’s parent policer until the override is removed using the no max-rate command within the SAP.

Parameters

rate | max

Specifies the rate override in kilobits per second or use the maximum override value.

Values

1 to 6400000000, max

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>if>sap>egress>policer-ctrl-over max-rate)

[Tree] (config>service>vprn>if>sap>ingress>policer-ctrl-over max-rate)

Full Context

configure service vprn interface sap egress policer-control-override max-rate

configure service vprn interface sap ingress policer-control-override max-rate

Description

This command, within the SAP ingress and egress contexts, overrides the root arbiter parent policer max-rate that is defined within the policer-control-policy applied to the SAP.

When the override is defined, modifications to the policer-control-policy max-rate parameter have no effect on the SAP’s parent policer until the override is removed using the no max-rate command within the SAP.

The no form of this command returns the policer-control-policy’s parent policer maximum rate to max.

Parameters

rate | max

Specifies the rate override in kilobits per second or use the maximum override value.

Values

1 to 6400000000, max

Platforms

7705 SAR Gen 2

Context

[Tree] (config>qos>plcr-ctrl-plcy>root max-rate)

Full Context

configure qos policer-control-policy root max-rate

Description

The max-rate command defines the parent policer’s PIR leaky bucket’s decrement rate. A parent policer is created for each time the policer-control-policy is applied to either a SAP or subscriber instance. Packets that are not discarded by the child policers associated with the SAP or subscriber or multiservice site instances are evaluated against the parent policer’s PIR leaky bucket.

For each packet, the bucket is first decremented by the correct amount based on the decrement rate to derive the current bucket depth. The current depth is then compared to one of two discard thresholds associated with the packet. The first discard threshold (discard-unfair) is applied if the FIR (Fair Information Rate) leaky bucket in the packet’s child policer is in the confirming state. The second discard threshold (discard-all) is applied if the child policer's FIR leaky bucket is in the exceed state. Only one of the two thresholds is applied per packet. If the current depth of the parent policer PIR bucket is less than the threshold value, the parent PIR bucket is in the conform state for that particular packet. If the depth is equal to or greater than the applied threshold, the bucket is in the violate state for the packet.

If the result is "conform,” the bucket depth is increased by the size of the packet (plus or minus the per-packet-offset setting in the child policer) and the packet is not discarded by the parent policer. If the result is "violate,” the bucket depth is not increased and the packet is discarded by the parent policer. When the parent policer discards a packet, any bucket depth increases (PIR, CIR and FIR) in the parent policer caused by the packet are canceled. This prevents packets that are discarded by the parent policer from consuming the child policers PIR, CIR, and FIR bandwidth.

The policer-control-policy root max-rate setting may be overridden on each SAP or sub-profile where the policy is applied.

The no form of this command returns the policer-control-policy’s parent policer maximum rate to max.

Parameters

rate

The kilobits-per-second value must be defined as an integer that represents the number of kilobytes that the parent policer will be decremented per second. The actual decrement is performed per packet, based on the time that has elapsed since the last packet associated with the parent policer.

Values

1 to 6400000000, max

max

When max is specified, the parent policer does not enforce a maximum rate on the aggregate throughput of the child policers. This is the default setting when the policer-control-policy is first created and is the value that the parent policer returns to when no max-rate is executed. In order for the parent policer to be effective, a kilobits-per-second value should be specified.

Platforms

7705 SAR Gen 2

Context

[Tree] (config>qos>port-scheduler-policy max-rate)

Full Context

configure qos port-scheduler-policy max-rate

Description

This command defines an explicit maximum frame-based bandwidth limit for the port scheduler policies scheduler context. By default, when a scheduler policy is associated with a port or channel, the instance of the scheduler on the port automatically limits the bandwidth to the lesser of port or channel line rate and a possible egress-rate value (for Ethernet ports). If a max-rate is defined that is smaller than the port or channel rate, the expressed kilobits per second value is used instead. The max-rate command is another way to sub-rate the port or channel.

The max-rate command may be executed at any time for an existing port-scheduler-policy. When a new max-rate is given for a policy, the system evaluates all instances of the policy to see if the configured rate is smaller than the available port or channel bandwidth. If the rate is smaller and the maximum rate is not currently overridden on the scheduler instance, the scheduler instance is updated with the new maximum rate value.

The max-rate value defined in the policy may be overridden on each scheduler instance. If the maximum rate is explicitly defined as an override on a port or channel, the policies max-rate value has no effect.

The no form of this command removes an explicit rate value from the port scheduler policy. When removed, all instances of the scheduler policy on egress ports or channel are allowed to run at the available line rate unless the instance has a max-rate override in place.

Parameters

pir-rate

Specifies the PIR rate, in kilobits per second.

Values

1 to 6400000000, max

percent percent-rate

Specifies the percent rate.

Values

0.01 to 100.00

Platforms

7705 SAR Gen 2

Context

[Tree] (config>test-oam>twamp>server>prefix max-sess-prefix)

Full Context

configure test-oam twamp server prefix max-sess-prefix

Description

This command configures the maximum number of concurrent TWAMP-Test sessions by clients with an IP address in a specific prefix. A new test session (described by a Request-TW-Session message) is rejected if accepting it would cause either the limit defined by this command or the server limit (max-sess-server) to be exceeded.

The no form of this command returns the value to the default.

Default

max-sess-prefix 32

Parameters

count

Specifies the maximum number of concurrent test sessions.

Values

0 to 128

Default

32

Platforms

7705 SAR Gen 2

Context

[Tree] (config>test-oam>twamp>server max-sess-server)

Full Context

configure test-oam twamp server max-sess-server

Description

This command configures the maximum number of concurrent TWAMP-Test sessions across all allowed clients. A new test session (described by a Request-TW-Session message) is rejected if accepting it would cause either the limit defined by this command or a prefix limit (max-sess-prefix) to be exceeded.

The no form of this command returns the value to the default.

Default

max-sess-server 32

Parameters

count

Specifies the maximum number of concurrent test sessions.

Values

0 to 128

Default

32

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>bgp>group>dynamic-neighbor>interface max-sessions)

[Tree] (config>router>bgp>group>dynamic-neighbor>interface max-sessions)

Full Context

configure service vprn bgp group dynamic-neighbor interface max-sessions

configure router bgp group dynamic-neighbor interface max-sessions

Description

This command configures the maximum number of dynamic sessions that are allowed to be set up on the interface as a result of accepting sessions from link-local addresses or initiating sessions by receiving IPv6 router advertisements.

Default

max-sessions 1

Parameters

number

Specifies the maximum number of sessions.

Values

1 to 255

Platforms

7705 SAR Gen 2

Context

[Tree] (config>service>vprn>mld>interface max-sources)