m Commands

ma-index-range

ma-index-range

Syntax

ma-index-range start ma-index end ma-index

no ma-index-range

Context

[Tree] (config>eth-cfm>md-auto-id ma-index-range)

Full Context

configure eth-cfm md-auto-id ma-index-range

Description

This command specifies the range of indexes used by SR OS to automatically assign an index to ETH-CFM associations that are created in model-driven interfaces without an index explicitly specified by the user or client.

An association created with an explicitly-specified index cannot use an index in this range. In classic CLI and SNMP, the ID range cannot be changed while objects exist inside the previous or new range. In MD interfaces, the range can be changed, which causes any previously existing objects in the previous ID range to be deleted and re-created using a new ID in the new range.

The no form of this command removes the range values.

See the md-auto-id command for further details.

Parameters

start ma-index

Specifies the lower value of the index range. The value must be less than or equal to the end value.

Values

1 to 4294967295

end ma-index

Specifies the upper value of the index range. The value must be greater than or equal to the start value.

Values

1 to 4294967295

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

mac

mac

Syntax

mac ieee-address

no mac

Context

[Tree] (config>subscr-mgmt>loc-user-db>ipoe>host>host-ident mac)

[Tree] (config>subscr-mgmt>loc-user-db>ppp>host>host-ident mac)

Full Context

configure subscriber-mgmt local-user-db ipoe host host-identification mac

configure subscriber-mgmt local-user-db ppp host host-identification mac

Description

This command specifies the MAC address to match for a host lookup.

Note:

This command is only used when mac is configured as one of the match-list parameters.

The no form of this command removes the MAC address from the configuration.

Parameters

ieee-address

Specifies the 48-bit MAC address in the form aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff where aa, bb, cc, dd, ee, and ff are hexadecimal numbers.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

mac

Syntax

[no] mac ieee-mac-address

Context

[Tree] (config>service>vprn>nw-if mac)

[Tree] (config>service>vprn>if>sap>eth-cfm>mep mac)

[Tree] (config>service>vprn>if>ipv6>vrrp mac)

[Tree] (config>service>vprn>sub-if>grp-if mac)

[Tree] (config>service>vprn>if>vrrp mac)

[Tree] (config>service>vprn>if mac)

Full Context

configure service vprn network-interface mac

configure service vprn interface sap eth-cfm mep mac

configure service vprn interface ipv6 vrrp mac

configure service vprn subscriber-interface group-interface mac

configure service vprn interface vrrp mac

configure service vprn interface mac

Description

This command assigns a specific MAC address to a VPRN IP interface.

The no form of this command returns the MAC address of the IP interface to the default value.

Default

The physical MAC address associated with the Ethernet interface on which the SAP is configured.

Parameters

ieee-mac-address

Specifies the 48-bit MAC address for the static ARP in the form aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff where aa, bb, cc, dd, ee and ff are hexadecimal numbers. Allowed values are any non-broadcast, non-multicast MAC and non-IEEE reserved MAC addresses.

Platforms

All

  • configure service vprn interface ipv6 vrrp mac
  • configure service vprn interface mac
  • configure service vprn interface vrrp mac
  • configure service vprn network-interface mac

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

  • configure service vprn interface sap eth-cfm mep mac

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

  • configure service vprn subscriber-interface group-interface mac

mac

Syntax

[no] mac ieee-address

Context

[Tree] (debug>service>id>ppp mac)

Full Context

debug service id ppp mac

Description

This command shows PPP packets for the specified MAC address.

Parameters

ieee-address

Sets debugging for the specified MAC address.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

mac

Syntax

[no] mac ieee-address

Context

[Tree] (config>service>vpls>mac-protect mac)

Full Context

configure service vpls mac-protect mac

Description

This command specifies the 48-bit IEEE 802.3 MAC address.

The no form of the command reverts to the default.

Parameters

ieee-address

Specifies the 48-bit MAC address in the form aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff where aa, bb, cc, dd, ee, and ff are hexadecimal numbers.

Platforms

All

mac

Syntax

mac ieee-address

no mac [ieee-address]

Context

[Tree] (config>service>ies>if mac)

[Tree] (config>service>ies>sub-if>grp-if mac)

Full Context

configure service ies interface mac

configure service ies subscriber-interface group-interface mac

Description

This command assigns a specific MAC address to an IES IP interface.

For Routed Central Office (CO), a group interface has no IP address explicitly configured but inherits an address from the parent subscriber interface when needed. For example, a MAC will respond to an ARP request when an ARP is requested for one of the IPs associated with the subscriber interface through the group interface.

The no form of this command returns the MAC address of the IP interface to the default value.

Default

The physical MAC address associated with the Ethernet interface that the SAP is configured on (the default MAC address assigned to the interface, assigned by the system).

Parameters

ieee-address

Specifies the 48-bit MAC address for the static ARP in the form aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff, where aa, bb, cc, dd, ee, and ff are hexadecimal numbers. Allowed values are any non-broadcast, non-multicast MAC and non-IEEE reserved MAC addresses.

Platforms

All

  • configure service ies interface mac

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

  • configure service ies subscriber-interface group-interface mac

mac

Syntax

mac ieee-address

no mac

Context

[Tree] (config>service>vpls>mcr-default-gtw mac)

Full Context

configure service vpls mcr-default-gtw mac

Description

This command relates to a system configured for Dual Homing in L2-TPSDA. It defines the MAC address used when the system sends out a gratuitous ARP on an active SAP after a ring heals or fails in order to attract traffic from subscribers on the ring with connectivity to that SAP.

The no form of this command reverts to the default.

Default

no mac

Parameters

ieee-address

Specifies the address in xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx format (cannot be all zeros).

Platforms

All

mac

Syntax

mac ieee-address

no mac

Context

[Tree] (config>port>tdm>e1>channel-group mac)

[Tree] (config>port>tdm>e3 mac)

[Tree] (config>port>sonet-sdh>path mac)

[Tree] (config>lag mac)

[Tree] (config>port>tdm>ds1>channel-group mac)

[Tree] (config>port>tdm>ds3 mac)

[Tree] (config>port>ethernet mac)

[Tree] (config>eth-tunnel mac)

Full Context

configure port tdm e1 channel-group mac

configure port tdm e3 mac

configure port sonet-sdh path mac

configure lag mac

configure port tdm ds1 channel-group mac

configure port tdm ds3 mac

configure port ethernet mac

configure eth-tunnel mac

Description

This command assigns a specific MAC address to an Ethernet port, Link Aggregation Group (LAG), Ethernet tunnel, or BCP-enabled port or sub-port.

Only one MAC address can be assigned to a port. When multiple mac commands are entered, the last command overwrites the previous command. When the command is issued while the port is operational, IP will issue an ARP, if appropriate, and BPDUs are sent with the new MAC address.

The no form of this command returns the MAC address to the default value.

By default, a MAC address is assigned by the system from the chassis MAC address pool. The use of an all-zeroes MAC address indicates that an operational MAC address should be assigned from the chassis MAC address pool.

Default

mac 00:00:00:00:00:00

Parameters

ieee-address

Specifies the 48-bit MAC address in the form aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff where aa, bb, cc, dd, ee and ff are hexadecimal numbers. Allowed values are any non-broadcast, non-multicast MAC and non-IEEE reserved MAC addresses.

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-a, 7750 SR-e

  • configure port tdm e1 channel-group mac
  • configure port tdm ds3 mac
  • configure port tdm e3 mac
  • configure port tdm ds1 channel-group mac

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

  • configure port sonet-sdh path mac
  • configure eth-tunnel mac

All

  • configure lag mac
  • configure port ethernet mac

mac

Syntax

mac ieee-address

no mac

Context

[Tree] (config>eth-tunnel>ethernet mac)

Full Context

configure eth-tunnel ethernet mac

Description

This command assigns a specific MAC address to an Ethernet port, Link Aggregation Group (LAG), Ethernet tunnel, or BCP-enabled port or sub-port.

Only one MAC address can be assigned to a port. When multiple mac commands are entered, the last command overwrites the previous command. When the command is issued while the port is operational, IP will issue an ARP, if appropriate, and BPDUs are sent with the new MAC address.

The no form of this command returns the MAC address to the default value.

Default

no mac

Parameters

ieee-address

Specifies the 48-bit MAC address in the form aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff where aa, bb, cc, dd, ee and ff are hexadecimal numbers. Allowed values are any non-broadcast, non-multicast MAC and non-IEEE reserved MAC addresses 6-byte unicast mac-address (xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx) of the MEP. Using the all zeros address is equivalent to the no form of this command.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

mac

Syntax

[no] mac ieee-address

Context

[Tree] (config>service>proxy-arp-nd>mac-list mac)

Full Context

configure service proxy-arp-nd mac-list mac

Description

This command configures the proxy ARP or ND MAC address information.

The no form of the command deletes the MAC address.

Parameters

ieee-address

Specifies the MAC address added to the list. The MAC list can be empty or contain up to 10 addresses.

Values

xx:xx:xx:xx:xx:xx

xx-xx-xx-xx-xx-xx

Platforms

All

mac

Syntax

mac ieee-address [create] black-holemac ieee-address [create] sap sap-id monitor {fwd-status}

mac ieee-address [create] spoke-sdp sdp-id:vc-id monitor {fwd-status}

no mac ieee-address

Context

[Tree] (config>service>vpls>static-mac mac)

Full Context

configure service vpls static-mac mac

Description

This command assigns a conditional static MAC address entry to an SPBM B-VPLS SAP/spoke-SDP allowing external MACs for single and multi-homed operation.

For the 7450 ESS or 7750 SR, this command also assigns a conditional static MAC address entry to an EVPN VPLS SAP/spoke-SDP.

Static MACs are used for PBB Epipe and I-VPLS services that may terminate external to SPBM. If this is configured under a Control B-VPLS the interface referenced will not use IS-IS for this neighbor. This may also be configured under a User B-VPLS where the corresponding interface is not supported under the Control B-VPLS.

Parameters

ieee-address

Specifies the static MAC address to an SPBM/sdp-binding interface.

Values

6-byte mac-address (xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx) Cannot be all zeros.

sap-id

Specifies the SAP identifier.

sdp-id

Specifies the SDP identifier.

Values

1 to 17407

vc-id

Specifies the virtual circuit identifier.

Values

1 to 4294967295

create

Mandatory keyword used to create a static MAC.

fwd-status

Specifies that this static mac is based on the forwarding status of the SAP or spoke-SDP for multi-homed operation.

black-hole

Specifies for TLS FDB entries defined on a local SAP the value 'sap', remote entries defined on an SDP have the value 'sdp'.

Platforms

All

mac

Syntax

[no] mac ieee-address

Context

[Tree] (config>service>ipipe>sap mac)

Full Context

configure service ipipe sap mac

Description

This command assigns a specific MAC address to an Ipipe SAP.

The no form of this command returns the MAC address of the SAP to the default value.

Default

The physical MAC address associated with the Ethernet interface where the SAP is configured.

Parameters

ieee-address

Specifies the 48-bit MAC address in the form aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff where aa, bb, cc, dd, ee, and ff are hexadecimal numbers.

Platforms

All

mac

Syntax

mac mac-filter-id

no mac

Context

[Tree] (config>service>template>epipe-sap-template>egress>filter mac)

[Tree] (config>service>template>epipe-sap-template>ingress>filter mac)

Full Context

configure service template epipe-sap-template egress filter mac

configure service template epipe-sap-template ingress filter mac

Description

This command associates an existing MAC filter policy with the template.

This command is only supported in 'classic' configuration-mode (configure system management-interface configuration-mode classic).

Parameters

mac-filter-id

Specifies the MAC filter policy. The specified filter ID must already exist within the created MAC filters. The filter policy must already exist within the created MAC filters.

Values

1 to 65535

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

mac

Syntax

mac name

no mac

Context

[Tree] (config>service>template>epipe-sap-template>egress>filter-name mac)

[Tree] (config>service>template>epipe-sap-template>ingress>filter-name mac)

Full Context

configure service template epipe-sap-template egress filter-name mac

configure service template epipe-sap-template ingress filter-name mac

Description

This command associates an existing IP filter policy with the template.

Parameters

name

Specifies the MAC filter policy name, up to 64 characters.

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

mac

Syntax

mac ieee-address [mask six-byte-mask]

no mac ieee-address

Context

[Tree] (config>service>mac-list mac)

Full Context

configure service mac-list mac

Description

This command adds a protected MAC address entry.

The no form of this command removes the protected MAC address entry.

Parameters

ieee-address

Specifies the address in xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx format (cannot be all zeros), up to 30 characters.

six-byte-mask

Specifies the mask address in xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx format (cannot be all zeros), up to 30 characters.

Platforms

All

mac

Syntax

mac ieee-address

no mac

Context

[Tree] (config>service>vpls>interface mac)

Full Context

configure service vpls interface mac

Description

This command assigns a specific MAC address to a VPLS IP interface.

For Routed Central Office (CO), a group interface has no IP address explicitly configured but inherits an address from the parent subscriber interface when needed. For example, a MAC will respond to an ARP request when an ARP is requested for one of the IPs associated with the subscriber interface through the group interface.

The no form of this command returns the MAC address of the IP interface to the default value.

Default

mac

Parameters

ieee-address

Specifies the 48-bit MAC address for the static ARP in the form aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff where aa, bb, cc, dd, ee, and ff are hexadecimal numbers. Allowed values are any non-broadcast, non-multicast MAC and non-IEEE reserved MAC addresses.

Default

The system chassis MAC address.

Platforms

All

mac

Syntax

mac name

no mac

Context

[Tree] (config>service>template>vpls-sap-template>egress>filter-name mac)

[Tree] (config>service>template>vpls-sap-template>ingress>filter-name mac)

Full Context

configure service template vpls-sap-template egress filter-name mac

configure service template vpls-sap-template ingress filter-name mac

Description

This command associates an existing IP filter policy with the template.

Parameters

name

Specifies the MAC filter policy name, up to 64 characters.

Platforms

All

mac

Syntax

[no] mac ieee-address

Context

[Tree] (debug>service>id>arp-host mac)

Full Context

debug service id arp-host mac

Description

This command displays ARP host events for a particular MAC address.

Parameters

mac-address

Specifies the 48-bit MAC address for the static ARP in the form aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff where aa, bb, cc, dd, ee, and ff are hexadecimal numbers. Allowed values are any non-broadcast, non-multicast MAC and non-IEEE reserved MAC addresses.

Values

xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx (cannot be all zeros)

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

mac

Syntax

[no] mac ieee-address

Context

[Tree] (debug>service>id>igmp-snooping mac)

Full Context

debug service id igmp-snooping mac

Description

This command shows IGMP packets for the specified MAC address.

The no form of this command disables the MAC debugging.

Platforms

All

mac

Syntax

[no] mac ieee-address

Context

[Tree] (debug>service>id>mld mac)

Full Context

debug service id mld-snooping mac

Description

This command shows MLD packets for the specified MAC address.

The no form of this command disables the MAC debugging.

Platforms

All

mac

Syntax

[no] mac ieee-address

Context

[Tree] (debug>service>id>host-connectivity-verify mac)

Full Context

debug service id host-connectivity-verify mac

Description

This command displays Subscriber Host Connectivity Verification (SHCV) events for a particular MAC address.

Parameters

mac-address

Specifies the 48-bit MAC address for the static ARP in the form aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff where aa, bb, cc, dd, ee, and ff are hexadecimal numbers. Allowed values are any non-broadcast, non-multicast MAC and non-IEEE reserved MAC addresses.

Values

xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx (cannot be all zeros)

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

mac

Syntax

mac mac-address

no mac

Context

[Tree] (config>service>ies>if>ipv6>vrrp mac)

Full Context

configure service ies interface ipv6 vrrp mac

Description

This command assigns a specific MAC address to an IES IP interface.

The no form of this command returns the MAC address of the IP interface to the default value.

Default

The physical MAC address associated with the Ethernet interface that the SAP is configured on (the default MAC address assigned to the interface, assigned by the system).

Parameters

mac-address

Specifies the 48-bit MAC address for the static ARP in the form aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff where aa, bb, cc, dd, ee, and ff are hexadecimal numbers. Allowed values are any non-broadcast, non-multicast MAC and non-IEEE reserved MAC addresses.

Platforms

All

mac

Syntax

mac mac-address

no mac

Context

[Tree] (config>service>ies>if>vrrp mac)

Full Context

configure service ies interface vrrp mac

Description

This command assigns a specific MAC address to an IES IP interface.

The no form of this command returns the MAC address of the IP interface to the default value.

Default

The physical MAC address associated with the Ethernet interface that the SAP is configured on (the default MAC address assigned to the interface, assigned by the system).

Parameters

mac-address

Specifies the 48-bit MAC address for the static ARP in the form aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff, where aa, bb, cc, dd, ee, and ff are hexadecimal numbers. Allowed values are any non-broadcast, non-multicast MAC and non-IEEE reserved MAC addresses.

Platforms

All

mac

Syntax

mac ieee-address

no mac

Context

[Tree] (config>router>if mac)

Full Context

configure router interface mac

Description

This command assigns a specific MAC address to an IP interface. Only one MAC address can be assigned to an IP interface. When multiple mac commands are entered, the last command overwrites the previous command.

The no form of this command returns the MAC address of the IP interface to the default value.

Default

no mac

Parameters

ieee-address

Specifies the 48-bit MAC address for the IP interface in the form aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff, where aa, bb, cc, dd, ee and ff are hexadecimal numbers. Allowed values are any non-broadcast, non-multicast MAC and non-IEEE reserved MAC addresses.

Platforms

All

mac

Syntax

mac mac-address

no mac

Context

[Tree] (config>router>if>vrrp mac)

[Tree] (config>router>if>ipv6>vrrp mac)

Full Context

configure router interface vrrp mac

configure router interface ipv6 vrrp mac

Description

This command sets an explicit MAC address used by the virtual router instance overriding the VRRP default derived from the VRID.

Changing the default MAC address is useful when an existing HSRP or other non-VRRP default MAC is in use by the IP hosts using the virtual router IP address. Many hosts do not monitor unessential ARPs and continue to use the cached non-VRRP MAC address after the virtual router becomes master of the host’s gateway address.

The mac command sets the MAC address used in ARP responses when the virtual router instance is master. Routing of IP packets with mac-address as the destination MAC is also enabled. The mac setting must be the same for all virtual routers participating as a virtual router or indeterminate connectivity by the attached IP hosts will result. All VRRP advertisement messages are transmitted with mac-address as the source MAC.

The command can be configured in both non-owner and owner vrrp nodal contexts.

The mac command can be executed at any time and takes effect immediately. When the virtual router MAC on a master virtual router instance changes, a gratuitous ARP is immediately sent with a VRRP advertisement message. If the virtual router instance is disabled or operating as backup, the gratuitous ARP and VRRP advertisement message is not sent.

The no form of the command restores the default VRRP MAC address to the virtual router instance.

Default

no mac

Parameters

mac-address

The 48-bit MAC address for the virtual router instance in the form aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff where aa, bb, cc, dd, ee and ff are hexadecimal numbers. Allowed values are any non-broadcast, non-multicast MAC, and non-IEEE reserved MAC addresses.

Platforms

All

mac

Syntax

mac index name mac-name

no mac index

Context

[Tree] (config>system>security>ssh>client-mac-list mac)

[Tree] (config>system>security>ssh>server-mac-list mac)

Full Context

configure system security ssh client-mac-list mac

configure system security ssh server-mac-list mac

Description

This command configures SSH MAC algorithms for SR OS as an SSH server or an SSH client.

The no form of this command removes the specified mac index.

Default

no mac index

Parameters

index

Specifies the index of the algorithm in the list.

Values

1 to 255

mac-name

Specifies the algorithm for calculating the message authentication code.

Values

The following table lists the default client and server algorithms used for SSHv2.

Table 1. SSHv2 Default client and server algorithms

index

mac-name

200

hmac-sha2-512

210

hmac-sha2-256

215

hmac-sha1

220

hmac-sha1-96

225

hmac-md5

240

hmac-md5-96

Platforms

All

mac

Syntax

mac mac-id [create]

no mac mac-id

Context

[Tree] (config>card>mda>xconnect mac)

[Tree] (config>card>xiom>mda>xconnect mac)

Full Context

configure card mda xconnect mac

configure card xiom mda xconnect mac

Description

This command creates a loopback in the MAC chip. It does not require the allocation of a faceplate. After the loopback is instantiated, a PXC can be configured on top of it.

For a list of MAC chip IDs per forwarding complex (datapath), use the show datapath datapath-id datapath-id command.

When considering loopback creation, the operation should consider the MAC chip’s bandwidth capacity and the bandwidth utilization of all the faceplate ports connected to it.The selection of MAC chips for loopback creation should be taken into consideration.

The no form of this command removes the MAC ID from the configuration.

Parameters

mac-id

Specifies the MAC ID.

Values

1 to 12

create

Keyword used to create the MAC ID instance. The create keyword requirement can be enabled or disabled in the environment>create context.

Platforms

7450 ESS, 7750 SR, 7750 SR-s, 7950 XRS

  • configure card mda xconnect mac

7750 SR-1s, 7750 SR-2s, 7750 SR-7s, 7750 SR-14s

  • configure card xiom mda xconnect mac

mac-address

mac-address

Syntax

[no] mac-address

Context

[Tree] (config>subscr-mgmt>acct-plcy>include-radius-attribute mac-address)

[Tree] (config>subscr-mgmt>auth-policy>include-radius-attribute mac-address)

Full Context

configure subscriber-mgmt radius-accounting-policy include-radius-attribute mac-address

configure subscriber-mgmt authentication-policy include-radius-attribute mac-address

Description

This command enables the generation of the client MAC address RADIUS attribute.

The no form of this command disables the generation of the client MAC address RADIUS attribute.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

mac-address

Syntax

mac-address ieee-address

no mac-address

Context

[Tree] (config>subscr-mgmt>wlan-gw>ue-query mac-address)

Full Context

configure subscriber-mgmt wlan-gw ue-query mac-address

Description

This command enables matching on UEs with the specified MAC address.

The no form of this command disables matching on the MAC address.

Default

no mac-address

Parameters

ieee-address

Specifies the ethernet MAC address.

Values

xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

mac-address

Syntax

mac-address mac-address

no mac-address

Context

[Tree] (config>eth-ring>path>eth-cfm>mep mac-address)

[Tree] (config>eth-tunnel>path>eth-cfm>mep mac-address)

Full Context

configure eth-ring path eth-cfm mep mac-address

configure eth-tunnel path eth-cfm mep mac-address

Description

This command specifies the MAC address of the MEP.

The no form of this command reverts the MAC address of the MEP back to that of the port (if the MEP is on a SAP) or the bridge (if the MEP is on a spoke SDP).

Parameters

mac-address

Specifies the MAC address of the MEP.

Values

6-byte unicast mac-address (xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx) of the MEP. Using the all zeros address is equivalent to the no form of this command.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

mac-address

Syntax

mac-address mac-address

no mac-address

Context

[Tree] (config>router>if>eth-cfm>mep mac-address)

[Tree] (config>port>ethernet>eth-cfm>mep mac-address)

[Tree] (config>lag>eth-cfm>mep mac-address)

Full Context

configure router interface eth-cfm mep mac-address

configure port ethernet eth-cfm mep mac-address

configure lag eth-cfm mep mac-address

Description

This command specifies the MAC address of the MEP.

The no form of this command reverts to the MAC address of the MEP back to the default, that of the port, since this is SAP based.

Default

no mac-address

Parameters

mac-address

Specifies the MAC address of the MEP.

