a Commands – Part I

Context

[Tree] (config>app-assure>group>statistics aa-admit-deny)

Full Context

configure application-assurance group statistics aa-admit-deny

Description

Commands in this context configure admit-deny statistics generation.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>service>vprn aa-interface)

[Tree] (config>service>ies aa-interface)

Full Context

configure service vprn aa-interface

configure service ies aa-interface

Description

This commands creates a new AA interface within an IES or VPRN service. It is used by the aa-isa to send/receive IPv4 traffic. In the context of ICAP url-filtering this interface is used by the ISA to establish ICAP TCP connections to the ICAP servers.

This interface supports /31 subnet only, and uses by default .1q encapsulation.

The system will automatically configure the ISA IP address based on the address configured by the operator under the aa-interface object (which represents the ISA sap facing interface on the ISA).

Parameters

aa-if-name

specifies the name of the AA Interface.

create

Keyword that specifies to create the interface.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>log>acct-policy>cr aa-specific)

Full Context

configure log accounting-policy custom-record aa-specific

Description

Commands in this context configure information for this custom record.

The no form of this command excludes aa-specific attributes in the AA subscriber's custom record.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>app-assure>group>policy>aqp>entry>match aa-sub)

Full Context

configure application-assurance group policy app-qos-policy entry match aa-sub

Description

This command specifies a Service Access Point (SAP) or an ESM subscriber as matching criteria.

The no form of this command removes the SAP or ESM matching criteria.

Parameters

eq

Specifies that the value configured and the value in the flow are equal.

neq

Specifies that the value configured differs from the value in the flow.

sub-ident-string

Specifies the name of an existing application assurance subscriber.

esm-mac-name

Specifies the name of an ESM-MAC subscriber.

sap-id

Specifies the SAP ID.

sap sap-id

Specifies the physical port identifier portion of the SAP definition.

sdp-id:vc-id

Specifies the spoke SDP ID and VC ID.

Values

1 to 32767

1 to 4294967295

transit-aasub-name

Specifies the name of a transit AA subscriber.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>app-assure>group>statistics aa-sub)

Full Context

configure application-assurance group statistics aa-sub

Description

Commands in this context configure accounting and statistics collection parameters per application assurance subscribers.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>app-assure>group>statistics>aa-sub-study aa-sub)

Full Context

configure application-assurance group statistics aa-sub-study aa-sub

Description

This command adds an existing subscriber identification to a group of special study subscribers (for example, subscribers for which per subscriber statistics and accounting records can be collected for protocols and applications of application assurance).

The no form of this command removes the subscriber from the special study subscribers.

Up to 100 subscribers can be configured into the special study group for protocols and up to a 100 potentially different subscribers can be configured into the special study group for applications.

When adding a subscriber to the special study group, accounting records and statistics generation will commence immediately. When removing a subscriber from the group, special study statistics and accounting records for that subscriber in the current interval will be lost.

Parameters

sub-ident-string

Specifies the name of a subscriber ID. The subscriber does not need to be currently active. Any sub-ident-string will be accepted. When the subscriber becomes active, statistics generation will start automatically at that time.

sap-id

Specifies the physical port identifier portion of the SAP definition.

spoke-id sdp-id:vc-id

Specifies the spoke SDP ID and VC ID.

Values

1 to 32767

1 to 4294967295

transit-aasub-name

Specifies an existing transit subscriber name string, up to 32 characters in length.

esm-mac-name

Specifies an existing ESM-MAC subscriber name, up to 32 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>app-assure>group>transit-prefix-policy>entry aa-sub)

Full Context

configure application-assurance group transit-prefix-policy entry aa-sub

Description

This command configures a transit prefix policy entry subscriber.

The no form of this command removes the transit subscriber name from the transit prefix policy configuration.

Parameters

transit-aasub-name

specifies the name of the transit prefix AA subscriber up to 32 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>log>acct-policy>cr>aa aa-sub-attributes)

Full Context

configure log accounting-policy custom-record aa-specific aa-sub-attributes

Description

Commands in this context configure aa-specific attributes such as aa-sub-attributes and counters that will be available in the AA subscriber's custom record.

The no form of this command excludes aa specific attributes from the AA subscriber's custom record.

Parameters

all

Specifies all counters.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>app-assure>group aa-sub-congestion-detection)

Full Context

configure application-assurance group aa-sub-congestion-detection

Description

Commands in this context configure Non-Location Based DEM (NLB-DEM) parameters.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>log>acct-policy>cr>aa aa-sub-counters)

Full Context

configure log accounting-policy custom-record aa-specific aa-sub-counters

Description

Commands in this context configure subscriber counter information. This command only applies to the 7750 SR.

The no form of this command excludes the aa-sub-counters attributes in the AA subscriber's custom record.

Parameters

all

Specifies all counters.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>app-assure>group>policy>app-profile aa-sub-distribute-traffic-by-ip)

Full Context

configure application-assurance group policy app-profile aa-sub-distribute-traffic-by-ip

Description

This command allows the application assurance (AA) to divert traffic on the parent SAP or spoke-SDP to multiple ISAs/ESAs based on the source IP address. This is useful when the bandwidth of a single SAP is larger than the capacity of a single ISA or ESA. This is only supported for auto-created transit IP subscribers.

The traffic is diverted when hashing is enabled at the AA group level and in the parent SAP application profile.

The no form of this command does not allow AA to divert traffic on the parent SAP or spoke-SDP to different ESAs in the AA group based on the source IP address.

Default

shutdown

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s

Context

[Tree] (config>isa>aa-grp aa-sub-distribute-traffic-by-ip)

Full Context

configure isa application-assurance-group aa-sub-distribute-traffic-by-ip

Description

This command allows the application assurance (AA) to divert traffic on the parent SAP or spoke-SDP to multiple ISAs/ESAs based on the source IP address. This is useful when the bandwidth of a single SAP is larger than the capacity of a single ISA or ESA. This is only supported for auto-created transit IP subscribers.

The traffic is diverted when hashing is enabled at the AA group level and in the parent SAP application profile.

The no form of this command does not allow AA to divert traffic on the parent SAP or spoke-SDP to different ESAs in the AA group based on the source IP address.

Default

shutdown

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s

Context

[Tree] (config>app-assure>group>transit-prefix-policy>entry>match aa-sub-ip)

Full Context

configure application-assurance group transit-prefix-policy entry match aa-sub-ip

Description

This command configures a transit prefix subscriber ip address prefix. It is used when the site is on the local side, being the same side of the system as the parent SAP. The local aa-sub-ip addresses represent the src-IP in the from-SAP direction and dest-IP in the to-SAP direction.

The no form of this command deletes the aa-sub-ip address assigned from the entry configuration.

Default

no aa-sub-ip

Parameters

ip-address[/mask]

Specifies the address type of the subscriber address prefix associated with this transit prefix policy entry.

Values

ip-address[/mask] :	ipv4-address - a.b.c.d[/mask]
	mask - [1..32]
	ipv6-address - x:x:x:x:x:x:x:x/prefix-length
	x:x:x:x:x:x:d.d.d.d
	x - [0..FFFF]H
	d - [0..255]D
	prefix-length [1..128]

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>app-assure>group aa-sub-remote)

Full Context

configure application-assurance group aa-sub-remote

Description

This command specifies whether or not the from subscriber and to subscriber traffic direction is reversed for this group-partition.

Default

no aa-sub-remote

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>app-assure>group>statistics aa-sub-study)

Full Context

configure application-assurance group statistics aa-sub-study

Description

Commands in this context configure accounting and statistics collection parameters per application assurance special study subscribers.

Parameters

study-type

Specifies special study protocol subscriber stats.

Values

application, protocol

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>app-assure>group>policy>app-profile aa-sub-suppressible)

Full Context

configure application-assurance group policy app-profile aa-sub-suppressible

Description

This command configures an app-profile as "aa-sub-suppressible”, this function is used in the context of an SRRP group interface. If an SRRP group interface is configured as "suppress-aa-sub” then subscribers with an app-profile configured as "aa-sub-suppressible” will not be diverted to Application Assurance.

The no form of this command restores the default behavior.

Default

no aa-sub-suppressible

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>app-assure>group>policy>aqp>entry>match aa-sub-tethering-state)

Full Context

configure application-assurance group policy app-qos-policy entry match aa-sub-tethering-state

Description

This command specifies the tethering state of the subscriber where the AQP match entry will be applied.

The tethering state match condition is meaningful when configured in non-default subscriber policy AQP. Default subscriber policy consists of those AQPs that include match criteria based on the subscriber’s configuration. Tethering state match condition is also applicable in those AQPs that include matching criteria that are derived from actual subscriber’s traffic.

The no form of this command removes detection of sub-tethering state from the configuration.

Default

no aa-sub-tethering-state

Parameters

detected

Specifies that the subscriber is in the tethering state.

not-detected

Specifies that the subscriber is not in the tethering state.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>service>ies>sub-if>grp-if>wlan-gw>ranges>range>dsm aa-url-parameter)

[Tree] (config>service>vprn>sub-if>grp-if>wlan-gw>ranges>range>dsm aa-url-parameter)

[Tree] (config>subscr-mgmt>http-rdr-plcy aa-url-parameter)

Full Context

configure service ies subscriber-interface group-interface wlan-gw vlan-tag-ranges range distributed-sub-mgmt aa-url-parameter

configure service vprn subscriber-interface group-interface wlan-gw vlan-tag-ranges range distributed-sub-mgmt aa-url-parameter

configure subscriber-mgmt http-redirect-policy aa-url-parameter

Description

This command configures the AA URL parameter that is used for HTTP portal redirect.

Parameters

url-param-string

Specifies an AA URL parameter, up to 247 characters.

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config aaa)

Full Context

configure aaa

Description

Commands in this context configure authentication, authorization, and accounting.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>service>vprn aaa)

Full Context

configure service vprn aaa

Description

Commands in this context configure AAA on the VPRN.

Platforms

All

Context

[Tree] (config>service>epipe>spoke-sdp aarp)

[Tree] (config>service>epipe>sap aarp)

Full Context

configure service epipe spoke-sdp aarp

configure service epipe sap aarp

Description

This command associates an AARP instance with a multi-homed SAP or spoke SDP. This instance uses the same AARP ID in the same node to provide traffic flow and packet asymmetry removal for a multi-homed SAP or spoke SDP.

The type specifies the role of this service point in the AARP: either, primary (dual-homed) or secondary (dual-homed-secondary). The AA service attributes (app-profile and transit-policy) of the primary are inherited by the secondary endpoints. All endpoints within an AARP must be of the same type (SAP or spoke), and all endpoints with an AARP must be within the same service.

The no form of this command removes the association between an AARP instance and a multi-homed SAP or spoke SDP.

Default

no aarp

Parameters

aarpid

Specifies the AARP instance associated with this SAP. If not configured, no AARP instance is associated with this SAP.

Values

1 to 65535

type

Specifies the role of the SAP referenced by the AARP instance.

Values

dual-homed — The primary dual-homed AA subscriber side service-point of an AARP instance; only supported for Epipe, IES, and VPRN SAP and spoke SDP.

dual-homed-secondary — One of the secondary dual-homed AA subscriber side service-points of an AARP instance; only supported for Epipe, IES, and VPRN SAP and spoke SDP.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>service>ipipe>spoke-sdp aarp)

Full Context

configure service ipipe spoke-sdp aarp

Description

This command associates an AARP instance to an Ipipe spoke SDP. This instance is paired with the same aarp-id in a peer node as part of a configuration to provide flow and packet asymmetry removal for traffic for a multi-homed SAP or spoke SDP. The type parameter specifies the role of this service point in the AARP instance.

The no form of this command removes the association.

Default

no aarp

Parameters

aarp-id

An integer that identifies an AARP instance.

Values

1 to 65535

subscriber-side-shunt

Specifies that the AARP type is an inter-chassis shunt service for subscriber-side traffic.

network-side-shunt

Specifies that the AARP type is an inter-chassis shunt service for network-side traffic.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>service>ies>aarp-interface>spoke-sdp aarp)

Full Context

configure service ies aarp-interface spoke-sdp aarp

Description

This command associates an AARP instance to an AARP interface spoke SDP. This instance is paired with the same aarp-id in a peer node as part of a configuration to provide flow and packet asymmetry removal for traffic for a multi-homed SAP or spoke SDP. The type parameter specifies the role of this service point in the AARP instance.

The no form of this command removes the association.

Default

no aarp

Parameters

aarp-id

Specifies an integer that identifies an AARP instance.

Values

1 to 65535

subscriber-side-shunt

Specifies that the AARP type is an inter-chassis shunt service for subscriber-side traffic.

network-side-shunt

Specifies that the AARP type is an inter-chassis shunt service for network-side traffic.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>service>ies>if>sap aarp)

[Tree] (config>service>ies>if>spoke-sdp aarp)

Full Context

configure service ies interface sap aarp

configure service ies interface spoke-sdp aarp

Description

This command associates an AARP instance with a multi-homed SAP or spoke SDP. This instance uses the same AARP ID in the same node or in a peer node (pre-configured) to provide traffic flow and packet asymmetry removal for a multi-homed SAP or spoke SDP.

The type specifies the role of this service point in the AARP: either, primary (dual-homed) or secondary (dual-homed-secondary). The AA service attributes (app-profile and transit-policy) of the primary are inherited by the secondary endpoints. All endpoints within an AARP must be of the same type (SAP or spoke), and all endpoints with an AARP must be within the same service.

The no form of this command removes the association between an AARP instance and a multi-homed SAP or spoke SDP.

Default

no aarp

Parameters

aarpId

Specifies the AARP instance associated with this SAP. If not configured, no AARP instance is associated with this SAP.

Values

1 to 65535

type

Specifies the role of the SAP referenced by the AARP instance.

Values

dual-homed — The primary dual-homed AA subscriber side service-point of an AARP instance; only supported for Epipe, IES, and VPRN SAP and spoke SDP.

dual-homed-secondary — One of the secondary dual-homed AA subscriber side service-points of an AARP instance; only supported for Epipe, IES, and VPRN SAP and spoke SDP.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>service>vprn>aarp-interface>spoke-sdp aarp)

Full Context

configure service vprn aarp-interface spoke-sdp aarp

Description

This command associates an AARP instance to an AARP interface spoke SDP. This instance is paired with the same aarp-id in a peer node as part of a configuration to provide flow and packet asymmetry removal for traffic for a multi-homed SAP or spoke SDP. The type parameter specifies the role of this service point in the AARP instance.

The no form of this command removes the association.

Default

no aarp

Parameters

aarp-id

An integer that identifies an AARP instance.

Values

1 to 65535

subscriber-side-shunt

Specifies that the AARP type is an inter-chassis shunt service for subscriber-side traffic.

network-side-shunt

Specifies that the AARP type is an inter-chassis shunt service for network-side traffic.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>service>vprn>if>sap aarp)

[Tree] (config>service>vprn>if>spoke-sdp aarp)

Full Context

configure service vprn interface sap aarp

configure service vprn interface spoke-sdp aarp

Description

This command associates an AARP instance with a multi-homed SAP or spoke SDP. This instance uses the same AARP ID in the same node or in a peer node (pre-configured) to provide traffic flow and packet asymmetry removal for a multi-homed SAP or spoke SDP.

The type specifies the role of this service point in the AARP: either, primary (dual-homed) or secondary (dual-homed-secondary). The AA service attributes (app-profile and transit-policy) of the primary are inherited by the secondary endpoints. All endpoints within an AARP must be of the same type (SAP or spoke), and all endpoints with an AARP must be within the same service.

The no form of this command removes the association between an AARP instance and a multi-homed SAP or spoke SDP.

Default

no aarp

Parameters

aarpId

Specifies the AARP instance associated with this SAP. If not configured, no AARP instance is associated with this SAP.

Values

1 to 65535

type

Specifies the role of the SAP referenced by the AARP instance.

Values

dual-homed — The primary dual-homed AA subscriber side service-point of an AARP instance; only supported for Epipe, IES, and VPRN SAP and spoke SDP.

dual-homed-secondary — One of the secondary dual-homed AA subscriber side service-points of an AARP instance; only supported for Epipe, IES, and VPRN SAP and spoke SDP.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>application-assurance aarp)

Full Context

configure application-assurance aarp

Description

This command defines an Application Assurance Redundancy Protocol (AARP) instance. This instance is paired with the same aarpId in a peer node as part of a configuration to provide flow and packet asymmetry removal for traffic for a multi-homed SAP or spoke SDP.

The no form of this command removes the instance from the configuration.

Parameters

aarpid

An integer that identifies an AARP instance.

