Multiservice Integrated Service Adapter and Extended Services Appliance

The 7705 SAR-Hm series of routers supports the Multiservice Integrated Adapter (MS-ISA) as covered in the following topics:

IP tunnels

This section describes IPSec secured interface over cellular functionality:

For general information about IP tunnel support, see the following topics in the 7450 ESS, 7750 SR, and VSR Multiservice ISA and ESA Guide, "IP tunnels":

  • IP tunnels overview

    • Tunnel ISAs

    • IPsec tunnel types

    • Operational conditions

    • QoS interactions

    • OAM interactions

    • Statistics collection

    • Security

    • IKEv2

    • SHA2 support

    • IPSec client lockout

    • IPSec tunnel CHILD_SA rekey

    • Multiple IKE/ESP transform support

    • Reverse routes for dynamic LAN-to-LAN IPsec tunnels

  • Using certificates for IPSec tunnel authentication

  • Trust-anchor profile

  • Cert-profile

  • IPSec deployment requirements

  • IKEv2 remote-access tunnel

  • Secured interface

  • IPsec client database

  • IPsec transport mode protected IP tunnel

  • Configuring IPSec with CLI

To configure and enable IP tunnels, the virtualized tunnel ISA MDA (isa-tunnel-v) must be configured in slot 5 or 6 on the router. See the 7705 SAR-Hm and SAR-Hmc Interface Configuration Guide for information.

IPSec secured interface over cellular

The 7705 SAR-Hm series of routers supports IPSec secured interfaces over cellular interfaces.

IPSec secured interface over a cellular interface shows an example of an IPSec secured interface deployment over a cellular interface in a dual SIM environment.

Figure 1. IPSec secured interface over a cellular interface

With IPSec secured interfaces, static IPSec tunnels can be created under the PDN router interface associated for each SIM. When the SIM is active and the node attaches to the cellular network, the PDN router interface becomes operational. At that time, IPSec secured interface tunnels configured on the interface also begin to establish toward the security gateway they are configured to connect to. When the tunnel is established, data traffic traverses the IPSec secured interface. In IPSec secured interface over a cellular interface, only the pair of tunnels associated with the active SIM is operational.

The tunnel pair on the second PDN router interface is kept down and becomes operational when the second SIM becomes active.

Each IPSec secured interface tunnel is associated with one service. The supported service types are IES and VPRN.

Each service that needs to be secured over the PDN router interface must be configured with its own IPSec secured interface tunnel. For example if VPRN1, VPRN2, and VPRN3 all need to be secured, then three different IPSec secured interfaces are required, one for each service.

IPSec secured interface is supported on IPv4 and IPv6 PDN router interfaces.

The following CLI output shows an example of IPSec secured interface configured on an IPv6 PDN router interface:

#--------------------------------------------------
echo "ISA Configuration"
#--------------------------------------------------
    isa
        tunnel-group 1 isa-scale-mode tunnel-limit-32 create
            reassembly 2000
            multi-active
            mda 1/5
            no shutdown
        exit
    exit
#--------------------------------------------------
echo "Router (Network Side) Configuration"
#--------------------------------------------------
    router Base
        interface "lte-interface1" pdn
            port 1/1/1
            ip-mtu 1500
            ipv6
            exit
            no shutdown
        exit
#--------------------------------------------------
echo "IPsec Configuration"
#--------------------------------------------------
    ipsec
        ike-transform 1 create
            dh-group 21
            ike-auth-algorithm sha384
            ike-encryption-algorithm des
        exit
        ike-policy 1 create
            ike-version 2
            dpd interval 10
            ike-transform 1
        exit
        ipsec-transform 1 create
            esp-auth-algorithm auth-encryption
            esp-encryption-algorithm aes256-gcm8
        exit
    exit
#--------------------------------------------------
echo "Service Configuration"
#--------------------------------------------------
    service
        vprn 1 name "vprn1" customer 1 create
            ipsec
                security-policy 1 create
                    entry 1 create
                        local-v6-ip 463c:f068:d815:e0ee:7ecf:5660::/96
                        remote-v6-ip c97e:a8fa:1785:52d7:9bb8:9b3b::/96
                    exit
                    entry 2 create
                        local-v6-ip 463c:f068:d815:e0ee:7ecf:5661::/96
                        remote-v6-ip c97e:a8fa:1785:52d7:9bb8:9b3c::/96
                    exit
                exit
            exit
            route-distinguisher 1.1.1.1:52
            static-route-entry c97e:a8fa:1785:52d7:9bb8::/80
                ipsec-tunnel "tunnel1-vprn1"
                    no shutdown
                exit
            exit
            no shutdown
        exit
    exit
#--------------------------------------------------
echo "Router (Service Side) Configuration"
#--------------------------------------------------
    router Base
        interface "lte-interface1" pdn
            ipsec tunnel-group 1 public-sap 1
                ipsec-tunnel "tunnel1-vprn1" private-sap 1 private-service-
name "vprn1" create
                    encapsulated-ip-mtu 1300
                    remote-gateway-address 2001:90:10:3::2
                    security-policy 1
                    dynamic-keying
                        ike-policy 1
                        pre-shared-key "2KMbfx1sfSVdLxLEJsuVhs/
hfa42V3XyCZMLyubX" hash2
                        transform 1
                    exit
                    no shutdown
                exit
                no shutdown
            exit
        exit
    exit