Values

6-byte unicast mac-address (xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx) of the MEP. Using the all zeros address is equivalent to the no form of this command.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

mac-address

Syntax

mac-address mac-address

no mac-address

Context

[Tree] (config>service>epipe>spoke-sdp>eth-cfm>mep mac-address)

Full Context

configure service epipe spoke-sdp eth-cfm mep mac-address

Description

This command specifies the MAC address of the MEP.

The no form of this command reverts the MAC address of the MEP back to that of the port (if the MEP is on a SAP) or the bridge (if the MEP is on a spoke).

Parameters

mac-address

Specifies the MAC address of the MEP.

Values

6-byte mac-address in the form of xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx of the MEP. Must be unicast. Using the all zeros address is equivalent to the no form of this command.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

mac-address

Syntax

mac-address mac-address

no mac-address

Context

[Tree] (config>service>vpls>sap>eth-cfm>mep mac-address)

[Tree] (config>service>vpls>eth-cfm>mep mac-address)

[Tree] (config>service>vpls>mesh-sdp>eth-cfm>mep mac-address)

[Tree] (config>service>vpls>spoke-sdp>eth-cfm>mep mac-address)

Full Context

configure service vpls sap eth-cfm mep mac-address

configure service vpls eth-cfm mep mac-address

configure service vpls mesh-sdp eth-cfm mep mac-address

configure service vpls spoke-sdp eth-cfm mep mac-address

Description

This command specifies the MAC address of the MEP.

The no form of this command reverts the MAC address of the MEP back to that of the port (if the MEP is on a SAP) or the bridge (if the MEP is on a spoke).

Parameters

mac-address

Specifies the MAC address of the MEP

Values

6-byte mac-address in the form of xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx of the MEP. Must be unicast. Using the all zeros address is equivalent to the no form of this command.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

mac-address

Syntax

mac-address mac-address

Context

[Tree] (config>service>vprn>sub-if>grp-if>sap>eth-cfm mac-address)

[Tree] (config>service>vprn>if>spoke-sdp>eth-cfm>mep mac-address)

[Tree] (config>service>vprn>if>sap>eth-cfm>mep mac-address)

Full Context

configure service vprn subscriber-interface group-interface sap eth-cfm mac-address

configure service vprn interface spoke-sdp eth-cfm mep mac-address

configure service vprn interface sap eth-cfm mep mac-address

Description

This command assigns a specific MAC address to an IP interface.

The no form of this command returns the MAC address of the IP interface to the default value.

Default

The physical MAC address associated with the Ethernet interface that the SAP is configured on.

Parameters

mac-address

Specifies the 48-bit MAC address for the static ARP in the form aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff where aa, bb, cc, dd, ee and ff are hexadecimal numbers. Allowed values are any non-broadcast, non-multicast MAC and non-IEEE reserved MAC addresses.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s

  • configure service vprn subscriber-interface group-interface sap eth-cfm mac-address

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

  • configure service vprn interface spoke-sdp eth-cfm mep mac-address
  • configure service vprn interface sap eth-cfm mep mac-address

mac-address

Syntax

[no] mac-address

Context

[Tree] (config>aaa>isa-radius-plcy>acct-include-attributes mac-address)

[Tree] (config>aaa>isa-radius-plcy>auth-include-attributes mac-address)

Full Context

configure aaa isa-radius-policy acct-include-attributes mac-address

configure aaa isa-radius-policy auth-include-attributes mac-address

Description

This command enables the generation of the client MAC address RADIUS attribute.

Default

no mac-address

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

mac-address

Syntax

mac-address mac-address

no mac-address

Context

[Tree] (config>system>satellite>tdm-sat mac-address)

[Tree] (config>system>satellite>eth-sat mac-address)

Full Context

configure system satellite tdm-sat mac-address

configure system satellite eth-sat mac-address

Description

This command configures the MAC address for the associated satellite chassis. This MAC address is used to validate the identity of an satellite that attempts to associate with the local host.

The no form of the command deletes the MAC address for the associated satellite.

Parameters

mac-address

Specifies the MAC address of the associated satellite chassis; do not use a broadcast or multicast MAC. Enter the MAC address in either of the following formats: xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx.

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-a, 7750 SR-e

  • configure system satellite tdm-sat mac-address

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

  • configure system satellite eth-sat mac-address

mac-address

Syntax

mac-address ieee-address

no mac-address ieee-address

Context

[Tree] (config>port>ethernet>dot1x>per-host-authentication>allowed-source-macs mac-address)

Full Context

configure port ethernet dot1x per-host-authentication allowed-source-macs mac-address

Description

This command configures the host MAC address on the allowed MAC list.

The no form of the command deletes the MAC address from the list.

Default

no mac

Parameters

ieee-address

Specifies the MAC address.

Values

xx:xx:xx:xx:xx:xx

Platforms

All

mac-advertisement

mac-advertisement

Syntax

[no] mac-advertisement

Context

[Tree] (config>service>vpls>bgp-evpn mac-advertisement)

Full Context

configure service vpls bgp-evpn mac-advertisement

Description

This command enables the advertisement in BGP of the learned macs on SAPs and SDP bindings. When the mac-advertisement is disabled, the local macs will be withdrawn in BGP.

Default

mac-advertisement

Platforms

All

mac-criteria

mac-criteria

Syntax

[no] mac-criteria

Context

[Tree] (config>qos>sap-ingress mac-criteria)

Full Context

configure qos sap-ingress mac-criteria

Description

This command is used to enter the node to create or edit policy entries that specify MAC criteria.

The mac-criteria based SAP ingress policies are used to select the appropriate ingress queue and corresponding forwarding class for matched traffic.

Router implementation will exit on the first match found and execute the actions in accordance with the accompanying action command. For this reason, entries must be sequenced correctly from most to least explicit.

The no form of this command deletes all the entries specified under this node. When mac-criteria entries are removed from a SAP ingress policy, the mac-criteria is removed from all services where that policy is applied.

Platforms

All

mac-da-hashing

mac-da-hashing

Syntax

[no] mac-da-hashing

Context

[Tree] (config>subscr-mgmt>msap-policy>vpls-only mac-da-hashing)

Full Context

configure subscriber-mgmt msap-policy vpls-only-sap-parameters mac-da-hashing

Description

This command specifies whether subscriber traffic egressing a LAG SAP has its egress LAG link selected by a function of the MAC destination address instead of the subscriber ID.

This command is only meaningful if subscriber management is enabled and can be configured for a VPLS service.

The no form of this command reverts to the default.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

mac-da-hashing

Syntax

mac-da-hashing

no mac-da-hashing

Context

[Tree] (config>service>vpls>sap>sub-sla-mgmt mac-da-hashing)

Full Context

configure service vpls sap sub-sla-mgmt mac-da-hashing

Description

This command specifies whether subscriber traffic egressing a LAG SAP has its egress LAG link selected by a function of the MAC destination address instead of the subscriber ID.

The no form of this command reverts to the default setting.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

mac-duplication

mac-duplication

Syntax

mac-duplication

Context

[Tree] (config>service>vpls>bgp-evpn mac-duplication)

Full Context

configure service vpls bgp-evpn mac-duplication

Description

Commands in this context configure the BGP EVPN MAC duplication parameters.

Platforms

All

mac-filter

mac-filter

Syntax

mac-filter mac-filter-id entry entry-id [entry-id]

no mac-filter mac-filter-id [entry entry-id]

Context

[Tree] (config>mirror>mirror-source mac-filter)

Full Context

configure mirror mirror-source mac-filter

Description

This command enables mirroring of packets that match specific entries in an existing MAC filter.

The mac-filter command directs packets which match the defined list of entry IDs to be mirrored to the mirror destination referenced by the mirror-dest-service-id of the mirror-source.

The MAC filter must already exist in order for the command to execute. Filters are configured in the config>filter context. If the MAC filter does not exist, an error will occur. If the filter exists but has not been associated with a SAP or IP interface, an error is not be generated but mirroring will not be enabled (there are no packets to mirror). Once the filter is defined to a SAP or MAC interface, mirroring is enabled.

If the MAC filter is defined as ingress, only ingress packets are mirrored. Ingress mirrored packets are mirrored to the mirror destination prior to any ingress packet modifications.

If the MAC filter is defined as egress, only egress packets are mirrored. Egress mirrored packets are mirrored to the mirror destination after all egress packet modifications.

An entry-id within a MAC filter can only be mirrored to a single mirror destination. If the same entry-id is defined multiple times, an error occurs and only the first mirror-source definition is in effect.

By default, no packets matching any MAC filters are mirrored. Mirroring of MAC filter entries must be explicitly defined.

The no form of this command, without the entry keyword, removes mirroring on all entry-id’s within the mac-filter-id.

When the no command is executed with the entry keyword and one or more entry-id’s, mirroring of that list of entry-id’s is terminated within the mac-filter-id. If an entry-id is listed that does not exist, an error will occur and the command will not execute. If an entry-id is listed that is not currently being mirrored, no error will occur for that entry-id and the command will execute normally.

Parameters

mac-filter-id

Specifies the MAC filter ID whose entries are mirrored. If the mac-filter-id does not exist, an error will occur and the command will not execute. Mirroring of packets will commence once the mac-filter-id is defined on a SAP.

entry-id

Specifies the MAC filter entries to use as match criteria for packet mirroring. The entry keyword begins a list of entry-id’s for mirroring. Multiple entry-id entries may be specified with a single command. Each entry-id must be separated by a space. Up to 8 entry IDs may be specified in a single command.

Each entry-id must exist within the mac-filter-id. If the entry-id is renumbered within the MAC filter definition, the old entry-id is removed from the list and the new entry-id will need to be manually added to the list if mirroring is still desired.

If no entry-id entries are specified in the command, mirroring will not occur for that MAC filter ID. The command will have no effect.

Platforms

All

mac-filter

Syntax

[no] mac-filter mac-filter-id

Context

[Tree] (config>li>li-filter-block-reservation>li-reserved-block mac-filter)

Full Context

configure li li-filter-block-reservation li-reserved-block mac-filter

Description

This command configures to which normal MAC filters the entry reservation is applied.

This command is only supported in 'classic' configuration-mode (configure system management-interface configuration-mode classic).

Parameters

mac-filter-id

Specifies the filter identification identifies the normal MAC filters.

Values

{filter-id | filter-name}

filter-id:

1 to 65535

filter-name:

up to 64 characters (filter-name is an alias for input only. The filter-name gets replaced with an id automatically by SR OS in the configuration).

Platforms

All

mac-filter

Syntax

[no] mac-filter mac-filter-id

Context

[Tree] (config>li>li-filter-assoc>li-mac-fltr mac-filter)

Full Context

configure li li-filter-associations li-mac-filter mac-filter

Description

Specifies the MAC filter(s) into which the entries from the specified li-mac-filter are to be inserted. The li-mac-filter and mac-filter must already exist before the association is made. If the normal MAC filter is deleted then the association is also removed (and not re-created if the MAC filter comes into existence in the future).

The no form of this command removes the MAC filter ID from the configuration.

Parameters

mac-filter-id

Specifies a filter identification to identify the MAC filter.

Values

1 to 65536, name: up to 64 characters

Platforms

All

mac-filter

Syntax

mac-filter mac-filter-id entry entry-id [entry-id] [ intercept-id intercept-id [intercept-id]] [session-id [session-id] [[session-id]]]

no mac-filter mac-filter-id

Context

[Tree] (config>li>li-source mac-filter)

Full Context

configure li li-source mac-filter

Description

This command enables lawful interception (LI) of packets that match specific entries in an existing MAC filter. Multiple entries can be created using unique entry-id numbers within the filter. The router implementation exits the filter on the first match found and executes the actions in accordance with the accompanying action command. For this reason, entries must be sequenced correctly from most to least explicit.

An entry may not have any match criteria defined (in which case, everything matches) but must have at least the keyword action for it to be considered complete. Entries without the action keyword will be considered incomplete and hence will be rendered inactive.

An entry-id within an MAC filter can only be intercepted to a single destination. If the same entry-id is defined multiple times, an error occurs and only the first definition is in effect.

The no form of this command removes the specified entry from the IP or MAC filter. Entries removed from the IP or MAC filter are immediately removed from all services or network ports where that filter is applied.

Parameters

mac-filter-id

Specifies the MAC filter ID. If the mac-filter-id does not exist, an error will occur and the command will not execute.

entry-id

The MAC filter entries to use as match criteria.

intercept-id

Specifies the intercept-id that is inserted into the packet header for all mirrored packets of the associated li-source entry. This intercept-id can be used (for example by a downstream LI gateway) to identify the particular LI session to which the packet belongs. For all types of li-source entries (filter, nat, sap, subscriber), when the mirror service is configured with ip-udp-shim routable encap, an intercept-id field (as part of the routable encap) is always present in the mirrored packets. If there is no intercept-id configured for an li-source entry, then the default value will be inserted. When the mirror service is configured with ip-gre routable encap, no intercept-id is inserted and none should be specified against the li-source entries.

Values

1 to 4294967295 (32b) — For nat li-source entries that are using a mirror service that is not configured with routable encapsulation

Values

1 to 1,073,741,824 (30b) — For all types of li-source entries that are using a mirror service with routable ip-udp-shim encapsulation and no direction-bit.

Values

1 to 536,870,912 (29b) — For all types of li-source entries that are using a mirror service with routable ip-udp-shim encapsulation and with the direction-bit enabled.

session-id

Specifies the session-id that is inserted into the packet header for all mirrored packets of the associated li-source entry. This session-id can be used (for example by a downstream LI gateway) to identify the particular LI session to which the packet belongs. The session-id is only valid and used for mirror services that are configured with ip-udp-shim routable encap (config>mirror>mirror-dest>encap>ip-udp-shim). For all types of li-source entries (filter, nat, sap, or subscriber), when the mirror service is configured with ip-udp-shim routable encap, a session-id field (as part of the routable encap) is always present in the mirrored packets. If there is no session-id configured for an li-source entry, then the default value will be inserted. When a mirror service is configured with ip-gre routable encap, no session-id is inserted and none should be specified against the li-source entries.

Values

1 to 4,294,967,295 (32b)

Platforms

All

mac-filter

Syntax

mac-filter mac-filter-id entry entry-id [entry-id]

no mac-filter mac-filter-id [entry entry-id]

Context

[Tree] (debug>mirror-source mac-filter)

Full Context

debug mirror-source mac-filter

Description

This command enables mirroring of packets that match specific entries in an existing MAC filter.

The mac-filter command directs packets which match the defined list of entry IDs to be mirrored to the mirror destination referenced by the mirror-dest-service-id of the mirror-source.

The MAC filter must already exist in order for the command to execute. Filters are configured in the config>filter context. If the MAC filter does not exist, an error will occur. If the filter exists but has not been associated with a SAP or IP interface, an error is not be generated but mirroring will not be enabled (there are no packets to mirror). Once the filter is defined to a SAP or MAC interface, mirroring is enabled.

If the MAC filter is defined as ingress, only ingress packets are mirrored. Ingress mirrored packets are mirrored to the mirror destination prior to any ingress packet modifications.

If the MAC filter is defined as egress, only egress packets are mirrored. Egress mirrored packets are mirrored to the mirror destination after all egress packet modifications.

An entry-id within a MAC filter can only be mirrored to a single mirror destination. If the same entry-id is defined multiple times, an error occurs and only the first mirror-source definition is in effect.

By default, no packets matching any MAC filters are mirrored. Mirroring of MAC filter entries must be explicitly defined.

The no form of this command command, without the entry keyword, removes mirroring on all entry-id’s within the mac-filter-id.

When the no command is executed with the entry keyword and one or more entry-id’s, mirroring of that list of entry-id’s is terminated within the mac-filter-id. If an entry-id is listed that does not exist, an error will occur and the command will not execute. If an entry-id is listed that is not currently being mirrored, no error will occur for that entry-id and the command will execute normally.

Parameters

mac-filter-id

Specifies the MAC filter ID whose entries are mirrored. If the mac-filter-id does not exist, an error will occur and the command will not execute. Mirroring of packets will commence once the mac-filter-id is defined on a SAP.

entry-id

Specifies the MAC filter entries to use as match criteria for packet mirroring. The entry keyword begins a list of entry-id’s for mirroring. Multiple entry-id entries may be specified with a single command. Each entry-id must be separated by a space. Up to 8 entry IDs may be specified in a single command.

Each entry-id must exist within the mac-filter-id. If the entry-id is renumbered within the MAC filter definition, the old entry-id is removed from the list and the new entry-id will need to be manually added to the list if mirroring is still desired.

If no entry-id entries are specified in the command, mirroring will not occur for that MAC filter ID. The command will have no effect.

Platforms

All

mac-filter

Syntax

mac-filter filter-id [create] [ name name]

mac-filter {filter-id | filter-name}

no mac-filter {filter-id | filter-name}

Context

[Tree] (config>filter mac-filter)

Full Context

configure filter mac-filter

Description

This command creates a configuration context for the specified MAC filter policy.

The no form of the command deletes the MAC filter policy. A filter policy cannot be deleted until it is removed from all objects where it is applied.

Parameters

filter-id

Specifies the MAC filter policy ID expressed as a decimal integer.

Values

1 to 65535

create

Keyword required to create the configuration context. After it is created, the context can be enabled with or without the create keyword.

name

Sets an optional filter name, up to 64 characters in length, to a given filter. This filter name can then be used in configuration references, display, and show commands throughout the system. A defined filter name can help the service provider or administrator to identify and manage filters within the SR OS platforms.

To create a filter, you must assign a filter ID, however, after it is created, either the filter ID or filter name can be used to identify and reference a filter.

If a name is not specified at creation time, then SR OS assigns a string version of the filter-id as the name.

Filter names may not begin with an integer (0 to 9).

Values

name: 64 characters maximum

filter-name

Specifies a string of up to 64 characters uniquely identifying this MAC filter policy.

Platforms

All

mac-filter

Syntax

[no] mac-filter

Context

[Tree] (config>system>security>mgmt-access-filter mac-filter)

Full Context

configure system security management-access-filter mac-filter

Description

This command configures a management access MAC-filter.

Platforms

All

mac-filter

Syntax

[no] mac-filter

Context

[Tree] (config>system>security>cpm-filter mac-filter)

Full Context

configure system security cpm-filter mac-filter

Description

Commands in this context configure CPM MAC-filter parameters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

mac-filter

Syntax

ip-filter src-filter-id [src-entry src-entry-id] to dst-filter-id [dst-entry dst-entry-id] [overwrite]

Context

[Tree] (config>filter>copy mac-filter)

Full Context

configure filter copy mac-filter

Description

This command copies an existing filter entry for a specific filter ID to another filter ID. The copy command is a configuration level maintenance tool used to create new entries using an existing filter policy. If overwrite is not specified, an error will occur if the destination filter entry exists.

Parameters

src-filter-id

Specifies the source filter policy from which the copy command will attempt to copy. The filter policy must exist within the context of the preceding keyword (mac-filter).

dst-filter-id

Specifies the destination filter policy to which the copy command will attempt to copy. If the overwrite keyword is not specified, the filter entry ID cannot already exist in the destination filter policy. If the overwrite keyword is present, the destination entry ID may or may not exist.

overwrite

Specifies that the destination filter entry may exist. If it does, everything in the existing destination filter entry will be completely overwritten with the contents of the source filter entry. If the destination filter entry exists, either overwrite must be specified or an error message will be returned. If overwrite is specified, the function of copying from source to destination occurs in a "break before make” manner and therefore should be handled with care.

Platforms

All

mac-filter-name

mac-filter-name

Syntax

[no] mac-filter-name filter-name

Context

[Tree] (config>li>li-filter-block-reservation>li-reserved-block mac-filter-name)

Full Context

configure li li-filter-block-reservation li-reserved-block mac-filter-name

Description

This command configures a MAC filter in which the reservation is done through name.

The no form of this command removes the MAC filter name.

Parameters

filter-name

Specifies the MAC filter name, up to 64 characters.

Platforms

All

mac-filter-name

Syntax

[no] mac-filter-name filter-name

Context

[Tree] (config>li>li-filter-assoc>li-mac-fltr mac-filter-name)

Full Context

configure li li-filter-associations li-mac-filter mac-filter-name

Description

This command associates a MAC filter with a specified LI MAC filter through its name.

The no form of this command removes the MAC filter name.

Parameters

filter-name

Specifies the MAC filter name, up to 64 characters.

Platforms

All

mac-format

mac-format

Syntax

mac-format format

no mac-format

Context

[Tree] (config>subscr-mgmt>loc-user-db>ipoe>host>match-radprox-cache mac-format)

Full Context

configure subscriber-mgmt local-user-db ipoe host match-radius-proxy-cache mac-format

Description

This command specifies the format of MAC address used for matching incoming DHCP DISCOVER against the RADIUS proxy cache.

The no form of this command reverts to the default.

Default

mac-format "aa:"

Parameters

format

Specifies the format string that specifies the format of MAC address.

Values

mac-format: (only when match is equal to mac)

like ab: for 00:0c:f1:99:85:b8

or XY- for 00-0C-F1-99-85-B8

or mmmm. for 0002.03aa.abff

or xx for 000cf19985b8

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

mac-format

Syntax

mac-format mac-format

no mac-format

Context

[Tree] (config>subscr-mgmt>diam-appl-plcy>gy mac-format)

[Tree] (config>subscr-mgmt>diam-appl-plcy>gx mac-format)

[Tree] (config>subscr-mgmt>diam-appl-plcy>nasreq mac-format)

Full Context

configure subscriber-mgmt diameter-application-policy gy mac-format

configure subscriber-mgmt diameter-application-policy gx mac-format

configure subscriber-mgmt diameter-application-policy nasreq mac-format

Description

This command configures the format of the MAC address when reported in Gx, Gy, or NASREQ application message AVPs such as Calling-Station-Id or User-Name.

The no form of this command resets the command to the default setting.

Default

mac-format ab

Parameters

mac-format

Specifies the MAC address format.

Values

like ab: for 00:0c:f1:99:85:b8

or XY- for 00-0C-F1-99-85-B8

or mmmm. for 0002.03aa.abff

or xx for 000cf19985b8

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

mac-format

Syntax

mac-format mac-format

no mac-format

Context

[Tree] (config>service>ies>sub-if>grp-if>wlan-gw>ranges>range>track-mobility mac-format)

[Tree] (config>service>vprn>sub-if>grp-if>wlan-gw>ranges>range>track-mobility mac-format)

Full Context

configure service ies subscriber-interface group-interface wlan-gw vlan-tag-ranges range track-mobility mac-format

configure service vprn subscriber-interface group-interface wlan-gw vlan-tag-ranges range track-mobility mac-format

Description

This command configures how the MAC address is represented by the RADIUS proxy server.

Default

no mac-format "aa:"

Parameters

mac-format

Specifies how the MAC address is represented by the RADIUS proxy server.

Values

mac-format

like ab: for 00:0c:f1:99:85:b8

or XY- for 00-0C-F1-99-85-B8

or mmmm. for 0002.03aa.abff

or xx for 000cf19985b8

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

mac-learning-options

mac-learning-options

Syntax

[no] mac-learning-options

Context

[Tree] (config>service>vprn>sub-if>grp-if>sap>static-host-mgmt mac-learning-options)

[Tree] (config>service>ies>sub-if>grp-if>sap>static-host-mgmt mac-learning-options)

Full Context

configure service vprn subscriber-interface group-interface sap static-host-mgmt mac-learning-options

configure service ies subscriber-interface group-interface sap static-host-mgmt mac-learning-options

Description

This command configures additional methods by which the BNG learns the subscriber host MAC.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

mac-linking

mac-linking

Syntax

mac-linking ip-address

no mac-linking

Context

[Tree] (config>service>ies>sub-if>grp-if>sap>static-host mac-linking)

[Tree] (config>service>vprn>sub-if>grp-if>sap>static-host mac-linking)

Full Context

configure service ies subscriber-interface group-interface sap static-host mac-linking

configure service vprn subscriber-interface group-interface sap static-host mac-linking

Description

This command associates this IPv6 host to the specified IPv4 host through the learned MAC address. A learned MAC from the IPv6 host is associated with the IPv4 host and vice versa.