Values

1 to 65535

create

Keyword used to create the AARP instance.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>service>ies aarp-interface)

Full Context

configure service ies aarp-interface

Description

This command creates an AARP interface for connecting a service to a peer node AARP service. This instance is paired with the same AARP interface in a peer node as part of a configuration to provide flow and packet asymmetry removal for traffic for a multi-homed SAP or spoke SDP.

The no form of this command deletes the interface.

Default

no aarp-interface

Parameters

aarp-interface-name

Specifies a string of up to 32 characters identifying the interface.

create

Keyword used to create the AARP interface.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>service>vprn aarp-interface)

Full Context

configure service vprn aarp-interface

Description

This command creates an AARP interface for connecting a service to a peer node AARP service. This instance is paired with the same AARP interface in a peer node as part of a configuration to provide flow and packet asymmetry removal for traffic for a multi-homed SAP or spoke SDP.

The no form of this command deletes the interface.

Default

no aarp-interface

Parameters

aarp-interface-name

Specifies the AARP interface name.

create

Keyword used to create the AARP interface.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>app-assure>group>policy>aqp>entry>action abandon-tcp-optimization)

Full Context

configure application-assurance group policy app-qos-policy entry action abandon-tcp-optimization

Description

This command causes TCPO to stop for flows matching this AQP entry. The flows are counted as TCPO abandoned by policy flows.

The no form of this command removes abandon TCPO from actions on flows matching this AQP entry.

Default

no abandon-tcp-optimization

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>app-assure>group>policy abort)

Full Context

configure application-assurance group policy abort

Description

This command ends the current editing session and aborts any changes entered during this policy editing session.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>router>bfd abort)

Full Context

configure router bfd abort

Description

This command discards the changes made to a BFD template during an active session.

Platforms

All

Context

[Tree] (config>router>route-next-hop-policy abort)

Full Context

configure router route-next-hop-policy abort

Description

This command discards the changes made to route next-hop templates during an active session.

Platforms

All

Context

[Tree] (config>system>sync-if-timing abort)

Full Context

configure system sync-if-timing abort

Description

This command is required to discard changes that have been made to the synchronous interface timing configuration during a session.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

Context

[Tree] (config>router>policy-options abort)

Full Context

configure router policy-options abort

Description

This command is required to discard changes made to a route policy.

Platforms

All

Context

[Tree] (config>qos>adv-config-policy>child-control>bandwidth-distribution above-offered-allowance)

Full Context

configure qos adv-config-policy child-control bandwidth-distribution above-offered-allowance

Description

Commands in this context edit the parameters that control the child's above-offered-allowance bandwidth. These parameters are only applicable when the port scheduler is configured to use the above-offered-allowance-control algorithm, otherwise they are ignored.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

Context

[Tree] (config>qos>adv-config-policy>child-control>bandwidth-distribution above-offered-cap)

Full Context

configure qos adv-config-policy child-control bandwidth-distribution above-offered-cap

Description

This command is used to limit the operationally configured shaping or policing rate on the child associated with the policy. After the parent virtual scheduler or policer control policy determines the appropriate rate for a specific child, a separate operation decides the actual PIR that should be configured for that child. When the parent determines that the distributed rate is equal to or less than the child’s offered rate, the configured operational PIR will be equal to that determined rate. But when the parent determines that the child’s offered rate is less than the available bandwidth the child could consume, the operational PIR may be set to a value larger than the distributed bandwidth. This extra rate is not currently used by the child because the offered rate is less. The system provides this extra bandwidth in case the child’s offered rate increases before the next sampling interval is complete, to mitigate the periodic nature of the child’s operational PIR adjustments. The increase in the offered rate is not subtracted from the parent’s remaining distribution bandwidth for lower priority children, only the determined rate is considered consumed by the parent virtual scheduler or policer control policy instance. The actual operationally configured PIR will never be greater than the child’s administratively defined PIR.

This 'fair share’ PIR configuration behavior may result in the sum of the children’s PIRs exceeding the aggregate rate of the parent. If this behavior violates the downstream QoS requirements, the above-offered-cap command may be used to minimize or eliminate the increase in the child’s configured PIR.

If the above-offered-cap command is used with a percent-based value, the increase is a function of the configured PIR value on the policer or queue. In this case, care should be taken that the child is either configured with an explicit PIR rate (other than max) or the child’s administrative PIR is defined using the percent-rate command with the local parameter enabled if an explicit value is not needed. When a maximum PIR is in use on the child, the system attempts to interpret the maximum child forwarding rate. This rate could be very large if the child is associated with multiple ingress or egress ports.

If the child’s administrative PIR is modified while a percent based above-offered-cap is in effect, the system automatically uses the new relative limit value the next time the child’s operational PIR is distributed.

When this command is not specified or removed, the child’s operational 'fair share’ operational PIR may be configured up to the child’s administrative PIR, based on the actual parental bandwidth available at the child’s priority level.

The no form of this command is used to remove a fair share operational PIR rate increase limit from all child policers and queues associated with the policy.

Parameters

percent-of-admin-pir

When the percent qualifier is used, the following percent-of-admin-pir parameter specifies the percentage of the child’s administrative PIR that is used as the fair share increase limit. The new operational PIR result is capped by the child’s PIR. If a value of 0 or 0.00 is used, the system will disable the fair share increase function and only configure the actual distribution rate. If a value of 100 or 100.00 is used, the system will interpret this equivalent to executing the no above-offered-cap command and return the fair-share operation to the default behavior.

Values

0.00 to 100.00

rate-in-kilobits-per-second

When the rate qualifier is used, the rate-in-kilobits-per-second parameter specifies an explicit rate, in kb/s, that are used as the limit to the child’s fair share increase to the operational PIR. The new operational PIR result is capped by the child’s PIR. If a value of 0 is used, the system will disable the fair share increase function and only configure the actual distribution rate.

Values

0 to 100,000,000

Platforms

All

Context

[Tree] (config>test-oam>link-meas>template>sw>thr absolute)

[Tree] (config>test-oam>link-meas>template>asw>thr absolute)

Full Context

configure test-oam link-measurement measurement-template sample-window threshold absolute

configure test-oam link-measurement measurement-template aggregate-sample-window threshold absolute

Description

This command specifies the delta, in microseconds, that a new delay measurement must differ from the previously reported measurement to be reported directly to the routing engine.

The no form of this command reverts to the default value.

Default

absolute 0

Parameters

microseconds

Specifies the difference, in microseconds.

A value of 0 (zero) indicates that the absolute threshold is not used for reporting.

Values

0 to 100000

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

Context

[Tree] (config>service>system>bgp-evpn>eth-seg ac-df-capability)

Full Context

configure service system bgp-evpn ethernet-segment ac-df-capability

Description

This command configures the inclusion or exclusion of the Attachment Circuit-influenced (AC-Influenced) designated forwarder (DF) election capability (AC-DF) capability into the DF Election for the Ethernet Segment.

The SR OS supports the AC-DF capability, in accordance with RFC 8584. The include option is the default command setting. The AC-DF capability is enabled by default to support the EVPN auto-discovery per EVI/ES (AD per EVI/ES) routes for a specific PE, which ensures that the PE is included in the candidate DF election list.

Configuring the exclude option disables the AC-DF capability. When ac-df-capability exclude is configured on a specific Ethernet Segment (ES), the presence or absence of the AD per EVI/ES routes from the ES peers do not modify the candidate DF Election list for the ES. The exclude option is recommended in ESs that use an oper-group monitored by the access LAG to signal standby lacp or power-off.

All PE routers attached to the same ES must be configured consistently for the AC-DF capability.

Default

ac-df-capability include

Parameters

include

Specifies that AC-DF capability is enabled.

exclude

Specifies that AC-DF capability is disabled.

Platforms

All

Context

[Tree] (config>subscr-mgmt>auth-policy accept-authorization-change)

Full Context

configure subscriber-mgmt authentication-policy accept-authorization-change

Description

This command specifies whether or not the system should handle the CoA messages initiated by the RADIUS server, and provide for mid-session interval changes of policies applicable to subscriber hosts.

The no form of this command reverts to the default.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>service>vprn>radius-server>server accept-coa)

[Tree] (config>router>radius-server>server accept-coa)

Full Context

configure service vprn radius-server server accept-coa

configure router radius-server server accept-coa

Description

This command configures this server for Change of Authorization messages. The system will process the CoA request from the external server if configured with this command; otherwise the CoA request is dropped.

The no form of this command disables the command.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>service>vprn>bgp>group>link-bandwidth accept-from-ebgp)

[Tree] (config>service>vprn>bgp>group>neighbor>link-bandwidth accept-from-ebgp)

Full Context

configure service vprn bgp group link-bandwidth accept-from-ebgp

configure service vprn bgp group neighbor link-bandwidth accept-from-ebgp

Description

This command configures BGP to accept and use the link-bandwidth extended community attached to any route received from any EBGP peer in the scope of the command, as long as that route belongs to one of the listed address families.

The link-bandwidth extended community is encoded as a non-transitive type. This means that by default it should not be attached to any route advertised to an EBGP peer and it should be discarded when received in any route from an EBGP peer. This command overrides the standard behavior.

Up to three families may be configured.

The no form of this command restores the default behavior of discarding the link-bandwidth extended community in any route received from an EBGP peer.

Default

no accept-from-ebgp

Parameters

family

Specifies the address families for which receiving the link-bandwidth extended community from EBGP peers should be supported.

Values

ipv4 — Adds a link-bandwidth extended community to unlabeled unicast IPv4 routes.

label-ipv4 — Adds a link-bandwidth extended community to labeled-unicast IPv4 routes.

ipv6 — Adds a link-bandwidth extended community to unlabeled unicast IPv6 routes.

Platforms

All

Context

[Tree] (config>router>bgp>group>link-bandwidth accept-from-ebgp)

[Tree] (config>router>bgp>group>neighbor>link-bandwidth accept-from-ebgp)

Full Context

configure router bgp group link-bandwidth accept-from-ebgp

configure router bgp group neighbor link-bandwidth accept-from-ebgp

Description

This command configures BGP to accept and use the link-bandwidth extended community attached to any route received from any EBGP peer in the scope of the command, as long as that route belongs to one of the listed address families.

The link-bandwidth extended community is encoded as a non-transitive type. This means that by default it should not be attached to any route advertised to an EBGP peer and it should be discarded when received in any route from an EBGP peer. This command overrides the standard behavior.

Up to six families may be configured.

The no form of this command restores the default behavior of discarding the link-bandwidth extended community in any route received from an EBGP peer.

Default

no accept-from-ebgp

Parameters

family

Specifies the address families for which receiving the link-bandwidth extended community from EBGP peers should be supported.

Values

ipv4 — Adds a link-bandwidth extended community to unlabeled unicast IPv4 routes.

label-ipv4 — Adds a link-bandwidth extended community to labeled-unicast IPv4 routes.

vpn-ipv4 — Adds a link-bandwidth extended community to IPv4 VPN (SAFI 128) routes.

ipv6 — Adds a link-bandwidth extended community to unlabeled unicast IPv6 routes.

label-ipv6 — Adds a link-bandwidth extended community to labeled-unicast IPv6 routes.

vpn-ipv6 — Adds a link-bandwidth extended community to IPv6 VPN (SAFI 128) routes.

Platforms

All

Context

[Tree] (config>service>vprn>sub-if>grp-if>data-trigger accept-ipv6-link-local-address)

[Tree] (config>service>ies>sub-if>grp-if>data-trigger accept-ipv6-link-local-address)

Full Context

configure service vprn subscriber-interface group-interface data-trigger accept-ipv6-link-local-address

configure service ies subscriber-interface group-interface data-trigger accept-ipv6-link-local-address

Description

This command configures the system to authenticate the subscriber based on an IPv6 packet with a source IP Link Local Address (LLA). The trigger only occurs if the anti-spoof is type nh-mac. If the anti-spoof is not nh-mac, the packet with an IPv6 LLA is ignored.

The no form of this command removes the configuration.

Default

no accept-ipv6-link-local-address

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>service>vpls>bgp-evpn accept-ivpls-evpn-flush)

Full Context

configure service vpls bgp-evpn accept-ivpls-evpn-flush

Description

This command enables the system to accept non-zero Ethernet tag MAC routes and process them only for C-MAC flushing. This command can be changed on the fly without shutting down BGP-EVPN MPLS.

The no version of the command prevents the router from processing B-MAC/ISID routes for cmac-flush.

Default

no accept-ivpls-evpn-flush

Platforms

All

Context

[Tree] (config>subscr-mgmt>ppp-policy>mlppp accept-mrru)

Full Context

configure subscriber-mgmt ppp-policy mlppp accept-mrru

Description

This command is applicable only to LAC. MRRU option is an indication that the session is of MLPPPoX type. The 7750 SR LAC never initiates the MRRU option in LCP negotiation process. However, it responds to MRRU negotiation request by the client.

This command provides an option to specifically enable or disable negotiation of MLPPPoX on a capture SAP level or on a group interface level.

The no form of this command causes the MRRU option in LCP to not be negotiated by LAC.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s

Context

[Tree] (config>router>bgp>group>neighbor>outbound-route-filtering>extended-community accept-orf)

[Tree] (config>router>bgp>group>outbound-route-filtering>extended-community accept-orf)

[Tree] (config>router>bgp>outbound-route-filtering>extended-community accept-orf)

Full Context

configure router bgp group neighbor outbound-route-filtering extended-community accept-orf

configure router bgp group outbound-route-filtering extended-community accept-orf

configure router bgp outbound-route-filtering extended-community accept-orf

Description

This command instructs the router to negotiate the receive capability in the BGP ORF negotiation with a peer, and accept filters that the peer wants to send.

The no form of this command causes the router to remove the accept capability in the BGP ORF negotiation with a peer, and to clear any existing ORF filters that are currently in place.

Default

no accept-orf

Platforms

All

Context

[Tree] (config>port>ethernet>efm-oam accept-remote-loopback)

Full Context

configure port ethernet efm-oam accept-remote-loopback

Description

This command enables reactions to loopback control OAM PDUs from peers.

The no form of this command disables reactions to loopback control OAM PDUs.

Default

no accept-remote-loopback

Platforms

All

Context

[Tree] (config>aaa>radius-srv-plcy accept-script-policy)

Full Context

configure aaa radius-server-policy accept-script-policy

Description

This command specifies the RADIUS script policy used to change the RADIUS attributes of the incoming Access-Accept messages.

Parameters

policy-name

Specifies the name of the Python script to modify Access-Accept messages, up to 32 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>subscr-mgmt>auth-policy accept-script-policy)

Full Context

configure subscriber-mgmt authentication-policy accept-script-policy

Description

This command specifies the RADIUS script policy used to change the RADIUS attributes of the incoming Access-Accept messages.

The no form of this command reverts to the default.

Parameters

policy-name

Specifies the name of the Python script to modify Access-Accept messages, up to 32 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>system>security>pki>ca-profile>cmpv2 accept-unprotected-errormsg)

Full Context

configure system security pki ca-profile cmpv2 accept-unprotected-errormsg

Description

This command enables the system to accept both protected and unprotected CMPv2 error message. Without this command, system will only accept protected error messages.

The no form of this command causes the system to only accept protected PKI confirmation message.

Default

no accept-unprotected-errormsg

Platforms

All

Context

[Tree] (config>system>security>pki>ca-profile>cmpv2 accept-unprotected-pkiconf)

Full Context

configure system security pki ca-profile cmpv2 accept-unprotected-pkiconf

Description

This command enables the system to accept both protected and unprotected CMPv2 PKI confirmation messages. Without this command, the system will only accept protected PKI confirmation message.

The no form of this command causes the system to only accept protected PKI confirmation message.

Default

no accept-unprotected-pkiconf

Platforms

All

Context

[Tree] (config>test-oam>sath acceptance-criteria-template)

Full Context

configure test-oam service-activation-testhead acceptance-criteria-template

Description

Commands in this context configure the test acceptance criteria policy that the service test testhead OAM tool uses to determine the test result after test completion.

The acceptance-criteria-template "default” value is attached to every service-stream created under the service-test context for which no explicit acceptance criteria template policy is configured by the user.

The default acceptance criteria template is not user-configurable.

The default template does not set any thresholds and only reports the end-of-run values. The following are the default template settings:

• no description

• no delay-var-threshold

• no delay-threshold

• no loss-threshold

• no loss-threshold-policing

• no cir-threshold

• no pir-threshold

• no m-factor

The no form of this command removes the test acceptance criteria.

Default

acceptance-criteria-template default

Parameters

accept-crit-tmpl-name

Specifies the name, up to 64 characters, of the test acceptance criteria. This name is also used when starting the throughput test.

create

Mandatory keyword to instantiate the template.