Network Address Translation

This section describes the following Network Address Translation (NAT) functionality supported on the 7705 SAR-Hm series of routers:

NAT runs on a single virtual ISA configured on the node. For general information about NAT support, see the topics listed below in the 7450 ESS, 7750 SR, and VSR Multiservice ISA and ESA Guide, "Network Address Translation":

  • Terminology

  • Network Address Translation (NAT) overview

  • Large scale NAT

  • NAT pool addresses and ICMP Echo Request/Reply (ping)

  • One-to-one (1:1) NAT

  • NAT logging

    • Syslog, SNMP, local-file logging

    • SNMP trap logging

    • NAT syslog

  • ISA feature interactions

    • MS-ISA use with service mirrors

  • Configuring NAT

NAT with static port forwarding

With NAT, the source IP address and the port of the host on the private side (inside) of the network are translated to an external IP address and port on the public side (outside) of the network. The IP address on the inside can be assigned to a raw socket IP host connected to an RS-232 serial interface or assigned to an IP interface associated with an Ethernet port.

Static port forwarding is configured on the CLI using the following parameters:

  • inside IP address

  • inside port

  • outside IP address

  • outside port

  • protocol

NAT with static port forwarding shows an example of a network with a 7705 SAR-Hm series node configured to use NAT with static port forwarding.

Figure 2. NAT with static port forwarding

In the scenario shown above, the "RTU" VPRN service is inside and the "SCADA" VPRN service is outside. The "RTU" VPRN contains two IP transport services, one for each connected device. For information about IP transport services, see IP transport services and also see "Serial Transport over Raw Sockets" in the 7705 SAR-Hm and SAR-Hmc Interface Configuration Guide.

NAT with static port forwarding shows specific values for the inside IP address and port and outside IP address and port. The cellular interface of the node is used as the network-facing interface to transport the outside VPRN traffic.

When the SCADA master sends a packet to the node over the LTE network, it is carried within the outside "SCADA" VPRN service toward the node. The node sends the packet to the BB-ISA MDA to perform the required NAT function based on the configured NAT policy. NAT is applied to the packet as needed. The packet is then processed by the inside "RTU" VPRN service, destined for the corresponding IP transport service.

When a packet is sent from the RTU toward the SCADA master, the inside "RTU" VPRN service sends the packet to the BB-ISA MDA where the NAT policy translates the IP address and port to the outside IP address and port, The BB-ISA MDA then sends the packet to the outside "SCADA" VPRN service where it is routed over the cellular interface using the "SCADA" VPRN service.

The following steps and CLI outputs show the configuration of NAT with static port forwarding based on NAT with static port forwarding.

  1. Configure NAT on the BB-ISA MDA:

    config
         isa
            nat-group 1  
                  mda 1/6
    
  2. Configure the inside "RTU" VPRN (1) service for the inside static port forwarding NAT function:

    config
         service 
              vprn 1   
                 interface 'rtu1'
                     address 192.168.0.1/32
                     loopback 
                 interface 'rtu2'
                     address 192.168.0.2/32
                     loopback 
                 ip-transport 1/3/1
                     local-host ip-addr 192.168.0.1 port-num 2000 protocol udp
                     remote-host ip-addr 1.2.3.4 port-num 1000 protocol udp 
                 ip-transport 1/3/2
                     local-host ip-addr 192.168.0.2 port-num 2000 protocol udp
                     remote-host ip-addr 1.2.3.4 port-num 1000 protocol udp
        
        
    config
         service 
              vprn 1   
                 nat
                     inside 
                         destination-prefix 1.2.3.4/24   .  
                         nat-policy 'sar-hm-1'  
        
        
    config
         service 
               nat 
                    nat-policy 'sar-hm-1  
                         pool 'pool-name-1'  router 2  
                    port-forwarding  
                        lsn router 1 ip 192.168.0.1 protocol udp port 2000 outside-
                                      ip 10.0.0.1 outside-port 100 nat-policy "sar-hm-1"
                        lsn router 1 ip 192.168.0.2 protocol udp port 2000 outside-
                                      ip 10.0.0.1 outside-port 101 nat-policy "sar-hm-1"
    