The no form of this command removes the IP address from the configuration.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

mac-list

mac-list

Syntax

mac-list name [create]

no mac-list name

Context

[Tree] (config>service>proxy-arp-nd mac-list)

Full Context

configure service proxy-arp-nd mac-list

Description

This command creates a list of MAC addresses that can be pointed at from the service for a specified IP. The list may contain up to 10 MAC addresses; an empty list is also allowed.

The MAC list allows on-the-fly changes, but a change in the list deletes the proxy entries for all the IPs using that list.

The no form of the command deletes the entire MAC-list. Deleting a MAC list is only possible if it is not referenced in the configuration.

Parameters

name

Specifies the name of the MAC address list, which can be up to 32 characters.

create

Mandatory keyword to create a MAC list.

Platforms

All

mac-list

Syntax

mac-list name

no mac-list

Context

[Tree] (config>service>vpls>proxy-nd>dynamic mac-list)

[Tree] (config>service>vpls>proxy-arp>dynamic mac-list)

Full Context

configure service vpls proxy-nd dynamic mac-list

configure service vpls proxy-arp dynamic mac-list

Description

This command associates a previously created MAC list to a dynamic IP. The MAC list is created using the configure service proxy-arp-nd mac-list command.

The no form of the command deletes the association of the MAC list and the dynamic IP.

Parameters

name

Specifies the name of the MAC list previously created using the configure service proxy-arp-nd mac-list command.

Platforms

All

mac-list

Syntax

mac-list name [create]

no mac-list name

Context

[Tree] (config>service mac-list)

Full Context

configure service mac-list

Description

This command configures a MAC list name. The MAC list is composed of a list of MAC addresses and masks, which along with Auto-Learn Mac Protect (ALMP) can be used to exclude certain MACs from being protected in a given object. This is typically used on SAPs and spoke SDPs configured with ALMP where certain MACs must be able to move to other objects (for example, VRRP virtual MACs).

The no form of this command removes the MAC list name.

Parameters

name

Specifies the MAC list name, up to 32 characters.

create

Keyword used to create the MAC list.

Platforms

All

mac-move

mac-move

Syntax

[no] mac-move

Context

[Tree] (config>service>template>vpls-template mac-move)

[Tree] (config>service>vpls mac-move)

Full Context

configure service template vpls-template mac-move

configure service vpls mac-move

Description

Commands in this context configure MAC move attributes. A sustained high re-learn rate can be a sign of a loop somewhere in the VPLS topology. Typically, STP detects loops in the topology, but for those networks that do not run STP, the mac-move feature is an alternative way to protect your network against loops.

When enabled in a VPLS, mac-move monitors the re-learn rate of each MAC. If the rate exceeds the configured maximum allowed limit, it disables the SAP where the source MAC was last seen. The SAP can be disabled permanently (until a shutdown/no shutdown command is executed) or for a length of time that grows linearly with the number of times the specified SAP was disabled. You have the option of marking a SAP as non-blockable in the config>service>vpls>sap>limit-mac-move or config>service>vpls>spoke-sdp>limit-mac-move contexts. This means that when the re-learn rate has exceeded the limit, another (blockable) SAP will be disabled instead.

The mac-move command enables the feature at the service level for SAPs and spoke-SDPs, as only those objects can be blocked by this feature. Mesh SDPs are never blocked, but their re-learn rates (sap-to-mesh/spoke-to-mesh or vice versa) are still measured.

The operation of this feature is the same on the SAP and spoke-SDP. For example, if a MAC address moves from SAP to SAP, from SAP to spoke-SDP, or between spoke-SDPs, one will be blocked to prevent thrashing. If the MAC address moves between a SAP and mesh SDP or spoke-SDP and mesh SDP combinations, the respective SAP or spoke-SDP will be blocked.

mac-move will disable a VPLS port when the number of relearns detected has reached the number of relearns needed to reach the move-frequency in the 5-second interval. For example, when the move-frequency is configured to 1 (relearn per second) mac-move will disable one of the VPLS ports when 5 relearns were detected during the 5-second interval because then the average move-frequency of 1 relearn per second has been reached. This can already occur in the first second if the real relearn rate is 5 relearns per second or higher.

The no form of this command disables MAC move.

Platforms

All

mac-move-level

mac-move-level

Syntax

mac-move-level {primary | secondary| tertiary}

Context

[Tree] (config>service>template>vpls-sap-template mac-move-level)

Full Context

configure service template vpls-sap-template mac-move-level

Description

When a SAP is instantiated using vpls-sap-template, if the MAC move feature is enabled at VPLS level, the command mac-move-level indicates whether the sap should be populated as primary-port, secondary-port, or tertiary-port in the instantiated VPLS.

If configured to the default, SAP is populated as a tertiary-port.

Default

no mac-move-level

Platforms

All

mac-name

mac-name

Syntax

mac-name name ieee-address

no mac-name name

Context

[Tree] (config>service>pbb mac-name)

Full Context

configure service pbb mac-name

Description

This command configures the MAC name for the MAC address. It associates an ASCII name with an IEEE MAC to improve the PBB Epipe configuration. It can also change the dest-BMAC in one place instead of 1000s of Epipe.

Parameters

name

Specifies the MAC name up to 32 characters in length.

ieee-address

Specifies the MAC address assigned to the MAC name. The value should be input in either a xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx format.

Platforms

All

mac-notification

mac-notification

Syntax

mac-notification

Context

[Tree] (config>service mac-notification)

Full Context

configure service mac-notification

Description

This command controls the settings for the MAC notification message.

The MAC notification message must be generated under the following events:

  1. When enabled in the BVPLS using no shutdown, a MAC notification will be sent for every active MC-LAG link. The following 3 cases assume no shutdown in the BVPLS.

  2. Whenever a related MC-LAG link becomes active (the related MC-LAG link has at least 1 SAP associated with the BVPLS) if the MC-LAG peering is initialized and the PE peers are synchronized.

  3. First SAP on an active MC-LAG is associated (via IVPLS/Epipe) with the BVPLS.

  4. The link between IVPLS/Epipe and BVPLS is configured and there are I-SAPs configured on an active MC-LAG link.

The MAC notification is not sent for the following events:

  1. Change of source-bmac or source-bmac-lsb

  2. On changes of use-sap-bmac parameter

  3. If MC-LAG peering is not (initialized and in sync).

Platforms

All

mac-notification

Syntax

mac-notification

Context

[Tree] (config>service>vpls mac-notification)

Full Context

configure service vpls mac-notification

Description

This command controls the settings for the MAC notification message.

The MAC notification message must be generated under the following events:

  1. When enabled in the BVPLS using no shutdown, a MAC notification will be sent for every active MC-LAG link. The following three cases assume no shutdown in the BVPLS.

  2. Whenever a related MC-LAG link becomes active (the related MC-LAG link has at least 1 SAP associated with the BVPLS) if the MC-LAG peering is initialized and the PE peers are synchronized.

  3. First SAP on an active MC-LAG is associated (via IVPLS/Epipe) with the BVPLS

  4. The link between IVPLS/Epipe and BVPLS is configured and there are I-SAPs configured on an active MC-LAG link.

The MAC notification is not sent for the following events:

  1. Change of source-bmac or source-bmac-lsb

  2. On changes of use-sap-bmac parameter

  3. If MC-LAG peering is not (initialized and in sync).

Platforms

All

mac-ping

mac-ping

Syntax

mac-ping service service-id destination dst-ieee-address [source src-ieee-address] [fc fc-name [profile {in | out}]] [size octets] [ttl vc-label-ttl] [count send-count] [return-control] [interval interval] [timeout timeout]

Context

[Tree] (config>saa>test>type mac-ping)

[Tree] (oam mac-ping)

Full Context

configure saa test type mac-ping

oam mac-ping

Description

This command determines the existence of an egress SAP binding of a given MAC within a VPLS service.

A mac-ping packet is sent via the data plane.

A mac-ping is forwarded along the flooding domain if no MAC address bindings exist. If MAC address bindings exist, then the packet is forwarded along those paths, provided they are active. A response is generated only when there is an egress SAP binding for that MAC address or if the MAC address is a "local” OAM MAC address associated with the device’s control plan.

A mac-ping reply can be sent using the data plane or the control plane. The return-control option specifies the reply be sent using the control plane. If return-control is not specified, the request is sent using the data plane.

A mac-ping with data plane reply can only be initiated on nodes that can have an egress MAC address binding. A node without a FDB and without any SAPs cannot have an egress MAC address binding, so it is not a node where replies in the data plane are trapped and sent up to the control plane.

A control plane request is responded to via a control plane reply only.

By default, MAC OAM requests are sent with the system or chassis MAC address as the source MAC. The source option allows overriding of the default source MAC for the request with a specific MAC address.

When a source ieee-address value is specified and the source MAC address is locally registered within a split horizon group (SHG), then this SHG membership is used as if the packet originated from this SHG. In all other cases, SHG 0 (zero) is used. If the mac-trace is originated from a non-zero SHG, such packets do not go out to the same SHG.

Parameters

service-id

Specifies the service ID of the service to diagnose or manage.

Values

1 to 2147483647

service-name: up to 64 characters

dst-ieee-address

Specifies the destination MAC address for the OAM MAC request.

Values

xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx

All zeros and multicast is not allowed.

src-ieee-address

Specifies the source MAC address from which the OAM MAC request originates. By default, the system MAC address for the chassis is used.

Values

xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx

All zeros and multicast is not allowed.

Default

The system MAC address.

fc-name

Specifies that the fc parameter be used to test the forwarding class of the MPLS echo request packets. The actual forwarding class encoding is controlled by the network egress LSP-EXP mappings.

Values

be, l2, af, l1, h2, ef, h1, nc

Default

be

profile {in | out}

Specifies the profile state of the MPLS echo request encapsulation.

Default

out

octets

Specifies the MAC OAM request packet size in octets, expressed as a decimal integer. The request payload is padded to the specified size with a 6 byte PAD header and a byte payload of 0xAA as necessary. If the octet size specified is less than the minimum packet, the minimum sized packet necessary to send the request is used.

Values

1 to 9198

vc-label-ttl

Specifies the TTL value in the VC label for the OAM MAC request, expressed as a decimal integer.

Values

1 to 255

Default

255

send-count

Specifies the number of messages to send, expressed as a decimal integer. The count parameter is used to override the default number of message requests sent. Each message request must either time out or receive a reply before the next message request is sent. The message interval value must be expired before the next message request is sent.

Values

1 to 100

Default

1

return-control

Specifies the MAC OAM reply to a data plane MAC OAM request be sent using the control plane instead of the data plane.

interval

Specifies the time, in seconds, used to override the default request message send interval and defines the minimum amount of time that must expire before the next message request is sent.

If the interval is set to 1 second where the timeout value is set to 10 seconds, then the maximum time between message requests is 10 seconds and the minimum is 1 second. This depends upon the receipt of a message reply corresponding to the outstanding message request.

Values

1 to 10

Default

1

timeout

Specifies the time, in seconds, used to override the default timeout value and is the amount of time that the router waits for a message reply after sending the message request. Upon the expiration of message time out, the requesting router assumes that the message response is not received. Any response received after the request times out is silently discarded.

Values

1 to 10

Default

5

Platforms

All

mac-pinning

mac-pinning

Syntax

[no] mac-pinning

Context

[Tree] (config>service>vpls>endpoint mac-pinning)

[Tree] (config>service>vpls>mesh-sdp mac-pinning)

[Tree] (config>service>vpls>spoke-sdp mac-pinning)

[Tree] (config>service>vpls>sap mac-pinning)

Full Context

configure service vpls endpoint mac-pinning

configure service vpls mesh-sdp mac-pinning

configure service vpls spoke-sdp mac-pinning

configure service vpls sap mac-pinning

Description

This command disables re-learning of MAC addresses on other SAPs within the VPLS. The MAC address will remain attached to a given SAP for duration of its age-timer.

The age of the MAC address entry in the FDB is set by the age timer. If mac-aging is disabled on a given VPLS service, any MAC address learned on a SAP or SDP with mac-pinning enabled will remain in the FDB on this SAP or SDP forever.

Every event that would otherwise result in re-learning is logged (MAC address; original-SAP; new-SAP).

When a SAP or spoke SDP is part of a Residential Split Horizon Group (RSHG), MAC pinning is activated at creation of the SAP. Otherwise MAC pinning is not enabled by default.

The no form of the command enables re-learning of MAC addresses.

Note:

MAC addresses learned during DHCP address assignment (DHCP snooping enabled) are not impacted by this command. MAC-pinning for such addresses is implicit.

Default

no mac-pinning

Platforms

All

mac-pinning

Syntax

[no] mac-pinning

Context

[Tree] (config>service>pw-template mac-pinning)

Full Context

configure service pw-template mac-pinning

Description

Enabling this command will disable re-learning of MAC addresses on other SAPs within the service. The MAC address will remain attached to a given SAP for duration of its age-timer.

The age of the MAC address entry in the FDB is set by the age timer. If mac-aging is disabled on a given VPLS service, any MAC address learned on a SAP or SDP with mac-pinning enabled will remain in the FDB on this SAP or SDP forever. Every event that would otherwise result in re-learning will be logged (MAC address; original-SAP; new-SAP).

When a SAP or spoke SDP is part of a Residential Split Horizon Group (RSHG), MAC pinning is activated at creation of the SAP. Otherwise MAC pinning is not enabled by default.

Note:

For 7750 SR and 7450 ESS, MAC addresses learned during DHCP address assignment (DHCP snooping enabled) are not impacted by this command. MAC-pinning for such addresses is implicit.

Default

no mac-pinning

Platforms

All

mac-policy

mac-policy

Syntax

mac-policy mac-policy-id [create]

no mac-policy mac-policy-id

Context

[Tree] (config>macsec mac-policy)

Full Context

configure macsec mac-policy

Description

This command configures MAC address policy groups.

The no form of this command removes the MAC address policy group configuration.

Parameters

mac-policy-id

Specifies the value of the MAC address policy.

Values

0 to 4294967295

create

Mandatory keyword used to create the configuration.

Platforms

All

mac-populate

mac-populate

Syntax

mac-populate {service-id | service service-name} mac ieee-address [flood] [ age seconds] [force] [ target-sap sap-id]

Context

[Tree] (oam mac-populate)

Full Context

oam mac-populate

Description

This command populates the FDB with an OAM-type MAC entry indicating the node is the egress node for the MAC address and optionally floods the OAM MAC association throughout the service. The mac-populate command installs an OAM MAC into the service FDB indicating the device is the egress node for a MAC address. The MAC address can be bound to a SAP (the target-sap) or can be associated with the control plane in that any data destined to the MAC address is forwarded to the control plane (CPM). As a result, if the service on the node has neither a FDB nor an egress SAP, then it is not allowed to initiate a mac-populate.

The MAC address that is populated in the FDBs in the provider network is given a type OAM, so that it can be treated distinctly from regular dynamically learned or statically configured MACs. Note that OAM MAC addresses are operational MAC addresses and are not saved in the device configuration. An exec file can be used to define OAM MACs after system initialization.

The force option in mac-populate forces the MAC in the table to be type OAM in the case it already exists as a dynamic, static or an OAM induced learned MAC with some other type binding.

An OAM-type MAC cannot be overwritten by dynamic learning and allows customer packets with the MAC to either ingress or egress the network while still using the OAM MAC entry.

The flood option causes each upstream node to learn the MAC (that is, populate the local FDB with an OAM MAC entry) and to flood the request along the data plane using the flooding domain. The flooded mac-populate request is sent via the data plane.

An age can be provided to age an OAM MAC using a specific interval. By default, OAM MAC addresses are not aged and can be removed with a mac-purge or with an FDB clear operation.

When split horizon group (SHG) is configured, the flooding domain depends on which SHG the packet originates from. The target-sap sap-id value dictates the originating SHG information.

Parameters

service-id

Specifies the service ID of the service to diagnose or manage.

Values

1 to 2147483647

service-name

Specifies the name of the service to diagnose or manage. 64 characters maximum.

ieee-address

Specifies the MAC address to be populated.

Values

xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx

All zeros and multicast is not allowed.

flood

Sends the OAM MAC populate to all upstream nodes.

seconds

Specifies the age for the OAM MAC, in seconds, expressed as a decimal integer.

Values

1 to 65535

Default

3600

force

Converts the MAC to an OAM MAC.

sap-id

Specifies the local target SAP bound to a service on which to associate the OAM MAC. By default, the OAM MAC is associated with the control place, that is, it is associated with the CPU on the router.

When the target-sap sap-id value is not specified the MAC is bound to the CPM or CFM. The originating SHG is 0 (zero). When the target-sap sap-id value is specified, the originating SHG is the SHG of the target-sap.

Values

null

port-id | bundle-id | bpgrp-id | lag-id | aps-id

dot1q

port-id | bundle-id | bpgrp-id | lag-id | aps-id | pw-id:[qtag1| cp-conn-prof-id]

qinq

port-id | bundle-id | bpgrp-id | lag-id | pw-id:[qtag1 cp-conn-prof-id].[qtag2 | cp-conn-prof-id]

cp

keyword

conn-prof-id

1 to 8000

cem

slot/mda/port.channel

ima-grp

bundle-id [:vpi/vci | vpi | vpi1.vpi2 | cp.conn-prof-id]

cp

keyword

conn-prof-id

1 to 8000

port-id

slot/mda/port[.channel]

esat-id/slot/port

pxc-id.sub-port

aps-id

aps-group-id[.channel]

aps

keyword

group-id

1 to 128

ccag-id

ccag-id.path-id[cc-type]:cc-id

ccag

keyword

id

1 to 8

path-id

a | b

cc-type

.sap-net | .net-sap

cc-id

1 to 4094

eth-tunnel

eth-tunnel-id[:eth-tun-sap-id]

id

1 to 1024

eth-tun-sap-id

0 to 4094

lag-id

lag-id

lag

keyword

id

1 to 800

pw-id

pw-id

pw

keyword

id

1 to 10239

qtag1

* | 0 to 4094

qtag2

* | null | 0 to 4094

tunnel-id

tunnel-id.private | public:tag

tunnel

keyword

id

1 to 16

tag

0 to 4094

Platforms

All

mac-prefix

mac-prefix

Syntax

mac-prefix mac-prefix

no mac-prefix

Context

[Tree] (config>subscr-mgmt>isa-svc-chain mac-prefix)

Full Context

configure subscriber-mgmt isa-service-chaining mac-prefix

Description

This command configures the unique MAC prefix per ISA and per outside service for all NAT group configured for service-chaining.

The no form of this command removes the MAC prefix from the configuration.

Parameters

mac-prefix

Specifies the MAC prefix, up to eight characters, including separators.

Values

format AA:BB:CC

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

mac-protect

mac-protect

Syntax

[no] mac-protect

Context

[Tree] (config>service>vpls mac-protect)

Full Context

configure service vpls mac-protect

Description

This command indicates if this MAC is protected on the MAC protect list. When enabled, the agent will protect the MAC from being learned or re-learned on a SAP, spoke SDP or mesh SDP that has restricted learning enabled. The MAC protect list is used in conjunction with restrict-protected-src, restrict-unprotected-dst and auto-learn-mac-protect.

The no form of the command reverts to the default.

Platforms

All

mac-purge

mac-purge

Syntax

mac-purge {service-id | service service-name} target ieee-address [flood] [force] [register]

Context

[Tree] (oam mac-purge)

Full Context

oam mac-purge

Description

This command removes an OAM-type MAC entry from the FDB and optionally floods the OAM MAC removal throughout the service. A mac-purge can be sent via the forwarding path or via the control plane.

When sending the MAC purge using the data plane, the TTL in the VC label is set to 1.

A MAC address is purged only if it is marked as OAM. A mac-purge request is an HVPLS OAM packet, with the following fields. The Reply Flags is set to 0 (since no reply is expected), the Reply Mode and Reserved fields are set to 0. The Ethernet header has source set to the (system) MAC address, the destination set to the broadcast MAC address. There is a VPN TLV in the FEC Stack TLV to identify the service domain.

If the register option is provided, the R bit in the Address Delete flags is turned on.

The flood option causes each upstream node to be sent the OAM MAC delete request and to flood the request along the data plane using the flooding domain. The flooded mac-purge request is sent via the data plane.

The register option reserves the MAC for OAM testing where it is no longer an active MAC in the FDB for forwarding, but it is retained in the FDB as a registered OAM MAC. Registering an OAM MAC prevents relearns for the MAC based on customer packets. Relearning a registered MAC can only be done through a mac-populate request. The originating SHG is always 0 (zero).

Parameters

service-id

Specifies the service ID of the service to diagnose or manage.

Values

1 to 2147483647

service-name

Specifies the name, up to 64 characters, of the service to diagnose or manage.

ieee-address

Specifies the MAC address to be purged.

Values

xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx

All zeros and multicast is not allowed.

flood

Sends the OAM MAC purge to all upstream nodes.

force

Purges the entry regardless of the entry’s originating node.

register

Reserves the MAC for OAM testing.

Platforms

All

mac-refresh

mac-refresh

Syntax

mac-refresh refresh interval

no mac-refresh

Context

[Tree] (config>service>ipipe>sap mac-refresh)

Full Context

configure service ipipe sap mac-refresh

Description

This command specifies the interval between ARP requests sent on this Ipipe SAP. When the SAP is first enabled, an ARP request will be sent to the attached CE device and the received MAC address will be used in addressing unicast traffic to the CE. Although this MAC address will not expire while the Ipipe SAP is enabled and operational, it is verified by sending periodic ARP requests at the specified interval.

The no form of this command restores mac-refresh to the default value.

Default

mac-refresh 14400

Parameters

refresh interval

Specifies the interval, in seconds, between ARP requests sent on this Ipipe SAP.

Values

0 to 65535

Platforms

All

mac-subnet-length

mac-subnet-length

Syntax

mac-subnet-length subnet-length

no mac-subnet-length

Context

[Tree] (config>service>vpls mac-subnet-length)

Full Context

configure service vpls mac-subnet-length

Description

This command specifies the number of bits to be considered when performing MAC learning (MAC source) and MAC switching (MAC destination). Specifically, this value identifies how many bits, starting from the beginning of the MAC address are used. For example, if the mask-value of 28 is used, MAC learning only performs a lookup for the first 28 bits of the source MAC address when comparing with existing FDB entries. Then, it installs the first 28 bits in the FDB while zeroing out the last 20 bits of the MAC address. When performing switching in the reverse direction, only the first 28 bits of the destination MAC address are used to perform a FDB lookup to determine the next hop.

The no form of this command switches back to full MAC lookup.

Default

mac-subnet-length 48

Parameters

subnet-length

Specifies the number of bits to be considered when performing MAC learning or MAC switching.

Values

24 to 48

Platforms

All

mac-trace

mac-trace

Syntax

mac-trace service service-id destination ieee-address [source ieee-address] [fc fc-name [profile {in | out}]] [size octets] [min-ttl vc-label-ttl] [max-ttl vc-label-ttl] [probe-count send-count] [return-control] [interval interval] [timeout timeout]

Context

[Tree] (config>saa>test>type mac-trace)

[Tree] (oam mac-trace)

Full Context

configure saa test type mac-trace

oam mac-trace

Description

This command displays the hop-by-hop path for a destination MAC address within a VPLS.