Platforms

7450 ESS, 7750 SR, 7750 SR-s, 7950 XRS

Context

[Tree] (config>test-oam>sath>svc-test>svc-stream acceptance-criteria-template)

Full Context

configure test-oam service-activation-testhead service-test service-stream acceptance-criteria-template

Description

This command creates a link to an acceptance criteria template policy configured by the user for the specified service stream.

Assign the default acceptance-criteria-template "default” to remove the existing template in a service stream.

Default

acceptance-criteria-template default

Parameters

accept-crit-tmpl-name

Specifies the name, up to 64 characters, of a preconfigured acceptance criteria.

Platforms

7450 ESS, 7750 SR, 7750 SR-s, 7950 XRS

Context

[Tree] (config>subscr-mgmt>steering-profile access)

Full Context

configure subscriber-mgmt steering-profile access

Description

This command specifies a routing instance to be used as a network VAS router in the steering profile.

The no form of this command removes the router instance.

Parameters

router-instance

Specifies the router instance to be used as an access VAS router.

Values

router-instance:	router-name | vprn-svc-id
router-name:	"Base”
vprn-svc-id:	1 to 2147483647

service-name

Specifies the service name, up to 64 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>port>ethernet access)

Full Context

configure port ethernet access

Description

This command configures Ethernet access port parameters.

Platforms

All

Context

[Tree] (config>service>vprn>sub-if>grp-if>wlan-gw>ranges>range>vrgw>lanext access)

[Tree] (config>service>ies>sub-if>grp-if>wlan-gw>ranges>range>vrgw>lanext access)

Full Context

configure service vprn subscriber-interface group-interface wlan-gw vlan-tag-ranges range vrgw lanext access

configure service ies subscriber-interface group-interface wlan-gw vlan-tag-ranges range vrgw lanext access

Description

Commands in this context configure the access side of HLE for the VLAN range.

The no form of this command disables the vRGW parameters enabled in this context.

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>port access)

[Tree] (config>card>mda access)

Full Context

configure port access

configure card mda access

Description

This command enables the access context to configure egress and ingress pool policy parameters.

On the MDA level, access egress and ingress pools are only allocated on channelized MDAs.

Platforms

All

Context

[Tree] (config>card>fp>ingress access)

Full Context

configure card fp ingress access

Description

This CLI node contains the access forwarding-plane parameters.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, 7950 XRS, VSR

Context

[Tree] (config>lag access)

Full Context

configure lag access

Description

Commands in this context configure access parameters.

Platforms

All

Context

[Tree] (config>eth-tunnel>lag-emulation access)

Full Context

configure eth-tunnel lag-emulation access

Description

Commands in this context configure eth-tunnel load sharing access parameters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

Context

[Tree] (config>service>vprn>snmp access)

Full Context

configure service vprn snmp access

Description

This command enables SNMP access using VPRN interface addresses. This command allows SNMP messages destined to the VPRN interface IP addresses for this VPRN (including VPRN interfaces that are bound to R-VPLS services) to be processed by the SNMP agent on the router. SNMP messages that arrive on VPRN interfaces but are destined to IP addresses in the Base routing context that can be accessed in the VPRN (for example, the router system address via grt leaking) do not require snmp access to be enabled but do require allow-local-management to be enabled.

Using an SNMP community defined inside the VPRN context (configure service vprn snmp community) allows access to a subset of the full SNMP data model. This subset can be seen in the output of show system security view "vprn-view".

Using an SNMP community defined in the system context (configure system security snmp community) allows access to the full SNMP data model (unless otherwise restricted used SNMP views).

Alternatively, grt leaking and a Base routing IP address can be used (along with an SNMP community defined at the system context) to get access to the entire SNMP data model (see the allow-local-management command).

The Nokia NSP cannot discover or fully manage an SR OS router using an SNMP community defined inside the VPRN context. Full SNMP access requires using one of the approaches described above.

Refer to the 7450 ESS, 7750 SR, 7950 XRS, and VSR System Management Guide for detailed information about SNMP.

Platforms

All

Context

[Tree] (config>system>security>user access)

[Tree] (config>system>security>user-template access)

Full Context

configure system security user access

configure system security user-template access

Description

This command configures user permissions for router management access methods.

To deny an existing access method, enter the no form of this command followed by the method to be denied; for example, no access ftp denies FTP access.

The no form of this command removes the user permission for all management access methods.

Default

no access

Parameters

ftp

Specifies FTP access.

snmp

Specifies SNMP access. This keyword is only configurable in the configure system security user context.

console

Specifies Bluetooth, console port CLI, SCP/SFTP, SSH CLI, and Telnet CLI access.

li

Specifies Lawful Intercept (LI) command access.

netconf

Specifies NETCONF access.

grpc

Specifies gRPC access.

scp-sftp

Specifies SCP/SFTP access.

console-port-cli

Specifies console port CLI access.

ssh-cli

Specifies SSH CLI access.

telnet-cli

Specifies Telnet CLI access.

bluetooth

Specifies Bluetooth access.

Platforms

All

Context

[Tree] (config>system>security>snmp access)

Full Context

configure system security snmp access

Description

This command creates an association between a user group, a security model, and the views that the user group can access. Access parameters must be configured unless security is limited to the preconfigured access groups and views for SNMPv1 and SNMPv2. An access group is defined by a unique combination of the group name, security model and security level.

Access groups are used by the usm-community command.

Access must be configured unless security is limited to SNMPv1/SNMPv2c with community strings. See the community command.

Default access group configurations cannot be modified or deleted.

To remove the user group with associated, security model(s), and security level(s), use:

no access group group-name

To remove a security model and security level combination from a group, use:

no access group group-name security-model {snmpv1 | snmpv2c | usm} security-level {no-auth-no-privacy | auth-no-privacy | privacy}

Parameters

group-name

Specify a unique group name up to 32 characters.

security-model {snmpv1 | snmpv2c | usm}

Specifies the security model required to access the views configured in this node. A group can have multiple security models. For example, one view may only require SNMPv1/ SNMPv2c access while another view may require USM (SNMPv3) access rights.

security-level {no-auth-no-priv | auth-no-priv | privacy}

Specifies the required authentication and privacy levels to access the views configured in this node.

security-level no-auth-no-privacy

Specifies that no authentication and no privacy (encryption) is required. When configuring the user’s authentication, select the none option.

security-level auth-no-privacy

Specifies that authentication is required but privacy (encryption) is not required. When this option is configured, both the group and the user must be configured for authentication.

security-level privacy

Specifies that both authentication and privacy (encryption) is required. When this option is configured, both the group and the user must be configured for authentication. The user must also be configured for privacy.

context-name

Specifies a set of SNMP objects that are associated with the context-name.

The context-name is treated as either a full context-name string or a context name prefix depending on the keyword specified (exact or prefix).

prefix-match

Specifies the context name prefix-match keywords, exact or prefix. This parameter applies only to the 7750 SR.

The VPRN context names begin with a vprn prefix. The numerical value is associated with the service ID that the VPRN was created with and identifies the service in the service domain. For example, when a new VPRN service is created such as config>service>vprn 2345 customer 1, a VPRN with context name vprn2345 is created.

The exact keyword specifies that an exact match between the context name and the prefix value is required. For example, when context vprn2345 exact is entered, matches for only vprn2345 are considered.

The prefix keyword specifies that only a match between the prefix and the starting portion of context name is required. If only the prefix keyword is specified, simple wildcard processing is used. For example, when context vprn prefix is entered, all vprn contexts are matched.

Default

exact

view-name-1

Specifies the SNMP view used to control which MIB objects can be accessed using a read (get) operation.

view-name-2

Specifies the SNMP view used to control which MIB objects can be accessed using a write (set) operation.

view-name-3

Specifies the SNMP view used to control which MIB objects can be accessed for notifications.

Values

none

Platforms

All

Context

[Tree] (config>aaa>l2tp-acct-plcy>radius-acct-server access-algorithm)

Full Context

configure aaa l2tp-accounting-policy radius-accounting-server access-algorithm

Description

This command configures the algorithm used to access the list of configured RADIUS servers.

The no form of this command reverts to the default.

Default

access-algorithm direct

Parameters

direct

Specifies that the first server is used as primary server for all requests, the second as secondary and so on.

round-robin

Specifies that the first server is used as primary server for the first request, the second server as primary for the second request, and so on. If the router gets to the end of the list, it starts again with the first server.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>app-assure>rad-acct-plcy>server access-algorithm)

Full Context

configure application-assurance radius-accounting-policy radius-accounting-server access-algorithm

Description

This command configures the algorithm used to access the list of configured RADIUS servers.

Default

access-algorithm direct

Parameters

direct

Specifies that the first server is used as primary server for all requests, the second as secondary and so on.

round-robin

Specifies that the first server is used as primary server for the first request, the second server as primary for the second request, and so on. If the router gets to the end of the list, it starts again with the first server.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>subscr-mgmt>acct-plcy>server access-algorithm)

[Tree] (config>subscr-mgmt>auth-plcy>radius-auth-server access-algorithm)

Full Context

configure subscriber-mgmt radius-accounting-policy radius-accounting-server access-algorithm

configure subscriber-mgmt authentication-policy radius-authentication-server access-algorithm

Description

This command configures the algorithm used to access the list of configured RADIUS servers.

The no form of this command reverts to the default.

Parameters

direct

Specifies that the first server is used as primary server for all requests, the second as secondary and so on.

round-robin

Specifies that the first server is used as primary server for the first request, the second server as primary for the second request, and so on. If the router gets to the end of the list, it starts again with the first server.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>aaa>radius-srv-plcy>servers access-algorithm)

Full Context

configure aaa radius-server-policy servers access-algorithm

Description

This command configures the algorithm used to select a RADIUS server from the pool of configured RADIUS servers.

Default

access-algorithm direct

Parameters

direct

Specifies that the first server is used as primary server for all requests, the second as secondary and so on.

round-robin

Specifies that the first server is used as primary server for the first request, the second server as primary for the second request, and so on. If the router gets to the end of the list, it starts again with the first server.

hash-based

Select a RADIUS server based on the calculated hash result of the configured load-balance-key under the radius-proxy server hierarchy. This parameter is only applicable for radius-proxy server scenarios and results in an unpredictable RADIUS server selection if used in other scenarios.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>system>security>radius access-algorithm)

[Tree] (config>service>vprn>aaa>rmt-srv>radius access-algorithm)

Full Context

configure system security radius access-algorithm

configure service vprn aaa remote-servers radius access-algorithm

Description

This command indicates the algorithm used to access the set of RADIUS servers.

Default

access-algorithm direct

Parameters

direct

Specifies that the first server is used as primary server for all requests, the second as secondary and so on.

round-robin

Specifies that the first server is used as primary server for the first request, the second server as primary for the second request, and so on. If the router gets to the end of the list, it starts again with the first server.

Platforms

All

Context

[Tree] (config>aaa>isa-radius-plcy>servers access-algorithm)

Full Context

configure aaa isa-radius-policy servers access-algorithm

Description

This command defines the algorithm used to access the list of available RADIUS servers. A RADIUS server is considered available initially and marked as unavailable if no response packets are received in a period equal to the configured packet timeout multiplied by the retry count after sending a request. A server is always marked as available when any valid RADIUS packet is received from that server. Some access algorithms periodically probe unavailable servers by sending a single request. If the server responds to the request, it is immediately marked as available.

Default

access-algorithm direct

Parameters

direct

Specifies that the first server is used as primary server for all requests, the second as secondary and so on.

round-robin

Specifies that the first server is used as primary server for the first request, the second server as primary for the second request, and so on. If the router gets to the end of the list, it starts again with the first server.

hashed-based

Specifies that the selection is based on the hash-based procedures.

direct-priority

Specifies that the first server is used for all requests. If that server is not available, the second server is used, and so on. This method periodically probes and falls back to higher-priority servers.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>subscr-mgmt>loc-user-db>ppp>host access-loop-encapsulation)

Full Context

configure subscriber-mgmt local-user-db ppp host access-loop-encapsulation

Description

Commands in this context configure access loop information.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s

Context

[Tree] (config>subscr-mgmt>loc-user-db>ppp>host access-loop-information)

Full Context

configure subscriber-mgmt local-user-db ppp host access-loop-information

Description

Commands in this context configure access loop information in the local user database.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>subscr-mgmt>auth-plcy>include-radius-attribute access-loop-options)

[Tree] (config>subscr-mgmt>acct-plcy>include-radius-attribute access-loop-options)

Full Context

configure subscriber-mgmt authentication-policy include-radius-attribute access-loop-options

configure subscriber-mgmt radius-accounting-policy include-radius-attribute access-loop-options

Description

This command enables inclusion of access loop information: Broadband Forum (BBF) access loop characteristics, DSL line state and DSL type. The BBF access loop characteristics are returned as BBF specific RADIUS attributes where DSL line state and DSL type are returned as Nokia-specific RADIUS VSAs.

Information obtained via the ANCP protocol has precedence over information received in PPPoE Vendor Specific BBF tags or DHCP Vendor Specific BBF Options.

If ANCP is utilized and interim accounting update is enabled, any Port Up event from GSMP will initiate in an interim update. Port Up messages can include information such as an update on the current subscriber actual-upstream-speed. The next interim accounting message is from port up triggering point.

The no form of this command reverts to the default.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>app-assure>group access-network-location)

Full Context

configure application-assurance group access-network-location

Description

Commands in this context configure parameters related to dynamic experience management, also known as Access Network Location (ANL).

These parameters include location source type congestion point and congestion detection parameters (such as roundtrip delay thresholds), if applicable.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>service>vprn>aaa>rmt-srv>tacplus>req access-operation-cmd)

[Tree] (config>system>security>tacplus>request-format access-operation-cmd)

Full Context

configure service vprn aaa remote-servers tacplus request-format access-operation-cmd

configure system security tacplus request-format access-operation-cmd

Description

This command sends an operation argument in authorization requests.

In model-driven interfaces, this command configures the system to send the operation in the cmd argument, and the path in the cmd-args argument, in TACACS+ authorization requests. This command does not apply to authorization requests in classic interfaces.

The no form of this command removes the operation from the configuration.

Default

no access-operation-cmd

Parameters

access-operation

Specifies that an operation in the authorization request is sent.

Values

delete — Keyword that sends the operation "cmd=delete" and "cmd-args=path".

Platforms

All

Context

[Tree] (config>service>dynsvc>ladb>user>idx accounting)

Full Context

configure service dynamic-services local-auth-db user-name index accounting

Description

This command creates a context for one of the two accounting destinations specified in the dynamic services policy. In this context, overrides of RADIUS accounting parameters can be specified.

The no form of this command removes the RADIUS accounting overrides context from the configuration.

Parameters

{1 | 2}

Indicates one of the two RADIUS accounting destinations.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>system>security>radius accounting)

[Tree] (config>service>vprn>aaa>rmt-srv>radius accounting)

Full Context

configure system security radius accounting

configure service vprn aaa remote-servers radius accounting

Description

This command enables RADIUS accounting.

The no form of this command disables RADIUS accounting.

Default

no accounting

Platforms

All

Context

[Tree] (config>system>security>tacplus accounting)

[Tree] (config>service>vprn>aaa>rmt-srv>tacplus accounting)

Full Context

configure system security tacplus accounting

configure service vprn aaa remote-servers tacplus accounting

Description

This command configures the type of accounting record packet that is to be sent to the TACACS+ server. The record-type parameter indicates whether TACACS+ accounting start and stop packets be sent or just stop packets be sent.

Default

no accounting

Parameters

record-type start-stop

Specifies that a TACACS+ start packet is sent whenever the user executes a command and a TACACS+ stop packet when command execution is complete.

record-type stop-only

Specifies that only a TACACS+ stop packet is sent whenever the command execution is complete.

Platforms

All

Context

[Tree] (config>aaa>isa-radius-plcy>servers>server accounting)

Full Context

configure aaa isa-radius-policy servers server accounting

Description

This command configures accounting for this server.

Parameters

udp-port

Specifies the UDP port number on which to contact the RADIUS server for authentication.

Values

1 to 65535

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>service>dynsvc>policy accounting-1)

Full Context

configure service dynamic-services dynamic-services-policy accounting-1

Description

Commands in this context configure the first RADIUS accounting destination and corresponding RADIUS accounting parameters for dynamic data services.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>service>dynsvc>policy accounting-2)

Full Context

configure service dynamic-services dynamic-services-policy accounting-2

Description

Commands in this context configure the second RADIUS accounting destination and corresponding RADIUS accounting parameters for dynamic data services.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>log>storage accounting-files-total-size)

Full Context

configure log file-storage-control accounting-files-total-size

Description

This command configures the limit for the total space that all accounting files can occupy on each storage device on the active CPM.

When this threshold is reached, new accounting files are no longer created in the \act-collect directory of the storage device until SR OS removes older accounting files from the \act directory and the occupancy is below the limit. Currently open, in-progress accounting files in the \act-collect directory are not affected by this limit and are completed.

