a Commands

aa-admit-deny

aa-admit-deny

Syntax

aa-admit-deny

Context

[Tree] (config>app-assure>group>statistics aa-admit-deny)

Full Context

configure application-assurance group statistics aa-admit-deny

Description

Commands in this context configure admit-deny statistics generation.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

aa-interface

aa-interface

Syntax

aa-interface aa-if-name [create]

no aa-interface aa-if-name

Context

[Tree] (config>service>vprn aa-interface)

[Tree] (config>service>ies aa-interface)

Full Context

configure service vprn aa-interface

configure service ies aa-interface

Description

This commands creates a new AA interface within an IES or VPRN service. It is used by the aa-isa to send/receive IPv4 traffic. In the context of ICAP url-filtering this interface is used by the ISA to establish ICAP TCP connections to the ICAP servers.

This interface supports /31 subnet only, and uses by default .1q encapsulation.

The system will automatically configure the ISA IP address based on the address configured by the operator under the aa-interface object (which represents the ISA sap facing interface on the ISA).

Parameters

aa-if-name

specifies the name of the AA Interface.

create

Keyword that specifies to create the interface.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

aa-specific

aa-specific

Syntax

[no] aa-specific

Context

[Tree] (config>log>acct-policy>cr aa-specific)

Full Context

configure log accounting-policy custom-record aa-specific

Description

Commands in this context configure information for this custom record.

The no form of this command excludes aa-specific attributes in the AA subscriber's custom record.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

aa-sub

aa-sub

Syntax

aa-sub esm {eq | neq} sub-ident-string

aa-sub esm-mac {eq | neq} esm-mac-name

aa-sub sap {eq | neq} sap-id

aa-sub spoke-sdp {eq | neq} sdp-id:vc-id

aa-sub transit {eq | neq} transit-aasub-name

no aa-sub

Context

[Tree] (config>app-assure>group>policy>aqp>entry>match aa-sub)

Full Context

configure application-assurance group policy app-qos-policy entry match aa-sub

Description

This command specifies a Service Access Point (SAP) or an ESM subscriber as matching criteria.

The no form of this command removes the SAP or ESM matching criteria.

Parameters

eq

Specifies that the value configured and the value in the flow are equal.

neq

Specifies that the value configured differs from the value in the flow.

sub-ident-string

Specifies the name of an existing application assurance subscriber.

esm-mac-name

Specifies the name of an ESM-MAC subscriber.

sap-id

Specifies the SAP ID.

sap sap-id

Specifies the physical port identifier portion of the SAP definition.

sdp-id:vc-id

Specifies the spoke SDP ID and VC ID.

Values

1 to 32767

1 to 4294967295

transit-aasub-name

Specifies the name of a transit AA subscriber.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

aa-sub

Syntax

aa-sub

Context

[Tree] (config>app-assure>group>statistics aa-sub)

Full Context

configure application-assurance group statistics aa-sub

Description

Commands in this context configure accounting and statistics collection parameters per application assurance subscribers.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

aa-sub

Syntax

[no] aa-sub {esm sub-ident-string | sap sap-id | spoke-sdp sdp-id:vc-id | transit transit-aasub-name | esm-mac esm-mac-name }

Context

[Tree] (config>app-assure>group>statistics>aa-sub-study aa-sub)

Full Context

configure application-assurance group statistics aa-sub-study aa-sub

Description

This command adds an existing subscriber identification to a group of special study subscribers (for example, subscribers for which per subscriber statistics and accounting records can be collected for protocols and applications of application assurance).

The no form of this command removes the subscriber from the special study subscribers.

Up to 100 subscribers can be configured into the special study group for protocols and up to a 100 potentially different subscribers can be configured into the special study group for applications.

When adding a subscriber to the special study group, accounting records and statistics generation will commence immediately. When removing a subscriber from the group, special study statistics and accounting records for that subscriber in the current interval will be lost.

Parameters

sub-ident-string

Specifies the name of a subscriber ID. The subscriber does not need to be currently active. Any sub-ident-string will be accepted. When the subscriber becomes active, statistics generation will start automatically at that time.

sap-id

Specifies the physical port identifier portion of the SAP definition.

spoke-id sdp-id:vc-id

Specifies the spoke SDP ID and VC ID.

Values

1 to 32767

1 to 4294967295

transit-aasub-name

Specifies an existing transit subscriber name string, up to 32 characters in length.

esm-mac-name

Specifies an existing ESM-MAC subscriber name, up to 32 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

aa-sub

Syntax

aa-sub transit-aasub-name

no aa-sub

Context

[Tree] (config>app-assure>group>transit-prefix-policy>entry aa-sub)

Full Context

configure application-assurance group transit-prefix-policy entry aa-sub

Description

This command configures a transit prefix policy entry subscriber.

The no form of this command removes the transit subscriber name from the transit prefix policy configuration.

Parameters

transit-aasub-name

specifies the name of the transit prefix AA subscriber up to 32 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

aa-sub-attributes

aa-sub-attributes

Syntax

aa-sub-attributes [all]

no aa-sub-attributes

Context

[Tree] (config>log>acct-policy>cr>aa aa-sub-attributes)

Full Context

configure log accounting-policy custom-record aa-specific aa-sub-attributes

Description

Commands in this context configure aa-specific attributes such as aa-sub-attributes and counters that will be available in the AA subscriber's custom record.

The no form of this command excludes aa specific attributes from the AA subscriber's custom record.

Parameters

all

Specifies all counters.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

aa-sub-congestion-detection

aa-sub-congestion-detection

Syntax

aa-sub-congestion-detection

Context

[Tree] (config>app-assure>group aa-sub-congestion-detection)

Full Context

configure application-assurance group aa-sub-congestion-detection

Description

Commands in this context configure Non-Location Based DEM (NLB-DEM) parameters.

Note:

NLB-DEM and Access-Network Location (ANL) DEM mode are mutually exclusive, and cannot operate simultaneously.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

aa-sub-counters

aa-sub-counters

Syntax

aa-sub-counters [all]

no aa-sub-counters

Context

[Tree] (config>log>acct-policy>cr>aa aa-sub-counters)

Full Context

configure log accounting-policy custom-record aa-specific aa-sub-counters

Description

Commands in this context configure subscriber counter information. This command only applies to the 7750 SR.

The no form of this command excludes the aa-sub-counters attributes in the AA subscriber's custom record.

Parameters

all

Specifies all counters.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

aa-sub-ip

aa-sub-ip

Syntax

aa-sub-ip ip-address[/mask]

no aa-sub-ip

Context

[Tree] (config>app-assure>group>transit-prefix-policy>entry>match aa-sub-ip)

Full Context

configure application-assurance group transit-prefix-policy entry match aa-sub-ip

Description

This command configures a transit prefix subscriber ip address prefix. It is used when the site is on the local side, being the same side of the system as the parent SAP. The local aa-sub-ip addresses represent the src-IP in the from-SAP direction and dest-IP in the to-SAP direction.

The no form of this command deletes the aa-sub-ip address assigned from the entry configuration.

Default

no aa-sub-ip

Parameters

ip-address[/mask]

Specifies the address type of the subscriber address prefix associated with this transit prefix policy entry.

Values

ip-address[/mask] :

ipv4-address - a.b.c.d[/mask]

mask - [1..32]

ipv6-address - x:x:x:x:x:x:x:x/prefix-length

x:x:x:x:x:x:d.d.d.d

x - [0..FFFF]H

d - [0..255]D

prefix-length [1..128]

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

aa-sub-remote

aa-sub-remote

Syntax

[no] aa-sub-remote

Context

[Tree] (config>app-assure>group aa-sub-remote)

Full Context

configure application-assurance group aa-sub-remote

Description

This command specifies whether or not the from subscriber and to subscriber traffic direction is reversed for this group-partition.

Default

no aa-sub-remote

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

aa-sub-study

aa-sub-study

Syntax

aa-sub-study study-type

Context

[Tree] (config>app-assure>group>statistics aa-sub-study)

Full Context

configure application-assurance group statistics aa-sub-study

Description

Commands in this context configure accounting and statistics collection parameters per application assurance special study subscribers.

Parameters

study-type

Specifies special study protocol subscriber stats.

Values

application, protocol

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

aa-sub-suppressible

aa-sub-suppressible

Syntax

aa-sub-suppressible

no aa-sub-suppressible

Context

[Tree] (config>app-assure>group>policy>app-profile aa-sub-suppressible)

Full Context

configure application-assurance group policy app-profile aa-sub-suppressible

Description

This command configures an app-profile as "aa-sub-suppressible”, this function is used in the context of an SRRP group interface. If an SRRP group interface is configured as "suppress-aa-sub” then subscribers with an app-profile configured as "aa-sub-suppressible” will not be diverted to Application Assurance.

The no form of this command restores the default behavior.

Default

no aa-sub-suppressible

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

aa-sub-tethering-state

aa-sub-tethering-state

Syntax

aa-sub-tethering-state {detected | not-detected}

no aa-sub-tethering-state

Context

[Tree] (config>app-assure>group>policy>aqp>entry>match aa-sub-tethering-state)

Full Context

configure application-assurance group policy app-qos-policy entry match aa-sub-tethering-state

Description

This command specifies the tethering state of the subscriber where the AQP match entry will be applied.

The tethering state match condition is meaningful when configured in non-default subscriber policy AQP. Default subscriber policy consists of those AQPs that include match criteria based on the subscriber’s configuration. Tethering state match condition is also applicable in those AQPs that include matching criteria that are derived from actual subscriber’s traffic.

The no form of this command removes detection of sub-tethering state from the configuration.

Default

no aa-sub-tethering-state

Parameters

detected

Specifies that the subscriber is in the tethering state.

not-detected

Specifies that the subscriber is not in the tethering state.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

aa-url-parameter

aa-url-parameter

Syntax

aa-url-parameter url-param-string

Context

[Tree] (config>subscr-mgmt>http-rdr-plcy aa-url-parameter)

[Tree] (config>service>ies>sub-if>grp-if>wlan-gw>ranges>range>dsm aa-url-parameter)

[Tree] (config>service>vprn>sub-if>grp-if>wlan-gw>ranges>range>dsm aa-url-parameter)

Full Context

configure subscriber-mgmt http-redirect-policy aa-url-parameter

configure service ies subscriber-interface group-interface wlan-gw vlan-tag-ranges range distributed-sub-mgmt aa-url-parameter

configure service vprn subscriber-interface group-interface wlan-gw vlan-tag-ranges range distributed-sub-mgmt aa-url-parameter

Description

This command configures the AA URL parameter that is used for HTTP portal redirect.

Parameters

url-param-string

Specifies an AA URL parameter, up to 247 characters.

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

aaa

aaa

Syntax

aaa

Context

[Tree] (config aaa)

Full Context

configure aaa

Description

Commands in this context configure authentication, authorization, and accounting.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

aaa

Syntax

aaa

Context

[Tree] (config>service>vprn aaa)

Full Context

configure service vprn aaa

Description

Commands in this context configure AAA on the VPRN.

Platforms

All

aarp

aarp

Syntax

aarp aarpId type type

no aarp

Context

[Tree] (config>service>epipe>spoke-sdp aarp)

[Tree] (config>service>epipe>sap aarp)

Full Context

configure service epipe spoke-sdp aarp

configure service epipe sap aarp

Description

This command associates an AARP instance with a multi-homed SAP or spoke SDP. This instance uses the same AARP ID in the same node to provide traffic flow and packet asymmetry removal for a multi-homed SAP or spoke SDP.

The type specifies the role of this service point in the AARP: either, primary (dual-homed) or secondary (dual-homed-secondary). The AA service attributes (app-profile and transit-policy) of the primary are inherited by the secondary endpoints. All endpoints within an AARP must be of the same type (SAP or spoke), and all endpoints with an AARP must be within the same service.

The no form of this command removes the association between an AARP instance and a multi-homed SAP or spoke SDP.

Default

no aarp

Parameters

aarpid

Specifies the AARP instance associated with this SAP. If not configured, no AARP instance is associated with this SAP.

Values

1 to 65535

type

Specifies the role of the SAP referenced by the AARP instance.

Values

dual-homed — The primary dual-homed AA subscriber side service-point of an AARP instance; only supported for Epipe, IES, and VPRN SAP and spoke SDP.

dual-homed-secondary — One of the secondary dual-homed AA subscriber side service-points of an AARP instance; only supported for Epipe, IES, and VPRN SAP and spoke SDP.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

aarp

Syntax

aarp aarp-id type {subscriber-side-shunt | network-side-shunt}

no aarp

Context

[Tree] (config>service>ipipe>spoke-sdp aarp)

Full Context

configure service ipipe spoke-sdp aarp

Description

This command associates an AARP instance to an Ipipe spoke SDP. This instance is paired with the same aarp-id in a peer node as part of a configuration to provide flow and packet asymmetry removal for traffic for a multi-homed SAP or spoke SDP. The type parameter specifies the role of this service point in the AARP instance.

The no form of this command removes the association.

Default

no aarp

Parameters

aarp-id

An integer that identifies an AARP instance.

Values

1 to 65535

subscriber-side-shunt

Specifies that the AARP type is an inter-chassis shunt service for subscriber-side traffic.

network-side-shunt

Specifies that the AARP type is an inter-chassis shunt service for network-side traffic.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

aarp

Syntax

aarp aarp-id type {subscriber-side-shunt | network-side-shunt}

no aarp

Context

[Tree] (config>service>ies>aarp-interface>spoke-sdp aarp)

Full Context

configure service ies aarp-interface spoke-sdp aarp

Description

This command associates an AARP instance to an AARP interface spoke SDP. This instance is paired with the same aarp-id in a peer node as part of a configuration to provide flow and packet asymmetry removal for traffic for a multi-homed SAP or spoke SDP. The type parameter specifies the role of this service point in the AARP instance.

The no form of this command removes the association.

Default

no aarp

Parameters

aarp-id

Specifies an integer that identifies an AARP instance.

Values

1 to 65535

subscriber-side-shunt

Specifies that the AARP type is an inter-chassis shunt service for subscriber-side traffic.

network-side-shunt

Specifies that the AARP type is an inter-chassis shunt service for network-side traffic.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

aarp

Syntax

aarp aarpId type type

no aarp

Context

[Tree] (config>service>ies>if>spoke-sdp aarp)

[Tree] (config>service>ies>if>sap aarp)

Full Context

configure service ies interface spoke-sdp aarp

configure service ies interface sap aarp

Description

This command associates an AARP instance with a multi-homed SAP or spoke SDP. This instance uses the same AARP ID in the same node or in a peer node (pre-configured) to provide traffic flow and packet asymmetry removal for a multi-homed SAP or spoke SDP.

The type specifies the role of this service point in the AARP: either, primary (dual-homed) or secondary (dual-homed-secondary). The AA service attributes (app-profile and transit-policy) of the primary are inherited by the secondary endpoints. All endpoints within an AARP must be of the same type (SAP or spoke), and all endpoints with an AARP must be within the same service.

The no form of this command removes the association between an AARP instance and a multi-homed SAP or spoke SDP.

Default

no aarp

Parameters

aarpId

Specifies the AARP instance associated with this SAP. If not configured, no AARP instance is associated with this SAP.

Values

1 to 65535

type

Specifies the role of the SAP referenced by the AARP instance.

Values

dual-homed — The primary dual-homed AA subscriber side service-point of an AARP instance; only supported for Epipe, IES, and VPRN SAP and spoke SDP.

dual-homed-secondary — One of the secondary dual-homed AA subscriber side service-points of an AARP instance; only supported for Epipe, IES, and VPRN SAP and spoke SDP.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

aarp

Syntax

aarp aarp-id type {subscriber-side-shunt | network-side-shunt}

no aarp

Context

[Tree] (config>service>vprn>aarp-interface>spoke-sdp aarp)

Full Context

configure service vprn aarp-interface spoke-sdp aarp

Description

This command associates an AARP instance to an AARP interface spoke SDP. This instance is paired with the same aarp-id in a peer node as part of a configuration to provide flow and packet asymmetry removal for traffic for a multi-homed SAP or spoke SDP. The type parameter specifies the role of this service point in the AARP instance.

The no form of this command removes the association.

Default

no aarp

Parameters

aarp-id

An integer that identifies an AARP instance.

Values

1 to 65535

subscriber-side-shunt

Specifies that the AARP type is an inter-chassis shunt service for subscriber-side traffic.

network-side-shunt

Specifies that the AARP type is an inter-chassis shunt service for network-side traffic.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

aarp

Syntax

aarp aarpId type type

no aarp

Context

[Tree] (config>service>vprn>if>sap aarp)

[Tree] (config>service>vprn>if>spoke-sdp aarp)

Full Context

configure service vprn interface sap aarp

configure service vprn interface spoke-sdp aarp

Description

This command associates an AARP instance with a multi-homed SAP or spoke SDP. This instance uses the same AARP ID in the same node or in a peer node (pre-configured) to provide traffic flow and packet asymmetry removal for a multi-homed SAP or spoke SDP.

The type specifies the role of this service point in the AARP: either, primary (dual-homed) or secondary (dual-homed-secondary). The AA service attributes (app-profile and transit-policy) of the primary are inherited by the secondary endpoints. All endpoints within an AARP must be of the same type (SAP or spoke), and all endpoints with an AARP must be within the same service.

The no form of this command removes the association between an AARP instance and a multi-homed SAP or spoke SDP.

Default

no aarp

Parameters

aarpId

Specifies the AARP instance associated with this SAP. If not configured, no AARP instance is associated with this SAP.

Values

1 to 65535

type

Specifies the role of the SAP referenced by the AARP instance.

Values

dual-homed — The primary dual-homed AA subscriber side service-point of an AARP instance; only supported for Epipe, IES, and VPRN SAP and spoke SDP.

dual-homed-secondary — One of the secondary dual-homed AA subscriber side service-points of an AARP instance; only supported for Epipe, IES, and VPRN SAP and spoke SDP.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

aarp

Syntax

aarp aarpId [create]

no aarp aarpId

Context

[Tree] (config>application-assurance aarp)

Full Context

configure application-assurance aarp

Description

This command defines an Application Assurance Redundancy Protocol (AARP) instance. This instance is paired with the same aarpId in a peer node as part of a configuration to provide flow and packet asymmetry removal for traffic for a multi-homed SAP or spoke SDP.

The no form of this command removes the instance from the configuration.

Parameters

aarpid

An integer that identifies an AARP instance.

Values

1 to 65535

create

Keyword used to create the AARP instance.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

aarp-interface

aarp-interface

Syntax

aarp-interface aarp-interface-name [create]

no aarp-interface aarp-interface-name

Context

[Tree] (config>service>ies aarp-interface)

Full Context

configure service ies aarp-interface

Description

This command creates an AARP interface for connecting a service to a peer node AARP service. This instance is paired with the same AARP interface in a peer node as part of a configuration to provide flow and packet asymmetry removal for traffic for a multi-homed SAP or spoke SDP.

The no form of this command deletes the interface.

Default

no aarp-interface

Parameters

aarp-interface-name

Specifies a string of up to 32 characters identifying the interface.

create

Keyword used to create the AARP interface.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

aarp-interface

Syntax

aarp-interface aarp-interface-name [create]

no aarp-interface aarp-interface-name

Context

[Tree] (config>service>vprn aarp-interface)

Full Context

configure service vprn aarp-interface

Description

This command creates an AARP interface for connecting a service to a peer node AARP service. This instance is paired with the same AARP interface in a peer node as part of a configuration to provide flow and packet asymmetry removal for traffic for a multi-homed SAP or spoke SDP.

The no form of this command deletes the interface.

Default

no aarp-interface

Parameters

aarp-interface-name

Specifies the AARP interface name.

create

Keyword used to create the AARP interface.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

abandon-tcp-optimization

abandon-tcp-optimization

Syntax

[no] abandon-tcp-optimization

Context

[Tree] (config>app-assure>group>policy>aqp>entry>action abandon-tcp-optimization)

Full Context

configure application-assurance group policy app-qos-policy entry action abandon-tcp-optimization

Description

This command causes TCPO to stop for flows matching this AQP entry. The flows are counted as TCPO abandoned by policy flows.

The no form of this command removes abandon TCPO from actions on flows matching this AQP entry.

Default

no abandon-tcp-optimization

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

abort

abort

Syntax

abort

Context

[Tree] (config>app-assure>group>policy abort)

Full Context

configure application-assurance group policy abort

Description

This command ends the current editing session and aborts any changes entered during this policy editing session.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

abort

Syntax

abort

Context

[Tree] (config>router>bfd abort)

Full Context

configure router bfd abort

Description

This command discards the changes made to a BFD template during an active session.

Platforms

All

abort

Syntax

abort

Context

[Tree] (config>router>route-next-hop-policy abort)

Full Context

configure router route-next-hop-policy abort

Description

This command discards the changes made to route next-hop templates during an active session.

Platforms

All

abort

Syntax

abort

Context

[Tree] (config>system>sync-if-timing abort)

Full Context

configure system sync-if-timing abort

Description

This command is required to discard changes that have been made to the synchronous interface timing configuration during a session.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

abort

Syntax

abort

Context

[Tree] (config>router>policy-options abort)

Full Context

configure router policy-options abort

Description

This command is required to discard changes made to a route policy.

Platforms

All

above-offered-allowance

above-offered-allowance

Syntax

[no] above-offered-allowance

Context

[Tree] (config>qos>adv-config-policy>child-control>bandwidth-distribution above-offered-allowance)

Full Context

configure qos adv-config-policy child-control bandwidth-distribution above-offered-allowance

Description

Commands in this context edit the parameters that control the child's above-offered-allowance bandwidth. These parameters are only applicable when the port scheduler is configured to use the above-offered-allowance-control algorithm, otherwise they are ignored.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

above-offered-cap

above-offered-cap

Syntax

above-offered-cap {percent percent-of-admin-pir | rate rate-in-kilobits-per-second}

no above-offered-cap

Context

[Tree] (config>qos>adv-config-policy>child-control>bandwidth-distribution above-offered-cap)

Full Context

configure qos adv-config-policy child-control bandwidth-distribution above-offered-cap

Description

This command is used to limit the operationally configured shaping or policing rate on the child associated with the policy. After the parent virtual scheduler or policer control policy determines the appropriate rate for a specific child, a separate operation decides the actual PIR that should be configured for that child. When the parent determines that the distributed rate is equal to or less than the child’s offered rate, the configured operational PIR will be equal to that determined rate. But when the parent determines that the child’s offered rate is less than the available bandwidth the child could consume, the operational PIR may be set to a value larger than the distributed bandwidth. This extra rate is not currently used by the child because the offered rate is less. The system provides this extra bandwidth in case the child’s offered rate increases before the next sampling interval is complete, to mitigate the periodic nature of the child’s operational PIR adjustments. The increase in the offered rate is not subtracted from the parent’s remaining distribution bandwidth for lower priority children, only the determined rate is considered consumed by the parent virtual scheduler or policer control policy instance. The actual operationally configured PIR will never be greater than the child’s administratively defined PIR.

This 'fair share’ PIR configuration behavior may result in the sum of the children’s PIRs exceeding the aggregate rate of the parent. If this behavior violates the downstream QoS requirements, the above-offered-cap command may be used to minimize or eliminate the increase in the child’s configured PIR.

If the above-offered-cap command is used with a percent-based value, the increase is a function of the configured PIR value on the policer or queue. In this case, care should be taken that the child is either configured with an explicit PIR rate (other than max) or the child’s administrative PIR is defined using the percent-rate command with the local parameter enabled if an explicit value is not needed. When a maximum PIR is in use on the child, the system attempts to interpret the maximum child forwarding rate. This rate could be very large if the child is associated with multiple ingress or egress ports.

If the child’s administrative PIR is modified while a percent based above-offered-cap is in effect, the system automatically uses the new relative limit value the next time the child’s operational PIR is distributed.

When this command is not specified or removed, the child’s operational 'fair share’ operational PIR may be configured up to the child’s administrative PIR, based on the actual parental bandwidth available at the child’s priority level.

The no form of this command is used to remove a fair share operational PIR rate increase limit from all child policers and queues associated with the policy.

Parameters

percent-of-admin-pir

When the percent qualifier is used, the following percent-of-admin-pir parameter specifies the percentage of the child’s administrative PIR that is used as the fair share increase limit. The new operational PIR result is capped by the child’s PIR. If a value of 0 or 0.00 is used, the system will disable the fair share increase function and only configure the actual distribution rate. If a value of 100 or 100.00 is used, the system will interpret this equivalent to executing the no above-offered-cap command and return the fair-share operation to the default behavior.

Values

0.00 to 100.00

rate-in-kilobits-per-second

When the rate qualifier is used, the rate-in-kilobits-per-second parameter specifies an explicit rate, in kb/s, that are used as the limit to the child’s fair share increase to the operational PIR. The new operational PIR result is capped by the child’s PIR. If a value of 0 is used, the system will disable the fair share increase function and only configure the actual distribution rate.

Values

0 to 100,000,000

Platforms

All

absolute

absolute

Syntax

absolute microseconds

no absolute

Context

[Tree] (config>test-oam>link-meas>template>asw>thr absolute)

[Tree] (config>test-oam>link-meas>template>sw>thr absolute)

Full Context

configure test-oam link-measurement measurement-template aggregate-sample-window threshold absolute

configure test-oam link-measurement measurement-template sample-window threshold absolute

Description

This command specifies the delta, in microseconds, that a new delay measurement must differ from the previously reported measurement to be reported directly to the routing engine.

The no form of this command reverts to the default value.

Default

absolute 0

Parameters

microseconds

Specifies the difference, in microseconds.

A value of 0 (zero) indicates that the absolute threshold is not used for reporting.

Values

0 to 100000

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

ac-df-capability

ac-df-capability

Syntax

ac-df-capability {include | exclude}

Context

[Tree] (config>service>system>bgp-evpn>eth-seg ac-df-capability)

Full Context

configure service system bgp-evpn ethernet-segment ac-df-capability

Description

This command configures the inclusion or exclusion of the Attachment Circuit-influenced (AC-Influenced) designated forwarder (DF) election capability (AC-DF) capability into the DF Election for the Ethernet Segment.

The SR OS supports the AC-DF capability, in accordance with RFC8584. The include option is the default command setting. The AC-DF capability is enabled by default to support the EVPN auto-discovery per EVI/ES (AD per EVI/ES) routes for a specific PE, which ensures that the PE is included in the candidate DF election list.

Configuring the exclude option disables the AC-DF capability. When ac-df-capability exclude is configured on a specific Ethernet Segment (ES), the presence or absence of the AD per EVI/ES routes from the ES peers do not modify the candidate DF Election list for the ES. The exclude option is recommended in ESs that use an oper-group monitored by the access LAG to signal standby lacp or power-off.

All PE routers attached to the same ES must be configured consistently for the AC-DF capability.

Default

ac-df-capability include

Parameters

include

Specifies that AC-DF capability is enabled.

exclude

Specifies that AC-DF capability is disabled.

Platforms

All

accept-authorization-change

accept-authorization-change

Syntax

[no] accept-authorization-change

Context

[Tree] (config>subscr-mgmt>auth-policy accept-authorization-change)

Full Context

configure subscriber-mgmt authentication-policy accept-authorization-change

Description

This command specifies whether or not the system should handle the CoA messages initiated by the RADIUS server, and provide for mid-session interval changes of policies applicable to subscriber hosts.

The no form of this command reverts to the default.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

accept-coa

accept-coa

Syntax

[no] accept-coa

Context

[Tree] (config>service>vprn>radius-server>server accept-coa)

[Tree] (config>router>radius-server>server accept-coa)

Full Context

configure service vprn radius-server server accept-coa

configure router radius-server server accept-coa

Description

This command configures this server for Change of Authorization messages. The system will process the CoA request from the external server if configured with this command; otherwise the CoA request is dropped.

The no form of this command disables the command.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

accept-from-ebgp

accept-from-ebgp

Syntax

accept-from-ebgp family [family]

no accept-from-ebgp

Context

[Tree] (config>service>vprn>bgp>group>neighbor>link-bandwidth accept-from-ebgp)

[Tree] (config>service>vprn>bgp>group>link-bandwidth accept-from-ebgp)

Full Context

configure service vprn bgp group neighbor link-bandwidth accept-from-ebgp

configure service vprn bgp group link-bandwidth accept-from-ebgp

Description

This command configures BGP to accept and use the link-bandwidth extended community attached to any route received from any EBGP peer in the scope of the command, as long as that route belongs to one of the listed address families.

The link-bandwidth extended community is encoded as a non-transitive type. This means that by default it should not be attached to any route advertised to an EBGP peer and it should be discarded when received in any route from an EBGP peer. This command overrides the standard behavior.

Up to three families may be configured.

The no form of this command restores the default behavior of discarding the link-bandwidth extended community in any route received from an EBGP peer.

Default

no accept-from-ebgp

Parameters

family

Specifies the address families for which receiving the link-bandwidth extended community from EBGP peers should be supported.

Values

ipv4 — Adds a link-bandwidth extended community to unlabeled unicast IPv4 routes.

label-ipv4 — Adds a link-bandwidth extended community to labeled-unicast IPv4 routes.

ipv6 — Adds a link-bandwidth extended community to unlabeled unicast IPv6 routes.

Platforms

All

accept-from-ebgp

Syntax

accept-from-ebgp family [family]

no accept-from-ebgp

Context

[Tree] (config>router>bgp>group>neighbor>link-bandwidth accept-from-ebgp)

[Tree] (config>router>bgp>group>link-bandwidth accept-from-ebgp)

Full Context

configure router bgp group neighbor link-bandwidth accept-from-ebgp

configure router bgp group link-bandwidth accept-from-ebgp

Description

This command configures BGP to accept and use the link-bandwidth extended community attached to any route received from any EBGP peer in the scope of the command, as long as that route belongs to one of the listed address families.

The link-bandwidth extended community is encoded as a non-transitive type. This means that by default it should not be attached to any route advertised to an EBGP peer and it should be discarded when received in any route from an EBGP peer. This command overrides the standard behavior.

Up to six families may be configured.

The no form of this command restores the default behavior of discarding the link-bandwidth extended community in any route received from an EBGP peer.

Default

no accept-from-ebgp

Parameters

family

Specifies the address families for which receiving the link-bandwidth extended community from EBGP peers should be supported.

Values

ipv4 — Adds a link-bandwidth extended community to unlabeled unicast IPv4 routes.

label-ipv4 — Adds a link-bandwidth extended community to labeled-unicast IPv4 routes.

vpn-ipv4 — Adds a link-bandwidth extended community to IPv4 VPN (SAFI 128) routes.

ipv6 — Adds a link-bandwidth extended community to unlabeled unicast IPv6 routes.

label-ipv6 — Adds a link-bandwidth extended community to labeled-unicast IPv6 routes.

vpn-ipv6 — Adds a link-bandwidth extended community to IPv6 VPN (SAFI 128) routes.

Platforms

All

accept-ivpls-evpn-flush

accept-ivpls-evpn-flush

Syntax

[no] accept-ivpls-evpn-flush

Context

[Tree] (config>service>vpls>bgp-evpn accept-ivpls-evpn-flush)

Full Context

configure service vpls bgp-evpn accept-ivpls-evpn-flush

Description

This command enables the system to accept non-zero Ethernet tag MAC routes and process them only for C-MAC flushing. This command can be changed on the fly without shutting down BGP-EVPN MPLS.

The no version of the command prevents the router from processing B-MAC/ISID routes for cmac-flush.

Default

no accept-ivpls-evpn-flush

Platforms

All

accept-mrru

accept-mrru

Syntax

[no] accept-mrru

Context

[Tree] (config>subscr-mgmt>ppp-policy>mlppp accept-mrru)

Full Context

configure subscriber-mgmt ppp-policy mlppp accept-mrru

Description

This command is applicable only to LAC. MRRU option is an indication that the session is of MLPPPoX type. The 7750 SR LAC never initiates the MRRU option in LCP negotiation process. However, it responds to MRRU negotiation request by the client.

This command provides an option to specifically enable or disable negotiation of MLPPPoX on a capture SAP level or on a group interface level.

The no form of this command causes the MRRU option in LCP to not be negotiated by LAC.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s

accept-orf

accept-orf

Syntax

[no] accept-orf

Context

[Tree] (config>router>bgp>group>neighbor>outbound-route-filtering>extended-community accept-orf)

[Tree] (config>router>bgp>outbound-route-filtering>extended-community accept-orf)

[Tree] (config>router>bgp>group>outbound-route-filtering>extended-community accept-orf)

Full Context

configure router bgp group neighbor outbound-route-filtering extended-community accept-orf

configure router bgp outbound-route-filtering extended-community accept-orf

configure router bgp group outbound-route-filtering extended-community accept-orf

Description

This command instructs the router to negotiate the receive capability in the BGP ORF negotiation with a peer, and accept filters that the peer wants to send.

The no form of this command causes the router to remove the accept capability in the BGP ORF negotiation with a peer, and to clear any existing ORF filters that are currently in place.

Default

no accept-orf

Platforms

All

accept-remote-loopback

accept-remote-loopback

Syntax

[no] accept-remote-loopback

Context

[Tree] (config>port>ethernet>efm-oam accept-remote-loopback)

Full Context

configure port ethernet efm-oam accept-remote-loopback

Description

This command enables reactions to loopback control OAM PDUs from peers.

The no form of this command disables reactions to loopback control OAM PDUs.

Default

no accept-remote-loopback

Platforms

All

accept-script-policy

accept-script-policy

Syntax

accept-script-policy policy-name

no accept-script-policy

Context

[Tree] (config>aaa>radius-srv-plcy accept-script-policy)

Full Context

configure aaa radius-server-policy accept-script-policy

Description

This command specifies the RADIUS script policy used to change the RADIUS attributes of the incoming Access-Accept messages.

Parameters

policy-name

Specifies the name of the Python script to modify Access-Accept messages, up to 32 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

accept-script-policy

Syntax

accept-script-policy policy-name

no accept-script-policy

Context

[Tree] (config>subscr-mgmt>auth-policy accept-script-policy)

Full Context

configure subscriber-mgmt authentication-policy accept-script-policy

Description

This command specifies the RADIUS script policy used to change the RADIUS attributes of the incoming Access-Accept messages.

The no form of this command reverts to the default.

Parameters

policy-name

Specifies the name of the Python script to modify Access-Accept messages, up to 32 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

accept-unprotected-errormsg

accept-unprotected-errormsg

Syntax

[no] accept-unprotected-errormsg

Context

[Tree] (config>system>security>pki>ca-profile>cmpv2 accept-unprotected-errormsg)

Full Context

configure system security pki ca-profile cmpv2 accept-unprotected-errormsg

Description

This command enables the system to accept both protected and unprotected CMPv2 error message. Without this command, system will only accept protected error messages.

The no form of this command causes the system to only accept protected PKI confirmation message.

Default

no accept-unprotected-errormsg

Platforms

All

accept-unprotected-pkiconf

accept-unprotected-pkiconf

Syntax

[no] accept-unprotected-pkiconf

Context

[Tree] (config>system>security>pki>ca-profile>cmpv2 accept-unprotected-pkiconf)

Full Context

configure system security pki ca-profile cmpv2 accept-unprotected-pkiconf

Description

This command enables the system to accept both protected and unprotected CMPv2 PKI confirmation messages. Without this command, the system will only accept protected PKI confirmation message.

The no form of this command causes the system to only accept protected PKI confirmation message.

Default

no accept-unprotected-pkiconf

Platforms

All

access

access

Syntax

access router router-instance

access service service-name

no access

Context

[Tree] (config>subscr-mgmt>steering-profile access)

Full Context

configure subscriber-mgmt steering-profile access

Description

This command specifies a routing instance to be used as a network VAS router in the steering profile.

The no form of this command removes the router instance.

Parameters

router-instance

Specifies the router instance to be used as an access VAS router.

Values

router-instance:

router-name | vprn-svc-id

router-name:

"Base”

vprn-svc-id:

1 to 2147483647

service-name

Specifies the service name, up to 64 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

access

Syntax

access

Context

[Tree] (config>port>ethernet access)

Full Context

configure port ethernet access

Description

This command configures Ethernet access port parameters.

Platforms

All

access

Syntax

[no] access

Context

[Tree] (config>service>ies>sub-if>grp-if>wlan-gw>ranges>range>vrgw>lanext access)

[Tree] (config>service>vprn>sub-if>grp-if>wlan-gw>ranges>range>vrgw>lanext access)

Full Context

configure service ies subscriber-interface group-interface wlan-gw vlan-tag-ranges range vrgw lanext access

configure service vprn subscriber-interface group-interface wlan-gw vlan-tag-ranges range vrgw lanext access

Description

Commands in this context configure the access side of HLE for the VLAN range.

The no form of this command disables the vRGW parameters enabled in this context.

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

access

Syntax

access

Context

[Tree] (config>port access)

[Tree] (config>card>mda access)

Full Context

configure port access

configure card mda access

Description

This command enables the access context to configure egress and ingress pool policy parameters.

On the MDA level, access egress and ingress pools are only allocated on channelized MDAs.

Platforms

All

access

Syntax

access

Context

[Tree] (config>card>fp>ingress access)

Full Context

configure card fp ingress access

Description

This CLI node contains the access forwarding-plane parameters.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, 7950 XRS, VSR

access

Syntax

access

Context

[Tree] (config>lag access)

Full Context

configure lag access

Description

Commands in this context configure access parameters.

Platforms

All

access

Syntax

access

Context

[Tree] (config>eth-tunnel>lag-emulation access)

Full Context

configure eth-tunnel lag-emulation access

Description

Commands in this context configure eth-tunnel loadsharing access parameters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

access

Syntax

[no] access

Context

[Tree] (config>service>vprn>snmp access)

Full Context

configure service vprn snmp access

Description

This command enables SNMP access using VPRN interface addresses. This command allows SNMP messages destined to the VPRN interface IP addresses for this VPRN (including VPRN interfaces that are bound to R-VPLS services) to be processed by the SNMP agent on the router. SNMP messages that arrive on VPRN interfaces but are destined to IP addresses in the Base routing context that can be accessed in the VPRN (for example, the router system address via grt leaking) do not require snmp access to be enabled but do require allow-local-management to be enabled.

Using an SNMP community defined inside the VPRN context (configure service vprn snmp community) allows access to a subset of the full SNMP data model. This subset can be seen in the output of show system security view "vprn-view".

Using an SNMP community defined in the system context (configure system security snmp community) allows access to the full SNMP data model (unless otherwise restricted used SNMP views).

Alternatively, grt leaking and a Base routing IP address can be used (along with an SNMP community defined at the system context) to get access to the entire SNMP data model (see the allow-local-management command).

The Nokia NSP cannot discover or fully manage an SR OS router using an SNMP community defined inside the VPRN context. Full SNMP access requires using one of the approaches described above.

Refer to the 7450 ESS, 7750 SR, 7950 XRS, and VSR System Management Guide for detailed information about SNMP.

Platforms

All

access

Syntax

[no] access [ftp] [snmp] [ console] [li] [netconf] [grpc]

Context

[Tree] (config>system>security>user access)

[Tree] (config>system>security>user-template access)

Full Context

configure system security user access

configure system security user-template access

Description

This command grants a user permission for FTP, SNMP, console, lawful intercept (LI), NETCONF, or gRPC access.

If a user requires access to more than one application, then multiple applications can be specified in a single command. Multiple commands are treated additively.

The no form of this command removes access for a specific application, and denies permission for all management access methods.

To deny a single access method, enter the no form of this command followed by the method to be denied, for example, no access FTP denies FTP access.

Default

no access

Parameters

ftp

Specifies FTP permission.

snmp

Specifies SNMP permission. This keyword is only configurable in the config>system>security>user context.

console

Specifies console access (serial port or Telnet) permission.

li

Specifies CLI command access in the lawful intercept (LI) context.

netconf

Specifies NETCONF session access for the user defined in the specified user context. Because of the Base-R13 SR OS YANG data models, console access is also necessary in both classic and mixed configuration modes. console access is not required for the Nokia SR OS YANG data models in model-driven mode.

grpc

Specifies gRPC access.

Platforms

All

access

Syntax

[no] access group group-name security-model security-model security-level security-level [context context-name [prefix -match]] [read view-name-1] [write view-name-2] [notify view-name-3]

Context

[Tree] (config>system>security>snmp access)

Full Context

configure system security snmp access

Description

This command creates an association between a user group, a security model, and the views that the user group can access. Access parameters must be configured unless security is limited to the preconfigured access groups and views for SNMPv1 and SNMPv2. An access group is defined by a unique combination of the group name, security model and security level.

Access groups are used by the usm-community command.

Access must be configured unless security is limited to SNMPv1/SNMPv2c with community strings. See the community command.

Default access group configurations cannot be modified or deleted.

To remove the user group with associated, security model(s), and security level(s), use:

no access group group-name

To remove a security model and security level combination from a group, use:

no access group group-name security-model {snmpv1 | snmpv2c | usm} security-level {no-auth-no-privacy | auth-no-privacy | privacy}

Parameters

group-name

Specify a unique group name up to 32 characters.

security-model {snmpv1 | snmpv2c | usm}

Specifies the security model required to access the views configured in this node. A group can have multiple security models. For example, one view may only require SNMPv1/ SNMPv2c access while another view may require USM (SNMPv3) access rights.

security-level {no-auth-no-priv | auth-no-priv | privacy}

Specifies the required authentication and privacy levels to access the views configured in this node.

security-level no-auth-no-privacy

Specifies that no authentication and no privacy (encryption) is required. When configuring the user’s authentication, select the none option.

security-level auth-no-privacy

Specifies that authentication is required but privacy (encryption) is not required. When this option is configured, both the group and the user must be configured for authentication.

security-level privacy

Specifies that both authentication and privacy (encryption) is required. When this option is configured, both the group and the user must be configured for authentication. The user must also be configured for privacy.

context-name

Specifies a set of SNMP objects that are associated with the context-name.

The context-name is treated as either a full context-name string or a context name prefix depending on the keyword specified (exact or prefix).

prefix-match

Specifies the context name prefix-match keywords, exact or prefix. This parameter applies only to the 7750 SR.

The VPRN context names begin with a vprn prefix. The numerical value is associated with the service ID that the VPRN was created with and identifies the service in the service domain. For example, when a new VPRN service is created such as config>service>vprn 2345 customer 1, a VPRN with context name vprn2345 is created.

The exact keyword specifies that an exact match between the context name and the prefix value is required. For example, when context vprn2345 exact is entered, matches for only vprn2345 are considered.

The prefix keyword specifies that only a match between the prefix and the starting portion of context name is required. If only the prefix keyword is specified, simple wildcard processing is used. For example, when context vprn prefix is entered, all vprn contexts are matched.

Default

exact

view-name-1

Specifies the SNMP view used to control which MIB objects can be accessed using a read (get) operation.

view-name-2

Specifies the SNMP view used to control which MIB objects can be accessed using a write (set) operation.

view-name-3

Specifies the SNMP view used to control which MIB objects can be accessed for notifications.

Values

none

Platforms

All

access-algorithm

access-algorithm

Syntax

access-algorithm {direct | round-robin}

no access-algorithm

Context

[Tree] (config>aaa>l2tp-acct-plcy>radius-acct-server access-algorithm)

Full Context

configure aaa l2tp-accounting-policy radius-accounting-server access-algorithm

Description

This command configures the algorithm used to access the list of configured RADIUS servers.

The no form of this command reverts to the default.

Default

access-algorithm direct

Parameters

direct

Specifies that the first server is used as primary server for all requests, the second as secondary and so on.

round-robin

Specifies that the first server is used as primary server for the first request, the second server as primary for the second request, and so on. If the router gets to the end of the list, it starts again with the first server.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

access-algorithm

Syntax

access-algorithm {direct | round-robin}

Context

[Tree] (config>app-assure>rad-acct-plcy>server access-algorithm)

Full Context

configure application-assurance radius-accounting-policy radius-accounting-server access-algorithm

Description

This command configures the algorithm used to access the list of configured RADIUS servers.

Default

access-algorithm direct

Parameters

direct

Specifies that the first server is used as primary server for all requests, the second as secondary and so on.

round-robin

Specifies that the first server is used as primary server for the first request, the second server as primary for the second request, and so on. If the router gets to the end of the list, it starts again with the first server.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

access-algorithm

Syntax

access-algorithm {direct | round-robin}

no access-algorithm

Context

[Tree] (config>subscr-mgmt>acct-plcy>server access-algorithm)

[Tree] (config>subscr-mgmt>auth-plcy>radius-auth-server access-algorithm)

Full Context

configure subscriber-mgmt radius-accounting-policy radius-accounting-server access-algorithm

configure subscriber-mgmt authentication-policy radius-authentication-server access-algorithm

Description

This command configures the algorithm used to access the list of configured RADIUS servers.

The no form of this command reverts to the default.

Parameters

direct

Specifies that the first server is used as primary server for all requests, the second as secondary and so on.

round-robin

Specifies that the first server is used as primary server for the first request, the second server as primary for the second request, and so on. If the router gets to the end of the list, it starts again with the first server.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

access-algorithm

Syntax

access-algorithm {direct | round-robin | hash-based}

no access-algorithm

Context

[Tree] (config>aaa>radius-srv-plcy>servers access-algorithm)

Full Context

configure aaa radius-server-policy servers access-algorithm

Description

This command configures the algorithm used to select a RADIUS server from the pool of configured RADIUS servers.

Default

access-algorithm direct

Parameters

direct

Specifies that the first server is used as primary server for all requests, the second as secondary and so on.

round-robin

Specifies that the first server is used as primary server for the first request, the second server as primary for the second request, and so on. If the router gets to the end of the list, it starts again with the first server.

hash-based

Select a RADIUS server based on the calculated hash result of the configured load-balance-key under the radius-proxy server hierarchy. This parameter is only applicable for radius-proxy server scenarios and results in an unpredictable RADIUS server selection if used in other scenarios.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

access-algorithm

Syntax

access-algorithm {direct | round-robin}

no access-algorithm

Context

[Tree] (config>service>vprn>aaa>remote-servers>radius access-algorithm)

Full Context

configure service vprn aaa remote-servers radius access-algorithm

Description

This command indicates the algorithm used to access the set of RADIUS servers.

Default

access-algorithm direct

Parameters

direct

The first server will be used as primary server for all requests, the second as secondary and so on.

round-robin

The first server will be used as primary server for the first request, the second server as primary for the second request, and so on. If the router gets to the end of the list, it starts again with the first server.

Platforms

All

access-algorithm

Syntax

access-algorithm {direct | round-robin | hash-based | direct-priority}

no access-algorithm

Context

[Tree] (config>aaa>isa-radius-plcy>servers access-algorithm)

Full Context

configure aaa isa-radius-policy servers access-algorithm

Description

This command defines the algorithm used to access the list of available RADIUS servers. A RADIUS server is considered available initially and marked as unavailable if no response packets are received in a period equal to the configured packet timeout multiplied by the retry count after sending a request. A server is always marked as available when any valid RADIUS packet is received from that server. Some access algorithms periodically probe unavailable servers by sending a single request. If the server responds to the request, it is immediately marked as available.

Default

access-algorithm direct

Parameters

direct

Specifies that the first server is used as primary server for all requests, the second as secondary and so on.

round-robin

Specifies that the first server is used as primary server for the first request, the second server as primary for the second request, and so on. If the router gets to the end of the list, it starts again with the first server.

hashed-based

Specifies that the selection is based on the hash-based procedures.

direct-priority

Specifies that the first server is used for all requests. If that server is not available, the second server is used, and so on. This method periodically probes and falls back to higher-priority servers.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

access-algorithm

Syntax

access-algorithm {direct | round-robin}

no access-algorithm

Context

[Tree] (config>system>security>radius access-algorithm)

Full Context

configure system security radius access-algorithm

Description

This command indicates the algorithm used to access the set of RADIUS servers.

Default

access-algorithm direct

Parameters

direct

Specifies that the first server is used as primary server for all requests, the second as secondary and so on.

round-robin

Specifies that the first server is used as primary server for the first request, the second server as primary for the second request, and so on. If the router gets to the end of the list, it starts again with the first server.

Platforms

All

access-loop-encapsulation

access-loop-encapsulation

Syntax

[no] access-loop-encapsulation

Context

[Tree] (config>subscr-mgmt>loc-user-db>ppp>host access-loop-encapsulation)

Full Context

configure subscriber-mgmt local-user-db ppp host access-loop-encapsulation

Description

Commands in this context configure access loop information.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s

access-loop-information

access-loop-information

Syntax

access-loop-information

Context

[Tree] (config>subscr-mgmt>loc-user-db>ppp>host access-loop-information)

Full Context

configure subscriber-mgmt local-user-db ppp host access-loop-information

Description

Commands in this context configure access loop information in the local user database.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

access-loop-options

access-loop-options

Syntax

[no] access-loop-options

Context

[Tree] (config>subscr-mgmt>auth-plcy>include-radius-attribute access-loop-options)

[Tree] (config>subscr-mgmt>acct-plcy>include-radius-attribute access-loop-options)

Full Context

configure subscriber-mgmt authentication-policy include-radius-attribute access-loop-options

configure subscriber-mgmt radius-accounting-policy include-radius-attribute access-loop-options

Description

This command enables inclusion of access loop information: Broadband Forum (BBF) access loop characteristics, DSL line state and DSL type. The BBF access loop characteristics are returned as BBF specific RADIUS attributes where DSL line state and DSL type are returned as Nokia-specific RADIUS VSAs.

Information obtained via the ANCP protocol has precedence over information received in PPPoE Vendor Specific BBF tags or DHCP Vendor Specific BBF Options.

If ANCP is utilized and interim accounting update is enabled, any Port Up event from GSMP will initiate in an interim update. Port Up messages can include information such as an update on the current subscriber actual-upstream-speed. The next interim accounting message is from port up triggering point.

The no form of this command reverts to the default.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

access-network-location

access-network-location

Syntax

access-network-location

Context

[Tree] (config>app-assure>group access-network-location)

Full Context

configure application-assurance group access-network-location

Description

Commands in this context configure parameters related to dynamic experience management, also known as Access Network Location (ANL).

These parameters include location source type congestion point and congestion detection parameters (such as roundtrip delay thresholds), if applicable.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

access-operation-cmd

access-operation-cmd

Syntax

[no] access-operation-cmd access-operation

Context

[Tree] (config>service>vprn>aaa>rmt-srv>tacplus>req access-operation-cmd)

[Tree] (config>system>security>tacplus>request-format access-operation-cmd)

Full Context

configure service vprn aaa remote-servers tacplus request-format access-operation-cmd

configure system security tacplus request-format access-operation-cmd

Description

This command sends an operation argument in authorization requests.

In model-driven interfaces, this command configures the system to send the operation in the cmd argument, and the path in the cmd-args argument, in TACACS+ authorization requests. This command does not apply to authorization requests in classic interfaces.

The no form of this command removes the operation from the configuration.

Default

no access-operation-cmd

Parameters

access-operation

Specifies that an operation in the authorization request is sent.

Values

delete — Keyword that sends the operation "cmd=delete" and "cmd-args=path".

Platforms

All

accounting

accounting

Syntax

accounting {1 | 2} [create]

no accounting {1 | 2}

Context

[Tree] (config>service>dynsvc>ladb>user>idx accounting)

Full Context

configure service dynamic-services local-auth-db user-name index accounting

Description

This command creates a context for one of the two accounting destinations specified in the dynamic services policy. In this context, overrides of RADIUS accounting parameters can be specified.

The no form of this command removes the RADIUS accounting overrides context from the configuration.

Parameters

{1 | 2}

Indicates one of the two RADIUS accounting destinations.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

accounting

Syntax

[no] accounting

Context

[Tree] (config>service>vprn>aaa>remote-servers>radius accounting)

Full Context

configure service vprn aaa remote-servers radius accounting

Description

This command enables RADIUS accounting.

The no form of this command disables RADIUS accounting.

Default

no accounting

Platforms

All

accounting

Syntax

accounting [record-type { start-stop | stop-only}]

no accounting

Context

[Tree] (config>service>vprn>aaa>remote-servers>tacplus accounting)

Full Context

configure service vprn aaa remote-servers tacplus accounting

Description

This command configures the type of accounting record packet that is to be sent to the TACACS+ server. The record-type parameter indicates whether TACACS+ accounting start and stop packets be sent or just stop packets be sent.

Default

no accounting

Parameters

record-type start-stop

Specifies that a TACACS+ start packet is sent whenever the user executes a command and a TACACS+ stop packet when command execution is complete.

record-type stop-only

Specifies that only a TACACS+ stop packet is sent whenever the command execution is complete.

Platforms

All

accounting

Syntax

accounting [port udp-port]

no accounting

Context

[Tree] (config>aaa>isa-radius-plcy>servers>server accounting)

Full Context

configure aaa isa-radius-policy servers server accounting

Description

This command configures accounting for this server.

Parameters

udp-port

Specifies the UDP port number on which to contact the RADIUS server for authentication.

Values

1 to 65535

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

accounting

Syntax

[no] accounting

Context

[Tree] (config>system>security>radius accounting)

Full Context

configure system security radius accounting

Description

This command enables RADIUS accounting.

The no form of this command disables RADIUS accounting.

Default

no accounting

Platforms

All

accounting

Syntax

accounting [record-type { start-stop | stop-only}]

no accounting

Context

[Tree] (config>system>security>tacplus accounting)

Full Context

configure system security tacplus accounting

Description

This command configures the type of accounting record packet that is to be sent to the TACACS+ server. The record-type parameter indicates whether TACACS+ accounting start and stop packets be sent or just stop packets be sent.

Default

no accounting

Parameters

record-type start-stop

Specifies that a TACACS+ start packet is sent whenever the user executes a command and a TACACS+ stop packet when command execution is complete.

record-type stop-only

Specifies that only a TACACS+ stop packet is sent whenever the command execution is complete.

Platforms

All

accounting-1

accounting-1

Syntax

accounting-1

Context

[Tree] (config>service>dynsvc>policy accounting-1)

Full Context

configure service dynamic-services dynamic-services-policy accounting-1

Description

Commands in this context configure the first RADIUS accounting destination and corresponding RADIUS accounting parameters for dynamic data services.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

accounting-2

accounting-2

Syntax

accounting-2

Context

[Tree] (config>service>dynsvc>policy accounting-2)

Full Context

configure service dynamic-services dynamic-services-policy accounting-2

Description

Commands in this context configure the second RADIUS accounting destination and corresponding RADIUS accounting parameters for dynamic data services.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

accounting-files-total-size

accounting-files-total-size

Syntax

accounting-files-total-size megabytes

Context

[Tree] (config>log>storage accounting-files-total-size)

Full Context

configure log file-storage-control accounting-files-total-size

Description

This command configures the limit for the total space that all accounting files can occupy on each storage device on the active CPM.

When this threshold is reached, new accounting files are no longer created in the \act-collect directory of the storage device until SR OS removes older accounting files from the \act directory and the occupancy is below the limit. Currently open, in-progress accounting files in the \act-collect directory are not affected by this limit and are completed.

When unconfigured, there is no specific limit for the total size of all accounting files.

Only accounting files in the \act directory with system generated names (including no file extension) are applicable toward the total size limit.

If a user manually adds or deletes accounting files from the \act directory, the size of the files is not taken into account for up to 1 hour.

The configured total size limit is not validated against the actual size of the installed storage devices. If the configured limit is larger than the installed compact flash (CF) device, the limit is never reached.

The no form of this command removes the total size limit for accounting files.

Default

no accounting-files-total-size

Parameters

megabytes

Specifies the total size limit for accounting files, in MB.

Values

50 to 4,194,304 MBytes (4 TBytes, 222 MB)

Default

0

Platforms

All

accounting-policy

accounting-policy

Syntax

accounting-policy acct-policy-id

no accounting-policy

Context

[Tree] (config>subscr-mgmt>sub-prof accounting-policy)

Full Context

configure subscriber-mgmt sub-profile accounting-policy

Description

This command specifies the policy to use to collect accounting statistics on this subscriber profile.

A maximum of one accounting policy can be associated with a profile at one time. Accounting policies are configured in the config>log context.

The no form of this command removes the accounting policy association.

Parameters

acct-policy-id

Specifies the accounting policy-id as configured in the config>log>accounting-policy context.

Values

1 to 99

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

accounting-policy

Syntax

accounting-policy acct-policy-id

no accounting-policy

Context

[Tree] (config>service>vpls>spoke-sdp accounting-policy)

[Tree] (config>service>vprn>if>spoke-sdp accounting-policy)

[Tree] (config>service>ies>if>sap accounting-policy)

[Tree] (config>service>ies>sub-if>grp-if>sap accounting-policy)

[Tree] (config>service>vprn>sub-if>grp-if>sap accounting-policy)

[Tree] (config>service>vpls>sap accounting-policy)

[Tree] (config>service>vpls>mesh-sdp accounting-policy)

[Tree] (config>service>vprn>if>sap accounting-policy)

Full Context

configure service vpls spoke-sdp accounting-policy

configure service vprn interface spoke-sdp accounting-policy

configure service ies interface sap accounting-policy

configure service ies subscriber-interface group-interface sap accounting-policy

configure service vprn subscriber-interface group-interface sap accounting-policy

configure service vpls sap accounting-policy

configure service vpls mesh-sdp accounting-policy

configure service vprn interface sap accounting-policy

Description

This command creates the accounting policy context that can be applied to an interface SAP or interface SAP spoke SDP.

An accounting policy must be defined before it can be associated with a SAP or SDP.

If the policy-id does not exist, an error message is generated.

A maximum of one accounting policy can be associated with a SAP or SDP at one time. Accounting policies are configured in the config>log context.

The no form of this command removes the accounting policy association from the SAP or SDP, and the accounting policy reverts to the default.

Default

no accounting policy

Parameters

acct-policy-id

Specifies the accounting policy-id as configured in the config>log>accounting-policy context.

Values

1 to 99

Platforms

All

  • configure service vprn interface spoke-sdp accounting-policy
  • configure service vpls sap accounting-policy
  • configure service vpls spoke-sdp accounting-policy
  • configure service ies interface sap accounting-policy
  • configure service vpls mesh-sdp accounting-policy
  • configure service vprn interface sap accounting-policy

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

  • configure service ies subscriber-interface group-interface sap accounting-policy
  • configure service vprn subscriber-interface group-interface sap accounting-policy

accounting-policy

Syntax

accounting-policy isa-radius-policy-name

no accounting-policy

Context

[Tree] (config>service>ies>sub-if>grp-if>wlan-gw>vlan-tag-ranges>range>xconnect accounting-policy)

[Tree] (config>service>vprn>sub-if>grp-if>wlan-gw>vlan-tag-ranges>range>xconnect accounting-policy)

Full Context

configure service ies subscriber-interface group-interface wlan-gw vlan-tag-ranges range xconnect accounting-policy

configure service vprn subscriber-interface group-interface wlan-gw vlan-tag-ranges range xconnect accounting-policy

Description

This command configures the ISA RADIUS accounting policy for the cross-connect.

The no form of this command removes the ISA RADIUS accounting policy from the cross-connect UE.

Parameters

isa-radius-policy-name

Specifies the identifier of the ISA RADIUS policy name, up to 32 characters.

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

accounting-policy

Syntax

accounting-policy policy-name

no accounting-policy

Context

[Tree] (config>service>ies>sub-if>grp-if>wlan-gw>ranges>range>dsm accounting-policy)

[Tree] (config>service>vprn>sub-if>grp-if>wlan-gw>ranges>range>dsm accounting-policy)

Full Context

configure service ies subscriber-interface group-interface wlan-gw vlan-tag-ranges range distributed-sub-mgmt accounting-policy

configure service vprn subscriber-interface group-interface wlan-gw vlan-tag-ranges range distributed-sub-mgmt accounting-policy

Description

This command specifies the isa-radius-policy used for accounting messages originated from the ISAs in the wlan-gw group. The policy can specify up to five accounting servers and configuration-specific to these accounting servers. It also specifies configuration specific to RADIUS client on ISAs and RADIUS attributes to be included in accounting messages.

Parameters

policy-name

Specifies the name of the account policy up to 32 characters.

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

accounting-policy

Syntax

accounting-policy acct-policy-id

no accounting-policy

Context

[Tree] (config>card>fp>ingress>network>queue-group accounting-policy)

[Tree] (config>card>fp>ingress>access>queue-group accounting-policy)

Full Context

configure card fp ingress network queue-group accounting-policy

configure card fp ingress access queue-group accounting-policy

Description

This command configures an accounting policy that can apply to a queue-group on the forwarding plane.

An accounting policy must be configured before it can be associated to an interface. If the accounting policy-id does not exist, an error is returned.

Accounting policies associated with service billing can only be applied to SAPs. The accounting policy can be associated with an interface at a time.

The no form of this command removes the accounting policy association from the queue-group.

Default

No accounting policies are specified by default. You must explicitly specify a policy. If configured, the accounting policy configured as the default is used.

Parameters

acct-policy-id

Specifies the name of the accounting policy to use for the queue-group.

Values

1 to 99

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, 7950 XRS, VSR

accounting-policy

Syntax

accounting-policy policy-id

no accounting-policy

Context

[Tree] (config>port>ethernet>network accounting-policy)

[Tree] (config>port>tdm>ds1>channel-group>network accounting-policy)

[Tree] (config>port>sonet-sdh>path>network accounting-policy)

[Tree] (config>port>ethernet>network>egr>qgrp accounting-policy)

[Tree] (config>port>tdm>e3>network accounting-policy)

[Tree] (config>port>tdm>ds3>network accounting-policy)

[Tree] (config>port>ethernet>access>egr>qgrp accounting-policy)

[Tree] (config>port>ethernet>access>ing>qgrp accounting-policy)

[Tree] (config>port>tdm>e1>channel-group>network accounting-policy)

[Tree] (config>port>ethernet accounting-policy)

Full Context

configure port ethernet network accounting-policy

configure port tdm ds1 channel-group network accounting-policy

configure port sonet-sdh path network accounting-policy

configure port ethernet network egress queue-group accounting-policy

configure port tdm e3 network accounting-policy

configure port tdm ds3 network accounting-policy

configure port ethernet access egress queue-group accounting-policy

configure port ethernet access ingress queue-group accounting-policy

configure port tdm e1 channel-group network accounting-policy

configure port ethernet accounting-policy

Description

This command configures an accounting policy that can apply to an interface.

An accounting policy must be configured before it can be associated to an interface. If the accounting policy-id does not exist, an error is returned.

Accounting policies associated with service billing can only be applied to SAPs. Accounting policies associated with network ports can only be associated with interfaces. Only one accounting policy can be associated with an interface at a time.

The no form of this command removes the accounting policy association from the network interface, and the accounting policy reverts to the default.

Default

No accounting policies are specified by default. You must explicitly specify a policy. If configured, the accounting policy configured as the default is used.

Parameters

policy-id

The accounting policy-id of an existing policy. Accounting policies record either service (access) or network information. A network accounting policy can only be associated with the network port configurations. Accounting policies are configured in the config>log>accounting-policy context.

Values

1 to 99

Platforms

All

  • configure port ethernet network accounting-policy
  • configure port ethernet access ingress queue-group accounting-policy
  • configure port ethernet accounting-policy
  • configure port ethernet network egress queue-group accounting-policy
  • configure port ethernet access egress queue-group accounting-policy

7450 ESS, 7750 SR-7/12/12e, 7750 SR-a, 7750 SR-e

  • configure port tdm e3 network accounting-policy
  • configure port tdm e1 channel-group network accounting-policy
  • configure port tdm ds3 network accounting-policy
  • configure port tdm ds1 channel-group network accounting-policy

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

  • configure port sonet-sdh path network accounting-policy

accounting-policy

Syntax

accounting-policy acct-policy-id

no accounting-policy [acct-policy-id]

Context

[Tree] (config>service>epipe>sap accounting-policy)

[Tree] (config>service>cpipe>sap accounting-policy)

[Tree] (config>service>epipe>spoke-sdp accounting-policy)

[Tree] (config>service>ipipe>sap accounting-policy)

Full Context

configure service epipe sap accounting-policy

configure service cpipe sap accounting-policy

configure service epipe spoke-sdp accounting-policy

configure service ipipe sap accounting-policy

Description

This command creates the accounting policy context that can be applied to a SAP.

An accounting policy must be defined before it can be associated with a SAP. If the policy-id does not exist, an error message is generated.

A maximum of one accounting policy can be associated with a SAP at one time. Accounting policies are configured in the config>log context.

The no form of this command removes the accounting policy association from the SAP, and the accounting policy reverts to the default.

Default

no accounting policy

Parameters

acct-policy-id

Enter the accounting policy-id as configured in the config>log>accounting-policy context.

Values

1 to 99

Platforms

All

  • configure service ipipe sap accounting-policy
  • configure service epipe sap accounting-policy
  • configure service epipe spoke-sdp accounting-policy

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

  • configure service cpipe sap accounting-policy

accounting-policy

Syntax

accounting-policy acct-policy-id

no accounting-policy

Context

[Tree] (config>service>ies>if>spoke-sdp accounting-policy)

Full Context

configure service ies interface spoke-sdp accounting-policy

Description

This command configures an accounting-policy.

Parameters

acct-policy-id

Specifies an accounting policy ID.

Values

1 to 99

Platforms

All

accounting-policy

Syntax

accounting-policy acct-policy-id

no accounting-policy

Context

[Tree] (config>router>ldp>egr-stats>fec-pfx accounting-policy)

Full Context

configure router ldp egress-statistics fec-prefix accounting-policy

Description

This command associates an accounting policy to the MPLS instance.

An accounting policy must be defined before it can be associated else an error message is generated.

The no form of this command removes the accounting policy association.

Parameters

acct-policy-id

Enter the accounting policy-id as configured in the config>log>accounting-policy context.

Values

1 to 99

Platforms

All

accounting-policy

Syntax

accounting-policy acct-policy-id

no accounting-policy

Context

[Tree] (config>router>mpls>ingr-stats>lsp accounting-policy)

[Tree] (config>router>mpls>lsp-template>egr-stats accounting-policy)

[Tree] (config>router>mpls>ingr-stats>p2p-template-lsp accounting-policy)

[Tree] (config>router>mpls>ingr-stats>p2mp-template-lsp accounting-policy)

[Tree] (config>router>mpls>lsp>egr-stats accounting-policy)

[Tree] (config>router>mpls>lsp>ingr-stats accounting-policy)

Full Context

configure router mpls ingress-statistics lsp accounting-policy

configure router mpls lsp-template egress-statistics accounting-policy

configure router mpls ingress-statistics p2p-template-lsp accounting-policy

configure router mpls ingress-statistics p2mp-template-lsp accounting-policy

configure router mpls lsp egress-statistics accounting-policy

configure router mpls lsp ingress-statistics accounting-policy

Description

This command associates an accounting policy to the MPLS instance.

The config>router>mpls>ingr-stats>p2mp-template-lsp>accounting-policy command is supported on the 7750 SR, 7950 XRS, and with VPLS only on the 7450 ESS.

An accounting policy must be defined before it can be associated else an error message is generated.

The no form of this command removes the accounting policy association.

Parameters

acct-policy-id

Specifies the accounting policy-id as configured in the config>log>accounting-policy context.

Values

1 to 99

Platforms

All

  • configure router mpls ingress-statistics lsp accounting-policy
  • configure router mpls lsp egress-statistics accounting-policy
  • configure router mpls lsp-template egress-statistics accounting-policy
  • configure router mpls ingress-statistics p2mp-template-lsp accounting-policy
  • configure router mpls ingress-statistics p2p-template-lsp accounting-policy

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

  • configure router mpls lsp ingress-statistics accounting-policy

accounting-policy

Syntax

accounting-policy acct-policy-id

no accounting-policy

Context

[Tree] (config>app-assure>group>statistics>app accounting-policy)

[Tree] (config>app-assure>group>statistics>aa-sub-study accounting-policy)

[Tree] (config>app-assure>group>statistics>aa-sub accounting-policy)

[Tree] (config>app-assure>group>statistics>aa-admit-deny accounting-policy)

[Tree] (config>app-assure>group>statistics>app-grp accounting-policy)

[Tree] (config>app-assure>group>statistics>protocol accounting-policy)

[Tree] (config>isa>aa-grp>statistics>perform accounting-policy)

[Tree] (config>app-assure>group>statistics>aa-part accounting-policy)

Full Context

configure application-assurance group statistics application accounting-policy

configure application-assurance group statistics aa-sub-study accounting-policy

configure application-assurance group statistics aa-sub accounting-policy

configure application-assurance group statistics aa-admit-deny accounting-policy

configure application-assurance group statistics app-group accounting-policy

configure application-assurance group statistics protocol accounting-policy

configure isa application-assurance-group statistics performance accounting-policy

configure application-assurance group statistics aa-partition accounting-policy

Description

This command specifies the existing accounting policy to use for AA. Accounting policies are configured in the config>log>accounting-policy context.

Parameters

acct-policy-id

Specifies the existing accounting policy to use for applications.

Values

1 to 99

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

accounting-policy

Syntax

accounting-policy acct-policy-id

no accounting-policy

Context

[Tree] (config>saa>test accounting-policy)

Full Context

configure saa test accounting-policy

Description

This command associates an accounting policy to the SAA test. The accounting policy must already be defined before it can be associated otherwise an error message is generated.

A notification (trap) is issued whenever a test is completed or terminates.

The no form of this command removes the accounting policy association.

Parameters

acct-policy-id

Specifies the accounting policy-id as configured in the config>log>accounting-policy context.

Values

1 to 99

Platforms

All

accounting-policy

Syntax

accounting-policy acct-policy-id

no accounting-policy

Context

[Tree] (config>oam-pm>session>meas-interval accounting-policy)

Full Context

configure oam-pm session meas-interval accounting-policy

Description

This optional command allows the operator to assign an accounting policy and the policy-id (configured under the config>log>accounting-policy) with a record-type of complete-pm. This runs the data collection process for completed measurement intervals in memory, file storage, and maintenance functions moving data from memory to flash. A single accounting policy can be applied to a measurement interval.

The no form of this command removes the accounting policy.

Parameters

acct-policy-id

Specifies the accounting policy to be applied to the measurement interval.

Values

1 to 99

Platforms

All

accounting-policy

Syntax

accounting-policy acct-policy-id

no accounting-policy

Context

[Tree] (config>service>sdp accounting-policy)

[Tree] (config>service>pw-template accounting-policy)

Full Context

configure service sdp accounting-policy

configure service pw-template accounting-policy

Description

This command creates the accounting policy context that can be applied to an SDP. An accounting policy must be defined before it can be associated with a SDP. If the acct-policy-id does not exist, an error message is generated.

A maximum of one accounting policy can be associated with a SDP at one time. Accounting policies are configured in the config>log context.

The no form of this command removes the accounting policy association from the SDP, and the accounting policy reverts to the default.

Default

no accounting-policy

Parameters

acct-policy-id

Specifies the accounting policy-id as configured in the config>log>accounting-policy context.

Values

1 to 99

Platforms

All

accounting-policy

Syntax

accounting-policy policy-id [interval minutes]

no accounting-policy policy-id

Context

[Tree] (config>log accounting-policy)

Full Context

configure log accounting-policy

Description

This command creates an access or network accounting policy. An accounting policy defines the accounting records that are created.

Access accounting policies are policies that can be applied to one or more SAPs. Changes made to an existing policy, using any of the sub-commands, are applied immediately to all SAPs where this policy is applied.

If an accounting policy is not specified on a SAP, then accounting records are produced in accordance with the access policy designated as the default. If a default access policy is not specified, then no accounting records are collected other than the records for the accounting policies that are explicitly configured.

Only one policy can be regarded as the default access policy. If a policy is configured as the default policy, then a no default command must be used to allow the data that is currently being collected to be written before a new access default policy can be configured.

Network accounting policies are policies that can be applied to one or more network ports or SONET/SDH channels. Any changes made to an existing policy, using any of the sub-commands, will be applied immediately to all network ports or SONET/SDH channels where this policy is applied.

If no accounting policy is defined on a network port, accounting records will be produced in accordance with the default network policy as designated with the default command. If no network default policy is created, then no accounting records will be collected other than the records for the accounting policies explicitly configured. Default accounting policies cannot be explicitly applied. For example, for accounting-policy 10, if default is set, then that policy cannot be used:

*A:75>config>service>vpls>spoke-sdp# accounting-policy 10

Only one policy can be regarded as the default network policy. If a policy is configured as the default policy, then a no default command must be used to allow the data that is currently being collected to be written before a new network default policy can be configured.

The no form of this command deletes the policy from the configuration. The accounting policy cannot be removed unless it is removed from all the SAPs, network ports or channels where the policy is applied.

Parameters

policy-id

Specifies the policy ID that uniquely identifies the accounting policy, expressed as a decimal integer.

Values

1 to 99

Platforms

All

accounting-port

accounting-port

Syntax

accounting-port port

no accounting-port

Context

[Tree] (config>service>vprn>aaa>remote-servers>radius accounting-port)

Full Context

configure service vprn aaa remote-servers radius accounting-port

Description

This command specifies a UDP port number on which to contact the RADIUS server for accounting requests.

Default

accounting-port 1813

Parameters

port

Specifies the UDP port number.

Values

1 to 65535

Default

1813

Platforms

All

accounting-port

Syntax

accounting-port port

no accounting-port

Context

[Tree] (config>system>security>radius accounting-port)

Full Context

configure system security radius accounting-port

Description

This command specifies a UDP port number on which to contact the RADIUS server for accounting requests.

Default

accounting-port 1813

Parameters

port

Specifies the UDP port number.

Values

1 to 65535

Default

1813

Platforms

All

accounting-type

accounting-type

Syntax

accounting-type [session] [tunnel]

no accounting-type

Context

[Tree] (config>aaa>l2tp-acct-plcy accounting-type)

Full Context

configure aaa l2tp-accounting-policy accounting-type

Description

This command specifies the accounting type for the L2TP tunnel accounting policy.

The no form of this command reverts to the default.

Default

accounting-type session tunnel

Parameters

session

Enables tunnel level accounting, including:

Tunnel-Link-Start

Tunnel-Link-Stop

Tunnel-Link-Reject

tunnel

Enables link level accounting, including:

Tunnel-Start

Tunnel-Stop

Tunnel-Reject

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

accounting-update-interval

accounting-update-interval

Syntax

accounting-update-interval [interval]

no accounting-update-interval

Context

[Tree] (config>service>vprn>sub-if>grp-if>wlan-gw>vlan-tag-ranges>range>xconnect accounting-update-interval)

[Tree] (config>service>ies>sub-if>grp-if>wlan-gw>vlan-tag-ranges>range>xconnect accounting-update-interval)

Full Context

configure service vprn subscriber-interface group-interface wlan-gw vlan-tag-ranges range xconnect accounting-update-interval

configure service ies subscriber-interface group-interface wlan-gw vlan-tag-ranges range xconnect accounting-update-interval

Description

This command configures the time interval between consecutive interim accounting update messages. If not configured, the system does not send interim accounting update messages.

The no form of this command removes the value from the cross-connect configuration.

Parameters

interval

Specifies the time interval between consecutive interim accounting update messages in minutes.

Values

5 to 259200

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

accounting-update-interval

Syntax

accounting-update-interval [interval]

no accounting-update-interval

Context

[Tree] (config>service>ies>sub-if>grp-if>wlan-gw>ranges>range>dsm accounting-update-interval)

[Tree] (config>service>vprn>sub-if>grp-if>wlan-gw>ranges>range>dsm accounting-update-interval)

Full Context

configure service ies subscriber-interface group-interface wlan-gw vlan-tag-ranges range distributed-sub-mgmt accounting-update-interval

configure service vprn subscriber-interface group-interface wlan-gw vlan-tag-ranges range distributed-sub-mgmt accounting-update-interval

Description

This command enables the interim accounting and specifies the interim accounting interval.

Parameters

interval

Specifies the interim accounting interval in seconds.

Values

5 to 259200

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

acct-authentic

acct-authentic

Syntax

[no] acct-authentic

Context

[Tree] (config>subscr-mgmt>acct-plcy>include-radius-attribute acct-authentic)

Full Context

configure subscriber-mgmt radius-accounting-policy include-radius-attribute acct-authentic

Description

This command enables the generation of the acct-authentic RADIUS attribute.

The no form of this command reverts to the default.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

acct-delay-time

acct-delay-time

Syntax

[no] acct-delay-time

Context

[Tree] (config>subscr-mgmt>acct-plcy>include-radius-attribute acct-delay-time)

Full Context

configure subscriber-mgmt radius-accounting-policy include-radius-attribute acct-delay-time

Description

This command enables the generation of the acct-delay-time RADIUS attribute.

The no form of this command reverts to the default.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

acct-delay-time

Syntax

[no] acct-delay-time

Context

[Tree] (config>aaa>isa-radius-plcy>acct-include-attributes acct-delay-time)

Full Context

configure aaa isa-radius-policy acct-include-attributes acct-delay-time

Description

This command enables the acct-delay-time.

Default

no acct-delay-time

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

acct-include-attributes

acct-include-attributes

Syntax

[no] acct-include-attributes

Context

[Tree] (config>aaa>isa-radius-plcy acct-include-attributes)

Full Context

configure aaa isa-radius-policy acct-include-attributes

Description

This command configures attributes to be included in RADIUS accounting messages.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

acct-interim

acct-interim

Syntax

acct-interim min min-val max max-val lifetime lifetime

no acct-interim

Context

[Tree] (config>aaa>radius-srv-plcy>servers>buffering acct-interim)

Full Context

configure aaa radius-server-policy servers buffering acct-interim

Description

This command enables RADIUS accounting interim update message buffering.

  1. The message is stored in the buffer, a lifetime timer is started and the message is sent to the RADIUS server

  2. If after retry*timeout seconds no RADIUS accounting response is received for the interim update then a new attempt to send the message is started after minimum[(min-val*2n), max-val] seconds.

  3. Repeat step 2 until for one of the following:

    1. a RADIUS accounting response is received.

    2. the lifetime of the buffered message expires.

    3. a new RADIUS accounting interim-update or a RADIUS accounting stop for the same accounting session-id and radius-server-policy is stored in the buffer.

    4. the message is manually purged from the message buffer via a clear command.

  4. The message is purged from the buffer.

The no form of this command disables RADIUS accounting interim update message buffering.

Parameters

min-val

Specifies the minimum interval in seconds between attempts to resend the RADIUS accounting interim update.

Values

1 to 3600

max-val

Specifies the maximum interval in seconds between attempts to resend the RADIUS accounting interim update.

Values

1 to 3600

lifetime

Specifies the lifetime in hours.

Values

1 to 25

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

acct-on-off

acct-on-off

Syntax

acct-on-off

acct-on-off monitor-group group-name

acct-on-off oper-state-change [group group-name]

Context

[Tree] (config>aaa>radius-srv-plcy acct-on-off)

Full Context

configure aaa radius-server-policy acct-on-off

Description

This command controls the sending of Accounting-On and Accounting-Off messages and the acct-on-off oper-state of the radius-server-policy:

acct-on-off: enables the sending of Accounting-On and Accounting-Off messages for this radius-server-policy. The acct-on-off oper-state is always not blocked.

acct-on-off oper-state-change [group group-name]: enables the sending of Accounting-On and Accounting-Off messages for this radius-server-policy. The acct-on-off oper-state is function of the Accounting-response received for the Accounting-On and Accounting-Off. Optionally, sets the acct-on-off oper-state of the acct-on-off-group.

acct-on-off monitor-group group-name: no Accounting-On and Accounting-Off messages are sent for this radius-server-policy. The acct-on-off oper-state is inherited from the acct-on-off-group.

The no form of this command disables the sending of Accounting-On and Accounting-Off messages.

Parameters

group-name

Specifies the name of an acct-on-off group up to 32 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

acct-on-off-group

acct-on-off-group

Syntax

acct-on-off-group group-name [create]

no acct-on-off-group group-name

Context

[Tree] (config>aaa acct-on-off-group)

Full Context

configure aaa acct-on-off-group

Description

This command creates an acct-on-off-group.

An acct-on-off-group can be referenced by:

  • A single radius-server-policy as controller — The acct-on-off oper-state of the acct-on-off-group is set to the acct-on-off oper-state of the radius-server-policy.

  • Multiple radius-server-policies as monitor — The acct-on-off oper-state of the radius-server-policy is inherited from the acct-on-off oper-state of the acct-on-off group.

The no form of this command deletes the acct-on-off-group.

Parameters

group-name

Specifies the name of an acct-on-off group up to 32 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

acct-policy

acct-policy

Syntax

acct-policy acct-policy-name [duplicate acct-policy-name]

no acct-policy

Context

[Tree] (config>subscr-mgmt>loc-user-db>ipoe>host acct-policy)

[Tree] (config>subscr-mgmt>loc-user-db>ppp>host acct-policy)

Full Context

configure subscriber-mgmt local-user-db ipoe host acct-policy

configure subscriber-mgmt local-user-db ppp host acct-policy

Description

This command specifies the accounting policy used for sending an Accounting Stop message to report RADIUS authentication failures of PPPoE sessions. A duplicate policy can be specified if a copy of the Accounting Stop message must be sent to another destination.

Reporting RADIUS authentication failures with an Accounting Stop message must be enabled in the RADIUS authentication policy ("send-acct-stop-on-fail”).

A duplicate RADIUS accounting policy can be specified if the accounting stop resulting from a RADIUS authentication failure must also be sent to a second RADIUS destination.

The no form of this command reverts to the default.

Parameters

acct-policy-name

Specifies the name of a RADIUS accounting policy, up to 32 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

acct-port

acct-port

Syntax

acct-port port

no acct-port

Context

[Tree] (config>service>vprn>radius-server>server acct-port)

[Tree] (config>router>radius-server>server acct-port)

Full Context

configure service vprn radius-server server acct-port

configure router radius-server server acct-port

Description

This command specifies the UDP listening port for RADIUS accounting requests.

The no form of this commands resets the UDP port to its default value (1813)

Default

acct-port 1813

Parameters

port

Specifies the UDP listening port for accounting requests of the external RADIUS server.

Values

1 to 65535

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

acct-request-script-policy

acct-request-script-policy

Syntax

acct-request-script-policy policy-name

no acct-request-script-policy

Context

[Tree] (config>subscr-mgmt>acct-plcy acct-request-script-policy)

Full Context

configure subscriber-mgmt radius-accounting-policy acct-request-script-policy

Description

This command configures the Python script policy to modify Accounting-Request messages.

The no form of this command removes the policy name from the configuration.

Parameters

policy-name

Specifies the Python script policy to modify Accounting-Request messages.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

acct-request-script-policy

Syntax

acct-request-script-policy policy-name

no acct-request-script-policy

Context

[Tree] (config>aaa>radius-srv-plcy acct-request-script-policy)

Full Context

configure aaa radius-server-policy acct-request-script-policy

Description

This command specifies the name of the RADIUS script policy used to change the RADIUS attributes of the Accounting-Request messages.

Parameters

policy-name

Specifies the name of the Python script to modify Accounting-Request messages, up to 32 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

acct-session-id

acct-session-id

Syntax

acct-session-id [session-id-type]

no acct-session-id

Context

[Tree] (config>subscr-mgmt>auth-plcy>include-radius-attribute acct-session-id)

Full Context

configure subscriber-mgmt authentication-policy include-radius-attribute acct-session-id

Description

The acct-session-id attribute for each subscriber host is generated at the very beginning of the session initiation. This command will enable or disable sending this attribute to the RADIUS server in the Access-Request messages regardless of whether the accounting is enabled or not. The acct-session-id attribute can be used to address the subscriber hosts from the RADIUS server in the CoA Request.

The acct-session-id attribute is unique per subscriber host network wide. It is a 22 byte field comprised of the system MAC address along with the creation time and a sequence number in a hex format.

The no form of this command reverts to the default.

Default

no acct-session-id

Parameters

session-id-type

Specifies the format for the acct-session-id attribute used in RADIUS accounting requests.

Values

host, session

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

acct-stats

acct-stats

Syntax

[no] acct-stats

Context

[Tree] (config>ipsec>rad-acct-plcy>include acct-stats)

Full Context

configure ipsec radius-accounting-policy include-radius-attribute acct-stats

Description

This command enables the system to include accounting attributes in RADIUS acct-stop and interim-update packets.

The no form of this command disables the system from including accounting attributes in RADIUS acct-stop and interim-update packets.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

acct-stop

acct-stop

Syntax

acct-stop min min-val max max-val lifetime lifetime

no acct-stop

Context

[Tree] (config>aaa>radius-srv-plcy>servers>buffering acct-stop)

Full Context

configure aaa radius-server-policy servers buffering acct-stop

Description

This command enables RADIUS accounting stop message buffering.

  1. The message is stored in the buffer, a lifetime timer is started and the message is sent to the RADIUS server

  2. If after retry*timeout seconds no RADIUS accounting response is received for the accounting stop, then a new attempt to send the message is started after minimum[(min-val*2n), max-val] seconds.

  3. Repeat step 2 until one of the following events occurs:

    1. A RADIUS accounting response is received.

    2. The lifetime of the buffered message expires.

    3. The message is manually purged from the message buffer via a clear command.

  4. The message is purged from the buffer.

The no form of this command disables RADIUS accounting stop message buffering.

Parameters

min-val

Specifies the minimum interval in seconds between attempts to resend the RADIUS accounting stop.

Values

1 to 3600

max-val

Specifies the maximum interval in seconds between attempts to resend the RADIUS accounting stop.

Values

1 to 3600

lifetime

Specifies the lifetime in hours.

Values

1 – 25

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

acct-trigger-reason

acct-trigger-reason

Syntax

[no] acct-trigger-reason

Context

[Tree] (config>aaa>isa-radius-plcy>acct-include-attributes acct-trigger-reason)

Full Context

configure aaa isa-radius-policy acct-include-attributes acct-trigger-reason

Description

This command enables the acct-trigger-reason.

Default

no acct-trigger-reason

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

acct-tunnel-connection-fmt

acct-tunnel-connection-fmt

Syntax

acct-tunnel-connection-fmt ascii-spec

no acct-tunnel-connection-fmt

Context

[Tree] (config>aaa>l2tp-acct-plcy acct-tunnel-connection-fmt)

Full Context

configure aaa l2tp-accounting-policy acct-tunnel-connection-fmt

Description

This command configures the accounting tunnel connection ascii-specification.

Default

no acct-tunnel-connection-fmt

Parameters

ascii-spec

Specifies the ASCII specifications.

<ascii-spec>

<char-specification> <ascii-spec>

char-specification

<ascii-char> | <char-origin>

ascii-char

a printable ASCII character

char-origin

%<origin>

origin

n | s | S | t | T | c | C

n

Call Serial Number

s | S

Local (s) or Remote (S) Session Id

t | T

Local (t) or Remote (T) Tunnel Id

c | C

Local (c) or Remote (C) Connection Id

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

acct-tunnel-connection-fmt

Syntax

acct-tunnel-connection-fmt ascii-spec

no acct-tunnel-connection-fmt

Context

[Tree] (config>subscr-mgmt>acct-plcy acct-tunnel-connection-fmt)

Full Context

configure subscriber-mgmt radius-accounting-policy acct-tunnel-connection-fmt

Description

This command specifies the string that is sent in the accounting message.

Default

no acct-tunnel-connection-fmt

Parameters

ascii-spec

Specifies the accounting tunnel connection ASCII specification.

Values

asci-spec

<char-specification> <ascii-spec>

char-specification

<ascii-char> | <char-origin>

ascii-char

A printable ASCII character

char-origin

%<origin>

origin

n | s | S | t | T | c | C

n

Call Serial Number

s | S

Local (s) or Remote (S) Session Id

t | T

Local (t) or Remote (T) Tunnel Id

c | C

Local (c) or Remote (C) Connection Id

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

acct-update-triggers

acct-update-triggers

Syntax

acct-update-triggers

Context

[Tree] (config>aaa>isa-radius-plcy acct-update-triggers)

Full Context

configure aaa isa-radius-policy acct-update-triggers

Description

Commands in this context enable or disable the sending of triggered interim-updates, with the exception of the following:

  • After an update interval change, an interim update is always sent to indicate the start of the new interval.

  • Mobility-triggered updates are configured in the (service vprn <svc-id> | router) wlan-gw mobility-triggered-acct context.

  • NAT port block allocation depends on the inclusion of NAT-related attributes (port-range, outside-service, outside-ip).

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

accu-stats-policy

accu-stats-policy

Syntax

accu-stats-policy policy-name [create]

no accu-stats-policy policy-name

Context

[Tree] (config>subscr-mgmt accu-stats-policy)

Full Context

configure subscriber-mgmt accu-stats-policy

Description

This command creates a storage policy for cumulative statistics for subscribers. The policy defines the specific direction for the policer or the queue to be stored and performs the following functions.

  • The policy stores subscriber statistics even if the subscriber session has ended. The subscriber statistics can be viewed even if the subscriber is offline.

  • When the subscriber session ends, the statistics are added to the past statistics stored in memory so that all previous session statistics are accumulated. The accumulated statistics are not persistent; they are only stored in memory and reset to zero when the chassis reboots.

The no form of this command deletes the policy only when it is no longer referenced by a subscriber profile.

Parameters

policy-name

Specifies the name for the policy, up to 32 characters.

create

Configures an entry for the policy.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

accu-stats-policy

Syntax

accu-stats-policy policy-name

no accu-stats-policy

Context

[Tree] (config>subscr-mgmt>sub-profile accu-stats-policy)

Full Context

configure subscriber-mgmt sub-profile accu-stats-policy

Description

This command associates an accumulated statistics policy with a subscriber profile.

The no form of this command removes the association of the accu-stats-policy from the subscriber profile. It is possible to remove the policy from the subscriber profile while the subscriber is still online, however, the statistics remain in memory and must be cleared manually, using the clear subscriber-mgmt accu-stats active-subs no-accu-stats-policy command.

Parameters

policy-name

Specifies the name of the accumulated statistics policy, up to 32 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

ack

ack

Syntax

ack [detail]

no ack

Context

[Tree] (debug>router>rsvp>packet ack)

Full Context

debug router rsvp packet ack

Description

This command debugs ack events.

The no form of the command disables the debugging.

Parameters

detail

Displays detailed information about ack events.

Platforms

All

ack-auth-retry-count

ack-auth-retry-count

Syntax

ack-auth-retry-count [value]

no ack-auth-retry-count

Context

[Tree] (config>router>wpp>portals>portal ack-auth-retry-count)

[Tree] (config>service>vprn>wpp>portals>portal ack-auth-retry-count)

Full Context

configure router wpp portals portal ack-auth-retry-count

configure service vprn wpp portals portal ack-auth-retry-count

Description

This command configures the number of retransmissions of an ACK_OUT message.

The no form of this command reverts to the default.

Default

ack-auth-retry-count 5

Parameters

value

Specifies the number of retransmissions of an ACK_OUT message.

Values

0 to 5

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

acknowledgment

acknowledgment

Syntax

[no] acknowledgment

Context

[Tree] (config>service>cpipe>spoke-sdp>control-channel-status acknowledgment)

[Tree] (config>service>vpls>spoke-sdp>control-channel-status acknowledgment)

[Tree] (config>service>epipe>spoke-sdp>control-channel-status acknowledgment)

Full Context

configure service cpipe spoke-sdp control-channel-status acknowledgment

configure service vpls spoke-sdp control-channel-status acknowledgment

configure service epipe spoke-sdp control-channel-status acknowledgment

Description

This command enables the acknowledgment of control channel status messages. By default, no acknowledgment packets are sent.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

  • configure service cpipe spoke-sdp control-channel-status acknowledgment

All

  • configure service epipe spoke-sdp control-channel-status acknowledgment
  • configure service vpls spoke-sdp control-channel-status acknowledgment

acknowledgment

Syntax

[no] acknowledgment

Context

[Tree] (config>service>ies>if>spoke-sdp>control-channel-status acknowledgment)

[Tree] (config>service>ies>red-if>spoke-sdp>control-channel-status acknowledgment)

Full Context

configure service ies interface spoke-sdp control-channel-status acknowledgment

configure service ies redundant-interface spoke-sdp control-channel-status acknowledgment

Description

This command enables the acknowledgment of control channel status messages. By default, no acknowledgment packets are sent.

Default

no acknowledgment

Platforms

All

  • configure service ies interface spoke-sdp control-channel-status acknowledgment

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

  • configure service ies redundant-interface spoke-sdp control-channel-status acknowledgment

acknowledgment

Syntax

[no] acknowledgment

Context

[Tree] (config>service>vprn>if>spoke-sdp>control-channel-status acknowledgment)

[Tree] (config>service>vprn>red-if>spoke-sdp>control-channel-status acknowledgment)

Full Context

configure service vprn interface spoke-sdp control-channel-status acknowledgment

configure service vprn redundant-interface spoke-sdp control-channel-status acknowledgment

Description

This command enables the acknowledgment of control channel status messages. By default, no acknowledgment packets are sent.

Platforms

All

  • configure service vprn interface spoke-sdp control-channel-status acknowledgment

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

  • configure service vprn redundant-interface spoke-sdp control-channel-status acknowledgment

acknowledgment

Syntax

[no] acknowledgment

Context

[Tree] (config>mirror>mirror-dest>remote-src>spoke-sdp>control-channel-status acknowledgment)

[Tree] (config>mirror>mirror-dest>spoke-sdp>control-channel-status acknowledgment)

Full Context

configure mirror mirror-dest remote-source spoke-sdp control-channel-status acknowledgment

configure mirror mirror-dest spoke-sdp control-channel-status acknowledgment

Description

This command enables the acknowledgment of control channel status messages. By default, no acknowledgment packets are sent.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

action

action

Syntax

action bypass-host-creation

action drop

no action

Context

[Tree] (config>filter>dhcp-filter>entry action)

Full Context

configure filter dhcp-filter entry action

Description

This command specifies the action to take on DHCP host creation when the filter entry matches.

The no form of this command reverts to the default wherein the host creation proceeds as normal.

Parameters

bypass-host-creation

Specifies that the host creation is bypassed.

drop

Specifies that the DHCP message is dropped.

Platforms

All

action

Syntax

action bypass-host-creation [na] [pd]

action drop

no action

Context

[Tree] (config>filter>dhcp6-filter>entry action)

Full Context

configure filter dhcp6-filter entry action

Description

This command specifies the action to take on DHCP6 host creation when the filter entry matches.