The MAC traceroute operation is modeled after the IP traceroute utility which uses ICMP echo request and reply packets with increasing TTL values to determine the hop-by-hop route to a destination IP. The MAC traceroute command uses Nokia OAM packets with increasing TTL values to determine the hop-by-hop route to a destination MAC.

In a MAC traceroute, the originating device creates a MAC ping echo request packet for the MAC to be tested with increasing values of the TTL. The echo request packet is sent via the data plane and awaits a TTL exceeded response or the echo reply packet from the device with the destination MAC. The devices that reply to the echo request packets with the TTL exceeded and the echo reply are displayed.

When a source ieee-address value is specified and the source MAC address is locally registered within a split horizon group (SHG), then this SHG membership is used as if the packet originated from this SHG. In all other cases, SHG 0 (zero) is used. Note that if the mac-ping is originated from a non-zero SHG, such packets do not go out to the same SHG.

Parameters

service-id

Specifies the service ID of the service to diagnose or manage.

This variant of the command is only supported in the classic configuration-mode (configure system management-interface configuration-mode classic).

Values

{id | svc-name}

service-id:

1 to 2147483647

svc-name:

up to 64 characters

destination ieee-address

Specifies the destination MAC address to be traced.

Values

xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx

All zeros and multicast is not allowed.

source ieee-address

The source MAC address from which the OAM MAC request originates. By default, the system MAC address for the chassis is used.

Values

xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx

All zeros and multicast is not allowed.

Default

The system MAC address

fc-name

Specifies the forwarding class to test the forwarding class of the ICMP echo request packets. The actual forwarding class encoding is controlled by the network egress LSP-EXP mappings.

Values

be, l2, af, l1, h2, ef, h1, nc

Default

be

profile {in | out}

Specifies the profile state of the ICMP echo request encapsulation.

Default

out

octets

Specifies the MAC OAM request packet size in octets, expressed as a decimal integer. The request payload is padded to the specified size with a 6 byte PAD header and a byte payload of 0xAA as necessary. If the octet size specified is less than the minimum packet, the minimum sized packet necessary to send the request is used.

Values

1 to 9198

min-ttl vc-label-ttl

Specifies the minimum TTL value in the VC label for the MAC trace test, expressed as a decimal integer.

Values

1 to 255

Default

1

max-ttl vc-label-ttl

Specifies the maximum TTL value in the VC label for the MAC trace test, expressed as a decimal integer.

Values

1 to 255

Default

4

send-count

Specifies the number of MAC OAM requests sent for a TTL value, expressed as a decimal integer.

Values

1 to 100

Default

1

return-control

Specifies the MAC OAM reply to a data plane MAC OAM request be sent using the control plane instead of the data plane.

interval

Specifies the time, in seconds, used to override the default request message send interval and defines the minimum amount of time that must expire before the next message request is sent.

If the interval is set to 1 second, and the timeout value is set to 10 seconds, then the maximum time between message requests is 10 seconds and the minimum is 1 second. This depends upon the receipt of a message reply corresponding to the outstanding message request.

Values

1 to 10

Default

1

timeout

Specifies the time, in seconds, used to override the default timeout value and is the amount of time that the router waits for a message reply after sending the message request. Upon the expiration of message time out, the requesting router assumes that the message response is not received. Any response received after the request times out is silently discarded.

Values

1 to 60

Default

5

Platforms

All

mac-translation

mac-translation

Syntax

[no] mac-translation

Context

[Tree] (config>service>ies>sub-if>grp-if>wlan-gw>ranges>range>vrgw>lanext mac-translation)

[Tree] (config>service>vprn>sub-if>grp-if>wlan-gw>ranges>range>vrgw>lanext mac-translation)

Full Context

configure service ies subscriber-interface group-interface wlan-gw vlan-tag-ranges range vrgw lanext mac-translation

configure service vprn subscriber-interface group-interface wlan-gw vlan-tag-ranges range vrgw lanext mac-translation

Description

This command enables MAC address translation for HLE services.

The no form of this command disables MAC address translation for HLE services.

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

macsec

macsec

Syntax

macsec

Context

[Tree] (config macsec)

Full Context

configure macsec

Description

Commands in this context configure MACsec, including the MACsec MKA profile.

Platforms

All

macsec

Syntax

[no] macsec

Context

[Tree] (config>port>ethernet>dot1x macsec)

Full Context

configure port ethernet dot1x macsec

Description

This command configures MACsec under this port.

Platforms

All

macsec-encrypt

macsec-encrypt

Syntax

[no] macsec-encrypt

Context

[Tree] (config>macsec>connectivity-association macsec-encrypt)

Full Context

configure macsec connectivity-association macsec-encrypt

Description

This command specifies that all PDUs are encrypted and authenticated (ICV payload).

The no form of this command specifies that all PDUs are transmitted with cleartext, but still authenticated and have the trailing ICV.

Default

macsec-encrypt

Platforms

All

main-ct-retry-limit

main-ct-retry-limit

Syntax

main-ct-retry-limit number

no main-ct-retry-limit

Context

[Tree] (config>router>mpls>lsp-template main-ct-retry-limit)

[Tree] (config>router>mpls>lsp main-ct-retry-limit)

Full Context

configure router mpls lsp-template main-ct-retry-limit

configure router mpls lsp main-ct-retry-limit

Description

This command configures the maximum number of retries the LSP primary path should be retried with the LSP Diff-Serv main Class Type (CT).

When an unmapped LSP primary path goes into retry, it uses the main CT until the number of retries reaches the value of the new main-ct-retry-limit parameter. If the path did not come up, it must start using the backup CT at that point in time. By default, this parameter is set to infinite value. The new main-ct-retry-limit parameter has no effect on an LSP primary path which retries due to a failure event.

An unmapped LSP primary path is a path which has never received a Resv in response to the first Path message sent. This can occur when performing a "shut/no-shut” on the LSP or LSP primary path or when the node reboots. An unmapped LSP primary path goes into retry if the retry timer expired or the head-end node received a PathErr message before the retry timer expired.

If the user entered a value of the main-ct-retry-limit parameter that is greater than the value of the LSP retry-limit, the number of retries will still stop when the LSP primary path reaches the value of the LSP retry-limit. In other words, the meaning of the LSP retry-limit parameter is not changed and always represents the upper bound on the number of retries. The unmapped LSP primary path behavior applies to both CSPF and non-CSPF LSPs.

The no form of this command sets the parameter to the default value of zero (0) which means the LSP primary path will retry forever.

Default

no main-ct-retry-limit

Parameters

number

Specifies the number of times MPLS will attempt to re-establish the LSP primary path using the Diff-Serv main CT. Allowed values are integers in the range of zero (0) to 10,000, where zero indicates to retry infinitely.

Values

0 to 1000, integer

Platforms

All

maintenance-policy

maintenance-policy

Syntax

[no] maintenance-policy maintenance-policy-name

Context

[Tree] (config>router>segment-routing maintenance-policy)

Full Context

configure router segment-routing maintenance-policy

Description

This command configures a named maintenance policy that can be applied to SR Policy candidate paths that are either statically configured or imported via BGP. A maintenance policy is used to configure seamless BFD and protection for an SR Policy candidate path.

A maintenance policy must be administratively disabled in order to change any of the parameters.

A maintenance policy cannot be enabled unless a mode, bfd-enable, and bfd-template are configured.

If a maintenance-template is administratively disabled, then all candidate paths to which it is applied are deprogrammed from the data path.

The no form of this command removes the specified maintenance policy.

Parameters

maintenance-policy-name

Specifies the name of the maintenance policy, up to 32 characters and cannot start with a space or underscore.

Platforms

All

maintenance-policy

Syntax

[no] maintenance-policy maintenance-policy-name

Context

[Tree] (conf>router>segment-routing>sr-policies>policy maintenance-policy)

Full Context

configure router segment-routing sr-policies static-policy maintenance-policy

Description

This command applies a named maintenance policy to the static SR policy path. The maintenance policy must exist under the configure router segment-routing context.

The no form of this command removes the specified maintenance policy.

Parameters

maintenance-policy-name

Specifies the name of the maintenance policy, up to 32 characters and cannot start with a space or underscore.

Platforms

All

managed-configuration

managed-configuration

Syntax

[no] managed-configuration

Context

[Tree] (config>service>vprn>router-advert>if managed-configuration)

[Tree] (config>service>ies>sub-if>grp-if>ipv6>rtr-adv managed-configuration)

[Tree] (config>service>ies>sub-if>ipv6>rtr-adv managed-configuration)

[Tree] (config>service>vprn>sub-if>grp-if>ipv6>rtr-adv managed-configuration)

[Tree] (config>router>router-advert>if managed-configuration)

[Tree] (config>service>vprn>sub-if>grp-if>ipv6 managed-configuration)

[Tree] (config>service>ies>sub-if>grp-if>ipv6 managed-configuration)

[Tree] (config>service>vprn>sub-if>ipv6>rtr-adv managed-configuration)

[Tree] (config>subscr-mgmt>rtr-adv-plcy managed-configuration)

Full Context

configure service vprn router-advertisement interface managed-configuration

configure service ies subscriber-interface group-interface ipv6 router-advertisements managed-configuration

configure service ies subscriber-interface ipv6 router-advertisements managed-configuration

configure service vprn subscriber-interface group-interface ipv6 router-advertisements managed-configuration

configure router router-advertisement interface managed-configuration

configure service vprn subscriber-interface group-interface ipv6 managed-configuration

configure service ies subscriber-interface group-interface ipv6 managed-configuration

configure service vprn subscriber-interface ipv6 router-advertisements managed-configuration

configure subscriber-mgmt router-advertisement-policy managed-configuration

Description

This command sets or resets managed address configuration flag for this group-interface. This flag indicates that DHCPv6 is available for address configuration in addition to any address auto-configured using stateless address auto-configuration. See RFC 3315 for additional details.

The no form of this command reverts to the default.

Default

no managed-configuration

Platforms

All

  • configure router router-advertisement interface managed-configuration
  • configure service vprn router-advertisement interface managed-configuration

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

  • configure subscriber-mgmt router-advertisement-policy managed-configuration
  • configure service vprn subscriber-interface group-interface ipv6 router-advertisements managed-configuration
  • configure service vprn subscriber-interface ipv6 router-advertisements managed-configuration
  • configure service ies subscriber-interface ipv6 router-advertisements managed-configuration
  • configure service vprn subscriber-interface group-interface ipv6 managed-configuration
  • configure service ies subscriber-interface group-interface ipv6 managed-configuration
  • configure service ies subscriber-interface group-interface ipv6 router-advertisements managed-configuration

managed-routes

managed-routes

Syntax

managed-routes

Context

[Tree] (config>service>ies>sub-if>grp-if>sap>static-host managed-routes)

[Tree] (config>service>vprn>sub-if>grp-if>sap>static-host managed-routes)

Full Context

configure service ies subscriber-interface group-interface sap static-host managed-routes

configure service vprn subscriber-interface group-interface sap static-host managed-routes

Description

Commands in this context configure managed route parameters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

managed-vlan-list

managed-vlan-list

Syntax

managed-vlan-list

Context

[Tree] (config>service>vpls>sap managed-vlan-list)

Full Context

configure service vpls sap managed-vlan-list

Description

Commands in this context configure VLAN ranges to be managed by a management VPLS. The list indicates, for each SAP, the ranges of associated VLANs that will be affected when the SAP changes state. This managed-vlan-list is not used when STP mode is MSTP in which case the vlan-range is taken from the config>service>vpls>stp>msti configuration.

This command is only valid when the VPLS in which it is entered was created as a management VPLS.

Platforms

All

management

management

Syntax

management [create]

no management

Context

[Tree] (config>service>vprn management)

Full Context

configure service vprn management

Description

Commands in this context configure node management within the VPRN.

Parameters

create

Keyword used to create a management server entry.

Platforms

All

management

Syntax

management

Context

[Tree] (config>system>security management)

Full Context

configure system security management

Description

Commands in this context allow access to management servers.

Platforms

All

management-access-filter

management-access-filter

Syntax

[no] management-access-filter

Context

[Tree] (config>system>security management-access-filter)

Full Context

configure system security management-access-filter

Description

This command creates the context to edit management access filters and to reset match criteria.

Management access filters control all traffic in and out of the CPM. They can be used to restrict management of the router by other nodes outside either specific (sub)networks or through designated ports.

Management filters, as opposed to other traffic filters, are enforced by system software.

The no form of this command removes management access filters from the configuration.

Platforms

All

management-interface

management-interface

Syntax

management-interface

Context

[Tree] (config>system management-interface)

Full Context

configure system management-interface

Description

Commands in this context configure the capabilities of router management interfaces such as CLI and NETCONF.

Platforms

All

management-interface

Syntax

management-interface

Context

[Tree] (config>system>security management-interface)

Full Context

configure system security management-interface

Description

Commands in this context configure the selection of a management interface for hash configuration. The management interfaces are classic-cli, md-cli, netconf, or grpc.

Platforms

All

manager

manager

Syntax

manager manager-name [create]

no manager manager-name

Context

[Tree] (config>system>management-interface>remote-management manager)

Full Context

configure system management-interface remote-management manager

Description

Commands configured in this context take precedence over command values specified directly in the configure management-interface remote-management context.

If a command is not configured in this context, the command setting is inherited from the higher level context.

The no form of this command removes the remote manager configuration.

Default

system-name

Parameters

manager-name

Specifies the name of the remote manager, up to 32 characters.

Platforms

All

manager-address

manager-address

Syntax

manager-address ip-address | fqdn

no manager-address

Context

[Tree] (config>system>management-interface>remote-management>manager manager-address)

Full Context

configure system management-interface remote-management manager manager-address

Description

This command configures the destination IP address or FQDN of the manager.

The no form of this command removes the configured IP address or FQDN of the configured manager.

Parameters

ip-address

Specifies the IP address, up to 255 characters.

fqdn

Specifies the FQDN, up to 255 characters.

Platforms

All

manager-port

manager-port

Syntax

manager-port port

no manager-port

Context

[Tree] (config>system>management-interface>remote-management>manager manager-port)

Full Context

configure system management-interface remote-management manager manager-port

Description

This command assigns a destination TCP port to be used for opening gRPC connections to the specified remote manager.

The no form of this command reverts the destination TCP port for the remote manager to the default gRPC port (57400).

Parameters

port

Specifies the TCP destination port.

Values

1 to 65535

Default

57400

Platforms

All

manual

manual

Syntax

manual

Context

[Tree] (config>service>system>bgp-evpn>eth-seg>service-carving manual)

Full Context

configure service system bgp-evpn ethernet-segment service-carving manual

Description

Commands in this context manually configure the service-carving algorithm, that is, configure the EVIs or ISIDs for which the PE is DF.

Platforms

All

manual-keying

manual-keying

Syntax

[no] manual-keying

Context

[Tree] (config>router>if>ipsec>ipsec-tunnel manual-keying)

[Tree] (config>service>vprn>if>ipsec>ipsec-tunnel manual-keying)

[Tree] (config>service>vprn>if>sap>ipsec-tunnel manual-keying)

[Tree] (config>service>ies>if>ipsec>ipsec-tunnel manual-keying)

Full Context

configure router interface ipsec ipsec-tunnel manual-keying

configure service vprn interface ipsec ipsec-tunnel manual-keying

configure service vprn interface sap ipsec-tunnel manual-keying

configure service ies interface ipsec ipsec-tunnel manual-keying

Description

This command configures Security Association (SA) for manual keying. When enabled, the command specifies whether this SA entry is created manually, by the user, or dynamically by the IPsec sub-system.

Platforms

VSR

  • configure service vprn interface ipsec ipsec-tunnel manual-keying
  • configure service ies interface ipsec ipsec-tunnel manual-keying
  • configure router interface ipsec ipsec-tunnel manual-keying

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

  • configure service vprn interface sap ipsec-tunnel manual-keying

map

map

Syntax

[no] map

Context

[Tree] (config>service>nat>pcp-server-policy>opcode map)

Full Context

configure service nat pcp-server-policy opcode map

Description

This command enables/disables support for the map opcode.

Default

no map

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

map-domain

map-domain

Syntax

map-domain domain-name [create]

no map-domain

Context

[Tree] (config>service>nat map-domain)

Full Context

configure service nat map-domain

Description

This command creates a MAP domain template, which is used to define MAP rules and parameters specific to the MAP domain. A MAP domain represents a set of CEs that share the same default gateway (BR's IPv6 prefix - DMR rule) and a set of basic MAP rules (BMRs). As a bordering node between the IPv6 and IPv4 realm, the BR performs stateless IPv4 and IPv6 translation based on MAP rules.

A MAP domain can be instantiated within a routing context by referencing an existing MAP domain template in the context.

Parameters

domain-name

Specifies the name of the MAP domain, up to 32 characters. The MAP domain name has local significance.

Platforms

VSR

map-domain

Syntax

map-domain domain-name

no map-domain domain-name

Context

[Tree] (config>service>vprn>nat>map map-domain)

[Tree] (config>router>nat>map map-domain)

Full Context

configure service vprn nat map map-domain

configure router nat map map-domain

Description

This command instantiates a MAP-T domain within a routing context, assuming that the MAP-T domain template is administratively enabled (no shutdown). When the MAP-T is instantiated, the forwarding for the MAP-T domain is enabled and its routes can be exported in routing protocols.

Multiple MAP-T domains can be instantiated within a routing context.

Interactions:

The referenced MAP domain is defined under the config>service>nat context.

Parameters

domain-name

Specifies the name of the MAP domain template, up to 32 characters.

Platforms

VSR

mapping-limit

mapping-limit

Syntax

mapping-limit limit

no mapping-limit

Context

[Tree] (config>service>upnp>upnp-policy mapping-limit)

Full Context

configure service upnp upnp-policy mapping-limit

Description

This command specifies the maximum number of UPnP mapping per subscriber.

The no form of the command reverts to the default.

Default

mapping-limit 256

Parameters

limit

Specifies the upper limit of the number of UPnP mappings per subscriber.

Values

1 to 256

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

mapping-rule

mapping-rule

Syntax

mapping-rule map-rule-name [create]

no mapping-rule map-rule-name

Context

[Tree] (config>service>nat>map-domain mapping-rule)

Full Context

configure service nat map-domain mapping-rule

Description

This command provides a CLI context for configuring MAP rules.

Parameters

map-rule-name

Specifies the name of the MAP rule; the name has a local significance.

Platforms

VSR

mapping-server

mapping-server

Syntax

[no] mapping-server

Context

[Tree] (config>router>isis>segment-routing mapping-server)

Full Context

configure router isis segment-routing mapping-server

Description

Commands in this context configures the Segment Routing mapping server feature in an IS-IS instance.

SR mapping server enables the configuration and advertisement, via IS-IS, of the node SID index for IS-IS prefixes of routers which are in the LDP domain. This is performed in the router acting as a mapping server, which uses a prefix-SID sub-TLV within the SID/Label binding TLV in IS-IS.

The no form of this command deletes all node SID entries in the IS-IS instance.

Platforms

All

mapping-server

Syntax

[no] mapping-server

Context

[Tree] (config>router>ospf>segm-rtng mapping-server)

Full Context

configure router ospf segment-routing mapping-server

Description

Commands in this context configure the Segment Routing mapping server feature in an OSPF instance.

The mapping server feature allows the configuration and advertisement in OSPF of the node SID index for OSPF prefixes of routers which are in the LDP domain. This is performed in the router acting as a mapping server and using a prefix-SID sub-TLV within the Extended Prefix Range TLV in OSPF.

The no form of this command deletes all node SID entries in the OSPF instance.

Platforms

All

maps-to

maps-to

Syntax

maps-to fc fc-name profile profile

Context

[Tree] (config>qos>post-policer-mapping>fc maps-to)

Full Context

configure qos post-policer-mapping fc maps-to

Description

This command remaps the forwarding class and profile state of an egress policed packet that is to be mapped to another forwarding class and profile, where the profile state is that of the resulting profile after the packet has been processed by the egress policer.

The new forwarding class is used to select the egress queue on which the post-policer traffic is placed. The new profile is used to determine the congestion control handling in that queue, specifically the drop tail or slope that is applied to the traffic.

The maps-to command parameters can be overwritten by reissuing the command with a different FC or profile.

The traffic remarking is based on the marking configured for the forwarding class and profile of the traffic after being policed but before it is remapped.

Parameters

fc-name

Specifies one of the eight forwarding classes supported by the system.

Values

be, l2, af, l1, h2, ef, h1, nc

profile

Specifies one of the egress packet profile states.

Values

exceed, in, inplus, out

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, 7950 XRS, VSR

mark

mark

Syntax

mark entity high percentage-high low percentage-low

no mark entity

Context

[Tree] (config>isa>wlan-gw-group>watermarks mark)

Full Context

configure isa wlan-gw-group watermarks mark

Description

This command enables a watermark notification. If the watermark is set, it generates a notification when the corresponding resource consumption goes above the high percentage. No additional notifications are sent until resource consumption goes under the low watermark, upon which, a notification is sent indicating the high watermark is no longer hit.

The no form of this command disables the watermark notification.

Parameters

entity

Specifies which watermark to set.

Values

user-equipment | bridge-domain | radius-proxy-client

percentage-high

Specifies the high watermark in percentage of total resources available.

Values

1 to 100

percentage-low

Specifies the low watermark in percentage of total resources available.

Values

0 to 99

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

mask

mask

Syntax

mask type ppp-match-type {[prefix-string prefix-string | prefix-length prefix-length] [suffix-string suffix-string | suffix-length suffix-length]}

no mask type ppp-match-type

mask type ipoe-match-type {[prefix-string prefix-string | prefix-length prefix-length] [suffix-string suffix-string | suffix-length suffix-length]}

no mask type ipoe-match-type

Context

[Tree] (config>subscr-mgmt>loc-user-db>ipoe mask)

[Tree] (config>subscr-mgmt>loc-user-db>ppp mask)

Full Context

configure subscriber-mgmt local-user-db ipoe mask

configure subscriber-mgmt local-user-db ppp mask

Description

This command configures a mask for the specified match type. The masking is applied on the parameter when performing an LUDB lookup to identify a host.

The no form of this command removes the mask from the configuration.

Parameters

ppp-match-type

Specifies the parameter on which the mask should be applied for an LUDB lookup to identify a PPP host.

Values

circuit-id, mac, remote-id, sap-id, service-name, username

ipoe-match-type

Specifies the parameter on which the mask should be applied for an LUDB lookup to identify an IPoE host.

Values

circuit-id, option60, remote-id, sap-id, string, system-id

prefix-string

Specifies a substring that is stripped of the start of the incoming parameter value before it is matched against the value configured in the LUDB host identification.

This string can only contain printable ASCII characters. The "*” character is a wildcard that matches any substring. If a "\" character is masked, use the escape key so it becomes "\\".

This command option is unsupported when the ppp-match-type equals mac.

Values

up to 127 characters, "*”

prefix-length

Specifies the number of characters to remove from the start of the incoming parameter value before it is matched against the value configured in the LUDB host identification.

When used with the mac parameter, it specifies the number of bits to remove from the start of the MAC address. For example, if the MAC address is 0a:0b:0c:0d:0e:0f, to obtain the last bit for matching purposes (match an odd or even MAC address), the prefix length is 47. The result in this example would be a binary number of 1 (0xf = 1111).

Values

1 to 127

suffix-string

Specifies a substring that is stripped of the end of the incoming parameter value before it is matched against the value configured in the LUDB host identification.

This string can only contain printable ASCII characters. The "*” character is a wildcard that matches any substring. If a "\" character is masked, use the escape key so it becomes "\\".

This command option is unsupported when the ppp-match-type equals mac.

Values

up to 127 characters

suffix-length

Specifies the number of characters to remove from the end of the incoming parameter value before it is matched against the value configured in the LUDB host identification.

When used with the mac command option, the number of bits to remove from the end of the MAC address is specified.

Values

1 to 127

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

mask

Syntax

mask mask-value [type {included | excluded}]

no mask

Context

[Tree] (config>system>security>snmp>view>view-name mask)

Full Context

configure system security snmp view view-name mask

Description

The mask value and the mask type, along with the oid-value configured in the view command, determines the access of each sub-identifier of an object identifier (MIB subtree) in the view.

Each bit in the mask corresponds to a sub-identifier position. For example, the most significant bit for the first sub-identifier, the next most significant bit for the second sub-identifier, and so on. If the bit position on the sub-identifier is available, it can be included or excluded.

For example, the MIB subtree that represents MIB-II is 1.3.6.1.2.1. The mask that catches all MIB-II would be 0xfc or 0b11111100.

Only a single mask may be configured per view and OID value combination. If more than one entry is configured, each subsequent entry overwrites the previous entry.

The no form of this command removes the mask from the configuration.

Parameters

mask-value

The mask value associated with the OID value determines whether the sub-identifiers are included or excluded from the view. (Default: all 1s)

The mask can be entered either:

  • In hex. For example, 0xfc.

  • In binary. For example, 0b11111100.

Note:

If the number of bits in the bit mask is less than the number of sub-identifiers in the MIB subtree, then the mask is extended with ones until the mask length matches the number of sub-identifiers in the MIB subtree.

type

Specifies to include or exclude MIB subtree objects.

Values

included - All MIB subtree objects that are identified with a 1 in the mask are available in the view.

excluded - All MIB subtree objects that are identified with a 1 in the mask are denied access in the view.

Default

included

mask-reply

mask-reply

Syntax

[no] mask-reply

Context

[Tree] (config>service>ies>if>icmp mask-reply)

[Tree] (config>service>vprn>if>icmp mask-reply)

[Tree] (config>service>ies>sub-if>grp-if mask-reply)

[Tree] (config>service>vprn>if mask-reply)

[Tree] (config>service>vprn>nw-if>icmp mask-reply)

Full Context

configure service ies interface icmp mask-reply

configure service vprn interface icmp mask-reply

configure service ies subscriber-interface group-interface mask-reply

configure service vprn interface mask-reply

configure service vprn network-interface icmp mask-reply

Description

This command enables responses to Internet Control Message Protocol (ICMP) mask requests on the router interface.

If a local node sends an ICMP mask request to the router interface, the mask-reply command configures the router interface to reply to the request.

By default, the router instance replies to mask requests.

The no form of this command disables replies to ICMP mask requests on the router interface.

Default

mask-reply — Specifies to reply to ICMP mask requests.

Platforms

All

  • configure service ies interface icmp mask-reply
  • configure service vprn network-interface icmp mask-reply
  • configure service vprn interface mask-reply
  • configure service vprn interface icmp mask-reply

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

  • configure service ies subscriber-interface group-interface mask-reply

mask-reply

Syntax

[no] mask-reply

Context

[Tree] (config>subscr-mgmt>git>ipv4>icmp mask-reply)

Full Context

configure subscriber-mgmt group-interface-template ipv4 icmp mask-reply

Description

This command enables responses to ICMP mask requests on the router interface. If a local node sends an ICMP mask request to the router interface, the router interface replies to the request.

By default, the router instance replies to mask requests.

The no form of this command disables replies to ICMP mask requests on the router interface.

Default

mask-reply

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

mask-reply

Syntax

[no] mask-reply

Context

[Tree] (config>router>if>icmp mask-reply)

Full Context

configure router interface icmp mask-reply

Description

This command enables responses to ICMP mask requests on the router interface.

If a local node sends an ICMP mask request to the router interface, the mask-reply command configures the router interface to reply to the request.

The no form of this command disables replies to ICMP mask requests on the router interface.

Default

mask-reply — Replies to ICMP mask requests.

Platforms

All

master-int-inherit

master-int-inherit

Syntax

[no] master-int-inherit

Context

[Tree] (config>service>ies>if>ipv6>vrrp master-int-inherit)

Full Context

configure service ies interface ipv6 vrrp master-int-inherit

Description

This command allows the master instance to dictate the master down timer (non-owner context only).

Default

no master-int-inherit

Platforms

All

master-int-inherit

Syntax

[no] master-int-inherit

Context

[Tree] (config>service>ies>if>vrrp master-int-inherit)

Full Context

configure service ies interface vrrp master-int-inherit

Description

This command allows the master instance to dictate the master down timer (non-owner context only).

Default

no master-int-inherit

Platforms

All

master-int-inherit

Syntax

[no] master-int-inherit

Context

[Tree] (config>service>vprn>if>vrrp master-int-inherit)

[Tree] (config>service>vprn>if>ipv6>vrrp master-int-inherit)

Full Context

configure service vprn interface vrrp master-int-inherit

configure service vprn interface ipv6 vrrp master-int-inherit

Description

This command allows the master instance to dictate the master down timer (non-owner context only).

Default

no master-int-inherit

Platforms

All

master-int-inherit

Syntax

[no] master-int-inherit

Context

[Tree] (config>router>if>ipv6>vrrp master-int-inherit)

[Tree] (config>router>if>vrrp master-int-inherit)

Full Context

configure router interface ipv6 vrrp master-int-inherit

configure router interface vrrp master-int-inherit

Description

This command enables the virtual router instance to inherit the master VRRP router’s advertisement interval timer which is used by backup routers to calculate the master down timer.

The master-int-inherit command is only available in the non-owner nodal context and is used to allow the current virtual router instance master to dictate the master down timer for all backup virtual routers. The master-int-inherit command has no effect when the virtual router instance is operating as master.

If master-int-inherit is not enabled, the locally configured message-interval must match the master’s VRRP advertisement message advertisement interval field value or the message is discarded.

The no form of the command restores the default operating condition which requires the locally configured message-interval to match the received VRRP advertisement message advertisement interval field value. The virtual router instance does not inherit the master VRRP router’s advertisement interval timer and uses the locally configured message interval.

Default

no master-int-inherit

Platforms

All

master-only

master-only

Syntax

master-only {true | false}

Context

[Tree] (config>system>ptp>port master-only)

Full Context

configure system ptp port master-only

Description

This command is used to restrict the local port to never enter the timeReceiver state. Use the command to ensure that the 7750 SR never draws synchronization from the attached external device.

This parameter is only effective when the profile is set to g8275dot1-2014 or g8275dot2-2016.

Note:

The ITU-T G.8275.1 (07/2014) recommendation used the term notSlave for this functionality; however, the IEEE has added this capability into the next edition of the 1588 standard using the term masterOnly. These are equivalent.

Default

master-only true

Parameters

true

Enables the master-only parameter of the PTP port.

false

Disables the master-only parameter of the PTP port.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

master-selection-mode

master-selection-mode

Syntax

master-selection-mode mode

Context

[Tree] (config>app-assure>aarp master-selection-mode)

Full Context

configure application-assurance aarp master-selection-mode

Description

This command configures the AARP mode of operation with the peer instance. The modes affect the AARP state machine behavior according to the desired behavior. Minimize-switchover will change AARP state based on Master ISA failure, and be non-revertive in that when the priority ISA returns a switch does not occur, which is optimal for AA flow identification. Inter-chassis efficiency mode considers both priority (revertive) and the endpoint status of the AARP instance and will switch activity in case of EP failure in order to avoid sending all the traffic over the ICL. The priority-based-balance mode will be revertive after a priority master returns to service, but excludes EP status. The master-selection-mode configuration must match on both peer AARP instances, or the AARP operational status will stay down.

Default

master-selection-mode minimize-switchovers

Parameters

mode

Specifies the AARP master selection mode.

Values

minimize-switchovers — Optimal AA flow detection continuity by minimizing AARP switchovers.

inter-chassis-efficiency — Minimizes inter-chassis traffic.

priority-based-balance — AA load balance between AARP peers based on configured priority.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

match

match

Syntax

match {circuit-id | mac | remote-id}

match option [number] [option6 [number]

match option6 [number]

no match

Context

[Tree] (config>subscr-mgmt>loc-user-db>ipoe>host>match-radprox-cache match)

Full Context

configure subscriber-mgmt local-user-db ipoe host match-radius-proxy-cache match

Description

This command specifies in what DHCPv6 option to retrieve the value to be used as lookup key in the RADIUS proxy cache.

The no form of this command reverts to the default.

Default

match mac

Parameters

circuit-id

Specifies to use the circuit Id to match against.

mac

Specifies the MAC address to match against.

remote-id

Specifies the remote ID to match against.

option number

Specifies the option number that the DHCP server uses to send the identification strings to the client.

Values

1 to 254

option6 number

Specifies the DHCPv6 option to retrieve the value to be used as lookup key in the RADIUS proxy cache.

Values

1 to 65535

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

match

Syntax

match

Context

[Tree] (config>app-assure>group>policy>chrg-fltr>entry match)

Full Context

configure application-assurance group policy charging-filter entry match

Description

Commands in this context configure the match criterion for a AA charging-filter entry.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

match

Syntax

match

Context

[Tree] (config>subscr-mgmt>isa-svc-chain>vas-filter>entry match)

Full Context

configure subscriber-mgmt isa-service-chaining vas-filter entry match

Description

Commands in this context configure the match criterion for a VAS filter entry.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

match

Syntax

match [next-header next-header]

no match

Context

[Tree] (config>subscr-mgmt>cat-map>category>exh-lvl>ingr-ipv6>entry match)

[Tree] (config>subscr-mgmt>cat-map>category>exh-lvl>egr-ipv6>entry match)

Full Context

configure subscriber-mgmt category-map category exhausted-credit-service-level ingress-ipv6-filter-entries entry match

configure subscriber-mgmt category-map category exhausted-credit-service-level egress-ipv6-filter-entries entry match

Description

This command configures the match criteria for this IP filter entry.

The no form of this command reverts to the default.

Parameters

next-header

protocol-number, protocol-name

protocol-number

Specifies the protocol number accepted in DBH for IPv6 filter entries.

Values

[0 to 255]D

[0x0 to 0xFF]H

[0b0 to 0b11111111]B

protocol-name

Specifies the protocol name accepted in DBH for IPv6 filter entries.

Values

none, icmp, igmp, ip, tcp, egp, igp, udp, rdp, ipv6, ipv6-route, ipv6-frag, idrp, rsvp, gre, ipv6-icmp, ipv6-no-nxt, ipv6-opts, iso-ip, eigrp, ospf-igp, ether-ip, encap, pnni, pim, vrrp, l2tp, stp, ptp, isis, crtp, crudp, sctp

* - udp/tcp wildcard

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

match

Syntax

match [protocol protocol-id]

no match

Context

[Tree] (config>subscr-mgmt>cat-map>category>exh-lvl>ingr-ip>entry match)

[Tree] (config>subscr-mgmt>cat-map>category>exh-lvl>egr-ip>entry match)

Full Context

configure subscriber-mgmt category-map category exhausted-credit-service-level ingress-ip-filter-entries entry match

configure subscriber-mgmt category-map category exhausted-credit-service-level egress-ip-filter-entries entry match

Description

This command configures the match criteria for this IP filter entry.

The no form of this command reverts to the default.

Parameters

protocol-id

Specifies the protocol ID or protocol name accepted in DHB.

Values

protocol-number — [0 to 255]D

[0x0 to 0xFF]H

[0b0 to 0b11111111]B

protocol-name — none, icmp, igmp, ip, tcp, egp, igp, udp, rdp, ipv6, ipv6-route, ipv6-frag, idrp, rsvp, gre, ipv6-icmp, ipv6-no-nxt, ipv6-opts, iso-ip, eigrp, ospf-igp, ether-ip, encap, pnni, pim, vrrp, l2tp, stp, ptp, isis, crtp, crudp, sctp

* - udp/tcp wildcard

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

match

Syntax

match protocol {any | icmp | tcp | udp | gre}

no match

Context

[Tree] (config>subscr-mgmt>isa-filter>ipv6>entry match)

Full Context

configure subscriber-mgmt isa-filter ipv6 entry match

Description

This command creates a match context for this entry. The protocol value specifies which Layer-4 protocol the packet should match.

The no form of this command removes the match context of this entry.

Default

match protocol any

Parameters

protocol

Specifies that the only supported match context is protocol.

any

Specifies to match any protocol.

icmp

Specifies to match ICMP packets in a v4 filter.

tcp

Specifies to match TCP packets.

udp

Specifies to match UDP packets.

gre

Specifies to match GRE over IP packets.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

match

Syntax

[no] match

Context

[Tree] (config>service>mrp>mrp-policy>entry match)

Full Context

configure service mrp mrp-policy entry match

Description

This command creates the context for entering/editing match criteria for the mrp-policy entry. When the match criteria have been satisfied the action associated with the match criteria is executed. In the current implementation just one match criteria (ISID based) is possible in the entry associated with the mrp-policy. Only one match statement can be entered per entry.

The no form of this command removes the match criteria for the entry-id.

Platforms

All

match

Syntax

match

Context

[Tree] (config>service>vprn>bgp>group>dynamic-neighbor match)

Full Context

configure service vprn bgp group dynamic-neighbor match

Description

This command configures match conditions for the dynamic neighbors.

Platforms

All

match

Syntax

[no] match

Context

[Tree] (config>service>vprn>log>filter>entry match)

Full Context

configure service vprn log filter entry match

Description

This command creates context to enter/edit match criteria for a filter entry. When the match criteria is satisfied, the action associated with the entry is executed.

If more than one match parameter (within one match statement) is specified, then all the criteria must be satisfied (AND functional) before the action associated with the match is executed.

Use the match command to display a list of the valid applications.

Match context can consist of multiple match parameters (application, event-number, severity, subject), but multiple match statements cannot be entered per entry.

The no form of this command removes the match criteria for the entry-id.

Default

no match

Platforms

All

match

Syntax

match

Context

[Tree] (config>app-assure>group>policy>aqp>entry match)

Full Context

configure application-assurance group policy app-qos-policy entry match

Description

Commands in this context configure flow match rules for this AQP entry. A flow matches this AQP entry only if it matches all the match rules defined (logical and of all rules). If no match rule is specified, the entry will match all flows.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

match

Syntax

match

Context

[Tree] (config>app-assure>group>sess-fltr>entry match)

Full Context

configure application-assurance group session-filter entry match

Description

Commands in this context configure session conditions for this entry.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

match

Syntax

match

Context

[Tree] (config>app-assure>group>transit-prefix-policy>entry match)

Full Context

configure application-assurance group transit-prefix-policy entry match

Description

Commands in this context configure transit prefix policy entry match criteria.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

match

Syntax

[no] match

Context

[Tree] (debug>app-assure>group>traffic-capture match)

Full Context

debug application-assurance group traffic-capture match

Description

This command configures debugging for traffic match criteria.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

match

Syntax

match protocol ip-protocol

no match

Context

[Tree] (config>service>nat>nat-classifier>entry match)

Full Context

configure service nat nat-classifier entry match

Description

This command configures an IP protocol to be used as a nat-classifier match criterion. When the match criteria have been satisfied the action associated with the match criteria is executed.

The no form of the command removes the match criteria for the entry-id.

Default

match protocol udp

Parameters

protocol ip-protocol

Specifies the text value representing the IP protocol to be used as a match criterion.

Values

udp, tcp

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

match

Syntax

match [frame-type frame-type]

no match

Context

[Tree] (config>li>li-filter>li-mac-filter>entry match)

Full Context

configure li li-filter li-mac-filter entry match

Description

Commands in this context configure match criteria for the filter entry and specifies an Ethernet frame type for the entry.

If more than one match criteria (within one match statement) are configured then all criteria must be satisfied (and function) for a match to occur.

A match context may consist of multiple match criteria, but multiple match statements cannot be entered per entry.

The no form of this command removes the match criteria for the entry.

Parameters

frame-type

Filters can continue to be edited by all users even when an li-source references an entry in that filter.

Values

802dot3, 802dot2-llc, 802dot2-snap, ethernet_II

Default

802dot3

Platforms

All

match

Syntax

match [protocol protocol-id]

no match

Context

[Tree] (config>li>li-filter>li-ip-filter>entry match)

Full Context

configure li li-filter li-ip-filter entry match

Description

This command enables context to enter match criteria for LI IPv4 filter and optionally allows specifying protocol value to match on.

If more than one match criterion are configured then all criteria must be satisfied for a match to occur (logical "AND”). Multiple criteria must be configured within a single match context for a given entry.

The no form of this command removes the match criteria for the entry.

Parameters

protocol-id

Configures the decimal value representing the IP protocol to be used as an IP filter match criterion. Well known protocol numbers include ICMP(1), TCP(6), UDP(17).

Values

0 to 255 (values can be expressed in decimal, hexadecimal, or binary - DHB)

Keywords for the 7750 SR:

none, crtp, crudp, egp, eigrp, encap, ether-ip, gre, icmp, idrp, igmp, igp, ip, ipv6, ipv6-frag, ipv6-icmp, ipv6-no-nxt, ipv6-opts, ipv6-route, isis, iso-ip, l2tp, ospf-igp, pim, pnni, ptp, rdp, rsvp, stp, tcp, udp, vrrp

Keywords for the 7450 ESS:

none, crtp, crudp, egp, eigrp, encap, ether-ip, gre, icmp, idrp, igmp, igp, ip, isis, iso-ip, l2tp, ospf-igp, pim, pnni, ptp, rdp, rsvp, stp, tcp, udp, vrrp

* — udp/tcp wildcard

Protocol

Protocol ID

Description

icmp

1

Internet Control Message

igmp

2

Internet Group Management

ip

4

IP in IP (encapsulation)

tcp

6

Transmission Control

egp

8

Exterior Gateway Protocol

igp

9

Any private interior gateway (used by Cisco for IGRP)

udp

17

User Datagram

rdp

27

Reliable Data Protocol

ipv6

41

IPv6

ipv6-route

43

Routing Header for IPv6

ipv6-frag

44

Fragment Header for IPv6

idrp

45

Inter-Domain Routing Protocol

rsvp

46

Reservation Protocol

gre

47

General Routing Encapsulation

ipv6-icmp

58

ICMP for IPv6

ipv6-no-nxt

59

No Next Header for IPv6

ipv6-opts

60

Destination Options for IPv6

iso-ip

80

ISO Internet Protocol

eigrp

88

EIGRP

ospf-igp

89

OSPFIGP

ether-ip

97

Ethernet-within-IP Encapsulation

encap

98

Encapsulation Header

pnni

102

PNNI over IP

pim

103

Protocol Independent Multicast

vrrp

112

Virtual Router Redundancy Protocol

l2tp

115

Layer Two Tunneling Protocol

stp

118

Spanning Tree Protocol

ptp

123

Performance Transparency Protocol

isis

124

ISIS over IPv4

crtp

126

Combat Radio Transport Protocol

crudp

127

Combat Radio User Datagram

Platforms

All

match

Syntax

match [next-header next-header]

no match

Context

[Tree] (config>li>li-filter>li-ipv6-filter>entry match)

Full Context

configure li li-filter li-ipv6-filter entry match

Description

Commands in this context enter match criteria for an LI IPv6 filter and optionally allows specification IPv6 next-header value to match on.

If more than one match criterion are configured, then all criteria must be satisfied for a match to occur (logical "AND”). Multiple criteria must be configured within a single match context for a given entry.

The no form removes the match criteria for the entry.

Parameters

next-header

protocol-number, protocol-name

Specifies the IPv6 next header to match. This parameter is analogous to the protocol parameter used in IP filter match criteria.

protocol-number

Specifies the protocol number value to be configured as a match criterion.

Values

[0 to 255]D

[0x0 to 0xFF]H

[0b0 to 0b11111111]B

protocol-name

Specifies the protocol name to be configured as a match criterion.

Values

none, icmp, igmp, ip, tcp, egp, igp, udp, rdp, ipv6, ipv6-route, ipv6-frag, idrp, rsvp, gre, ipv6-icmp, ipv6-no-nxt, ipv6-opts, iso-ip, eigrp, ospf-igp, ether-ip, encap, pnni, pim, vrrp, l2tp, stp, ptp, isis, crtp, crudp, sctp

* - udp/tcp wildcard

Platforms

All

match

Syntax

match [protocol protocol-id]

no match

Context

[Tree] (config>qos>sap-ingress>ip-criteria>entry match)

[Tree] (config>qos>sap-egress>ip-criteria>entry match)

Full Context

configure qos sap-ingress ip-criteria entry match

configure qos sap-egress ip-criteria entry match

Description

This command creates a context to configure match criteria for SAP QoS policy match criteria. When the match criteria have been satisfied, the action associated with the match criteria is executed.

If more than one match criteria (within one match statement) are configured, all criteria must be satisfied (AND function) before the action associated with the match is executed.

A match context can consist of multiple match criteria, but multiple match statements cannot be entered per entry.

It is possible that a SAP policy includes the dscp map command, the dot1p map command, and an IP match criteria. When multiple matches occur for the traffic, the order of precedence is used to arrive at the final action. The order of precedence is as follows:

  1. 802.1p bits

  2. DSCP

  3. IP quintuple or MAC headers

The no form of this command removes the match criteria for the entry-id.

Parameters

protocol protocol-id

Specifies an IP protocol to be used as a SAP QoS policy match criterion.

The protocol type such as TCP / UDP / OSPF is identified by its respective protocol number. Well-known protocol numbers include ICMP(1), TCP(6), UDP(17)

IP Protocol Names lists the IP protocols and their respective IDs and descriptions.

Values

The following values apply to the 7750 SR and 7950 XRS:

protocol-id: 0 to 255 protocol numbers accepted in decimal, hexadecimal, or binary

keywords: none, crtp, crudp, egp, eigrp, encap, ether-ip, gre, icmp, idrp, igmp, igp, ip, ipv6, ipv6-frag, ipv6-icmp, ipv6-no-nxt, ipv6-opts, ipv6-route, isis, iso-ip, l2tp, ospf-igp, pim, pnni, ptp, rdp, rsvp, stp, tcp, udp, vrrp

Values

The following values apply to the 7450 ESS:

keywords: none, crtp, crudp, egp, eigrp, encap, ether-ip, gre, icmp, idrp, igmp, igp, ip, ipv6, ipv6-frag, ipv6-icmp, ipv6-no-nxt, ipv6-opts, ipv6-route, isis, iso-ip, l2tp, ospf-igp, pim, pnni, ptp, rdp, rsvp, stp, tcp, udp, vrrp

* — udp/tcp wildcard

Table 2. IP Protocol Names

Protocol

Protocol ID

Description

icmp

1

Internet Control Message

igmp

2

Internet Group Management

ip

4

IP in IP (encapsulation)

tcp

6

Transmission Control

egp

8

Exterior Gateway Protocol

igp

9

Any private interior gateway (used by Cisco for their IGRP)

udp

17

User Datagram

rdp

27

Reliable Data Protocol

ipv6

41

IPv6

ipv6-route

43

Routing Header for IPv6

ipv6-frag

44

Fragment Header for IPv6

idrp

45

Inter-Domain Routing Protocol

rsvp

46

Reservation Protocol

gre

47

General Routing Encapsulation

ipv6-icmp

58

ICMP for IPv6

ipv6-no-nxt

59

No Next Header for IPv6

ipv6-opts

60

Destination Options for IPv6

iso-ip

80

ISO Internet Protocol

eigrp

88

EIGRP

ospf-igp

89

OSPFIGP

ether-ip

97

Ethernet-within-IP Encapsulation

encap

98

Encapsulation Header

pnni

102

PNNI over IP

pim

103

Protocol Independent Multicast

vrrp

112

Virtual Router Redundancy Protocol

l2tp

115

Layer Two Tunneling Protocol

stp

118

Schedule Transfer Protocol

ptp

123

Performance Transparency Protocol

isis

124

ISIS over IPv4

crtp

126

Combat Radio Transport Protocol

crudp

127

Combat Radio User Datagram

Platforms

All

match

Syntax

match [next-header next-header]

no match

Context

[Tree] (config>qos>sap-ingress>ipv6-criteria>entry match)

[Tree] (config>qos>sap-egress>ipv6-criteria>entry match)

Full Context

configure qos sap-ingress ipv6-criteria entry match

configure qos sap-egress ipv6-criteria entry match

Description

This command creates a context to configure match criteria for ingress SAP QoS policy match IPv6 criteria. When the match criteria have been satisfied, the action associated with the match criteria is executed.