When unconfigured, there is no specific limit for the total size of all accounting files.

Only accounting files in the \act directory with system generated names (including no file extension) are applicable toward the total size limit.

If a user manually adds or deletes accounting files from the \act directory, the size of the files is not taken into account for up to 1 hour.

The configured total size limit is not validated against the actual size of the installed storage devices. If the configured limit is larger than the installed compact flash (CF) device, the limit is never reached.

The no form of this command removes the total size limit for accounting files.

Default

no accounting-files-total-size

Parameters

megabytes

Specifies the total size limit for accounting files, in MB.

Values

50 to 4,194,304 MBytes (4 TBytes, 2²² MB)

Default

0

Platforms

All

Context

[Tree] (config>subscr-mgmt>sub-prof accounting-policy)

Full Context

configure subscriber-mgmt sub-profile accounting-policy

Description

This command specifies the policy to use to collect accounting statistics on this subscriber profile.

A maximum of one accounting policy can be associated with a profile at one time. Accounting policies are configured in the config>log context.

The no form of this command removes the accounting policy association.

Parameters

acct-policy-id

Specifies the accounting policy-id as configured in the config>log>accounting-policy context.

Values

1 to 99

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>service>vprn>sub-if>grp-if>sap accounting-policy)

[Tree] (config>service>vprn>if>sap accounting-policy)

[Tree] (config>service>ies>if>sap accounting-policy)

[Tree] (config>service>vpls>spoke-sdp accounting-policy)

[Tree] (config>service>vpls>sap accounting-policy)

[Tree] (config>service>vpls>mesh-sdp accounting-policy)

[Tree] (config>service>vprn>if>spoke-sdp accounting-policy)

[Tree] (config>service>ies>sub-if>grp-if>sap accounting-policy)

Full Context

configure service vprn subscriber-interface group-interface sap accounting-policy

configure service vprn interface sap accounting-policy

configure service ies interface sap accounting-policy

configure service vpls spoke-sdp accounting-policy

configure service vpls sap accounting-policy

configure service vpls mesh-sdp accounting-policy

configure service vprn interface spoke-sdp accounting-policy

configure service ies subscriber-interface group-interface sap accounting-policy

Description

This command creates the accounting policy context that can be applied to an interface SAP or interface SAP spoke SDP.

An accounting policy must be defined before it can be associated with a SAP or SDP.

If the policy-id does not exist, an error message is generated.

A maximum of one accounting policy can be associated with a SAP or SDP at one time. Accounting policies are configured in the config>log context.

The no form of this command removes the accounting policy association from the SAP or SDP, and the accounting policy reverts to the default.

Default

no accounting policy

Parameters

acct-policy-id

Specifies the accounting policy-id as configured in the config>log>accounting-policy context.

Values

1 to 99

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

• configure service ies subscriber-interface group-interface sap accounting-policy
• configure service vprn subscriber-interface group-interface sap accounting-policy

All

• configure service vpls sap accounting-policy
• configure service vpls spoke-sdp accounting-policy
• configure service vprn interface sap accounting-policy
• configure service ies interface sap accounting-policy
• configure service vpls mesh-sdp accounting-policy
• configure service vprn interface spoke-sdp accounting-policy

Context

[Tree] (config>service>ies>sub-if>grp-if>wlan-gw>vlan-tag-ranges>range>xconnect accounting-policy)

[Tree] (config>service>vprn>sub-if>grp-if>wlan-gw>vlan-tag-ranges>range>xconnect accounting-policy)

Full Context

configure service ies subscriber-interface group-interface wlan-gw vlan-tag-ranges range xconnect accounting-policy

configure service vprn subscriber-interface group-interface wlan-gw vlan-tag-ranges range xconnect accounting-policy

Description

This command configures the ISA RADIUS accounting policy for the cross-connect.

The no form of this command removes the ISA RADIUS accounting policy from the cross-connect UE.

Parameters

isa-radius-policy-name

Specifies the identifier of the ISA RADIUS policy name, up to 32 characters.

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>service>vprn>sub-if>grp-if>wlan-gw>ranges>range>dsm accounting-policy)

[Tree] (config>service>ies>sub-if>grp-if>wlan-gw>ranges>range>dsm accounting-policy)

Full Context

configure service vprn subscriber-interface group-interface wlan-gw vlan-tag-ranges range distributed-sub-mgmt accounting-policy

configure service ies subscriber-interface group-interface wlan-gw vlan-tag-ranges range distributed-sub-mgmt accounting-policy

Description

This command specifies the isa-radius-policy used for accounting messages originated from the ISAs in the wlan-gw group. The policy can specify up to five accounting servers and configuration-specific to these accounting servers. It also specifies configuration specific to RADIUS client on ISAs and RADIUS attributes to be included in accounting messages.

Parameters

policy-name

Specifies the name of the account policy up to 32 characters.

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>card>fp>ingress>access>queue-group accounting-policy)

[Tree] (config>card>fp>ingress>network>queue-group accounting-policy)

Full Context

configure card fp ingress access queue-group accounting-policy

configure card fp ingress network queue-group accounting-policy

Description

This command configures an accounting policy that can apply to a queue-group on the forwarding plane.

An accounting policy must be configured before it can be associated to an interface. If the accounting policy-id does not exist, an error is returned.

Accounting policies associated with service billing can only be applied to SAPs. The accounting policy can be associated with an interface at a time.

The no form of this command removes the accounting policy association from the queue-group.

Default

No accounting policies are specified by default. You must explicitly specify a policy. If configured, the accounting policy configured as the default is used.

Parameters

acct-policy-id

Specifies the name of the accounting policy to use for the queue-group.

Values

1 to 99

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, 7950 XRS, VSR

Context

[Tree] (config>port>sonet-sdh>path>network accounting-policy)

[Tree] (config>port>ethernet>network>egr>qgrp accounting-policy)

[Tree] (config>port>ethernet>access>ing>qgrp accounting-policy)

[Tree] (config>port>ethernet>network accounting-policy)

[Tree] (config>port>tdm>e1>channel-group>network accounting-policy)

[Tree] (config>port>tdm>ds1>channel-group>network accounting-policy)

[Tree] (config>port>ethernet accounting-policy)

[Tree] (config>port>ethernet>access>egr>qgrp accounting-policy)

[Tree] (config>port>tdm>e3>network accounting-policy)

[Tree] (config>port>tdm>ds3>network accounting-policy)

Full Context

configure port sonet-sdh path network accounting-policy

configure port ethernet network egress queue-group accounting-policy

configure port ethernet access ingress queue-group accounting-policy

configure port ethernet network accounting-policy

configure port tdm e1 channel-group network accounting-policy

configure port tdm ds1 channel-group network accounting-policy

configure port ethernet accounting-policy

configure port ethernet access egress queue-group accounting-policy

configure port tdm e3 network accounting-policy

configure port tdm ds3 network accounting-policy

Description

This command configures an accounting policy that can apply to an interface.

An accounting policy must be configured before it can be associated to an interface. If the accounting policy-id does not exist, an error is returned.

Accounting policies associated with service billing can only be applied to SAPs. Accounting policies associated with network ports can only be associated with interfaces. Only one accounting policy can be associated with an interface at a time.

The no form of this command removes the accounting policy association from the network interface, and the accounting policy reverts to the default.

Default

No accounting policies are specified by default. You must explicitly specify a policy. If configured, the accounting policy configured as the default is used.

Parameters

policy-id

The accounting policy-id of an existing policy. Accounting policies record either service (access) or network information. A network accounting policy can only be associated with the network port configurations. Accounting policies are configured in the config>log>accounting-policy context.

Values

1 to 99

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

• configure port sonet-sdh path network accounting-policy

All

• configure port ethernet access egress queue-group accounting-policy
• configure port ethernet accounting-policy
• configure port ethernet access ingress queue-group accounting-policy
• configure port ethernet network accounting-policy
• configure port ethernet network egress queue-group accounting-policy

7450 ESS, 7750 SR-7/12/12e, 7750 SR-a, 7750 SR-e

• configure port tdm e1 channel-group network accounting-policy
• configure port tdm e3 network accounting-policy
• configure port tdm ds3 network accounting-policy
• configure port tdm ds1 channel-group network accounting-policy

Context

[Tree] (config>service>epipe>sap accounting-policy)

[Tree] (config>service>cpipe>sap accounting-policy)

[Tree] (config>service>epipe>spoke-sdp accounting-policy)

[Tree] (config>service>ipipe>sap accounting-policy)

Full Context

configure service epipe sap accounting-policy

configure service cpipe sap accounting-policy

configure service epipe spoke-sdp accounting-policy

configure service ipipe sap accounting-policy

Description

This command creates the accounting policy context that can be applied to a SAP.

An accounting policy must be defined before it can be associated with a SAP. If the policy-id does not exist, an error message is generated.

A maximum of one accounting policy can be associated with a SAP at one time. Accounting policies are configured in the config>log context.

The no form of this command removes the accounting policy association from the SAP, and the accounting policy reverts to the default.

Default

no accounting policy

Parameters

acct-policy-id

Enter the accounting policy-id as configured in the config>log>accounting-policy context.

Values

1 to 99

Platforms

All

• configure service ipipe sap accounting-policy
• configure service epipe spoke-sdp accounting-policy
• configure service epipe sap accounting-policy

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

• configure service cpipe sap accounting-policy

Context

[Tree] (config>service>ies>if>spoke-sdp accounting-policy)

Full Context

configure service ies interface spoke-sdp accounting-policy

Description

This command configures an accounting-policy.

Parameters

acct-policy-id

Specifies an accounting policy ID.

Values

1 to 99

Platforms

All

Context

[Tree] (config>router>ldp>egr-stats>fec-pfx accounting-policy)

Full Context

configure router ldp egress-statistics fec-prefix accounting-policy

Description

This command associates an accounting policy to the MPLS instance.

An accounting policy must be defined before it can be associated else an error message is generated.

The no form of this command removes the accounting policy association.

Parameters

acct-policy-id

Enter the accounting policy-id as configured in the config>log>accounting-policy context.

Values

1 to 99

Platforms

All

Context

[Tree] (config>router>mpls>lsp>ingr-stats accounting-policy)

[Tree] (config>router>mpls>lsp-template>egr-stats accounting-policy)

[Tree] (config>router>mpls>ingr-stats>p2mp-template-lsp accounting-policy)

[Tree] (config>router>mpls>ingr-stats>lsp accounting-policy)

[Tree] (config>router>mpls>ingr-stats>p2p-template-lsp accounting-policy)

[Tree] (config>router>mpls>lsp>egr-stats accounting-policy)

Full Context

configure router mpls lsp ingress-statistics accounting-policy

configure router mpls lsp-template egress-statistics accounting-policy

configure router mpls ingress-statistics p2mp-template-lsp accounting-policy

configure router mpls ingress-statistics lsp accounting-policy

configure router mpls ingress-statistics p2p-template-lsp accounting-policy

configure router mpls lsp egress-statistics accounting-policy

Description

This command associates an accounting policy to the MPLS instance.

The config>router>mpls>ingr-stats>p2mp-template-lsp>accounting-policy command is supported on the 7750 SR, 7950 XRS, and with VPLS only on the 7450 ESS.

An accounting policy must be defined before it can be associated else an error message is generated.

The no form of this command removes the accounting policy association.

Parameters

acct-policy-id

Specifies the accounting policy-id as configured in the config>log>accounting-policy context.

Values

1 to 99

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

• configure router mpls lsp ingress-statistics accounting-policy

All

• configure router mpls ingress-statistics lsp accounting-policy
• configure router mpls lsp egress-statistics accounting-policy
• configure router mpls ingress-statistics p2mp-template-lsp accounting-policy
• configure router mpls ingress-statistics p2p-template-lsp accounting-policy
• configure router mpls lsp-template egress-statistics accounting-policy

Context

[Tree] (config>app-assure>group>statistics>app accounting-policy)

[Tree] (config>app-assure>group>statistics>protocol accounting-policy)

[Tree] (config>app-assure>group>statistics>aa-admit-deny accounting-policy)

[Tree] (config>isa>aa-grp>statistics>perform accounting-policy)

[Tree] (config>app-assure>group>statistics>aa-part accounting-policy)

[Tree] (config>app-assure>group>statistics>aa-sub accounting-policy)

[Tree] (config>app-assure>group>statistics>app-grp accounting-policy)

[Tree] (config>app-assure>group>statistics>aa-sub-study accounting-policy)

Full Context

configure application-assurance group statistics application accounting-policy

configure application-assurance group statistics protocol accounting-policy

configure application-assurance group statistics aa-admit-deny accounting-policy

configure isa application-assurance-group statistics performance accounting-policy

configure application-assurance group statistics aa-partition accounting-policy

configure application-assurance group statistics aa-sub accounting-policy

configure application-assurance group statistics app-group accounting-policy

configure application-assurance group statistics aa-sub-study accounting-policy

Description

This command specifies the existing accounting policy to use for AA. Accounting policies are configured in the config>log>accounting-policy context.

Parameters

acct-policy-id

Specifies the existing accounting policy to use for applications.

Values

1 to 99

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>saa>test accounting-policy)

Full Context

configure saa test accounting-policy

Description

This command associates an accounting policy to the SAA test. The accounting policy must already be defined before it can be associated otherwise an error message is generated.

A notification (trap) is issued whenever a test is completed or terminates.

The no form of this command removes the accounting policy association.

Parameters

acct-policy-id

Specifies the accounting policy-id as configured in the config>log>accounting-policy context.

Values

1 to 99

Platforms

All

Context

[Tree] (config>oam-pm>session>meas-interval accounting-policy)

Full Context

configure oam-pm session meas-interval accounting-policy

Description

This optional command allows the operator to assign an accounting policy and the policy-id (configured under the config>log>accounting-policy) with a record-type of complete-pm. This runs the data collection process for completed measurement intervals in memory, file storage, and maintenance functions moving data from memory to flash. A single accounting policy can be applied to a measurement interval.

The no form of this command removes the accounting policy.

Parameters

acct-policy-id

Specifies the accounting policy to be applied to the measurement interval.

Values

1 to 99

Platforms

All

Context

[Tree] (config>service>sdp accounting-policy)

[Tree] (config>service>pw-template accounting-policy)

Full Context

configure service sdp accounting-policy

configure service pw-template accounting-policy

Description

This command creates the accounting policy context that can be applied to an SDP. An accounting policy must be defined before it can be associated with a SDP. If the acct-policy-id does not exist, an error message is generated.

A maximum of one accounting policy can be associated with a SDP at one time. Accounting policies are configured in the config>log context.

The no form of this command removes the accounting policy association from the SDP, and the accounting policy reverts to the default.

Default

no accounting-policy

Parameters

acct-policy-id

Specifies the accounting policy-id as configured in the config>log>accounting-policy context.

Values

1 to 99

Platforms

All

Context

[Tree] (config>log accounting-policy)

Full Context

configure log accounting-policy

Description

This command creates an access or network accounting policy. An accounting policy defines the accounting records that are created.

Access accounting policies are policies that can be applied to one or more SAPs. Changes made to an existing policy, using any of the sub-commands, are applied immediately to all SAPs where this policy is applied.

If an accounting policy is not specified on a SAP, then accounting records are produced in accordance with the access policy designated as the default. If a default access policy is not specified, then no accounting records are collected other than the records for the accounting policies that are explicitly configured.

Only one policy can be regarded as the default access policy. If a policy is configured as the default policy, then a no default command must be used to allow the data that is currently being collected to be written before a new access default policy can be configured.

Network accounting policies are policies that can be applied to one or more network ports or SONET/SDH channels. Any changes made to an existing policy, using any of the sub-commands, will be applied immediately to all network ports or SONET/SDH channels where this policy is applied.

If no accounting policy is defined on a network port, accounting records will be produced in accordance with the default network policy as designated with the default command. If no network default policy is created, then no accounting records will be collected other than the records for the accounting policies explicitly configured. Default accounting policies cannot be explicitly applied. For example, for accounting-policy 10, if default is set, then that policy cannot be used:

A:node-2>config>service>vpls>spoke-sdp# accounting-policy 10

Only one policy can be regarded as the default network policy. If a policy is configured as the default policy, then a no default command must be used to allow the data that is currently being collected to be written before a new network default policy can be configured.

The no form of this command deletes the policy from the configuration. The accounting policy cannot be removed unless it is removed from all the SAPs, network ports or channels where the policy is applied.

Parameters

policy-id

Specifies the policy ID that uniquely identifies the accounting policy, expressed as a decimal integer.