The no form of this command reverts to the default wherein the host creation proceeds as normal.

Parameters

bypass-host-creation

Specifies that the host creation is bypassed.

Values

na — Bypasses the DHCP6 NA hosts creation.

pd — Bypasses the DHCP6 PD hosts creation.

drop

Specifies that the DHCP6 message is dropped.

Platforms

All

action

Syntax

action {accept | next-entry | next-policy | drop | reject}

no action

Context

[Tree] (config>router>policy-options>policy-statement>entry action)

Full Context

configure router policy-options policy-statement entry action

Description

This command creates the context to configure actions to take for routes matching a route policy statement entry.

This command is required and must be entered for the entry to be active.

Any route policy entry without the action command will be considered incomplete and will be inactive.

The no form of this command deletes the action context from the entry.

Default

no action

Parameters

accept

Specifies that routes matching the entry match criteria will be accepted and propagated.

next-entry

Specifies that the actions specified would be made to the route attributes and then policy evaluation would continue with next policy entry (if any others are specified).

next-policy

Specifies that the actions specified would be made to the route attributes and then policy evaluation would continue with next route policy (if any others are specified).

drop

Specifies that routes matching the entry match criteria should be rejected. This parameter provides a context for modifying route properties.

reject

Specifies that routes matching the entry match criteria should be rejected. This parameter does not provide a context for modifying route properties.

Platforms

All

action

Syntax

action dhcp-action

no action

Context

[Tree] (config>service>vprn>sub-if>grp-if>dhcp>option action)

[Tree] (config>service>vpls>sap>dhcp>option action)

[Tree] (config>service>ies>sub-if>grp-if>dhcp>option action)

[Tree] (config>service>vprn>if>dhcp>option action)

[Tree] (config>subscr-mgmt>msap-policy>vpls-only>dhcp>option action)

[Tree] (config>service>ies>if>dhcp>option action)

Full Context

configure service vprn subscriber-interface group-interface dhcp option action

configure service vpls sap dhcp option action

configure service ies subscriber-interface group-interface dhcp option action

configure service vprn interface dhcp option action

configure subscriber-mgmt msap-policy vpls-only-sap-parameters dhcp option action

configure service ies interface dhcp option action

Description

This command configures the processing required when the SR-Series receives a DHCP request that already has a Relay Agent Information Option (Option 82) field in the packet.

The no form of this command returns the system to the default value.

Default

action keep — Per RFC 3046, DHCP Relay Agent Information Option, section 2.1.1, Reforwarded DHCP requests. The default is to keep the existing information intact. The exception to this is if the giaddr of the received packet is the same as the ingress address on the router. In that case the packet is dropped and an error is logged.

Parameters

replace

In the upstream direction (from the user), the existing Option 82 field is replaced with the Option 82 field from the router. In the downstream direction (towards the user) the Option 82 field is stripped (in accordance with RFC 3046).

drop

Specifies that the packet is dropped, and an error is logged.

keep

Specifies that the existing information is kept in the packet and the router does not add any additional information. In the downstream direction the Option 82 field is not stripped and is sent on towards the client.

The behavior is slightly different in case of Vendor Specific Options (VSOs). When the keep parameter is specified, the router inserts its own VSO into the Option 82 field. This is only done when the incoming message has already an Option 82 field.

If no Option 82 field is present, the router will not create the Option 82 field. In this in that case, no VSO is added to the message.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

  • configure service vprn subscriber-interface group-interface dhcp option action
  • configure service ies subscriber-interface group-interface dhcp option action
  • configure subscriber-mgmt msap-policy vpls-only-sap-parameters dhcp option action

All

  • configure service ies interface dhcp option action
  • configure service vprn interface dhcp option action
  • configure service vpls sap dhcp option action

action

Syntax

action {drop | forward}

no action

Context

[Tree] (config>log>filter>entry action)

[Tree] (config>service>vprn>log>filter>entry action)

Full Context

configure log filter entry action

configure service vprn log filter entry action

Description

This command specifies a drop or forward action associated with the filter entry. If neither drop nor forward is specified, the default-action will be used for traffic that conforms to the match criteria. This could be considered a No-Op filter entry used to explicitly exit a set of filter entries without modifying previous actions.

Multiple action statements entered will overwrite previous actions.

The no form of this command removes the specified action statement.

Default

Action specified by the default-action command will apply.

Parameters

drop

Specifies packets matching the entry criteria will be dropped.

forward

Specifies packets matching the entry criteria will be forwarded.

Platforms

All

action

Syntax

action {drop | forward}

no action

Context

[Tree] (config>log>filter>entry action)

Full Context

configure log filter entry action

Description

This command specifies a drop or forward action associated with the filter entry. If neither drop nor forward is specified, the default-action will be used for traffic that conforms to the match criteria. This could be considered a No-Op filter entry used to explicitly exit a set of filter entries without modifying previous actions.

Multiple action statements entered will overwrite previous actions.

The no form of this command removes the specified action statement.

Default

no action

Parameters

drop

Specifies packets matching the entry criteria will be dropped.

forward

Specifies packets matching the entry criteria will be forwarded.

Platforms

All

action

Syntax

action direction [create]

no action direction

Context

[Tree] (config>subscr-mgmt>isa-svc-chain>vas-filter>entry action)

Full Context

configure subscriber-mgmt isa-service-chaining vas-filter entry action

Description

Commands in this context configure an action to be performed for traffic that matches a configured match criteria in the filter entry. The action can be configured as being applicable to upstream traffic, downstream traffic, or both.

The no form of this command removes the direction from the configuration.

Parameters

direction

Specifies the direction for the action in a VAS filter entry.

Values

upstream, downstream

create

Keyword used to create the action’s direction. The create keyword requirement can be enabled or disabled in the environment>create context.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

action

Syntax

action drop

action forward

action http-redirect url [allow-override]

no action

Context

[Tree] (config>subscr-mgmt>cat-map>category>exh-lvl>egr-ip>entry action)

[Tree] (config>subscr-mgmt>cat-map>category>exh-lvl>ingr-ipv6>entry action)

[Tree] (config>subscr-mgmt>cat-map>category>exh-lvl>egr-ipv6>entry action)

[Tree] (config>subscr-mgmt>cat-map>category>exh-lvl>ingr-ip>entry action)

Full Context

configure subscriber-mgmt category-map category exhausted-credit-service-level egress-ip-filter-entries entry action

configure subscriber-mgmt category-map category exhausted-credit-service-level ingress-ipv6-filter-entries entry action

configure subscriber-mgmt category-map category exhausted-credit-service-level egress-ipv6-filter-entries entry action

configure subscriber-mgmt category-map category exhausted-credit-service-level ingress-ip-filter-entries entry action

Description

This command configures the action for the filter entry.

The no form of this command reverts to the default.

Default

action drop

Parameters

drop

Specifies to drop the packets matching the IP filter entry.

forward

Specifies to forward the packets matching the IP filter entry.

http-redirect url [allow-override]

Specifies the HTTP web address, up to 255 characters, that is sent to the user’s browser for redirection.

Note:

This action is not supported for IPv6 filter entries.

The specified URL can be overridden by a Diameter Credit Control Server when the following conditions are met:

  • a Final-Unit-Indication AVP is present in the Multiple-Services-Credit-Control AVP of a CCA message

  • the Final-Unit-Action AVP is set to REDIRECT (1)

  • a Redirect-Server AVP is included with the following:

    • the Redirect-Address-Type AVP set to URL (2)

    • the Redirect-Server-Address AVP containing the URL to use for this rating group (category-map)

  • the out of credit action for the corresponding rating group is set to change-service-level using one of the following commands:

    • configure>subscriber-mgmt>credit-control-policy policy-name>out-of-credit-action change-service-level

    • configure>subscriber-mgmt>category-map category-map-name category category-name>out-of-credit-action-override change-service-level

  • an IPv4 HTTP redirect action with allow-override is specified in the exhausted credit service level context for the corresponding rating group using the command configure>subscriber-mgmt>category-map category-map-name category category-name>exhausted-credit-service-level>ingress-ip-filter-entries> entry entry-id>action http-redirect url allow-override

In all other cases, the URL specified in the Redirect-Server-Address AVP is ignored and the configured URL is used. The URL received from the Credit Control Server is included in the output of show>service>active-subscribers>credit-control. The allow-override is ignored for RADIUS credit control.

The following variables can optionally be added in the configured URL (http-redirect url) and in the override URL from the Credit Control Server (Redirect-Server-Address AVP):

  • $IP – Customer’s IP address

  • $MAC – Customer’s MAC address

  • $URL – Original requested URL

  • $SAP – Customer’s SAP

  • $SUB – Customer’s subscriber identification string

  • $CID – string that represents the circuit-id or interface-id of the subscriber host (hexadecimal format)

  • $RID – string that represents the remote-id of the subscriber host (hexadecimal format)

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

action

Syntax

action {alarm | remove}

no action

Context

[Tree] (config>subscr-mgmt>shcv-policy>periodic action)

Full Context

configure subscriber-mgmt shcv-policy periodic action

Description

This command configures the action to take when the periodic connectivity verification failed.

The no form of this command reverts to the default.

Default

action alarm

Parameters

alarm

Raises an alarm indicating that the host is disconnected.

remove

Raises an alarm and releases all allocated resources (addresses, prefixes, queues, table entries, and so on). Static hosts are removed.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

action

Syntax

action {drop | forward | none}

action http-redirect rdr-url-string

no action

Context

[Tree] (config>subscr-mgmt>isa-filter>entry action)

[Tree] (config>subscr-mgmt>isa-filter>ipv6>entry action)

Full Context

configure subscriber-mgmt isa-filter entry action

configure subscriber-mgmt isa-filter ipv6 entry action

Description

This command specifies what should happen to packets that do match this entry.

The no form of this command reverts to the default value.

Default

action none

Parameters

drop

Specifies to drop the packet.

forward

Specifies to forward the packet.

none

Specifies to ignore the entry and continue processing with subsequent entries.

rdr-url-string

Specifies the URL to which matching HTTP flows are redirected, up to 255 characters. The URL can be overridden by AAA. Non-HTTP packets are dropped. The URL supports the $URL, $MAC, and $IP variables. For other macro substitutions, the string is not modified.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

action

Syntax

action {permit-deny | priority-mark}

no action

Context

[Tree] (config>subscr-mgmt>isa-policer action)

Full Context

configure subscriber-mgmt isa-policer action

Description

This command specifies what happens to packets that are in-profile and out-of-profile.

The no form of this command reverts to the default value.

Default

action permit-deny

Parameters

permit-deny

Drops all packets that are out of profile (they do not conform to the PIR).

priority-mark

Currently not supported. The policer will take no action.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

action

Syntax

action {log-only | reset-mda | fail-mda}

no action

Context

[Tree] (config>card>mda>event action)

Full Context

configure card mda event action

Description

This command defines the action to be taken when a specific hardware error event is raised against the target mda.

Only one action can be enabled at a time. Entering a new action will override a previously defined action.

The no form of this command sets the action to the default value.

Default

action log-only

Parameters

log-only

Specifies to pass the log event to log management. No other action is taken.

reset-mda

Specifies to reset the mda.

fail-mda

Specifies to set the operational state of the mda to Failed. This Failed state will persist until the clear mda command is issued (reset) or the mda is removed and re-inserted (re-seat).

Platforms

All

action

Syntax

[no] action

Context

[Tree] (configure>system>security>profile>netconf>base-op-authorization action)

Full Context

configure system security profile netconf base-op-authorization action

Description

This command enables the NETCONF action operation.

The no form of this command disables the operation.

Default

no action

Note:

The operation is enabled by default in the built-in system-generated administrative profile.

Platforms

All

action

Syntax

action {priority-mark | permit-deny}

Context

[Tree] (config>app-assure>group>policer action)

Full Context

configure application-assurance group policer action

Description

This command configures the action to be performed by single-bucket bandwidth policers for non-conformant traffic.

Dual bucket bandwidth policers cannot have their action configured and always mark traffic below CIR in profile, between CIR and PIR out of profile, and drop traffic above PIR. Flow policers always discard non-conformant traffic.

When multiple application assurance policers are configured against a single flow (including policers at both subscriber and system), the final action done to the flow/packet will be a logical OR of all policers actions. For example, if only of the policers requires the packet to be discarded, the packet will be dropped regardless of the action of the other policers.

Default

action permit-deny

Parameters

priority-mark

Non-conformant traffic will be marked out of profile and the conformant traffic will be marked in profile. The new marking will overwrite any previous IOM QoS marking done to a packet.

permit-deny

Non-conformant traffic will be dropped.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

action

Syntax

action

Context

[Tree] (config>app-assure>group>policy>aqp>entry action)

Full Context

configure application-assurance group policy app-qos-policy entry action

Description

Commands in this context configure AQP actions to be performed on flows that match the AQP entry’s match criteria.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

action

Syntax

action {permit | deny} [event-log event-log-name]

action http-redirect http-redirect-name [event-log event-log-name]

action tcp-optimizer tcp-optimizer-name

Context

[Tree] (config>app-assure>group>sess-fltr>entry action)

Full Context

configure application-assurance group session-filter entry action

Description

This command configures the action for this entry.

Parameters

deny

Packets matching the criteria are denied.

permit

Packets matching the criteria are permitted.

event-log-name

Specifies the event log name, up to 32 characters.

http-redirect-name

Specifies the HTTP redirect name, up to 32 characters.

tcp-optimizer

Specifies to use TCP Optimization (TCPO) on the matching flows.The TCPO policy referenced within this session filter entry is configured under the AA group. If the TCPO action is removed from a session-filter entry, the existing flows are not affected. However, no new TCP flows are optimized.

tcp-optimizer-name

Specifies the name of the TCPO policy, up to 32 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

action

Syntax

action {permit | deny}

Context

[Tree] (config>app-assure>group>gtp>gtp-fltr>imsi-apn-fltr>entry action)

Full Context

configure application-assurance group gtp gtp-filter imsi-apn-filter entry action

Description

This command configures an action for the IMSI-APN filter entry.

Default

action permit

Parameters

permit

Specifies to permit packets that do not match any message entries.

deny

Specifies to deny packets that do not match any message entries.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

action

Syntax

action {dnat | forward} [ip-address ip-address]

no action

Context

[Tree] (config>service>nat>nat-classifier>entry action)

Full Context

configure service nat nat-classifier entry action

Description

This command specifies the action to take for packets that match this nat-classifier entry. The no form of the command removes the specified action statement. By default, the entry is ignored (skipped). Consequently, the action from another matching entry is applied. If there are no other matching entries found, the default-action is applied.

Default

no action.

Parameters

dnat

Performs the DNAT function. The destination IP address of the packet traversing the router in the direction from inside to outside is replaced by the configured IP address. Destination port is not translated. In the opposite direction (from outside to inside), the source address in the returning packet is restored to the original value.

forward

Specifies that the forward action ensures that the packet is transparently passed through the nat-classifier.

ip-address ip-address

Specifies that the destination IP address replaces the original IP address in the packet traveling from inside to outside.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

action

Syntax

[no] action [secondary]

Context

[Tree] (config>filter>mac-filter>entry action)

[Tree] (config>filter>ip-filter>entry action)

[Tree] (config>filter>ipv6-filter>entry action)

Full Context

configure filter mac-filter entry action

configure filter ip-filter entry action

configure filter ipv6-filter entry action

Description

Commands in this context configure a primary (no option specified) or secondary (secondary option specified) action to be performed on packets matching this filter entry. An ACL filter entry remains inactive (is not programmed in hardware) until a specific action is configured for that entry.

A primary action supports any filter entry action, a secondary action is used for redundancy and defines a redundant Layer 3 PBR action for an Layer 3 PBR primary action or a redundant L2 PBF action for a Layer 2 PBF primary action.

The no form of this command removes the specific action configured in the context of the action command. The primary action cannot be removed if a secondary action exists.

Default

no action

Parameters

secondary

Specifies a secondary action to be performed on packets matching this filter entry. A secondary action can only be configured if a primary action is configured.

Platforms

All

action

Syntax

action [fc fc-name] [priority {high | low}] [policer policer-id]

no action

Context

[Tree] (config>qos>sap-ingress>ipv6-criteria>entry action)

[Tree] (config>qos>sap-ingress>mac-criteria>entry action)

[Tree] (config>qos>sap-ingress>ip-criteria>entry action)

Full Context

configure qos sap-ingress ipv6-criteria entry action

configure qos sap-ingress mac-criteria entry action

configure qos sap-ingress ip-criteria entry action

Description

This mandatory command associates the forwarding class or enqueuing priority with specific IP, IPv6, or MAC criteria entry ID. The action command supports setting the forwarding class parameter to a subclass. Packets that meet all match criteria within the entry have their forwarding class and enqueuing priority overridden based on the parameters included in the action parameters. When the forwarding class is not specified in the action command syntax, a matching packet preserves (or inherits) the existing forwarding class derived from earlier matches in the classification hierarchy. When the enqueuing priority is not specified in the action, a matching packet preserves (or inherits) the existing enqueuing priority derived from earlier matches in the classification hierarchy.

When a policer is specified in the action, a matching packet is directed to the configured policer instead of the policer/queue assigned to the forwarding class of the packet.

The action command must be executed for the match criteria to be added to the active list of entries. If the entry is designed to prevent more explicit (higher entry ID) entries from matching certain packets, the fc fc-name and match protocol fields should not be defined when executing action. This allows packets matching the entry to preserve the forwarding class and enqueuing priority derived from previous classification rules.

Each time action is executed on a specific entry ID, the previously entered values for fc fc-name and priority are overridden with the newly defined parameters or inherit previous matches when a parameter is omitted.

The no form of this command removes the entry from the active entry list. Removing an entry on a policy immediately removes the entry from all SAPs using the policy. All previous parameters for the action is lost.

If no action is specified, the action specified by the default-fc command will be used.

Parameters

fc fc-name

The value given for fc fc-name must be one of the predefined forwarding classes in the system. Specifying the fc fc-name is required. When a packet matches the rule, the forwarding class is only overridden when the fc fc-name parameter is defined on the rule. If the packet matches and the forwarding class is not explicitly defined in the rule, the forwarding class is inherited based on previous rule matches.

The subclass-name parameter is optional and used with the fc-name parameter to define a pre-existing subclass. The fc-name and subclass-name parameters must be separated by a period (.). If subclass-name does not exist in the context of fc-name, an error will occur. If subclass-name is removed using the no fc fc-name.subclass-name force command, the default-fc command will automatically drop the subclass-name and only use fc-name (the parent forwarding class for the subclass) as the forwarding class.

Values

fc:

class[.subclass]

class: be, l2, af, l1, h2, ef, h1, nc

subclass: 29 characters max

Default

Inherit (When fc fc-name is not defined, the rule preserves the previous forwarding class of the packet.)

priority

The priority parameter overrides the default enqueuing priority for all packets received on a SAP using this policy that match this rule. Specifying the priority (high or low) is optional. When a packet matches the rule, the enqueuing priority is only overridden when the priority parameter is defined on the rule. If the packet matches and priority is not explicitly defined in the rule, the enqueuing priority is inherited based on previous rule matches.

Default

Inherit (When the priority (high or low) is not defined, the rule preserves the previous enqueuing priority of the packet)

high

The high parameter is used in conjunction with the priority parameter. Setting the priority enqueuing parameter to high for a packet increases the likelihood to enqueue the packet when the queue is congested. The enqueuing priority only affects ingress SAP queuing. When the packet is placed in a buffer on the queue, the significance of the enqueuing priority is lost.

low

The low parameter is used in conjunction with the priority parameter. Setting the priority enqueuing parameter to low for a packet decreases the likelihood to enqueue the packet when the queue is congested. The enqueuing priority only affects ingress SAP queuing. When the packet is placed in a buffer on the ingress queue, the significance of the enqueuing priority is lost.

Default

Inherit

policer-id

A valid policer-id must be specified. The parameter policer-id references a policer-id that has already been created within the sap-ingress QoS policy.

Values

1 to 63

Platforms

All

action

Syntax

action [fc fc-name] [profile {in | out | exceed | inplus}] [policer policer-id] [port-redirect-group-queue] [queue queue-id] [use-fc-mapped-queue]

no action

Context

[Tree] (config>qos>sap-egress>ip-criteria>entry action)

[Tree] (config>qos>sap-egress>ipv6-criteria>entry action)

Full Context

configure qos sap-egress ip-criteria entry action

configure qos sap-egress ipv6-criteria entry action

Description

This command defines the reclassification actions that should be performed on any packet matching the defined IP flow criteria within the entries match node. When defined under the ip-criteria context, the reclassification only applies to IPv4 packets. When defined under the ipv6-criteria context, the reclassification only applies to IPv6 packets.

If an egress packet on the SAP matches the specified IP flow entry, the forwarding class, or profile or egress queue accounting behavior may be overridden. By default, the forwarding class and profile of the packet is derived from ingress classification and profiling functions. Matching an IP flow reclassification entry will override all IP precedence- or DSCP-based reclassification rule actions when an explicit reclassification action is defined for the entry.

It is also possible to redirect the egress packet to a configured policer. The forwarding class or profile can also be optionally specified.

When an IP flow entry is first created, the entry will have no explicit behavior defined as the reclassification actions to be performed. In show and info commands, the entry will display no action as the specified reclassification action for the entry. When the entry is defined with no action, the entry will not be populated in the IP flow reclassification list used to evaluate packets egressing a SAP with the SAP egress policy defined. An IP flow reclassification entry is only added to the evaluation list when the action command for the entry is executed either with explicit reclassification entries or without any actions defined. Specifying action without any trailing reclassification actions allows packets matching the entry to exit the evaluation list without matching entries lower in the list. Executing no action on an entry removes the entry from the evaluation list and also removes any explicitly defined reclassification actions associated with the entry.

The fc keyword is optional. When specified, the egress classification rule will overwrite the forwarding class derived from ingress. The new forwarding class is used for egress remarking and queue mapping decisions.

The profile keyword is optional. When specified, the egress classification rule will overwrite the profile of the packet derived from ingress. The new profile value is used for egress remarking and queue congestion behavior.

The policer keyword is optional. When specified, the egress packet will be redirected to the configured policer. Optional parameters allow the user to control how the forwarded policed traffic exits the egress port. By default, the policed forwarded traffic will use a queue in the egress port’s policer-output-queue queue group; alternatively, a queue in an instance of a user-configured queue group can be used or a local SAP egress queue.

The no form of this command removes all reclassification actions from the IP flow reclassification entry and also removes the entry from the evaluation list. An entry removed from the evaluation list will not be matched to any packets egress a SAP associated with the SAP egress QoS policy.

Parameters

fc fc-name

The fc reclassification action is optional. When specified, packets matching the IP flow reclassification entry will be explicitly reclassified to the forwarding class specified as fc-name regardless of the ingress classification decision. The fc-name defined must be one of the eight forwarding classes supported by the system. To remove the forwarding class reclassification action for the IP flow entry, the action command must be re-executed without the fc reclassification action defined.

Values

fc

class

class

be, l2, af, l1, h2, ef, h1, nc

profile {in | out | exceed | inplus}

The profile reclassification action is optional. When specified, packets matching the IP flow reclassification entry will be explicitly reclassified to the configured profile regardless of the ingress profiling decision. To remove the profile reclassification action for the IP flow reclassification entry, the action command must be re-executed without the profile reclassification action defined.

in

The in parameter is mutually exclusive to the exceed, inplus, and out parameters following the profile reclassification action keyword. In, exceed, inplus, or out must be specified when the profile keyword is present. When in is specified, any packets matching the reclassification rule will be treated as in-profile by the egress forwarding plane.

out

The out parameter is mutually exclusive to the exceed, inplus, and in parameters following the profile reclassification action keyword. In, exceed, inplus, or out must be specified when the profile keyword is present. When out is specified, any packets matching the reclassification rule will be treated as out-of-profile by the egress forwarding plane.

exceed

The exceed parameter is mutually exclusive to the out, inplus, and in parameters following the profile reclassification action keyword. In, exceed, inplus, or out must be specified when the profile keyword is present. When exceed is specified, any packets matching the reclassification rule will be treated as exceed-profile by the egress forwarding plane.

inplus

The inplus parameter is mutually exclusive to the out, exceed, and in parameters following the profile reclassification action keyword. In, exceed, inplus, or out must be specified when the profile keyword is present. When inplus is specified, any packets matching the reclassification rule will be treated as inplus-profile by the egress forwarding plane.

policer policer-id

When the action policer command is executed, a valid policer ID must be specified. The parameter policer ID references a policer ID that has already been created within the SAP egress QoS policy.

Values

1 to 63

port-redirect-group-queue queue queue-id

Used to override the forwarding class default egress queue destination to an egress port queue group. The specific egress queue group instance to use is specified at the time the QoS policy is applied to the SAP. Therefore, this parameter is only valid if SAP-based redirection is required. The queue parameter overrides the policer’s default egress queue destination to a specified queue-id in the egress port queue group instance.

Values

1 to 8

queue queue-id

This parameter overrides the policer’s default egress queue destination to a specified local SAP queue of that queue-id. A queue of ID queue-id must exist within the egress QoS policy.

Values

1 to 8

use-fc-mapped-queue

This parameter overrides the policer’s default egress queue destination to the queue mapped by the traffic’s forwarding class.

Platforms

All

action

Syntax

action [fc fc-name profile {in | out | exceed | inplus}] [port-redirect-group {queue queue-id | policer policer-id [queue queue-id]}]

Context

[Tree] (config>qos>network>egress>ipv6-criteria>entry action)

[Tree] (config>qos>network>egress>ip-criteria>entry action)

Full Context

configure qos network egress ipv6-criteria entry action

configure qos network egress ip-criteria entry action

Description

This command defines the reclassification actions that are performed on any packet matching the defined IP flow criteria within the entry’s matched node. When defined under the ip-criteria context, the reclassification only applies to IPv4 packets. When defined under the ipv6-criteria context, the reclassification only applies to IPv6 packets.

If an egress packet matches the specified IP flow entry, the forwarding class and profile may be overridden. By default, the forwarding class and profile of the packet are derived from ingress classification and profiling functions. Matching an IP flow reclassification entry will override all IP precedence-based or DSCP-based reclassification rule actions when an explicit reclassification action is defined for the entry.

When an IP flow entry is first created, the entry will have no explicit behavior defined as the reclassification actions to be performed. When the entry is defined with no action, the entry will not be populated in the IP flow reclassification list used to evaluate egress packets. An IP flow reclassification entry is only added to the evaluation list when the action command for the entry is executed.

The fc and profile keywords are optional. When specified, the egress classification rule will overwrite the forwarding class and profile derived from ingress. The new forwarding class and profile are used for egress remarking, queue mapping decisions, and queue congestion behavior.

The port-redirect-group keyword is optional. When specified, the egress packet will be redirected to the configured queue or policer in the specified egress network queue group. By default, the policed forwarded traffic will use the regular network queue to which the packet's forwarding class is mapped. Alternatively, a queue in the network egress queue group instance can be used for post-policed traffic by specifying a queue after the policer parameter. The port-redirect-group keyword requires that the network egress queue group instance is specified when this network QoS policy is applied to a network interface. The port-redirect-group is not supported on a 7750 SR-a4/a8.

The no form of this command removes all reclassification actions from the IP flow reclassification entry and also removes the entry from the evaluation list. An entry removed from the evaluation list will not be matched to any egress packets.

Default

no action

Parameters

fc fc-name

The fc reclassification action is optional. When specified, packets matching the IP flow reclassification entry will be explicitly reclassified to the forwarding class specified as fc-name regardless of the ingress classification decision. The fc-name defined must be one of the eight forwarding classes supported by the system. The profile reclassification action is mandatory when an fc is specified. To remove the forwarding class reclassification action for the IP flow entry, the action command must be re-executed without the fc reclassification action defined.

Values

be, l2, af, l1, h2, ef, h1, nc

profile {in | out | exceed | inplus}

The profile reclassification action is mandatory when an fc is specified, otherwise it is optional. When specified, packets matching the IP flow reclassification entry will be explicitly reclassified to the configured profile regardless of the ingress profiling decision. In, exceed, inplus, or out must be specified when the profile keyword is present. To remove the profile reclassification action for the IP flow reclassification entry, the action command must be re-executed without the profile reclassification action defined.

in

When specified, any packets matching the reclassification rule will be treated as in-profile by the egress forwarding plane.

out

When specified, any packets matching the reclassification rule will be treated as out-of-profile by the egress forwarding plane.

exceed

When specified, any packets matching the reclassification rule will be treated as exceed-profile by the egress forwarding plane.

inplus

When specified, any packets matching the reclassification rule will be treated as inplus-profile by the egress forwarding plane.

queue queue-id

Used to override the forwarding class default egress queue destination to the specified network egress queue group instance queue. The specific egress queue group instance to use is specified at the time the QoS policy is applied to the network interface.

Values

1 to 8

policer policer-id

Specifies a valid policer ID that has already been created within the network egress queue group instance.

Values

1 to 16

queue queue-id

The queue following the configured policer overrides the default policed traffic egress queue destination to a specified queue in the network egress queue group instance.

Values

1 to 8

Platforms

All

action

Syntax

action fc fc-name profile {in | out}

no action

Context

[Tree] (config>qos>network>ingress>ipv6-criteria>entry action)

[Tree] (config>qos>network>ingress>ip-criteria>entry action)

Full Context

configure qos network ingress ipv6-criteria entry action

configure qos network ingress ip-criteria entry action

Description

This command defines the reclassification actions that are performed on any packet matching the defined IP flow criteria within the entry’s matched node. When defined under the ip-criteria context, the reclassification only applies to IPv4 packets. When defined under the ipv6-criteria context, the reclassification only applies to IPv6 packets.

If an ingress packet matches the specified IP flow entry, the forwarding class and profile may be overridden. By default, the forwarding class and profile of the packet are derived from ingress classification and profiling functions. Matching an IP flow reclassification entry will override all non-criteria reclassification rule actions when an explicit reclassification action is defined for the entry.

When an IP flow entry is first created, the entry will have no explicit behavior defined as the reclassification actions to be performed. When the entry is defined with no action, the entry will not be populated in the IP flow reclassification list used to evaluate ingress packets. An IP flow reclassification entry is only added to the evaluation list when the action command for the entry is executed.

The no form of this command removes all reclassification actions from the IP flow reclassification entry and also removes the entry from the evaluation list. An entry removed from the evaluation list will not be matched to any ingress packets.

Default

no action

Parameters

fc fc-name

The fc reclassification action is optional. When specified, packets matching the IP flow reclassification entry will be explicitly reclassified to the forwarding class specified as fc-name regardless of the ingress classification decision. The fc-name defined must be one of the eight forwarding classes supported by the system. The profile reclassification action is mandatory when an fc is specified. To remove the forwarding class reclassification action for the IP flow entry, the action command must be re-executed without the fc reclassification action defined.

Values

be, l2, af, l1, h2, ef, h1, nc

profile {in | out}

The profile reclassification action is mandatory. Packets matching the IP flow reclassification entry will be explicitly reclassified to the configured profile regardless of other ingress profiling decisions. In or out must be specified when the profile keyword is present. To remove the profile reclassification action for the IP flow reclassification entry, the action command must be re-executed without the profile reclassification action defined.

in

When specified, any packets matching the reclassification rule will be treated as in-profile by the ingress forwarding plane.

out

When specified, any packets matching the reclassification rule will be treated as out-of-profile by the ingress forwarding plane.

Platforms

All

action

Syntax

action {replace | drop | keep}

no action

Context

[Tree] (config>router>if>dhcp>option action)

Full Context

configure router interface dhcp option action

Description

This command configures the processing required when the SR-Series router receives a DHCP request that already has a Relay Agent Information Option (Option 82) field in the packet.

The no form of this command returns the system to the default value.

Default

Per RFC 3046, DHCP Relay Agent Information Option, section 2.1.1, Reforwarded DHCP requests, the default is to keep the existing information intact. The exception to this is if the GI address of the received packet is the same as the ingress address on the router. In that case the packet is dropped and an error is logged.

Parameters

replace

In the upstream direction (from the user), the existing Option 82 field is replaced with the Option 82 field from the router. In the downstream direction (toward the user) the Option 82 field is stripped (in accordance with RFC 3046).

drop

The packet is dropped, and an error is logged.

keep

The existing information is kept in the packet and the router does not add any additional information. In the downstream direction the Option 82 field is not stripped and is sent on toward the client.

The behavior is slightly different in case of Vendor Specific Options (VSOs). When the keep parameter is specified, the router will insert his own VSO into the Option 82 field. This will only be done when the incoming message has already an Option 82 field.

If no Option 82 field is present, the router will not create the Option 82 field. In this in that case, no VSO will be added to the message.

Platforms

All

action

Syntax

action {action}

no action

Context

[Tree] (config>serv>mrp>mrp-policy>entry action)

Full Context

configure service mrp mrp-policy entry action

Description

This command specifies the action to be applied to the MMRP attributes (Group B-MACs) whose ISIDs match the specified ISID criteria in the related entry.

The action keyword must be entered for the entry to be active. Any filter entry without the action keyword will be considered incomplete and will be inactive. If neither keyword is specified (no action is used), this is considered a No-Op policy entry used to explicitly set an entry inactive without modifying match criteria or removing the entry itself. Multiple action statements entered will overwrite previous actions parameters when defined. To remove a parameter, use the no form of the action command with the specified parameter.

The no form of the command removes the specified action statement. The entry is considered incomplete and hence rendered inactive without the action keyword.

Default

no action

Parameters

action

Specifies the action for the MRP policy entry.

block

Specifies that the matching MMRP attributes will not be declared or registered on this SAP or SDP.

allow

Specifies that the matching MMRP attributes will be declared and registered on this SAP or SDP.

end-station

Specifies that an end-station emulation is present on this SAP or SDP for the MMRP attributes related with matching ISIDs. Equivalent action with the block keyword on that SAP or SDP. The attributes associated with the matching ISIDs are not declared or registered on the SAP or SDP. The matching attributes on the other hand are mapped as static MMRP entries on the SAP or SDP which implicitly instantiates in the data plane as a MFIB entry associated with that SAP or SDP for the related Group B-MAC. For the other SAPs/SDPs in the BVPLS with MRP enabled (no shutdown). This means that the permanent declaration of the matching attributes, as in the case when the IVPLS instances associated with these ISIDs were locally configured.

If an MRP policy has end-station action in one entry, the only default action allowed in the policy is block. Also no other actions are allowed to be configured in other entry configured under the policy.

This policy will apply even if the MRP is shutdown on the local SAP or SDP or for the whole BVPLS to allow for manual creation of MMRP entries in the data plane. Specifically the following rules apply:

  • If service vpls mrp shutdown is executed, and the MMRP on all SAP or SDPs is shutdown, then MRP PDUs pass-through transparently.

  • If service vpls mrp no shutdown, and the endstation statement (even with no ISID values in the related match statement) is used in an MRP policy applied to SAP or SDP, then no declaration is sent on SAP or SDP. The provisioned ISIDs in the match statement are registered on that SAP or SDP and are propagated on all the other MRP enabled endpoints.

Platforms

All

action

Syntax

action {permit | deny | deny-host-unreachable}

no action

Context

[Tree] (config>system>security>mgmt-access-filter>ip-filter>entry action)

[Tree] (config>system>security>mgmt-access-filter>mac-filter>entry action)

[Tree] (config>system>security>mgmt-access-filter>ipv6-filter>entry action)

Full Context

configure system security management-access-filter ip-filter entry action

configure system security management-access-filter mac-filter entry action

configure system security management-access-filter ipv6-filter entry action

Description

This command creates the action associated with the management access filter match criteria entry.

The action keyword is required. If no action is defined, the filter is ignored. If multiple action statements are configured, the last one overwrites previous configured actions.

If the packet does not meet any of the match criteria the configured default action is applied.

Parameters

permit

Specifies that packets matching the configured criteria will be permitted.

deny

Specifies that packets matching the configured selection criteria will be denied and that a ICMP host unreachable message will not be issued.

deny-host-unreachable

Specifies that packets matching the configured selection criteria will be denied and that a host unreachable message will not be issued.

The deny-host-unreachable parameter only applies to ip-filter and ipv6-filter.

Platforms

All

action

Syntax

action [accept | drop | queue queue-id]

no action

Context

[Tree] (config>sys>security>cpm-filter>ip-filter>entry action)

[Tree] (config>sys>security>cpm-filter>ipv6-filter>entry action)

[Tree] (config>sys>security>cpm-filter>mac-filter>entry action)

Full Context

configure system security cpm-filter ip-filter entry action

configure system security cpm-filter ipv6-filter entry action

configure system security cpm-filter mac-filter entry action

Description

This command specifies the action to take for packets that match this filter entry.

Default

action drop

Parameters

accept

Specifies packets matching the entry criteria will be forwarded.

drop

Specifies packets matching the entry criteria will be dropped.

queue queue-id

Specifies packets matching the entry criteria will be forward to the specified CPM hardware queue.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

action

Syntax

action {deny | permit | read-only}

Context

[Tree] (config>system>security>profile>entry action)

Full Context

configure system security profile entry action

Description

This command configures the action associated with the profile entry.

Parameters

deny

Specifies that commands matching the entry command match criteria are to be denied.

permit

Specifies that commands matching the entry command match criteria is permitted.

read-only

Specifies the commands matching the entry command match criteria is available with read-only access.

Platforms

All

action-list

action-list

Syntax

action-list

Context

[Tree] (config>log>event-handling>handler action-list)

Full Context

configure log event-handling handler action-list

Description

Commands in this context configure the EHS handler action list.

Platforms

All

action-on-fail

action-on-fail

Syntax

action-on-fail {drop | passthrough}

no action-on-fail

Context

[Tree] (config>python>py-script action-on-fail)

Full Context

configure python python-script action-on-fail

Description

This command specifies the action taken when Python fails to modify the given message.

The no form of this command reverts to the default.

Default

action-on-fail drop

Parameters

drop

Specifies that the packet will be dropped.

passthrough

Specifies that the packet that is sent out without any modifications.

Platforms

All

action-on-fail

Syntax

action-on-fail {drop | passthrough}

no action-on-fail

Context

[Tree] (config>aaa>radius-scr-plcy action-on-fail)

Full Context

configure aaa radius-script-policy action-on-fail

Description

specifies the action taken when Python fails to modify the RADIUS message.

The no form of this command reverts to the default.

Default

action-on-fail drop

Parameters

drop

Specifies that the packet will be dropped.

passthrough

Specifies that the packet will be sent out without any modifications.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

activate

activate

Syntax

activate [file-url] [now]

Context

[Tree] (admin>system>license activate)

Full Context

admin system license activate

Description

This command performs an activation on the license file pointed to by the command line argument. The file is first validated as described in the admin>system>license>validate command and upon success, replaces the existing license attributes in the system with the information in the new license file.

The license attributes that are active on a system can be viewed with the show>licensing>entitlements command.

Note:

If the CLM tool is being used for license management, it shall perform the validation and activation and there is no need to enter these commands manually.

Parameters

file-url

Specifies the file URL location to read the license file.

Values

local-url, remote-url

Note:

IPv6 addresses apply only to 7750 SR and 7950 XRS.

now

If the now keyword is not present, the operator is prompted to confirm the activation. With the now keyword the license file is activated without the additional prompt.

Platforms

All

activate-entry-tag

activate-entry-tag

Syntax

activate-entry-tag activate-entry-tag

no activate-entry-tag

Context

[Tree] (config>service>ipipe>sap>ingress>criteria-overrides>ipv6-criteria activate-entry-tag)

[Tree] (config>service>cpipe>sap>ingress>criteria-overrides>ip-criteria activate-entry-tag)

[Tree] (config>service>vprn>if>sap>ingress>criteria-overrides>ipv6-criteria activate-entry-tag)

[Tree] (config>service>vpls>sap>ingress>criteria-overrides>ip-criteria activate-entry-tag)

[Tree] (config>service>ipipe>sap>ingress>criteria-overrides>ip-criteria activate-entry-tag)

[Tree] (config>service>cpipe>sap>ingress>criteria-overrides>ipv6-criteria activate-entry-tag)

[Tree] (config>service>vprn>if>sap>ingress>criteria-overrides>ip-criteria activate-entry-tag)

[Tree] (config>service>vpls>sap>ingress>criteria-overrides>ipv6-criteria activate-entry-tag)

[Tree] (config>service>ies>if>sap>ingress>criteria-overrides>ipv6-criteria activate-entry-tag)

[Tree] (config>service>ies>if>sap>ingress>criteria-overrides>ip-criteria activate-entry-tag)

[Tree] (config>service>epipe>sap>ingress>criteria-overrides>ipv6-criteria activate-entry-tag)

[Tree] (config>service>epipe>sap>ingress>criteria-overrides>ip-criteria activate-entry-tag)

Full Context

configure service ipipe sap ingress criteria-overrides ipv6-criteria activate-entry-tag

configure service cpipe sap ingress criteria-overrides ip-criteria activate-entry-tag

configure service vprn interface sap ingress criteria-overrides ipv6-criteria activate-entry-tag

configure service vpls sap ingress criteria-overrides ip-criteria activate-entry-tag

configure service ipipe sap ingress criteria-overrides ip-criteria activate-entry-tag

configure service cpipe sap ingress criteria-overrides ipv6-criteria activate-entry-tag

configure service vprn interface sap ingress criteria-overrides ip-criteria activate-entry-tag

configure service vpls sap ingress criteria-overrides ipv6-criteria activate-entry-tag

configure service ies interface sap ingress criteria-overrides ipv6-criteria activate-entry-tag

configure service ies interface sap ingress criteria-overrides ip-criteria activate-entry-tag

configure service epipe sap ingress criteria-overrides ipv6-criteria activate-entry-tag

configure service epipe sap ingress criteria-overrides ip-criteria activate-entry-tag

Description

This command activates the entry tag.

The no form of this command removes any existing entry tags from the SAP.

Parameters

activate-entry-tag

Specifies the tag identifier value for activation.

Values

1 to 255

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

active-cpm-protocols

active-cpm-protocols

Syntax

[no] active-cpm-protocols

Context

[Tree] (config>service>vprn>if active-cpm-protocols)

Full Context

configure service vprn interface active-cpm-protocols

Description

This command enables CPM protocols on this interface.

Platforms

All

active-flow-timeout

active-flow-timeout

Syntax

active-flow-timeout seconds

no active-flow-timeout

Context

[Tree] (config>cflowd active-flow-timeout)

Full Context

configure cflowd active-flow-timeout

Description

This command configures the maximum amount of time before an active flow is aged out of the active cache. If an individual flow is active for the specified amount of time, the flow is aged out and a new flow is created on the next packet sampled for that flow.

Existing flows do not inherit the new active-flow-timeout value if this parameter is changed while cflowd is active. The active-flow-timeout value for a flow is set when the flow is first created in the active cache table and does not change dynamically.

The no form of this command resets the timeout back to the default value.

Default

active-flow-timeout 1800

Parameters

seconds

Specifies the value, in seconds, before an active flow is exported.

Values

30 to 36000

Platforms

All

active-hold-delay

active-hold-delay

Syntax

active-hold-delay active-hold-delay

no active-hold-delay

Context

[Tree] (config>service>cpipe>endpoint active-hold-delay)

[Tree] (config>service>ipipe>endpoint active-hold-delay)

[Tree] (config>service>epipe>endpoint active-hold-delay)

Full Context

configure service cpipe endpoint active-hold-delay

configure service ipipe endpoint active-hold-delay

configure service epipe endpoint active-hold-delay

Description

This command specifies that the node will delay sending the change in the T-LDP status bits for the VLL endpoint when the MC-LAG transitions the LAG subgroup which hosts the SAP for this VLL endpoint from active to standby or when any object in the endpoint. For example, SAP, ICB, or regular spoke SDP, transitions from up to down operational state.

By default, when the MC-LAG transitioned the LAG subgroup which hosts the SAP for this VLL endpoint from active to standby, the node sends immediately new T-LDP status bits indicating the new value of "standby” over the spoke SDPs which are on the mate-endpoint of the VLL. The same applies when any object in the endpoint changes an operational state from up to down.

There is no delay applied to the VLL endpoint status bit advertisement when the MC-LAG transitions the LAG subgroup which hosts the SAP from standby to active or when any object in the endpoint transitions to an operationally up state.

Default

active-hold-delay 0

Parameters

active-hold-delay

Specifies the active hold delay in 100s of milliseconds.

A value of zero means that when the MC-LAG transitioned the LAG subgroup which hosts the SAP for this VLL endpoint from active to standby, the node sends immediately new T-LDP status bits indicating the new value of standby over the spoke SDPs which are on the mate-endpoint of the VLL. The same applies when any object in the endpoint changes an operational state from up to down.

Values

0 to 60

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

  • configure service cpipe endpoint active-hold-delay

All

  • configure service epipe endpoint active-hold-delay
  • configure service ipipe endpoint active-hold-delay

active-instance

active-instance

Syntax

active-instance instance-id

no active-instance

Context

[Tree] (config>router>p2mp-sr-tree>p2mp-policy>p2mp-candidate-path active-instance)

Full Context

configure router p2mp-sr-tree p2mp-policy p2mp-candidate-path active-instance

Description

This command configures the active instance of a P2MP candidate path for the P2MP SR tree as a primary or a secondary instance. Before configuring the active instance ID, the candidate path instance must be configured using the instance command.

The no form of this command removes the active instance.

Parameters

instance-id

Specifies the active instance as primary (1) or secondary (2).

Values

1, 2

Platforms

All

active-iom-limit

active-iom-limit

Syntax

active-iom-limit number

no active-iom-limit

Context

[Tree] (config>isa>wlan-gw-group active-iom-limit)

Full Context

configure isa wlan-gw-group active-iom-limit

Description

This command specifies the number of WLAN-GW IOMs used as active IOMs from the total number of configured WLAN-GW IOMs. If there are more configured IOM than active-iom-limit, then the remaining number of IOMs is designated as backup(s).

The no form of this command removes the number from the configuration.

Parameters

number

Specifies the number of IOMs in this WLAN Gateway ISA group that are intended for active use.

Values

1 to 3

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

active-lease-time

active-lease-time

Syntax

active-lease-time [hrs hours] [min minutes] [sec seconds]

no active-lease-time

Context

[Tree] (config>service>ies>sub-if>grp-if>wlan-gw>ranges>range>dhcp active-lease-time)

[Tree] (config>service>vprn>sub-if>grp-if>wlan-gw>ranges>range>dhcp active-lease-time)

Full Context

configure service ies subscriber-interface group-interface wlan-gw vlan-tag-ranges range dhcp active-lease-time

configure service vprn subscriber-interface group-interface wlan-gw vlan-tag-ranges range dhcp active-lease-time

Description

This command configures the lease time for an authenticated user.

Default

active-lease-time min 10

Parameters

hours

Specifies the number of active lease time hours.

Values

1 to 1

minutes

Specifies the number of active lease time minutes.

Values

5 to 59

seconds

Specifies the number of active lease time seconds.

Values

1 to 59

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

active-mda-limit

active-mda-limit

Syntax

active-mda-limit number

no active-mda-limit

Context

[Tree] (config>isa>wlan-gw-group active-mda-limit)

Full Context

configure isa wlan-gw-group active-mda-limit

Description

This command specifies how many ISAs may be in active use by the WLAN-GW group at the same time. If the maximum number of active ISAs is reached and more ISAs are added to the group, the new ISAs are considered to be in standby mode.

The no form of this command removes the limit on the maximum number of active ISAs.

Parameters

number

Specifies the number of WLAN-GW ISAs intended for active use.

Values

1 to 14

Platforms

7750 SR, 7750 SR-e, 7750 SR-s

active-mda-limit

Syntax

active-mda-limit number

no active-mda-limit

Context

[Tree] (config>isa>nat-group active-mda-limit)

Full Context

configure isa nat-group active-mda-limit

Description

This command configures the number of active ISAs in active-standby ISA redundancy model for NAT. The active ISAs are automatically selected by the system and any the remaining ISA beyond the number of active limit will automatically assume the standby role. An ISA in the standby mode is idle until the failure of an active ISA occurs. Standby ISA can accept traffic from exactly one failed active ISA. Multiple standby ISAs can be configured in the system to protect against multiple simultaneous failures.

Once the active ISA fails, the standby ISA will start forwarding traffic. NAT translations from the failed ISA will have to be re-initiated by the clients and consequently setup on the newly active ISA.

In order for this command to take effect, the intra-chassis redundancy mode must be set to active-standby (config>isa>nat-group>redundancy active-standby).

Default

no active-mda-limit

Parameters

number

Specifies the active MDA limit.

Values

1 to 14

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

active-mda-number

active-mda-number

Syntax

active-mda-number number

no active-mda-number

Context

[Tree] (config>isa>tunnel-grp active-mda-number)

Full Context

configure isa tunnel-group active-mda-number

Description

This command specifies the number of active MS-ISA within all configured MS-ISA in the tunnel-group with multi-active enabled. IPsec traffic will be load balanced across all active MS-ISAs. If the number of configured MS-ISA is greater than the active-mda-number then the delta number of MS-ISA will be backup.

Default

active-mda-number 1

Parameters

number

Specifies the number of active MDAs.

Values

1 to 16

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

active-outbound-sa

active-outbound-sa

Syntax

active-outbound-sa spi

no active-outbound-sa

Context

[Tree] (config>grp-encryp>encryp-keygrp active-outbound-sa)

Full Context

configure group-encryption encryption-keygroup active-outbound-sa

Description

This command specifies the Security Association, referenced by the Security Parameter Index (SPI), to use when performing encryption and authentication on NGE packets egressing the node for all services configured using this key group.

The no form of the command returns the parameter to its default value and is the same as removing this key group from all outbound direction key groups in all services configured with this key group (that is, all packets of services using this key group will egress the node in without being encrypted).

Parameters

spi

Specifies the SPI to use for packets of services using this key group when egressing the node.

Values

1 to 127

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

active-preferred-lifetime

active-preferred-lifetime

Syntax

active-preferred-lifetime [hrs hours] [min minutes] [sec seconds]

no active-preferred-lifetime

Context

[Tree] (config>service>ies>sub-if>grp-if>wlan-gw>ranges>range>slaac active-preferred-lifetime)

[Tree] (config>service>vprn>sub-if>grp-if>wlan-gw>ranges>range>dhcp6 active-preferred-lifetime)

[Tree] (config>service>ies>sub-if>grp-if>wlan-gw>ranges>range>dhcp6 active-preferred-lifetime)

[Tree] (config>service>vprn>sub-if>grp-if>wlan-gw>ranges>range>slaac active-preferred-lifetime)

Full Context

configure service ies subscriber-interface group-interface wlan-gw vlan-tag-ranges range slaac active-preferred-lifetime

configure service vprn subscriber-interface group-interface wlan-gw vlan-tag-ranges range dhcp6 active-preferred-lifetime

configure service ies subscriber-interface group-interface wlan-gw vlan-tag-ranges range dhcp6 active-preferred-lifetime

configure service vprn subscriber-interface group-interface wlan-gw vlan-tag-ranges range slaac active-preferred-lifetime

Description

This command specifies the signaled preferred lifetime in DHCPv6 or SLAAC after full authentication. This is only applicable to DSM.

The no form of this command reverts to the default.

Default

active-preferred-lifetime min 10

Parameters

hours

Specifies the number of active preferred lifetime hours.

Values

1 to 1

minutes

Specifies the number of active preferred lifetime minutes.

Values

5 to 59

seconds

Specifies the number of active preferred lifetime seconds.

Values

1 to 59

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

active-psk

active-psk

Syntax

active-psk active-pre-shared-key

no active-psk

Context

[Tree] (config>macsec>conn-assoc>static-cak active-psk)

Full Context

configure macsec connectivity-association static-cak active-psk

Description

This command specifies the active transmitting pre-shared-key. If two pre-shared-keys are configured, the arriving MACsec MKA can be decrypted via CAKs of both pre-shared keys; however, only the active-psk will be used for TX encryption of MKA PDUs.

Default

active-psk 1

Parameters

active-pre-shared-key

Specifies the value of the pre-shared-key.

Values

1 or 2

Platforms

All

active-source-limit

active-source-limit

Syntax

active-source-limit number

no active-source-limit

Context

[Tree] (config>service>vprn>msdp>peer active-source-limit)

[Tree] (config>service>vprn>msdp>group active-source-limit)

[Tree] (config>service>vprn>msdp>source active-source-limit)

[Tree] (config>service>vprn>msdp active-source-limit)

[Tree] (config>service>vprn>msdp>group>peer active-source-limit)

Full Context

configure service vprn msdp peer active-source-limit

configure service vprn msdp group active-source-limit

configure service vprn msdp source active-source-limit

configure service vprn msdp active-source-limit

configure service vprn msdp group peer active-source-limit

Description

This option controls the maximum number of active source messages that will be accepted by Multicast Source Discovery Protocol (MSDP), effectively controlling the number of active sources that can be stored on the system.

The no form of this command reverts the number of source message limit to default operation.

Default

no active-source-limit

Parameters

number

Defines how many active sources can be maintained by MSDP.

Values

0 to 1000000

Platforms

All

active-source-limit

Syntax

active-source-limit number

no active-source-limit

Context

[Tree] (config>router>msdp>peer active-source-limit)

[Tree] (config>router>msdp>group>peer active-source-limit)

[Tree] (config>router>msdp>source active-source-limit)

[Tree] (config>router>msdp>group active-source-limit)

[Tree] (config>router>msdp active-source-limit)

Full Context

configure router msdp peer active-source-limit

configure router msdp group peer active-source-limit

configure router msdp source active-source-limit

configure router msdp group active-source-limit

configure router msdp active-source-limit

Description

This option controls the maximum number of active source messages that will be accepted by Multicast Source Discovery Protocol (MSDP), effectively controlling the number of active sources that can be stored on the system.

The no form of this command sets no limit on the number of source active records.

Default

no active-source-limit

Parameters

number

Specifies the number of active sources that can be maintained by MSDP.

Values

0 to 1000000

Platforms

All

active-valid-lifetime

active-valid-lifetime

Syntax

active-valid-lifetime [hrs hours] [min minutes] [sec seconds]

no active-valid-lifetime

Context

[Tree] (config>service>vprn>sub-if>grp-if>wlan-gw>ranges>range>slaac active-valid-lifetime)

[Tree] (config>service>vprn>sub-if>grp-if>wlan-gw>ranges>range>dhcp6 active-valid-lifetime)

[Tree] (config>service>ies>sub-if>grp-if>wlan-gw>ranges>range>slaac active-valid-lifetime)

[Tree] (config>service>ies>sub-if>grp-if>wlan-gw>ranges>range>dhcp6 active-valid-lifetime)

Full Context

configure service vprn subscriber-interface group-interface wlan-gw vlan-tag-ranges range slaac active-valid-lifetime

configure service vprn subscriber-interface group-interface wlan-gw vlan-tag-ranges range dhcp6 active-valid-lifetime

configure service ies subscriber-interface group-interface wlan-gw vlan-tag-ranges range slaac active-valid-lifetime

configure service ies subscriber-interface group-interface wlan-gw vlan-tag-ranges range dhcp6 active-valid-lifetime

Description

This command specifies the signaled valid lifetime in DHCPv6 or SLAAC after full authentication. This is only applicable to DSM.

The no form of this command reverts to the default.

Default

active-valid-lifetime min 10

Parameters

hours

Specifies the number of active-valid-lifetime hours.

Values

1 to 1

minutes

Specifies the number of active-valid-lifetime minutes.

Values

5 to 59

seconds

Specifies the number of active-valid-lifetime seconds.

Values

1 to 59

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

activity-threshold

activity-threshold

Syntax

activity-threshold kilobits-per-second

no activity-threshold

Context

[Tree] (config>subscr-mgmt>cat-map activity-threshold)

Full Context

configure subscriber-mgmt category-map activity-threshold

Description

This command configures the threshold that is applied to determine whether or not there is activity. This is only valid for credit-type = time (not volume).

The no form of this command reverts to the default.

Parameters

kilobits-per-second

Specifies the activity threshold value, in kilobits per second.

Values

1 to 100000000

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

ad-per-es-route-target

ad-per-es-route-target

Syntax

ad-per-es-route-target evi-rt

ad-per-es-route-target evi-rt-set route-distinguisher ip-address [extended-evi-range]

Context

[Tree] (config>service>system>bgp-evpn ad-per-es-route-target)

Full Context

configure service system bgp-evpn ad-per-es-route-target

Description

This command controls how Ethernet AD per-ES routes are generated.

The system can either send a separate Ethernet AD per-ES route per service, or an Ethernet AD per-ES route aggregating the route-targets for multiple services. While both alternatives can interoperate, RFC 7432 states that the EVPN Auto-Discovery per-ES route must be sent with a set of route-targets corresponding to all the EVIs defined on the Ethernet Segment. This command supports both options.

The default ad-per-es-route-target evi-rt option configures the system to send a separate AD per-ES route per service.

When enabled, the evi-rt-set option allows the aggregation of routes: a single AD per-ES route with the associated RD (ip-address:1) and a set of EVI route-targets are advertised (to a maximum of 128). When a significant number of EVIs are defined in the Ethernet Segment (hence the number of route-targets), the system sends more than one route. For example:

  • AD per-ES route for evi-rt-set 1 will be sent with RD ip-address:1

  • AD per-ES route for evi-rt-set 2 will be sent with RD ip-address:2

Default

ad-per-es-route-target evi-rt

Parameters

evi-rt

Specifies the option to advertise a separate AD per-ES route per service.

evi-rt-set

Specifies the option to advertise a set of AD per-ES routes aggregating the route-targets for all the services in the Ethernet Segment.

ip-address

Specifies the ip-address part of the route-distinguisher being used in the evi-rt-set option.

extended-evi-range

Specifies that the system reserves the RD comm-val 1 to 65535 out of the type 1 RD that is used for AD per-ES routes.

Platforms

All

ad-validation

ad-validation

Syntax

ad-validation {fall-through | drop}

no ad-validation

Context

[Tree] (config>system>dns>dnssec ad-validation)

Full Context

configure system dns dnssec ad-validation

Description

This command enables validation of the presence of the AD-bit in responses from the DNS servers, and reports a warning to the SECURITY log if DNSSEC validation was not possible.

This command requires either the fall-through or drop parameters be configured. When the fall-through parameter is supplied, the system will allow DNS responses that do not pass DNSSEC validation to be accepted and logged. When the drop parameter is specified, the system will reject and log DNS responses that do not pass DNSSEC validation and the resolution will appear to fail.

Default

no ad-validation

Parameters

fall-through

Specifies that the DNSSEC validator should allow non-DNSSEC responses to fall-through to permit resolution in case of validation failure.

drop

Specifies that the DNSSEC validator should drop non-DNSSEC responses in case of validation failure.

Platforms

All

adapt-qos

adapt-qos

Syntax

adapt-qos {link | port-fair | distribute [include-egr-hash-cfg]}

Context

[Tree] (config>lag>access adapt-qos)

Full Context

configure lag access adapt-qos

Description

This command specifies how the LAG SAP queue and virtual scheduler buffering and rate parameters are adapted over multiple active XMAs/MDAs. This command applies only to access LAGs.

Default

adapt-qos distribute

Parameters

link

Specifies that the LAG will create the SAP queues and virtual schedulers with the actual parameters on each LAG member port.

port-fair

Places the LAG instance into a mode that enforces QoS bandwidth constraints in the following manner:

  • all egress QoS objects associated with the LAG instance are created on a per port basis

  • bandwidth is distributed over these per port objects based on the proportion of the port's bandwidth relative to the total of all active ports bandwidth within the LAG

  • the include-egr-hash-cfg behavior is automatically enabled allowing the system to detect objects that hash to a single egress link in the lag and enabling full bandwidth for that object on the appropriate port

distribute

Creates an additional internal virtual scheduler per IOM/XCM as parent of the configured SAP queues and virtual schedulers per LAG member port on that IOM/XCM. This internal virtual scheduler limits the total amount of egress bandwidth for all member ports on the IOM/XCM to the bandwidth specified in the egress qos policy.

include-egr-hash-cfg

Specifies whether explicitly configured hashing should factor into the egress buffering and rate distribution.

When this parameter is configured, all SAPs on this LAG which have explicit hashing configured, the egress HQoS and HPol (including queues, policers, schedulers and arbiters) will receive 100% of the configured bandwidth (essentially operating in adapt-qos link mode). For any Multi-Service-Sites assigned to such a LAG, bandwidth will continue to be divided according to adapt-qos distribute mode.

A LAG instance that is currently in adapt-qos link mode may be placed at any time in port-fair mode. Similarly, a LAG instance that is currently in adapt-qos port-fair mode may be placed at any time in link mode. However, a LAG instance in adapt-qos distribute mode may not be placed into port-fair (or link) mode while QoS objects are associated with the LAG instance. To move from distribute to port-fair mode it is necessary to remove all QoS objects from the LAG instance.

Platforms

All

adapt-qos

Syntax

adapt-qos {distribute | link | port-fair}

no adapt-qos

Context

[Tree] (config>eth-tunnel>lag-emulation>access adapt-qos)

Full Context

configure eth-tunnel lag-emulation access adapt-qos

Description

This command specifies how the emulated LAG queue and virtual scheduler buffering and rate parameters are adapted over multiple active MDAs.

The no form of the command reverts to the default.

Parameters

distribute

Creates an additional internal virtual scheduler per line card as parent of the configured SAP queues and virtual schedulers per member path on that line card. This internal virtual scheduler limits the total amount of egress bandwidth for all member paths on the line card to that line card’s share of the bandwidth specified in the egress qos policy. This mode is not supported together with an egress port scheduler or the use of egress queue groups.

link

Specifies that the emulated LAG will create the SAP queues and virtual schedulers with the bandwidth specified in the egress QoS policy on each member path.

port-fair

Specifies that the emulated LAG will create the SAP queues and virtual schedulers on each member path based on the bandwidth specified in the egress QoS policy divided by the number of active paths.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

adaptation-rule

adaptation-rule

Syntax

adaptation-rule [pir adaptation-rule] [cir adaptation-rule]

no adaptation-rule

Context

[Tree] (config>qos>sap-egress>queue adaptation-rule)

Full Context

configure qos sap-egress queue adaptation-rule

Description

This command defines the method used by the system to derive the operational CIR and PIR settings when the queue is provisioned in hardware. For the CIR and PIR parameters individually, the system attempts to find the best operational rate depending on the defined constraint.

When a specific adaptation-rule is removed, the default constraints for pir and cir apply.

The no form of this command removes any explicitly defined constraints used to derive the operational CIR and PIR created by the application of the policy.

Default

adaptation-rule pir closest cir closest

Parameters

pir

Defines the constraints enforced when adapting the queue's PIR. The pir parameter requires a qualifier that defines the constraint used when deriving the operational PIR for the queue. When the pir parameter is not specified, the default constraint applies.

Values

max — Specifies that the operational PIR for the queue will be equal to or less than the requested rate.

min — Specifies that the operational PIR for the queue will be equal to or greater than the requested rate.

closest — Specifies that the operational PIR for the queue will be the rate closest to the requested rate.

cir

Defines the constraints enforced when adapting the queue's CIR defined. The cir parameter requires a qualifier that defines the constraint used when deriving the operational CIR for the queue. When the cir parameter is not specified, the default constraint applies.

Values

max — Specifies that the operational rate for the queue will be equal to or less than the requested rate.

min — Specifies that the operational rate for the queue will be equal to or greater than the requested rate.

closest — Specifies that the operational rate for the queue will be the rate closest to the requested rate.

Platforms

All

adaptation-rule

Syntax

adaptation-rule [pir adaptation-rule] [cir adaptation-rule]

no adaptation-rule

Context

[Tree] (config>qos>sap-egress>queue adaptation-rule)

Full Context

configure qos sap-egress queue adaptation-rule

Description

This command defines the method used by the system to derive the operational FIR, CIR, and PIR settings when the queue is provisioned in hardware. For the FIR, CIR, and PIR parameters individually, the system attempts to find the best operational rate depending on the defined constraint.

When a specific adaptation-rule is removed, the default constraints for pir, cir, and fir apply.

The no form of this command removes any explicitly defined constraints used to derive the operational FIR, CIR, and PIR created by the application of the policy.

Default

adaptation-rule pir closest cir closest fir closest

Parameters

pir adaptation-rule

Defines the constraints enforced when adapting the queue's PIR. The pir parameter requires a qualifier that defines the constraint used when deriving the operational PIR for the queue. When the pir parameter is not specified, the default applies.

Values

max - The max option is mutually exclusive to the min and closest options. When max is specified, the operational rate for the queue will be equal to or less than the requested rate.

min - The min option is mutually exclusive to the max and closest options. When min is specified, the operational PIR for the queue will be equal to or greater than the requested rate.

closest - The closest parameter is mutually exclusive to the min and max parameter. When closest is specified, the operational PIR for the queue will be the rate closest to the requested rate.

cir adaptation-rule

Defines the constraints enforced when adapting the queue's CIR. The cir parameter requires a qualifier that defines the constraint used when deriving the operational CIR for the queue. When the cir parameter is not specified, the default constraint applies.

max

Specifies that the operational rate for the queue will be equal to or less than the requested rate.

min

Specifies that the operational PIR for the queue will be equal to or greater than the requested rate.

closest

Specifies that the operational PIR for the queue will be the rate closest to the requested rate.

Platforms

All

adaptation-rule

Syntax

adaptation-rule [pir adaptation-rule] [cir adaptation-rule]

Context

[Tree] (config>service>vpls>sap>ingress>queue-override>queue adaptation-rule)

[Tree] (config>service>ies>if>sap>ingress>queue-override>queue adaptation-rule)

[Tree] (config>service>ies>sub-if>grp-if>sap>egress>queue-override>queue adaptation-rule)

[Tree] (config>service>ies>if>sap>egress>queue-override>queue adaptation-rule)

[Tree] (config>service>vpls>sap>egress>queue-override>queue adaptation-rule)

Full Context

configure service vpls sap ingress queue-override queue adaptation-rule

configure service ies interface sap ingress queue-override queue adaptation-rule

configure service ies subscriber-interface group-interface sap egress queue-override queue adaptation-rule

configure service ies interface sap egress queue-override queue adaptation-rule

configure service vpls sap egress queue-override queue adaptation-rule

Description

This command overrides specific attributes of the specified queue’s adaptation rule parameters. The adaptation rule controls the method used by the system to derive the operational CIR and PIR settings when the queue is provisioned in hardware. For the CIR and PIR parameters individually, the system attempts to find the best operational rate depending on the defined constraint.

This command is ignored for egress HSQ queue group queues which are attached to an HS WRR group within an associated HS attachment policy. In this case, the configuration of the adaptation rule is performed under the hs-wrr-group within the SAP egress QoS policy.

The no form of this command removes any explicitly defined constraints used to derive the operational CIR and PIR created by the application of the policy. When a specific adaptation-rule is removed, the default constraints for rate and cir apply.

Default

no adaptation-rule

Parameters

pir

Specifies the constraints enforced when adapting the PIR rate defined within the queue queue-id rate command. The pir parameter requires a qualifier that defines the constraint used when deriving the operational PIR for the queue. When the rate command is not specified, the default applies.

cir

Specifies the constraints enforced when adapting the CIR rate defined within the queue queue-id rate command. The cir parameter requires a qualifier that defines the constraint used when deriving the operational CIR for the queue. When the cir parameter is not specified, the default constraint applies.

adaptation-rule

Specifies the CIR and PIR adaptation rules.

Values

max — The max (maximum) option is mutually exclusive with the min and closest options. When max is defined, the operational PIR for the queue is equal to or less than the administrative rate specified using the rate command.

min — The min (minimum) option is mutually exclusive with the max and closest options. When min is defined, the operational PIR for the queue is equal to or greater than the administrative rate specified using the rate command.

closest — The closest parameter is mutually exclusive with the min and max parameter. When closest is defined, the operational PIR for the queue is the rate closest to the rate specified using the rate command.

Platforms

All

adaptation-rule

Syntax

adaptation-rule pir adaptation-rule [cir adaptation-rule]

no adaptation-rule

Context

[Tree] (config>subscr-mgmt>isa-policer adaptation-rule)

Full Context

configure subscriber-mgmt isa-policer adaptation-rule

Description

For operational efficiency, the operational rate of a policer cannot take on every value in the configurable range. This configuration defines a rule that must be followed when mapping a configured rate to an operational rate.

The cir adaptation-rule can only be set on dual-bucket-bandwidth policers.

The no form of this command reverts to its default.

Default

adaptation-rule pir closest cir closest

Parameters

pir adaptation-rule

Configures the rules to compute the PIR operational rates.

Values

min — Specifies that the operational rate must minimally be the configured rate. The first operational value bigger or equal to the configured rate is chosen.

max — Specifies that the operational rate may maximally be the configured rate. The first operational value smaller or equal to the configured rate is chosen.

closest — Chooses the operational value closest to the configured value, lower or higher.

cir adaptation-rule

Configures the rules to compute the CIR operational rates.

Values

adaptation-rule

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

adaptation-rule

Syntax

adaptation-rule [pir adaptation-rule] [cir {max | min | closest}]

no adaptation-rule

Context

[Tree] (config>port>ethernet>network>egr>qover>q adaptation-rule)

[Tree] (config>port>ethernet>access>ing>qgrp>qover>q adaptation-rule)

[Tree] (config>port>ethernet>access>egr>qgrp>qover>q adaptation-rule)

Full Context

configure port ethernet network egress queue-overrides queue adaptation-rule

configure port ethernet access ingress queue-group queue-overrides queue adaptation-rule

configure port ethernet access egress queue-group queue-overrides queue adaptation-rule

Description

This command specifies the method used by the system to derive the operational CIR and PIR settings when the queue is provisioned in hardware. For the CIR and PIR parameters individually, the system attempts to find the best operational rate depending on the defined constraint.

This command is ignored for egress HSQ queue group queues which are attached to an HS WRR group within an associated HS attachment policy. In this case the configuration of the adaptation rule is performed under the hs-wrr-group within the egress queue group template.

The no form of this command removes any explicitly defined constraints used to derive the operational CIR and PIR created by the application of the policy. When a specific adaptation-rule is removed, the default constraints for rate and cir apply.

Default

adaptation-rule pir closest cir closest

Parameters

pir

Defines the constraints enforced when adapting the PIR rate defined within the queue queue-id rate command. The pir parameter requires a qualifier that defines the constraint used when deriving the operational PIR for the queue. When the rate command is not specified, the default applies.

cir

Defines the constraints enforced when adapting the CIR rate defined within the queue queue-id rate command. The cir parameter requires a qualifier that defines the constraint used when deriving the operational CIR for the queue. When the cir parameter is not specified, the default constraint applies.

adaptation-rule

Specifies the adaptation rule to be used while computing the operational CIR or PIR value.

Values

max — The max (maximum) option is mutually exclusive with the min and closest options. When max is defined, the operational PIR for the queue will be equal to or less than the administrative rate specified using the rate command.

min — The min (minimum) option is mutually exclusive with the max and closest options. When min is defined, the operational PIR for the queue will be equal to or greater than the administrative rate specified using the rate command.

closest — The closest parameter is mutually exclusive with the min and max parameter. When closest is defined, the operational PIR for the queue will be the rate closest to the rate specified using the rate command.

Platforms

All

adaptation-rule

Syntax

adaptation-rule [pir adaptation-rule] [cir adaptation-rule]

no adaption-rule

Context

[Tree] (config>service>ipipe>sap>egress>queue-override>queue adaptation-rule)

[Tree] (config>service>ipipe>sap>ingress>queue-override>queue adaptation-rule)

[Tree] (config>service>epipe>sap>ingress>queue-override>queue adaptation-rule)

[Tree] (config>service>epipe>sap>egress>queue-override>queue adaptation-rule)

Full Context

configure service ipipe sap egress queue-override queue adaptation-rule

configure service ipipe sap ingress queue-override queue adaptation-rule

configure service epipe sap ingress queue-override queue adaptation-rule

configure service epipe sap egress queue-override queue adaptation-rule

Description

This command can be used to override specific attributes of the specified queue’s adaptation rule parameters. The adaptation rule controls the method used by the system to derive the operational CIR and PIR settings when the queue is provisioned in hardware. For the CIR and PIR parameters individually, the system attempts to find the best operational rate depending on the defined constraint.

This command is ignored for egress HSQ queue group queues which are attached to an HS WRR group within an associated HS attachment policy. In this case the configuration of the adaptation rule is performed under the hs-wrr-group within the SAP egress QoS policy.

The no form of this command removes any explicitly defined constraints used to derive the operational CIR and PIR created by the application of the policy. When a specific adaptation-rule is removed, the default constraints for rate and cir apply.

Default

no adaptation-rule

Parameters

pir

The pir parameter defines the constraints enforced when adapting the PIR rate defined within the queue queue-id rate command. The pir parameter requires a qualifier that defines the constraint used when deriving the operational PIR for the queue. When the rate command is not specified, the default applies.

cir

The cir parameter defines the constraints enforced when adapting the CIR rate defined within the queue queue-id rate command. The cir parameter requires a qualifier that defines the constraint used when deriving the operational CIR for the queue. When the cir parameter is not specified, the default constraint applies.

adaptation-rule

Specifies the criteria to use to compute the operational CIR and PIR values for this queue, while maintaining a minimum offset.

Values

max — The max (maximum) keyword is mutually exclusive with the min and closest options. When max is defined, the operational PIR for the queue will be equal to or less than the administrative rate specified using the rate command.

min — The min (minimum) keyword is mutually exclusive with the max and closest options. When min is defined, the operational PIR for the queue will be equal to or greater than the administrative rate specified using the rate command.

closest — The closest parameter is mutually exclusive with the min and max parameter. When closest is defined, the operational PIR for the queue will be the rate closest to the rate specified using the rate command.

Platforms

All

adaptation-rule

Syntax

adaptation-rule [pir adaptation-rule] [cir adaptation-rule]

no adaptation-rule

Context

[Tree] (config>service>vprn>if>sap>egress>queue-override>queue adaptation-rule)

[Tree] (config>service>vprn>if>sap>ingress>queue-override>queue adaptation-rule)

Full Context

configure service vprn interface sap egress queue-override queue adaptation-rule

configure service vprn interface sap ingress queue-override queue adaptation-rule

Description

This command can be used to override specific attributes of the specified queue’s adaptation rule parameters. The adaptation rule controls the method used by the system to derive the operational CIR and PIR settings when the queue is provisioned in hardware. For the CIR and PIR parameters individually, the system attempts to find the best operational rate depending on the defined constraint.

This command is ignored for egress HSQ queue group queues which are attached to an HS WRR group within an associated HS attachment policy. In this case, the configuration of the adaptation rule is performed under the hs-wrr-group within the SAP egress QoS policy.

The no form of this command removes any explicitly defined constraints used to derive the operational CIR and PIR created by the application of the policy. When a specific adaptation-rule is removed, the default constraints for rate and cir apply.

Default

no adaptation-rule

Parameters

pir

The pir parameter defines the constraints enforced when adapting the PIR rate defined within the queue queue-id rate command. The pir parameter requires a qualifier that defines the constraint used when deriving the operational PIR for the queue. When the rate command is not specified, the default applies.

cir

The cir parameter defines the constraints enforced when adapting the CIR rate defined within the queue queue-id rate command. The cir parameter requires a qualifier that defines the constraint used when deriving the operational CIR for the queue. When the cir parameter is not specified, the default constraint applies.

adaptation-rule

Specifies the criteria to use to compute the operational CIR and PIR values for this queue, while maintaining a minimum offset.

Values

max — The max (maximum) keyword is mutually exclusive with the min and closest options. When max is defined, the operational PIR for the queue will be equal to or less than the administrative rate specified using the rate command.

min — The min (minimum) keyword is mutually exclusive with the max and closest options. When min is defined, the operational PIR for the queue will be equal to or greater than the administrative rate specified using the rate command.

closest — The closest parameter is mutually exclusive with the min and max parameter. When closest is defined, the operational PIR for the queue will be the rate closest to the rate specified using the rate command.

Platforms

All

adaptation-rule

Syntax

adaptation-rule pir adaptation-rule [cir {adaptation-rule}]

no adaptation-rule

Context

[Tree] (config>app-assure>group>policer adaptation-rule)

Full Context

configure application-assurance group policer adaptation-rule

Description

This command defines the method used by the system to derive the operational CIR and PIR settings when the queue is provisioned in hardware. For the CIR and PIR parameters individually, the system attempts to find the best operational rate depending on the defined option. To change the CIR adaptation rule only, the current PIR rule must be part of the command executed.

The no form of this command removes any explicitly defined constraints used to derive the operational CIR and PIR created by the application of the policy. When a specific adaptation-rule is removed, the default constraints for rate and cir apply.

Default

adaptation-rule pir closest cir closest

Parameters

max

The operational PIR or CIR for the queue will be equal to or less than the administrative rate specified using the rate command.

min

The operational PIR or CIR for the queue will be equal to or greater than the administrative rate specified using the rate command.

closest

The operational PIR or CIR for the queue will be the rate closest to the rate specified using the rate command.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

adaptation-rule

Syntax

adaptation-rule [pir adaptation-rule] [cir adaptation-rule]

no adaptation-rule

Context

[Tree] (config>qos>sap-egress>policer adaptation-rule)

[Tree] (config>qos>sap-ingress>policer adaptation-rule)

Full Context

configure qos sap-egress policer adaptation-rule

configure qos sap-ingress policer adaptation-rule

Description

This command is used to define how the policer’s configuration parameters are translated into the underlying hardware capabilities used to implement each policer instance. For instance, the configured rates for the policer need to be mapped to the timers and decrement granularity used by the hardware's leaky bucket functions that actually perform the traffic metering. If a rate is defined that cannot be exactly matched by the hardware, the adaptation-rule setting provides guidance for which hardware rate should be used.

The hardware also needs to adapt the given mbs and cbs values into the PIR bucket violate threshold (discard) and the CIR bucket exceed threshold (out-of-profile). The hardware may not have an exact threshold match that it can use. The system treats the mbs and cbs values as minimum threshold values.

The no form of this command is used to return the policer’s metering and profiling hardware adaptation rules to closest.

Parameters

pir adaptation-rule

When the optional pir parameter is specified, the max, min, or closest keyword qualifier must follow.

Values

max — Specifies that the metering rate defined for the policer is the maximum allowed rate. The system will choose a hardware supported rate that is closest but not exceeding the specified rate.

min — Specifies that the metering rate defined for the policer is the minimum allowed rate. The system will choose a hardware supported rate that is closest but not lower than the specified rate.

closest — Specifies that the metering rate defined for the policer is the target rate. The system will choose a hardware supported rate that is closest to the specified rate.

Default

closest

cir adaptation-rule

When the optional cir parameter is specified, the max, min, or closest keyword qualifier must follow.

Values

max — Specifies that the profiling rate defined for the policer is the maximum allowed rate. The system will choose a hardware supported rate that is closest but not exceeding the specified rate.

min — Specifies that the profiling rate defined for the policer is the minimum allowed rate. The system will choose a hardware supported rate that is closest but not lower than the specified rate.

closest — Specifies that the profiling rate defined for the policer is the target rate. The system will choose a hardware supported rate that is closest to the specified rate.

Default

closest

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, 7950 XRS, VSR

adaptation-rule

Syntax

adaptation-rule [pir adaptation-rule] [cir adaptation-rule] [fir {max | min | closest}]

no adaptation-rule

Context

[Tree] (config>qos>sap-ingress>queue adaptation-rule)

Full Context

configure qos sap-ingress queue adaptation-rule

Description

This command defines the method used by the system to derive the operational FIR, CIR and PIR settings when the queue is provisioned in hardware. For the FIR, CIR and PIR parameters individually, the system attempts to find the best operational rate depending on the defined constraint.

When a specific adaptation-rule is removed, the default constraints for pir, cir and fir apply.

The no form of this command removes any explicitly defined constraints used to derive the operational FIR, CIR and PIR created by the application of the policy.

Default

adaptation-rule pir closest cir closest fir closest

Parameters

pir adaptation-rule

Defines the constraints enforced when adapting the queue's PIR. The pir parameter requires a qualifier that defines the constraint used when deriving the operational PIR for the queue. When the pir parameter is not specified, the default applies.

cir adaptation-rule

Defines the constraints enforced when adapting the queue's CIR. The cir parameter requires a qualifier that defines the constraint used when deriving the operational CIR for the queue. When the cir parameter is not specified, the default constraint applies.

fir

Defines the constraints enforced when adapting the queue's FIR. The fir parameter requires a qualifier that defines the constraint used when deriving the operational CIR for the queue. When the fir parameter is not specified, the default constraint applies. FIR is only supported on FP4 hardware and is ignored when the related policy is applied to FP2- or FP3-based hardware.

max

Specifies that the operational rate for the queue will be equal to or less than the requested rate.

min

Specifies that the operational rate for the queue will be equal to or greater than the requested rate.

closest

Specifies that the operational rate for the queue will be the rate closest to the requested rate.

Platforms

All

adaptation-rule

Syntax

adaptation-rule [pir adaptation-rule]

no adaptation-rule

Context

[Tree] (config>qos>network-queue>hs-wrr-group adaptation-rule)

Full Context

configure qos network-queue hs-wrr-group adaptation-rule

Description

This command specifies how the system should resolve differences between the specified scheduling limit derived from the WRR group’s rate command and the actual operational rate obtainable in hardware. The min, max, and closest mutually exclusive keywords specify whether the next highest rate, next lowest rate, or closest rate should be selected by the system.

The no form of the command reverts to the default value.

Default

adaptation-rule pir closest

Parameters

adaptation-rule

Specifies the adaptation rule (min, max, or closest) to be used while computing the operational PIR value. The adaptation rule specifies the rules to compute the operational values while maintaining minimum offset. The min, max, and closest keywords are mutually exclusive.

Values

min — When min is specified, the queue’s rate parameter is treated as the minimum rate to shape the queue. The hardware chooses the appropriate timers and PIR leaky bucket behavior to ensure that the queues shaping rate is the closest possible value without going under the specified rate.

max — When max is specified, the queue’s rate parameter is treated as the maximum rate to shape the queue. The hardware chooses the appropriate timers and PIR leaky bucket behavior to ensure that the queue’s shaping rate is the closest possible value without going over the specified rate.

closest — When closest is specified, the queue’s rate parameter is treated as the target rate to shape the queue. The hardware chooses the appropriate timers and PIR leaky bucket behavior to ensure that the queues shaping rate is the closest possible value and can be higher or lower than the specified rate.

Platforms

7750 SR-7/12/12e

adaptation-rule

Syntax

adaptation-rule [pir adaptation-rule]

no adaptation-rule

Context

[Tree] (config>qos>sap-egress>hs-wrr-group adaptation-rule)

Full Context

configure qos sap-egress hs-wrr-group adaptation-rule

Description

This command specifies how the system resolves differences between the specified scheduling limit derived from the WRR group’s rate command and the actual operational rate obtainable in hardware. The mutually exclusive min, max, and closest keywords specify whether the next highest rate, next lowest, or closest rate should be selected by the system.

The no form of the command reverts to the default value.

Default

adaptation-rule pir closest

Parameters

pir

Defines the constraints enforced when adapting the PIR rate defined within the queue queue-id rate command. The pir parameter requires a qualifier that defines the constraint used when deriving the operational PIR for the queue. When the rate command is not specified, the default applies.

adaptation-rule

Specifies the adaptation rule (min, max, or closest) to be used while computing the operational PIR value. The adaptation rule specifies the rules to compute the operational values while maintaining minimum offset. The min, max, and closest keywords are mutually exclusive.

Values

min — When min is specified, the queue’s rate parameter is treated as the minimum rate to shape the queue. The hardware chooses the appropriate timers and PIR leaky bucket behavior to ensure that the queues shaping rate is the closest possible value without going under the specified rate.

max — When max is specified, the queue’s rate parameter is treated as the maximum rate to shape the queue. The hardware chooses the appropriate timers and PIR leaky bucket behavior to ensure that the queue’s shaping rate is the closest possible value without going over the specified rate.

closest — When closest is specified, the queue’s rate parameter is treated as the target rate to shape the queue. The hardware chooses the appropriate timers and PIR leaky bucket behavior to ensure that the queues shaping rate is the closest possible value and can be higher or lower than the specified rate.

Platforms

7750 SR-7/12/12e

adaptation-rule

Syntax

adaptation-rule [pir adaptation-rule]

no adaptation-rule

Context

[Tree] (config>qos>qgrps>egr>qgrp>hs-wrr-group adaptation-rule)

Full Context

configure qos queue-group-templates egress queue-group hs-wrr-group adaptation-rule

Description

This command specifies how the system should resolve differences between the specified scheduling limit derived from the WRR group’s rate command and the actual operational rate obtainable in hardware. The mutually exclusive min, max, and closest keywords specify whether the next highest rate, next lowest rate, or closest rate should be selected by the system.

The no form of the command reverts to the default value.

Default

adaptation-rule pir closest

Parameters

adaptation-rule

Specifies the adaptation rule (min, max, or closest) to be used while computing the operational PIR value. The adaptation rule specifies the rules to compute the operational values while maintaining minimum offset. The min, max, and closest keywords are mutually exclusive.

Values

min — When min is specified, the queue’s rate parameter is treated as the minimum rate to shape the queue. The hardware chooses the appropriate timers and PIR leaky bucket behavior to ensure that the queues shaping rate is the closest possible value without going under the specified rate.

max — When max is specified, the queue’s rate parameter is treated as the maximum rate to shape the queue. The hardware chooses the appropriate timers and PIR leaky bucket behavior to ensure that the queue’s shaping rate is the closest possible value without going over the specified rate.

closest — When closest is specified, the queue’s rate parameter is treated as the target rate to shape the queue. The hardware chooses the appropriate timers and PIR leaky bucket behavior to ensure that the queues shaping rate is the closest possible value and can be higher or lower than the specified rate.

Platforms

7750 SR-7/12/12e

adaptation-rule

Syntax

adaptation-rule [pir {max | min | closest}] [cir {max | min | closest}]

no adaptation-rule

Context

[Tree] (config>qos>queue-group-templates>egress>queue-group>policer adaptation-rule)

Full Context

configure qos queue-group-templates egress queue-group policer adaptation-rule

Description

This command defines the method used by the system to derive the operational CIR and PIR settings when the policer is provisioned in hardware. For the CIR and PIR parameters individually, the system attempts to find the best operational rate depending on the defined constraint.

When configured on an egress HSQ queue group queue, the cir keywords are ignored. This command is ignored for egress HSQ queue group queues which are attached to an HS WRR group within an associated HS attachment policy. In this case, the configuration of the adaptation rule is performed under the hs-wrr-group within the egress queue group template.

When a specific adaptation-rule is removed, the default constraints for pir and cir apply.

The no form of this command removes any explicitly defined constraints used to derive the operational CIR and PIR created by the application of the policy.

Default

adaptation-rule pir closest cir closest

Parameters

pir

Defines the constraints enforced when adapting the policer’s PIR. The pir parameter requires a qualifier that defines the constraint used when deriving the operational PIR for the policer. When the pir parameter is not specified, the default constraint applies.

cir

Defines the constraints enforced when adapting the policer’s CIR. The cir parameter requires a qualifier that defines the constraint used when deriving the operational CIR for the policer. When the cir parameter is not specified, the default constraint applies.

max

Specifies that the operational rate for the policer will be equal to or less than the requested rate.

min

Specifies that the operational rate for the policer will be equal to or greater than the requested rate.

closest

Specifies that the operational rate for the policer will be the rate closest to the requested rate.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, 7950 XRS, VSR

adaptation-rule

Syntax

adaptation-rule [pir {max | min | closest}] [cir {max | min | closest}] [fir {max | min | closest}]

no adaptation-rule

Context

[Tree] (config>qos>queue-group-templates>ingress>queue-group>queue adaptation-rule)

Full Context

configure qos queue-group-templates ingress queue-group queue adaptation-rule

Description

This command defines the method used by the system to derive the operational FIR, CIR and PIR settings when the queue is provisioned in hardware. For the FIR, CIR and PIR parameters individually, the system attempts to find the best operational rate depending on the defined constraint.

When a specific adaptation-rule is removed, the default constraints for pir, cir and fir apply.

The no form of this command removes any explicitly defined constraints used to derive the operational FIR, CIR and PIR created by the application of the policy.

Default

adaptation-rule pir closest cir closest fir closest

Parameters

pir

Defines the constraints enforced when adapting the queue's PIR. The pir parameter requires a qualifier that defines the constraint used when deriving the operational PIR for the queue. When the pir parameter is not specified, the default constraint applies.

cir

Defines the constraints enforced when adapting the queue's CIR. The cir parameter requires a qualifier that defines the constraint used when deriving the operational CIR for the queue. When the cir parameter is not specified, the default constraint applies.

fir

Defines the constraints enforced when adapting the queue's FIR. The fir parameter requires a qualifier that defines the constraint used when deriving the operational CIR for the queue. When the fir parameter is not specified, the default constraint applies. FIR is only supported on FP4 hardware and is ignored when the related policy is applied to FP2- or FP3-based hardware.

max

Specifies that the operational rate for the queue will be equal to or less than the requested rate.

min

Specifies that the operational rate for the queue will be equal to or greater than the requested rate.

closest

Specifies that the operational rate for the queue will be the rate closest to the requested rate.

Platforms

All

adaptation-rule

Syntax

adaptation-rule [pir {max | min | closest}] [cir {max | min | closest}]

no adaptation-rule

Context

[Tree] (config>qos>queue-group-templates>egress>queue-group>queue adaptation-rule)

Full Context

configure qos queue-group-templates egress queue-group queue adaptation-rule

Description

This command defines the method used by the system to derive the operational CIR and PIR settings when the queue is provisioned in hardware. For the CIR and PIR parameters individually, the system attempts to find the best operational rate depending on the defined constraint.

When configured on an egress HSQ queue group queue, the cir keywords are ignored. This command is ignored for egress HSQ queue group queues which are attached to an HS WRR group within an associated HS attachment policy. In this case, the configuration of the adaptation rule is performed under the hs-wrr-group within the egress queue group template.

When a specific adaptation-rule is removed, the default constraints for pir and cir apply.

The no form of this command removes any explicitly defined constraints used to derive the operational CIR and PIR created by the application of the policy.

Default

adaptation-rule pir closest cir closest

Parameters

pir

Defines the constraints enforced when adapting the queue's PIR. The pir parameter requires a qualifier that defines the constraint used when deriving the operational PIR for the queue. When the pir parameter is not specified, the default applies.

cir

Defines the constraints enforced when adapting the queue's CIR defined. The cir parameter requires a qualifier that defines the constraint used when deriving the operational CIR for the queue. When the cir parameter is not specified, the default constraint applies.

max

Specifies that the operational rate for the queue will be equal to or less than the requested rate.

min

Specifies that the operational rate for the queue will be equal to or greater than the requested rate.

closest

Specifies that the operational rate for the queue will be the rate closest to the requested rate.

Platforms

All

adaptation-rule

Syntax

adaptation-rule [pir {max | min | closest}] [cir {max | min | closest}] [fir {max | min | closest}]

no adaptation-rule

Context

[Tree] (config>qos>network-queue>queue adaptation-rule)

Full Context

configure qos network-queue queue adaptation-rule

Description

This command defines the method used by the system to derive the operational FIR, CIR, and PIR settings when the queue is provisioned in hardware. For the FIR, CIR, and PIR parameters individually, the system attempts to find the best operational rate depending on the defined constraint.

When configured on an egress HSQ queue group queue, the cir keyword is ignored. This command is ignored for egress HSQ queue group queues which are attached to an HS WRR group within an associated HS attachment policy. In this case, the configuration of the adaptation-rule is performed under the hs-wrr-group within the network queue policy.

The no form of this command removes any explicitly defined constraints used to derive the operational FIR, CIR, and PIR created by the application of the policy. When a specific adaptation-rule is removed, the default constraints for fir, cir, and pir apply.

Default

adaptation-rule pir closest cir closest fir closest

Parameters

pir

Defines the constraints enforced when adapting the queue's PIR. The pir parameter requires a qualifier that defines the constraint used when deriving the operational PIR for the queue. When the pir parameter is not specified, the default applies.

cir

Defines the constraints enforced when adapting the queue's CIR. The cir parameter requires a qualifier that defines the constraint used when deriving the operational CIR for the queue. When the cir parameter is not specified, the default constraint applies.

fir

Defines the constraints enforced when adapting the queue's FIR. The fir parameter requires a qualifier that defines the constraint used when deriving the operational FIR for the queue. When the fir parameter is not specified, the default constraint applies. FIR is only supported on FP4 hardware and is ignored when the related policy is applied to FP2- or FP3-based hardware.

max

Specifies that the operational rate for the queue will be equal to or less than the requested rate.

min

Specifies that the operational rate for the queue will be equal to or greater than the administrative rate specified using the rate command.

closest

Specifies that the operational rate for the queue will be the rate closest to the requested rate.

Platforms

All

adaptive

adaptive

Syntax

[no] adaptive

Context

[Tree] (config>router>mpls>lsp>primary adaptive)

[Tree] (config>router>mpls>lsp-template adaptive)

[Tree] (config>router>mpls>lsp>primary-p2mp-instance adaptive)

[Tree] (config>router>mpls>lsp adaptive)

[Tree] (config>router>mpls>lsp>secondary adaptive)

Full Context

configure router mpls lsp primary adaptive

configure router mpls lsp-template adaptive

configure router mpls lsp primary-p2mp-instance adaptive

configure router mpls lsp adaptive

configure router mpls lsp secondary adaptive

Description

This command enables the make-before-break functionality for an LSP or LSP path. When enabled for the LSP, make-before-break will be performed for primary path and all the secondary paths of the LSP.

The config>router>mpls>lsp>primary-p2mp-instance> adaptive command is not supported on the 7450 ESS.

Default

adaptive

Platforms

All

adaptive-load-balancing

adaptive-load-balancing

Syntax

adaptive-load-balancing [tolerance tolerance-value] [interval interval] [bandwidth-threshold percent]

no adaptive-load-balancing

Context

[Tree] (config>lag adaptive-load-balancing)

Full Context

configure lag adaptive-load-balancing

Description

This command enables adaptive load balancing between LAG links. The tolerance value defines the percentage threshold between the most and the least used link in the LAG. If the tolerance value is exceeded, adaptive load balancing optimizes traffic distribution between LAG links. The bandwidth threshold defines the minimum bandwidth percentage of the most loaded LAG port egress. If the bandwidth threshold value is exceeded, adaptive load balancing optimization is performed.