If more than one match criteria (within one match statement) are configured, all criteria must be satisfied (logical AND) before the action associated with the match is executed.

A match context can consist of multiple match criteria, but multiple match statements cannot be created per entry.

A SAP ingress policy may include the dscp map command, the dot1p map command, and an IPv6 match criteria. When multiple matches occur for the traffic, the following order of precedence is used to arrive at the final action.

  1. 802.1p bits

  2. DSCP

  3. IP quintuple or MAC headers

The no form of this command removes the match criteria for the entry-id.

Parameters

next-header

protocol-number, protocol-name

Specifies the IPv6 next header to match.

On the 7750 SR and 7950 XRS, the protocol type such as TCP, UDP, or OSPF is identified by its respective protocol number. Well-known protocol numbers include ICMP(1), TCP(6) and UDP(17).

protocol-number

Specifies the protocol number value to be configured as a match criterion.

Values

[0 to 255]D

[0x0 to 0xFF]H

[0b0 to 0b11111111]B

protocol-name

Specifies the protocol name to be configured as a match criterion.

Values

none, icmp, igmp, ip, tcp, egp, igp, udp, rdp, ipv6, ipv6-route, ipv6-frag, idrp, rsvp, gre, ipv6-icmp, ipv6-no-nxt, ipv6-opts, iso-ip, eigrp, ospf-igp, ether-ip, encap, pnni, pim, vrrp, l2tp, stp, ptp, isis, crtp, crudp, sctp

* - udp/tcp wildcard

Platforms

All

match

Syntax

match [frame-type {802dot3 | 802dot2-llc | 802dot2-snap | ethernet-II | atm}]

no match

Context

[Tree] (config>qos>sap-ingress>mac-criteria>entry match)

Full Context

configure qos sap-ingress mac-criteria entry match

Description

This command creates a context for entering/editing match MAC criteria for ingress SAP QoS policy match criteria. When the match criteria have been satisfied, the action associated with the match criteria is executed.

If more than one match criteria (within one match statement) are configured, all criteria must be satisfied (AND function) before the action associated with the match will be executed.

A match context can consist of multiple match criteria, but multiple match statements cannot be entered per entry.

The no form of this command removes the match criteria for the entry-id.

Parameters

frame-type

The frame-type keyword configures an Ethernet frame type or an ATM frame type to be used for the MAC filter match criteria.

Values

802dot3, 802dot2-llc, 802dot2-snap, ethernet_II, atm

Default

802dot3

802dot3

Specifies the frame type is Ethernet IEEE 802.3.

802dot2-llc

Specifies the frame type is Ethernet IEEE 802.2 LLC.

802dot2-snap

Specifies the frame type is Ethernet IEEE 802.2 SNAP.

ethernet-II

Specifies the frame type is Ethernet Type II.

atm

Specifies the frame type as ATM cell. The user is not allowed to configure entries with frame type of atm and a frame type of other supported values in the same QoS policy. This parameter applies only to the 7750 SR and 7950 XRS.

Platforms

All

match

Syntax

match [protocol protocol-id]

no match

Context

[Tree] (config>qos>network>egress>ip-criteria>entry match)

[Tree] (config>qos>network>ingress>ip-criteria>entry match)

Full Context

configure qos network egress ip-criteria entry match

configure qos network ingress ip-criteria entry match

Description

This command creates a context to configure match criteria for a network QoS policy. When the match criteria have been satisfied, the action associated with it is executed.

If more than one match criteria (within one match statement) are configured, then all criteria must be satisfied before the associated action with the match is executed.

A match context can consist of multiple match criteria, but multiple match statements cannot be entered per entry.

A network QoS policy can include the DSCP map command, the dot1p map command (ingress only), the prec map command (egress only), and an IP match criteria. When multiple matches occur for the traffic, the order of precedence is used to arrive at the final action. The order of precedence is as follows:

  • 802.1p bits (ingress only)

  • DSCP

  • prec (egress only)

  • IP quintuple

The no form of this command removes the match criteria for the entry identifier.

Parameters

protocol protocol-id

Specifies an IP protocol to be used as an ingress or egress network QoS policy match criterion.

The protocol type is identified by its respective protocol number. Well-known protocol numbers include ICMP(1), TCP(6), and UDP(17).

Values

protocol-id: 0 to 255 protocol numbers accepted in decimal, hexadecimal, or binary

keywords: none, crtp, crudp, egp, eigrp, encap, ether-ip, gre, icmp, idrp, igmp, igp, ip, ipv6, ipv6-frag, ipv6-icmp, ipv6-no-nxt, ipv6-opts, ipv6-route, isis, iso-ip, l2tp, ospf-igp, pim, pnni, ptp, rdp, rsvp, stp, tcp, udp, vrrp

* — udp/tcp wildcard

Protocol ID Descriptions lists the protocols and their protocol IDs and descriptions.

Table 3. Protocol ID Descriptions

Protocol

Protocol ID

Description

icmp

1

Internet Control Message

igmp

2

Internet Group Management

ip

4

IP in IP (encapsulation)

tcp

6

Transmission Control

egp

8

Exterior Gateway Protocol

igp

9

Any private interior gateway (used by Cisco for their IGRP)

udp

17

User Datagram

rdp

27

Reliable Data Protocol

ipv6

41

IPv6

ipv6-route

43

Routing Header for IPv6

ipv6-frag

44

Fragment Header for IPv6

idrp

45

Inter-Domain Routing Protocol

rsvp

46

Reservation Protocol

gre

47

General Routing Encapsulation

ipv6-icmp

58

ICMP for IPv6

ipv6-no-nxt

59

No Next Header for IPv6

ipv6-opts

60

Destination Options for IPv6

iso-ip

80

ISO Internet Protocol

eigrp

88

EIGRP

ospf-igp

89

OSPFIGP

ether-ip

97

Ethernet-within-IP Encapsulation

encap

98

Encapsulation Header

pnni

102

PNNI over IP

pim

103

Protocol Independent Multicast

vrrp

112

Virtual Router Redundancy Protocol

l2tp

115

Layer Two Tunneling Protocol

stp

118

Schedule Transfer Protocol

ptp

123

Performance Transparency Protocol

isis

124

ISIS over IPv4

crtp

126

Combat Radio Transport Protocol

crudp

127

Combat Radio User Datagram

Platforms

All

match

Syntax

match [next-header next-header]

no match

Context

[Tree] (config>qos>network>ingress>ipv6-criteria>entry match)

[Tree] (config>qos>network>egress>ipv6-criteria>entry match)

Full Context

configure qos network ingress ipv6-criteria entry match

configure qos network egress ipv6-criteria entry match

Description

This command creates a context to configure match criteria for a network QoS policy match IPv6 criteria. When the match criteria have been satisfied, the action associated with the match criteria is executed.

If more than one match criteria (within one match statement) are configured, all criteria must be satisfied (logical AND) before the action associated with the match is executed.

A match context can consist of multiple match criteria, but multiple match statements cannot be created per entry.

A network policy can include the DSCP map command, the dot1p map command (ingress only), the prec map command (egress only), and an IPv6 match criteria. When multiple matches occur for the traffic, the following order of precedence is used to arrive at the final action.

  • 802.1p bits (ingress only)

  • DSCP

  • prec (egress only)

  • IP quintuple

The no form of this command removes the match criteria for the entry identifier.

Parameters

next-header

protocol-number, protocol-name

Specifies the next header to match.

The protocol type is identified by its respective protocol number. Well-known protocol numbers include ICMP(1), TCP(6), and UDP(17).

protocol-number

Specifies the protocol number value to be configured as a match criterion.

Values

[0 to 255]D

[0x0 to 0xFF]H

[0b0 to 0b11111111]B

protocol-name

Specifies the protocol name to be configured as a match criterion.

Values

none, icmp, igmp, ip, tcp, egp, igp, udp, rdp, ipv6, ipv6-route, ipv6-frag, idrp, rsvp, gre, ipv6-icmp, ipv6-no-nxt, ipv6-opts, iso-ip, eigrp, ospf-igp, ether-ip, encap, pnni, pim, vrrp, l2tp, stp, ptp, isis, crtp, crudp, sctp

* - udp/tcp wildcard

Platforms

All

match

Syntax

match field-value instance instance-id

no match field-value

Context

[Tree] (config>qos>queue-group-redirect-list match)

Full Context

configure qos queue-group-redirect-list match

Description

This command configures the value of the field in the ingress or egress packet which, when matched, will cause the packet to be redirected to the specified queue group instance. The field-value is dependent on the setting of the type and therefore must be a valid VXLAN VNI.

A maximum of 16 match statements are supported in a queue group redirect list.

The no form of this command removes the match statement from the redirect list.

Parameters

field-value

Specifies the value of the field in the ingress or egress packet which, when matched, will cause the packet to be redirected to the specified queue group instance. Because the only permitted type is vxlan-vni, the field must be a valid VXLAN VNI. The VNI can be specified in any of the available formats but is always shown in decimal.

Values

1 to 16777215 (Decimal)

0x1 to 0xFFFFFF (Hexadecimal)

0b1 to 0b111111111111111111111111 (Binary)

instance-id

Specifies the instance of the queue group template to which the VXLAN traffic is redirected. The traffic can be redirected to the default instance, which is the instance specified with the QoS policy under the SAP ingress or egress.

Values

1 to 65535

Platforms

All

match

Syntax

match [protocol protocol-id]

match protocol none

no match

Context

[Tree] (config>filter>ip-exception>entry match)

Full Context

configure filter ip-exception entry match

Description

Commands in this context enter match criteria for the filter entry. When the match criteria have been satisfied the action associated with the match criteria is executed.

A match context may consist of multiple match criteria, but multiple match statements cannot be entered per entry. More precisely, the command can be entered multiple times but this only results in modifying the protocol-id. and does not affect the underlying match criteria configuration.

The no form of the command removes all the match criteria from the filter entry and sets the protocol-id of the match command to none (keyword). As per above, match protocol none is however not equivalent to no match.

Default

match protocol none

Parameters

protocol-id

Sets an IP protocol to be used as an IP filter match criterion. The protocol type, such as TCP or UDP, is identified by its respective protocol number.

Values

protocol-number: [0..255]D

[0x0..0xFF]H

[0b0..0b11111111]B

protocol-name:0 to 255 in decimal format. Values can also be specified in hexadecimal format, in binary format, or using the following keywords:

IPv4 filter keywords: none (default), icmp, igmp, ip, tcp, egp, igp, udp, rdp, ipv6, ipv6-route, ipv6-frag, idrp, rsvp, gre, ipv6-icmp, ipv6-no-nxt, ipv6-opts, iso-ip, eigrp, ospf-igp, ether-ip, encap, pnni, pim, vrrp, l2tp, stp, ptp, isis, crtp, crudp, sctp

IP exception filter keywords: none, icmp, igmp, ospf-igp, pim, rsvp, tcp, udp, vrrp

* — udp/tcp wildcard

Table 4. Protocol ID Descriptions

Protocol

Protocol ID

Description

icmp

1

Internet Control Message

igmp

2

Internet Group Management

ip

4

IP in IP (encapsulation)

tcp

6

Transmission Control

egp

8

Exterior Gateway Protocol

igp

9

Any private interior gateway (used by Cisco for IGRP)

udp

17

User Datagram

rdp

27

Reliable Data Protocol

ipv6

41

IPv6

ipv6-route

43

Routing Header for IPv6

ipv6-frag

44

Fragment Header for IPv6

idrp

45

Inter-Domain Routing Protocol

rsvp

46

Reservation Protocol

gre

47

General Routing Encapsulation

ipv6-icmp

58

ICMP for IPv6

ipv6-no-nxt

59

No Next Header for IPv6

ipv6-opts

60

Destination Options for IPv6

iso-ip

80

ISO Internet Protocol

eigrp

88

EIGRP

ospf-igp

89

OSPFIGP

ether-ip

97

Ethernet-within-IP Encapsulation

encap

98

Encapsulation Header

pnni

102

PNNI over IP

pim

103

Protocol Independent Multicast

vrrp

112

Virtual Router Redundancy Protocol

l2tp

115

Layer Two Tunneling Protocol

stp

118

Spanning Tree Protocol

ptp

123

Performance Transparency Protocol

isis

124

ISIS over IPv4

crtp

126

Combat Radio Transport Protocol

crudp

127

Combat Radio User Datagram

sctp

132

Stream Control Transmission Protocol

Platforms

VSR

match

Syntax

match [{protocol protocol-id | protocol-list protocol-list-name}]

match protocol none

no match

Context

[Tree] (config>filter>ip-filter>entry match)

Full Context

configure filter ip-filter entry match

Description

Commands in this context enter match criteria for the filter entry. When the match criteria have been satisfied, the action associated with the match criteria is executed.

A match context may consist of multiple match criteria, but multiple match statements cannot be created per entry. More precisely, the protocol command can be entered multiple times but this only results in modifying the protocol-id. Matching on more than one protocol can be achieved using the protocol-list match criteria in an IP filter policy.

The no form of the command removes all the match criteria from the filter entry and sets the protocol-id of the match command to none. However, match protocol none is not equivalent to no match.

Default

match protocol none

Parameters

protocol-id

protocol-number | protocol-name

protocol-number

Specifies the protocol number value to be configured as a match criterion. The value can be expressed as a decimal integer, or in hexadecimal or binary format.

Values

[0..255]D, [0x0..0xFF]H, [0b0..0b11111111]B

protocol-name

Specifies the protocol name to be configured as a match criterion.

Values

IPv4 filter keywords: none (default), icmp, igmp, ip, tcp, egp, igp, udp, rdp, ipv6, ipv6-route, ipv6-frag, idrp, rsvp, gre, ipv6-icmp, ipv6-no-nxt, ipv6-opts, iso-ip, eigrp, ospf-igp, ether-ip, encap, pnni, pim, vrrp, l2tp, stp, ptp, isis, crtp, crudp, sctp

* — udp/tcp

Table 5. Protocol ID Descriptions

Protocol

Protocol ID

Description

icmp

1

Internet Control Message

igmp

2

Internet Group Management

ip

4

IP in IP (encapsulation)

tcp

6

Transmission Control

egp

8

Exterior Gateway Protocol

igp

9

Any private interior gateway (used by Cisco for IGRP)

udp

17

User Datagram

rdp

27

Reliable Data Protocol

ipv6

41

IPv6

ipv6-route

43

Routing Header for IPv6

ipv6-frag

44

Fragment Header for IPv6

idrp

45

Inter-Domain Routing Protocol

rsvp

46

Reservation Protocol

gre

47

General Routing Encapsulation

ipv6-icmp

58

ICMP for IPv6

ipv6-no-nxt

59

No Next Header for IPv6

ipv6-opts

60

Destination Options for IPv6

iso-ip

80

ISO Internet Protocol

eigrp

88

EIGRP

ospf-igp

89

OSPFIGP

ether-ip

97

Ethernet-within-IP Encapsulation

encap

98

Encapsulation Header

pnni

102

PNNI over IP

pim

103

Protocol Independent Multicast

vrrp

112

Virtual Router Redundancy Protocol

l2tp

115

Layer Two Tunneling Protocol

stp

118

Spanning Tree Protocol

ptp

123

Performance Transparency Protocol

isis

124

ISIS over IPv4

crtp

126

Combat Radio Transport Protocol

crudp

127

Combat Radio User Datagram

sctp

132

Stream Control Transmission Protocol

protocol-list-name

Specifies the name of the protocol list, up to 32 characters.

Platforms

All

match

Syntax

match [next-header next-header]

no match

Context

[Tree] (config>filter>ipv6-exception>entry match)

Full Context

configure filter ipv6-exception entry match

Description

Commands in this context enter match criteria for the IPv6 filter exception. When the match criteria have been satisfied, the action associated with the match criteria is executed.

The no form of the command removes all the match criteria from the IPv6 filter exception.

Parameters

next-header

protocol-number, protocol-name

Specifies the next header to match.

protocol-number

Specifies the protocol number value to be configured as a match criterion.

Values

[0 to 255]D

[0x0 to 0xFF]H

[0b0 to 0b11111111]B

protocol-name

Specifies the protocol name to be configured as a match criterion.

Values

none, icmp, igmp, ip, tcp, egp, igp, udp, rdp, ipv6, ipv6-route, ipv6-frag, idrp, rsvp, gre, ipv6-icmp, ipv6-no-nxt, ipv6-opts, iso-ip, eigrp, ospf-igp, ether-ip, encap, pnni, pim, vrrp, l2tp, stp, ptp, isis, crtp, crudp, sctp

* - udp/tcp wildcard

Platforms

VSR

match

Syntax

match [{next-header protocol-id | next-header-list protocol-list-name}]

match next-header none

no match

Context

[Tree] (config>filter>ipv6-filter>entry match)

Full Context

configure filter ipv6-filter entry match

Description

Commands in this context enter match criteria for the filter entry. When the match criteria have been satisfied, the action associated with the match criteria is executed.

A match context may consist of multiple match criteria, but multiple match statements cannot be created per entry. More precisely, the next-header command can be entered multiple times, but this only results in modifying the protocol-id. Matching on more than one protocol can be achieved using the next-header-list match criteria.

The no form of the command removes all the match criteria from the filter entry and sets the protocol-id of the match command to none. However, match next-header none is not equivalent to no match.

Default

match next-header none

Parameters

next-header

protocol-number, protocol-name

Specifies the IPv6 next header to match. This parameter is analogous to the protocol parameter used in IPv4 filter match command.

protocol-number

Specifies the protocol number value to be configured as a match criterion.

Values

[0 to 255]D

[0x0 to 0xFF]H

[0b0 to 0b11111111]B

protocol-name

Specifies the protocol name to be configured as a match criterion.

Values

none, icmp, igmp, ip, tcp, egp, igp, udp, rdp, ipv6, ipv6-route, ipv6-frag, idrp, rsvp, gre, ipv6-icmp, ipv6-no-nxt, ipv6-opts, iso-ip, eigrp, ospf-igp, ether-ip, encap, pnni, pim, vrrp, l2tp, stp, ptp, isis, crtp, crudp, sctp

* - udp/tcp wildcard

protocol-list-name

Specifies the name of the protocol list, up to 32 characters.

Platforms

All

match

Syntax

match [frame-type {802dot3 | 802dot2-llc | 802dot2-snap | ethernet_II}]

no match

Context

[Tree] (config>filter>mac-filter>entry match)

Full Context

configure filter mac-filter entry match

Description

This command creates the context for entering/editing match criteria for the filter entry and specifies an Ethernet frame type for the entry.

A match context may consist of multiple match criteria, but multiple match statements cannot be entered per entry.

The no form of the command removes the match criteria for the entry-id.

Parameters

frame-type

Keyword used to configure an Ethernet frame type to be used for the MAC filter match criteria.

Default

802dot3

Values

802dot3, 802dot2-llc, 802dot2-snap, ethernet_II

802dot3

Specifies the frame type is Ethernet IEEE 802.3.

802dot2-llc

Specifies the frame type is Ethernet IEEE 802.2 LLC.

802dot2-snap

Specifies the frame type is Ethernet IEEE 802.2 SNAP.

ethernet_II

Specifies the frame type is Ethernet Type II.

Platforms

All

match

Syntax

[no] match

Context

[Tree] (config>log>filter>filter-id>entry match)

Full Context

configure log filter filter-id entry match

Description

This command creates context to enter/edit match criteria for a filter entry. When the match criteria is satisfied, the action associated with the entry is executed.

If more than one match parameter (within one match statement) is specified, then all the criteria must be satisfied (AND functional) before the action associated with the match is executed.

Use the application command to display a list of the valid applications.

Match context can consist of multiple match parameters (application, event-number, severity, subject), but multiple match statements cannot be entered per entry.

The no form of this command removes the match criteria for the entry-id.

match

Syntax

match [frame-type frame-type]

no match

Context

[Tree] (config>system>security>mgmt-access-filter>mac-filter>entry match)

Full Context

configure system security management-access-filter mac-filter entry match

Description

This command configures math criteria for this MAC filter entry.

Parameters

frame-type

Specifies the type of MAC frame to use as match criteria.

Values

802dot3 | 802dot2-llc | 802dot2-snap | 802dot1ag | ethernet_II

Default

802dot3

Platforms

All

match

Syntax

match [protocol protocol-id]

no match

Context

[Tree] (cfg>sys>sec>cpm>ip-filter>entry match)

Full Context

configure system security cpm-filter ip-filter entry match

Description

Commands in this context enter match criteria for the filter entry. When the match criteria have been satisfied the action associated with the match criteria is executed. If more than one match criteria (within one match statement) are configured then all criteria must be satisfied (AND function) before the action associated with the match is executed.

A match context may consist of multiple match criteria, but multiple match statements cannot be entered per entry.

The no form of this command removes the match criteria for the entry-id.

Parameters

protocol

Sets an IP protocol to be used as an IP filter match criterion. The protocol type such as TCP or UDP is identified by its respective protocol number.

protocol-id

Sets the decimal value representing the IP protocol to be used as an IP filter match criterion. Well known protocol numbers include ICMP(1), TCP(6), UDP(17). The no form the command removes the protocol from the match criteria.

Values

1 to 255 (values can be expressed in decimal, hexadecimal, or binary) keywords - none, crtp, crudp, egp, eigrp, encap, ether-ip, gre, icmp, idrp, igmp, igp, ip, ipv6, ipv6-frag, ipv6-icmp, ipv6-no-nxt, ipv6-opts, ipv6-route, isis, iso-ip, l2tp, ospf-igp, pnni, ptp, rdp, rsvp, stp, tcp, udp, vrrp, * — udp/tcp wildcard

Table 6. IP Protocol Names

Protocol

Protocol ID

Description

icmp

1

Internet Control Message

igmp

2

Internet Group Management

ip

4

IP in IP (encapsulation)

tcp

6

Transmission Control

egp

8

Exterior Gateway Protocol

igp

9

any private interior gateway (used by Cisco for their IGRP)

udp

17

User Datagram

rdp

27

Reliable Data Protocol

ipv6

41

IPv6

ipv6-route

43

Routing Header for IPv6

ipv6-frag

44

Fragment Header for IPv6

idrp

45

Inter-Domain Routing Protocol

rsvp

46

Reservation Protocol

gre

47

General Routing Encapsulation

ipv6-icmp

58

ICMP for IPv6

ipv6-no-nxt

59

No Next Header for IPv6

ipv6-opts

60

Destination Options for IPv6

iso-ip

80

ISO Internet Protocol

eigrp

88

EIGRP

ospf-igp

89

OSPFIGP

ether-ip

97

Ethernet-within-IP Encapsulation

encap

98

Encapsulation Header

pnni

102

PNNI over IP

pim

103

Protocol Independent Multicast

vrrp

112

Virtual Router Redundancy Protocol

l2tp

115

Layer Two Tunneling Protocol

stp

118

Spanning Tree Protocol

ptp

123

Performance Transparency Protocol

isis

124

ISIS over IPv4

crtp

126

Combat Radio Transport Protocol

crudp

127

Combat Radio User Datagram

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

match

Syntax

match [next-header next-header]

no match

Context

[Tree] (cfg>sys>sec>cpm>ipv6-filter>entry match)

Full Context

configure system security cpm-filter ipv6-filter entry match

Description

This command specifies match criteria for the IP filter entry.