  3. Configure the outside "SCADA" VPRN (2) service for the outside static port forwarding NAT function:

    service vprn 2  
         interface 'Outside_RTU' 
            address 10.0.0.1/32
            loopback
         nat
            outside
                   pool 'pool-name-1'nat-group 1 type large-scale 
                             address-range 10.0.0.1 10.0.0.1 create 
                             port-forwarding-range 30000  
                             port-reservations ports 1000 
    

NAT command reference

The 7705 SAR-Hm series of routers supports the NAT commands listed in this section. For command descriptions, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR Classic CLI Command Reference Guide.

ISA configuration commands

config
    - isa
        - nat-group	 nat-group-id [create]
        - no nat-group nat-group-id
            - active-mda-limit number
            - no active-mda-limit
            - description description-string
            - no description
            - [no] mda mda-id
            - [no] shutdown
            - [no] suppress-lsn-events
            - [no] suppress-lsn-sub-blks-free

NAT service configuration commands

configure
    - service
        - nat
            - nat-policy nat-policy-name [create]
            - no nat-policy nat-policy-name
                - block-limit [1..40]
                - no block-limit [
                - description description-string
                - no description
                - filtering filtering-mode
                - no filtering
                - pool nat-pool-name service-name service-name
                - pool nat-pool-name router router-instance
                - no pool
                - port-limits
                    - forwarding limit
                    - no forwarding
                    - watermarks high percentage-high low percentage-low 
                    - no watermarks 
                - session-limits
                    - max num-sessions
                    - no max
                    - watermarks high percentage-high low percentage-low 
                    - no watermarks
                - tcp-mss-adjust segment-size
                - no tcp-mss-adjust 
                - [no] timeouts
                    - icmp-query [min minutes] [sec seconds] 
                    - no icmp-query
                    - tcp-established [hrs hours] [min minutes] [sec seconds]
                    - no tcp-established 
                    - tcp-rst [min minutes] [sec sec]
                    - no tcp-rst
                    - tcp-syn [hrs hours] [min minutes] [sec seconds]
                    - no tcp-syn
                    - tcp-time-wait [min minutes] [sec seconds]
                    - no tcp-time-wait
                    - tcp-transitory [hrs hours] [min minutes] [sec seconds]
                    - no tcp-transitory
                    - udp [hrs hours] [min minutes] [sec seconds]
                    - no udp
                    - udp-dns [hrs hours] [min minutes] [sec seconds]
                    - no udp-dns 
                    - udp-inital [min minutes] [sec seconds]
                    - no udp-inital
                - [no] udp-inbound-refresh
            - port-forwarding
                - lsn router router-instance [b4 ipv6-address] [aftr ipv6-address] ip ip-address protocol {tcp | udp} [port port] [outside-ip ipv4-address] [outside-port port] [nat-policy nat-policy-name]
                - no lsn router router-instance [b4 ipv6-address] ip ip-address protocol {tcp | udp} port port [nat-policy nat-policy-name]

NAT VPRN commands

config
    - service
        - vprn service-id customer cust-id create
            - [no] nat
                - inside
                    - classic-lsn-max-subscriber-limit max
                    - no classic-lsn-max-subscriber-limit
                    - destination-prefix ip-prefix/length [nat-policy nat-policy-name]
                    - no destination-prefix ip-prefix/length 
                    - deterministic
                        - prefix ip-prefix/length subscriber-type nat-sub-type nat-policy nat-policy-name [create]
                        - prefix ip-prefix/length subscriber-type nat-sub-type
                        - no prefix ip-prefix/length subscriber-type nat-sub-type
                            - map start lsn-sub-address end lsn-sub-address to outside-ip-address
                            - no map  start lsn-sub-address end lsn-sub-address
                            - [no] shutdown
                    - nat-policy nat-policy-name
                    - no nat-policy
                - outside 
                    - mtu value
                    - no mtu
                    - poolnat-pool-name nat-group nat-group-id type pool-type [applications applications] [create]
                    - no pool nat-pool-name
                        - address-range start-ip-address end-ip-address [create]
                        - no address-range start-ip-address end-ip-address
                            - description description-string
                            - no description
                            - [no] drain
                        - description description-string
                        - no description
                        - mode {auto | napt | one-to-one}
                        - no mode
                        - port-forwarding-range range-end
                        - no port-forwarding-range
                        - port-reservation blocks num-blocks
                        - port-reservation ports num-ports
                        - no port-reservation
                        - subscriber-limit limit
                        - no subscriber-limit
                        - watermarks high percentage-high low percentage-low 
                        - no watermarks