The no form of this command disables adaptive load balancing.

Default

no adaptive-load-balancing

Parameters

tolerance-value

Specifies the allowed tolerance value expressed as a percentage.

Values

1 to 100

Default

20

interval

Specifies the statistics pooling interval value, in seconds, for the LAG ports.

Values

15, 30, 60, 120

Default

30

percent

Specifies the bandwidth threshold expressed as a percentage.

Values

0 to 100

Default

10 on PXC LAG, 30 on other LAG types

Platforms

All

add

add

Syntax

add percent percentage [min-only] [ active-min-only]

add rate rate [min-only] [active-min-only]

no add

Context

[Tree] (config>qos>adv-config-policy>child-control>offered-measurement add)

Full Context

configure qos adv-config-policy child-control offered-measurement add

Description

This command is used to increase the measured rate of the policer or queue associated with the policy. The offered rate (capped by the administrative PIR configured on the queue or policer) is usually used unaltered by the parent virtual scheduler. The add command allows this measured rate to be increased by the specified amount or by a percentage of the administrative PIR. The resulting rate will not exceed the administrative PIR.

The parent scheduler uses the modified measured rate as the available work load for the queue or policer in determining how much bandwidth the child should receive from the bandwidth distribution algorithm.

One example of when an increase in the measured offered rate may be desired is when a queue or policer is handling VoIP traffic. A characteristic of VoIP is the step nature in how traffic is used. Each call typically adds a certain maximum amount to the overall load. By using the add command, the bandwidth required for the next added call may be included in the current measured rate. This allows the virtual scheduler to allocate sufficient bandwidth to the queue or policer so that when the call is made the scheduling algorithm does not need to run to increase the bandwidth.

A side effect of increasing the measured offered rate is that if the extra bandwidth is allocated by the virtual scheduler, the available bandwidth to lower priority queues or policers is diminished even though the extra allocated bandwidth may not be in use. If this is the case, the effect will be seen as an underrun in the aggregate output of the virtual scheduler.

If the add command is used with a percent-based value, the increase is a function of the configured PIR value on the policer or queue. In this case, care should be taken that the child is either configured with an explicit PIR rate (other than max) or the child’s administrative PIR is defined using the percent-rate command with the local parameter enabled if an explicit value is not desired. When a maximum PIR is in use on the child, the system attempts to interpret the maximum child forwarding rate. This rate could be very large if the child is associated with multiple ingress or egress ports.

Except for the overall cap on the offered input into the virtual scheduler, the child’s administrative PIR has no effect on the calculated increase if an explicit rate is specified.

If the child’s administrative PIR is modified while a percent based add is in effect, the system automatically uses the new relative increase value the next time the child’s offered rate is determined.

When the add command is not specified or removed, the child’s offered rate used by the child’s virtual scheduler is not increased.

The no form of this command is used to remove an offered rate increase from all child policers and queues associated with the policy.

Parameters

percent-of-admin-pir

When the percent qualifier is used, this parameter specifies the percentage of the child’s administrative PIR that should be added to the child’s offered rate. The new offered rate result is capped by the child’s PIR. If a value of 0 or 0.00 is used, the system interprets this equivalent to no add.

Values

1.00 to 100.00

rate-in-kilobits-per-second

When the rate qualifier is used, this parameter specifies an explicit rate, in kb/s, that should be added to the child’s offered rate. The new offered rate result is capped by the child’s PIR. If a rate increase of 0 is specified, the system interprets this equivalent to no add.

Values

0 to 100,000,000

min-only

This optional parameter is used to reinterpret the increase as a minimum offered rate. When this option is enabled, the system uses the specified increase as a minimum offered rate even for inactive queues or policers associated with the policy.

active-min-only

When this optional parameter is specified, the respective rate or percentage is treated as the minimum offered rate for a queue only when the queue has an actual non-zero offered rate. This is intended to limit the artificial increase in offered rate to queues that are currently active. When a queue’s measured offered rate drops to zero, the system stops enforcing the minimum value.

Platforms

All

add-paths

add-paths

Syntax

[no] add-paths

Context

[Tree] (config>router>bgp>group>neighbor add-paths)

[Tree] (config>router>bgp add-paths)

[Tree] (config>router>bgp>group add-paths)

Full Context

configure router bgp group neighbor add-paths

configure router bgp add-paths

configure router bgp group add-paths

Description

This command allows the add-paths node to be the configured for one or more families of the BGP instance, a group or a neighbor. The BGP add-paths capability allows the router to send and/or receive multiple paths per prefix to/from a peer. The add-paths command without additional parameters is equivalent to removing Add-Paths support for all address families, which causes sessions that previously negotiated the add-paths capability for one or more address families to go down and come back up without the add-paths capability.

The no form of this command (no add-paths) removes add-paths from the configuration of BGP, the group or the neighbor, causing sessions established using add-paths to go down and come back up without the add-paths capability.

Default

no add-paths

Platforms

All

add-paths-send-limit

add-paths-send-limit

Syntax

add-paths-send-limit send-limit

no add-paths-send-limit

Context

[Tree] (config>router>policy-options>policy-statement>default-action add-paths-send-limit)

[Tree] (config>router>policy-options>policy-statement>entry add-paths-send-limit)

Full Context

configure router policy-options policy-statement default-action add-paths-send-limit

configure router policy-options policy-statement entry add-paths-send-limit

Description

This command sets the send-limit to a specific value for all routes matched by the policy entry or default action. Add-paths allows a BGP router to send multiple paths for the same NLRI/prefix to a peer advertising the add-paths receive capability. The send-limit dictates the maximum number of paths that can be advertised.

The default send-limit is controlled by the instance, group or neighbor level configuration and applies to all prefixes in a particular address family. Using route policies allows the default send-limit to be overridden to use a larger or smaller maximum value on a per-prefix basis. For example, if, for most prefixes advertised to a peer, at most 1 path should be advertised but for a few exceptional prefixes up to 4 paths should be advertised, then the neighbor-level send-limit can be set to a value of 1 and the add-paths-send-limit in the policy entry that matches the exceptional routes can be set to a value of 4.

Default

no add-paths-send-limit

Parameters

send-limit

Specifies the maximum number of paths to advertise for matched routes to an Add-Paths peer. If the value is multipaths, then BGP advertises all of the used BGP multipaths for each matched route that is the best path for its prefix (NLRI). Add paths can be advertised only if the peer has signaled support for receiving multiple add paths.

Values

1 to 16, none, multipaths

Platforms

All

add-srv6-tlvs

add-srv6-tlvs

Syntax

add-srv6-tlvs locator locator-name

add-srv6-tlvs micro-segment-locator ms-locator-name

no add-srv6-tlvs

Context

[Tree] (config>router>bgp>srv6>family add-srv6-tlvs)

Full Context

configure router bgp segment-routing-v6 family add-srv6-tlvs

Description

This command adds a prefix SID attribute containing an SRv6 TLV to routes belonging to the family that are redistributed from another protocol into BGP. This command also adds a prefix SID attribute with SRv6 TLV to BGP routes received from other peers without the SRv6 TLV and that are propagated to other peers with next-hop-self applied.

The no form of this command reverts to the default value which does not append the SRv6 TLV.

Default

no add-srv6-tlvs

Parameters

locator-name

Specifies an existing locator name, up to 64 characters.

ms-locator-name

Specifies a micro-segment locator name, up to 64 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-s, 7950 XRS, VSR

add-to-received-bgp

add-to-received-bgp

Syntax

add-to-received-bgp weight

no add-to-received-bgp

Context

[Tree] (config>service>vprn>bgp>group>neighbor>evpn-link-bandwidth add-to-received-bgp)

[Tree] (config>service>vprn>bgp>group>evpn-link-bandwidth add-to-received-bgp)

Full Context

configure service vprn bgp group neighbor evpn-link-bandwidth add-to-received-bgp

configure service vprn bgp group evpn-link-bandwidth add-to-received-bgp

Description

This command configures the weight value added to all BGP PE-CE routes for the purpose of weighted ECMP if EVPN-IFL and BGP PE-CE routes are combined into the same ECMP set.

For the load-balancing between EVPN-IFL and BGP PE-CE routes the configure service vprn bgp eibgp-loadbalance command must already be configured on the system.

The no form of this command disables the weight value added to all BGP PE-CE routes.

Default

no add-to-received-bgp

Parameters

weight

Specifies the weight value added to all BGP PE-CE routes.

Values

1 to 128

Platforms

All

add-to-received-ebgp

add-to-received-ebgp

Syntax

add-to-received-ebgp family [family]

no add-to-received-ebgp

Context

[Tree] (config>service>vprn>bgp>group>neighbor>link-bandwidth add-to-received-ebgp)

[Tree] (config>service>vprn>bgp>group>link-bandwidth add-to-received-ebgp)

Full Context

configure service vprn bgp group neighbor link-bandwidth add-to-received-ebgp

configure service vprn bgp group link-bandwidth add-to-received-ebgp

Description

This command configures BGP to automatically add a link-bandwidth extended community to every route received from a directly connected (single-hop) EBGP peer within the scope of the command, as long as that route belongs to one of the listed address families.

The link-bandwidth extended community added by this command encodes the local-AS number of receiving BGP instance and the bandwidth of the interface to the directly connected EBGP peer.

Up to three families may be configured.

The no form of this command removes the link-bandwidth extended community added to received BGP routes.

Default

no add-to-received-ebgp

Parameters

family

Specifies the address families for which receiving the link-bandwidth extended community from EBGP peers should be supported.

Values

ipv4 — Adds a link-bandwidth extended community to unlabeled unicast IPv4 routes.

label-ipv4 — Adds a link-bandwidth extended community to labeled-unicast IPv4 routes.

ipv6 — Adds a link-bandwidth extended community to unlabeled unicast IPv6 routes.

Platforms

All

add-to-received-ebgp

Syntax

add-to-received-ebgp family [family]

no add-to-received-ebgp

Context

[Tree] (config>router>bgp>group>neighbor>link-bandwidth add-to-received-ebgp)

[Tree] (config>router>bgp>group>link-bandwidth add-to-received-ebgp)

Full Context

configure router bgp group neighbor link-bandwidth add-to-received-ebgp

configure router bgp group link-bandwidth add-to-received-ebgp

Description

This command configures BGP to automatically add a link-bandwidth extended community to every route received from a directly connected (single-hop) EBGP peer within the scope of the command, as long as that route belongs to one of the listed address families.

The link-bandwidth extended community added by this command encodes the local-AS number of receiving BGP instance and the bandwidth of the interface to the directly connected EBGP peer.

Up to six families may be configured.

The no form of this command removes the link-bandwidth extended community added to received BGP routes.

Default

no add-to-received-ebgp

Parameters

family

Specifies the address families for which receiving the link-bandwidth extended community from EBGP peers should be supported.

Values

ipv4 — Adds a link-bandwidth extended community to unlabeled unicast IPv4 routes.

label-ipv4 — Adds a link-bandwidth extended community to labeled-unicast IPv4 routes.

vpn-ipv4 — Adds a link-bandwidth extended community to IPv4 VPN (SAFI 128) routes.

ipv6 — Adds a link-bandwidth extended community to unlabeled unicast IPv6 routes.

label-ipv6 — Adds a link-bandwidth extended community to labeled-unicast IPv6 routes.

vpn-ipv6 — Adds a link-bandwidth extended community to IPv6 VPN (SAFI 128) routes.

Platforms

All

add-tunnel

add-tunnel

Syntax

add-tunnel never

add-tunnel on reason [reason]

no add-tunnel

Context

[Tree] (config>service>vprn>l2tp>tunnel-selection-blacklist add-tunnel)

[Tree] (config>router>l2tp>tunnel-selection-blacklist add-tunnel)

Full Context

configure service vprn l2tp tunnel-selection-blacklist add-tunnel

configure router l2tp tunnel-selection-blacklist add-tunnel

Description

This command will force the tunnel to the denylist and render it unavailable for new sessions for the duration of preconfigured time. Peers are always forced to the denylist in case they time out (failure to receive response to control packets). In addition to time outs, certain events can be used to trigger placement of the tunnel on the denylist.

Default

add-tunnel never

Parameters

never

When specified, no tunnels will be placed on the denylist under any circumstance. This parameter will available to preserve backward compatibility.

reason

Specifies the return codes or events that determine which tunnels are added to the denylist. A maximum of eight reasons can be specified in a single statement.

Table 1. Return codes

Return code

Tunnels added to denylist

cdn-err-code

A tunnel is forced to the denylist if that CDN message with the Result Code 2 (Call disconnected for the reasons indicated in error code) is received.

cdn-inv-dest

A tunnel is forced to the denylist if that CDN message with the Result Codes 6 (Invalid destination) is received.

cdn-tmp-no-facilities

A tunnel is forced to the denylist if that CDN message with the Result Code 4 is received (Call failed due to lack of appropriate facilities being available - temporary condition) is received.

cdn-perm-no-facilities

A tunnel is forced to the denylist if that CDN message with the Result Codes 5 (Call failed due to lack of appropriate facilities being available - permanent condition) is received.

tx-cdn-not-established-in-time

A tunnel is forced to the denylist if that CDN message with the Result Code 10 (Call was not established within time allotted by LAC) is sent from the LAC to the LNS.

stop-ccn-err-code

A tunnel is forced to the denylist if that StopCCN message with the Result Code 2 (General error – Error Code indicates the problem) is sent or received.

stop-ccn-other

A tunnel is forced to the denylist if that StopCCN message with the following Result Codes is received:

(1) General request to clear control connection

(4) Requester is not authorized to establish a control channel

(5) Protocol version not supported

(6) Requester is being shutdown

Or in the case that the StopCCN with the following result codes is transmitted:

(4) Requester is not authorized to establish a control channel.

(5) Protocol version not supported

The receipt of the following Result Codes will never denylist a tunnel:

(0) Reserved

(3) Control channel already exist

(7) Finite state machine error

(8) Undefined

Transmission of the following Result Codes will never denylist a tunnel:

(1) General request to clear control connection

(3) Control channel already exist

(6) Requester is being shutdown

(7) Finite state machine error

addr-change-timeout

A timed-out tunnel for which the peer IP address has changed mid-session (from the one that is provided initially during configuration) is forced to the denylist. In absence of this configuration option, only the configured peer for the tunnel is, but not the tunnel itself which now has a different peer address than the one initially configured.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

address

address

Syntax

address gi-address [scope scope]

address ip-address[/prefix-length]

address pool pool-name [secondary-pool sec-pool-name] [delimiter delimiter]

address use-pool-from-client [delimiter delimiter]

no address

Context

[Tree] (config>subscr-mgmt>loc-user-db>ppp>host address)

[Tree] (config>subscr-mgmt>loc-user-db>ipoe>host address)

Full Context

configure subscriber-mgmt local-user-db ppp host address

configure subscriber-mgmt local-user-db ipoe host address

Description

This command configures how the IP address is defined for this host.

When the user database is used from a local DHCP server, then this command defines how to define the IP address the server offers to the DHCP-client.

When the user-db is used for PPPoE authentication, the gi-address parameter cannot be used. A fixed IP address causes PPPoE to use this IP address. If no IP address is specified, the PPPoE looks for IP address by other means (DHCP). If a pool name is given, this pool is sent in the DHCP request so it can be used in by the DHCP server to determine which address to give to the host.

The no form of this command causes no IP address to be assigned to this host. In a user database referred to from a local DHCP server, creating a host without address information causes the matching client never to get an IP address.

The no form of this command reverts to the default.

Parameters

gi-address

When specified, the gi-address of the DHCP message is taken to look for a subnet in the local DHCP server. The first available free address of the subnet is taken and "offered” to the host. When local-user-db is used for PPPoE authentication, this has the same result as no address.

ip-address

Specifies the fixed IP address to use for this host.

Values

a.b.c.d

pool-name/sec-pool-name

Specifies the primary (and secondary) pool (in the local DHCP server), up to 32 characters, to look for an available address. The first available IP address from any subnet in the pool is used. When the local user database is used for PPPoE authentication, this causes the specified pool name to be sent to the DHCP server in a vendor-specific sub-option under Option 82.

use-pool-from-client

Use the pool-name in the Option 82 vendor-specific sub-option.

delimiter

Specifies a single ASCII character specifies the delimiter of separating primary and secondary pool names in option82 VSO.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

address

Syntax

address ipv6-address/prefix-length [eui-64] [track-srrp srrp-instance] [modifier cga-modifier] [dad-disable] [primary-preference primary-preference]

no address ipv6-address/prefix-length

Context

[Tree] (config>service>vprn>if>ipv6 address)

[Tree] (config>service>ies>if>ipv6 address)

Full Context

configure service vprn interface ipv6 address

configure service ies interface ipv6 address

Description

This command assigns an IPv6 address/subnet to the interface.

Up to 16 total primary and secondary IPv4 and IPv6 addresses can be assigned to network interfaces, and up to 256 to access interfaces.

Caution:

Configurations must not exceed 16 secondary IP addresses when IPsec, GRE, L2TPv3, or IP in IP protocols are active on an access interface.

The no form of this command removes the IPv6 address from the interface.

Parameters

ipv6-address/prefix-length

Specifies the IPv6 address on the interface.

Values

ipv6-address/prefix:

ipv6-address

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x [0 to FFFF]H

d [0 to 255]D

prefix-length

1 to 128

eui-64

When the eui-64 keyword is specified, a complete IPv6 address from the supplied prefix and 64-bit interface identifier is formed. The 64-bit interface identifier is derived from MAC address on Ethernet interfaces. For interfaces without a MAC address, for example ATM interfaces, the Base MAC address of the chassis is used.

srrp-instance

Specifies the SRRP instance ID that this interface route needs to track.

Values

1 to 4294967295

cga-modifier

Specifies the modifier in 32 hexadecimal nibbles.

Values

0x0–0xFFFFFFFF

dad-disable

Disables Duplicate Address Detection (DAD) and sets the address to preferred, even if there is a duplicated address.

primary-preference

Specifies a primary-preference index to an IPv6 address of the interface to enforce the order in which the address is used by control plane protocols and applications which require a fixed address of the interface. These include LDP and Segment Routing.

When originating packets from this interface, the source IPv6 address follows the selection rules in RFC 6724 except for the specific cases where a fixed address is required. In the latter case, the IPv6 address with the lowest primary-preference index is selected. If the selected address is removed, the system selects the IPv6 address with the next lowest primary-preference index.

The system assigns the next available index value to any IPv6 address of the interface when configured without the primary-preference index value specified. The address index space is unique across all addresses of a given interface.

Values

1 to 4294967295

Platforms

All

address

Syntax

address ipv6-address/prefix-length [pd] [wan-host] [track-srrp srrp-instance] [holdup-time milli-seconds]

no address ipv6-address/prefix-length

Context

[Tree] (config>service>ies>sub-if>ipv6 address)

[Tree] (config>service>vprn>sub-if>ipv6 address)

Full Context

configure service ies subscriber-interface ipv6 address

configure service vprn subscriber-interface ipv6 address

Description

This command assigns an IPv6 address/subnet to the subscriber interface.

SRRP and an IPv6 Global Unicast Address on a subscriber interface are mutual exclusive:

  • track-srrp cannot be enabled on a subscriber interface ipv6 address

  • when an ipv6 address is configured on a subscriber interface, SRRP cannot be enabled on its group interfaces

The no form of this command removes the IPv6 address from the interface.

Parameters

ipv6-address

Specifies the 128-bit IPv6 address.

Values

128-bit hexadecimal IPv6 address in compressed form

prefix-length

Specifies the length of any associated aggregate prefix.

Values

32 to 127

pd

Specifies that this aggregate is used by IPv6 ESM hosts for DHCPv6 prefix-delegation.

wan-host

Specifies that this aggregate is used by IPv6 ESM hosts for local addressing or by a routing gateway’s WAN interface.

srrp-instance

Specifies the SRRP instance number.

Values

1 to 4294967295

milli-seconds

Specifies the time to wait, in milli-seconds, for the route before it accepts the new state attribute. This timer is used to prevent fluctuations in route advertisement caused by short lived SRRP instabilities, in the case that such condition arises.

Values

100 to 5000

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

address

Syntax

address ip-prefix/ip-prefix-length [peer-profile profile-name]

no address ip-prefix/ip-prefix-length

Context

[Tree] (config>service>vprn>gtp>uplink>peer-profile-map address)

[Tree] (config>service>vprn>gtp>s11>peer-profile-map address)

[Tree] (config>router>gtp>uplink>peer-profile-map address)

[Tree] (config>router>gtp>s11>peer-profile-map address)

Full Context

configure service vprn gtp uplink peer-profile-map address

configure service vprn gtp s11 peer-profile-map address

configure router gtp uplink peer-profile-map address

configure router gtp s11 peer-profile-map address

Description

This command configures a mapping of an IP address or subnet to a peer profile. If one peer profile is used for the entire router, it is possible to map the entire IPv4 subnet using 0.0.0.0/0.

If no match is found, the default or default S11 peer profile is used.

The no form of this command removes the peer profile mapping, affecting only the setup of new peers.

Parameters

ip-prefix/ip-prefix-length

Specifies the IP prefix and prefix length of the subnet.

Values

ipv4-prefix

a.b.c.d (host bits must be 0)

ipv4-prefix-length

[0 to 32]

ipv6-prefix

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x - [0 to FFFF]H

d - [0 to 255]D

ipv6-prefix-le

[0 to 128]

profile-name

Specifies the GTP peer profile associated with the address prefix, up to 32 characters.

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

address

Syntax

address [ip-address | ipv6-address]

no address

Context

[Tree] (config>aaa>diam>node>peer address)

Full Context

configure aaa diameter node peer address

Description

This command configures IPv4 or IPv6 address for a Diameter peer.

The no form of this command removes the IPv4 or IPv6 from the peer configuration.

Parameters

ip-address

Specifies the IPv4 address in the a.b.c.d form

ipv6-address

Specifies the IPv6 address in the form:

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

where:

x - [0..FFFF]H

d - [0 to 255] D

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

address

Syntax

address {ip-address/mask | ip-address netmask} [broadcast {all-ones | host-ones}] [track-srrp srrp-instance]

no address [ip-address/mask | ip-address netmask]

Context

[Tree] (config>service>vprn>nw-if address)

[Tree] (config>service>ies>if address)

[Tree] (config>service>vprn>if address)

Full Context

configure service vprn network-interface address

configure service ies interface address

configure service vprn interface address

Description

This command assigns an IP address, IP subnet, and broadcast address format to an IES IP router interface. Only one IP address can be associated with an IP interface. Use the secondary command to assign multiple addresses.

An IP address must be assigned to each IES or VPRN IP interface. An IP address and a mask are used together to create a local IP prefix. The defined IP prefix must be unique within the context of the routing instance. It cannot overlap with other existing IP prefixes defined as local subnets on other IP interfaces in the same routing context within the router.

The IP address for the interface can be entered in either CIDR (Classless Inter-Domain Routing) or traditional dotted decimal notation. The show commands display CIDR notation and is stored in configuration files.

By default, no IP address or subnet association exists on an IP interface until it is explicitly created.

Table 2. Address Admin and Operational States

Address

Admin State

Oper State

No address

up

down

No address

down

down

1.1.1.1

up

up

1.1.1.1

down

down

The operational state is a read-only variable and the only controlling variables are the address and admin states. The address and admin states are independent and can be set independently. If an interface is in an administratively up state and an address is assigned, it becomes operationally up and the protocol interfaces and the MPLS LSPs associated with that IP interface are reinitialized.

The no form of this command removes the IP address assignment from the IP interface. When the no address command is entered, the interface becomes operationally down.

Parameters

ip-address

Specifies the IP address of the IP interface. The ip-address portion of the address command specifies the IP host address that is used by the IP interface within the subnet. This address must be unique within the subnet and specified in dotted decimal notation. Allowed values are IP addresses in the range 1.0.0.0 – 223.255.255.255 (with support of /31 subnets).

/

The forward slash is a parameter delimiter and separates the ip-address portion of the IP address from the mask that defines the scope of the local subnet. No spaces are allowed between the ip-address, the "/” and the mask-length parameter. If a forward slash is not immediately following the ip-address, a dotted decimal mask must follow the prefix.

mask-length

Specifies the subnet mask length when the IP prefix is specified in CIDR notation. When the IP prefix is specified in CIDR notation, a forward slash (/) separates the ip-address from the mask-length parameter. The mask length parameter indicates the number of bits used for the network portion of the IP address; the remainder of the IP address is used to determine the host portion of the IP address.

Note:

A mask length of 32 is reserved for loopback addresses (includes system addresses).

Default

0 to 31

mask

The subnet mask in dotted decimal notation. When the IP prefix is not specified in CIDR notation, a space separates the ip-address from a traditional dotted decimal mask. The mask parameter indicates the complete mask that is used in a logical 'AND’ function to derive the local subnet of the IP address. Allowed values are dotted decimal addresses in the range 128.0.0.0 – 255.255.255.254.

Note:

A mask of 255.255.255.255 is reserved for system IP addresses.

broadcast

Overrides the default broadcast address used by the IP interface when sourcing IP broadcasts on the IP interface. If no broadcast format is specified for the IP address, the default value is host-ones which indicates a subnet broadcast address. Use this parameter to change the broadcast address to all-ones or revert back to a broadcast address of host-ones.

The broadcast format on an IP interface can be specified when the IP address is assigned or changed.

This parameter does not affect the type of broadcasts that can be received by the IP interface. A host sending either the local broadcast (all-ones) or the valid subnet broadcast address (host-ones) is received by the IP interface.

Default

host-ones

all-ones

Specifies the broadcast address used by the IP interface for this IP address is 255.255.255.255, also known as the local broadcast.

host-ones

Specifies that the broadcast address used by the IP interface for this IP address is the subnet broadcast address. This is an IP address that corresponds to the local subnet described by the ip-address and the mask-length or mask with all the host bits set to binary one. This is the default broadcast address used by an IP interface.

The broadcast parameter within the address command does not have a negate feature, which is usually used to revert a parameter to the default value. To change the broadcast type to host-ones after being changed to all-ones, the address command must be executed with the broadcast parameter defined.

srrp-instance

Tracks the specified SRRP instance state on the IPv6 address.

Platforms

All

address

Syntax

address {ip-address/mask | ip-address netmask} [remote-ip ip-address]

no address

Context

[Tree] (config>service>vprn>red-if address)

Full Context

configure service vprn redundant-interface address

Description

This command assigns an IP address mask or netmask and a remote IP address to the interface.

The no form of this command removes the values from the configuration.

Parameters

ip-address/mask

Assigns an IP address/IP subnet format to the interface.

ip-address netmask

Assigns an IP address netmask to the interface. Specifies a string of 0s and 1s that mask or screen out the network part of an IP address so that only the host computer part of the address remains.

remote-ip ip-address

Assigns a remote IP to the interface.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

address

Syntax

address ip-address/mask [netmask] [ gw-ip-address gw-ip-address] [populate-host-routes] [track-srrp srrp-instance] [holdup-time milli-seconds]

no address ip-address/mask [netmask]

Context

[Tree] (config>service>vprn>sub-if address)

[Tree] (config>service>ies>sub-if address)

Full Context

configure service vprn subscriber-interface address

configure service ies subscriber-interface address

Description

This command configures the subscriber interface address along with additional parameters related to multi-chassis redundancy.

The no form of this command reverts to the default.

Parameters

ip-address

The IP address of the IP interface. The ip-address portion of the address command specifies the IP host address that is used by the IP interface within the subnet. This address must be unique within the subnet and specified in dotted decimal notation. Allowed values are IP addresses in the range 1.0.0.0 – 223.255.255.255 (with support of /31 subnets).

/

The forward slash is a parameter delimiter and separates the ip-address portion of the IP address from the mask that defines the scope of the local subnet. No spaces are allowed between the ip-address, the "/” and the mask-length parameter. If a forward slash is not immediately following the ip-address, a dotted decimal mask must follow the prefix.

mask

The subnet mask in dotted decimal notation. When the IP prefix is not specified in CIDR notation, a space separates the ip-address from a traditional dotted decimal mask. The mask parameter indicates the complete mask that is used in a logical AND function to derive the local subnet of the IP address. Allowed values are dotted decimal addresses in the range 128.0.0.0 – 255.255.255.254.

Note:

A mask of 255.255.255.255 is reserved for system IP addresses.

netmask

The subnet mask in dotted decimal notation.

Values

0.0.0.0 - 255.255.255.255

gw-ip-address

Specifies a separate IP address within the subnet for SRRP routing purposes. This parameter must be followed by a valid IP interface that exists within the subscriber subnet created by the address command. The defined gateway IP address cannot currently exist as a subscriber host (static or dynamic). If the defined ip-address already exists as a subscriber host address, the address command will fail. The specified ip-address must be unique within the system.

The gw-ip-address parameter may be specified at any time. If the subscriber subnet was created previously, executing the address command with a gw-ip-address parameter will simply add the SRRP gateway IP address to the existing subnet.

If the address command is executed without the gw-ip-address parameter when the subscriber subnet is associated with an active SRRP instance, the address will fail. If the SRRP instance is inactive or removed, executing the address command without the gw-ip-address parameter removes the SRRP gateway IP address from the specified subscriber subnet.

If the address command is executed with a new GW address, all SRRP instances associated with the specified subscriber subnet is updated with the new SRRP gateway IP address.

populate-host-routes

Specifies to populate subscriber-host routes in local FDB. Storing them in FDB benefits topologies only where the external router advertises more specific routes than the one corresponding to locally configured subscriber-interface subnets.

milli-seconds

Specifies the time to wait, in milli-seconds, for the route before it accepts the new state attribute. This timer is used to prevent fluctuations in route advertisement caused by short lived SRRP instabilities, in the case that such condition arises.

Values

100 to 5000

srrp-inst

Enables the subscriber interface route to track the SRRP state of the specified SRRP instance. The route updates its state attribute to reflect the state of SRRP instance:

  • Master = srrp-master

  • Any other = srrp-non-master

Routing policy can be applied towards the state attribute in order to customize the advertisement of the route. Only one SRRP instance can be tracked per subscriber interface route. Tracked SRRP instance can be part of the Fate Sharing Group. This command can be enabled at any time.

Values

1 to 4294967295

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

address

Syntax

[no] address [ip-address | ipv6-address]

Context

[Tree] (config>service>ies>sub-if>grp-if>wlan-gw address)

[Tree] (config>service>vprn>sub-if>grp-if>wlan-gw address)

Full Context

configure service ies subscriber-interface group-interface wlan-gw address

configure service vprn subscriber-interface group-interface wlan-gw address

Description

This command configures an IPv4 or IPv6 address of a WLAN Gateway.

The no form of this command removes the IPv4 or IPv6 address from the configuration.

Parameters

ip-address

Specifies up to four IPv4 addresses.

Values

a.b.c.d

ipv6-address

Specifies up to six gateway IPv6 endpoint addresses.

Values

ipv6-address:

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x - [0 to FFFF]H

d - [0 to 255]D

ipv6-address

Specifies up to six IPv6 addresses.

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

address

Syntax

address ip-address [/mask] [netmask]

no address

Context

[Tree] (config>service>vpls>interface address)

Full Context

configure service vpls interface address

Description

This command assigns an IP address, IP subnet, and broadcast address format to an IES IP router interface. Only one IP address can be associated with an IP interface.

An IP address must be assigned to each IES IP interface. An IP address and a mask are used together to create a local IP prefix. The defined IP prefix must be unique within the context of the routing instance. It cannot overlap with other existing IP prefixes defined as local subnets on other IP interfaces in the same routing context within the router.

The IP address for the interface can be entered in either CIDR (Classless Inter-Domain Routing) or traditional dotted decimal notation. The show commands display CIDR notation and is stored in configuration files.

By default, no IP address or subnet association exists on an IP interface until it is explicitly created.

Use the no form of this command to remove the IP address assignment from the IP interface. When the no address command is entered, the interface becomes operationally down.

Address

Admin State

Oper State

No address

up

down

No address

down

down

1.1.1.1

up

up

1.1.1.1

down

down

The operational state is a read-only variable and the only controlling variables are the address and admin states. The address and admin states are independent and can be set independently. If an interface is in an administratively up state and an address is assigned, it becomes operationally up and the protocol interfaces and the MPLS LSPs associated with that IP interface will be reinitialized.

Parameters

ip-address

The IP address of the IP interface. The ip-address portion of the address command specifies the IP host address that will be used by the IP interface within the subnet. This address must be unique within the subnet and specified in dotted decimal notation. Allowed values are IP netmask

The subnet mask in dotted decimal notation. When the IP prefix is not specified in CIDR notation, a space separates the ip-address from a traditional dotted decimal mask. The mask parameter indicates the complete mask that will be used in a logical 'AND’ function to derive the local subnet of the IP address. Allowed values are dotted decimal addresses in the range 128.0.0.0 to 255.255.255.254. A mask of 255.255.255.255 is reserved for system IP addresses.

Platforms

All

address

Syntax

address {ip-address/mask | ip-address netmask} [remote-ip ip-address]

no address

Context

[Tree] (config>service>ies>redundant-interface address)

Full Context

configure service ies redundant-interface address

Description

This command assigns an IP address mask or netmask and a remote IP address to the interface.

Parameters

ip-address/mask

Assigns an IP address/IP subnet format to the interface.

ip-address netmask

Specifies a string of 0s and 1s that mask or screen out the network part of an IP address so that only the host computer part of the address remains.

Assigns an IP address netmask to the interface.

remote-ip ip-address

Assigns a remote IP to the interface.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

address

Syntax

address ip-address

no address

Context

[Tree] (config>service>vprn>log>syslog address)

Full Context

configure service vprn log syslog address

Description

This command adds the syslog target host IP address to/from a syslog ID.

The ip-address parameter is mandatory. If no address is configured, syslog data cannot be forwarded to the syslog target host.

Only one address can be associated with a syslog-id. If multiple addresses are entered, the last address entered overwrites the previous address.

The same syslog target host can be used by multiple log IDs.

The no form of this command removes the syslog target host IP address.

Default

no address

Parameters

ip-address

Specifies the IP address of the syslog target host in dotted decimal notation.

Values

ipv4-address

a.b.c.d

ipv6-address

x:x:x:x:x:x:x:x[-interface]

x:x:x:x:x:x:d.d.d.d[-interface]

x: [0 to FFFF]H

d: [0 to 255]D

interface: 32 characters maximum, mandatory for link local addresses

The ipv6-address applies to the 7750 SR.

Platforms

All

address

Syntax

[no] address ipv6-address

Context

[Tree] (config>service>vprn>nat>inside>dslite address)

Full Context

configure service vprn nat inside dual-stack-lite address

Description

This command configures a DS-Lite IPv6 address

The no form of this command removes the value from the configuration.

Parameters

ipv6-address

Specifies the IPv6 address on the interface.

Values

ipv6-prefix

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x: [0 to FFFF]H

d: [0 to 255]D

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

address

Syntax

[no] address ip-address

Context

[Tree] (config>service>vprn>radius-proxy>server>wlan-gw address)

[Tree] (config>router>radius-proxy>server>wlan-gw address)

Full Context

configure service vprn radius-proxy server wlan-gw address

configure router radius-proxy server wlan-gw address

Description

This command configures the IPv4 address of the distributed RADIUS proxy server for use by the access points.

The no form of this command removes the address from the configuration.

Parameters

ip-address

Specifies the destination IPv4 address of the RADIUS proxy server.

Values

ipv4-address a.b.c.d

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

address

Syntax

[no] address ip-address/mask

Context

[Tree] (config>service>vprn>nat>inside>l2-aware address)

Full Context

configure service vprn nat inside l2-aware address

Description

This command configures a Layer 2-aware NAT address. This address will act as a local address of the system. Hosts connected to the inside service will be able to ARP for this address. To verify connectivity, a host can also ping the address. This address is typically used as next hop of the default route of a Layer 2-aware host. The given mask defines a Layer 2-aware subnet. The (inside) IP address used by a Layer 2-aware host must match one of the subnets defined here or it will be rejected.

Parameters

ip-address

Specifies the IP address in a.b.c.d format.

mask

Specifies the mask.

Values

16 to 32

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

address

Syntax

[no] address ip-address

Context

[Tree] (config>service>vprn>pim>rp>rp-candidate address)

[Tree] (config>service>vprn>pim>rp>bsr-candidate address)

Full Context

configure service vprn pim rp rp-candidate address

configure service vprn pim rp bsr-candidate address

Description

This command configures a static bootstrap or rendezvous point (RP) as long as the source is not directly attached to this router.

Use the no form of this command to remove the static RP from the configuration.

Default

No IP address is specified.

Parameters

ip-address

The static IP address of the RP. The ip-address portion of the address command specifies the IP host address that will be used by the IP interface within the subnet. This address must be unique within the subnet and specified in dotted decimal notation.

Values

1.0.0.0 to 223.255.255.255

Platforms

All

address

Syntax

[no] address ipv6-address

Context

[Tree] (config>service>vprn>pim>rp>ipv6>bsr-candidate address)

[Tree] (config>service>vprn>pim>rp>ipv6>rp-candidate address)

Full Context

configure service vprn pim rp ipv6 bsr-candidate address

configure service vprn pim rp ipv6 rp-candidate address

Description

This command configures a static bootstrap or rendezvous point (RP) as long as the source is not directly attached to this router.

Use the no form of this command to remove the static RP from the configuration.

Default

No IP address is specified.

Parameters

ipv6-address

The static IP address of the RP. The ip-address portion of the address command specifies the IP host address that will be used by the IP interface within the subnet. This address must be unique within the subnet and specified in dotted decimal notation.

Values

ipv6-address

: x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x [0 to FFFF]H

d [0 to 255]D

Platforms

All

address

Syntax

[no] address ip-address

Context

[Tree] (config>service>vprn>pim>rp>static address)

Full Context

configure service vprn pim rp static address

Description

This command configures the static rendezvous point (RP) address.

The no form of this command removes the static RP entry from the configuration.

Platforms

All

address

Syntax

address {ip-address/mask | ip-address netmask} [remote-ip ip-address]

no address

Context

[Tree] (config>service>vprn>redundant-interface address)

Full Context

configure service vprn redundant-interface address

Description

This command assigns an IP address mask or netmask and a remote IP address to the interface.

Parameters

ip-address/mask

Assigns an IP address/IP subnet format to the interface.

ip-address netmask

Specifies a string of 0s and 1s that mask or screen out the network part of an IP address so that only the host computer part of the address remains.

Assigns an IP address netmask to the interface.

remote-ip ip-address

Assigns a remote IP to the interface.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

address

Syntax

address ip-address

no address

Context

[Tree] (config>app-assure>group>evt-log>syslog address)

Full Context

configure application-assurance group event-log syslog address

Description

This command configures the target syslog host IP address.

Default

no address

Parameters

ip-address

Specifies the IP address of the target syslog host, either IPv4 or IPv6.

Values

ipv4-address a.b.c.d

ipv6-address x:x:x:x:x:x:x:x

x:x:x:x:x:x:d.d.d.d

x: [0 to FFFF]H

d: [0 to 255]D

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

address

Syntax

address {ip-address/mask | ip-address netmask}

no address [ip-address/mask | ip-address netmask]

Context

[Tree] (config>service>ies>aa-interface address)

[Tree] (config>service>vprn>aa-interface address)

Full Context

configure service ies aa-interface address

configure service vprn aa-interface address

Description

This command assigns an IP address to the interface.

Default

no address

Parameters

ip-address/mask

Specifies an IP address/IP subnet format to the interface.

ip-address netmask

Specifies a string of 0s and 1s that mask or screen out the network part of an IP address so that only the host computer part of the address remains.

create

Keyword that specifies to create the interface.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

address

Syntax

address prefix ip-prefix/ip-prefix-len

address from begin-ip-address to end-ip-address

no address

Context

[Tree] (config>ipsec>ts-list>local>entry address)

[Tree] (config>ipsec>ts-list>remote>entry address)

Full Context

configure ipsec ts-list local entry address

configure ipsec ts-list remote entry address

Description

This command specifies the address range in the IKEv2 traffic selector.

Default

no address

Parameters

ip-prefix/ip-prefix-len

Specifies the IP prefix and subnet mask.

begin-ip-address

Specifies the beginning address of the range for this entry.

end-ip-address

Specifies the ending address of the range for this entry.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

address

Syntax

[no] address ipv6-address

Context

[Tree] (config>router>nat>inside>dual-stack-lite address)

Full Context

configure router nat inside dual-stack-lite address

Description

This command configures a DS-Lite IPv6 address.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

address

Syntax

[no] address ip-address/mask

Context

[Tree] (config>router>nat>inside address)

Full Context

configure router nat inside address

Description

This command configures the IP address and mask of the subnet.

The no form of the command removes the IP address and prefix length from the configuration.

Parameters

ip-address/mask

Specifies the IP address and mask of the subnet.

Values

ip-address:

a.b.c.d

mask:

16 to 32

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

address

Syntax

[no] address ip-address/mask

Context

[Tree] (config>service>ies>video-interface address)

[Tree] (config>service>vprn>video-interface address)

Full Context

configure service ies video-interface address

configure service vprn video-interface address

Description

This command assigns an IP address to the video interface within the service. Video interface IP addresses are used by video service clients to direct requests for video server services. Up to 16 IP address/subnets can be defined. The addresses defined must all be distinct and cannot be contained within a previously defined address.

The no form of the command deletes the IP address/subnet from the video interface.

Parameters

ip-address

Specifies the IP address/subnet of the video interface in dotted decimal notation.

mask

Specifies the subnet mask length for the IP address expressed as an integer.

Platforms

7450 ESS, 7750 SR-1, 7750 SR-7/12/12e, 7750 SR-1s, 7750 SR-2s, 7750 SR-7s, 7750 SR-14s

address

Syntax

address ip-address

no address

Context

[Tree] (config>router>pim>rp>bsr-candidate address)

Full Context

configure router pim rp bsr-candidate address

Description

This command configures the candidate BSR IP address. This address is for Bootstrap router election.

The no form of this command removes the IP address from the BSR candidate configuration.

Default

no address

Parameters

ip-address

Specifies the IP host address used by the IP interface within the subnet. This address must be unique within the subnet and specified in dotted decimal notation.

Values

1.0.0.0 – 223.255.255.255

Platforms

All

address

Syntax

address ipv6-address

no address

Context

[Tree] (config>router>pim>rp>ipv6>bsr-candidate address)

Full Context

configure router pim rp ipv6 bsr-candidate address

Description

This command configures the candidate BSR IPv6 address. This address is for Bootstrap router election.

The no form of this command removes the IPv6 address from the BSR candidate configuration.

Default

no address

Parameters

ipv6-address

Specifies the IPv6 host address used by the interface within the subnet.

Values

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x - [0 to FFFF]H

d - [0 to 255]D

Platforms

All

address

Syntax

address ipv6-address

no address

Context

[Tree] (config>router>pim>rp>ipv6>rp-candidate address)

Full Context

configure router pim rp ipv6 rp-candidate address

Description

This command configures the local IPv6 RP address. This address is sent in the RP candidate advertisements to the bootstrap router.

The no form of this command removes the IPv6 address from the RP candidate configuration.

Default

no address

Parameters

ipv6-address

Specifies the IPv6 RP address.

Values

ipv6-address:

  • x:x:x:x:x:x:x:x (eight 16-bit pieces)

  • x:x:x:x:x:x:d.d.d.d

  • x: [0 to FFFF]H

  • d: [0 to 255]D

    prefix-length: 16 to 128

Platforms

All

address

Syntax

address ip-address

no address

Context

[Tree] (config>router>pim>rp>rp-candidate address)

Full Context

configure router pim rp rp-candidate address

Description

This command configures the local RP address. This address is sent in the RP candidate advertisements to the bootstrap router.

The no form of this command removes the IP address from the RP candidate configuration.

Default

no address

Parameters

ip-address

Specifies the ip-address.

Values

1.0.0.0 – 223.255.255.255

Platforms

All

address

Syntax

address ip-address

no address

Context

[Tree] (config>router>pim>rp>ipv6>static address)

[Tree] (config>router>pim>rp>static address)

Full Context

configure router pim rp ipv6 static address

configure router pim rp static address

Description

This command configures the Rendezvous Point (RP) address that should be used by the router for the range of multicast groups configured by the range command.

The no form of this command removes the IP address from the static configuration.

Parameters

ip-address

Specifies the static IP address of the RP. The ip-address portion of the address command specifies the IP host address that is used by the IP interface within the subnet. This address must be unique within the subnet and specified in dotted decimal notation.

Values

1.0.0.0 – 223.255.255.255

Platforms

All

address

Syntax

address ipv4-address

no address

Context

[Tree] (config>li>x-interfaces>lics>lic address)

Full Context

configure li x-interfaces lics lic address

Description

This command configures the IP address of this LIC.

The no form of this command reverts to the default.

Parameters

ipv4-address

Specifies the IPv4 address of the LIC.

Values

a.b.c.d

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

address

Syntax

address ipv4-address

no address

Context

[Tree] (config>li>x-interfaces>x1 address)

Full Context

configure li x-interfaces x1 address

Description

This command configures the X1 interface IP address that must match an IP address configured on the router.

The no form of this command reverts to the default.

Parameters

ipv4-address

Specifies the IPv4 address of the LIC.

Values

a.b.c.d

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

address

Syntax

address ipv4-address

no address

Context

[Tree] (config>li>x-interfaces>x2 address)

Full Context

configure li x-interfaces x2 address

Description

This command configures the X2 interface IP address that must match an IP address configured on the router.

The no form of this command reverts to the default.

Parameters

ipv4-address

Specifies the IPv4 address of the LIC.

Values

a.b.c.d

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

address

Syntax

address {ip-address/mask | ip-address netmask} [broadcast {all-ones | host-ones}] [track-srrp srrp-instance] [gre-termination]

no address

Context

[Tree] (config>router>if address)

Full Context

configure router interface address

Description

This command assigns an IP address, IP subnet, and broadcast address format to an IP interface. Only one IP address can be associated with an IP interface. Use the secondary command to assign additional addresses.

An IP address must be assigned to each IP interface. An IP address and a mask combine to create a local IP prefix. The defined IP prefix must be unique within the context of the routing instance. It cannot overlap with other existing IP prefixes defined as local subnets on other IP interfaces in the same routing context within the router.

From Release 19.10, The overlap restriction is not applicable for host-addresses configured on loopback interfaces. For example, a loopback interface addresses configured with mask of 32 or netmask of 255.255.255.255 can overlap with other prefixes on other IP interfaces in the same routing context within the router.

The IP address for the interface can be entered in either CIDR (Classless Inter-Domain Routing) or traditional dotted decimal notation. Show commands display CIDR notation and are stored in configuration files.

By default, no IP address or subnet association exists on an IP interface until it is explicitly created.

The no form of this command removes the IP address assignment from the IP interface. Interface specific configurations for MPLS are also removed. This will operationally stop any MPLS LSPs that explicitly reference that IP address. When a new IP address is configured, interface specific configurations for MPLS need to be added. IEEE 1588 port based timestamping configured with ptp-hw-assist is also disabled.

Default

no address

Parameters

ip-address

Specifies the IP address of the IP interface. The ip-address portion of the address command specifies the IP host address that will be used by the IP interface within the subnet. This address must be unique within the subnet and specified in dotted decimal notation.

Values

1.0.0.0 to 223.255.255.255

/

The forward slash is a parameter delimiter that separates the ip-address portion of the IP address from the mask that defines the scope of the local subnet. No spaces are allowed between the ip-address, the "/” and the mask parameter. If a forward slash does not immediately follow the ip-address, a dotted decimal mask must follow the prefix.

mask

Specifies the subnet mask length when the IP prefix is specified in CIDR notation. When the IP prefix is specified in CIDR notation, a forward slash (/) separates the ip-address from the mask parameter. The mask parameter indicates the number of bits used for the network portion of the IP address; the remainder of the IP address is used to determine the host portion of the IP address. Allowed values are integers in the range 1— 32. A mask length of 32 is reserved for system IP addresses.

Values

1 to 32

netmask

Specifies the subnet mask in dotted decimal notation.

Values

0.0.0.0 to 255.255.255.255 (network bits all 1 and host bits all 0)

broadcast

The optional broadcast parameter overrides the default broadcast address used by the IP interface when sourcing IP broadcasts on the IP interface. If no broadcast format is specified for the IP address, the default value is host-ones, which indicates a subnet broadcast address. Use this parameter to change the broadcast address to all-ones or revert back to a broadcast address of host-ones.

The broadcast parameter within the address command does not have a negate feature, which is usually used to revert a parameter to the default value. To change the broadcast type to host-ones after being changed to all-ones, the address command must be executed with the broadcast parameter defined.

The broadcast format on an IP interface can be specified when the IP address is assigned or changed.

This parameter does not affect the type of broadcasts that can be received by the IP interface. A host sending either the local broadcast (all-ones) or the valid subnet broadcast address (host-ones) will be received by the IP interface.

Default

host-ones

Values

all-ones, host-ones

all-ones

The all-ones keyword following the broadcast parameter specifies that the broadcast address used by the IP interface for this IP address will be 255.255.255.255, also known as the local broadcast.

host-ones

Specifies that the broadcast address used by the IP interface for this IP address will be the subnet broadcast address. This is an IP address that corresponds to the local subnet described by the ip-address and the netmask with all the host bits set to binary 1. This is the default broadcast address used by an IP interface.

srrp-instance

Specifies the SRRP instance ID that this interface route needs to track.

Values

1 to 4294967295

gre-termination

The optional gre-termination keyword allows GRE SDP tunnel packets to terminate on the router interface using the /31 value of the configured IP address. Refer to the 7450 ESS, 7750 SR, 7950 XRS, and VSR Services Overview Guide for information about using gre-termination.

Platforms

All

address

Syntax

address ipv6-address/prefix-length [eui-64] [track-srrp srrp-instance] [modifier cga-modifier] [dad-disable] [primary-preference primary-preference]

no address ipv6-address/prefix-length

Context

[Tree] (config>router>if>ipv6 address)

Full Context

configure router interface ipv6 address

Description

This command assigns an IPv6 address to the interface. Up to 16 total primary and secondary IPv4 and IPv6 addresses can be assigned to network interfaces, and up to 256 to access interfaces.

Caution:

Configurations must not exceed 16 IPv6 addresses when IPsec, GRE, L2TPv3, or IP in IP protocols are active on an access interface.

A global IPv6 address together with the prefix-length create a locally configured interface IPv6 prefix and subnet. The defined global IP prefix must be unique within the context of a routing instance. It cannot overlap with any other existing global IP prefix defined on another IP interface within the same routing context in the router.

This overlap restriction is not applicable for IPv6 host addresses configured on loopback interfaces. For example, an IPv6 loopback host address configured upon a loopback interface may overlap with another prefix subnet configured on another IP interface within the same routing context.

Parameters

ipv6-address/prefix-length

Specifies the IPv6 address on the interface.

Values

ipv6-address/prefix-length:

ipv6-address

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x [0 to FFFF]H

d [0 to 255]D

prefix-length

1 to 128

eui-64

When the eui-64 keyword is specified, a complete IPv6 address from the supplied prefix and 64-bit interface identifier is formed. The 64-bit interface identifier is derived from MAC address on Ethernet interfaces. For interfaces without a MAC address, for example POS interfaces, the Base MAC address of the chassis should be used.

srrp-instance

Indicates the unique identifier of the tracked SRRP instance.

Values

1 to 4294967295

cga-modifier

Sets the modifier for cryptographically-assigned addresses.

Values

0x0..0xFFFFFFFF...(32 hex nibbles)

dad-disable

Disables Duplicate Address Detection (DAD) and sets the address to preferred, even if there is a duplicated address.

primary-preference

Specifies a primary-preference index to an IPv6 address of the interface to enforce the order in which the address is used by control plane protocols and applications which require a fixed address of the interface. These include LDP and Segment Routing.

When originating packets from this interface, the source IPv6 address follows the selection rules in RFC 6724 except for the specific cases where a fixed address is required. In the latter case, the IPv6 address with the lowest primary-preference index is selected. If the selected address is removed, the system selects the IPv6 address with the next lowest primary-preference index.

The system assigns the next available index value to any IPv6 address of the interface when configured without the primary-preference index value specified. The address index space is unique across all addresses of a given interface.

Values

1 to 4294967295

srrp

Tracks the specified SRRP instance state on the IPv6 address.

Values

1 to 4294967295

Platforms

All

address

Syntax

[no] address ip-prefix/ip-prefix-length [active | standby | standby/A | standby/B | standby/C | standby/D]

Context

[Tree] (bof address)

Full Context

bof address

Description

This command assigns an IP address to the management Ethernet port on a CPM. The IP addresses are applied by the boot loader and the running image. The active and standby IP addresses must be on the same subnet.

On all systems except the 7950 XRS-40, an address must be assigned with the active keyword and for systems with a redundant CPM an additional address may be assigned with the standby keyword. The active address is used by the active CPM whether its CPM A or CPM B and the standby address, if specified, is used by the standby CPM whether its CPM B or CPM A.

For the 7950 XRS-40, if the extension chassis shall boot from local compact flash then an active and standby address should be defined for use by the master chassis as defined above.

For the 7950 XRS-40, if the extension chassis shall boot from remote URL, then it is required to assign addresses to the management Ethernet ports for CPM C and CPM D. In this case, the BOF should be updated to have addresses defined using the standby/A, standby/B, standby/C, and standby/D keywords in addition to an address using the active keyword. With these keywords, CPM A shall always use the address defined using the standby/A address when CPM A is running as the standby CPM. Similarly, CPM B shall always use the address defined using the standby/B address when CPM B is running as the standby CPM. The active CPM of CPM A and CPM B shall use the address defined using the active keyword.

Deleting a BOF address entry is not allowed from a remote session.

Note that changing the active and standby addresses without reboot standby CPM may cause a boot-env sync to fail.

The no form of this command deletes the IP address from the CPM Ethernet port.

Parameters

ip-prefix/ip-prefix-length

Specifies the destination address of the aggregate route in dotted decimal notation.

Values

ipv4-prefix

a.b.c.d (host bits must be 0)

ipv4-prefix-length

0 to 32

ipv6-prefix

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x:

[0 to FFFF]H

d:

[0 to 255]D

ipv6-prefix-length

0 to 128

active | standby | standby/A | standby/B | standby/C | standby/D

specifies which CPM Ethernet address is being configured

Default

active

Platforms

All

address

Syntax

address {01:1b:19:00:00:00| 01:80:c2:00:00:0e}

Context

[Tree] (config>system>ptp>port address)

Full Context

configure system ptp port address

Description

This command allows for the specification of the mac-address to be used for the destination MAC address of the transmitted ptp messages.

IEEE Std 1588-2008 Annex F defines two reserved addresses for 1588 messages. These are:

  • 01-1B-19-00-00-00 — all except the peer delay mechanism messages

  • 01-80-C2-00-00-0E — peer delay mechanism messages

Both addresses are supported for reception independent of the address configured by this command.

The no form of this command sets the address to the default address.

Default

address 01-1B-19-00-00-00

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

address

Syntax

address ip-address

no address

Context

[Tree] (config>log>syslog address)

Full Context

configure log syslog address

Description

This command adds the syslog target host IP address to/from a syslog ID.

This parameter is mandatory. If no address is configured, syslog data cannot be forwarded to the syslog target host.

Only one address can be associated with a syslog-id. If multiple addresses are entered, the last address entered overwrites the previous address.

The same syslog target host can be used by multiple log IDs.

The no form of this command removes the syslog target host IP address.

Default

no address

Parameters

ip-address

Specifies the IP address of the syslog target host in dotted decimal notation. An IPv6-address applies only to the 7750 SR.

Values

ipv4-address

a.b.c.d

ipv6-address

x:x:x:x:x:x:x:x[-interface]

x:x:x:x:x:x:d.d.d.d[-interface]

x: [0..FFFF]H

d: [0..255]D

interface: 32 characters maximum, mandatory for link local

addressesipv6-address x:x:x:x:x:x:x:x[-interface]

x:x:x:x:x:x:d.d.d.d[-interface]

x: [0..FFFF]H

d: [0..255]D

interface: 32 characters maximum, mandatory for link local addresses

Platforms

All

address

Syntax

address ip-address [port port]

no address

Context

[Tree] (config>system>security>ldap>server address)

Full Context

configure system security ldap server address

Description

This command configures the IPv4 or IPv6 address for the LDAP server.

The no version of this command removes the server address.

Parameters

ip-address

The IP address of the LDAP server.

Values

ipv4-address

a.b.c.d (host bits must be 0)

ipv6-address

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x: [0..FFFF]H

d: [0..255]D

port

Specifies the port ID. The port is the LDAP server listening port; by default it is 389 but if the listening port on LDAP server is changed, this command needs to be configured accordingly.

Values

1 to 65535

Default

389

Platforms

All

address

Syntax

address ip-address

no address

Context

[Tree] (config>service>vprn>static-route-entry>next-hop>backup-next-hop address)

[Tree] (config>router>static-route-entry>next-hop>backup-next-hop address)

Full Context

configure service vprn static-route-entry next-hop backup-next-hop address

configure router static-route-entry next-hop backup-next-hop address

Description

This command specifies the backup IP forwarding address that is used for static route Fast ReRoute (FRR). The configured address, if reachable, acts as pre-installed backup forwarding information that can be used when the primary IP next-hop suddenly fails.

The configured backup next-hop IP address can be directly or indirectly connected (using an IGP or tunnel) to the node. The backup next-hop forwarding information or the Next-hop Label Forwarding Entry (NHLFE) tunnel forwarding information from the IP Routing Table Manager (RTM) is used to preconfigure an IP fast-reroute backup path.

One backup next-hop address can protect a single primary static route entry next-hop address without ECMP and it is only activated when the primary next-hop has no active ECMP.

The configured IP address can be either on the network or the access side.

By default, there is no backup next-hop address configured.

The no form of this command deletes the backup next-hop address entry.

Parameters

ip-address

Specifies the backup IP forwarding address.

Values

ipv4-address

a.b.c.d

ipv6-address

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x: [0..FFFF]H

d: [0..255]D

Platforms

All

address

Syntax

[no] address ip-address [:port]

Context

[Tree] (config>app-assure>group>cflowd>direct-export>collector address)

Full Context

configure application-assurance group cflowd direct-export collector address

Description

This command configures the Cflowd direct export collector remote address. Two addresses can be configured for each collector for redundancy. AA sends the same records to both at the same time.

The no form of this command removes the address from the configuration

Parameters

ip-address

Specifies the IP address of the Cflowd direct export collector, in the a.b.c.d format.

port

Specifies the port of the Cflowd direct export collector.

Values

1 to 65535

Default

4739

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

address-avp

address-avp

Syntax

[no] address-avp

Context

[Tree] (config>subscr-mgmt>diam-appl-plcy>gy>avp address-avp)

Full Context

configure subscriber-mgmt diameter-application-policy gy include-avp address-avp

Description

This command includes the following subscriber host/session address/prefix AVPs in all Diameter DCCA CCR messages:

  • [8] Framed-IP-Address

  • [97] Framed-IPv6-Prefix

  • [123] Delegated-IPv6-Prefix

  • [6527-99] Alc-IPv6-Address

Note: Only the address/prefix of the subscriber host that triggered the creation of the Diameter Gy session is included.

The no form of this command removes the address AVPs from the Diameter DCCA CCR messages.

Default

address-avp

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

address-pooling

address-pooling

Syntax

[no] address-pooling {paired | arbitrary}

Context

[Tree] (config>router>nat>outside>pool address-pooling)

Full Context

configure router nat outside pool address-pooling

Description

This command configures address pooling to allocate outside ports for a NAT subscriber in relation to the outside IP address.

The behavior in NAT, as defined in RFC 7857, §4, allows the subscriber to be mapped to a single outside IP address and allows for outside ports always to be allocated from that same outside IP address. If this outside IP address becomes exhausted of ports, no new ports for the subscriber can be allocated. This behavior is called paired address pooling.

The alternative behavior is arbitrary address pooling, where a NAT subscriber is mapped to an alternate IP address when the current outside IP address runs out of ports. This way, the subscriber becomes associated with multiple outside IP addresses. While this results in better resource utilization in NAT, it may negatively affect the behavior of some applications.

Default

address-pooling paired

Parameters

paired

Specifies that the subscriber can allocate ports from a single outside IP address. When this IP address runs out of the ports, the subscriber is denied allocation of new ports.

arbitrary

Specifies that the subscriber can allocate ports from multiple outside IP addresses.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

address-pref

address-pref

Syntax

address-pref {ipv4-only | ipv6-first}

no address-pref

Context

[Tree] (config>system>dns address-pref)

Full Context

configure system dns address-pref

Description

This command configures the DNS address resolving order preference. By default, DNS names are queried for A-records only (address-preference is IPv4-only).

If the address-preference is set to IPv6-first, the DNS server will be queried for AAAA-records (IPv6) first and if a successful replied is not received, then the DNS server is queried for A-records. IPv6 applies only to the 7750 SR and 7950 XRS.

Default

address-pref ipv4-only

Platforms

All

address-range

address-range

Syntax

no address-range start-ip-address end-ip-address [failover {local | remote | access-driven}]

no address-range start-ip-address end-ip-address

Context

[Tree] (config>router>dhcp>server>pool>subnet address-range)

[Tree] (config>service>vprn>dhcp>server>pool address-range)

Full Context

configure router dhcp local-dhcp-server pool subnet address-range

configure service vprn dhcp server pool address-range

Description

This command configures a range of IP addresses to be served from the pool. All IP addresses between the start and end IP addresses are included (other than specific excluded addresses).

The no form of this command removes the address-range parameters from the configuration.

Parameters

start-ip-address

Specifies the start address of this range to include. This address must be unique within the subnet and specified in dotted decimal notation. Allowed values are IP addresses in the range 1.0.0.0 – 223.255.255.255 (with support of /31 subnets).

Values

a.b.c.d

end-ip-address

Specifies the end address of this range to include. This address must be unique within the subnet and specified in dotted decimal notation. Allowed values are IP addresses in the range 1.0.0.0 – 223.255.255.255 (with support of /31 subnets).

Values

a.b.c.d

local

Specifies that the local DHCP server has the ownership of this dress range in a redundant setup under normal operation.

remote

Specifies that the remote DHCP server has the ownership of this address range in a redundant setup under normal operation.

access-driven

Specifies that the DHCP server failover system is in control by the access protection mechanisms (SRRP or MC-LAG).

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

address-range

Syntax

address-range start-ip-address end-ip-address [create]

no address-range start-ip-address end-ip-address

Context

[Tree] (config>service>vprn>nat>outside>pool address-range)

[Tree] (config>router>nat>outside>pool address-range)

Full Context

configure service vprn nat outside pool address-range

configure router nat outside pool address-range

Description

This command configures a NAT address range.

Parameters

start-ip-address

Specifies the beginning IP address in a.b.c.d form.

end-ip-address

Specifies the ending IP address in a.b.c.d. form.

create

This parameter must be specified to create the address range instance

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

address-range

Syntax

address-range start ipv4-address end ipv4-address

no address-range

Context

[Tree] (config>li>x-interfaces>x3 address-range)

Full Context

configure li x-interfaces x3 address-range

Description

This command configures the range of IP addresses to use for the X3 interface. The number of addresses should correspond to the number of ISAs used for the x-interface application.

The no form of this command reverts to the default.

Parameters

ipv4-address

Specifies an IPv4 address.

Values

a.b.c.d

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

address-source

address-source

Syntax

address-source router router-instance dhcp-server local-dhcp4-svr-name pool dhcp4-server-pool [secondary-pool secondary-pool-name]

address-source service-name service-name dhcp-server local-dhcp4-svr-name pool dhcp4-server-pool [secondary-pool secondary-pool-name]

address-source router router-instance dhcp-server local-dhcp6-svr-name pool dhcp6-server-pool

address-source service-name service-name dhcp-server local-dhcp6-svr-name pool dhcp6-server-pool

no address-source

Context

[Tree] (config>service>vprn>if>sap>ipsec-gw>lcl-addr-assign>ipv6 address-source)

[Tree] (config>service>vprn>if>sap>ipsec-gw>lcl-addr-assign>ipv4 address-source)

[Tree] (config>service>ies>if>sap>ipsec-gw>lcl-addr-assign>ipv4 address-source)

[Tree] (config>service>ies>if>sap>ipsec-gw>lcl-addr-assign>ipv6 address-source)

Full Context

configure service vprn interface sap ipsec-gw local-address-assignment ipv6 address-source

configure service vprn interface sap ipsec-gw local-address-assignment ipv4 address-source

configure service ies interface sap ipsec-gw local-address-assignment ipv4 address-source

configure service ies interface sap ipsec-gw local-address-assignment ipv6 address-source

Description

This command specifies the IPv4 or IPv6 source of the local address assignment for the IPsec gateway, which is a pool of a local DHCPv4 or DHCPv6 server. The system will assign an internal address to an IKEv2 remote-access client from the specified pool.

Beside the IP address, netmask and DNS server can also be returned. For IPv4, the netmask and DNS server address can be returned from the specified pool, as well as the IP address. The netmask returned to the IPsec client is derived from the subnet length from the subnet x.x.x.x/m create configuration, not the subnet-mask configuration in the subnet context. For IPv6, the DNS server address can be returned from the specified pool, as well as the IP address.

For IPv4, a secondary pool can be optionally specified. The secondary pool is used if the system is unable to assign addresses from the primary pool.

Default

no address-source

Parameters

router-instance

Specifies the router instance ID where the local DHCPv4 or DHCPv6 server is defined, up to 32 characters.

This variant of this command is only supported in 'classic' configuration-mode (configure system management-interface configuration-mode classic). The address-source service-name service-name variant can be used in all configuration modes.

service-name

Specifies the name of the service where the local DHCPv4 or DHCPv6 server is defined, up to 64 characters.

local-dhcp4-svr-name

Specifies the name of the local DHCPv4 server, up to 32 characters.

local-dhcp6-svr-name

Specifies the name of the local DHCv6 server, up to 32 characters.

dhcp4-server-pool

The name of the pool defined in the specified DHCPv4 server, up to 32 characters.

dhcp6-server-pool

The name of the pool defined in the specified DHCPv6 server, up to 32 characters.

secondary-pool-name

The name of the secondary pool defined in the specified server, up to 32 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

address-state

address-state

Syntax

[no] address-state

Context

[Tree] (config>aaa>isa-radius-plcy>acct-update-triggers address-state)

Full Context

configure aaa isa-radius-policy acct-update-triggers address-state

Description

If enabled, an interim-update will be sent for a DSM UE whenever a DHCP, SLAAC or DHCPv6 address gets allocated or freed.

Default

no address-state

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

address-type

address-type

Syntax

address-type {ipv4 | ipv6 | not-specified}

no address-type

Context

[Tree] (config>subscr-mgmt>wlan-gw>tunnel-query address-type)

Full Context

configure subscriber-mgmt wlan-gw tunnel-query address-type

Description

This command specifies the address type to match on tunnels.

The no form of this command reverts to the default.

Default

address-type not-specified

Parameters

ipv4

Specifies the IPv4 address to match on tunnels.

ipv6

Specifies the IPv6 address to match on tunnels.

not-specified

Specifies that no address type matches on tunnels.

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

address-type

Syntax

address-type {ipv4 | ipv6 | ipv4-only | ipv6-only | ipv4v6 | not-specified}

no address-type

Context

[Tree] (config>subscr-mgmt>wlan-gw>ue-query address-type)

Full Context

configure subscriber-mgmt wlan-gw ue-query address-type

Description

This command enables matching on UEs that have an address of the specified type.

The no form of this command reverts to the default.

Default

address-type not-specified

Parameters

ipv4

Specifies matching on UEs that have an IPv4 stack active.

ipv6

Specifies matching on UEs that have an IPv6 stack active.

ipv4-only

Specifies matching on UEs that have only an IPv4 and no IPv6 stack active.

ipv6-only

Specifies matching on UEs that have only an IPv6 and no IPv4 stack active.

ipv4v6

Specifies matching on UEs that have both an IPv4 and IPv6 stack active.

not-specified

Specifies that no address type matches on UEs.

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

adi

adi

Syntax

adi [zone-channel-name]

no adi

Context

[Tree] (debug>service>id>video-interface adi)

Full Context

debug service id video-interface adi

Description

This command enables debugging for the ad insert server.

Parameters

zone-channel-name

Specifies the channel name up to 32 characters.

Platforms

7450 ESS, 7750 SR-1, 7750 SR-7/12/12e, 7750 SR-1s, 7750 SR-2s, 7750 SR-7s, 7750 SR-14s

adj-set

adj-set

Syntax

[no] adj-set

Context

[Tree] (config>router>isis>segm-rtng>egress-statistics adj-set)

[Tree] (config>router>ospf>segm-rtng>ingress-statistics adj-set)

[Tree] (config>router>isis>segm-rtng>ingress-statistics adj-set)

[Tree] (config>router>ospf>segm-rtng>egress-statistics adj-set)

Full Context

configure router isis segment-routing egress-statistics adj-set

configure router ospf segment-routing ingress-statistics adj-set

configure router isis segment-routing ingress-statistics adj-set

configure router ospf segment-routing egress-statistics adj-set

Description

This command enables the allocation of statistic indices to each adjacency set. All adjacencies of a set share the same statistics index. If a statistics index is not available at allocation time, the allocation fails, then the system re-tries the allocation. The system generates a log on the first fail and a log on the final successful allocation.

The no form of this command disables the allocation of statistic indices to each adjacency set, releases the statistic indices, and clears the associated counters.

Default

no adj-set

Platforms

All

adj-sid

adj-sid

Syntax

[no] adj-sid

Context

[Tree] (config>router>ospf3>segm-rtng>ingress-statistics adj-sid)

[Tree] (config>router>isis>segm-rtng>egress-statistics adj-sid)

[Tree] (config>router>ospf>segm-rtng>ingress-statistics adj-sid)

[Tree] (config>router>ospf>segm-rtng>egress-statistics adj-sid)

[Tree] (config>router>ospf3>segm-rtng>egress-statistics adj-sid)

[Tree] (config>router>isis>segm-rtng>ingress-statistics adj-sid)

Full Context

configure router ospf3 segment-routing ingress-statistics adj-sid

configure router isis segment-routing egress-statistics adj-sid

configure router ospf segment-routing ingress-statistics adj-sid

configure router ospf segment-routing egress-statistics adj-sid

configure router ospf3 segment-routing egress-statistics adj-sid

configure router isis segment-routing ingress-statistics adj-sid

Description

This command enables the allocation of statistic indices to each programmed NHLFE corresponding to Adjacency SIDs (local and received by means of IGP advertisement). All NHLFEs associated to a given SID share the same index. If a statistics index is not available at allocation time, the allocation fails, then the system re-tries the allocation. The system generates a log on the first fail and a log on the final successful allocation.

The no form of this command disables the allocation of statistic indices to each adjacency SID, releases the statistic indices, and clears the associated counters.

Default

no adj-sid

Platforms

All

adj-sid-hold

adj-sid-hold

Syntax

adj-sid-hold seconds

no adj-sid-hold

Context

[Tree] (config>router>isis>segm-rtng adj-sid-hold)

Full Context

configure router isis segment-routing adj-sid-hold

Description

This command configures a timer to hold the ILM or LTN of an adjacency SID following a failure of the adjacency.

When an adjacency to a neighbor fails, the following procedures are followed for both the LFA protected SID and the LFA unprotected SID of this adjacency in SR-MPLS. An adjacency can have both types of SIDs assigned by configuration. An LFA protected adjacency SID is eligible for LFA protection, but the following procedures apply even if a LFA backup was not programmed at the time of the failure. An LFA unprotected adjacency SID is not eligible for LFA protection.

  • IGP withdraws the advertisement of the link TLV as well as its adjacency SID sub-TLV.
  • The adjacency SID hold timer starts.
  • The LTN and ILM records of the adjacency are kept in the datapath for as long as the adjacency SID hold time is running. This allows packets to flow over the LFA backup path, when the adjacency is protected, and allows the ingress LER or PCE time to compute a new path of the SR-TE LSP after IGP converges.
  • If the adjacency is restored while the adjacency SID hold timer is running, the timer is aborted, and the adjacency SID remains programmed in the datapath with the retained SID values. However, the backup NHLFE may change if a new LFA SPF runs while the adjacency SID hold timer running. An update to the backup NHLFE is performed immediately following the LFA SPF. In all cases, the adjacency keeps its assigned SID label value.
  • If the adjacency SID hold timer expires before the adjacency is restored, the SID is deprogrammed from the datapath and the label returned into the common pool where it was drawn from. Users of the adjacency (for example, SR policy and SR-TE LSP) are also informed.

    When the adjacency is subsequently restored, it gets assigned its allocated static-label value or a new dynamic-label value.

  • A new PG-ID is assigned each time an adjacency comes back up. This PG-ID is used by the ILM and LTN of the adjacency SID and of all downstream node SIDs that resolve to a next hop over this adjacency.

The no form of this command reverts to the default value.

Default

adj-sid-hold 15

Parameters

seconds

Specifies the adjacency SID hold time, in seconds.

Values

1 to 1800

Platforms

All

adj-sid-hold

Syntax

adj-sid-hold seconds

no adj-sid-hold

Context

[Tree] (config>router>isis>srv6 adj-sid-hold)

Full Context

configure router isis segment-routing-v6 adj-sid-hold

Description

This command specifies the length of time the system holds the SRv6 adjacency route and tunnel entries programmed in datapath while the adjacency is down.

When an adjacency to a neighbor fails, the following procedures are followed for both the LFA protected SID and the LFA unprotected SID of this adjacency in SRv6. An adjacency can have both types of SIDs assigned by configuration. An LFA protected adjacency SID is eligible for LFA protection, but the following procedures apply even if a LFA backup was not programmed at the time of the failure. An LFA unprotected adjacency SID is not eligible for LFA protection.

  • IGP withdraws the advertisement of the link TLV as well as its SRv6 End.X SID sub-TLV.
  • The adjacency SID hold timer starts.
  • The route table, FIB, and tunnel table entries are kept for as long as the adjacency SID hold timer is running. This allows packets to flow over the LFA backup path, when the adjacency is protected, and to allow the ingress LER or PCE time to compute a new path of a SRv6 policy after IGP converges.
  • If the adjacency is restored while the adjacency SID hold timer is running, the timer is aborted, and the adjacency SID remains programmed in the datapath with the retained SID values. However, the backup NHLFE may change if a new LFA SPF runs while the adjacency SID hold timer is running. An update to the backup NHLFE is performed immediately following the LFA SPF. In all cases, the adjacency keeps its assigned SID value.
  • If the adjacency SID hold timer expires before the adjacency is restored, the SID is deprogrammed from the datapath and the SID value returned into the locator subnet where it was drawn from. Users of the adjacency (for example, SRv6 policy) are also informed.

    When the adjacency is subsequently restored, it gets assigned its allocated static SID value or a new dynamic SID value.

  • A new PG-ID is assigned each time an adjacency comes back up. This PG-ID is used by tunnel of the local adjacency SID and of all remote locator routes that resolve to a next hop over this adjacency.
Note:
Each IS-IS instance runs a single timer per adjacency that IPv4 SR-MPLS, IPv6 SR-MPLS, and SRv6 adjacency SIDs share. When you enable both SR-MPLS and SRv6 in the IS-IS instance via the following commands, the system programs the higher of the two timer values for all SIDs on the adjacency.
configure router isis segment-routing
configure router isis segment-routing-v6

The no form of this command reverts to the default value.

Default

adj-sid-hold 15

Parameters

seconds

Specifies the adjacency SID hold time, in seconds.

Values

1 to 1800

Platforms

7450 ESS, 7750 SR, 7750 SR-s, 7950 XRS, VSR

adj-sid-hold

Syntax

adj-sid-hold seconds

no adj-sid-hold

Context

[Tree] (config>router>ospf3>segm-rtng adj-sid-hold)

[Tree] (config>router>ospf>segm-rtng adj-sid-hold)

Full Context

configure router ospf3 segment-routing adj-sid-hold

configure router ospf segment-routing adj-sid-hold

Description

This command configures a timer to hold the ILM or LTN of an adjacency SID following a failure of the adjacency.

When an adjacency to a neighbor fails, the following procedures are followed for both the LFA protected SID and the LFA unprotected SID of this adjacency in SR-MPLS. An adjacency can have both types of SIDs assigned by configuration. An LFA protected adjacency SID is eligible for LFA protection, but the following procedures apply even if a LFA backup was not programmed at the time of the failure. An LFA unprotected adjacency SID is not eligible for LFA protection.

  • IGP withdraws the advertisement of the link TLV as well as its adjacency SID sub-TLV.
  • The adjacency SID hold timer starts.
  • The LTN and ILM records of the adjacency are kept in the datapath for as long as the adjacency SID hold time is running. This allows packets to flow over the LFA backup path, when the adjacency is protected, and allows the ingress LER or PCE time to compute a new path of the SR-TE LSP after IGP converges.
  • If the adjacency is restored while the adjacency SID hold timer is running, the timer is aborted, and the adjacency SID remains programmed in the datapath with the retained SID values. However, the backup NHLFE may change when a new LFA SPF is run while the adjacency SID hold timer running. An update to the backup NHLFE is performed immediately following the LFA SPF. In all cases, the adjacency keeps its assigned SID label value.
  • If the adjacency SID hold timer expires before the adjacency is restored, the SID is deprogrammed from the datapath and the label returned into the common pool where it was drawn from. Users of the adjacency (for example, SR policy and SR-TE LSP) are also informed.

    When the adjacency is subsequently restored, it gets assigned its allocated static label value or a new dynamic label value.

  • A new PG-ID is assigned each time an adjacency comes back up. This PG-ID is used by the ILM and LTN of the adjacency SID and of all downstream node SIDs that resolve to a next hop over this adjacency.

The no form of this command reverts to the default value.

Default

adj-sid-hold 15

Parameters

seconds

Specifies the adjacency SID hold time, in seconds.

Values

1 to 1800

Platforms

All

adjacency

adjacency

Syntax

[no] adjacency

Context

[Tree] (debug>service>id>pim-snooping adjacency)

Full Context

debug service id pim-snooping adjacency

Description

This command enables or disables debugging for PIM adjacencies.

Platforms

All

adjacency

Syntax

[no] adjacency

Context

[Tree] (debug>router>pim adjacency)

Full Context

debug router pim adjacency

Description

This command enables debugging for PIM adjacencies.

The no form of this command disables debugging for PIM adjacencies.

Platforms

All

adjacency

Syntax

[no] adjacency [ip-int-name | ip-address | nbr-system-id]

Context

[Tree] (debug>router>isis adjacency)

Full Context

debug router isis adjacency

Description

This command enables debugging for IS-IS adjacency.

The no form of the command disables debugging.

Parameters

ip-address

When specified, only adjacencies with the specified interface address are debugged.

Values

ipv4-address:

  • a.b.c.d (host bits must be 0)

ipv6-address:

  • x:x:x:x:x:x:x:x (eight 16-bit pieces)

  • x:x:x:x:x:x:d.d.d.d

  • x: [0 to FFFF]H

  • d: [0 to 255]D

ip-int-name

When specified, only adjacencies with the specified interface name are debugged.

nbr-system-id

When specified, only the adjacency with the specified ID is debugged.

Platforms

All

adjacency-set

adjacency-set

Syntax

[no] adjacency-set id

Context

[Tree] (config>router>isis>segm-rtng adjacency-set)

[Tree] (config>router>ospf>segm-rtng adjacency-set)

Full Context

configure router isis segment-routing adjacency-set

configure router ospf segment-routing adjacency-set

Description

This command creates an adjacency set. An adjacency set consists of one or more adjacency SIDs originating on this node. The constituent adjacencies may terminate on different nodes.

The no form of this command removes the specified adjacency set.

Parameters

id

Specifies an unsigned integer representing the identifier of the adjacency set.

Values

1 to 4294967295

Platforms

All

adjacency-set

Syntax

[no] adjacency-set id

Context

[Tree] (config>router>isis>interface adjacency-set)

[Tree] (config>router>ospf>area>interface adjacency-set)

Full Context

configure router isis interface adjacency-set

configure router ospf area interface adjacency-set

Description

This command associates an interface with an adjacency set. The adjacency set must have been defined under the IS-IS or OSPF segment-routing context.

The no form of this command removes the association.

Parameters

id

Specifies an unsigned integer representing the identifier of the adjacency set.

Values

1 to 4294967295

Platforms

All

adjacency-sid

adjacency-sid

Syntax

adjacency-sid label value

no adjacency-sid

Context

[Tree] (config>router>ospf>area>interface adjacency-sid)

Full Context

configure router ospf area interface adjacency-sid

Description

This command allows a static value to be assigned to an adjacency SID in OSPF segment routing.

The label option specifies that the value is assigned to an MPLS label.

The no form of this command removes the adjacency SID.

Parameters

label value

Specifies the value of adjacency SID label.

Values

18432 to 52428 | 1048575 (FP4 or FP5 only)

Platforms

All

adjacency-sid

Syntax

adjacency-sid

Context

[Tree] (config>router>isis>segm-rtng adjacency-sid)

[Tree] (config>router>ospf3>segm-rtng adjacency-sid)

[Tree] (config>router>ospf>segm-rtng adjacency-sid)

Full Context

configure router isis segment-routing adjacency-sid

configure router ospf3 segment-routing adjacency-sid

configure router ospf segment-routing adjacency-sid

Description

Commands in this context configure two SR-MPLS adjacency SIDs per interface.

Platforms

All

adjust-down

adjust-down

Syntax

adjust-down percent [bw bandwidth-in-mbps]

no adjust-down

Context

[Tree] (config>router>mpls>lsp>auto-bandwidth adjust-down)

[Tree] (config>router>mpls>lsp-template>auto-bandwidth adjust-down)

Full Context

configure router mpls lsp auto-bandwidth adjust-down

configure router mpls lsp-template auto-bandwidth adjust-down

Description

This command configures the minimum threshold for decreasing the bandwidth of an LSP based on active measurement of LSP bandwidth.

The no form of this command is equivalent to adjust-down 5.

Default

adjust-down 5 bw 0

Parameters

percent

Specifies the minimum difference between the current bandwidth reservation of the LSP and the (measured) maximum average data rate, expressed as a percentage of the current bandwidth, for decreasing the bandwidth of the LSP.

Values

1 to 100

bandwidth-in-mbps

Specifies the minimum difference between the current bandwidth reservation of the LSP and the (measured) maximum average data rate, expressed as an absolute bandwidth (Mb/s), for decreasing the bandwidth of the LSP.

Values

0 to 6400000

Platforms

All

adjust-up

adjust-up

Syntax

adjust-up percent [bw bandwidth-in-mbps]

no adjust-up

Context

[Tree] (config>router>mpls>lsp-template>auto-bandwidth adjust-up)

[Tree] (config>router>mpls>lsp>auto-bandwidth adjust-up)

Full Context

configure router mpls lsp-template auto-bandwidth adjust-up

configure router mpls lsp auto-bandwidth adjust-up

Description

This command configures the minimum threshold for increasing the bandwidth of an LSP based on active measurement of LSP bandwidth.

The no form of this command is equivalent to adjust-up 5.

Default

adjust-up 5 bw 0

Parameters

percent

Specifies the minimum difference between the current bandwidth reservation of the LSP and the (measured) maximum average data rate, expressed as a percentage of the current bandwidth, for increasing the bandwidth of the LSP.

Values

1 to 100

bandwidth-in-mbps

Specifies the minimum difference between the current bandwidth reservation of the LSP and the (measured) maximum average data rate, expressed as an absolute bandwidth (Mb/s), for increasing the bandwidth of the LSP

Values

0 to 6400000

Platforms

All

admin

admin

Syntax

admin

Context

[Tree] (admin)

Full Context

admin

Description

Commands in this context configure administrative system parameters. Only authorized users can execute the commands in the admin context.

Platforms

All

admin-bw

admin-bw

Syntax

admin-bw kbps

no admin-bw

Context

[Tree] (config>mcast-mgmt>mcast-info-plcy>bundle>channel admin-bw)

[Tree] (config>mcast-mgmt>mcast-info-plcy>bundle admin-bw)

[Tree] (config>mcast-mgmt>mcast-info-plcy>bundle>channel>src-override admin-bw)

Full Context

configure mcast-management multicast-info-policy bundle channel admin-bw

configure mcast-management multicast-info-policy bundle admin-bw

configure mcast-management multicast-info-policy bundle channel source-override admin-bw

Description

This command specifies an administrative bandwidth for multicast channels. The specified bandwidth rate can be used by the multicast ingress path manger, multicast CAC manager or multicast ECMP manager.

The kbps value is closely tied to the bw-activity command. When the bw-activity command is set to use-admin-bw, the multicast ingress path manager uses the configured administrative bandwidth value as the managed ingress bandwidth. The admin-bw value must be defined for the bw-activity use-admin-bw command to succeed. Once the bw-activity command is set to use the admin-bw value, the value cannot be set to 0 and the no admin-bw command fails. Setting the bw-activity command to dynamic (the default setting), breaks the association between the commands.

The no form of this command restores the default value for admin-bw. If the command is executed in the channel context, the channels administrative bandwidth value is set to null. If the command is executed in the source-override context, the source override administrative bandwidth value is set to null.

Parameters

kbps

Specifies the administrative bandwidth for multicast channels.

Values

1 to 40000000 kb/s

Bundle default:

0

Channel default:

Null (undefined)

Source-override default:

Null (undefined)

Override sequence — The channel setting overrides the bundle setting. The source-override setting overrides the channel and bundle settings.

Platforms

All

admin-bw-threshold

admin-bw-threshold

Syntax

admin-bw-threshold kilo-bits-per-second

no admin-bw-threshold

Context

[Tree] (config>mcast-mgmt>bw-plcy admin-bw-threshold)

Full Context

configure mcast-management bandwidth-policy admin-bw-threshold

Description

This command defines at which bandwidth rate a multicast channel configured to use an administrative rate starts and stop using that rate as the in-use ingress bandwidth when managing ingress multicast paths. This parameter only applies to channels that are configured to use the admin-bw rate with the bw-activity use-admin-bw command (both are configured in the multicast-info-policy associated with the channel context).

To be effective, the admin-bw-threshold value must be less than the channels configured admin-bw. If the administrative bandwidth configured on the channel is less than the administrative bandwidth threshold defined in the bandwidth policy, the admin-bw value is ignored for ingress multicast path management and the system continually uses the dynamic ingress bandwidth associated with the channel. Since the value is defined in the bandwidth-policy and the channel admin-bw value is defined in the multicast-info-policy, it is not possible to pre-determine that a given administrative bandwidth value is less than an administrative bandwidth threshold. Since a typical administrative bandwidth threshold is set significantly lower than any administrative bandwidth values, this corner case is not expected to be prevalent. However, if the case does arise in a production environment, no ill behavior is expected as the threshold is simply a tuning parameter used to detect when the bandwidth associated with a channel has risen above any OAM or background type traffic.

While a channel that is configured to the use-admin-bw parameter (in the bw-activity command) current bandwidth is less than the admin-bw-threshold, the system treats the channel as a dynamic type channel. Once the threshold is crossed, the system immediately allocates the full admin-bw value to the channel and manages the ingress multicast path accordingly. If the bandwidth monitored on the channel rises above the admin-bw value, the system reverts to dynamic bandwidth management operation. If the bandwidth drops below the admin-bw value, but is above the admin-bw-threshold, the system uses the admin-bw value. If the bandwidth drops below the admin-bw-threshold, the system goes back to dynamic bandwidth management operation.

This command has no effect on multicast ECMP or egress CAC management operations.

The no form of this command reverts to the default, which is 10 kb/s.

Parameters

kilobits-per-second

Specifies the defines the rate at which channels configured to use administrative bandwidths change from dynamic bandwidth management to using the channels configured administrative bandwidth. The parameter is expressed as an integer value and represents multiples of 1,000 bits per second. A value of 3000 indicates 3,000,000 bits per second.

Values

1 to 40,000,000

Platforms

7450 ESS, 7750 SR-1x-48D, 7750 SR-1x-92S, 7750 SR-7/12/12e, 7750 SR-s, 7950 XRS, VSR

admin-group

admin-group

Syntax

[no] admin-group group-name [group-name]

no admin-group

Context

[Tree] (config>router>mpls>interface admin-group)

[Tree] (config>service>vprn>if>if-attribute admin-group)

[Tree] (config>service>ies>if>if-attribute admin-group)

[Tree] (config>router>if>if-attribute admin-group)

Full Context

configure router mpls interface admin-group

configure service vprn interface if-attribute admin-group

configure service ies interface if-attribute admin-group

configure router interface if-attribute admin-group

Description

This command configures the admin group membership of an interface. The user can apply admin groups to an IES, VPRN, network IP, or MPLS interface.

Each single operation of the admin-group command allows a maximum of five (5) groups to be specified at a time. However, a maximum of 32 groups can be added to a given interface through multiple operations. Once an admin group is bound to one or more interface, its value cannot be changed until all bindings are removed.

The configured admin-group membership will be applied in all levels or areas the interface is participating in. The same interface cannot have different memberships in different levels or areas.

Only the admin groups bound to an MPLS interface are advertised in TE link TLVs and sub-TLVs when the traffic-engineering option is enabled in IS-IS or OSPF. IES and VPRN interfaces do not have their attributes advertised in TE TLVs.

The no form of this command deletes one or more of the admin-group memberships of an interface. The user can also delete all memberships of an interface by not specifying a group name.

Default

no admin-group

Parameters

group-name

Specifies up to five groups, each up to 32 characters. The association of group name and value should be unique within an IP/MPLS domain. Each single operation of the admin-group command allows a maximum of 5 groups to be specified. However, a maximum of 32 groups can be added to a given interface through multiple operations.

Platforms

All

admin-group

Syntax

admin-group group-name value group-value

no admin-group group-name

Context

[Tree] (config>router>if-attribute admin-group)

Full Context

configure router if-attribute admin-group

Description

This command defines an Administrative Group (AG) that can be associated with an IP or MPLS interface.

AGs, also known as affinity, are used to tag IP and MPLS interfaces that share a specific characteristic with the same identifier. For example, an AG identifier can represent:

  • all links that connect to core routers
  • all links that have a bandwidth higher than 10 Gb
  • all links that are dedicated to a specific service

First configure locally on each router the name and identifier of each AG. A maximum of 32 AGs can be configured per system.

After configuring the router name and identifier, configure the AG membership of an interface. You can apply AGs to a IES, VPRN, network IP, or MPLS interface.

When applied to MPLS interfaces, the interfaces can be included or excluded in the LSP path definition by inferring the AG name. CSPF computes a path that satisfies the AG include and exclude constraints.

When applied to IES, VPRN, or network IP interfaces, the interfaces can be included or excluded in the route next-hop selection by inferring the AG name in a route next-hop policy template applied to an interface or a set of prefixes.

The following provisioning rules apply to the AG configuration. The system rejects the creation of an AG:

  • if the name of the AG is the same as that of an existing group, even if the new AG group value is different from the existing group value
  • if the AG reuses the same group value but with a different name from an existing group

Only the AGs bound to an MPLS interface are advertised area wide in TE link TLVs and sub-TLVs when the traffic-engineering option is enabled in IS-IS or OSPF. IES and VPRN interfaces do not have their attributes advertised in TE TLVs.

Parameters

group-name

Specifies the name of the group, up to 32 characters. The association of group name and value should be unique within an IP/MPLS domain

group-value

Specifies the integer value associated with the group. The association of group name and value should be unique within an IP or MPLS domain.

Values

0 to 31 – Specifies the value range to use with link LFA next-hop policies or is used as a link color (AG or EAG) with Segment Routing Flex-Algorithms.

32 to 255 – Specifies the value range to use when the EAG is used as a link color with Segment Routing Flex-Algorithms. This higher range fails if used for other applications, such as LFA next-hop policies.

Platforms

All

admin-group

Syntax

admin-group admin-group

no admin-group admin-group

Context

[Tree] (config>router>fad>flex-algo>exclude admin-group)

Full Context

configure router flexible-algorithm-definitions flex-algo exclude admin-group

Description

This command configures an administrative group link that will be excluded from the topology graph of the flexible algorithm. If multiple administrative groups are configured, they are all excluded from the topology graph.

Administrative groups are attributes associated with a link. Frequently these administrative groups are described as link colors.

The no form of this command removes the admin-group from being excluded from the topology graph.

Default

no admin-group

Parameters

admin-group

Configures an administrative group link to exclude from the topology graph of the configured FAD.

Platforms

All

admin-group

Syntax

admin-group admin-group

no admin-group admin-group

Context

[Tree] (config>router>fad>flex-algo>include-all admin-group)

Full Context

configure router flexible-algorithm-definitions flex-algo include-all admin-group

Description

This command configures an administrative group link that will be included in the topology graph of the defined FAD. If multiple administrative groups are configured, groups must be present in a link before the link is included in the flexible algorithm topology graph.

The no form of this command removes the specified admin-group from being included in the topology graph.

Default

no admin-group

Parameters

admin-group

Configures an administrative group to include in topology graph of the configured FAD.

Platforms

All

admin-group

Syntax

admin-group admin-group

no admin-group admin-group

Context

[Tree] (config>router>fad>flex-algo>include-any admin-group)

Full Context

configure router flexible-algorithm-definitions flex-algo include-any admin-group

Description

This command configures an administrative group link that will be included in the topology graph of the configured FAD. If multiple administrative groups are configured, at least one of the administrative groups must be present in a link before the link is included into the flexible algorithm topology graph.

The no form of this command removes the admin-group from being included in the topology graph.

Default

no admin-group

Parameters

admin-group

Configures an administrative group to include in the topology graph of the configured FAD.

Platforms

All

admin-group-frr

admin-group-frr

Syntax

[no] admin-group-frr

Context

[Tree] (config>router>mpls admin-group-frr)

Full Context

configure router mpls admin-group-frr

Description

This command enables the use of the admin-group constraints in the association of a manual or dynamic bypass LSP with the primary LSP path at a Point-of-Local Repair (PLR) node.

