a Commands – Part III

app-profile-map

app-profile-map

Syntax

app-profile-map

Context

[Tree] (config>subscr-mgmt>sub-ident-pol app-profile-map)

Full Context

configure subscriber-mgmt sub-ident-policy app-profile-map

Description

Commands in this context configure an application profile mapping.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

app-profile-string

app-profile-string

Syntax

app-profile-string app-profile-string

no app-profile-string

Context

[Tree] (config>subscr-mgmt>loc-user-db>ppp>host>ident-strings app-profile-string)

[Tree] (config>subscr-mgmt>loc-user-db>ipoe>host>ident-strings app-profile-string)

Full Context

configure subscriber-mgmt local-user-db ppp host identification-strings app-profile-string

configure subscriber-mgmt local-user-db ipoe host identification-strings app-profile-string

Description

This command specifies the application profile string which is encoded in the identification strings.

The no form of this command returns to the default.

Parameters

app-profile-string

Specifies the application profile string, up to 16 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

app-qos-policy

app-qos-policy

Syntax

app-qos-policy

Context

[Tree] (config>app-assure>group>policy app-qos-policy)

Full Context

configure application-assurance group policy app-qos-policy

Description

Commands in this context configure an application QoS policy.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

app-route-notifications

app-route-notifications

Syntax

app-route-notifications

Context

[Tree] (config>log app-route-notifications)

Full Context

configure log app-route-notifications

Description

Specific system applications in SR OS can take action based on a route to certain IP destinations being available. This CLI branch contains configuration related to these route availability notifications. A delay can be configured between the time that a route is determined as available in the CPM, and the time that the application is notified of the available route. For example, this delay may be used to increase the chances that other system modules (such as IOMs/XCMs/MDAs/XMAs) are fully programmed with the new route before the application takes action. Currently, the only application that acts upon these route available or route changed notifications with their configurable delays is the SNMP replay feature, which receives notifications of route availability to the SNMP trap receiver destination IP address.

Platforms

All

app-service-options

app-service-options

Syntax

app-service-options

Context

[Tree] (config>app-assure>group>policy app-service-options)

Full Context

configure application-assurance group policy app-service-options

Description

Commands in this context configure application service option characteristics.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

app-service-options

Syntax

[no] app-service-options

Context

[Tree] (config>log>acct-policy>cr>aa>aa-sub-attributes app-service-options)

Full Context

configure log accounting-policy custom-record aa-specific aa-sub-attributes app-service-options

Description

This command enables the subscriber application service option attributes to be exported in the AA subscriber's custom record.

The no form of this command excludes the subscriber application service option attributes from the AA subscriber's custom record.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

applicant-sm

applicant-sm

Syntax

[no] applicant-sm

Context

[Tree] (debug>service>id>mrp applicant-sm)

Full Context

debug service id mrp applicant-sm

Description

This command enables debugging of the applicant state machine.

The no form of this command disables debugging of the applicant state machine.

Platforms

All

application

application

Syntax

application {gx | gy | nasreq}

no application

Context

[Tree] (config>subscr-mgmt>diam-appl-plcy application)

Full Context

configure subscriber-mgmt diameter-application-policy application

Description

This command specifies the Diameter application for which this policy contains the configuration details, such as AVPs to include and their format.

Applications are mutually exclusive.

The no form of this command reverts to the default.

Parameters

gx

Specifies that Gx is the supported application of this DIAMETER policy.

gy

Specifies that Gy is the supported application of this DIAMETER policy.

nasreq

Specifies that NASREQ is the supported application of this DIAMETER policy.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

application

Syntax

application

Context

[Tree] (debug>diam application)

Full Context

debug diameter application

Description

This command debugs application processing for the Diameter node. This level is session aware (the session state is maintained at this level). Connection level messages are not reported on this level.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

application

Syntax

application dscp-app-name dscp {dscp-value | dscp-name}

application dot1p-app-name dot1p dot1p-priority

no application {dscp-app-name | dot1p-app-name}

Context

[Tree] (config>router>sgt-qos application)

[Tree] (config>service>vprn>sgt-qos application)

Full Context

configure router sgt-qos application

configure service vprn sgt-qos application

Description

This command configures DSCP/dot1p remarking for self-generated application traffic. When an application is configured using this command, the specified DSCP name is used for all packets generated by this application within the router instance in which it is configured. The instances can be base router, vprn, or management.

Using the value configured in this command:

  • sets the DSCP bits in the IP packet

  • maps to the FC. This value will be signaled from the CPM to the egress forwarding complex.

  • based on this signaled FC, the egress forwarding complex QoS policy sets the Ethernet 802.1p and MPLS EXP bits. This includes ARP, PPPoE, and IS-IS packets that do not carry DSCP bits.

  • configures the DSCP value in the egress IP header. The egress QoS policy does not overwrite this value.

Only one DSCP name can be configured per application; if multiple entries are configured, the subsequent entry overrides the previously configured entry.

The no form of this command reverts back to the default value.

Parameters

dscp-app-name

Specifies the DSCP application name.

Values

Some of the following values may only apply to specific products. Refer to the SR OS R24.x.Rx Software Release Notes for details about application support for different SR OS products:

bfd, bgp, bmp, call-trace, cflowd, dhcp, diameter, dns, ftp, grpc, gtp, http, icmp, igmp, igmp-reporter, l2tp, ldp, mld, mpls-udp-return, msdp, mtrace2, ndis, ntp, ospf, pcep, pim, ptp, radius, rip, rsvp, sflow, snmp, snmp-notification, srrp, ssh, syslog, tacplus, telnet, tftp, traceroute, vrrp

dscp-value

Specifies a value when this packet egresses; the respective egress policy should provide the mapping for the DSCP value to either LSP-EXP bits or IEEE 802.1p (dot1p) bits as appropriate. Otherwise, the default mapping applies.

Values

0 to 63

dscp-name

Specifies the DSCP name.

Values

none, be, ef, cp1, cp2, cp3, cp4, cp5, cp6, cp7, cp9, cs1, cs2, cs3, cs4, cs5, nc1, nc2, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cp11, cp13, cp15, cp17, cp19, cp21, cp23, cp25, cp27, cp29, cp31, cp33, cp35, cp37, cp39, cp41, cp42, cp43, cp44, cp45, cp47, cp49, cp50, cp51, cp52, cp53, cp54, cp55, cp57, cp58, cp59, cp60, cp61, cp62, cp63

dot1p-priority

Specifies the dot1p priority.

Values

none, 0 to 7

dot1p-app-name

Specifies the dot1p application name.

Values

Some of the following values may only apply to specific products. Refer to the SR OS R24.x.Rx Software Release Notes for details about application support for different SR OS products:

arp, isis, pppoe

Platforms

All

application

Syntax

application app [ip-int-name | ip-address]

no application app

Context

[Tree] (config>service>vprn>source-address application)

Full Context

configure service vprn source-address application

Description

This command specifies the source address and application name.

The no form of this command removes the interface name or IP address from the command.

Parameters

app

Specifies the application name.

Values

cflowd, ntp, ping, ptp, snmptrap, ssh, telnet, traceroute, icmp-error

ip-int-name

Specifies the name of the IP interface, up to 32 characters. If the string contains special characters (#, ?, space), the entire string must be enclosed between double quotes.

ip-address

Specifies the source IP address.

Values

ipv4-address:

a.b.c.d

Platforms

All

application

Syntax

application {eq | neq} application-id

no application

Context

[Tree] (config>service>vprn>log>filter>entry>match application)

Full Context

configure service vprn log filter entry match application

Description

This command adds an OS application as an event filter match criterion.

An OS application is the software entity that reports the event. Applications include IP, MPLS, OSPF, CLI, SERVICES and so on. Only one application can be specified. The latest application command overwrites the previous command.

The no form of this command removes the application as a match criterion.

Default

no application — no application match criterion is specified

Parameters

eq | neq

The operator specifying the type of match.

Values

eq

equal to

neq

not equal to

application-id

The application name string.

Values

port, ppp, rip, route, policy, rsvp, security, snmp, stp, svcmgr, system, user, vrrp, vrtr

Platforms

All

application

Syntax

application application-name [rate]

no application application-name

Context

[Tree] (config>app-assure>group>cflowd>tcp-perf application)

[Tree] (config>app-assure>group>cflowd>comp application)

Full Context

configure application-assurance group cflowd tcp-performance application

configure application-assurance group cflowd comprehensive application

Description

This command configures applications to export performance records with cflowd.

The no form of this command removes the parameters from the configuration.

Parameters

application-name

Specifies the name defined for the application.

rate

Specifies which sampling flow rate to use; flow-rate or flow-rate2.

Values

flow-rate, flow-rate2

Default

flow-rate

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

application

Syntax

application application-name [create]

no application application-name

Context

[Tree] (config>app-assure>group>policy application)

Full Context

configure application-assurance group policy application

Description

This command creates an application of an application assurance policy.

The no form of this command deletes the application. To delete an application, all associations to the application must be removed.

Parameters

application-name

Specifies a string of up to 32 characters uniquely identifying this application in the system.

create

Mandatory keyword used when creating an application. The create keyword requirement can be enabled/disabled in the environment>create context.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

application

Syntax

application application-name

Context

[Tree] (config>app-assure>group>policy>app-filter>entry application)

Full Context

configure application-assurance group policy app-filter entry application

Description

This command assigns this application filter entry to an existing application. Assigning the entry to Unknown application restores the default configuration.

Parameters

application-name

Specifies an existing application name.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

application

Syntax

application {eq | neq} application-name

no application

Context

[Tree] (config>app-assure>group>policy>charging-filter>entry>match application)

[Tree] (config>app-assure>group>policy>aqp>entry>match application)

Full Context

configure application-assurance group policy charging-filter entry match application

configure application-assurance group policy app-qos-policy entry match application

Description

This command adds an application to match criteria used by this entry.

The no form of this command removes the application from match criteria for this entry.

Default

no application

Parameters

eq

Specifies that the value configured and the value in the flow must be equal.

neq

Specifies that the value configured and the value in the flow must differ.

application-name

Specifies the name of an existing application, up to 32 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

application

Syntax

application application-name export-using export-method [export-method...(up to 2 max)]

application application-name no-export

no application application-name

Context

[Tree] (config>app-assure>group>statistics>aa-sub application)

Full Context

configure application-assurance group statistics aa-sub application

Description

This command configures aa-sub accounting statistics for export of applications of a given AA ISA group/partition.

The no form of this command removes the application name.

Parameters

application-name

Specifies an existing application name, up to 32 characters.

export-method

Specifies the method of statistics export to be used.

Values

accounting-policy, radius-accounting-policy

no-export

Allows the operator to enable the referred application group to be selected (via Diameter) for Gx-usage monitoring. Gx usage monitoring is enabled automatically (and this command is not shown) if the export-using parameter is selected for the respective application group.

Usage monitoring must be enabled at the group:partition level (config>app-assure>group>statistics>aa-sub>usage-monitoring) as well in order to allow any application/application group/charging group usage monitoring.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

application

Syntax

application {eq | neq} application-name

no application

Context

[Tree] (debug>app-assure>group>traffic-capture>match application)

Full Context

debug application-assurance group traffic-capture match application

Description

This command configures debugging on an application.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

application

Syntax

[no] application application-name

Context

[Tree] (debug>app-assure>group>port-recorder application)

Full Context

debug application-assurance group port-recorder application

Description

This command specifies the applications used as input by the port-recorder. Applications responsible for unknown or unidentified traffic are meant to be used by this tool.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

Output

The following output is an example of a configuration that records TCP and UDP port numbers for the application "Unidentified TCP".

Output Example
7750# show debug 
debug
    application-assurance
        group 1:1
            port-recorder
                application "Unidentified TCP"
                rate 100
                no shutdown
            exit
        exit
    exit
exit

application

Syntax

application {eq | neq} application-id

no application

Context

[Tree] (config>log>filter>entry>match application)

Full Context

configure log filter entry match application

Description

This command adds an OS application as an event filter match criterion.

An OS application is the software entity that reports the event. Applications include IP, MPLS, OSPF, CLI, SERVICES and so on. Only one application can be specified. The latest application command overwrites the previous command.

The no form of this command removes the application as a match criterion.

Parameters

eq | neq

Specifies the operator match type. Valid operators are listed in Valid Operators.

Table 1. Valid Operators

Operator    Notes

eq          equal to

neq         not equal to

application-id

The application name string.

Values

application_assurance, aps, bgp, cflowd, chassis, debug, dhcp, dhcps, diameter, dynsvc, efm_oam, elmi, ering, eth_cfm, etun, filter, gsmp, igh, igmp, igmp_snooping, ip, ipsec, isis, l2tp, lag, ldp, li, lldp, logger, mcpath, mc_redundancy, mirror, mld, mld_snooping, mpls, mpls_tp, msdp, nat, ntp, oam, open_flow, ospf, pim, pim_snooping, port, ppp, pppoe, ptp, radius, rip, rip_ng, route_policy, rsvp, security, snmp, stp, svcmgr, system, user, video, vrrp, vrtr, wlan_gw, wpp

Platforms

All

application

Syntax

application app [ip-int-name | ip-address]

no application app

Context

[Tree] (config>system>security>source-address application)

Full Context

configure system security source-address application

Description

This command configures the source IP address specified by the source-address command.

The no form of this command removes the interface name or IP address from the command.

Parameters

app

Specifies the application name.

Values

cflowd, dns, ftp, ntp, ldap, ping, ptp, radius, sflow, snmptrap, sntp, ssh, syslog, tacplus, telnet, traceroute, mcreporter, icmp-error

ip-int-name

Specifies the name of the IP interface, up to 32 characters. If the string contains special characters (#, ?, space), the entire string must be enclosed within double quotes.

ip-address

Specifies the source IP address.

Values

ipv4-address:

a.b.c.d

Platforms

All

application

Syntax

application application [keychain keychain-name]

no application application

Context

[Tree] (config>redundancy>multi-chassis>peer>sync>transport-encryption application)

Full Context

configure redundancy multi-chassis peer sync transport-encryption application

Description

This command configures transport encryption.

The no form of this command removes the specified application.

Parameters

application

Specifies a Multi-Chassis Synchronization (MCS) client application.

keychain-name

Specifies a keychain name, up to 32 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

application

Syntax

application {eq | neq} app-group-name

no application

Context

[Tree] (config>app-assure>group>policy>chrg-fltr>entry>match application)

Full Context

configure application-assurance group policy charging-filter entry match application

Description

This command configures the addition of an application to the match criteria used by this charging filter entry.

The no form of this command removes the application match criteria.

Default

no application

Parameters

eq

Specifies that the value configured and the value in the flow must be equal.

neq

Specifies that the value configured and the value in the flow must differ.

app-group-name

Specifies the name of the application group, up to 32 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

application-assurance

application-assurance

Syntax

application-assurance

Context

[Tree] (admin application-assurance)

Full Context

admin application-assurance

Description

Commands in this context perform Application Assurance (AA) configuration operations.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

application-assurance

Syntax

application-assurance

Context

[Tree] (config application-assurance)

Full Context

configure application-assurance

Description

Commands in this context perform Application Assurance (AA) configuration operations.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

application-assurance

Syntax

application-assurance

Context

[Tree] (config>system>persistence application-assurance)

Full Context

configure system persistence application-assurance

Description

Commands in this context configure application assurance persistence parameters.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

application-assurance

Syntax

application-assurance app-profile-name

Context

[Tree] (config>subscr-mgmt>http-rdr-plcy application-assurance)

Full Context

configure subscriber-mgmt http-redirect-policy application-assurance

Description

This command specifies the AA application profile used for HTTP redirect portal authentication. This forwards all UDP/TCP traffic to AA for packet filtering. Any forwarding entries under the HTTP redirect policy are not taken into account because only UDP/TCP can be configured. Outbound ICMP and ICMPv6 traffic is always dropped.

Parameters

app-profile-name

Specifies an AA application profile name, up to 32 characters, that is configured in the config>app-assure>group>policy>app-prof context.

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

application-assurance-group

application-assurance-group

Syntax

application-assurance-group application-assurance-group-index [create] [aa-sub-scale sub-scale]

no application-assurance-group application-assurance-group-index

Context

[Tree] (config>isa application-assurance-group)

Full Context

configure isa application-assurance-group

Description

Commands in this context create an application assurance group with the specified system-unique index and configure that group’s parameters.

The no form of this command deletes the specified application assurance group from the system. The group must be shut down first.

Parameters

application-assurance-group-index

Specifies an integer to identify the AA group.

Values

1 to 255

create

Mandatory keyword used when creating an application assurance group in the ISA context. The create keyword requirement can be enabled or disabled in the environment>create context.

sub-scale

Specifies the set of scaling limits that are supported with regard to the maximum number of AA subscribers per ISA, the maximum flow scale, and the corresponding policy scale that can be specified.

Values

residential

Scaling limits for ISA2 residential operation (on VSR, it has the same scale as residential-8k)

residential-8k

Scaling limits for VSR or ESA-vm residential 8k sub operation

residential-16k

Scaling limits for VSR or ESA-vm residential 16k sub operation

residential-32k

Scaling limits for VSR or ESA-vm residential 32k sub operation

residential-64k

Scaling limits for VSR or ESA-vm residential 64k sub operation

vpn

Scaling limits for SR AA VPN operation

vpn-1k

Scaling limits for VSR or ESA-vm AA VPN 1k sub operation

vpn-2k

Scaling limits for VSR or ESA-vm AA VPN 2k sub operation

vpn-4k

Scaling limits for VSR or ESA-vm AA VPN 4k sub operation

vpn-8k

Scaling limits for VSR or ESA-vm AA VPN 8k sub operation

lightweight-internet

Scaling limits for ISA2 or VSR operation as a wireless LAN gateway using DSM subscribers

lightweight-internet-512k

Scaling limits for VSR or ESA-vm 512k sub operation as a wireless LAN gateway using DSM subscribers

Default

residential

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

application-link-attributes

application-link-attributes

Syntax

[no] application-link-attributes

Context

[Tree] (config>router>isis>traffic-engineering-options application-link-attributes)

Full Context

configure router isis traffic-engineering-options application-link-attributes

Description

Commands in this context configure the advertisement of the TE attributes of each link on a per-application basis. Two applications are supported in SR OS: RSVP-TE and SR-TE.

The legacy mode of advertising TE attributes that is used in RSVP-TE is still supported but it can be disabled by using the no legacy command, which also enables per-application TE attribute advertisement for RSVP-TE.

The no form of this command deletes the context.

Default

no application-link-attributes

Platforms

All

application-policy

application-policy

Syntax

[no] application-policy name

Context

[Tree] (config>app-assure>group>transit-ip>diameter application-policy)

Full Context

configure application-assurance group transit-ip-policy diameter application-policy

Description

This command specifies the Diameter application to be used by seen IP transit subs. The application policy is defined using the config>subscr-mgmt>diameter-application-policy command.

The no form of this command removes the policy.

Default

no application-policy

Parameters

name

Specifies the name of the application policy configured using the diameter-application-policy command, up to 32 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

application6

application6

Syntax

application6 app ipv6-address

no application6 app

Context

[Tree] (config>service>vprn>source-address application6)

Full Context

configure service vprn source-address application6

Description

This command specifies the IPv6 source address and application.

The no form of this command removes the application and IPv6 address from the configuration.

Parameters

app

Specifies the application name.

Values

cflowd, ntp, ping, ptp, snmptrap, ssh, telnet, traceroute, icmp6-error

ipv6-address

Specifies the IPv6 address.

Values

ipv6-address:

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x - [0 to FFFF]H

d - [0 to 255]D

Platforms

All

application6

Syntax

application6 app ipv6-address

no application6

Context

[Tree] (config>system>security>source-address application6)

Full Context

configure system security source-address application6

Description

This command configures the application to use the source IPv6 address specified by the source-address command.

The no form of this command removes the application and IPv6 address from the configuration.

Parameters

app

Specifies the application name.

Values

cflowd, dns, ftp, ldap, ntp, ping, ptp, radius, sflow, snmptrap, ssh, syslog, tacplus, telnet, traceroute, icmp6-error

ipv6-address

Specifies the IPv6 address.

Values

ipv6-address:

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x - [0 to FFFF]H

d - [0 to 255]D

Platforms

All

applications

applications

Syntax

applications all

applications [connectivity-management] [gx] [gy] [nasreq] [radius-auth] [radius-acct] [python] [ludb] [msap] [pfcp] [ppp-event]

no applications

Context

[Tree] (config>call-trace>trace-profile applications)

Full Context

configure call-trace trace-profile applications

Description

This command enables tracing of messages and events for the specified applications.

Default

applications all

Parameters

all

Enables tracing of all packets and events, with the exception of PPP events.

connectivity-management

Enables tracing for connectivity protocols, such as DHCP, ARP, and DHCPv6, and events related to connectivity management; for example, migrant or data-triggered host creation, idling, or session timeout. In the CUPS context, this command traces uplink IBCP messages.

gx

Enables tracing of Diameter Gx messages.

gy

Enables tracing of Diameter Gy messages.

nasreq

Enables tracing of Diameter NASREQ messages.

radius-auth

Enables tracing of messages and events related to RADIUS authentication, including CoA and Disconnect.

radius-acct

Enables tracing of messages and events related to RADIUS-based accounting.

python

Enables tracing of python script execution.

ludb

Enables tracing of local user database lookups.

msap

Enables tracing of MSAP creation events.

pfcp

Enables tracing of PFCP messages.

ppp-event

Enables tracing of all events related to the PPP state machine. This can result in a large amount of event messages.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

apply-bgp-nh-override

apply-bgp-nh-override

Syntax

[no] apply-bgp-nh-override

Context

[Tree] (config>service>vprn>pim apply-bgp-nh-override)

Full Context

configure service vprn pim apply-bgp-nh-override

Description

This command forces the RPF check to be performed via IPv4 VPN AF next-hop and not via IPv4 VPN AF VRF import extended community.

Default

no apply-bgp-nh-override

Platforms

All

apply-function-specific-behavior

apply-function-specific-behavior

Syntax

[no] apply-function-specific-behavior

Context

[Tree] (config>app-assure>group>url-filter apply-function-specific-behavior)

Full Context

configure application-assurance group url-filter apply-function-specific-behavior

Description

If this command is enabled, the default-action, default-http-redirect, and http-redirect commands at the url-filter function level (ICAP, local filtering and web service) will apply.

The no form of this command indicates that the configuration at the url-filter level will apply to all of the configured url-filter functions.

Default

no apply-function-specific-behavior

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

apply-path

apply-path

Syntax

[no] apply-path

Context

[Tree] (config>filter>match-list>ip-prefix-list apply-path)

[Tree] (config>filter>match-list>ipv6-prefix-list apply-path)

Full Context

configure filter match-list ip-prefix-list apply-path

configure filter match-list ipv6-prefix-list apply-path

Description

Commands in this context configure the auto-generation of address prefixes for IPv4 or IPv6 address prefix match lists. The context in which the command is executed governs whether IPv4 or IPv6 prefixes will be auto-generated.

The no form of this command removes all auto-generation configuration under the apply-path context.

Default

no apply-path

Platforms

All

apply-to

apply-to

Syntax

apply-to {all | none}

Context

[Tree] (config>service>vprn>pim apply-to)

Full Context

configure service vprn pim apply-to

Description

This command creates a PIM interface with default parameters.

If a manually created interface or modified interface is deleted, the interface will be recreated when the apply-to command is executed. If PIM is not required on a specific interface, then execute a shutdown command.

The apply-to command is saved first in the PIM configuration structure; all subsequent commands either create new structures or modify the defaults as created by the apply-to command.

Default

apply-to none

Parameters

all

Specifies that all VPRN and non-VPRN interfaces are automatically applied in PIM.

none

No interfaces are automatically applied in PIM. PIM interfaces must be manually configured.

Platforms

All

apply-to

Syntax

apply-to {ies | non-ies | all | none}

Context

[Tree] (config>router>pim apply-to)

Full Context

configure router pim apply-to

Description

This command creates a PIM interface with default parameters.

If a manually created or modified interface is deleted, the interface is recreated when the apply-to command is (re)processed. If PIM is not required on a specific interface, a shutdown should be executed.

The apply-to command is first saved in the PIM configuration structure. Then, all subsequent commands either create new structures or modify the defaults as created by the apply-to command.

Default

apply-to none

Parameters

ies

Specifies to apply all IES interfaces in PIM.

non-ies

Specifies to apply non-IES interfaces created in PIM.

all

Specifies to apply all IES and non-IES interfaces created in PIM.

none

Removes all interfaces that are not manually created or modified. It also removes explicit no interface commands if present.

Platforms

All

aps

aps

Syntax

aps

Context

[Tree] (config>port aps)

Full Context

configure port aps

Description

This command configures APS (Automatic Protection Switching). APS is used by SONET/SDH add/drop multiplexers (ADMs) or other SONET/SDH-capable equipment to protect against circuit or equipment failure.

An APS group contains a working and a protect circuit and can span a single node (SC-APS) or two nodes (MC-APS).

The working and protection configurations on the 7750 SRs must match the circuit configurations on the peer. This means that the working circuit on the 7750 SR must be connected to the peer’s working circuit and the protect circuit must be connected to the peer’s protection circuit.

The aps command is only available for APS groups and not physical ports.

Platforms

7450 ESS, 7750 SR-7/12/12e, 7750 SR-a, 7750 SR-e

aqp-initial-lookup

aqp-initial-lookup

Syntax

aqp-initial-lookup

no aqp-initial-lookup

Context

[Tree] (config>app-assure>group aqp-initial-lookup)

Full Context

configure application-assurance group aqp-initial-lookup

Description

This command allows AA to perform AQP lookups on flows before application identification is complete. As usual, the AQP is looked up again when identification completes. Without this command, AA executes AQPs that are part of the so-called "sub-default policy". The sub-default policy is formed by regular AQPs that contain ASOs, subID, and/or flow direction as matching conditions.

This behavior is required, for example, to apply GTP and SCTP filtering on the first packet of a new GTP/SCTP flow (the AQP matching conditions in this case contain the protocol ID).

The no form of this command forces the complete AQP lookup to occur only at the identification finish stage.

Default

no aqp-initial-lookup

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

arbiter

arbiter

Syntax

arbiter arbiter-name [create]

no arbiter arbiter-name

Context

[Tree] (config>qos>plcr-ctrl-plcy>tier arbiter)

Full Context

configure qos policer-control-policy tier arbiter

Description

This command is used to create an arbiter within the context of tier 1 or tier 2. An arbiter is a child policer bandwidth control object that manages the throughput of a set of child policers. An arbiter allows child policers or other arbiters to parent to one of eight strict levels. Each arbiter is itself parented to either another tiered arbiter or to the root arbiter.

The root arbiter starts with its defined maximum rate and distributes the bandwidth to its directly attached child policers and arbiters beginning with priority 8. As the children at each priority level are distributed bandwidth according to their needs and limits, the root proceeds to the next lower priority until either all children’s needs are met or it runs out of bandwidth. The bandwidth given to a tiered arbiter is then divided between that arbiter’s children (child policers or a tier 2 arbiter) in the same fashion. A tiered arbiter may also have a rate limit defined that limits the amount of bandwidth it may receive from its parent.

An arbiter that is currently parented by another arbiter cannot be deleted.

Each time the policer-control-policy is applied to either a SAP, or a subscriber (through association with a sub-profile that has the policy applied), or a multiservice site, an instance of the parent policer and the arbiters is created.

Any child policer that uses the arbiter’s name in its parenting command will be associated with the arbiter instance. The child policer will also become associated with any arbiter to which its parent arbiter is parented (grandparent). Having child policers parented to an arbiter does not prevent that arbiter from being removed from the policer-control-policy. When removed, the child policers become orphaned.

You can create up to 31 tiered arbiters within the policer-control-policy on either tier 1 or tier 2 (in addition to the arbiter).

The no form of this command is used to remove an arbiter from tier 1 or tier 2. If the specified arbiter does not exist, the command returns without an error. If the specified arbiter is currently specified as the parent for another arbiter, the command will fail. When an arbiter is removed from a policer-control-policy, all instances of the arbiter will also be removed. Any child policers currently parented to the arbiter instance will become orphans and will not be bandwidth managed by the policer control policy instance’s parent policer.

Parameters

arbiter-name

Any unique name within the policy. Up to 31 arbiters may be created.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, 7950 XRS, VSR

area

area

Syntax

[no] area area-id

Context

[Tree] (config>service>vprn>ospf3 area)

[Tree] (config>service>vprn>ospf area)

Full Context

configure service vprn ospf3 area

configure service vprn ospf area

Description

This command creates the context to configure an OSPF area. An area is a collection of network segments within an AS that have been administratively grouped together. The area ID can be specified in dotted decimal notation or as a 32-bit decimal integer.

The no form of this command deletes the specified area from the configuration. Deleting the area also removes the OSPF configuration of all the interfaces, virtual-links, sham-links, address-ranges and so on, that are currently assigned to this area.

Default

no area — No OSPF areas are defined.

Parameters

area-id

The OSPF area ID expressed in dotted decimal notation or as a 32-bit decimal integer.

Values

0.0.0.0 to 255.255.255.255 (dotted decimal)

0 to 4294967295 (decimal integer)

Platforms

All

area

Syntax

[no] area area-id

Context

[Tree] (config>router>ospf area)

[Tree] (config>router>ospf3 area)

Full Context

configure router ospf area

configure router ospf3 area

Description

This command creates the context to configure an OSPF or OSPF3 area. An area is a collection of network segments within an AS that have been administratively grouped together. The area ID can be specified in dotted decimal notation or as a 32-bit decimal integer.

The no form of this command deletes the specified area from the configuration. Deleting the area also removes the OSPF configuration of all the interfaces, virtual-links, address-ranges, and so on, that are currently assigned to this area.

Default

no area

Parameters

area-id

The OSPF area ID expressed in dotted decimal notation or as a 32-bit decimal integer.

Values

0.0.0.0 to 255.255.255.255 (dotted decimal), 0 to 4294967295 (decimal integer)

Platforms

All

area

Syntax

area [area-id]

no area

Context

[Tree] (debug>router>ospf area)

[Tree] (debug>router>ospf3 area)

Full Context

debug router ospf area

debug router ospf3 area

Description

This command enables debugging for an OSPF area.

Parameters

area-id

Specifies the OSPF area ID expressed in dotted decimal notation or as a 32-bit decimal integer.

Values

ip-address — a.b.c.d

area — 0 to 4294967295

Platforms

All

area

Syntax

area area-id

no area

Context

[Tree] (config>router>policy-options>policy-statement>entry>from area)

Full Context

configure router policy-options policy-statement entry from area

Description

This command configures an OSPF area as a route policy match criterion.

This match criterion is only used in export policies.

All OSPF routes (internal and external) are matched using this criterion if the best path for the route is by the specified area.

The no form of this command removes the OSPF area match criterion.

Default

no area

Parameters

area-id

Specifies the OSPF area ID expressed in dotted decimal notation or as a 32-bit decimal integer.

Values

0.0.0.0 to 255.255.255.255 (dotted decimal), 0 to 4294967295 (decimal)

Platforms

All

area-id

area-id

Syntax

[no] area-id area-address

Context

[Tree] (config>service>vprn>isis area-id)

Full Context

configure service vprn isis area-id

Description

This command configures the area ID portion of NSAP addresses for the VPRN instance. This identifies a point of connection to the network, such as a router interface, and is called a Network Service Access Point (NSAP). Addresses in the IS-IS protocol are based on the ISO NSAP addresses and Network Entity Titles (NETs), not IP addresses.

A maximum of 3 area addresses can be configured for the VPRN instance.

NSAP addresses are divided into three parts.

  • Area ID — A variable length field between 1 and 13 bytes long. This includes the Authority and Format Identifier (AFI) as the most significant byte and the area ID.

  • System ID — A six-byte system identification. When not configured, the system ID is derived from the configurations for configure router isis router-id, configure router router-id, or system address ipv4 address. If the previous commands are not configured, the system ID defaults to the last four octets of the chassis MAC address.

  • Selector ID — A one-byte selector identification that must contain zeros when configuring a NET. This value is not configurable. The selector ID is always 00.

The NET is constructed like an NSAP but the selector byte contains a 00 value. NET addresses are exchanged in hello and LSP PDUs. All net addresses configured on the node are advertised to its neighbors.

For Level 1 interfaces, neighbors can have different area IDs, but they must have at least one area ID (AFI + area) in common. Sharing a common area ID, they become neighbors and area merging between the potentially different areas can occur.

For Level 2 (only) interfaces, neighbors can have different area IDs. However, if they have no area IDs in common, they become only Level 2 neighbors and Level 2 LSPs are exchanged.

For Level 1 and Level 2 interfaces, neighbors can have different area IDs. If they have at least one area ID (AFI + area) in common, they become neighbors. In addition to exchanging Level 2 LSPs, area merging between potentially different areas can occur.

If multiple area-id commands are entered, the system ID of all subsequent entries must match the first area address.

The no form of this command removes the area address.

Platforms

All

area-id

Syntax

[no] area-id area-address

Context

[Tree] (config>router>isis area-id)

Full Context

configure router isis area-id

Description

This command was previously named the net network-entity-title command. The area-id command allows you to configure the area ID portion of NSAP addresses which identifies a point of connection to the network, such as a router interface, and is called a Network Service Access Point (NSAP). Addresses in the IS-IS protocol are based on the ISO NSAP addresses and Network Entity Titles (NETs), not IP addresses.

A maximum of three area addresses can be configured.

NSAP addresses are divided into three parts.

  • Area ID — A variable length field between 1 and 13 bytes long. This includes the Authority and Format Identifier (AFI) as the most significant byte and the area ID.

  • System ID — A six-byte system identification. When not configured, the system ID is derived from the configurations for configure router isis router-id, configure router router-id, or system address ipv4 address. If the previous commands are not configured, the system ID defaults to the last four octets of the chassis MAC address.

  • Selector ID — A one-byte selector identification that must contain zeros when configuring a NET. This value is not configurable. The selector ID is always 00.

The NET is constructed like an NSAP but the selector byte contains a 00 value. NET addresses are exchanged in hello and LSP PDUs. All net addresses configured on the node are advertised to its neighbors.

For Level 1 interfaces, neighbors can have different area IDs, but they must have at least one area ID (AFI + area) in common. Sharing a common area ID, they become neighbors and area merging between the potentially different areas can occur.

For Level 2 (only) interfaces, neighbors can have different area IDs. However, if they have no area IDs in common, they become only Level 2 neighbors and Level 2 LSPs are exchanged.

For Level 1 and Level 2 interfaces, neighbors can have different area IDs. If they have at least one area ID (AFI + area) in common, they become neighbors. In addition to exchanging Level 2 LSPs, area merging between potentially different areas can occur.

If multiple area-id commands are entered, the system ID of all subsequent entries must match the first area address.

The no form of this command removes the area address.

Parameters

area-address

Specifies a 1 to 13-byte address. Of the total 20 bytes comprising the NET, only the first 13 bytes can be manually configured. As few as one byte can be entered or, at most, 13 bytes. If fewer than 13 bytes are entered, the rest is padded with zeros.

Platforms

All

area-range

area-range

Syntax

area-range ip-prefix/prefix-length [advertise | not-advertise]

no area-range ip-prefix/mask

area-range ipv6-prefix/prefix-length [advertise | not-advertise]

no area-range ipv6-prefix/prefix-length

Context

[Tree] (config>service>vprn>ospf>area>nssa area-range)

[Tree] (config>service>vprn>ospf>area area-range)

[Tree] (config>service>vprn>ospf3>area area-range)

[Tree] (config>service>vprn>ospf3>area>nssa area-range)

Full Context

configure service vprn ospf area nssa area-range

configure service vprn ospf area area-range

configure service vprn ospf3 area area-range

configure service vprn ospf3 area nssa area-range

Description

This command creates ranges of addresses on an Area Border Router (ABR) for the purpose of route summarization or suppression. When a range is created, it is configured to be advertised or not advertised into other areas. Multiple range commands are used to summarize or hide different ranges. In the case of overlapping ranges, the most specific range command applies.

ABRs send summary link advertisements to describe routes to other areas. To minimize the number of advertisements that are flooded, you can summarize a range of IP addresses and send reachability information about these addresses in an LSA.

The no form of this command deletes the range (non) advertisement.

Default

no area-range

Parameters

ipv6-prefix/prefix-length

Specifies the IP prefix in dotted decimal notation for the range that the ABR advertises to summarize the area into another area.

Values

ipv6-prefix

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x: [0 to FFFF]H

d: [0 to 255]D

ipv6-prefix-length

0 to 128

mask

The subnet mask for the range expressed as a decimal integer mask length or in dotted decimal notation.

Values

0 to 32 (mask length), 0.0.0.0 to 255.255.255.255 (dotted decimal)

advertise | not-advertise

Specifies whether or not to advertise the summarized range of addresses into other areas. The advertise keyword indicates the range will be advertised, and the keyword not-advertise indicates the range will not be advertised.

The default is advertise.

Platforms

All

area-range

Syntax

area-range ip-prefix/mask [advertise | not-advertise]

no area-range ip-prefix/mask

Context

[Tree] (config>router>ospf>area area-range)

[Tree] (config>router>ospf>area>nssa area-range)

Full Context

configure router ospf area area-range

configure router ospf area nssa area-range

Description

This command creates ranges of addresses on an Area Border Router (ABR) for the purpose of route summarization or suppression. When a range is created, the range is configured to be advertised or not advertised into other areas. Multiple range commands may be used to summarize or hide different ranges. In the case of overlapping ranges, the most specific range command applies.

ABRs send summary link advertisements to describe routes to other areas. To minimize the number of advertisements that are flooded, you can summarize a range of IP addresses and send reachability information about these addresses in an LSA.

The no form of this command deletes the range (non) advertisement.

Default

no area-range

Parameters

ip-prefix

Specifies the IP prefix in dotted decimal notation for the range that the ABR advertises to summarize the area into another area.

Values

ip-prefix/mask: ip-prefix a.b.c.d (host bits must be 0)

mask

Specifies the subnet mask for the range expressed as a decimal integer mask length or in dotted decimal notation.

Values

0 to 32 (mask length), 0.0.0.0 to 255.255.255.255 (dotted decimal)

advertise | not-advertise

Specifies whether to advertise the summarized range of addresses into other areas. The advertise keyword indicates the range will be advertised, and the keyword not-advertise indicates the range will not be advertised.

Default

advertise

Platforms

All

area-range

Syntax

area-range ipv4-prefix/mask | ipv6-prefix/prefix-length [advertise | not-advertise]

no area-range ipv4-prefix/mask | ipv6-prefix/prefix-length

Context

[Tree] (config>router>ospf3>area>nssa area-range)

[Tree] (config>router>ospf3>area area-range)

Full Context

configure router ospf3 area nssa area-range

configure router ospf3 area area-range

Description

This command creates ranges of addresses on an Area Border Router (ABR) for the purpose of route summarization or suppression. When a range is created, the range is configured to be advertised or not advertised into other areas. Multiple range commands may be used to summarize or hide different ranges. In the case of overlapping ranges, the most specific range command applies.

ABRs send summary link advertisements to describe routes to other areas. To minimize the number of advertisements that are flooded, you can summarize a range of IP addresses and send reachability information about these addresses in an LSA.

The no form of this command deletes the range (non) advertisement.

Default

no area-range

Parameters

ip-prefix/prefix-length

Specifies the IP prefix in dotted decimal notation for the range that the ABR advertises to summarize the area into another area.

Values

ip-prefix/mask:

  • ip-prefix a.b.c.d (host bits must be 0)

ipv6-prefix:

  • x:x:x:x:x:x:x:x (eight 16-bit pieces)

  • x:x:x:x:x:x:d.d.d.d

  • x: [0 to FFFF]H

  • d: [0 to 255]D

prefix-length: 0 to 128

advertise | not-advertise

Specifies whether or not to advertise the summarized range of addresses into other areas. The advertise keyword indicates the range will be advertised, and the keyword not-advertise indicates the range will not be advertised.

Default

advertise

Platforms

All
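The area-range entries above state that the most specific overlapping range applies and that host bits of the prefix must be 0. The following is an added example, not Nokia code, that models that selection in Python; the commands and routes in `CONFIG` and `ROUTES` are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: area-range commands as they could be entered on an ABR.
CONFIG = [
    "area-range 10.1.0.0/16 advertise",
    "area-range 10.1.200.0/24 not-advertise",
    "area-range 2001:db8:1::/48",          # no keyword: default is advertise
]

# Constructed sample: intra-area routes the ABR knows in that area.
ROUTES = ["10.1.1.0/24", "10.1.2.0/24", "10.1.200.16/28",
          "10.9.0.0/24", "2001:db8:1:a::/64"]


def parse_area_range(line):
    """Parse 'area-range <prefix>/<mask> [advertise | not-advertise]'.

    Returns (network, advertise_flag). The mask may be a length or, for
    IPv4, dotted decimal. strict=True rejects a prefix with host bits set.
    """
    tokens = line.split()
    if len(tokens) not in (2, 3) or tokens[0] != "area-range":
        raise ValueError(f"not an area-range command: {line!r}")
    net = ipaddress.ip_network(tokens[1], strict=True)
    action = tokens[2] if len(tokens) == 3 else "advertise"
    if action not in ("advertise", "not-advertise"):
        raise ValueError(f"unknown keyword: {action!r}")
    return net, action == "advertise"


def select_range(ranges, route):
    """Return the most specific configured range containing route, or None."""
    candidates = [(net, adv) for net, adv in ranges
                  if net.version == route.version and route.subnet_of(net)]
    if not candidates:
        return None
    return max(candidates, key=lambda c: c[0].prefixlen)


def abr_announcements(config, routes):
    """Model what the ABR announces into other areas.

    Returns (announced, suppressed) as lists of prefix strings:
    - a route inside an 'advertise' range is replaced by the range prefix,
    - a route inside a 'not-advertise' range is withheld,
    - a route matching no range is announced unchanged.
    """
    ranges = [parse_area_range(line) for line in config]
    announced, suppressed = set(), []
    for text in routes:
        route = ipaddress.ip_network(text)
        match = select_range(ranges, route)
        if match is None:
            announced.add(route)
        elif match[1]:
            announced.add(match[0])
        else:
            suppressed.append(route)
    ordered = sorted(announced,
                     key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return [str(n) for n in ordered], [str(n) for n in suppressed]


if __name__ == "__main__":
    announced, suppressed = abr_announcements(CONFIG, ROUTES)
    print("announced :", announced)
    print("suppressed:", suppressed)
```

In this sample the suppressed 10.1.200.16/28 still lies inside the advertised 10.1.0.0/16 summary, so not-advertise withholds the specific advertisement but is not a substitute for packet filtering.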

area-range

Syntax

area-range [ip-address]

no area-range

Context

[Tree] (debug>router>ospf3 area-range)

[Tree] (debug>router>ospf area-range)

Full Context

debug router ospf3 area-range

debug router ospf area-range

Description

This command enables debugging for an OSPF area range.

Parameters

ip-address

Specifies the IPv4 or IPv6 address for the range used by the ABR to advertise the area into another area.

Values

ipv4-address:

  • a.b.c.d

ipv6-address:

  • x:x:x:x:x:x:x:x (eight 16-bit pieces)

  • x:x:x:x:x:x:d.d.d.d

  • x: [0 to FFFF]H

  • d: [0 to 255]D

Platforms

All

argument-length

argument-length

Syntax

argument-length length

Context

[Tree] (config>router>segment-routing>srv6>locator argument-length)

[Tree] (conf>router>sr>srv6>micro-segment argument-length)

Full Context

configure router segment-routing segment-routing-v6 locator argument-length

configure router segment-routing segment-routing-v6 micro-segment argument-length

Description

This command configures the argument length for an SRv6 or micro-segment locator.

The sum of the function length, argument length, and the locator prefix length must not exceed 128 bits. This is enforced in CLI validation.

The following commands are used to configure the function length and locator prefix length:

  • configure router segment-routing segment-routing-v6 locator function-length
  • configure router segment-routing segment-routing-v6 locator prefix ip-prefix

Default

argument-length 0

Parameters

length

Specifies the argument length.

Values

0, 16

Platforms

7450 ESS, 7750 SR, 7750 SR-s, 7950 XRS, VSR

arp

arp

Syntax

arp arp-value

no arp

Context

[Tree] (config>subscr-mgmt>gtp>peer-profile>mme>qos arp)

[Tree] (config>subscr-mgmt>gtp>peer-profile>ggsn>qos arp)

[Tree] (config>subscr-mgmt>gtp>peer-profile>pgw>qos arp)

Full Context

configure subscriber-mgmt gtp peer-profile mme qos arp

configure subscriber-mgmt gtp peer-profile ggsn qos arp

configure subscriber-mgmt gtp peer-profile pgw qos arp

Description

This command configures the allocation and retention priority to be used in the GTP messages as QoS IE (for a Gn interface) or Bearer QoS (for GTPv2).

The no form of this command reverts to the default.

Default

arp 1

Parameters

arp-value

Specifies the Allocation/Retention Priority (ARP).

Values

1 to 3 (for ggsn context)

1 to 15 (for pgw and mme context)

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

arp

Syntax

arp

Context

[Tree] (config>service>vprn>if>vpls>evpn arp)

[Tree] (config>service>ies>if>vpls>evpn arp)

Full Context

configure service vprn interface vpls evpn arp

configure service ies interface vpls evpn arp

Description

Commands in this context configure ARP host route parameters.

Platforms

All

arp

Syntax

arp

Context

[Tree] (debug>router>ip arp)

Full Context

debug router ip arp

Description

This command configures route table debugging.

Platforms

All

arp-host

arp-host

Syntax

arp-host

Context

[Tree] (config>service>ies>sub-if>grp-if arp-host)

[Tree] (config>service>vprn>sub-if>grp-if arp-host)

[Tree] (config>subscr-mgmt>msap-policy>vpls-only arp-host)

[Tree] (config>service>vpls>sap arp-host)

Full Context

configure service ies subscriber-interface group-interface arp-host

configure service vprn subscriber-interface group-interface arp-host

configure subscriber-mgmt msap-policy vpls-only-sap-parameters arp-host

configure service vpls sap arp-host

Description

Commands in this context configure ARP host parameters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

arp-host

Syntax

[no] arp-host

Context

[Tree] (debug>service>id arp-host)

Full Context

debug service id arp-host

Description

This command enables and configures ARP host debugging.

The no form of this command disables ARP host debugging.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

arp-host-route

arp-host-route

Syntax

arp-host-route

Context

[Tree] (config>service>vprn>if arp-host-route)

[Tree] (config>service>ies>if arp-host-route)

Full Context

configure service vprn interface arp-host-route

configure service ies interface arp-host-route

Description

Commands in this context configure ARP host routes to populate.

Platforms

All

arp-learn-unsolicited

arp-learn-unsolicited

Syntax

[no] arp-learn-unsolicited

Context

[Tree] (config>router>if arp-learn-unsolicited)

[Tree] (config>service>ies>if arp-learn-unsolicited)

[Tree] (config>service>vprn>if arp-learn-unsolicited)

Full Context

configure router interface arp-learn-unsolicited

configure service ies interface arp-learn-unsolicited

configure service vprn interface arp-learn-unsolicited

Description

This command allows the ARP application to learn new entries based on any received ARP message (GARP, ARP-Request, or ARP-Reply, such as any frame with ethertype 0x0806).

The no form of this command disables the above behavior and causes ARP entries to only be learned when needed, that is, when the router receives an ARP-reply after an ARP-request triggered by received traffic.

Platforms

All

arp-limit

arp-limit

Syntax

arp-limit limit [log-only] [threshold percent]

no arp-limit

Context

[Tree] (config>service>ies>interface arp-limit)

Full Context

configure service ies interface arp-limit

Description

This command configures the maximum number of dynamic IPv4 ARP entries that can be learned on an IP interface.

When the number of dynamic ARP entries reaches the configured percentage of this limit, a log event is raised. When the limit is exceeded, no new entries are learned until an entry expires, and traffic to these destinations is dropped. Entries that have already been learned are refreshed.

The no form of this command removes the arp-limit.

Default

no arp-limit

Parameters

log-only

Enables the warning message to be sent at the specified threshold percentage, and also when the limit is exceeded. However, entries above the limit will be learned.

percent

The threshold value (as a percentage) that triggers a warning message to be sent.

Values

0 to 100

Default

90

limit

The number of entries that can be learned on an IP interface expressed as a decimal integer. If the limit is set to 0, dynamic ARP learning is disabled and no dynamic ARP entries are learned.

Values

0 to 524288

Platforms

All

arp-limit

Syntax

arp-limit limit [log-only] [threshold percent]

no arp-limit

Context

[Tree] (config>service>vprn>if arp-limit)

Full Context

configure service vprn interface arp-limit

Description

This command configures the maximum number of dynamic IPv4 ARP entries that can be learned on an IP interface.

When the number of dynamic ARP entries reaches the configured percentage of this limit, an SNMP trap is sent. When the limit is exceeded, no new entries are learned until an entry expires, and traffic to these destinations is dropped. Entries that have already been learned are refreshed.

The no form of this command removes the arp-limit.

Default

90 percent

Parameters

log-only

Enables the warning message to be sent at the specified threshold percentage, and also when the limit is exceeded. However, entries above the limit will be learned.

percent

The threshold value (as a percentage) that triggers a warning message to be sent.

Values

0 to 100

limit

The number of entries that can be learned on an IP interface expressed as a decimal integer. If the limit is set to 0, dynamic ARP learning is disabled and no dynamic ARP entries are learned.

Values

0 to 524288

Platforms

All

arp-limit

Syntax

arp-limit limit [log-only] [threshold percent]

no arp-limit

Context

[Tree] (config>router>if arp-limit)

Full Context

configure router interface arp-limit

Description

This command configures the maximum number of dynamic IPv4 ARP entries that can be learned on an IP interface.

When the number of dynamic ARP entries reaches the configured percentage of this limit, an SNMP trap is sent. When the limit is exceeded, no new entries are learned until an entry expires, and traffic to these destinations is dropped. Entries that have already been learned are refreshed.

The no form of this command removes the arp-limit.

Default

no arp-limit

Parameters

limit

The number of entries that can be learned on an IP interface expressed as a decimal integer. If the limit is set to 0, dynamic ARP learning is disabled and no dynamic ARP entries are learned.

Values

0 to 524288

log-only

Enables the warning message to be sent at the specified threshold percentage, and also when the limit is exceeded. However, entries above the limit will be learned.

percent

The threshold value (as a percentage) that triggers a warning message to be sent.

Values

0 to 100

Platforms

All
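The arp-limit and arp-learn-unsolicited entries above determine whether an interface's dynamic ARP table is actually bounded. The following is an added example, not Nokia code: a Python audit that parses the documented `arp-limit limit [log-only] [threshold percent]` syntax and flags interfaces where learning is uncapped. The interface names, command lists, and finding codes are constructed, and the threshold default of 90 is taken from the IES entry.

```python
import re

# arp-limit limit [log-only] [threshold percent]
ARP_LIMIT_RE = re.compile(
    r"^arp-limit\s+(\d+)(\s+log-only)?(?:\s+threshold\s+(\d+))?$")

# Constructed sample: per-interface command lists (not a real configuration).
INTERFACES = {
    "access-lan":  ["address 192.0.2.1/24", "arp-learn-unsolicited"],
    "dc-fabric":   ["arp-limit 2000 log-only threshold 80",
                    "arp-learn-unsolicited"],
    "core-uplink": ["arp-limit 500 threshold 75"],
    "static-only": ["arp-limit 0"],
}


def parse_arp_limit(line):
    """Parse one arp-limit command and range-check it against the reference."""
    m = ARP_LIMIT_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not an arp-limit command: {line!r}")
    limit = int(m.group(1))
    # Assumption: threshold defaults to 90 when omitted (IES entry default).
    threshold = int(m.group(3)) if m.group(3) else 90
    if not 0 <= limit <= 524288:
        raise ValueError(f"limit out of range: {limit}")
    if not 0 <= threshold <= 100:
        raise ValueError(f"threshold out of range: {threshold}")
    return {"limit": limit,
            "log_only": m.group(2) is not None,
            "threshold": threshold}


def audit_interface(commands):
    """Return finding codes for one interface's command list.

    NO_LIMIT              no arp-limit (the default): learning is not capped
    LOG_ONLY              limit only warns; entries above it are still learned
    LEARNING_DISABLED     limit 0: no dynamic ARP entries are learned
    UNSOLICITED_UNBOUNDED arp-learn-unsolicited with no enforced cap, so any
                          received ARP frame can add an entry without bound
    """
    limit_cfg, unsolicited = None, False
    for raw in commands:
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "arp-limit":
            limit_cfg = parse_arp_limit(raw)
        elif tokens == ["no", "arp-limit"]:
            limit_cfg = None
        elif tokens == ["arp-learn-unsolicited"]:
            unsolicited = True
        elif tokens == ["no", "arp-learn-unsolicited"]:
            unsolicited = False

    findings = []
    if limit_cfg is None:
        findings.append("NO_LIMIT")
    elif limit_cfg["log_only"]:
        findings.append("LOG_ONLY")
    elif limit_cfg["limit"] == 0:
        findings.append("LEARNING_DISABLED")
    if unsolicited and (limit_cfg is None or limit_cfg["log_only"]):
        findings.append("UNSOLICITED_UNBOUNDED")
    return findings


def audit(interfaces):
    """Audit every interface; returns {interface name: [finding codes]}."""
    return {name: audit_interface(cmds) for name, cmds in interfaces.items()}


if __name__ == "__main__":
    for name, findings in audit(INTERFACES).items():
        print(f"{name:12s} {', '.join(findings) or 'ok'}")
```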

arp-nd-extended-community-advertisement

arp-nd-extended-community-advertisement

Syntax

[no] arp-nd-extended-community-advertisement

Context

[Tree] (config>service>vpls>bgp-evpn arp-nd-extended-community-advertisement)

Full Context

configure service vpls bgp-evpn arp-nd-extended-community-advertisement

Description

This command enables the advertisement of the RFC 9047 ARP/ND extended community along with the MAC/IP routes that are advertised for local static and dynamic proxy ARP or ND entries. This command also controls the processing of the ARP/ND extended community and the selection of ARP or ND entries based on the immutable flag.

The no form of this command disables the advertisement of the RFC 9047 ARP/ND extended community.

Default

no arp-nd-extended-community-advertisement

Platforms

All

arp-nd-only-with-fdb-advertisement

arp-nd-only-with-fdb-advertisement

Syntax

[no] arp-nd-only-with-fdb-advertisement

Context

[Tree] (config>service>vpls>bgp-evpn arp-nd-only-with-fdb-advertisement)

Full Context

configure service vpls bgp-evpn arp-nd-only-with-fdb-advertisement

Description

This command enables the router to advertise local ARP/ND entries of VPRN interfaces using this VPLS BGP-EVPN service when the corresponding local MAC is programmed in the FDB.

The no form of this command disables the advertisement of the ARP/ND entries.

Default

no arp-nd-only-with-fdb-advertisement

Platforms

All

arp-populate

arp-populate

Syntax

[no] arp-populate

Context

[Tree] (config>service>vprn>sub-if>grp-if arp-populate)

[Tree] (config>service>vprn>if arp-populate)

[Tree] (config>service>ies>if arp-populate)

[Tree] (config>service>ies>sub-if>grp-if arp-populate)

Full Context

configure service vprn subscriber-interface group-interface arp-populate

configure service vprn interface arp-populate

configure service ies interface arp-populate

configure service ies subscriber-interface group-interface arp-populate

Description

This command, when enabled, disables dynamic learning of ARP entries. Instead, the ARP table is populated with static and dynamic entries from the DHCP Lease State Table (enabled with lease-populate), and optionally with static entries entered with the static-host command.

The host’s IP address and MAC address are placed in the system ARP cache as a managed entry. Static hosts must be defined on the interface using the static-host command. Dynamic hosts are enabled on the system through enabling lease-populate in the IP interface DHCP context.

In the event that both a static host and a dynamic host share the same IP and MAC address, the system’s ARP cache retains the host information until both the static and dynamic information are removed.

Both static and dynamic hosts override static ARP entries. Static ARP entries are marked as inactive when they conflict with static or dynamic hosts and will be repopulated once all static and dynamic host information for the IP address are removed. Since static ARP entries are not possible when static subscriber hosts are defined or when DHCP lease state table population is enabled, conflict between static ARP entries and the arp-populate function is not an issue.

Enabling the arp-populate command removes any dynamic ARP entries learned on this interface from the ARP cache.

The arp-populate command fails if an existing static ARP entry exists for this interface.

When arp-populate is enabled, the system does not send out ARP requests for hosts that are not in the ARP cache. Only statically configured and DHCP learned hosts are reachable through an IP interface with arp-populate enabled. The arp-populate command can only be enabled on IES and VPRN interfaces supporting Ethernet encapsulation.

The no form of this command disables ARP cache population functions for static and dynamic hosts on the interface. All static and dynamic host information for this interface is removed from the system’s ARP cache. Any existing static ARP entries previously inactive due to static or dynamic hosts will be populated in the system ARP cache.

Default

no arp-populate

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

  • configure service ies subscriber-interface group-interface arp-populate
  • configure service vprn subscriber-interface group-interface arp-populate

All

  • configure service ies interface arp-populate
  • configure service vprn interface arp-populate

arp-populate-host-route

arp-populate-host-route

Syntax

[no] arp-populate-host-route

Context

[Tree] (config>service>ies>if arp-populate-host-route)

Full Context

configure service ies interface arp-populate-host-route

Description

This command enables the addition or deletion of host routes in the route table derived from ARP entries in the ARP cache. To enable this command, the interface must be shut down. The command triggers the population of host routes in the route table out of their corresponding static, dynamic, or EVPN types in the ARP table. ARP entries installed by subscriber management, local interfaces, and others, do not create host routes.

The no form of this command disables the creation of host routes from the ARP cache.

Platforms

All

arp-proactive-refresh

arp-proactive-refresh

Syntax

[no] arp-proactive-refresh

Context

[Tree] (config>service>ies>if arp-proactive-refresh)

Full Context

configure service ies interface arp-proactive-refresh

Description

This command enables the router to always send out a single refresh message with no retries 30 seconds prior to the timeout of the entry.

The no form of this command sets the default behavior, in which an entry is marked as stale 30 seconds prior to age-out, and the router only sends an ARP request to refresh the entry if the IOM receives traffic that uses it. If so, the IOM asks the ARP application to send a refresh message. With arp-proactive-refresh enabled, the ARP module sends a refresh message regardless of whether the IOM receives traffic.

Platforms

All

arp-proactive-refresh

Syntax

[no] arp-proactive-refresh

Context

[Tree] (config>service>vprn>if arp-proactive-refresh)

Full Context

configure service vprn interface arp-proactive-refresh

Description

This command enables the router to always send out a refresh message 30 seconds prior to the timeout of the entry (a single refresh message with no retries).

The no form of this command sets the default behavior, in which an entry is marked as stale 30 seconds prior to age-out, and the router only sends an ARP request to refresh the entry if the IOM receives traffic that uses it. If so, the IOM asks the ARP application to send a refresh message. With arp-proactive-refresh enabled, the ARP module sends a refresh message regardless of the IOM receiving traffic.

Platforms

All

arp-proactive-refresh

Syntax

[no] arp-proactive-refresh

Context

[Tree] (config>router>if arp-proactive-refresh)

Full Context

configure router interface arp-proactive-refresh

Description

This command enables the router to always send out a refresh message 30 seconds prior to the timeout of the entry (a single refresh message with no retries).

The no form of this command sets the default behavior, in which an entry is marked as stale 30 seconds prior to age-out, and the router only sends an ARP request to refresh the entry if the IOM receives traffic that uses it. If so, the IOM asks the ARP application to send a refresh message. With arp-proactive-refresh enabled, the ARP module sends a refresh message regardless of the IOM receiving traffic.

Platforms

All

arp-reply-agent

arp-reply-agent

Syntax

arp-reply-agent [sub-ident]

no arp-reply-agent

Context

[Tree] (config>service>vpls>sap arp-reply-agent)

Full Context

configure service vpls sap arp-reply-agent

Description

This command enables a special ARP response mechanism in the system for ARP requests destined to static or dynamic hosts associated with the SAP. The system responds to each ARP request using the host’s MAC address as both the source MAC address in the Ethernet header and the target hardware address in the ARP header.

ARP replies and requests received on a SAP with arp-reply-agent enabled are evaluated by the system against the anti-spoof filter entries associated with the ingress SAP (if the SAP has anti-spoof filtering enabled). ARPs from unknown hosts on the SAP are discarded when anti-spoof filtering is enabled.

The ARP reply agent only responds if the ARP request enters an interface (SAP, spoke SDP or mesh SDP) associated with the VPLS instance of the SAP.

A received ARP request that is not in the ARP reply agent table is flooded to all forwarding interfaces of the VPLS capable of broadcast except the ingress interface while honoring split-horizon constraints.

Static hosts can be defined on the SAP using the host command. Dynamic hosts are enabled on the system by enabling the lease-populate command in the SAP’s dhcp context. If both a static host and a dynamic host share the same IP and MAC address, the VPLS ARP reply agent will retain the host information until both the static and dynamic information are removed. If both a static and dynamic host share the same IP address, but different MAC addresses, the VPLS ARP reply agent is populated with the static host information.

The arp-reply-agent command fails if an existing static host on the SAP does not have both MAC and IP addresses specified. Once the ARP reply agent is enabled, creating a static host on the SAP without both an IP address and MAC address will fail.

The arp-reply-agent can only be enabled on SAPs supporting Ethernet encapsulation.

The no form of the command disables arp-reply-agent functions for static and dynamic hosts on the SAP.

Default

no arp-reply-agent

Parameters

sub-ident

Configures the arp-reply-agent to discard ARP requests received on the SAP that are targeted for a known host on the same SAP with the same subscriber identification.

Hosts are identified by their subscriber information. For DHCP subscriber hosts, the subscriber information is configured using the optional subscriber parameter string.

When arp-reply-agent is enabled with sub-ident:

  • If the subscriber information for the destination host exactly matches the subscriber information for the originating host and the destination host is known on the same SAP as the source, the ARP request is silently discarded.

  • If the subscriber information for the destination host or originating host is unknown or undefined, the source and destination hosts are not considered to be the same subscriber. The ARP request is forwarded outside the SAP’s Split Horizon Group.

  • When sub-ident is not configured, the arp-reply-agent does not attempt to identify the subscriber information for the destination or originating host and will not discard an ARP request based on subscriber information.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

arp-reply-agent

Syntax

arp-reply-agent [sub-ident]

no arp-reply-agent

Context

[Tree] (config>subscr-mgmt>msap-policy>vpls-only arp-reply-agent)

Full Context

configure subscriber-mgmt msap-policy vpls-only-sap-parameters arp-reply-agent

Description

This command enables a special ARP response mechanism in the system for ARP requests destined to static or dynamic hosts associated with the SAP. The system responds to each ARP request using the host’s MAC address as both the source MAC address in the Ethernet header and the target hardware address in the ARP header.

ARP replies and requests received on an MSAP with arp-reply-agent enabled are evaluated by the system against the anti-spoof filter entries associated with the ingress SAP (if the SAP has anti-spoof filtering enabled). ARPs from unknown hosts on the SAP are discarded when anti-spoof filtering is enabled.

The ARP reply agent only responds if the ARP request enters an interface (SAP, spoke-SDP or mesh-SDP) associated with the VPLS instance of the MSAP.

A received ARP request that is not in the ARP reply agent table is flooded to all forwarding interfaces of the VPLS capable of broadcast except the ingress interface while honoring split-horizon constraints.

Static hosts can be defined using the host command. Dynamic hosts are enabled on the system by enabling the lease-populate command in the dhcp context. In the event that both a static host and a dynamic host share the same IP and MAC address, the VPLS ARP reply agent will retain the host information until both the static and dynamic information are removed. In the event that both a static and dynamic host share the same IP address, but different MAC addresses, the VPLS ARP reply agent is populated with the static host information.

The arp-reply-agent command will fail if an existing static host does not have both MAC and IP addresses specified. Once the ARP reply agent is enabled, creating a static host on the MSAP without both an IP address and MAC address will fail.

The ARP-reply-agent may only be enabled on SAPs supporting Ethernet encapsulation.

The no form of this command disables ARP-reply-agent functions for static and dynamic hosts on the MSAP.

Parameters

sub-ident

Configures the arp-reply-agent to discard ARP requests received on the MSAP that are targeted for a known host on the same MSAP with the same subscriber identification.

Hosts are identified by their subscriber information. For DHCP subscriber hosts, the subscriber information is configured using the optional subscriber parameter string.

When arp-reply-agent is enabled with sub-ident:

  • If the subscriber information for the destination host exactly matches the subscriber information for the originating host and the destination host is known on the same MSAP as the source, the ARP request is silently discarded.

  • If the subscriber information for the destination host or originating host is unknown or undefined, the source and destination hosts are not considered to be the same subscriber. The ARP request is forwarded outside the MSAP’s Split Horizon Group.

  • When sub-ident is not configured, the arp-reply-agent does not attempt to identify the subscriber information for the destination or originating host and will not discard an ARP request based on subscriber information.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

arp-retry-timer

arp-retry-timer

Syntax

arp-retry-timer timer-multiple

no arp-retry-timer

Context

[Tree] (config>service>ies>if arp-retry-timer)

Full Context

configure service ies interface arp-retry-timer

Description

This command allows the ARP retry timer to be configured to a specific value.

The timer value is entered as a multiple of 100 ms. A timer value of 1 means the ARP retry timer is set to 100 ms.

The no form of this command removes the command from the active configuration and returns the ARP retry timer to its default value of 5 seconds.

Default

arp-retry-timer 50

Parameters

timer-multiple

Specifies the multiple of 100 ms that the ARP retry timer will be configured as.

Values

1 to 300 (equivalent to a timer range of 100 ms to 30,000 ms)

Platforms

All

arp-retry-timer

Syntax

arp-retry-timer timer-multiple

no arp-retry-timer

Context

[Tree] (config>service>vprn>if arp-retry-timer)

[Tree] (config>service>vprn>network-interface arp-retry-timer)

Full Context

configure service vprn interface arp-retry-timer

configure service vprn network-interface arp-retry-timer

Description

This command allows the ARP retry timer to be configured to a specific value.

The timer value is entered as a multiple of 100 ms. A timer value of 1 means the ARP retry timer is set to 100 ms.

The no form of this command removes the command from the active configuration and returns the ARP retry timer to its default value of 5 s.

Default

arp-retry-timer 50

Parameters

timer-multiple

Specifies the multiple of 100 ms that the ARP retry timer will be configured as.

Values

1 to 300 (equivalent to a timer range of 100 ms to 30,000 ms)

Platforms

All

arp-retry-timer

Syntax

arp-retry-timer timer-multiple

no arp-retry-timer

Context

[Tree] (config>router>if arp-retry-timer)

Full Context

configure router interface arp-retry-timer

Description

This command allows the ARP retry timer to be configured to a specific value.

The timer value is entered as a multiple of 100 ms. A timer value of 1 means the ARP retry timer is set to 100 ms.

The no form of this command removes the command from the active configuration and returns the ARP retry timer to its default value of 5 seconds.

Default

arp-retry-timer 50

Parameters

timer-multiple

Specifies the multiple of 100 ms that the ARP retry timer will be configured as.

Values

1 to 300 (equivalent to a timer range of 100 ms to 30,000 ms)

Platforms

All

arp-timeout

arp-timeout

Syntax

arp-timeout seconds

no arp-timeout

Context

[Tree] (config>service>vprn>if arp-timeout)

[Tree] (config>service>ies>if arp-timeout)

[Tree] (config>service>vprn>sub-if>grp-if arp-timeout)

[Tree] (config>service>ies>sub-if>grp-if arp-timeout)

Full Context

configure service vprn interface arp-timeout

configure service ies interface arp-timeout

configure service vprn subscriber-interface group-interface arp-timeout

configure service ies subscriber-interface group-interface arp-timeout

Description

This command configures the minimum time in seconds an ARP entry learned on the IP interface is stored in the ARP table. ARP entries are automatically refreshed when an ARP request or gratuitous ARP is seen from an IP host. Otherwise, the ARP entry is aged from the ARP table. If arp-timeout is set to a value of zero seconds, ARP aging is disabled.

When the arp-populate and lease-populate commands are enabled on an interface, the ARP table entries are no longer dynamically learned; instead, they are populated by snooping DHCP ACK messages from a DHCP server. In this case the configured arp-timeout value has no effect.

The default value for arp-timeout is 14400 seconds (4 hours).

The no form of this command reverts to the default value.

Default

arp-timeout 14400

Parameters

seconds

Specifies the minimum number of seconds a learned ARP entry is stored in the ARP table, expressed as a decimal integer. A value of zero specifies that the timer is inoperative and learned ARP entries will not be aged.

Values

0 to 65535

Platforms

All

  • configure service vprn interface arp-timeout
  • configure service ies interface arp-timeout

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

  • configure service ies subscriber-interface group-interface arp-timeout
  • configure service vprn subscriber-interface group-interface arp-timeout

arp-timeout

Syntax

arp-timeout seconds

no arp-timeout

Context

[Tree] (config>service>vpls>interface arp-timeout)

Full Context

configure service vpls interface arp-timeout

Description

This command configures the minimum time in seconds an ARP entry learned on the IP interface will be stored in the ARP table. ARP entries are automatically refreshed when an ARP request or gratuitous ARP is seen from an IP host. Otherwise, the ARP entry is aged from the ARP table. If arp-timeout is set to a value of zero seconds, ARP aging is disabled.

The default value for arp-timeout is 14400 seconds (4 hours).

The no form of this command restores arp-timeout to the default value.

Default

arp-timeout 14400

Parameters

seconds

The minimum number of seconds a learned ARP entry will be stored in the ARP table, expressed as a decimal integer. A value of zero specifies that the timer is inoperative and learned ARP entries will not be aged.

Values

0 to 65535

Platforms

All

arp-timeout

Syntax

arp-timeout seconds

no arp-timeout

Context

[Tree] (config>router>if arp-timeout)

Full Context

configure router interface arp-timeout

Description

This command configures the minimum time, in seconds, an ARP entry learned on the IP interface is stored in the ARP table. ARP entries are automatically refreshed when an ARP request or gratuitous ARP is seen from an IP host. Otherwise, the ARP entry is aged from the ARP table. If the arp-timeout value is set to 0 seconds, ARP aging is disabled.

The no form of this command reverts to the default value.

Default

no arp-timeout

Parameters

seconds

The minimum number of seconds a learned ARP entry is stored in the ARP table, expressed as a decimal integer. A value of 0 specifies that the timer is inoperative and learned ARP entries will not be aged.

Values

0 to 65535

Platforms

All

as-matrix

as-matrix

Syntax

[no] as-matrix

Context

[Tree] (config>cflowd>collector>aggregation as-matrix)

Full Context

configure cflowd collector aggregation as-matrix

Description

This command specifies that the aggregation data should be based on autonomous system (AS) information. An AS matrix contains packet and byte counters for traffic from either source-destination autonomous systems or last-peer to next-peer autonomous systems.

The no form of this command removes this type of aggregation from the collector configuration.

Default

no as-matrix

Platforms

All

as-override

as-override

Syntax

[no] as-override

Context

[Tree] (config>subscr-mgmt>bgp-prng-plcy as-override)

Full Context

configure subscriber-mgmt bgp-peering-policy as-override

Description

This command replaces all instances of the peer's AS number with the local AS number in a BGP route's AS_PATH.

This command breaks BGP's loop detection mechanism. It should be used carefully.

The no form of this command reverts to the default.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

as-override

Syntax

[no] as-override

Context

[Tree] (config>service>vprn>bgp>group>neighbor as-override)

[Tree] (config>service>vprn>bgp>group as-override)

Full Context

configure service vprn bgp group neighbor as-override

configure service vprn bgp group as-override

Description

This command replaces all instances of the peer's AS number with the local AS number in a BGP route's AS_PATH.

This command breaks BGP's loop detection mechanism. It should be used carefully.

Default

no as-override

Platforms

All

as-override

Syntax

[no] as-override

Context

[Tree] (config>router>bgp>group>neighbor as-override)

[Tree] (config>router>bgp>group as-override)

Full Context

configure router bgp group neighbor as-override

configure router bgp group as-override

Description

This command enables BGP to monitor the outbound routes toward the peer and whenever there is a route with the peer’s autonomous system number (ASN) in the AS_PATH, all occurrences are removed and replaced with the advertising router’s local ASN (or its confederation ID if the peer is outside the confederation).

In the group context, the no form of this command disables the functionality. In the neighbor context, the no form of this command causes the setting to be inherited from the group level.

Default

no as-override

Platforms

All
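The as-override entries above warn that the command breaks BGP's loop detection. The following Python model is an added illustration, not Nokia code: the ASNs are constructed values, and the eBGP prepend step and all function names are assumptions made for the example.

```python
"""Model of as-override on an advertising router and the peer's loop check."""

LOCAL_ASN = 64500      # advertising router's AS (constructed value)
CUSTOMER_ASN = 65001   # AS reused by two customer sites (constructed value)


def advertise(as_path, local_asn, peer_asn, as_override=False):
    """Return the AS_PATH sent to an eBGP peer.

    With as_override, every occurrence of the peer's ASN is replaced with
    the local ASN, as the command description states. The sender then
    prepends its own ASN (ordinary eBGP behaviour, assumed here).
    """
    path = list(as_path)
    if as_override:
        path = [local_asn if asn == peer_asn else asn for asn in path]
    return [local_asn] + path


def receiver_accepts(as_path, own_asn):
    """BGP loop detection at the receiver: reject a path holding its own ASN."""
    return own_asn not in as_path


def loop_hidden_by_override(original_path, local_asn, peer_asn):
    """True when the peer would have rejected the route as a loop without
    as-override but accepts it once the override has rewritten the path."""
    plain = advertise(original_path, local_asn, peer_asn)
    overridden = advertise(original_path, local_asn, peer_asn,
                           as_override=True)
    return (not receiver_accepts(plain, peer_asn)
            and receiver_accepts(overridden, peer_asn))


if __name__ == "__main__":
    # Route learned from site A (AS 65001), advertised to site B (AS 65001).
    from_site_a = [CUSTOMER_ASN]
    print("without override:", advertise(from_site_a, LOCAL_ASN, CUSTOMER_ASN))
    print("with override:   ", advertise(from_site_a, LOCAL_ASN, CUSTOMER_ASN,
                                         as_override=True))

    # The same rewrite also applies to a route that site B itself originated
    # and that is now coming back to it: the receiver can no longer tell.
    came_back = [64499, CUSTOMER_ASN]
    print("loop hidden:", loop_hidden_by_override(came_back, LOCAL_ASN,
                                                  CUSTOMER_ASN))
```

Because the receiver can no longer recognise its own routes, sites that rely on as-override need another loop guard, for example a route policy that matches on a community or on the prefix itself.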

as-path

as-path

Syntax

[no] as-path name

Context

[Tree] (config>router>policy-options as-path)

Full Context

configure router policy-options as-path

Description

This command creates a route policy AS path to use in route policy entries.

The no form of this command deletes the AS path.

Default

no as-path

Parameters

name

The AS path regular expression name. Allowed values are any string up to 32 characters long composed of printable, 7-bit ASCII characters. If the string contains special characters (#, ?, space), the entire string must be enclosed within double quotes.

Platforms

All

as-path

Syntax

as-path name

no as-path

Context

[Tree] (config>router>policy-options>policy-statement>entry>from as-path)

Full Context

configure router policy-options policy-statement entry from as-path

Description

This command configures an AS path regular expression statement as a match criterion for the route policy entry.

If no AS path criterion is specified, any AS path is considered to match.

AS path regular expression statements are configured at the global route policy level (config>router>policy-options>as-path name).

The no form of this command removes the AS path regular expression statement as a match criterion.

Default

no as-path

Parameters

name

Specifies the AS path regular expression name. Allowed values are any string up to 32 characters long composed of printable, 7-bit ASCII characters. If the string contains special characters (#, ?, space), the entire string must be enclosed within double quotes. Policy parameters must be enclosed by at-signs (@) and may be midstring; for example, "@variable@", "start@variable@end", "@variable@end", or "start@variable@".

Platforms

All

as-path

Syntax

as-path {add | replace} name

no as-path

Context

[Tree] (config>router>policy-options>policy-statement>entry>action as-path)

[Tree] (config>router>policy-options>policy-statement>default-action as-path)

Full Context

configure router policy-options policy-statement entry action as-path

configure router policy-options policy-statement default-action as-path

Description

This command assigns a BGP AS path list to routes matching the route policy statement entry.

If no AS path list is specified, the AS path attribute is not changed.

The no form of this command disables the AS path list editing action from the route policy entry.

Default

no as-path

Parameters

add

Specifies that the AS path list is to be prepended to an existing AS list.

replace

Specifies that the AS path list replaces any existing AS path attribute.

name

Specifies the AS path list name. Allowed values are any string up to 32 characters long composed of printable, 7-bit ASCII characters. If the string contains special characters (#, ?, space), the entire string must be enclosed within double quotes. Policy parameters must be enclosed by at-signs (@) and may be midstring; for example, "@variable@", "start@variable@end", "@variable@end", or "start@variable@".

The name specified must already be defined.

Platforms

All

as-path-group

as-path-group

Syntax

[no] as-path-group name

Context

[Tree] (config>router>policy-options as-path-group)

Full Context

configure router policy-options as-path-group

Description

This command creates a route policy AS path regular expression statement to use in route policy entries.

The no form of this command deletes the AS path regular expression statement.

Default

no as-path-group

Parameters

name

Specifies the AS path regular expression name. Allowed values are any string up to 32 characters composed of printable, 7-bit ASCII characters. If the string contains special characters (#, ?, space), the entire string must be enclosed within double quotes. Policy parameters must start and end with at-signs (@); for example, "@variable@".

Platforms

All

as-path-group

Syntax

as-path-group name

no as-path-group name

Context

[Tree] (config>router>policy-options>policy-statement>entry>from as-path-group)

Full Context

configure router policy-options policy-statement entry from as-path-group

Description

This command creates a route policy AS path regular expression statement to use in route policy entries.

The no form of this command deletes the AS path regular expression statement.

Default

no as-path-group

Parameters

name

Specifies the AS path regular expression name. Allowed values are any string up to 32 characters long composed of printable, 7-bit ASCII characters. If the string contains special characters (#, ?, space), the entire string must be enclosed within double quotes. Policy parameters must be enclosed by at-signs (@) and may be midstring; for example, "@variable@", "start@variable@end", "@variable@end", or "start@variable@".

Platforms

All

as-path-ignore

as-path-ignore

Syntax

as-path-ignore [ipv4] [ipv6] [label-ipv4] [label-ipv6]

no as-path-ignore

Context

[Tree] (config>service>vprn>bgp>path-selection as-path-ignore)

Full Context

configure service vprn bgp best-path-selection as-path-ignore

Description

This command configures whether AS path length is considered in the selection of the best BGP route for a prefix.

If an address family is listed in this command, the length of AS paths is not a factor in the route selection process for routes of that address family.

The no form of this command removes the parameter from the configuration.

Default

no as-path-ignore

Parameters

ipv4

Specifies that the AS path length is ignored for all unlabeled unicast IPv4 routes.

ipv6

Specifies that the AS path length is ignored for all unlabeled unicast IPv6 routes.

label-ipv4

Specifies that the AS path length is ignored for all labeled unicast IPv4 routes.

label-ipv6

Specifies that the AS path length is ignored for all labeled unicast IPv6 routes.

Platforms

All

as-path-ignore

Syntax

as-path-ignore [ipv4] [label-ipv4] [vpn-ipv4] [ipv6] [label-ipv6] [vpn-ipv6] [mcast-ipv4] [mcast-ipv6] [mvpn-ipv4] [mvpn-ipv6] [l2-vpn]

no as-path-ignore

Context

[Tree] (config>router>bgp>best-path-selection as-path-ignore)

Full Context

configure router bgp best-path-selection as-path-ignore

Description

This command configures whether AS path length is considered in the selection of the best BGP route for a prefix.

If an address family is listed in this command, then the length of AS paths is not a factor in the route selection process for routes of that address family.

The no form of this command removes the parameter from the configuration.

Default

no as-path-ignore

Parameters

ipv4

Specifies that the AS-path length will be ignored for all unlabeled unicast IPv4 routes.

label-ipv4

Specifies that the AS-path length will be ignored for all labeled-unicast IPv4 routes.

vpn-ipv4

Specifies that the AS-path length will be ignored for all VPN IPv4 (SAFI 128) routes.

ipv6

Specifies that the AS-path length will be ignored for all unlabeled unicast IPv6 routes.

label-ipv6

Specifies that the AS-path length will be ignored for all labeled-unicast IPv6 routes.

vpn-ipv6

Specifies that the AS-path length will be ignored for all VPN IPv6 (SAFI 128) routes.

mcast-ipv4

Specifies that the AS-path length will be ignored for all IPv4 multicast routes.

mcast-ipv6

Specifies that the AS-path length will be ignored for all IPv6 multicast routes.

mvpn-ipv4

Specifies that the AS-path length will be ignored for all IPv4 MVPN routes.

mvpn-ipv6

Specifies that the AS-path length will be ignored for all IPv6 MVPN routes.

l2-vpn

Specifies that the AS-path length will be ignored for all L2-VPN NLRIs.

Platforms

All

as-path-length

as-path-length

Syntax

as-path-length length [equal | or-higher | or-lower] [unique]

no as-path-length

Context

[Tree] (config>router>policy-options>policy-statement>entry>from as-path-length)

Full Context

configure router policy-options policy-statement entry from as-path-length

Description

This command matches BGP routes based on their AS path length (the number of AS numbers in the AS_PATH).

If no comparison qualifiers are present (equal, or-higher, or-lower), then equal is the implied default.

Confederation member AS numbers in the AS_PATH do not count towards the total. An AS_SET element is considered to have a length of 1.

The unique option counts.

A non-BGP route does not match a policy entry if it contains the as-path-length command.

Default

no as-path-length

Parameters

length

Specifies the length of the AS path.

Values

0 to 255, or a parameter name delimited by starting and ending at-sign (@) characters

equal

Specifies that matched routes should have the same number of AS path elements as the value specified.

or-higher

Specifies that matched routes should have the same or a greater number of AS path elements as the value specified.

or-lower

Specifies that matched routes should have the same or a lower number of AS path elements as the value specified.

unique

Specifies that only the unique AS numbers should be counted (that is, multiple occurrences of the same AS number in the sequence count as one).

Platforms

All
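The counting rules in the as-path-length entry above, as an added Python sketch (not SR OS code). The segment representation, the function names and the sample path are constructed for illustration; treating an AS_SET as length 1 even when unique is set is an assumption, since the page does not state how the two interact.

```python
"""Model of the as-path-length match criterion described above."""
from collections import namedtuple

Segment = namedtuple("Segment", "kind asns")

AS_SEQUENCE = "AS_SEQUENCE"
AS_SET = "AS_SET"
AS_CONFED_SEQUENCE = "AS_CONFED_SEQUENCE"
AS_CONFED_SET = "AS_CONFED_SET"
CONFED_KINDS = {AS_CONFED_SEQUENCE, AS_CONFED_SET}
QUALIFIERS = ("equal", "or-higher", "or-lower")


def as_path_length(segments, unique=False):
    """Count AS path elements using the rules given in the description."""
    length = 0
    seen = set()
    for seg in segments:
        if seg.kind in CONFED_KINDS:
            continue            # confederation member ASNs do not count
        if seg.kind == AS_SET:
            length += 1         # an AS_SET has a length of 1
            continue
        for asn in seg.asns:
            if unique:
                if asn in seen:
                    continue    # repeated ASN counts once with unique
                seen.add(asn)
            length += 1
    return length


def matches(segments, length, qualifier="equal", unique=False):
    """Evaluate the criterion; segments=None stands for a non-BGP route."""
    if qualifier not in QUALIFIERS:
        raise ValueError("unknown qualifier: %r" % qualifier)
    if not 0 <= length <= 255:
        raise ValueError("length must be 0 to 255")
    if segments is None:
        return False            # a non-BGP route never matches
    actual = as_path_length(segments, unique)
    if qualifier == "equal":
        return actual == length
    if qualifier == "or-higher":
        return actual >= length
    return actual <= length


# Constructed sample: a path prepended three times, with a confederation
# segment and an aggregate's AS_SET.
SAMPLE_PATH = [
    Segment(AS_CONFED_SEQUENCE, [65100, 65101]),
    Segment(AS_SEQUENCE, [64500, 64500, 64500, 64501]),
    Segment(AS_SET, [64510, 64511]),
]

if __name__ == "__main__":
    print("length:", as_path_length(SAMPLE_PATH))
    print("unique length:", as_path_length(SAMPLE_PATH, unique=True))
    print("length 4 or-higher:", matches(SAMPLE_PATH, 4, "or-higher"))
    print("length 3 or-lower, unique:",
          matches(SAMPLE_PATH, 3, "or-lower", unique=True))
```

The gap between the plain and unique counts is what decides whether a length filter also catches paths that are long only because of prepending.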

as-path-prepend

as-path-prepend

Syntax

as-path-prepend as-path [repeat]

as-path-prepend most-recent [repeat]

no as-path-prepend

Context

[Tree] (config>router>policy-options>policy-statement>entry>action as-path-prepend)

[Tree] (config>router>policy-options>policy-statement>default-action as-path-prepend)

Full Context

configure router policy-options policy-statement entry action as-path-prepend

configure router policy-options policy-statement default-action as-path-prepend

Description

The command prepends a BGP AS number once or numerous times to the AS path attribute of routes matching the route policy statement entry.

If an AS number is not configured, the AS path is not changed.

If the optional number is specified, then the AS number is prepended as many times as indicated by the number.

The no form of this command disables the AS path prepend action from the route policy entry.

Default

no as-path-prepend

Parameters

as-path

Specifies the AS number to prepend expressed as a decimal integer.

Values

1 to 4294967295

param-name — Specifies the AS path parameter variable name. Allowed values are any string up to 32 characters composed of printable, 7-bit ASCII characters. If the string contains special characters (#, ?, space), the entire string must be enclosed within double quotes. Policy parameters must start and end with at-signs (@); for example, "@variable@".

repeat

Specifies the number of times to prepend the specified AS number expressed as a decimal integer.

Values

1 to 50

param-name — Specifies the AS path parameter variable name. Allowed values are any string up to 32 characters composed of printable, 7-bit ASCII characters. If the string contains special characters (#, ?, space), the entire string must be enclosed within double quotes. Policy parameters must start and end with at-signs (@); for example, "@variable@".

most-recent

Specifies that the most recent AS number must be prepended to the AS-Path attribute of the route.

Platforms

All

asbr

asbr

Syntax

[no] asbr [trace-path domain-id]

no asbr

[no] asbr

Context

[Tree] (config>router>ospf asbr)

[Tree] (config>router>ospf3 asbr)

Full Context

configure router ospf asbr

configure router ospf3 asbr

Description

This command configures the router as an Autonomous System Boundary Router (ASBR) if the router is to be used to export routes from the Routing Table Manager (RTM) into this instance of OSPF. After a router is configured as an ASBR, the export policies into this OSPF domain take effect. If no policies are configured, no external routes are redistributed into the OSPF domain.

The no form of this command removes the ASBR status and withdraws the routes redistributed from the Routing Table Manager into this instance of OSPF from the link state database.

When configuring multiple instances of OSPF, there is a risk of loops because networks are advertised by multiple domains configured with multiple interconnections to one another. To prevent this from happening, all routers in a domain should be configured with the same domain ID. Each domain (OSPF-instance) should be assigned a specific bit value in the 32-bit tag mask.

When an external route is originated by an ASBR using an internal OSPF route in a given domain, the corresponding bit is set in the AS-external LSA. As the route gets redistributed from one domain to another, more bits are set in the tag mask, each corresponding to the OSPF domain the route visited. Route redistribution looping is prevented by checking the corresponding bit as part of the export policy; if the bit corresponding to the announcing OSPF process is already set, the route is not exported there.

Domain IDs are incompatible with any other use of normal tags. The domain ID should be configured with a value between 1 and 31 by each router in a given OSPF domain (OSPF Instance).

When an external route is originated by an ASBR using an internal OSPF route in a given domain, the corresponding (1-31) bit is set in the AS-external LSA.

Default

no asbr

Parameters

domain-id

Specifies the domain ID.

Values

1 to 31

Default

0

Platforms

All
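The domain-ID tag mask described in the asbr entry above, as an added Python model (not SR OS code). It assumes that domain ID n maps to bit n of the 32-bit tag, which the page does not spell out, and all function names are made up for the example.

```python
"""Model of OSPF multi-instance loop prevention with domain-ID tag bits."""


def domain_bit(domain_id):
    """Tag bit for a domain ID (assumption: bit position equals the ID)."""
    if not 1 <= domain_id <= 31:
        raise ValueError("domain ID must be 1 to 31")
    return 1 << domain_id


def visited_domains(tag):
    """Decode a tag mask into the list of domain IDs whose bit is set."""
    return [d for d in range(1, 32) if tag & (1 << d)]


def export_route(tag, source_domain, target_domain):
    """Export a route from source_domain into target_domain.

    Returns the tag carried by the new AS-external LSA, or None when the
    export check finds the target domain's bit already set.
    """
    if tag & domain_bit(target_domain):
        return None                       # route already visited the target
    return tag | domain_bit(source_domain)


def trace(domains):
    """Carry a route that is internal to domains[0] along the given chain
    of domains and return (source, target, tag-or-None) for each export."""
    tag = 0
    hops = []
    for src, dst in zip(domains, domains[1:]):
        new_tag = export_route(tag, src, dst)
        hops.append((src, dst, new_tag))
        if new_tag is None:
            break                         # export refused, the loop stops
        tag = new_tag
    return hops


if __name__ == "__main__":
    # Three OSPF instances interconnected in a ring: 1 -> 2 -> 3 -> 1.
    for src, dst, tag in trace([1, 2, 3, 1]):
        state = "blocked" if tag is None else "tag=0x%08x" % tag
        print("domain %d -> domain %d: %s" % (src, dst, state))

    # Why domain IDs cannot share the field with ordinary tags: a normal
    # tag value of 4 decodes as "visited domain 2", so export into domain 2
    # is refused even though the route has never been there.
    print("tag 4 decodes as domains", visited_domains(4))
    print("export into domain 2:", export_route(4, 3, 2))
```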

assert

assert

Syntax

assert [group grp-ip-address] [source ip-address] [detail]

no assert

Context

[Tree] (debug>router>pim assert)

Full Context

debug router pim assert

Description

This command enables debugging for the PIM assert mechanism.

The no form of this command disables PIM assert debugging.

Parameters

grp-ip-address

Debugs information associated with the PIM assert mechanism.

Values

multicast group address (ipv4, ipv6)

ip-address

Debugs information associated with the PIM assert mechanism.

Values

source address (ipv4, ipv6)

detail

Debugs detailed information on the PIM assert mechanism.

Platforms

All

assert-period

assert-period

Syntax

assert-period assert-period

no assert-period

Context

[Tree] (config>service>vprn>pim>if assert-period)

Full Context

configure service vprn pim interface assert-period

Description

This command configures the period in seconds for periodic refreshes of PIM Assert messages on an interface.

The no form of this command reverts to the default.

Default

assert-period 60

Parameters

assert-period

Specifies the period, in seconds, for periodic refreshes of PIM Assert messages on an interface.

Values

1 to 300

Platforms

All

assert-period

Syntax

assert-period assert-period

no assert-period

Context

[Tree] (config>router>pim>interface assert-period)

Full Context

configure router pim interface assert-period

Description

This command configures the period for periodic refreshes of PIM Assert messages on an interface.

The no form of this command removes the assert-period from the configuration.

Default

no assert-period

Parameters

assert-period

Specifies the period, in seconds, for periodic refreshes of PIM Assert messages on an interface.

Values

1 to 300

Platforms

All

assignment

assignment

Syntax

assignment {port port-id | card slot-number}

no assignment

Context

[Tree] (config>service>cust>multi-service-site assignment)

Full Context

configure service customer multi-service-site assignment

Description

This command assigns a multi-service customer site to a specific chassis slot, port, or channel. This allows the system to allocate the resources necessary to create the virtual schedulers defined in the ingress and egress scheduler policies as they are specified. This also verifies that each SAP assigned to the site exists within the context of the proper customer ID and that the SAP was configured on the proper slot, port, or channel. The assignment must be given prior to any SAP associations with the site.

The no form of this command removes the port, channel, or slot assignment. If the customer site has not yet been assigned, the command has no effect and returns without any warnings or messages.

Default

no assignment

Parameters

port-id

Assigns the multi-service customer site to the port-id or port-id.channel-id given. When the multi-service customer site is assigned to a specific port or channel, all SAPs associated with this customer site must be on a service owned by the customer and created on the defined port or channel. The defined port or channel must already have been pre-provisioned on the system but need not be installed when the customer site assignment is made.

Syntax: port-id[:encap-val]

Values

For the 7950 XRS:

slot/mda/port [.channel]
eth-tunnel-id: eth-tunnel-<id>
    eth-tunnel: keyword
    id: [1..1024]
lag-id: lag-id
    lag: keyword
    id: 1 to 800
    id: [1..1024]
eth-sat-id: esat-id/slot/port
    esat: keyword
    id: 1 to 20
    u: keyword
pxc-id: pxc-<id>.<sub-port>
    pxc: keyword
    id: 1 to 64
    sub-port: a, b
    lag: keyword
    id: 1 to 800
pw-id: pw-<id>
    pw: keyword
    id: 1 to 32767

For the 7750 SR and the 7450 ESS:

port-id: slot/mda/port[.channel]
aps-id: aps-group-id[.channel]
    aps: keyword
    group-id: 1 to 128
eth-tunnel-id: eth-tunnel-<id>
    eth-tunnel: keyword
    id: 1 to 1024
lag-id: lag-id
    lag: keyword
    id: 1 to 800
    id: 1 to 1024
eth-sat-id: esat-<id>/<slot>/[u]<port>
    esat: keyword
    id: 1 to 20
    u: keyword for up-link port
tdm-sat-id: tsat-<id>/<slot>/[<u>]<port>.<channel>
    tsat: keyword
    id: 1 to 20
    u: keyword for up-link port
pxc-id: psc-id.sub-port
    pxc psc-id.sub-port
    pxc: keyword
    id: 1 to 64
    sub-port: a, b
pw-id: pw-<id>
    pw: keyword
    id: 1 to 32767
slot-number: 1 to 10
fpe-id: 1 to 64

slot-number

Assigns the multi-service customer site to the slot-number given. When the multi-service customer site is assigned to a specific slot in the chassis, all SAPs associated with this customer site must be on a service owned by the customer and created on the defined chassis slot. The defined slot must already be pre-provisioned on the system but need not be installed when the customer site assignment is made.

Values

Any pre-provisioned slot number for the chassis type that allows SAP creation.

1 to 20

fpe-id

Specifies the multi-service-site (MSS) assignment to an FPE object for the purpose of controlling aggregated bandwidth across a set of PW SAPs.

Values

1 to 64

Platforms

All

assignment-id

assignment-id

Syntax

assignment-id assignment-id

Context

[Tree] (debug>router>l2tp assignment-id)

Full Context

debug router l2tp assignment-id

Description

This command enables and configures debugging for the L2TP tunnel with a given assignment ID.

Parameters

assignment-id

Specifies a string that distinguishes this L2TP tunnel, up to 63 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

assisted-replication

assisted-replication

Syntax

assisted-replication {replicator | leaf} [replicator-activation-time seconds]

no assisted-replication

Context

[Tree] (config>service>vpls>vxlan assisted-replication)

Full Context

configure service vpls vxlan assisted-replication

Description

This command enables the Assisted Replication (AR) function for VXLAN tunnels in the service. The execution of this command triggers the BGP EVPN to send an update containing the inclusive multicast route for the service and the AR type=AR Replicator (AR-R) or AR Leaf (AR-L).

The Replicators switch the VXLAN traffic back to VXLAN destinations when the IP destination address matches their own AR-IP address. Leaf nodes select a Replicator node and send all the Broadcast or Multicast frames to it so that the Replicator can replicate the traffic on their behalf.

Enabling or disabling the AR function, or changing the role between replicator and leaf, requires the BGP EVPN MPLS to be shut down.

If the leaf parameter is configured, the system creates a Broadcast or Multicast (BM) destination to the selected AR-R and Unknown Unicast (U) destinations to the rest of the VTEPs. If no replicator exists, the leaf creates BUM bindings to all the VTEPs.

If the replicator parameter is configured, the system will create BUM destinations to the remote leafs, Regular Network Virtualization Edge routers (RNVE), and other AR-Rs. The system will perform assisted replication for traffic from known VTEPs only (that is, where the routes have been received and programmed toward a VTEP).

The no version of this command removes the AR function from the service.

Default

no assisted-replication

Parameters

replicator-activation-time seconds

Optional parameter that can be added to the leaf parameter. It specifies the wait time before the leaf can begin sending traffic to a new replicator and is used to allow some time for the replicator to learn about the leaf.

Values

1 to 255

Default

0 seconds (indicates no replicator-activation-time and no delay in sending packets to the AR-R)

replicator | leaf

Selects the AR role of the router for the service.

Platforms

All

assisted-replication-ip

assisted-replication-ip

Syntax

assisted-replication-ip ip-address

no assisted-replication-ip

Context

[Tree] (config>service>system>vxlan assisted-replication-ip)

Full Context

configure service system vxlan assisted-replication-ip

Description

The assisted-replication-ip (AR-IP) command defines the IP address that supports the AR-R function in the router. The AR-IP address must also be defined as a loopback address in the base router and advertised in the IGP/BGP so that it is accessible to the remote NVE/PEs in the Overlay network.

If the AR-R function is enabled in a service, the Broadcast and Multicast frames encapsulated in VXLAN packets arriving at the router are replicated to the other VXLAN destinations within the service (except the destination pointing at the originator of the packet).

The no version of this command removes the AR IP address.

Default

no assisted-replication-ip

Parameters

ip-address

Specifies the assisted replication IP address.

Platforms

All

assistive-address-resolution

assistive-address-resolution

Syntax

[no] assistive-address-resolution

Context

[Tree] (config>service>ies>sub-if>grp-if>wlan-gw>ranges>range>vrgw>lanext assistive-address-resolution)

[Tree] (config>service>vprn>sub-if>grp-if>wlan-gw>ranges>range>vrgw>lanext assistive-address-resolution)

Full Context

configure service ies subscriber-interface group-interface wlan-gw vlan-tag-ranges range vrgw lanext assistive-address-resolution

configure service vprn subscriber-interface group-interface wlan-gw vlan-tag-ranges range vrgw lanext assistive-address-resolution

Description

This command enables assistive address resolution (AAR) for HLE services.

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

association

association

Syntax

association name

no association

Context

[Tree] (config>service>vpls>sap>pfcp association)

Full Context

configure service vpls sap pfcp association

Description

This command links this capture SAP to a PFCP association. This command enables CUPS for this capture SAP and makes any trigger packets eligible for forwarding to the BNG CUPS CPF.

The no form of this command disables CUPS for this capture SAP.

Parameters

name

Specifies the name of the association, up to 32 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

association

Syntax

association ma-index [format ma-name-format] name ma-name [admin-name admin-name]

association ma-index

no association ma-index

Context

[Tree] (config>eth-cfm>domain association)

Full Context

configure eth-cfm domain association

Description

This command configures the Maintenance Association (MA) for the domain.

Parameters

ma-index

Specifies the MA index value.

Values

1 to 4294967295

ma-name-format

Specifies a value that represents the type (format).

Values

icc-based:

Only applicable to a Y.1731 context where the domain format is configured as none. Allows for a name of exactly 13 characters.

integer:

0 to 65535 (integer value 0 means the MA is not attached to a VID)

string:

raw ascii

vid:

0 to 4095

vpn-id:

RFC-2685, Virtual Private Networks Identifier

xxx:xxxx, where x is a value between 00 and FF,

for example, 00164D:AABBCCDD

Default

integer

ma-name

Specifies the part of the MA identifier that is unique within the maintenance domain name, up to 45 characters.

admin-name

Specifies a creation time required parameter that allows the operator to assign a name value to the domain container. This is used for information and migration purposes. This value cannot be modified without destroying the domain. If no admin-name exists, the configured md-index value is converted into a character string to become the admin-name reference. When upgrading from a release that does not include the admin-name configuration option, the md-index is converted into a character string. After an admin-name value is assigned, it cannot be modified.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

association-id

association-id

Syntax

association-id association-id

no association-id

Context

[Tree] (config>router>pcep>pcc>pce-assoc>div association-id)

Full Context

configure router pcep pcc pce-associations diversity association-id

Description

This command configures the diversity association ID. The user must specify an association ID.

The no form of the command removes the association ID from the diversity association.

Default

no association-id

Parameters

association-id

Specifies the diversity association ID.

Values

1 to 65535

Platforms

All

association-id

Syntax

association-id association-id

no association-id

Context

[Tree] (config>router>pcep>pcc>pce-assoc>plcy association-id)

Full Context

configure router pcep pcc pce-associations policy association-id

Description

This command configures the policy association ID. The user must specify an association ID.

The no form of the command removes the association ID from the policy association.

Default

no association-id

Parameters

association-id

Specifies the policy association ID.

Values

1 to 65535

Platforms

All

association-source

association-source

Syntax

association-source ip-address

no association-source

Context

[Tree] (config>router>pcep>pcc>pce-assoc>div association-source)

Full Context

configure router pcep pcc pce-associations diversity association-source

Description

This command configures the source IP address of the diversity association.

The no form of the command removes the IP address from the diversity association.

Default

no association-source

Parameters

ip-address

Specifies the source IP address.

Values

ipv4-address:

a.b.c.d

ipv6-address:

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x - [0 to FFFF]H

d - [0 to 255]D

Platforms

All

association-source

Syntax

association-source ip-address

no association-source

Context

[Tree] (config>router>pcep>pcc>pce-assoc>plcy association-source)

Full Context

configure router pcep pcc pce-associations policy association-source

Description

This command configures the source IP address of the policy association.

The no form of the command removes the IP address from the policy association.

Default

no association-source

Parameters

ip-address

Specifies the source IP address.

Values

ipv4-address:

a.b.c.d

ipv6-address:

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x - [0 to FFFF]H

d - [0 to 255]D

Platforms

All

async-mapping

async-mapping

Syntax

[no] async-mapping

Context

[Tree] (config>port>otu async-mapping)

Full Context

configure port otu async-mapping

Description

This command allows the user to configure the port to support asynchronous mapping of the payload inside the OTU. If the port is configured for async-mapping and the payload clock is asynchronous to the OTU clock, there will be positive or negative pointer justification that will show up in the OTU statistics and the data will be received error free. If the port is configured for synchronous mapping and the received data is asynchronously mapped, there will be errors in the received data.

async-mapping is the only mode of operation that is supported on the OTU3 encapsulated 40-Gigabit Ethernet; therefore, 'no async-mapping' is not supported on that port type and the default on that port type is async-mapping.

The no form of this command configures the port to receive synchronously mapped data.

Default

no async-mapping

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

asynchronous-execution

asynchronous-execution

Syntax

asynchronous-execution seconds

asynchronous-execution never

Context

[Tree] (config>system>management-interface>ops>global-timeout asynchronous-execution)

Full Context

configure system management-interface operations global-timeouts asynchronous-execution

Description

This command configures the period of time that operations launched as "asynchronous" are allowed to execute before being automatically stopped by the SR OS.

An asynchronous operation is not deleted from the system when it is stopped. See the asynchronous-retention command.

If a specific execution timeout is not included in the request for a particular asynchronous operation, this system-level timeout applies.

Note:

This execution timeout is part of the general global operations infrastructure and is separate and independent from any operation-specific timeouts (for example, the ping operation also has its own timeout parameter).

Default

asynchronous-execution 3600

Parameters

seconds

Specifies the period of time, in seconds, that asynchronous operations are allowed to execute.

Values

1 to 604800

never

Keyword to specify that an execution timeout is not applied to asynchronous operations.

Platforms

All

asynchronous-retention

asynchronous-retention

Syntax

asynchronous-retention seconds

asynchronous-retention never

Context

[Tree] (config>system>management-interface>ops>global-timeout asynchronous-retention)

Full Context

configure system management-interface operations global-timeouts asynchronous-retention

Description

This command configures the period of time that data related to operations launched as "asynchronous" is retained in the system. After the retention timeout expires, all information related to the operation is deleted, including any status information and result data.

If a specific retention timeout is not included in the request for a particular asynchronous operation, this system-level timeout applies.

Default

asynchronous-retention 86400

Parameters

seconds

Specifies the period of time, in seconds, that data related to asynchronous operations is retained in the system.

Values

1 to 604800

never

Keyword to specify that data related to asynchronous operations will persist in memory until explicitly deleted.

Platforms

All

attempts

attempts

Syntax

attempts count [time minutes1] [lockout minutes2]

no attempts

Context

[Tree] (config>system>security>password attempts)

Full Context

configure system security password attempts

Description

This command configures a threshold value of unsuccessful login attempts allowed in a specified time frame.

If the threshold is exceeded, the user is locked out for a specified time period.

If multiple attempts commands are entered, each command overwrites the previously entered command.

The no attempts command resets all values to default.

Note:

This command applies to a local user, in addition to users on RADIUS, TACACS, and LDAP.

Default

attempts 3 time 5 lockout 10

Parameters

count

Specifies the number of unsuccessful login attempts allowed for the specified time. This is a mandatory value that must be explicitly entered.

Values

1 to 64

minutes1

Specifies the period of time, in minutes, that a specified number of unsuccessful attempts can be made before the user is locked out.

Values

0 to 60

minutes2

Specifies the lockout period, in minutes, during which the user is not allowed to log in. If the user exceeds the attempted count times in the specified time, then that user is locked out from any further login attempts for the configured lockout time period.

Values

0 to 1440, or infinite (the user is locked out and must wait until manually unlocked before any further attempts)

Platforms

All

attempts

Syntax

attempts [count] [time minutes1] [lockout minutes2]

no attempts

Context

[Tree] (config>system>security>snmp attempts)

Full Context

configure system security snmp attempts

Description

This command configures a threshold value of unsuccessful SNMPv2 or SNMPv3 connection attempts allowed in a specified time frame. The command parameters are used to counter denial of service (DoS) attacks through SNMP.

If the threshold is exceeded, the host is locked out for the lockout time period.

The no form of the command restores the default values.

Default

attempts 20 time 5 lockout 10

Parameters

count

Specifies the number of unsuccessful SNMP attempts allowed for the specified time.

Values

1 to 64

minutes1

Specifies the period of time, in minutes, that a specified number of unsuccessful attempts can be made before the host is locked out.

Values

0 to 60

minutes2

Specifies the lockout period, in minutes, during which the host is not allowed to log in. When the host exceeds the attempted count times in the specified time, that host is locked out from any further login attempts for the configured time period.

Values

0 to 1440

Platforms

All
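The count / time / lockout threshold described in the two attempts entries above (password and SNMP), replayed over a constructed authentication log to see which accounts or hosts a given setting would lock. This is an added example, not SR OS code: the log format, the sliding-window counting, locking on the failure that reaches count, and ignoring successful logins are all assumptions.

```python
"""Replay failed-login events against an `attempts count time minutes1 lockout minutes2` setting.

Added illustration, not SR OS code. Assumptions: a sliding window, a lock on the
failure that brings the window to `count`, and only failures being counted.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

INFINITE = None  # stands for the `lockout infinite` form of the password command


@dataclass(frozen=True)
class AttemptsPolicy:
    count: int = 3                    # password default: attempts 3 time 5 lockout 10
    time_min: int = 5
    lockout_min: Optional[int] = 10

    def __post_init__(self):
        # Ranges as listed in the reference. The page gives no meaning for 0,
        # so 0 is accepted and applied literally by this model.
        if not 1 <= self.count <= 64:
            raise ValueError("count must be 1 to 64")
        if not 0 <= self.time_min <= 60:
            raise ValueError("time must be 0 to 60 minutes")
        if self.lockout_min is not INFINITE and not 0 <= self.lockout_min <= 1440:
            raise ValueError("lockout must be 0 to 1440 minutes or infinite")


@dataclass(frozen=True)
class Lockout:
    subject: str              # user name (password) or host (SNMP)
    start: datetime
    end: Optional[datetime]   # None = stays locked until manually unlocked


# Constructed log format for this example; real SR OS event logs look different.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?:user|host)=(?P<subject>\S+) result=(?P<result>ok|fail)$")

SAMPLE_LOG = """\
2024-05-01T10:00:00 user=admin result=fail
2024-05-01T10:00:00 user=oper result=fail
2024-05-01T10:01:00 user=admin result=fail
2024-05-01T10:02:00 user=admin result=fail
2024-05-01T10:03:00 user=oper result=ok
2024-05-01T10:04:00 user=oper result=fail
2024-05-01T10:05:00 user=admin result=fail
2024-05-01T10:09:30 user=oper result=fail
2024-05-01T10:13:00 user=admin result=fail
""".splitlines()


def replay(lines, policy):
    """Return (lockouts, rejected): locks that would start, and attempts made while locked."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # unparseable lines are skipped
            events.append((datetime.fromisoformat(m["ts"]), m["subject"], m["result"]))
    events.sort(key=lambda e: e[0])

    failures = defaultdict(deque)   # subject -> failure timestamps inside the window
    locked_until = {}               # subject -> expiry (datetime.max for infinite)
    lockouts, rejected = [], []
    window_len = timedelta(minutes=policy.time_min)

    for ts, subject, result in events:
        if subject in locked_until and ts < locked_until[subject]:
            rejected.append((subject, ts))   # attempt arrives during a lockout
            continue
        if result != "fail":
            continue
        window = failures[subject]
        window.append(ts)
        while ts - window[0] > window_len:   # drop failures older than the window
            window.popleft()
        if len(window) >= policy.count:
            end = None if policy.lockout_min is INFINITE else ts + timedelta(minutes=policy.lockout_min)
            locked_until[subject] = end or datetime.max
            lockouts.append(Lockout(subject, ts, end))
            window.clear()
    return lockouts, rejected


if __name__ == "__main__":
    for label, policy in [("default 3/5/10", AttemptsPolicy()),
                          ("3/10/infinite", AttemptsPolicy(3, 10, INFINITE))]:
        locks, blocked = replay(SAMPLE_LOG, policy)
        print(label, [(l.subject, l.start.time(), l.end) for l in locks], len(blocked))
```

For the SNMP form, key the same replay on the host and start from that entry's defaults (attempts 20 time 5 lockout 10).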

attrib

attrib

Syntax

attrib [+r | -r] file-url

attrib

Context

[Tree] (file attrib)

Full Context

file attrib

Description

This command sets or clears/resets the read-only attribute for a file in the local file system. To list all files and their current attributes enter attrib or attrib x where x is either the filename or a wildcard (*).

When an attrib command is entered to list a specific file or all files in a directory, the file's attributes are displayed with or without an "R" preceding the filename. The "R" implies that the +r is set and that the file is read-only. A file without the "R" designation implies that the -r is set and that the file is read-write-all. For example:

ALA-1>file cf3:\ # attrib
cf3:\bootlog.txt
cf3:\bof.cfg
cf3:\boot.ldr
cf3:\sr1.cfg
cf3:\test
cf3:\bootlog_prev.txt
cf3:\BOF.SAV 

Parameters

file-url

Specifies the URL for the local file.

Values

local-url: [cflash-id/][file-path] up to 200 characters, including cflash-id directory length 99 chars max each
remote-url: [{ftp:// | tftp://}login:pswd@remote-locn/][file-path]
    up to 247 characters
    directory length up to 199 characters
remote-locn: [hostname | ipv4-address | [ipv6-address]]
ipv4-address: a.b.c.d
ipv6-address: x:x:x:x:x:x:x:x[-interface]
    x:x:x:x:x:x:d.d.d.d[-interface]
    x - [0 to FFFF]H
    d - [0 to 255]D
    interface - up to 32 characters, for link local addresses 255
cflash-id: cf1:, cf1-A:, cf1-B:, cf2:, cf2-A:, cf2-B:, cf3:, cf3-A:, cf3-B:

+r

Sets the read-only attribute on the specified file.

-r

Clears/resets the read-only attribute on the specified file.

Platforms

All

attribute

attribute

Syntax

attribute [vendor vendor-id] attribute-type attribute-type

no attribute

Context

[Tree] (config>service>vprn>nat>inside>subscriber-identification attribute)

[Tree] (config>router>nat>inside>subscriber-identification attribute)

Full Context

configure service vprn nat inside subscriber-identification attribute

configure router nat inside subscriber-identification attribute

Description

This command defines the attribute that is used, in addition to framed-ip-address (inside IP address) and service-id, to correlate the BNG subscriber with the NAT subscriber.

Only a single attribute can be configured at a time. The attribute is extracted from the BNG accounting start and/or interim-update messages via the RADIUS accounting proxy server. This attribute can then optionally be passed to the Large Scale NAT44 accounting server. The User-name attribute (if included) in Large Scale NAT44 accounting messages is automatically set to the subscriber-id string.

The attribute parameter can be changed at any given time and the change is reflected automatically when the next interim-update message from the BNG host is received by the RADIUS accounting proxy.

If the BNG accounting message in the RADIUS accounting proxy does not contain this attribute, subscriber-aware Large Scale NAT44 functionality for this particular subscriber is disabled.

Default

attribute vendor "nokia" attribute-type "alc-sub-string"

Parameters

vendor vendor-id

Specifies the RADIUS vendor ID.

Values

standard, nokia (6527), 3gpp

Default

nokia

attribute-type attribute-type

Specifies the RADIUS attribute to be used as subscriber identifier.

Values

alc-sub-string (nokia) — Subscriber-id string (Alc-Subsc-ID-Str) is cached in Large Scale NAT44 application and used to correlate Large Scale NAT44 subscriber to BNG subscriber.

user-name (stnd) — User-Name standard RADIUS attribute is cached in Large Scale NAT44 application and is used to correlate Large Scale NAT44 subscriber to BNG subscriber.

class (stnd) — Class standard RADIUS attribute is cached in Large Scale NAT44 application and is used to correlate Large Scale NAT44 subscriber to BNG subscriber. The Class attribute is initially set and sent by the RADIUS server. As such, it must be echoed by the BNG in all accounting messages.

station-id (stnd) — Calling-Station-Id RADIUS attribute is cached in Large Scale NAT44 application and is used to correlate Large Scale NAT44 subscriber to BNG subscriber.

imsi (3gpp) — International Mobile Subscriber Identification is used in WiFi Offload applications as a SIM card identifier.

imei (3gpp) — International Mobile Equipment Identification is used in WiFi Offload applications as a physical phone device identifier.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

attribute-matching

attribute-matching

Syntax

attribute-matching

Context

[Tree] (config>router>radius-proxy>server attribute-matching)

[Tree] (config>service>vprn>radius-proxy>server attribute-matching)

Full Context

configure router radius-proxy server attribute-matching

configure service vprn radius-proxy server attribute-matching

Description

Commands in this context select the RADIUS policy for authentication and accounting based on the RADIUS attribute. This feature is supported for both the ESM RADIUS proxy and the ISA RADIUS proxy.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

attribute-propagation

attribute-propagation

Syntax

[no] attribute-propagation

Context

[Tree] (config>service>system>bgp-evpn>ad-per-evi-routes attribute-propagation)

Full Context

configure service system bgp-evpn ad-per-evi-routes attribute-propagation

Description

This command enables attribute propagation in multi-instance Epipe services.

The no form of this command disables the propagation of attributes, including D-PATH, even if the domain-id is configured in the service.

Default

no attribute-propagation

Platforms

All

attribute-set

attribute-set

Syntax

attribute-set

Context

[Tree] (config>service>vprn>bgp attribute-set)

Full Context

configure service vprn bgp attribute-set

Description

Commands in this context configure the handling of attribute set (ATTR_SET) attributes in BGP routes received from PE-CE peers of the VPRN.

ATTR_SET is an optional transitive BGP path attribute standardized by RFC 6368 that is added to BGP Layer 3 VPN routes to provide logical separation between the BGP domain of a customer and the BGP domain of a service provider.

Platforms

All

attribute-set

Syntax

attribute-set

Context

[Tree] (config>service>vprn>bgp-ipvpn attribute-set)

Full Context

configure service vprn bgp-ipvpn attribute-set

Description

Commands in this context configure the handling of attribute set (ATTR_SET) attributes attached to VPN-IP routes imported into or exported from the VPRN.

ATTR_SET is an optional transitive BGP path attribute standardized by RFC 6368 that is added to BGP Layer 3 VPN routes to provide logical separation between the BGP domain of a customer and the BGP domain of a service provider.

Platforms

All

attribute-table-high-wmark

attribute-table-high-wmark

Syntax

attribute-table-high-wmark high-water-mark

no attribute-table-high-wmark

Context

[Tree] (config>service>vpls>mrp>mmrp attribute-table-high-wmark)

[Tree] (config>service>vpls>mrp>mvrp attribute-table-high-wmark)

Full Context

configure service vpls mrp mmrp attribute-table-high-wmark

configure service vpls mrp mvrp attribute-table-high-wmark

Description

This command specifies the percentage filling level of the MMRP attribute table at which logs and traps are sent.

Default

attribute-table-high-wmark 95

Parameters

high-water-mark

Specifies the utilization of the MRP attribute table of this service at which a table full alarm will be raised by the agent, as a percentage.

Values

0 to 100

Platforms

All

attribute-table-low-wmark

attribute-table-low-wmark

Syntax

attribute-table-low-wmark low-water-mark

no attribute-table-low-wmark

Context

[Tree] (config>service>vpls>mrp>mmrp attribute-table-low-wmark)

[Tree] (config>service>vpls>mrp>mvrp attribute-table-low-wmark)

Full Context

configure service vpls mrp mmrp attribute-table-low-wmark

configure service vpls mrp mvrp attribute-table-low-wmark

Description

This command specifies the MMRP attribute table low watermark as a percentage. When the percentage filling level of the MMRP attribute table drops below the configured value, the corresponding trap is cleared and/or a log entry is added.

Default

attribute-table-low-wmark 90

Parameters

low-water-mark

Specifies the utilization of the MRP attribute table of this service at which a table full alarm will be cleared by the agent, as a percentage.

Values

0 to 100

Platforms

All

attribute-table-size

attribute-table-size

Syntax

attribute-table-size max-attributes

no attribute-table-size

Context

[Tree] (config>service>vpls>mrp>mmrp attribute-table-size)

Full Context

configure service vpls mrp mmrp attribute-table-size

Description

This command controls the number of attributes accepted on a per B-VPLS basis. When the limit is reached, no new attributes will be registered.

If a new lower limit (smaller than the current number of attributes) from a local or dynamic I-VPLS is being provisioned, a CLI warning will be issued stating that the system is currently beyond the new limit. The value will be accepted, but any creation of new attributes will be blocked until the attribute count drops below the new limit; the software will then start enforcing the new limit.

Default

maximum number of attributes

Parameters

value

The maximum number of attributes accepted per B-VPLS.

Values

1 to 2048 (Full participants)

1 to 8191 (End-Station-Only participants)

Platforms

All

attribute-table-size

Syntax

[no] attribute-table-size value

Context

[Tree] (config>service>vpls>mrp>mvrp attribute-table-size)

Full Context

configure service vpls mrp mvrp attribute-table-size

Description

This command controls the number of attributes accepted on a per M-VPLS basis. When the limit is reached, no new attributes will be registered.

If a new lower limit (smaller than the current number of attributes) is being provisioned, a CLI warning will be issued stating that the system is currently beyond the new limit. The value will be accepted, but any creation of new attributes will be blocked until the attribute count drops below the new limit; the software will then start enforcing the new limit.

Default

maximum number of attributes

Parameters

value

Specifies the number of attributes accepted on a per M-VPLS basis.

Values

1 to 4095 for MVRP

Platforms

All

attribute-uniform-propagation

attribute-uniform-propagation

Syntax

[no] attribute-uniform-propagation

Context

[Tree] (config>service>system>bgp-evpn>ip-prefix-routes>iff attribute-uniform-propagation)

Full Context

configure service system bgp-evpn ip-prefix-routes interface-ful attribute-uniform-propagation

Description

This command enables the uniform propagation of BGP attributes for EVPN Interface-ful (EVPN-IFF) routes. EVPN-IFF is used in R-VPLS services with bgp-evpn>ip-route-advertisement. When enabled, the received EVPN-IFF routes for the R-VPLS can be propagated with the original BGP path attributes into EVPN-IFL, IPVPN, EVPN-IFF (in other R-VPLS services), or BGP IP routes advertised for the attached VPRN. This command also enables the attribute propagation in the opposite direction; for example, from EVPN-IFL, IPVPN, IP, or EVPN-IFF routes into EVPN-IFF routes.

The propagation is in accordance with the uniform mode defined in draft-ietf-bess-evpn-ipvpn-interworking.

The no form of this command re-originates the BGP path attributes when propagating EVPN-IFF routes into other inter-subnet forwarding families.

Default

no attribute-uniform-propagation

Platforms

All

augment-route-table

augment-route-table

Syntax

[no] augment-route-table

Context

[Tree] (config>router>isis>loopfree-alternates augment-route-table)

Full Context

configure router isis loopfree-alternates augment-route-table

Description

This command enables IS-IS to attach Remote LFA specific information to RTM entries for use by other protocols. This command requires configure router isis lfa remote-lfa to be enabled. Currently only LDP makes use of this additional information.

The no form of this command disables the attachment of Remote LFA specific information to RTM entries by IS-IS for use by other protocols.

Platforms

All

augment-route-table

Syntax

[no] augment-route-table

Context

[Tree] (config>router>ospf>loopfree-alternates augment-route-table)

Full Context

configure router ospf loopfree-alternates augment-route-table

Description

This command enables OSPF to attach Remote LFA (rLFA) information to RTM entries for use by other protocols. Before this command is configured, the configure router ospf lfa remote-lfa command must be enabled on the system. Currently, only LDP makes use of this additional information.

The no form of this command disables the attachment of rLFA-specific information to RTM entries for use by other protocols.

Default

no augment-route-table

Platforms

All

auth

auth

Syntax

[no] auth

Context

[Tree] (debug>router>rsvp>event auth)

Full Context

debug router rsvp event auth

Description

This command debugs auth events.

The no form of the command disables the debugging.

Platforms

All

auth

Syntax

[no] auth [neighbor ip-int-name | ip-address]

Context

[Tree] (debug>router>rip auth)

Full Context

debug router rip auth

Description

This command enables debugging for RIP authentication.

Parameters

ip-int-name | ip-address

Debugs the RIP authentication for the neighbor IP address or interface.

Platforms

All

auth-domain-name

auth-domain-name

Syntax

auth-domain-name domain-name

no auth-domain-name

Context

[Tree] (config>subscr-mgmt>loc-user-db>ipoe>host auth-domain-name)

Full Context

configure subscriber-mgmt local-user-db ipoe host auth-domain-name

Description

This command sets the domain name that can be appended to the user-name in the RADIUS authentication request message for the given host.

The no form of this command removes the domain name from the host configuration.

Parameters

domain-name

Specifies the domain name, up to 32 characters, to be appended to the user-name in the RADIUS authentication request message for the given host.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

auth-include-attributes

auth-include-attributes

Syntax

[no] auth-include-attributes

Context

[Tree] (config>aaa>isa-radius-plcy auth-include-attributes)

Full Context

configure aaa isa-radius-policy auth-include-attributes

Description

This command configures attributes to be included in RADIUS authentication messages.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

auth-keychain

auth-keychain

Syntax

auth-keychain name

no auth-keychain

Context

[Tree] (config>subscr-mgmt>bgp-prng-plcy auth-keychain)

Full Context

configure subscriber-mgmt bgp-peering-policy auth-keychain

Description

This command configures the BGP authentication key for all peers.

The keychain allows the rollover of authentication keys during the lifetime of a session.

The no form of this command reverts to the default.

Parameters

name

Specifies the name of an existing keychain, up to 32 characters, to use for the specified TCP session or sessions.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

auth-keychain

Syntax

auth-keychain name

Context

[Tree] (config>service>vprn>bgp>group auth-keychain)

[Tree] (config>service>vprn>bgp auth-keychain)

[Tree] (config>service>vprn>bgp>group>neighbor auth-keychain)

Full Context

configure service vprn bgp group auth-keychain

configure service vprn bgp auth-keychain

configure service vprn bgp group neighbor auth-keychain

Description

This command configures the BGP authentication key for all peers.

The keychain allows the rollover of authentication keys during the lifetime of a session.

Default

no auth-keychain

Parameters

name

Specifies the name of an existing keychain, up to 32 characters, to use for the specified TCP session or sessions.

Platforms

All

auth-keychain

Syntax

auth-keychain name

Context

[Tree] (config>service>vprn>isis>level auth-keychain)

[Tree] (config>service>vprn>isis auth-keychain)

Full Context

configure service vprn isis level auth-keychain

configure service vprn isis auth-keychain

Description

This command configures an authentication keychain to use for the protocol interface for the VPRN instance. The keychain allows the rollover of authentication keys during the lifetime of a session.

Default

no auth-keychain

Parameters

name

Specifies the name of the keychain, up to 32 characters, to use for the specified protocol session or sessions.

Platforms

All

auth-keychain

Syntax

auth-keychain name

Context

[Tree] (config>router>isis auth-keychain)

[Tree] (config>router>isis>level auth-keychain)

Full Context

configure router isis auth-keychain

configure router isis level auth-keychain

Description

This command configures an authentication keychain to use for the protocol interface. The keychain allows the rollover of authentication keys during the lifetime of a session.

Parameters

name

Specifies the name of the keychain, up to 32 characters, to use for the specified protocol session or sessions.

Platforms

All

auth-keychain

Syntax

auth-keychain name

Context

[Tree] (config>service>vprn>ospf>area>if auth-keychain)

[Tree] (config>service>vprn>ospf>area>sham-link auth-keychain)

[Tree] (config>service>vprn>ospf>area>virtual-link auth-keychain)

Full Context

configure service vprn ospf area interface auth-keychain

configure service vprn ospf area sham-link auth-keychain

configure service vprn ospf area virtual-link auth-keychain

Description

This command enables the authentication keychain.

Parameters

name

Specifies the name of the authentication keychain, up to 32 characters.

Platforms

All

auth-keychain

Syntax

auth-keychain name

Context

[Tree] (config>router>ldp>tcp-session-params auth-keychain)

[Tree] (config>router>ldp>tcp-session-params>peer-transport auth-keychain)

Full Context

configure router ldp tcp-session-parameters auth-keychain

configure router ldp tcp-session-parameters peer-transport auth-keychain

Description

This command configures the TCP authentication keychain to use for the TCP session. The per-peer authentication configuration takes precedence over the global authentication configuration.

Parameters

name

Specifies the name of the keychain, up to 32 characters. This keychain is used for the specified TCP session or sessions, and allows the rollover of authentication keys during the lifetime of a session. The peer address used must be the TCP session transport address.

Platforms

All

auth-keychain

Syntax

auth-keychain name

Context

[Tree] (config>router>rsvp>interface auth-keychain)

Full Context

configure router rsvp interface auth-keychain

Description

This command configures an authentication keychain to use for authentication of protocol messages sent and received over the associated interface. The keychain must include a valid entry to properly authenticate protocol messages, including a key, specification of a supported authentication algorithm, and beginning time. Each entry may also include additional options to control the overall lifetime of each entry to allow for seamless rollover without affecting the protocol adjacencies.

The no form of the auth-keychain command removes the association between the routing protocol and any keychain currently used.

Default

no auth-keychain

Parameters

name

Specifies the name of the keychain, up to 32 characters, to use for the specified protocol session or sessions.

Platforms

All

auth-keychain

Syntax

auth-keychain name

Context

[Tree] (config>router>bgp>group>neighbor auth-keychain)

[Tree] (config>router>bgp>group auth-keychain)

[Tree] (config>router>bgp auth-keychain)

Full Context

configure router bgp group neighbor auth-keychain

configure router bgp group auth-keychain

configure router bgp auth-keychain

Description

This command configures a TCP authentication keychain to use for the session. The keychain allows the rollover of authentication keys during the lifetime of a session.

Default

no auth-keychain

Parameters

name

Specifies the name of the keychain, up to 32 characters, to use for the specified TCP session or sessions.

Platforms

All

auth-keychain

Syntax

auth-keychain

Context

[Tree] (config>router>ospf>area>virtual-link auth-keychain)

[Tree] (config>router>ospf>area>interface auth-keychain)

Full Context

configure router ospf area virtual-link auth-keychain

configure router ospf area interface auth-keychain

Description

This command configures an authentication keychain to use for the protocol interface. The keychain allows the rollover of authentication keys during the lifetime of a session.

The no form of this command removes the association to a previously specified keychain.

Default

no auth-keychain

Parameters

name

Specifies the name of the keychain, up to 32 characters, to use for the specified protocol session or sessions.

Platforms

All

auth-keychain

Syntax

auth-keychain name

Context

[Tree] (config>router>pcep>pcc>peer auth-keychain)

[Tree] (config>router>pcep>pce auth-keychain)

Full Context

configure router pcep pcc peer auth-keychain

configure router pcep pce auth-keychain

Description

This command specifies a keychain to be used for TCP-AO authentication between the PCC and the PCE. The keychain must first be configured in the configure system security keychain context.

Default

no auth-keychain

Parameters

name

Specifies the name of the keychain, up to 32 characters.

Platforms

All

  • configure router pcep pcc peer auth-keychain

VSR-NRC

  • configure router pcep pce auth-keychain

auth-method

auth-method

Syntax

auth-method {psk | plain-psk-xauth | cert-auth | psk-radius | cert-radius | eap | auto-eap-radius | auto-eap}

no auth-method

Context

[Tree] (config>ipsec>ike-policy auth-method)

Full Context

configure ipsec ike-policy auth-method

Description

This command specifies the authentication method used with this IKE policy.

The no form of this command removes the parameter from the configuration.

Default

no auth-method

Parameters

psk

Both client and gateway authenticate each other by a hash derived from a pre-shared secret. Both client and gateway must have the PSK. This works with both IKEv1 and IKEv2.

plain-psk-xauth

Both client and gateway authenticate each other by pre-shared key and RADIUS. This works with IKEv1 only.

psk-radius

Use the pre-shared-key and RADIUS to authenticate. IKEv2 remote-access tunnel only.

cert-radius

Use the certificate, public/private key and RADIUS to authenticate. IKEv2 remote-access tunnel only.

eap

Use EAP to authenticate the peer. IKEv2 remote-access tunnel only.

auto-eap-radius

Use EAP or potentially other method to authenticate the peer. IKEv2 remote-access tunnel only. Also see config>ipsec>ike-policy auto-eap-method and config>ipsec>ike-policy auto-eap-own-method.

auto-eap

Use the EAP or potentially other RADIUS-related method to authenticate the peer. IKEv2 remote-access tunnel only. Also see config>ipsec>ike-policy auto-eap-method and config>ipsec>ike-policy auto-eap-own-method.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

auth-policy

auth-policy

Syntax

auth-policy policy-name

no auth-policy

Context

[Tree] (config>subscr-mgmt>loc-user-db>ipoe>host auth-policy)

[Tree] (config>subscr-mgmt>loc-user-db>ppp>host auth-policy)

Full Context

configure subscriber-mgmt local-user-db ipoe host auth-policy

configure subscriber-mgmt local-user-db ppp host auth-policy

Description

This command configures the authentication policy of this host and PPPoE hosts. This authentication policy is only used if no authentication policy is defined at the interface level. For DHCP hosts, the host entry should not contain any other information needed for setup of the host (IP address, ESM strings, and so on). For PPPoE hosts, the authentication policy configured here must have its PPPoE authentication method set to pap-chap; otherwise, the request is dropped.

The no form of this command reverts to the default.

Parameters

policy-name

Specifies the authentication policy name, up to 32 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

auth-port

auth-port

Syntax

auth-port port

no auth-port

Context

[Tree] (config>router>radius-server>server auth-port)

[Tree] (config>service>vprn>radius-server>server auth-port)

Full Context

configure router radius-server server auth-port

configure service vprn radius-server server auth-port

Description

This command specifies the UDP listening port for RADIUS authentication requests.

The no form of this command resets the UDP port to its default value (1812).

Default

auth-port 1812

Parameters

port

Specifies the UDP listening port for accounting requests of the external RADIUS server.

Values

1 to 65535

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

auth-request-script-policy

auth-request-script-policy

Syntax

auth-request-script-policy policy-name

no auth-request-script-policy

Context

[Tree] (config>aaa>radius-srv-plcy auth-request-script-policy)

Full Context

configure aaa radius-server-policy auth-request-script-policy

Description

This command specifies the name of the RADIUS script policy used to change the RADIUS attributes of the Access-Request messages.

Parameters

policy-name

Specifies the name of the Python script to modify Access-Request messages, up to 32 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

authenticate

authenticate

Syntax

[no] authenticate

Context

[Tree] (config>service>vprn>ntp authenticate)

Full Context

configure service vprn ntp authenticate

Description

This command enables authentication for the NTP server.

Platforms

All

authenticate-client

authenticate-client

Syntax

authenticate-client

Context

[Tree] (config>system>security>tls>server-tls-profile authenticate-client)

Full Context

configure system security tls server-tls-profile authenticate-client

Description

Commands in this context configure client authentication parameters.

Platforms

All

authenticate-on-dhcp

authenticate-on-dhcp

Syntax

[no] authenticate-on-dhcp

Context

[Tree] (config>service>ies>sub-if>grp-if>wlan-gw>ranges>range authenticate-on-dhcp)

[Tree] (config>service>vprn>sub-if>grp-if>wlan-gw>ranges>range authenticate-on-dhcp)

Full Context

configure service ies subscriber-interface group-interface wlan-gw vlan-tag-ranges range authenticate-on-dhcp

configure service vprn subscriber-interface group-interface wlan-gw vlan-tag-ranges range authenticate-on-dhcp

Description

This command enables initial authentication (when there is no state for the UE on the ISA) to be triggered by DHCP DISCOVER or REQUEST. The default behavior is authentication based on the first Layer 3 packet.

The no form of this command reverts to the default.

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

authenticated-brg-only

authenticated-brg-only

Syntax

[no] authenticated-brg-only

Context

[Tree] (config>service>ies>sub-if>grp-if>wlan-gw>vlan-ranges>range>vrgw>brg authenticated-brg-only)

[Tree] (config>service>vprn>sub-if>grp-if>wlan-gw>ranges>range>brg authenticated-brg-only)

[Tree] (config>service>vprn>sub-if>grp-if>brg authenticated-brg-only)

[Tree] (config>service>vprn>sub-if>grp-if>wlan-gw>vlan-ranges>range>vrgw>brg authenticated-brg-only)

[Tree] (config>service>ies>sub-if>grp-if>brg authenticated-brg-only)

[Tree] (config>service>ies>sub-if>grp-if>wlan-gw>ranges>range>brg authenticated-brg-only)

Full Context

configure service ies subscriber-interface group-interface wlan-gw vlan-ranges range vrgw brg authenticated-brg-only

configure service vprn subscriber-interface group-interface wlan-gw ranges range brg authenticated-brg-only

configure service vprn subscriber-interface group-interface brg authenticated-brg-only

configure service vprn subscriber-interface group-interface wlan-gw vlan-ranges range vrgw brg authenticated-brg-only

configure service ies subscriber-interface group-interface brg authenticated-brg-only

configure service ies subscriber-interface group-interface wlan-gw ranges range brg authenticated-brg-only

Description

This command indicates that only BRGs that are pre-authenticated using the RADIUS proxy are allowed in this context.

The no form of this command removes the restriction.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

authentication

authentication

Syntax

authentication {chap | pap | pref-chap | pref-pap}

Context

[Tree] (config>router>l2tp>group>ppp authentication)

[Tree] (config>service>vprn>l2tp>group>tunnel>ppp authentication)

[Tree] (config>service>vprn>l2tp>group>ppp authentication)

[Tree] (config>router>l2tp>group>tunnel>ppp authentication)

Full Context

configure router l2tp group ppp authentication

configure service vprn l2tp group tunnel ppp authentication

configure service vprn l2tp group ppp authentication

configure router l2tp group tunnel ppp authentication

Description

This command configures the PPP authentication protocol to negotiate authentication.

Default

authentication pref-chap

Parameters

chap

Specifies to always use CHAP for authentication.

pap

Specifies to always use PAP for authentication.

pref-chap

Specifies to use CHAP as the preferred authentication method, and to use PAP if that attempt fails.

pref-pap

Specifies to use PAP as the preferred authentication method, and to use CHAP if that attempt fails.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

authentication

Syntax

authentication

Context

[Tree] (config>service>dynsvc>policy authentication)

Full Context

configure service dynamic-services dynamic-services-policy authentication

Description

Commands in this context configure authentication parameters for data-triggered dynamic services.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

authentication

Syntax

authentication [policy policy-name] [mac-addr ieee-address] [circuit-id circuit-id]

Context

[Tree] (debug>subscr-mgmt authentication)

Full Context

debug subscriber-mgmt authentication

Description

This command debugs subscriber authentication.

Parameters

policy-name

Specifies an existing subscriber management authentication policy name.

ieee-address

Specifies the 48-bit MAC address xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx.

circuit-id

Specifies the circuit-id, up to 256 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

authentication

Syntax

authentication

Context

[Tree] (config>service>ies>sub-if>grp-if>wlan-gw>ranges>range authentication)

[Tree] (config>service>vprn>sub-if>grp-if>wlan-gw>ranges>range authentication)

Full Context

configure service ies subscriber-interface group-interface wlan-gw vlan-tag-ranges range authentication

configure service vprn subscriber-interface group-interface wlan-gw vlan-tag-ranges range authentication

Description

Commands in this context create configuration for authenticating a user from the WLAN-GW ISA.

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

authentication

Syntax

authentication bidirectional sa-name

authentication inbound sa-name outbound sa-name

no authentication

Context

[Tree] (config>service>vprn>ospf3>area>if authentication)

[Tree] (config>service>vprn>ospf3>area>virtual-link authentication)

Full Context

configure service vprn ospf3 area interface authentication

configure service vprn ospf3 area virtual-link authentication

Description

This command configures OSPFv3 confidentiality authentication.

The no form of this command removes the SA name from the configuration.

Parameters

bidirectional sa-name

Specifies the IPsec security association name in case the OSPFv3 traffic on the interface has to be authenticated.

inbound sa-name

Specifies the IPsec security association name in case the OSPFv3 traffic on the interface has to be authenticated.

outbound sa-name

Specifies the IPsec security association name in case the OSPFv3 traffic on the interface has to be authenticated.

Platforms

All

authentication

Syntax

authentication auth-algorithm ascii-key ascii-string [hash | hash2 | custom]

authentication auth-algorithm hex-key hex-string [hash | hash2 | custom]

no authentication

Context

[Tree] (config>ipsec>static-sa authentication)

Full Context

configure ipsec static-sa authentication

Description

This command configures the authentication algorithm to use for an IPsec manual SA.

Default

no authentication

Parameters

auth-algorithm

Specifies the authentication algorithm to be used.

Values

md5, sha1

ascii-string

Specifies an ASCII key; 16 characters for md5 and 20 characters for sha1.

hex-string

Specifies a HEX key; 32 hex nibbles for md5 and 40 hex nibbles for sha1.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to the management interface.

Platforms

All

authentication

Syntax

authentication [port udp-port]

no authentication

Context

[Tree] (config>aaa>isa-radius-plcy>servers>server authentication)

Full Context

configure aaa isa-radius-policy servers server authentication

Description

This command configures authentication for this server.

Default

no authentication

Parameters

udp-port

Specifies the UDP port number on which to contact the RADIUS server for authentication.

Values

1 to 65535

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

authentication

Syntax

[no] authentication

Context

[Tree] (config>li>x-interfaces>lics>lic authentication)

Full Context

configure li x-interfaces lics lic authentication

Description

This command configures the parameters for authentication of INE and LIC on the X1 and X2 interfaces.

The no form of this command removes the configured parameters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

authentication

Syntax

authentication none

authentication authentication-protocol authentication-key [privacy-none] [hash | hash2 | custom]

authentication authentication-protocol authentication-key privacy privacy-protocol privacy-key [hash | hash2 | custom]

no authentication

Context

[Tree] (config>system>security>user>snmp authentication)

Full Context

configure system security user snmp authentication

Description

This command configures the SNMPv3 authentication and privacy protocols for the user to communicate with the router. The keys are stored in an encrypted format in the configuration.

The keys configured with these commands must be localized keys, which are a hash of the SNMP engine ID and a password. The password is not entered directly in this command. Use the tools perform system management-interface snmp generate-key command to generate localized authentication and privacy keys.

Default

authentication none

Parameters

none

Keyword to specify that no authentication protocol is used. If none is specified, privacy cannot be configured.

authentication-protocol

Specifies the SNMPv3 authentication protocol.

Values

hmac-md5-96 — Specifies use of the HMAC-MD5-96 authentication protocol.

hmac-sha1-96 — Specifies use of the HMAC-SHA-96 authentication protocol.

hmac-sha2-224 — Specifies use of the HMAC-SHA-224 authentication protocol.

hmac-sha2-256 — Specifies use of the HMAC-SHA-256 authentication protocol.

hmac-sha2-384 — Specifies use of the HMAC-SHA-384 authentication protocol.

hmac-sha2-512 — Specifies use of the HMAC-SHA-512 authentication protocol.

authentication-key

Specifies the localized authentication key, which is entered as a hexadecimal string; the character length depends on the specified authentication protocol. The following table lists the authentication protocol key lengths.

Table 2. Authentication protocol key lengths

| Authentication protocol | Character lengths |
|-------------------------|-------------------|
| HMAC-MD5-96             | 32                |
| HMAC-SHA-96             | 40                |
| HMAC-SHA-224            | 56                |
| HMAC-SHA-256            | 64                |
| HMAC-SHA-384            | 96                |
| HMAC-SHA-512            | 128               |

privacy-none

Keyword to specify that a privacy protocol is not used in the communication.

Default

privacy none

privacy-protocol

Specifies the SNMPv3 privacy protocol.

Values

cbc-des — Specifies the use of the CBC-DES privacy protocol.

cfb128-aes-128 — Specifies the use of the CFB128-AES-128 privacy protocol.

cfb128-aes-192 — Specifies the use of the CFB128-AES-192 privacy protocol.

cfb128-aes-256 — Specifies the use of the CFB128-AES-256 privacy protocol.

privacy-key

Specifies the localized privacy key, which is entered as a hexadecimal string; the character length depends on the specified privacy protocol. The following table lists the privacy protocol key lengths.

Table 3. Privacy protocol key lengths

| Privacy protocol | Character length |
|------------------|------------------|
| CBC-DES          | 32               |
| CFB128-AES-128   | 32               |
| CFB128-AES-192   | 48               |
| CFB128-AES-256   | 64               |

hash

Keyword that specifies the key is entered in an encrypted form. If the hash or hash2 keyword is not specified, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Keyword that specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone; that is, the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 keyword is not specified, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Keyword that specifies the custom encryption to the management interface.

Platforms

All
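
The localized authentication key described for configure system security user snmp authentication, as an added example (not Nokia code): it applies the standard RFC 3414 password-to-key and key-localization steps and checks a key against the hexadecimal lengths in Table 2. That the tools perform system management-interface snmp generate-key command yields the same output is an assumption; the password and engine ID below are the RFC 3414 test-vector values, and the function names are hypothetical.

```python
"""SNMPv3 localized authentication keys (RFC 3414, Appendix A.2).

Added illustration: derive the localized key from a password and an SNMP
engine ID, and validate a key string before it is placed in a configuration.
"""
import hashlib
import string

# CLI authentication-protocol keyword -> (hashlib digest, hex length per Table 2)
AUTH_PROTOCOLS = {
    "hmac-md5-96": ("md5", 32),
    "hmac-sha1-96": ("sha1", 40),
    "hmac-sha2-224": ("sha224", 56),
    "hmac-sha2-256": ("sha256", 64),
    "hmac-sha2-384": ("sha384", 96),
    "hmac-sha2-512": ("sha512", 128),
}

EXPANDED_LENGTH = 1048576  # RFC 3414: the password is stretched to 1 MiB


def password_to_key(password: bytes, digest: str) -> bytes:
    """Return Ku: the digest of the password repeated out to 1 MiB."""
    if not password:
        raise ValueError("password must not be empty")
    reps, rem = divmod(EXPANDED_LENGTH, len(password))
    h = hashlib.new(digest)
    h.update(password * reps + password[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, digest: str) -> bytes:
    """Return Kul = H(Ku || engineID || Ku), binding the key to one engine."""
    return hashlib.new(digest, ku + engine_id + ku).digest()


def localized_auth_key_hex(protocol: str, password: str, engine_id_hex: str) -> str:
    """Derive the hexadecimal localized authentication key for one engine ID."""
    if protocol not in AUTH_PROTOCOLS:
        raise ValueError(f"unknown authentication protocol: {protocol}")
    digest, _ = AUTH_PROTOCOLS[protocol]
    ku = password_to_key(password.encode("utf-8"), digest)
    return localize_key(ku, bytes.fromhex(engine_id_hex), digest).hex()


def key_problems(protocol: str, key_hex: str) -> list:
    """List reasons a key string cannot be a valid localized key (empty = ok)."""
    problems = []
    if protocol not in AUTH_PROTOCOLS:
        return [f"unknown authentication protocol: {protocol}"]
    expected = AUTH_PROTOCOLS[protocol][1]
    if any(c not in string.hexdigits for c in key_hex):
        problems.append("key contains non-hexadecimal characters")
    if len(key_hex) != expected:
        problems.append(f"expected {expected} hex characters, got {len(key_hex)}")
    return problems


if __name__ == "__main__":
    # Constructed input: RFC 3414 A.3 test-vector password and engine ID.
    engine = "000000000000000000000002"
    for proto in AUTH_PROTOCOLS:
        key = localized_auth_key_hex(proto, "maplesyrup", engine)
        print(f"{proto:14} {len(key):3} {key}")
    # The same password on a different engine gives an unrelated key, which is
    # why a localized key copied from another router fails to authenticate.
    other = localized_auth_key_hex("hmac-sha1-96", "maplesyrup",
                                   "000000000000000000000003")
    print("other engine  ", other)
```

Because the engine ID is an input to the hash, a key captured from one router's configuration does not authenticate against a router with a different engine ID, and changing the engine ID invalidates every configured user key.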

authentication

Syntax

authentication bidirectional sa-name

authentication [inbound sa-name outbound sa-name]

no authentication

Context

[Tree] (config>router>ospf3>area>interface authentication)

[Tree] (config>router>ospf3>area>virtual-link authentication)

Full Context

configure router ospf3 area interface authentication

configure router ospf3 area virtual-link authentication

Description

This command configures the password used by the OSPF3 interface or virtual-link to send and receive OSPF3 protocol packets on the interface when simple password authentication is configured.

All neighboring routers must use the same type of authentication and password for proper protocol communication.

By default, no authentication key is configured.

The no form of this command removes the authentication.

Default

no authentication

Parameters

bidirectional sa-name

Specifies bidirectional OSPF3 authentication.

inbound sa-name

Specifies the inbound security association (SA) name for OSPF3 authentication.

outbound sa-name

Specifies the outbound SA name for OSPF3 authentication.

Platforms

All

authentication-check

authentication-check

Syntax

[no] authentication-check

Context

[Tree] (config>service>vprn>isis authentication-check)

Full Context

configure service vprn isis authentication-check

Description

This command sets an authentication check to reject PDUs that do not match the type or key requirements for the VPRN instance.

The default behavior when authentication is configured is to reject all IS-IS protocol PDUs that have a mismatch in either the authentication type or authentication key.

When no authentication-check is configured, authentication PDUs are generated and IS-IS PDUs are authenticated on receipt. However, mismatches cause an event to be generated, and the mismatched PDUs are not rejected.

The no form of this command allows authentication mismatches to be accepted and generates a log event.

Default

authentication-check — Rejects authentication mismatches.

Platforms

All

authentication-check

Syntax

[no] authentication-check

Context

[Tree] (config>service>vprn>ntp authentication-check)

Full Context

configure service vprn ntp authentication-check

Description

This command provides the option to skip the rejection of NTP PDUs that do not match the authentication key-id, type or key requirements. The default behavior when authentication is configured is to reject all NTP protocol PDUs that have a mismatch in either the authentication key-id, type or key.

When authentication-check is enabled, NTP PDUs are authenticated on receipt. However, mismatches cause a counter to be increased, with separate counters for type, key-id, and value mismatches. These counters are visible in a show command.

The no form of this command allows authentication mismatches to be accepted; the counters however are maintained.

Default

authentication-check — Rejects authentication mismatches.

Platforms

All

authentication-check

Syntax

[no] authentication-check

Context

[Tree] (config>system>time>ntp authentication-check)

Full Context

configure system time ntp authentication-check

Description

This command provides the option to skip the rejection of NTP PDUs that do not match the authentication key-id, type or key requirements. The default behavior when authentication is configured is to reject all NTP protocol PDUs that have a mismatch in either the authentication key-id, type or key.

When authentication-check is enabled, NTP PDUs are authenticated on receipt. However, mismatches cause a counter to be increased, with separate counters for type, key-id, and value mismatches. These counters are visible in a show command.

The no form of this command allows authentication mismatches to be accepted; the counters however are maintained.

Default

authentication-check

Platforms

All

authentication-check

Syntax

[no] authentication-check

Context

[Tree] (config>router>isis authentication-check)

Full Context

configure router isis authentication-check

Description

This command sets an authentication check to reject PDUs that do not match the type or key requirements.

The default behavior when authentication is configured is to reject all IS-IS protocol PDUs that have a mismatch in either the authentication type or authentication key.

When no authentication-check is configured, authentication PDUs are generated and IS-IS PDUs are authenticated on receipt. However, mismatches cause an event to be generated, and the mismatched PDUs are not rejected.

The no form of this command allows authentication mismatches to be accepted and generates a log event.

Default

authentication-check

Platforms

All

authentication-key

authentication-key

Syntax

authentication-key [authentication-key | hash-key] [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>subscr-mgmt>bgp-prng-plcy authentication-key)

Full Context

configure subscriber-mgmt bgp-peering-policy authentication-key

Description

This command configures the BGP authentication key.

The MD5 message-based digest is used to perform authentication between neighboring routers before setting up the BGP session by verifying the password. The authentication key can be any combination of letters or numbers from 1 to 16.

The no form of this command removes the authentication password from the configuration and effectively disables authentication.

Parameters

authentication-key

Specifies an authentication key. The key can be up to 255 characters (unencrypted).

hash-key

Specifies the hash key. The key can be any combination of ASCII characters up to 342 characters (encrypted).

This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to the management interface.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

authentication-key

Syntax

authentication-key {authentication-key | hash-key} [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>redundancy>multi-chassis>peer authentication-key)

Full Context

configure redundancy multi-chassis peer authentication-key

Description

This command configures the authentication key used between this node and the multi-chassis peer. The authentication key can be any combination of letters or numbers. The no form of the command removes the authentication key.

Default

no authentication-key

Parameters

authentication-key

Specifies the authentication key. Allowed values are any string up to 20 characters long composed of printable, 7-bit ASCII characters. If the string contains special characters (#, ?, space), the entire string must be enclosed within double quotes.

hash-key

Specifies the hash key. The key can be any combination of ASCII characters up to 33 (hash1-key) or 55 (hash2-key) characters in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to the management interface.

Platforms

All

authentication-key

Syntax

authentication-key [authentication-key | hash-key] [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>subscr-mgmt>rip-policy authentication-key)

Full Context

configure subscriber-mgmt rip-policy authentication-key

Description

This command configures the BGP authentication key.

Authentication is performed between neighboring routers before setting up the BGP session by verifying the password. Authentication is performed using the MD5 message-based digest. The authentication key can be any combination of letters or numbers from 1 to 16.

The no form of this command removes the authentication password from the configuration and effectively disables authentication.

Default

Authentication is disabled and the authentication password is empty.

Parameters

authentication-key

Specifies the authentication key. The key can be any combination of ASCII characters up to 255 characters (unencrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

hash-key

Specifies the hash key. The key can be any combination of ASCII characters up to 342 characters (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to the management interface.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

authentication-key

Syntax

authentication-key {authentication-key | hash-key} [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>service>ies>if>vrrp authentication-key)

Full Context

configure service ies interface vrrp authentication-key

Description

The authentication-key command, within the vrrp virtual-router-id context, is used to assign a simple text password authentication key to generate master VRRP advertisement messages and validate received VRRP advertisement messages.

The authentication-key command is one of the few commands not affected by the presence of the owner keyword. If simple text password authentication is not required, the authentication-key command is not required. If the command is re-executed with a different password key defined, the new key will be used immediately. If a no authentication-key command is executed, the password authentication key is restored to the default value. The authentication-key command may be executed at any time.

To change the current in-use password key on multiple virtual router instances:

  • Identify the current master

  • Shut down the virtual router instance on all backups

  • Execute the authentication-key command on the master to change the password key

  • Execute the authentication-key command and no shutdown command on each backup key

The no form of the command removes the authentication key.

Default

No default. The authentication data field contains the value 0 in all 16 octets.

Parameters

authentication-key

The key parameter identifies the simple text password used when VRRP Authentication Type 1 is enabled on the virtual router instance. Type 1 uses a string eight octets long that is inserted into all transmitted VRRP advertisement messages and compared against all received VRRP advertisement messages. The authentication data fields are used to transmit the key.

The key parameter is expressed as a string consisting of up to eight alpha-numeric characters. Spaces must be contained in quotation marks (" "). The quotation marks are not considered part of the string.

The string is case sensitive and is left-justified in the VRRP advertisement message authentication data fields. The first field contains the first four characters with the first octet (starting with IETF RFC bit position 0) containing the first character. The second field holds the fifth through eighth characters. Any unspecified portion of the authentication data field is padded with the value 0 in the corresponding octet.

Values

Any 7-bit printable ASCII character.

Exceptions:

Double quote (") - ASCII 34

Carriage Return - ASCII 13

Line Feed - ASCII 10

Tab - ASCII 9

Backspace - ASCII 8

hash-key

The hash key. The key can be any combination of ASCII characters up to 22 characters in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to the management interface.

Platforms

All

authentication-key

Syntax

authentication-key {authentication-key | hash-key} [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>service>vprn>bgp>group authentication-key)

[Tree] (config>service>vprn>bgp>group>neighbor authentication-key)

[Tree] (config>service>vprn>bgp authentication-key)

Full Context

configure service vprn bgp group authentication-key

configure service vprn bgp group neighbor authentication-key

configure service vprn bgp authentication-key

Description

This command configures the BGP authentication key.

Authentication is performed between neighboring routers before setting up the BGP session by verifying the password. Authentication is performed using the MD5 message-based digest. The authentication key can be any combination of letters or numbers from 1 to 16.

The no form of this command removes the authentication password from the configuration and effectively disables authentication.

Default

no authentication-key

Parameters

authentication-key

Specifies an authentication key. The key can be up to 255 characters (unencrypted).

hash-key

The hash key. The key can be any combination of ASCII characters up to 342 characters in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to the management interface.

Platforms

All

authentication-key

Syntax

authentication-key [authentication-key | hash-key] [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>service>vprn>if>vrrp authentication-key)

Full Context

configure service vprn interface vrrp authentication-key

Description

The authentication-key command, within the vrrp virtual-router-id context, is used to assign a simple text password authentication key to generate master VRRP advertisement messages and validate received VRRP advertisement messages.

The authentication-key command is one of the few commands not affected by the presence of the owner keyword. If simple text password authentication is not required, this command is not required. If the command is re-executed with a different password key defined, the new key will be used immediately. If a no authentication-key command is executed, the password authentication key is restored to the default value. The authentication-key command may be executed at any time.

To change the current in-use password key on multiple virtual router instances:

  • Identify the current master

  • Shut down the virtual router instance on all backups

  • Execute the authentication-key command on the master to change the password key

  • Execute the authentication-key command and the no shutdown command on each backup key

The no form of this command restores the default null string to the value of key.

Parameters

authentication-key

The key parameter identifies the simple text password used when VRRP Authentication Type 1 is enabled on the virtual router instance. Type 1 uses a string eight octets long that is inserted into all transmitted VRRP advertisement messages and compared against all received VRRP advertisement messages. The authentication data fields are used to transmit the key.

The key parameter is expressed as a string consisting of up to eight alpha-numeric characters. Spaces must be contained in quotation marks (" "). The quotation marks are not considered part of the string.

The string is case sensitive and is left-justified in the VRRP advertisement message authentication data fields. The first field contains the first four characters with the first octet (starting with IETF RFC bit position 0) containing the first character. The second field holds the fifth through eighth characters. Any unspecified portion of the authentication data field is padded with the value 0 in the corresponding octet.

Values

Any 7-bit printable ASCII character.

Exceptions:

Double quote (") - ASCII 34

Carriage Return - ASCII 13

Line Feed - ASCII 10

Tab - ASCII 9

Backspace - ASCII 8

hash-key

The hash key. The key can be any combination of ASCII characters up to 22 characters in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to the management interface.

Platforms

All
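The authentication data field layout described for the VRRP Type 1 key (in this entry and in the configure service ies interface vrrp entry), as an added Python example that is not part of the original reference or of SR OS. It validates a key against the documented character and length rules, lays it out left-justified and zero-padded across the two four-octet fields, and compares a received pair of fields with the local key; the function names and sample keys are constructed for illustration.

```python
"""Added example: VRRP Authentication Type 1 key in the authentication data fields."""
import hmac

MAX_KEY_LEN = 8   # Type 1 uses a string eight octets long
FIELD_LEN = 4     # the key is split across two four-octet authentication data fields
# Exceptions listed in the reference: double quote, CR, LF, tab, backspace.
EXCLUDED_CODES = {34, 13, 10, 9, 8}


def validate_key(key):
    """Raise ValueError when a key breaks the documented length or character rules."""
    if len(key) > MAX_KEY_LEN:
        raise ValueError(f"key is {len(key)} characters; the limit is {MAX_KEY_LEN}")
    for ch in key:
        code = ord(ch)
        # 7-bit printable ASCII is 32..126 inclusive (space is allowed when quoted).
        if code in EXCLUDED_CODES or not 32 <= code <= 126:
            raise ValueError(f"character code {code} is not allowed in the key")


def encode_auth_data(key):
    """Return (first_field, second_field): left-justified, padded with value 0."""
    validate_key(key)
    raw = key.encode("ascii").ljust(2 * FIELD_LEN, b"\x00")
    return raw[:FIELD_LEN], raw[FIELD_LEN:]


def decode_auth_data(first, second):
    """Read the string back from the two fields; the fields carry the key itself."""
    return (first + second).rstrip(b"\x00").decode("ascii")


def advertisement_accepted(local_key, received):
    """Compare the received fields with the locally configured key, octet for octet."""
    expected = b"".join(encode_auth_data(local_key))
    return hmac.compare_digest(expected, b"".join(received))


if __name__ == "__main__":
    # Constructed sample keys, not values from any real configuration.
    for sample in ("Rtr5key", "ab", "a b"):
        first, second = encode_auth_data(sample)
        print(f"{sample!r:10} -> {first.hex()} {second.hex()}")
    # The comparison is case sensitive, as the reference states.
    print(advertisement_accepted("Rtr5key", encode_auth_data("rtr5key")))
```

Because the two fields hold the key octets unchanged, the same value must be configured on the master and every backup, which is why the rotation procedure above shuts the backups down before the master's key is changed.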

authentication-key

Syntax

authentication-key {authentication-key | hash-key} [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>service>vprn>isis>level authentication-key)

[Tree] (config>service>vprn>isis authentication-key)

Full Context

configure service vprn isis level authentication-key

configure service vprn isis authentication-key

Description

This command sets the authentication key used to verify PDUs sent by neighboring routers on the interface for the VPRN instance.

Neighboring routers use passwords to authenticate PDUs sent from an interface. For authentication to work, both the authentication key and the authentication type on a segment must match. The OSPF Commands statement must also be included.

To configure authentication on the global level, configure this command in the config>router>isis context. When this parameter is configured on the global level, all PDUs are authenticated including the Hello PDU.

To override the global setting for a specific level, configure the authentication-key command in the config>router>isis>level context. When configured within the specific level, hello PDUs are not authenticated.

The no form of this command removes the authentication key.

Default

no authentication-key — No authentication key is configured.

Parameters

authentication-key

The authentication key. The key can be any combination of ASCII characters up to 255 characters in length (unencrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

hash-key

The hash key. The key can be any combination of ASCII characters up to 342 characters in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to the management interface.

Platforms

All

authentication-key

Syntax

authentication-key [authentication-key | hash-key] [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>service>vprn>msdp>peer authentication-key)

[Tree] (config>service>vprn>msdp>group>peer authentication-key)

Full Context

configure service vprn msdp peer authentication-key

configure service vprn msdp group peer authentication-key

Description

This command configures a Message Digest 5 (MD5) authentication key to be used with a specific Multicast Source Discovery Protocol (MSDP) peering session. The authentication key must be configured per peer; as such, no global or group configuration is possible.

The no form of this command removes the authentication key.

Default

no authentication-key (All MSDP messages are accepted and the MD5 signature option authentication key is disabled.)

Parameters

authentication-key

Specifies the authentication key. Allowed values are any string up to 256 characters composed of printable, 7-bit ASCII characters. If the string contains special characters (#, ?, space), enclose the entire string in quotation marks (" ").

hash-key

Specifies the hash key. The key can be any combination of ASCII characters up to 451 characters in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to the management interface.

Platforms

All

authentication-key

Syntax

authentication-key key-id key key [hash | hash2 | custom] type {des | message-digest}

no authentication-key key-id

Context

[Tree] (config>service>vprn>ntp authentication-key)

Full Context

configure service vprn ntp authentication-key

Description

This command sets the authentication key-id, type and key used to authenticate NTP PDUs sent by the broadcast server function toward external clients or to authenticate NTP PDUs received from external unicast clients within the VPRN routing instance. For authentication to work, the authentication key-id, type, and key value must match.

The no form of this command removes the authentication key.

Parameters

key-id

Configure the authentication key-id that will be used by the node when transmitting or receiving Network Time Protocol packets.

Entering the authentication-key command with a key-id value that matches an existing configuration key will result in overriding the existing entry.

Recipients of the NTP packets must have the same authentication key-id, type, and key value in order to use the data transmitted by this node. This is an optional parameter.

Values

1 to 255

key

The authentication key associated with the configured key-id. The value configured in this parameter is the actual value used by other network elements to authenticate the NTP packet.

The key can be any combination of ASCII characters up to 8 characters in length (unencrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to the management interface.

type

This parameter determines if DES or message-digest authentication is used.

This is a required parameter; either DES or message-digest must be configured.

Values

des — Specifies that DES authentication is used for this key.

message-digest — Specifies that MD5 authentication in accordance with RFC 2104 is used for this key.

Platforms

All

authentication-key

Syntax

authentication-key {authentication-key | hash-key} [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>service>vprn>ospf>area>if authentication-key)

[Tree] (config>service>vprn>ospf>area>virtual-link authentication-key)

[Tree] (config>service>vprn>ospf>area>sham-link authentication-key)

Full Context

configure service vprn ospf area interface authentication-key

configure service vprn ospf area virtual-link authentication-key

configure service vprn ospf area sham-link authentication-key

Description

This command configures the password used by the OSPF interface or virtual-link to send and receive OSPF protocol packets on the interface when simple password authentication is configured.

This command is not valid in the OSPF3 context.

All neighboring routers must use the same type of authentication and password for proper protocol communication. If the authentication-type is configured as password, then this key must be configured.

By default, no authentication key is configured.

This command is not supported in the OSPF context.

The no form of this command removes the authentication key.

Default

no authentication-key — No authentication key is defined.

Parameters

authentication-key

The authentication key. The key can be any combination of ASCII characters up to 8 characters in length (unencrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

hash-key

The hash key. The key can be any combination of ASCII characters up to 22 characters in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to the management interface.

Platforms

All

authentication-key

Syntax

authentication-key {authentication-key | hash-key} [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>service>vprn>rip>group>neighbor authentication-key)

[Tree] (config>service>vprn>rip authentication-key)

[Tree] (config>service>vprn>rip>group authentication-key)

Full Context

configure service vprn rip group neighbor authentication-key

configure service vprn rip authentication-key

configure service vprn rip group authentication-key

Description

This command sets the authentication password to be passed between RIP neighbors.

The authentication type and authentication key must match exactly to authenticate and then process the RIP message.

The no form of this command removes the authentication password from the configuration and disables authentication.

Default

no authentication-key

Parameters

authentication-key

The authentication key. The key can be any combination of ASCII characters up to 16 characters in length (unencrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

hash-key

The hash key. The key can be any combination of ASCII characters up to 33 characters in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to the management interface.

Platforms

All

authentication-key

Syntax

authentication-key {authentication-key | hash-key} [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>router>ldp>tcp-session-params>peer-transport authentication-key)

[Tree] (config>router>ldp>tcp-session-params authentication-key)

Full Context

configure router ldp tcp-session-parameters peer-transport authentication-key

configure router ldp tcp-session-parameters authentication-key

Description

This command specifies the authentication key used to establish a session between LDP peers. Authentication uses the MD5 message-based digest. The peer address used in authentication must be the TCP session transport address. If one or more transport addresses used in the Hello adjacencies to the same peer LSR are different from the LSR-ID value, the user must add each transport address to the authentication-key configuration as a separate peer. As a result, when the TCP connection is bootstrapped by a specific Hello adjacency, the authentication can operate over that TCP connection by using its specific transport address. The per peer authentication configuration takes precedence over global authentication configuration, and authentication keychain configuration takes precedence over authentication key configuration.

The no form of this command disables authentication.

Parameters

authentication-key

Specifies the authentication key. The key can be any combination of ASCII characters, up to 255 characters (unencrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

hash-key

Specifies the hash key. The key can be any combination of up to 33 alphanumeric characters. If spaces are used in the string, enclose the entire string in quotation marks (" ").

This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex, encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to the management interface.

Platforms

All

authentication-key

Syntax

authentication-key {authentication-key | hash-key} [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>router>rsvp>interface authentication-key)

Full Context

configure router rsvp interface authentication-key

Description

This command specifies the authentication key for use between RSVP neighbors to authenticate RSVP messages. Authentication uses the MD5 message-based digest.

When enabled on an RSVP interface, authentication of RSVP messages operates in both directions of the interface. A router maintains a security association using one authentication key for each interface to an RSVP neighbor.

An RSVP neighbor transmits an authenticating digest of the RSVP message that is computed using the shared authentication key and a keyed-hash algorithm. The message digest is included in an INTEGRITY object, which also contains a flags field, a key identifier field, and a sequence number field. An RSVP neighbor uses the key together with the authentication algorithm to process received RSVP messages. The RSVP MD5 authentication complies with the procedures for RSVP message generation in RFC 2747, RSVP Cryptographic Authentication.

The MD5 implementation does not support the authentication challenge procedures in RFC 2747.

The no form of this command disables authentication.

Default

no authentication-key - The authentication key value is the null string.

Parameters

authentication-key

Specifies the authentication key. The key can be any combination of ASCII characters up to 16 characters in length (unencrypted). If the string contains special characters (#, ?, space), the entire string must be enclosed within double quotes.

hash-key

Specifies the hash key. The key can be any combination of up to 33 alphanumeric characters. If spaces are used in the string, enclose the entire string in quotation marks (" ").

This is useful when a user must configure the parameter, but for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to the management interface.

Platforms

All
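One way to apply the hash and hash2 rule when reviewing change scripts before they are pasted into a router, as an added Python example that is not Nokia code. It classifies each authentication-key line as cleartext, hash, hash2 or custom, flags no authentication-key, and checks cleartext key length against limits quoted in this reference; the sample lines, placeholder key values, function names and finding labels are constructed.

```python
"""Added example: audit provisioning snippets for authentication-key lines."""
import shlex

# Cleartext key length limits quoted from this reference, by full context.
CLEARTEXT_LIMITS = {
    "configure router rsvp interface": 16,
    "configure router ldp tcp-session-parameters": 255,
    "configure redundancy multi-chassis peer": 20,
    "configure service vprn ospf area interface": 8,
    "configure service vprn rip": 16,
}
FORM_KEYWORDS = ("hash", "hash2", "custom")

# Constructed sample snippet for the RSVP interface context; keys are placeholders.
SAMPLE_CONTEXT = "configure router rsvp interface"
SAMPLE_LINES = [
    'authentication-key "rsvp key #1"',
    "authentication-key CONSTRUCTED-HASH-PLACEHOLDER hash2",
    "no authentication-key",
    "authentication-key abcdefghijklmnopq",
    "no shutdown",
]


def parse_line(line):
    """Return ("set", key, form), ("remove", None, None), or None for other commands."""
    # shlex honours the double quotes required around keys containing #, ? or spaces.
    tokens = shlex.split(line)
    if tokens[:2] == ["no", "authentication-key"]:
        return ("remove", None, None)
    if not tokens or tokens[0] != "authentication-key":
        return None
    args = tokens[1:]
    if len(args) >= 3 and args[1] == "key":
        args = args[2:]  # NTP form: authentication-key key-id key <key> [...]
    if not args:
        raise ValueError("authentication-key needs a key argument")
    # Without hash or hash2 the key is cleartext; "custom" is reported as its own
    # form here, which is an assumption of this example.
    form = args[1] if len(args) > 1 and args[1] in FORM_KEYWORDS else "cleartext"
    return ("set", args[0], form)


def audit(context, lines):
    """Return a list of (line_number, finding) for one context's command lines."""
    findings = []
    limit = CLEARTEXT_LIMITS.get(context)
    for number, line in enumerate(lines, 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        action, key, form = parsed
        if action == "remove":
            findings.append((number, "auth-disabled"))
        elif form == "cleartext":
            findings.append((number, "cleartext-key"))
            if limit is not None and len(key) > limit:
                findings.append((number, "key-too-long"))
    return findings


if __name__ == "__main__":
    for number, finding in audit(SAMPLE_CONTEXT, SAMPLE_LINES):
        print(f"line {number}: {finding}: {SAMPLE_LINES[number - 1]}")
```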

authentication-key

Syntax

authentication-key {authentication-key | hash-key} [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>router>msdp>group>peer authentication-key)

[Tree] (config>router>msdp>peer authentication-key)

Full Context

configure router msdp group peer authentication-key

configure router msdp peer authentication-key

Description

This command configures an MD5 authentication key used with a specific MSDP peering session. The authentication key is not inherited from the global or group level and must be configured per peer.

The no form of this command configures acceptance of all MSDP messages and disables the MD5 signature option authentication key.

Default

no authentication-key

Parameters

authentication-key

Specifies the authentication key. The key can be any combination of printable, 7-bit ASCII characters, up to 255 characters. If the string contains special characters (#, ?, space), enclose the entire string in quotation marks (" ").

hash-key

Specifies a hash key. The key can be any combination of ASCII characters up to 451 characters in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

This is useful when a user must configure the parameter, although, for security purposes, the actual unencrypted key value is not provided.

hash

Keyword that specifies the hash key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Keyword that specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone; that is, the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Keyword that specifies the custom encryption to the management interface.

Platforms

All

authentication-key

Syntax

authentication-key {authentication-key | hash-key} [{hash | hash2 | custom}]

no authentication-key

Context

[Tree] (config>router>if>vrrp authentication-key)

Full Context

configure router interface vrrp authentication-key

Description

This command sets the simple text authentication key used to generate master VRRP advertisement messages and to validate VRRP advertisements.

If simple text password authentication is not required, the authentication-key command is not required.

The command is configurable in both non-owner and owner vrrp nodal contexts.

The key parameter identifies the simple text password to be used when VRRP Authentication Type 1 is enabled on the virtual router instance. Type 1 uses an eight octet long string that is inserted into all transmitted VRRP advertisement messages and is compared against all received VRRP advertisement messages. The authentication data fields are used to transmit the key.

The key string is case sensitive and is left justified in the VRRP advertisement message authentication data fields. The first field contains the first four characters with the first octet (starting with IETF RFC bit position 0) containing the first character. The second field similarly holds the fifth through eighth characters. Any unspecified portion of the authentication data field is padded with a 0 value in the corresponding octet.
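The following added illustration (not Nokia code) packs a key into the two authentication data fields as described above and compares a received advertisement against the local key. The key values are constructed; the last function shows that the fields carry the key itself, so Type 1 identifies misconfiguration but does not keep the key secret from anyone who can capture traffic on the segment.

```python
import hmac

MAX_KEY_LEN = 8  # two 4-octet authentication data fields


def pack_auth_data(key):
    """Return (field1, field2) for a simple text key."""
    raw = key.encode("ascii")            # non-ASCII input raises UnicodeEncodeError
    if len(raw) > MAX_KEY_LEN:
        raise ValueError("key longer than 8 characters")
    if any(not 0x20 <= b <= 0x7E for b in raw):
        raise ValueError("key must be printable 7-bit ASCII")
    padded = raw.ljust(MAX_KEY_LEN, b"\x00")   # left-justified, padded with 0 octets
    return padded[:4], padded[4:]              # characters 1-4, characters 5-8


def advertisement_accepted(local_key, field1, field2):
    """Compare the received fields with the locally configured key (case sensitive)."""
    expected = b"".join(pack_auth_data(local_key))
    return hmac.compare_digest(expected, field1 + field2)


def key_as_seen_on_wire(field1, field2):
    """What a packet capture of one advertisement shows: the key in cleartext."""
    return (field1 + field2).rstrip(b"\x00").decode("ascii")


if __name__ == "__main__":
    f1, f2 = pack_auth_data("Vrrp5")                 # constructed key
    print(f1, f2)
    print(advertisement_accepted("Vrrp5", f1, f2))   # same key on both routers
    print(advertisement_accepted("vrrp5", f1, f2))   # differs only in case
    print(key_as_seen_on_wire(f1, f2))
```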

If the command is re-executed with a different password key defined, the new key is used immediately.

The authentication-key command can be executed at any time.

To change the current in-use password key on multiple virtual router instances:

  1. Identify the current master.

  2. Shut down the virtual router instance on all backups.

  3. Execute the authentication-key command on the master to change the password key.

  4. Execute the authentication-key command and no shutdown command on each backup.

The no form of the command reverts to the default value.

Default

no authentication-key — The authentication key value is the null string.

Parameters

authentication-key

The authentication key. Allowed values are any string up to 8 characters long composed of printable, 7-bit ASCII characters. If the string contains special characters (#, ?, space), the entire string must be enclosed within double quotes.

hash-key

The hash key. The key can be any combination of ASCII characters up to 22 (hash-key1) or 121 (hash-key2) characters in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

This is useful when a user must configure the parameter, but for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to the management interface.

Platforms

All

authentication-key

Syntax

authentication-key key-id key key [hash | hash2 | custom] type {des | message-digest}

no authentication-key key-id

Context

[Tree] (config>system>time>ntp authentication-key)

Full Context

configure system time ntp authentication-key

Description

This command sets the authentication key-id, type and key used to authenticate NTP PDUs sent to or received by other network elements participating in the NTP protocol. For authentication to work, the authentication key-id, type and key value must match.

The no form of the command removes the authentication key.

Parameters

key-id

Configures the authentication key-id that will be used by the node when transmitting or receiving Network Time Protocol packets.

Entering the authentication-key command with a key-id value that matches an existing configuration key will result in overriding the existing entry.

Recipients of the NTP packets must have the same authentication key-id, type, and key value in order to use the data transmitted by this node. This is an optional parameter.

Values

1 to 255

key

Specifies the authentication key associated with the configured key-id. The value configured in this parameter is the actual value used by other network elements to authenticate the NTP packet.

The key can be any combination of ASCII characters up to 32 characters for message-digest (md5) or 8 characters for des (length limits are unencrypted lengths). If spaces are used in the string, enclose the entire string in quotation marks (" ").

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to the management interface.

type

Determines if DES or message-digest authentication is used.

This is a required parameter; either DES or message-digest must be configured.

des

Specifies that DES authentication is used for this key.

message-digest

Specifies that MD5 authentication in accordance with RFC 2104 is used for this key.

Platforms

All

authentication-key

Syntax

authentication-key [authentication-key | hash-key] [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>router>bgp>group>neighbor authentication-key)

[Tree] (config>router>bgp authentication-key)

[Tree] (config>router>bgp>group authentication-key)

Full Context

configure router bgp group neighbor authentication-key

configure router bgp authentication-key

configure router bgp group authentication-key

Description

This command configures the BGP authentication key.

Authentication is performed between neighboring routers before setting up the BGP session by verifying the password. Authentication is performed using the MD5 message-based digest.

The no form of this command reverts to the default value.

Default

no authentication-key

Parameters

authentication-key

Specifies an authentication key. The key can be up to 255 characters (unencrypted).

hash-key

Specifies the hash key. The key can be any combination of ASCII characters up to 342 characters in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to the management interface.

Platforms

All

authentication-key

Syntax

authentication-key [authentication-key | hash-key] [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>router>isis>level authentication-key)

[Tree] (config>router>isis authentication-key)

Full Context

configure router isis level authentication-key

configure router isis authentication-key

Description

This command sets the authentication key used to verify PDUs sent by neighboring routers on the interface.

Neighboring routers use passwords to authenticate PDUs sent from an interface. For authentication to work, both the authentication key and the authentication type on a segment must match. The authentication-type command must also be included.

To configure authentication on the global level, configure this command in the config>router>isis context. When this parameter is configured on the global level, all PDUs are authenticated, including the hello PDU.

To override the global setting for a specific level, configure the authentication-key command in the config>router>isis>level context. When configured within the specific level, hello PDUs are not authenticated.

The no form of this command removes the authentication key.

Default

no authentication-key

Parameters

authentication-key

Specifies the authentication key. The key can be any combination of ASCII characters up to 255 characters in length (unencrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

hash-key

Specifies the hash key. The key can be any combination of ASCII characters up to 342 characters in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

This is useful when a user must configure the parameter but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to the management interface.

Platforms

All

authentication-key

Syntax

authentication-key [authentication-key | hash-key] [hash | hash2 | custom]

no authentication-key

Context

[Tree] (config>router>ospf>area>virtual-link authentication-key)

[Tree] (config>router>ospf>area>interface authentication-key)

Full Context

configure router ospf area virtual-link authentication-key

configure router ospf area interface authentication-key

Description

This command configures the password used by the OSPF interface or virtual link to send and receive OSPF protocol packets on the interface when simple password authentication is configured.

All neighboring routers must use the same type of authentication and password for proper protocol communication. If authentication-type password is configured, this key must be configured.

By default, no authentication key is configured.

The no form of this command removes the authentication key.

Default

no authentication-key

Parameters

authentication-key

Specifies the authentication key. The key can be any combination of ASCII characters up to 8 characters in length (unencrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

hash-key

Specifies the hash key. The key can be any combination of ASCII characters up to 22 characters (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

This is useful when a user must configure the parameter but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to the management interface.

Platforms

All

authentication-key

Syntax

authentication-key {authentication-key | hash-key} [{hash | hash2 | custom}]

no authentication-key

Context

[Tree] (config>router>rip>group authentication-key)

[Tree] (config>router>rip authentication-key)

[Tree] (config>router>rip>group>neighbor authentication-key)

Full Context

configure router rip group authentication-key

configure router rip authentication-key

configure router rip group neighbor authentication-key

Description

This command sets the authentication password to be passed between RIP neighbors.

The authentication type and authentication key must match exactly for the RIP message to be considered authentic and processed.

The no form of the command removes the authentication password from the configuration and disables authentication.

Default

no authentication-key

Parameters

authentication-key

Specifies the authentication key. Allowed values are any string up to 16 characters long composed of printable, 7-bit ASCII characters. If the string contains special characters (#, ?, space), the entire string must be enclosed within double quotes.

hash-key

Specifies the hash key. The key can be any combination of ASCII characters up to 33 characters in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" ").

This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, cleartext form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

custom

Specifies the custom encryption to the management interface.

Platforms

All

authentication-keychain

authentication-keychain

Syntax

authentication-keychain keychain-name

no authentication-keychain

Context

[Tree] (config>system>time>ntp authentication-keychain)

Full Context

configure system time ntp authentication-keychain

Description

This command configures the authentication keychain used to handle unsolicited NTP requests.

If the system receives a request with a key ID that matches both the configured key and the keychain, the system checks the MAC ID using the key information first. If the key authentication fails, the system then checks the MAC ID using the information from the keychain.

The no form of the command removes the authentication keychain.

Parameters

keychain-name

Specifies the keychain name, up to 32 characters.

Platforms

All

authentication-keychain

Syntax

authentication-keychain keychain-name

no authentication-keychain

Context

[Tree] (config>service>vprn>ntp authentication-keychain)

Full Context

configure service vprn ntp authentication-keychain

Description

This command configures the authentication keychain used to handle unsolicited NTP requests.

If the system receives a request with a key ID that matches both the configured key and the keychain, the system checks the MAC ID using the key information first. If the key authentication fails, the system then checks the MAC ID using the information from the keychain.

The no form of the command removes the authentication keychain.

Parameters

keychain-name

Specifies the keychain name, up to 32 characters.

Platforms

All

authentication-method

authentication-method

Syntax

authentication-method

Context

[Tree] (config>system>security>ssh authentication-method)

Full Context

configure system security ssh authentication-method

Description

Commands in this context configure the SSH authentication method at the system level.

Platforms

All

authentication-order

authentication-order

Syntax

authentication-order [method-1] [method-2] [method-3] [method-4] [exit-on-reject]

no authentication-order

Context

[Tree] (config>system>security>password authentication-order)

Full Context

configure system security password authentication-order

Description

This command configures the sequence in which the system attempts authentication and authorization among the local user database, RADIUS servers, TACACS+ servers, and LDAP servers.

Configure the order from the most preferred method to the least preferred. The presence of all methods in the command line does not guarantee they are all operational. Specifying options that are not available delays user authentication.

If all operational methods are attempted and no authentication for a particular login has been granted, an entry in the security log records the failed attempt. Both the attempted login identification and originating IP address are logged with a timestamp.

The no form of this command reverts to the default order.

The order is not applicable to SNMPv3. SNMPv3 messages ignore the configured order and are authorized using the locally configured users only. TACACS+, RADIUS, and LDAP are not supported for SNMPv3 authentication.

Note:

This command applies to a local user, in addition to users on RADIUS, TACACS+, and LDAP.

Default

authentication-order radius tacplus ldap local

Parameters

method-1

Specifies the first password authentication method to attempt.

Values

local, radius, tacplus, ldap

method-2

Specifies the second password authentication method to attempt.

Values

local, radius, tacplus, ldap

method-3

Specifies the third password authentication method to attempt.

Values

local, radius, tacplus, ldap

method-4

Specifies the fourth password authentication method to attempt.

Values

local, radius, tacplus, ldap

local

Specifies the password authentication based on the local password database.

radius

Specifies RADIUS authentication.

tacplus

Specifies TACACS+ authentication.

ldap

Specifies LDAP authentication.

exit-on-reject

When this parameter is configured, the router stops authentication and authorization if one of the AAA methods configured in the order sends a rejection.

When this parameter is not configured, the router attempts the next AAA method if a AAA method sends a rejection. If all AAA methods are exhausted, authentication and authorization are rejected.

If the order specifies local as the first method, the following actions apply:

  • If this parameter is configured and the user does not exist, the user is not authenticated.
  • If the user can be authenticated locally, other methods, if configured, are used for authorization and accounting.
  • If the user is configured locally but without console access, login is denied.
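The following added illustration (a simplified model, not SR OS code) walks a login through the configured order with and without exit-on-reject. The backends, accounts, passwords, and source address are constructed; a server that is not operational is modelled as returning UNAVAILABLE.

```python
from datetime import datetime, timezone
from enum import Enum


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    UNAVAILABLE = "unavailable"   # method listed in the order but not operational


def make_backend(accounts, operational=True):
    """Constructed stand-in for one AAA method with its own user database."""
    def check(user, password):
        if not operational:
            return Result.UNAVAILABLE
        return Result.ACCEPT if accounts.get(user) == password else Result.REJECT
    return check


def login(order, backends, user, password, src_ip,
          exit_on_reject=False, security_log=None):
    """Try each method in order; return (granted, trail of (method, result))."""
    trail = []
    for method in order:
        result = backends[method](user, password)
        trail.append((method, result.value))
        if result is Result.ACCEPT:
            return True, trail
        if result is Result.REJECT and exit_on_reject:
            break                      # a rejection ends the attempt immediately
        # otherwise fall through to the next method in the order
    if security_log is not None:       # failed attempt: login id, source IP, timestamp
        security_log.append({"user": user, "src_ip": src_ip,
                             "time": datetime.now(timezone.utc).isoformat()})
    return False, trail


DEFAULT_ORDER = ["radius", "tacplus", "ldap", "local"]   # default from this page
BACKENDS = {
    "radius": make_backend({"bob": "pw-bob"}),        # alice was removed centrally
    "tacplus": make_backend({}, operational=False),
    "ldap": make_backend({}, operational=False),
    "local": make_backend({"alice": "pw-alice"}),     # stale local account remains
}

if __name__ == "__main__":
    log = []
    # Without exit-on-reject the RADIUS rejection is not final: local still accepts.
    print(login(DEFAULT_ORDER, BACKENDS, "alice", "pw-alice", "192.0.2.10"))
    # With exit-on-reject the RADIUS rejection stops the attempt and is logged.
    print(login(DEFAULT_ORDER, BACKENDS, "alice", "pw-alice", "192.0.2.10",
                exit_on_reject=True, security_log=log))
    # local first: an unknown local user is rejected before RADIUS is consulted.
    print(login(["local", "radius"], BACKENDS, "bob", "pw-bob", "192.0.2.11",
                exit_on_reject=True, security_log=log))
    print(log)
```

When auditing a configuration against this model, check that accounts disabled on the central servers are also removed locally if exit-on-reject is not configured.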

Platforms

All

authentication-origin

authentication-origin

Syntax

authentication-origin

Context

[Tree] (config>subscr-mgmt authentication-origin)

Full Context

configure subscriber-mgmt authentication-origin

Description

Commands in this context configure a subscriber’s authentication origin.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

authentication-over-bypass

authentication-over-bypass

Syntax

authentication-over-bypass [enable | disable]

Context

[Tree] (config>router>rsvp authentication-over-bypass)

Full Context

configure router rsvp authentication-over-bypass

Description

This command configures the MD5 authentication over the bypass LSP of all Points of Local Repair (PLRs) and Merge Points (MPs) on the router. Only enable this command when the TE interfaces in the RSVP-TE network use the same MD5 authentication parameters.

When a Point of Local Repair (PLR) activates a bypass LSP towards a Merge Point (MP), by default, the INTEGRITY object corresponding to the bypass LSP interface is not added to a transmitted RSVP message except for packets of routed RSVP messages (Resv, Srefresh, and ACK), and only when the packet is intended for a bypass LSP endpoint (PLR or MP) that is a directly connected neighbor.

When this command is enabled, the INTEGRITY object of the interface corresponding to the bypass LSP is added to a transmitted RSVP message regardless of whether the bypass LSP endpoint (PLR or MP) is a directly connected RSVP neighbor. The INTEGRITY object is included with the following RSVP messages: Path, PathTear, PathErr, Resv, ResvTear, ResvErr, Srefresh, and ACK.

In all cases, an RSVP message that is received from a PLR or an MP (the sender address in the SenderTemplate/FilterSpec is different from the Extended Tunnel Id in the Session Object) and that includes the INTEGRITY object is authenticated against the bypass LSP interface. An RSVP message received from a PLR or MP without the INTEGRITY object is also accepted.

Default

authentication-over-bypass disable

Parameters

enable

Enables the MD5 authentication over the bypass LSP of all PLRs on the node.

disable

Disables the MD5 authentication over the bypass LSP of all PLRs on the node.

Platforms

All

authentication-policy

authentication-policy

Syntax

authentication-policy auth-policy-name

no authentication-policy

Context

[Tree] (config>router>l2tp>group>ppp authentication-policy)

[Tree] (config>router>l2tp>group>tunnel>ppp authentication-policy)

[Tree] (config>service>vprn>l2tp>group>tunnel>ppp authentication-policy)

[Tree] (config>service>vprn>l2tp>group>ppp authentication-policy)

Full Context

configure router l2tp group ppp authentication-policy

configure router l2tp group tunnel ppp authentication-policy

configure service vprn l2tp group tunnel ppp authentication-policy

configure service vprn l2tp group ppp authentication-policy

Description

This command configures the RADIUS authentication policy that will be used to authenticate PPP sessions on the LNS.

The no form of this command reverts to the default value.

Default

no authentication-policy

Parameters

auth-policy-name

Specifies the authentication policy name.

Values

32 chars max

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

authentication-policy

Syntax

authentication-policy name [create]

no authentication-policy

Context

[Tree] (config>subscr-mgmt authentication-policy)

Full Context

configure subscriber-mgmt authentication-policy

Description

This command creates a RADIUS authentication policy containing parameters to authenticate subscriber sessions. The policies can be applied to an IES or VPRN interface or group interface, or a VPLS SAP.

The no form of this command removes the policy from the configuration.

Parameters

name

Specifies the name of the authentication profile. The string is case sensitive and limited to 32 ASCII 7-bit printable characters.

create

Keyword used to create the authentication policy. The create keyword requirement can be enabled or disabled in the environment>create context.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

authentication-policy

Syntax

authentication-policy name

no authentication-policy

Context

[Tree] (config>service>vprn>sub-if>grp-if authentication-policy)

[Tree] (config>service>ies>if authentication-policy)

[Tree] (config>service>vprn>if authentication-policy)

[Tree] (config>service>ies>sub-if>grp-if authentication-policy)

Full Context

configure service vprn subscriber-interface group-interface authentication-policy

configure service ies interface authentication-policy

configure service vprn interface authentication-policy

configure service ies subscriber-interface group-interface authentication-policy

Description

This command assigns a RADIUS authentication policy to the interface.

The no form of this command removes the policy from the interface configuration.

Parameters

name

Specifies the authentication policy name.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

  • configure service vprn subscriber-interface group-interface authentication-policy
  • configure service ies subscriber-interface group-interface authentication-policy

All

  • configure service vprn interface authentication-policy
  • configure service ies interface authentication-policy

authentication-policy

Syntax

authentication-policy name

no authentication-policy

Context

[Tree] (config>service>vpls>sap authentication-policy)

Full Context

configure service vpls sap authentication-policy

Description

For a regular SAP (bridged CO model), this command defines which subscriber authentication policy must be applied when a DHCP message is received on the interface. The authentication policies must already be defined. The policy is only applied when DHCP snooping is enabled on the SAP.

For a capture SAP, this command specifies the RADIUS authentication policy to use for subscriber session authentication when a valid trigger packet is received. The same authentication policy must be assigned on the group-interface where the MSAP for the subscriber session is created.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

authentication-policy

Syntax

authentication-policy policy-name

no authentication-policy

Context

[Tree] (config>service>ies>sub-if>grp-if>wlan-gw>ranges>range>authentication authentication-policy)

[Tree] (config>service>vprn>sub-if>grp-if>wlan-gw>ranges>range>authentication authentication-policy)

Full Context

configure service ies subscriber-interface group-interface wlan-gw vlan-tag-ranges range authentication authentication-policy

configure service vprn subscriber-interface group-interface wlan-gw vlan-tag-ranges range authentication authentication-policy

Description

This command assigns a RADIUS authentication policy configured under the aaa context for authenticating users on WLAN-GW ISA.

The no form of this command removes the policy from the configuration.

Parameters

policy-name

Specifies the name of the authentication policy up to 32 characters.

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

authentication-policy

Syntax

authentication-policy name

no authentication-policy

Context

[Tree] (config>app-assure>group>transit-ip>radius authentication-policy)

Full Context

configure application-assurance group transit-ip-policy radius authentication-policy

Description

This command configures the RADIUS authentication-policy for the IP transit policy.

Default

no authentication-policy

Parameters

name

Specifies the authentication policy name, up to 32 characters.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

authentication-type

authentication-type

Syntax

authentication-type {none | password | message-digest | message-digest-20}

no authentication-type

Context

[Tree] (config>subscr-mgmt>rip-plcy authentication-type)

Full Context

configure subscriber-mgmt rip-policy authentication-type

Description

This command sets the type of authentication to be used between RIP neighbors. The type and password must match exactly for the RIP message to be considered authentic and processed.

The no form of this command removes the authentication type from the configuration and effectively disables authentication.

Parameters

none

Disables authentication at a given level (global, group, neighbor). If the command does not exist in the configuration, the parameter is inherited.

password

Enables simple password (plain text) authentication. If authentication is enabled and no authentication type is specified in the command, simple password authentication is enabled.

message-digest

Configures 16 byte message digest for MD5 authentication. If this option is configured, then at least one message-digest-key must be configured.

message-digest-20

Configures 20 byte message digest for MD5 authentication in accordance with RFC 2082, RIP-2 MD5 Authentication. If this option is configured, then at least one message-digest-key must be configured.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

authentication-type

Syntax

authentication-type {password | message-digest}

no authentication

Context

[Tree] (config>service>vprn>isis>level authentication-type)

[Tree] (config>service>vprn>isis authentication-type)

Full Context

configure service vprn isis level authentication-type

configure service vprn isis authentication-type

Description

This command enables either simple password or message digest authentication. It must be configured in either the global IS-IS or the IS-IS level context.

Both the authentication key and the authentication type on a segment must match. The authentication-key statement must also be included.

Configure the authentication type on the global level in the config>router>isis context.

Configure or override the global setting by configuring the authentication type in the config>router>isis>level context.

The no form of this command disables authentication.

Default

no authentication-type — No authentication type is configured and authentication is disabled.

Parameters

password

Specifies that simple password (plain text) authentication is required.

message-digest

Specifies that MD5 authentication in accordance with RFC 2104 is required.

Platforms

All

authentication-type

Syntax

authentication-type {password | message-digest}

no authentication-type

Context

[Tree] (config>service>vprn>ospf>area>sham-link authentication-type)

[Tree] (config>service>vprn>ospf>area>if authentication-type)

[Tree] (config>service>vprn>ospf>area>virtual-link authentication-type)

Full Context

configure service vprn ospf area sham-link authentication-type

configure service vprn ospf area interface authentication-type

configure service vprn ospf area virtual-link authentication-type

Description

This command enables authentication and specifies the type of authentication to be used on the OSPF interface, virtual-link, and sham-link.

This command is not valid in the OSPF3 context.

Both simple password and message-digest authentication are supported.

The no form of this command disables authentication on the interface.

Default

no authentication-type — No authentication is enabled on an interface.

Parameters

password

This keyword enables simple password (plain text) authentication. If authentication is enabled and no authentication type is specified in the command, simple password authentication is enabled.

message-digest

This keyword enables message digest MD5 authentication in accordance with RFC 1321. If this option is configured, then at least one message-digest-key must be configured.

Platforms

All

authentication-type

Syntax

authentication-type {none | password | message-digest | message-digest-20}

no authentication-type

Context

[Tree] (config>service>vprn>rip>group>neighbor authentication-type)

[Tree] (config>service>vprn>rip>group authentication-type)

[Tree] (config>service>vprn>rip authentication-type)

Full Context

configure service vprn rip group neighbor authentication-type

configure service vprn rip group authentication-type

configure service vprn rip authentication-type

Description

This command defines the type of authentication used between RIP neighbors. The type and password must match exactly to authenticate and then process the RIP message.

The no form of this command removes the authentication type from the configuration and effectively disables authentication.

Default

no authentication-type

Parameters

none

No authentication is used.

password

A simple cleartext password is sent.

message-digest

MD5 authentication is used.

message-digest-20

MD5 authentication with a 20 byte message digest is used.

Platforms

All

authentication-type

Syntax

authentication-type {password | message-digest}

no authentication

Context

[Tree] (config>router>isis>level authentication-type)

[Tree] (config>router>isis authentication-type)

Full Context

configure router isis level authentication-type

configure router isis authentication-type

Description

This command enables either simple password or message digest authentication. It must be configured in either the global IS-IS or IS-IS level context.

Both the authentication key and the authentication type on a segment must match. The authentication-key statement must also be included.

Configure the authentication type on the global level in the config>router>isis context.

Configure or override the global setting by configuring the authentication type in the config>router>isis>level context.

The no form of this command disables authentication.

Parameters

password

Specifies that simple password (plain text) authentication is required.

message-digest

Specifies that MD5 authentication in accordance with RFC 2104 is required.

Platforms

All

authentication-type

Syntax

authentication-type {password | message-digest}

no authentication-type

Context

[Tree] (config>router>ospf>area>interface authentication-type)

[Tree] (config>router>ospf>area>virtual-link authentication-type)

Full Context

configure router ospf area interface authentication-type

configure router ospf area virtual-link authentication-type

Description

This command enables authentication and specifies the type of authentication to be used on the OSPF interface.

Both simple password and message-digest authentication are supported.

By default, authentication is not enabled on an interface.

The no form of this command disables authentication on the interface.

Default

no authentication-type

Parameters

password

Enables the simple password (plain text) authentication. If authentication is enabled and no authentication type is specified in the command, simple password authentication is enabled.

message-digest

Enables message digest MD5 authentication in accordance with RFC 1321. If this option is configured, then at least one message-digest-key must be configured.

Platforms

All

authentication-type

Syntax

authentication-type {none | password | message-digest | message-digest-20}

no authentication-type

Context

[Tree] (config>router>rip>group authentication-type)

[Tree] (config>router>rip authentication-type)

[Tree] (config>router>rip>group>neighbor authentication-type)

Full Context

configure router rip group authentication-type

configure router rip authentication-type

configure router rip group neighbor authentication-type

Description

This command sets the type of authentication to be used between RIP neighbors.

The type and password must match exactly for the RIP message to be considered authentic and processed.

The no form of the command removes the authentication type from the configuration and effectively disables authentication.

Default

no authentication-type

Parameters

none

The none parameter explicitly disables authentication at a given level (global, group, neighbor). If the command does not exist in the configuration, the parameter is inherited.

password

Enables simple password (plain text) authentication. If authentication is enabled and no authentication type is specified in the command, simple password authentication is enabled.

message-digest

Configures 16 byte message digest for MD5 authentication. If this option is configured, then at least one message-digest-key must be configured.

message-digest-20

Configures 20 byte message digest for MD5 authentication in accordance with RFC 2082, RIP-2 MD5 Authentication. If this option is configured, then at least one message-digest-key must be configured.

Platforms

All
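An audit of the authentication-type settings described in the entries above, as an added example (not Nokia's code): it resolves the type in force for each OSPF interface, virtual link, sham link and RIP neighbor, including RIP inheritance from group and global level, and reports anything weaker than message-digest. The configuration text is constructed, and its layout (nesting by indentation, "exit" closing a context) is an assumption about how a saved configuration is rendered; all function names are hypothetical.

```python
import re

# Constructed sample, not taken from a real node. The layout (one command per
# line, nesting by indentation, "exit" closing a context) is an assumption.
SAMPLE_CONFIG = '''
configure
    router
        ospf
            area 0.0.0.0
                interface "to-core-1"
                    authentication-type message-digest
                exit
                interface "to-cust-7"
                    authentication-type password
                exit
                interface "to-lab"
                exit
            exit
        exit
        rip
            authentication-type message-digest-20
            group "edge"
                neighbor "ce-1"
                exit
                neighbor "ce-2"
                    authentication-type none
                exit
            exit
            group "legacy"
                authentication-type password
                neighbor "ce-9"
                exit
            exit
        exit
    exit
exit
'''

AUTH_RE = re.compile(r"^authentication-type\s+(\S+)$")
STRENGTH = {"none": "disabled", "password": "plaintext",
            "message-digest": "md5", "message-digest-20": "md5"}
OSPF_TARGETS = ("interface", "virtual-link", "sham-link")


def heads(path):
    """First keyword of every context in the path, e.g. ['router', 'ospf', 'area']."""
    return [name.split()[0] for name in path]


def parse(text):
    """Return ({context path: configured type}, [paths of audited contexts])."""
    stack, configured, targets = [], {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:   # leave contexts we have exited
            stack.pop()
        if line == "exit":
            continue
        path = tuple(name for _, name in stack)
        match = AUTH_RE.match(line)
        if match:
            configured[path] = match.group(1)
            continue
        stack.append((indent, line))
        path += (line,)
        kinds = heads(path)
        if ("ospf" in kinds and kinds[-1] in OSPF_TARGETS) or \
           ("rip" in kinds and kinds[-1] == "neighbor"):
            targets.append(path)
    return configured, targets


def effective(path, configured):
    """Resolve the type in force for one context and where it was set."""
    kinds = heads(path)
    if "rip" in kinds:
        # RIP inherits: neighbor first, then group, then the RIP instance.
        for end in range(len(path), kinds.index("rip"), -1):
            if path[:end] in configured:
                return configured[path[:end]], ">".join(path[:end])
        return "none", "default"
    if path in configured:
        return configured[path], ">".join(path)
    return "none", "default"      # OSPF: not enabled unless configured


def audit(text):
    """List (context, strength, source) for every target weaker than MD5."""
    configured, targets = parse(text)
    findings = []
    for path in targets:
        value, source = effective(path, configured)
        strength = STRENGTH.get(value, "unknown")
        if strength != "md5":
            findings.append((">".join(path), strength, source))
    return findings


if __name__ == "__main__":
    for context, strength, source in audit(SAMPLE_CONFIG):
        print(f"{strength:9}  {context}  (set at: {source})")
```

In the sample, neighbor "ce-2" is reported as disabled even though the RIP instance is set to message-digest-20, because an explicit none at neighbor level stops inheritance.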

authenticator-init

authenticator-init

Syntax

[no] authenticator-init

Context

[Tree] (config>port>ethernet>dot1x>per-host-authentication authenticator-init)

Full Context

configure port ethernet dot1x per-host-authentication authenticator-init

Description

This command configures the authenticator-initiated mode of the host.

The no form of this command disables the authenticator-initiated mode of the host.

Default

authenticator-init

Platforms

All

authorization

authorization

Syntax

authorization

Context

[Tree] (config>system>security>cli-script authorization)

Full Context

configure system security cli-script authorization

Description

Commands in this context authorize CLI script execution.

Platforms

All

authorization

Syntax

[no] authorization

Context

[Tree] (config>service>vprn>aaa>rmt-srv>radius authorization)

[Tree] (config>system>security>radius authorization)

Full Context

configure service vprn aaa remote-servers radius authorization

configure system security radius authorization

Description

This command configures RADIUS authorization parameters.

The no form of this command removes RADIUS authorization parameters from the configuration.

Default

no authorization

Platforms

All

authorization

Syntax

authorization [use-priv-lvl]

no authorization

Context

[Tree] (config>service>vprn>aaa>rmt-srv>tacplus authorization)

[Tree] (config>system>security>tacplus authorization)

Full Context

configure service vprn aaa remote-servers tacplus authorization

configure system security tacplus authorization

Description

This command configures TACACS+ command authorization parameters.

If this command is enabled without the use-priv-lvl option, each command is sent to the TACACS+ server for authorization (this is true whether the tacplus use-default-template setting is enabled or not).

If the tacplus authorization command is disabled, and the tacplus use-default-template setting is enabled, the local profile in the user-template tacplus_default is used for command authorization.

The no form of this command removes authorization parameters from the configuration.

Default

no authorization

Parameters

use-priv-lvl

Specifies to automatically perform a single authorization request to the TACACS+ server for cmd* (all commands) immediately after login, and then use the local profile associated (via the priv-lvl-map command) with the privilege level returned by the TACACS+ server for all subsequent authorization (except enable-admin). After the initial authorization for cmd*, no further authorization requests are sent to the TACACS+ server (except enable-admin). If the TACACS+ server does not return a privilege level for a user, the profile from the user-template tacplus_default is used for command authorization (as long as tacplus use-default-template is enabled, otherwise all commands are rejected).

Platforms

All

authorized-only

authorized-only

Syntax

[no] authorized-only

Context

[Tree] (config>subscr-mgmt>wlan-gw>ue-query>state authorized-only)

Full Context

configure subscriber-mgmt wlan-gw ue-query state authorized-only

Description

This command enables matching on UEs in an authorized state.

The no form of this command disables matching on UEs in an authorized state, unless all state matching is disabled.

Default

no authorized-only

Platforms

7750 SR, 7750 SR-e, 7750 SR-s, VSR

auto-bandwidth

auto-bandwidth

Syntax

[no] auto-bandwidth

Context

[Tree] (config>router>mpls>lsp auto-bandwidth)

[Tree] (config>router>mpls>lsp-template auto-bandwidth)

Full Context

configure router mpls lsp auto-bandwidth

configure router mpls lsp-template auto-bandwidth

Description

This command enables (and the no form disables) automatic adjustments of LSP bandwidth.

Auto-bandwidth at the LSP level cannot be executed unless adaptive is configured in the config>router>mpls>lsp context.

Default

no auto-bandwidth

Platforms

All

auto-bandwidth-multipliers

auto-bandwidth-multipliers

Syntax

auto-bandwidth-multipliers sample-multiplier number1 adjust-multiplier number2

no auto-bandwidth-multipliers

Context

[Tree] (config>router>mpls auto-bandwidth-multipliers)

Full Context

configure router mpls auto-bandwidth-multipliers

Description

This command specifies the number of collection intervals in the adjust interval.

Default

auto-bandwidth-multipliers sample-multiplier 1 adjust-multiplier 288

Parameters

sample-multiplier number1

Specifies the multiplier for collection intervals in a sample interval.

Values

1 to 511

adjust-multiplier number2

Specifies the number of collection intervals in the adjust interval.

Values

1 to 16383

Platforms

All

auto-bind-tunnel

auto-bind-tunnel

Syntax

auto-bind-tunnel

Context

[Tree] (config>service>vpls>bgp-evpn>mpls auto-bind-tunnel)

[Tree] (config>service>epipe>bgp-evpn>mpls auto-bind-tunnel)

[Tree] (config>service>vprn>bgp-ipvpn>mpls auto-bind-tunnel)

[Tree] (config>service>vprn>bgp-evpn>mpls auto-bind-tunnel)

Full Context

configure service vpls bgp-evpn mpls auto-bind-tunnel

configure service epipe bgp-evpn mpls auto-bind-tunnel

configure service vprn bgp-ipvpn mpls auto-bind-tunnel

configure service vprn bgp-evpn mpls auto-bind-tunnel

Description

Commands in this context configure automatic binding of a VPRN service using tunnels to MP-BGP peers.

The auto-bind-tunnel node is simply a context to configure the binding of BGP IPVPN or EVPN routes to tunnels. The user must configure the resolution option to enable auto-bind resolution to tunnels in TTM. If the resolution option is explicitly set to disabled, the auto-binding to tunnel is removed.

If resolution is set to any, any supported tunnel type in the Epipe/VPRN/VPLS context is selected following TTM preference. If one or more explicit tunnel types are specified using the resolution-filter option, then only these tunnel types are selected again following the TTM preference.

The user must set resolution to filter in order to activate the list of tunnel-types configured under resolution-filter.

In VPRN services and for BGP-IPVPN, when an explicit SDP to a BGP next hop is configured (config>service>vprn>spoke-sdp), it overrides the auto-bind-tunnel selection for that BGP next hop only. There is no support for reverting automatically to the auto-bind-tunnel selection if the explicit SDP goes down. The user must delete the explicit spoke-sdp in the VPRN service context to resume using the auto-bind-tunnel selection for the BGP next hop.

Platforms

All

auto-bind-tunnel

Syntax

auto-bind-tunnel

Context

[Tree] (config>service>vprn auto-bind-tunnel)

Full Context

configure service vprn auto-bind-tunnel

Description

Note: This command is no longer supported and will be removed in a future release.

Platforms

All

auto-boot

auto-boot

Syntax

auto-boot [management-port] [inband [ vlan vlan-id | vlan-discovery]] [ipv4] [ipv6] [client-identifier {string ascii-string | hex hex-string | chassis-mac}] [include-user-class] [timeout minutes]

auto-boot ospf [neid neid-hex-string] [vendor-id vendor-id] [neip-ipv4 ip-address] [neip-ipv6 ipv6-address] [port-mtu mtu-bytes] [ospf-mtu ip-mtu-bytes] [vlan vlan-id] [timeout minutes]

no auto-boot

Context

[Tree] (bof auto-boot)

Full Context

bof auto-boot

Description

This command enables the auto-boot flag in the BOF and configures the auto-boot options for ZTP. When modifying auto-boot options using CLI, all required options must be explicitly configured, as the default cases will no longer be used.

The no form of this command disables the auto-boot flag.

Default

no auto-boot

Parameters

management-port

Specifies that the out-of-band management port (Mgmt port) should be used for ZTP.

inband

Specifies that in-band management through an Ethernet port should be used for ZTP. Unless the vlan-discovery flag is used, the inband option disables VLAN discovery.

vlan-id

Specifies an in-band VLAN to use for the auto-boot process.

Values

1 to 4094

vlan-discovery

Floods all VLANs (1 to 4094) with DHCP discovery messages and is supported only on inband ports. The first offer received on a specific VLAN is processed.

ipv4

Enables IPv4 DHCP discovery. This parameter is mandatory if the ipv6 parameter is not specified.

ipv6

Enables IPv6 DHCP solicitation. This parameter is mandatory if the ipv4 parameter is not specified.

ascii-string

Specifies a DHCP client identification string, up to 58 ASCII characters, to be used for Option 61 (IPv4) or Option 1 (IPv6).

hex-string

Specifies a DHCP client identification string, up to 116 hexadecimal nibbles, to be used for Option 61 (IPv4) or Option 1 (IPv6).

Values

0x0 to 0xFFFFFFFF

chassis-mac

Specifies that the chassis MAC address should be used as the DHCP client identification string for Option 61 (IPv4) or Option 1 (IPv6).

include-user-class

Specifies that Option 77 should be included in DHCP messages.

client-identifier

Specifies that a custom client ID should be used in network discovery requests.

minutes

Specifies the time interval after which, if the auto-boot process is unsuccessful (in the case of auto-boot using OSPF, if no OSPF adjacency is found), the node is rebooted and the auto-boot process is retried.

Values

30 to 1440

Default

30

ospf

Specifies that OSPF auto-discovery should be used.

neid-hex-string

Specifies a hexadecimal network element identification string.

Values

0x10101 to 0xFEFEFE

ip-address

Specifies the IPv4 address for the network element.

Values

a.b.c.d

Default

vendor-id.neid-hex-string

ipv6-address

Specifies the IPv6 address for the network element.

Values

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x [0 to FFFF]H

d [0 to 255]D

Default

The IPv6 version of vendor-id.neid-hex-string

vendor-id

Specifies the vendor identification number. The number 140 corresponds to "Nokia".

Values

1 to 254

Default

140

ip-mtu-bytes

Specifies the OSPF MTU in bytes.

Values

512 to 9786

Default

1500

mtu-bytes

Specifies the port MTU in bytes.

Values

512 to 9800

Default

The default MTU of the port type.

Platforms

7450 ESS-7, 7750 SR-1, 7750 SR-7, 7750 SR-1e, 7750 SR-2e, 7750 SR-s

auto-config

auto-config

Syntax

[no] auto-config

Context

[Tree] (config>service>epipe>spoke-sdp-fec auto-config)

Full Context

configure service epipe spoke-sdp-fec auto-config

Description

This command enables single sided automatic endpoint configuration of the spoke SDP. The router acts as the passive T-PE for signaling this MS-PW.

Automatic Endpoint Configuration allows the configuration of a spoke SDP endpoint without specifying the TAII associated with that spoke SDP. It allows a single-sided provisioning model where an incoming label mapping message with a TAII that matches the SAII of that spoke SDP is automatically bound to that endpoint. In this mode, the far end T-PE actively initiates MS-PW signaling and sends the initial label mapping message using T-LDP, while the router T-PE for which auto-config is specified acts as the passive T-PE.

The auto-config command is blocked in CLI if signaling active has been enabled for this spoke SDP. It is only applicable to spoke SDPs configured under the Epipe, IES and VPRN interface context.

The no form of this command means that the router T-PE either acts as the active T-PE (if signaling active is configured) or automatically determines which router will initiate MS-PW signaling based on the prefix values configured in the SAII and TAII of the spoke SDP. If the SAII has the greater prefix value, then the router will initiate MS-PW signaling without waiting for a label mapping message from the far end. However, if the TAII has the greater value prefix, then the router will assume that the far end T-PE will initiate MS-PW signaling and will wait for that label mapping message before responding with a T-LDP label mapping message for the MS-PW in the reverse direction.

Default

no auto-config

Platforms

All

auto-config-save

auto-config-save

Syntax

[no] auto-config-save

Context

[Tree] (config>system>management-interface>cli>md-cli auto-config-save)

Full Context

configure system management-interface cli md-cli auto-config-save

Description

This command enables the functionality to automatically write the running configuration to the saved configuration file as part of a successful MD-CLI commit operation.

The no form of this command disables this functionality.

Default

auto-config-save

Platforms

All

auto-config-save

Syntax

[no] auto-config-save

Context

[Tree] (config>system>netconf auto-config-save)

Full Context

configure system netconf auto-config-save

Description

This command enables the functionality to automatically write the running configuration to the saved configuration file as part of a successful NETCONF or pySROS commit operation.

The no form of this command disables this functionality.

Default

auto-config-save

Platforms

All

auto-config-save

Syntax

[no] auto-config-save

Context

[Tree] (config>system>grpc>gnmi auto-config-save)

Full Context

configure system grpc gnmi auto-config-save

Description

This command enables the functionality to automatically write the running configuration to the saved configuration file as part of a successful gNMI commit operation.

The no form of this command disables this functionality.

Default

auto-config-save

Platforms

All

auto-creation

auto-creation

Syntax

[no] auto-creation

Context

[Tree] (config>qos>fp-resource-policy>aggregate-shapers auto-creation)

Full Context

configure qos fp-resource-policy aggregate-shapers auto-creation

Description

This command enables the auto-creation of hardware aggregate shapers on the specified FP. After enabling, the corresponding FP is rebooted.

The no version of this command disables auto-creation of hardware aggregate shapers.

Default

no auto-creation

Platforms

7750 SR-1, 7750 SR-s

auto-crl-update

auto-crl-update

Syntax

auto-crl-update [create]

no auto-crl-update

Context

[Tree] (config>system>security>pki>ca-prof auto-crl-update)

Full Context

configure system security pki ca-profile auto-crl-update

Description

This command creates an auto CRL update configuration context with the create parameter, or enters the auto-crl-update configuration context without the create parameter.

This mechanism automatically downloads a CRL file from a list of configured HTTP URLs, either periodically or before the existing CRL expires. If the downloaded CRL is more recent than the existing one, the existing one is replaced.

Note:

The configured URL must point to a DER encoded CRL file.

Parameters

create

Creates an auto CRL update for the ca-profile.

Platforms

All

auto-crl-update

Syntax

[no] auto-crl-update

Context

[Tree] (debug>certificate auto-crl-update)

Full Context

debug certificate auto-crl-update

Description

This command enables trace for automated and manual CRL updates.

Platforms

All

auto-disc-route-advertisement

auto-disc-route-advertisement

Syntax

[no] auto-disc-route-advertisement

Context

[Tree] (config>service>vpls>bgp-evpn>vxlan auto-disc-route-advertisement)

Full Context

configure service vpls bgp-evpn vxlan auto-disc-route-advertisement

Description

This command enables sending route advertisements on auto-discovery.

The no form of this command disables sending route advertisements on auto-discovery.

Default

no auto-disc-route-advertisement

Platforms

All

auto-discovery

auto-discovery

Syntax

auto-discovery [default | mdt-safi] [source-address ip-address]

Context

[Tree] (config>service>vprn>mvpn auto-discovery)

Full Context

configure service vprn mvpn auto-discovery

Description

This command enables MVPN membership auto-discovery through BGP. When auto-discovery is enabled, PIM peering on the inclusive provider tunnel is disabled. Changing auto-discovery configuration requires shutdown of this VPRN instance.

The no form of this command disables MVPN membership auto-discovery through BGP.

Default

auto-discovery default

Parameters

default

Enables AD route exchange based on format defined in NG-MVPN (RFC 6514).

mdt-safi

Keyword to enable AD route exchange based on the MDT-SAFI format, as described in draft-rosen-vpn-mcast.

This command optionally specifies a source IP address to be used by Rosen MVPN or NG-MVPN for core diversity, non-default IGP instances (not using system IP). Two unique IP addresses for PIM or GRE MVPNs are supported. The two unique IP address restriction does not apply to MVPNs with MPLS tunnels (for example, RSVP and MLDP). For instances using default System IP, source address configuration should not be specified to avoid consuming one of the addresses.

Explicitly defining a source address allows GRE-encapsulated Rosen MVPN or NG-MVPN multicast traffic (Default and Data MDT) to originate from a configured IP address, so the source IP address of the GRE packets is not the default system IP address.

ip-address

Specifies an IPv4 address. To achieve the desired functionality, the address should be a pre-configured, non-default IS-IS or OSPF loopback address for an IGP instance using a loopback address different from the system IP loopback.

Platforms

All

auto-discovery

Syntax

auto-discovery [default]

no auto-discovery

Context

[Tree] (config>router>pim>gtm auto-discovery)

Full Context

configure router pim gtm auto-discovery

Description

This command enables multicast auto-discovery over BGP for GTM.

The no form of this command disables auto-discovery.

Default

no auto-discovery

Parameters

default

Enables the default auto-discovery mode.

Platforms

All

auto-discovery-disable

auto-discovery-disable

Syntax

[no] auto-discovery-disable

Context

[Tree] (config>service>vprn>mvpn>pt>selective auto-discovery-disable)

Full Context

configure service vprn mvpn provider-tunnel selective auto-discovery-disable

Description

This command disables C-trees to P-tunnel binding auto-discovery through BGP so it is signaled using PIM join TLVs.

This command requires the c-mcast-signaling parameter to be set to PIM.

For multi-stream S-PMSI, this command must be enabled for BGP auto-discovery to function.

The no form of this command enables multicast VPN membership auto-discovery through BGP.

Default

auto-discovery-disable

Platforms

All

auto-eap-method

auto-eap-method

Syntax

auto-eap-method {psk | cert | psk-or-cert}

Context

[Tree] (config>ipsec>ike-policy auto-eap-method)

Full Context

configure ipsec ike-policy auto-eap-method

Description

This command enables the following behavior for an IKEv2 remote-access tunnel when auth-method is configured as auto-eap-radius:

  • If there is no AUTH payload in the IKE_AUTH request, the system uses EAP to authenticate the client and uses own-auth-method to generate the AUTH payload.

  • If there is an AUTH payload in the IKE_AUTH request:

    • if auto-eap-method is psk, the system proceeds as auth-method:psk-radius

    • if auto-eap-method is cert, the system proceeds as auth-method:cert-radius

    • if auto-eap-method is psk-or-cert, then:

      • if the "Auth Method" field of the AUTH payload is PSK, the system proceeds as auth-method:psk-radius

      • if the "Auth Method" field of the AUTH payload is RSA or DSS, the system proceeds as auth-method:cert-radius

    • The system uses auto-eap-own-method to generate the AUTH payload.

This command only applies when auth-method is configured as auto-eap-radius.

Default

auto-eap-method cert

Parameters

psk

Uses the pre-shared-key as the authentication method.

cert

Uses the certificate as the authentication method.

psk-or-cert

Uses either the pre-shared-key or certificate based on the "Auth Method" field of the received AUTH payload.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

auto-eap-own-method

auto-eap-own-method

Syntax

auto-eap-own-method {psk | cert}

Context

[Tree] (config>ipsec>ike-policy auto-eap-own-method)

Full Context

configure ipsec ike-policy auto-eap-own-method

Description

This command enables the following behavior for an IKEv2 remote-access tunnel when auth-method is configured as auto-eap-radius:

  • If there is no AUTH payload in the IKE_AUTH request, the system uses EAP to authenticate the client and uses own-auth-method to generate the AUTH payload.

  • If there is an AUTH payload in the IKE_AUTH request:

    • if auto-eap-method is psk, the system proceeds as auth-method:psk-radius.

    • if auto-eap-method is cert, the system proceeds as auth-method:cert-radius.

    • if auto-eap-method is psk-or-cert, then:

      • if the "Auth Method" field of the AUTH payload is PSK, the system proceeds as auth-method:psk-radius.

      • if the "Auth Method" field of the AUTH payload is RSA or DSS, the system proceeds as auth-method:cert-radius.

    • The system uses auto-eap-own-method to generate the AUTH payload.

This command only applies when auth-method is configured as auto-eap-radius.

Default

auto-eap-own-method cert

Parameters

psk

Uses a pre-shared-key to generate AUTH payload.

cert

Uses a public/private key to generate AUTH payload.

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR
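The selection described in the auto-eap-method and auto-eap-own-method entries, as an added example (a model of the text above, not Nokia's code): it reads the Auth Method octet from a decrypted IKEv2 AUTH payload and returns how the client is authenticated and which setting drives the gateway's own AUTH payload. The numeric Auth Method values and the payload layout come from RFC 7296, not from this page; the function names are hypothetical, and rejecting any other Auth Method value under psk-or-cert is an assumption, since the page does not cover that case.

```python
import struct

# IKEv2 Auth Method values (RFC 7296, section 3.8)
AUTH_RSA_SIG, AUTH_SHARED_KEY_MIC, AUTH_DSS_SIG = 1, 2, 3


def build_auth_payload(method, auth_data):
    """Build a constructed AUTH payload: generic header, Auth Method, 3 reserved octets, data."""
    return struct.pack("!BBHB3x", 0, 0, 8 + len(auth_data), method) + auth_data


def auth_method_of(payload):
    """Return the Auth Method octet, or None when the request carried no AUTH payload."""
    if payload is None:
        return None
    if len(payload) < 8:
        raise ValueError("AUTH payload shorter than its fixed 8-octet header")
    _next_payload, _flags, length, method = struct.unpack("!BBHB", payload[:5])
    if length != len(payload):
        raise ValueError("Payload Length field does not match the data received")
    return method


def select_procedure(payload, auto_eap_method, auto_eap_own_method, own_auth_method):
    """Return (client authentication procedure, method used for the system's own AUTH).

    own_auth_method stands for the value of the own-auth-method setting that the
    page names for the EAP case; its valid values are not listed on this page.
    """
    method = auth_method_of(payload)
    if method is None:
        # No AUTH payload in IKE_AUTH: EAP for the client, own-auth-method for us.
        return ("eap", own_auth_method)
    if auto_eap_method == "psk":
        client = "psk-radius"
    elif auto_eap_method == "cert":
        client = "cert-radius"
    elif auto_eap_method == "psk-or-cert":
        if method == AUTH_SHARED_KEY_MIC:
            client = "psk-radius"
        elif method in (AUTH_RSA_SIG, AUTH_DSS_SIG):
            client = "cert-radius"
        else:
            # Assumption: the page defines no behavior here, so the model refuses.
            raise ValueError("Auth Method %d is not PSK, RSA or DSS" % method)
    else:
        raise ValueError("unknown auto-eap-method value: %r" % auto_eap_method)
    return (client, auto_eap_own_method)


if __name__ == "__main__":
    psk_request = build_auth_payload(AUTH_SHARED_KEY_MIC, bytes(32))  # constructed
    rsa_request = build_auth_payload(AUTH_RSA_SIG, bytes(256))        # constructed
    for name, request in (("no AUTH", None), ("PSK", psk_request), ("RSA", rsa_request)):
        print(name, select_procedure(request, "psk-or-cert", "cert", "psk"))
```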

auto-edge

auto-edge

Syntax

[no] auto-edge

Context

[Tree] (config>service>vpls>spoke-sdp>stp auto-edge)

[Tree] (config>service>template>vpls-sap-template>stp auto-edge)

[Tree] (config>service>vpls>sap>stp auto-edge)

Full Context

configure service vpls spoke-sdp stp auto-edge

configure service template vpls-sap-template stp auto-edge

configure service vpls sap stp auto-edge

Description

This command configures automatic detection of the edge port characteristics of the SAP or spoke SDP.

If auto-edge is enabled, and STP concludes there is no bridge behind the spoke SDP, the OPER_EDGE variable is dynamically set to true. If auto-edge is enabled, and a BPDU is received, the OPER_EDGE variable is dynamically set to false.

The no form of this command disables automatic detection.

Default

auto-edge

Platforms

All

auto-edge

Syntax

[no] auto-edge

Context

[Tree] (config>service>pw-template>stp auto-edge)

Full Context

configure service pw-template stp auto-edge

Description

This command configures automatic detection of the edge port characteristics of the SAP or spoke SDP.

If auto-edge is enabled, and STP concludes there is no bridge behind the spoke SDP, the OPER_EDGE variable is dynamically set to true. If auto-edge is enabled, and a BPDU is received, the OPER_EDGE variable is dynamically set to false.

The no form of this command disables automatic detection.

Default

auto-edge

Platforms

All

auto-esi

auto-esi

Syntax

auto-esi {none | type-1}

Context

[Tree] (config>service>system>bgp-evpn>eth-seg auto-esi)

Full Context

configure service system bgp-evpn ethernet-segment auto-esi

Description

This command configures the auto-ESI type to use in the Ethernet segment (ES).

The default mode is none and forces the user to configure a manual ESI. When type-1 is configured, a manual ESI cannot be configured and the ESI is auto-derived in accordance with the RFC 7432 ESI type 1 definition.

An ESI type 1 encodes 0x01 in the ESI type octet (T=0x01) and indicates that IEEE 802.1AX LACP is used between the PEs and CEs.

The ESI is auto-derived from the LACP PDUs by concatenating the following parameters:

  • CE LACP system MAC address (6 octets)

    The CE LACP system MAC address is encoded in the high-order 6 octets of the ESI value field.

  • CE LACP port Key (2 octets)

    The CE LACP port key is encoded in the 2 octets next to the system MAC address.

  • the remaining octet is set to 0x00.

Parameters

type-1

Specifies an auto-generated ESI value.

none

Specifies the configuration of a manual ESI.

Platforms

All
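The type-1 derivation described above, as an added example (not Nokia's code): it builds the 10-octet ESI from the CE LACP system MAC address and port key, decodes it again, and checks that every PE attached to the same CE derives the same value. Function names and the sample MAC address, port keys and PE names are constructed for illustration.

```python
import re

ESI_TYPE_1 = 0x01  # T=0x01: ESI auto-derived from IEEE 802.1AX LACP parameters
_MAC_RE = re.compile(r"^[0-9a-fA-F]{2}([:-][0-9a-fA-F]{2}){5}$")


def derive_type1_esi(ce_system_mac, ce_port_key):
    """Return the 10-octet ESI: type, 6-octet MAC, 2-octet port key, 0x00."""
    if not _MAC_RE.match(ce_system_mac):
        raise ValueError("not a MAC address: %r" % ce_system_mac)
    if not 0 <= ce_port_key <= 0xFFFF:
        raise ValueError("LACP port key must fit in 2 octets")
    mac = bytes.fromhex(re.sub(r"[:-]", "", ce_system_mac))
    return bytes([ESI_TYPE_1]) + mac + ce_port_key.to_bytes(2, "big") + b"\x00"


def format_esi(esi):
    """Render an ESI as colon-separated lowercase hex octets."""
    return ":".join("%02x" % octet for octet in esi)


def decode_type1_esi(text):
    """Recover (CE system MAC, CE port key) from a type-1 ESI string."""
    esi = bytes.fromhex(text.replace(":", ""))
    if len(esi) != 10:
        raise ValueError("an ESI is 10 octets long")
    if esi[0] != ESI_TYPE_1:
        raise ValueError("ESI type octet is 0x%02x, not 0x01" % esi[0])
    if esi[9] != 0x00:
        raise ValueError("last octet of a type-1 ESI must be 0x00")
    return format_esi(esi[1:7]), int.from_bytes(esi[7:9], "big")


def pes_agree(views):
    """views maps a PE name to the (CE system MAC, CE port key) it sees in LACP PDUs.

    Returns (True if all PEs derive one ESI, {PE name: derived ESI}).
    """
    derived = {pe: format_esi(derive_type1_esi(mac, key))
               for pe, (mac, key) in views.items()}
    return len(set(derived.values())) == 1, derived


if __name__ == "__main__":
    # Constructed values: one CE LAG seen from two PEs.
    print(format_esi(derive_type1_esi("00:11:22:aa:bb:cc", 32768)))
    print(pes_agree({"pe-1": ("00:11:22:aa:bb:cc", 32768),
                     "pe-2": ("00:11:22:aa:bb:cc", 32769)}))
```

A port key that differs between the CE's member links shows up here as two different ESIs, so the PEs would not land in the same Ethernet segment.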

auto-establish

auto-establish

Syntax

[no] auto-establish

Context

[Tree] (config>router>l2tp>group>tunnel auto-establish)

Full Context

configure router l2tp group tunnel auto-establish

Description

This command specifies if this tunnel is to be automatically set up by the system.

Default

no auto-establish

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

auto-establish

Syntax

[no] auto-establish

Context

[Tree] (config>service>vprn>l2tp>group>tunnel auto-establish)

Full Context

configure service vprn l2tp group tunnel auto-establish

Description

This command specifies if this tunnel is to be automatically set up by the system.

Default

no auto-establish

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

auto-establish

Syntax

[no] auto-establish

Context

[Tree] (config>ipsec>trans-mode-prof>dyn auto-establish)

[Tree] (config>router>if>ipsec>ipsec-tunnel>dyn auto-establish)

[Tree] (config>service>ies>if>ipsec>ipsec-tunnel>dyn auto-establish)

[Tree] (config>service>vprn>if>sap>ipsec-tun>dyn auto-establish)

[Tree] (config>service>vprn>if>ipsec>ipsec-tunnel>dyn auto-establish)

Full Context

configure ipsec ipsec-transport-mode-profile dynamic-keying auto-establish

configure router interface ipsec ipsec-tunnel dynamic-keying auto-establish

configure service ies interface ipsec ipsec-tunnel dynamic-keying auto-establish

configure service vprn interface sap ipsec-tunnel dynamic-keying auto-establish

configure service vprn interface ipsec ipsec-tunnel dynamic-keying auto-establish

Description

This command enables automatic attempts to establish a phase 1 exchange.

The system automatically establishes a phase 1 SA as soon as the tunnel is provisioned and enabled (no shutdown). This option should only be configured on one side of the tunnel.

Any associated static routes remain up as long as the tunnel is up, even though it may actually be operationally down according to the CLI.

The no form of this command disables the automatic attempts to establish a phase 1 exchange.

Default

no auto-establish

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

  • configure ipsec ipsec-transport-mode-profile dynamic-keying auto-establish
  • configure service vprn interface sap ipsec-tunnel dynamic-keying auto-establish

VSR

  • configure service vprn interface ipsec ipsec-tunnel dynamic-keying auto-establish
  • configure service ies interface ipsec ipsec-tunnel dynamic-keying auto-establish
  • configure router interface ipsec ipsec-tunnel dynamic-keying auto-establish

auto-learn-mac-protect

auto-learn-mac-protect

Syntax

[no] auto-learn-mac-protect

Context

[Tree] (config>service>vpls>endpoint auto-learn-mac-protect)

[Tree] (config>service>pw-template>split-horizon-group auto-learn-mac-protect)

Full Context

configure service vpls endpoint auto-learn-mac-protect

configure service pw-template split-horizon-group auto-learn-mac-protect

Description

This command enables the automatic protection of source MAC addresses learned on the associated object. MAC protection is used in conjunction with the restrict-protected-src, restrict-unprotected-dst, and mac-protect commands. When the auto-learn-mac-protect command is applied or removed, the MAC addresses are cleared from the related object.

When auto-learn-mac-protect is enabled on an SHG, the action only applies to the associated SAPs (no action is taken by default for spoke SDPs in the SHG). To enable this function for spoke SDPs within an SHG, the auto-learn-mac-protect command must be enabled explicitly under the spoke SDP. If required, the auto-learn-mac-protect command can also be enabled explicitly under specific SAPs within the SHG.

The no form of the command reverts to the default.

Default

no auto-learn-mac-protect

Platforms

All

auto-learn-mac-protect

Syntax

auto-learn-mac-protect [exclude-list name]

no auto-learn-mac-protect

Context

[Tree] (config>service>vpls>sap auto-learn-mac-protect)

[Tree] (config>service>vpls>spoke-sdp auto-learn-mac-protect)

[Tree] (config>service>vpls>split-horizon-group auto-learn-mac-protect)

[Tree] (config>service>vpls>mesh-sdp auto-learn-mac-protect)

[Tree] (config>service>pw-template auto-learn-mac-protect)

Full Context

configure service vpls sap auto-learn-mac-protect

configure service vpls spoke-sdp auto-learn-mac-protect

configure service vpls split-horizon-group auto-learn-mac-protect

configure service vpls mesh-sdp auto-learn-mac-protect

configure service pw-template auto-learn-mac-protect

Description

This command specifies whether to enable automatic population of the MAC protect list with source MAC addresses learned on the associated object under which the command is configured.

When configured, dynamically learned MAC source addresses (SAs) are protected only if they are learned on an object with auto-learn-mac-protect (ALMP) configured and either there is no exclude list associated with the same object, or there is an exclude list but the MAC does not match any entry.

The same list can be used in multiple objects of the same or different service. If the list is empty, ALMP does not exclude any learned MAC from protection on the object.

The no form of the command disables the automatic population of the MAC protect list.

Default

auto-learn-mac-protect

Parameters

name

Specifies the name of the exclude list, up to 32 characters.

Platforms

All

auto-lifetimes

auto-lifetimes

Syntax

[no] auto-lifetimes

Context

[Tree] (config>subscr-mgmt>rtr-adv-plcy>pfx-opt>stateful auto-lifetimes)

Full Context

configure subscriber-mgmt router-advertisement-policy prefix-options stateful auto-lifetimes

Description

This command adjusts the valid and preferred lifetime values of the router advertisement from the DHCP lease of the subscriber. Every router advertisement sent to the subscriber is derived from the DHCP lease in real time. The router advertisement is always sent on a DHCP Renew.

The no form of this command reverts to the default.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

auto-lsp

auto-lsp

Syntax

auto-lsp lsp-template template-name {policy peer-prefix-policy [peer-prefix-policy] | one-hop}

no auto-lsp lsp-template template-name

Context

[Tree] (config>router>mpls auto-lsp)

Full Context

configure router mpls auto-lsp

Description

This command enables the automatic creation of an RSVP point-to-point LSP to a destination node whose router ID matches a prefix in the specified peer prefix policy. This LSP type is referred to as auto-LSP of type mesh.

The user can associate multiple templates with the same or different peer prefix policies. Each application of an LSP template with a given prefix in the prefix list results in the instantiation of a single CSPF computed LSP primary path using the LSP template parameters as long as the prefix corresponds to a router ID for a node in the TE database. This command does not support the automatic signaling of a secondary path for an LSP. If the signaling of multiple LSPs to the same destination node is required, the user must apply a separate LSP template to the same or different prefix list that contains the same destination node. Each instantiated LSP will have a unique LSP ID and a unique tunnel ID. This command also does not support the signaling of a non-CSPF LSP. The selection of the no cspf option in the LSP template is blocked.

Up to five peer prefix policies can be associated with a given LSP template at all times. Each time the user runs the auto-lsp command with the same or different prefix policy associations, or the user changes a prefix policy associated with an LSP template, the system re-evaluates the prefix policy. The outcome of the re-evaluation tells MPLS if an existing LSP needs to be torn down or if a new LSP needs to be signaled to a destination address that is already in the TE database.

If a /32 prefix is added to (removed from) or if a prefix range is expanded (shrunk) in a prefix list associated with an LSP template, the preceding prefix policy re-evaluation is performed.

The user must perform a no shutdown of the template before the template takes effect. After a template is in use, the user must shut down the template before effecting any changes to the parameters, except for those LSP parameters for which the change can be handled with the Make-Before-Break (MBB) procedures. These parameters are bandwidth and enabling fast-reroute with or without the hop-limit or node-protect options. For all other parameters, the user must shut down the template, make the change, and perform a no shutdown. This results in the existing instances of the LSP using this template being torn down and re-signaled.

When a router with a router ID that matches a prefix in the prefix list appears in the TE database, it is a trigger to signal the LSP. The signaled LSP is installed in the Tunnel Table Manager (TTM) and is available to applications such as LDP-over-RSVP, resolution of BGP label routes, resolution of BGP, IGP, and static routes. It is, however, not available for use as a provisioned SDP for explicit binding or auto-binding by services.

Except for the MBB limitations to the configuration parameter change in the LSP template, MBB procedures for manual and timer based re-signaling of the LSP, for TE Graceful Shutdown and for soft preemption are supported.

The one-to-one option under fast-reroute, the LSP Diff-Serv class-type and backup-class-type parameters are not supported. If diffserv-te is enabled under RSVP, the auto-created LSP is still signaled but with the default LSP class type.

If the one-hop option is specified instead of a prefix list, this command enables the automatic signaling of one-hop point-to-point LSPs using the specified template to all directly connected neighbors. This LSP type is referred to as auto-LSP of type one-hop. Although the provisioning model and CLI syntax differ from that of a mesh LSP only by the absence of a prefix list, the actual behavior is quite different. When this command is executed, the TE database keeps track of each TE link that comes up to a directly connected IGP neighbor whose router ID is discovered. It then instructs MPLS to signal an LSP with a destination address matching the router ID of the neighbor and with a strict hop consisting of the address of the interface used by the TE link. Thus, the auto-lsp command with the one-hop option results in one or more LSPs signaled to the neighboring router.

An auto-created mesh or one-hop LSP can collect egress statistics at the ingress LER by adding the egress-statistics node configuration into the LSP template. The user can also collect ingress statistics at the egress LER by using the same ingress-statistics node configuration. The user must specify the full LSP name as signaled by the ingress LER in the RSVP session name field of the Session Attribute object in the received Path message.

This feature also provides for the auto-creation of an SR-TE mesh LSP and for an SR-TE one-hop LSP.

The SR-TE mesh LSP feature specifically binds a mesh-p2p-srte LSP template with one or more prefix lists. When the TE database discovers a router that has a router ID matching an entry in the prefix list, it triggers MPLS to instantiate an SR-TE LSP to that router using the LSP parameters in the LSP template.

The SR-TE one-hop LSP feature specifically activates a one-hop-p2p-srte LSP template. In this case, the TE database keeps track of each TE link that comes up to a directly connected IGP neighbor. It then instructs MPLS to instantiate an SR-TE LSP with the following parameters:

  • the source address of the local router

  • an outgoing interface matching the interface index of the TE-link

  • a destination address matching the router ID of the neighbor on the TE link

In both types of SR-TE auto-LSP, the router’s hop-to-label translation computes the label stack required to instantiate the LSP.

Note:

An SR-TE auto-LSP can be reported to a PCE but cannot be delegated or have its paths computed by PCE.

The no form of this command deletes all LSPs signaled using the specified template and prefix policy. When the one-hop option is used, it deletes all one-hop LSPs signaled using the specified template to all directly-connected neighbors.

Parameters

lsp-template template-name

Specifies an LSP template name, up to 32 characters in length.

policy peer-prefix-policy

Specifies a peer prefix policy name, up to 32 characters in length.

one-hop

Enables the automatic signaling of one-hop point-to-point LSPs.

Platforms

All

auto-mep-discovery

auto-mep-discovery

Syntax

[no] auto-mep-discovery

Context

[Tree] (config>eth-cfm>domain>assoc auto-mep-discovery)

Full Context

configure eth-cfm domain association auto-mep-discovery

Description

This command enables the ability to auto-discover remote MEPs from a peer MEP sending ETH-CC.

The no form of this command disables the ability to auto-discover remote MEPs from a peer MEP sending ETH-CC.

Default

no auto-mep-discovery

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

auto-reply

auto-reply

Syntax

[no] auto-reply

Context

[Tree] (config>service>ies>sub-if>grp-if>ipv6 auto-reply)

[Tree] (config>service>vprn>sub-if>grp-if>ipv6 auto-reply)

Full Context

configure service ies subscriber-interface group-interface ipv6 auto-reply

configure service vprn subscriber-interface group-interface ipv6 auto-reply

Description

This command assists IP-only static hosts to resolve their default gateway and MAC. By default, the BNG anti-spoof filter drops packets from unknown hosts. The auto-reply feature first allows hosts to resolve their default gateway and afterwards allows them to forward traffic. Using the data traffic, the BNG can utilize the data-trigger mechanism to learn the host’s MAC and populate the full IP+MAC static host entry.

The no form of this command reverts to the default.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

auto-rp

auto-rp

Syntax

auto-rp [detail]

no auto-rp

Context

[Tree] (debug>router>pim auto-rp)

Full Context

debug router pim auto-rp

Description

This command enables debugging for PIM auto-RP.

The no form of this command disables PIM auto-RP debugging.

Parameters

detail

Debugs detailed information on the PIM auto-RP mechanism.

Platforms

All

auto-rp-discovery

auto-rp-discovery

Syntax

auto-rp-discovery [candidate] [mapping-agent]

no auto-rp-discovery

Context

[Tree] (config>service>vprn>pim>rp auto-rp-discovery)

Full Context

configure service vprn pim rp auto-rp-discovery

Description

This command enables the auto-RP protocol in discovery mode. In discovery mode, RP-mapping and RP-candidate messages are received and forwarded to downstream nodes. RP-mapping messages are received locally to learn the availability of RP nodes present in the network. In a VPRN configuration, Nokia recommends that a local loopback interface should be created with the same IP address as the system IP address.

The following configuration guidelines apply.

  • Either bsr-candidate for IPv4 or auto-rp-discovery can be configured; the two mechanisms cannot be enabled together.

  • bsr-candidate for IPv6 and auto-rp-discovery for IPv4 can be enabled together.

  • auto-rp-discovery cannot be enabled together with mdt-type sender-only or mdt-type receiver-only, or wildcard-spmsi configurations.

This command also enables the auto-RP listener functionality. The auto-RP listener forwards the candidate 224.0.1.39 and mapping 224.0.1.40 messages over the PIM interfaces.

The no form of this command disables auto-RP discovery, auto-RP listener, candidate, and mapping-agent.

Default

no auto-rp-discovery

Parameters

candidate

Specifies that the RP is a candidate RP. The auto-RP C-RP announces the candidate RP messages on the 224.0.1.39 multicast address. This functionality is in addition to the listener functionality enabled by the auto RP discovery.

The default value is no candidate.

mapping-agent

Specifies the mapping agent on the node. The auto-RP MA observes the auto-rp-announcement messages, selects the RP, and generates the RP discovery 224.0.1.40 messages. This functionality is in addition to the auto RP discovery functionality.

The default value is no mapping-agent.

Platforms

All

auto-rp-discovery

Syntax

auto-rp-discovery [candidate] [mapping-agent]

no auto-rp-discovery

Context

[Tree] (config>router>pim>rp auto-rp-discovery)

Full Context

configure router pim rp auto-rp-discovery

Description

This command enables the auto-RP protocol in discovery mode. In discovery mode, RP-mapping and RP candidate messages are received and forwarded to downstream nodes. RP-mapping messages are received locally to learn the availability of RP nodes present in the network.

The following configuration guidelines apply.

  • Either bsr-candidate for IPv4 or auto-rp-discovery can be configured; the two mechanisms cannot be enabled together.

  • bsr-candidate for IPv6 and auto-rp-discovery for IPv4 can be enabled together.

This command also enables the auto-RP listener functionality. The auto-RP listener forwards the candidate 224.0.1.39 and mapping 224.0.1.40 messages over the PIM interfaces.

The no form of this command disables auto-RP discovery, auto-RP listener, candidate, and mapping-agent.

Default

no auto-rp-discovery

Parameters

candidate

Specifies that the RP is a candidate RP. The auto-RP C-RP announces the candidate RP messages on the 224.0.1.39 multicast address. This functionality is in addition to the listener functionality enabled by the auto RP discovery.

The default value is no candidate.

mapping-agent

Specifies the mapping agent on the node. The auto-RP MA observes the auto-rp-announcement messages, selects the RP, and generates the RP discovery 224.0.1.40 messages. This functionality is in addition to the auto RP discovery functionality.

The default value is no mapping-agent.

Platforms

All

auto-rx

auto-rx

Syntax

auto-rx

Context

[Tree] (config>router>ldp>targeted-session auto-rx)

Full Context

configure router ldp targeted-session auto-rx

Description

Commands in this context configure an automatic targeted LDP session and accept targeted Hello messages from any peer.

Platforms

All

auto-srrp-id-range

auto-srrp-id-range

Syntax

auto-srrp-id-range start start-id end end-id

no auto-srrp-id-range

Context

[Tree] (config>redundancy>srrp auto-srrp-id-range)

Full Context

configure redundancy srrp auto-srrp-id-range

Description

This command reserves IDs for internal SRRP objects created for inter-BNG-UP resiliency. Manually provisioned SRRP instances cannot use these reserved IDs.

The no form of this command removes the reservation of IDs.

Parameters

start-id

Specifies the lower bound of the ID range.

Values

1 to 4294967294

end-id

Specifies the upper bound of the ID range.

Values

2 to 4294967295

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

auto-sub-id-key

auto-sub-id-key

Syntax

auto-sub-id-key

Context

[Tree] (config>subscr-mgmt auto-sub-id-key)

Full Context

configure subscriber-mgmt auto-sub-id-key

Description

Commands in this context configure auto-generated subscriber identification key parameters.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

auto-tx

auto-tx

Syntax

auto-tx

Context

[Tree] (config>router>ldp>targeted-session auto-tx)

Full Context

configure router ldp targeted-session auto-tx

Description

Commands in this context configure an automatic targeted LDP session and send targeted Hello messages towards PQ nodes determined by the rLFA algorithm.

Platforms

All

autoconfigure

autoconfigure

Syntax

autoconfigure

Context

[Tree] (bof autoconfigure)

Full Context

bof autoconfigure

Description

Commands in this context autoconfigure the IP address for the BOF. The IPv4 DHCP client, IPv6 DHCP client, and NDP/RA can be configured on the management interface.

Default

no autoconfigure

Platforms

7450 ESS-7, 7750 SR-1, 7750 SR-7, 7750 SR-1e, 7750 SR-2e, 7750 SR-s

autonegotiate

autonegotiate

Syntax

autonegotiate [limited]

no autonegotiate

Context

[Tree] (config>port>ethernet autonegotiate)

Full Context

configure port ethernet autonegotiate

Description

This command enables speed and duplex autonegotiation on Fast Ethernet ports and enables far-end fault indicator support on Gb ports.

There are three possible settings for autonegotiation:

  • "on" or enabled with full port capabilities advertised

  • "off" or disabled where there are no autonegotiation advertisements

  • "limited" where a single speed/duplex is advertised.

When autonegotiation is enabled on a port, the link attempts to automatically negotiate the link speed and duplex parameters. If autonegotiation is enabled, the configured duplex and speed parameters are ignored.

When autonegotiation is disabled on a port, the port does not attempt to autonegotiate and will only operate at the speed and duplex settings configured for the port. Note that disabling autonegotiation on Gb ports is not allowed as the IEEE 802.3 specification for Gb Ethernet requires autonegotiation be enabled for far end fault indication.

If the autonegotiate limited keyword option is specified the port will auto-negotiate but will only advertise a specific speed and duplex. The speed and duplex advertised are the speed and duplex settings configured for the port. One use for limited mode is for multi-speed Gb ports to force Gb operation while keeping autonegotiation enabled for compliance with IEEE 802.3.

The router requires that autonegotiation be disabled or limited for ports in a Link Aggregation Group to guarantee a specific port speed.

The no form of this command disables autonegotiation on this port.

Default

autonegotiate

Parameters

limited

The Ethernet interface will automatically negotiate link parameters with the far end, but will only advertise the speed and duplex mode specified by the Ethernet config>port>ethernet speed and config>port>ethernet duplex commands.

Platforms

All

autonegotiate

Syntax

[no] autonegotiate

Context

[Tree] (bof autonegotiate)

Full Context

bof autonegotiate

Description

This command enables speed and duplex autonegotiation on the management Ethernet port in the running configuration and the Boot Option File (BOF).

When autonegotiation is enabled, the link attempts to automatically negotiate the link speed and duplex parameters. If autonegotiation is enabled, then the configured duplex and speed parameters are ignored.

The no form of this command disables the autonegotiate feature on this port.

Platforms

All

autonomous

autonomous

Syntax

[no] autonomous

Context

[Tree] (config>service>ies>sub-if>grp-if>ipv6>rtr-adv>pfx-opt autonomous)

[Tree] (config>service>vprn>sub-if>ipv6>rtr-adv>pfx-opt autonomous)

[Tree] (config>service>ies>sub-if>ipv6>rtr-adv>pfx-opt autonomous)

[Tree] (config>service>vprn>sub-if>grp-if>ipv6>rtr-adv>pfx-opt autonomous)

Full Context

configure service ies subscriber-interface group-interface ipv6 router-advertisements prefix-options autonomous

configure service vprn subscriber-interface ipv6 router-advertisements prefix-options autonomous

configure service ies subscriber-interface ipv6 router-advertisements prefix-options autonomous

configure service vprn subscriber-interface group-interface ipv6 router-advertisements prefix-options autonomous

Description

This command enables the option that determines whether or not the prefix can be used for stateless address autoconfiguration.

The no form of this command disables the option.

Default

no autonomous

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

autonomous

Syntax

[no] autonomous

Context

[Tree] (config>service>vprn>router-advert>if>prefix autonomous)

Full Context

configure service vprn router-advertisement interface prefix autonomous

Description

This command specifies whether the prefix can be used for stateless address autoconfiguration.

Default

autonomous

Platforms

All

autonomous

Syntax

[no] autonomous

Context

[Tree] (config>router>router-advert>if>prefix autonomous)

Full Context

configure router router-advertisement interface prefix autonomous

Description

This command specifies whether the prefix can be used for stateless address autoconfiguration.

Default

autonomous

Platforms

All

autonomous-system

autonomous-system

Syntax

autonomous-system as-number

no autonomous-system

Context

[Tree] (config>service>vprn autonomous-system)

Full Context

configure service vprn autonomous-system

Description

This command defines the autonomous system (AS) to be used by this VPN routing/forwarding (VRF).

The no form of this command removes the defined AS from this VPRN context.

Default

no autonomous-system

Parameters

as-number

Specifies the AS number for the VPRN service.

Values

1 to 4294967295

Platforms

All

autonomous-system

Syntax

autonomous-system autonomous-system

no autonomous-system

Context

[Tree] (config>router autonomous-system)

Full Context

configure router autonomous-system

Description

This command configures the autonomous system (AS) number for the router. A router can only belong to one AS. An AS number is a globally unique number with an AS. This number is used to exchange exterior routing information with neighboring ASs and as an identifier of the AS itself.

If the AS number is changed on a router with an active BGP instance, the new AS number is not used until the BGP instance is restarted either by administratively disabling/enabling (shutdown/no shutdown) the BGP instance or rebooting the system with the new configuration.

Default

no autonomous-system

Parameters

autonomous-system

Specifies the autonomous system number expressed as a decimal integer.

Values

1 to 4294967295

Platforms

All

autonomous-system-type

autonomous-system-type

Syntax

autonomous-system-type {origin | peer}

Context

[Tree] (config>cflowd>collector autonomous-system-type)

Full Context

configure cflowd collector autonomous-system-type

Description

This command defines whether the autonomous system (AS) information included in the flow data is based on the originating AS or external peer AS of the routes.

This option is only allowed if the collector is configured as Version 5 or Version 8.

Default

autonomous-system-type origin

Parameters

origin

Specifies that the AS information included in the flow data is based on the originating AS.

peer

Specifies that the AS information included in the flow data is based on the peer AS.

Platforms

All

aux-channel-enable

aux-channel-enable

Syntax

[no] aux-channel-enable

Context

[Tree] (config>open-flow>of-switch aux-channel-enable)

Full Context

configure open-flow of-switch aux-channel-enable

Description

This command enables auxiliary connections for the given H-OFS instance. If enabled, the H-OFS switch sets up a statistics auxiliary channel (Auxiliary ID 1) and a packet-in auxiliary channel (Auxiliary ID 2) for the main connection to every configured OpenFlow controller.

The no form of this command disables auxiliary connections.

Default

no aux-channel-enable

Platforms

VSR

aux-stats

aux-stats

Syntax

[no] aux-stats sr

Context

[Tree] (config>router>mpls aux-stats)

Full Context

configure router mpls aux-stats

Description

This command enables and configures counters for the specified labeled traffic type in an auxiliary MPLS statistics table. The sr keyword indicates to the system to increment packet and octet counters of that table for any type of Segment Routing traffic (SR-OSPF, SR-ISIS, SR-TE, and so on). This command cannot be used in specific system configurations. This command does not impact the overall counting of MPLS packets and octets shown, for example, by the show router mpls interface [ip-int-name | ip-address] statistics command.

The no form of this command disables the counters of the auxiliary MPLS statistics table. The no form of this command cannot be used if dark bandwidth accounting is enabled (config>router>rsvp>dbw-accounting).

Default

aux-stats sr

Parameters

sr

Specifies the type of traffic to count in the auxiliary MPLS statistics table. Refers to any type of Segment Routing traffic (SR-OSPF, SR-ISIS, SR-TE, and so on).

Platforms

7750 SR, 7750 SR-s, 7950 XRS, VSR

availability

availability

Syntax

availability

Context

[Tree] (config>oam-pm>session>ethernet>lmm availability)

Full Context

configure oam-pm session ethernet lmm availability

Description

Commands in this context activate, collect, and record availability statistics for LMM tests. These computations are not enabled by default. In order to modify parameters within a session, including these availability parameters, the LMM test must be shut down.

Platforms

All

avg-flr-event

avg-flr-event

Syntax

avg-flr-event {forward | backward} threshold raise-threshold-percentage [clear clear-threshold-percentage]

no avg-flr-event {forward | backward}

Context

[Tree] (config>oam-pm>session>ethernet>slm>loss-events avg-flr-event)

[Tree] (config>oam-pm>session>ethernet>lmm>loss-events avg-flr-event)

[Tree] (config>oam-pm>session>ip>twamp-light>loss-events avg-flr-event)

Full Context

configure oam-pm session ethernet slm loss-events avg-flr-event

configure oam-pm session ethernet lmm loss-events avg-flr-event

configure oam-pm session ip twamp-light loss-events avg-flr-event

Description

This command sets the frame loss ratio threshold configuration to be applied and checked at the end of the measurement interval for the specified direction. This is a percentage based on average frame loss ratio over the entire measurement interval. If the clear-threshold-percentage value is not specified, the traffic crossing alarm is stateless. Stateless means the state is not carried forward to other measurement intervals. Each measurement interval is analyzed independently and without regard to any previous window. Each unique event can only be raised once within a measurement interval. If the optional clear-threshold-percentage value is specified, the traffic crossing alarm uses stateful behavior. Stateful means each unique previous event state is carried forward to following measurement intervals. If a threshold crossing event is raised, another is not raised until a measurement interval completes and the clear threshold has not been exceeded. A clear event is raised under that condition.

The no form of this command removes the event threshold for frame loss ratio. The direction must be included with the no command.

Default

no avg-flr-event forward

no avg-flr-event backward

Parameters

forward

Specifies the threshold is applied to the forward direction value.

backward

Specifies the threshold is applied to the backward direction value.

raise-threshold-percentage

Specifies the rising percentage that determines when the event is to be generated.

Values

0.001 to 100.000

clear-threshold-percentage

Specifies an optional value used for stateful behavior that allows the operator to configure a percentage of loss value lower than the rising percentage to indicate when the clear event should be generated.

Values

0.000 to 99.999

A value 0.000 means that the FLR must be 0.000.
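The stateless and stateful alarm behavior described for this command, modeled over a series of measurement intervals. This is an added example, not Nokia code: the class and function names are hypothetical, and it assumes a raise event fires when the interval's average FLR is at or above the raise threshold and a clear event fires when it is at or below the clear threshold. The per-interval FLR values are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AvgFlrEvent:
    """Hypothetical model of one avg-flr-event configuration (one direction)."""
    raise_pct: float                   # raise-threshold-percentage
    clear_pct: Optional[float] = None  # clear-threshold-percentage; None = stateless

    def __post_init__(self) -> None:
        # Ranges as documented for the two parameters.
        if not 0.001 <= self.raise_pct <= 100.000:
            raise ValueError("raise threshold must be 0.001 to 100.000")
        if self.clear_pct is not None:
            if not 0.000 <= self.clear_pct <= 99.999:
                raise ValueError("clear threshold must be 0.000 to 99.999")
            if self.clear_pct >= self.raise_pct:
                raise ValueError("clear threshold must be lower than raise threshold")


def evaluate(cfg: AvgFlrEvent, interval_flr: List[float]) -> List[Tuple[int, str]]:
    """Return (interval index, "raise" | "clear") events.

    Each list entry is the average FLR (percent) of one completed measurement
    interval; the threshold is checked once, at the end of that interval.
    """
    events: List[Tuple[int, str]] = []
    raised = False  # state carried between intervals (stateful mode only)
    for idx, flr in enumerate(interval_flr):
        crossed = flr >= cfg.raise_pct  # assumption: inclusive comparison
        if cfg.clear_pct is None:
            # Stateless: every interval is judged on its own.
            if crossed:
                events.append((idx, "raise"))
            continue
        if not raised:
            if crossed:
                raised = True
                events.append((idx, "raise"))
        elif flr <= cfg.clear_pct:
            # Clear threshold not exceeded: emit clear and re-arm the alarm.
            raised = False
            events.append((idx, "clear"))
        # Otherwise the alarm stays raised and no duplicate raise is emitted.
    return events


# Constructed sample: average FLR (%) for six consecutive measurement intervals.
SAMPLE_FLR = [0.5, 2.0, 3.0, 1.5, 0.2, 2.5]

if __name__ == "__main__":
    print("stateless:", evaluate(AvgFlrEvent(2.0), SAMPLE_FLR))
    print("stateful: ", evaluate(AvgFlrEvent(2.0, 0.5), SAMPLE_FLR))
```

With a clear threshold of 0.000, the alarm in this model stays raised until an interval completes with no loss at all, matching the parameter note above.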

Platforms

All

  • configure oam-pm session ethernet slm loss-events avg-flr-event
  • configure oam-pm session ethernet lmm loss-events avg-flr-event

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

  • configure oam-pm session ip twamp-light loss-events avg-flr-event

avg-frame-overhead

avg-frame-overhead

Syntax

avg-frame-overhead percent

no avg-frame-overhead

Context

[Tree] (config>qos>sap-egress>queue avg-frame-overhead)

[Tree] (config>qos>network-queue>queue avg-frame-overhead)

Full Context

configure qos sap-egress queue avg-frame-overhead

configure qos network-queue queue avg-frame-overhead

Description

This command configures the average frame overhead, expressed as a percentage, at which the offered load expands on the physical medium (wire) at egress. This is important for accurate "on-the-wire" rate calculations at various levels of H-QoS that do not inherently account for the physical medium characteristics. For example, without considering this overhead, a port scheduler in H-QoS might inaccurately estimate the available bandwidth on the wire, potentially leading to congestion issues and unexpected packet loss.

The rates impacted by the average frame overhead encompass the rates set on port schedulers and aggregate rate limits for subscribers and Vports. This impact is evident in the configured values, which represent on-the-wire (OTW) rates. Queue-configured rates, however, remain unaffected by this adjustment and continue to reflect Layer 2 rates.

This average frame overhead should be configured in networks with physical mediums that have constant sizes of transmission units (packets or cells) or in scenarios where the average packet size is known.

For Ethernet ports, the effect of this command depends on the setting of the avg-frame-overhead-mode command in the advanced QoS configuration policy associated with the queue. If the avg-frame-overhead-mode is set to auto, the packet encapsulation overhead calculation is based on a fixed 20 bytes (7 bytes for preamble, 1 byte for start of frame delimiter, and 12 bytes for Inter-Frame Gap (IFG)) that the Ethernet medium adds to every packet during transmission. In other words, the configured rates for port-scheduler and aggregate rate limits for subscribers and Vports represent OTW rates.

The average frame overhead only affects rate and weight calculations and does not impact collected statistics for accounting purposes.

The no form of this command disables the average frame overhead.

Default

no avg-frame-overhead

Parameters

percent

Specifies the average amount of packet-to-frame encapsulation overhead expected for the queue. This value is not used by the system for egress Ethernet queues. This parameter only applies to the 7450 ESS and 7750 SR.

Values

0.00 to 100.00

Platforms

All

avg-frame-overhead

Syntax

avg-frame-overhead percent

no avg-frame-overhead

Context

[Tree] (config>service>cpipe>sap>egress>queue-override>queue avg-frame-overhead)

[Tree] (config>service>vprn>if>sap>egress>queue-override>queue avg-frame-overhead)

[Tree] (config>service>ies>if>sap>egress>queue-override>queue avg-frame-overhead)

[Tree] (config>service>epipe>sap>egress>queue-override>queue avg-frame-overhead)

[Tree] (config>service>vpls>sap>egress>queue-override>queue avg-frame-overhead)

[Tree] (config>subscr-mgmt>sla-prof>egress>qos>queue avg-frame-overhead)

[Tree] (config>service>ipipe>sap>egress>queue-override>queue avg-frame-overhead)

Full Context

configure service cpipe sap egress queue-override queue avg-frame-overhead

configure service vprn interface sap egress queue-override queue avg-frame-overhead

configure service ies interface sap egress queue-override queue avg-frame-overhead

configure service epipe sap egress queue-override queue avg-frame-overhead

configure service vpls sap egress queue-override queue avg-frame-overhead

configure subscriber-mgmt sla-profile egress qos queue avg-frame-overhead

configure service ipipe sap egress queue-override queue avg-frame-overhead

Description

This command configures overrides that supersede the average frame overhead configuration under the queue.

For a full description of this command, see the command description under the following contexts:

configure qos network-queue queue avg-frame-overhead

configure qos sap-egress queue avg-frame-overhead

The no form of this command disables overrides for the queue.

Default

no avg-frame-overhead

Parameters

percent

Specifies the average amount of packet-to-frame encapsulation overhead expected for the queue. This value is not used by the system for egress Ethernet queues.

Values

0.00 to 100.00, default

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

  • configure service cpipe sap egress queue-override queue avg-frame-overhead

All

  • configure service ies interface sap egress queue-override queue avg-frame-overhead
  • configure service ipipe sap egress queue-override queue avg-frame-overhead
  • configure service vprn interface sap egress queue-override queue avg-frame-overhead
  • configure service vpls sap egress queue-override queue avg-frame-overhead
  • configure service epipe sap egress queue-override queue avg-frame-overhead

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

  • configure subscriber-mgmt sla-profile egress qos queue avg-frame-overhead

avg-frame-overhead-mode

avg-frame-overhead-mode

Syntax

avg-frame-overhead-mode {auto | from-queue}

no avg-frame-overhead-mode

Context

[Tree] (config>qos>adv-config-policy>child-control>offered-measurement avg-frame-overhead-mode)

Full Context

configure qos adv-config-policy child-control offered-measurement avg-frame-overhead-mode

Description

This command configures the average frame overhead mode; that is, whether the average frame overhead is calculated automatically or configured manually. The average frame overhead, which represents the additional bytes associated with the physical medium (wire), facilitates more precise rate calculations based on the actual characteristics of the medium.

This command applies only to Ethernet ports. On Ethernet, the wire overhead typically amounts to 20 bytes: 7 bytes for the preamble, 1 byte for the Start of Frame Delimiter (SFD), and 12 bytes for the Inter-Packet Gap (IPG).

When used in conjunction with the avg-frame-overhead command that is configured directly under a queue, this command allows you to enable, disable, or customize average frame overhead. To activate this command, you must apply the associated advanced configuration policy to a specific queue.

The no form of this command removes the configuration.

Default

avg-frame-overhead-mode auto

Parameters

auto

Keyword used to specify that the average frame overhead is automatically calculated and 20 bytes are added to each packet in the queue. This setting impacts rate calculations on port schedulers (whether on a port or within a Vport) and aggregate rate limits for subscribers and Vports where rate calculations are based on wire rates.

from-queue

Keyword used to specify that the average frame overhead is manually configured at the queue level using the avg-frame-overhead command, where the overhead value is specified as a percentage of an average frame size. With the default value for the avg-frame-overhead command (overhead is 0), the rate calculations throughout the H-QoS hierarchy are based on Layer 2 packets (Layer 2 rates).

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

avp-hiding

avp-hiding

Syntax

avp-hiding {sensitive | always}

no avp-hiding

Context

[Tree] (config>service>vprn>l2tp avp-hiding)

[Tree] (config>router>l2tp avp-hiding)

Full Context

configure service vprn l2tp avp-hiding

configure router l2tp avp-hiding

Description

This command configures Attribute Value Pair (AVP) hiding. This capability can be used to avoid the passing of sensitive data, such as user passwords, as cleartext in an AVP.

The no form of this command reverts to the default value.

Default

no avp-hiding

Parameters

sensitive

AVP hiding is used only for sensitive information (such as username/password).

always

AVP hiding is always used.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

avp-hiding

Syntax

avp-hiding {sensitive | always}

no avp-hiding

Context

[Tree] (config>service>vprn>l2tp>group avp-hiding)

Full Context

configure service vprn l2tp group avp-hiding

Description

This command configures Attribute Value Pair (AVP) hiding. This capability can be used to avoid the passing of sensitive data, such as user passwords, as cleartext in an AVP.

The no form of this command returns the value to never allow AVP hiding.

Default

no avp-hiding

Parameters

avp-hiding

Specifies the method to be used for the authentication of the tunnels in this L2TP group.

Values

sensitive — AVP hiding is used only for sensitive information (such as username/password).

always — AVP hiding is always used.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR

avp-hiding

Syntax

avp-hiding {never | sensitive | always}

no avp-hiding

Context

[Tree] (config>service>vprn>l2tp>group>tunnel avp-hiding)

Full Context

configure service vprn l2tp group tunnel avp-hiding

Description

This command configures Attribute Value Pair (AVP) hiding. This capability can be used to avoid the passing of sensitive data, such as user passwords, as cleartext in an AVP.

CAUTION:

Nokia recommends that sensitive information not be sent in cleartext.

The no form of this command removes the parameter from the configuration and indicates that the value configured at the group level is used.

Default

no avp-hiding

Parameters

avp-hiding

Specifies the method to be used for the authentication of the tunnel.

Values

never — AVP hiding is not used.

sensitive — AVP hiding is used only for sensitive information (such as username/password).

always — AVP hiding is always used.

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, VSR
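The avp-hiding entries above do not describe how a value is hidden. The following added example (not Nokia code and not part of the original reference) implements L2TP AVP hiding as defined in RFC 2661, section 4.3, which is assumed here to be the mechanism this command enables; the function names and all sample values are constructed for illustration.

```python
import hashlib
import os
import struct

PROXY_AUTHEN_RESPONSE = 33  # AVP attribute type from RFC 2661

def _xor_stream(attr_type, secret, random_vector, data, decrypt):
    """XOR data in 16-octet segments with the chained MD5 blocks of RFC 2661 4.3."""
    out = bytearray()
    # First block: MD5(2-octet attribute type + shared secret + random vector).
    block = hashlib.md5(struct.pack("!H", attr_type) + secret + random_vector).digest()
    for i in range(0, len(data), 16):
        seg = data[i:i + 16]
        xored = bytes(a ^ b for a, b in zip(seg, block))
        out += xored
        # Next block: MD5(shared secret + previous *hidden* segment).
        block = hashlib.md5(secret + (seg if decrypt else xored)).digest()
    return bytes(out)

def hide_avp(attr_type, secret, random_vector, value, pad_len=0):
    """Build the Hidden AVP Subformat and return the hidden Attribute Value."""
    # Subformat: 2-octet original length, original value, optional random padding.
    subformat = struct.pack("!H", len(value)) + value + os.urandom(pad_len)
    return _xor_stream(attr_type, secret, random_vector, subformat, decrypt=False)

def unhide_avp(attr_type, secret, random_vector, hidden):
    """Recover the original value; reject a length that cannot fit the AVP."""
    subformat = _xor_stream(attr_type, secret, random_vector, hidden, decrypt=True)
    if len(subformat) < 2:
        raise ValueError("hidden AVP shorter than its length field")
    (orig_len,) = struct.unpack("!H", subformat[:2])
    if orig_len > len(subformat) - 2:
        raise ValueError("length field exceeds AVP: wrong secret or corrupted AVP")
    return subformat[2:2 + orig_len]

if __name__ == "__main__":
    # Constructed sample values, not taken from any real tunnel.
    secret = b"constructed-tunnel-secret"
    rv = os.urandom(16)  # carried in the Random Vector AVP
    value = b"constructed-chap-response"
    hidden = hide_avp(PROXY_AUTHEN_RESPONSE, secret, rv, value, pad_len=5)
    print(hidden.hex())
    print(unhide_avp(PROXY_AUTHEN_RESPONSE, secret, rv, hidden))
```

The hidden value depends on the tunnel shared secret and on MD5, so both tunnel endpoints must hold the same secret for an AVP to be recovered. The scheme obscures individual AVP values on the control channel only and does not encrypt the tunnel.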