NAT persistence commands

The 7705 SAR-Hm series of routers supports the persistence commands listed in this section. For command descriptions, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR Classic CLI Command Reference Guide.

config
    - system
        - persistence
            - nat-port-forwarding
                - description description-string
                - no description
                - location cflash-id
                - no location

NAT IPv4 filter policy commands

The 7705 SAR-Hm series of routers supports the NAT IPv4 filter policy commands listed in this section. For command descriptions, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR Classic CLI Command Reference Guide.

config
    - filter
        - ip-filter filter-id [name filter-name] [create]
        - no ip-filter {filter-id | filter-name}
            - entry entry-id [create]
            - no entry entry-id
                - [no] action [secondary]
                    - nat [nat-policy nat-policy-name]

NAT routing protocol commands

The 7705 SAR-Hm series of routers supports the NAT routing protocol commands listed in this section. For command descriptions, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR Classic CLI Command Reference Guide.

config
    - router
        - [no] policy-options]
            - [no] policy-statement name
                - entry entry-id [create]
                - no entry entry-id
                    - [no] from
                        - protocol protocol [all | instance instance]
                        - no protocol

Application Assurance firewall

The 7705 SAR-Hm series of routers supports Application Assurance (AA) firewall (FW). The AA FW feature extends AA ISA Layer 3 and Layer 4 packet analysis to provide an in-line integrated stateful FW for additional security from malicious attacks. The AA stateful packet filtering feature empowers operators with per-session tracking features to monitor the security of each session. The AA FW runs on the AA ISA.

In a stateful inspection, the AA FW not only inspects Layers 3 and 4, but also monitors and keeps track of each connection’s state. If the operator configures a “deny” action within a session filter, the packets that match the session filter match conditions are dropped and no flow session state or context is created.

The AA FW feature is supported on the following SAP types

  • VLLs (Epipes)
  • VPLS
  • IES/VPRN interfaces
Note: On the 7705 SAR-Hm series of routers, the AA FW supports application-level inspection at Layer 4 and below. References to application-level inspection above Layer 4 are not supported.

For general information about configuring an AA FW on the 7705 SAR-Hm series of routers, see the following topics in the 7450 ESS, 7750 SR, and VSR Multiservice ISA and ESA Guide, “Application Assurance":

  • AA overview

    • AA inline policy enforcement

    • Stateful firewall service

  • AA system architecture

    • AA ISA resource configuration

      • AA ISA groups

    • AA packet processing

      • Divert of traffic and subscribers
      • Traffic identification
      • Statistics and accounting
      • AQP
      • AA firewall
    • Service monitoring and debugging (firewall stastistics)
    • CLI batch: begin, commit and abort commands
  • Configuring AA with CLI

    • Configuring an AA ISA group

    • Configuring a group policy

      • Beginning, committing, and aborting a policy configuration
      • Configuring AA session filters
      • Configuring an application group
      • Configuring a policer
      • Configuring an application QoS policy

An AA FW is enabled by assigning an application profile to a SAP that requires flows to be inspected. The assignment enables the AA FW functionality for all traffic that is deemed of interest to and from the SAP. An application profile can be assigned to a VLL (Epipe) via the config>service>epipe>sap>app-profile command, to a VPLS via the config>service>vpls>sap>app-profile command, and to an IES or VPRN via the config>service>ies | vprn>interface>sap>app-profile commands.

AA FW datapath shows the general mechanism for filtering traffic of interest and diverting this traffic to the AA ISA. This traffic diversion method applies to both bridged and routed configurations.

Figure 3. AA FW datapath
The following CLI output shows an example of an AA FW configured on a 7705 SAR-Hm series router. It includes ISA, application asssurance, and application assurance group configurations.
#--------------------------------------------------
echo "ISA Configuration"
#--------------------------------------------------
    isa
        application-assurance-group 1 create
            description "ISA AA FW Group"
            primary 1/6
            fail-to-open
            divert-fc be
            statistics
                performance
                    collect-stats
                exit
            exit
            no shutdown
        exit
    exit