When this command is enabled, each PLR node reads the admin-group constraints in the FAST_REROUTE object in the Path message of the LSP primary path. If the FAST_REROUTE object is not included in the Path message, then the PLR will read the admin-group constraints from the Session Attribute object in the Path message.

If the PLR is also the ingress LER for the LSP primary path, then it just uses the admin-group constraint from the LSP and/or path level configurations.

The PLR node then uses the admin-group constraints along with other constraints, such as hop-limit and SRLG, to select a manual or dynamic bypass among those that are already in use.

If none of the manual or dynamic bypass LSP satisfies the admin-group constraints, and/or the other constraints, the PLR node will request CSPF for a path that merges the closest to the protected link or node and that includes or excludes the specified admin-group IDs.

If the user changes the configuration of the above command, it will not have any effect on existing bypass associations. The change will only apply to new attempts to find a valid bypass.

The no form of this command disables the use of administrative group constraints on a FRR backup LSP at a PLR node.

Default

no frr-admin-group

Platforms

All

admin-password

admin-password

Syntax

admin-password password [hash | hash2]

no admin-password

Context

[Tree] (config>system>security>password admin-password)

Full Context

configure system security password admin-password

Description

This command allows a user (with admin permissions) to configure a password that enables a user to become an administrator.

This password is valid only for one session. When enabled, no authorization to TACACS+ or RADIUS is performed and the user is locally regarded as an admin user.

This functionality can be enabled in two contexts:

config>system>security>password>admin-password

<global> enable-admin

If the admin-password is configured in the config>system>security>password context, then any user can enter the special mode by entering the enable-admin command.

enable-admin is in the default profile. By default, all users are given access to this command.

After the enable-admin command is entered, the user is prompted for a password. If the password matches, user is given unrestricted access to all the commands.

The minimum length of the password is determined by the minimum-length command. The complexity requirements for the password are determined by the complexity command.

Note:

The password argument of this command is not sent to the servers. This is consistent with other commands that configure secrets.

The usernames and passwords in the FTP and TFTP URLs will not be sent to the authorization or accounting servers when the file>copy source-url dest-url command is executed.

For example:

file copy ftp://test:secret@10.20.31.79/test/srcfile cf1:\destfile

In this example, the username 'test' and password 'secret' will not be sent to the AAA servers (or to any logs). They will be replaced with ''****''.

The no form of this command removes the admin password from the configuration.

Note:

This command applies to a local user, in addition to users on RADIUS, TACACS, and LDAP.

Default

no admin-password

Parameters

password

Configures the password that enables a user to become a system administrator. The maximum length can be up to 56 characters if unhashed, 60 characters if hashed with bcrypt, from 87 to 92 characters if hashed with sha2-pbkdf2, 32 characters if the hash keyword is specified, or 54 characters if the hash2 keyword is specified. The unhashed cleartext password form should meet all the requirements that are defined by the complexity command.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form or hashed with bcrypt or PBKDF2. For security, all keys are stored in the configuration file in hashed form (using bcrypt or PBKDF2, depending on the hashing configuration parameter) or, for backward compatibility, can be stored in encrypted form with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form or hashed with bcrypt or PBKDF2. For security, all keys are stored in the configuration file in hashed form (using bcrypt or PBKDF2, depending on the hashing configuration parameter) or, for backward compatibility, can be stored in encrypted form with the hash or hash2 parameter specified.

Platforms

All

admin-state

admin-state

Syntax

admin-state {up | down}

no admin-state

Context

[Tree] (config>router>l2tp>group>tunnel>mlppp admin-state)

[Tree] (config>service>vprn>l2tp>group>tunnel>mlppp admin-state)

Full Context

configure router l2tp group tunnel mlppp admin-state

configure service vprn l2tp group tunnel mlppp admin-state

Description

This command enables MLPPP for this tunnel group and is applicable only to LNS.

The tunnel can be explicitly activated (if the parent group is in a no shutdown state) or deactivated by the up and down keywords.

If there the admin state is not configured, the tunnel inherits its administrative state from its parent (group).

The no form of this command causes the tunnel administrative state to be inherited from the group.

Parameters

up

Specifies that the tunnel is to be administratively up.

down

Specifies that the tunnel is to be administratively down.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s

admin-status

admin-status

Syntax

admin-status {rx | tx | tx-rx | disabled}

Context

[Tree] (config>port>ethernet>lldp>dstmac admin-status)

Full Context

configure port ethernet lldp dest-mac admin-status

Description

This command configures LLDP transmission/reception frame handling.

Default

admin-status disabled

Parameters

rx

Specifies the LLDP agent will receive, but will not transmit LLDP frames on this port.

tx

Specifies that the LLDP agent will transmit LLDP frames on this port and will not store any information about the remote systems connected.

tx-rx

Specifies that the LLDP agent transmits and receives LLDP frames on this port.

disabled

Specifies that the LLDP agent does not transmit or receive LLDP frames on this port. If there is remote systems information which is received on this port and stored in other tables, before the port's admin status becomes disabled, then the information will naturally age out.

Platforms

All

admin-tag

admin-tag

Syntax

[no] admin-tag tag-value

Context

[Tree] (config>router>mpls>lsp-template admin-tag)

[Tree] (config>router>mpls>lsp admin-tag)

Full Context

configure router mpls lsp-template admin-tag

configure router mpls lsp admin-tag

Description

This assigns an administrative tag to an LSP. The administrative tag can be used to enable routes with certain administrative tags to resolve using LSPs of matching administrative tags.

Up to four tags can be assigned to an LSP.

The administrative tag must exist under config>router>admin-tags.

The no form of this command removes the administrative tag.

Parameters

tag-value

The value of the admin-tag, up to 32 characters.

Platforms

All

admin-tag

Syntax

[no] admin-tag tag

Context

[Tree] (config>router>admin-tags admin-tag)

Full Context

configure router admin-tags admin-tag

Description

This command configures an admin tag value in the nodal LSP administrative tag database.

Up to 256 admin tags can be configured.

The no form of this command removes the admin tag.

Parameters

tag

The value of the administrative tag, up to 32 characters.

Platforms

All

admin-tag-policy

admin-tag-policy

Syntax

admin-tag-policy policy-name

no admin-tag-policy

Context

[Tree] (config>router>policy-options>policy-statement>default-action admin-tag-policy)

[Tree] (config>router>policy-options>policy-statement>entry>action admin-tag-policy)

Full Context

configure router policy-options policy-statement default-action admin-tag-policy

configure router policy-options policy-statement entry action admin-tag-policy

Description

This command assigns a route admin tag policy as an action in a route policy.

The admin tag policy must exist under config>router>admin-tags.

The no form of this command removes the admin tag policy.

Parameters

policy-name

Specifies the name of the admin tag policy, up to 64 characters.

Platforms

All

admin-tags

admin-tags

Syntax

admin-tags

Context

[Tree] (config>router admin-tags)

Full Context

configure router admin-tags

Description

Commands in this context configure admin tags and router admin tag policy templates used for route resolution to LSPs.

Platforms

All

adspec

adspec

Syntax

[no] adspec

Context

[Tree] (config>router>mpls>lsp-template adspec)

[Tree] (config>router>mpls>lsp adspec)

Full Context

configure router mpls lsp-template adspec

configure router mpls lsp adspec

Description

When enabled, the ADSPEC object will be included in RSVP messages for this LSP. The ADSPEC object is used by the ingress LER to discover the minimum value of the MTU for links in the path of the LSP. By default, the ingress LER derives the LSP MTU from that of the outgoing interface of the LSP path.

A bypass LSP always signals the ADSPEC object since it protects both primary paths which signal the ADSPEC object and primary paths which do not. This means that MTU of LSP at ingress LER may change to a different value from that derived from the outgoing interface even if the primary path has ADSPEC disabled.

Default

no adspec — No ADSPEC objects are included in RSVP messages.

Platforms

All

adv-adj-addr-only

adv-adj-addr-only

Syntax

[no] adv-adj-addr-only

Context

[Tree] (config>router>ldp>session-params>peer adv-adj-addr-only)

Full Context

configure router ldp session-parameters peer adv-adj-addr-only

Description

This command provides a means for an LDP router to advertise only the local IPv4 or IPv6 interfaces it uses to establish hello adjacencies with an LDP peer. By default, when a router establishes an LDP session with a peer, it advertises in an LDP Address message the addresses of all local interfaces to allow the peer to resolve LDP FECs distributed by this router. Similarly, a router sends a Withdraw Address message to of all its peers to withdraw a local address if the corresponding interface went down or was deleted.

This new option reduces CPU processing when a large number of LDP neighbors come up or go down. The new CLI option is strongly recommended in mobile backhaul networks where the number of LDP peers can be very large.

The no form of this command reverts LDP to the default behavior of advertising all local interfaces.

Platforms

All

adv-config-policy

adv-config-policy

Syntax

adv-config-policy policy-name [create]

no adv-config-policy policy-name

Context

[Tree] (config>qos adv-config-policy)

Full Context

configure qos adv-config-policy

Description

Commands in this context configure an advanced QoS policy. This command contains only queue and policer child control parameters within a child-control node.

The parameters within the child-control node are intended to allow more precise control of the method that hierarchical virtual scheduling employs to emulate the effect of a scheduling context upon a member child queue or policer.

When a policy is created, it may be applied to a queue or policer defined within a sap-egress or sap-ingress QoS policy. It may also be applied to a queue or policer defined within an ingress or egress queue-group template. When a policy is currently associated with a QoS policy or template, the policy may be modified but not deleted (even in the event that the QoS policy or template is not in use).

While the system maintains default values for the advanced configuration parameters, no default adv-config-policy exists.

The no form of this command removes the specified advanced policy.

Parameters

policy-name

The name of the advanced QoS policy. A policy-name must be specified and conform to the policy naming guidelines. If the specified name does not exist, the optional create keyword requirements are met and the total number of policies per system will not be exceeded, an adv-config-policy of that name will be created. If the specified name does exist, the system will switch context to that adv-config-policy for the purpose of modification of the policy’s contents.

Values

Valid names consist of any string up to 32 characters, composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes.

Platforms

All

adv-config-policy

Syntax

adv-config-policy policy-name

no adv-config-policy

Context

[Tree] (config>qos>sap-ingress>policer adv-config-policy)

[Tree] (config>qos>sap-egress>policer adv-config-policy)

[Tree] (config>qos>sap-ingress>queue adv-config-policy)

[Tree] (config>qos>sap-egress>queue adv-config-policy)

Full Context

configure qos sap-ingress policer adv-config-policy

configure qos sap-egress policer adv-config-policy

configure qos sap-ingress queue adv-config-policy

configure qos sap-egress queue adv-config-policy

Description

This command specifies the advanced QoS policy. The advanced QoS policy contains only queue and policer child control parameters within a child-control node.

When a policy is created, it may be applied to a queue or policer defined within a sap-egress or sap-ingress QoS policy. It may also be applied to a queue or policer defined within an ingress or egress queue-group template. When a policy is currently associated with a QoS policy or template, the policy may be modified but not deleted (even in the event that the QoS policy or template is not in use).

The no form of this command removes the specified advanced policy.

Default

no adv-config-policy

Parameters

policy-name

The name of the advanced QoS policy.

Values

Valid names consist of any string up to 63 characters, composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, 7950 XRS, VSR

  • configure qos sap-ingress policer adv-config-policy
  • configure qos sap-egress policer adv-config-policy

All

  • configure qos sap-ingress queue adv-config-policy
  • configure qos sap-egress queue adv-config-policy

adv-config-policy

Syntax

adv-config-policy adv-config-policy-name

no adv-config-policy

Context

[Tree] (config>qos>qgrps>ing>qgrp>policer adv-config-policy)

[Tree] (config>qos>qgrps>egr>qgrp>queue adv-config-policy)

[Tree] (config>qos>qgrps>ing>qgrp>queue adv-config-policy)

[Tree] (config>qos>qgrps>egr>qgrp>policer adv-config-policy)

Full Context

configure qos queue-group-templates ingress queue-group policer adv-config-policy

configure qos queue-group-templates egress queue-group queue adv-config-policy

configure qos queue-group-templates ingress queue-group queue adv-config-policy

configure qos queue-group-templates egress queue-group policer adv-config-policy

Description

This command specifies the name of the advanced configuration policy to be applied with this policer.

Parameters

adv-config-policy-name

Specifies an existing advanced configuration policy up to 32 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, 7950 XRS, VSR

  • configure qos queue-group-templates ingress queue-group policer adv-config-policy
  • configure qos queue-group-templates egress queue-group policer adv-config-policy

All

  • configure qos queue-group-templates ingress queue-group queue adv-config-policy
  • configure qos queue-group-templates egress queue-group queue adv-config-policy

adv-config-policy

Syntax

adv-config-policy src-name dst-name [overwrite]

Context

[Tree] (config>qos>copy adv-config-policy)

Full Context

configure qos copy adv-config-policy

Description

This command copies existing QoS policy entries for a QoS policy-id to another QoS policy-id.

The copy command is a configuration-level maintenance tool used to create new policies using existing policies. It also allows bulk modifications to an existing policy with the use of the overwrite keyword.

Parameters

adv-config-policy

Indicates that the source policy ID and the destination policy ID are advanced policy IDs. Specify the source advanced policy ID that the copy command will attempt to copy from and specify the destination advanced policy ID to which the command will copy a duplicate of the policy.

overwrite

Specifies that this policy is to replace the existing destination advanced policy. Everything in the existing destination policy will be overwritten with the contents of the source advanced policy. If overwrite is not specified, an error will occur if the destination policy ID exists, as shown here:

Example:
    — ALA-7>config>qos# copy adv-config-policy default sp1
    — MINOR: CLI Destination "sp1" exists - use {overwrite}
    — ALA-7>config>qos#overwrite

Platforms

All

adv-local-lsr-id

adv-local-lsr-id

Syntax

[no] adv-local-lsr-id

Context

[Tree] (config>router>ldp>session-params>peer adv-local-lsr-id)

[Tree] (config>router>ldp>targeted-session>peer-template adv-local-lsr-id)

Full Context

configure router ldp session-parameters peer adv-local-lsr-id

configure router ldp targeted-session peer-template adv-local-lsr-id

Description

This command advertises a local LSR ID over a specified LDP session.

Advertisement of a local LSR ID over a given LDP session is configured using the adv-local-lsr-id command in the peer session-parameters. If a user disables the adv-local-lsr-id command, then the system will withdraw the FEC for the local LSR ID.

The SR OS router uses the following rules when advertising a local LSR ID:

  • If the session parameters have the default configuration and the targeted peer template has the default configuration, the local LSR ID is not advertised.

  • If the session parameters have the default configuration but the targeted peer template has an explicit configuration for advertisement of the local LSR ID, the targeted peer template configuration is used.

  • If the session parameters have an explicit configuration for advertisement of the local LSR ID but the targeted peer template has the default configuration, the session parameter configuration is used.

  • If both the session parameters and the targeted peer template have an explicit configuration for advertisement of the local LSR ID, then the session parameter configuration is used.

The no form of this command withdraws the FEC for the local LSR ID.

Default

no adv-local-lsr-id

Platforms

All

adv-mtu-override

adv-mtu-override

Syntax

[no] adv-mtu-override

Context

[Tree] (config>service>sdp adv-mtu-override)

Full Context

configure service sdp adv-mtu-override

Description

This command overrides the advertised VC-type MTU of all spoke-sdps of L2 services using this SDP-ID. When enabled, the router signals a VC MTU equal to the service MTU, which includes the Layer 2 header. It also allows this router to accept an MTU advertised by the far-end PE which value matches either its advertised MTU or its advertised MTU minus the L2 headers.

By default, the router advertises a VC-MTU equal to the L2 service MTU minus the Layer 2 header and always matches its advertised MTU to that signaled by the far-end PE router, otherwise the spoke-sdp goes operationally down.

When this command is enabled on the SDP, it has no effect on a spoke-sdp of an IES/VPRN spoke interface using this SDP-ID. The router continues to signal a VC MTU equal to the net IP interface MTU, which is min{ip-mtu, sdp operational path mtu - L2 headers}. The router also continues to make sure that the advertised MTU values of both PE routers match or the spoke-sdp goes operationally down.

The no form of the command disables the VC-type MTU override and returns to the default behavior.

Default

no adv-mtu-override

Platforms

All

adv-noaddrs-global

adv-noaddrs-global

Syntax

adv-noaddrs-global [esm-proxy] [esm-relay] [relay] [server]

no adv-noaddrs-global

Context

[Tree] (config>system>dhcp6 adv-noaddrs-global)

Full Context

configure system dhcp6 adv-noaddrs-global

Description

This command configures the different DHCPv6 applications to send the NoAddrsAvail Status-Code in DHCPv6 Advertise messages at the global DHCP message level.

By default, all applications send the NoAddrsAvail Status-Code in DHCPv6 Advertise messages at the IA_NA Option level.

Different applications for which NoAddrsAvail Status-Code in DHCPv6 Advertise messages can be configured at the global DHCP message level.

The only valid combination in current SR OS is adv-noaddrs-global esm-relay server.

The no form of this command reverts to the default.

Default

no adv-noaddrs-global. All applications send the NoAddrsAvail Status-Code in DHCPv6 Advertise messages at the IA_NA Option level.

Parameters

esm-proxy

Specifies the DHCPv6 proxy server on subscriber group-interfaces. Not supported in current SR OS.

esm-relay

Specifies the DHCPv6 relay on subscriber group-interfaces. Must be enabled together with the DHCPv6 server (server) application.

relay

Specifies the DHCPv6 relay on regular IES or VPRN interfaces. Not supported in current SR OS.

server

Specifies the DHCPv6 server. Must be enabled together with the DHCPv6 relay on subscriber interfaces (esm-relay) application.

Platforms

All

adv-service-mtu

adv-service-mtu

Syntax

adv-service-mtu octets

no adv-service-mtu

Context

[Tree] (config>service>epipe>spoke-sdp adv-service-mtu)

Full Context

configure service epipe spoke-sdp adv-service-mtu

Description

This command configures the MTU value signaled in targeted LDP for the spoke-SDP and the value used to validate the value signaled by the far-end PE. If configured, this value is used instead of the service MTU. However, the configuration does not affect the locally enforced value, which is still based on the service MTU. This command for the MTU cannot be configured on a spoke-SDP that is bound to an SDP with the adv-mtu-override command.

When unconfigured, an adjusted service MTU is used. See the service-mtu command for more information.

The no form of this command removes the configuration.

Default

no adv-service-mtu

Parameters

octets

The size of the MTU in octets, expressed as a decimal integer.

Values

0 to 9782

Platforms

All

adv-service-mtu

Syntax

adv-service-mtu number

no adv-service-mtu

Context

[Tree] (config>service>vpls>bgp adv-service-mtu)

[Tree] (config>service>epipe>bgp adv-service-mtu)

Full Context

configure service vpls bgp adv-service-mtu

configure service epipe bgp adv-service-mtu

Description

This command configures the Layer 2 MTU value that is advertised for BGP signaling for the service and for validation with the value signaled by the far-end PE. However, the configuration does not effect the locally enforced value, which is still based on the service MTU.

The no form of this command reverts to the default Layer 2 MTU value for BGP signaling for the service, which uses an adjusted service-mtu value. See the service-mtu command for more information.

Default

no adv-service-mtu

Parameters

number

Specifies the size, in octets, of the Layer 2 MTU value to advertise for BGP signaling for the service.

Values

0 to 9782

Platforms

All

advertise

advertise

Syntax

advertise {static | dynamic} [route-tag [1..255]]

no advertise {static | dynamic}

Context

[Tree] (config>service>ies>if>vpls>evpn>nd advertise)

[Tree] (config>service>vprn>if>vpls>evpn>nd advertise)

[Tree] (config>service>vprn>if>vpls>evpn>arp advertise)

[Tree] (config>service>ies>if>vpls>evpn>arp advertise)

Full Context

configure service ies interface vpls evpn nd advertise

configure service vprn interface vpls evpn nd advertise

configure service vprn interface vpls evpn arp advertise

configure service ies interface vpls evpn arp advertise

Description

This command enables the advertisement of static and dynamic ARP and ND entries that are installed in the ARP and ND cache into EVPN MAC/IP routes. This command must be used along with no learn-dynamic.

Default

no advertise

Parameters

static

Enables ARP/ND host routes to be created in the route table from EVPN ARP/ND entries

dynamic

Enables ARP/ND host routes to be created in the route table out of dynamic ARP/ND entries (learned from ARP/ND messages received from the hosts).

route-tag

Specifies the route tag that is added in the route table for ARP/ND host routes of type dynamic, or static. This tag can be matched on BGP VRF export and BGP peer export policies.

Values

1 to 255

Platforms

All

advertise

Syntax

advertise fad-name

no advertise

Context

[Tree] (config>router>ospf>flex-algos>flex-algo advertise)

[Tree] (config>router>isis>flex-algos>flex-algo advertise)

Full Context

configure router ospf flexible-algorithms flex-algo advertise

configure router isis flexible-algorithms flex-algo advertise

Description

This command enables the advertisement of a locally configured Flexible Algorithm Definition (FAD).

A locally defined FAD is only advertised if it is administratively enabled. A router can advertise only a single locally defined FAD by using the fad-name as reference anchor.

The winning FAD used by a router must be consistent with the winning FAD on all other routers. This avoids routing loops and traffic blackholing. The winning FAD is selected using a tie-breaker algorithm that first selects the highest advertised FAD priority and next the highest system Id.

The no form of this command removes the advertisement of a flexible algorithm definition.

Default

no advertise

Parameters

fad-name

Configures the FAD name, up to 32 characters. By default, no locally configured FAD is advertised.

Platforms

All

advertise

Syntax

advertise {mvpn-pim | mvpn-only| pim-only}

Context

[Tree] (config>service>vpls>bind>evpn-mcast-gateway advertise)

Full Context

configure service vpls allow-ip-int-bind evpn-mcast-gateway advertise

Description

This command signals the OISM gateway function type in the Inclusive Multicast Ethernet Tag routes.

Default

advertise mvpn-pim

Parameters

mvpn-pim

Specifies that the router signals the MVPN-to-OISM (MEG) and PIM-to-OISM (PEG) gateway capabilities.

mvpn-only

Specifies that the router signals the MVPN-to-OISM (MEG) gateway capabilities.

pim-only

Specifies that the router signals the PIM-to-OISM (PEG) gateway capabilities.

Platforms

All

advertise

Syntax

[no] advertise

advertise weight dynamic [max-dynamic-weight max-dynamic-weight]

advertise weight weight

Context

[Tree] (configure>service>vprn>bgp-evpn>mpls>evpn>evpn-link-bw advertise)

[Tree] (configure>service>vpls>bgp-evpn>ip-route-link-bw advertise)

Full Context

configure service vprn bgp-evpn mpls evpn-link-bandwidth advertise

configure service vpls bgp-evpn ip-route-link-bandwidth advertise

Description

This command enables the advertisement of the EVPN link bandwidth extended community along with the IP Prefix routes.

The no form of this command disables the advertisement of the EVPN link bandwidth extended community.

Default

no advertise

Parameters

weight

Specifies the weight advertised in the EVPN link bandwidth extended community for the advertised EVPN IP prefix routes for the service.

Values

1 to 128

weight dynamic

Keyword to specify that the weight is dynamically set based on the number of BGP PE-CE paths for the IP-Prefix that is advertised in an EVPN IP-Prefix route.

max-dynamic-weight

Specifies the maximum weight advertised in the EVPN link bandwidth extended community for the advertised EVPN IP-Prefix routes for the service. If weight dynamic is configured, the actual advertised weight is the minimum of the number of BGP PE-CE paths for the prefix and the configured maximum weight.

Values

1 to 128

Platforms

All

advertise-admin-group

advertise-admin-group

Syntax

advertise-admin-group {prefer-ag | eag-only | ag-eag}

no advertise-admin-group

Context

[Tree] (config>router>isis>flex-algos advertise-admin-group)

[Tree] (config>router>ospf>flex-algos advertise-admin-group)

Full Context

configure router isis flexible-algorithms advertise-admin-group

configure router ospf flexible-algorithms advertise-admin-group

Description

This command configures the type of Aministrative Group (AG) or Extended Administrative Group (EAG) TLVs the router advertises as the Interior Gateway Protocol (IGP) link attribute. This command is configured for this IGP instance.

The no form of this command removes the configuration.

Default

prefer-ag

Parameters

prefer-ag

Keyword to specify that the router advertises the Administrative Group (AG) TLV as the IGP link attribute if the affinity bits in the configure router if-attribute admin-group value command are configured between 0 to 31. If no EAG (32 to 255) affinity bits are configured, only the AG TLV is advertised as the IGP link attribute.

If the affinity bits are configured in both the AG (0 to 31) and EAG (32 to 255) range, the router advertises both the AG and the EAG TLVs as the IGP link attributes.

eag-only

Keyword to specify that the router advertises only the EAG TLV as the IGP link attribute. No AG TLV is advertised if this keyword is configured.

ag-eag

Keyword to specify that the router can advertise both the AG and the EAG TLVs as the IGP link attributes, even without the affinity bit in the EAG range configured in the configure router if-attribute admin-group value command. If no affinity bit is configured in the AG range (0 to 31), the router prunes the AG TLV. Configuring this keyword allows for backward compatibility for vendor implementations that support only AG, while still supporting EAG.

Platforms

All

advertise-bgp

advertise-bgp

Syntax

advertise-bgp route-distinguisher rd [community community]

no advertise-bgp route-distinguisher rd

Context

[Tree] (config>service>pw-routing>local-prefix advertise-bgp)

Full Context

configure service pw-routing local-prefix advertise-bgp

Description

This command enables a given prefix to be advertised in MP-BGP for dynamic MS-PW routing.

The no form of this command will explicitly withdraw a route if it has been previously advertised.

Default

no advertise-bgp

Parameters

rd

Specifies an 8-octet route distinguisher associated with the prefix. Up to 4 unique route distinguishers can be configured and advertised for a given prefix though multiple instances of the advertise-bgp command. This parameter is mandatory.

Values

(6 bytes, other 2 Bytes of type will be automatically generated) asn:number1 (RD Type 0): 2bytes ASN and 4 bytes locally administered number ip-address:number2 (RD Type 1): 4bytes IPv4 and 2 bytes locally administered number;

community

An optional BGP communities attribute associated with the advertisement. To delete a previously advertised community, advertise-bgp route-distinguisher must be run again with the same value for the RD but excluding the community attribute.

Values

community

{2-byte-as-number:comm-va1}

2-byte-asnumber

0 to 65535

comm.-val

0 to 65535

Platforms

All

advertise-capabilities

advertise-capabilities

Syntax

advertise-capabilities

Context

[Tree] (config>port>ethernet>efm-oam>discovery advertise-capabilities)

Full Context

configure port ethernet efm-oam discovery advertise-capabilities

Description

This is the top level of the hierarchy which allows for the overriding of default advertising of capabilities to a remote peer.

Platforms

All

advertise-delay

advertise-delay

Syntax

[no] advertise-delay

Context

[Tree] (config>router>ospf>te-opts advertise-delay)

Full Context

configure router ospf traffic-engineering-options advertise-delay

Description

This command configures the advertisement of link delay in the IGP LSDB within the OSPF-TE TLV attribute or when the Application Specific Link Attribute (ASLA) is enabled within the SR-TE ASLA.

When the router is configured with the configure router ospf traffic-engineering-options sr-te application-specific-link-attributes command to generate SR-TE ASLA attributes, link delay is advertised as a legacy RFC 3630 TE TLV when RSVP-TE is enabled and as an ASLA RFC 8920 TLV for SR-TE when MPLS is enabled for an interface.

SR OS accepts and handles both legacy RSVP-TE TLVs and ASLAs for the RSVP application. However, SR OS only advertises RFC 3630 legacy RSVP-TE TLVs (as recommended by RFC 8920) to avoid compatibility issues.

The no form of this command disables link delay advertisement.

Default

no advertise-delay

Platforms

All

advertise-delay

Syntax

[no] advertise-delay

Context

[Tree] (config>router>isis>te advertise-delay)

Full Context

configure router isis traffic-engineering-options advertise-delay

Description

This command enables the advertisement of link delay in the IGP LSDB within legacy Traffic Engineering (TE) attributes in IS-IS or within the Application Specific Link Attribute (ASLA) when ASLA is enabled for SR-TE or RSVP-TE applications.

When application-link-attributes legacy command is configured for SR-TE or RSVP-TE, link delay is advertised as a legacy TE TLV with the ASLA legacy bit set.

The no form of this command disables link delay advertisement.

Default

no advertise-delay

Platforms

All

advertise-external

advertise-external

Syntax

[no] advertise-external [ipv4] [ipv6] [ label-ipv4] [label-ipv6]

Context

[Tree] (config>router>bgp advertise-external)

Full Context

configure router bgp advertise-external

Description

This command allows BGP to advertise its best external route to a destination even when its best overall route is an internal route. Entering the command (or its no form) with no address family parameters is equivalent to specifying all supported address families.

The no form of this command disables Advertise Best External for the BGP family.

Default

no advertise-external

Parameters

ipv4

Enables the best-external advertisement for unlabeled unicast IPv4 routes.

ipv6

Enables the best-external advertisement for unlabeled unicast IPv6 routes.

label-ipv4

Enables the best-external advertisement for labeled-unicast IPv4 routes.

label-ipv6

Enables the best-external advertisement for labeled-unicast IPv6 routes.

Platforms

All

advertise-inactive

advertise-inactive

Syntax

[no] advertise-inactive

Context

[Tree] (config>subscr-mgmt>bgp-prng-plcy advertise-inactive)

Full Context

configure subscriber-mgmt bgp-peering-policy advertise-inactive

Description

This command enables the advertising of inactive BGP routers to other BGP peers.

By default, BGP only advertises BGP routes to other BGP peers if a given BGP route is chosen by the route table manager as the most preferred route within the system and is active in the forwarding plane. This command allows system administrators to advertise a BGP route even though it is not the most preferred route within the system for a given destination.

The no form of this command disables the advertising.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

advertise-inactive

Syntax

[no] advertise-inactive

Context

[Tree] (config>service>vprn>bgp>group advertise-inactive)

[Tree] (config>service>vprn>bgp advertise-inactive)

[Tree] (config>service>vprn>bgp>group>neighbor advertise-inactive)

Full Context

configure service vprn bgp group advertise-inactive

configure service vprn bgp advertise-inactive

configure service vprn bgp group neighbor advertise-inactive

Description

This command enables or disables the advertising of inactive BGP routers to other BGP peers.

By default, BGP only advertises BGP routes to other BGP peers if a given BGP route is chosen by the route table manager as the most preferred route within the system and is active in the forwarding plane. This command allows system administrators to advertise a BGP route even though it is not the most preferred route within the system for a given destination.

When the BGP advertise-inactive command is configured so that it applies to a BGP session it has the following effect on the IPv4, IPv6, mcast-ipv4, mcast-ipv6, label-IPv4 and label-IPv6 routes advertised to that peer:

  • If the active route for the IP prefix is a BGP route then that route is advertised.

  • If the active route for the IP prefix is a non-BGP route and there is at least one valid but inactive BGP route for the same destination then the best of the inactive and valid BGP routes is advertised unless the non-BGP active route is matched and accepted by an export policy applied to the session.

  • If the active route for the IP prefix is a non-BGP route and there are no (valid) BGP routes for the same destination then no route is advertised for the prefix unless the non-BGP active route is matched and accepted by an export policy applied to the session.

Default

no advertise-inactive

Platforms

All

advertise-inactive

Syntax

[no] advertise-inactive

Context

[Tree] (config>router>bgp advertise-inactive)

[Tree] (config>router>bgp>group>neighbor advertise-inactive)

[Tree] (config>router>bgp>group advertise-inactive)

Full Context

configure router bgp advertise-inactive

configure router bgp group neighbor advertise-inactive

configure router bgp group advertise-inactive

Description

This command enables the advertising of inactive BGP routes to other BGP peers. By default, BGP only advertises BGP routes to other BGP peers if a given BGP route is chosen by the route table manager as the most preferred route within the system and is active in the forwarding plane. This command allows system administrators to advertise a BGP route even though it is not the used route within the system for a given destination.

The no form of this command disables the advertising of inactive BGP routers to other BGP peers.

Default

no advertise-inactive

Platforms

All

advertise-interval

advertise-interval

Syntax

advertise-interval advertise-interval

no advertise-interval

Context

[Tree] (config>port>aps advertise-interval)

Full Context

configure port aps advertise-interval

Description

This command specifies the time interval, in 100s of milliseconds, between 'I am operational' messages sent by both protect and working circuits to their neighbor for multi-chassis APS.

The advertise-interval value is valid only for a multi-chassis APS as indicated by the value of the neighbor command value if it is not set to 0.0.0.0.

Default

10

Parameters

advertise-interval

Specifies the time interval, in 100s of milliseconds, between 'I am operational' messages sent by both protect and working circuits to their neighbor for multi-chassis APS.

Values

10 to 650

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-a, 7750 SR-e

advertise-ipv6-next-hops

advertise-ipv6-next-hops

Syntax

advertise-ipv6-next-hops [ipv4]

no advertise-ipv6-next-hops

Context

[Tree] (config>service>vprn>bgp>group>neighbor advertise-ipv6-next-hops)

[Tree] (config>service>vprn>bgp advertise-ipv6-next-hops)

[Tree] (config>service>vprn>bgp>group advertise-ipv6-next-hops)

Full Context

configure service vprn bgp group neighbor advertise-ipv6-next-hops

configure service vprn bgp advertise-ipv6-next-hops

configure service vprn bgp group advertise-ipv6-next-hops

Description

When this command is configured, with the IPv4 option, so that it applies to a BGP session established on top of IPv6 transport, IPv4 BGP routes can be advertised with a true IPv6 address when originated or when next-hop-self (configured or automatic) is applied.

If an IPv4 route must originate or be advertised with a next-hop-self and the corresponding advertise-ipv6-next-hops command option does not apply to the session or if an appropriate extended-nh-encoding capability was not received from the remote peer, then the route is advertised with the IPv4 system address as the BGP next-hop.

If an IPv4 route is matched by a BGP export policy entry that tries to change the next hop to an IPv6 address and the corresponding advertise-ipv6-next-hops command option does not apply to the session or if an appropriate extended-nh-encoding capability was not received from the remote peer, then the route is handled as though it was rejected by the policy entry.

This command has no effect on sessions established over IPv4 transport.

The no form of this command reverts to the default.

Default

no advertise-ipv6-next-hops

Parameters

ipv4

Allows IPv4 unicast routes to be advertised to IPv6-transport peers with an IPv6 address as the BGP next-hop in cases of route origination or next-hop-self (configured or automatic). It also allows export policies to change the BGP next-hop of an IPv4 route to an IPv6 address. All of these cases require the remote peer to advertise the necessary extended NH encoding capability. It may be necessary to configure the forward-ipv4-packets command under the appropriate interface>ipv6 contexts in order to enable datapath support for these control plane exchanges.

Platforms

All

advertise-ipv6-next-hops

Syntax

advertise-ipv6-next-hops [vpn-ipv6] [label-ipv6] [ evpn] [vpn-ipv4] [ label-ipv4] [ipv4]

no advertise-ipv6-next-hops

Context

[Tree] (config>router>bgp>group>neighbor advertise-ipv6-next-hops)

[Tree] (config>router>bgp>group advertise-ipv6-next-hops)

[Tree] (config>router>bgp advertise-ipv6-next-hops)

Full Context

configure router bgp group neighbor advertise-ipv6-next-hops

configure router bgp group advertise-ipv6-next-hops

configure router bgp advertise-ipv6-next-hops

Description

This command applies to a BGP session established on top of IPv6 transport; BGP routes belonging to the specified families can be advertised with a true IPv6 address when originated or when next-hop-self (configured or automatic) is applied.

This command has no effect on routes advertised to IPv4 peers.

When this command is not enabled, the following considerations apply:

  • If a VPN IPv6 or label IPv6 route needs to be originated or advertised with next-hop-self to an IPv6 transport peer the route is advertised with the IPv4 system address as BGP next-hop (encoded as an IPv4-mapped IPv6 address).

  • If a VPN-IPv4 or label IPv4 route needs to be originated or advertised with next-hop-self or if an appropriate extended-nh-encoding capability was not received from the remote peer, the route is advertised with the IPv4 system address as the BGP next-hop.

  • If a VPN IPv4 or label IPv4 route is matched by a BGP export policy entry that tries to change the next-hop to an IPv6 address and an appropriate extended-nh-encoding capability was not received from the remote peer, the route is handled as though it was rejected by the policy entry.

The no form of this command disables the setting of next hops to a global IPv6 address for the family.

Default

no advertise-ipv6-next-hops

Parameters

vpn-ipv6

Allows VPN IPv6 routes to be advertised to IPv6 transport peers with an IPv6 address as the BGP next-hop in cases of route origination or next-hop-self (configured or automatic).

label-ipv6

Allows label IPv6 routes to be advertised to IPv6 transport peers with an IPv6 address as the BGP next-hop in cases of route origination or next-hop-self (configured or automatic).

vpn-ipv4

Allows VPN IPv4 routes to be advertised to IPv6 transport peers with an IPv6 address as the BGP next-hop in cases of route origination or next-hop-self (configured or automatic). It also allows export policies to change the BGP next-hop of a VPN IPv4 route to an IPv6 address. All of these cases require the remote peer to advertise the necessary extended NH encoding capability.

label-ipv4

Allows label IPv4 routes to be advertised to IPv6 transport peers with an IPv6 address as the BGP next-hop in cases of route origination or next-hop-self (configured or automatic). It also allows export policies to change the BGP next-hop of a label IPv4 route to an IPv6 address. All of these cases require the remote peer to advertise the necessary extended NH encoding capability.

ipv4

Instructs BGP to advertise an extended NH encoding capability for NLRI AFI=1, NLRI SAFI=1 and next-hop AFI=2.

evpn

Allows EVPN routes to be advertised to IPv6 transport peers.

Platforms

All

advertise-label

advertise-label

Syntax

advertise-label {per-prefix | pop | pop-and-forward}

no advertise-label

Context

[Tree] (config>router>policy-options>policy-statement>default-action advertise-label)

[Tree] (config>router>policy-options>policy-statement>entry>action advertise-label)

Full Context

configure router policy-options policy-statement default-action advertise-label

configure router policy-options policy-statement entry action advertise-label

Description

This command configures the label allocation method for advertised routes. The effect of the advertise-label command depends on the context where the associated policy is applied.

Use the per-prefix option and configure the command in the default action or entry-specific action of a VRF export policy to advertise every qualifying matched route with a per-prefix label in the resulting VPN-IP routes. In this situation, non-qualifying routes include local interface routes and BGP-VPN routes. The command overrides, for specific routes, the configured label-mode of the exporting VPRN service.

Use the per-prefix option and configure the command in the default action or entry-specific action of a BGP import policy to assign a per-prefix label to qualifying label-IPv4 and label-IPv6 routes when:

  • these routes are the best path for their prefix in the respective RIB

  • there is a BGP next-hop change

A label-IPv4 or label-IPv6 route advertised with a pre-prefix label supports ECMP forwarding across multiple BGP next-hops.

The pop option is applicable in route-table-import policies. The advertised BGP label is programmed for a pop operation when:

  • a /32 IPv4 static, OSPF, or IS-IS route is matched and accepted by a label-IPv4 or label-IPv6 RIB route-table-import policy entry or default-action with this command

  • the route is a candidate to be advertised as a label-IPv4 or label-IPv6 route (due to a BGP export policy)

When the label-IPv4 RIB imports a /32 static, OSPF, or IS-IS route and then exports the route as a BGP route, the default behavior is to program a swap operation in the datapath, which swaps the BGP label with the tunnel label that takes traffic to the destination of the /32 route.

The pop-and-forward option is applicable in route-table-import policies, when these policies match an unlabeled BGP route and apply this policy action.

Use the pop-and-forward option to program the label that is advertised in the BGP-LU route to forward the packet according to the resolution of the unlabeled route that triggered the origination of the BGP-LU route. The forwarding is done without an IP FIB lookup, which can be useful in situations where the IP FIB at the exit of the MPLS tunnel is not synchronized with the FIB at the head-end of the MPLS tunnel. The advertisement of a pop-and-forward label overrides the configuration to advertise label-ipv6 routes with an explicit null label and the configuration to advertise BGP-LU with a prefix SID attribute. Those features are not available when using the pop-and-forward label.

Default

no advertise-label

Parameters

per-prefix

Sets the per-prefix label allocation for matched routes. This takes effect only in VRF export policies and BGP import policies, and only for certain types of routes.

pop

Sets the pop label allocation for matched routes. This takes effect only in label-IPv4 route-table-import policies and only applies to /32 IPv4 routes that were learned through static configuration, OSPF, or IS-IS.

pop-and-forward

Sets the pop-and-forward label allocation for matched routes. This takes effect only when an unlabeled BGP IPv4 or IPv6 route is matched by a label-IPv4 or label-IPv6 route-table-import policy.

Platforms

All

advertise-ldp-prefix

advertise-ldp-prefix

Syntax

[no] advertise-ldp-prefix

Context

[Tree] (config>router>bgp>group>neighbor advertise-ldp-prefix)

Full Context

configure router bgp group neighbor advertise-ldp-prefix

Description

This command, when configured for a session that supports the IPv4 labeled-unicast address family, allows (subject to BGP export policies) active /32 LDP FEC prefixes to be advertised to the BGP peer with an RFC 8277 label, even though there may be BGP paths for the same prefix.

Default

no advertise-ldp-prefix

Platforms

All

advertise-local

advertise-local

Syntax

[no] advertise-local

Context

[Tree] (config>service>vpls>isid-policy>entry advertise-local)

Full Context

configure service vpls isid-policy entry advertise-local

Description

The no advertise-local option prevents the advertisement of any locally defined I-VPLS ISIDs or static-isids in the range in a B-VPLS. For I-VPLS services or static-isids that are primarily unicast traffic, the use-def-mcast and no advertise-local options allows the forwarding of ISID based multicast frames locally using the default multicast. The no advertise-local option also suppresses this range of ISIDs from being advertised in ISIS. When using the use-def-mcast and no advertise-local policies, the ISIDs configured under this static-isid declarations SPBM treats the ISIDs as belonging to the default tree.

Default

advertise-local

Platforms

All

advertise-ne-profile

advertise-ne-profile

Syntax

advertise-ne-profile name

no advertise-ne-profile

Context

[Tree] (config>service>vprn>ospf>area advertise-ne-profile)

Full Context

configure service vprn ospf area advertise-ne-profile

Description

This command enables advertising of a specific NE profile using OSPFv2 LSA type 10 opaque.

The no version of this command disables advertising of NE profiles.

Default

no advertise-ne-profile

Parameters

name

Specifies the name of the NE profile to be advertised, up to 32 characters.

Platforms

All

advertise-passive-only

advertise-passive-only

Syntax

[no] advertise-passive-only

Context

[Tree] (config>service>vprn>isis advertise-passive-only)

Full Context

configure service vprn isis advertise-passive-only

Description

This command enables IS-IS for the VPRN instance to advertise only prefixes that belong to passive interfaces.

The no form of this command disables IS-IS for the VPRN instance from advertising only prefixes that belong to passive interfaces.

Platforms

All

advertise-passive-only

Syntax

[no] advertise-passive-only

Context

[Tree] (config>router>isis advertise-passive-only)

Full Context

configure router isis advertise-passive-only

Description

This command enables and disables IS-IS to advertise only prefixes that belong to passive interfaces.

Default

no advertise-passive-only

Platforms

All

advertise-router-capability

advertise-router-capability

Syntax

advertise-router-capability {area | as}

no advertise-router-capability

Context

[Tree] (config>service>vprn>isis advertise-router-capability)

[Tree] (config>service>vprn>isis>level advertise-router-capability)

Full Context

configure service vprn isis advertise-router-capability

configure service vprn isis level advertise-router-capability

Description

This command enables advertisement of a router's capabilities to its neighbors for informational and troubleshooting purposes. A new TLV as defined in RFC 4971 advertises the TE Node Capability Descriptor capability.

The parameters (area & as) control the scope of the capabilities advertisements.

The no form of this command disables this capability.

Default

no advertise-router-capability

Parameters

area

Capabilities are only advertised within the area of origin.

as

Capabilities are only advertised throughout the entire autonomous system.

Platforms

All

advertise-router-capability

Syntax

advertise-router-capability

advertise-router-capability {link | area | as}

no advertise-router-capability

Context

[Tree] (config>service>vprn>ospf>area advertise-router-capability)

[Tree] (config>service>vprn>ospf>area>if advertise-router-capability)

[Tree] (config>service>vprn>ospf3 advertise-router-capability)

[Tree] (config>service>vprn>ospf advertise-router-capability)

[Tree] (config>service>vprn>ospf3>area>if advertise-router-capability)

Full Context

configure service vprn ospf area advertise-router-capability

configure service vprn ospf area interface advertise-router-capability

configure service vprn ospf3 advertise-router-capability

configure service vprn ospf advertise-router-capability

configure service vprn ospf3 area interface advertise-router-capability

Description

This command enables advertisement of a router's capabilities to its neighbors for informational and troubleshooting purposes. A Router Information (RI) LSA as defined in RFC 4970 advertises the following capabilities:

  • OSPF graceful restart capable: no

  • OSPF graceful restart helper: yes, when enabled

  • OSPF Stub Router support: yes

  • OSPF Traffic Engineering support: yes, when enabled

  • OSPF point-to-point over LAN: yes

  • OSPF Experimental TE: no

The parameters (link, area and as) control the advertisement scope of the router capabilities.

The no form of this command disables this capability.

Default

no advertise-router-capability

Parameters

link

Capabilities are only advertised over local link and not flooded beyond.

area

Capabilities are only advertised within the area of origin.

as

Capabilities are only advertised throughout the entire autonomous system.

Platforms

All

advertise-router-capability

Syntax

advertise-router-capability {area | as}

no advertise-router-capability

Context

[Tree] (config>router>isis advertise-router-capability)

Full Context

configure router isis advertise-router-capability

Description

This command enables advertisement of a router's capabilities to its neighbors for informational and troubleshooting purposes. A TLV as defined in RFC 4971 advertises the TE Node Capability Descriptor capability.

The parameters (area and as) control the scope of the capability advertisements.

The no form of this command disables this capability.

Parameters

area

Specifies to only advertise within the area of origin.

as

Specifies to advertise throughout the entire autonomous system.

Platforms

All

advertise-router-capability

Syntax

[no] advertise-router-capability

Context

[Tree] (config>router>isis>level advertise-router-capability)

Full Context

configure router isis level advertise-router-capability

Description

This command enables router advertisement capabilities.

The no form of this command disables router advertisement capabilities.

Default

advertise-router-capability

Platforms

All

advertise-router-capability

Syntax

advertise-router-capability {link | area | as}

no advertise-router-capability

Context

[Tree] (config>router>ospf3 advertise-router-capability)

[Tree] (config>router>ospf advertise-router-capability)

Full Context

configure router ospf3 advertise-router-capability

configure router ospf advertise-router-capability

Description

This command enables advertisement of a router's capabilities to its neighbors for informational and troubleshooting purposes. A Router Information (RI) LSA as defined in RFC 4970 advertises the following capabilities:

  • OSPF graceful restart capable: no

  • OSPF graceful restart helper: yes, when enabled

  • OSPF stub router support: yes

  • OSPF traffic engineering support: yes, when enabled

  • OSPF point-to-point over LAN: yes

  • OSPF experimental TE: no

The parameters (link, area and as) control the scope of the capability advertisements.

The no form of this command disables this capability.

Default

no advertise-router-capability

Parameters

link

capabilities are only advertised over local links and not flooded beyond.

area

capabilities are only advertised within the area of origin.

as

capabilities are advertised throughout the entire autonomous system.

Platforms

All

advertise-router-capability

Syntax

[no] advertise-router-capability

Context

[Tree] (config>router>ospf>area>interface advertise-router-capability)

[Tree] (config>router>ospf>area advertise-router-capability)

[Tree] (config>router>ospf3>area>interface advertise-router-capability)

[Tree] (config>router>ospf3>area advertise-router-capability)

Full Context

configure router ospf area interface advertise-router-capability

configure router ospf area advertise-router-capability

configure router ospf3 area interface advertise-router-capability

configure router ospf3 area advertise-router-capability

Description

This command enables advertisement of a router’s capabilities to its neighbors for informational and troubleshooting purposes. A Router Information (RI) LSA as defined in RFC 4970 advertises the following capabilities:

  • OSPF graceful restart capable: no

  • OSPF graceful restart helper: yes, when enabled

  • OSPF stub router support: yes

  • OSPF traffic engineering support: yes, when enabled

  • OSPF point-to-point over LAN: yes

  • OSPF experimental TE: no

The no form of this command disables this capability.

Default

advertise-router-capability

Platforms

All

advertise-selection

advertise-selection

Syntax

advertise-selection

Context

[Tree] (config>service>vprn>sub-if>grp-if>ipv6>dhcp6>relay advertise-selection)

[Tree] (config>service>ies>sub-if>grp-if>ipv6>dhcp6>relay advertise-selection)

[Tree] (config>service>vprn>sub-if>ipv6>dhcp6>relay advertise-selection)

Full Context

configure service vprn subscriber-interface group-interface ipv6 dhcp6 relay advertise-selection

configure service ies subscriber-interface group-interface ipv6 dhcp6 relay advertise-selection

configure service vprn subscriber-interface ipv6 dhcp6 relay advertise-selection

Description

Commands in this context configure a solicit delay or a DHCPv6 preference option value to influence the advertise selection of DHCPv6 clients.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

advertise-stale-to-all-neighbors

advertise-stale-to-all-neighbors

Syntax

advertise-stale-to-all-neighbors [without-no-export]

no advertise-stale-to-all-neighbors

Context

[Tree] (config>service>vprn>bgp>graceful-restart>long-lived advertise-stale-to-all-neighbors)

[Tree] (config>service>vprn>bgp>group>neighbor>graceful-restart>long-lived advertise-stale-to-all-neighbors)

[Tree] (config>service>vprn>bgp>group>graceful-restart>long-lived advertise-stale-to-all-neighbors)

Full Context

configure service vprn bgp graceful-restart long-lived advertise-stale-to-all-neighbors

configure service vprn bgp group neighbor graceful-restart long-lived advertise-stale-to-all-neighbors

configure service vprn bgp group graceful-restart long-lived advertise-stale-to-all-neighbors

Description

This command allows BGP routes marked as LLGR stale to be advertised to BGP peers that did not advertise the LLGR capability when the session was opened. The no version of this command causes advertisement behavior to follow the rule that stale routes cannot be advertised to a peer that does not understand or implement the LLGR capability. Stale routes are withdrawn towards such peers.

When this command is configured with the without-no-export option, LLGR stales routes can be advertised to any peer (EBGP or IBGP) that did not signal the LLGR capability. Towards IBGP and confederation-EBGP peers that did not advertise the LLGR capability, the LOCAL_PREFERENCE attribute in the advertised stale routes is automatically set to zero.

When this command is configured without the without-no-export option, LLGR stale routes are not advertised to any EBGP peer that did not signal the LLGR capability. Towards IBGP and confederation-EBGP peers that did not advertise the LLGR capability the LOCAL_PREFERENCE attribute in the advertised stale routes is automatically set to zero and a NO_EXPORT standard community is automatically added to the routes.

Default

no advertise-stale-to-all-neighbors

Parameters

without-no-export

Allows LLGR stale routes to be advertised to all peers, such that they can exit the local AS.

Platforms

All

advertise-stale-to-all-neighbors

Syntax

advertise-stale-to-all-neighbors [without-no-export | no without-no-export]

no advertise-stale-to-all-neighbors

Context

[Tree] (config>router>bgp>graceful-restart>long-lived advertise-stale-to-all-neighbors)

[Tree] (config>router>bgp>group>graceful-restart>long-lived advertise-stale-to-all-neighbors)

[Tree] (config>router>bgp>group>neighbor>graceful-restart>long-lived advertise-stale-to-all-neighbors)

Full Context

configure router bgp graceful-restart long-lived advertise-stale-to-all-neighbors

configure router bgp group graceful-restart long-lived advertise-stale-to-all-neighbors

configure router bgp group neighbor graceful-restart long-lived advertise-stale-to-all-neighbors

Description

This command allows BGP routes marked as LLGR stale to be advertised to BGP peers that did not advertise the LLGR capability when the session was opened.

When this command is configured with the without-no-export option, LLGR stale routes can be advertised to any peer (EBGP or IBGP) that did not signal the LLGR capability. Towards IBGP and confederation-EBGP peers that did not advertise the LLGR capability, the LOCAL_PREFERENCE attribute in the advertised stale routes is automatically set to zero.

When this command is configured without the without-no-export option, LLGR stale routes are not advertised to any EBGP peer that did not signal the LLGR capability. Towards IBGP and confederation-EBGP peers that did not advertise the LLGR capability the LOCAL_PREFERENCE attribute in the advertised stale routes is automatically set to zero and a NO_EXPORT standard community is automatically added to the routes.

The no version of this command causes advertisement behavior to follow the rule that stale routes cannot be advertised to a peer that does not understand or implement the LLGR capability. Stale routes are withdrawn towards such peers.

Default

no advertise-stale-to-all-neighbors

Parameters

without-no-export

Allows LLGR stale routes to be advertised to all peers, such that they can exit the local AS.

Platforms

All

advertise-subnet

advertise-subnet

Syntax

[no] advertise-subnet

Context

[Tree] (config>service>vprn>ospf>area>if advertise-subnet)

Full Context

configure service vprn ospf area interface advertise-subnet

Description

This command enables advertising point-to-point interfaces as subnet routes (network number and mask). When disabled, point-to-point interfaces are advertised as host routes.

This command is not supported in the OSPF3 context.

The no form of this command disables advertising point-to-point interfaces as subnet routes meaning they are advertised as host routes.

Default

advertise-subnet — Advertises point-to-point interfaces as subnet routes.

Platforms

All

advertise-subnet

Syntax

[no] advertise-subnet

Context

[Tree] (config>router>ospf>area>interface advertise-subnet)

Full Context

configure router ospf area interface advertise-subnet

Description

This command enables advertising point-to-point interfaces as subnet routes (network number and mask). When disabled, point-to-point interfaces are advertised as host routes.

The no form of this command disables advertising point-to-point interfaces as subnet routes meaning they are advertised as host routes.

Default

advertise-subnet

Platforms

All

advertise-tunnel-link

advertise-tunnel-link

Syntax

[no] advertise-tunnel-link

Context

[Tree] (config>router>ospf advertise-tunnel-link)

[Tree] (config>router>isis advertise-tunnel-link)

Full Context

configure router ospf advertise-tunnel-link

configure router isis advertise-tunnel-link

Description

This command enables the forwarding adjacency feature. With this feature, IS-IS or OSPF advertises an RSVP LSP as a link so that other routers in the network can include it in their SPF computations. The RSVP LSP is advertised as an unnumbered point-to-point link and the link LSP or LSA has no Traffic Engineering opaque sub-TLVs, as per RFC 3906. An SR-TE LSP is not supported with forwarding adjacency.

The forwarding adjacency feature can be enabled independently from the IGP shortcut feature in CLI. If both igp-shortcut and advertise-tunnel-link options are enabled for a given IGP instance, then the advertise-tunnel-link takes precedence.

When the forwarding adjacency feature is enabled, each node advertises a p2p unnumbered link for each best metric tunnel to the router ID of any endpoint node. The node does not include the tunnels as IGP shortcuts in SPF computation directly. Instead, when the LSA or LSP that advertises the corresponding P2P unnumbered link is installed in the local routing database, the node performs an SPF using it like any other link LSA or LSP. The bidirectional check of the link requires that a link, regular or tunnel, exists in the reverse direction for the tunnel to be used in SPF.

The igp-shortcut option under the LSP name governs the use of the LSP with both the igp-shortcut and the advertise-tunnel-link options in IGP. In other words, the user can exclude a specific RSVP LSP from being used as a forwarding adjacency by entering the command config>router>mpls>lsp>no igp-shortcut.

Support is provided for resolving and forwarding IPv4 and IPv6 prefixes over IPv4 forwarding adjacency RSVP-TE LSP. Specifically, the forwarding adjacency feature supports family IPv4 in OSPFv2, family IPv6 in OSPFv3, families IPv4 and IPv6 in ISIS MT=0, and family IPv6 in ISIS MT=2.

In addition, both IPv4 and IPv6 SR-ISIS tunnels can be resolved and further tunneled over one or more RSVP-TE LSPs used as forwarding adjacencies. This is enabled by configuring both segment routing and forwarding adjacency features within an IS-IS instance in a multi-topology MT=0.

IS-IS forwarding adjacency using the advertise-tunnel-link command is not supported in combination with the IS-IS link bundling and the IS-IS metric link quality adjustment features.

The no form of this command disables forwarding adjacency and disables the advertisement of RSVP LSP into IGP.

Default

no advertise-tunnel-link

Platforms

All

advertised-stale-time

advertised-stale-time

Syntax

advertised-stale-time seconds

no advertised-stale-time

Context

[Tree] (config>service>vprn>bgp>group>neighbor>graceful-restart>long-lived advertised-stale-time)

[Tree] (config>service>vprn>bgp>group>neighbor>graceful-restart>long-lived>family advertised-stale-time)

[Tree] (config>service>vprn>bgp>graceful-restart>long-lived>family advertised-stale-time)

[Tree] (config>service>vprn>bgp>group>graceful-restart>long-lived>family advertised-stale-time)

[Tree] (config>service>vprn>bgp>group>graceful-restart>long-lived advertised-stale-time)

[Tree] (config>service>vprn>bgp>graceful-restart>long-lived advertised-stale-time)

Full Context

configure service vprn bgp group neighbor graceful-restart long-lived advertised-stale-time

configure service vprn bgp group neighbor graceful-restart long-lived family advertised-stale-time

configure service vprn bgp graceful-restart long-lived family advertised-stale-time

configure service vprn bgp group graceful-restart long-lived family advertised-stale-time

configure service vprn bgp group graceful-restart long-lived advertised-stale-time

configure service vprn bgp graceful-restart long-lived advertised-stale-time

Description

This command sets the value of the long-lived stale time that is advertised by the router in its LLGR capability. When configured in the long-lived configuration context, advertised-stale-time applies to all AFI/SAFI in the advertised LLGR capability except for any AFI/SAFI with a family-specific override. A family-specific override is configured with the advertised-stale-time command in a family context.

The no version of this command sets the advertised-stale-time value to 24 hours (86400 seconds).

Default

no advertised-stale-time

Parameters

seconds

Specifies the advertised long-lived stale time in seconds.

Values

0 to 16777215

Platforms

All

advertised-stale-time

Syntax

advertised-stale-time seconds

no advertised-stale-time

Context

[Tree] (config>router>bgp>graceful-restart>long-lived advertised-stale-time)

[Tree] (config>router>bgp>graceful-restart>long-lived>family advertised-stale-time)

[Tree] (config>router>bgp>group>graceful-restart>long-lived>family advertised-stale-time)

[Tree] (config>router>bgp>group>neighbor>graceful-restart>long-lived advertised-stale-time)

[Tree] (config>router>bgp>group>graceful-restart>long-lived advertised-stale-time)

[Tree] (config>router>bgp>group>neighbor>graceful-restart>long-lived>family advertised-stale-time)

Full Context

configure router bgp graceful-restart long-lived advertised-stale-time

configure router bgp graceful-restart long-lived family advertised-stale-time

configure router bgp group graceful-restart long-lived family advertised-stale-time

configure router bgp group neighbor graceful-restart long-lived advertised-stale-time

configure router bgp group graceful-restart long-lived advertised-stale-time

configure router bgp group neighbor graceful-restart long-lived family advertised-stale-time

Description

This command sets the value of the long-lived stale time that is advertised by the router in its LLGR capability. When configured in the long-lived configuration context, advertised-stale-time applies to all AFI/SAFI in the advertised LLGR capability except for any AFI/SAFI with a family-specific override. A family-specific override is configured with the advertised-stale-time command in a family context.

The no version of this command sets the advertised-stale-time value to 24 hours (86400 seconds).

Default

no advertised-stale-time

Parameters

seconds

Specifies the advertised long-lived stale time in seconds.

Values

0 to 16777215

Platforms

All

advertising-timeout

advertising-timeout

Syntax

advertising-timeout seconds

no advertising-timeout

Context

[Tree] (config>system>bluetooth advertising-timeout)

Full Context

configure system bluetooth advertising-timeout

Description

When the power is enabled, this command configures the pairing timeout interval for the Bluetooth device during which it advertises that it is ready to pair. If an external device does not complete the pairing within this time, then the pairing must be reinitiated.

The no form of this command disables the timeout.

Default

advertising-timeout 30

Parameters

seconds

Specifies the pairing timeout interval.

Values

30 to 3600

Platforms

7750 SR-1, 7750 SR-s, 7950 XRS-20e

advertising-timeout

Syntax

advertising-timeout seconds

no advertising-timeout

Context

[Tree] (config>system>bluetooth advertising-timeout)

Full Context

configure system bluetooth advertising-timeout

Description

When the power is enabled, this timer controls the amount of time the Bluetooth device will advertise that is ready to pair. If an external device does not complete the pairing within this time, then the pairing must be re-initiated.

The no form of this command disables the timeout.

Default

advertising-timeout 30

Parameters

seconds

Specifies the paring timeout interval.

Values

30 to 3600

Platforms

7750 SR-1, 7750 SR-s, 7950 XRS-20e

aes-initialization-vector

aes-initialization-vector

Syntax

aes-initialization-vector hex-string

no aes-initialization-vector

Context

[Tree] (config>app-assure>group>http-enrich>field aes-initialization-vector)

Full Context

configure application-assurance group http-enrich field aes-initialization-vector

Description

This command configures the initialization vector that is used for the AES CBC encryption.

The no form of this command removes the initialization vector.

Default

no aes-initialization-vector

Parameters

hex-string

Specifies the AES initialization vector in 34 characters, that is, 0x followed by exactly 32 hexadecimal characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

agg-rate

agg-rate

Syntax

[no] agg-rate

Context

[Tree] (config>service>ies>sub-if>grp-if>sap>egress agg-rate)

[Tree] (config>service>ies>if>sap>egress agg-rate)

[Tree] (config>service>vprn>sub-if>grp-if>sap>egress agg-rate)

Full Context

configure service ies subscriber-interface group-interface sap egress agg-rate

configure service ies interface sap egress agg-rate

configure service vprn subscriber-interface group-interface sap egress agg-rate

Description

Commands in this context configure aggregation rate parameters. This command is used to control an HQoS aggregate rate limit. It is used in conjunction with the following parameter commands: rate, limit-unused-bandwidth, and queue-frame-based-accounting.

When specified under a Vport, the agg-rate, port-scheduler-policy and scheduler-policy commands are mutually exclusive. Changing between the use of a scheduler policy and the use of an agg-rate or port-scheduler-policy involves removing the existing command and applying the new command.

The no form of this command disables the aggregation rate.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

  • configure service vprn subscriber-interface group-interface sap egress agg-rate
  • configure service ies subscriber-interface group-interface sap egress agg-rate

All

  • configure service ies interface sap egress agg-rate

agg-rate

Syntax

[no] agg-rate

Context

[Tree] (config>port>ethernet>access>egr>vport agg-rate)

[Tree] (config>port>ethernet>network>egr>qgrp agg-rate)

[Tree] (config>port>ethernet>access>egr>qgrp agg-rate)

Full Context

configure port ethernet access egress vport agg-rate

configure port ethernet network egress queue-group agg-rate

configure port ethernet access egress queue-group agg-rate

Description

This command controls an H-QoS aggregate rate limit. It is used in conjunction with the following parameter commands: rate, limit-unused-bandwidth, and queue-frame-based-accounting.

When specified under a Vport, the agg-rate rate, port-scheduler-policy and scheduler-policy commands are mutually exclusive. Changing between the use of a scheduler policy and the use of an agg-rate/port-scheduler-policy involves removing the existing command and applying the new command.

Platforms

All

agg-rate

Syntax

[no] agg-rate

Context

[Tree] (config>service>cpipe>sap>egress agg-rate)

[Tree] (config>service>epipe>sap>egress agg-rate)

[Tree] (config>service>ipipe>sap>egress agg-rate)

Full Context

configure service cpipe sap egress agg-rate

configure service epipe sap egress agg-rate

configure service ipipe sap egress agg-rate

Description

This command is used to control an HQoS aggregate rate limit. It is used in conjunction with the following parameter commands: rate, limit-unused-bandwidth, and queue-frame-based-accounting.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

  • configure service cpipe sap egress agg-rate

All

  • configure service epipe sap egress agg-rate
  • configure service ipipe sap egress agg-rate

agg-rate

Syntax

[no] agg-rate

Context

[Tree] (config>service>template>vpls-sap-template>egress agg-rate)

[Tree] (config>service>vpls>sap>egress>encap-defined-qos>encap-group agg-rate)

[Tree] (config>service>vpls>sap>egress agg-rate)

Full Context

configure service template vpls-sap-template egress agg-rate

configure service vpls sap egress encap-defined-qos encap-group agg-rate

configure service vpls sap egress agg-rate

Description

This command is used to control an HQoS aggregate rate limit. It is used in conjunction with the following parameter commands: rate, limit-unused-bandwidth, and queue-frame-based-accounting.

Platforms

All

agg-rate

Syntax

[no] agg-rate

Context

[Tree] (config>service>vprn>if>sap>egress agg-rate)

Full Context

configure service vprn interface sap egress agg-rate

Description

This command is used to control an HQoS aggregate rate limit. It is used in conjunction with the following parameter commands: rate, limit-unused-bandwidth, and queue-frame-based-accounting.

Platforms

All

agg-rate

Syntax

[no] agg-rate

Context

[Tree] (config>service>cust>multi-service-site>egress agg-rate)

Full Context

configure service customer multi-service-site egress agg-rate

Description

Commands in this context control an HQoS aggregate rate limit. It is used in conjunction with the following parameter commands: rate, limit-unused-bandwidth, and queue-frame-based-accounting.

The no form of the command disables the aggregate rate limit parameters.

Platforms

All

agg-rate-limit

agg-rate-limit

Syntax

agg-rate-limit agg-rate [min-resv-bw min-rate] [queue-frame-based-accounting]

no agg-rate-limit

Context

[Tree] (config>subscr-mgmt>sub-prof>egress agg-rate-limit)

Full Context

configure subscriber-mgmt sub-profile egress agg-rate-limit

Description

This command defines a subscriber aggregate limit when the subscriber profile is directly associated with an egress port based scheduler instead of a scheduler policy. The optional queue-frame-based-accounting keyword allows the subscriber queues to operate in the frame based accounting mode.

Once egress frame based accounting is enabled on the subscriber profile, all queues associated with the subscriber (created through the sla-profile associated with each subscriber host) will have their rate and CIR values interpreted as frame based values. When shaping, the queues will include the 12-byte Inter-Frame Gap (IFG) and 8-byte preamble for each packet scheduled out the queue. The profiling CIR threshold will also include the 20-byte frame encapsulation overhead. Statistics associated with the queue do not include the frame encapsulation overhead. Packet byte offset settings are not included in the applied rate when queue frame based accounting is configured, however the offsets are applied to the statistics.

The queue-frame-based-accounting keyword does not change the behavior of the egress-agg-rate-limit rate value. Since the egress-agg-rate-limit is always associated with egress port based scheduling and egress port based scheduling is dependent on frame based operation, the egress-agg-rate-limit rate is always interpreted as a frame based value.

Enabling queue-frame-based-accounting will not cause statistics for queues associated with the subscriber to be cleared.

The no form of this command removes both an egress aggregate rate limit and egress frame based accounting for all subscribers associated with the sub-profile. If a subscriber’s accounting mode is changed, the subscriber’s queue statistics are cleared.

Parameters

agg-rate

Specifies the egress aggregate rate.

Values

1 to 800000000, max

min-rate

Specifies the minimum rate of the minimum reserved bandwidth for unicast data traffic. Since minimum rate can oversubscribe subscriber bandwidth to guarantee a minimum bandwidth for unicast traffic, care must be taken in QoS provisioning to prioritize packets accordingly (downstream network elements such as the access node or aggregation nodes) when congestion occurs.

Values

0 to 800000000

queue-frame-based-accounting

Specifies whether to use frame-based accounting when evaluating the aggregation rate limit for the egress queues for this SAP.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

agg-rate-limit

Syntax

agg-rate-limit agg-rate

no agg-rate-limit

Context

[Tree] (config>port>ethernet>access>egress>vport agg-rate-limit)

Full Context

configure port ethernet access egress vport agg-rate-limit

Description

This command configures an aggregate rate for the Vport. This command is mutually exclusive with the port-scheduler-policy command.

The no form of this command reverts to the default.

Parameters

agg-rate

Specifies the rate limit for the Vport.

Values

max, 1 to 10000000

Platforms

All

agg-rate-limit

Syntax

agg-rate-limit kilobits-per-second

no agg-rate-limit

Context

[Tree] (config>service>vprn>sub-if>grp-if>wlan-gw>egress agg-rate-limit)

[Tree] (config>service>ies>sub-if>grp-if>wlan-gw>egress agg-rate-limit)

Full Context

configure service vprn subscriber-interface group-interface wlan-gw egress agg-rate-limit

configure service ies subscriber-interface group-interface wlan-gw egress agg-rate-limit

Description

This command configures an HQoS aggregate rate limit. It is used in conjunction with the following parameter commands: rate, limit-unused-bandwidth, and queue-frame-based-accounting.

The no form of this command removes the rate from the configuration.

Parameters

kilobits-per-second

Specifies the aggregate rate limit.

Values

1 to 100000000, max

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

agg-rate-limit

Syntax

agg-rate-limit agg-rate [min-resv-bw min-rate] [queue-frame-based-accounting] [adaptation-rule adaptation-rule] [burst-limit size] [bytes| kilobytes]

no agg-rate-limit

Context

[Tree] (config>subscr-mgmt>sub-prof>egr agg-rate-limit)

Full Context

configure subscriber-mgmt sub-profile egress agg-rate-limit

Description

This command configures a hardware-assisted HQoS aggregate rate limit.

The no form of this command removes the rate from the configuration.

Parameters

agg-rate

Specifies the aggregate rate limit in kb/s.

Values

1 to 800000000, max

min-rate

Specifies the minimum reserved bandwidth rate.

Values

0 to 800000000, max

queue-frame-based-accounting

Enables frame-based accounting at the queue level.

adaptation-rule

Specifies the adaptation rule for the PIR value of the subscriber aggregate rate. This rule determines which configured value is adapted to oper-agg-rate based on hardware capabilities.

Values

max, min, closest

Default

closest

size

Specifies the burst limit size.

Values

1 to 14000000, default

bytes | kilobytes

Specifies whether the value is in bytes or kilobytes.

Default

bytes

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

agg-shaper-weight

agg-shaper-weight

Syntax

agg-shaper-weight weight

no agg-shaper-weight

Context

[Tree] (config>qos>sap-egress>queue agg-shaper-weight)

Full Context

configure qos sap-egress queue agg-shaper-weight

Description

This command specifies the aggregate shaper weight of the sap-egress queue.

The no form of this command returns the aggregate shaper weight to the default value.

Default

agg-shaper-weight 1

Parameters

weight

Specifies the aggregate shaper weight.

Values

1 to 100

Platforms

7750 SR-1, 7750 SR-s

aggregate

aggregate

Syntax

[no] aggregate

Context

[Tree] (config>port>ethernet>egress>hs-sec-shaper aggregate)

Full Context

configure port ethernet egress hs-secondary-shaper aggregate

Description

Commands in this context configure aggregate parameters.

The no form of this command removes all of the aggregate parameter values from the configuration of this HS secondary shaper.

Platforms

7750 SR-7/12/12e

aggregate

Syntax

aggregate ip-prefix/ip-prefix-length [summary-only] [as-set] [aggregator as-number:ip-address] [discard-component-communities] [black-hole [generate-icmp]] [community comm-id [comm-id] [ local-preference local-pref]] [description description] [tunnel-group tunnel-group-id]

aggregate ip-prefix/ip-prefix-length [summary-only] [as-set] [aggregator as-number:ip-address] [discard-component-communities] [community comm-id [comm-id]] [ indirect ip-address] [local-preference local-pref]] [description description] [tunnel-group tunnel-group-id]

no aggregate ip-prefix/ip-prefix-length

Context

[Tree] (config>service>vprn aggregate)

Full Context

configure service vprn aggregate

Description

This command creates an aggregate route. Use this command to automatically install an aggregate route in the routing table when there are one or more component routes. A component route is any route used for forwarding that is a more specific match of the aggregate.

The use of aggregate routes can reduce the number of routes that need to be advertised to neighbor routers, leading to smaller routing table sizes.

Overlapping aggregate routes may be configured; in this case a route becomes a component of only the one aggregate route with the longest prefix match. For example if one aggregate is configured as 10.0.0.0/16 and another as 10.0.0.0/24, then route 10.0.128/17 would be aggregated into 10.0.0.0/16, and route 10.0.0.128/25 would be aggregated into 10.0.0.0/24. If multiple entries are made with the same prefix and the same mask the previous entry is overwritten.

A list of up to 12 BGP communities (any mix of standard, extended, and large communities) may be associated with an aggregate route. These communities can be matched in route policies and are automatically added to BGP routes that are created from the aggregate route.

By default, aggregate routes are not installed in the forwarding table, however there are configuration options that allow an aggregate route to be installed with a black-hole next hop or with an indirect IP address as next hop.

Aggregate routes can be advertised via MP-BGP to other PEs within the network. Aggregate routes advertised using MP-BGP do not include aggregated BGP path attributes from the component routes which were used to activate the aggregate route. The aggregate route will be advertised with the minimal set of path attributes as if the aggregate was originated by the advertising routes. Export route policies should be used to control and modify the advertisement and path attributes of the aggregate routes.

The no form of this command removes the aggregate.

Default

no aggregate

Parameters

ip-prefix

The destination address of the aggregate route in dotted decimal notation.

Values

ipv4-prefix

a.b.c.d (host bits must be 0)

ipv4-prefix-length

0 to 32

ipv6-prefix

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x: [0 to FFFF]H

d: [0 to 255]D

ipv6-prefix-length

0 to 128

the ipv6-prefix and ipv6-prefix-length apply only to the 7750 SR and 7950 XRS

the mask associated with the network address expressed as a mask length

Values: 0 to 32

summary-only

This optional parameter suppresses advertisement of more specific component routes for the aggregate.

To remove the summary-only option, enter the same aggregate command without the summary-only parameter.

as-set

This optional parameter is only applicable to BGP and creates an aggregate where the path advertised for this route will be an AS_SET consisting of all elements contained in all paths that are being summarized. Use this feature carefully as it can increase the amount of route churn due to best path changes.

aggregator as-number:ip-address

This optional parameter specifies the BGP aggregator path attribute to the aggregate route. When configuring the aggregator, a two-octet AS number used to form the aggregate route must be entered, followed by the IP address of the BGP system that created the aggregate route.

discard-component-communities

This optional keyword causes the aggregate to be advertised with only the configured BGP community set, none of the communities from the component routes activating the aggregate are included. (Component attributes are never included in aggregate routes advertised to other PE routers via MP-BGP).

black-hole

This optional parameter installs the aggregate route, when activated, in the FIB with a black-hole next-hop, where packets matching this route are discarded.

generate-icmp

This optional parameter keyword generates an ICMP.

community

This configuration option associates a BGP community with the aggregate route. The community can be matched in route policies and is automatically added to BGP routes exported from the aggregate route.

comm-id

Specifies a BGP community value, up to 72 characters.

Values

[as-num:comm-val | well-known-comm | ext-comm | large-comm]

where:

  • as-num — 0 to 65535

  • comm-val — 0 to 65535

  • well-known-commnull | no-export | no-export-subconfed | no-advertise | llgr-stale | no-llgr | blackhole

  • ext-comm — the extended community, defined as one of the following:

    • {target | origin}:ip-address:comm-val

    • {target | origin}:asnum:ext-comm-val

    • {target | origin}:ext-asnum:comm-val

    • bandwidth:asnum:val-in-mbps

    • ext:4300:ovstate

    • ext:value1:value2

    • color:co-bits:color-value

    where:

    • target — route target

    • origin — route origin

    • ip-address — a.b.c.d

    • ext-comm-val — 0 to 4294967295

    • ext-asnum — 0 to 4294967295

    • val-in-mbps — 0 to 16777215

    • ovstate — 0, 1, or 2 (0 for valid, 1 for not found, 2 for invalid)

    • value1 — 0000 to FFFF

    • value2 — 0 to FFFFFFFFFFFF

    • co-bits — 00, 01, 10 or 11

    • color-value — 0 to 4294967295

  • large-commasn-or-ex:val-or-ex:val-or-ex

description

Specifies a text description stored in the configuration file for a configuration context.

local-preference

Specifies a BGP local-preference value with the aggregate route. The local-preference overrides the default local preference value of a BGP route originated by exporting the aggregate route.

Values

0 to 4294967295

indirect ip-address

This configuration option specifies that the aggregate route should be installed in the FIB with a next-hop taken from the route used to forward packets to ip-address.

Values

ipv4-prefix

a.b.c.d

ipv6-prefix

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x: [0 to FFFF]H

d: [0 to 255]D

The ipv6-prefix applies only to the 7750 SR and 7950 XRS.

tunnel-group-id

Specifies that the MC-IPsec state of the specific tunnel-group is added to the aggregate route.

Values

1 to 16

Platforms

All

aggregate

Syntax

aggregate ip-prefix/ip-prefix-length [summary-only] [as-set] [aggregator as-number:ip-address] [discard-component-communities] [black-hole [generate-icmp]] [community comm-id [comm-id]] [ description description] [local-preference local-preference] [policy policy-name]

aggregate ip-prefix/ip-prefix-length [summary-only] [as-set] [aggregator as-number:ip-address] [discard-component-communities] [community comm-id [comm-id]] [ indirect ip-address] [description description] [local-preference local-preference] [policy policy-name]

no aggregate ip-prefix/ip-prefix-length

Context

[Tree] (config>router aggregate)

Full Context

configure router aggregate

Description

This command creates an aggregate route.

Use this command to automatically install an aggregate route in the routing table when there are one or more component routes. A component route is any route used for forwarding that is a more-specific match of the aggregate.

The use of aggregate routes can reduce the number of routes that need to be advertised to neighbor routers, leading to smaller routing table sizes.

Overlapping aggregate routes may be configured; in this case a route becomes a component of only the one aggregate route with the longest prefix match. For example if one aggregate is configured as 10.0.0.0/16 and another as 10.0.0.0/24, then route 10.0.128/17 would be aggregated into 10.0.0.0/16, and route 10.0.0.128/25 would be aggregated into 10.0.0.0/24. If multiple entries are made with the same prefix and the same mask the previous entry is overwritten.

A standard 4-byte BGP community may be associated with an aggregate route in order to facilitate route policy matching.

By default aggregate routes are not installed in the forwarding table, however there are configuration options that allow an aggregate route to be installed with a black-hole next hop or with an indirect IP address as next hop.

The no form of this command removes the aggregate.

Default

no aggregate

Parameters

ip-prefix

Specifies the destination address of the aggregate route in dotted decimal notation.

Values

The following values apply to the 7750 SR and 7950 XRS:

ipv4-prefix

a.b.c.d (host bits must be 0)

ipv4-prefix-length

0 to 32

ipv6-prefix

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x:

[0 to FFFF]H

d:

[0 to 255]D

ipv6-prefix-length

0 to 128

Values

The following values apply to the 7450 ESS:

ipv4-prefix

a.b.c.d (host bits must be 0)

ipv4-prefix-length

0 to 32

ip-prefix-length

Specifies the mask associated with the network address expressed as a mask length.

Values

0 to 32

summary-only

Suppresses advertisement of more specific component routes for the aggregate.

To remove the summary-only option, enter the same aggregate command without the summary-only parameter.

as-set

This optional parameter is only applicable to BGP and creates an aggregate where the path advertised for this route will be an AS_SET consisting of all elements contained in all paths that are being summarized. Use this feature carefully as it can increase the amount of route churn due to best path changes.

as-number:ip-address

Specifies the BGP aggregator path attribute to the aggregate route. When configuring the aggregator, a two-octet AS number used to form the aggregate route must be entered, followed by the IP address of the BGP system that created the aggregate route.

discard-component-communities

Causes the aggregate to be advertised with only the configured BGP community set, none of the communities from the component routes activating the aggregate are included.

black-hole

Installs the aggregate route, when activated, in the FIB with a black-hole next-hop, where packets matching this route are discarded.

generate-icmp

Mandatory keyword to generate an ICMP.

community

Associates a BGP community with the aggregate route. The community can be matched in route policies and is automatically added to BGP routes exported from the aggregate route.

comm-id

Specifies a BGP community value, up to 72 characters. A maximum of twelve community IDs can be specified in a single statement.

Values

[as-num:comm-val | well-known-comm | ext-comm | large-comm]

where:

  • as-num — 0 to 65535

  • comm-val — 0 to 65535

  • well-known-commnull | no-export | no-export-subconfed | no-advertise | llgr-stale | no-llgr | blackhole

  • ext-comm — the extended community, defined as one of the following:

    • {target | origin}:ip-address:comm-val

    • {target | origin}:asnum:ext-comm-val

    • {target | origin}:ext-asnum:comm-val

    • bandwidth:asnum:val-in-mbps

    • ext:4300:ovstate

    • ext:value1:value2

    • color:co-bits:color-value

    where:

    • target — route target

    • origin — route origin

    • ip-address — a.b.c.d

    • ext-comm-val — 0 to 4294967295

    • ext-asnum — 0 to 4294967295

    • val-in-mbps — 0 to 16777215

    • ovstate — 0, 1, or 2 (0 for valid, 1 for not found, 2 for invalid)

    • value1 — 0000 to FFFF

    • value2 — 0 to FFFFFFFFFFFF

    • co-bits — 00, 01, 10 or 11

    • color-value — 0 to 4294967295

  • large-commasn-or-ex:val-or-ex:val-or-ex

indirect ip-address

Specifies that the aggregate route should be installed in the FIB with a next-hop taken from the route used to forward packets to ip-address.

Values

The following values apply to the 7750 SR and 7950 XRS:

ipv4-prefix

a.b.c.d

ipv6-prefix

x:x:x:x:x:x:x:x

x:x:x:x:x:x:d.d.d.d

x: [0 to FFFF]H

d: [0 to 255]D

Values

The following values apply to the 7450 ESS:

ipv4-prefix: a.b.c.d

description

Specifies a text description stored in the configuration file for a configuration context, up to 80 characters.

local-preference

Specifies a BGP local-preference value with the aggregate route. The local-preference overrides the default local preference value of a BGP route originated by exporting the aggregate route.

Values

0 to 4294967295

policy-name

Specifies the route policy, up to 64 characters.

Platforms

All

aggregate-contributor

aggregate-contributor

Syntax

[no] aggregate-contributor

Context

[Tree] (config>router>policy-options>policy-statement>entry>from>aggregate-contributor aggregate-contributor)

Full Context

configure router policy-options policy-statement entry from aggregate-contributor aggregate-contributor

Description

This command matches all routes (BGP and non-BGP) that contributed to an active aggregate route. If the prefix tree above a particular route includes no active aggregate routes, or the most specific active aggregate route in the prefix tree above this route has a policy that rejects the route, then it is not considered as an aggregate-contributor.

This match condition is only supported when used in a BGP export policy. If it is used in an entry of a BGP import policy, VRF export policy or VRF import policy, no routes are matched by that entry.

The no form of this command disables matching of routes (BGP and non-BGP) that contributed to an active aggregate route.

Platforms

All

aggregate-prefix-match

aggregate-prefix-match

Syntax

[no] aggregate-prefix-match

Context

[Tree] (config>router>ldp aggregate-prefix-match)

Full Context

configure router ldp aggregate-prefix-match

Description

The command enables the use by LDP of the aggregate prefix match procedures.

When this option is enabled, LDP performs the following procedures for all prefixes. When an LSR receives a FEC-label binding from an LDP neighbor for a given specific FEC1 element, it will install the binding in the LDP FIB if:

  • It is able to perform a successful longest IP match of the FEC prefix with an entry in the routing table, and

  • The advertising LDP neighbor is the next-hop to reach the FEC prefix.

When such a FEC-label binding has been installed in the LDP FIB, then LDP programs an NHLFE entry in the egress data path to forward packets to FEC1. It also advertises a new FEC-label binding for FEC1 to all its LDP neighbors.

When a new prefix appears in the routing table, LDP inspects the LDP FIB to determine if this prefix is a better match (a more specific match) for any of the installed FEC elements. For any FEC for which this is true, LDP may have to update the NHLFE entry for this FEC.

When a prefix is removed from the routing table, LDP inspects the LDP FIB for all FEC elements which matched this prefix to determine if another match exists in the routing table. If so, it updates the NHLFE entry accordingly. If not, it sends a label withdraw message to its LDP neighbors to remove the binding.

When the next hop for a routing prefix changes, LDP updates the LDP FIB entry for the FEC elements which matched this prefix. It also updates the NHLFE entry for these FEC elements accordingly.

The no form of this command disables the use by LDP of the aggregate prefix procedures and deletes the configuration. LDP resumes performing exact prefix match for FEC elements.

Default

no aggregate-prefix-match

Platforms

All

aggregate-sample-window

aggregate-sample-window

Syntax

aggregate-sample-window

Context

[Tree] (config>test-oam>link-meas>template aggregate-sample-window)

Full Context

configure test-oam link-measurement measurement-template aggregate-sample-window

Description

Commands in this context configure the aggregate sample window parameters to be used when the measurement template is assigned to an IP interface. The aggregate sample window is the collection of sample windows.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

aggregate-shapers

aggregate-shapers

Syntax

aggregate-shapers

Context

[Tree] (config>qos>fp-resource-policy aggregate-shapers)

Full Context

configure qos fp-resource-policy aggregate-shapers

Description

This command enters the aggregate-shapers context.

Platforms

7750 SR-1, 7750 SR-s

aggregate-stats

aggregate-stats

Syntax

aggregate-stats export-using export-method [export-method...(up to 2 max)]

aggregate-stats no-export

Context

[Tree] (config>app-assure>group>statistics>aa-sub aggregate-stats)

Full Context

configure application-assurance group statistics aa-sub aggregate-stats

Description

This command configures aa-sub accounting statistics for export of aggregate statistics of a given subscriber.

Default

aggregate-stats no-export

Parameters

export-method

Specifies the method of statistics export to be used.

Values

accounting-policy (this is the only option for sub-aggregate statistics, and it is only supported in residential and VPN sub-scale modes).

no-export

Disables the export.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

aggregate-used-paths

aggregate-used-paths

Syntax

aggregate-used-paths family [family]

no aggregate-used-paths

Context

[Tree] (config>service>vprn>bgp>group>neighbor>link-bandwidth aggregate-used-paths)

[Tree] (config>service>vprn>bgp>group>link-bandwidth aggregate-used-paths)

Full Context

configure service vprn bgp group neighbor link-bandwidth aggregate-used-paths

configure service vprn bgp group link-bandwidth aggregate-used-paths

Description

This command configures BGP to aggregate the bandwidth values from the link-bandwidth extended communities of the used multipaths towards an IP prefix when it is re-advertising a route with next-hop-self towards peers within the scope of the command, as long as the route belongs to one of the listed address families.

Aggregation is not supported unless all of the used multipaths (up to the configured ECMP limit) correspond to received BGP routes with a link-bandwidth extended community. If add-path is also enabled toward the peer, then all of the add-paths advertised to the peer encode the aggregated bandwidth in a link-bandwidth extended community.

Up to three families may be configured.

The no form of this command disables aggregation in a next-hop-self scenario and the link-bandwidth extended community in the advertised route is a copy of the link-bandwidth extended community in the received route (which may have been added by import policy or by the effect of the add-to-received-ebgp command).

Default

no aggregate-used-paths

Parameters

family

Specifies the address families for which receiving the link-bandwidth extended community from EBGP peers should be supported.

Values

ipv4 — Adds a link-bandwidth extended community to unlabeled unicast IPv4 routes.

label-ipv4 — Adds a link-bandwidth extended community to labeled-unicast IPv4 routes.

ipv6 — Adds a link-bandwidth extended community to unlabeled unicast IPv6 routes.

Platforms

All

aggregate-used-paths

Syntax

aggregate-used-paths family [family]

no aggregate-used-paths

Context

[Tree] (config>router>bgp>group>link-bandwidth aggregate-used-paths)

[Tree] (config>router>bgp>group>neighbor>link-bandwidth aggregate-used-paths)

Full Context

configure router bgp group link-bandwidth aggregate-used-paths

configure router bgp group neighbor link-bandwidth aggregate-used-paths

Description

This command configures BGP to aggregate the bandwidth values from the link-bandwidth extended communities of the used multipaths towards an IP prefix when it is re-advertising a route with next-hop-self towards peers within the scope of the command, as long as the route belongs to one of the listed address families.

Aggregation is not supported unless all of the used multipaths (up to the configured ECMP limit) correspond to received BGP routes with a link-bandwidth extended community. If add-path is also enabled toward the peer, then all of the add-paths advertised to the peer encode the aggregated bandwidth in a link-bandwidth extended community.

Up to six families may be configured.

The no form of this command disables aggregation in a next-hop-self scenario and the link-bandwidth extended community in the advertised route is a copy of the link-bandwidth extended community in the received route (which may have been added by import policy or by the effect of the add-to-received-ebgp command).

Default

no aggregate-used-paths

Parameters

family

Specifies the address families for which receiving the link-bandwidth extended community from EBGP peers should be supported.

Values

ipv4 — Adds a link-bandwidth extended community to unlabeled unicast IPv4 routes.

label-ipv4 — Adds a link-bandwidth extended community to labeled-unicast IPv4 routes.

vpn-ipv4 — Adds a link-bandwidth extended community to IPv4 VPN (SAFI 128) routes.

ipv6 — Adds a link-bandwidth extended community to unlabeled unicast IPv6 routes.

label-ipv6 — Adds a link-bandwidth extended community to labeled-unicast IPv6 routes.

vpn-ipv6 — Adds a link-bandwidth extended community to IPv6 VPN (SAFI 128) routes.

Platforms

All

aggregation

aggregation

Syntax

[no] aggregation

Context

[Tree] (config>cflowd>collector aggregation)

Full Context

configure cflowd collector aggregation

Description

This command configures the type of aggregation scheme to be exported.

Specifies the type of data to be aggregated and to the collector.

To configure aggregation, you must decide which type of aggregation scheme to configure: autonomous system, destination prefix, protocol port, raw, source destination, or source prefix.

This can only be configured if the collector version is configured as V8.

The no form of this command removes all aggregation types from the collector configuration.

Default

no aggregation

Platforms

All

aggregator-id-zero

aggregator-id-zero

Syntax

[no] aggregator-id-zero

Context

[Tree] (config>subscr-mgmt>bgp-prng-plcy aggregator-id-zero)

Full Context

configure subscriber-mgmt bgp-peering-policy aggregator-id-zero

Description

This command is used to set the router ID in the BGP aggregator path attribute to zero when BGP aggregates routes. This prevents different routers within an AS from creating aggregate routes that contain different AS paths.

When BGP is aggregating routes, it adds the aggregator path attribute to the BGP update messages. By default, BGP adds the AS number and router ID to the aggregator path attribute.

When this command is enabled, BGP adds the router ID to the aggregator path attribute. The no form of this command used at the global level reverts to default where BGP adds the AS number and router ID to the aggregator path attribute.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

aggregator-id-zero

Syntax

[no] aggregator-id-zero

Context

[Tree] (config>service>vprn>bgp>group>neighbor aggregator-id-zero)

[Tree] (config>service>vprn>bgp>group aggregator-id-zero)

[Tree] (config>service>vprn>bgp aggregator-id-zero)

Full Context

configure service vprn bgp group neighbor aggregator-id-zero

configure service vprn bgp group aggregator-id-zero

configure service vprn bgp aggregator-id-zero

Description

This command is used to set the router ID in the BGP aggregator path attribute to zero when BGP aggregates routes. This prevents different routers within an AS from creating aggregate routes that contain different AS paths.

When BGP is aggregating routes, it adds the aggregator path attribute to the BGP update messages. By default, BGP adds the AS number and router ID to the aggregator path attribute.

When this command is enabled, BGP adds the router ID to the aggregator path attribute. This command is used at the group level to revert to the value defined under the global level, while this command is used at the neighbor level to revert to the value defined under the group level.

The no form of this command used at the global level reverts to default where BGP adds the AS number and router ID to the aggregator path attribute.

The no form of this command used at the group level reverts to the value defined at the group level.

The no form of this command used at the neighbor level reverts to the value defined at the group level.

Default

no aggregator-id-zero — BGP adds the AS number and router ID to the aggregator path attribute.

Platforms

All

aggregator-id-zero

Syntax

[no] aggregator-id-zero

Context

[Tree] (config>router>bgp>group aggregator-id-zero)

[Tree] (config>router>bgp>group>neighbor aggregator-id-zero)

[Tree] (config>router>bgp aggregator-id-zero)

Full Context

configure router bgp group aggregator-id-zero

configure router bgp group neighbor aggregator-id-zero

configure router bgp aggregator-id-zero

Description

This command sets the router ID in the BGP aggregator path attribute to zero when BGP aggregates routes. This prevents different routers within an AS from creating aggregate routes for the same prefix with different path attributes.

When BGP is aggregating routes, it adds the aggregator path attribute to the BGP update messages. By default, BGP adds the AS number and router ID to the aggregator path attribute.

When this command is enabled, BGP adds the router ID to the aggregator path attribute. This command is used at the group level to revert to the value defined under the global level, while this command is used at the neighbor level to revert to the value defined under the group level.

The no form of this command used at the global level reverts to default where BGP adds the AS number and router ID to the aggregator path attribute.

The no form of this command used at the group level reverts to the value defined at the global level.

The no form of this command used at the neighbor level reverts to the value defined at the group level.