The no form of this command removes the match criteria for the entry-id.

Parameters

next-header

protocol-number, protocol-name

Specifies the next header to match.

The protocol type such as TCP, UDP or OSPF is identified by its respective protocol number. Well-known protocol numbers include ICMP(1), TCP(6) and UDP(17).

protocol-number

Specifies the protocol number value to be configured as a match criterion.

Values

[0 to 255]D

[0x0 to 0xFF]H

[0b0 to 0b11111111]B

protocol-name

Specifies the protocol name to be configured as a match criterion.

Values

none, icmp, igmp, ip, tcp, egp, igp, udp, rdp, ipv6, ipv6-route, ipv6-frag, idrp, rsvp, gre, ipv6-icmp, ipv6-no-nxt, ipv6-opts, iso-ip, eigrp, ospf-igp, ether-ip, encap, pnni, pim, vrrp, l2tp, stp, ptp, isis, crtp, crudp, sctp

* - udp/tcp wildcard

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

match

Syntax

match command-string

no match

Context

[Tree] (config>system>security>profile>entry match)

Full Context

configure system security profile entry match

Description

This command configures a command or subtree commands in subordinate command levels are specified.

Evaluation stops when the first match is found, so subordinate levels cannot be modified with subsequent action commands. More specific action commands should be entered with a lower entry number or in a profile that is evaluated prior to this profile.

All commands below the hierarchy level of the matched command are denied.

The no form of this command removes a match condition.

Parameters

command-string

Specifies the CLI command or CLI tree level that is the scope of the profile entry.

Platforms

All

match

Syntax

match

Context

[Tree] (config>router>bgp>group>dynamic-neighbor match)

Full Context

configure router bgp group dynamic-neighbor match

Description

This command configures match conditions for the dynamic neighbors.

Platforms

All

match-circuit-id

match-circuit-id

Syntax

[no] match-circuit-id

Context

[Tree] (config>service>vprn>sub-if>grp-if>dhcp match-circuit-id)

[Tree] (config>service>vprn>sub-if>dhcp match-circuit-id)

[Tree] (config>service>ies>sub-if>grp-if>dhcp match-circuit-id)

Full Context

configure service vprn subscriber-interface group-interface dhcp match-circuit-id

configure service vprn subscriber-interface dhcp match-circuit-id

configure service ies subscriber-interface group-interface dhcp match-circuit-id

Description

This command enables Option 82 circuit ID on relayed DHCP packet matching. For routed CO, the group interface DHCP relay process is stateful. When packets are relayed to the server the virtual router ID, transaction ID, SAP ID, and client hardware MAC address of the relayed packet are tracked.

When a response is received from the server the virtual router ID, transaction ID, and client hardware MAC address must be matched to determine the SAP on which to send the packet out. In some cases, the virtual router ID, transaction ID, and client hardware MAC address are not guaranteed to be unique.

When the match-circuit-id command is enabled this as part of the key is used to guarantee correctness in our lookup. This is only needed when dealing with an IP aware DSLAM that proxies the client hardware MAC address.

The no form of this command disables Option 82 circuit ID on relayed DHCP packet matching.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

match-list

match-list

Syntax

match-list ppp-match-type-1 [ppp-match-type-2]

no match-list

Context

[Tree] (config>subscr-mgmt>loc-user-db>ppp match-list)

Full Context

configure subscriber-mgmt local-user-db ppp match-list

Description

This command specifies the type of matching done to identify a host. There are different match-types for PPPoE hosts of which a maximum of three can be specified.

The no form of this command reverts to the default.

Parameters

match-type-x

Specifies up to three matching types to identify a host.

Values

For PPP: circuit-id, derived-id, mac, remote-id, sap-id, encap-tag-range, encap-tag-separate-range, service-name, username

Note:

The format of remote-id in IPv6 is different that the format of remote-id in IPv4; IPv6 remote-id contains enterprise-id filed that is also honored in matching.

circuit-id — Specifies to use the circuit ID to match against.

derived-id — Specifies the value extracted by Python script during processing of DHCP Discover/Solicit/Request/Renew/Rebind Messages (client to server bound messages). The value is stored in the DHCP Transaction Cache (DTC) in a variable named alc.dtc.derivedId. This value has a lifespan of a DHCP transaction (a single pair of messages exchanged between the client and the server, for example DHCP Discover and DHCP Offer).

encap-tag-separate-range — Specifies the match encapsulation inner and outer tag in two separate ranges.

encap-tag-range — Specifies to match tag ranges for inner and outer tags.

mac — Specifies to use the MAC address to match against.

remote-id — Specifies to use the remote ID to match against.

sap-id — Specifies the SAP ID on which DHCPv4 packet are received. The SAP ID is inserted as ALU VSO (82,9,4) by the DHCPv4 relay in router. This is enabled via configuration under the vendor-specific-option CLI hierarchy of the DHCPv4 relay. Since the dhcp-relay configuration is enabled under the group-interface CLI hierarchy, the group interface and the service ID must be known before the SAP ID can be used for LUDB match.

service-id — Specifies the service ID of the ingress SAP for DHCPv4 packets. The service ID is inserted as ALU VSO (82,9,3) by the DHCPv4 relay in router. This is enabled via configuration under the vendor-specific-option CLI hierarchy of the DHCPv4 relay.

system-id — Specifies the system ID of the node name configured under the system>name CLI hierarchy. The system ID is inserted as ALU VSO (82,9,1) by the DHCPv4 relay in router. This is enabled via configuration under the vendor-specific-option CLI hierarchy of the DHCPv4 relay. Since the dhcp-relay configuration is enabled under the group interface CLI hierarchy, the group interface and the service-id must be known before the system ID can be used for LUDB match.

username — Specifies the user name.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

match-list

Syntax

match-list ipoe-match-type-1 [ipoe-match-type-2]

no match-list

Context

[Tree] (config>subscr-mgmt>loc-user-db>ipoe match-list)

Full Context

configure subscriber-mgmt local-user-db ipoe match-list

Description

This command specifies the type of matching done to identify a host. There are different match-types for IPoE hosts of which a maximum of four can be specified.

The no form of this command reverts to the default.

Parameters

match-type-x

Specifies up to four matching types to identify a host.

Values

For IPoE: circuit-id, derived-id, dual-stack-remote-id, encap-tag-range, encap-tag-separate-range, ip, mac, option60, remote-id, sap-id, service-id, string, system-id

Note:

The format of remote-id in IPv6 is different that the format of remote-id in IPv4; IPv6 remote-id contains enterprise-id filed that is also honored in matching.

circuit-id — Specifies to use the circuit ID to match against.

derived-id — Specifies the value extracted by Python script during processing of DHCP Discover/Solicit/Request/Renew/Rebind Messages (client to server bound messages). The value is stored in the DHCP Transaction Cache (DTC) in a variable named alc.dtc.derivedId. This value has a lifespan of a DHCP transaction (a single pair of messages exchanged between the client and the server, for example DHCP Discover and DHCP Offer).

dual-stack-remote-id — Specifies the enterprise-id in IPv6 remote-id is stripped off before LUDB matching is performed. Processing of IPv4 remote ID remains unchanged. This will allow a single host entry in LUDB for dual-stack host where host identification is performed based on the remote ID field.

encap-tag-separate-range — Specifies the match encapsulation inner and outer tag in two separate ranges.

encap-tag-range — Specifies to match tag ranges for inner and outer tags.

ip — Specifies the source IPv4/IPv6 address of a data-trigger packet.

mac — Specifies to use the MAC address to match against.

option-60 — Specifies to use Option60 to match against.

remote-id — Specifies to use the remote ID to match against.

sap-id — Specifies the SAP ID on which DHCPv4 packet are received. The SAP ID is inserted as ALU VSO (82,9,4) by the DHCPv4 relay in router. This is enabled via configuration under the vendor-specific-option CLI hierarchy of the DHCPv4 relay. Since the dhcp-relay configuration is enabled under the group interface CLI hierarchy, the group interface and the service ID must be known before the SAP ID can be used for LUDB match.

service-id — Specifies the service ID of the ingress SAP for DHCPv4 packets. The service ID is inserted as ALU VSO (82,9,3) by the DHCPv4 relay in router. This is enabled via configuration under the vendor-specific-option CLI hierarchy of the DHCPv4 relay.

string — Specifies the custom string configured under the vendor-specific-option CLI hierarchy of the DHCPv4 relay. The string is inserted as ALU VSO (82,9,5) by the DHCPv4 relay in router. Since the dhcp-relay configuration is enabled under the group-interface CLI hierarchy, the group-interface and the service ID must be known before the string can be used for LUDB match.

system-id — Specifies the system ID of the node name configured under the system>name CLI hierarchy. The system ID is inserted as ALU VSO (82,9,1) by the DHCPv4 relay in router. This is enabled via configuration under the vendor-specific-option CLI hierarchy of the DHCPv4 relay. Since the dhcp-relay configuration is enabled under the group interface CLI hierarchy, the group interface and the service ID must be known before the system ID can be used for LUDB match.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

match-list

Syntax

match-list

Context

[Tree] (config>ipsec>client-db match-list)

Full Context

configure ipsec client-db match-list

Description

This command enables the match list context on a client database. The match list defines the match input used during IPsec’s tunnel setup. If there are multiple inputs configured in the match list, then they all must have matches before the system considers a client entry is a match.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

match-list

Syntax

match-list

Context

[Tree] (config>qos match-list)

Full Context

configure qos match-list

Description

This command is used to enter the context to create or edit match lists used in QoS policies.

Platforms

All

match-list

Syntax

match-list

Context

[Tree] (config>filter match-list)

Full Context

configure filter match-list

Description

This command enables the configuration context for match lists to be used in filter policies (IOM/FP and CPM).

Platforms

All

match-peer-id-to-cert

match-peer-id-to-cert

Syntax

[no] match-peer-id-to-cert

Context

[Tree] (config>ipsec>ike-policy match-peer-id-to-cert)

Full Context

configure ipsec ike-policy match-peer-id-to-cert

Description

This command enables checking the IKE peer's ID matches the peer's certificate when performing certificate authentication.

Default

no match-peer-id-to-cert

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

match-qinq-dot1p

match-qinq-dot1p

Syntax

match-qinq-dot1p {top | bottom}

no match-qinq-dot1p

Context

[Tree] (config>service>ies>if>sap>ingress match-qinq-dot1p)

[Tree] (config>service>ies>sub-if>grp-if>sap>ingress match-qinq-dot1p)

[Tree] (config>service>vprn>sub-if>grp-if>sap>ingress match-qinq-dot1p)

[Tree] (config>service>vpls>sap>ingress match-qinq-dot1p)

Full Context

configure service ies interface sap ingress match-qinq-dot1p

configure service ies subscriber-interface group-interface sap ingress match-qinq-dot1p

configure service vprn subscriber-interface group-interface sap ingress match-qinq-dot1p

configure service vpls sap ingress match-qinq-dot1p

Description

This command specifies which dot1Q tag position dot1P bits in a QinQ encapsulated packet should be used to evaluate dot1P QoS classification.

The match-qinq-dot1p command allows the top or bottom PBits to be used when evaluating the applied sap-ingress QoS policy’s dot1P entries. The top and bottom keywords specify which position should be evaluated for QinQ encapsulated packets.

By default, the bottom-most service delineating dot1Q tag’s dot1P bits are used. Default QinQ and TopQ SAP Dot1P Evaluation defines the default behavior for dot1P evaluation when the match-qinq-dot1p command is not executed.

Table 7. Default QinQ and TopQ SAP Dot1P Evaluation

Port/SAP Type

Existing Packet Tags

PBits Used for Match

Null

None

None

Null

Dot1P (VLAN-ID 0)

Dot1P PBits

Null

Dot1Q

Dot1Q PBits

Null

TopQ BottomQ

TopQ PBits

Null

TopQ (No BottomQ)

TopQ PBits

Dot1Q

None (Default SAP)

None

Dot1Q

Dot1P (Default SAP VLAN-ID 0)

Dot1P PBits

Dot1Q

Dot1Q

Dot1Q PBits

QinQ/TopQ

TopQ

TopQ PBits

QinQ/TopQ

TopQ BottomQ

TopQ PBits

QinQ/TopQ

TopQ BottomQ

BottomQ PBits

The no form of this command restores the default dot1p evaluation behavior for the SAP.

Default

no match-qinq-dot1p (no filtering based on p-bits)

(top or bottom must be specified to override the default QinQ dot1p behavior)

Parameters

top

The top parameter is mutually exclusive to the bottom parameter. When the top parameter is specified, the topmost PBits are used (if existing) to match any dot1p dot1p-value entries. Top Position QinQ and TopQ SAP Dot1P Evaluation defines the dot1p evaluation behavior when the top parameter is specified.

Table 8. Top Position QinQ and TopQ SAP Dot1P Evaluation

Port/SAP Type

Existing Packet Tags

PBits Used for Match

Null

None

None

Null

Dot1P (VLAN-ID 0)

Dot1P PBits

Null

Dot1Q

Dot1Q PBits

Null

TopQ BottomQ

TopQ PBits

Null

TopQ (No BottomQ)

TopQ PBits

Dot1Q

None (Default SAP)

None

Dot1Q

Dot1P (Default SAP VLAN-ID 0)

Dot1P PBits

Dot1Q

Dot1Q

Dot1Q PBits

QinQ/TopQ

TopQ

TopQ PBits

QinQ/TopQ

TopQ BottomQ

TopQ PBits

QinQ/QinQ

TopQ BottomQ

TopQ PBits

bottom

The bottom parameter is mutually exclusive to the top parameter. When the bottom parameter is specified, the bottom most PBits are used (if existing) to match any dot1p dot1p-value entries. Bottom Position QinQ and TopQ SAP Dot1P Evaluation defines the dot1p evaluation behavior when the bottom parameter is specified.

Table 9. Bottom Position QinQ and TopQ SAP Dot1P Evaluation

Port/SAP Type

Existing Packet Tags

PBits Used for Match

Null

None

None

Null

Dot1P (VLAN-ID 0)

Dot1P PBits

Null

Dot1Q

Dot1Q PBits

Null

TopQ BottomQ

BottomQ PBits

Null

TopQ (No BottomQ)

TopQ PBits

Dot1Q

None (Default SAP)

None

Dot1Q

Dot1P (Default SAP VLAN-ID 0)

Dot1P PBits

Dot1Q

Dot1Q

Dot1Q PBits

QinQ/TopQ

TopQ

TopQ PBits

QinQ/TopQ

TopQ BottomQ

BottomQ PBits

QinQ/QinQ

TopQ BottomQ

BottomQ PBits

Platforms

All

  • configure service ies interface sap ingress match-qinq-dot1p
  • configure service vpls sap ingress match-qinq-dot1p

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

  • configure service vprn subscriber-interface group-interface sap ingress match-qinq-dot1p
  • configure service ies subscriber-interface group-interface sap ingress match-qinq-dot1p

match-qinq-dot1p

Syntax

match-qinq-dot1p {top | bottom}

no match-qinq-dot1p de

Context

[Tree] (config>service>ipipe>sap>ingress match-qinq-dot1p)

[Tree] (config>service>epipe>sap>ingress match-qinq-dot1p)

Full Context

configure service ipipe sap ingress match-qinq-dot1p

configure service epipe sap ingress match-qinq-dot1p

Description

This command specifies which Dot1Q tag position Dot1P bits in a QinQ encapsulated packet should be used to evaluate Dot1P QoS classification.

The match-qinq-dot1p command allows the top or bottom PBits to be used when evaluating the applied sap-ingress QoS policy’s Dot1P entries. The top and bottom keywords specify which position should be evaluated for QinQ encapsulated packets.

The setting also applies to classification based on the DE indicator bit.

The no form of this command reverts the dot1p and de bits matching to the default tag.

By default, the bottom most service delineating Dot1Q tags Dot1P bits are used. Default QinQ and TopQ SAP Dot1P Evaluation defines the default behavior for Dot1P evaluation. Top or bottom must be specified to override the default QinQ dot1p behavior.

Table 10. Default QinQ and TopQ SAP Dot1P Evaluation

Port/SAP Type

Existing Packet Tags

PBits Used for Match

Null

None

None

Null

Dot1P (VLAN ID 0)

Dot1P PBits

Null

Dot1Q

Dot1Q PBits

Null

TopQ BottomQ

TopQ PBits

Null

TopQ (No BottomQ)

TopQ PBits

Dot1Q

None (Default SAP)

None

Dot1Q

Dot1P (Default SAP VLAN ID 0)

Dot1P PBits

Dot1Q

Dot1Q

Dot1Q PBits

QinQ / TopQ

TopQ

TopQ PBits

QinQ / TopQ

TopQ BottomQ

TopQ PBits

QinQ / QinQ

TopQ BottomQ

BottomQ PBits

Default

no match-qinq-dot1p (no filtering based on p-bits)

Parameters

top

The top parameter is mutually exclusive to the bottom parameter. When the top parameter is specified, the top most PBits are used (if existing) to match any dot1p dot1p-value entries. Top Position QinQ dpt1p Evaluation Behavior defines the dot1p evaluation behavior when the top parameter is specified.

Table 11. Top Position QinQ dpt1p Evaluation Behavior

Port/SAP Type

Existing Packet Tags

PBits Used for Match

Null

None

None

Null

Dot1P (VLAN ID 0)

Dot1P PBits

Null

Dot1Q

Dot1Q PBits

Null

TopQ BottomQ

TopQ PBits

Null

TopQ (No BottomQ)

TopQ PBits

Dot1Q

None (Default SAP)

None

Dot1Q

Dot1P (Default SAP VLAN ID 0)

Dot1P PBits

Dot1Q

Dot1Q

Dot1Q PBits

QinQ / TopQ

TopQ

TopQ PBits

QinQ / TopQ

TopQ BottomQ

TopQ PBits

QinQ / QinQ

TopQ BottomQ

TopQ PBits

bottom

The bottom parameter and the top parameter are mutually exclusive. When the bottom parameter is specified, the bottom most PBits are used (if existing) to match any dot1p dot1p-value entries. Bottom Position QinQ and TopQ SAP Dot1P Evaluation defines the dot1p evaluation behavior when the bottom parameter is specified.

Table 12. Bottom Position QinQ and TopQ SAP Dot1P Evaluation

Port/SAP Type

Existing Packet Tags

PBits Used for Match

Null

None

None

Null

Dot1P (VLAN ID 0)

Dot1P PBits

Null

Dot1Q

Dot1Q PBits

Null

TopQ BottomQ

TopQ PBits

Null

TopQ (No BottomQ)

TopQ PBits

Dot1Q

None (Default SAP)

None

Dot1Q

Dot1P (Default SAP VLAN ID 0)

Dot1P PBits

Dot1Q

Dot1Q

Dot1Q PBits

QinQ / TopQ

TopQ

TopQ PBits

QinQ / TopQ

TopQ BottomQ

BottomQ PBits

QinQ / QinQ

TopQ BottomQ

BottomQ PBits

Table 13. Egress SAP Types

Egress SAP Type

Ingress Packet Preserved Dot1P State

Marked (or Remarked) PBits

Null

No preserved Dot1P bits

None

Null

Preserved Dot1P bits

Preserved tag PBits remarked using dot1p-value

Dot1Q

No preserved Dot1P bits

New PBits marked using dot1p-value

Dot1Q

Preserved Dot1P bits

Preserved tag PBits remarked using dot1p-value

TopQ

No preserved Dot1P bits

TopQ PBits marked using dot1p-value

TopQ

Preserved Dot1P bits (used as TopQ and BottomQ PBits)

TopQ PBits marked using dot1p-value, BottomQ PBits preserved

QinQ

No preserved Dot1P bits

TopQ PBits and BottomQ PBits marked using dot1p-value

QinQ

Preserved Dot1P bits (used as TopQ and BottomQ PBits)

TopQ PBits and BottomQ PBits marked using dot1p-value

The QinQ and TopQ SAP PBit/DEI bit marking follows the default behavior defined in the preceding table when qinq-mark-top-only is not specified.

The dot1p dot1p-value command must be configured without the qinq-mark-top-only parameter to remove the TopQ PBits only marking restriction.

A QinQ-encapsulated Ethernet port can have two different sap types:

For a TopQ SAP type, only the outer (top) tag is explicitly specified. For example, sap 1/1/1:10.*

For QinQ SAP type, both inner (bottom) and outer (top) tags are explicitly specified. For example, sap 1/1/1:10.100.

Platforms

All

match-qinq-dot1p

Syntax

match-qinq-dot1p {top | bottom}

no match-qinq-dot1p

Context

[Tree] (config>service>vprn>if>sap>ingress match-qinq-dot1p)

Full Context

configure service vprn interface sap ingress match-qinq-dot1p

Description

This command specifies which Dot1Q tag position Dot1P bits in a QinQ encapsulated packet should be used to evaluate Dot1P QoS classification.

The match-qinq-dot1p command allows the top or bottom PBits to be used when evaluating the applied sap-ingress QoS policy’s Dot1P entries. The top and bottom keywords specify which position should be evaluated for QinQ encapsulated packets.

The no form of this command restores the default dot1p evaluation behavior for the SAP.

By default, the bottom most service delineating Dot1Q tags Dot1P bits are used. Dot1P Default Behavior defines the default behavior for Dot1P evaluation when the match-qinq-dot1p command is not executed.

Table 14. Dot1P Default Behavior

Port / SAP Type

Existing Packet Tags

PBits Used for Match

null

none

none

null

Dot1P (VLAN-ID 0)

Dot1P PBits

null

Dot1Q PBits

null

TopQ BottomQ

TopQ PBits

null

TopQ (No BottomQ)

TopQ PBits

Dot1Q

none (Default SAP)

none

Dot1Q

Dot1P (Default SAP VLAN-ID 0)

Dot1P PBits

Dot1Q

Dot1Q

Dot1Q PBits

QinQ / TopQ

TopQ

TopQ PBits

QinQ / TopQ

TopQ BottomQ

TopQ PBits

QinQ / QinQ

TopQ BottomQ

BottomQ PBits

Default

no match-qinq-dot1p - No filtering based on p-bits.

top or bottom must be specified to override the default QinQ dot1p behavior.

Parameters

top

The top parameter is mutually exclusive to the bottom parameter. When the top parameter is specified, the top most PBits are used (if existing) to match any dot1p dot1p-value entries. Dot1P Evaluation Behavior defines the dot1p evaluation behavior when the top parameter is specified.

Table 15. Dot1P Evaluation Behavior

Port / SAP Type

Existing Packet Tags

PBits Used for Match

null

none

none

null

Dot1P (VLAN-ID 0)

Dot1P PBits

null

Dot1Q

Dot1Q PBits

null

TopQ BottomQ

TopQ PBits

null

TopQ (No BottomQ)

TopQ PBits

Dot1Q

none (Default SAP)

none

Dot1Q

Dot1P (Default SAP VLAN-ID 0)

Dot1P PBits

Dot1Q

Dot1Q

Dot1Q PBits

QinQ / TopQ

TopQ

TopQ PBits

QinQ / TopQ

TopQ BottomQ

TopQ PBits

QinQ / TopQ

TopQ BottomQ

TopQ PBits

bottom

The bottom parameter is mutually exclusive to the top parameter. When the bottom parameter is specified, the bottom most PBits are used (if existing) to match any dot1p dot1p-value entries. The following tables define the bottom position QinQ and TopQ SAP dot1p evaluation and the default dot1p explicit marking actions.

Table 16. Bottom Position QinQ and TopQ SAP Dot1P Evaluation

Port / SAP Type

Existing Packet Tags

PBits Used for Match

null

none

none

null

Dot1P (VLAN-ID 0)

Dot1P PBits

null

Dot1Q

Dot1Q PBits

null

TopQ BottomQ

BottomQ PBits

null

TopQ (No BottomQ)

TopQ PBits

Dot1Q

none (default SAP)

none

Dot1Q

Dot1P (default SAP VLAN-ID 0)

Dot1P PBits

Dot1Q

Dot1Q

Dot1Q PBits

QinQ / TopQ

TopQ

TopQ PBits

QinQ / TopQ

TopQ BottomQ

BottomQ PBits

QinQ / QinQ

TopQ BottomQ

BottomQ PBits

Table 17. Default Dot1P Explicit Marking Actions

Egress SAP Type

Ingress Packet Preserved Dot1P State

Marked (or Remarked) PBits

null

no preserved Dot1P bits

none

null

preserved Dot1P bits

preserved tag PBits remarked using dot1p-value

Dot1Q

no preserved Dot1P bits

new PBits marked using dot1p-value

Dot1Q

preserved Dot1P bits

preserved tag PBits remarked using dot1p-value

TopQ

no preserved Dot1P bits

TopQ PBits marked using dot1p-value

TopQ

preserved Dot1P bits (used as TopQ and BottomQ PBits)

TopQ PBits marked using dot1p-value, BottomQ PBits preserved

QinQ

no preserved Dot1P bits

TopQ PBits and BottomQ PBits marked using dot1p-value

QinQ

preserved Dot1P bits (used as TopQ and BottomQ PBits)

TopQ PBits and BottomQ PBits marked using dot1p-value

The dot1p dot1p-value command must be configured without the qinq-mark-top-only parameter to remove the TopQ PBits only marking restriction.

Platforms

All

match-radius-proxy-cache

match-radius-proxy-cache

Syntax

match-radius-proxy-cache

Context

[Tree] (config>subscr-mgmt>loc-user-db>ipoe>host match-radius-proxy-cache)

Full Context

configure subscriber-mgmt local-user-db ipoe host match-radius-proxy-cache

Description

Commands in this context configure RADIUS proxy cache match parameters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

max

max

Syntax

max num-sessions

no max

Context

[Tree] (config>service>nat>firewall-policy>session-limits max)

[Tree] (config>service>nat>nat-policy>session-limits max)

[Tree] (config>service>nat>up-nat-policy>session-limits max)

Full Context

configure service nat firewall-policy session-limits max

configure service nat nat-policy session-limits max

configure service nat up-nat-policy session-limits max

Description

This command configures the session limit of this policy. The session limit is the maximum number of sessions allowed for a subscriber associated with this policy.

Default

max 65535

Parameters

num-sessions

Specifies the session limit.

Values

1 to 65535

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

  • configure service nat firewall-policy session-limits max

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

  • configure service nat nat-policy session-limits max
  • configure service nat up-nat-policy session-limits max

max-admin-down-time

max-admin-down-time

Syntax

max-admin-down-time [[down-interval] | infinite]

no max-admin-down-time

Context

[Tree] (config>lag>bfd>family max-admin-down-time)

Full Context

configure lag bfd family max-admin-down-time

Description

This command specifies the maximum amount of time the router will continue to forward traffic over a link after the micro-BFD sessions has transitioned to a Down state because it received an ADMIN-DOWN state from the far-end. This timer provide the administrator the configured amount of time to disable or de-provision the micro-BFD session on the local node before forwarding is halted over the associated link(s).

The no form of this command removes the time interval from the configuration.

Default

max-admin-down-time 0

Parameters

down-interval

Specifies the amount of time, in seconds.

Values

-1 to 3600

infinite

Specifies no end time to forward traffic.

Platforms

All

max-advertisement

max-advertisement

Syntax

max-advertisement seconds

no max-advertisement

Context

[Tree] (config>subscr-mgmt>rtr-adv-plcy max-advertisement)

[Tree] (config>service>vprn>sub-if>ipv6>rtr-adv max-advertisement)

[Tree] (config>service>ies>sub-if>grp-if>ipv6>rtr-adv max-advertisement)

[Tree] (config>service>vprn>sub-if>grp-if>ipv6>rtr-adv max-advertisement)

[Tree] (config>service>vprn>router-advert>if max-advertisement)

[Tree] (config>service>ies>sub-if>grp-if>ipv6 max-advertisement)

[Tree] (config>service>vprn>sub-if>grp-if>ipv6 max-advertisement)

[Tree] (config>service>ies>sub-if>ipv6>rtr-adv max-advertisement)

Full Context

configure subscriber-mgmt router-advertisement-policy max-advertisement

configure service vprn subscriber-interface ipv6 router-advertisements max-advertisement

configure service ies subscriber-interface group-interface ipv6 router-advertisements max-advertisement

configure service vprn subscriber-interface group-interface ipv6 router-advertisements max-advertisement

configure service vprn router-advert interface max-advertisement

configure service ies subscriber-interface group-interface ipv6 max-advertisement

configure service vprn subscriber-interface group-interface ipv6 max-advertisement

configure service ies subscriber-interface ipv6 router-advertisements max-advertisement

Description

This command specifies the maximum time allowed between sending unsolicited router advertisements from this interface.

The no form of this command reverts to the default.

Default

max-advertisement 1800

Parameters

seconds

Specifies the maximum advertisement interval, in seconds.

Values

900 to 1800

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

max-advertisement-interval

max-advertisement-interval

Syntax

[no] max-advertisement-interval seconds

Context

[Tree] (config>router>router-advert>if max-advertisement-interval)

[Tree] (config>service>vprn>router-advert>if max-advertisement-interval)

Full Context

configure router router-advertisement interface max-advertisement-interval

configure service vprn router-advertisement interface max-advertisement-interval

Description

This command configures the maximum interval between sending router advertisement messages.

Default

max-advertisement-interval 600

Parameters

seconds

Specifies the maximum interval in seconds between sending router advertisement messages.

Values

4 to 1800

Platforms

All

max-age

max-age

Syntax

max-age max-age

no max-age [max-age]

Context

[Tree] (config>service>template>vpls-template>stp max-age)

[Tree] (config>service>vpls>stp max-age)

Full Context

configure service template vpls-template stp max-age

configure service vpls stp max-age

Description

This command indicates how many hops a BPDU can traverse the network starting from the root bridge. The message age field in a BPDU transmitted by the root bridge is initialized to 0. Each other bridge will take the message_age value from BPDUs received on their root port and increment this value by 1. The message_age therefore reflects the distance from the root bridge. BPDUs with a message age exceeding max-age are ignored.

STP uses the max-age value configured in the root bridge. This value is propagated to the other bridges via the BPDUs.

The no form of this command returns the max age to the default value.

Default

max-age 20

Parameters

max-age

The max info age for the STP instance in seconds. Allowed values are integers in the range 6 to 40.

Platforms

All

max-attempts

max-attempts

Syntax

max-attempts count

max-attempts infinite

no max-attempts

Context

[Tree] (config>subscr-mgmt>diam-appl-plcy>gy>efh>interim-c max-attempts)

Full Context

configure subscriber-mgmt diameter-application-policy gy extended-failure-handling interim-credit max-attempts

Description

This command configures the maximum number of attempts made to establish a new Diameter Gy session with the Online Charging Server (OCS) when Extended Failure Handling (EFH) is active.

A new attempt is made when the volume or time interim credit of a rating group is consumed or when the validity time expires for a rating group.

When the maximum number of attempts is reached, the user session associated with the Diameter session is terminated (the corresponding subscriber hosts are deleted from the system).

The no form of this command resets the value to the default value.

Default

max-attempts 10

Parameters

count

Specifies the maximum number attempts that is made to establish a Diameter Gy session with the OCS when EFH is active.

Values

1 to 4294967295

infinite

Specifies that an unlimited number of attempts is made to establish a Diameter Gy session with the OCS when EFH is active.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

max-auth-req

max-auth-req

Syntax

max-auth-req max-auth-request

Context

[Tree] (config>port>ethernet>dot1x max-auth-req)

Full Context

configure port ethernet dot1x max-auth-req

Description

This command configures the maximum number of times that the router will send an access request RADIUS message to the RADIUS server. If a reply is not received from the RADIUS server after the specified number attempts, the 802.1x authentication procedure is considered to have failed.

The no form of this command returns the value to the default.

Default

max-auth-req 2

Parameters

max-auth-request

The maximum number of RADIUS retries.

Values

1 to 10

Platforms

All

max-avg

max-avg

Syntax

max-avg percent

no max-avg

Context

[Tree] (config>qos>slope-policy>high-slope max-avg)

[Tree] (config>qos>slope-policy>exceed-slope max-avg)

[Tree] (config>qos>slope-policy>highplus-slope max-avg)

[Tree] (config>qos>slope-policy>low-slope max-avg)

Full Context

configure qos slope-policy high-slope max-avg

configure qos slope-policy exceed-slope max-avg

configure qos slope-policy highplus-slope max-avg

configure qos slope-policy low-slope max-avg

Description

Sets the exceed, low, high, or highplus Random Early Detection (RED) slope position for the shared buffer average utilization value where the packet discard probability rises directly to one. The percent parameter is expressed as a percentage of the shared buffer size.

The no form of this command restores the max-avg value to the default setting. If the current start-avg setting is larger than the default, an error will occur and the max-avg setting will not be changed to the default.

Default

max-avg 100 - Highplus slope default is 100% buffer utilization before discard probability is 1.

max-avg 90 — High slope default is 90% buffer utilization before discard probability is 1.

max-avg 75 — Low slope default is 75% buffer utilization before discard probability is 1.

max-avg 55 — Exceed slope default is 55% buffer utilization before discard probability is 1.

Parameters

percent

The percentage of the shared buffer space for the buffer pool at which point the drop probability becomes one. The value entered must be greater or equal to the current setting of start-avg. If the entered value is smaller than the current value of start-avg, an error will occur and no change will take place.

Values

0 to 100

Platforms

All

max-bandwidth

max-bandwidth

Syntax

max-bandwidth bandwidth-in-mbps

no max-bandwidth

Context

[Tree] (config>router>mpls>lsp-template>auto-bandwidth max-bandwidth)

[Tree] (config>router>mpls>lsp>auto-bandwidth max-bandwidth)

Full Context

configure router mpls lsp-template auto-bandwidth max-bandwidth

configure router mpls lsp auto-bandwidth max-bandwidth

Description

This command configures the maximum bandwidth that auto-bandwidth allocation is allowed to request for an LSP.

The LSP maximum applies whether the bandwidth adjustment is triggered by normal adjust-interval expiry, the overflow limit having been reached, or manual request.

The no form of this command reverts to the default value.

The max-bandwidth must be greater than the min-bandwidth.

Default

max-bandwidth 100000

Parameters

bandwidth-in-mbps

Specifies the maximum bandwidth in Mb/s.

Values

0 to 6400000

Platforms

All

max-bulk-duration

max-bulk-duration

Syntax

max-bulk-duration milliseconds

no max-bulk-duration

Context

[Tree] (config>system>snmp max-bulk-duration)

Full Context

configure system snmp max-bulk-duration

Description

This command sets the maximum duration to process an SNMP request before bulk responses are returned to avoid a timeout on the management system when a lot of information is returned in the response.

Default

no max-bulk-duration

Parameters

milliseconds

Specifies the maximum duration to process requests before bulk responses are returned.

Values

100 to 5000

Platforms

All

max-burst

max-burst

Syntax

max-burst number

no max-burst

Context

[Tree] (config>router>rsvp>msg-pacing max-burst)

Full Context

configure router rsvp msg-pacing max-burst

Description

This command specifies the maximum number of RSVP messages that are sent in the specified period under normal operating conditions.

Default

max-burst 650

Parameters

number

Specifies the maximum number of RSVP messages to be sent in increments of 10.

Values

100 to 1000

Platforms

All

max-burst-size

max-burst-size

Syntax

max-burst-size size [bytes | kilobytes]

no max-burst-size

Context

[Tree] (config>router>policy-acct-template>policer max-burst-size)

Full Context

configure router policy-acct-template policer max-burst-size

Description

This command configures the MBS for the policer. When this threshold value is exceeded, packets are considered violating and are dropped.

When this value is not configured, the default value is dependent on the peak-rate setting. When peak-rate is set to max or is greater than or equal to the FP capacity (overriding an explicitly configured MBS value), the default value is 16 megabytes; otherwise the value is capped at 3988 kilobytes with a minimum of 256 bytes.

The no form of this command reverts to the default value.

Parameters

size

Specifies the maximum number of RSVP messages to be sent in increments of 10.

Values

0 to 16777216 | default

bytes

Specifies that the value is in bytes.

kilobytes

Specifies that the value is in kilobytes.

Platforms

7450 ESS, 7750 SR, 7750 SR-s, 7950 XRS

max-bypass-associations

max-bypass-associations

Syntax

max-bypass-associations integer

no max-bypass-associations

Context

[Tree] (config>router>mpls max-bypass-associations)

Full Context

configure router mpls max-bypass-associations

Description

This command allows the user to set a maximum number of LSP primary path associations with each manual or dynamic bypass LSP that is created in the system.

By default, a Point of Local Repair (PLR) node will associate a maximum of 1000 primary LSP paths with a given bypass before using the next available manual bypass or signaling a new dynamic bypass.

Note that a new bypass LSP may need to be signaled if the constraint of a given primary LSP path is not met by an existing bypass LSP even if the max-bypass-associations for this bypass LSP has not been reached.

The no form of this command reinstates the default value of this parameter.

Default

max-bypass-associations 1000

Parameters

integer

Configures the number of LSP primary path associations

Values

100 to 131072

Platforms

All

max-bypass-plr-associations

max-bypass-plr-associations

Syntax

max-bypass-plr-associations plr-value

no max-bypass-plr-associations

Context

[Tree] (config>router>mpls max-bypass-plr-associations)

Full Context

configure router mpls max-bypass-plr-associations

Description

This command enables the configuration of the maximum number of Points of Local Repair (PLRs) per RSVP-TE bypass LSP.

A PLR summarizes the constraints applied to the computation of the path of the bypass LSP. It consists of the avoid link/node constraint, and potentially other TE constraints such as exclude SRLG, that are needed to protect against the failure of the primary path of the RSVP-TE LSP that is associated with this bypass LSP.

Additional PLRs with the same avoid link/node constraint are associated with the same bypass to minimize the number of bypass LSPs created. This command controls the maximum number of such PLRs.

Because MPLS saves only the PLR constraints of the first LSP that triggered the dynamic bypass creation, subsequent LSPs for the same avoid link/node and with the non-strict bypass SRLG disjointness enabled may be associated with the same bypass. This is even in cases where there exists a bypass LSP path that strictly satisfies the SRLG constraint.

When the maximum PLRs per bypass is configured with a value of 1, MPLS triggers the signaling of a new dynamic bypass LSP for each new PLR and saves each PLR constraint separately with its own bypass. As a result, when MPLS re-optimizes a bypass LSP it guarantees that SRLG disjointness of that PLR are checked and enforced.

The no form of this command returns the command to its default value.

Default

max-bypass-plr-associations 16

Parameters

plr-value

Configures the number of LSP primary path associations

Values

1 to 16

Default

16

Platforms

All

max-cleared

max-cleared

Syntax

max-cleared maximum

Context

[Tree] (config>system>alarms max-cleared)

Full Context

configure system alarms max-cleared

Description

This command configures the maximum number of cleared alarms that the system will store and display.

Default

max-cleared 500

Parameters

maximum

Specifies the maximum number of cleared alarms, up to 500.

Platforms

All

max-completed

max-completed

Syntax

max-completed unsigned

Context

[Tree] (config>system>script-control>script-policy max-completed)

Full Context

configure system script-control script-policy max-completed

Description

This command is used to configure the maximum number of script run history status entries to keep.

Default

max-completed 1

Parameters

unsigned

Specifies the maximum number of script run history status entries to keep.

Values

1 to 1500

Default

1

Platforms

All

max-conn-prefix

max-conn-prefix

Syntax

max-conn-prefix count

no max-conn-prefix

Context

[Tree] (config>test-oam>twamp>server>prefix max-conn-prefix)

Full Context

configure test-oam twamp server prefix max-conn-prefix

Description

This command configures the maximum number of control connections by clients with an IP address in a specific prefix. A new control connection is rejected if accepting it would cause either the prefix limit defined by this command or the server limit (max-conn-server) to be exceeded.

The no form of this command returns the value to the default.

Default

max-conn-prefix 32

Parameters

count

Specifies the maximum number of control connections.

Values

0 to 64

Default

32

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

max-conn-server

max-conn-server

Syntax

max-conn-server count

no max-conn-server

Context

[Tree] (config>test-oam>twamp>server max-conn-server)

Full Context

configure test-oam twamp server max-conn-server

Description

This command configures the maximum number of TWAMP control connections from all TWAMP clients. A new control connection is rejected if accepting it would cause either this limit or a prefix limit (max-conn-prefix) to be exceeded.

The no form of this command returns the value to the default.

Default

max-conn-server 32

Parameters

count

Specifies the maximum number of control connections.

Values

0 to 64

Default

32

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

max-data-size

max-data-size

Syntax

max-data-size bytes

Context

[Tree] (config>sflow>receiver max-data-size)

Full Context

configure sflow receiver max-data-size

Description

This configures the maximum data size for sFlow UDP datagrams sent to the collector.

To restore default configuration, execute max-data-size 1400.

Default

max-data-size 1400

Parameters

bytes

Specifies the data size.

Values

200 to 1500

Platforms

7750 SR, 7750 SR-s, 7950 XRS

max-debounce-time

max-debounce-time

Syntax

max-debounce-time max-debounce-time

no max-debounce-time

Context

[Tree] (config>redundancy>mc>peer>mc>l3-ring>in-band-control-path max-debounce-time)

[Tree] (config>redundancy>mc>peer>mcr>ring>in-band-control-path max-debounce-time)

Full Context

configure redundancy multi-chassis peer multi-chassis l3-ring in-band-control-path max-debounce-time

configure redundancy multi-chassis peer mc-ring ring in-band-control-path max-debounce-time

Description

This command configures the inband control path maximum debounce time.

The no form of this command reverts to the default.

Default

max-debounce-time 10

Parameters

max-debounce-time

Specifies the maximum debounce time on the transition of the operational state of the inband control connection.

Values

5 to 200 seconds

Platforms

All

max-decrement

max-decrement

Syntax

max-decrement {percent percent-of-admin-pir | rate rate-in-kilobits-per-second}

no max-decrement

Context

[Tree] (config>qos>adv-config-policy>child-control>offered-measurement max-decrement)

Full Context

configure qos adv-config-policy child-control offered-measurement max-decrement

Description

This command is used to limit how fast a child queue or policer can 'give up’ bandwidth that it has been allotted from the virtual scheduler in a single iteration. If the child’s new offered rate has decreased by more than the maximum decrement limit, the system ignores the new offered rate and instead uses the old offered rate less the maximum decrement limit.

A possible reason to define a maximum decrement limit is to allow a child queue or policer to hold on to a portion of bandwidth that has been distributed by the parent virtual scheduler in case the child’s offered rate fluctuates in an erratic manor. The max-decrement limit has a dampening effect to changes in the offered rate.

A side effect of using a maximum decrement limit is that unused bandwidth allocated to the child queue or policer will not be given to another child as quickly. This may result in an underrun of the virtual scheduler’s aggregate rate.

The max-decrement limit has no effect on any increase in a child’s offered rate. If the rate increase is above the change sensitivity, the new offered rate is immediately used.

If the max-decrement command is used with a percent-based value, the decrement limit will be a function of the configured PIR value on the policer or queue. In this case, care should be taken that the child is either configured with an explicit PIR rate (other than max) or the child’s administrative PIR is defined using the percent-rate command with the local parameter enabled if an explicit value is not desired. When a maximum PIR is in use on the child, the system attempts to interpret the maximum child forwarding rate. This rate could be very large if the child is associated with multiple ingress or egress ports.

Except for the overall cap on the offered input into the virtual scheduler, the child’s administrative PIR has no effect on the calculated sensitivity if an explicit rate is specified.

If the child’s administrative PIR is modified while a percent based max-decrement is in effect, the system automatically uses the new relative maximum decrement limit value the next time the child’s offered rate is determined.

When the max-decrement command is not specified or removed, the virtual scheduler does not limit a decreasing offered rate to a specific limit.

The no form of this command is used to remove any currently configured maximum decrement limit for all child policers and queues associated with the policy.

Parameters

percent-of-admin-pir

When the percent qualifier is used, this parameter specifies the percentage of the child’s administrative PIR that should be used as the decrement limit to offered rate change. If a value of 100 or 100.00 is used, the system will interpret this equivalent to no max-decrement.

Values

1.00 to 100.00

rate-in-kilobits-per-second

When the rate qualifier is used, this parameter specifies an explicit rate, in kb/s, that should be used as the child’s offered rate change sensitivity value. If a rate sensitivity of 0 is specified, the system interprets this equivalent to no max-decrement.

Values

0 to 100,000,000

Platforms

All

max-description-size

max-description-size

Syntax

max-description-size size

no max-description-size

Context

[Tree] (config>service>nat>pcp-server-policy max-description-size)

Full Context

configure service nat pcp-server-policy max-description-size

Description

This command specifies the maximum length of mapping descriptions made by the PCP servers using this PCP policy.

Default

max-description-size 64

Parameters

size

Specifies the maximum length of mapping descriptions made by the PCP servers.

Values

1 to 64

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

max-drop-count

max-drop-count

Syntax

max-drop-count count

no max-drop-count

Context

[Tree] (config>service>sdp>keep-alive max-drop-count)

Full Context

configure service sdp keep-alive max-drop-count

Description

This command configures the number of consecutive SDP keepalive failed request attempts or remote replies that can be missed after which the SDP is operationally downed. If the max-drop-count consecutive keepalive request messages cannot be sent or no replies are received, the SDP-ID will be brought operationally down by the keepalive SDP monitoring.

The no form of this command reverts the max-drop-count count value to the default settings.

Default

max-drop-count 3

Parameters

count

Specifies the number of consecutive SDP keepalive requests that are failed to be sent or replies missed, expressed as a decimal integer.

Values

1 to 5

Platforms

All

max-ecmp-routes

max-ecmp-routes

Syntax

max-ecmp-routes max-routes

no max-ecmp-routes

Context

[Tree] (config>router>ldp max-ecmp-routes)

Full Context

configure router ldp max-ecmp-routes

Description

This command sets the maximum number of ECMP routes that LDP may use to resolve the next hop for a FEC.

Note:

The system-wide maximum number of ECMP routes is limited by the config>