#--------------------------------------------------
echo "Application-assurance Configuration"
#--------------------------------------------------
    application-assurance
        flow-table-low-wmark 80
        flow-table-high-wmark 90
        group 1
            policer "flowCountPerSub_DL" type flow-count-limit granularity subscriber create
                description "Allow only a certain number of active flows at a time per subscriber"
                flow-count 50
                tod-override 1 create
                    time-range daily start 09:00 end 17:00
                    flow-count 25
                    no shutdown
                exit
            exit
            policer "flowCountPerSub_UL" type flow-count-limit granularity subscriber create
                flow-count 50
                tod-override 1 create
                    time-range daily start 09:00 end 17:00
                    flow-count 25
                    no shutdown
                exit
            exit
            policer "singeBucketSub" type single-bucket-bandwidth granularity subscriber create
                description "Sample bandwidth policer"
                rate 4096
                mbs 300
            exit
        exit
        group 1:0 create
            description "AA partition config"
            ip-prefix-list "IPL" create
                description "A sample IP prefix list"
                prefix 1.1.1.0/24
                prefix 10.1.1.135/32
                prefix 2607::/32
            exit
            event-log "EL" create
                buffer-type circular
                max-entries 1000
                no shutdown
            exit
            port-list "PL" create
                description "Sample port list"
                port range 80 443
                port 8080
            exit
            policy
                begin
                app-service-options
                    characteristic "ASO" persist-id 1 create
                        value "val1" persist-id 1
                        value "val2" persist-id 2
                        default-value "val1"
                    exit
                exit
                app-profile "aa_firewall" create
                    divert
                    characteristic "ASO" value "val2"
                exit
                commit
            exit
            tcp-validate "TV" create
                description "A TCP validate object with strict checked linked to event-log"
                event-log "EL"
                strict
            exit
            session-filter "SF" create
                description "Deny unsolicited network flows except for a known TCP port"
                default-action deny event-log "EL"
                entry 1 create
                    match
                        ip-protocol-num tcp
                        src-ip ip-prefix-list "IPL"
                        src-port port-list "PL"
                    exit
                    action permit event-log "EL"
                exit
            exit
            session-filter "SF2" create
                description "Deny subscribers from sending ICMP"
                default-action permit
                entry 1 create
                    match
                        ip-protocol-num icmp
                    exit
                    action deny
                exit
            exit
        exit
    exit

#--------------------------------------------------
echo "Application-assurance Configuration"
#--------------------------------------------------
    application-assurance
        group 1:0
            policy
                begin
                app-qos-policy
                    entry 1 create
                        action
                            overload-drop
                            error-drop
                            fragment-drop all
                        exit
                        no shutdown
                    exit
                    entry 2 create
                        action
                            tcp-mss-adjust 1500
                        exit
                        no shutdown
                    exit
                    entry 4 create
                        match
                            traffic-direction subscriber-to-network
                        exit
                        action
                            flow-count-limit "flowCountPerSub_UL"
                        exit
                        no shutdown
                    exit
                    entry 5 create
                        match
                            traffic-direction network-to-subscriber
                        exit
                        action
                            flow-count-limit "flowCountPerSub_DL"
                        exit
                        no shutdown
                    exit
                    entry 6 create
                        match
                            traffic-direction subscriber-to-network
                        exit
                        action
                            session-filter "SF2"
                        exit
                        no shutdown
                    exit
                    entry 7 create
                        match
                            traffic-direction network-to-subscriber
                        exit
                        action
                            session-filter "SF"
                        exit
                        no shutdown
                    exit
                    entry 8 create
                        action
                            tcp-validate "TV"
                        exit
                        no shutdown
                    exit
                    entry 9 create
                        match
                            characteristic "ASO" eq "val1"
                        exit
                        action
                            remark
                                fc ef
                            exit
                        exit
                        no shutdown
                    exit
                exit
                commit
            exit
            policy-override
                policy aa-sub sap 1/2/3 create
                    characteristic "ASO" value "val1"
                exit
            exit
            statistics
                aa-admit-deny
                    collect-stats
                    session-filter-stats
                    policer-stats-resources
                    policer-stats
                    tcp-validate-stats
                exit
                aa-partition
                    collect-stats
                    traffic-type
                exit
                threshold-crossing-alert
                    fragment-drop-all direction from-sub create
                        high-wmark 4294967295 low-wmark 0
                    exit
                    session-filter "SF"
                        default-action direction to-sub create
                            high-wmark 4294967295 low-wmark 0
                        exit
                    exit
                exit
            exit
        exit
   exit

The following CLI output shows an example of an Epipe service configured with an "aa_firewall" application profile.

#--------------------------------------------------
echo "Service Configuration"
#--------------------------------------------------
     service
        sdp 1 create
            description "Default sdp description"
            signaling off
            far-end 10.25.81.103
            keep-alive
                shutdown
            exit
            no shutdown
        exit
        customer 1 name "1" create
            description "Default customer"
        exit
        epipe 1 name "1" customer 1 vpn 1 create
            description "Default epipe description for service id 1"
            service-mtu 1200
            sap 1/2/1 create
                description "Default sap description for service id 1"
                app-profile "aa_firewall"
                no shutdown
            exit
            spoke-sdp 1:101 create
                description "Description for Sdp Bind 1 for Svc ID 1"
                ingress
                    vc-label 101
                exit
                egress
                    vc-label 101
                exit
                no shutdown
            exit
            no shutdown
     exit

The following CLI output shows an example of a VPRN service configured with an "aa-firewall" application profile.