Default

no aggregator-id-zero

Platforms

All

agi

agi

Syntax

agi agi

no agi

Context

[Tree] (config>service>epipe>spoke-sdp>pw-path-id agi)

[Tree] (config>service>cpipe>spoke-sdp>pw-path-id agi)

[Tree] (config>service>vpls>spoke-sdp>pw-path-id agi)

Full Context

configure service epipe spoke-sdp pw-path-id agi

configure service cpipe spoke-sdp pw-path-id agi

configure service vpls spoke-sdp pw-path-id agi

Description

This command configures the attachment group identifier for an MPLS-TP PW.

Parameters

agi

Specifies the attachment group identifier.

Values

0 to 4294967295

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

agi

Syntax

agi agi

no agi

Context

[Tree] (config>service>ies>red-if>spoke-sdp>pw-path-id agi)

[Tree] (config>service>ies>if>spoke-sdp>pw-path-id agi)

Full Context

configure service ies redundant-interface spoke-sdp pw-path-id agi

configure service ies interface spoke-sdp pw-path-id agi

Description

This command configures the attachment group identifier for an MPLS-TP PW.

Parameters

agi

Specifies the attachment group identifier.

Values

0 to 4294967295

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s

  • configure service ies redundant-interface spoke-sdp pw-path-id agi

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

  • configure service ies interface spoke-sdp pw-path-id agi

agi

Syntax

agi attachment-group-identifier

no agi

Context

[Tree] (config>service>vprn>red-if>spoke-sdp>pw-path-id agi)

[Tree] (config>service>vprn>if>spoke-sdp>pw-path-id agi)

Full Context

configure service vprn redundant-interface spoke-sdp pw-path-id agi

configure service vprn interface spoke-sdp pw-path-id agi

Description

This command configures the attachment group identifier for an MPLS-TP PW.

Parameters

attachment-group-identifier

Specifies the attachment group identifier.

Values

0 to 4294967295

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s

  • configure service vprn redundant-interface spoke-sdp pw-path-id agi

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

  • configure service vprn interface spoke-sdp pw-path-id agi

agi

Syntax

agi route-identifier

no agi

Context

[Tree] (config>mirror>mirror-dest>remote-src>spoke-sdp>pw-path-id agi)

[Tree] (config>mirror>mirror-dest>spoke-sdp>pw-path-id agi)

Full Context

configure mirror mirror-dest remote-source spoke-sdp pw-path-id agi

configure mirror mirror-dest spoke-sdp pw-path-id agi

Description

This command configures the attachment group identifier for an MPLS-TP PW.

Parameters

route-identifier

Specifies the attachment group identifier.

Values

0 to 4294967295

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

aging

aging

Syntax

aging days

no aging

Context

[Tree] (config>system>security>password aging)

Full Context

configure system security password aging

Description

This command configures the number of days a user password is valid before the user must change their password. This parameter can be used to force the user to change the password at the configured interval. Note the aging starts after the last password configuration or update. This timer is persistence (per user) over a node reboot or activity switch between CPMs. When the user changes the password, the timer is reset to the maximum age. When the password for a user ages out, the user is prompted at login to change the password. Console/SSH/Telnet supports password change prompt.

The no form of this command reverts to the default value.

Parameters

days

Specifies the maximum number of days the password is valid.

Values

1 to 500

Note:

This command applies to local users.

Platforms

All

ah-ext-hdr

ah-ext-hdr

Syntax

ah-ext-hdr {true | false}

no ah-ext-hdr

Context

[Tree] (config>filter>ipv6-filter>entry>match ah-ext-hdr)

Full Context

configure filter ipv6-filter entry match ah-ext-hdr

Description

This command enables match on existence of AH Extension Header in the IPv6 filter policy.

The no form of this command ignores AH Extension Header presence/absence in a packet when evaluating match criteria of a given filter policy entry.

Default

no ah-ext-hdr

Parameters

true

Matches a packet with an AH Extension Header.

false

Matches a packet without an AH Extension Header.

Platforms

All

aigp

aigp

Syntax

[no] aigp

Context

[Tree] (config>router>bgp>group aigp)

[Tree] (config>router>bgp>group>neighbor aigp)

Full Context

configure router bgp group aigp

configure router bgp group neighbor aigp

Description

This command enables or disables Accumulated IGP (AIGP) path attribute support with one or more BGP peers. BGP path selection among routes with an associated AIGP metric is based on the end-to-end IGP metrics of the different BGP paths, even when these BGP paths span more than one AS and IGP instance.

The effect of disabling AIGP (using the no form of this command or implicit) is to remove the AIGP attribute from advertised routes, if present, and to ignore the AIGP attribute in received routes.

Default

no aigp

Platforms

All

aigp-metric

aigp-metric

Syntax

aigp-metric metric

aigp-metric add

aigp-metric igp

no aigp-metric

Context

[Tree] (config>router>policy-options>policy-statement>default-action aigp-metric)

[Tree] (config>router>policy-options>policy-statement>entry>action aigp-metric)

Full Context

configure router policy-options policy-statement default-action aigp-metric

configure router policy-options policy-statement entry action aigp-metric

Description

This command assigns a BGP AIGP metric to routes matching the entry. The effect of this command on a route matched and accepted by a route policy entry depends on how the policy is applied (BGP import policy vs. BGP export policy), the type of route and the specific form of this command.

In a BGP import policy this command is used to:

  • Associate an AIGP metric with an IBGP route received with an empty AS path and no AIGP attribute.

  • Associate an AIGP metric with an EBGP route received without an AIGP attribute that has an AS path containing only AS numbers belonging to the local AIGP administrative domain.

  • Modify the received AIGP metric value prior to BGP path selection.

In a BGP export policy this command is used to:

  • Add the AIGP attribute and set the AIGP metric value in a BGP route originated by exporting a direct, static or IGP route from the routing table.

  • Remove the AIGP attribute from a route advertisement to a particular peer.

  • Modify the AIGP metric value in a route advertisement to a particular peer.

Default

no aigp-metric

Parameters

metric

Administratively defined metric.

Values

0 to 4294967295

Default

name — The AIGP metric parameter variable name. Allowed values are any string up to 32 characters long composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes. Policy parameters must start and end with at-signs (@); for example, "@variable@”.

add

Adds the AIGP attribute.

igp

Sets the AIGP metric to the IGP metric.

Platforms

All

ais-enable

ais-enable

Syntax

[no] ais-enable

Context

[Tree] (config>port>ethernet>eth-cfm>mep ais-enable)

[Tree] (config>lag>eth-cfm>mep ais-enable)

Full Context

configure port ethernet eth-cfm mep ais-enable

configure lag eth-cfm mep ais-enable

Description

This command enables the reception of AIS messages.

The no form of this command reverts to the default values.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

ais-enable

Syntax

[no] ais-enable

Context

[Tree] (config>service>epipe>sap>eth-cfm ais-enable)

[Tree] (config>service>epipe>sap>eth-cfm>mep ais-enable)

[Tree] (config>service>epipe>spoke-sdp>eth-cfm>mep ais-enable)

Full Context

configure service epipe sap eth-cfm ais-enable

configure service epipe sap eth-cfm mep ais-enable

configure service epipe spoke-sdp eth-cfm mep ais-enable

Description

This command enables the generation and the reception of AIS messages.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

ais-enable

Syntax

[no] ais-enable

Context

[Tree] (config>service>vpls>mesh-sdp>eth-cfm>mep ais-enable)

[Tree] (config>service>vpls>spoke-sdp>eth-cfm>mep ais-enable)

[Tree] (config>service>vpls>sap>eth-cfm>mep ais-enable)

Full Context

configure service vpls mesh-sdp eth-cfm mep ais-enable

configure service vpls spoke-sdp eth-cfm mep ais-enable

configure service vpls sap eth-cfm mep ais-enable

Description

This command enables the generation and the reception of AIS messages.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

ais-enable

Syntax

[no] ais-enable

Context

[Tree] (config>service>ies>if>spoke-sdp>eth-cfm ais-enable)

Full Context

configure service ies interface spoke-sdp eth-cfm ais-enable

Description

This command configures the reception of Alarm Indication Signal (AIS) message.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

ais-enable

Syntax

[no] ais-enable

Context

[Tree] (config>service>vprn>sub-if>grp-if>sap>eth-cfm ais-enable)

[Tree] (config>service>vprn>sap>eth-cfm>mep ais-enable)

[Tree] (config>service>vprn>if>spoke-sdp>eth-cfm ais-enable)

Full Context

configure service vprn subscriber-interface group-interface sap eth-cfm ais-enable

configure service vprn sap eth-cfm mep ais-enable

configure service vprn interface spoke-sdp eth-cfm ais-enable

Description

This command configures the reception of Alarm Indication Signal (AIS) message.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s

  • configure service vprn subscriber-interface group-interface sap eth-cfm ais-enable

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

  • configure service vprn interface spoke-sdp eth-cfm ais-enable

ais-enable

Syntax

[no] ais-enable

Context

[Tree] (config>router>mpls>if>mpls-tp-mep ais-enable)

Full Context

configure router mpls interface mpls-tp-mep ais-enable

Description

This command enables MPLS-TP AIS insertion for the forward and reverse directions of all MPLS-TP transit paths using the MPLS interface. This causes the generation of AIS packets in the forward or reverse directions of a path if a fault is detected on the applicable underlying interface for the ingress of the path direction.

The no form of this command disables AIS insertion.

Default

no ais-enable

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

alarm

alarm

Syntax

alarm rmon-alarm-id variable-oid oid-string interval seconds [sample-type] [startup-alarm alarm-type] [rising-event rmon-event-id rising-threshold threshold] [falling-event rmon-event-id falling-threshold threshold] [owner owner-string]

no alarm rmon-alarm-id

Context

[Tree] (config>system>thresholds>rmon alarm)

Full Context

configure system thresholds rmon alarm

Description

The alarm command configures an entry in the RMON-MIB alarmTable. The alarm command controls the monitoring and triggering of threshold crossing events. In order for notification or logging of a threshold crossing event to occur there must be at least one associated rmon>event configured.

The agent periodically takes statistical sample values from the MIB variable specified for monitoring and compares them to thresholds that have been configured with the alarm command. The alarm command configures the MIB variable to be monitored, the polling period (interval), sampling type (absolute or delta value), and rising and falling threshold parameters. If a sample has crossed a threshold value, the associated event is generated.

Use the no form of this command to remove an rmon-alarm-id from the configuration.

Parameters

rmon-alarm-id

Specifies a numerical identifier for the alarm being configured. The number of alarms that can be created is limited to 1200. Alarm ID values above 65400 are used for dynamic system threshold commands and should be avoided.

Values

1 to 65535

oid-string

Specifies the SNMP object identifier of the particular variable to be sampled. Only SNMP variables that resolve to an ASN.1 primitive type of integer (integer, Integer32, Counter32, Counter64, Gauge, or TimeTicks) may be sampled. The oid-string, up to 255 characters, may be expressed using either the dotted string notation or as object name plus dotted instance identifier. For example, "1.3.6.1.2.1.2.2.1.10.184582144" or "ifInOctets.184582144".

seconds

Specifies the polling period over which the data is sampled and compared with the rising and falling thresholds. When setting this interval value, care should be taken in the case of ’delta’ type sampling - the interval should be set short enough that the sampled variable is very unlikely to increase or decrease by more than 2147483647 - 1 during a single sampling interval. Care should also be taken not to set the interval value too low to avoid creating unnecessary processing overhead.

Values

1 to 2147483647

sample-type

Specifies the method of sampling the selected variable and calculating the value to be compared against the thresholds.

Values

absolute — Specifies that the value of the selected variable will be compared directly with the thresholds at the end of the sampling interval.

delta — Specifies that the value of the selected variable at the last sample will be subtracted from the current value, and the difference compared with the thresholds.

Default

absolute

alarm-type

Specifies the alarm that may be sent when this alarm is first created.

If the first sample is greater than or equal to the rising threshold value and startup-alarm is equal to rising or either, then a single rising threshold crossing event is generated.

If the first sample is less than or equal to the falling threshold value and startup-alarm is equal to falling or either, a single falling threshold crossing event is generated.

Values

rising, falling, either

Default

either

rising-event rmon-event-id

Specifies the identifier of the rmon>event that specifies the action to be taken when a rising threshold crossing event occurs.

If there is no corresponding event configured for the specified rmon-event-id, then no association exists and no action is taken.

If the rising-event rmon-event-id has a value of zero (0), no associated event exists.

If a rising-event rmon-event-id is configured, the CLI requires a rising-threshold to also be configured.

Values

0 to 65535

Default

0

rising-threshold threshold

Specifies a threshold for the sampled statistic. When the current sampled value is greater than or equal to this threshold, and the value at the last sampling interval was less than this threshold, a single threshold crossing event will be generated. A single threshold crossing event will also be generated if the first sample taken is greater than or equal to this threshold and the associated startup-alarm is equal to rising or either.

After a rising threshold crossing event is generated, another such event will not be generated until the sampled value falls below this threshold and reaches less than or equal the falling-threshold value.

Values

-2147483648 to 2147483647

Default

0

falling-event rmon-event-id

Specifies the identifier of the rmon>event that specifies the action to be taken when a falling threshold crossing event occurs. If there is no corresponding event configured for the specified rmon-event-id, then no association exists and no action is taken. If the falling-event has a value of zero (0), no associated event exists.

If a falling-event is configured, the CLI requires a falling-threshold to also be configured.

Values

0 to 65535

Default

0

falling-threshold threshold

Specifies a threshold for the sampled statistic. When the current sampled value is less than or equal to this threshold, and the value at the last sampling interval was greater than this threshold, a single threshold crossing event will be generated. A single threshold crossing event will also be generated if the first sample taken is less than or equal to this threshold and the associated startup-alarm is equal to falling or either.

After a falling threshold crossing event is generated, another such event will not be generated until the sampled value rises above this threshold and reaches greater than or equal the rising-threshold value.

Values

-2147483648 to 2147483647

Default

0

owner-string

Specifies the owner string; the owner identifies the creator of this alarm. It defaults to "TiMOS CLI". This parameter is defined primarily to allow entries that have been created in the RMON-MIB alarmTable by remote SNMP managers to be saved and reloaded in a CLI configuration file. The owner will not normally be configured by CLI users and can be a maximum of 80 characters long.

Default

TiMOS CLI

Configuration example


alarm 3 variable-oid ifInOctets.184582144 interval 20 sample-type delta 
start-alarm either rising-event 5 rising-threshold 10000 falling-event 5 
falling-threshold 9000 owner "TiMOS CLI"

Platforms

All

alarm

Syntax

[no] alarm

Context

[Tree] (config>sys>security>cpu-protection>policy alarm)

Full Context

configure system security cpu-protection policy alarm

Description

This command enables the generation of an event when a rate is exceed. The event includes information about the offending source. Only one event is generated per monitor period.

The no form of this command disables the notifications.

Default

no alarm

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-7s, 7750 SR-14s, 7950 XRS

alarm-contact-in-power

alarm-contact-in-power

Syntax

alarm-contact-in-power {on | off}

Context

[Tree] (config>system alarm-contact-in-power)

Full Context

configure system alarm-contact-in-power

Description

This command allows the user to enable a supply of +24V output power on the +24VDC pin of the Alarm Interface Port of the CPM. When enabled, the power supplied through the +24VDC output pin can be used as a source voltage for the alarm contact input pins. The +24VDC output can be used to supply power for monitoring external sensor devices such as cabinet door sensors instead of using an external power source. If users want to use a separate external power source, they should disable the supply of power to the +24VDC output pin by using this CLI command.

Default

alarm-contact-in-power off

Parameters

on

Specifies to turn on power to the +24VDC output pin of the Alarm Interface Port of the CPM.

off

Specifies to turn off power to the +24VDC output pin of the Alarm Interface Port of the CPM.

Platforms

7750 SR-a

alarm-contact-input

alarm-contact-input

Syntax

alarm-contact-input input-pin-number

Context

[Tree] (config>system alarm-contact-input)

Full Context

configure system alarm-contact-input

Description

Commands in this context configure the alarm contact input pin parameters for the specified input pin.

Parameters

input-pin-number

Specifies the alarm contact input pin.

Values

1 to 4

Platforms

7750 SR-a

alarm-notification

alarm-notification

Syntax

alarm-notification

Context

[Tree] (config>lag>eth-cfm>mep alarm-notification)

[Tree] (config>eth-tunnel>path>eth-cfm>mep alarm-notification)

Full Context

configure lag eth-cfm mep alarm-notification

configure eth-tunnel path eth-cfm mep alarm-notification

Description

This command configures the MEP alarm notification parameter.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

alarm-notification

Syntax

alarm-notification

Context

[Tree] (config>service>vpls>eth-cfm>mep alarm-notification)

[Tree] (config>service>vprn>sap>eth-cfm>mep alarm-notification)

[Tree] (config>service>vpls>sap>eth-cfm>mep alarm-notification)

[Tree] (config>service>ies>if>spoke-sdp>eth-cfm>mep alarm-notification)

[Tree] (config>port>ethernet>eth-cfm>mep alarm-notification)

[Tree] (config>service>vpls>spoke-sdp>eth-cfm>mep alarm-notification)

[Tree] (config>router>if>eth-cfm>mep alarm-notification)

[Tree] (config>service>epipe>spoke-sdp>eth-cfm>mep alarm-notification)

[Tree] (config>service>vprn>if>sap>eth-cfm>mep alarm-notification)

[Tree] (config>service>vprn>sub-if>grp-if>sap>eth-cfm>mep alarm-notification)

[Tree] (config>service>ipipe>sap>eth-cfm>mep alarm-notification)

[Tree] (config>service>epipe>sap>eth-cfm>mep alarm-notification)

[Tree] (config>lag>eth-cfm>eth-cfm>mep alarm-notification)

[Tree] (config>service>vpls>mesh-sdp>eth-cfm>mep alarm-notification)

[Tree] (config>service>vprn>if>spoke-sdp>eth-cfm>mep alarm-notification)

[Tree] (config>service>ies>sub-if>grp-if>sap>eth-cfm>mep alarm-notification)

[Tree] (config>service>ies>if>sap>eth-cfm>mep alarm-notification)

Full Context

configure service vpls eth-cfm mep alarm-notification

configure service vprn sap eth-cfm mep alarm-notification

configure service vpls sap eth-cfm mep alarm-notification

configure service ies interface spoke-sdp eth-cfm mep alarm-notification

configure port ethernet eth-cfm mep alarm-notification

configure service vpls spoke-sdp eth-cfm mep alarm-notification

configure router interface eth-cfm mep alarm-notification

configure service epipe spoke-sdp eth-cfm mep alarm-notification

configure service vprn interface sap eth-cfm mep alarm-notification

configure service vprn subscriber-interface group-interface sap eth-cfm mep alarm-notification

configure service ipipe sap eth-cfm mep alarm-notification

configure service epipe sap eth-cfm mep alarm-notification

configure lag eth-cfm eth-cfm mep alarm-notification

configure service vpls mesh-sdp eth-cfm mep alarm-notification

configure service vprn interface spoke-sdp eth-cfm mep alarm-notification

configure service ies subscriber-interface group-interface sap eth-cfm mep alarm-notification

configure service ies interface sap eth-cfm mep alarm-notification

Description

Commands in this context configure the Fault Notification Generation time values for raising the alarm and resetting the CCM defect alarm. These timers are used for network management processes and are not tied into delaying the notification to the fault management system on the network element. These timers do not affect fault propagation mechanisms.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

  • configure service vprn interface sap eth-cfm mep alarm-notification
  • configure service epipe spoke-sdp eth-cfm mep alarm-notification
  • configure port ethernet eth-cfm mep alarm-notification
  • configure service vpls eth-cfm mep alarm-notification
  • configure service epipe sap eth-cfm mep alarm-notification
  • configure service vpls spoke-sdp eth-cfm mep alarm-notification
  • configure service ies interface sap eth-cfm mep alarm-notification
  • configure service vprn interface spoke-sdp eth-cfm mep alarm-notification
  • configure service vpls mesh-sdp eth-cfm mep alarm-notification
  • configure service vpls sap eth-cfm mep alarm-notification
  • configure router interface eth-cfm mep alarm-notification
  • configure service ies interface spoke-sdp eth-cfm mep alarm-notification
  • configure service ipipe sap eth-cfm mep alarm-notification

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s

  • configure service vprn subscriber-interface group-interface sap eth-cfm mep alarm-notification
  • configure service ies subscriber-interface group-interface sap eth-cfm mep alarm-notification

alarm-notification

Syntax

alarm-notification

Context

[Tree] (config>eth-ring>path>eth-cfm>mep alarm-notification)

Full Context

configure eth-ring path eth-cfm mep alarm-notification

Description

Commands in this context configure the MEP alarm notification parameters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

alarms

alarms

Syntax

alarms

Context

[Tree] (config>mcast-mgmt>mcast-info-plcy>bundle>video>analyzer alarms)

[Tree] (config>mcast-mgmt>mcast-info-plcy>bundle>channel>source-override>video>analyzer alarms)

[Tree] (config>mcast-mgmt>mcast-info-plcy>bundle>channel>video>analyzer alarms)

Full Context

configure mcast-management multicast-info-policy bundle video analyzer alarms

configure mcast-management multicast-info-policy bundle channel source-override video analyzer alarms

configure mcast-management multicast-info-policy bundle channel video analyzer alarms

Description

Commands in this context configure alarms for the analyzer (VQM).

Platforms

7450 ESS, 7750 SR-1, 7750 SR-7/12/12e, 7750 SR-1s, 7750 SR-2s, 7750 SR-7s, 7750 SR-14s

alarms

Syntax

alarms

Context

[Tree] (config>li>x-interfaces>x3 alarms)

Full Context

configure li x-interfaces x3 alarms

Description

This command enables the configuration of X3 alarms.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

alarms

Syntax

alarms

Context

[Tree] (config>system alarms)

Full Context

configure system alarms

Description

Commands in this context configure facility alarm parameters. Alarm support is intended to cover a focused subset of router states that are likely to indicate service impacts (or imminent service impacts) related to the overall state of hardware assemblies (cards, fans, links, and so on).

Platforms

All

alc-acct-triggered-reason

alc-acct-triggered-reason

Syntax

[no] alc-acct-triggered-reason

Context

[Tree] (config>subscr-mgmt>acct-plcy>include-radius-attribute alc-acct-triggered-reason)

Full Context

configure subscriber-mgmt radius-accounting-policy include-radius-attribute alc-acct-triggered-reason

Description

This command includes the alc-acct-triggered-reason attribute.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

alc-error-code

alc-error-code

Syntax

[no] alc-error-code

Context

[Tree] (config>subscr-mgmt>acct-plcy>include-radius-attribute alc-error-code)

Full Context

configure subscriber-mgmt radius-accounting-policy include-radius-attribute alc-error-code

Description

This command enables RADIUS accounting messages to include an error number and error code when the subscriber host session terminates. To obtain a complete list of error numbers and their corresponding codes, use the tools>dump>aaa>radius-acct-terminate-cause command.

The no form of this command reverts to the default.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

alg

alg

Syntax

alg

Context

[Tree] (config>service>nat>nat-policy alg)

[Tree] (config>service>nat>firewall-policy alg)

[Tree] (config>service>nat>up-nat-policy alg)

Full Context

configure service nat nat-policy alg

configure service nat firewall-policy alg

configure service nat up-nat-policy alg

Description

Commands in this context configure application layer gateway (ALG) parameters of this policy.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

  • configure service nat up-nat-policy alg
  • configure service nat nat-policy alg

7750 SR, 7750 SR-e, 7750 SR-s, VSR

  • configure service nat firewall-policy alg

algorithm

algorithm

Syntax

algorithm flex-algo-id

no algorithm

Context

[Tree] (conf>router>segment-routing>srv6>micro-segment-locator algorithm)

[Tree] (config>router>segment-routing>srv6>locator algorithm)

Full Context

configure router segment-routing segment-routing-v6 micro-segment-locator algorithm

configure router segment-routing segment-routing-v6 locator algorithm

Description

This command configures an IGP flexible algorithm identifier for an SRv6 or micro-segment locator.

A locator can only be part of a single algorithm but it can be used in multiple IGP instances.

The no form of this command returns the locator to the base IGP algorithm 0.

Default

no algorithm

Parameters

flex-algo-id

Specifies the flexible algorithm ID.

Values

128 to 255

Platforms

7450 ESS, 7750 SR, 7750 SR-s, 7950 XRS, VSR

alias

alias

Syntax

alias alias-name alias-command-name

no alias alias-name

Context

[Tree] (environment alias)

Full Context

environment alias

Description

This command enables the substitution of a command line (or part of a command line) by an alias. Use this command to create alternative or easier to remember or understand names for an entity or command string. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes. The special characters forward slash (/) and backslash (\) cannot be used as the first character inside an alias string. An alias can contain a double quote character by preceding the quote with a backslash (\) character (for example, alias my-alias "| match \"string\""). Only a single command can be present in the command string (the command can be long with many parameters but there is no support for aliases that include multiple CLI commands or lines). This command can be entered in any context but must be created in the root environment context.

For example, to create an alias named soi to display OSPF interfaces, enter the following command:

alias soi "show router ospf interface”

Complex aliases can be created to have shortcuts for customized show routine output.

environment alias my-summary "| match expression \"----|Description|Interface|Admin State|Oper State|Transceiver Type|Optical Compliance|Link Length\" | match invert-match expression \"Ethernet Interface|OTU Interface\" | match invert-match expression \"----\" post-lines 1"

and then used like this:

show port detail my-summary

Parameters

alias-name

Specifies the alias name, up to 80 characters. Do not use a valid command string for the name of the alias. If the alias specified is an actual command, this causes the command to be replaced by the alias.

alias-command-name

Specifies the command name to be associated, up to 320 characters.

Platforms

All

align

align

Syntax

[no] align

Context

[Tree] (config>log>acct-policy align)

Full Context

configure log accounting-policy align

Description

This command enables alignment of statistics collection to the nearest interval within an hour. Enabling the alignment allows statistics collection into an accounting file that is being synchronized across multiple network nodes in the network.

The no form of this command disables alignment of statistics collection.

Default

no align

Platforms

All

all

all

Syntax

all [group grp-ip-address] [source ip-address] [detail]

no all

Context

[Tree] (debug>service>id>pim-snooping all)

Full Context

debug service id pim-snooping all

Description

This command enables or disables debugging for all the PIM modules.

Parameters

grp-ip-address

Debugs information associated with all PIM modules

Values

multicast group address (IPv4 or IPv6)

ip-address

Debugs information associated with all PIM modules

Values

IPv4 or IPv6 address

detail

Debugs detailed information on all PIM modules

Platforms

All

all

Syntax

all [detail]

no all

Context

[Tree] (debug>router>mpls>event all)

[Tree] (debug>router>rsvp>event all)

Full Context

debug router mpls event all

debug router rsvp event all

Description

This command debugs all events.

The no form of the command disables the debugging.

Parameters

detail

Displays detailed information about all events.

Platforms

All

all

Syntax

all [detail]

no all

Context

[Tree] (debug>router>rsvp>packet all)

Full Context

debug router rsvp packet all

Description

This command debugs all packets.

The no form of the command disables the debugging.

Parameters

detail

Displays detailed information about all RSVP packets.

Platforms

All

all

Syntax

all [group grp-ip-address] [source ip-address] [detail]

no all

Context

[Tree] (debug>router>pim all)

Full Context

debug router pim all

Description

This command enables debugging for all the PIM modules.

The no form of this command disables debugging PIM modules.

Parameters

grp-ip-address

Debugs information associated with all PIM modules.

Values

IPv4 or IPv6 address

ip-address

Debugs information associated with all PIM modules.

Values

IPv4 or IPv6 address

detail

Debugs detailed information on all PIM modules.

Platforms

All

all

Syntax

[no] all

Context

[Tree] (debug>router>rpki-session>packet all)

Full Context

debug router rpki-session packet all

Description

This command enables debugging for all RPKI packets.

The no form of this command disables debugging for all RPKI packets.

Platforms

All

all

Syntax

all

Context

[Tree] (config>log>acct-policy>cr>aa>aa-from-sub-cntr all)

[Tree] (config>log>acct-policy>cr>aa>aa-to-sub-cntr all)

[Tree] (config>log>acct-policy>cr>aa>aa-sub-cntr all)

[Tree] (config>log>acct-policy>cr>aa>aa-sub-attr all)

Full Context

configure log accounting-policy custom-record aa-specific from-aa-sub-counters all

configure log accounting-policy custom-record aa-specific to-aa-sub-counters all

configure log accounting-policy custom-record aa-specific aa-sub-counters all

configure log accounting-policy custom-record aa-specific aa-sub-attributes all

Description

This command includes all counters and only applies to the 7750 SR.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

all-authorized-session-addresses

all-authorized-session-addresses

Syntax

[no] all-authorized-session-addresses

Context

[Tree] (config>subscr-mgmt>acct-plcy>include-radius-attribute all-authorized-session-addresses)

Full Context

configure subscriber-mgmt radius-accounting-policy include-radius-attribute all-authorized-session-addresses

Description

This command specifies to include all included and authorized address/prefix attributes in session accounting and is applicable only for session-accounting mode.

With this flag enabled, all IP address attributes explicitly enabled to be included are the following:

  • delegated-ipv6-prefix

  • framed-ip-address

  • framed-ip-netmask

  • framed-ipv6-prefix

  • ipv6-address

These are included if the corresponding addresses or prefixes are authorized (via access-accept or ludb) and independent if they are used or not.

The no form of this command reverts to the default.

Default

no all-authorized-session-addresses

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

all-events

all-events

Syntax

all-events

Context

[Tree] (debug>service>id>mrp all-events)

Full Context

debug service id mrp all-events

Description

This command enables MRP debugging for the applicant, leave all, periodic and registrant state machines and enables debugging of received and transmitted MRP PDUs.

Platforms

All

all-events

Syntax

all-events

Context

[Tree] (debug>service>id>stp all-events)

Full Context

debug service id stp all-events

Description

This command enables STP debugging for all events.

The no form of the command disables debugging.

Platforms

All

all-l1isis

all-l1isis

Syntax

all-l1isis ieee-address

no all-l1isis

Context

[Tree] (config>service>vprn>isis all-l1isis)

Full Context

configure service vprn isis all-l1isis

Description

This command specifies the MAC address to use for the VPRN instance of the Layer 1 IS-IS routers. The MAC address should be a multicast address.

The no form of this command reverts to the default value.

Default

all-l1isis 01:80:c2:00:00:14

Parameters

ieee-address

Specifies the destination MAC address for all Layer 1 I-IS neighbors on the link for this ISIS instance.

Platforms

All

all-l1isis

Syntax

all-l1isis ieee-address

no all-l1isis

Context

[Tree] (config>router>isis all-l1isis)

Full Context

configure router isis all-l1isis

Description

This command enables you to specify the MAC address to use for all Layer 1 IS-IS routers. The MAC address should be a multicast address.

The no form of this command reverts to the default value.

Default

01:80:c2:00:00:14

Parameters

ieee-address

Specifies the destination MAC address for all Layer 1 I-IS neighbors on the link for this IS-IS instance.

Platforms

All

all-l2isis

all-l2isis

Syntax

all-l2isis ieee-address

no all-l2isis

Context

[Tree] (config>service>vprn>isis all-l2isis)

Full Context

configure service vprn isis all-l2isis

Description

This command specifies the MAC address to use for Layer 2 IS-IS routers for the VPRN instance. The MAC address should be a multicast address.

The no form of this command reverts to the default value.

Default

all-l2isis 01:80:c2:00:00:15

Parameters

ieee-address

Specifies the destination MAC address for all Layer 2 ISIS neighbors on the link for this ISIS instance.

Platforms

All

all-l2isis

Syntax

all-l2isis ieee-address

no all-l2isis

Context

[Tree] (config>router>isis all-l2isis)

Full Context

configure router isis all-l2isis

Description

This command enables you to specify the MAC address to use for all Layer 2 IS-IS routers. The MAC address should be a multicast address.

The no form of this command reverts to the default value.

Default

01:80:c2:00:00:15

Parameters

ieee-address

Specifies the destination MAC address for all Layer 2 IS-IS neighbors on the link for this IS-IS instance.

Platforms

All

all-octets-offered-count

all-octets-offered-count

Syntax

[no] all-octets-offered-count

Context

[Tree] (config>subscr-mgmt>acct-plcy>cr>queue>i-counters all-octets-offered-count)

[Tree] (config>subscr-mgmt>acct-plcy>cr>ref-queue>i-counters all-octets-offered-count)

Full Context

configure subscriber-mgmt radius-accounting-policy custom-record queue i-counters all-octets-offered-count

configure subscriber-mgmt radius-accounting-policy custom-record ref-queue i-counters all-octets-offered-count

Description

This command includes all octets offered in the count.

The no form of this command excludes the octets offered in the count.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

all-octets-offered-count

Syntax

[no] all-octets-offered-count

Context

[Tree] (config>log>acct-policy>cr>queue>i-counters all-octets-offered-count)

[Tree] (config>log>acct-policy>cr>ref-queue>i-counters all-octets-offered-count)

Full Context

configure log accounting-policy custom-record queue i-counters all-octets-offered-count

configure log accounting-policy custom-record ref-queue i-counters all-octets-offered-count

Description

This command includes all octets offered in the count.

The no form of this command excludes the octets offered in the count.

Default

no all-octets-offered-count

Platforms

All

all-packets-offered-count

all-packets-offered-count

Syntax

[no] all-packets-offered-count

Context

[Tree] (config>subscr-mgmt>acct-plcy>cr>queue>i-counters all-packets-offered-count)

[Tree] (config>subscr-mgmt>acct-plcy>cr>ref-queue>i-counters all-packets-offered-count)

Full Context

configure subscriber-mgmt radius-accounting-policy custom-record queue i-counters all-packets-offered-count

configure subscriber-mgmt radius-accounting-policy custom-record ref-queue i-counters all-packets-offered-count

Description

This command includes all packets offered in the count.

The no form of this command excludes the packets offered in the count.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

all-packets-offered-count

Syntax

[no] all-packets-offered-count

Context

[Tree] (config>log>acct-policy>cr>ref-queue>i-counters all-packets-offered-count)

[Tree] (config>log>acct-policy>cr>queue>i-counters all-packets-offered-count)

Full Context

configure log accounting-policy custom-record ref-queue i-counters all-packets-offered-count

configure log accounting-policy custom-record queue i-counters all-packets-offered-count

Description

This command includes all packets offered in the count.

The no form of this command excludes the packets offered in the count.

Default

no all-packets-offered-count

Platforms

All

allocate-dual-sids

allocate-dual-sids

Syntax

[no] allocate-dual-sids

Context

[Tree] (config>router>ospf>segm-rtng>adj-sid allocate-dual-sids)

[Tree] (config>router>isis>segm-rtng>adj-sid allocate-dual-sids)

[Tree] (config>router>ospf3>segm-rtng>adj-sid allocate-dual-sids)

Full Context

configure router ospf segment-routing adjacency-sid allocate-dual-sids

configure router isis segment-routing adjacency-sid allocate-dual-sids

configure router ospf3 segment-routing adjacency-sid allocate-dual-sids

Description

This command enables the support of two SR-MPLS adjacency SIDs per interface. A protected and unprotected adjacency SID is instantiated and advertised. If an SR-MPLS adjacency SID already exists, an additional complementary (protected or unprotected) adjacency SID is created on the interface.

The no form of this command disables the support of two SR-MPLS adjacency SIDs per interface.

Default

no allocate-dual-sids

Platforms

All

allocation

allocation

Syntax

allocation explicit-percent percent-of-parent-pool

allocation port-bw-weight pool-weight

no allocation

Context

[Tree] (config>qos>hs-port-pool-policy>alt-port-class-pools>class-pool allocation)

[Tree] (config>qos>hs-port-pool-policy>std-port-class-pools>class-pool allocation)

Full Context

configure qos hs-port-pool-policy alt-port-class-pools class-pool allocation

configure qos hs-port-pool-policy std-port-class-pools class-pool allocation

Description

This command sizes the associated class-pool based on either the specified explicit-percent percent-of-parent-pool or based on the dynamic port bandwidth portioning mechanism. Setting an explicit percentage prevents the port-class pool from participating in the dynamic port level bandwidth-based distribution of the mid-pool’s size as the port bandwidth weight of the port-class pool becomes zero (0). Setting a port bandwidth weight causes the explicit percent value to become zero (0) disabling explicit sizing of the port-class pool.

The no form of the command sets the percent-of-parent-pool value to zero (0) and the pool-weight parameter to 1 for the port-class pool, restoring the default settings.

Default

allocation 1

Parameters

percent-of-parent-pool

Specifies the percentage of parent pool being allocated. This parameter must be configured when specifying the explicit-percent. The percent-of-parent-pool value is expressed as a percentage with two decimal places (100th of a percent) that indicates that the port-class pool should be sized by applying the value to the parent mid-pool size. Specifying explicit-percent forces the port-bw-weight to a zero (0) value (disabled).

Values

0.01 to 100.00

pool-weight

Specifies port bandwidth weight being allocated. The port-bw-weight and explicit-percent commands are mutually exclusive. The pool-weight parameter is required when specifying the port bandwidth weight and defines both that the port-class pool should be sized in the port bandwidth distribution of the mid-pool’s size and what the distribution weight should be for the port-class pool compared to other port-class pools associated with the same mid-pool when competing for the port’s distribution portion.

Values

1 to 100

Platforms

7750 SR-7/12/12e

allocation-percent

allocation-percent

Syntax

allocation-percent percent-of-parent-pool

no allocation-percent

Context

[Tree] (config>qos>hs-pool-policy>mid-tier>mid-pool allocation-percent)

Full Context

configure qos hs-pool-policy mid-tier mid-pool allocation-percent

Description

This command sizes the associated mid-pool based on the specified percent of the parent pool. The size is obtained by applying the specified percentage value to the current root-pool size acting as the mid-pool’s parent. Whenever the parent root-pool is changed to a new root-pool or the size of the current parent root-pool is modified, the mid-pool’s size is updated.

The no form of the command reverts to the default.

Default

allocation-percent 1.00

Parameters

percent-of-parent-pool

Specifies the percent of the parent pool. This parameter is required when the allocation-percent command is executed. This parameter defines the percentage of the root pool's size to derive the size of the mid-pool. The value is specified as a percentage with two decimal places (100th of a percent).

Values

0.01 to 100.00

Platforms

7750 SR-7/12/12e

allocation-weight

allocation-weight

Syntax

allocation-weight pool-weight

no allocation-weight

Context

[Tree] (config>qos>hs-pool-policy>root-tier>root-pool allocation-weight)

Full Context

configure qos hs-pool-policy root-tier root-pool allocation-weight

Description

This command specifies the weight that is applied to the root pool and is divided by the sum of all root pool weights to derive the pool’s buffer allocation factor. The amount of buffers remaining after the system-reserve percentage is applied is multiplied by the buffer allocation factor to derive the pool size.

Root pools function as an oversubscription control mechanism. A root pool acts as the root of a hierarchy of buffer pools and queues with respect to buffer allocation. Because the sum of the root pool sizes does not exceed the total number of buffers available, the number of buffers indicated by the root pools size is always be available to the queues within the root pools hierarchy, queues from one hierarchy can never steal buffers from another.

A root pool hierarchy is based on the dynamic parenting of one or more mid-tier pools to a root pool. A mid-tier pool represents the buffering allowed for all port-class pools mapped to the mid-tier pool. Each mid-tier pool is sized as a percentage of the root pool to which it is parented. The sum of the mid-tier pools percentages for a root pool may be greater than 100 percent, which allows the root pool to be oversubscribed. This can be beneficial when large fluctuations in mid-tier buffer utilization are expected and a given mid-tier pool should be allowed to exceed its fair share of buffering.

Through the mapping hierarchy presented above, each queue is mapped to a port-class pool, mid-tier pool, and root pool.

A root pool with an allocation-weight set to "0” is considered inactive and is not allocated buffers. Mid-tier pools cannot be parented to a root pool with a weight set to "0”. After a mid-tier pool is associated with a root pool, the root pool’s weight cannot be set to "0”.

As port classes are mapped to mid-tier pools in a different policy than mid-tier pools are mapped to root pools, a port-class pool can be mapped to a mid-tier pool that is not parented to a root pool. A queue mapped indirectly to a non-parented mid-tier pool has its operational MBS value set to zero and drops all incoming packets.

When a root pool’s allocation weight is modified, all root pools, mid-tier pools, and port class pool sizes are reevaluated and modified when necessary.

The no form of the command restores the default allocation-weight value to the associated root pool. Root pool 1 has a different default weight than root pools 2 through 8. The no allocation-weight command fails for root pools 2 through 8 if the root pool is currently parented to a class pool.

Default

root-pool 1: allocation-weight 100

root-pool 2 to 16: allocation-weight 0

Parameters

pool-weight

Defines the weight of the associated root-pool root-pool-id and is used by the system to calculate the size of the root buffer pool. This parameter is required when executing the allocation-weight command. Setting the pool-weight to 0 disables the pool and prevents the root pool from being a parent to any class pools. Root pool 1 cannot be set with an allocation weight of 0.

Values

root-pool 1: 1 to 100

root-pool 2 to 16: 0 to 100

Platforms

7750 SR-7/12/12e

allow-boot-license-violations

allow-boot-license-violations

Syntax

[no] allow-boot-license-violations

Context

[Tree] (config>system allow-boot-license-violations)

Full Context

configure system allow-boot-license-violations

Description

This command configures whether the system should allow successful execution of the bootup configuration file when it contains license violations. When enabled, the system will not error on any configuration that causes a license violation and as a result permits the system to come into service. However, if violations are detected, the system reboots after a period of time if the violations are not fixed. See the 7450 ESS, 7750 SR, 7950 XRS and VSR Pay-as-You-Grow Licensing Reference Guide for more information.

Platforms

All

allow-directed-broadcasts

allow-directed-broadcasts

Syntax

[no] allow-directed-broadcasts

Context

[Tree] (config>service>ies>if allow-directed-broadcasts)

[Tree] (config>service>vprn>nw-if allow-directed-broadcasts)

[Tree] (config>router>if allow-directed-broadcasts)

[Tree] (config>service>vprn>if allow-directed-broadcasts)

Full Context

configure service ies interface allow-directed-broadcasts

configure service vprn network-interface allow-directed-broadcasts

configure router interface allow-directed-broadcasts

configure service vprn interface allow-directed-broadcasts

Description

This command enables the forwarding of directed broadcasts out of the IP interface.

A directed broadcast is a packet received on a local router interface destined for the subnet broadcast address on another IP interface. The allow-directed-broadcasts command on an IP interface enables or disables the transmission of packets destined to the subnet broadcast address of the egress IP interface.

When enabled, a frame destined to the local subnet on this IP interface is sent as a subnet broadcast out this interface. Care should be exercised when allowing directed broadcasts as it is a well-known mechanism used for denial-of-service attacks.

When disabled, directed broadcast packets discarded at this egress IP interface are counted in the normal discard counters for the egress SAP.

Note:

Allowing directed broadcasts is a well-known mechanism used for denial-of-service attacks.

By default, directed broadcasts are not allowed and are discarded at this egress IP interface.

The no form of this command disables the forwarding of directed broadcasts out of the IP interface. All broadcasts are dropped.

Default

no allow-directed-broadcasts — Directed broadcasts are dropped.

Platforms

All

allow-dot1q-msaps

allow-dot1q-msaps

Syntax

[no] allow-dot1q-msaps

Context

[Tree] (config>service>vpls>sap allow-dot1q-msaps)

Full Context

configure service vpls sap allow-dot1q-msaps

Description

This command enables support for single tagged traffic triggering managed SAP creation on a qinq encapsulated capture SAP.

With this command enabled, a single tagged trigger packet received on a qinq encapsulated capture SAP (x/y/z:*.* or x/y/z:tag.*) can trigger the creation of an x/y/z:tag.0 managed SAP (MSAP).

The config>system>ethernet>new-qinq-untagged-sap command should be configured:

  • as a prerequisite for an x/y/z:tag.* capture-sap

  • where x/y/z:tag1.0 and x/y/z:tag1.tag2 MSAPs for an x/y/z:*.* capture-sap should co-exist

Note that enabling new-qinq-untagged-sap affects the behavior of existing <port-id>:tag.0 SAPs.

With the allow-dot1q-msaps command disabled (default), a single tagged trigger packet received on a qinq encapsulated capture SAP (x/y/z:*.* or x/y/z:tag.*) is dropped as "Invalid QTag”.

This command cannot be enabled on:

  • a dot1q encapsulated capture-sap

  • an inverse capture sap (x/y/z:*.tag)

The no form of this command reverts to the default.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

allow-egress-remark-dscp

allow-egress-remark-dscp

Syntax

[no] allow-egress-remark-dscp

Context

[Tree] (config>oam-pm>session>ip allow-egress-remark-dscp)

Full Context

configure oam-pm session ip allow-egress-remark-dscp

Description

This command instructs the egress QoS process to modify the DSCP based on the egress QoS configuration. This command exposes the DSCP to egress DSCP processing rules.

The no form of this command instructs the egress QoS process to ignore the DSCP and allow it to bypass egress QoS. If the config>qos>network>egress>remark force command is configured for the network egress QoS profile, the egress QoS process is applied and the DSCP can be overwritten regardless of the allow-egress-remark-dscp configuration.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

allow-egress-remark-dscp

Syntax

[no] allow-egress-remark-dscp

Context

[Tree] (config>test-oam>link-meas>template>twl allow-egress-remark-dscp)

Full Context

configure test-oam link-measurement measurement-template twamp-light allow-egress-remark-dscp

Description

This command instructs the egress QoS process to modify the DSCP based on the egress QoS configuration. This command exposes the DSCP to egress DSCP processing rules.

If the config>qos>network>egress>remark-force command is configured for the network egress QoS profile, the egress QoS process is applied and the DSCP can be overwritten regardless of the allow-egress-remark-dscp configuration.

The no form of this command reverts to the default value, bypassing egress QoS processing of the DSCP.

Default

no allow-egress-remark-dscp

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

allow-export-bgp-vpn

allow-export-bgp-vpn

Syntax

[no] allow-export-bgp-vpn

Context

[Tree] (config>service>vprn allow-export-bgp-vpn)

Full Context

configure service vprn allow-export-bgp-vpn

Description

This command allows routes leaked from another local VPRN service to be re-exported by this VPRN in the form of new VPN-IP routes. The service label, route targets, and BGP next-hop of the re-advertised routes are based on the configuration and default values of the re-exporting VPRN.

When re-exporting leaked routes, the following restrictions apply.

  • The allow-export-bgp-vpn command is not configurable in combination with any of the following commands: carrier-carrier-vpn (CSC), label-mode next-hop (LPN), type {hub | spoke | subscriber-split-horizon}, redundant-interface, and export-inactive-bgp.

  • Re-exported routes always have the per-VRF label of the exporting VPRN; label-per-prefix advertisement is not supported.

  • The best-external (inactive BGP) routes leaked by another VPRN cannot be re-exported by a VPRN configured with allow-export-bgp-vpn.

Caution:

When a VPRN configured with allow-export-bgp-vpn advertises a leaked route, the split-horizon context is lost. A re-exported route can be easily advertised back to the sending peer unless this is blocked by BGP export policies. This can cause route flaps or other similar instability.

If the no form of this command is configured, leaked routes cannot be re-advertised as VPN-IP routes; they can only be re-advertised to PE-CE BGP peers of the VPRN.

Default

no allow-export-bgp-vpn

Platforms

All

allow-flex-algo-fallback

allow-flex-algo-fallback

Syntax

[no] allow-flex-algo-fallback

Context

[Tree] (config>service>epipe>bgp-evpn>mpls>auto-bind-tunnel allow-flex-algo-fallback)

[Tree] (config>service>vpls>bgp-evpn>mpls>auto-bind-tunnel allow-flex-algo-fallback)

[Tree] (config>router>bgp>next-hop-resolution>shortcut-tunnel>family allow-flex-algo-fallback)

[Tree] (config>service>vprn>bgp-evpn>mpls>auto-bind-tunnel allow-flex-algo-fallback)

[Tree] (config>service>vprn>bgp-ipvpn>mpls>auto-bind-tunnel allow-flex-algo-fallback)

[Tree] (config>router>bgp>next-hop-resolution>labeled-routes>transport-tunnel>family allow-flex-algo-fallback)

Full Context

configure service epipe bgp-evpn mpls auto-bind-tunnel allow-flex-algo-fallback

configure service vpls bgp-evpn mpls auto-bind-tunnel allow-flex-algo-fallback

configure router bgp next-hop-resolution shortcut-tunnel family allow-flex-algo-fallback

configure service vprn bgp-evpn mpls auto-bind-tunnel allow-flex-algo-fallback

configure service vprn bgp-ipvpn mpls auto-bind-tunnel allow-flex-algo-fallback

configure router bgp next-hop-resolution labeled-routes transport-tunnel family allow-flex-algo-fallback

Description

This command configures a router to relax the strictly enforced Flex-Algorithm aware autobind, which is enabled through an import policy configured with the action flex-algo command.

If the allow-flex-algo-fallback command is enabled, the BGP router can autobind to a fallback algorithm 0 tunnel if no target Flex-Algorithm tunnel is available. If the allow-flex-algo-fallback command is disabled, the BGP autobind is strictly enforced to an intended Flex-Algorithm tunnel, which may cause traffic loss if no corresponding Flex-Algorithm tunnel exists.

The no form of this command removes the allow-flex-algo-fallback command from the configuration.

Default

no allow-flex-algo-fallback

Platforms

All

allow-fragmentation

allow-fragmentation

Syntax

[no] allow-fragmentation

Context

[Tree] (config>service>sdp allow-fragmentation)

[Tree] (config>service>pw-template allow-fragmentation)

Full Context

configure service sdp allow-fragmentation

configure service pw-template allow-fragmentation

Description

This command disables the setting of the do-not-fragment bit in the IP header of GRE encapsulated service traffic. This feature is only applicable to GRE SDPs and will be applied to all service traffic using the associated GRE SDP.

The no form of this command removes the command from the active configuration and returns the associated SDP to its default which is to set the do-not-fragment bit in all GRE encapsulated service traffic.

Default

no allow-fragmentation

Platforms

All

allow-ftp

allow-ftp

Syntax

[no] allow-ftp

Context

[Tree] (config>service>vprn>management allow-ftp)

Full Context

configure service vprn management allow-ftp

Description

This commands allows access to the FTP server from VPRN.

The no form of this command removes FTP access for this VPRN.

Platforms

All

allow-ftp

Syntax

[no] allow-ftp

Context

[Tree] (config>system>security>management allow-ftp)

Full Context

configure system security management allow-ftp

Description

This command allows access to the FTP server from Base and Management routers if it is operationally up.

The no form of this command disallows access to the FTP server.

Default

allow-ftp

Platforms

All

allow-grpc

allow-grpc

Syntax

[no] allow-grpc

Context

[Tree] (config>system>security>management allow-grpc)

Full Context

configure system security management allow-grpc

Description

This command allows access to the gRPC server from Base and Management routers if it is operationally up.

The no form of this command disallows access to the gRPC server.

Platforms

All

allow-grpc

Syntax

[no] allow-grpc

Context

[Tree] (config>service>vprn>management allow-grpc)

Full Context

configure service vprn management allow-grpc

Description

This commands allows access to the GRPC server from VPRN.

The no form of this command removes GRPC access for this VPRN.

Platforms

All

allow-icmp-redirect

allow-icmp-redirect

Syntax

[no] allow-icmp-redirect

Context

[Tree] (config>router allow-icmp-redirect)

Full Context

configure router allow-icmp-redirect

Description

This command allows ICMP redirects received on the management interface.

The no form of this command drops the ICMP redirects received on the management interface.

Platforms

All

allow-icmp6-redirect

allow-icmp6-redirect

Syntax

[no] allow-icmp-redirect

Context

[Tree] (config>router allow-icmp6-redirect)

Full Context

configure router allow-icmp6-redirect

Description

This command allows IPv6 ICMP redirects received on the management interface.

The no form of this command drops the IPv6 ICMP redirects received on the management interface.

Platforms

All

allow-immediate

allow-immediate

Syntax

[no] allow-immediate

Context

[Tree] (config>system>management-interface>cli>classic-cli allow-immediate)

Full Context

configure system management-interface cli classic-cli allow-immediate

Description

This command enables write access in the classic CLI configuration branch without having to use the classic CLI candidate edit functionality.

The no form of this command blocks write access and configuration changes in the classic CLI configuration branch, and the classic CLI configuration branch is read-only. This enforces using the classic CLI candidate edit functionality, including candidate commit, to modify the router configuration, instead of allowing immediate line-by-line configuration changes.

Default

allow-immediate

Platforms

All

allow-ip-int-bind

allow-ip-int-bind

Syntax

[no] allow-ip-int-bind

Context

[Tree] (config>service>vpls allow-ip-int-bind)

Full Context

configure service vpls allow-ip-int-bind

Description

The allow-ip-int-bind command that sets a flag on the VPLS or I-VPLS service that enables the ability to attach an IES or VPRN IP interface to the VPLS service in order to make the VPLS service routable. When the allow-ip-int-bind command is not enabled, the VPLS service cannot be attached to an IP interface.

VPLS Configuration Constraints for Enabling allow-ip-int-bind

When attempting to set the allow-ip-int-bind VPLS flag, the system first checks to see if the correct configuration constraints exist for the VPLS service and the network ports. The following VPLS features must be disabled or not configured for the allow-ip-int-bind flag to set:

  • SAP ingress QoS policies applied to the VPLS SAPs cannot have MAC match criteria defined

  • The VPLS service type cannot be B-VPLS or M-VPLS

  • MVR from Routed VPLS and to another SAP is not supported

  • Enhanced and Basic Subscriber Management (ESM and BSM) features

  • Network domain on SDP bindings

Once the VPLS allow-ip-int-bind flag is set on a VPLS service, the above features cannot be enabled on the VPLS service.

Network Port Hardware Constraints

The system also checks to ensure that all ports configured in network mode are associated with FlexPath2 forwarding planes. If a port is currently in network mode and the port is associated with a FlexPath1 forwarding plane, the allow-ip-int-bind command will fail. Once the allow-ip-int-bind flag is set on any VPLS service, attempting to enable network mode on a port associated with a FlexPath1 forwarding plane will fail.

VPLS SAP Hardware Constraints

Besides VPLS configuration and network port hardware association, the system also checks to that all SAPs within the VPLS are created on Ethernet ports and the ports are associated with FlexPath2 forwarding planes. Certain Ethernet ports and virtual Ethernet ports are not supported which include CCAG virtual ports (VSM based). If a SAP in the VPLS exists on an unsupported port type or is associated with a FlexPath1 forwarding plane, the allow-ip-int-bind command will fail. Once the allow-ip-int-bind flag is set on the VPLS service, attempting to create a VPLS SAP on the wrong port type or associated with a FlexPath1 forwarding plane will fail.

VPLS Service Name Bound to IP Interface without allow-ip-int-bind flag Set

If a service name is applied to a VPLS service and that service name is also bound to an IP interface but the allow-ip-int-bind flag has not been set on the VPLS service context, the system attempt to resolve the service name between the VPLS service and the IP interface will fail. After the allow-ip-int-bind flag is successfully set on the VPLS service, either the service name on the VPLS service must be removed and reapplied or the IP interface must be re-initialized using the shutdown / no shutdown commands. This will cause the system to reattempt the name resolution process between the IP interface and the VPLS service.

The no form of this command resets the allow-ip-int-bind flag on the VPLS service. If the VPLS service currently has an IP interface from an IES or VPRN service attached, the no allow-ip-int-bind command will fail. Once the allow-ip-int-bind flag is reset on the VPLS service, the configuration and hardware restrictions associated with setting the flag are removed. The port network mode hardware restrictions are also removed.

Platforms

All

allow-ipv6-udp-checksum-zero

allow-ipv6-udp-checksum-zero

Syntax

[no] allow-ipv6-udp-checksum-zero

Context

[Tree] (config>test-oam>link-meas>template>twl allow-ipv6-udp-checksum-zero)

[Tree] (config>service>vprn>twamp-light>reflector allow-ipv6-udp-checksum-zero)

[Tree] (config>router>twamp-light>reflector allow-ipv6-udp-checksum-zero)

Full Context

configure test-oam link-measurement measurement-template twamp-light allow-ipv6-udp-checksum-zero

configure service vprn twamp-light reflector allow-ipv6-udp-checksum-zero

configure router twamp-light reflector allow-ipv6-udp-checksum-zero

Description

This command configures the acceptance of IPv6 packets with UDP checksums of 0.This optional configuration allows the router to process arriving IPv6 TWAMP Test packets that contain IPv6 UDP checksum of 0x0000. The UDP port specific to this TWAMP Light test bypasses the default discard IPv6 UDP checksum 0x0000. If this optional command is not configured, IPv6 UDP checksum 0x000 arriving packets are discarded.

The no form of this command reverts to the default value, discarding packets that arrive with an IPv6 UDP checksum of 0x0000.

Default

no allow-ipv6-udp-checksum-zero

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

allow-lease-query

allow-lease-query

Syntax

[no] allow-lease-query

Context

[Tree] (config>service>vprn>dhcp6>server allow-lease-query)

[Tree] (config>router>dhcp6>server allow-lease-query)

Full Context

configure service vprn dhcp6 local-dhcp-server allow-lease-query

configure router dhcp6 local-dhcp-server allow-lease-query

Description

If enabled, the local DHCPv6 server will handle and reply to lease query messages.

The no form of this command disables lease query support.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

allow-list

allow-list

Syntax

allow-list allow-list-name

no allow-list

Context

[Tree] (config>app-assure>group>url-filter>local-filtering allow-list)

Full Context

configure application-assurance group url-filter local-filtering allow-list

Description

This command adds an allow-list URL list to the local filtering URL filter policy.

The no form of this command removes the URL list object.

Default

no allow-list

Parameters

allow-list-name

Specifies the URL list name.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

allow-local-management

allow-local-management

Syntax

[no] allow-local-management

Context

[Tree] (config>service>vprn>grt>enable-grt allow-local-management)

Full Context

configure service vprn grt-lookup enable-grt allow-local-management

Description

This command enables the support of specific management protocols over VPRN interfaces that terminate on Base routing context IPv4 and IPv6 interface addresses, including Base loopback and system addresses. Global Routing Table (GRT) leaking is used to enable the visibility and access of the Base interface addresses in the VPRN. The supported protocols are Telnet, FTP, SNMP, TACACS+, RADIUS (IPv4 only, not IPv6), SSH (including applications that ride over the standard SSH TCP port 22 such as SCP and SFTP) and NETCONF (configured on port 22 or 830).

Ping and traceroute responses from the Base router interfaces are supported but are not configurable.

The allow-local-management command does not control the support for management protocols terminating on VPRN interfaces directly. See "Node Management using VPRN" in the 7450 ESS, 7750 SR, 7950 XRS, and VSR Layer 3 Services Guide: IES and VPRN for more information. Also, see the access command in the config>service>vprn>snmp context, and the commands in the config>service>vprn>management context.

Platforms

All

allow-multiple-wan-addresses

allow-multiple-wan-addresses

Syntax

[no] allow-multiple-wan-addresses

Context

[Tree] (config>service>ies>sub-if>ipv6 allow-multiple-wan-addresses)

[Tree] (config>service>ies>sub-if>grp-if>ipv6 allow-multiple-wan-addresses)

[Tree] (config>service>vprn>sub-if>ipv6 allow-multiple-wan-addresses)

[Tree] (config>service>vprn>sub-if>grp-if>ipv6 allow-multiple-wan-addresses)

Full Context

configure service ies subscriber-interface ipv6 allow-multiple-wan-addresses

configure service ies subscriber-interface group-interface ipv6 allow-multiple-wan-addresses

configure service vprn subscriber-interface ipv6 allow-multiple-wan-addresses

configure service vprn subscriber-interface group-interface ipv6 allow-multiple-wan-addresses

Description

This command enables host to have two WAN addresses, one from DHCP IA_NA and one from SLAAC assignment.

The no form of this command reverts to the default.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

allow-netconf

allow-netconf

Syntax

[no] allow-netconf

Context

[Tree] (config>system>security>management allow-netconf)

Full Context

configure system security management allow-netconf

Description

This command allows access to the NETCONF server from Base and Management routers if it is operationally up.

The no form of this command disallows access to the NETCONF server.

Platforms

All

allow-netconf

Syntax

[no] allow-netconf

Context

[Tree] (config>service>vprn>management allow-netconf)

Full Context

configure service vprn management allow-netconf

Description

This commands allows access to the NETCONF server from VPRN.

The no form of this command removes NETCONF access for this VPRN.

Platforms

All

allow-qinq-network-interface

allow-qinq-network-interface

Syntax

[no] allow-qinq-network-interface

Context

[Tree] (config>system>ip allow-qinq-network-interface)

Full Context

configure system ip allow-qinq-network-interface

Description

This command is a system-wide option that allows the creation of network interfaces on a QinQ encapsulated VLAN.

When enabled, the maximum number of allowed MPLS labels is reduced by 1 to allow for the additional VLAN tag at egress processing.

The no form of this command reverts the option to the default value, which is to not allow network interfaces on QinQ encapsulated VLANs.

Default

no allow-qinq-network-interface

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

allow-reverse-route-override

allow-reverse-route-override

Syntax

allow-reverse-route-override [type]

no allow-reverse-route-override

Context

[Tree] (config>service>vprn>ipsec allow-reverse-route-override)

Full Context

configure service vprn ipsec allow-reverse-route-override

Description

This command allows a new dynamic LAN-to-LAN tunnel that terminates in the private VPRN service to be created with an overlapping reverse route.

The no form of this command reverts to the default value.

Default

no allow-reverse-route-override

Parameters

type

Specifies the action to take when the system accepts a new reverse route.

Values

same-idi — Specifies that the system accepts a new reverse route and removes the existing route only if the IDi of the new tunnel is the same as existing route.

any-idi — Specifies that the system accepts a new reverse route and removes the existing route regardless of the IDi.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

allow-sr-over-srte

allow-sr-over-srte

Syntax

[no] allow-sr-over-srte

Context

[Tree] (config>router>isis>igp-sc allow-sr-over-srte)

[Tree] (config>router>ospf>igp-sc allow-sr-over-srte)

Full Context

configure router isis igp-shortcut allow-sr-over-srte

configure router ospf igp-shortcut allow-sr-over-srte

Description

This command enables the SR-TE LSPs as eligible SRv4 or SRv6 IGP shortcuts.

For SR-MPLS SRv4 and SRv6, IGP shortcuts can only use SR-TE LSPs with allow-sr-over-srte explicitly enabled that have an adjacency SID as top SID in the SR-TE LSP. IPv4 and IPv6 addresses can use all available SR-TE LSPs as shortcuts regardless of the explicit allow-sr-over-srte configuration.

Under ECMP, when IGP allow-sr-over-srte is configured, preference is given to the SR-TE LSPs with allow-sr-over-srte explicitly configured over the LSPs that do not have allow-sr-over-srte configured.

The no form of this command disables the eligibility.

Default

no allow-sr-over-srte

Platforms

All

allow-ssh

allow-ssh

Syntax

[no] allow-ssh

Context

[Tree] (config>service>vprn>management allow-ssh)

Full Context

configure service vprn management allow-ssh

Description

This command allows configuration of the SSH parameters.

The no form of this command disallows configuration of the SSH parameters.

Platforms

All

allow-ssh

Syntax

[no] allow-ssh

Context

[Tree] (config>system>security>management allow-ssh)

Full Context

configure system security management allow-ssh

Description

This command allows the SSH parameters to be configured from Base and Management routers.

The no form of this command disallows SSH parameters from being configured.

Default

allow-ssh

Platforms

All

allow-static

allow-static

Syntax

allow-static

no allow-static

Context

[Tree] (config>router>bgp>next-hop-res>labeled-routes allow-static)

Full Context

configure router bgp next-hop-resolution labeled-routes allow-static

Description

This command allows the BGP next-hop of label-IPv4, label-IPv6, VPN-IPv4, and VPN-IPv6 routes received from any EBGP or IBGP peer to be resolved using static routes, except for static default routes (0/0 and ::/0).

A static route is less preferred than a local or interface route for resolving the BGP next-hop of labeled route, but more preferred than other IGP routes or tunnels.

Note:

A label-IPv4 or label-IPv6 route can be resolved by a static blackhole route, even when the allow-static command is not configured, but only if the static blackhole route is the longest prefix match (LPM) static route for the BGP next-hop address.

Default

no allow-static

Platforms

All

allow-telnet

allow-telnet

Syntax

[no] allow-telnet

Context

[Tree] (config>service>vprn>management allow-telnet)

Full Context

configure service vprn management allow-telnet

Description

This command allows access to the Telnet server from a VPRN.

The no form of this command removes the Telnet access.

Platforms

All

allow-telnet

Syntax

[no] allow-telnet

Context

[Tree] (config>system>security>management allow-telnet)

Full Context

configure system security management allow-telnet

Description

This command allows access to the Telnet server from Base and Management routers if it is operationally up.

The no form of this command disallows access to the Telnet server.

Default

allow-telnet

Platforms

All

allow-telnet6

allow-telnet6

Syntax

[no] allow-telnet6

Context

[Tree] (config>service>vprn>management allow-telnet6)

Full Context

configure service vprn management allow-telnet6

Description

This command allows access to the Telnet IPv6 server from a VPRN.

The no form of this command removes the Telnet IPv6 access.

Platforms

All

allow-telnet6

Syntax

[no] allow-telnet6

Context

[Tree] (config>system>security>management allow-telnet6)

Full Context

configure system security management allow-telnet6

Description

This command allows access to the Telnet IPv6 server from Base and Management routers if it is operationally up.

The no form of this command disallows access to the Telnet IPv6 server.

Default

allow-telnet6

Platforms

All

allow-unmatching-prefixes

allow-unmatching-prefixes

Syntax

[no] allow-unmatching-prefixes

Context

[Tree] (config>service>vprn>sub-if>ipv6 allow-unmatching-prefixes)

[Tree] (config>service>ies>sub-if>ipv6 allow-unmatching-prefixes)

Full Context

configure service vprn subscriber-interface ipv6 allow-unmatching-prefixes

configure service ies subscriber-interface ipv6 allow-unmatching-prefixes

Description

This command allows address assignment for IPoEv6 and PPPoEv6 hosts in cases where the subscriber host assigned IPv6 address or prefix falls outside of the subscriber-prefix range explicitly configured for the subscriber-interface (configure>service>vprn/ies>sub-if>ipv6) or the subscriber-prefix is not configured at all.

SLAAC hosts is installed in the FDB as /64 entries, the length of the installed DHCP-PD prefix is dictated by the prefix-length and the DHCP-NA host is installed as /128 entries.

IPv4 subscriber hosts are unaffected by this command.

The no form of this command reverts to the default.

Default

no allow-unmatching-prefixes

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

allow-unmatching-subnets

allow-unmatching-subnets

Syntax

[no] allow-unmatching-subnets

Context

[Tree] (config>service>vprn>subscriber-interface allow-unmatching-subnets)

Full Context

configure service vprn subscriber-interface allow-unmatching-subnets

Description

This command specifies whether subscriber hosts with a subnet that does not match any of the subnets configured on this interface, are allowed.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

allow-unmatching-subnets

Syntax

[no] allow-unmatching-subnets

Context

[Tree] (config>service>vprn>sub-if>ipv6 allow-unmatching-subnets)

[Tree] (config>service>ies>sub-if>ipv6 allow-unmatching-subnets)

Full Context

configure service vprn subscriber-interface ipv6 allow-unmatching-subnets

configure service ies subscriber-interface ipv6 allow-unmatching-subnets

Description

This command allows address assignment for IPoEv6 and PPPoEv6 hosts in cases where the subscriber host assigned IPv6 address or prefix falls outside of the subscriber-prefix range explicitly configured for the subscriber-interface (configure>service>vprn/ies>sub-if>ipv6) or the subscriber-prefix is not configured at all.

SLAAC hosts are installed in the FDB as /64 entries, the length of the installed DHCP-PD prefix is dictated by the prefix-length and the DHCP-NA host is installed as /128 entries.

IPv4 subscriber hosts are unaffected by this command.

The no form of this command reverts to the default.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

allow-unmatching-subnets

Syntax

[no] allow-unmatching-subnets

Context

[Tree] (config>service>ies>subscriber-interface allow-unmatching-subnets)

Full Context

configure service ies subscriber-interface allow-unmatching-subnets

Description

This command specifies whether subscriber hosts with a subnet that does not match any of the subnets configured on this interface, are allowed.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

allow-unresolved-leaking

allow-unresolved-leaking

Syntax

[no] allow-unresolved-leaking

Context

[Tree] (config>router>bgp>next-hop-res allow-unresolved-leaking)

Full Context

configure router bgp next-hop-resolution allow-unresolved-leaking

Description

This command instructs BGP, in the base router instance, to allow its routes to be leaked to other (VPRN) BGP instances, even if the routes to be leaked do not have a BGP next hop that can be resolved by the base instance.

By default, BGP routes cannot be leaked to another BGP instance unless they are resolvable by the instance that receives them.

The no form of this command provides the default behavior.

Default

no allow-unresolved-leaking

Platforms

All

allow-unsecure-connection

allow-unsecure-connection

Syntax

[no] allow-unsecure-connection

Context

[Tree] (config>system>grpc allow-unsecure-connection)

Full Context

configure system grpc allow-unsecure-connection

Description

This command enables unsecure operation of gRPC connections. This means that TCP connections are not encrypted, including username and password information.

This command can be enabled only if there is no TLS profile assigned to the gRPC server.

The no form of this command enables TLS encryption on gRPC connections.

Default

no allow-unsecure-connection

Platforms

All

allow-unsecure-connection

Syntax

[no] allow-unsecure-connection

Context

[Tree] (config>system>management-interface>remote-management allow-unsecure-connection)

Full Context

configure system management-interface remote-management allow-unsecure-connection

Description

This command enables unsecure operation of all remote manager connections. In an unsecured operation, connections are not encrypted, including the username and password information.

This command and client-tls-profile are mutually exclusive. This means it can be used only if there are no TLS profiles assigned to the server.

If this command is also configured in the config>system>management-interface>remote-management> manager context, that configuration takes precedence.

The no form of this command disables unsecured connections.

Default

no allow-unsecure-connection

Platforms

All

allow-unsecure-connection

Syntax

[no] allow-unsecure-connection

Context

[Tree] (config>system>management-interface>remote-management>manager allow-unsecure-connection)

Full Context

configure system management-interface remote-management manager allow-unsecure-connection

Description

This command allows an unsecured connection to the remote managers; the TCP connection is not encrypted. This includes username and password information.

This command and client-tls-profile are mutually exclusive.

This command takes precedence over the same command configured in the config> system>management-interface>remote-management context, if applicable.

The no form of this command disables unsecured connections for the specified manager.

Default

no allow-unsecure-connection

Platforms

All

allow-unsecure-connection

Syntax

[no] allow-unsecure-connection

Context

[Tree] (config>system>telemetry>destination-group allow-unsecure-connection)

Full Context

configure system telemetry destination-group allow-unsecure-connection

Description

This command enables an unsecured connection for a specified destination group.

This command is mutually exclusive with the tls-client-profile command.

The no form of this command disables unsecured connections for the specified destination group.

Default

no allow-unsecure-connection

Platforms

All

allow-unsecure-connection

Syntax

[no] allow-unsecure-connection

Context

[Tree] (config>system>grpc-tunnel>destination-group allow-unsecure-connection)

Full Context

configure system grpc-tunnel destination-group allow-unsecure-connection

Description

This command enables an unsecured connection for a specified destination group, which allows a gRPC tunnel to run without a secured transport protocol. Data is transferred in unencrypted form.

This command is mutually exclusive with the tls-client-profile command.

The no form of this command disables unsecured connections for the specified destination group.

Default

no allow-unsecure-connection

Platforms

All

allow-unsecured-msgs

allow-unsecured-msgs

Syntax

[no] allow-unsecured-msgs

Context

[Tree] (config>service>ies>if>ipv6>secure-nd allow-unsecured-msgs)

Full Context

configure service ies interface ipv6 secure-nd allow-unsecured-msgs

Description

This command specifies whether unsecured messages are accepted. When Secure Neighbor Discovery (SeND) is enabled, only secure messages are accepted by default.

The no form of this command disables accepting unsecured messages.

Platforms

All

allow-unsecured-msgs

Syntax

[no] allow-unsecured-msgs

Context

[Tree] (config>service>vprn>if>send allow-unsecured-msgs)

Full Context

configure service vprn interface ipv6 secure-nd allow-unsecured-msgs

Description

This command specifies whether unsecured messages are accepted. When Secure Neighbor Discovery (SeND) is enabled, only secure messages are accepted by default.

The no form of this command disables accepting unsecured messages.

Platforms

All

allow-unsecured-msgs

Syntax

[no] allow-unsecured-msgs

Context

[Tree] (config>router>if>ipv6>secure-nd allow-unsecured-msgs)

Full Context

configure router interface ipv6 secure-nd allow-unsecured-msgs

Description

This command specifies whether unsecured messages are accepted. When Secure Neighbor Discovery (SeND) is enabled, only secure messages are accepted by default.

The no form of this command disables accepting unsecured messages.

Platforms

All

allow-user-name

allow-user-name

Syntax

[no] allow-user-name

Context

[Tree] (config>system>security>password>complexity-rules allow-user-name)

Full Context

configure system security password complexity-rules allow-user-name

Description

The user name is allowed to be used as part of the password.

The no form of this command does not allow user name to be used as password.

Default

no allow-user-name

Platforms

All

allowed-peer-as

allowed-peer-as

Syntax

[no] allowed-peer-as min-as-number [max max-as-number]

Context

[Tree] (config>service>vprn>bgp>group>dynamic-neighbor>match>prefix allowed-peer-as)

Full Context

configure service vprn bgp group dynamic-neighbor match prefix allowed-peer-as

Description

This command configures a single peer AS value or a contiguous range of peer AS values to associate with a prefix from which dynamic BGP sessions can be accepted.

If an incoming dynamic BGP session is associated with the prefix then the peer’s AS, as reported in the OPEN message, is checked against the list of allowed-peer-as values. If the peer AS is not contained in one of the allowed-peer-as commands, then the connection is rejected with a Bad_Peer_AS error. If there is no allowed-peer-as configuration in the matched prefix, then the ASN in the peer’s OPEN message, is checked against the group level peer-as.

The no form of this command removes an allowed-peer-as entry.

Default

no allowed-peer-as

Parameters

min-as-number

Specifies an allowed peer AS value as well as the start of an allowed range if the max-as-number value is also configured.

Values

1 to 4294967295

max-as-number

Specifies the end of an allowed range.

Values

1 to 4294967295

Platforms

All

allowed-peer-as

Syntax

[no] allowed-peer-as min-as-number [max max-as-number]

Context

[Tree] (config>router>bgp>group>dynamic-neighbor>match>prefix allowed-peer-as)

Full Context

configure router bgp group dynamic-neighbor match prefix allowed-peer-as

Description

This command configures a single peer AS value or a contiguous range of peer AS values to associate with a prefix from which dynamic BGP sessions can be accepted.

If an incoming dynamic BGP session is associated with the prefix, then the peer’s AS, as reported in the OPEN message, is checked against the list of allowed-peer-as values. If the peer AS is not contained in one of the allowed-peer-as commands, then the connection is rejected with a Bad_Peer_AS error. If there is no allowed-peer-as configuration in the matched prefix, then the ASN in the peer’s OPEN message, is checked against the group level peer-as.

The no form of this command removes an allowed-peer-as entry.

Default

no allowed-peer-as

Parameters

min-as-number

Specifies an allowed peer AS value as well as the start of an allowed range if the max-as-number value is also configured.

Values

1 to 4294967295

max-as-number

Specifies the end of an allowed range.

Values

1 to 4294967295

Platforms

All

allowed-peer-as

Syntax

[no] allowed-peer-as min-as-number [max max-as-number]

Context

[Tree] (config>service>vprn>bgp>group>dynamic-neighbor>interface allowed-peer-as)

[Tree] (config>router>bgp>group>dynamic-neighbor>interface allowed-peer-as)

Full Context

configure service vprn bgp group dynamic-neighbor interface allowed-peer-as

configure router bgp group dynamic-neighbor interface allowed-peer-as

Description

This command configures a singular allowed peer AS value or a range of acceptable values.

The no form of this command removes an allowed peer AS value or range of acceptable values.

Parameters

min-as-number

Specifies an allowed peer AS value as well as the start of an allowed range if the max-as-number value is also configured.

Values

1 to 4294967295

max-as-number

Specifies the end of an allowed range.

Values

1 to 4294967295

Platforms

All

allowed-source-macs

allowed-source-macs

Syntax

allowed-source-macs

Context

[Tree] (config>port>ethernet>dot1x>per-host-authentication allowed-source-macs)

Full Context

configure port ethernet dot1x per-host-authentication allowed-source-macs

Description

Commands in this context add the source MAC addresses of the hosts to the allowed MAC list.

Platforms

All

already-signed-in

already-signed-in

Syntax

[no] already-signed-in

Context

[Tree] (config>subscr-mgmt>wlan-gw>ue-query>state already-signed-in)

Full Context

configure subscriber-mgmt wlan-gw ue-query state already-signed-in

Description

This command enables matching on UEs that are already signed in.

The no form of this command disables matching on UEs that are already signed in, unless all state matching is disabled.

Default

no already-signed-in

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

alt-port-class-pools

alt-port-class-pools

Syntax

alt-port-class-pools

Context

[Tree] (config>qos>hs-port-pool-policy alt-port-class-pools)

Full Context

configure qos hs-port-pool-policy alt-port-class-pools

Description

Commands in this context configure alternate port class pools parameters. Within this context, the corresponding port-class pools can be associated with a mid-pool, explicitly sized as a percentage of the mid-pool size, dynamically sized based on relative port bandwidth, or have a slope policy applied.

Platforms

7750 SR-7/12/12e

alternate-profile

alternate-profile

Syntax

alternate-profile alternate-profile-name [create]

no alternate-profile alternate-profile-name

Context

[Tree] (config>system>ptp alternate-profile)

Full Context

configure system ptp alternate-profile

Description

This command creates an alternate profile configuration for use in PTP messaging.

The alternate profile can be used at the edge of a network to provide PTP time or frequency distribution outward to external PTP clocks.

The alternate profile cannot be deleted if it is configured as the profile under a PTP port.

The no form of this command removes the alternate profile configuration.

Parameters

alternate-profile-name

Configures the alternate profile name, up to 64 characters. The string "profile” in any uppercase or lowercase form cannot be used for the alternate profile name.

create

Keyword used to create the alternate profile.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

alternate-profile

Syntax

alternate-profile alternate-profile-name

no alternate-profile alternate-profile-name

Context

[Tree] (config>system>ptp>port alternate-profile)

Full Context

configure system ptp port alternate-profile

Description

This command assigns the alternate profile configuration that is used for PTP messaging on the port.

If no alternate profile is specified, the primary profile is used.

If an alternate-profile-name is specified, that alternate profile must already exist in the configuration.

The no form of this command removes the profile assignment.

Parameters

alternate-profile-name

Assigns the alternate profile name, up to 64 characters. The string "profile” in any uppercase or lowercase form cannot be used for the alternate profile name.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

always-compare-med

always-compare-med

Syntax

always-compare-med {zero | infinity}

no always-compare-med strict-as {zero | infinity}

no always-compare-med

Context

[Tree] (config>service>vprn>bgp>path-selection always-compare-med)

[Tree] (config>router>bgp>best-path-selection always-compare-med)

Full Context

configure service vprn bgp best-path-selection always-compare-med

configure router bgp best-path-selection always-compare-med

Description

This command configures the comparison of BGP routes based on the MED attribute. The default behavior of SR OS (equivalent to the no form of this command) is to only compare two routes on the basis of MED if they have the same neighbor AS (the first non-confed AS in the received AS_PATH attribute). Also by default, a route without a MED attribute is handled the same as though it had a MED attribute with the value 0. The always-compare-med command without the strict-as keyword allows MED to be compared even if the paths have a different neighbor AS; in this case, if neither zero nor infinity is specified, the zero option is inferred, meaning a route without a MED is handled the same as though it had a MED attribute with the value 0. When the strict-as keyword is present, MED is only compared between paths from the same neighbor AS, and in this case, zero or infinity is mandatory and tells BGP how to interpret paths without a MED attribute.

Default

no always-compare-med

Parameters

zero

Specifies that for routes learned without a MED attribute that a zero (0) value is used in the MED comparison. The routes with the lowest metric are the most preferred.

infinity

Specifies for routes learned without a MED attribute that a value of infinity (2^32-1) is used in the MED comparison. This in effect makes these routes the least desirable.

strict-as

Specifies that the BGP MED values are only compared if the route comes from the same neighbor AS.

Platforms

All

always-set-sender-for-ir

always-set-sender-for-ir

Syntax

[no] always-set-sender-for-ir

Context

[Tree] (config>system>security>pki>ca-profile>cmpv2 always-set-sender-for-ir)

Full Context

configure system security pki ca-profile cmpv2 always-set-sender-for-ir

Description

This command specifies to always set the sender field in CMPv2 header of all Initial Registration (IR) messages with the subject name. By default, the sender field is only set if an optional certificate is specified in the CMPv2 request.

Default

no always-set-sender-for-ir

Platforms

All

amber-alarm-threshold

amber-alarm-threshold

Syntax

amber-alarm-threshold percentage

no amber-alarm-threshold

Context

[Tree] (config>port>access>ingress>pool amber-alarm-threshold)

[Tree] (config>port>access>egress>pool amber-alarm-threshold)

[Tree] (config>port>network>egress>pool amber-alarm-threshold)

Full Context

configure port access ingress pool amber-alarm-threshold

configure port access egress pool amber-alarm-threshold

configure port network egress pool amber-alarm-threshold

Description

This command configures the threshold for the amber alarm on the over-subscription allowed.

Users can selectively enable amber or red alarm thresholds. But if both are enabled (non-zero), the amber alarm threshold cannot be more than the red alarm threshold.

The no form of this command reverts to the default value.

Default

no amber-alarm-threshold

Parameters

percentage

Specifies the amber alarm threshold.

Values

1 to 1000

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

amber-alarm-threshold

Syntax

amber-alarm-threshold percentage

no amber-alarm-threshold

Context

[Tree] (config>card>fp>ingress>network>pool amber-alarm-threshold)

Full Context

configure card fp ingress network pool amber-alarm-threshold

Description

This command configures the threshold for the amber alarm on the over-subscription allowed.

Users can selectively enable amber or red alarm thresholds. But if both are enabled (non-zero) then the red alarm threshold must be greater than the amber alarm threshold.

The no form of this command reverts to the default value.

Default

no amber-alarm-threshold

Parameters

percentage

Specifies the amber alarm threshold.

Values

1 to 1000

Platforms

All

ambr

ambr

Syntax

ambr down-link down-link-kbps up-link up-link-kbps

no ambr

Context

[Tree] (config>subscr-mgmt>gtp>peer-profile>ggsn>qos ambr)

[Tree] (config>subscr-mgmt>gtp>peer-profile>mme>qos ambr)

[Tree] (config>subscr-mgmt>gtp>peer-profile>pgw>qos ambr)

Full Context

configure subscriber-mgmt gtp peer-profile ggsn qos ambr

configure subscriber-mgmt gtp peer-profile mme qos ambr

configure subscriber-mgmt gtp peer-profile pgw qos ambr

Description

This command configures the Aggregated Maximum Bit Rate (AMBR) to be sent in the APN AMBR IE. The contents of this IE can be overridden by RADIUS or report-rate mechanisms. If those mechanisms specify a partial value, such as only specifying the down-link parameter, the other value is picked up from the ambr configuration.

For GTPv1, the no form of this command implies that the IE will not be sent. If a partial value is received from another source, the missing value will use the following defaults:

  • 10000 kb/s up-link

  • 20000 kb/s down-link

For GTPv2, the no form of this command reverts to the default of 10000 kb/s up-link and 20000 kb/s down-link.

Default

no ambr - for ggsn

ambr down-link 20000 up-link 10000 - for mme and pgw

Parameters

down-link-kbps

Specifies the downlink AMBR.

Values

0 to 10000000

up-link-kbps

Specifies the uplink AMBR.

Values

0 to 10000000

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

ambr-qos-mapping

ambr-qos-mapping

Syntax

ambr-qos-mapping

Context

[Tree] (config>subscr-mgmt>gtp>apn-policy>apn ambr-qos-mapping)

Full Context

configure subscriber-mgmt gtp apn-policy apn ambr-qos-mapping

Description

Mapping of an incoming APN-AMBR to SR OS QoS overrides.

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

an-gw-address

an-gw-address

Syntax

[no] an-gw-address

Context

[Tree] (config>subscr-mgmt>diam-appl-plcy>gx>include-avp an-gw-address)

Full Context

configure subscriber-mgmt diameter-application-policy gx include-avp an-gw-address

Description

This command configures the IPv4 address of the node.

The no form of this command reverts to the default.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

analyze-gre-payload

analyze-gre-payload

Syntax

[no] analyze-gre-payload

Context

[Tree] (config>cflowd analyze-gre-payload)

Full Context

configure cflowd analyze-gre-payload

Description

This command enables cflowd analysis of the inner IP packet in a sampled GRE packet that is transiting the local router.

If the GRE packet terminates on the local node, the inner IP payload is analyzed and reported using existing IPv4 or IPv6 flow templates. This behavior is not affected by this command.

If this parameter is enabled and a GRE packet is transiting the local node, the inner payload is reported using the GRE Flow Template. (Template ID 308 or 309)

This behavior is only supported with V10 (IPFIX) collectors.

The no form of this command disables cflowd analysis of the inner IP packet in a sampled GRE packet.

Platforms

All

analyze-l2tp-traffic

analyze-l2tp-traffic

Syntax

[no] analyze-l2tp-traffic

Context

[Tree] (config>cflowd analyze-l2tp-traffic)

Full Context

configure cflowd analyze-l2tp-traffic

Description

This command causes cflowd to look for and analyze the inner IP header of an L2TPv2 frame.

L2TPv2 traffic is identified by either the source or destination UDP port numbering that is set to 1701.

The no form of this command disables this function.

Default

no analyze-l2tp-traffic

Platforms

All

analyze-v4overv6-traffic

analyze-v4overv6-traffic

Syntax

[no] analyze-v4overv6-traffic

Context

[Tree] (config>cflowd analyze-v4overv6-traffic)

Full Context

configure cflowd analyze-v4overv6-traffic

Description

This command causes cflowd to look for and analyze the inner IPv4 header of IPv4overIPv6 frames that include MAP-E as well as DS-Lite and SAM traffic.

The no form of this command disables this function.

Default

no analyze-v4overv6-traffic

Platforms

All

analyzer

analyzer

Syntax

[no] analyzer

Context

[Tree] (config>isa>video-group analyzer)

Full Context

configure isa video-group analyzer

Description

This command specifies whether or not the video analyzer is enabled for all streams on this video group.

The no form of the command disables the analyzer for the group.

Default

no analyzer

Platforms

7450 ESS, 7750 SR-1, 7750 SR-7/12/12e, 7750 SR-1s, 7750 SR-2s, 7750 SR-7s, 7750 SR-14s

analyzer

Syntax

[no] analyzer

Context

[Tree] (config>mcast-mgmt>mcast-info-plcy>bundle>channel>source-override>video analyzer)

[Tree] (config>mcast-mgmt>mcast-info-plcy>bundle>channel>video analyzer)

[Tree] (config>mcast-mgmt>mcast-info-plcy>bundle>video analyzer)

Full Context

configure mcast-management multicast-info-policy bundle channel source-override video analyzer

configure mcast-management multicast-info-policy bundle channel video analyzer

configure mcast-management multicast-info-policy bundle video analyzer

Description

This command enables or disables the analyzer for the group.

Platforms

7450 ESS, 7750 SR-1, 7750 SR-7/12/12e, 7750 SR-1s, 7750 SR-2s, 7750 SR-7s, 7750 SR-14s

ancp

ancp

Syntax

ancp

Context

[Tree] (config>subscr-mgmt ancp)

[Tree] (config>subscr-mgmt>sub-prof ancp)

Full Context

configure subscriber-mgmt ancp

configure subscriber-mgmt sub-profile ancp

Description

Commands in this context configure Access Node Control Protocol (ANCP) parameters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

ancp

Syntax

ancp

Context

[Tree] (config>service>vpls>gsmp>group ancp)

[Tree] (config>service>vprn>gsmp>group ancp)

Full Context

configure service vpls gsmp group ancp

configure service vprn gsmp group ancp

Description

Commands in this context configure Access Node Control Protocol (ANCP) parameters for this GSMP group.

Platforms

All

ancp

Syntax

[no] ancp

Context

[Tree] (config>service>vprn>gsmp>group ancp)

Full Context

configure service vprn gsmp group ancp

Description

Commands in this context configure ANCP parameters for this GSMP group.

The no form of this command disables the ANCP parameters configured in this context.

Platforms

All

ancp

Syntax

ancp ancp-string ancp-string loopback [count send-count] [timeout timeout] [alarm]

ancp subscriber sub-ident-string loopback [count send-count] [timeout timeout] [alarm]

Context

[Tree] (oam ancp)

Full Context

oam ancp

Description

This command sends an OAM request to the access node. ANCP can be used to send OAM messages to the access node. The access node must be able to accept these messages and signals such support by the capability negotiations. If the operator attempts to send an OAM command to an access node that does not support, the operation results in an error.

Parameters

ancp-string

Specifies an existing ANCP string, up to 63 characters.

loopback

Sends an OAM loopback test request to the access node.

send-count

Specifies the number of messages the access node uses to test the circuit. If omitted, the number is determined by the access node via local policy.

Values

1 to 32

timeout

Specifies the length of time, in seconds, that the controlling node waits for a result.

Values

1 to 255

alarm

Specifies that the CLI the result is returned to the CLI and a trap is issued to indicate the test has finished. If the flag is used through SNMP the results are available in the results MIB and after the node sends the trap to indicate the results are ready.

sub-ident-string

Specifies an existing subscriber-id, up to 32 characters. The node uses the ancp-string value associated with the provided subscriber-id to identify the circuit.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

ancp

Syntax

ancp

Context

[Tree] (config>system>persistence ancp)

Full Context

configure system persistence ancp

Description

This command configures ANCP persistence parameters.

Platforms

All

ancp-policy

ancp-policy

Syntax

ancp-policy policy-name [create]

no ancp-policy policy-name

Context

[Tree] (config>subscr-mgmt>ancp ancp-policy)

Full Context

configure subscriber-mgmt ancp ancp-policy

Description

This command creates an Access Node Control Protocol (ANCP) policy. The policy is associated with either the ANCP string (static case) or subscriber-profile (dynamic case) and defines the behavior of the hosts belonging to these profiles.

ANCP policies control rates and subscribers based on port-up/port-down messages from the access node. When configured, the 7450 ESS or 7750 SR should stop SHCV to a host that is part of a port defined to be down (by port-down message). When the node receives a port-up message for a port that was in port-down state, the node will initiate the SHCV process immediately to verify connectivity.

When ANCP is used with Enhanced Subscriber Management, the ANCP string last associated with the subscriber is used. All hosts of a subscriber is updated with the new ANCP string.

The no form of this command removes the policy name from the ANCP configuration.

Parameters

policy-name

Configures the ANCP policy name, up to 32 characters.

create

Keyword used to create the ANCP policy. The create keyword requirement can be enabled or disabled in the environment>create context.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

ancp-policy

Syntax

ancp-policy name

Context

[Tree] (config>subscr-mgmt>sub-prof>ancp ancp-policy)

Full Context

configure subscriber-mgmt sub-profile ancp ancp-policy

Description

This command specifies an existing Access Node Control Protocol (ANCP) policy to associate with the subscriber profile. The policy is associated with either the ANCP string (static case) or subscriber-profile (dynamic case) and defines the behavior of the hosts belonging to these profiles.

The no form of this command removes the policy name from the ANCP configuration.

Parameters

name

Specifies an existing ANCP policy name, up to 32 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

ancp-static-map

ancp-static-map

Syntax

ancp-static-map

Context

[Tree] (config>subscr-mgmt>ancp ancp-static-map)

Full Context

configure subscriber-mgmt ancp ancp-static-map

Description

Commands in this context configure a static ANCP name map.

Default

ancp-static-map

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

ancp-string

ancp-string

Syntax

ancp-string ancp-string

no ancp-string

Context

[Tree] (config>subscr-mgmt>loc-user-db>ppp>host>ident-strings ancp-string)

[Tree] (config>subscr-mgmt>loc-user-db>ipoe>host>ident-strings ancp-string)

Full Context

configure subscriber-mgmt local-user-db ppp host identification-strings ancp-string

configure subscriber-mgmt local-user-db ipoe host identification-strings ancp-string

Description

This command specifies the ANCP string which is encoded in the identification strings.

The no form of this command returns to the default.

Parameters

ancp-string

Specifies the ANCP string, up to 63 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

ancp-string

Syntax

ancp-string ancp-string

no ancp-string

Context

[Tree] (config>service>vpls>sap>static-host ancp-string)

[Tree] (config>service>vprn>sub-if>grp-if>sap>static-host ancp-string)

[Tree] (config>service>vprn>if>sap>static-host ancp-string)

[Tree] (config>service>ies>sub-if>grp-if>sap>static-host ancp-string)

[Tree] (config>service>ies>if>sap>static-host ancp-string)

Full Context

configure service vpls sap static-host ancp-string

configure service vprn subscriber-interface group-interface sap static-host ancp-string

configure service vprn interface sap static-host ancp-string

configure service ies subscriber-interface group-interface sap static-host ancp-string

configure service ies interface sap static-host ancp-string

Description

This command specifies the ANCP string associated to this SAP host.

The no form of this command reverts to the default.

Parameters

ancp-string

Specifies the ANCP string up to 63 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

anno-rx-timeout

anno-rx-timeout

Syntax

anno-rx-timeout count

no anno-rx-timeout

Context

[Tree] (config>system>ptp anno-rx-timeout)

Full Context

configure system ptp anno-rx-timeout

Description

This command configures the announceReceiptTimeout value for all peer associations. This defines the number of Announce message intervals that must expire with no received Announce messages before declaring an ANNOUNCE_RECIPT_TIMEOUT event.