Values

1 to 99

Platforms

All

Context

[Tree] (conf>router>segment-routing>sr-policies>egress-stats accounting-policy)

Full Context

configure router segment-routing sr-policies egress-statistics accounting-policy

Description

This command adds the accounting record type to the accounting policy that is forwarded to the configured accounting file. A record name can only be used in one accounting policy. To obtain a list of all record types that can be configured, use the show log accounting-records command.

To configure an accounting policy for access ports, select a service record. To change the record name to another service record, configure the new record name with this command.

When configuring an accounting policy for network ports, select a network record. To change the record name to another network record, configure the new record name with this command.

The no form of this command removes the accounting policy association from the egress statistics configuration.

Default

no accounting-policy

Parameters

acct-policy-id

Specifies the accounting policy-id as configured in the config>log>accounting-policy context.

Values

1 to 99

Platforms

All

Context

[Tree] (config>test-oam>sath>svc-test accounting-policy)

Full Context

configure test-oam service-activation-testhead service-test accounting-policy

Description

This command creates a link to an accounting policy for the specified service test. The record of the accounting policy must be set to complete-service-activation-test.

The no form of this command removes the policy.

Default

no accounting-policy

Parameters

acct-policy-id

Specifies an identifier for the service test accounting policy.

Values

1 to 99

Platforms

7450 ESS, 7750 SR, 7750 SR-s, 7950 XRS

Context

[Tree] (config>system>security>radius accounting-port)

[Tree] (config>service>vprn>aaa>rmt-srv>radius accounting-port)

Full Context

configure system security radius accounting-port

configure service vprn aaa remote-servers radius accounting-port

Description

This command specifies a UDP port number on which to contact the RADIUS server for accounting requests.

Default

accounting-port 1813

Parameters

port

Specifies the UDP port number.

Values

1 to 65535

Platforms

All

Context

[Tree] (config>aaa>l2tp-acct-plcy accounting-type)

Full Context

configure aaa l2tp-accounting-policy accounting-type

Description

This command specifies the accounting type for the L2TP tunnel accounting policy.

The no form of this command reverts to the default.

Default

accounting-type session tunnel

Parameters

session

Enables tunnel level accounting, including:

Tunnel-Link-Start

Tunnel-Link-Stop

Tunnel-Link-Reject

tunnel

Enables link level accounting, including:

Tunnel-Start

Tunnel-Stop

Tunnel-Reject

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>service>ies>sub-if>grp-if>wlan-gw>vlan-tag-ranges>range>xconnect accounting-update-interval)

[Tree] (config>service>vprn>sub-if>grp-if>wlan-gw>vlan-tag-ranges>range>xconnect accounting-update-interval)

Full Context

configure service ies subscriber-interface group-interface wlan-gw vlan-tag-ranges range xconnect accounting-update-interval

configure service vprn subscriber-interface group-interface wlan-gw vlan-tag-ranges range xconnect accounting-update-interval

Description

This command configures the time interval between consecutive interim accounting update messages. If not configured, the system does not send interim accounting update messages.

The no form of this command removes the value from the cross-connect configuration.

Parameters

interval

Specifies the time interval between consecutive interim accounting update messages in minutes.

Values

5 to 259200

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>service>ies>sub-if>grp-if>wlan-gw>ranges>range>dsm accounting-update-interval)

[Tree] (config>service>vprn>sub-if>grp-if>wlan-gw>ranges>range>dsm accounting-update-interval)

Full Context

configure service ies subscriber-interface group-interface wlan-gw vlan-tag-ranges range distributed-sub-mgmt accounting-update-interval

configure service vprn subscriber-interface group-interface wlan-gw vlan-tag-ranges range distributed-sub-mgmt accounting-update-interval

Description

This command enables the interim accounting and specifies the interim accounting interval.

Parameters

interval

Specifies the interim accounting interval in minutes.

Values

5 to 259200

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>subscr-mgmt>acct-plcy>include-radius-attribute acct-authentic)

Full Context

configure subscriber-mgmt radius-accounting-policy include-radius-attribute acct-authentic

Description

This command enables the generation of the acct-authentic RADIUS attribute.

The no form of this command reverts to the default.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>subscr-mgmt>acct-plcy>include-radius-attribute acct-delay-time)

Full Context

configure subscriber-mgmt radius-accounting-policy include-radius-attribute acct-delay-time

Description

This command enables the generation of the acct-delay-time RADIUS attribute.

The no form of this command reverts to the default.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>aaa>isa-radius-plcy>acct-include-attributes acct-delay-time)

Full Context

configure aaa isa-radius-policy acct-include-attributes acct-delay-time

Description

This command enables the acct-delay-time.

Default

no acct-delay-time

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>aaa>isa-radius-plcy acct-include-attributes)

Full Context

configure aaa isa-radius-policy acct-include-attributes

Description

This command configures attributes to be included in RADIUS accounting messages.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>aaa>radius-srv-plcy>servers>buffering acct-interim)

Full Context

configure aaa radius-server-policy servers buffering acct-interim

Description

This command enables RADIUS accounting interim update message buffering.

1. The message is stored in the buffer, a lifetime timer is started and the message is sent to the RADIUS server

2. If after retry*timeout seconds no RADIUS accounting response is received for the interim update then a new attempt to send the message is started after minimum[(min-val*2n), max-val] seconds.

3. Repeat step 2 until for one of the following:

   1. a RADIUS accounting response is received.

   2. the lifetime of the buffered message expires.

   3. a new RADIUS accounting interim-update or a RADIUS accounting stop for the same accounting session-id and radius-server-policy is stored in the buffer.

   4. the message is manually purged from the message buffer via a clear command.

4. The message is purged from the buffer.

The no form of this command disables RADIUS accounting interim update message buffering.

Parameters

min-val

Specifies the minimum interval in seconds between attempts to resend the RADIUS accounting interim update.

Values

1 to 3600

max-val

Specifies the maximum interval in seconds between attempts to resend the RADIUS accounting interim update.

Values

1 to 3600

lifetime

Specifies the lifetime in hours.

Values

1 to 25

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>aaa>radius-srv-plcy acct-on-off)

Full Context

configure aaa radius-server-policy acct-on-off

Description

This command controls the sending of Accounting-On and Accounting-Off messages and the acct-on-off oper-state of the radius-server-policy:

acct-on-off: enables the sending of Accounting-On and Accounting-Off messages for this radius-server-policy. The acct-on-off oper-state is always not blocked.

acct-on-off oper-state-change [group group-name]: enables the sending of Accounting-On and Accounting-Off messages for this radius-server-policy. The acct-on-off oper-state is function of the Accounting-response received for the Accounting-On and Accounting-Off. Optionally, sets the acct-on-off oper-state of the acct-on-off-group.

acct-on-off monitor-group group-name: no Accounting-On and Accounting-Off messages are sent for this radius-server-policy. The acct-on-off oper-state is inherited from the acct-on-off-group.

The no form of this command disables the sending of Accounting-On and Accounting-Off messages.

Parameters

group-name

Specifies the name of an acct-on-off group up to 32 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>aaa acct-on-off-group)

Full Context

configure aaa acct-on-off-group

Description

This command creates an acct-on-off-group.

An acct-on-off-group can be referenced by:

• A single radius-server-policy as controller — The acct-on-off oper-state of the acct-on-off-group is set to the acct-on-off oper-state of the radius-server-policy.

• Multiple radius-server-policies as monitor — The acct-on-off oper-state of the radius-server-policy is inherited from the acct-on-off oper-state of the acct-on-off group.

The no form of this command deletes the acct-on-off-group.

Parameters

group-name

Specifies the name of an acct-on-off group up to 32 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>subscr-mgmt>loc-user-db>ppp>host acct-policy)

[Tree] (config>subscr-mgmt>loc-user-db>ipoe>host acct-policy)

Full Context

configure subscriber-mgmt local-user-db ppp host acct-policy

configure subscriber-mgmt local-user-db ipoe host acct-policy

Description

This command specifies the accounting policy used for sending an Accounting Stop message to report RADIUS authentication failures of PPPoE sessions. A duplicate policy can be specified if a copy of the Accounting Stop message must be sent to another destination.

Reporting RADIUS authentication failures with an Accounting Stop message must be enabled in the RADIUS authentication policy ("send-acct-stop-on-fail”).

A duplicate RADIUS accounting policy can be specified if the accounting stop resulting from a RADIUS authentication failure must also be sent to a second RADIUS destination.

The no form of this command reverts to the default.

Parameters

acct-policy-name

Specifies the name of a RADIUS accounting policy, up to 32 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>router>radius-server>server acct-port)

[Tree] (config>service>vprn>radius-server>server acct-port)

Full Context

configure router radius-server server acct-port

configure service vprn radius-server server acct-port

Description

This command specifies the UDP listening port for RADIUS accounting requests.

The no form of this command resets the UDP port to its default value (1813).

Default

acct-port 1813

Parameters

port

Specifies the UDP listening port for accounting requests of the external RADIUS server.

Values

1 to 65535

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>subscr-mgmt>acct-plcy acct-request-script-policy)

Full Context

configure subscriber-mgmt radius-accounting-policy acct-request-script-policy

Description

This command configures the Python script policy to modify Accounting-Request messages.

The no form of this command removes the policy name from the configuration.

Parameters

policy-name

Specifies the Python script policy to modify Accounting-Request messages.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>aaa>radius-srv-plcy acct-request-script-policy)

Full Context

configure aaa radius-server-policy acct-request-script-policy

Description

This command specifies the name of the RADIUS script policy used to change the RADIUS attributes of the Accounting-Request messages.

Parameters

policy-name

Specifies the name of the Python script to modify Accounting-Request messages, up to 32 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>subscr-mgmt>auth-plcy>include-radius-attribute acct-session-id)

Full Context

configure subscriber-mgmt authentication-policy include-radius-attribute acct-session-id

Description

The acct-session-id attribute for each subscriber host is generated at the very beginning of the session initiation. This command will enable or disable sending this attribute to the RADIUS server in the Access-Request messages regardless of whether the accounting is enabled or not. The acct-session-id attribute can be used to address the subscriber hosts from the RADIUS server in the CoA Request.

The acct-session-id attribute is unique per subscriber host network wide. It is a 22 byte field comprised of the system MAC address along with the creation time and a sequence number in a hex format.

The no form of this command reverts to the default.

Default

no acct-session-id

Parameters

session-id-type

Specifies the format for the acct-session-id attribute used in RADIUS accounting requests.

Values

host, session

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>ipsec>rad-acct-plcy>include acct-stats)

Full Context

configure ipsec radius-accounting-policy include-radius-attribute acct-stats

Description

This command enables the system to include accounting attributes in RADIUS acct-stop and interim-update packets.

The no form of this command disables the system from including accounting attributes in RADIUS acct-stop and interim-update packets.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>aaa>radius-srv-plcy>servers>buffering acct-stop)

Full Context

configure aaa radius-server-policy servers buffering acct-stop

Description

This command enables RADIUS accounting stop message buffering.

1. The message is stored in the buffer, a lifetime timer is started and the message is sent to the RADIUS server

2. If after retry*timeout seconds no RADIUS accounting response is received for the accounting stop, then a new attempt to send the message is started after minimum[(min-val*2n), max-val] seconds.

3. Repeat step 2 until one of the following events occurs:

   1. A RADIUS accounting response is received.

   2. The lifetime of the buffered message expires.

   3. The message is manually purged from the message buffer via a clear command.

4. The message is purged from the buffer.

The no form of this command disables RADIUS accounting stop message buffering.

Parameters

min-val

Specifies the minimum interval in seconds between attempts to resend the RADIUS accounting stop.

Values

1 to 3600

max-val

Specifies the maximum interval in seconds between attempts to resend the RADIUS accounting stop.

Values

1 to 3600

lifetime

Specifies the lifetime in hours.

Values

1 – 25

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>aaa>isa-radius-plcy>acct-include-attributes acct-trigger-reason)

Full Context

configure aaa isa-radius-policy acct-include-attributes acct-trigger-reason

Description

This command enables the acct-trigger-reason.

Default

no acct-trigger-reason

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>aaa>l2tp-acct-plcy acct-tunnel-connection-fmt)

Full Context

configure aaa l2tp-accounting-policy acct-tunnel-connection-fmt

Description

This command configures the accounting tunnel connection ascii-specification.

Default

no acct-tunnel-connection-fmt

Parameters

ascii-spec

Specifies the ASCII specifications.

<ascii-spec>	<char-specification> <ascii-spec>
char-specification	<ascii-char> | <char-origin>
ascii-char	a printable ASCII character
char-origin	%<origin>
origin	n | s | S | t | T | c | C
	n	Call Serial Number
	s | S	Local (s) or Remote (S) Session Id
	t | T	Local (t) or Remote (T) Tunnel Id
	c | C	Local (c) or Remote (C) Connection Id

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>subscr-mgmt>acct-plcy acct-tunnel-connection-fmt)

Full Context

configure subscriber-mgmt radius-accounting-policy acct-tunnel-connection-fmt

Description

This command specifies the string that is sent in the accounting message.

Default

no acct-tunnel-connection-fmt

Parameters

ascii-spec

Specifies the accounting tunnel connection ASCII specification.

Values

asci-spec	<char-specification> <ascii-spec>
char-specification	<ascii-char> | <char-origin>
ascii-char	A printable ASCII character
char-origin	%<origin>
origin	n | s | S | t | T | c | C
	n	Call Serial Number
	s | S	Local (s) or Remote (S) Session Id
	t | T	Local (t) or Remote (T) Tunnel Id
	c | C	Local (c) or Remote (C) Connection Id

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>aaa>isa-radius-plcy acct-update-triggers)

Full Context

configure aaa isa-radius-policy acct-update-triggers

Description

Commands in this context enable or disable the sending of triggered interim-updates, with the exception of the following:

• After an update interval change, an interim update is always sent to indicate the start of the new interval.

• Mobility-triggered updates are configured in the (service vprn <svc-id> | router) wlan-gw mobility-triggered-acct context.

• NAT port block allocation depends on the inclusion of NAT-related attributes (port-range, outside-service, outside-ip).

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>subscr-mgmt accu-stats-policy)

Full Context

configure subscriber-mgmt accu-stats-policy

Description

This command creates a storage policy for cumulative statistics for subscribers. The policy defines the specific direction for the policer or the queue to be stored and performs the following functions.

• The policy stores subscriber statistics even if the subscriber session has ended. The subscriber statistics can be viewed even if the subscriber is offline.

• When the subscriber session ends, the statistics are added to the past statistics stored in memory so that all previous session statistics are accumulated. The accumulated statistics are not persistent; they are only stored in memory and reset to zero when the chassis reboots.

The no form of this command deletes the policy only when it is no longer referenced by a subscriber profile.

Parameters

policy-name

Specifies the name for the policy, up to 32 characters.

create

Configures an entry for the policy.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>subscr-mgmt>sub-profile accu-stats-policy)

Full Context

configure subscriber-mgmt sub-profile accu-stats-policy

Description

This command associates an accumulated statistics policy with a subscriber profile.

The no form of this command removes the association of the accu-stats-policy from the subscriber profile. It is possible to remove the policy from the subscriber profile while the subscriber is still online, however, the statistics remain in memory and must be cleared manually, using the clear subscriber-mgmt accu-stats active-subs no-accu-stats-policy command.

Parameters

policy-name

Specifies the name of the accumulated statistics policy, up to 32 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (debug>router>rsvp>packet ack)

Full Context

debug router rsvp packet ack

Description

This command debugs ack events.

The no form of the command disables the debugging.

Parameters

detail

Displays detailed information about ack events.

Platforms

All

Context

[Tree] (config>router>wpp>portals>portal ack-auth-retry-count)

[Tree] (config>service>vprn>wpp>portals>portal ack-auth-retry-count)

Full Context

configure router wpp portals portal ack-auth-retry-count

configure service vprn wpp portals portal ack-auth-retry-count

Description

This command configures the number of retransmissions of an ACK_OUT message.

The no form of this command reverts to the default.

Default

ack-auth-retry-count 5

Parameters

value

Specifies the number of retransmissions of an ACK_OUT message.

Values

0 to 5

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>service>epipe>spoke-sdp>control-channel-status acknowledgment)

[Tree] (config>service>cpipe>spoke-sdp>control-channel-status acknowledgment)

[Tree] (config>service>vpls>spoke-sdp>control-channel-status acknowledgment)

Full Context

configure service epipe spoke-sdp control-channel-status acknowledgment

configure service cpipe spoke-sdp control-channel-status acknowledgment

configure service vpls spoke-sdp control-channel-status acknowledgment

Description

This command enables the acknowledgment of control channel status messages. By default, no acknowledgment packets are sent.

Platforms

All

• configure service vpls spoke-sdp control-channel-status acknowledgment
• configure service epipe spoke-sdp control-channel-status acknowledgment

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

• configure service cpipe spoke-sdp control-channel-status acknowledgment

Context

[Tree] (config>service>ies>red-if>spoke-sdp>control-channel-status acknowledgment)

[Tree] (config>service>ies>if>spoke-sdp>control-channel-status acknowledgment)

Full Context

configure service ies redundant-interface spoke-sdp control-channel-status acknowledgment

configure service ies interface spoke-sdp control-channel-status acknowledgment

Description

This command enables the acknowledgment of control channel status messages. By default, no acknowledgment packets are sent.

Default

no acknowledgment

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

• configure service ies redundant-interface spoke-sdp control-channel-status acknowledgment

All

• configure service ies interface spoke-sdp control-channel-status acknowledgment

Context

[Tree] (config>service>vprn>if>spoke-sdp>control-channel-status acknowledgment)

[Tree] (config>service>vprn>red-if>spoke-sdp>control-channel-status acknowledgment)

Full Context

configure service vprn interface spoke-sdp control-channel-status acknowledgment

configure service vprn redundant-interface spoke-sdp control-channel-status acknowledgment

Description

This command enables the acknowledgment of control channel status messages. By default, no acknowledgment packets are sent.

Platforms

All

• configure service vprn interface spoke-sdp control-channel-status acknowledgment

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

• configure service vprn redundant-interface spoke-sdp control-channel-status acknowledgment

Context

[Tree] (config>mirror>mirror-dest>spoke-sdp>control-channel-status acknowledgment)

[Tree] (config>mirror>mirror-dest>remote-src>spoke-sdp>control-channel-status acknowledgment)

Full Context

configure mirror mirror-dest spoke-sdp control-channel-status acknowledgment

configure mirror mirror-dest remote-source spoke-sdp control-channel-status acknowledgment

Description

This command enables the acknowledgment of control channel status messages. By default, no acknowledgment packets are sent.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

Context

[Tree] (config>filter>dhcp-filter>entry action)

Full Context

configure filter dhcp-filter entry action

Description

This command specifies the action to take on DHCP host creation when the filter entry matches.

The no form of this command reverts to the default wherein the host creation proceeds as normal.

Parameters

bypass-host-creation

Specifies that the host creation is bypassed.

drop

Specifies that the DHCP message is dropped.

Platforms

All

Context

[Tree] (config>filter>dhcp6-filter>entry action)

Full Context

configure filter dhcp6-filter entry action

Description

This command specifies the action to take on DHCP6 host creation when the filter entry matches.

The no form of this command reverts to the default wherein the host creation proceeds as normal.

Parameters

bypass-host-creation

Specifies that the host creation is bypassed.

Values

na — Bypasses the DHCP6 NA hosts creation.

pd — Bypasses the DHCP6 PD hosts creation.

drop

Specifies that the DHCP6 message is dropped.

Platforms

All

Context

[Tree] (config>router>policy-options>policy-statement>entry action)

Full Context

configure router policy-options policy-statement entry action

Description

This command creates the context to configure actions to take for routes matching a route policy statement entry.

This command is required and must be entered for the entry to be active.

Any route policy entry without the action command will be considered incomplete and will be inactive.

The no form of this command deletes the action context from the entry.

Default

no action

Parameters

accept

Specifies that routes matching the entry match criteria will be accepted and propagated.

next-entry

Specifies that the actions specified would be made to the route attributes and then policy evaluation would continue with next policy entry (if any others are specified).

next-policy

Specifies that the actions specified would be made to the route attributes and then policy evaluation would continue with next route policy (if any others are specified).

drop

Specifies that routes matching the entry match criteria should be rejected. This parameter provides a context for modifying route properties.

reject

Specifies that routes matching the entry match criteria should be rejected. This parameter does not provide a context for modifying route properties.

Platforms

All

Context

[Tree] (config>service>vprn>if>dhcp>option action)

[Tree] (config>subscr-mgmt>msap-policy>vpls-only>dhcp>option action)

[Tree] (config>service>vprn>sub-if>grp-if>dhcp>option action)

[Tree] (config>service>vpls>sap>dhcp>option action)

[Tree] (config>service>ies>sub-if>grp-if>dhcp>option action)

[Tree] (config>service>ies>if>dhcp>option action)

Full Context

configure service vprn interface dhcp option action

configure subscriber-mgmt msap-policy vpls-only-sap-parameters dhcp option action

configure service vprn subscriber-interface group-interface dhcp option action

configure service vpls sap dhcp option action

configure service ies subscriber-interface group-interface dhcp option action

configure service ies interface dhcp option action

Description

This command configures the processing required when the SR OS receives a DHCP request that already has a Relay Agent Information Option (Option 82) field in the packet.

The no form of this command returns the system to the default value.

Default

action keep — Per RFC 3046, DHCP Relay Agent Information Option, section 2.1.1, Reforwarded DHCP requests. The default is to keep the existing information intact. The exception to this is if the giaddr of the received packet is the same as the ingress address on the router. In that case the packet is dropped and an error is logged.

Parameters

replace

In the upstream direction (from the user), the existing Option 82 field is replaced with the Option 82 field from the router. In the downstream direction (towards the user) the Option 82 field is stripped (in accordance with RFC 3046).

drop

Specifies that the packet is dropped, and an error is logged.

keep

Specifies that the existing information is kept in the packet and the router does not add any additional information. In the downstream direction the Option 82 field is not stripped and is sent on towards the client.

The behavior is slightly different in case of Vendor Specific Options (VSOs). When the keep parameter is specified, the router inserts its own VSO into the Option 82 field. This is only done when the incoming message has already an Option 82 field.

If no Option 82 field is present, the router will not create the Option 82 field. In this in that case, no VSO is added to the message.

Platforms

All

• configure service vpls sap dhcp option action
• configure service vprn interface dhcp option action
• configure service ies interface dhcp option action

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

• configure service ies subscriber-interface group-interface dhcp option action
• configure service vprn subscriber-interface group-interface dhcp option action
• configure subscriber-mgmt msap-policy vpls-only-sap-parameters dhcp option action

Context

[Tree] (config>log>filter>entry action)

[Tree] (config>service>vprn>log>filter>entry action)

Full Context

configure log filter entry action

configure service vprn log filter entry action

Description

This command specifies a drop or forward action associated with the filter entry. If neither drop nor forward is specified, the default-action will be used for traffic that conforms to the match criteria. This could be considered a No-Op filter entry used to explicitly exit a set of filter entries without modifying previous actions.

Multiple action statements entered will overwrite previous actions.

The no form of this command removes the specified action statement.

Default

Action specified by the default-action command will apply.

Parameters

drop

Specifies packets matching the entry criteria will be dropped.

forward

Specifies packets matching the entry criteria will be forwarded.

Platforms

All

Context

[Tree] (config>log>filter>entry action)

Full Context

configure log filter entry action

Description

This command specifies a drop or forward action associated with the filter entry. If neither drop nor forward is specified, the default-action will be used for traffic that conforms to the match criteria. This could be considered a No-Op filter entry used to explicitly exit a set of filter entries without modifying previous actions.

Multiple action statements entered will overwrite previous actions.

The no form of this command removes the specified action statement.

Default

no action

Parameters

drop

Specifies packets matching the entry criteria will be dropped.

forward

Specifies packets matching the entry criteria will be forwarded.

Platforms

All

Context

[Tree] (config>subscr-mgmt>isa-svc-chain>vas-filter>entry action)

Full Context

configure subscriber-mgmt isa-service-chaining vas-filter entry action

Description

Commands in this context configure an action to be performed for traffic that matches a configured match criteria in the filter entry. The action can be configured as being applicable to upstream traffic, downstream traffic, or both.

The no form of this command removes the direction from the configuration.

Parameters

direction

Specifies the direction for the action in a VAS filter entry.

Values

upstream, downstream

create

Keyword used to create the action’s direction. The create keyword requirement can be enabled or disabled in the environment>create context.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>subscr-mgmt>cat-map>category>exh-lvl>egr-ip>entry action)

[Tree] (config>subscr-mgmt>cat-map>category>exh-lvl>egr-ipv6>entry action)

[Tree] (config>subscr-mgmt>cat-map>category>exh-lvl>ingr-ip>entry action)

[Tree] (config>subscr-mgmt>cat-map>category>exh-lvl>ingr-ipv6>entry action)

Full Context

configure subscriber-mgmt category-map category exhausted-credit-service-level egress-ip-filter-entries entry action

configure subscriber-mgmt category-map category exhausted-credit-service-level egress-ipv6-filter-entries entry action

configure subscriber-mgmt category-map category exhausted-credit-service-level ingress-ip-filter-entries entry action

configure subscriber-mgmt category-map category exhausted-credit-service-level ingress-ipv6-filter-entries entry action

Description

This command configures the action for the filter entry.

The no form of this command reverts to the default.

Default

action drop

Parameters

drop

Specifies to drop the packets matching the IP filter entry.

forward

Specifies to forward the packets matching the IP filter entry.

http-redirect url [allow-override]

Specifies the HTTP web address, up to 255 characters, that is sent to the user’s browser for redirection.

Note:

This action is not supported for IPv6 filter entries.

The specified URL can be overridden by a Diameter Credit Control Server when the following conditions are met:

• a Final-Unit-Indication AVP is present in the Multiple-Services-Credit-Control AVP of a CCA message

• the Final-Unit-Action AVP is set to REDIRECT (1)

• a Redirect-Server AVP is included with the following:

  • the Redirect-Address-Type AVP set to URL (2)

  • the Redirect-Server-Address AVP containing the URL to use for this rating group (category-map)

• the out of credit action for the corresponding rating group is set to change-service-level using one of the following commands:

  • configure>subscriber-mgmt>credit-control-policy policy-name>out-of-credit-action change-service-level

  • configure>subscriber-mgmt>category-map category-map-name category category-name>out-of-credit-action-override change-service-level

• an IPv4 HTTP redirect action with allow-override is specified in the exhausted credit service level context for the corresponding rating group using the command configure>subscriber-mgmt>category-map category-map-name category category-name>exhausted-credit-service-level>ingress-ip-filter-entries> entry entry-id>action http-redirect url allow-override

In all other cases, the URL specified in the Redirect-Server-Address AVP is ignored and the configured URL is used. The URL received from the Credit Control Server is included in the output of show>service>active-subscribers>credit-control. The allow-override is ignored for RADIUS credit control.

The following variables can optionally be added in the configured URL (http-redirect url) and in the override URL from the Credit Control Server (Redirect-Server-Address AVP):

• $IP – Customer’s IP address

• $MAC – Customer’s MAC address

• $URL – Original requested URL

• $SAP – Customer’s SAP

• $SUB – Customer’s subscriber identification string

• $CID – string that represents the circuit-id or interface-id of the subscriber host (hexadecimal format)

• $RID – string that represents the remote-id of the subscriber host (hexadecimal format)

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>subscr-mgmt>shcv-policy>periodic action)

Full Context

configure subscriber-mgmt shcv-policy periodic action

Description

This command configures the action to take when the periodic connectivity verification failed.

The no form of this command reverts to the default.

Default

action alarm

Parameters

alarm

Raises an alarm indicating that the host is disconnected.

remove

Raises an alarm and releases all allocated resources (addresses, prefixes, queues, table entries, and so on). Static hosts are removed.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>subscr-mgmt>isa-filter>ipv6>entry action)

[Tree] (config>subscr-mgmt>isa-filter>entry action)

Full Context

configure subscriber-mgmt isa-filter ipv6 entry action

configure subscriber-mgmt isa-filter entry action

Description

This command specifies what should happen to packets that do match this entry.

The no form of this command reverts to the default value.

Default

action none

Parameters

drop

Specifies to drop the packet.

forward

Specifies to forward the packet.

none

Specifies to ignore the entry and continue processing with subsequent entries.

rdr-url-string

Specifies the URL to which matching HTTP flows are redirected, up to 255 characters. The URL can be overridden by AAA. Non-HTTP packets are dropped. The URL supports the $URL, $MAC, and $IP variables. For other macro substitutions, the string is not modified.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>subscr-mgmt>isa-policer action)

Full Context

configure subscriber-mgmt isa-policer action

Description

This command specifies what happens to packets that are in-profile and out-of-profile.

The no form of this command reverts to the default value.

Default

action permit-deny

Parameters

permit-deny

Drops all packets that are out of profile (they do not conform to the PIR).

priority-mark

Currently not supported. The policer will take no action.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>card>mda>event action)

Full Context

configure card mda event action

Description

This command defines the action to be taken when a specific hardware error event is raised against the target mda.

Only one action can be enabled at a time. Entering a new action will override a previously defined action.

The no form of this command sets the action to the default value.

Default

action log-only

Parameters

log-only

Specifies to pass the log event to log management. No other action is taken.

reset-mda

Specifies to reset the mda.

fail-mda

Specifies to set the operational state of the mda to Failed. This Failed state will persist until the clear mda command is issued (reset) or the mda is removed and re-inserted (re-seat).

Platforms

All

Context

[Tree] (configure>system>security>profile>netconf>base-op-authorization action)

Full Context

configure system security profile netconf base-op-authorization action

Description

This command enables the NETCONF <action> RPC.

The no form of this command disables the RPC.

Default

no action

Platforms

All

Context

[Tree] (config>app-assure>group>policer action)

Full Context

configure application-assurance group policer action

Description

This command configures the action to be performed by single-bucket bandwidth policers for non-conformant traffic.

Dual bucket bandwidth policers cannot have their action configured and always mark traffic below CIR in profile, between CIR and PIR out of profile, and drop traffic above PIR. Flow policers always discard non-conformant traffic.

When multiple application assurance policers are configured against a single flow (including policers at both subscriber and system), the final action done to the flow/packet will be a logical OR of all policers actions. For example, if only of the policers requires the packet to be discarded, the packet will be dropped regardless of the action of the other policers.

Default

action permit-deny

Parameters

priority-mark

Non-conformant traffic will be marked out of profile and the conformant traffic will be marked in profile. The new marking will overwrite any previous IOM QoS marking done to a packet.

permit-deny

Non-conformant traffic will be dropped.

monitor

Records the duration and volume of non-conformant traffic. The non-conformant traffic is not dropped. This parameter is only applicable to single-rate flow-level policers.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>app-assure>group>policy>aqp>entry action)

Full Context

configure application-assurance group policy app-qos-policy entry action

Description

Commands in this context configure AQP actions to be performed on flows that match the AQP entry’s match criteria.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>app-assure>group>sess-fltr>entry action)

Full Context

configure application-assurance group session-filter entry action

Description

This command configures the action for this entry.

Parameters

deny

Specifies that packets matching the criteria are denied.

permit

Specifies that packets matching the criteria are permitted.

event-log-name

Specifies the event log name, up to 32 characters.

http-redirect-name

Specifies the HTTP redirect name, up to 32 characters.

tcp-optimizer

Specifies to use TCP Optimization (TCPO) on the matching flows. The TCPO policy referenced within this session filter entry is configured under the AA group. If the TCPO action is removed from a session-filter entry, the existing flows are not affected. However, no new TCP flows are optimized.

tcp-optimizer-name

Specifies the name of the TCPO policy, up to 32 characters.

redirect

Configures a session filter entry action to perform Layer 3 or Layer 4 redirect. For the matching flows, AA replaces the destination address (IP address or port) with the configured values. In the reverse direction (toward the subscriber), AA restores the original IP and port numbers (as the source IP and port fields).

If the redirect action is removed from a session filter, the existing redirected flows are not affected, and redirect still occurs. However, no redirect will be applied to newly-established flows.

ip-address

Specifies a valid unicast server IPv4 or IPv6 address to forward the traffic to.

dst-port

Specifies a valid TCP/UDP server destination port number.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>app-assure>group>gtp>gtp-fltr>imsi-apn-fltr>entry action)

Full Context

configure application-assurance group gtp gtp-filter imsi-apn-filter entry action

Description

This command configures an action for the IMSI-APN filter entry.

Default

action permit

Parameters

permit

Specifies to permit packets that do not match any message entries.

deny

Specifies to deny packets that do not match any message entries.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>service>nat>nat-classifier>entry action)

Full Context

configure service nat nat-classifier entry action

Description

This command specifies the action to take for packets that match this nat-classifier entry. The no form of the command removes the specified action statement. By default, the entry is ignored (skipped). Consequently, the action from another matching entry is applied. If there are no other matching entries found, the default-action is applied.

Default

no action.

Parameters

dnat

Performs the DNAT function. The destination IP address of the packet traversing the router in the direction from inside to outside is replaced by the configured IP address. Destination port is not translated. In the opposite direction (from outside to inside), the source address in the returning packet is restored to the original value.

forward

Specifies that the forward action ensures that the packet is transparently passed through the nat-classifier.

ip-address ip-address

Specifies that the destination IP address replaces the original IP address in the packet traveling from inside to outside.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>filter>ip-filter>entry action)

[Tree] (config>filter>ipv6-filter>entry action)

[Tree] (config>filter>mac-filter>entry action)

Full Context

configure filter ip-filter entry action

configure filter ipv6-filter entry action

configure filter mac-filter entry action

Description

Commands in this context configure a primary (no option specified) or secondary (secondary option specified) action to be performed on packets matching this filter entry. An ACL filter entry remains inactive (is not programmed in hardware) until a specific action is configured for that entry.

A primary action supports any filter entry action, a secondary action is used for redundancy and defines a redundant Layer 3 PBR action for an Layer 3 PBR primary action or a redundant L2 PBF action for a Layer 2 PBF primary action.

The no form of this command removes the specific action configured in the context of the action command. The primary action cannot be removed if a secondary action exists.

Default

no action

Parameters

secondary

Specifies a secondary action to be performed on packets matching this filter entry. A secondary action can only be configured if a primary action is configured.

Platforms

All

Context

[Tree] (config>qos>sap-ingress>ip-criteria>entry action)

[Tree] (config>qos>sap-ingress>mac-criteria>entry action)

[Tree] (config>qos>sap-ingress>ipv6-criteria>entry action)

Full Context

configure qos sap-ingress ip-criteria entry action

configure qos sap-ingress mac-criteria entry action

configure qos sap-ingress ipv6-criteria entry action

Description

This mandatory command associates the forwarding class or enqueuing priority with specific IP, IPv6, or MAC criteria entry ID. The action command supports setting the forwarding class parameter to a subclass. Packets that meet all match criteria within the entry have their forwarding class and enqueuing priority overridden based on the parameters included in the action parameters. When the forwarding class is not specified in the action command syntax, a matching packet preserves (or inherits) the existing forwarding class derived from earlier matches in the classification hierarchy. When the enqueuing priority is not specified in the action, a matching packet preserves (or inherits) the existing enqueuing priority derived from earlier matches in the classification hierarchy.

When a policer is specified in the action, a matching packet is directed to the configured policer instead of the policer/queue assigned to the forwarding class of the packet.

The action command must be executed for the match criteria to be added to the active list of entries. If the entry is designed to prevent more explicit (higher entry ID) entries from matching certain packets, the fc fc-name and match protocol fields should not be defined when executing action. This allows packets matching the entry to preserve the forwarding class and enqueuing priority derived from previous classification rules.

Each time action is executed on a specific entry ID, the previously entered values for fc fc-name and priority are overridden with the newly defined parameters or inherit previous matches when a parameter is omitted.

The no form of this command removes the entry from the active entry list. Removing an entry on a policy immediately removes the entry from all SAPs using the policy. All previous parameters for the action is lost.

If no action is specified, the action specified by the default-fc command will be used.

Parameters

fc fc-name

The value given for fc fc-name must be one of the predefined forwarding classes in the system. Specifying the fc fc-name is required. When a packet matches the rule, the forwarding class is only overridden when the fc fc-name parameter is defined on the rule. If the packet matches and the forwarding class is not explicitly defined in the rule, the forwarding class is inherited based on previous rule matches.

The subclass-name parameter is optional and used with the fc-name parameter to define a pre-existing subclass. The fc-name and subclass-name parameters must be separated by a period (.). If subclass-name does not exist in the context of fc-name, an error will occur. If subclass-name is removed using the no fc fc-name.subclass-name force command, the default-fc command will automatically drop the subclass-name and only use fc-name (the parent forwarding class for the subclass) as the forwarding class.

Values

fc:	class[.subclass]
		class: be, l2, af, l1, h2, ef, h1, nc
		subclass: 29 characters max

Default

Inherit (When fc fc-name is not defined, the rule preserves the previous forwarding class of the packet.)

priority

The priority parameter overrides the default enqueuing priority for all packets received on a SAP using this policy that match this rule. Specifying the priority (high or low) is optional. When a packet matches the rule, the enqueuing priority is only overridden when the priority parameter is defined on the rule. If the packet matches and priority is not explicitly defined in the rule, the enqueuing priority is inherited based on previous rule matches.

Default

Inherit (When the priority (high or low) is not defined, the rule preserves the previous enqueuing priority of the packet)

high

The high parameter is used in conjunction with the priority parameter. Setting the priority enqueuing parameter to high for a packet increases the likelihood to enqueue the packet when the queue is congested. The enqueuing priority only affects ingress SAP queuing. When the packet is placed in a buffer on the queue, the significance of the enqueuing priority is lost.

low

The low parameter is used in conjunction with the priority parameter. Setting the priority enqueuing parameter to low for a packet decreases the likelihood to enqueue the packet when the queue is congested. The enqueuing priority only affects ingress SAP queuing. When the packet is placed in a buffer on the ingress queue, the significance of the enqueuing priority is lost.

Default

Inherit

policer-id

A valid policer-id must be specified. The parameter policer-id references a policer-id that has already been created within the sap-ingress QoS policy.

Values

1 to 63

Platforms

All

Context

[Tree] (config>qos>sap-egress>ipv6-criteria>entry action)

[Tree] (config>qos>sap-egress>ip-criteria>entry action)

Full Context

configure qos sap-egress ipv6-criteria entry action

configure qos sap-egress ip-criteria entry action

Description

This command defines the reclassification actions that should be performed on any packet matching the defined IP flow criteria within the entries match node. When defined under the ip-criteria context, the reclassification only applies to IPv4 packets. When defined under the ipv6-criteria context, the reclassification only applies to IPv6 packets.

If an egress packet on the SAP matches the specified IP flow entry, the forwarding class, or profile or egress queue accounting behavior may be overridden. By default, the forwarding class and profile of the packet is derived from ingress classification and profiling functions. Matching an IP flow reclassification entry will override all IP precedence- or DSCP-based reclassification rule actions when an explicit reclassification action is defined for the entry.

It is also possible to redirect the egress packet to a configured policer. The forwarding class or profile can also be optionally specified.

When an IP flow entry is first created, the entry will have no explicit behavior defined as the reclassification actions to be performed. In show and info commands, the entry will display no action as the specified reclassification action for the entry. When the entry is defined with no action, the entry will not be populated in the IP flow reclassification list used to evaluate packets egressing a SAP with the SAP egress policy defined. An IP flow reclassification entry is only added to the evaluation list when the action command for the entry is executed either with explicit reclassification entries or without any actions defined. Specifying action without any trailing reclassification actions allows packets matching the entry to exit the evaluation list without matching entries lower in the list. Executing no action on an entry removes the entry from the evaluation list and also removes any explicitly defined reclassification actions associated with the entry.

The fc keyword is optional. When specified, the egress classification rule will overwrite the forwarding class derived from ingress. The new forwarding class is used for egress remarking and queue mapping decisions.

The profile keyword is optional. When specified, the egress classification rule will overwrite the profile of the packet derived from ingress. The new profile value is used for egress remarking and queue congestion behavior.

The policer keyword is optional. When specified, the egress packet will be redirected to the configured policer. Optional parameters allow the user to control how the forwarded policed traffic exits the egress port. By default, the policed forwarded traffic will use a queue in the egress port’s policer-output-queue queue group; alternatively, a queue in an instance of a user-configured queue group can be used or a local SAP egress queue.

The no form of this command removes all reclassification actions from the IP flow reclassification entry and also removes the entry from the evaluation list. An entry removed from the evaluation list will not be matched to any packets egress a SAP associated with the SAP egress QoS policy.

Parameters

fc fc-name

The fc reclassification action is optional. When specified, packets matching the IP flow reclassification entry will be explicitly reclassified to the forwarding class specified as fc-name regardless of the ingress classification decision. The fc-name defined must be one of the eight forwarding classes supported by the system. To remove the forwarding class reclassification action for the IP flow entry, the action command must be re-executed without the fc reclassification action defined.

Values

fc	class
	class	be, l2, af, l1, h2, ef, h1, nc

profile {in | out | exceed | inplus}

The profile reclassification action is optional. When specified, packets matching the IP flow reclassification entry will be explicitly reclassified to the configured profile regardless of the ingress profiling decision. To remove the profile reclassification action for the IP flow reclassification entry, the action command must be re-executed without the profile reclassification action defined.

in

The in parameter is mutually exclusive to the exceed, inplus, and out parameters following the profile reclassification action keyword. In, exceed, inplus, or out must be specified when the profile keyword is present. When in is specified, any packets matching the reclassification rule will be treated as in-profile by the egress forwarding plane.

out

The out parameter is mutually exclusive to the exceed, inplus, and in parameters following the profile reclassification action keyword. In, exceed, inplus, or out must be specified when the profile keyword is present. When out is specified, any packets matching the reclassification rule will be treated as out-of-profile by the egress forwarding plane.

exceed

The exceed parameter is mutually exclusive to the out, inplus, and in parameters following the profile reclassification action keyword. In, exceed, inplus, or out must be specified when the profile keyword is present. When exceed is specified, any packets matching the reclassification rule will be treated as exceed-profile by the egress forwarding plane.

inplus

The inplus parameter is mutually exclusive to the out, exceed, and in parameters following the profile reclassification action keyword. In, exceed, inplus, or out must be specified when the profile keyword is present. When inplus is specified, any packets matching the reclassification rule will be treated as inplus-profile by the egress forwarding plane.

policer policer-id

When the action policer command is executed, a valid policer ID must be specified. The parameter policer ID references a policer ID that has already been created within the SAP egress QoS policy.

Values

1 to 63

port-redirect-group-queue queue queue-id

Used to override the forwarding class default egress queue destination to an egress port queue group. The specific egress queue group instance to use is specified at the time the QoS policy is applied to the SAP. Therefore, this parameter is only valid if SAP-based redirection is required. The queue parameter overrides the policer’s default egress queue destination to a specified queue-id in the egress port queue group instance.

Values

1 to 8

queue queue-id

This parameter overrides the policer’s default egress queue destination to a specified local SAP queue of that queue-id. A queue of ID queue-id must exist within the egress QoS policy.

Values

1 to 8

use-fc-mapped-queue

This parameter overrides the policer’s default egress queue destination to the queue mapped by the traffic’s forwarding class.

Platforms

All

Context

[Tree] (config>qos>network>egress>ipv6-criteria>entry action)

[Tree] (config>qos>network>egress>ip-criteria>entry action)

Full Context

configure qos network egress ipv6-criteria entry action

configure qos network egress ip-criteria entry action

Description

This command defines the reclassification actions that are performed on any packet matching the defined IP flow criteria within the entry’s matched node. When defined under the ip-criteria context, the reclassification only applies to IPv4 packets. When defined under the ipv6-criteria context, the reclassification only applies to IPv6 packets.

If an egress packet matches the specified IP flow entry, the forwarding class and profile may be overridden. By default, the forwarding class and profile of the packet are derived from ingress classification and profiling functions. Matching an IP flow reclassification entry will override all IP precedence-based or DSCP-based reclassification rule actions when an explicit reclassification action is defined for the entry.

When an IP flow entry is first created, the entry will have no explicit behavior defined as the reclassification actions to be performed. When the entry is defined with no action, the entry will not be populated in the IP flow reclassification list used to evaluate egress packets. An IP flow reclassification entry is only added to the evaluation list when the action command for the entry is executed.

The fc and profile keywords are optional. When specified, the egress classification rule will overwrite the forwarding class and profile derived from ingress. The new forwarding class and profile are used for egress remarking, queue mapping decisions, and queue congestion behavior.

The port-redirect-group keyword is optional. When specified, the egress packet will be redirected to the configured queue or policer in the specified egress network queue group. By default, the policed forwarded traffic will use the regular network queue to which the packet's forwarding class is mapped. Alternatively, a queue in the network egress queue group instance can be used for post-policed traffic by specifying a queue after the policer parameter. The port-redirect-group keyword requires that the network egress queue group instance is specified when this network QoS policy is applied to a network interface. The port-redirect-group is not supported on a 7750 SR-a4/a8.

The no form of this command removes all reclassification actions from the IP flow reclassification entry and also removes the entry from the evaluation list. An entry removed from the evaluation list will not be matched to any egress packets.

Default

no action

Parameters

fc fc-name

The fc reclassification action is optional. When specified, packets matching the IP flow reclassification entry will be explicitly reclassified to the forwarding class specified as fc-name regardless of the ingress classification decision. The fc-name defined must be one of the eight forwarding classes supported by the system. The profile reclassification action is mandatory when an fc is specified. To remove the forwarding class reclassification action for the IP flow entry, the action command must be re-executed without the fc reclassification action defined.

Values

be, l2, af, l1, h2, ef, h1, nc

profile {in | out | exceed | inplus}

The profile reclassification action is mandatory when an fc is specified, otherwise it is optional. When specified, packets matching the IP flow reclassification entry will be explicitly reclassified to the configured profile regardless of the ingress profiling decision. In, exceed, inplus, or out must be specified when the profile keyword is present. To remove the profile reclassification action for the IP flow reclassification entry, the action command must be re-executed without the profile reclassification action defined.

in

When specified, any packets matching the reclassification rule will be treated as in-profile by the egress forwarding plane.

out

When specified, any packets matching the reclassification rule will be treated as out-of-profile by the egress forwarding plane.

exceed

When specified, any packets matching the reclassification rule will be treated as exceed-profile by the egress forwarding plane.

inplus

When specified, any packets matching the reclassification rule will be treated as inplus-profile by the egress forwarding plane.

queue queue-id

Used to override the forwarding class default egress queue destination to the specified network egress queue group instance queue. The specific egress queue group instance to use is specified at the time the QoS policy is applied to the network interface.

Values

1 to 8

policer policer-id

Specifies a valid policer ID that has already been created within the network egress queue group instance.

Values

1 to 16

queue queue-id

The queue following the configured policer overrides the default policed traffic egress queue destination to a specified queue in the network egress queue group instance.

Values

1 to 8

Platforms

All

Context

[Tree] (config>qos>network>ingress>ip-criteria>entry action)

[Tree] (config>qos>network>ingress>ipv6-criteria>entry action)

Full Context

configure qos network ingress ip-criteria entry action

configure qos network ingress ipv6-criteria entry action

Description

This command defines the reclassification actions that are performed on any packet matching the defined IP flow criteria within the entry’s matched node. When defined under the ip-criteria context, the reclassification only applies to IPv4 packets. When defined under the ipv6-criteria context, the reclassification only applies to IPv6 packets.

If an ingress packet matches the specified IP flow entry, the forwarding class and profile may be overridden. By default, the forwarding class and profile of the packet are derived from ingress classification and profiling functions. Matching an IP flow reclassification entry will override all non-criteria reclassification rule actions when an explicit reclassification action is defined for the entry.

When an IP flow entry is first created, the entry will have no explicit behavior defined as the reclassification actions to be performed. When the entry is defined with no action, the entry will not be populated in the IP flow reclassification list used to evaluate ingress packets. An IP flow reclassification entry is only added to the evaluation list when the action command for the entry is executed.

The no form of this command removes all reclassification actions from the IP flow reclassification entry and also removes the entry from the evaluation list. An entry removed from the evaluation list will not be matched to any ingress packets.

Default

no action

Parameters

fc fc-name

The fc reclassification action is optional. When specified, packets matching the IP flow reclassification entry will be explicitly reclassified to the forwarding class specified as fc-name regardless of the ingress classification decision. The fc-name defined must be one of the eight forwarding classes supported by the system. The profile reclassification action is mandatory when an fc is specified. To remove the forwarding class reclassification action for the IP flow entry, the action command must be re-executed without the fc reclassification action defined.

Values

be, l2, af, l1, h2, ef, h1, nc

profile {in | out}

The profile reclassification action is mandatory. Packets matching the IP flow reclassification entry will be explicitly reclassified to the configured profile regardless of other ingress profiling decisions. In or out must be specified when the profile keyword is present. To remove the profile reclassification action for the IP flow reclassification entry, the action command must be re-executed without the profile reclassification action defined.

in

When specified, any packets matching the reclassification rule will be treated as in-profile by the ingress forwarding plane.

out

When specified, any packets matching the reclassification rule will be treated as out-of-profile by the ingress forwarding plane.

Platforms

All

Context

[Tree] (config>router>if>dhcp>option action)

Full Context

configure router interface dhcp option action

Description

This command configures the processing required when the 7450 ESS, 7750 SR, 7950 XRS, and VSR router receives a DHCP request that already has a Relay Agent Information Option (Option 82) field in the packet.

The no form of this command returns the system to the default value.

Default

Per RFC 3046, DHCP Relay Agent Information Option, section 2.1.1, Reforwarded DHCP requests, the default is to keep the existing information intact. The exception to this is if the GI address of the received packet is the same as the ingress address on the router. In that case the packet is dropped and an error is logged.

Parameters

replace

In the upstream direction (from the user), the existing Option 82 field is replaced with the Option 82 field from the router. In the downstream direction (toward the user) the Option 82 field is stripped (in accordance with RFC 3046).

drop

The packet is dropped, and an error is logged.

keep

The existing information is kept in the packet and the router does not add any additional information. In the downstream direction the Option 82 field is not stripped and is sent on toward the client.

The behavior is slightly different in case of Vendor Specific Options (VSOs). When the keep parameter is specified, the router will insert his own VSO into the Option 82 field. This will only be done when the incoming message has already an Option 82 field.

If no Option 82 field is present, the router will not create the Option 82 field. In this in that case, no VSO will be added to the message.

Platforms

All

Context

[Tree] (config>serv>mrp>mrp-policy>entry action)

Full Context

configure service mrp mrp-policy entry action

Description

This command specifies the action to be applied to the MMRP attributes (Group B-MACs) whose ISIDs match the specified ISID criteria in the related entry.

The action keyword must be entered for the entry to be active. Any filter entry without the action keyword will be considered incomplete and will be inactive. If neither keyword is specified (no action is used), this is considered a No-Op policy entry used to explicitly set an entry inactive without modifying match criteria or removing the entry itself. Multiple action statements entered will overwrite previous actions parameters when defined. To remove a parameter, use the no form of the action command with the specified parameter.

The no form of the command removes the specified action statement. The entry is considered incomplete and hence rendered inactive without the action keyword.

Default

no action

Parameters

action

Specifies the action for the MRP policy entry.

block

Specifies that the matching MMRP attributes will not be declared or registered on this SAP or SDP.

allow

Specifies that the matching MMRP attributes will be declared and registered on this SAP or SDP.

end-station

Specifies that an end-station emulation is present on this SAP or SDP for the MMRP attributes related with matching ISIDs. Equivalent action with the block keyword on that SAP or SDP. The attributes associated with the matching ISIDs are not declared or registered on the SAP or SDP. The matching attributes on the other hand are mapped as static MMRP entries on the SAP or SDP which implicitly instantiates in the data plane as a MFIB entry associated with that SAP or SDP for the related Group B-MAC. For the other SAPs/SDPs in the BVPLS with MRP enabled (no shutdown). This means that the permanent declaration of the matching attributes, as in the case when the IVPLS instances associated with these ISIDs were locally configured.

If an MRP policy has end-station action in one entry, the only default action allowed in the policy is block. Also no other actions are allowed to be configured in other entry configured under the policy.

This policy will apply even if the MRP is shutdown on the local SAP or SDP or for the whole BVPLS to allow for manual creation of MMRP entries in the data plane. Specifically the following rules apply:

• If service vpls mrp shutdown is executed, and the MMRP on all SAP or SDPs is shutdown, then MRP PDUs pass-through transparently.

• If service vpls mrp no shutdown, and the endstation statement (even with no ISID values in the related match statement) is used in an MRP policy applied to SAP or SDP, then no declaration is sent on SAP or SDP. The provisioned ISIDs in the match statement are registered on that SAP or SDP and are propagated on all the other MRP enabled endpoints.

Platforms

All

Context

[Tree] (config>system>security>mgmt-access-filter>mac-filter>entry action)

[Tree] (config>system>security>mgmt-access-filter>ip-filter>entry action)

[Tree] (config>system>security>mgmt-access-filter>ipv6-filter>entry action)

Full Context

configure system security management-access-filter mac-filter entry action

configure system security management-access-filter ip-filter entry action

configure system security management-access-filter ipv6-filter entry action

Description

This command creates the action associated with the management access filter match criteria entry.

The action keyword is required. If no action is defined, the filter is ignored. If multiple action statements are configured, the last one overwrites previous configured actions.

If the packet does not meet any of the match criteria the configured default action is applied.

Parameters

permit

Specifies that packets matching the configured criteria will be permitted.

deny

Specifies that packets matching the configured selection criteria will be denied and that a ICMP host unreachable message will not be issued.

deny-host-unreachable

Specifies that packets matching the configured selection criteria will be denied and that a host unreachable message will not be issued.

The deny-host-unreachable parameter only applies to ip-filter and ipv6-filter.

Platforms

All

Context

[Tree] (config>sys>security>cpm-filter>mac-filter>entry action)

[Tree] (config>sys>security>cpm-filter>ip-filter>entry action)

[Tree] (config>sys>security>cpm-filter>ipv6-filter>entry action)

Full Context

configure system security cpm-filter mac-filter entry action

configure system security cpm-filter ip-filter entry action

configure system security cpm-filter ipv6-filter entry action

Description

This command specifies the action to take for packets that match this filter entry.

Default

action drop

Parameters

accept

Specifies packets matching the entry criteria will be forwarded.

drop

Specifies packets matching the entry criteria will be dropped.

queue queue-id

Specifies packets matching the entry criteria will be forward to the specified CPM hardware queue.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

Context

[Tree] (config>system>security>profile>entry action)

Full Context

configure system security profile entry action

Description

This command configures the action associated with the profile entry.

Parameters

deny

Specifies that commands matching the entry command match criteria are to be denied.

permit

Specifies that commands matching the entry command match criteria is permitted.

read-only

Specifies the commands matching the entry command match criteria is available with read-only access.

Platforms

All

Context

[Tree] (config>log>event-handling>handler action-list)

Full Context

configure log event-handling handler action-list

Description

Commands in this context configure the EHS handler action list.

Platforms

All

Context

[Tree] (config>python>py-script action-on-fail)

Full Context

configure python python-script action-on-fail

Description

This command specifies the action taken when Python fails to modify the given message.

The no form of this command reverts to the default.

Default

action-on-fail drop

Parameters

drop

Specifies that the packet will be dropped.

passthrough

Specifies that the packet that is sent out without any modifications.

Platforms

All

Context

[Tree] (config>aaa>radius-scr-plcy action-on-fail)

Full Context

configure aaa radius-script-policy action-on-fail

Description

specifies the action taken when Python fails to modify the RADIUS message.

The no form of this command reverts to the default.

Default

action-on-fail drop

Parameters

drop

Specifies that the packet will be dropped.

passthrough

Specifies that the packet will be sent out without any modifications.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (admin>system>license activate)

Full Context

admin system license activate

Description

This command performs an activation on the license file pointed to by the command line argument. The file is first validated as described in the admin>system>license>validate command and upon success, replaces the existing license attributes in the system with the information in the new license file.

The license attributes that are active on a system can be viewed with the show>licensing>entitlements command.

Parameters

file-url

Specifies the file URL location to read the license file.

Values

local-url, remote-url

Note:

IPv6 addresses apply only to 7750 SR and 7950 XRS.

now

If the now keyword is not present, the operator is prompted to confirm the activation. With the now keyword the license file is activated without the additional prompt.

Platforms

All

Context

[Tree] (admin>system>security>secure-boot activate)

Full Context

admin system security secure-boot activate

Description

This command activates Secure Boot to enforce digital signature verification of the software on every boot.

Once Secure Boot is activated on a CPM, the capability is permanently enabled and cannot be disabled.

Parameters

cpm-slot

Specifies the CPM slot.

Values

A,B

cpm-serial-number

Specifies the CPM serial number, up to 256 characters.

code

Specifies the secure boot confirmation code, up to 32 characters.

Platforms

7750 SR-1, 7750 SR-s, 7950 XRS-20e

Context

[Tree] (config>service>vpls>sap>ingress>criteria-overrides>ipv6-criteria activate-entry-tag)

[Tree] (config>service>epipe>sap>ingress>criteria-overrides>ipv6-criteria activate-entry-tag)

[Tree] (config>service>cpipe>sap>ingress>criteria-overrides>ip-criteria activate-entry-tag)

[Tree] (config>service>vprn>if>sap>ingress>criteria-overrides>ip-criteria activate-entry-tag)

[Tree] (config>service>epipe>sap>ingress>criteria-overrides>ip-criteria activate-entry-tag)

[Tree] (config>service>ies>if>sap>ingress>criteria-overrides>ip-criteria activate-entry-tag)

[Tree] (config>service>ies>if>sap>ingress>criteria-overrides>ipv6-criteria activate-entry-tag)

[Tree] (config>service>cpipe>sap>ingress>criteria-overrides>ipv6-criteria activate-entry-tag)

[Tree] (config>service>ipipe>sap>ingress>criteria-overrides>ip-criteria activate-entry-tag)

[Tree] (config>service>ipipe>sap>ingress>criteria-overrides>ipv6-criteria activate-entry-tag)

[Tree] (config>service>vpls>sap>ingress>criteria-overrides>ip-criteria activate-entry-tag)

[Tree] (config>service>vprn>if>sap>ingress>criteria-overrides>ipv6-criteria activate-entry-tag)

Full Context

configure service vpls sap ingress criteria-overrides ipv6-criteria activate-entry-tag

configure service epipe sap ingress criteria-overrides ipv6-criteria activate-entry-tag

configure service cpipe sap ingress criteria-overrides ip-criteria activate-entry-tag

configure service vprn interface sap ingress criteria-overrides ip-criteria activate-entry-tag

configure service epipe sap ingress criteria-overrides ip-criteria activate-entry-tag

configure service ies interface sap ingress criteria-overrides ip-criteria activate-entry-tag

configure service ies interface sap ingress criteria-overrides ipv6-criteria activate-entry-tag

configure service cpipe sap ingress criteria-overrides ipv6-criteria activate-entry-tag

configure service ipipe sap ingress criteria-overrides ip-criteria activate-entry-tag

configure service ipipe sap ingress criteria-overrides ipv6-criteria activate-entry-tag

configure service vpls sap ingress criteria-overrides ip-criteria activate-entry-tag

configure service vprn interface sap ingress criteria-overrides ipv6-criteria activate-entry-tag

Description

This command activates the entry tag.

The no form of this command removes any existing entry tags from the SAP.

Parameters

activate-entry-tag

Specifies the tag identifier value for activation.

Values

1 to 255

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

Context

[Tree] (config>service>vprn>if active-cpm-protocols)

Full Context

configure service vprn interface active-cpm-protocols

Description

This command enables CPM protocols on this interface.

Platforms

All

Context

[Tree] (config>cflowd active-flow-timeout)

Full Context

configure cflowd active-flow-timeout

Description

This command configures the maximum amount of time before an active flow is aged out of the active cache. If an individual flow is active for the specified amount of time, the flow is aged out and a new flow is created on the next packet sampled for that flow.

Existing flows do not inherit the new active-flow-timeout value if this parameter is changed while cflowd is active. The active-flow-timeout value for a flow is set when the flow is first created in the active cache table and does not change dynamically.

The no form of this command resets the timeout back to the default value.

Default

active-flow-timeout 1800

Parameters

seconds

Specifies the value, in seconds, before an active flow is exported.

Values

30 to 36000

Platforms

All

Context

[Tree] (config>service>ipipe>endpoint active-hold-delay)

[Tree] (config>service>epipe>endpoint active-hold-delay)

[Tree] (config>service>cpipe>endpoint active-hold-delay)

Full Context

configure service ipipe endpoint active-hold-delay

configure service epipe endpoint active-hold-delay

configure service cpipe endpoint active-hold-delay

Description

This command specifies that the node will delay sending the change in the T-LDP status bits for the VLL endpoint when the MC-LAG transitions the LAG subgroup which hosts the SAP for this VLL endpoint from active to standby or when any object in the endpoint. For example, SAP, ICB, or regular spoke SDP, transitions from up to down operational state.

By default, when the MC-LAG transitioned the LAG subgroup which hosts the SAP for this VLL endpoint from active to standby, the node sends immediately new T-LDP status bits indicating the new value of "standby” over the spoke SDPs which are on the mate-endpoint of the VLL. The same applies when any object in the endpoint changes an operational state from up to down.

There is no delay applied to the VLL endpoint status bit advertisement when the MC-LAG transitions the LAG subgroup which hosts the SAP from standby to active or when any object in the endpoint transitions to an operationally up state.

Default

active-hold-delay 0

Parameters

active-hold-delay

Specifies the active hold delay in 100s of milliseconds.

A value of zero means that when the MC-LAG transitioned the LAG subgroup which hosts the SAP for this VLL endpoint from active to standby, the node sends immediately new T-LDP status bits indicating the new value of standby over the spoke SDPs which are on the mate-endpoint of the VLL. The same applies when any object in the endpoint changes an operational state from up to down.

Values

0 to 60

Platforms

All

• configure service epipe endpoint active-hold-delay
• configure service ipipe endpoint active-hold-delay

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

• configure service cpipe endpoint active-hold-delay

Context

[Tree] (config>router>p2mp-sr-tree>p2mp-policy>candidate-path active-instance)

Full Context

configure router p2mp-sr-tree p2mp-policy candidate-path active-instance

Description

This command configures the active instance of a P2MP candidate path for the P2MP SR tree as a primary or a secondary instance. Before configuring the active instance ID, the candidate path instance must be configured using the configure router p2mp-sr-tree p2mp-policy candidate-path path-instances index instance command.

The no form of this command removes the active instance.

Default

no active-instance

Parameters

instance-id

Specifies the active instance as primary (1) or secondary (2).

Values

1, 2

Platforms

All

Context

[Tree] (config>isa>wlan-gw-group active-iom-limit)

Full Context

configure isa wlan-gw-group active-iom-limit

Description

This command specifies the number of WLAN-GW IOMs used as active IOMs from the total number of configured WLAN-GW IOMs. If there are more configured IOM than active-iom-limit, then the remaining number of IOMs is designated as backup(s).

The no form of this command removes the number from the configuration.

Parameters

number

Specifies the number of IOMs in this WLAN Gateway ISA group that are intended for active use.

Values

1 to 3

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>service>vprn>sub-if>grp-if>wlan-gw>ranges>range>dhcp active-lease-time)

[Tree] (config>service>ies>sub-if>grp-if>wlan-gw>ranges>range>dhcp active-lease-time)

Full Context

configure service vprn subscriber-interface group-interface wlan-gw vlan-tag-ranges range dhcp active-lease-time

configure service ies subscriber-interface group-interface wlan-gw vlan-tag-ranges range dhcp active-lease-time

Description

This command configures the lease time for an authenticated user.

Default

active-lease-time min 10

Parameters

hours

Specifies the number of active lease time hours.

Values

1 to 1

minutes

Specifies the number of active lease time minutes.

Values

5 to 59

seconds

Specifies the number of active lease time seconds.

Values

1 to 59

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

Context

[Tree] (config>isa>wlan-gw-group active-mda-limit)

Full Context

configure isa wlan-gw-group active-mda-limit

Description

This command specifies how many ISAs may be in active use by the WLAN-GW group at the same time. If the maximum number of active ISAs is reached and more ISAs are added to the group, the new ISAs are considered to be in standby mode.

The no form of this command removes the limit on the maximum number of active ISAs.

Parameters

number

Specifies the number of WLAN-GW ISAs intended for active use.

Values

1 to 14

Platforms

7750 SR, 7750 SR-e, 7750 SR-s

Context

[Tree] (config>isa>nat-group active-mda-limit)

Full Context

configure isa nat-group active-mda-limit

Description

This command configures the number of active ESA-VM or ISA members in a NAT group.

The system automatically selects which ESA-VMs or ISAs are active. In active/standby (A/S) redundancy mode, the correlation between ESA-VM or ISA members is direct, meaning each ESA-VM or ISA equates to one member. In active/active (A/A) redundancy mode, an individual ESA-VM or ISA may be associated with multiple members.

For A/S redundancy, any surplus ESA-VMs or ISAs beyond the configured active threshold automatically transition to standby. These standby units remain idle until an active unit fails, at which point a standby unit takes over, handling traffic from only one failed active unit. This setup allows for the configuration of multiple standby units to provide resilience against several concurrent failures.

In A/A redundancy, the combination of this command and the failed-mda-limit command guides the distribution of resources among ESA-VMs or ISAs, essentially defining how the members are structured.

In both A/S and A/A modes, the system strives to maintain the configured number of active members as outlined by the active MDA limit, drawing from the pool of available spare resources to compensate for any failures. If the actual number of active members drops below this limit because of a lack of available spares, the NAT group status changes to degraded. In this state, traffic intended for the missing ESA-VM or ISA members (up to the active MDA limit) is blackholed. In Layer 2-aware NAT this condition can be circumvented where traffic can bypass NAT altogether and be directly routed within the internal network that may have an alternate path to a backup NAT system. For additional details, see "L2-Aware bypass" in the 7450 ESS, 7750 SR, and VSR Multiservice Integrated Service Adapter and Extended Services Appliance Guide.

The no form of this command removes the active MDA limit configuration.

Default

no active-mda-limit

Parameters

number

Specifies the active MDA limit.

Values

1 to 28

Platforms