#--------------------------------------------------
echo "Service Configuration"
#--------------------------------------------------
    service
        customer 1 name "1" create
            description "Default customer"
        exit
        vprn 2 name "Sample VPRN 2" customer 1 create
            description "Default Description For VPRN ID 2"
            interface "interface_1" create
                address 1.1.1.1/24
                static-arp 1.1.1.2 8a:5a:47:e5:1d:7f
                ipv6
                    address 1::1/126
                    neighbor 1::2 8a:5a:47:e5:1d:7f
                exit
                sap 1/2/3:2 create
                    description "sap-2-none"
                    app-profile "aa_firewall"
                exit
            exit
            bgp-ipvpn
                mpls
                    auto-bind-tunnel
                        resolution-filter
                            no bgp
                        exit
                        resolution disabled
                    exit
                    route-distinguisher 100:2
                    no shutdown
                exit
            exit
            no shutdown
        exit

The following CLI output shows an example of an Epipe configured with AA FW event logging.

#--------------------------------------------------
echo "Service Configuration"
#--------------------------------------------------
    service
        customer 1 name "1" create
            description "Default customer"
        exit
        epipe 1 name "1" customer 1 create
            sap 1/2/3:10 create
                app-profile "aa_firewall"
                no shutdown
            exit
            sap 1/2/4:10 create
                no shutdown
            exit
            no shutdown
        exit
        ies 100 name "100" customer 1 vpn 100 create
            description "Default Ies description for service id 100"
            aa-interface "aa_if" create
                address 10.1.1.2/31
                sap 1/6/aa-svc:1 create
                    no shutdown
                exit
                no shutdown
            exit
            interface "ies-100-9.9.9.1" create
                address 9.9.9.1/24
                sap 1/2/6 create
                    description "sap-100-9.9.9.1"
                exit
            exit
            no shutdown
        exit
#--------------------------------------------------
echo "Application-assurance Configuration"
#--------------------------------------------------
    application-assurance
        group 167:30712 create
            event-log "la8PQRgzyz6q87nIdJBolFLCiVRp0IG4" create
                buffer-type syslog
                max-entries 50000
                syslog
                    address 9.9.9.9
                    facility kernel
                    port 20001
                    severity notice
                    vlan-id 1
                exit
                no shutdown
            exit
            policy
                begin
                app-profile "aa_firewall" create
                    description "default-description for AppProfile aa_firewall"
                    divert
                exit
                app-qos-policy
                    entry 10 create
                        description "default-description for entry 10"
                        match
                            aa-sub sap eq 1/2/3:10
                        exit
                        action
                            fragment-drop out-of-order event-log "la8PQRgzyz6q87nIdJBolFLCiVRp0IG4"
                        exit
                        no shutdown
                    exit
                exit
                commit
            exit
            statistics
                aa-admit-deny
                    collect-stats
                    session-filter-stats
                    policer-stats-resources
                    policer-stats
                exit
            exit
        exit

AA FW command reference

The 7705 SAR-Hm series of routers supports the AA FW commands listed in this section. For command descriptions, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR Classic CLI Command Reference Guide.

ISA AA group configuration commands

— config
            — isa
               — application-assurance-group application-assurance-group-index [create] [aa-subscale sub-scale]

               — no application-assurance-group application-assurance-group-index
                  — description description-string
                  — no description 
                  — divert-fc fc-name
                  — no divert-fc 
                  — [no] fail-to-open
                — [no] shutdown 
                — statistics
                    — performance
                    — [no] collect-stats


AA configuration commands

— config
        — application-assurance
            — bit-rate-high-wmark high-watermark
            — no bit-rate-high-wmark 
            — bit-rate-low-wmark low-watermark
            — no bit-rate-low-wmark 
            — datapath-cpu-high-wmark high-watermark
            — datapath-cpu-high-wmark max
            — datapath-cpu-low-wmark low-watermark
            — flow-setup-high-wmark high-watermark
            — flow-setup-low-wmark low-watermark
            — no flow-setup-low-wmark 
            — flow-table-high-wmark high-watermark
            — no flow-table-high-wmark 
            — flow-table-low-wmark low-watermark
            — no flow-table-low-wmark 
            — packet-rate-high-wmark high-watermark
            — packet-rate-low-wmark low-watermark
            — no packet-rate-low-wmark low-watermark

AA group configuration commands

config
        — application-assurance
                    — group  aa-group-id[:partition-id [create]]
                    — no group  aa-group-id:partition-id 
                      — [no] aa-sub-remote 
                      — description description-string
                      — no description 
                      — event-log event-log-name [create]
                      — no event-log event-log-name 
                         — buffer-type buffer-type
                         — max-entries max-entries
                         — [no] shutdown
                         — syslog
                           — address ip-address
                           — no address 
                           — description description-string
                           — no description 
                           — facility syslog-facility
                           — port port
                           — severity syslog-severity
                           — vlan-id  service-port-vlan-id
                           — no vlan-id  
                      — ip-prefix-list ip-prefix-list-name [create]
                      — no ip-prefix-list ip-prefix-list-name
                          — description description-string
                          — no description 
                          — prefix ip-prefix/ip-prefix-length [name prefix-name]
                          — no prefix ip-prefix/ip-prefix-length 
                     — policer policer-name type type granularity granularity [create]
                     — no policer policer-name
                          — action  {priority-mark | permit-deny}
                          — adaptation-rule pir adaptation rule [cir {adaptation rule}]
                          — no adaptation-rule
                          — cbs  committed-burst-size
                          — no cbs  
                          — description description-string
                          — no description 
                          — flow-count flow-count
                          — no flow-count 
                          — mbs maximum-burst-size
                          — no mbs 
                          — rate  pir-rate [cir cir-rate]
                          — no rate  
                          — tod-override tod-override-id create
                          — no tod-override tod-override-id 
                              — cbs committed-burst-size
                              — no cbs 
                              — description  description-string
                              — no description  
                              — flow-count flow-count
                              — no flow-count 
                              — mbs maximum-burst-size
                              — no mbs 
                              — rate pir-rate [cir cir-rate]
                              — no rate 
                              — [no] shutdown 
                              — time-range daily start start-time end end-time [on day [day]]
                              — time-range weekly start start-time end end-time 
                              — no time-range
                     — policy
                          — abort
                          — app-profile app-profile-name [create]
                          — no app-profile app-profile-name 
                              — [no] aa-sub-suppressible
                              — capacity-cost cost
                              — no capacity-cost 
                              — characteristic  characteristic-name value value-name
                              — no characteristic  characteristic-name  
                              — description description-string
                              — no description 
                              — [no] divert
                          — app-qos-policy
                              — entry  entry-id [create]
                              — no entry  entry-id 
                                  — action 
                                      — bandwidth-policer policer-name
                                      — no bandwidth-policer 
                                      — [no] drop
                                      — error-drop [event-log event-log-name]
                                      — no error-drop 
                                      — flow-count-limit policer-name [event-log eventlogname]
                                      — no flow-count-limit [event-log eventlogname]
                                      — flow-rate-limit policer-name [event-log eventlogname]
                                      — no flow-rate-limit 
                                      — fragment-drop {all | out-of-order} [event-log event-log-name]
                                      — no fragment-drop
                                      — mirror-source [all-inclusive] mirror-service-id
                                      — no mirror-source 
                                      — [no] overload-drop
                                      — remark
                                          — dscp in-profile dscp-name out-profile dscp-name
                                          — no dscp
                                          — fc fc-name
                                          — no fc
                                          — priority priority-level
                                          — no priority
                                      — session-filter session-filter-name
                                      — no session-filter
                                      — tcp-mss-adjust segment-size
                                      — no tcp-mss-adjust 
                                      — tcp-validate tcp-validate-name
                                      — no tcp-validate 
                              — description description-string
                              — no description
                              — match
                                — aa-sub sap {eq | neq} sap-id
                                — aa-sub spoke-sdp {eq | neq} sdp-id:vc-id
                                — no aa-sub 
                                — dscp {eq | neq} dscp-name
                                — no dscp
                                — dst-ip {eq | neq} ip-address
                                — dst-ip {eq | neq} ip-prefix-list ip-prefix-list-name
                                — no dst-ip
                                — dst-port {eq | neq} port-num
                                — dst-port {eq | neq} port-list port-list-name
                                — dst-port {eq | neq} range start-port-num endport-num
                                — no dst-port 
                                — ip-protocol-num {eq | neq} protocol-id
                                — no ip-protocol-num 
                                — src-ip {eq | neq} ip-address
                                — src-ip {eq | neq} ip-prefix-list ip-prefix-list-name
                                — no src-ip
                                — src-port {eq | neq} port-num
                                — src-port {eq | neq} port-list port-list-name
                                — src-port {eq | neq} range start-port-num endport-num
                                — no src-port
                                — traffic-direction {subscriber-to-network | network-to-subscriber | both}
                            — [no] shutdown
                          — app-service-options
                             — characteristic charateristic-name [create]
                             — no characteristic charateristic-name 
                              — default-value value-name
                              — no default-value 
                              — [no] value value-name
                          — begin 
                          — commit 
                     — port-list port-list-name [create]
                     — no port-list port-list-name 
                          — description description-string
                          — no description 
                          — [no] port port-number
                          — [no] port range start-port-number end-port-number
                     — session-filter session-filter-name [create]
                     — no session-filter session-filter-name 
                          — default-action {permit | deny} [event-log event-log-name]
                          — description description-string
                          — no description 
                          — entry entry-id[create]
                          — no entry 
                             — action  {permit | deny | tcp-strict-order} [event-log event-logname]
                             — action  http-redirect http-redirect-name[event-log event-logname]
                             — description description-string
                             — no description 
                             — match 
                              — dst-ip ip-address
                              — dst-ip dns-ip-cache dns-ip-cache-name
                              — dst-ip ip-prefix-list ip-prefix-list-name
                              — no dst-ip 
                              — dst-port {eq | gt | lt} port-num
                              — dst-port port-list  port-list-name
                              — dst-port range  start-port-num end-port-num
                              — no dst-port 
                              — ip-protocol-num {ip-protocol-number | protocolname}
                              — no ip-protocol-num
                              — src-ip ip-address
                              — src-ip ip-prefix-list ip-prefix-list
                              — no src-ip 
                              — src-port  {eq | gt | lt} port-num
                              — src-port range  start-port-num end-port-num
                              — no src-port 
                     — statistics
                          — aa-admit-deny
                             — [no] collect-stats
                             — [no] policer-stats
                             — [no] policer-stats-resources
                             — [no] session-filter-stats
                             — [no] tcp-validate-stats
                          — aa-partition
                             — [no] collect-stats
                             — [no] traffic-type
                          — threshold-crossing-alert
                             — error-drop direction direction [create]
                             — no error-drop direction direction 
                              — high-wmark high-watermark low-wmark low-watermark
                             — fragment-drop-all direction direction [create]
                             — no fragment-drop-all direction direction 
                              — high-wmark high-watermark low-wmark low-watermark
                             — fragment-drop-out-of-order direction direction [create]
                             — no fragment-drop-out-of-order direction direction 
                              — high-wmark high-watermark low-wmark low-watermark
                          — overload-drop direction direction [create]
                          — no overload-drop direction direction 
                             — high-wmark  high-watermark low-wmark low-watermark
                          — policer policer-name direction direction [create]
                          — no policer policer-name direction direction 
                             — high-wmark high-watermark low-wmark low-watermark
                          — session-filter session-filter-name
                             — default-action direction direction [create]
                             — no default-action direction direction 
                              — high-wmark high-watermark low-wmark low-watermark
                             — entry entry-id direction direction [create]
                             — no entry entry-id direction direction 
                              — high-wmark high-watermark low-wmark low-watermark
                          — tcp-validate tcp-validate-name direction direction [create]
                          — no tcp-validate tcp-validate-name direction direction 
                              — high-wmark high-watermark low-wmark low-watermark
                — tcp-validate tcp-validate-name create
                — no tcp-validate tcp-validate-name 
                          — description description-string
                          — no description 
                          — event-log log event-log-name [all]
                          — no event-log 
                          — [no] strict