The announce-rx-timeout cannot be changed unless PTP is shut down.

Default

anno-rx-timeout 3

Parameters

count

Specifies the announce packet interval, in log form.

Values

2 to 10

Default

3

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

announce

announce

Syntax

[no] announce

Context

[Tree] (config>service>nat>pcp-server-policy>opcode announce)

Full Context

configure service nat pcp-server-policy opcode announce

Description

This command enables/disables support for the announce opcode.

Default

no announce

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

antenna-cable-delay

antenna-cable-delay

Syntax

antenna-cable-delay nanoseconds

Context

[Tree] (config>port>gnss antenna-cable-delay)

Full Context

configure port gnss antenna-cable-delay

Description

This command configures the expected signal delay resulting from the length of the GNSS antenna cable, for platforms that support one or more embedded GNSS receivers.

Default

0

Parameters

nanoseconds

Specifies the signal delay in nanoseconds.

Values

0 to 1000

Platforms

7750 SR-1-24D, 7750 SR-1-46S, 7750 SR-1-48D, 7750 SR-1-92S, 7750 SR-1x-48D, 7750 SR-1x-92S, 7750 SR-1se, 7750 SR-2se

anti-spoof

anti-spoof

Syntax

anti-spoof type

no anti-spoof

Context

[Tree] (config>service>ies>sub-if>grp-if>sap anti-spoof)

[Tree] (config>service>vprn>sub-if>grp-if>sap anti-spoof)

[Tree] (config>service>vpls>sap anti-spoof)

[Tree] (config>service>ies>sap anti-spoof)

[Tree] (config>service>vprn>sub-if>grp-if>pppoe anti-spoof)

[Tree] (config>service>ies>sub-if>grp-if>sap-parameters anti-spoof)

[Tree] (config>service>ies>sub-if>grp-if>pppoe anti-spoof)

[Tree] (config>service>vprn>sub-if>grp-if>sap-parameters anti-spoof)

[Tree] (config>subscr-mgmt>msap-policy>ies-vprn-only-sap-parameters anti-spoof)

Full Context

configure service ies subscriber-interface group-interface sap anti-spoof

configure service vprn subscriber-interface group-interface sap anti-spoof

configure service vpls sap anti-spoof

configure service ies sap anti-spoof

configure service vprn subscriber-interface group-interface pppoe anti-spoof

configure service ies subscriber-interface group-interface sap-parameters anti-spoof

configure service ies subscriber-interface group-interface pppoe anti-spoof

configure service vprn subscriber-interface group-interface sap-parameters anti-spoof

configure subscriber-mgmt msap-policy ies-vprn-only-sap-parameters anti-spoof

Description

This command enables anti-spoof filtering and optionally changes the anti-spoof matching type for the SAP.

The type of anti-spoof filtering defines what information in the incoming packet is used to generate the criteria to lookup an entry in the anti-spoof filter table. The type parameter (ip, mac, ip-mac) defines the anti-spoof filter type enforced by the SAP when anti-spoof filtering is enabled.

Enabling anti-spoof filtering on a subscriber-facing SAP causes the anti-spoof table to be populated with all static and dynamic host information available on the SAP. Enabling anti-spoof filtering on the SAP will fail if any static hosts are defined without the proper addresses specified for the selected anti-spoof filter type.

When enabled, forwarding IP packets that ingress the SAP is dependent on a successful anti-spoof table match with an entry in the table. DHCP and non-IP packets (including ARP) are not subject to anti-spoof filtering. If an entry does not match the ingress packet, the packet is silently discarded while incrementing the SAP discard counter.

Anti-spoof filtering is only allowed on VPLS SAPs, IES SAP-based IP interfaces, and VPRN SAP-based IP interfaces. Anti-spoof filtering is not available on IES or VPRN SDP bound IP interfaces. Anti-spoof filtering is not supported on Epipe and other VLL type services. Support for anti-spoofing is dependent on SAP based service interfaces. Note VPRN and VLL are supported on the 7750 SR only.

Note:

Anti-spoofing filters, with type ip-mac, must be enabled to perform Enhanced Subscriber Management (as described in the Triple Play Enhanced Subscriber Management section).

The no form of this command disables anti-spoof filtering on the SAP.

Default

no anti-spoof

Parameters

type

Specifies the anti-spoof filtering type for this SAP.

Values

ip — Specifies to use only the source IP address in its lookup. If a static host exists on the SAP without an IP address specified, the anti-spoof ip command fails.

ip-mac — Specifies to use both the source IP address and the source MAC address in its lookup.

mac — Specifies to use only the source MAC address in its lookup. If a static host exists on the SAP without a specified MAC address, the anti-spoof mac command fails.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

  • configure service vpls sap anti-spoof
  • configure service vprn subscriber-interface group-interface pppoe anti-spoof
  • configure subscriber-mgmt msap-policy ies-vprn-only-sap-parameters anti-spoof
  • configure service ies subscriber-interface group-interface pppoe anti-spoof
  • configure service vprn subscriber-interface group-interface sap anti-spoof
  • configure service ies subscriber-interface group-interface sap anti-spoof

7750 SR, 7750 SR-e, 7750 SR-s, VSR

  • configure service vprn subscriber-interface group-interface sap-parameters anti-spoof
  • configure service ies subscriber-interface group-interface sap-parameters anti-spoof

anti-spoof

Syntax

anti-spoof {ip | ip-mac | nh-mac}

no anti-spoof

Context

[Tree] (config>service>ies>sub-if>grp-if>sap anti-spoof)

[Tree] (config>service>vprn>sub-if>grp-if>sap anti-spoof)

Full Context

configure service ies subscriber-interface group-interface sap anti-spoof

configure service vprn subscriber-interface group-interface sap anti-spoof

Description

This command configures the anti-spoof type of the MSAP.

The type of anti-spoof filtering defines what information in the incoming packet is used to generate the criteria to lookup an entry in the anti-spoof filter table. The type parameter (ip, ip-mac) defines the anti-spoof filter type enforced by the SAP when anti-spoof filtering is enabled.

The no form of this command reverts to the default.

Note:

For IES and VPRN subscriber group interfaces, setting no anti-spoof sets the default anti-spoofing type which is ip-mac.

Parameters

ip

Configures SAP anti-spoof filtering to use only the source IP address in its lookup. If a static host exists on the SAP without an IP address specified, the anti-spoof type ip command fails.

Note:

This parameter is not applicable in the config>subscr-mgmt>msap-policy context.

ip-mac

Configures SAP anti-spoof filtering to use both the source IP address and the source MAC address in its lookup. The anti-spoof type ip-mac command fails if the default anti-spoof filter type of the SAP is ip-mac and the default is not overridden, or if the SAP does not support Ethernet encapsulation.

nh-mac

Indicates that the ingress anti-spoof is based on the source MAC and egress anti-spoof is based on the nh-ip-address .

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

anti-spoof

Syntax

anti-spoof type

no anti-spoof

Context

[Tree] (config>service>ies>if>sap anti-spoof)

[Tree] (config>service>vprn>if>sap anti-spoof)

[Tree] (config>service>vpls>sap anti-spoof)

Full Context

configure service ies interface sap anti-spoof

configure service vprn interface sap anti-spoof

configure service vpls sap anti-spoof

Description

This command enables anti-spoof filtering and optionally changes the anti-spoof matching type for the SAP.

The type of anti-spoof filtering defines what information in the incoming packet is used to generate the criteria to lookup an entry in the anti-spoof filter table. The type parameter (ip, mac, ip-mac) defines the anti-spoof filter type enforced by the SAP when anti-spoof filtering is enabled.

The no form of the command disables anti-spoof filtering on the SAP.

Default

no anti-spoof

Parameters

type

Specifies the anti-spoof filtering type for this SAP.

Values

ip — Configures SAP anti-spoof filtering to use only the source IP address in its lookup. If a static host exists on the SAP without an IP address specified, the anti-spoof type ip command fails.

ip-mac — Configures SAP anti-spoof filtering to use both the source IP address and the source MAC address in its lookup. If a static host exists on the SAP without both the IP address and MAC address specified, the anti-spoof type ip-mac command fails. This is also true if the default anti-spoof filter type of the SAP is ip-mac and the default is not overridden. The anti-spoof type ip-mac command will also fail if the SAP does not support Ethernet encapsulation.

mac — Configures SAP anti-spoof filtering to use only the source MAC address in its lookup. Setting the anti-spoof filter type to mac is not allowed on non-Ethernet encapsulated SAPs. If a static host exists on the SAP without a specified MAC address, the anti-spoof type mac command fails. The anti-spoof type mac command will also fail if the SAP does not support Ethernet encapsulation.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

anti-spoof

Syntax

anti-spoof pppoe-anti-spoofing-type

no anti-spoof

Context

[Tree] (config>service>vprn>sub-if>grp-if>pppoe anti-spoof)

[Tree] (config>service>ies>sub-if>grp-if>pppoe anti-spoof)

Full Context

configure service vprn subscriber-interface group-interface pppoe anti-spoof

configure service ies subscriber-interface group-interface pppoe anti-spoof

Description

This command specifies the type of PPPoE anti-spoof filtering to use.

The no form of this command reverts to the default.

Default

anti-spoof mac-sid

Parameters

pppoe-anti-spoofing-type

Specifies the PPPoE anti-spoof filtering.

Values

mac-sid, mac-sid-ip

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

anti-spoof

Syntax

anti-spoof {ip | mac | ip-mac | nh-mac}

no anti-spoof-type

Context

[Tree] (config>service>vprn>if>sap anti-spoof)

Full Context

configure service vprn interface sap anti-spoof

Description

This command enables anti-spoof filtering and optionally changes the anti-spoof matching type for the interface.

The type of anti-spoof filtering defines what information in the incoming packet is used to generate the criteria to lookup an entry in the anti-spoof filter table. The type parameter (ip, mac, ip-mac, nh-mac) defines the anti-spoof filter type enforced by the SAP when anti-spoof filtering is enabled.

The no form of this command reverts to the default.

Default

Filter type default types:

  • anti-spoof ip (Non-Ethernet encapsulated SAP)

  • anti-spoof ip-mac (Ethernet encapsulated SAP)

  • no anti-spoof-type (other SAPs)

Parameters

ip

Configures SAP anti-spoof filtering to use only the source IP address in its lookup. If a static host exists on the SAP without an IP address specified, the anti-spoof type ip command fails.

mac

Configures SAP anti-spoof filtering to use only the source MAC address in its lookup. Setting the anti-spoof filter type to mac is not allowed on non-Ethernet encapsulated SAPs. If a static host exists on the SAP without a specified MAC address, the anti-spoof type mac command fails. The anti-spoof type mac command will also fail if the SAP does not support Ethernet encapsulation.

ip-mac

Configures SAP anti-spoof filtering to use both the source IP address and the source MAC address in its lookup. If a static host exists on the SAP without both the IP address and MAC address specified, the anti-spoof type ip-mac command fails. This is also true if the default anti-spoof filter type of the SAP is ip-mac and the default is not overridden. The anti-spoof type ip-mac command will also fail if the SAP does not support Ethernet encapsulation.

nh-mac

Indicates that the ingress anti-spoof is based on the source MAC address and the egress anti-spoof is based on the nh-ip-address.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

anti-spoof

Syntax

[no] anti-spoof

Context

[Tree] (config>app-assure>group>http-enrich>field anti-spoof)

Full Context

configure application-assurance group http-enrich field anti-spoof

Description

This command configures the HTTP header enrichment anti-spoofing functionality.

The no form of this command disables anti-spoofing functionality.

Default

no anti-spoof

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

anycast

anycast

Syntax

[no] anycast rp-ip-address

Context

[Tree] (config>service>vprn>pim>rp anycast)

Full Context

configure service vprn pim rp anycast

Description

This command configures a PIM anycast protocol instance for the RP being configured. Anycast enables fast convergence when a PIM RP router fails by allowing receivers and sources to rendezvous at the closest RP.

The no form of this command removes the anycast instance from the configuration.

Parameters

rp-ip-address

Configure the loopback IP address shared by all routes that form the RP set for this anycast instance. Only a single address can be configured. If another anycast command is entered with an address then the old address will be replaced with the new address. If no ip-address is entered then the command is simply used to enter the anycast CLI level.

Values

Any valid loopback address configured on the node.

Platforms

All

anycast

Syntax

anycast ipv6-address

no anycast ipv6-address

Context

[Tree] (config>service>vprn>pim>rp>ipv6 anycast)

Full Context

configure service vprn pim rp ipv6 anycast

Description

This command configures an IPv6 PIM anycast protocol instance for the RP being configured. Anycast enables fast convergence when a PIM RP router fails by allowing receivers and sources to rendezvous at the closest RP.

The no form of this command removes the anycast instance from the configuration.

Parameters

ipv6-address

Configures the loopback IP address shared by all routes that form the RP set for this anycast instance. Only a single address can be configured. If another anycast command is entered with an address then the old address will be replaced with the new address. If no address is entered then the command is simply used to enter the anycast CLI context.

Values

ipv6-address

: x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x [0 to FFFF]H

d [0 to 255]D

Platforms

All

anycast

Syntax

[no] anycast rp-ip-address

Context

[Tree] (config>router>pim>rp anycast)

Full Context

configure router pim rp anycast

Description

This command configures a PIM anycast protocol instance for the RP being configured. Anycast enables fast convergence when a PIM RP router fails by allowing receivers and sources to rendezvous at the closest RP.

The no form of this command removes the anycast instance from the configuration.

Parameters

rp-ip-address

Specifies the loopback IP address shared by all routes that form the RP set for this anycast instance. Only a single address can be configured. If another anycast command is entered with an address then the old address will be replaced with the new address. If no ip-address is entered then the command is simply used to enter the anycast CLI level.

Values

Any valid loopback address configured on the node.

Platforms

All

anycast

Syntax

[no] anycast ipv6-address

Context

[Tree] (config>router>pim>rp>ipv6 anycast)

Full Context

configure router pim rp ipv6 anycast

Description

This command configures a PIM anycast protocol instance for the RP being configured. Anycast enables fast convergence when a PIM RP router fails by allowing receivers and sources to rendezvous at the closest RP.

The no form of this command removes the anycast instance from the configuration.

Parameters

ipv6-address

Specifies the loopback IPv6 address shared by all routes that form the RP set for this anycast instance. Only a single address can be configured. If another anycast command is entered with an address then the old address is replaced with the new address. If no ipv6-address is entered then the command is simply used to enter the anycast CLI level.

Values

Any valid loopback address configured on the node.

Platforms

All

ap-mac-learn-failed

ap-mac-learn-failed

Syntax

ap-mac-learn-failed {true | false | not-specified}

Context

[Tree] (config>subscr-mgmt>wlan-gw>tunnel-query ap-mac-learn-failed)

Full Context

configure subscriber-mgmt wlan-gw tunnel-query ap-mac-learn-failed

Description

This command specifies the matching criteria of tunnels based on whether or not learning the associated AP-MAC address last failed.

Default

ap-mac-learn-failed not-specified

Parameters

true

Specifies matching of tunnels status where learning of the AP-MAC address succeeded.

false

Specifies matching of tunnels status where learning of the AP-MAC address failed.

not-specified

Specifies no matching on the AP-MAC address learning status.

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

apn

apn

Syntax

apn apn

no apn

Context

[Tree] (config>service>vprn>gtp>uplink apn)

[Tree] (config>router>gtp>uplink apn)

Full Context

configure service vprn gtp uplink apn

configure router gtp uplink apn

Description

This command configures the Network Identifier part of the APN.

The no form of this command removes the string from the configuration.

Default

no apn

Parameters

apn

Specifies the APN used for this IMSI to connect to this Mobile Gateway, up to 80 characters.

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

apn

Syntax

apn {apn-name | unknown} [create]

no apn {apn-name | unknown}

Context

[Tree] (config>subscr-mgmt>gtp>apn-policy apn)

Full Context

configure subscriber-mgmt gtp apn-policy apn

Description

This command configures the parameters that should be applied to incoming connections with the APN specified. Multiple APN nodes can be defined per APN policy.

For each APN-policy, one unknown APN entry can be created. This APN is used by all connections not matching another APN.

The no form of this command removes the APN from the policy. Only new sessions are affected by the removal.

Parameters

apn-name

Specifies the APN name as it appears in GTP messaging, up to 80 characters.

create

Creates an apn-name instance. The create keyword requirement can be enabled or disabled in the environment>create context.

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

apn

Syntax

[no] apn

Context

[Tree] (config>subscr-mgmt>auth-plcy>include-radius-attribute apn)

[Tree] (config>subscr-mgmt>acct-plcy>include-radius-attribute apn)

Full Context

configure subscriber-mgmt authentication-policy include-radius-attribute apn

configure subscriber-mgmt radius-accounting-policy include-radius-attribute apn

Description

This command enables the inclusion of the APN n AAA protocols as signaled in the incoming GTP setup message.

The no form of this command disables the inclusion of the attribute.

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

apn

Syntax

apn apn-string

no apn

Context

[Tree] (config>app-assure>group>gtp>gtp-fltr>imsi-apn-fltr>entry apn)

Full Context

configure application-assurance group gtp gtp-filter imsi-apn-filter entry apn

Description

This command configures a matching condition for an APN configured as a GTP filter.

Parameters

apn-string

Specifies the match string, which can include 1 to 32 characters.

If no APN is specified, the entry will not check for the APN IE in GTP-C packets.

Values

string: The extracted APN must match string exactly.

^string: The extracted APN must start with string.

string$: The extracted APN must end with string.

WILDCARD_APN: Special string that indicates that the extracted APN must be "*” (that is, a length octet with value one, followed by the ASCII code for the asterisk)

EMPTY_APN: Special string that indicates that the extracted APN must be empty (that is, "”)

ANY_APN: Special string that indicates that the extracted APN IE must be present and can have any value in order for the filter entry to match

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

apn-ambr

apn-ambr

Syntax

[no] apn-ambr

Context

[Tree] (config>subscr-mgmt>diam-appl-plcy>gx>include-avp apn-ambr)

Full Context

configure subscriber-mgmt diameter-application-policy gx include-avp apn-ambr

Description

This command enables the inclusion of the APN-Aggregate-Max-Bitrate-DL and APN-Aggregate-Max-Bitrate-UL AVPs inside the QoS-Information AVP, as signaled in the incoming GTP message.

The no form of this command disables the inclusion of the AVPs.

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

apn-ambr-dl

apn-ambr-dl

Syntax

apn-ambr-dl agg-rate

apn-ambr-dl arbiter arbiter-name

apn-ambr-dl hs-sla-agg-rate

apn-ambr-dl policer policer-id

apn-ambr-dl queue queue-id

apn-ambr-dl scheduler scheduler-name

no apn-ambr-dl

Context

[Tree] (config>subscr-mgmt>diam-appl-plcy>gx>3gpp-qos-mapping apn-ambr-dl)

Full Context

configure subscriber-mgmt diameter-application-policy gx 3gpp-qos-mapping apn-ambr-dl

Description

This command configures the APN-Aggregate-Max-Bitrate-DL AVP. When enabled, the AVP is interpreted as a rate override for the specified egress QoS object. For queues and policers, the PIR is overridden.

This override uses the same QoS override mechanism as the native Gx and RADIUS-based QoS overrides. Therefore, a subsequent Gx/RADIUS-based override removes this override and an APN-AMBR based override removes any preceding Gx/RADIUS-based override.

The no form of this command disables the override mechanism based on APN-AMBR.

Parameters

agg-rate

Specifies to map to an aggregate rate.

arbiter-name

Specifies the name of the arbiter to be overridden.

hs-sla-agg-rate

Specifies to map to an HS SLA aggregate rate.

policer-id

Specifies the ID of the policer to be overridden.

queue-id

Specifies the ID of the queue to be overridden.

scheduler-name

Specifies the name of the scheduler to be overridden.

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

apn-ambr-ul

apn-ambr-ul

Syntax

apn-ambr-ul arbiter arbiter-name

apn-ambr-ul policer policer-id

apn-ambr-ul queue queue-id

apn-ambr-ul scheduler scheduler-name

no apn-ambr-ul

Context

[Tree] (config>subscr-mgmt>diam-appl-plcy>gx>3gpp-qos-mapping apn-ambr-ul)

Full Context

configure subscriber-mgmt diameter-application-policy gx 3gpp-qos-mapping apn-ambr-ul

Description

This command configures the APN-Aggregate-Max-Bitrate-UL AVP. When enabled, the AVP is interpreted as a rate override for the specified egress QoS object. For queues and policers, the PIR is overridden.

This override uses the same QoS override mechanism as the native Gx and RADIUS-based QoS overrides. Therefore, a subsequent Gx/RADIUS-based override removes this override and an APN-AMBR based override removes any preceding Gx/RADIUS-based override.

The no form of this command disables the override mechanism based on APN-AMBR.

Parameters

arbiter-name

Specifies the name of the arbiter to be overridden.

policer-id

Specifies the ID of the policer to be overridden.

queue-id

Specifies the ID of the queue to be overridden.

scheduler-name

Specifies the name of the scheduler to be overridden.

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

apn-policy

apn-policy

Syntax

apn-policy apn-policy-name

no apn-policy

Context

[Tree] (config>router>gtp>s11>interface apn-policy)

[Tree] (config>service>vprn>gtp>s11>interface apn-policy)

Full Context

configure router gtp s11 interface apn-policy

configure service vprn gtp s11 interface apn-policy

Description

This command configures an Access Point Name (APN) policy for the S11 interface.

The no form of this command removes the APN policy.

Parameters

apn-policy-name

Specifies the name of the policy, up to 32 characters.

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

apn-policy

Syntax

apn-policy policy-name [create]

no apn-policy policy-name

Context

[Tree] (config>subscr-mgmt>gtp apn-policy)

Full Context

configure subscriber-mgmt gtp apn-policy

Description

This command configures an APN policy that defines parameters to be used when setting up a new incoming GTP connection. Each APN can be mapped to its own set of parameters.

The no form of this command removes the policy from the system. A policy can only be removed if it is not in use.

Parameters

policy-name

Specifies the name of the policy, up to 32 characters.

create

Creates an entry.

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

app-filter

app-filter

Syntax

app-filter

Context

[Tree] (config>app-assure>group>policy app-filter)

Full Context

configure application-assurance group policy app-filter

Description

Commands in this context configure an application filter for application assurance.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

app-group

app-group

Syntax

app-group app-group-name [rate]

no app-group app-group-name

Context

[Tree] (config>app-assure>group>cflowd>comp app-group)

[Tree] (config>app-assure>group>cflowd>rtp-perf app-group)

[Tree] (config>app-assure>group>cflowd>tcp-perf app-group)

Full Context

configure application-assurance group cflowd comprehensive app-group

configure application-assurance group cflowd rtp-performance app-group

configure application-assurance group cflowd tcp-performance app-group

Description

This command configures application groups to export performance records with cflowd.

The no form of this command removes the parameters from the configuration.

Parameters

app-group-name

Specifies the application group name.

rate

Specifies which sampling flow rate to use; flow-rate or flow-rate2.

Values

flow-rate, flow-rate2

Default

flow-rate

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

app-group

Syntax

app-group application-group-name [create]

no app-group application-group-name

Context

[Tree] (config>app-assure>group>policy app-group)

Full Context

configure application-assurance group policy app-group

Description

This command creates an application group for an application assurance policy.

The no form of this command deletes the application group from the configuration. All associations must be removed in order to delete a group.

Default

no app-group

Parameters

application-group-name

A string of up to 32 characters uniquely identifying this application group in the system.

create

Mandatory keyword used when creating an application group. The create keyword requirement can be enabled/disabled in the environment>create context.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

app-group

Syntax

app-group app-group-name

Context

[Tree] (config>app-assure>group>policy>application app-group)

Full Context

configure application-assurance group policy application app-group

Description

This command associates an application with an application group of an application assurance policy.

Parameters

app-group-name

A string of up to 32 characters uniquely identifying an existing application in the system.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

app-group

Syntax

app-group {eq | neq} application-group-name

no app-group

Context

[Tree] (config>app-assure>group>policy>aqp>entry>match app-group)

[Tree] (config>app-assure>group>policy>charging-filter>entry>match app-group)

Full Context

configure application-assurance group policy app-qos-policy entry match app-group

configure application-assurance group policy charging-filter entry match app-group

Description

This command adds app-group to match criteria used by this entry.

The no form of this command removes the app-group from match criteria for this entry.

Default

no app-group

Parameters

eq

Specifies that the value configured and the value in the flow must be equal.

neq

Specifies that the value configured and the value in the flow must differ.

application-group-name

Specifies the name of the existing application group entry, up to 32 characters

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

app-group

Syntax

app-group app-group-name export-using export-method [export-method ...(up to 2 max)]

app-group app-group-name no-export

no app-group app-group-name

Context

[Tree] (config>app-assure>group>statistics>aa-sub app-group)

Full Context

configure application-assurance group statistics aa-sub app-group

Description

Commands in this context configure accounting and statistics collection parameters per system for application groups of application assurance for a given AA ISA group/partition.

The no form of this command removes the application group name.

Parameters

app-group-name

Specifies an existing application group name, up to 32 characters.

export-method

Specifies the method of statistics export to be used.

Values

accounting-policy, radius-accounting-policy

no-export

Allows the operator to enable the referred to application group to be selected (via Diameter) for Gx-usage monitoring. Gx usage monitoring is enabled automatically (and this command is not shown) if the export-using parameter is selected for the respective application group.

Usage monitoring must be enabled at the group:partition level (config>app-assure>group>statistics>aa-sub>usage-monitoring) as well in order to allow any application/application group/charging group usage monitoring.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

app-group

Syntax

app-group {eq | neq} application-group-name

no app-group

Context

[Tree] (config>app-assure>group>policy>chrg-fltr>entry>match app-group)

Full Context

configure application-assurance group policy charging-filter entry match app-group

Description

This command configures the addition of an application group to the match criteria used by this charging filter entry.

The no form of this command removes the application group match criteria.

Default

no app-group

Parameters

eq

Specifies that the value configured and the value in the flow must be equal.

neq

Specifies that the value configured and the value in the flow must differ.

application-group-name

Specifies the name of the existing application group entry, up to 32 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

app-profile

app-profile

Syntax

app-profile app-profile-name

no app-profile

Context

[Tree] (config>service>ies>if>sap app-profile)

[Tree] (config>service>vprn>if>sap app-profile)

[Tree] (config>service>vprn>sub-if>grp-if>sap app-profile)

[Tree] (config>service>vpls>spoke-sdp app-profile)

[Tree] (config>service>vpls>sap>static-host app-profile)

[Tree] (config>service>vprn>if>sap>static-host app-profile)

[Tree] (config>service>ies>sub-if>grp-if>sap app-profile)

[Tree] (config>service>vpls>sap app-profile)

[Tree] (config>service>ies>if>sap>static-host app-profile)

[Tree] (config>service>vprn>if>spoke-sdp app-profile)

[Tree] (config>service>ies>if>spoke-sdp app-profile)

Full Context

configure service ies interface sap app-profile

configure service vprn interface sap app-profile

configure service vprn subscriber-interface group-interface sap app-profile

configure service vpls spoke-sdp app-profile

configure service vpls sap static-host app-profile

configure service vprn interface sap static-host app-profile

configure service ies subscriber-interface group-interface sap app-profile

configure service vpls sap app-profile

configure service ies interface sap static-host app-profile

configure service vprn interface spoke-sdp app-profile

configure service ies interface spoke-sdp app-profile

Description

This command specifies an application profile name.

The no form of this command reverts to the default.

Parameters

app-profile-name

Specifies the application profile name up to 32 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

app-profile

Syntax

app-profile app-profile-name [scope scope-type]

no app-profile

Context

[Tree] (config>service>ies>sub-if>grp-if>sap>static-host app-profile)

[Tree] (config>service>vprn>sub-if>grp-if>sap>static-host app-profile)

Full Context

configure service ies subscriber-interface group-interface sap static-host app-profile

configure service vprn subscriber-interface group-interface sap static-host app-profile

Description

This command specifies an application profile name.

Parameters

app-profile-name

Specifies the application profile name up to 32 characters in length.

scope-type

Specifies the scope to which the application profile is assigned in the context.

Values

subscriber - The application profile applies to this context with subscriber scope (all hosts or devices).

mac - The application profile applies to this context with MAC scope (single device).

Default

subscriber

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

app-profile

Syntax

app-profile app-profile-name

no app-profile

Context

[Tree] (config>service>ipipe>spoke-sdp app-profile)

[Tree] (config>service>epipe>sap app-profile)

[Tree] (config>service>epipe>spoke-sdp app-profile)

[Tree] (config>service>ipipe>sap app-profile)

Full Context

configure service ipipe spoke-sdp app-profile

configure service epipe sap app-profile

configure service epipe spoke-sdp app-profile

configure service ipipe sap app-profile

Description

This command configures the application profile name.

Parameters

app-profile-name

Specifies an existing application profile name configured in the config>app-assure>group>policy context.

Platforms

All

  • configure service ipipe spoke-sdp app-profile
  • configure service ipipe sap app-profile

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

  • configure service epipe sap app-profile
  • configure service epipe spoke-sdp app-profile

app-profile

Syntax

app-profile app-profile-name [create]

no app-profile app-profile-name

Context

[Tree] (config>app-assure>group>policy app-profile)

Full Context

configure application-assurance group policy app-profile

Description

This command creates an application profile and commands in this context configure the profile parameters.

The no form of this command removes the application profile from the configuration.

Parameters

app-profile-name

Specifies the name of the application profile up to 32 characters.

create

Mandatory keyword used when creating an application profile. The create keyword requirement can be enabled/disabled in the environment>create context.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

app-profile

Syntax

[no] app-profile

Context

[Tree] (config>log>acct-policy>cr>aa>aa-sub-attributes app-profile)

Full Context

configure log accounting-policy custom-record aa-specific aa-sub-attributes app-profile

Description

This command enables the subscriber app-profile attribute information to be exported in the AA subscriber's custom record.

The no form of this command excludes the subscriber app-profile attribute from the AA subscriber's custom record.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

app-profile-map

app-profile-map

Syntax

app-profile-map

Context

[Tree] (config>subscr-mgmt>sub-ident-pol app-profile-map)

Full Context

configure subscriber-mgmt sub-ident-policy app-profile-map

Description

Commands in this context configure an application profile mapping.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

app-profile-string

app-profile-string

Syntax

app-profile-string app-profile-string

no app-profile-string

Context

[Tree] (config>subscr-mgmt>loc-user-db>ppp>host>ident-strings app-profile-string)

[Tree] (config>subscr-mgmt>loc-user-db>ipoe>host>ident-strings app-profile-string)

Full Context

configure subscriber-mgmt local-user-db ppp host identification-strings app-profile-string

configure subscriber-mgmt local-user-db ipoe host identification-strings app-profile-string

Description

This command specifies the application profile string which is encoded in the identification strings.

The no form of this command returns to the default.

Parameters

app-profile-string

Specifies the application profile string, up to 16 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

app-qos-policy

app-qos-policy

Syntax

app-qos-policy

Context

[Tree] (config>app-assure>group>policy app-qos-policy)

Full Context

configure application-assurance group policy app-qos-policy

Description

Commands in this context configure an application QoS policy.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

app-route-notifications

app-route-notifications

Syntax

app-route-notifications

Context

[Tree] (config>log app-route-notifications)

Full Context

configure log app-route-notifications

Description

Specific system applications in SR OS can take action based on a route to certain IP destinations being available. This CLI branch contains configuration related to these route availability notifications. A delay can be configured between the time that a route is determined as available in the CPM, and the time that the application is notified of the available route. For example, this delay may be used to increase the chances that other system modules (such as IOMs/XCMs/MDAs/XMAs) are fully programmed with the new route before the application takes action. Currently, the only application that acts upon these route available or route changed notifications with their configurable delays is the SNMP replay feature, which receives notifications of route availability to the SNMP trap receiver destination IP address.

Platforms

All

app-service-options

app-service-options

Syntax

app-service-options

Context

[Tree] (config>app-assure>group>policy app-service-options)

Full Context

configure application-assurance group policy app-service-options

Description

Commands in this context configure application service option characteristics.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

app-service-options

Syntax

[no] app-service-options

Context

[Tree] (config>log>acct-policy>cr>aa>aa-sub-attributes app-service-options)

Full Context

configure log accounting-policy custom-record aa-specific aa-sub-attributes app-service-options

Description

This command enables the subscriber application service option attributes to be exported in the AA subscriber's custom record.

The no form of this command excludes the subscriber application service option attributes from the AA subscriber's custom record.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

applicant-sm

applicant-sm

Syntax

[no] applicant-sm

Context

[Tree] (debug>service>id>mrp applicant-sm)

Full Context

debug service id mrp applicant-sm

Description

This command enables debugging of the applicant state machine.

The no form of this command disables debugging of the applicant state machine.

Platforms

All

application

application

Syntax

application {gx | gy | nasreq}

no application

Context

[Tree] (config>subscr-mgmt>diam-appl-plcy application)

Full Context

configure subscriber-mgmt diameter-application-policy application

Description

This command specifies the Diameter application for which this policy contains the configuration details, such as AVPs to include and their format.

Applications are mutually exclusive.

The no form of this command reverts to the default.

Parameters

gx

Specifies that Gx is the supported application of this DIAMETER policy.

gy

Specifies that Gy is the supported application of this DIAMETER policy.

nasreq

Specifies that NASREQ is the supported application of this DIAMETER policy.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

application

Syntax

application

Context

[Tree] (debug>diam application)

Full Context

debug diameter application

Description

This command debugs application processing for the Diameter node. This level is session aware (the session state is maintained at this level). Connection level messages are not reported on this level.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

application

Syntax

application dscp-app-name dscp {dscp-value | dscp-name}

application dot1p-app-name dot1p dot1p-priority

no application {dscp-app-name | dot1p-app-name}

Context

[Tree] (config>router>sgt-qos application)

[Tree] (config>service>vprn>sgt-qos application)

Full Context

configure router sgt-qos application

configure service vprn sgt-qos application

Description

This command configures DSCP/dot1p remarking for self-generated application traffic. When an application is configured using this command, the specified DSCP name is used for all packets generated by this application within the router instance it is configured. The instances can be base router, vprn, or management.

Using the value configured in this command:

  • sets the DSCP bits in the IP packet

  • maps to the FC. This value will be signaled from the CPM to the egress forwarding complex.

  • based on this signaled FC, the egress forwarding complex QoS policy sets the Ethernet 802.1p and MPLS EXP bits. This includes ARP, PPPoE, and IS-IS packets that do not carry DSCP bits.

  • configure the DSCP value in the egress IP header. The egress QoS policy does not overwrite this value.

Only one DSCP name can be configured per application, if multiple entries are configured, the subsequent entry overrides the previous configured entry.

The no form of this command reverts back to the default value.

Parameters

dscp-app-name

Specifies the DSCP application name.

Values

Some of the following values may only apply to specific products. Refer to the SR OS R22.x.Rx Software Release Notes for details about application support for different SR OS products:

bfd, bgp, bmp, call-trace, cflowd, dhcp, diameter, dns, ftp, grpc, gtp, http, icmp, igmp, igmp-reporter, l2tp, ldp, mld, mpls-udp-return, msdp, mtrace2, ndis, ntp, ospf, pcep, pim, ptp, radius, rip, rsvp, sflow, snmp, snmp-notification, srrp, ssh, syslog, tacplus, telnet, tftp, traceroute, vrrp

dscp-value

Specifies a value when this packet egresses; the respective egress policy should provide the mapping for the DSCP value to either LSP-EXP bits or IEEE 802.1p (dot1p) bits as appropriate. Otherwise, the default mapping applies.

Values

0 to 63

dscp-name

Specifies the DSCP name.

Values

none, be, ef, cp1, cp2, cp3, cp4, cp5, cp6, cp7, cp9, cs1, cs2, cs3, cs4, cs5, nc1, nc2, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cp11, cp13, cp15, cp17, cp19, cp21, cp23, cp25, cp27, cp29, cp31, cp33, cp35, cp37, cp39, cp41, cp42, cp43, cp44, cp45, cp47, cp49, cp50, cp51, cp52, cp53, cp54, cp55, cp57, cp58, cp59, cp60, cp61, cp62, cp63

dot1p-priority

Specifies the dot1p priority.

Values

none, 0 to 7

dot1p-app-name

Specifies the dot1p application name.

Values

Some of the following values may only apply to specific products. Refer to the SR OS R22.x.Rx Software Release Notes for details about application support for different SR OS products:

arp, isis, pppoe

Platforms

All

application

Syntax

application app [ip-int-name | ip-address]

no application app

Context

[Tree] (config>service>vprn>source-address application)

Full Context

configure service vprn source-address application

Description

This command specifies the source address and application name.

The no form of this command removes the interface name or IP address from the command.

Parameters

app

Specifies the application name.

Values

cflowd, ntp, ping, ptp, snmptrap, ssh, telnet, traceroute, icmp-error

ip-int-name

Specifies the name of the IP interface, up to 32 characters. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed between double quotes.

ip-address

Specifies the source IP address.

Values

ipv4-address:

a.b.c.d

Platforms

All

application

Syntax

application {eq | neq} application-id

no application

Context

[Tree] (config>service>vprn>log>filter>entry>match application)

Full Context

configure service vprn log filter entry match application

Description

This command adds an OS application as an event filter match criterion.

An OS application is the software entity that reports the event. Applications include IP, MPLS, OSPF, CLI, SERVICES and so on Only one application can be specified. The latest application command overwrites the previous command.

The no form of this command removes the application as a match criterion.

Default

no application — no application match criterion is specified

Parameters

eq | neq

The operator specifying the type of match.

Values

eq

equal to

neq

not equal to

application-id

The application name string.

Values

port, ppp, rip, route, policy, rsvp, security, snmp, stp, svcmgr, system, user, vrrp, vrtr

Platforms

All

application

Syntax

application application-name [rate]

no application application-name

Context

[Tree] (config>app-assure>group>cflowd>rtp-perf application)

[Tree] (config>app-assure>group>cflowd>tcp-perf application)

[Tree] (config>app-assure>group>cflowd>comp application)

Full Context

configure application-assurance group cflowd rtp-performance application

configure application-assurance group cflowd tcp-performance application

configure application-assurance group cflowd comprehensive application

Description

This command configures applications to export performance records with cflowd.

The no form of this command removes the parameters from the configuration.

Parameters

application-name

Specifies the name defined for the application.

rate

Specifies which sampling flow rate to use; flow-rate or flow-rate2.

Values

flow-rate, flow-rate2

Default

flow-rate

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

application

Syntax

application application-name [create]

no application application-name

Context

[Tree] (config>app-assure>group>policy application)

Full Context

configure application-assurance group policy application

Description

This command creates an application of an application assurance policy.

The no form of this command deletes the application. To delete an application, all associations to the application must be removed.

Parameters

application-name

Specifies a string of up to 32 characters uniquely identifying this application in the system.

create

Mandatory keyword used when creating an application. The create keyword requirement can be enabled/disabled in the environment>create context.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

application

Syntax

application application-name

Context

[Tree] (config>app-assure>group>policy>app-filter>entry application)

Full Context

configure application-assurance group policy app-filter entry application

Description

This command assigns this application filter entry to an existing application. Assigning the entry to Unknown application restores the default configuration.

Parameters

application-name

Specifies an existing application name.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

application

Syntax

application {eq | neq} application-name

no application

Context

[Tree] (config>app-assure>group>policy>aqp>entry>match application)

[Tree] (config>app-assure>group>policy>charging-filter>entry>match application)

Full Context

configure application-assurance group policy app-qos-policy entry match application

configure application-assurance group policy charging-filter entry match application

Description

This command adds an application to match criteria used by this entry.

The no form of this command removes the application from match criteria for this entry.

Default

no application

Parameters

eq

Specifies that the value configured and the value in the flow must be equal.

neq

Specifies that the value configured and the value in the flow must differ.

application-name

Specifies the name of name existing application name, up to 32 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

application

Syntax

application application-name export-using export-method [export-method...(up to 2 max)]

application application-name no-export

no application application-name

Context

[Tree] (config>app-assure>group>statistics>aa-sub application)

Full Context

configure application-assurance group statistics aa-sub application

Description

This command configures aa-sub accounting statistics for export of applications of a given AA ISA group/partition.

The no form of this command removes the application name.

Parameters

application-name

Specifies an existing application name, up to 32 characters.

export-method

Specifies the method of statistics export to be used.

Values

accounting-policy, radius-accounting-policy

no-export

Allows the operator to enable the referred application group to be selected (via Diameter) for Gx-usage monitoring. Gx usage monitoring is enabled automatically (and this command is not shown) if the export-using parameter is selected for the respective application group.

Usage monitoring must be enabled at the group:partition level (config>app-assure>group>statistics>aa-sub>usage-monitoring) as well in order to allow any application/application group/charging group usage monitoring.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

application

Syntax

application {eq | neq} application-name

no application

Context

[Tree] (debug>app-assure>group>traffic-capture>match application)

Full Context

debug application-assurance group traffic-capture match application

Description

This command configures debugging on an application.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

application

Syntax

[no] application application-name

Context

[Tree] (debug>app-assure>group>port-recorder application)

Full Context

debug application-assurance group port-recorder application

Description

This commands specifies the applications used as input by the port-recorder. Applications responsible for unknown or unidentified traffic are meant to be used by this tool.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Output

The following sample configuration records TCP and UDP port numbers for the application "Unidentified TCP”.

Sample Output
7750# show debug 
debug
    application-assurance
        group 1:1
            port-recorder
                application "Unidentified TCP"
                rate 100
                no shutdown
            exit
        exit
    exit
exit

application

Syntax

application {eq | neq} application-id

no application

Context

[Tree] (config>log>filter>entry>match application)

Full Context

configure log filter entry match application

Description

This command adds an OS application as an event filter match criterion.

An OS application is the software entity that reports the event. Applications include IP, MPLS, OSPF, CLI, SERVICES and so on. Only one application can be specified. The latest application command overwrites the previous command.

The no form of this command removes the application as a match criterion.

Parameters

eq | neq

Specifies the operator match type. Valid operators are listed in Valid Operators.

Table 3. Valid Operators

Operator

Notes

eq

equal to

neq

not equal to

application-id

The application name string.

Values

application_assurance, aps, bgp, cflowd, chassis, debug, dhcp, dhcps, diameter, dynsvc, efm_oam, elmi, ering, eth_cfm, etun, fiter, gsmp, igh, igmp, igmp_snooping, ip, ipsec, isis, l2tp, lag, ldp, li, lldp, logger, mcpath, mc_redundancy, mirror, mld, mld_snooping, mpls, mpls_tp, msdp, nat, ntp, oam, open_flow, ospf, pim, pim_snooping, port, ppp, pppoe, ptp, radius, rip, rip_ng, route_policy, rsvp, security, snmp, stp, svcmgr, system, user, video, vrrp, vrtr, wlan_gw, wpp

Platforms

All

application

Syntax

application app [ip-int-name | ip-address]

no application app

Context

[Tree] (config>system>security>source-address application)

Full Context

configure system security source-address application

Description

This command configures the source IP address specified by the source-address command.

The no form of this command removes the interface name or IP address from the command.

Parameters

app

Specifies the application name.

Values

cflowd, dns, ftp, ntp, ldap, ping, ptp, radius, sflow, snmptrap, sntp, ssh, syslog, tacplus, telnet, traceroute, mcreporter, icmp-error

ip-int-name

Specifies the name of the IP interface, up to 32 characters. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes.

ip-address

Specifies the source IP address.

Values

ipv4-address:

a.b.c.d

Platforms

All

application

Syntax

application application [keychain keychain-name]

no application application

Context

[Tree] (config>redundancy>multi-chassis>peer>sync>transport-encryption application)

Full Context

configure redundancy multi-chassis peer sync transport-encryption application

Description

This command configures transport encryption.

The no form of this command removes the specified application.

Parameters

application

Specifies a Multi-Chassis Synchronization (MCS) client application

keychain-name

Specifies a keychain name, up to 32 characters

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

application

Syntax

application {eq | neq} app-group-name

no application

Context

[Tree] (config>app-assure>group>policy>chrg-fltr>entry>match application)

Full Context

configure application-assurance group policy charging-filter entry match application

Description

This command configures the addition of an application to the match criteria used by this charging filter entry.

The no form of this command removes the application match criteria.

Default

no application

Parameters

eq

Specifies that the value configured and the value in the flow must be equal.

neq

Specifies that the value configured and the value in the flow must differ.

app-group-name

Specifies the name of the application group, up to 32 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

application-assurance

application-assurance

Syntax

application-assurance

Context

[Tree] (admin application-assurance)

Full Context

admin application-assurance

Description

Commands in this context perform Application Assurance (AA) configuration operations.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

application-assurance

Syntax

application-assurance

Context

[Tree] (config application-assurance)

Full Context

configure application-assurance

Description

Commands in this context perform Application Assurance (AA) configuration operations.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

application-assurance

Syntax

application-assurance

Context

[Tree] (config>system>persistence application-assurance)

Full Context

configure system persistence application-assurance

Description

Commands in this context configure application assurance persistence parameters.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

application-assurance

Syntax

application-assurance app-profile-name

Context

[Tree] (config>subscr-mgmt>http-rdr-plcy application-assurance)

Full Context

configure subscriber-mgmt http-redirect-policy application-assurance

Description

This command specifies the AA application profile used for HTTP redirect portal authentication. This forwards all UDP/TCP traffic to AA for packet filtering. Any forwarding entries under the HTTP redirect policy are not taken into account because only UDP/TCP can be configured. Outbound ICMP and ICMPv6 traffic is always dropped.

Parameters

app-profile-name

Specifies an AA application profile name, up to 32 characters, that is configured in the config>app-assur>group>policy>app-prof context.

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

application-assurance-group

application-assurance-group

Syntax

application-assurance-group application-assurance-group-index [create] [aa-sub-scale sub-scale]

no application-assurance-group application-assurance-group-index

Context

[Tree] (config>isa application-assurance-group)

Full Context

configure isa application-assurance-group

Description

Commands in this context create an application assurance group with the specified system-unique index and configure that group’s parameters.

The no form of this command deletes the specified application assurance group from the system. The group must be shutdown first.

Parameters

application-assurance-group-index

Specifies an integer to identify the AA group

Values

1 to 255

create

Mandatory keyword used when creating an application assurance group in the ISA context. The create keyword requirement can be enabled or disabled in the environment>create context.

sub-scale

Specifies the set of scaling limits that are supported with regards to the maximum number of AA subscribers per ISA, the max flow scale, and the corresponding policy scale that can be specified.

Values

residential

Scaling limits for ISA2 residential operation (on VSR, it has the same scale as residential-8k)

residential-8k

Scaling limits for VSR or ESA-vm residential 8k sub operation

residential-16k

Scaling limits for VSR or ESA-vm residential 16k sub operation

residential-32k

Scaling limits for VSR or ESA-vm residential 32k sub operation

residential-64k

Scaling limits for VSR or ESA-vm residential 64k sub operation

vpn

Scaling limits for SR AA VPN operation

vpn-1k

Scaling limits for VSR or ESA-vm AA VPN 1k sub operation

vpn-2k

Scaling limits for VSR or ESA-vm AA VPN 2k sub operation

vpn-4k

Scaling limits for VSR or ESA-vm AA VPN 4k sub operation

vpn-8k

Scaling limits for VSR or ESA-vm AA VPN 8k sub operation

lightweight-internet

Scaling limits for ISA2 or VSR operation as a wireless LAN gateway using DSM subscribers

lightweight-internet-512k

Scaling limits for VSR or ESA-vm 512k sub operation as a wireless LAN gateway using DSM subscribers

Default

residential

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

application-link-attributes

application-link-attributes

Syntax

[no] application-link-attributes

Context

[Tree] (config>router>isis>traffic-engineering-options application-link-attributes)

Full Context

configure router isis traffic-engineering-options application-link-attributes

Description

Commands in this context configure the advertisement of the TE attributes of each link on a per-application basis. Two applications are supported in SR OS: RSVP-TE and SR-TE.

The legacy mode of advertising TE attributes that is used in RSVP-TE is still supported but it can be disabled by using the no legacy command, which also enables per-application TE attribute advertisement for RSVP-TE.

The no form of this command deletes the context.

Default

no application-link-attributes

Platforms

All

application-policy

application-policy

Syntax

[no] application-policy name

Context

[Tree] (config>app-assure>group>transit-ip>diameter application-policy)

Full Context

configure application-assurance group transit-ip-policy diameter application-policy

Description

This command specifies the Diameter application to be used by seen IP transit subs. The application policy is defined using the config>subscr-mgmt>diameter-application-policy command.

The no form of this command removes the policy.

Default

no application-policy

Parameters

name

Specifies the name of the application policy configured using the diameter-application-policy command up to 32 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

application6

application6

Syntax

application6 app ipv6-address

no application6 app

Context

[Tree] (config>service>vprn>source-address application6)

Full Context

configure service vprn source-address application6

Description

This command specifies the IPv6 source address and application.

The no form of this command removes the application and IPv6 address from the configuration.

Parameters

app

Specifies the application name.

Values

cflowd, ntp, ping, ptp, snmptrap, ssh, telnet, traceroute, icmp6-error

ipv6-address

Specifies the IPv6 address.

Values

ipv6-address:

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x - [0 to FFFF]H

d - [0 to 255]D

Platforms

All

application6

Syntax

application6 app ipv6-address

no application6

Context

[Tree] (config>system>security>source-address application6)

Full Context

configure system security source-address application6

Description

This command configures the application to use the source IPv6 address specified by the source-address command.

The no form of this command removes the application and IPv6 address from the configuration.

Parameters

app

Specifies the application name.

Values

cflowd, dns, ftp, ldap, ntp, ping, ptp, radius, sflow, snmptrap, ssh, syslog, tacplus, telnet, traceroute, icmp6-error

ipv6-address

Specifies the IPv6 address.

Values

ipv6-address:

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x - [0 to FFFF]H

d - [0 to 255]D

Platforms

All

applications

applications

Syntax

applications all

applications [connectivity-management] [gx] [gy] [nasreq] [radius-auth] [radius-acct] [python] [ludb] [msap] [ppp-event]

no applications

Context

[Tree] (config>call-trace>trace-profile applications)

Full Context

configure call-trace trace-profile applications

Description

This command enables tracing of messages and events for the specified applications.

Default

applications all

Parameters

all

Enables tracing of all packets and events, with the exception of PPP events.

connectivity-management

Enables tracing for connectivity protocols, such as DHCP, ARP, and DHCPv6, and events related to connectivity management; for example, migrant or data-triggered host creation, idling, or session timeout.

gx

Enables tracing of Diameter Gx messages.

gy

Enables tracing of Diameter Gy messages.

nasreq

Enables tracing of Diameter NASREQ messages.

radius-auth

Enables tracing of messages and events related to RADIUS authentication, including CoA and Disconnect.

radius-acct

Enables tracing of messages and events related to RADIUS-based accounting.

python

Enables tracing of python script execution.

ludb

Enables tracing of local user database lookups.

msap

Enables tracing of MSAP creation events.

ppp-event

Enables tracing of all events related to the PPP state machine. This can result in a large amount of event messages.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

apply-bgp-nh-override

apply-bgp-nh-override

Syntax

[no] apply-bgp-nh-override

Context

[Tree] (config>service>vprn>pim apply-bgp-nh-override)

Full Context

configure service vprn pim apply-bgp-nh-override

Description

This command forces the RPF check to be performed via IPv4 VPN AF next-hop and not via IPv4 VPN AF VRF import extended community.

Default

no apply-bgp-nh-override

Platforms

All

apply-function-specific-behavior

apply-function-specific-behavior

Syntax

[no] apply-function-specific-behavior

Context

[Tree] (config>app-assure>group>url-filter apply-function-specific-behavior)

Full Context

configure application-assurance group url-filter apply-function-specific-behavior

Description

If this command is enabled, the default-action, default-http-redirect, and http-redirect commands at the url-filter function level (ICAP, local filtering and web service) will apply.

The no form of this command indicates that the configuration at the url-filter level will apply to all of the configured url-filter functions.

Default

no apply-function-specific-behavior

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

apply-path

apply-path

Syntax

[no] apply-path

Context

[Tree] (config>filter>match-list>ipv6-prefix-list apply-path)

[Tree] (config>filter>match-list>ip-prefix-list apply-path)

Full Context

configure filter match-list ipv6-prefix-list apply-path

configure filter match-list ip-prefix-list apply-path

Description

Commands in this context configure the auto-generation of address prefixes for IPv4 or IPv6 address prefix match lists. The context in which the command is executed governs whether IPv4 or IPv6 prefixes will be auto-generated.

The no form of this command removes all auto-generation configuration under the apply-path context.

Default

no apply path

Platforms

All

apply-to

apply-to

Syntax

apply-to {all | none}

Context

[Tree] (config>service>vprn>pim apply-to)

Full Context

configure service vprn pim apply-to

Description

This command creates a PIM interface with default parameters.

If a manually created interface or modified interface is deleted, the interface will be recreated when the apply-to command is executed. If PIM is not required on a specific interface, then execute a shutdown command.

The apply-to command is saved first in the PIM configuration structure, all subsequent commands either create new structures or modify the defaults as created by the apply-to command.

Default

apply-to none

Parameters

all

Specifies that all VPRN and non-VPRN interfaces are automatically applied in PIM.

none

No interfaces are automatically applied in PIM. PIM interfaces must be manually configured.

Platforms

All

apply-to

Syntax

apply-to {ies | non-ies | all | none}

Context

[Tree] (config>router>pim apply-to)

Full Context

configure router pim apply-to

Description

This command creates a PIM interface with default parameters.

If a manually created or a modified interface is deleted, the interface is recreated when (re)processing the apply-to command and if PIM is not required on a specific interface a shutdown should be executed.

The apply-to command is first saved in the PIM configuration structure. Then, all subsequent commands either create new structures or modify the defaults as created by the apply-to command.

Default

apply-to none

Parameters

ies

Specifies to apply all IES interfaces in PIM.

non-ies

Specifies to apply non-IES interfaces created in PIM.

all

Specifies to apply all IES and non-IES interfaces created in PIM.

none

Removes all interfaces that are not manually created or modified. It also removes explicit no interface commands if present.

Platforms

All

aps

aps

Syntax

aps

Context

[Tree] (config>port aps)

Full Context

configure port aps

Description

This command configures APS (Automatic Protection Switching). APS is used by SONET/SDH add/drop multiplexers (ADMs) or other SONET/SDH-capable equipment to protect against circuit or equipment failure.

An APS group contains a working and a protect circuit and can span a single node (SC-APS) or two nodes (MC-APS).

The working and protection configurations on the 7750 SRs must match the circuit configurations on the peer. This means that the working circuit on the 7750 SR must be connected to the peer’s working circuit and the protect circuit must be connected to the peer’s protection circuit.

The aps command is only available for APS groups and not physical ports.

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-a, 7750 SR-e

aqp-initial-lookup

aqp-initial-lookup

Syntax

aqp-initial-lookup

no aqp-initial-lookup

Context

[Tree] (config>app-assure>group aqp-initial-lookup)

Full Context

configure application-assurance group aqp-initial-lookup

Description

This command allows AA to perform AQP lookups on flows prior to complete application identification. As usual, AQP will be looked up again on identification complete. Without this, AA executes AQPs that are part of what so called "sub-default policy”. Sub-default policy is formed by regular AQPs that contain ASOs, subID and/or flow direction as matching conditions.

This behavior is required, for example, in order to be able apply GTP and SCTP filtering on the first packet of a new GTP/SCTP flow (AQP matching conditions in this case contains protocol id).

The no form of this command forces complete AQP look up on identification finish stage only.

Default

no aqp-initial-lookup

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

arbiter

arbiter

Syntax

arbiter arbiter-name [create]

no arbiter arbiter-name

Context

[Tree] (config>qos>plcr-ctrl-plcy>tier arbiter)

Full Context

configure qos policer-control-policy tier arbiter

Description

This command is used to create an arbiter within the context of tier 1 or tier 2. An arbiter is a child policer bandwidth control object that manages the throughput of a set of child policers. An arbiter allows child policers or other arbiters to parent to one of eight strict levels. Each arbiter is itself parented to either another tiered arbiter or to the root arbiter.

The root arbiter starts with its defined maximum rate and distributes the bandwidth to its directly attached child policers and arbiters beginning with priority 8. As the children at each priority level are distributed bandwidth according to their needs and limits, the root proceeds to the next lower priority until either all children’s needs are met or it runs out of bandwidth. The bandwidth given to a tiered arbiter is then divided between that arbiter’s children (child policers or a tier 2 arbiter) in the same fashion. A tiered arbiter may also have a rate limit defined that limits the amount of bandwidth it may receive from its parent.

An arbiter that is currently parented by another arbiter cannot be deleted.

Each time the policer-control-policy is applied to either a SAP, or a subscriber (through association with a sub-profile that has the policy applied), or a multiservice site, an instance of the parent policer and the arbiters is created.

Any child policer that uses the arbiter’s name in its parenting command will be associated with the arbiter instance. The child policer will also become associated with any arbiter to which its parent arbiter is parented (grandparent). Having child policers parented to an arbiter does not prevent that arbiter from being removed from the policer-control-policy. When removed, the child policers become orphaned.

You can create up to 31 tiered arbiters within the policer-control-policy on either tier 1 or tier 2 (in addition to the arbiter).

The no form of this command is used to remove an arbiter from tier 1 or tier 2. If the specified arbiter does not exist, the command returns without an error. If the specified arbiter is currently specified as the parent for another arbiter, the command will fail. When an arbiter is removed from a policer-control-policy, all instances of the arbiter will also be removed. Any child policers currently parented to the arbiter instance will become orphans and will not be bandwidth managed by the policer control policy instances parent policer.

Parameters

arbiter-name

Any unique name within the policy. Up to 31 arbiters may be created.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, 7950 XRS, VSR

area

area

Syntax

[no] area area-id

Context

[Tree] (config>service>vprn>ospf3 area)

[Tree] (config>service>vprn>ospf area)

Full Context

configure service vprn ospf3 area

configure service vprn ospf area

Description

This command creates the context to configure an OSPF area. An area is a collection of network segments within an AS that have been administratively grouped together. The area ID can be specified in dotted decimal notation or as a 32-bit decimal integer.

The no form of this command deletes the specified area from the configuration. Deleting the area also removes the OSPF configuration of all the interfaces, virtual-links, sham-links, address-ranges and so on, that are currently assigned to this area.

Default

no area — No OSPF areas are defined.

Parameters

area-id

The OSPF area ID expressed in dotted decimal notation or as a 32-bit decimal integer.

Values

0.0.0.0 to 255.255.255.255 (dotted decimal)

0 to 4294967295 (decimal integer)

Platforms

All

area

Syntax

[no] area area-id

Context

[Tree] (config>router>ospf3 area)

[Tree] (config>router>ospf area)

Full Context

configure router ospf3 area

configure router ospf area

Description

This command creates the context to configure an OSPF or OSPF3 area. An area is a collection of network segments within an AS that have been administratively grouped together. The area ID can be specified in dotted decimal notation or as a 32-bit decimal integer.

The no form of this command deletes the specified area from the configuration. Deleting the area also removes the OSPF configuration of all the interfaces, virtual-links, and address-ranges and so on, that are currently assigned to this area.

Default

no area

Parameters

area-id

The OSPF area ID expressed in dotted decimal notation or as a 32-bit decimal integer.

Values

0.0.0.0 to 255.255.255.255 (dotted decimal), 0 to 4294967295 (decimal integer)

Platforms

All

area

Syntax

area [area-id]

no area

Context

[Tree] (debug>router>ospf area)

[Tree] (debug>router>ospf3 area)

Full Context

debug router ospf area

debug router ospf3 area

Description

This command enables debugging for an OSPF area.

Parameters

area-id

Specifies the OSPF area ID expressed in dotted decimal notation or as a 32-bit decimal integer.

Values

ip-address — a.b.c.d

area — 0 to 4294967295

Platforms

All

area

Syntax

area area-id

no area

Context

[Tree] (config>router>policy-options>policy-statement>entry>from area)

Full Context

configure router policy-options policy-statement entry from area

Description

This command configures an OSPF area as a route policy match criterion.

This match criterion is only used in export policies.

All OSPF routes (internal and external) are matched using this criterion if the best path for the route is by the specified area.

The no form of this command removes the OSPF area match criterion.

Default

no area

Parameters

area-id

Specifies the OSPF area ID expressed in dotted decimal notation or as a 32-bit decimal integer.

Values

0.0.0.0 to 255.255.255.255 (dotted decimal), 0 to 4294967295 (decimal)

Platforms

All

area-id

area-id

Syntax

[no] area-id area-address

Context

[Tree] (config>service>vprn>isis area-id)

Full Context

configure service vprn isis area-id

Description

This command configures the area ID portion of NSAP addresses for the VPRN instance. This identifies a point of connection to the network, such as a router interface, and is called a Network Service Access Point (NSAP). Addresses in the IS-IS protocol are based on the ISO NSAP addresses and Network Entity Titles (NETs), not IP addresses.

A maximum of 3 area addresses can be configured for the VPRN instance.

NSAP addresses are divided into three parts. Only the area ID portion is configurable.

  • Area ID — A variable length field between 1 and 13 bytes long. This includes the Authority and Format Identifier (AFI) as the most significant byte and the area ID.

  • System ID — A six-byte system identification. This value is not configurable. The system ID is derived from the system or router ID.

  • Selector ID — A one-byte selector identification that must contain zeros when configuring a NET. This value is not configurable. The selector ID is always 00.

The NET is constructed like an NSAP but the selector byte contains a 00 value. NET addresses are exchanged in hello and LSP PDUs. All net addresses configured on the node are advertised to its neighbors.

For Level 1 interfaces, neighbors can have different area IDs, but, they must have at least one area ID (AFI + area) in common. Sharing a common area ID, they become neighbors and area merging between the potentially different areas can occur.

For Level 2 (only) interfaces, neighbors can have different area IDs. However, if they have no area IDs in common, they become only Level 2 neighbors and Level 2 LSPs are exchanged.

For Level 1 and Level 2 interfaces, neighbors can have different area IDs. If they have at least one area ID (AFI + area) in common, they become neighbors. In addition to exchanging Level 2 LSPs, area merging between potentially different areas can occur.

If multiple area-id commands are entered, the system ID of all subsequent entries must match the first area address.

The no form of this command removes the area address.

Platforms

All

area-id

Syntax

[no] area-id area-address

Context

[Tree] (config>router>isis area-id)

Full Context

configure router isis area-id

Description

This command was previously named the net network-entity-title command. The area-id command allows you to configure the area ID portion of NSAP addresses which identifies a point of connection to the network, such as a router interface, and is called a Network Service Access Point (NSAP). Addresses in the IS-IS protocol are based on the ISO NSAP addresses and Network Entity Titles (NETs), not IP addresses.

A maximum of three area addresses can be configured.

NSAP addresses are divided into three parts. Only the area ID portion is configurable.

  • Area ID — A variable length field between 1 and 13 bytes long. This includes the Authority and Format Identifier (AFI) as the most significant byte and the area ID.

  • System ID — A six-byte system identification. This value is not configurable. The system ID is derived from the system or router ID.

  • Selector ID — A one-byte selector identification that must contain zeros when configuring a NET. This value is not configurable. The selector ID is always 00.

The NET is constructed like an NSAP but the selector byte contains a 00 value. NET addresses are exchanged in hello and LSP PDUs. All net addresses configured on the node are advertised to its neighbors.

For Level 1 interfaces, neighbors can have different area IDs, but, they must have at least one area ID (AFI + area) in common. Sharing a common area ID, they become neighbors and area merging between the potentially different areas can occur.

For Level 2 (only) interfaces, neighbors can have different area IDs. However, if they have no area IDs in common, they become only Level 2 neighbors and Level 2 LSPs are exchanged.

For Level 1 and Level 2 interfaces, neighbors can have different area IDs. If they have at least one area ID (AFI + area) in common, they become neighbors. In addition to exchanging Level 2 LSPs, area merging between potentially different areas can occur.

If multiple area-id commands are entered, the system ID of all subsequent entries must match the first area address.

The no form of this command removes the area address.

Parameters

area-address

Specifies a 1 — 13-byte address. Of the total 20 bytes comprising the NET, only the first 13 bytes can be manually configured. As few as one byte can be entered or, at most, 13 bytes. If less than 13 bytes are entered, the rest is padded with zeros.

Platforms

All

area-range

area-range

Syntax

area-range ip-prefix/prefix-length [advertise | not-advertise]

no area-range ip-prefix/mask

area-range ipv6-prefix/prefix-length [advertise | not-advertise]

no area-range ipv6-prefix/prefix-length

Context

[Tree] (config>service>vprn>ospf>area area-range)

[Tree] (config>service>vprn>ospf3>area>nssa area-range)

[Tree] (config>service>vprn>ospf>area>nssa area-range)

[Tree] (config>service>vprn>ospf3>area area-range)

Full Context

configure service vprn ospf area area-range

configure service vprn ospf3 area nssa area-range

configure service vprn ospf area nssa area-range

configure service vprn ospf3 area area-range

Description

This command creates ranges of addresses on an Area Border Router (ABR) for the purpose of route summarization or suppression. When a range is created, it is configured to be advertised or not advertised into other areas. Multiple range commands are used to summarize or hide different ranges. In the case of overlapping ranges, the most specific range command applies.

ABRs send summary link advertisements to describe routes to other areas. To minimize the number of advertisements that are flooded, you can summarize a range of IP addresses and send reachability information about these addresses in an LSA.

The no form of this command deletes the range (non) advertisement.

Default

no area-range

Parameters

ipv6-prefix/prefix-length

The IP prefix in dotted decimal notation for the range used by the ABR to advertise that summarizes the area into another area.

Values

ipv6-prefix

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x: [0 to FFFF]H

d: [0 to 255]D

ipv6-prefix-length

0 to 128

mask

The subnet mask for the range expressed as a decimal integer mask length or in dotted decimal notation.

Values

0 to 32 (mask length), 0.0.0.0 to 255.255.255.255 (dotted decimal)

advertise | not-advertise

Specifies whether or not to advertise the summarized range of addresses into other areas. The advertise keyword indicates the range will be advertised, and the keyword not-advertise indicates the range will not be advertised.

The default is advertise.

Platforms

All

area-range

Syntax

area-range ip-prefix/mask [ advertise | not-advertise]

no area-range ip-prefix/mask

Context

[Tree] (config>router>ospf>area area-range)

[Tree] (config>router>ospf>area>nssa area-range)

Full Context

configure router ospf area area-range

configure router ospf area nssa area-range

Description

This command creates ranges of addresses on an Area Border Router (ABR) for the purpose of route summarization or suppression. When a range is created, the range is configured to be advertised or not advertised into other areas. Multiple range commands may be used to summarize or hide different ranges. In the case of overlapping ranges, the most specific range command applies.

ABRs send summary link advertisements to describe routes to other areas. To minimize the number of advertisements that are flooded, you can summarize a range of IP addresses and send reachability information about these addresses in an LSA.

The no form of this command deletes the range (non) advertisement.

Default

no area-range

Parameters

ip-prefix

Specifies the IP prefix in dotted decimal notation for the range used by the ABR to advertise that summarizes the area into another area.

Values

ip-prefix/mask: ip-prefix a.b.c.d (host bits must be 0)

mask

Specifies the subnet mask for the range expressed as a decimal integer mask length or in dotted decimal notation.

Values

0 to 32 (mask length), 0.0.0.0 to 255.255.255.255 (dotted decimal)

advertise | not-advertise

Specifies whether to advertise the summarized range of addresses into other areas. The advertise keyword indicates the range will be advertised, and the keyword not-advertise indicates the range will not be advertised.

Default

advertise

Platforms

All

area-range

Syntax

area-range ipv4-prefix/mask | ipv6-prefix/prefix-length [advertise | not-advertise]

no area-range ipv4-prefix/mask | ipv6-prefix/prefix-length

Context

[Tree] (config>router>ospf3>area area-range)

[Tree] (config>router>ospf3>area>nssa area-range)

Full Context

configure router ospf3 area area-range

configure router ospf3 area nssa area-range

Description

This command creates ranges of addresses on an Area Border Router (ABR) for the purpose of route summarization or suppression. When a range is created, the range is configured to be advertised or not advertised into other areas. Multiple range commands may be used to summarize or hide different ranges. In the case of overlapping ranges, the most specific range command applies.

ABRs send summary link advertisements to describe routes to other areas. To minimize the number of advertisements that are flooded, you can summarize a range of IP addresses and send reachability information about these addresses in an LSA.

The no form of this command deletes the range (non) advertisement.

Default

no area-range

Parameters

ip-prefix/prefix-length

Specifies the IP prefix in dotted decimal notation for the range used by the ABR to advertise that summarizes the area into another area.

Values

ip-prefix/mask:

  • ip-prefix a.b.c.d (host bits must be 0)

ipv6-prefix:

  • x:x:x:x:x:x:x:x (eight 16-bit pieces)

  • x:x:x:x:x:x:d.d.d.d

  • x: [0 to FFFF]H

  • d: [0 to 255]D

prefix-length: 0 to 128

advertise | not-advertise

Specifies whether or not to advertise the summarized range of addresses into other areas. The advertise keyword indicates the range will be advertised, and the keyword not-advertise indicates the range will not be advertised.

Default

advertise

Platforms

All

area-range

Syntax

area-range [ip-address]

no area-range

Context

[Tree] (debug>router>ospf area-range)

[Tree] (debug>router>ospf3 area-range)

Full Context

debug router ospf area-range

debug router ospf3 area-range

Description

This command enables debugging for an OSPF area range.

Parameters

ip-address

Specifies the IPv4 or IPv6 address for the range used by the ABR to advertise the area into another area.

Values

ipv4-address:

  • a.b.c.d

ipv6-address:

  • x:x:x:x:x:x:x:x (eight 16-bit pieces)

  • x:x:x:x:x:x:d.d.d.d

  • x: [0 to FFFF]H

  • d: [0 to 255]D

Platforms

All

arp

arp

Syntax

arp arp-value

no arp

Context

[Tree] (config>subscr-mgmt>gtp>peer-profile>mme>qos arp)

[Tree] (config>subscr-mgmt>gtp>peer-profile>ggsn>qos arp)

[Tree] (config>subscr-mgmt>gtp>peer-profile>pgw>qos arp)

Full Context

configure subscriber-mgmt gtp peer-profile mme qos arp

configure subscriber-mgmt gtp peer-profile ggsn qos arp

configure subscriber-mgmt gtp peer-profile pgw qos arp

Description

The command configures the allocation and retention priority to be used in the GTP messages as QoS IE (for a Gn interface) or Bearer QoS (for GTPv2).

The no form of this command reverts to the default.

Default

arp 1

Parameters

arp-value

Specifies the Allocation/Retention Priority (ARP).

Values

1 to 3 (for ggsn context)

Values

1 to 15 (for pgw and mme context)

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

arp

Syntax

arp

Context

[Tree] (config>service>vprn>if>vpls>evpn arp)

[Tree] (config>service>ies>if>vpls>evpn arp)

Full Context

configure service vprn interface vpls evpn arp

configure service ies interface vpls evpn arp

Description

Commands in this context configure ARP host route parameters.

Platforms

All

arp

Syntax

arp

Context

[Tree] (debug>router>ip arp)

Full Context

debug router ip arp

Description

This command configures route table debugging.

Platforms

All

arp-host

arp-host

Syntax

arp-host

Context

[Tree] (config>service>vpls>sap arp-host)

[Tree] (config>service>vprn>sub-if>grp-if arp-host)

[Tree] (config>subscr-mgmt>msap-policy>vpls-only arp-host)

[Tree] (config>service>ies>sub-if>grp-if arp-host)

Full Context

configure service vpls sap arp-host

configure service vprn subscriber-interface group-interface arp-host

configure subscriber-mgmt msap-policy vpls-only-sap-parameters arp-host

configure service ies subscriber-interface group-interface arp-host

Description

Commands in this context configure ARP host parameters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

arp-host

Syntax

[no] arp-host

Context

[Tree] (debug>service>id arp-host)

Full Context

debug service id arp-host

Description

This command enables and configures ARP host debugging.

The no form of this command disables ARP host debugging.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

arp-host-route

arp-host-route

Syntax

arp-host-route

Context

[Tree] (config>service>vprn>if arp-host-route)

[Tree] (config>service>ies>if arp-host-route)

Full Context

configure service vprn interface arp-host-route

configure service ies interface arp-host-route

Description

Commands in this context configure ARP host routes to populate.

Platforms

All

arp-learn-unsolicited

arp-learn-unsolicited

Syntax

[no] arp-learn-unsolicited

Context

[Tree] (config>service>vprn>if arp-learn-unsolicited)

[Tree] (config>router>if arp-learn-unsolicited)

[Tree] (config>service>ies>if arp-learn-unsolicited)

Full Context

configure service vprn interface arp-learn-unsolicited

configure router interface arp-learn-unsolicited

configure service ies interface arp-learn-unsolicited

Description

This command allows the ARP application to learn new entries based on any received ARP message (GARP, ARP-Request, or ARP-Reply, such as any frame with ethertype 0x0806).

The no form of this command disables the above behavior and causes ARP entries to only be learned when needed, that is, when the router receives an ARP-reply after an ARP-request triggered by received traffic.

Platforms

All

arp-limit

arp-limit

Syntax

arp-limit limit [log-only] [threshold percent]

no arp-limit

Context

[Tree] (config>service>ies>interface arp-limit)

Full Context

configure service ies interface arp-limit

Description

This command configures the maximum amount of dynamic IPv4 ARP entries that can be learned on an IP interface.

When the number of dynamic ARP entries reaches the configured percentage of this limit, a log event is raised. When the limit is exceeded, no new entries are learned until an entry expires and traffic to these destinations will be dropped. Entries that have already been learned will be refreshed.

The no form of this command removes the arp-limit.

Default

no arp-limit

Parameters

log-only

Enables the warning message to be sent at the specified threshold percentage, and also when the limit is exceeded. However, entries above the limit will be learned.

percent

The threshold value (as a percentage) that triggers a warning message to be sent.

Values

0 to 100

Default

90

limit

The number of entries that can be learned on an IP interface expressed as a decimal integer. If the limit is set to 0, dynamic ARP learning is disabled and no dynamic ARP entries are learned.

Values

0 to 524288

Platforms

All

arp-limit

Syntax

arp-limit limit [log-only] [threshold percent]

no arp-limit

Context

[Tree] (config>service>vprn>if arp-limit)

Full Context

configure service vprn interface arp-limit

Description

This command configures the maximum amount of dynamic IPv4 ARP entries that can be learned on an IP interface.

When the number of dynamic ARP entries reaches the configured percentage of this limit, an SNMP trap is sent. When the limit is exceeded, no new entries are learned until an entry expires and traffic to these destinations will be dropped. Entries that have already been learned will be refreshed.

The no form of this command removes the arp-limit.

Default

90 percent

Parameters

log-only

Enables the warning message to be sent at the specified threshold percentage, and also when the limit is exceeded. However, entries above the limit will be learned.

percent

The threshold value (as a percentage) that triggers a warning message to be sent.

Values

0 to 100

limit

The number of entries that can be learned on an IP interface expressed as a decimal integer. If the limit is set to 0, dynamic ARP learning is disabled and no dynamic ARP entries are learned.

Values

0 to 524288

Platforms

All

arp-limit

Syntax

arp-limit limit [log-only] [threshold percent]

no arp-limit

Context

[Tree] (config>router>if arp-limit)

Full Context

configure router interface arp-limit

Description

This command configures the maximum amount of dynamic IPv4 ARP entries that can be learned on an IP interface.

When the number of dynamic ARP entries reaches the configured percentage of this limit, an SNMP trap is sent. When the limit is exceeded, no new entries are learned until an entry expires and traffic to these destinations will be dropped. Entries that have already been learned will be refreshed.

The no form of this command removes the arp-limit.

Default

no arp-limit

Parameters

limit

The number of entries that can be learned on an IP interface expressed as a decimal integer. If the limit is set to 0, dynamic ARP learning is disabled and no dynamic ARP entries are learned.

Values

0 to 524288

log-only

Enables the warning message to be sent at the specified threshold percentage, and also when the limit is exceeded. However, entries above the limit will be learned.

percent

The threshold value (as a percentage) that triggers a warning message to be sent.

Values

0 to 100

Platforms

All

arp-nd-extended-community-advertisement

arp-nd-extended-community-advertisement

Syntax

[no] arp-nd-extended-community-advertisement

Context

[Tree] (config>service>vpls>bgp-evpn arp-nd-extended-community-advertisement)

Full Context

configure service vpls bgp-evpn arp-nd-extended-community-advertisement

Description

This command enables the advertisement of the RFC9047 ARP/ND extended community along with the MAC/IP routes that are advertised for local static and dynamic proxy ARP or ND entries. This command also controls the processing of the ARP/ND extended community and the selection of ARP or ND entries based on the inmutable flag.

The no form of this command disables the advertisement of the RFC9047 ARP/ND extended community.

Default

no arp-nd-extended-community-advertisement

Platforms

All

arp-populate

arp-populate

Syntax

[no] arp-populate

Context

[Tree] (config>service>ies>if arp-populate)

[Tree] (config>service>vprn>sub-if>grp-if arp-populate)

[Tree] (config>service>ies>sub-if>grp-if arp-populate)

[Tree] (config>service>vprn>if arp-populate)

Full Context

configure service ies interface arp-populate

configure service vprn subscriber-interface group-interface arp-populate

configure service ies subscriber-interface group-interface arp-populate

configure service vprn interface arp-populate

Description

This command, when enabled, disables dynamic learning of ARP entries. Instead, the ARP table is populated with static and dynamic entries from the DHCP Lease State Table (enabled with lease-populate), and optionally with static entries entered with the static-host command.

The host’s IP address and MAC address are placed in the system ARP cache as a managed entry. Static hosts must be defined on the interface using the static-host command. Dynamic hosts are enabled on the system through enabling lease-populate in the IP interface DHCP context.

In the event that both a static host and a dynamic host share the same IP and MAC address, the system’s ARP cache retains the host information until both the static and dynamic information are removed.

Both static and dynamic hosts override static ARP entries. Static ARP entries are marked as inactive when they conflict with static or dynamic hosts and will be repopulated once all static and dynamic host information for the IP address are removed. Since static ARP entries are not possible when static subscriber hosts are defined or when DHCP lease state table population is enabled, conflict between static ARP entries and the arp-populate function is not an issue.

Enabling the arp-populate command removes any dynamic ARP entries learned on this interface from the ARP cache.

The arp-populate command fails if an existing static ARP entry exists for this interface.

When arp-populate is enabled, the system does not send out ARP requests for hosts that are not in the ARP cache. Only statically configured and DHCP learned hosts are reachable through an IP interface with arp-populate enabled. The arp-populate command can only be enabled on IES and VPRN interfaces supporting Ethernet encapsulation.

The no form of this command disables ARP cache population functions for static and dynamic hosts on the interface. All static and dynamic host information for this interface is removed from the system’s ARP cache. Any existing static ARP entries previously inactive due to static or dynamic hosts will be populated in the system ARP cache.

Default

no arp-populate

Platforms

All

  • configure service vprn interface arp-populate
  • configure service ies interface arp-populate

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

  • configure service vprn subscriber-interface group-interface arp-populate
  • configure service ies subscriber-interface group-interface arp-populate

arp-populate-host-route

arp-populate-host-route

Syntax

[no] arp-populate-host-route

Context

[Tree] (config>service>ies>if arp-populate-host-route)

Full Context

configure service ies interface arp-populate-host-route

Description

This command enables the addition or deletion of host routes in the route table derived from ARP entries in the ARP cache. To enable this command, the interface must be shut down. The command triggers the population of host routes in the route table out of their corresponding static, dynamic, or EVPN types in the ARP table. ARP entries installed by subscriber management, local interfaces, and others, do not create host routes.

The no form of this command disables the creation of host routes from the ARP cache.

Platforms

All

arp-proactive-refresh

arp-proactive-refresh

Syntax

[no] arp-proactive-refresh

Context

[Tree] (config>service>ies>if arp-proactive-refresh)

Full Context

configure service ies interface arp-proactive-refresh

Description

This command enables the router to always send out a single refresh message with no entries 30 seconds prior to the timeout of the entry.

The no form of this command sets the default behavior, in which an entry is marked as stale 30 seconds prior to age-out, and the router only sends an ARP request to refresh the entry if the IOM receives traffic that uses it. If so, the IOM asks the ARP application to send a refresh message. With arp-proactive-refresh enabled, the ARP module sends a refresh message regardless of whether the IOM receives traffic.

Platforms

All

arp-proactive-refresh

Syntax

[no] arp-proactive-refresh

Context

[Tree] (config>service>vprn>if arp-proactive-refresh)

Full Context

configure service vprn interface arp-proactive-refresh

Description

This command enables the router to always send out a refresh message 30 seconds prior to the timeout of the entry (a single refresh message with no retries).

The no form of this command sets the default behavior, in which an entry is marked as stale 30 seconds prior to age-out, and the router only sends an ARP request to refresh the entry if the IOM receives traffic that uses it. If so, the IOM asks the ARP application to send a refresh message. With arp-proactive-refresh enabled, the ARP module sends a refresh message regardless of the IOM receiving traffic.

Platforms

All

arp-proactive-refresh

Syntax

[no] arp-proactive-refresh

Context

[Tree] (config>router>if arp-proactive-refresh)

Full Context

configure router interface arp-proactive-refresh

Description

This command enables the router to always send out a refresh message 30 seconds prior to the timeout of the entry (a single refresh message with no retries).

The no form of this command sets the default behavior, in which an entry is marked as stale 30 seconds prior to age-out, and the router only sends an ARP request to refresh the entry if the IOM receives traffic that uses it. If so, the IOM asks the ARP application to send a refresh message. With arp-proactive-refresh enabled, the ARP module sends a refresh message regardless of the IOM receiving traffic.

Platforms

All

arp-reply-agent

arp-reply-agent

Syntax

arp-reply-agent [sub-ident]

no arp-reply-agent

Context

[Tree] (config>service>vpls>sap arp-reply-agent)

Full Context

configure service vpls sap arp-reply-agent

Description

This command enables a special ARP response mechanism in the system for ARP requests destined to static or dynamic hosts associated with the SAP. The system responds to each ARP request using the host’s MAC address as the both the source MAC address in the Ethernet header and the target hardware address in the ARP header.

ARP replies and requests received on a SAP with arp-reply-agent enabled is evaluated by the system against the anti-spoof filter entries associated with the ingress SAP (if the SAP has anti-spoof filtering enabled). ARPs from unknown hosts on the SAP is discarded when anti-spoof filtering is enabled.

The ARP reply agent only responds if the ARP request enters an interface (SAP, spoke SDP or mesh SDP) associated with the VPLS instance of the SAP.

A received ARP request that is not in the ARP reply agent table is flooded to all forwarding interfaces of the VPLS capable of broadcast except the ingress interface while honoring split-horizon constraints.

Static hosts can be defined on the SAP using the host command. Dynamic hosts are enabled on the system by enabling the lease-populate command in the SAP’s dhcp context. If both a static host and a dynamic host share the same IP and MAC address, the VPLS ARP reply agent will retain the host information until both the static and dynamic information are removed. If both a static and dynamic host share the same IP address, but different MAC addresses, the VPLS ARP reply agent is populated with the static host information.

The arp-reply-agent command fails if an existing static host on the SAP does not have both MAC and IP addresses specified. Once the ARP reply agent is enabled, creating a static host on the SAP without both an IP address and MAC address will fail.

The apr-reply-agent can only be enabled on SAPs supporting Ethernet encapsulation.

The no form of the command disables arp-reply-agent functions for static and dynamic hosts on the SAP.

Default

no arp-reply-agent

Parameters

sub-ident

Configures the arp-reply-agent to discard ARP requests received on the SAP that are targeted for a known host on the same SAP with the same subscriber identification.

Hosts are identified by their subscriber information. For DHCP subscriber hosts, the subscriber hosts, the subscriber information is configured using the optional subscriber parameter string.

When arp-reply-agent is enabled with sub-ident:

  • If the subscriber information for the destination host exactly matches the subscriber information for the originating host and the destination host is known on the same SAP as the source, the ARP request is silently discarded.

  • If the subscriber information for the destination host or originating host is unknown or undefined, the source and destination hosts are not considered to be the same subscriber. The ARP request is forwarded outside the SAP’s Split Horizon Group.

  • When sub-ident is not configured, the arp-reply-agent does not attempt to identify the subscriber information for the destination or originating host and will not discard an ARP request based on subscriber information.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

arp-reply-agent

Syntax

arp-reply-agent [sub-ident]

no arp-reply-agent

Context

[Tree] (config>subscr-mgmt>msap-policy>vpls-only arp-reply-agent)

Full Context

configure subscriber-mgmt msap-policy vpls-only-sap-parameters arp-reply-agent

Description

This command enables a special ARP response mechanism in the system for ARP requests destined to static or dynamic hosts associated with the SAP. The system responds to each ARP request using the hosts MAC address as the both the source MAC address in the Ethernet header and the target hardware address in the ARP header.

ARP replies and requests received on an MSAP with arp-reply-agent enabled is evaluated by the system against the anti-spoof filter entries associated with the ingress SAP (if the SAP has anti-spoof filtering enabled). ARPs from unknown hosts on the SAP is discarded when anti-spoof filtering is enabled.

The ARP reply agent only responds if the ARP request enters an interface (SAP, spoke-SDP or mesh-SDP) associated with the VPLS instance of the MSAP.

A received ARP request that is not in the ARP reply agent table is flooded to all forwarding interfaces of the VPLS capable of broadcast except the ingress interface while honoring split-horizon constraints.

Static hosts can be defined using the host command. Dynamic hosts are enabled on the system by enabling the lease-populate command in the dhcp context. In the event that both a static host and a dynamic host share the same IP and MAC address, the VPLS ARP reply agent will retain the host information until both the static and dynamic information are removed. In the event that both a static and dynamic host share the same IP address, but different MAC addresses, the VPLS ARP reply agent is populated with the static host information.

The arp-reply-agent command will fail if an existing static host does not have both MAC and IP addresses specified. Once the ARP reply agent is enabled, creating a static host on the MSAP without both an IP address and MAC address will fail.

The ARP-reply-agent may only be enabled on SAPs supporting Ethernet encapsulation.

The no form of this command disables ARP-reply-agent functions for static and dynamic hosts on the MSAP.

Parameters

sub-ident

Configures the arp-reply-agent to discard ARP requests received on the MSAP that are targeted for a known host on the same MSAP with the same subscriber identification.

Hosts are identified by their subscriber information. For DHCP subscriber hosts, the subscriber hosts, the subscriber information is configured using the optional subscriber parameter string.

When arp-reply-agent is enabled with sub-ident:

  • If the subscriber information for the destination host exactly matches the subscriber information for the originating host and the destination host is known on the same MSAP as the source, the ARP request is silently discarded.

  • If the subscriber information for the destination host or originating host is unknown or undefined, the source and destination hosts are not considered to be the same subscriber. The ARP request is forwarded outside the MSAP’s Split Horizon Group.

  • When sub-ident is not configured, the arp-reply-agent does not attempt to identify the subscriber information for the destination or originating host and will not discard an ARP request based on subscriber information.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

arp-retry-timer

arp-retry-timer

Syntax

arp-retry-timer timer-multiple

no arp-retry-timer

Context

[Tree] (config>service>ies>if arp-retry-timer)

Full Context

configure service ies interface arp-retry-timer

Description

This command allows the arp retry timer to be configured to a specific value.

The timer value is entered as a multiple of 100 ms. So a timer value of 1, means the ARP timer will be set to 100 ms.

The no form of this command removes the command from the active configuration and returns the ARP retry timer to its default value of 5 seconds.

Default

arp-retry-timer 50

Parameters

timer-multiple

Specifies the multiple of 100 ms that the ARP retry timer will be configured as.

Values

1 to 300 (equally a timer range of 100 ms to 30,000 ms)

Platforms

All

arp-retry-timer

Syntax

arp-retry-timer timer-multiple

no arp-retry-timer

Context

[Tree] (config>service>vprn>if arp-retry-timer)

[Tree] (config>service>vprn>network-interface arp-retry-timer)

Full Context

configure service vprn interface arp-retry-timer

configure service vprn network-interface arp-retry-timer

Description

This command allows the arp retry timer to be configured to a specific value.

The timer value is entered as a multiple of 100 ms. So a timer value of 1, means the ARP timer will be set to 100 ms.

The no form of this command removes the command from the active configuration and returns the ARP retry timer to its default value of 5 s.

Default

arp-retry-timer 50

Parameters

timer-multiple

Specifies the multiple of 100 ms that the ARP retry timer will be configured as.

Values

1 to 300 (equally a timer range of 100 ms to 30 000 ms)

Platforms

All

arp-retry-timer

Syntax

arp-retry-timer timer-multiple

no arp-retry-timer

Context

[Tree] (config>router>if arp-retry-timer)

Full Context

configure router interface arp-retry-timer

Description

This command allows the arp retry timer to be configured to a specific value.

The timer value is entered as a multiple of 100 ms. So a timer value of 1, means the ARP timer will be set to 100 ms.

The no form of this command removes the command from the active configuration and returns the ARP retry timer to its default value of 5 seconds.

Default

arp-retry-timer 50

Parameters

timer-multiple

Specifies the multiple of 100 ms that the ARP retry timer will be configured as.

Values

1 to 300 (equally a timer range of 100 ms to 30,000 ms)

Platforms

All

arp-timeout

arp-timeout

Syntax

arp-timeout seconds

no arp-timeout

Context

[Tree] (config>service>ies>sub-if>grp-if arp-timeout)

[Tree] (config>service>vprn>sub-if>grp-if arp-timeout)

[Tree] (config>service>ies>if arp-timeout)

[Tree] (config>service>vprn>if arp-timeout)

Full Context

configure service ies subscriber-interface group-interface arp-timeout

configure service vprn subscriber-interface group-interface arp-timeout

configure service ies interface arp-timeout

configure service vprn interface arp-timeout

Description

This command configures the minimum time in seconds an ARP entry learned on the IP interface is stored in the ARP table. ARP entries are automatically refreshed when an ARP request or gratuitous ARP is seen from an IP host, otherwise, the ARP entry is aged from the ARP table. If arp-timeout is set to a value of zero seconds, ARP aging is disabled.

When the arp-populate and lease-populate commands are enabled on an interface, the ARP table entries will no longer be dynamically learned, but instead by snooping DHCP ACK message from a DHCP server. In this case the configured arp-timeout value has no effect.

The default value for arp-timeout is 14400 seconds (4 hours).

The no form of this command reverts to the default value.

Default

arp-timeout 14400

Parameters

seconds

Specifies the minimum number of seconds a learned ARP entry is stored in the ARP table, expressed as a decimal integer. A value of zero specifies that the timer is inoperative and learned ARP entries will not be aged.

Values

0 to 65535

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

  • configure service vprn subscriber-interface group-interface arp-timeout
  • configure service ies subscriber-interface group-interface arp-timeout

All

  • configure service vprn interface arp-timeout
  • configure service ies interface arp-timeout

arp-timeout

Syntax

arp-timeout seconds

no arp-timeout

Context

[Tree] (config>service>vpls>interface arp-timeout)

Full Context

configure service vpls interface arp-timeout

Description

This command configures the minimum time in seconds an ARP entry learned on the IP interface will be stored in the ARP table. ARP entries are automatically refreshed when an ARP request or gratuitous ARP is seen from an IP host, otherwise, the ARP entry is aged from the ARP table. If arp-timeout is set to a value of zero seconds, ARP aging is disabled.

The default value for arp-timeout is 14400 seconds (4 hours).

The no form of this command restores arp-timeout to the default value.

Default

arp-timeout 14400

Parameters

seconds

The minimum number of seconds a learned ARP entry will be stored in the ARP table, expressed as a decimal integer. A value of zero specifies that the timer is inoperative and learned ARP entries will not be aged.

Values

0 to 65535

Platforms

All

arp-timeout

Syntax

arp-timeout seconds

no arp-timeout

Context

[Tree] (config>router>if arp-timeout)

Full Context

configure router interface arp-timeout

Description

This command configures the minimum time, in seconds, an ARP entry learned on the IP interface is stored in the ARP table. ARP entries are automatically refreshed when an ARP request or gratuitous ARP is seen from an IP host. Otherwise, the ARP entry is aged from the ARP table. If the arp-timeout value is set to 0 seconds, ARP aging is disabled.

The no form of this command reverts to the default value.

Default

no arp-timeout

Parameters

seconds

The minimum number of seconds a learned ARP entry is stored in the ARP table, expressed as a decimal integer. A value of 0 specifies that the timer is inoperative and learned ARP entries will not be aged.

Values

0 to 65535

Platforms

All

as-matrix

as-matrix

Syntax

[no] as-matrix

Context

[Tree] (config>cflowd>collector>aggregation as-matrix)

Full Context

configure cflowd collector aggregation as-matrix

Description

This command specifies that the aggregation data should be based on autonomous system (AS) information. An AS matrix contains packet and byte counters for traffic from either source-destination autonomous systems or last-peer to next-peer autonomous systems.

The no form of this command removes this type of aggregation from the collector configuration.

Default

no as-matrix

Platforms

All

as-override

as-override

Syntax

[no] as-override

Context

[Tree] (config>subscr-mgmt>bgp-prng-plcy as-override)

Full Context

configure subscriber-mgmt bgp-peering-policy as-override

Description

This command replaces all instances of the peer's AS number with the local AS number in a BGP route's AS_PATH.

This command breaks BGP's loop detection mechanism. It should be used carefully.

The no form of this command reverts to the default.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

as-override

Syntax

[no] as-override

Context

[Tree] (config>service>vprn>bgp>group as-override)

[Tree] (config>service>vprn>bgp>group>neighbor as-override)

Full Context

configure service vprn bgp group as-override

configure service vprn bgp group neighbor as-override

Description

This command replaces all instances of the peer's AS number with the local AS number in a BGP route's AS_PATH.