AA interface configuration commands

config
        — service service-id
            — ies | vprn
                — aa-interface aa-if-name [create]
                — no aa-interface aa-if-name 
                    — address  {ip-address/mask | ip-address netmask} 
                    — no address  [ip-address/mask | ip-address netmask]
                    — description  description-string
                    — no description 
                    — ip-mtu octets
                    — no ip-mtu 
                    — sap  sap-id [create]
                    — no sap  sap-id
                        — description  description-string
                        — no description  
                        — egress 
                            — filter ip ip-filter-id
                            — no filter [ip ip-filter-id]
                            — qos  policy-id 
                            — no qos  [policy-id] 
                        — ingress
                            — qos  policy-id
                            — no qos  [policy-id]
                        — [no] shutdown
                    — [no] shutdown

AA show commands

— show
         — application-assurance
               — group aa-group-id[:partition-id]
                  — aa-sub sap sap-id [snapshot]
                  — aa-sub-list [isa mda-id] 
                  — policy
                      — app-qos-policy [entry-id]
                  — status [isa mda-id]
                  — status isa mda-id overload
                  — tcp-validate tcp-validate-name [isa mda-id] 
               — threshold-crossing-alert [detail]





AA tools commands

— tools
    — dump
          — application-assurance
               — group aa-group-id resources
               — group aa-group-id [:partition-id]
                  — admit-deny-stats
                  — event-log isa sap-id [snapshot]