This command breaks BGP's loop detection mechanism. It should be used carefully.

Default

no as-override

Platforms

All

as-override

Syntax

[no] as-override

Context

[Tree] (config>router>bgp>group as-override)

[Tree] (config>router>bgp>group>neighbor as-override)

Full Context

configure router bgp group as-override

configure router bgp group neighbor as-override

Description

This command enables BGP to monitor the outbound routes toward the peer and whenever there is a route with the peer’s autonomous system number (ASN) in the AS_PATH, all occurrences are removed and replaced with the advertising router’s local ASN (or its confederation ID if the peer is outside the confederation).

In the group context, the no form of this command disables the functionality. In the neighbor context, the no form of this command causes the setting to be inherited from the group level.

Default

no as-override

Platforms

All

as-path

as-path

Syntax

[no] as-path name

Context

[Tree] (config>router>policy-options as-path)

Full Context

configure router policy-options as-path

Description

This command creates a route policy AS path to use in route policy entries.

The no form of this command deletes the AS path.

Default

no as-path

Parameters

name

The AS path regular expression name. Allowed values are any string up to 32 characters long composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes.

Platforms

All

as-path

Syntax

as-path name

no as-path

Context

[Tree] (config>router>policy-options>policy-statement>entry>from as-path)

Full Context

configure router policy-options policy-statement entry from as-path

Description

This command configures an AS path regular expression statement as a match criterion for the route policy entry.

If no AS path criterion is specified, any AS path is considered to match.

AS path regular expression statements are configured at the global route policy level (config>router>policy-options>as-path name).

The no form of this command removes the AS path regular expression statement as a match criterion.

Default

no as-path

Parameters

name

Specifies the AS path regular expression name. Allowed values are any string up to 32 characters long composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes. Policy parameters must be enclosed by at-signs (@) and may be midstring; for example, "@variable@," "start@variable@end", " @variable@end", or "start@variable@".

Platforms

All

as-path

Syntax

as-path {add | replace} name

no as-path

Context

[Tree] (config>router>policy-options>policy-statement>default-action as-path)

[Tree] (config>router>policy-options>policy-statement>entry>action as-path)

Full Context

configure router policy-options policy-statement default-action as-path

configure router policy-options policy-statement entry action as-path

Description

This command assigns a BGP AS path list to routes matching the route policy statement entry.

If no AS path list is specified, the AS path attribute is not changed.

The no form of this command disables the AS path list editing action from the route policy entry.

Default

no as-path

Parameters

add

Specifies that the AS path list is to be prepended to an existing AS list.

replace

Specifies AS path list replaces any existing as path attribute.

name

Specifies the AS path list name. Allowed values are any string up to 32 characters long composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes. Policy parameters must be enclosed by at-signs (@) and may be midstring; for example, "@variable@," "start@variable@end"," @variable@end", or "start@variable@".

The name specified must already be defined.

Platforms

All

as-path-group

as-path-group

Syntax

[no] as-path-group name

Context

[Tree] (config>router>policy-options as-path-group)

Full Context

configure router policy-options as-path-group

Description

This command creates a route policy AS path regular expression statement to use in route policy entries.

The no form of this command deletes the AS path regular expression statement.

Default

no as-path-group

Parameters

name

Specifies the AS path regular expression name. Allowed values are any string up to 32 characters composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes. Policy parameters must start and end with at-signs (@); for example, "@variable@”.

Platforms

All

as-path-group

Syntax

as-path-group name

no as-path-group name

Context

[Tree] (config>router>policy-options>policy-statement>entry>from as-path-group)

Full Context

configure router policy-options policy-statement entry from as-path-group

Description

This command creates a route policy AS path regular expression statement to use in route policy entries.

The no form of this command deletes the AS path regular expression statement.

Default

no as-path-group

Parameters

name

Specifies the AS path regular expression name. Allowed values are any string up to 32 characters long composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes. Policy parameters must be enclosed by at-signs (@) and may be midstring; for example, "@variable@," "start@variable@end", " @variable@end", or "start@variable@".

Platforms

All

as-path-ignore

as-path-ignore

Syntax

as-path-ignore [ipv4] [ipv6] [ label-ipv4] [label-ipv6]

no as-path-ignore

Context

[Tree] (config>service>vprn>bgp>path-selection as-path-ignore)

Full Context

configure service vprn bgp best-path-selection as-path-ignore

Description

This command configures whether AS path length is considered in the selection of the best BGP route for a prefix.

If an address family is listed in this command, the length of AS paths is not a factor in the route selection process for routes of that address family.

The no form of this command removes the parameter from the configuration.

Default

no as-path-ignore

Parameters

ipv4

Specifies that the AS path length is ignored for all unlabeled unicast IPv4 routes.

ipv6

Specifies that the AS path length is ignored for all unlabeled unicast IPv6 routes.

label-ipv4

Specifies that the AS path length is ignored for all labeled unicast IPv4 routes.

label-ipv6

Specifies that the AS path length is ignored for all labeled unicast IPv6 routes.

Platforms

All

as-path-ignore

Syntax

as-path-ignore [ipv4] [label-ipv4] [ vpn-ipv4] [ipv6] [ label-ipv6] [vpn-ipv6] [mcast-ipv4] [mcast-ipv6] [ mvpn-ipv4] [mvpn-ipv6] [l2-vpn]

no as-path-ignore

Context

[Tree] (config>router>bgp>best-path-selection as-path-ignore)

Full Context

configure router bgp best-path-selection as-path-ignore

Description

This command configures whether AS path length is considered in the selection of the best BGP route for a prefix.

If an address family is listed in this command, then the length of AS paths is not a factor in the route selection process for routes of that address family.

The no form of this command removes the parameter from the configuration.

Default

no as-path-ignore

Parameters

ipv4

Specifies that the AS-path length will be ignored for all unlabeled unicast IPv4 routes.

label-ipv4

Specifies that the AS-path length will be ignored for all labeled-unicast IPv4 routes.

vpn-ipv4

Specifies that the length AS-path will be ignored for all VPN IPv4 (SAFI 128) routes.

ipv6

Specifies that the AS-path length will be ignored for all unlabeled unicast IPv6 routes.

label-ipv6

Specifies that the AS-path length will be ignored for all labeled-unicast IPv6 routes.

vpn-ipv6

Specifies that the AS-path length will be ignored for all VPN IPv6 (SAFI 128) routes.

mcast-ipv4

Specifies that the AS-path length will be ignored for all IPv4 multicast routes.

mcast-ipv6

Specifies that the AS-path length will be ignored for all IPv6 multicast routes.

mvpn-ipv4

Specifies that the AS-path length will be ignored for all IPv4 MVPN routes.

mvpn-ipv6

Specifies that the AS-path length will be ignored for all IPv6 MVPN routes.

l2-vpn

Specifies that the AS-path length will be ignored for all L2-VPN NLRIs.

Platforms

All

as-path-length

as-path-length

Syntax

as-path-length length [equal | or-higher | or-lower] [unique]

no as-path-length

Context

[Tree] (config>router>policy-options>policy-statement>entry>from as-path-length)

Full Context

configure router policy-options policy-statement entry from as-path-length

Description

This command matches BGP routes based on their AS path length (the number of AS numbers in the AS_PATH).

If no comparison qualifiers are present (equal, or-higher, or-lower), then equal is the implied default.

Confederation member AS numbers in the AS_PATH do not count towards the total. An AS_SET element is considered to have a length of 1.

The unique option counts.

A non-BGP route does not match a policy entry if it contains the as-path-length command.

Default

no as-path-length

Parameters

length

Specifies the length of the AS path.

Values

0 to 255, or a parameter name delimited by starting and ending at-sign (@) characters

equal

Specifies that matched routes should have the same number of AS path elements as the value specified.

or-higher

Specifies that matched routes should have the same or a greater number of AS path elements as the value specified.

or-lower

Specifies that matched routes should have the same or a lower number of AS path elements as the value specified.

unique

Specifies that only the unique AS numbers should be counted (that is, multiple occurrences of the same AS number in the sequence count as one).

Platforms

All

as-path-prepend

as-path-prepend

Syntax

as-path-prepend as-path [repeat]

as-path-prepend most-recent [repeat]

no as-path-prepend

Context

[Tree] (config>router>policy-options>policy-statement>entry>action as-path-prepend)

[Tree] (config>router>policy-options>policy-statement>default-action as-path-prepend)

Full Context

configure router policy-options policy-statement entry action as-path-prepend

configure router policy-options policy-statement default-action as-path-prepend

Description

The command prepends a BGP AS number once or numerous times to the AS path attribute of routes matching the route policy statement entry.

If an AS number is not configured, the AS path is not changed.

If the optional number is specified, then the AS number is prepended as many times as indicated by the number.

The no form of this command disables the AS path prepend action from the route policy entry.

Default

no as-path-prepend

Parameters

as-path

Specifies the AS number to prepend expressed as a decimal integer.

Values

1 to 4294967295

param-name — Specifies the AS path parameter variable name. Allowed values are any string up to 32 characters composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes. Policy parameters must start and end with at-signs (@); for example, "@variable@”.

repeat

Specifies the number of times to prepend the specified AS number expressed as a decimal integer.

Values

1 to 50

param-name — Specifies the AS path parameter variable name. Allowed values are any string up to 32 characters composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes. Policy parameters must start and end with at-signs (@); for example, "@variable@”.

most-recent

Specifies that the most recent AS number must be prepended to the AS-Path attribute of the route.

Platforms

All

asbr

asbr

Syntax

[no] asbr [trace-path domain-id]

no asbr

[no] asbr

Context

[Tree] (config>router>ospf3 asbr)

[Tree] (config>router>ospf asbr)

Full Context

configure router ospf3 asbr

configure router ospf asbr

Description

This command configures the router as an Autonomous System Boundary Router (ASBR) if the router is to be used to export routes from the Routing Table Manager (RTM) into this instance of OSPF. After a router is configured as an ASBR, the export policies into this OSPF domain take effect. If no policies are configured, no external routes are redistributed into the OSPF domain.

The no form of this command removes the ASBR status and withdraws the routes redistributed from the Routing Table Manager into this instance of OSPF from the link state database.

When configuring multiple instances of OSPF, there is a risk of loops because networks are advertised by multiple domains configured with multiple interconnections to one another. To prevent this from happening, all routers in a domain should be configured with the same domain ID. Each domain (OSPF-instance) should be assigned a specific bit value in the 32-bit tag mask.

When an external route is originated by an ASBR using an internal OSPF route in a given domain, the corresponding bit is set in the AS-external LSA. As the route gets redistributed from one domain to another, more bits are set in the tag mask, each corresponding to the OSPF domain the route visited. Route redistribution looping is prevented by checking the corresponding bit as part of the export policy; if the bit corresponding to the announcing OSPF process is already set, the route is not exported there.

Domain IDs are incompatible with any other use of normal tags. The domain ID should be configured with a value between 1 and 31 by each router in a given OSPF domain (OSPF Instance).

When an external route is originated by an ASBR using an internal OSPF route in a given domain, the corresponding (1-31) bit is set in the AS-external LSA.

As the route gets redistributed from one domain to another, more bits are set in the tag mask, each corresponding to the OSPF domain the route visited. Route redistribution looping is prevented by checking the corresponding bit as part of the export policy; if the bit corresponding to the announcing OSPF process is already set, the route is not exported there.

Default

no asbr

Parameters

domain-id

Specifies the domain ID.

Values

1 to 31

Default

0

Platforms

All

assert

assert

Syntax

assert [group grp-ip-address] [source ip-address] [detail]

no assert

Context

[Tree] (debug>router>pim assert)

Full Context

debug router pim assert

Description

This command enables debugging for PIM assert mechanism.

The no form of this command disables PIM assert debugging.

Parameters

grp-ip-address

Debugs information associated with the PIM assert mechanism.

Values

multicast group address (ipv4, ipv6)

ip-address

Debugs information associated with the PIM assert mechanism.

Values

source address (ipv4, ipv6)

detail

Debugs detailed information on the PIM assert mechanism.

Platforms

All

assert-period

assert-period

Syntax

assert-period assert-period

no assert-period

Context

[Tree] (config>service>vprn>pim>if assert-period)

Full Context

configure service vprn pim interface assert-period

Description

This command configures the period in seconds for periodic refreshes of PIM Assert messages on an interface.

The no form of this command reverts to the default.

Default

assert-period 60

Parameters

assert-period

Specifies the period, in seconds, for periodic refreshes of PIM Assert messages on an interface.

Values

1 to 300

Platforms

All

assert-period

Syntax

assert-period assert-period

no assert-period

Context

[Tree] (config>router>pim>interface assert-period)

Full Context

configure router pim interface assert-period

Description

This command configures the period for periodic refreshes of PIM Assert messages on an interface.

The no form of this command removes the assert-period from the configuration.

Default

no assert-period

Parameters

assert-period

Specifies the period, in seconds, for periodic refreshes of PIM Assert messages on an interface.

Values

1 to 300

Platforms

All

assignment

assignment

Syntax

assignment {port port-id | card slot-number}

no assignment

Context

[Tree] (config>service>cust>multi-service-site assignment)

Full Context

configure service customer multi-service-site assignment

Description

This command assigns a multi-service customer site to a specific chassis slot, port, or channel. This allows the system to allocate the resources necessary to create the virtual schedulers defined in the ingress and egress scheduler policies as they are specified. This also verifies that each SAP assigned to the site exists within the context of the proper customer ID and that the SAP was configured on the proper slot, port, or channel. The assignment must be given prior to any SAP associations with the site.

The no form of this command removes the port, channel, or slot assignment. If the customer site has not yet been assigned, the command has no effect and returns without any warnings or messages.

Default

no assignment

Parameters

port-id

Assigns the multi-service customer site to the port-id or port-id.channel-id given. When the multi-service customer site is assigned to a specific port or channel, all SAPs associated with this customer site must be on a service owned by the customer and created on the defined port or channel. The defined port or channel must already have been pre-provisioned on the system but need not be installed when the customer site assignment is made.

Syntax: port-id[:encap-val]

Values

For the 7950 XRS:

slot/mda/port [.channel]

eth-tunnel-id - eth-tunnel-<id>

eth-tunnel

keyword

id

[1..1024]

lag-id

lag-id

lag

keyword

id

1 to 800

id

[1..1024]

eth-sat-id

esat-id/slot/port

esat

keyword

id: 1 to 20

u

keyword

pxc-id

pxc-<id>.<sub-port>

pxc

keyword

id: 1 to 64

sub-port

a, b

lag

keyword

id

1 to 800

1 to 800

pw-id

pw-<id>

pw

keyword

id

1 to 32767

For the 7750 SR and the 7450 ESS:

port-id

slot/mda/port[.channel]

aps-id

aps-group-id[.channel]

aps keyword

group-id

1 to 128

eth-tunnel-id

eth-tunnel-<id>

eth-tunnel

keyword

id

1 to 1024

lag-id

lag-id

lag

keyword

id

1 to 800

id

1 to 1024

eth-sat-id

esat-<id>/<slot>/[u]<port>

esat

keyword

id

1 to 20

u

keyword for up-link port

tdm-sat-id

tsat-<id>/<slot>/[<u>]<port>.<channel>

tsat

keyword

id

1 to 20

u

keyword for up-link port

pxc-id

psc-id.sub-port

pxc psc-id.sub-port

pxc

keyword

id: 1 to 64

sub-port: a, b

pw-id

pw-<id>

pw

keyword

id

1 to 32767

slot-number

1 to 10

fpe-id

1 to 64

slot-number

Assigns the multi-service customer site to the slot-number given. When the multi-service customer site is assigned to a specific slot in the chassis, all SAPs associated with this customer site must be on a service owned by the customer and created on the defined chassis slot. The defined slot must already be pre-provisioned on the system but need not be installed when the customer site assignment is made.

Values

Any pre-provisioned slot number for the chassis type that allows SAP creation.

1 to 20

fpe-id

Specifies the multi-service-site (MSS) assignment to an FPE object for the purpose of controlling aggregated bandwidth across a set of PW SAPs.

Values

1 to 64

Platforms

All

assignment-id

assignment-id

Syntax

assignment-id assignment-id

Context

[Tree] (debug>router>l2tp assignment-id)

Full Context

debug router l2tp assignment-id

Description

This command enables and configures debugging for the L2TP tunnel with a given assignment ID.

Parameters

assignment-id

Specifies a string that distinguishes this L2TP tunnel, up to 63 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

assisted-replication

assisted-replication

Syntax

assisted-replication {replicator | leaf} [replicator-activation-time seconds]

no assisted-replication

Context

[Tree] (config>service>vpls>vxlan assisted-replication)

Full Context

configure service vpls vxlan assisted-replication

Description

This command enables the Assisted Replication (AR) function for VXLAN tunnels in the service. The execution of this command triggers the BGP EVPN to send an update containing the inclusive multicast route for the service and the AR type=AR Replicator (AR-R) or AR Leaf (AR-L).

The Replicators switch the VXLAN traffic back to VXLAN destinations when the IP destination address matches their own AR-IP address. Leaf nodes select a Replicator node and send all the Broadcast or Multicast frames to it so that the Replicator can replicate the traffic on their behalf.

Enabling or disabling the AR function, or changing the role between the replicator and leaf requires the BGP EVPN MPLS to be shutdown.

If the leaf parameter is configured, the system creates a Broadcast or Multicast (BM) destination to the selected AR-R and Unknown Unicast (U) destinations to the rest of the VTEPs. If no replicator exists, the leaf creates BUM bindings to all the VTEPs.

If the replicator parameter is configured, the system will create BUM destinations to the remote leafs, Regular Network Virtualization Edge routers (RNVE), and other AR-Rs. The system will perform assisted replication for traffic from known VTEPs only (that is, where the routes have been received and programmed toward a VTEP).

The no version of this command removes the AR function from the service.

Default

no assisted-replication

Parameters

replicator-activation-time seconds

Optional parameter that can be added to the leaf parameter. It specifies the wait time before the leaf can begin sending traffic to a new replicator and is used to allow some time for the replicator to learn about the leaf.

Values

1 to 255

Default

0 seconds (indicates no replicator-activation-time and no delay in sending packets to the AR-R)

replicator | leaf

Selects the AR role of the router for the service.

Platforms

All

assisted-replication-ip

assisted-replication-ip

Syntax

assisted-replication-ip ip-address

no assisted-replication-ip

Context

[Tree] (config>service>system>vxlan assisted-replication-ip)

Full Context

configure service system vxlan assisted-replication-ip

Description

The assisted-replication-ip (AR-IP) command defines the IP address that supports the AR-R function in the router. The AR-IP address must also be defined as a loopback address in the base router and advertised in the IGP/BGP so that it is accessible to the remote NVE/PEs in the Overlay network.

If the AR-R function is enabled in a service, the Broadcast and Multicast frames encapsulated in VXLAN packets arriving at the router are replicated to the other VXLAN destinations within the service (except the destination pointing at the originator of the packet).

The no version of this command removes the AR IP address.

Default

no assisted-replication-ip

Parameters

ip-address

Specifies the assisted replication IP address.

Platforms

All

assistive-address-resolution

assistive-address-resolution

Syntax

[no] assistive-address-resolution

Context

[Tree] (config>service>vprn>sub-if>grp-if>wlan-gw>ranges>range>vrgw>lanext assistive-address-resolution)

[Tree] (config>service>ies>sub-if>grp-if>wlan-gw>ranges>range>vrgw>lanext assistive-address-resolution)

Full Context

configure service vprn subscriber-interface group-interface wlan-gw vlan-tag-ranges range vrgw lanext assistive-address-resolution

configure service ies subscriber-interface group-interface wlan-gw vlan-tag-ranges range vrgw lanext assistive-address-resolution

Description

This command enables assistive address resolution (AAR) for HLE services.

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

association

association

Syntax

association name

no association

Context

[Tree] (config>service>vpls>sap>pfcp association)

Full Context

configure service vpls sap pfcp association

Description

This command links this capture SAP to a PFCP association. This command enables CUPS for this capture SAP and makes any trigger packets eligible for forwarding to the BNG CUPS CPF.

The no form of this command disables CUPS for this capture SAP.

Parameters

name

Specifies the name of the association, up to 32 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

association

Syntax

association ma-index [format {format}] name ma-name [admin-name admin-name]

association ma-index

no association ma-index

Context

[Tree] (config>eth-cfm>domain association)

Full Context

configure eth-cfm domain association

Description

This command configures the Maintenance Association (MA) for the domain.

Parameters

ma-index

Specifies the MA index value.

Values

1 to 4294967295

format

Specifies a value that represents the type (format).

Values

icc-based, integer, string, vid, vpn-id

icc-based:

Only applicable to a Y.1731 context where the domain format is configured as none. Allows for exactly a 13 character name.

integer

0 to 65535 (integer value 0 means the MA is not attached to a VID.)

string:

raw ascii

vid:

0 to 4095

vpn-id:

RFC 2685, Virtual Private Networks Identifier

xxx:xxxx, where x is a value between 00 and FF.

for example 00164D:AABBCCDD

Default

integer

ma-name

Specifies the part of the maintenance association identifier which is unique within the maintenance domain name.

Values

1 to 45 characters

admin-name admin-name

Specifies a creation time required parameter that allows the operator to assign a name value to the domain container. This is used for information and migration purposes. This value cannot be modified without destroying the domain. If no admin-name exists, the configured md-index value will be converted into a character string to become the admin-name reference. When upgrading from a release that does not include the admin-name configuration option, the md-index will be converted into a character string. Once a value is assigned to this admin-name value it cannot be modified.

Values

1 to 64 characters

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

association-id

association-id

Syntax

association-id association-id

no association-id

Context

[Tree] (config>router>pcep>pcc>pce-assoc>div association-id)

Full Context

configure router pcep pcc pce-associations diversity association-id

Description

This command configures the diversity association ID. The user must specify an association ID.

The no form of the command removes the association ID from the diversity association.

Default

no association-id

Parameters

association-id

Specifies the diversity association ID.

Values

1 to 65535

Platforms

All

association-id

Syntax

association-id association-id

no association-id

Context

[Tree] (config>router>pcep>pcc>pce-assoc>plcy association-id)

Full Context

configure router pcep pcc pce-associations policy association-id

Description

This command configures the policy association ID. The user must specify an association ID.

The no form of the command removes the association ID from the policy association.

Default

no association-id

Parameters

association-id

Specifies the policy association ID.

Values

1 to 65535

Platforms

All

association-source

association-source

Syntax

association-source ip-address

no association-source

Context

[Tree] (config>router>pcep>pcc>pce-assoc>div association-source)

Full Context

configure router pcep pcc pce-associations diversity association-source

Description

This command configures the source IP address of the diversity association.

The no form of the command removes the IP address from the diversity association.

Default

no association-source

Parameters

ip-address

Specifies the source IP address.

Values

ipv4-address:

a.b.c.d

ipv6-address:

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x - [0 to FFFF]H

d - [0 to 255]D

Platforms

All

association-source

Syntax

association-source ip-address

no association-source

Context

[Tree] (config>router>pcep>pcc>pce-assoc>plcy association-source)

Full Context

configure router pcep pcc pce-associations policy association-source

Description

This command configures the source IP address of the policy association.

The no form of the command removes IP address from the policy association.

Default

no association-source

Parameters

ip-address

Specifies the source IP address.

Values

ipv4-address:

a.b.c.d

ipv6-address:

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x - [0 to FFFF]H

d - [0 to 255]D

Platforms

All

async-mapping

async-mapping

Syntax

[no] async-mapping

Context

[Tree] (config>port>otu async-mapping)

Full Context

configure port otu async-mapping

Description

This command allows the user to configure the port to support asynchronous mapping of the payload inside the OTU. If the port is configured for async-mapping and the payload clock is asynchronous to the OTU clock, there will be positive or negative pointer justification that will show up in the OTU statistics and the data will be received error free. If the port is configured for synchronous mapping and the received data is asynchronously mapped, there will be errors in the received data.

async-mapping is the only mode of operation that is supported on the OTU3 encapsulated 40-Gigabit Ethernet and therefore the 'no async-mapping' is not supported on that port type and the default on the is async-mapping.

The no form of this command configures the port to receive synchronously mapped data.

Default

no async-mapping

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

asynchronous-execution

asynchronous-execution

Syntax

asynchronous-execution seconds

asynchronous-execution never

Context

[Tree] (config>system>management-interface>ops>global-timeout asynchronous-execution)

Full Context

configure system management-interface operations global-timeouts asynchronous-execution

Description

This command configures the period of time that operations launched as "asynchronous” are allowed to execute before being automatically stopped by the SR OS.

An asynchronous operation is not deleted from the system when it is stopped. See the asynchronous-retention command.

If a specific execution timeout is not included in the request for a particular asynchronous operation, this system-level timeout applies.

Note:

This execution timeout is part of the general global operations infrastructure and is separate and independent from any operation-specific timeouts (for example, the ping operation also has its own timeout parameter).

Default

asynchronous-execution 3600

Parameters

seconds

Specifies the period of time, in seconds, that asynchronous operations are allowed to execute.

Values

1 to 604800

never

Keyword to specify that an execution timeout is not applied to asynchronous operations.

Platforms

All

asynchronous-retention

asynchronous-retention

Syntax

asynchronous-retention seconds

asynchronous-retention never

Context

[Tree] (config>system>management-interface>ops>global-timeout asynchronous-retention)

Full Context

configure system management-interface operations global-timeouts asynchronous-retention

Description

This command configures the period of time that data related to operations launched as "asynchronous” is retained in the system. After the retention timeout expires, all information related to the operation is deleted, including any status information and result data.

If a specific retention timeout is not included in the request for a particular asynchronous operation, this system-level timeout applies.

Default

asynchronous-retention 86400

Parameters

seconds

Specifies the period of time, in seconds, that data related to asynchronous operations is retained in the system.

Values

1 to 604800

never

Keyword to specify that data related to asynchronous operations will persist in memory until explicitly deleted.

Platforms

All

attempts

attempts

Syntax

attempts count [time minutes1 [lockout minutes2]

no attempts

Context

[Tree] (config>system>security>password attempts)

Full Context

configure system security password attempts

Description

This command configures a threshold value of unsuccessful login attempts allowed in a specified time frame.

If the threshold is exceeded, the user is locked out for a specified time period.

If multiple attempts commands are entered, each command overwrites the previously entered command.

The no attempts command resets all values to default.

Note:

This command applies to a local user, in addition to users on RADIUS, TACACS, and LDAP.

Default

attempts 3 time 5 lockout 10

Parameters

count

Specifies the number of unsuccessful login attempts allowed for the specified time. This is a mandatory value that must be explicitly entered.

Values

1 to 64

minutes

Specifies the period of time, in minutes, that a specified number of unsuccessful attempts can be made before the user is locked out.

Values

0 to 60

minutes

Specifies the lockout period, in minutes, during which the user is not allowed to login.

Values

0 to 1440, or infinite

If the user exceeds the attempted count times in the specified time, then that user is locked out from any further login attempts for the configured lockout time period.

Values

0 to 1440

Values

infinite; user is locked out and must wait until manually unlocked before any further attempts.

Platforms

All

attempts

Syntax

attempts [count] [time minutes1] [lockout minutes2]

no attempts

Context

[Tree] (config>system>security>snmp attempts)

Full Context

configure system security snmp attempts

Description

This command configures a threshold value of unsuccessful SNMPv2 or SNMPv3 connection attempts allowed in a specified time frame. The command parameters are used to counter denial of service (DoS) attacks through SNMP.

If the threshold is exceeded, the host is locked out for the lockout time period.

The no form of the command restores the default values.

Default

attempts 20 time 5 lockout 10

Parameters

count

Specifies the number unsuccessful SNMP attempts allowed for the specified time.

Values

1 to 64

minutes1

Specifies period of time, in minutes, that a specified number of unsuccessful attempts can be made before the host is locked out.

Values

0 to 60

minutes2

Specifies the lockout period in minutes where the host is not allowed to login. When the host exceeds the attempted count times in the specified time, then that host is locked out from any further login attempts for the configured time period.

Values

0 to 1440

Platforms

All

attrib

attrib

Syntax

attrib [+r | -r] file-url

attrib

Context

[Tree] (file attrib)

Full Context

file attrib

Description

This command sets or clears/resets the read-only attribute for a file in the local file system. To list all files and their current attributes enter attrib or attrib x where x is either the filename or a wildcard (*).

When an attrib command is entered to list a specific file or all files in a directory, the file’s attributes are displayed with or without an "R” preceding the filename. The "R” implies that the +r is set and that the file is read-only. Files without the "R” designation implies that the -r is set and that the file is read-write-all. For example:

ALA-1>file cf3:\ # attrib
cf3:\bootlog.txt
cf3:\bof.cfg
cf3:\boot.ldr
cf3:\sr1.cfg
cf3:\test
cf3:\bootlog_prev.txt
cf3:\BOF.SAV 

Parameters

file-url

Specifies the URL for the local file.

Values

local-url

[cflash-id/][file-path] up to 200 characters, including cflash-id directory length 99 chars max each

remote-url

[{ftp:// | tftp://}login:pswd@remote-locn/][file-path]

up to 247 characters

directory length up to 199 characters

remote-locn

[hostname | ipv4-address | [ipv6-address]]

ipv4-address

a.b.c.d

ipv6-address

x:x:x:x:x:x:x:x[-interface]

x:x:x:x:x:x:d.d.d.d[-interface]

x - [0 to FFFF]H

d - [0 to 255]D

interface - up to 32 characters, for link local addresses 255

cflash-id

cf1:, cf1-A:, cf1-B:, cf2:, cf2-A:, cf2-B:, cf3:, cf3-A:, cf3-B:

+r

Sets the read-only attribute on the specified file.

-r

Clears/resets the read-only attribute on the specified file.

Platforms

All

attribute

attribute

Syntax

attribute [vendor vendor-id] attribute-type attribute-type

no attribute

Context

[Tree] (config>router>nat>inside>subscriber-identification attribute)

[Tree] (config>service>vprn>nat>inside>subscriber-identification attribute)

Full Context

configure router nat inside subscriber-identification attribute

configure service vprn nat inside subscriber-identification attribute

Description

This command defines the attribute that will in addition to framed-ip-address (inside IP address) and service-id be used for correlating BNG subscriber with the NAT subscriber.

Only a single attribute at the time can be configured. The attribute will be extracted from the BNG accounting start and/or interim-update messages via RADIUS accounting proxy server. This attribute can be then optionally passed to the Large Scale NAT44 accounting server. User-name attribute (if included) in Large Scale NAT44 accounting messages will be automatically set to the subscriber-id string.

The attribute parameter can be changed at any given time and the change will be reflected automatically when the next interim-update message from the BNG host is received by the RADIUS accounting proxy.

In case that the BNG accounting message in RADIUS accounting proxy does not contain this attribute, subscriber aware Large Scale NAT44 functionality for this particular subscriber will be disabled.

Default

attribute vendor "nokia" attribute-type "alc-sub-string"

Parameters

vendor vendor-id

specifies the RADIUS vendor ID.

Values

standard, nokia (6527), 3gpp

Default

nokia

attribute-type attribute-type

Specifies the RADIUS attribute to be used as subscriber. identifier

Values

alc-sub-string (nokia) — Subscriber-id string (Alc-Subsc-ID-Str) is cached in Large Scale NAT44 application and used to correlate Large Scale NAT44 subscriber to BNG subscriber.

user-name (stnd) — User-Name standard RADIUS attribute is cached in Large Scale NAT44 application and is used to correlate Large Scale NAT44 subscriber to BNG subscriber.

class (stnd) — Class standard RADIUS attribute is cached in Large Scale NAT44 application and is used to correlate Large Scale NAT44 subscriber to BNG subscriber. Class attribute is initially set and send by RADIUS server. As such it must be echoed by BNG in all accounting messages.

station-id (stnd) — Calling-Station-Id RADIUS attribute is cached in Large Scale NAT44 application and is used to correlate Large Scale NAT44 subscriber to BNG subscriber.

imsi (3gpp) — International Mobile Subscriber Identification is used in WiFi Offload applications as a SIM card identifier.

imei (3gpp) — International Mobile Equipment Identification is used in WiFi Offload applications as a physical phone device identifier.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

attribute-matching

attribute-matching

Syntax

attribute-matching

Context

[Tree] (config>service>vprn>radius-proxy>server attribute-matching)

[Tree] (config>router>radius-proxy>server attribute-matching)

Full Context

configure service vprn radius-proxy server attribute-matching

configure router radius-proxy server attribute-matching

Description

Commands in this context select the RADIUS policy for authentication and accounting based on the RADIUS attribute. This feature is supported for both the ESM RADIUS proxy and the ISA RADIUS proxy.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

attribute-table-high-wmark

attribute-table-high-wmark

Syntax

no attribute-table-high-wmark high-water-mark

no attribute-table-high-wmark

Context

[Tree] (config>service>vpls>mrp>mmrp attribute-table-high-wmark)

[Tree] (config>service>vpls>mrp>mvrp attribute-table-high-wmark)

Full Context

configure service vpls mrp mmrp attribute-table-high-wmark

configure service vpls mrp mvrp attribute-table-high-wmark

Description

This command specifies the percentage filling level of the MMRP attribute table where logs and traps are sent.

Default

attribute-table-high-wmark 95

Parameters

high-water-mark

Specifies the utilization of the MRP attribute table of this service at which a table full alarm will be raised by the agent, as a percentage.

Values

0 to 100

Platforms

All

attribute-table-low-wmark

attribute-table-low-wmark

Syntax

attribute-table-low-wmark low-water-mark

no attribute-table-low-wmark

Context

[Tree] (config>service>vpls>mrp>mvrp attribute-table-low-wmark)

[Tree] (config>service>vpls>mrp>mmrp attribute-table-low-wmark)

Full Context

configure service vpls mrp mvrp attribute-table-low-wmark

configure service vpls mrp mmrp attribute-table-low-wmark

Description

This command specifies the MMRP attribute table low watermark as a percentage. When the percentage filling level of the MMRP attribute table drops below the configured value, the corresponding trap is cleared and/or a log entry is added.

Default

attribute-table-low-wmark 90

Parameters

low-water-mark

Specifies utilization of the MRP attribute table of this service at which a table full alarm will be cleared by the agent, as a percentage.

Values

0 to 100

Platforms

All

attribute-table-size

attribute-table-size

Syntax

attribute-table-size max-attributes

no attribute-table-size

Context

[Tree] (config>service>vpls>mrp>mmrp attribute-table-size)

Full Context

configure service vpls mrp mmrp attribute-table-size

Description

This command controls the number of attributes accepted on a per B-VPLS basis. When the limit is reached, no new attributes will be registered.

If a new lower limit (smaller than the current number of attributes) from a local or dynamic I-VPLS is being provisioned, a CLI warning will be issued stating that the system is currently beyond the new limit. The value will be accepted, but any creation of new attributes will be blocked under the attribute count drops below the new limit; the software will then start enforcing the new limit.

Default

maximum number of attributes

Parameters

value

The maximum number of attributes accepted per B-VPLS.

Values

1 to 2048 (Full participants)

1 to 8191 (End-Station-Only participants)

Platforms

All

attribute-table-size

Syntax

[no] attribute-table-size value

Context

[Tree] (config>service>vpls>mrp>mvrp attribute-table-size)

Full Context

configure service vpls mrp mvrp attribute-table-size

Description

This command controls the number of attributes accepted on a per M-VPLS basis. When the limit is reached, no new attributes will be registered.

If a new lower limit (smaller than the current number of attributes) is being provisioned, a CLI warning will be issued stating that the system is currently beyond the new limit. The value will be accepted, but any creation of new attributes will be blocked under the attribute count drops below the new limit; the software will then start enforcing the new limit.

Default

maximum number of attributes

Parameters

value

Specifies the number of attributes accepted on a per M-VPLS basis

Values

1 to 4095 for MVRP

Platforms

All

audio-template

audio-template

Syntax

audio-template

Context

[Tree] (config>app-assure>group>cflowd>rtp-perf audio-template)

Full Context

configure application-assurance group cflowd rtp-performance audio-template

Description

Commands in this context configure the audio template for cflowd fields.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

augment-route-table

augment-route-table

Syntax

[no] augment-route-table

Context

[Tree] (config>router>isis>loopfree-alternates augment-route-table)

Full Context

configure router isis loopfree-alternates augment-route-table

Description

This command enables IS-IS to attach Remote LFA specific information to RTM entries for use by other protocols. This command requires configure router isis lfa remote-lfa to be enabled. Currently only LDP makes use of this additional information.

The no form of this command disables IS-IS to attach Remote LFA specific information to RTM entries for use by other protocols.

Platforms

All

augment-route-table

Syntax

[no] augment-route-table

Context

[Tree] (config>router>ospf>loopfree-alternates augment-route-table)

Full Context

configure router ospf loopfree-alternates augment-route-table

Description

This command enables OSPF to attach Remote LFA (rLFA) information to RTM entries for use by other protocols. Before this command is configured, the configure router ospf lfa remote-lfa command, must be enabled on the system. Currently, only LDP makes use of this additional information.

The no form of this command disables the attachment of rLFA-specific information to RTM entries for use by other protocols.

Default

no augment-route-table

Platforms

All

auth

auth

Syntax

[no] auth

Context

[Tree] (debug>router>rsvp>event auth)

Full Context

debug router rsvp event auth

Description

This command debugs auth events.

The no form of the command disables the debugging.

Platforms

All

auth

Syntax

[no] auth [neighbor ip-int-name | ip-address]

Context

[Tree] (debug>router>rip auth)

Full Context

debug router rip auth

Description

This command enables debugging for RIP authentication.

Parameters

ip-int-name | ip-address

Debugs the RIP authentication for the neighbor IP address or interface.

Platforms

All

auth-domain-name

auth-domain-name

Syntax

auth-domain-name domain-name

no auth-domain-name

Context

[Tree] (config>subscr-mgmt>loc-user-db>ipoe>host auth-domain-name)

Full Context

configure subscriber-mgmt local-user-db ipoe host auth-domain-name

Description

This command sets the domain name which can be appended to user-name in RADIUS-authentication-request message for the given host.

The no form of this command removes the domain name from the host configuration.

Parameters

domain-name

Specifies the domain name, up to 32 characters, to be appended to user-name in RADIUS-authentication-request message for the given host.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

auth-include-attributes

auth-include-attributes

Syntax

[no] auth-include-attributes

Context

[Tree] (config>aaa>isa-radius-plcy auth-include-attributes)

Full Context

configure aaa isa-radius-policy auth-include-attributes

Description

This command configures attributes to be included in RADIUS authentication messages.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

auth-keychain

auth-keychain

Syntax

auth-keychain name

no auth-keychain

Context

[Tree] (config>subscr-mgmt>bgp-prng-plcy auth-keychain)

Full Context

configure subscriber-mgmt bgp-peering-policy auth-keychain

Description

This command configures the BGP authentication key for all peers.

The keychain allows the rollover of authentication keys during the lifetime of a session.

The no form of this command reverts to the default.

Parameters

name

Specifies the name of an existing keychain, up to 32 characters, to use for the specified TCP session or sessions.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

auth-keychain

Syntax

auth-keychain name

Context

[Tree] (config>service>vprn>bgp>group>neighbor auth-keychain)

[Tree] (config>service>vprn>bgp auth-keychain)

[Tree] (config>service>vprn>bgp>group auth-keychain)

Full Context

configure service vprn bgp group neighbor auth-keychain

configure service vprn bgp auth-keychain

configure service vprn bgp group auth-keychain

Description

This command configures the BGP authentication key for all peers.

The keychain allows the rollover of authentication keys during the lifetime of a session.

Default

no auth-keychain

Parameters

name

Specifies the name of an existing keychain, up to 32 characters, to use for the specified TCP session or sessions.

Platforms

All

auth-keychain

Syntax

auth-keychain name

Context

[Tree] (config>service>vprn>isis auth-keychain)

[Tree] (config>service>vprn>isis>level auth-keychain)

Full Context

configure service vprn isis auth-keychain

configure service vprn isis level auth-keychain

Description

This command configures an authentication keychain to use for the protocol interface for the VPRN instance. The keychain allows the rollover of authentication keys during the lifetime of a session.

Default

no auth-keychain

Parameters

name

Specifies the name of the keychain, up to 32 characters, to use for the specified protocol session or sessions.

Platforms

All

auth-keychain

Syntax

auth-keychain name

Context

[Tree] (config>router>isis>level auth-keychain)

[Tree] (config>router>isis auth-keychain)

Full Context

configure router isis level auth-keychain

configure router isis auth-keychain

Description

This command configures an authentication keychain to use for the protocol interface. The keychain allows the rollover of authentication keys during the lifetime of a session.

Parameters

name

Specifies the name of the keychain, up to 32 characters, to use for the specified protocol session or sessions.

Platforms

All

auth-keychain

Syntax

auth-keychain name

Context

[Tree] (config>service>vprn>ospf>area>virtual-link auth-keychain)

[Tree] (config>service>vprn>ospf>area>if auth-keychain)

[Tree] (config>service>vprn>ospf>area>sham-link auth-keychain)

Full Context

configure service vprn ospf area virtual-link auth-keychain

configure service vprn ospf area interface auth-keychain

configure service vprn ospf area sham-link auth-keychain

Description

This command enables the authentication keychain.

Parameters

name

Specifies the name of the authentication keychain, up to 32 characters.

Platforms

All

auth-keychain

Syntax

auth-keychain name

Context

[Tree] (config>router>ldp>tcp-session-params auth-keychain)

[Tree] (config>router>ldp>tcp-session-params>peer-transport auth-keychain)

Full Context

configure router ldp tcp-session-parameters auth-keychain

configure router ldp tcp-session-parameters peer-transport auth-keychain

Description

This command configures the TCP authentication keychain to use for the TCP session. The per-peer authentication configuration takes precedence over the global authentication configuration.

Parameters

name

Specifies the name of the keychain, up to 32 characters. This keychain is used for the specified TCP session or sessions, and allows the rollover of authentication keys during the lifetime of a session. The peer address used must be the TCP session transport address.

Platforms

All

auth-keychain

Syntax

auth-keychain name

Context

[Tree] (config>router>rsvp>interface auth-keychain)

Full Context

configure router rsvp interface auth-keychain

Description

This command configures an authentication keychain to use for authentication of protocol messages sent and received over the associated interface. The keychain must include a valid entry to properly authenticate protocol messages, including a key, specification of a supported authentication algorithm, and beginning time. Each entry may also include additional options to control the overall lifetime of each entry to allow for the seamless rollover of without affecting the protocol adjacencies.

The no form of the auth-keychain command removes the association between the routing protocol and any keychain currently used.

Default

no auth-keychain

Parameters

name

Specifies the name of the keychain, up to 32 characters, to use for the specified protocol session or sessions.

Platforms

All

auth-keychain

Syntax

auth-keychain name

Context

[Tree] (config>router>bgp>group>neighbor auth-keychain)

[Tree] (config>router>bgp>group auth-keychain)

[Tree] (config>router>bgp auth-keychain)

Full Context

configure router bgp group neighbor auth-keychain

configure router bgp group auth-keychain

configure router bgp auth-keychain

Description

This command configures a TCP authentication keychain to use for the session. The keychain allows the rollover of authentication keys during the lifetime of a session.

Default

no auth-keychain

Parameters

name

Specifies the name of the keychain, up to 32 characters, to use for the specified TCP session or sessions.

Platforms

All

auth-keychain

Syntax

auth-keychain

Context

[Tree] (config>router>ospf>area>interface auth-keychain)

[Tree] (config>router>ospf>area>virtual-link auth-keychain)

Full Context

configure router ospf area interface auth-keychain

configure router ospf area virtual-link auth-keychain

Description

This command configures an authentication keychain to use for the protocol interface. The keychain allows the rollover of authentication keys during the lifetime of a session.

The no form of this command removes the association to a previously specified keychain.

Default

no auth-keychain

Parameters

name

Specifies the name of the keychain, up to 32 characters, to use for the specified protocol session or sessions.

Platforms

All

auth-method

auth-method

Syntax

auth-method {psk | plain-psk-xauth | cert-auth | psk-radius | cert-radius | eap | auto-eap-radius | auto-eap}

no auth-method

Context

[Tree] (config>ipsec>ike-policy auth-method)

Full Context

configure ipsec ike-policy auth-method

Description

This command specifies the authentication method used with this IKE policy.

The no form of this command removes the parameter from the configuration.

Default

no auth-method

Parameters

psk

Both client and gateway authenticate each other by a hash derived from a pre-shared secret. Both client and gateway must have the PSK. This work with both IKEv1 and IKEv2

plain-psk-xauth

Both client and gateway authenticate each other by pre-shared key and RADIUS. This work with IKEv1 only.

psk-radius

Use the pre-shared-key and RADIUS to authenticate. IKEv2 remote-access tunnel only.

cert-radius

Use the certificate, public/private key and RADIUS to authenticate. IKEv2 remote-access tunnel only.

eap

Use the EAP to authenticate peer. IKEv2 remote-access tunnel only

auto-eap-radius

Use EAP or potentially other method to authenticate the peer. IKEv2 remote-access tunnel only. Also see config>ipsec>ike-policy auto-eap-method and config>ipsec>ike-policy auto-eap-own-method.

auto-eap

Use the EAP or potentially other RADIUS-related method to authenticate the peer. IKEv2 remote-access tunnel only. Also see config>ipsec>ike-policy auto-eap-method and config>ipsec>ike-policy auto-eap-own-method.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

auth-policy

auth-policy

Syntax

auth-policy policy-name

no auth-policy

Context

[Tree] (config>subscr-mgmt>loc-user-db>ipoe>host auth-policy)

[Tree] (config>subscr-mgmt>loc-user-db>ppp>host auth-policy)

Full Context

configure subscriber-mgmt local-user-db ipoe host auth-policy

configure subscriber-mgmt local-user-db ppp host auth-policy

Description

This command configures the authentication policy of this host and PPPoE hosts. This authentication policy is only used if no authentication policy is defined at the interface level. For DHCP hosts, the host entry should not contain any other information needed for setup of the host (IP address, ESM strings, and so on.). For PPPoE hosts, the authentication policy configured here must have its PPPoE authentication method set to pap-chap, otherwise the request is dropped.

The no form of this command reverts to the default.

Parameters

policy-name

Specifies the authentication policy name, up to 32 characters

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

auth-port

auth-port

Syntax

auth-port port

no auth-port

Context

[Tree] (config>service>vprn>radius-server>server auth-port)

[Tree] (config>router>radius-server>server auth-port)

Full Context

configure service vprn radius-server server auth-port

configure router radius-server server auth-port

Description

This command specifies the UDP listening port for RADIUS authentication requests.

The no form of this commands resets the UDP port to its default value (1812)

Default

auth-port 1812

Parameters

port

Specifies the UDP listening port for accounting requests of the external RADIUS server.

Values

1 to 65535

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

auth-request-script-policy

auth-request-script-policy

Syntax

auth-request-script-policy policy-name

no auth-request-script-policy

Context

[Tree] (config>aaa>radius-srv-plcy auth-request-script-policy)

Full Context

configure aaa radius-server-policy auth-request-script-policy

Description

This command specifies the name of the RADIUS script policy used to change the RADIUS attributes of the Access-Request messages.

Parameters

policy-name

Specifies the name of the Python script to modify Access-Request messages, up to 32 characters

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

authenticate

authenticate

Syntax

[no] authenticate

Context

[Tree] (config>service>vprn>ntp authenticate)

Full Context

configure service vprn ntp authenticate

Description

This command enables authentication for the NTP server.

Platforms

All

authenticate-client

authenticate-client

Syntax

authenticate-client

Context

[Tree] (config>system>security>tls>server-tls-profile authenticate-client)

Full Context

configure system security tls server-tls-profile authenticate-client

Description

Commands in this context configure client authentication parameters.

Platforms

All

authenticate-on-dhcp

authenticate-on-dhcp

Syntax

[no] authenticate-on-dhcp

Context

[Tree] (config>service>vprn>sub-if>grp-if>wlan-gw>ranges>range authenticate-on-dhcp)

[Tree] (config>service>ies>sub-if>grp-if>wlan-gw>ranges>range authenticate-on-dhcp)

Full Context

configure service vprn subscriber-interface group-interface wlan-gw vlan-tag-ranges range authenticate-on-dhcp

configure service ies subscriber-interface group-interface wlan-gw vlan-tag-ranges range authenticate-on-dhcp

Description

This command enables initial authentication (when there is no state for the UE on the ISA), to be triggered by DHCP DISCOVER or REQUEST. The default behavior is authentication based on first Layer 3 packet.

The no form of this command reverts to the default.

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

authenticated-brg-only

authenticated-brg-only

Syntax

[no] authenticated-brg-only

Context

[Tree] (config>service>ies>sub-if>grp-if>wlan-gw>ranges>range>brg authenticated-brg-only)

[Tree] (config>service>ies>sub-if>grp-if>wlan-gw>vlan-ranges>range>vrgw>brg authenticated-brg-only)

[Tree] (config>service>vprn>sub-if>grp-if>wlan-gw>vlan-ranges>range>vrgw>brg authenticated-brg-only)

[Tree] (config>service>ies>sub-if>grp-if>brg authenticated-brg-only)

[Tree] (config>service>vprn>sub-if>grp-if>brg authenticated-brg-only)

[Tree] (config>service>vprn>sub-if>grp-if>wlan-gw>ranges>range>brg authenticated-brg-only)

Full Context

configure service ies subscriber-interface group-interface wlan-gw ranges range brg authenticated-brg-only

configure service ies subscriber-interface group-interface wlan-gw vlan-ranges range vrgw brg authenticated-brg-only

configure service vprn subscriber-interface group-interface wlan-gw vlan-ranges range vrgw brg authenticated-brg-only

configure service ies subscriber-interface group-interface brg authenticated-brg-only

configure service vprn subscriber-interface group-interface brg authenticated-brg-only

configure service vprn subscriber-interface group-interface wlan-gw ranges range brg authenticated-brg-only

Description

This command indicates that only BRGs that are pre-authenticated using the RADIUS proxy are allowed in this context.

The no form of this command removes the restriction.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

authentication

authentication

Syntax

authentication {chap | pap | pref-chap | prep-pap}

Context

[Tree] (config>router>l2tp>group>ppp authentication)

[Tree] (config>router>l2tp>group>tunnel>ppp authentication)

[Tree] (config>service>vprn>l2tp>group>tunnel>ppp authentication)

[Tree] (config>service>vprn>l2tp>group>ppp authentication)

Full Context

configure router l2tp group ppp authentication

configure router l2tp group tunnel ppp authentication

configure service vprn l2tp group tunnel ppp authentication

configure service vprn l2tp group ppp authentication

Description

This command configures the PPP authentication protocol to negotiate authentication.

Default

authentication pref-chap

Parameters

chap

Specifies to always use CHAP for authentication.

pap

Specifies to always use PAP for authentication.

pref-chap

Specifies to use CHAP as the preferred authentication method, and to use PAP if that attempt fails.

pref-pap

Specifies to use PAP as the preferred authentication method, and to use CHAP if that attempt fails.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

authentication

Syntax

authentication

Context

[Tree] (config>service>dynsvc>policy authentication)

Full Context

configure service dynamic-services dynamic-services-policy authentication

Description

Commands in this context configure authentication parameters for data-triggered dynamic services.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

authentication

Syntax

authentication [policy policy-name] [mac-addr ieee-address] [circuit-id circuit-id]

Context

[Tree] (debug>subscr-mgmt authentication)

Full Context

debug subscriber-mgmt authentication

Description

This command debugs subscriber authentication.

Parameters

policy-name

Specifies an existing subscriber management authentication policy name.

ieee-address

Specifies the 48-bit MAC address xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx.

circuit-id

Specify the circuit-id, up to 256 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

authentication

Syntax

authentication

Context

[Tree] (config>service>vprn>sub-if>grp-if>wlan-gw>ranges>range authentication)

[Tree] (config>service>ies>sub-if>grp-if>wlan-gw>ranges>range authentication)

Full Context

configure service vprn subscriber-interface group-interface wlan-gw vlan-tag-ranges range authentication

configure service ies subscriber-interface group-interface wlan-gw vlan-tag-ranges range authentication

Description

Commands in this context create configuration for authenticating a user from the WLAN-GW ISA.

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

authentication

Syntax

authentication bidirectional sa-name

authentication inbound sa-name outbound sa-name

no authentication

Context

[Tree] (config>service>vprn>ospf3>area>virtual-link authentication)

[Tree] (config>service>vprn>ospf3>area>if authentication)

Full Context

configure service vprn ospf3 area virtual-link authentication

configure service vprn ospf3 area interface authentication

Description

This command configures OPSFv3 confidentiality authentication.

The no form of this command removes the SA name from the configuration.

Parameters

bidirectional sa-name

Specifies the IPsec security association name in case the OSPFv3 traffic on the interface has to be authenticated.

inbound sa-name

Specifies the IPsec security association name in case the OSPFv3 traffic on the interface has to be authenticated.

outbound sa-name

Specifies the IPsec security association name in case the OSPFv3 traffic on the interface has to be authenticated.

Platforms

All

authentication

Syntax

authentication ascii-algorithm ascii-key ascii-string [hash | hash2 | custom]

authentication auth-algorithm hex-key hex-string [hash | hash2 | custom]

no authentication

Context

[Tree] (config>ipsec>static-sa authentication)

Full Context

configure ipsec static-sa authentication

Description

This command configures the authentication algorithm to use for an IPsec manual SA.

Default

no authentication

Parameters

auth-algorithm

Specifies the authentication algorithm to be used.

Values

mda5, sha1

ascii-string

Specifies an ASCII key; 16 characters for md5 and 20 characters for sha1.

hex-string

Specifies a HEX key; 32 hex nibbles for md5 and 40 hex nibbles for sha1.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to management interface.

Platforms

All

authentication

Syntax

authentication [port udp-port]

no authentication

Context

[Tree] (config>aaa>isa-radius-plcy>servers>server authentication)

Full Context

configure aaa isa-radius-policy servers server authentication

Description

This command configures authentication for this server.

Default

no authentication

Parameters

udp-port

Specifies the UDP port number on which to contact the RADIUS server for authentication.

Values

1 to 65535

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

authentication

Syntax

[no] authentication

Context

[Tree] (config>li>x-interfaces>lics>lic authentication)

Full Context

configure li x-interfaces lics lic authentication

Description

This command configures the parameters for authentication of INE and LIC on the X1 and X2 interfaces.

The no form of this command removes the configured parameters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

authentication

Syntax

authentication none

authentication authentication-protocol authentication-key [privacy-none] [hash | hash2 | custom]

authentication authentication-protocol authentication-key privacy privacy-protocol privacy-key [hash | hash2 | custom]

no authentication

Context

[Tree] (config>system>security>user>snmp authentication)

Full Context

configure system security user snmp authentication

Description

This command configures the SNMPv3 authentication and privacy protocols for the user to communicate with the router. The keys are stored in an encrypted format in the configuration.

The keys configured with these commands must be localized keys, which are a hash of the SNMP engine ID and a password. The password is not entered directly in this command. Use the tools perform system management-interface snmp generate-key command to generate localized authentication and privacy keys.

Default

authentication none

Parameters

none

Keyword to specify that no authentication protocol is used. If none is specified, privacy cannot be configured.

authentication-protocol

Specifies the SNMPv3 authentication protocol.

Values

hmac-md5-96 — Specifies use of the HMAC-MD5-96 authentication protocol.

hmac-sha1-96 — Specifies use of the HMAC-SHA-96 authentication protocol.

hmac-sha2-224 — Specifies use of the HMAC-SHA-224 authentication protocol.

hmac-sha2-256 — Specifies use of the HMAC-SHA-256 authentication protocol.

hmac-sha2-384 — Specifies use of the HMAC-SHA-384 authentication protocol.

hmac-sha-512 — Specifies use of the HMAC-SHA-512 authentication protocol.

authentication-key

Specifies the localized authentication key, which is entered as a hexadecimal string; the character length depends on the specified authentication protocol. The following table lists the authentication protocol key lengths.

Table 4. Authentication protocol key lengths

Authentication protocol

Character lengths

HMAC-MD5-96

32

HMAC-SHA-96

40

HMAC-SHA-224

56

HMAC-SHA-256

64

HMAC-SHA-384

96

HMAC-SHA-512

128

privacy-none

Keyword to specify that a privacy protocol is not used in the communication.

Default

privacy none

privacy-protocol

Specifies the SNMPv3 privacy protocol.

Values

cbc-des — Specifies the use of the CBC-DES privacy protocol. This parameter is not available in FIPS-140-2 mode.

cfb128-aes-128 — Specifies the use of the CFB128-AES-128 privacy protocol.

cfb128-aes-192 — Specifies the use of the CFB128-AES-192 privacy protocol.

cfb128-aes-256 — Specifies the use of the CFB128-AES-256 privacy protocol.

privacy-key

Specifies the localized privacy key, which is entered as a hexadecimal string; the character length depends on the specified privacy protocol. The following table lists the privacy protocol key lengths.

Table 5. Privacy protocol key lengths
Privacy protocol

Character length

CBC-DES

32

CFB128-AES-128

32

CFB128-AES-192

48

CFB128-AES-256

64
hash

Keyword that specifies the key is entered in an encrypted form. If the hash or hash2 keyword is not specified, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Keyword that specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone; that is, the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 keyword is not specified, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Keyword that specifies the custom encryption to the management interface.

Platforms

All

authentication

Syntax

authentication bidirectional sa-name

authentication [inbound sa-name outbound sa-name]

no authentication

Context

[Tree] (config>router>ospf3>area>interface authentication)

[Tree] (config>router>ospf3>area>virtual-link authentication)

Full Context

configure router ospf3 area interface authentication

configure router ospf3 area virtual-link authentication

Description

This command configures the password used by the OSPF3 interface or virtual-link to send and receive OSPF3 protocol packets on the interface when simple password authentication is configured.

All neighboring routers must use the same type of authentication and password for proper protocol communication.

By default, no authentication key is configured.

The no form of this command removes the authentication.

Default

no authentication

Parameters

bidirectional sa-name

Specifies bidirectional OSPF3 authentication.

inbound sa-name

Specifies the inbound security association (SA) name for OSPF3 authentication.

outbound sa-name

Specifies the outbound SA name for OSPF3 authentication.

Platforms

All

authentication-check

authentication-check

Syntax

[no] authentication-check

Context

[Tree] (config>service>vprn>isis authentication-check)

Full Context

configure service vprn isis authentication-check

Description

This command sets an authentication check to reject PDUs that do not match the type or key requirements for the VPRN instance.

The default behavior when authentication is configured is to reject all IS-IS protocol PDUs that have a mismatch in either the authentication type or authentication key.

When no authentication-check is configured, authentication PDUs are generated and IS-IS PDUs are authenticated on receipt. However, mismatches cause an event to be generated and will not be rejected.

The no form of this command allows authentication mismatches to be accepted and generates a log event.

Default

authentication-check — Rejects authentication mismatches.

Platforms

All

authentication-check

Syntax

[no] authentication-check

Context

[Tree] (config>service>vprn>ntp authentication-check)

Full Context

configure service vprn ntp authentication-check

Description

This command provides the option to skip the rejection of NTP PDUs that do not match the authentication key-id, type or key requirements. The default behavior when authentication is configured is to reject all NTP protocol PDUs that have a mismatch in either the authentication key-id, type or key.

When authentication-check is enabled, NTP PDUs are authenticated on receipt. However, mismatches cause a counter to be increased, one counter for type and one for key-id, one for type, value mismatches. These counters are visible in a show command.

The no form of this command allows authentication mismatches to be accepted; the counters however are maintained.

Default

authentication-check — Rejects authentication mismatches.

Platforms

All

authentication-check

Syntax

[no] authentication-check

Context

[Tree] (config>system>time>ntp authentication-check)

Full Context

configure system time ntp authentication-check

Description

This command provides the option to skip the rejection of NTP PDUs that do not match the authentication key-id, type or key requirements. The default behavior when authentication is configured is to reject all NTP protocol PDUs that have a mismatch in either the authentication key-id, type or key.

When authentication-check is enabled, NTP PDUs are authenticated on receipt. However, mismatches cause a counter to be increased, one counter for type and one for key-id, one for type, value mismatches. These counters are visible in a show command.

The no form of this command allows authentication mismatches to be accepted; the counters however are maintained.

Default

authentication-check

Platforms

All

authentication-check

Syntax

[no] authentication-check

Context

[Tree] (config>router>isis authentication-check)

Full Context

configure router isis authentication-check

Description

This command sets an authentication check to reject PDUs that do not match the type or key requirements.

The default behavior when authentication is configured is to reject all IS-IS protocol PDUs that have a mismatch in either the authentication type or authentication key.

When no authentication-check is configured, authentication PDUs are generated and IS-IS PDUs are authenticated on receipt. However, mismatches cause an event to be generated and will not be rejected.

The no form of this command allows authentication mismatches to be accepted and generates a log event.

Default

authentication-check

Platforms

All

authentication-key

authentication-key

Syntax

authentication-key [authentication-key | hash-key] [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>subscr-mgmt>bgp-prng-plcy authentication-key)

Full Context

configure subscriber-mgmt bgp-peering-policy authentication-key

Description

This command configures the BGP authentication key.

The MD5 message-based digest is used to perform authentication between neighboring routers before setting up the BGP session by verifying the password. The authentication key can be any combination of letters or numbers from 1 to 16.

The no form of this command removes the authentication password from the configuration and effectively disables authentication.

Parameters

authentication-key

Specifies an authentication key. The key can be up to 255 characters (unencrypted).

hash-key

Specifies the hash key. The key can be any combination of ASCII characters up to 342 characters (encrypted).

This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to the management interface.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

authentication-key

Syntax

authentication-key {authentication-key | hash-key} [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>redundancy>multi-chassis>peer authentication-key)

Full Context

configure redundancy multi-chassis peer authentication-key

Description

This command configures the authentication key used between this node and the multi-chassis peer. The authentication key can be any combination of letters or numbers. The no form of the command removes the authentication key.

Default

no authentication-key

Parameters

authentication-key

Specifies the authentication key. Allowed values are any string up to 20 characters long composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes.

hash-key

Specifies the hash key. The key can be any combination of ASCII characters up to 33 (hash1-key) or 55 (hash2-key) characters in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ”).

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to management interface.

Platforms

All

authentication-key

Syntax

authentication-key [authentication-key | hash-key] [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>subscr-mgmt>rip-policy authentication-key)

Full Context

configure subscriber-mgmt rip-policy authentication-key

Description

This command configures the BGP authentication key.

Authentication is performed between neighboring routers before setting up the BGP session by verifying the password. Authentication is performed using the MD5 message-based digest. The authentication key can be any combination of letters or numbers from 1 to 16.

The no form of this command removes the authentication password from the configuration and effectively disables authentication.

Default

Authentication is disabled and the authentication password is empty.

Parameters

authentication-key

Specifies the authentication key. The key can be any combination of ASCII characters up to 255 characters (unencrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ”).

hash-key

Specifies the hash key. The key can be any combination of ASCII characters up to 342 characters (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ”).

This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to management interface.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

authentication-key

Syntax

authentication-key {authentication-key | hash-key} [hash | hash2| custom]

no authentication-key

Context

[Tree] (config>service>ies>if>vrrp authentication-key)

Full Context

configure service ies interface vrrp authentication-key

Description

The authentication-key command, within the vrrp virtual-router-id context, is used to assign a simple text password authentication key to generate master VRRP advertisement messages and validating received VRRP advertisement messages.

The authentication-key command is one of the few commands not affected by the presence of the owner keyword. If simple text password authentication is not required, the authentication-key command is not required. If the command is re-executed with a different password key defined, the new key will be used immediately. If a no authentication-key command is executed, the password authentication key is restored to the default value. The authentication-key command may be executed at any time.

To change the current in-use password key on multiple virtual router instances:

  • Identify the current master

  • Shutdown the virtual router instance on all backups

  • Execute the authentication-key command on the master to change the password key

  • Execute the authentication-key command and no shutdown command on each backup key

The no form of the command removes the authentication key.

Default

No default. The authentication data field contains the value 0 in all 16 octets.

Parameters

authentication-key

The key parameter identifies the simple text password used when VRRP Authentication Type 1 is enabled on the virtual router instance. Type 1 uses a string eight octets long that is inserted into all transmitted VRRP advertisement messages and compared against all received VRRP advertisement messages. The authentication data fields are used to transmit the key.

The key parameter is expressed as a string consisting up to eight alpha-numeric characters. Spaces must be contained in quotation marks (" ”). The quotation marks are not considered part of the string.

The string is case sensitive and is left-justified in the VRRP advertisement message authentication data fields. The first field contains the first four characters with the first octet (starting with IETF RFC bit position 0) containing the first character. The second field holds the fifth through eighth characters. Any unspecified portion of the authentication data field is padded with the value 0 in the corresponding octet.

Values

Any 7-bit printable ASCII character.

Exceptions:

Double quote (")

ASCII 34

Carriage Return

ASCII 13

Line Feed

ASCII 10

Tab

ASCII 9

Backspace

ASCII 8

hash-key

The hash key. The key can be any combination of ASCII characters up to 22 characters in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ”).

This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to management interface.

Platforms

All

authentication-key

Syntax

authentication-key {authentication-key | hash-key} [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>service>vprn>bgp>group authentication-key)

[Tree] (config>service>vprn>bgp authentication-key)

[Tree] (config>service>vprn>bgp>group>neighbor authentication-key)

Full Context

configure service vprn bgp group authentication-key

configure service vprn bgp authentication-key

configure service vprn bgp group neighbor authentication-key

Description

This command configures the BGP authentication key.

Authentication is performed between neighboring routers before setting up the BGP session by verifying the password. Authentication is performed using the MD5 message-based digest. The authentication key can be any combination of letters or numbers from 1 to 16.

The no form of this command removes the authentication password from the configuration and effectively disables authentication.

Default

no authentication-key

Parameters

authentication-key

Specifies an authentication key. The key can be up to 255 characters (unencrypted).

hash-key

The hash key. The key can be any combination of ASCII characters up to 342 characters in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ”).

This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to management interface.

Platforms

All

authentication-key

Syntax

authentication-key [authentication-key | hash-key] [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>service>vprn>if>vrrp authentication-key)

Full Context

configure service vprn interface vrrp authentication-key

Description

The authentication-key command, within the vrrp virtual-router-id context, is used to assign a simple text password authentication key to generate master VRRP advertisement messages and validate received VRRP advertisement messages.

The authentication-key command is one of the few commands not affected by the presence of the owner keyword. If simple text password authentication is not required, this command is not required. If the command is re-executed with a different password key defined, the new key will be used immediately. If a no authentication-key command is executed, the password authentication key is restored to the default value. The authentication-key command may be executed at any time.

To change the current in-use password key on multiple virtual router instances:

  • Identify the current master

  • Shut down the virtual router instance on all backups

  • Execute the authentication-key command on the master to change the password key

  • Execute the authentication-key command and the no shutdown command on each backup key

The no form of this command restores the default null string to the value of key.

Parameters

authentication-key

The key parameter identifies the simple text password used when VRRP Authentication Type 1 is enabled on the virtual router instance. Type 1 uses a string eight octets long that is inserted into all transmitted VRRP advertisement messages and compared against all received VRRP advertisement messages. The authentication data fields are used to transmit the key.

The key parameter is expressed as a string consisting of up to eight alpha-numeric characters. Spaces must be contained in quotation marks ( " ” ). The quotation marks are not considered part of the string.

The string is case sensitive and is left-justified in the VRRP advertisement message authentication data fields. The first field contains the first four characters with the first octet (starting with IETF RFC bit position 0) containing the first character. The second field holds the fifth through eighth characters. Any unspecified portion of the authentication data field is padded with the value 0 in the corresponding octet.

Values

Any 7-bit printable ASCII character.

Exceptions:

Double quote (")

ASCII 34

Carriage Return

ASCII 13

Line Feed

ASCII 10

Tab

ASCII 9

Backspace

ASCII 8

hash-key

The hash key. The key can be any combination of ASCII characters up to 22 characters in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ”)

This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to management interface.

Platforms

All

authentication-key

Syntax

authentication-key {authentication-key | hash-key} [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>service>vprn>isis>level authentication-key)

[Tree] (config>service>vprn>isis authentication-key)

Full Context

configure service vprn isis level authentication-key

configure service vprn isis authentication-key

Description

This command sets the authentication key used to verify PDUs sent by neighboring routers on the interface for the VPRN instance.

Neighboring routers use passwords to authenticate PDUs sent from an interface. For authentication to work, both the authentication key and the authentication type on a segment must match. The OSPF Commands statement must also be included.

To configure authentication on the global level, configure this command in the config>router>isis context. When this parameter is configured on the global level, all PDUs are authenticated including the Hello PDU.

To override the global setting for a specific level, configure the authentication-key command in the config>router>isis>level context. When configured within the specific level, hello PDUs are not authenticated.

The no form of this command removes the authentication key.

Default

no authentication-key — No authentication key is configured.

Parameters

authentication-key

The authentication key. The key can be any combination of ASCII characters up to 255 characters in length (un-encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ”).

hash-key

The hash key. The key can be any combination of ASCII characters up to 342 characters in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ”).

This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to management interface.

Platforms

All

authentication-key

Syntax

authentication-key [authentication-key | hash-key] [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>service>vprn>msdp>peer authentication-key)

[Tree] (config>service>vprn>msdp>group>peer authentication-key)

Full Context

configure service vprn msdp peer authentication-key

configure service vprn msdp group peer authentication-key

Description

This command configures a Message Digest 5 (MD5) authentication key to be used with a specific Multicast Source Discovery Protocol (MSDP) peering session. The authentication key must be configured per peer as such no global or group configuration is possible.

The no form of this command removes the authentication key.

Default

no authentication-key (All MSDP messages are accepted and the MD5 signature option authentication key is disabled.)

Parameters

authentication-key

Specifies the authentication key. Allowed values are any string up to 256 characters composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, and so on), enclose the entire string in quotation marks (" ”).

hash-key

Specifies the hash key. The key can be any combination of ASCII characters up to 451 characters in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ”).

This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to management interface.

Platforms

All

authentication-key

Syntax

authentication-key key-id key key [hash | hash2 | custom] type {des | message-digest}

no authentication-key key-id

Context

[Tree] (config>service>vprn>ntp authentication-key)

Full Context

configure service vprn ntp authentication-key

Description

This command sets the authentication key-id, type and key used to authenticate NTP PDUs sent by the broadcast server function toward external clients or to authenticate NTP PDUs received from external unicast clients within the VPRN routing instance. For authentication to work, the authentication key-id, type, and key value must match.

The no form of this command removes the authentication key.

Parameters

key-id

Configure the authentication key-id that will be used by the node when transmitting or receiving Network Time Protocol packets.

Entering the authentication-key command with a key-id value that matches an existing configuration key will result in overriding the existing entry.

Recipients of the NTP packets must have the same authentication key-id, type, and key value in order to use the data transmitted by this node. This is an optional parameter.

Values

1 to 255

key

The authentication key associated with the configured key-id, the value configured in this parameter is the actual value used by other network elements to authenticate the NTP packet.

The key can be any combination of ASCII characters up to 8 characters in length (unencrypted). If spaces are used in the string, enclose the entire string in quotation marks (".”).

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to management interface.

type

This parameter determines if DES or message-digest authentication is used.

This is a required parameter; either DES or message-digest must be configured.

Values

des — Specifies that DES authentication is used for this key. The des value is not supported in FIPS-140-2 mode.

message-digest — Specifies that MD5 authentication in accordance with RFC 2104 is used for this key.

Platforms

All

authentication-key

Syntax

authentication-key {authentication-key | hash-key} [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>service>vprn>ospf>area>sham-link authentication-key)

[Tree] (config>service>vprn>ospf>area>if authentication-key)

[Tree] (config>service>vprn>ospf>area>virtual-link authentication-key)

Full Context

configure service vprn ospf area sham-link authentication-key

configure service vprn ospf area interface authentication-key

configure service vprn ospf area virtual-link authentication-key

Description

This command configures the password used by the OSPF interface or virtual-link to send and receive OSPF protocol packets on the interface when simple password authentication is configured.

This command is not valid in the OSPF3 context.

All neighboring routers must use the same type of authentication and password for proper protocol communication. If the authentication-type is configured as password, then this key must be configured.

By default, no authentication key is configured.

This command is not supported in the OSPF context.

The no form of this command removes the authentication key.

Default

no authentication-key — No authentication key is defined.

Parameters

authentication-key

The authentication key. The key can be any combination of ASCII characters up to 8 characters in length (unencrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ”).

hash-key

The hash key. The key can be any combination of ASCII characters up to 22 characters in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ”).

This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to management interface.

Platforms

All

authentication-key

Syntax

authentication-key {authentication-key | hash-key} [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>service>vprn>rip>group authentication-key)

[Tree] (config>service>vprn>rip authentication-key)

[Tree] (config>service>vprn>rip>group>neighbor authentication-key)

Full Context

configure service vprn rip group authentication-key

configure service vprn rip authentication-key

configure service vprn rip group neighbor authentication-key

Description

This command sets the authentication password to be passed between RIP neighbors.

The authentication type and authentication key must match exactly to authenticate and then process the RIP message.

The no form of this command removes the authentication password from the configuration and disables authentication.

Default

no authentication-key

Parameters

authentication-key

The authentication key. The key can be any combination of ASCII characters up to 16 characters in length (unencrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ”).

hash-key

The hash key. The key can be any combination of ASCII characters up to 33 characters in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ”).

This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to management interface.

Platforms

All

authentication-key

Syntax

authentication-key {authentication-key | hash-key} [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>router>ldp>tcp-session-params>peer-transport authentication-key)

[Tree] (config>router>ldp>tcp-session-params authentication-key)

Full Context

configure router ldp tcp-session-parameters peer-transport authentication-key

configure router ldp tcp-session-parameters authentication-key

Description

This command specifies the authentication key used to establish a session between LDP peers. Authentication uses the MD5 message-based digest. The peer address used in authentication must be the TCP session transport address. If one or more transport addresses used in the Hello adjacencies to the same peer LSR are different from the LSR-ID value, the user must add each transport address to the authentication-key configuration as a separate peer. As a result, when the TCP connection is bootstrapped by a specific Hello adjacency, the authentication can operate over that TCP connection by using its specific transport address. The per peer authentication configuration takes precedence over global authentication configuration, and authentication keychain configuration takes precedence over authentication key configuration.

The no form of this command disables authentication.

Parameters

authentication-key

Specifies the authentication key. The key can be any combination of ASCII characters, up to 255 characters (unencrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ”).

hash-key

Specifies the hash key. The key can be any combination of up to 33 alphanumeric characters. If spaces are used in the string, enclose the entire string in quotation marks (" ”).

This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified

hash2

Specifies the key is entered in a more complex, encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to the management interface.

Platforms

All

authentication-key

Syntax

authentication-key {authentication-key | hash-key} [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>router>rsvp>interface authentication-key)

Full Context

configure router rsvp interface authentication-key

Description

This command specifies the authentication key for use between RSVP neighbors to authenticate RSVP messages. Authentication uses the MD5 message-based digest.

When enabled on an RSVP interface, authentication of RSVP messages operates in both directions of the interface. A router maintains a security association using one authentication key for each interface to an RSVP neighbor.

An RSVP neighbor transmits an authenticating digest of the RSVP message that is computed using the shared authentication key and a keyed-hash algorithm. The message digest is included in an INTEGRITY object, which also contains a flags field, a key identifier field, and a sequence number field. An RSVP neighbor uses the key together with the authentication algorithm to process received RSVP messages. The RSVP MD5 authentication complies to the procedures for RSVP message generation in RFC 2747, RSVP Cryptographic Authentication.

The MD5 implementation does not support the authentication challenge procedures in RFC 2747.

The no form of this command disables authentication.

Default

no authentication-key - The authentication key value is the null string.

Parameters

authentication-key

Specifies the authentication key. The key can be any combination of ASCII characters up to 16 characters in length (unencrypted). If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes.

hash-key

Specifies the hash key. The key can be any combination of up 33 alphanumeric characters. If spaces are used in the string, enclose the entire string in quotation marks (" ”)

This is useful when a user must configure the parameter, but for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to management interface.

Platforms

All

authentication-key

Syntax

authentication-key {authentication-key | hash-key} [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>router>msdp>peer authentication-key)

[Tree] (config>router>msdp>group>peer authentication-key)

Full Context

configure router msdp peer authentication-key

configure router msdp group peer authentication-key

Description

This command configures a Message Digest 5 (MD5) authentication key to be used with a specific Multicast Source Discovery Protocol (MSDP) peering session. The authentication key must be configured per peer as such no global or group configuration is possible.

The no form of the command configures acceptance of all MSDP messages and disables the MD5 signature option authentication key.

Default

no authentication-key

Parameters

authentication-key

Specifies the authentication key. The key can be any combination of printable, 7-bit ASCII characters, up to 255 characters long in the config>router>msdp>peer context, or up to 127 characters long in the config>router>msdp>group>peer context. If the string contains special characters (#, $, spaces, and so on), enclose the entire string in quotation marks (" ”).

hash-key

Specifies a hash key. The key can be any combination of ASCII characters up to 451 characters in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ”).

This is useful when a user must configure the parameter, although, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies that the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified

hash2

Specifies that the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to management interface.

Platforms

All

authentication-key

Syntax

authentication-key {authentication-key | hash-key} [{hash | hash2 | custom}]

no authentication-key

Context

[Tree] (config>router>if>vrrp authentication-key)

Full Context

configure router interface vrrp authentication-key

Description

This command sets the simple text authentication key used to generate master VRRP advertisement messages and validates VRRP advertisements.

If simple text password authentication is not required, the authentication-key command is not required.

The command is configurable in both non-owner and owner vrrp nodal contexts.

The key parameter identifies the simple text password to be used when VRRP Authentication Type 1 is enabled on the virtual router instance. Type 1 uses an eight octet long string that is inserted into all transmitted VRRP advertisement messages and is compared against all received VRRP advertisement messages. The authentication data fields are used to transmit the key.

The key string is case sensitive and is left justified in the VRRP advertisement message authentication data fields. The first field contains the first four characters with the first octet (starting with IETF RFC bit position 0) containing the first character. The second field similarly holds the fifth through eighth characters. Any unspecified portion of the authentication data field is padded with a 0 value in the corresponding octet.

If the command is re-executed with a different password key defined, the new key is used immediately.

The authentication-key command can be executed at anytime.

To change the current in-use password key on multiple virtual router instances:

Identify the current master.

  1. Shutdown the virtual router instance on all backups.

  2. Execute the authentication-key command on the master to change the password key.

  3. Execute the authentication-key command and no shutdown command on each backup.

The no form of the command reverts to the default value.

Default

no authentication-key — The authentication key value is the null string.

Parameters

authentication-key

The authentication key. Allowed values are any string up to 8 characters long composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes.

hash-key

The hash key. The key can be any combination of ASCII characters up to 22 (hash-key1) or 121 (hash-key2) characters in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ”).

This is useful when a user must configure the parameter, but for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to management interface.

Platforms

All

authentication-key

Syntax

authentication-key key-id key key [hash | hash2 | custom] type {des | message-digest}

no authentication-key key-id

Context

[Tree] (config>system>time>ntp authentication-key)

Full Context

configure system time ntp authentication-key

Description

This command sets the authentication key-id, type and key used to authenticate NTP PDUs sent to or received by other network elements participating in the NTP protocol. For authentication to work, the authentication key-id, type and key value must match.

The no form of the command removes the authentication key.

Parameters

key-id

Configures the authentication key-id that will be used by the node when transmitting or receiving Network Time Protocol packets

Entering the authentication-key command with a key-id value that matches an existing configuration key will result in overriding the existing entry.

Recipients of the NTP packets must have the same authentication key-id, type, and key value in order to use the data transmitted by this node. This is an optional parameter.

Values

1 to 255

key

Specifies the authentication key associated with the configured key-id, the value configured in this parameter is the actual value used by other network elements to authenticate the NTP packet.

The key can be any combination of ASCII characters up to 32 characters for message-digest (md5) or 8 characters for des (length limits are unencrypted lengths). If spaces are used in the string, enclose the entire string in quotation marks (".”).

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to management interface.

type

Determines if DES or message-digest authentication is used.

This is a required parameter; either DES or message-digest must be configured.

des

Specifies that DES authentication is used for this key. The des option is not permitted in FIPS-140-2 mode.

message-digest

Specifies that MD5 authentication in accordance with RFC 2104 is used for this key.

Platforms

All

authentication-key

Syntax

authentication-key [authentication-key | hash-key] [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>router>bgp>group>neighbor authentication-key)

[Tree] (config>router>bgp>group authentication-key)

[Tree] (config>router>bgp authentication-key)

Full Context

configure router bgp group neighbor authentication-key

configure router bgp group authentication-key

configure router bgp authentication-key

Description

This command configures the BGP authentication key.

Authentication is performed between neighboring routers before setting up the BGP session by verifying the password. Authentication is performed using the MD5 message based digest.

The no form of this command reverts to the default value.

Default

no authentication-key

Parameters

authentication-key

Specifies an authentication key. The key can be up to 255 characters (unencrypted).

hash-key

Specifies the hash key. The key can be any combination of ASCII characters up to 342 characters in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ”).

This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to management interface.

Platforms

All

authentication-key

Syntax

authentication-key [authentication-key | hash-key] [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>router>isis authentication-key)

[Tree] (config>router>isis>level authentication-key)

Full Context

configure router isis authentication-key

configure router isis level authentication-key

Description

This command sets the authentication key used to verify PDUs sent by neighboring routers on the interface.

Neighboring routers use passwords to authenticate PDUs sent from an interface. For authentication to work, both the authentication key and the authentication type on a segment must match. The authentication-type command must also be included.

To configure authentication on the global level, configure this command in the config>router>isis context. When this parameter is configured on the global level, all PDUs are authenticated, including the hello PDU.

To override the global setting for a specific level, configure the authentication-key command in the config>router>isis>level context. When configured within the specific level, hello PDUs are not authenticated.

The no form of this command removes the authentication key.

Default

no authentication-key

Parameters

authentication-key

Specifies the authentication key. The key can be any combination of ASCII characters up to 255 characters in length (unencrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ”).

hash-key

Specifies the hash key. The key can be any combination of ASCII characters up to 342 characters in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ”).

This is useful when a user must configure the parameter but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to management interface.

Platforms

All

authentication-key

Syntax

authentication-key [authentication-key | hash-key] [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>router>ospf>area>interface authentication-key)

[Tree] (config>router>ospf>area>virtual-link authentication-key)

Full Context

configure router ospf area interface authentication-key

configure router ospf area virtual-link authentication-key

Description

This command configures the password used by the OSPF interface or virtual link to send and receive OSPF protocol packets on the interface when simple password authentication is configured.

All neighboring routers must use the same type of authentication and password for proper protocol communication. If authentication-type password is configured, this key must be configured.

By default, no authentication key is configured.

The no form of this command removes the authentication key.

Default

no authentication-key

Parameters

authentication-key

Specifies the authentication key. The key can be any combination of ASCII characters up to 8 characters in length (unencrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ”).

hash-key

Specifies the hash key. The key can be any combination of ASCII characters up to 22 characters (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ”).

This is useful when a user must configure the parameter but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to management interface.

Platforms

All

authentication-key

Syntax

authentication-key {authentication-key | hash-key} [{hash | hash2 | custom}]

no authentication-key

Context

[Tree] (config>router>rip>group authentication-key)

[Tree] (config>router>rip authentication-key)

[Tree] (config>router>rip>group>neighbor authentication-key)

Full Context

configure router rip group authentication-key

configure router rip authentication-key

configure router rip group neighbor authentication-key

Description

This command sets the authentication password to be passed between RIP neighbors.

The authentication type and authentication key must match exactly for the RIP message to be considered authentic and processed.

The no form of the command removes the authentication password from the configuration and disables authentication.

Default

no authentication-key

Parameters

authentication-key

Specifies the authentication key. Allowed values are any string up to 16 characters long composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes.

hash-key

Specifies the hash key. The key can be any combination of ASCII characters up to 33 characters in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ”).

This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to management interface.

Platforms

All

authentication-order

authentication-order

Syntax

authentication-order [method-1] [method-2] [method-3] [method-4] [exit-on-reject]

no authentication-order

Context

[Tree] (config>system>security>password authentication-order)

Full Context

configure system security password authentication-order

Description

This command configures the sequence in which password authentication, authorization, and accounting is attempted among the local user database, RADIUS servers, TACACS+ servers, and LDAP servers.

The authentication order should be from the most preferred authentication method to the least preferred. The presence of all methods in the command line does not guarantee that they are all operational. Specifying options that are not available delays user authentication.

If all (operational) methods are attempted and no authentication for a particular login has been granted, then an entry in the security log documents the failed attempt. Both the attempted login identification and originating IP address are logged with a timestamp.

The no form of this command reverts to the default authentication sequence.

The authentication-order is not applicable to SNMPv3. SNMPv3 messages ignore the configured authentication-order and are authorized using the locally configured users only. TACACS+, RADIUS, and LDAP are not supported for SNMPv3 authentication.

Note:

This command applies to a local user, in addition to users on RADIUS, TACACS, and LDAP.

Default

authentication-order radius tacplus ldap local

Parameters

method-1

Specifies the first password authentication method to attempt.

Values

local, radius, tacplus, ldap

method-2

Specifies the second password authentication method to attempt.

Values

local, radius, tacplus, ldap

method-3

Specifies the third password authentication method to attempt.

Values

local, radius, tacplus, ldap

method-4

Specifies the fourth password authentication method to attempt.

Values

local, radius, tacplus, ldap

local

Specifies the password authentication based on the local password database.

radius

Specifies RADIUS authentication.

tacplus

Specifies TACACS+ authentication.

ldap

Specifies LDAP authentication.

exit-on-reject

When enabled and if one of the AAA methods configured in the authentication order sends a reject, then the next method in the order will not be tried. If the exit-on-reject keyword is not specified and if one AAA method sends a reject, the next AAA method will be attempted. If in this process, all the AAA methods are exhausted, it will be considered as a reject.

A rejection is distinct from an unreachable authentication server. When the exit-on-reject keyword is specified, authorization and accounting will only use the method that provided an affirmation authentication; only if that method is no longer readable or is removed from the configuration will other configured methods be attempted. If the local keyword is the first authentication and:

  • exit-on-reject is configured and the user does not exist, the user is not authenticated

  • the user is authenticated locally, then other methods, if configured, it is used for authorization and accounting

  • the user is configured locally but without console access, login is denied

Platforms

All

authentication-origin

authentication-origin

Syntax

authentication-origin

Context

[Tree] (config>subscr-mgmt authentication-origin)

Full Context

configure subscriber-mgmt authentication-origin

Description

Commands in this context configure a subscriber’s authentication origin.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

authentication-over-bypass

authentication-over-bypass

Syntax

authentication-over-bypass [enable | disable]

Context

[Tree] (config>router>rsvp authentication-over-bypass)

Full Context

configure router rsvp authentication-over-bypass

Description

This command configures the MD5 authentication over the bypass LSP of all Point of Local Repairs (PLRs) and Merge Points (MPs) on the router. Only enable this command when the TE interfaces in the RSVP-TE network use the same MD5 authentication parameters.

When a Point of Local Repair (PLR) activates a bypass LSP towards a Merge Point (MP), by default, the INTEGRITY object corresponding to the bypass LSP interface is not added to a transmitted RSVP message except for packets of routed RSVP messages (Resv, Srefresh, and ACK), and only when the packet is intended for a bypass LSP endpoint (PLR or MP) that is a directly connected neighbor.

When this command is enabled, the INTEGRITY object of the interface corresponding to the bypass LSP is added to a transmitted RSVP message regardless of whether the bypass LSP endpoint (PLR or MP) is a directly connected RSVP neighbor. The INTEGRITY object is included with the following RSVP messages: Path, PathTear, PathErr, Resv, ResvTear, ResvErr, Srefresh, and ACK.

In all cases, an RSVP message received from a PLR or a MP (sender address in the SenderTemplate/FilterSpec is different from an Extended Tunnel Id in a Session Object), and which includes the INTEGRITY object is authenticated against the bypass LSP interface. An RSVP message received from a PLR or MP without the INTEGRITY object is also accepted.

Default

authentication-over-bypass disable

Parameters

enable

Enables the MD5 authentication over the bypass LSP of all PLRs on the node.

disable

Disables the MD5 authentication over the bypass LSP of all PLRs on the node.

Platforms

All

authentication-policy

authentication-policy

Syntax

authentication-policy auth-policy-name

no authentication-policy

Context

[Tree] (config>service>vprn>l2tp>group>ppp authentication-policy)

[Tree] (config>router>l2tp>group>tunnel>ppp authentication-policy)

[Tree] (config>service>vprn>l2tp>group>tunnel>ppp authentication-policy)

[Tree] (config>router>l2tp>group>ppp authentication-policy)

Full Context

configure service vprn l2tp group ppp authentication-policy

configure router l2tp group tunnel ppp authentication-policy

configure service vprn l2tp group tunnel ppp authentication-policy

configure router l2tp group ppp authentication-policy

Description

This command configures the RADIUS authentication policy that will be used to authenticate PPP sessions on the LNS.

The no form of this command reverts to the default value.

Default

no authentication-policy

Parameters

auth-policy-name

Specifies the authentication policy name.

Values

32 chars max

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

authentication-policy

Syntax

authentication-policy name [create]

no authentication-policy

Context

[Tree] (config>subscr-mgmt authentication-policy)

Full Context

configure subscriber-mgmt authentication-policy

Description

This command creates a RADIUS authentication policy containing parameters to authenticate subscriber sessions. The policies can be applies to an IES or VPRN interface or group interface, or a VPLS SAP.

The no form of this command removes the policy from the configuration.

Parameters

name

Specifies the name of the authentication profile. The string is case sensitive and limited to 32 ASCII 7-bit printable characters.

create

Keyword used to create the authentication policy. The create keyword requirement can be enabled or disabled in the environment>create context.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

authentication-policy

Syntax

authentication-policy name

no authentication-policy

Context

[Tree] (config>service>vprn>if authentication-policy)

[Tree] (config>service>ies>sub-if>grp-if authentication-policy)

[Tree] (config>service>vprn>sub-if>grp-if authentication-policy)

[Tree] (config>service>ies>if authentication-policy)

Full Context

configure service vprn interface authentication-policy

configure service ies subscriber-interface group-interface authentication-policy

configure service vprn subscriber-interface group-interface authentication-policy

configure service ies interface authentication-policy

Description

This command assigns a RADIUS authentication policy to the interface.

The no form of this command removes the policy from the interface configuration.

Parameters

name

Specifies the authentication policy name.

Platforms

All

  • configure service ies interface authentication-policy
  • configure service vprn interface authentication-policy

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

  • configure service vprn subscriber-interface group-interface authentication-policy
  • configure service ies subscriber-interface group-interface authentication-policy

authentication-policy

Syntax

authentication-policy name

no authentication-policy

Context

[Tree] (config>service>vpls>sap authentication-policy)

Full Context

configure service vpls sap authentication-policy

Description

For a regular SAP (bridged CO model), this command defines which subscriber authentication policy must be applied when a DHCP message is received on the interface. The authentication policies must already be defined. The policy is only applied when DHCP snooping is enabled on the SAP.

For a capture SAP, this command specifies the RADIUS authentication policy to use for subscriber session authentication when a valid trigger packet is received. The same authentication policy must be assigned on the group-interface where the MSAP for the subscriber session is created.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

authentication-policy

Syntax

authentication-policy policy-name

no authentication-policy

Context

[Tree] (config>service>vprn>sub-if>grp-if>wlan-gw>ranges>range>authentication authentication-policy)

[Tree] (config>service>ies>sub-if>grp-if>wlan-gw>ranges>range>authentication authentication-policy)

Full Context

configure service vprn subscriber-interface group-interface wlan-gw vlan-tag-ranges range authentication authentication-policy

configure service ies subscriber-interface group-interface wlan-gw vlan-tag-ranges range authentication authentication-policy

Description

This command assigns a RADIUS authentication policy configured under the aaa context for authenticating users on WLAN-GW ISA.

The no form of this command removes the policy from the configuration.

Parameters

policy-name

Specifies the name of the authentication policy up to 32 characters.

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

authentication-policy

Syntax

authentication-policy name

no authentication-policy

Context

[Tree] (config>app-assure>group>transit-ip>radius authentication-policy)

Full Context

configure application-assurance group transit-ip-policy radius authentication-policy

Description

This command configures the RADIUS authentication-policy for the IP transit policy.

Default

no authentication-policy

Parameters

name

Specifies the authentication policy name, up to 32 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

authentication-type

authentication-type

Syntax

authentication-type {none | password | message-digest | message-digest-20}

no authentication-type

Context

[Tree] (config>subscr-mgmt>rip-plcy authentication-type)

Full Context

configure subscriber-mgmt rip-policy authentication-type

Description

This command sets the type of authentication to be used between RIP neighbors. The type and password must match exactly for the RIP message to be considered authentic and processed.

The no form of this command removes the authentication type from the configuration and effectively disables authentication.

Parameters

none

Disables authentication at a given level (global, group, neighbor). If the command does not exist in the configuration, the parameter is inherited.

password

Specifies enable simple password (plain text) authentication. If authentication is enabled and no authentication type is specified in the command, simple password authentication is enabled.

message-digest

Configures 16 byte message digest for MD5 authentication. If this option is configured, then at least one message-digest-key must be configured.

message-digest-20

Configures 20 byte message digest for MD5 authentication in accordance with RFC 2082, RIP-2 MD5 Authentication. If this option is configured, then at least one message-digest-key must be configured.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

authentication-type

Syntax

authentication-type {password | message-digest}

no authentication

Context

[Tree] (config>service>vprn>isis>level authentication-type)

[Tree] (config>service>vprn>isis authentication-type)

Full Context

configure service vprn isis level authentication-type

configure service vprn isis authentication-type

Description

This command enables either simple password or message digest authentication or must go in either the global IS-IS or IS-IS level context.

Both the authentication key and the authentication type on a segment must match. The authentication-key statement must also be included.

Configure the authentication type on the global level in the config>router>isis context.

Configure or override the global setting by configuring the authentication type in the config>router>isis>level context.

The no form of this command disables authentication.

Default

no authentication-type — No authentication type is configured and authentication is disabled.

Parameters

password

Specifies that simple password (plain text) authentication is required.

message-digest

Specifies that MD5 authentication in accordance with RFC2104 is required.

Platforms

All

authentication-type

Syntax

authentication-type {password | message-digest}

no authentication-type

Context

[Tree] (config>service>vprn>ospf>area>sham-link authentication-type)

[Tree] (config>service>vprn>ospf>area>virtual-link authentication-type)

[Tree] (config>service>vprn>ospf>area>if authentication-type)

Full Context

configure service vprn ospf area sham-link authentication-type

configure service vprn ospf area virtual-link authentication-type

configure service vprn ospf area interface authentication-type

Description

This command enables authentication and specifies the type of authentication to be used on the OSPF interface, virtual-link, and sham-link.

This command is not valid in the OSPF3 context.

Both simple password and message-digest authentication are supported.

The no form of this command disables authentication on the interface.

Default

no authentication-type — No authentication is enabled on an interface.

Parameters

password

This keyword enables simple password (plain text) authentication. If authentication is enabled and no authentication type is specified in the command, simple password authentication is enabled.

message-digest

This keyword enables message digest MD5 authentication in accordance with RFC1321. If this option is configured, then at least one message-digest-key must be configured.

Platforms

All

authentication-type

Syntax

authentication-type {none | password | message-digest | message-digest-20}

no authentication-type

Context

[Tree] (config>service>vprn>rip authentication-type)

[Tree] (config>service>vprn>rip>group authentication-type)

[Tree] (config>service>vprn>rip>group>neighbor authentication-type)

Full Context

configure service vprn rip authentication-type

configure service vprn rip group authentication-type

configure service vprn rip group neighbor authentication-type

Description

This command defines the type of authentication used between RIP neighbors. The type and password must match exactly to authenticate and then process the RIP message.

The no form of this command removes the authentication type from the configuration and effectively disables authentication.

Default

no authentication-type

Parameters

none

No authentication is used.

password

A simple cleartext password is sent.

message-digest

MD5 authentication is used.

message-digest-20

MD20 authentication is used.

Platforms

All

authentication-type

Syntax

authentication-type {password | message-digest}

no authentication

Context

[Tree] (config>router>isis>level authentication-type)

[Tree] (config>router>isis authentication-type)

Full Context

configure router isis level authentication-type

configure router isis authentication-type

Description

This command enables either simple password or message digest authentication or must go in either the global IS-IS or IS-IS level context.

Both the authentication key and the authentication type on a segment must match. The authentication-key statement must also be included.

Configure the authentication type on the global level in the config>router>isis context.

Configure or override the global setting by configuring the authentication type in the config>router>isis>level context.

The no form of this command disables authentication.

Parameters

password

Specifies that simple password (plain text) authentication is required.

message-digest

Specifies that MD5 authentication in accordance with RFC2104 is required.

Platforms

All

authentication-type

Syntax

authentication-type {password | message-digest}

no authentication-type

Context

[Tree] (config>router>ospf>area>interface authentication-type)

[Tree] (config>router>ospf>area>virtual-link authentication-type)

Full Context

configure router ospf area interface authentication-type

configure router ospf area virtual-link authentication-type

Description

This command enables authentication and specifies the type of authentication to be used on the OSPF interface.

Both simple password and message-digest authentication are supported.

By default, authentication is not enabled on an interface.

The no form of this command disables authentication on the interface.

Default

no authentication-type

Parameters

password

Enables the simple password (plain text) authentication. If authentication is enabled and no authentication type is specified in the command, simple password authentication is enabled.

message-digest

Enables message digest MD5 authentication in accordance with RFC1321. If this option is configured, then at least one message-digest-key must be configured.

Platforms

All

authentication-type

Syntax

authentication-type {none | password | message-digest | message-digest-20}

no authentication-type

Context

[Tree] (config>router>rip>group authentication-type)

[Tree] (config>router>rip>group>neighbor authentication-type)

[Tree] (config>router>rip authentication-type)

Full Context

configure router rip group authentication-type

configure router rip group neighbor authentication-type

configure router rip authentication-type

Description

This command sets the type of authentication to be used between RIP neighbors.

The type and password must match exactly for the RIP message to be considered authentic and processed.

The no form of the command removes the authentication type from the configuration and effectively disables authentication.

Default

no authentication-type

Parameters

none

The none parameter explicitly disables authentication at a given level (global, group, neighbor). If the command does not exist in the configuration, the parameter is inherited.

password

Specifies that the password enables simple password (plain text) authentication. If authentication is enabled and no authentication type is specified in the command, simple password authentication is enabled.

message-digest

Configures 16 byte message digest for MD5 authentication. If this option is configured, then at least one message-digest-key must be configured.

message-digest-20

Configures 20 byte message digest for MD5 authentication in accordance with RFC 2082, RIP-2 MD5 Authentication. If this option is configured, then at least one message-digest-key must be configured.

Platforms

All

authenticator-init

authenticator-init

Syntax

[no] authenticator-init

Context

[Tree] (config>port>ethernet>dot1x>per-host-authentication authenticator-init)

Full Context

configure port ethernet dot1x per-host-authentication authenticator-init

Description

This command configures the authenticator-initiated mode of the host.

The no form of this command disables the authenticator-initiated mode of the host.

Default

authenticator-init

Platforms

All

authorization

authorization

Syntax

authorization

Context

[Tree] (config>system>security>cli-script authorization)

Full Context

configure system security cli-script authorization

Description

Commands in this context authorize CLI script execution.

Platforms

All

authorization

Syntax

[no] authorization

Context

[Tree] (config>service>vprn>aaa>remote-servers>radius authorization)

Full Context

configure service vprn aaa remote-servers radius authorization

Description

This command configures RADIUS authorization parameters for the system.

Default

no authorization

Platforms

All

authorization

Syntax

[no] authorization

Context

[Tree] (config>system>security>radius authorization)

Full Context

configure system security radius authorization

Description

This command configures RADIUS authorization parameters for the system.

Default

no authorization

Platforms

All

authorization

Syntax

[no] authorization [use-priv-lvl]

Context

[Tree] (config>system>security>tacplus authorization)

[Tree] (config>service>vprn>aaa>remote-servers>tacplus authorization)

Full Context

configure system security tacplus authorization

configure service vprn aaa remote-servers tacplus authorization

Description

This command controls how TACACS+ is used for command authorization.

If this command is enabled without the use-priv-lvl option, then each command is sent to the TACACS+ server for authorization (this is true whether the tacplus use-default-template setting is enabled or not).

If the tacplus authorization command is disabled, and the tacplus use-default-template setting is enabled, then the local profile in the user-template tacplus_default is used for command authorization.

Default

no authorization

Parameters

use-priv-lvl

Automatically performs a single authorization request to the TACACS+ server for cmd* (all commands) immediately after login, and then use the local profile associated (via the priv-lvl-map) with the priv-lvl returned by the TACACS+ server for all subsequent authorization (except enable-admin). After the initial authorization for cmd*, no further authorization requests are sent to the TACACS+ server (except enable-admin). If the TACACS+ server does not return a priv-lvl for a user, the profile from the user-template tacplus_default is used for command authorization (as long as tacplus use-default-template is enabled, otherwise all commands are rejected).

Platforms

All

authorized-only

authorized-only

Syntax

[no] authorized-only

Context

[Tree] (config>subscr-mgmt>wlan-gw>ue-query>state authorized-only)

Full Context

configure subscriber-mgmt wlan-gw ue-query state authorized-only

Description

This command enables matching on UEs in an authorized state.

The no form of this command disables matching on UEs in an authorized state, unless all state matching is disabled.

Default

no authorized-only

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

auto-bandwidth

auto-bandwidth

Syntax

[no] auto-bandwidth

Context

[Tree] (config>router>mpls>lsp auto-bandwidth)

[Tree] (config>router>mpls>lsp-template auto-bandwidth)

Full Context

configure router mpls lsp auto-bandwidth

configure router mpls lsp-template auto-bandwidth

Description

This command enables (and the no form disables) automatic adjustments of LSP bandwidth.

Auto-bandwidth at the LSP level cannot be executed unless adaptive is configured in the config>router>mpls>lsp context.

Default

no auto-bandwidth

Platforms

All

auto-bandwidth-multipliers

auto-bandwidth-multipliers

Syntax

auto-bandwidth-multipliers sample-multiplier number1 adjust-multiplier number2

no auto-bandwidth-multipliers

Context

[Tree] (config>router>mpls auto-bandwidth-multipliers)

Full Context

configure router mpls auto-bandwidth-multipliers

Description

This command specifies the number of collection intervals in the adjust interval.

Default

auto-bandwidth-multipliers sample-multiplier 1 adjust-multiplier 288

Parameters

sample-multiplier number1

Specifies the multiplier for collection intervals in a sample interval.

Values

1 to 511

adjust-multiplier number2

Specifies the number of collection intervals in the adjust interval.

Values

1 to 16383

Platforms

All

auto-bind-tunnel

auto-bind-tunnel

Syntax

auto-bind-tunnel

Context

[Tree] (config>service>epipe>bgp-evpn>mpls auto-bind-tunnel)

[Tree] (config>service>vpls>bgp-evpn>mpls auto-bind-tunnel)

[Tree] (config>service>vprn>bgp-evpn>mpls auto-bind-tunnel)

[Tree] (config>service>vprn>bgp-ipvpn>mpls auto-bind-tunnel)

Full Context

configure service epipe bgp-evpn mpls auto-bind-tunnel

configure service vpls bgp-evpn mpls auto-bind-tunnel

configure service vprn bgp-evpn mpls auto-bind-tunnel

configure service vprn bgp-ipvpn mpls auto-bind-tunnel

Description

Commands in this context configure automatic binding of a VPRN service using tunnels to MP-BGP peers.

The auto-bind-tunnel node is simply a context to configure the binding of BGP IPVPN or EVPN routes to tunnels. The user must configure the resolution option to enable auto-bind resolution to tunnels in TTM. If the resolution option is explicitly set to disabled, the auto-binding to tunnel is removed.

If resolution is set to any, any supported tunnel type in the Epipe/VPRN/VPLS context is selected following TTM preference. If one or more explicit tunnel types are specified using the resolution-filter option, then only these tunnel types are selected again following the TTM preference.

The user must set resolution to filter in order to activate the list of tunnel-types configured under resolution-filter.

In VPRN services and for BGP-IPVPN, when an explicit SDP to a BGP next hop is configured (config>service>vprn>spoke-sdp), it overrides the auto-bind-tunnel selection for that BGP next hop only. There is no support for reverting automatically to the auto-bind-tunnel selection if the explicit SDP goes down. The user must delete the explicit spoke-sdp in the VPRN service context to resume using the auto-bind-tunnel selection for the BGP next hop.

Platforms

All

auto-boot

auto-boot

Syntax

auto-boot [management-port] [inband [ vlan vlan-id | vlan-discovery]] [ipv4] [ipv6] [client-identifier {string ascii-string | hex hex-string | chassis-mac}] [include-user-class] [timeout minutes]

auto-boot ospf [neid neid-hex-string] [vendor-id vendor-id] [neip-ipv4 ip-address] [neip-ipv6 ipv6-address] [port-mtu mtu-bytes] [ospf-mtu ip-mtu-bytes] [vlan vlan-id] [timeout minutes]

no auto-boot

Context

[Tree] (bof auto-boot)

Full Context

bof auto-boot

Description

This command enables the auto-boot flag in the BOF and configures the auto-boot options for ZTP. When modifying auto-boot options using CLI, all required options must be explicitly configured, as the default cases will no longer be used.

The no form of this command disables the auto-boot flag.

Default

no auto-boot

Parameters

management-port

Specifies that the out-of-band management port (Mgmt port) should be used for ZTP.

inband

Specifies that in-band management through an Ethernet port should be used for ZTP. Unless the vlan-discovery flag is used, the inband option disables VLAN discovery.

vlan-id

Specifies an in-band VLAN to use for the auto-boot process.

Values

1 to 4094

vlan-discovery

Floods all VLANs (1 to 4094) with DHCP discovery messages and is supported only on inband ports. The first offer received on a specific VLAN is processed.

ipv4

Enables IPv4 DHCP discovery. This parameter is mandatory if the ipv6 parameter is not specified.

ipv6

Enables IPv6 DHCP solicitation. This parameter is mandatory if the ipv4 parameter is not specified.

ascii-string

Specifies a DHCP client identification string, up to 58 ASCII characters, to be used for Option 61 (IPv4) or Option 1 (IPv6).

hex-string

Specifies a DHCP client identification string, up to 116 hexadecimal nibbles, to be used for Option 61 (IPv4) or Option 1 (IPv6).

Values

0x0 to 0xFFFFFFFF

chassis-mac

Specifies that the chassis MAC address should be used as the DHCP client identification string for Option 61 (IPv4) or Option 1 (IPv6).

include-user-class

Specifies that Option 77 should be included in DHCP messages.

client-identifier

Specifies that a custom client ID should be used in network discovery requests.

minutes

Specifies the time interval after which, if the auto-boot process is unsuccessful (in the case of auto-boot using OSPF, if no OSPF adjacency is found), the node is rebooted and the auto-boot process is retried.

Values

30 to 1440

Default

30

ospf

Specifies that OSPF auto-discovery should be used.

neid-hex-string

Specifies a hexadecimal network element identification string.

Values

0x10101to 0xFEFEFE

ip-address

Specifies the IPv4 address for the network element.

Values

a.b.c.d

Default

vendor-id.neid-hex-string

ipv6-address

Specifies the IPv6 address for the network element.

Values

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x [0 to FFFF]H

d [0 to 255]D

Default

The IPv6 version of vendor-id.neid-hex-string

vendor-id

Specifies the vendor identification number. The number 140 corresponds to "Nokia”.

Values

1 to 254

Default

140

ip-mtu-bytes

Specifies the OSPF MTU in bytes.

Values

512 to 9786

Default

1500

mtu-bytes

Specifies the port MTU in bytes.

Values

512 to 9800

Default

The default MTU of the port type.

Platforms

7450 ESS-7, 7750 SR-1, 7750 SR-7, 7750 SR-1e, 7750 SR-2e, 7750 SR-s

auto-config

auto-config

Syntax

[no] auto-config

Context

[Tree] (config>service>epipe>spoke-sdp-fec auto-config)

Full Context

configure service epipe spoke-sdp-fec auto-config

Description

This command enables single sided automatic endpoint configuration of the spoke SDP. The router acts as the passive T-PE for signaling this MS-PW.

Automatic Endpoint Configuration allows the configuration of a spoke SDP endpoint without specifying the TAII associated with that spoke SDP. It allows a single-sided provisioning model where an incoming label mapping message with a TAII that matches the SAII of that spoke SDP to be automatically bound to that endpoint. In this mode, the far end T-PE actively initiates MS-PW signaling and will send the initial label mapping message using T-LDP, while the router T-PE for which auto-config is specified will act as the passive T-PE.

The auto-config command is blocked in CLI if signaling active has been enabled for this spoke SDP. It is only applicable to spoke SDPs configured under the Epipe, IES and VPRN interface context.

The no form of this command means that the router T-PE either acts as the active T-PE (if signaling active is configured) or automatically determines which router will initiate MS-PW signaling based on the prefix values configured in the SAII and TAII of the spoke SDP. If the SAII has the greater prefix value, then the router will initiate MS-PW signaling without waiting for a label mapping message from the far end. However, if the TAII has the greater value prefix, then the router will assume that the far end T-PE will initiate MS-PW signaling and will wait for that label mapping message before responding with a T-LDP label mapping message for the MS-PW in the reverse direction.

Default

no auto-config

Platforms

All

auto-config-save

auto-config-save

Syntax

[no] auto-config-save

Context

[Tree] (config>system>management-interface>cli>md-cli auto-config-save)

Full Context

configure system management-interface cli md-cli auto-config-save

Description

This command enables the functionality to automatically write the running configuration to the saved configuration file as part of a successful commit operation.

The no form of this command disables this functionality.

Default

auto-config-save

Platforms

All

auto-config-save

Syntax

[no] auto-config-save

Context

[Tree] (config>system>netconf auto-config-save)

Full Context

configure system netconf auto-config-save

Description

This command enables the functionality to automatically write the running configuration to the saved configuration file as part of a successful commit operation.

The no form of this command disables this functionality.

Default

auto-config-save

Platforms

All

auto-config-save

Syntax

[no] auto-config-save

Context

[Tree] (config>system>grpc>gnmi auto-config-save)

Full Context

configure system grpc gnmi auto-config-save

Description

This command enables the functionality to automatically write the running configuration to the saved configuration file as part of a successful commit operation.

The no form of this command disables this functionality.

Default

auto-config-save

Platforms

All

auto-creation

auto-creation

Syntax

[no] auto-creation

Context

[Tree] (config>qos>fp-resource-policy>aggregate-shapers auto-creation)

Full Context

configure qos fp-resource-policy aggregate-shapers auto-creation

Description

This command enables the auto-creation of hardware aggregate shapers on the specified FP. After enabling, the corresponding FP is rebooted.

The no version of this command disables auto-creation of hardware aggregate shapers.

Default

no auto-creation

Platforms

7750 SR-1, 7750 SR-s

auto-crl-update

auto-crl-update

Syntax

auto-crl-update [create]

no auto-crl-update

Context

[Tree] (config>system>security>pki>ca-prof auto-crl-update)

Full Context

configure system security pki ca-profile auto-crl-update

Description

This command creates an auto CRL update configuration context with the create parameter, or enters the auto-crl-update configuration context without the create parameter.

This mechanism auto downloads a CRL file from a list of configured HTTP URLs either periodically or before existing CRL expires. If the downloaded CRL is more recent than the existing one, then the existing one will be replaced.

Note:

The configured URL must point to a DER encoded CRL file.

Parameters

create

Creates an auto CRL update for the ca-profile.

Platforms

All

auto-crl-update

Syntax

[no] auto-crl-update

Context

[Tree] (debug>certificate auto-crl-update)

Full Context

debug certificate auto-crl-update

Description

This command enables trace for automated and manual CRL updates.

Platforms

All

auto-disc-route-advertisement

auto-disc-route-advertisement

Syntax

[no] auto-disc-route-advertisement

Context

[Tree] (config>service>vpls>bgp-evpn>vxlan auto-disc-route-advertisement)

Full Context

configure service vpls bgp-evpn vxlan auto-disc-route-advertisement

Description

This command enables sending route advertisements on auto-discovery.

The no form of this command disables sending route advertisements on auto-discovery.

Default

no auto-disc-route-advertisement

Platforms

All

auto-discovery

auto-discovery

Syntax

auto-discovery [default | mdt-safi] [source-address ip-address]

Context

[Tree] (config>service>vprn>mvpn auto-discovery)

Full Context

configure service vprn mvpn auto-discovery

Description

This command enables MVPN membership auto-discovery through BGP. When auto-discovery is enabled, PIM peering on the inclusive provider tunnel is disabled. Changing auto-discovery configuration requires shutdown of this VPRN instance.

The no form of this command disables MVPN membership auto-discovery through BGP.

Default

auto-discovery default

Parameters

default

Enables AD route exchange based on format defined in NG-MVPN (RFC6514).

mdt-safi

Enables AD route exchange based on mdt-safi format defined in draft-rosen-vpn-mcast.

This command optionally specifies a source-address - an IP address to be used by Rosen MVPN or NG-MVPN for core diversity, non-default IGP instances (not using system IP). Two unique IP addresses for PIM or GRE MVPNs are supported. The two unique IP address restriction does not apply to MVPNs with MPLS tunnels (for example, RSVP and MLDP). For instances using default System IP, source address configuration should not be specified to avoid consuming one of the addresses.

Explicitly defining a source-address allows GRE-encapsulated Rosen MVPN or NG-MVPN multicast traffic (Default and Data MDT) to originate from a configured IP address, so the source IP address of the GRE packets will not be the default system IP address.

Value:

ip-address

An IPv4 address. To achieve the desired functionality the address should be a pre-configured non-default ISIS or OSPF loopback address for an IGP instance using loopback address different from the system IP loopback.

Platforms

All

auto-discovery

Syntax

auto-discovery [default]

no auto-discovery

Context

[Tree] (config>router>pim>gtm auto-discovery)

Full Context

configure router pim gtm auto-discovery

Description

This command enables multicast auto-discovery over BGP for GTM.

The no form of this command disables auto-discovery.

Default

no auto-discovery

Parameters

default

Enables the default auto-discovery mode.

Platforms

All

auto-discovery-disable

auto-discovery-disable

Syntax

[no] auto-discovery-disable

Context

[Tree] (config>service>vprn>mvpn>pt>selective auto-discovery-disable)

Full Context

configure service vprn mvpn provider-tunnel selective auto-discovery-disable

Description

This command disables C-trees to P-tunnel binding auto-discovery through BGP so it is signaled using PIM join TLVs.

This command requires the c-mcast-signaling parameter to be set to PIM.

For multi-stream S-PMSI, this command must be enabled for BGP auto-discovery to function.

The no form of this command enables multicast VPN membership auto-discovery through BGP.

Default

auto-discovery-disable

Platforms

All

auto-eap-method

auto-eap-method

Syntax

auto-eap-method {psk | cert | psk-or-cert}

Context

[Tree] (config>ipsec>ike-policy auto-eap-method)

Full Context

configure ipsec ike-policy auto-eap-method

Description

This command enables following behavior for IKEv2 remote-access tunnel when auth-method is configured as auto-eap-radius:

  • If there is no AUTH payload in IKE_AUTH request, then system use EAP to authenticate client and also will own-auth-method to generate AUTH payload.

  • If there is AUTH payload in IKE_AUTH request:

    • if auto-eap-method is psk, then system proceed as auth-method:psk-radius

    • if auto-eap-method is cert, then system proceed as auth-method:cert-radius

    • if auto-eap-method is psk-or-cert, then:

      • if the "Auth Method" field of AUTH payload is PSK, then system proceed as auth-method:psk-radius

      • if the "Auth Method" field of AUTH payload is RSA or DSS, then system proceed as auth-method:cert-radius

    • The system will use auto-eap-own-method to generate AUTH payload.

This command only applies when auth-method is configured as auto-eap-radius.

Default

auto-eap-method cert

Parameters

psk

Uses the pre-shared-key as the authentication method.

cert

Uses the certificate as the authentication method.

psk-or-cert

Uses either the pre-shared-key or certificate based on the "Auth Method” field of the received AUTH payload.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

auto-eap-own-method

auto-eap-own-method

Syntax

auto-eap-own-method {psk | cert}

Context

[Tree] (config>ipsec>ike-policy auto-eap-own-method)

Full Context

configure ipsec ike-policy auto-eap-own-method

Description

This command enables following behavior for IKEv2 remote-access tunnel when auth-method is configured as auto-eap-radius:

  • If there is no AUTH payload in IKE_AUTH request, then system use EAP to authenticate client and also will own-auth-method to generate AUTH payload.

  • If there is AUTH payload in IKE_AUTH request:

    • if auto-eap-method is psk, then system proceed as auth-method:psk-radius.

    • if auto-eap-method is cert, then system proceed as auth-method:cert-radius.

    • if auto-eap-method is psk-or-cert, then:

      • if the "Auth Method" field of AUTH payload is PSK, then system proceed as auth-method:psk-radius.

      • if the "Auth Method" field of AUTH payload is RSA or DSS, then system proceed as auth-method:cert-radius.

    • The system will use auto-eap-own-method to generate AUTH payload.

This command only applies when auth-method is configured as auto-eap-radius.

Default

auto-eap-own-method cert

Parameters

psk

Uses a pre-shared-key to generate AUTH payload.

cert

Uses a public/private key to generate AUTH payload.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

auto-edge

auto-edge

Syntax

[no] auto-edge

Context

[Tree] (config>service>vpls>spoke-sdp>stp auto-edge)

[Tree] (config>service>template>vpls-sap-template>stp auto-edge)

[Tree] (config>service>vpls>sap>stp auto-edge)

Full Context

configure service vpls spoke-sdp stp auto-edge

configure service template vpls-sap-template stp auto-edge

configure service vpls sap stp auto-edge

Description

This command configures automatic detection of the edge port characteristics of the SAP or spoke-SDP.

If auto-edge is enabled, and STP concludes there is no bridge behind the spoke-SDP, the OPER_EDGE variable will dynamically be set to true. If auto-edge is enabled, and a BPDU is received, the OPER_EDGE variable will dynamically be set to true (see edge-port [config>service>vpls>sap>stp edge-port, config>service>template>vpls-sap-template>stp edge-port, config>service>vpls>spoke-sdp>stp edge-port]).

The no form of this command returns the auto-detection setting to the default value.

Default

auto-edge

Platforms

All

auto-edge

Syntax

[no] auto-edge

Context

[Tree] (config>service>pw-template>stp auto-edge)

Full Context

configure service pw-template stp auto-edge

Description

This command configures automatic detection of the edge port characteristics of the SAP or spoke SDP.

If auto-edge is enabled, and STP concludes there is no bridge behind the spoke SDP, the OPER_EDGE variable will dynamically be set to true. If auto-edge is enabled, and a BPDU is received, the OPER_EDGE variable will dynamically be set to true (see config>service>pw-template>stp edge-port).

The no form of this command returns the auto-detection setting to the default value.

Default

auto-edge

Platforms

All

auto-esi

auto-esi

Syntax

auto-esi {none | type-1}

Context

[Tree] (config>service>system>bgp-evpn>eth-seg auto-esi)

Full Context

configure service system bgp-evpn ethernet-segment auto-esi

Description

This command configures the auto-ESI type to use in the Ethernet segment (ES).

The default mode is none and forces the user to configure a manual ESI. When type-1 is configured, a manual ESI cannot be configured and the ESI is auto-derived in accordance with the RFC 7432 ESI type 1 definition.

An ESI type 1 encodes 0x01 in the ESI type octet (T=0x01) and indicates that IEEE 802.1AX LACP is used between the PEs and CEs.

The ESI is auto-derived from the LACP PDUs by concatenating the following parameters:

  • CE LACP system MAC address (6 octets)

    The CE LACP system MAC address is encoded in the high-order 6 octets of the ESI value field.

  • CE LACP port Key (2 octets)

    The CE LACP port key is encoded in the 2 octets next to the system MAC address.

  • the remaining octet is set to 0x00.

Parameters

type-1

Specifies an auto-generated ESI value.

none

Specifies the configuration of a manual ESI.

Platforms

All

auto-establish

auto-establish

Syntax

[no] auto-establish

Context

[Tree] (config>router>l2tp>group>tunnel auto-establish)

Full Context

configure router l2tp group tunnel auto-establish

Description

This command specifies if this tunnel is to be automatically set up by the system.

Default

no auto-establish

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

auto-establish

Syntax

[no] auto-establish

Context

[Tree] (config>service>vprn>l2tp>group>tunnel auto-establish)

Full Context

configure service vprn l2tp group tunnel auto-establish

Description

This command specifies if this tunnel is to be automatically set up by the system.

Default

no auto-establish

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

auto-establish

Syntax

[no] auto-establish

Context

[Tree] (config>service>ies>if>ipsec>ipsec-tunnel>dyn auto-establish)

[Tree] (config>ipsec>trans-mode-prof>dyn auto-establish)

[Tree] (config>service>vprn>if>ipsec>ipsec-tunnel>dyn auto-establish)

[Tree] (config>router>if>ipsec>ipsec-tunnel>dyn auto-establish)

[Tree] (config>service>vprn>if>sap>ipsec-tun>dyn auto-establish)

Full Context

configure service ies interface ipsec ipsec-tunnel dynamic-keying auto-establish

configure ipsec ipsec-transport-mode-profile dynamic-keying auto-establish

configure service vprn interface ipsec ipsec-tunnel dynamic-keying auto-establish

configure router interface ipsec ipsec-tunnel dynamic-keying auto-establish

configure service vprn interface sap ipsec-tunnel dynamic-keying auto-establish

Description

This command enables automatic attempts to establish a phase 1 exchange.

The system automatically establishes a phase 1 SA as soon as the tunnel is provisioned and enabled (no shutdown). This option should only be configured on one side of the tunnel.

Any associated static routes remains up as long as the tunnel is up, even though it may actually be operationally down according to the CLI.

The no form of this command disables the automatic attempts to establish a phase 1 exchange.

Default

no auto-establish

Platforms

VSR

  • configure service vprn interface ipsec ipsec-tunnel dynamic-keying auto-establish
  • configure service ies interface ipsec ipsec-tunnel dynamic-keying auto-establish
  • configure router interface ipsec ipsec-tunnel dynamic-keying auto-establish

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

  • configure service vprn interface sap ipsec-tunnel dynamic-keying auto-establish
  • configure ipsec ipsec-transport-mode-profile dynamic-keying auto-establish

auto-learn-mac-protect

auto-learn-mac-protect

Syntax

[no] auto-learn-mac-protect

Context

[Tree] (config>service>vpls>endpoint auto-learn-mac-protect)

[Tree] (config>service>pw-template>split-horizon-group auto-learn-mac-protect)

Full Context

configure service vpls endpoint auto-learn-mac-protect

configure service pw-template split-horizon-group auto-learn-mac-protect

Description

This command enables the automatic protection of source MAC addresses learned on the associated object. MAC protection is used in conjunction with the restrict-protected-src, restrict-unprotected-dst, and mac-protect commands. When auto-learn-mac-protect command is applied or removed, the MAC addresses are cleared from the related object.

When the auto-learn-mac-protect is enabled on an SHG the action only applies to the associated SAPs (no action is taken by default for spoke SDPs in the SHG). To enable this function for spoke SDPs within a SHG, the auto-learn-mac-protect command must be enabled explicitly under the spoke SDP. If required, the auto-learn-mac-protect command can also be enabled explicitly under specific SAPs within the SHG.

The no form of the command reverts to the default.

Default

no auto-learn-mac-protect

Platforms

All

auto-learn-mac-protect

Syntax

auto-learn-mac-protect [exclude-list name]

no auto-learn-mac-protect

Context

[Tree] (config>service>vpls>split-horizon-group auto-learn-mac-protect)

[Tree] (config>service>pw-template auto-learn-mac-protect)

[Tree] (config>service>vpls>spoke-sdp auto-learn-mac-protect)

[Tree] (config>service>vpls>mesh-sdp auto-learn-mac-protect)

[Tree] (config>service>vpls>sap auto-learn-mac-protect)

Full Context

configure service vpls split-horizon-group auto-learn-mac-protect

configure service pw-template auto-learn-mac-protect

configure service vpls spoke-sdp auto-learn-mac-protect

configure service vpls mesh-sdp auto-learn-mac-protect

configure service vpls sap auto-learn-mac-protect

Description

This command specifies whether to enable automatic population of the MAC protect list with source MAC addresses learned on the associated object under which the command is configured.

When configured, dynamically learned MAC Source Addresses (SA) are protected only if they are learned on an object with ALMP configured and there is no exclude list associated to the same object or if there is an exclude list but the MAC does not match any entry.

The same list can be used in multiple objects of the same or different service. If the list is empty, ALMP does not exclude any learned MAC from protection on the object.

The no form of the command disables the automatic population of the MAC protect list.

Default

auto-learn-mac-protect

Parameters

name

Specifies the name of the exclude list, up to 32 characters.

Platforms

All

auto-lifetimes

auto-lifetimes

Syntax

[no] auto-lifetimes

Context

[Tree] (config>subscr-mgmt>rtr-adv-plcy>pfx-opt>stateful auto-lifetimes)

Full Context

configure subscriber-mgmt router-advertisement-policy prefix-options stateful auto-lifetimes

Description

This command adjusts the valid and preferred lifetime values of the router advertisement from the DHCP lease of the subscriber. Every router advertisement sent to the subscriber is derived from the DHCP lease in real time. The route advertisement is always sent on a DHCP Renew.

The no form of this command reverts to the default.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

auto-lsp

auto-lsp

Syntax

auto-lsp lsp-template template-name {policy peer-prefix-policy [peer-prefix-policy] | one-hop}

no auto-lsp lsp-template template-name

Context

[Tree] (config>router>mpls auto-lsp)

Full Context

configure router mpls auto-lsp

Description

This command enables the automatic creation of an RSVP point-to-point LSP to a destination node whose router ID matches a prefix in the specified peer prefix policy. This LSP type is referred to as auto-LSP of type mesh.

The user can associate multiple templates with same or different peer prefix policies. Each application of an LSP template with a given prefix in the prefix list results in the instantiation of a single CSPF computed LSP primary path using the LSP template parameters as long as the prefix corresponds to a router ID for a node in the TE database. This command does not support the automatic signaling of a secondary path for an LSP. If the signaling of multiple LSPs to the same destination node is required, the user must apply a separate LSP template to the same or different prefix list that contains the same destination node. Each instantiated LSP will have a unique LSP ID and a unique tunnel ID. This command also does not support the signaling of a non-CSPF LSP. The selection of the no cspf option in the LSP template is blocked.

Up to five peer prefix policies can be associated with a given LSP template at all times. Each time the user runs the auto-lsp command with the same or different prefix policy associations, or the user changes a prefix policy associated with an LSP template, the system re-evaluates the prefix policy. The outcome of the re-evaluation tells MPLS if an existing LSP needs to be torn down or if a new LSP needs to be signaled to a destination address that is already in the TE database.

If a /32 prefix is added to (removed from) or if a prefix range is expanded (shrunk) in a prefix list associated with an LSP template, the preceding prefix policy re-evaluation is performed.

The user must perform a no shutdown of the template before the template takes effect. After a template is in use, the user must shut down the template before effecting any changes to the parameters, except for those LSP parameters for which the change can be handled with the Make-Before-Break (MBB) procedures. These parameters are bandwidth and enabling fast-reroute with or without the hop-limit or node-protect options. For all other parameters, the user must shut down the template, makes the change, and perform a no shutdown. This results in the existing instances of the LSP using this template to be torn down and re-signaled.

When a router with a router ID that matches a prefix in the prefix list appears in the TE database, it is a trigger to signal the LSP. The signaled LSP is installed in the Tunnel Table Manager (TTM) and is available to applications such as LDP-over-RSVP, resolution of BGP label routes, resolution of BGP, IGP, and static routes. It is, however, not available for use as a provisioned SDP for explicit binding or auto-binding by services.

Except for the MBB limitations to the configuration parameter change in the LSP template, MBB procedures for manual and timer based re-signaling of the LSP, for TE Graceful Shutdown and for soft preemption are supported.

The one-to-one option under fast-reroute, the LSP Diff-Serv class-type and backup-class-type parameters are not supported. If diffserv-te is enabled under RSVP, the auto-created LSP is still signaled but with the default LSP class type.

If the one-hop option is specified instead of a prefix list, this command enables the automatic signaling of one-hop point-to-point LSPs using the specified template to all directly connected neighbors. This LSP type is referred to as auto-LSP of type one-hop. Although the provisioning model and CLI syntax differ from that of a mesh LSP only by the absence of a prefix list, the actual behavior is quite different. When this command is executed, the TE database keeps track of each TE link that comes up to a directly connected IGP neighbor whose router ID is discovered. It then instructs MPLS to signals an LSP with a destination address matching the router ID of the neighbor and with a strict hop consisting of the address of the interface used by the TE link. Thus, the auto-lsp command with the one-hop option results in one or more LSPs signaled to the neighboring router.

An auto-created mesh or one-hop LSP can collect egress statistics at the ingress LER by adding the egress-statistics node configuration into the LSP template. The user can also collect ingress statistics at the egress LER by using the same ingress-statistics node configuration. The user must specify the full LSP name as signaled by the ingress LER in the RSVP session name field of the Session Attribute object in the received Path message.

This feature also provides for the auto-creation of an SR-TE mesh LSP and for an SR-TE one-hop LSP.

The SR-TE mesh LSP feature specifically binds a mesh-p2p-srte LSP template with one or more prefix lists. When the TE database discovers a router that has a router ID matching an entry in the prefix list, it triggers MPLS to instantiate an SR-TE LSP to that router using the LSP parameters in the LSP template.

The SR-TE one-hop LSP feature specifically activates a one-hop-p2p-srte LSP template. In this case, the TE database keeps track of each TE link that comes up to a directly connected IGP neighbor. It then instructs MPLS to instantiate a SR-TE LSP with the following parameters:

  • the source address of the local router

  • an outgoing interface matching the interface index of the TE-link

  • a destination address matching the router ID of the neighbor on the TE link

In both types of SR-TE auto-LSP, the router’s hop-to-label translation computes the label stack required to instantiate the LSP.

Note:

An SR-TE auto-LSP can be reported to a PCE but cannot be delegated or have its paths computed by PCE.

The no form of this command deletes all LSPs signaled using the specified template and prefix policy. When the one-hop option is used, it deletes all one-hop LSPs signaled using the specified template to all directly-connected neighbors.

Parameters

lsp-template template-name

Specifies an LSP template name, up to 32 characters in length.

policy peer-prefix-policy

Specifies an peer prefix policy name, up to 32 characters in length.

one-hop

Enables the automatic signaling of one-hop point-to-point LSPs.

Platforms

All

auto-mep-discovery

auto-mep-discovery

Syntax

[no] auto-mep-discovery

Context

[Tree] (config>eth-cfm>domain>assoc auto-mep-discovery)

Full Context

configure eth-cfm domain association auto-mep-discovery

Description

This command enables the ability to auto-discover remote MEPs from a peer MEP sending ETH-CC.

The no form of this command disables the ability to auto-discover remote MEPs from a peer MEP sending ETH-CC.

Default

no auto-mep-discovery

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

auto-reply

auto-reply

Syntax

[no] auto-reply

Context

[Tree] (config>service>vprn>sub-if>grp-if>ipv6 auto-reply)

[Tree] (config>service>ies>sub-if>grp-if>ipv6 auto-reply)

Full Context

configure service vprn subscriber-interface group-interface ipv6 auto-reply

configure service ies subscriber-interface group-interface ipv6 auto-reply

Description

This command assists IP-only static hosts to resolve their default gateway and MAC. By default, the BNG anti-spoof filter drops packets from unknown hosts. The auto-reply features first allow hosts to resolve their default gateway and afterwards allow them to forward traffic. Using the data traffic, the BNG can utilize the data-trigger mechanism to learn the host’s MAC and populate the full IP+MAC static host entry.

The no form of this command reverts to the default.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

auto-rp

auto-rp

Syntax

auto-rp [detail]

no auto-rp

Context

[Tree] (debug>router>pim auto-rp)

Full Context

debug router pim auto-rp

Description

This command enables debugging for PIM auto-RP.

The no form of this command disables PIM auto-RP debugging.

Parameters

detail

Debugs detailed information on the PIM auto-RP mechanism.

Platforms

All

auto-rp-discovery

auto-rp-discovery

Syntax

auto-rp-discovery [candidate] [mapping-agent]

no auto-rp-discovery

Context

[Tree] (config>service>vprn>pim>rp auto-rp-discovery)

Full Context

configure service vprn pim rp auto-rp-discovery

Description

This command enables the auto-RP protocol in discovery mode. In discovery mode, RP-mapping and RP-candidate messages are received and forwarded to downstream nodes. RP-mapping messages are received locally to learn the availability of RP nodes present in the network. In a VPRN configuration, Nokia recommends that a local loopback interface should be created with the same IP address as the system IP address.

The following configuration guidelines apply.

  • Either bsr-candidate for IPv4 or auto-rp-discovery can be configured; the two mechanisms cannot be enabled together.

  • bsr-candidate for IPv6 and auto-rp-discovery for IPv4 can be enabled together.

  • auto-rp-discovery cannot be enabled together with mdt-type sender-only or mdt-type receiver-only, or wildcard-spmsi configurations.

This command also enables the auto-RP listener functionality. The auto-RP listener forwards the candidate 224.0.1.39 and mapping 224.0.1.40 messages over the PIM interfaces.

The no form of this command disables auto-RP discovery, auto-RP listener, candidate, and mapping-agent.

Default

no auto-rp-discovery

Parameters

candidate

Specifies that the RP is a candidate RP. The auto-RP C-RP announces the candidate RP messages on the 224.0.1.39 multicast address. This functionality is in addition to the listener functionality enabled by the auto RP discovery.

The default value is no candidate.

mapping agent

Specifies the mapping agent on the node. The auto-RP MA observes the auto-rp-announcement messages, selects the RP, and generates the RP discovery 224.0.1.40 messages. This functionality is in addition to the auto RP discovery functionality.

The default value is no mapping-agent.

Platforms

All

auto-rp-discovery

Syntax

auto-rp-discovery [candidate] [mapping-agent]

no auto-rp-discovery

Context

[Tree] (config>router>pim>rp auto-rp-discovery)

Full Context

configure router pim rp auto-rp-discovery

Description

This command enables the auto-RP protocol in discovery mode. In discovery mode, RP-mapping and RP candidate messages are received and forwarded to downstream nodes. RP-mapping messages are received locally to learn the availability of RP nodes present in the network.

The following configuration guidelines apply.

  • Either bsr-candidate for IPv4 or auto-rp-discovery can be configured; the two mechanisms cannot be enabled together.

  • bsr-candidate for IPv6 and auto-rp-discovery for IPv4 can be enabled together.

This command also enables the auto-RP listener functionality. The auto-RP listener forwards the candidate 224.0.1.39 and mapping 224.0.1.40 messages over the PIM interfaces.

The no form of this command disables auto-RP discovery, auto-RP listener, candidate, and mapping-agent.

Default

no auto-rp-discovery

Parameters

candidate

Specifies that the RP is a candidate RP. The auto-RP C-RP announces the candidate RP messages on the 224.0.1.39 multicast address. This functionality is in addition to the listener functionality enabled by the auto RP discovery.

The default value is no candidate.

mapping agent

Specifies the mapping agent on the node. The auto-RP MA observes the auto-rp-announcement messages, selects the RP, and generates the RP discovery 224.0.1.40 messages. This functionality is in addition to the auto RP discovery functionality.

The default value is no mapping-agent.

Platforms

All

auto-rx

auto-rx

Syntax

auto-rx

Context

[Tree] (config>router>ldp>targeted-session auto-rx)

Full Context

configure router ldp targeted-session auto-rx

Description

Commands in this context configure an automatic targeted LDP session and accept targeted Hello messages from any peer.

Platforms

All

auto-srrp-id-range

auto-srrp-id-range

Syntax

auto-srrp-id-range start start-id end end-id

no auto-srrp-id-range

Context

[Tree] (config>redundancy>srrp auto-srrp-id-range)

Full Context

configure redundancy srrp auto-srrp-id-range

Description

This command reserves IDs for internal SRRP objects created for inter-UPF resiliency. Manually provisioned SRRP instances cannot use these reserved IDs.

The no form of this command removes the reservation of IDs.

Parameters

start-id

Specifies the lower bound of the ID range.

Values

1 to 4294967294

end-id

Specifies the upper bound of the ID range.

Values

2 to 4294967295

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

auto-sub-id-key

auto-sub-id-key

Syntax

auto-sub-id-key

Context

[Tree] (config>subscr-mgmt auto-sub-id-key)

Full Context

configure subscriber-mgmt auto-sub-id-key

Description

Commands in this context configure auto-generated subscriber identification key parameters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

auto-tx

auto-tx

Syntax

auto-tx

Context

[Tree] (config>router>ldp>targeted-session auto-tx)

Full Context

configure router ldp targeted-session auto-tx

Description

Commands in this context configure an automatic targeted LDP session and send targeted Hello messages towards PQ nodes determined by the rLFA algorithm.

Platforms

All

autoconfigure

autoconfigure

Syntax

autoconfigure

Context

[Tree] (bof autoconfigure)

Full Context

bof autoconfigure

Description

Commands in this context autoconfigure the IP address for the BOF. The IPv4 DHCP client, IPv6 DHCP client, and NDP/RA can be configured on the management interface.

Default

no autoconfigure

Platforms

7450 ESS-7, 7750 SR-1, 7750 SR-7, 7750 SR-1e, 7750 SR-2e, 7750 SR-s

autonegotiate

autonegotiate

Syntax

autonegotiate [limited]

no autonegotiate

Context

[Tree] (config>port>ethernet autonegotiate)

Full Context

configure port ethernet autonegotiate

Description

This command enables speed and duplex autonegotiation on Fast Ethernet ports and enables far-end fault indicator support on Gb ports.

There are three possible settings for autonegotiation:

  • "on” or enabled with full port capabilities advertised

  • "off” or disabled where there are no autonegotiation advertisements

  • "limited” where a single speed/duplex is advertised.

When autonegotiation is enabled on a port, the link attempts to automatically negotiate the link speed and duplex parameters. If autonegotiation is enabled, the configured duplex and speed parameters are ignored.

When autonegotiation is disabled on a port, the port does not attempt to autonegotiate and will only operate at the speed and duplex settings configured for the port. Note that disabling autonegotiation on Gb ports is not allowed as the IEEE 802.3 specification for Gb Ethernet requires autonegotiation be enabled for far end fault indication.

If the autonegotiate limited keyword option is specified the port will auto-negotiate but will only advertise a specific speed and duplex. The speed and duplex advertised are the speed and duplex settings configured for the port. One use for limited mode is for multi-speed Gb ports to force Gb operation while keeping autonegotiation enabled for compliance with IEEE 802.3.

Router requires that autonegotiation be disabled or limited for ports in a Link Aggregation Group to guarantee a specific port speed.

The no form of this command disables autonegotiation on this port.

Default

autonegotiate

Parameters

limited

The Ethernet interface will automatically negotiate link parameters with the far end, but will only advertise the speed and duplex mode specified by the Ethernet config>port>ethernet speed and config>port>ethernet duplex commands.

Platforms

All

autonegotiate

Syntax

[no] autonegotiate

Context

[Tree] (bof autonegotiate)

Full Context

bof autonegotiate

Description

This command enables speed and duplex autonegotiation on the management Ethernet port in the running configuration and the Boot Option File (BOF).

When autonegotiation is enabled, the link attempts to automatically negotiate the link speed and duplex parameters. If autonegotiation is enabled, then the configured duplex and speed parameters are ignored.

The no form of this command disables the autonegotiate feature on this port.

Platforms

All

autonomous

autonomous

Syntax

[no] autonomous

Context

[Tree] (config>service>vprn>sub-if>ipv6>rtr-adv>pfx-op autonomous)

[Tree] (config>service>ies>sub-if>grp-if>ipv6>rtr-adv>pfx-opt autonomous)

[Tree] (config>service>vprn>sub-if>grp-if>ipv6>rtr-adv>pfx-opt autonomous)

[Tree] (config>service>ies>sub-if>ipv6>rtr-adv>pfx-opt autonomous)

Full Context

configure service vprn subscriber-interface ipv6 rtr-adv pfx-op autonomous

configure service ies subscriber-interface group-interface ipv6 router-advertisements prefix-options autonomous

configure service vprn subscriber-interface group-interface ipv6 router-advertisements prefix-options autonomous

configure service ies subscriber-interface ipv6 router-advertisements prefix-options autonomous

Description

This command enables the option that determines whether or not the prefix can be used for stateless address autoconfiguration.

The no form of this command disables the option.

Default

no autonomous

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

autonomous

Syntax

[no] autonomous

Context

[Tree] (config>service>vprn>router-advert>if>prefix autonomous)

Full Context

configure service vprn router-advertisement interface prefix autonomous

Description

This command specifies whether the prefix can be used for stateless address autoconfiguration.

Default

autonomous

Platforms

All

autonomous

Syntax

[no] autonomous

Context

[Tree] (config>router>router-advert>if>prefix autonomous)

Full Context

configure router router-advertisement interface prefix autonomous

Description

This command specifies whether the prefix can be used for stateless address autoconfiguration.

Default

autonomous

Platforms

All

autonomous-system

autonomous-system

Syntax

autonomous-system as-number

no autonomous-system

Context

[Tree] (config>service>vprn autonomous-system)

Full Context

configure service vprn autonomous-system

Description

This command defines the autonomous system (AS) to be used by this VPN routing/forwarding (VRF). This command defines the autonomous system to be used by this VPN routing

The no form of this command removes the defined AS from this VPRN context.

Default

no autonomous-system

Parameters

as-number

Specifies the AS number for the VPRN service.

Values

1 to 4294967295

Platforms

All

autonomous-system

Syntax

autonomous-system autonomous-system

no autonomous-system

Context

[Tree] (config>router autonomous-system)

Full Context

configure router autonomous-system

Description

This command configures the autonomous system (AS) number for the router. A router can only belong to one AS. An AS number is a globally unique number with an AS. This number is used to exchange exterior routing information with neighboring ASs and as an identifier of the AS itself.

If the AS number is changed on a router with an active BGP instance, the new AS number is not used until the BGP instance is restarted either by administratively disabling/enabling (shutdown/no shutdown) the BGP instance or rebooting the system with the new configuration.

Default

no autonomous-system

Parameters

autonomous-system

Specifies the autonomous system number expressed as a decimal integer.

Values

1 to 4294967295

Platforms

All

autonomous-system-type

autonomous-system-type

Syntax

autonomous-system-type {origin | peer}

Context

[Tree] (config>cflowd>collector autonomous-system-type)

Full Context

configure cflowd collector autonomous-system-type

Description

This command defines whether the autonomous system (AS) information included in the flow data is based on the originating AS or external peer AS of the routes.

This option is only allowed if the collector is configured as Version 5 or Version 8.

Default

autonomous-system-type origin

Parameters

origin

Specifies that the AS information included in the flow data is based on the originating AS.

peer

Specifies that the AS information included in the flow data is based on the peer AS.

Platforms

All

aux-channel-enable

aux-channel-enable

Syntax

[no] aux-channel-enable

Context

[Tree] (config>open-flow>of-switch aux-channel-enable)

Full Context

configure open-flow of-switch aux-channel-enable

Description

This command enables auxiliary connections for the given H-OFS instance. If enabled, the H-OFS switch sets up a statistics auxiliary channel (Auxiliary ID 1) and a packet-in auxiliary channel (Auxiliary ID 2) for the main connection to every configured OpenFlow controller.

The no form of this command disables auxiliary connections.

Default

no aux-channel-enable

Platforms

All

aux-stats

aux-stats

Syntax

[no] aux-stats sr

Context

[Tree] (config>router>mpls aux-stats)

Full Context

configure router mpls aux-stats

Description

This command enables and configures counters for the specified labeled traffic type in an auxiliary MPLS statistics table. The sr keyword indicates to the system to increment packet and octet counters of that table for any type of Segment Routing traffic (SR-OSPF, SR-ISIS, SR-TE, and so on). This command cannot be used in specific system configurations. This command does not impact the overall counting of MPLS packets and octets shown, for example, by the show router mpls interface [ip-int-name | ip-address] statistics command.

The no form of this command disables the counters of the auxiliary MPLS statistics table. The no form of this command cannot be used if dark bandwidth accounting is enabled (config>router>rsvp>dbw-accounting).

Default

aux-stats sr

Parameters

sr

Specifies the type of traffic to count in the auxiliary MPLS statistics table. Refers to any type of Segment Routing traffic (SR-OSPF, SR-ISIS, SR-TE, and so on).

Platforms

7750 SR, 7750 SR-s, 7950 XRS, VSR

availability

availability

Syntax

availability

Context

[Tree] (config>oam-pm>session>ethernet>lmm availability)

Full Context

configure oam-pm session ethernet lmm availability

Description

Commands in this context activate, collect, and record availability statistics for LMM tests. These computations are not enabled by default. In order to modify parameters within a session, including these availability parameters, the LMM test must be shut down.

Platforms

All

avg-flr-event

avg-flr-event

Syntax

avg-flr-event {forward | backward} threshold raise-threshold-percentage [clear clear-threshold-percentage]

no avg-flr-event {forward | backward}

Context

[Tree] (config>oam-pm>session>ethernet>slm>loss-events avg-flr-event)

[Tree] (config>oam-pm>session>ethernet>lmm>loss-events avg-flr-event)

[Tree] (config>oam-pm>session>ip>twamp-light>loss-events avg-flr-event)

Full Context

configure oam-pm session ethernet slm loss-events avg-flr-event

configure oam-pm session ethernet lmm loss-events avg-flr-event

configure oam-pm session ip twamp-light loss-events avg-flr-event

Description

This command sets the frame loss ratio threshold configuration to be applied and checked at the end of the measurement interval for the specified direction. This is a percentage based on average frame loss ratio over the entire measurement interval. If the clear-threshold-percent value is not specified, the traffic crossing alarm is stateless. Stateless means the state is not carried forward to other measurement intervals. Each measurement interval is analyzed independently and without regard to any previous window. Each unique event can only be raised once within measurement interval. If the optional clear-threshold-percent value is specified, the traffic crossing alarm uses stateful behavior. Stateful means each unique previous event state is carried forward to following measurement intervals. If a threshold crossing event is raised another is not raised until a measurement interval completes and the clear threshold has not been exceeded. A clear event is raised under that condition.

The no form of this command removes the event threshold for frame loss ratio. The direction must be included with the no command.

Default

no avg-flr-event forward

no avg-flr-event backward

Parameters

forward

Specifies the threshold is applied to the forward direction value.

backward

Specifies the threshold is applied to the backward direction value.

raise-threshold-percentage

Specifies the rising percentage that determines when the event is to be generated.

Values

0.001 to 100.000

clear-threshold-percentage

Specifies an optional value used for stateful behavior that allows the operator to configure a percentage of loss value lower than the rising percentage to indicate when the clear event should be generated.

Values

0.000 to 99.999

A value 0.000 means that the FLR must be 0.000.

Platforms

All

  • configure oam-pm session ethernet lmm loss-events avg-flr-event
  • configure oam-pm session ethernet slm loss-events avg-flr-event

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

  • configure oam-pm session ip twamp-light loss-events avg-flr-event

avg-frame-overhead

avg-frame-overhead

Syntax

avg-frame-overhead percent

no avg-frame-overhead

Context

[Tree] (config>subscr-mgmt>sla-prof>egress>qos>queue avg-frame-overhead)

Full Context

configure subscriber-mgmt sla-profile egress qos queue avg-frame-overhead

Description

This command configures the average frame overhead to define the average percentage that the offered load to a queue will expand during the frame encapsulation process before sending traffic on-the-wire. While the avg-frame-overhead value may be defined on any queue, it is only used by the system for queues that egress a SONET or SDH port or channel. Queues operating on egress Ethernet ports automatically calculate the frame encapsulation overhead based on a 20 byte per packet rule (8 bytes for preamble and 12 bytes for Inter-Frame Gap).

When calculating the frame encapsulation overhead for port scheduling purposes, the system determines the following values:

  • Offered-load — The offered-load of a queue is calculated by starting with the queue depth in octets, adding the received octets at the queue and subtracting queue discard octets. The result is the number of octets the queue has available to transmit. This is the packet based offered-load.

  • Frame encapsulation overhead — Using the avg-frame-overhead parameter, the frame encapsulation overhead is simply the queues current offered-load (how much has been received by the queue) multiplied by the avg-frame-overhead. If a queue had an offered load of 10000 octets and the avg-frame-overhead equals 10%, the frame encapsulation overhead would be 10000 x 0.1 or 1000 octets.

For egress Ethernet queues, the frame encapsulation overhead is calculated by multiplying the number of offered-packets for the queue by 20 bytes. If a queue was offered 50 packets then the frame encapsulation overhead would be 50 x 20 or 1000 octets.

  • Frame based offered-load — The frame based offered-load is calculated by adding the offered-load to the frame encapsulation overhead. If the offered-load is 10000 octets and the encapsulation overhead was 1000 octets, the frame based offered-load would equal 11000 octets.

  • Packet to frame factor — The packet to frame factor is calculated by dividing the frame encapsulation overhead by the queues offered-load (packet based). If the frame encapsulation overhead is 1000 octets and the offered-load is 10000 octets then the packet to frame factor would be 1000 / 10000 or 0.1. When in use, the avg-frame-overhead is the same as the packet to frame factor making this calculation unnecessary.

  • Frame based CIR — The frame based CIR is calculated by multiplying the packet to frame factor with the queues configured CIR and then adding that result to that CIR. If the queue CIR is set at 500 octets and the packet to frame factor equals 0.1, the frame based CIR would be 500 x 1.1 or 550 octets.

  • Frame based within-cir offered-load — The frame based within-cir offered-load is the portion of the frame based offered-load considered to be within the frame-based CIR. The frame based within-cir offered-load is the lesser of the frame based offered-load and the frame based CIR. If the frame based offered-load equaled 11000 octets and the frame based CIR equaled 550 octets, the frame based within-cir offered-load would be limited to 550 octets. If the frame based offered-load equaled 450 octets and the frame based CIR equaled 550 octets, the frame based within-cir offered-load would equal 450 octets (or the entire frame based offered-load).

As a special case, when a policer, queue or associated intermediate scheduler is configured with a CIR-weight equal to 0, the system automatically sets the queue’s frame based within-cir offered-load to 0, preventing it from receiving bandwidth during the port scheduler’s within-cir pass.

  • Frame based PIR — The frame based PIR is calculated by multiplying the packet to frame factor with the queue’s configured PIR and then adding the result to that PIR. If the queue PIR is set to 7500 octets and the packet to frame factor equals 0.1, the frame based PIR would be 7500 x 1.1 or 8250 octets.

  • Frame based within-pir offered-load — The frame based within-pir offered-load is the portion of the frame based offered-load considered to be within the frame based PIR. The frame based within-pir offered-load is the lesser of the frame based offered-load and the frame based PIR. If the frame based offered-load equaled 11000 octets and the frame based PIR equaled 8250 octets, the frame based within-pir offered-load would be limited to 8250 octets. If the frame based offered-load equaled 7000 octets and the frame based PIR equaled 8250 octets, the frame based within-pir offered load would equal 7000 octets.

Port scheduler operation using frame transformed rates — The port scheduler uses the frame based rates to determine the maximum rates that each queue may receive during the within-cir and above-cir bandwidth allocation passes. During the within-cir pass, a queue may receive up to its frame based within-cir offered-load. The maximum it may receive during the above-cir pass is the difference between the frame based within-pir offered load and the amount of actual bandwidth allocated during the within-cir pass.

SAP and subscriber SLA-profile average frame overhead override — The average frame overhead parameter on a sap-egress may be overridden at an individual egress queue basis. On each SAP and within the sla-profile policy used by subscribers an avg-frame-overhead command may be defined under the queue-override context for each queue. When overridden, the queue instance will use its local value for the average frame overhead instead of the sap-egress defined overhead.

The no form of this command reverts to the default. When set to 0, the system uses the packet based queue statistics for calculating port scheduler priority bandwidth allocation. If the no avg-frame-overhead command is executed in a queue-override queue id context, the avg-frame-overhead setting for the queue within the sap-egress QoS policy takes effect.

Default

avg-frame-overhead 0

Parameters

percent

Specifies the average amount of packet-to-frame encapsulation overhead expected for the queue. This value is not used by the system for egress Ethernet queues.

Values

0.00 to 100.00, default

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

avg-frame-overhead

Syntax

avg-frame-overhead percent

no avg-frame-overhead

Context

[Tree] (config>service>ies>sub-if>grp-if>sap>egress>queue-override>queue avg-frame-overhead)

[Tree] (config>service>ies>if>sap>ingress>queue-override>queue avg-frame-overhead)

[Tree] (config>service>ies>if>sap>egress>queue-override>queue avg-frame-overhead)

[Tree] (config>service>vpls>sap>ingress>queue-override>queue avg-frame-overhead)

Full Context

configure service ies subscriber-interface group-interface sap egress queue-override queue avg-frame-overhead

configure service ies interface sap ingress queue-override queue avg-frame-overhead

configure service ies interface sap egress queue-override queue avg-frame-overhead

configure service vpls sap ingress queue-override queue avg-frame-overhead

Description

This command configures the average frame overhead to define the average percentage that the offered load to a queue expands during the frame encapsulation process before sending traffic on-the-wire. While the avg-frame-overhead value may be defined on any queue, it is only used by the system for queues that egress a Sonet or SDH port or channel. Queues operating on egress Ethernet ports automatically calculate the frame encapsulation overhead based on a 20 byte per packet rule (8 bytes for preamble and 12 bytes for Inter-Frame Gap).

When calculating the frame encapsulation overhead for port scheduling purposes, the system determines the following values:

  • Offered-Load — The offered-load of a queue is calculated by starting with the queue depth in octets, adding the received octets at the queue and subtracting queue discard octets. The result is the number of octets the queue has available to transmit. This is the packet-based offered-load.

  • Frame-encapsulation overhead — Using the avg-frame-overhead parameter, the frame-encapsulation overhead is simply the queue’s current offered-load (how much has been received by the queue) multiplied by the avg-frame-overhead. If a queue had an offered load of 10,000 octets and the avg-frame-overhead equals 10%, the frame-encapsulation overhead would be 10,000 x 0.1 or 1,000 octets.

For egress Ethernet queues, the frame-encapsulation overhead is calculated by multiplying the number of offered-packets for the queue by 20 bytes. If a queue was offered 50 packets then the frame-encapsulation overhead would be 50 x 20 or 1,000 octets.

  • Frame-based offered-load — The frame-based offered-load is calculated by adding the offered-load to the frame-encapsulation overhead. If the offered-load is 10,000 octets and the encapsulation overhead was 1,000 octets, the frame-based offered-load would equal 11,000 octets.

  • Packet to frame factor — The packet to frame factor is calculated by dividing the frame-encapsulation overhead by the queue’s offered-load (packet-based). If the frame-encapsulation overhead is 1,000 octets and the offered-load is 10,000 octets then the packet to frame factor would be 1,000 / 10,000 or 0.1. When in use, the avg-frame-overhead is the same as the packet to frame factor making this calculation unnecessary.

  • Frame-based CIR — The frame-based CIR is calculated by multiplying the packet to frame factor with the queue’s configured CIR, then adding that result to that CIR. If the queue CIR is set at 500 octets and the packet to frame factor equals 0.1, the frame-based CIR would be 500 x 1.1 or 550 octets.

  • Frame-based within-CIR offered-load — The frame-based within-CIR offered-load is the portion of the frame-based offered-load considered to be within the frame-based CIR. The frame-based within-CIR offered-load is the lesser of the frame-based offered-load and the frame-based CIR. If the frame-based offered-load equaled 11000 octets and the frame-based CIR equaled 550 octets, the frame-based within-CIR offered-load would be limited to 550 octets. If the frame-based offered-load equaled 450 octets and the frame-based CIR equaled 550 octets, the frame-based within-CIR offered-load would equal 450 octets (or the entire frame-based offered-load).

As a special case, when a queue or associated intermediate scheduler is configured with a CIR-weight equal to 0, the system automatically sets the queue’s frame-based within-CIR offered-load to 0, preventing it from receiving bandwidth during the port scheduler’s within-CIR pass.

  • Frame-based PIR — The frame-based PIR is calculated by multiplying the packet to frame factor with the queue’s-configured PIR, then adding the result to that PIR. If the queue PIR is set to 7500 octets and the packet to frame factor equals 0.1, the frame-based PIR would be 7,500 x 1.1 or 8,250 octets.

  • Frame-based within-pir offered-load — The frame-based within-pir offered-load is the portion of the frame-based offered-load considered to be within the frame-based PIR. The frame-based within-pir offered-load is the lesser of the frame-based offered-load and the frame-based PIR. If the frame-based offered-load equaled 11,000 octets and the frame-based PIR equaled 8250 octets, the frame-based within-pir offered-load would be limited to 8,250 octets. If the frame-based offered-load equaled 7,000 octets and the frame-based PIR equaled 8,250 octets, the frame-based within-pir offered load would equal 7,000 octets.

Port Scheduler Operation Using Frame Transformed Rates — The port scheduler uses the frame-based rates to figure the maximum rates that each queue may receive during the within-CIR and above-CIR bandwidth allocation passes. During the within-CIR pass, a queue may receive up to its frame-based within-CIR offered-load. The maximum it may receive during the above-CIR pass is the difference between the frame-based within-pir offered load and the amount of actual bandwidth allocated during the within-CIR pass.

SAP and Subscriber SLA-Profile Average Frame Overhead Override — The average frame overhead parameter on a sap-egress may be overridden on an individual egress queue basis; on each SAP and within the sla-profile policy used by subscribers. An avg-frame-overhead command may be defined under the queue-override context for each queue. When overridden, the queue instance uses its local value for the average frame overhead instead of the sap-egress defined overhead.

The no form of this command restores the average frame overhead parameter for the queue to the default value of 0 percent. When set to 0, the system uses the packet-based queue statistics for calculating port scheduler priority bandwidth allocation. If the no avg-frame-overhead command is executed in a queue-override queue id context, the avg-frame-overhead setting for the queue within the sap-egress QoS policy takes effect.

Default

avg-frame-overhead 0

Parameters

percent

Sets the average amount of packet-to-frame encapsulation overhead expected for the queue. This value is not used by the system for egress Ethernet queues. This parameter only applies to the 7450 ESS and 7750 SR.

Values

0.00 to 100.00

Platforms

All

avg-frame-overhead

Syntax

avg-frame-overhead percent

no avg-frame-overhead

Context

[Tree] (config>service>vpls>sap>egress>queue-override>queue avg-frame-overhead)

Full Context

configure service vpls sap egress queue-override queue avg-frame-overhead

Description

This command configures the average frame overhead to define the average percentage that the offered load to a queue will expand during the frame encapsulation process before sending traffic on-the-wire. While the avg-frame-overhead value may be defined on any queue, it is only used by the system for queues that egress a SONET or SDH port or channel. Queues operating on egress Ethernet ports automatically calculate the frame encapsulation overhead based on a 20 byte per packet rule (8 bytes for preamble and 12 bytes for Inter-Frame Gap).

When calculating the frame encapsulation overhead for port scheduling purposes, the system determines the following values:

  • Offered-load — The offered-load of a queue is calculated by starting with the queue depth in octets, adding the received octets at the queue and subtracting queue discard octets. The result is the number of octets the queue has available to transmit. This is the packet based offered-load.

  • Frame encapsulation overhead — Using the avg-frame-overhead parameter, the frame encapsulation overhead is simply the queue’s current offered-load (how much has been received by the queue) multiplied by the avg-frame-overhead. If a queue had an offered load of 10000 octets and the avg-frame-overhead equals 10%, the frame encapsulation overhead would be 10000 x 0.1 or 1000 octets.

For egress Ethernet queues, the frame encapsulation overhead is calculated by multiplying the number of offered-packets for the queue by 20 bytes. If a queue was offered 50 packets then the frame encapsulation overhead would be 50 x 20 or 1000 octets.

  • Frame based offered-load — The frame based offered-load is calculated by adding the offered-load to the frame encapsulation overhead. If the offered-load is 10000 octets and the encapsulation overhead was 1000 octets, the frame based offered-load would equal 11000 octets.

  • Packet to frame factor — The packet to frame factor is calculated by dividing the frame encapsulation overhead by the queue’s offered-load (packet based). If the frame encapsulation overhead is 1000 octets and the offered-load is 10000 octets then the packet to frame factor would be 1000 / 10000 or 0.1. When in use, the avg-frame-overhead will be the same as the packet to frame factor making this calculation unnecessary.

  • Frame based CIR — The frame based CIR is calculated by multiplying the packet to frame factor with the queue’s configured CIR and then adding that result to that CIR. If the queue CIR is set at 500 octets and the packet to frame factor equals 0.1, the frame based CIR would be 500 x 1.1 or 550 octets.

  • Frame based within-cir offered-load — The frame based within-cir offered-load is the portion of the frame based offered-load considered to be within the frame-based CIR. The frame based within-cir offered-load is the lesser of the frame based offered-load and the frame based CIR. If the frame based offered-load equaled 11000 octets and the frame based CIR equaled 550 octets, the frame based within-cir offered-load would be limited to 550 octets. If the frame based offered-load equaled 450 octets and the frame based CIR equaled 550 octets, the frame based within-cir offered-load would equal 450 octets (or the entire frame based offered-load).

As a special case, when a queue or associated intermediate scheduler is configured with a CIR-weight equal to 0, the system automatically sets the queue’s frame based within-cir offered-load to 0, preventing it from receiving bandwidth during the port scheduler’s within-cir pass.

  • Frame based PIR — The frame based PIR is calculated by multiplying the packet to frame factor with the queue’s configured PIR and then adding the result to that PIR. If the queue PIR is set to 7500 octets and the packet to frame factor equals 0.1, the frame based PIR would be 7500 x 1.1 or 8250 octets.

  • Frame based within-pir offered-load — The frame based within-pir offered-load is the portion of the frame based offered-load considered to be within the frame based PIR. The frame based within-pir offered-load is the lesser of the frame based offered-load and the frame based PIR. If the frame based offered-load equaled 11000 octets and the frame based PIR equaled 8250 octets, the frame based within-pir offered-load would be limited to 8250 octets. If the frame based offered-load equaled 7000 octets and the frame based PIR equaled 8250 octets, the frame based within-pir offered load would equal 7000 octets.

Port scheduler operation using frame transformed rates — The port scheduler uses the frame based rates to calculate the maximum rates that each queue may receive during the within-cir and above-cir bandwidth allocation passes. During the within-cir pass, a queue may receive up to its frame based within-cir offered-load. The maximum it may receive during the above-cir pass is the difference between the frame based within-pir offered load and the amount of actual bandwidth allocated during the within-cir pass.

SAP and subscriber SLA-profile average frame overhead override — The average frame overhead parameter on a sap-egress may be overridden at an individual egress queue basis. On each SAP and within the sla-profile policy used by subscribers an avg-frame-overhead command may be defined under the queue-override context for each queue. When overridden, the queue instance will use its local value for the average frame overhead instead of the sap-egress defined overhead.

The no form of this command restores the average frame overhead parameter for the queue to the default value of 0 percent. When set to 0, the system uses the packet based queue statistics for calculating port scheduler priority bandwidth allocation. If the no avg-frame-overhead command is executed in a queue-override queue id context, the avg-frame-overhead setting for the queue within the sap-egress QoS policy takes effect.

Default

avg-frame-overhead 0

Parameters

percent

This parameter sets the average amount of packet-to-frame encapsulation overhead expected for the queue. This value is not used by the system for egress Ethernet queues.

Values

0 to 100

Platforms

All

avg-frame-overhead

Syntax

avg-frame-overhead percentage

no avg-frame-overhead

Context

[Tree] (config>service>cpipe>sap>egress>queue-override>queue avg-frame-overhead)

[Tree] (config>service>epipe>sap>egress>queue-override>queue avg-frame-overhead)

[Tree] (config>service>ipipe>sap>egress>queue-override>queue avg-frame-overhead)

Full Context

configure service cpipe sap egress queue-override queue avg-frame-overhead

configure service epipe sap egress queue-override queue avg-frame-overhead

configure service ipipe sap egress queue-override queue avg-frame-overhead

Description

This command configures the average frame overhead to define the average percentage that the offered load to a queue will expand during the frame encapsulation process before sending traffic on-the-wire. While the avg-frame-overhead value may be defined on any queue, it is only used by the system for queues that egress a SONET or SDH port or channel. Queues operating on egress Ethernet ports automatically calculate the frame encapsulation overhead based on a 20 byte per packet rule (8 bytes for preamble and 12 bytes for Inter-Frame Gap).

When calculating the frame encapsulation overhead for port scheduling purposes, the system determines the following values:

  • Offered-load — The offered-load of a queue is calculated by starting with the queue depth in octets, adding the received octets at the queue and subtracting queue discard octets. The result is the number of octets the queue has available to transmit. This is the packet based offered-load.

  • Frame encapsulation overhead — Using the avg-frame-overhead parameter, the frame encapsulation overhead is simply the queue’s current offered-load (how much has been received by the queue) multiplied by the avg-frame-overhead. If a queue had an offered load of 10000 octets and the avg-frame-overhead equals 10%, the frame encapsulation overhead would be 10000 x 0.1 or 1000 octets.

    For egress Ethernet queues, the frame encapsulation overhead is calculated by multiplying the number of offered-packets for the queue by 20 bytes. If a queue was offered 50 packets, then the frame encapsulation overhead would be 50 x 20 or 1000 octets.

  • Frame based offered-load — The frame based offered-load is calculated by adding the offered-load to the frame encapsulation overhead. If the offered-load is 10000 octets and the encapsulation overhead was 1000 octets, the frame based offered-load would equal 11000 octets.

  • Packet to frame factor — The packet to frame factor is calculated by dividing the frame encapsulation overhead by the queue’s offered-load (packet based). If the frame encapsulation overhead is 1000 octets and the offered-load is 10000 octets, then the packet to frame factor would be 1000 / 10000 or 0.1. When in use, the avg-frame-overhead will be the same as the packet to frame factor making this calculation unnecessary.

  • Frame based CIR — The frame based CIR is calculated by multiplying the packet to frame factor with the queue’s configured CIR and then adding that result to that CIR. If the queue CIR is set at 500 octets and the packet to frame factor equals 0.1, the frame based CIR would be 500 x 1.1 or 550 octets.

  • Frame based within-cir offered-load — The frame based within-cir offered-load is the portion of the frame based offered-load considered to be within the frame-based CIR. The frame based within-cir offered-load is the lesser of the frame based offered-load and the frame based CIR. If the frame based offered-load equaled 11000 octets and the frame based CIR equaled 550 octets, the frame based within-cir offered-load would be limited to 550 octets. If the frame based offered-load equaled 450 octets and the frame based CIR equaled 550 octets, the frame based within-cir offered-load would equal 450 octets (or the entire frame based offered-load).

    As a special case, when a queue or associated intermediate scheduler is configured with a CIR-weight equal to 0, the system automatically sets the queue’s frame based within-cir offered-load to 0, preventing it from receiving bandwidth during the port scheduler’s within-cir pass.

  • Frame based PIR — The frame based PIR is calculated by multiplying the packet to frame factor with the queue’s configured PIR and then adding the result to that PIR. If the queue PIR is set to 7500 octets and the packet to frame factor equals 0.1, the frame based PIR would be 7500 x 1.1 or 8250 octets.

  • Frame based within-pir offered-load — The frame based within-pir offered-load is the portion of the frame based offered-load considered to be within the frame based PIR. The frame based within-pir offered-load is the lesser of the frame based offered-load and the frame based PIR. If the frame based offered-load equaled 11000 octets and the frame based PIR equaled 8250 octets, the frame based within-pir offered-load would be limited to 8250 octets. If the frame based offered-load equaled 7000 octets and the frame based PIR equaled 8250 octets, the frame based within-pir offered load would equal 7000 octets.

Port scheduler operation using frame transformed rates — The port scheduler uses the frame based rates to figure the maximum rates that each queue may receive during the within-cir and above-cir bandwidth allocation passes. During the within-cir pass, a queue may receive up to its frame based within-cir offered-load. The maximum it may receive during the above-cir pass is the difference between the frame based within-pir offered load and the amount of actual bandwidth allocated during the within-cir pass.

On the 7450 ESS and 7750 SR, SAP and subscriber SLA-profile average frame overhead override — The average frame overhead parameter on a sap-egress may be overridden at an individual egress queue basis. On each SAP and within the sla-profile policy used by subscribers an avg-frame-overhead command may be defined under the queue-override context for each queue. When overridden, the queue instance will use its local value for the average frame overhead instead of the sap-egress defined overhead.

The no form of this command restores the average frame overhead parameter for the queue to the default value of 0 percent. When set to 0, the system uses the packet based queue statistics for calculating port scheduler priority bandwidth allocation. If the no avg-frame-overhead command is executed in a queue-override queue id context, the avg-frame-overhead setting for the queue within the sap-egress QoS policy takes effect.

Default

avg-frame-overhead 0

Parameters

percent

This parameter sets the average amount of packet-to-frame encapsulation overhead expected for the queue. This value is not used by the system for egress Ethernet queues.

Values

0.00 to 100.00

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

  • configure service cpipe sap egress queue-override queue avg-frame-overhead

All

  • configure service epipe sap egress queue-override queue avg-frame-overhead
  • configure service ipipe sap egress queue-override queue avg-frame-overhead

avg-frame-overhead

Syntax

avg-frame-overhead percent

no avg-frame-overhead

Context

[Tree] (config>service>vprn>if>sap>egress>queue-override>queue avg-frame-overhead)

Full Context

configure service vprn interface sap egress queue-override queue avg-frame-overhead

Description

This command configures the average frame overhead to define the average percentage that the offered load to a queue will expand during the frame encapsulation process before sending traffic on-the-wire. While the avg-frame-overhead value may be defined on any queue, it is only used by the system for queues that egress a Sonet or SDH port or channel. Queues operating on egress Ethernet ports automatically calculate the frame encapsulation overhead based on a 20 byte per packet rule (8 bytes for preamble and 12 bytes for Inter-Frame Gap).

When calculating the frame encapsulation overhead for port scheduling purposes, the system determines the following values:

  • Offered-load — The offered-load of a queue is calculated by starting with the queue depth in octets, adding the received octets at the queue and subtracting queue discard octets. The result is the number of octets the queue has available to transmit. This is the packet based offered-load.

  • Frame encapsulation overhead — Using the avg-frame-overhead parameter, the frame encapsulation overhead is simply the queue’s current offered-load (how much has been received by the queue) multiplied by the avg-frame-overhead. If a queue had an offered load of 10000 octets and the avg-frame-overhead equals 10%, the frame encapsulation overhead would be 10000 x 0.1 or 1000 octets.

For egress Ethernet queues, the frame encapsulation overhead is calculated by multiplying the number of offered-packets for the queue by 20 bytes. If a queue was offered 50 packets then the frame encapsulation overhead would be 50 x 20 or 1000 octets.

  • Frame based offered-load — The frame based offered-load is calculated by adding the offered-load to the frame encapsulation overhead. If the offered-load is 10000 octets and the encapsulation overhead was 1000 octets, the frame based offered-load would equal 11000 octets.

  • Packet to frame factor — The packet to frame factor is calculated by dividing the frame encapsulation overhead by the queue’s offered-load (packet based). If the frame encapsulation overhead is 1000 octets and the offered-load is 10000 octets then the packet to frame factor would be 1000 / 10000 or 0.1. When in use, the avg-frame-overhead will be the same as the packet to frame factor making this calculation unnecessary.

  • Frame based CIR — The frame based CIR is calculated by multiplying the packet to frame factor with the queue’s configured CIR and then adding that result to that CIR. If the queue CIR is set at 500 octets and the packet to frame factor equals 0.1, the frame based CIR would be 500 x 1.1 or 550 octets.

  • Frame based within-cir offered-load — The frame based within-cir offered-load is the portion of the frame based offered-load considered to be within the frame-based CIR. The frame based within-cir offered-load is the lesser of the frame based offered-load and the frame based CIR. If the frame based offered-load equaled 11000 octets and the frame based CIR equaled 550 octets, the frame based within-cir offered-load would be limited to 550 octets. If the frame based offered-load equaled 450 octets and the frame based CIR equaled 550 octets, the frame based within-cir offered-load would equal 450 octets (or the entire frame based offered-load).

As a special case, when a queue or associated intermediate scheduler is configured with a CIR-weight equal to 0, the system automatically sets the queue’s frame based within-cir offered-load to 0, preventing it from receiving bandwidth during the port scheduler’s within-cir pass.

  • Frame based PIR — The frame based PIR is calculated by multiplying the packet to frame factor with the queue’s configured PIR and then adding the result to that PIR. If the queue PIR is set to 7500 octets and the packet to frame factor equals 0.1, the frame based PIR would be 7500 x 1.1 or 8250 octets.

  • Frame based within-pir offered-load — The frame based within-pir offered-load is the portion of the frame based offered-load considered to be within the frame based PIR. The frame based within-pir offered-load is the lesser of the frame based offered-load and the frame based PIR. If the frame based offered-load equaled 11000 octets and the frame based PIR equaled 8250 octets, the frame based within-pir offered-load would be limited to 8250 octets. If the frame based offered-load equaled 7000 octets and the frame based PIR equaled 8250 octets, the frame based within-pir offered load would equal 7000 octets.

Port scheduler operation using frame transformed rates — The port scheduler uses the frame based rates to determine the maximum rates that each queue may receive during the within-cir and above-cir bandwidth allocation passes. During the within-cir pass, a queue may receive up to its frame based within-cir offered-load. The maximum it may receive during the above-cir pass is the difference between the frame based within-pir offered load and the amount of actual bandwidth allocated during the within-cir pass.

SAP and subscriber SLA-profile average frame overhead override — The average frame overhead parameter on a sap-egress may be overridden at an individual egress queue basis. On each SAP and within the sla-profile policy used by subscribers an avg-frame-overhead command may be defined under the queue-override context for each queue. When overridden, the queue instance will use its local value for the average frame overhead instead of the sap-egress defined overhead.

The no form of this command restores the average frame overhead parameter for the queue to the default value of 0 percent. When set to 0, the system uses the packet based queue statistics for calculating port scheduler priority bandwidth allocation. If the no avg-frame-overhead command is executed in a queue-override queue id context, the avg-frame-overhead setting for the queue within the sap-egress QoS policy takes effect.

Default

0

Parameters

percent

This parameter sets the average amount of packet-to-frame encapsulation overhead expected for the queue. This value is not used by the system for egress Ethernet queues.

Values

0 to 100

Platforms

All

avg-frame-overhead

Syntax

avg-frame-overhead percent

no avg-frame-overhead

Context

[Tree] (config>qos>sap-egress>queue avg-frame-overhead)

Full Context

configure qos sap-egress queue avg-frame-overhead

Description

This command configures the average frame overhead to define the average percentage that the offered load to a queue will expand during the frame encapsulation process before sending traffic on-the-wire. While the avg-frame-overhead value may be defined on any queue, it is only used by the system for queues that egress a Sonet or SDH port or channel. Queues operating on egress Ethernet ports automatically calculate the frame encapsulation overhead based on a 20 byte per packet rule (8 bytes for preamble and 12 bytes for Inter-Frame Gap).

When calculating the frame encapsulation overhead for port scheduling purposes, the system determines the following values:

  • Offered-Load — The offered-load of a queue is calculated by starting with the queue depth in octets, adding the received octets at the queue and subtracting queue discard octets. The result is the number of octets the queue has available to transmit. This is the packet-based offered-load.

  • Frame-encapsulation overhead — Using the avg-frame-overhead parameter, the frame-encapsulation overhead is simply the queue’s current offered-load (how much has been received by the queue) multiplied by the avg-frame-overhead. If a queue had an offered load of 10,000 octets and the avg-frame-overhead equals 10%, the frame-encapsulation overhead would be 10,000 x 0.1 or 1,000 octets.

For egress Ethernet queues, the frame-encapsulation overhead is calculated by multiplying the number of offered-packets for the queue by 20 bytes. If a queue was offered 50 packets, then the frame-encapsulation overhead would be 50 x 20 or 1,000 octets.

  • Frame-based offered-load — The frame-based offered-load is calculated by adding the offered-load to the frame-encapsulation overhead. If the offered-load is 10,000 octets and the encapsulation overhead was 1,000 octets, the frame-based offered-load would equal 11,000 octets.

  • Packet to frame factor — The packet to frame factor is calculated by dividing the frame-encapsulation overhead by the queue’s offered-load (packet-based). If the frame-encapsulation overhead is 1,000 octets and the offered-load is 10,000 octets, then the packet to frame factor would be 1,000 / 10,000 or 0.1. When in use, the avg-frame-overhead will be the same as the packet to frame factor making this calculation unnecessary.

  • Frame-based CIR — The frame-based CIR is calculated by multiplying the packet to frame factor with the queue’s configured CIR, then adding that result to that CIR. If the queue CIR is set at 500 octets and the packet to frame factor equals 0.1, the frame-based CIR would be 500 x 1.1 or 550 octets.

  • Frame-based within-CIR offered-load — The frame-based within-CIR offered-load is the portion of the frame-based offered-load considered to be within the frame-based CIR. The frame-based within-CIR offered-load is the lesser of the frame-based offered-load and the frame-based CIR. If the frame-based offered-load equaled 11000 octets and the frame-based CIR equaled 550 octets, the frame-based within-CIR offered-load would be limited to 550 octets. If the frame-based offered-load equaled 450 octets and the frame-based CIR equaled 550 octets, the frame-based within-CIR offered-load would equal 450 octets (or the entire frame-based offered-load).

As a special case, when a queue or associated intermediate scheduler is configured with a CIR-weight equal to 0, the system automatically sets the queue’s frame-based within-CIR offered-load to 0, preventing it from receiving bandwidth during the port scheduler’s within-CIR pass.

  • Frame-based PIR — The frame-based PIR is calculated by multiplying the packet to frame factor with the queue’s-configured PIR, then adding the result to that PIR. If the queue PIR is set to 7500 octets and the packet to frame factor equals 0.1, the frame-based PIR would be 7,500 x 1.1 or 8,250 octets.

  • Frame-based within-pir offered-load — The frame-based within-pir offered-load is the portion of the frame-based offered-load considered to be within the frame-based PIR. The frame-based within-pir offered-load is the lesser of the frame-based offered-load and the frame-based PIR. If the frame-based offered-load equaled 11,000 octets and the frame-based PIR equaled 8250 octets, the frame-based within-pir offered-load would be limited to 8,250 octets. If the frame-based offered-load equaled 7,000 octets and the frame-based PIR equaled 8,250 octets, the frame-based within-pir offered load would equal 7,000 octets.

Port Scheduler Operation Using Frame Transformed Rates — The port scheduler uses the frame-based rates to figure the maximum rates that each queue may receive during the within-CIR and above-CIR bandwidth allocation passes. During the within-CIR pass, a queue may receive up to its frame-based within-CIR offered-load. The maximum it may receive during the above-CIR pass is the difference between the frame-based within-pir offered load and the amount of actual bandwidth allocated during the within-CIR pass.

SAP and Subscriber SLA-Profile Average Frame Overhead Override — The average frame overhead parameter on a sap-egress may be overridden on an individual egress queue basis; on each SAP and within the sla-profile policy used by subscribers. An avg-frame-overhead command may be defined under the queue-override context for each queue. When overridden, the queue instance will use its local value for the average frame overhead instead of the sap-egress defined overhead.

The no form of this command restores the average frame overhead parameter for the queue to the default value of 0 percent. When set to 0, the system uses the packet-based queue statistics for calculating port scheduler priority bandwidth allocation. If the no avg-frame-overhead command is executed in a queue-override queue id context, the avg-frame-overhead setting for the queue within the sap-egress QoS policy takes effect.

Default

no avg-frame-overhead

Parameters

percent

This parameter sets the average amount of packet-to-frame encapsulation overhead expected for the queue. This value is not used by the system for egress Ethernet queues. This parameter only applies to the 7450 ESS and 7750 SR.

Values

0.00 to 100.00

Platforms

All

avg-frame-overhead

Syntax

avg-frame-overhead percent

no avg-frame-overhead

Context

[Tree] (config>qos>network-queue>queue avg-frame-overhead)

Full Context

configure qos network-queue queue avg-frame-overhead

Description

This command configures the average frame overhead to define the average percentage that the offered load to a queue will expand during the frame encapsulation process before sending traffic on-the-wire. While the avg-frame-overhead value may be defined on any queue, it is only used by the system for queues that egress a SONET or SDH port or channel. Queues operating on egress Ethernet ports automatically calculate the frame encapsulation overhead based on a 20 byte per packet rule (8 bytes for preamble and 12 bytes for Inter-Frame Gap).

When calculating the frame encapsulation overhead for port scheduling purposes, the system determines the following values:

  • Offered-Load — The offered-load of a queue is calculated by starting with the queue depth in octets, adding the received octets at the queue and subtracting queue discard octets. The result is the number of octets the queue has available to transmit. This is the packet-based offered-load.

  • Frame-encapsulation overhead — Using the avg-frame-overhead parameter, the frame-encapsulation overhead is the queue’s current offered-load (how much has been received by the queue) multiplied by the avg-frame-overhead. If a queue had an offered load of 10 000 octets and the avg-frame-overhead equals 10%, the frame-encapsulation overhead would be 10 000 x 0.1 or 1000 octets.

For egress Ethernet queues, the frame-encapsulation overhead is calculated by multiplying the number of offered-packets for the queue by 20 bytes. If a queue was offered 50 packets, the frame-encapsulation overhead would be 50 x 20 or 1000 octets.

  • Frame-based offered-load — The frame-based offered-load is calculated by adding the offered-load to the frame-encapsulation overhead. If the offered-load is 10,000 octets and the encapsulation overhead was 1000 octets, the frame-based offered-load would equal 11 000 octets.

  • Packet to frame factor — The packet to frame factor is calculated by dividing the frame-encapsulation overhead by the queue’s offered-load (packet-based). If the frame-encapsulation overhead is 1000 octets and the offered-load is 10 000 octets, then the packet to frame factor would be 1000 / 10 000 or 0.1. When in use, the avg-frame-overhead will be the same as the packet to frame factor, making this calculation unnecessary.

  • Frame-based CIR — The frame-based CIR is calculated by multiplying the packet to frame factor with the queue’s-configured CIR, then adding that result to that CIR. If the queue CIR is set at 500 octets and the packet to frame factor equals 0.1, the frame-based CIR would be 500 x 1.1 or 550 octets.

  • Frame-based within-CIR offered-load — The frame-based within-CIR offered-load is the portion of the frame-based offered-load considered to be within the frame-based CIR. The frame-based within-CIR offered-load is the lesser of the frame-based offered-load and the frame-based CIR. If the frame-based offered-load equaled 11 000 octets and the frame-based CIR equaled 550 octets, the frame-based within-CIR offered-load would be limited to 550 octets. If the frame-based offered-load equaled 450 octets and the frame-based CIR equaled 550 octets, the frame-based within-CIR offered-load would equal 450 octets (or the entire frame-based offered-load).

As a special case, when a queue or associated intermediate scheduler is configured with a CIR-weight equal to 0, the system automatically sets the queue’s frame-based within-CIR offered-load to 0, preventing it from receiving bandwidth during the port scheduler’s within-CIR pass.

  • Frame-based PIR — The frame-based PIR is calculated by multiplying the packet to frame factor with the queue’s-configured PIR, then adding the result to that PIR. If the queue PIR is set to 7500 octets and the packet to frame factor equals 0.1, the frame-based PIR would be 7500 x 1.1 or 8250 octets.

  • Frame-based within-pir offered-load — The frame-based within-pir offered-load is the portion of the frame-based offered-load considered to be within the frame-based PIR. The frame-based within-pir offered-load is the lesser of the frame-based offered-load and the frame-based PIR. If the frame-based offered-load equaled 11,000 octets and the frame-based PIR equaled 8250 octets, the frame-based within-pir offered-load would be limited to 8,250 octets. If the frame-based offered-load equaled 7,000 octets and the frame-based PIR equaled 8,250 octets, the frame-based within-pir offered load would equal 7,000 octets.

Port Scheduler Operation Using Frame Transformed Rates — The port scheduler uses the frame-based rates to figure the maximum rates that each queue may receive during the within-CIR and above-CIR bandwidth allocation passes. During the within-CIR pass, a queue may receive up to its frame-based within-CIR offered load. The maximum it may receive during the above-CIR pass is the difference between the frame-based within-PIR offered load and the amount of actual bandwidth allocated during the within-CIR pass.

SAP and Subscriber SLA-Profile Average Frame Overhead Override (applies only to the 7450 ESS and 7750 SR) — The average frame overhead parameter on a sap-egress may be overridden at an individual egress queue basis. On each SAP and within the sla-profile policy used by subscribers, an avg-frame-overhead command may be defined under the queue-override context for each queue. When overridden, the queue instance will use its local value for the average frame overhead instead of the sap-egress-defined overhead.

The no form of this command restores the average frame overhead parameter for the queue to the default value of 0%. When set to 0, the system uses the packet-based queue statistics for calculating port scheduler priority bandwidth allocation. If the no avg-frame-overhead command is executed in a queue-override queue id context, the avg-frame-overhead setting for the queue within the sap-egress QoS policy takes effect.

Default

no avg-frame-overhead

Parameters

percent

This parameter sets the average number of packet-to-frame encapsulation overhead expected for the queue. This value is not used by the system for egress Ethernet queues.

Values

0.00 to 100.00

Platforms

All

avp-hiding

avp-hiding

Syntax

avp-hiding {sensitive | always}

no avp-hiding

Context

[Tree] (config>service>vprn>l2tp avp-hiding)

[Tree] (config>router>l2tp avp-hiding)

Full Context

configure service vprn l2tp avp-hiding

configure router l2tp avp-hiding

Description

This command configures Attribute Value Pair (AVP) hiding. This capability can be used to avoid the passing of sensitive data, such as user passwords, as cleartext in an AVP.

The no form of this command reverts to the default value.

Default

no avp-hiding

Parameters

sensitive

AVP hiding is used only for sensitive information (such as username/password).

always

AVP hiding is always used.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

avp-hiding

Syntax

avp-hiding {sensitive | always}

no avp-hiding

Context

[Tree] (config>service>vprn>l2tp>group avp-hiding)

Full Context

configure service vprn l2tp group avp-hiding

Description

This command configures Attribute Value Pair (AVP) hiding. This capability can be used to avoid the passing of sensitive data, such as user passwords, as cleartext in an AVP.

The no form of this command returns the value to never allow AVP hiding.

Default

no avp-hiding

Parameters

avp-hiding

Specifies the method to be used for the authentication of the tunnels in this L2TP group.

Values

sensitive — AVP hiding is used only for sensitive information (such as username/password).

always — AVP hiding is always used.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

avp-hiding

Syntax

avp-hiding {never | sensitive | always}

no avp-hiding

Context

[Tree] (config>service>vprn>l2tp>group>tunnel avp-hiding)

Full Context

configure service vprn l2tp group tunnel avp-hiding

Description

This command configures Attribute Value Pair (AVP) hiding. This capability can be used to avoid the passing of sensitive data, such as user passwords, as cleartext in an AVP.

Caution:

Nokia recommends that sensitive information not be sent in cleartext.

The no form of this command removes the parameter of the configuration and indicates that the value on group level will be taken.

Default

no avp-hiding

Parameters

avp-hiding

Specifies the method to be used for the authentication of the tunnel.

Values

never — AVP hiding is not used.

sensitive — AVP hiding is used only for sensitive information (such as username/password).

always — AVP hiding is always used.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR