Alcatel-Lucent 7450 ESS Series Configuration Manual

OS configuration guide

7450 ESS OS
Router Configuration Guide
Software Version: 7450 ESS OS 11.0 R5
October 2013
Document Part Number: 93-0103-10-05

Summary of Contents for Alcatel-Lucent 7450 ESS Series

  • Page 1 7450 ESS OS Router Configuration Guide Software Version: 7450 ESS OS 11.0 R5 October 2013 Document Part Number: 93-0103-10-05 *93-0103-10-05*...
  • Page 2 Except as specifically permitted herein, no portion of the provided information can be reproduced in any form, or by any means, without prior written permission from Alcatel-Lucent. Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners.
  • Page 3: Table Of Contents

    Getting Started: Alcatel-Lucent 7450 ESS-Series Router Configuration Process, page 17. IP Router Configuration: Configuring IP Router Parameters ...
  • Page 4 Table of Contents: Configuring IPv6 Parameters, page 67. Router Advertisement ...
  • Page 5 Table of Contents: VRRP Virtual Router Policy Constraints, page 282. VRRP Virtual Router Instance Base Priority ...
  • Page 6 Table of Contents: Monitor Commands, page 366. Clear Commands ...
  • Page 7 Table of Contents: Modifying a Filter Policy, page 424. Deleting a Filter Policy ...
  • Page 8 Table of Contents: Dependencies, page 549. Cflowd Configuration Management Tasks ...
  • Page 9 List of Tables: Getting Started: Table 1: Configuration Process, page 17. IP Router Configuration: Table 2: QPPB Interactions with SAP Ingress QoS ...
  • Page 11 List of Figures: IP Router Configuration: Figure 1: Use of QPPB to Differentiate Traffic in an ISP Network, page 27. Figure 2: Confederation Configuration ...
  • Page 13: Preface

    Preface About This Guide This guide describes logical IP routing interfaces, virtual routers, IP and MAC-based filtering, and cflowd support and presents configuration and implementation examples. This document is organized into functional chapters and provides concepts and descriptions of the implementation flow, as well as Command Line Interface (CLI) syntax and command usage.
  • Page 14: List Of Technical Publications

    Preface List of Technical Publications The documentation set is composed of the following books: • 7450 ESS OS Basic System Configuration Guide This guide describes basic system configurations and operations. • 7450 ESS OS System Management Guide This guide describes system security and access configurations as well as event logging and accounting logs.
  • Page 15: Technical Support

    If you purchased a service agreement for your router and related products from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance. If you purchased an Alcatel-Lucent service agreement, contact your welcome center at: Web: http://www.alcatel-lucent.com/wps/portal/support...
  • Page 17: Getting Started

    In This Chapter This chapter provides process flow information to configure routing entities, virtual routers, IP and MAC filters. Alcatel-Lucent 7450 ESS-Series Router Configuration Process Table 1 lists the tasks necessary to configure logical IP routing interfaces, virtual routers, IP and MAC-based filtering, and Cflowd.
  • Page 19: Ip Router Configuration

    IP Router Configuration In This Chapter This chapter provides information about commands required to configure basic router parameters. Topics in this chapter include: • Configuring IP Router Parameters on page 20 - Interfaces on page 20 - Autonomous Systems (AS) on page 37 - ...
  • Page 20: Configuring Ip Router Parameters

    Configuring IP Router Parameters Configuring IP Router Parameters In order to provision services on an Alcatel-Lucent router, logical IP routing interfaces must be configured to associate attributes such as an IP address, port or the system with the IP interface.
  • Page 21: Network Domains

    IP Router Configuration Network Domains In order to determine which network ports (and hence which network complexes) are eligible to transport traffic of individual SDPs, network-domain is introduced. This information is then used for the sap-ingress queue allocation algorithm applied to VPLS SAPs. This algorithm is optimized in such a way that no sap-ingress queues are allocated if the given port does not belong to the network-domain used in the given VPLS.
  • Page 22: System Interface

    Configuring IP Router Parameters System Interface The system interface is associated with the network entity (such as a specific router or switch), not a specific interface. The system interface is also referred to as the loopback address. The system interface is associated during the configuration of the following entities: •...
  • Page 23: Unicast Reverse Path Forwarding Check (Urpf)

    IP Router Configuration Unicast Reverse Path Forwarding Check (uRPF) This section applies to the 7750-SR, 7710-SR, 7950-SR and the 7450-ESS. uRPF helps to mitigate problems that are caused by the introduction of malformed or forged (spoofed) IP source addresses into a network by discarding IP packets that lack a verifiable IP source address.
  • Page 24: Creating An Ip Address Range

    Configuring IP Router Parameters Creating an IP Address Range An IP address range can be reserved for exclusive use for services by defining the config>router>service-prefix command. When the service is configured, the IP address must be in the range specified as a service prefix. If no service prefix command is configured, then no limitation exists.
  • Page 25: Qos Policy Propagation Using Bgp (Qppb)

    IP Router Configuration QoS Policy Propagation Using BGP (QPPB) This section discusses QPPB as it applies to VPRN, IES, and router interfaces. Refer to the Internet Enhanced Service section in the Services Guide and the IP Router Configuration section in the 7x50 SR OS Router Configuration Guide. QoS policy propagation using BGP (QPPB) is a feature that allows a route to be installed in the routing table with a forwarding-class and priority so that packets matching the route can receive the associated QoS.
  • Page 26 Configuring IP Router Parameters achieved by advertising the source prefix with a BGP community, as discussed above. However, in this case other approaches are equally valid, such as marking the DSCP or other CoS fields based on source IP address so that downstream domains can take action based on a common understanding of the QoS treatment implied by different DSCP values.
  • Page 27: Ip Router Configuration

    IP Router Configuration [Figure 1: Use of QPPB to Differentiate Traffic in an ISP Network. Panel text: Route Policy: Accept all routes with AS_PATH ending with ASN 300 and set fc to high-1. QoS Policy: Lookup the source IP address of all packets arriving on this interface to ... / Lookup the destination IP address of all packets arriving on this...]
  • Page 28: Qppb

    Configuring IP Router Parameters QPPB There are two main aspects of the QPPB feature: • The ability to associate a forwarding-class and priority with certain routes in the routing table. • The ability to classify an IP packet arriving on a particular IP interface to the forwarding-class and priority associated with the route that best matches the packet.
  • Page 29 IP Router Configuration • BGP import policies: - config>router>bgp>import - config>router>bgp>group>import - config>router>bgp>group>neighbor>import - config>service>vprn>bgp>import - config>service>vprn>bgp>group>import - config>service>vprn>bgp>group>neighbor>import • RIP import policies: - config>router>rip>import - config>router>rip>group>import - config>router>rip>group>neighbor>import - config>service>vprn>rip>import - config>service>vprn>rip>group>import - config>service>vprn>rip>group>neighbor>import As evident from above, QPPB route policies support routes learned from RIP and BGP neighbors of a VPRN as well as for routes learned from RIP and BGP neighbors of the base/global routing instance.
  • Page 30 Configuring IP Router Parameters Priority is optional when specifying the forwarding class of a static route, but once configured it can only be deleted and returned to unspecified by deleting the entire static route. Displaying QoS Information Associated with Routes The following commands are enhanced to show the forwarding-class and priority associated with the displayed routes: •...
  • Page 31 IP Router Configuration Enabling QPPB on an IP interface To enable QoS classification of ingress IP packets on an interface based on the QoS information associated with the routes that best match the packets the qos-route-lookup command is necessary in the configuration of the IP interface. The qos-route-lookup command has parameters to indicate whether the QoS result is based on lookup of the source or destination IP address in every packet.
  • Page 32 Configuring IP Router Parameters QPPB When Next-Hops are Resolved by QPPB Routes In some circumstances (IP VPN inter-AS model C, Carrier Supporting Carrier, indirect static routes, etc.) an IPv4 or IPv6 packet may arrive on a QPPB-enabled interface and match a route A1 whose next-hop N1 is resolved by a route A2 with next-hop N2 and perhaps N2 is resolved by a route A3 with next-hop N3, etc.
  • Page 33: Qppb And Grt Lookup

    IP Router Configuration QPPB and GRT Lookup Source-address based QPPB is not supported on any SAP or spoke SDP interface of a VPRN configured with the grt-lookup command. QPPB Interaction with SAP Ingress QoS Policy When QPPB is enabled on a SAP IP interface the forwarding class of a packet may change from fc1, the original fc determined by the SAP ingress QoS policy to fc2, the new fc determined by QPPB.
  • Page 34: Table 2: Qppb Interactions With Sap Ingress Qos

    Configuring IP Router Parameters Table 2: QPPB Interactions with SAP Ingress QoS Original FC New FC Profile Priority (drop DE=1 In/out of profile object object preference) override marking mapping mapping Profile mode Profile mode From new From QPPB, unless From new From original FC queue queue...
  • Page 35 IP Router Configuration Table 2: QPPB Interactions with SAP Ingress QoS (Continued) Original FC New FC Profile Priority (drop DE=1 In/out of profile object object preference) override marking mapping mapping Profile mode Priority Ignored If DE=1 override then From new From original FC queue mode queue...
  • Page 36: Router Id

    Configuring IP Router Parameters Router ID The router ID, a 32-bit number, uniquely identifies the router within an autonomous system (AS) (see Autonomous Systems (AS) on page 37). In protocols such as OSPF, routing information is exchanged between areas, groups of networks that share routing information. It can be set to be the same as the loopback address.
  • Page 37: Autonomous Systems (As)

    IP Router Configuration Autonomous Systems (AS) Networks can be grouped into areas. An area is a collection of network segments within an AS that have been administratively assigned to the same group. An area’s topology is concealed from the rest of the AS, which results in a significant reduction in routing traffic. Routing in the AS takes place on two levels, depending on whether the source and destination of a packet reside in the same area (intra-area routing) or different areas (inter-area routing).
  • Page 38: Confederations

    Configuring IP Router Parameters Confederations Configuring confederations is optional and should only be implemented to reduce the IBGP mesh inside an AS. An AS can be logically divided into smaller groupings called sub-confederations and then assigned a confederation ID (similar to an autonomous system number). Each sub-confederation has fully meshed IBGP and connections to other ASs outside of the confederation.
  • Page 39: Figure 2: Confederation Configuration

    IP Router Configuration There are no default confederations. Router confederations must be explicitly created. Figure 2 depicts a confederation configuration example. [Figure 2: Confederation Configuration. Labels: Confederation 2002; Confederation Member 1 and Confederation Member 3; AS 100, AS 200, AS 300, AS 400; routers ALA-A through ALA-G]...
  • Page 40: Proxy Arp

    Static ARP is used when an Alcatel-Lucent router needs to know about a device on an interface that cannot or does not respond to ARP requests. Thus, the configuration can state that if it has a packet with a certain IP address to send it to the corresponding ARP address.
  • Page 41: Dhcp Relay

    IP Router Configuration DHCP Relay Refer to 7450 ESS OS Triple Play Guide for information about DHCP and support provided by the 7450 ESS as well as configuration examples.
  • Page 42: Internet Protocol Versions

    Configuring IP Router Parameters Internet Protocol Versions The TiMOS implements IP routing functionality, providing support for IP version 4 (IPv4) and IP version 6 (IPv6). IP version 6 (RFC 1883, Internet Protocol, Version 6 (IPv6)) is a newer version of the Internet Protocol designed as a successor to IP version 4 (IPv4) (RFC-791, Internet Protocol).
  • Page 43: Table 3: Ipv6 Header Field Descriptions

    IP Router Configuration Table 3: IPv6 Header Field Descriptions Field Description Version 4-bit Internet Protocol version number = 6. Prio. 4-bit priority value. Flow Label 24-bit flow label. Payload Length 16-bit unsigned integer. The length of payload, for example, the rest of the packet following the IPv6 header, in octets.
  • Page 44: Ipv6 Applications

    Configuring IP Router Parameters IPv6 Applications Examples of the IPv6 applications supported by the TiMOS include: • IPv6 Internet exchange peering — Figure 4 shows an IPv6 Internet exchange where multiple ISPs peer over native IPv6. [Figure 4 labels: IPv6 IX, ISP A, ISP B, Peering]...
  • Page 45: Figure 6: Ipv6 Services To Enterprise Customers And Home Users

    IPv6 in an environment where not only IPv4 exists but native IPv6 networks depend on IPv4 for greater IPv6 connectivity. Alcatel-Lucent router supports dynamic IPv6 over IPv4 tunneling. The ipv4 source and destination address are taken from configuration, the source address is the ipv4 system address and the ipv4 destination is the next hop from the configured 6over4 tunnel.
  • Page 46: Dns

    Configuring IP Router Parameters The DNS client is extended to use IPv6 as transport and to handle the IPv6 address in the DNS AAAA resource record from an IPv4 or IPv6 DNS server. An assigned name can be used instead of an IPv6 address since IPv6 addresses are more difficult to remember than IPv4 addresses.
  • Page 47: Ipv6 Provider Edge Router Over Mpls (6Pe)

    IP Router Configuration IPv6 Provider Edge Router over MPLS (6PE) 6PE allows IPv6 domains to communicate with each other over an IPv4 MPLS core network. This architecture requires no backbone infrastructure upgrades and no re-configuration of core routers, because forwarding is purely based on MPLS labels. 6PE is a cost effective solution for IPv6 deployment.
  • Page 48 Configuring IP Router Parameters 6PE Control Plane Support The 6PE MP-BGP routers support: • IPv4/IPv6 dual-stack • MP-BGP can be used between 6PE routers to exchange IPv6 reachability information.  The 6PE routers exchange IPv6 prefixes over MP-BGP sessions running over IPv4 transport.
  • Page 49: Bi-Directional Forwarding Detection

    IP Router Configuration Bi-directional Forwarding Detection Bi-directional Forwarding Detection (BFD) is a light-weight, low-overhead, short-duration detection of failures in the path between two systems. If a system stops receiving BFD messages for a long enough period (based on configuration) it is assumed that a failure along the path has occurred and the associated protocol or service is notified of the failure.
  • Page 50: Control Packet Format

    Configuring IP Router Parameters Control Packet Format The BFD control packet has 2 sections, a mandatory section and an optional authentication section. 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Vers | Diag...
  • Page 51 IP Router Configuration Table 4: BFD Control Packet Field Descriptions (Continued) Field Description (Continued) Length Length of the BFD control packet, in bytes. My Discriminator A unique, nonzero discriminator value generated by the transmitting system, used to demultiplex multiple BFD sessions between the same pair of systems. Your Discriminator The discriminator received from the corresponding remote system.
  • Page 52: Bfd For Rsvp-Te

    Configuring IP Router Parameters BFD for RSVP-TE BFD will notify RSVP-TE if the BFD session goes down, in addition to notifying other configured BFD enabled protocols (for example, OSPF, IS-IS and PIM). This notification will then be used by RSVP-TE to begin the reconvergence process. This greatly accelerates the overall RSVP-TE response to network failures.
  • Page 53: Echo Support

    IP Router Configuration Echo Support Echo support for BFD calls for the support of the echo function within BFD. By supporting BFD echo, the router loops back received BFD echo messages to the original sender based on the destination IP address in the packet. The echo function is useful when the local router does not have sufficient CPU power to handle a periodic polling rate at a high frequency.
  • Page 54: Bfd Support For Bgp

    Configuring IP Router Parameters BFD Support for BGP This feature enhancement allows BGP peers to be associated with the BFD session. If the BFD session failed, then BGP peering will also be torn down. Centralized BFD The following applications of centralized BFD require BFD to run on the SF/CPM. •...
  • Page 55: Figure 10: Bfd For Ies/Vprn Over Spoke Sdp

    IP Router Configuration [Figure 10: BFD for IES/VPRN over Spoke SDP. Labels: Metro POP 1 to POP 4, IES/VPRN, Headend Router, Spoke, Primary Path, Secondary Path. Note: In this case BFD is run between the IES/VPRN interfaces independent of the SDP/LSP paths]...
  • Page 56: Figure 11: Bfd Over Lag

    Configuring IP Router Parameters BFD Over LAG and VSM Interfaces A second application for a central BFD implementation is so BFD can be supported over LAG or VSM interface. This is useful where BFD is not used for link failure detection but instead for node failure detection.
  • Page 57: Aggregate Next Hop

    IP Router Configuration Aggregate Next Hop This feature adds the ability to configure an indirect next-hop for aggregate routes. The indirect next-hop specifies where packets will be forwarded if they match the aggregate route but not a more-specific route in the IP forwarding table.
  • Page 58: Process Overview

    Process Overview Process Overview The following items are components to configure basic router parameters. • Interface — A logical IP routing interface. Once created, attributes like an IP address, port, link aggregation group or the system can be associated with the IP interface. •...
  • Page 59: Configuration Notes

    IP Router Configuration Configuration Notes The following information describes router configuration caveats. • A system interface and associated IP address should be specified. • Boot options file (BOF) parameters must be configured prior to configuring router parameters. • Confederations can be configured before protocol connections (such as BGP) and peering parameters are configured.
  • Page 61: Configuring An Ip Router With Cli

    IP Router Configuration Configuring an IP Router with CLI This section provides information to configure an IP router. Topics in this section include: • Router Configuration Overview on page 62 • Basic Configuration on page 63 • Common Configuration Tasks on page 64 ...
  • Page 62: Router Configuration Overview

    Router Configuration Overview In an Alcatel-Lucent router, an interface is a logical named entity. An interface is created by specifying an interface name under the configure>router context. This is the global router configuration context where objects like static routes are defined. An IP interface name can be up to 32 alphanumeric characters long, must start with a letter, and is case-sensitive;...
  • Page 63: Basic Configuration

    IP Router Configuration Basic Configuration NOTE: Refer to each specific chapter for specific routing protocol information and command syntax to configure protocols such as OSPF and BGP. The most basic router configuration must have the following: • System name • System address The following example displays a router configuration: A:ALA-A>...
  • Page 64: Common Configuration Tasks

    Common Configuration Tasks Common Configuration Tasks The following sections describe basic system tasks. • Configuring a System Name on page 64 • Configuring Interfaces on page 65  Configuring a System Interface on page 65  Configuring a Network Interface on page 65 •...
  • Page 65: Configuring Interfaces

    IP Router Configuration Configuring Interfaces The following command sequences create a system and a logical IP interface. The system interface assigns an IP address to the interface, and then associates the IP interface with a physical port. The logical interface can associate attributes like an IP address or port. Note that the system interface cannot be deleted.
  • Page 66 Common Configuration Tasks The following displays an IP configuration output showing interface information. A:ALA-A>config>router# info #------------------------------------------ # IP Configuration #------------------------------------------ interface "system" address 10.10.0.4/32 exit interface "to-ALA-2" address 10.10.24.4/24 port 1/1/1 egress filter ip 10 exit exit #------------------------------------------ A:ALA-A>config>router# To enable CPU protection: CLI Syntax: config>router interface interface-name cpu-protection policy-id...
  • Page 67: Configuring Ipv6 Parameters

    IP Router Configuration Configuring IPv6 Parameters IPv6 interfaces and associated routing protocols may only be configured on the following systems: • Chassis systems running in chassis mode c or d. • Chassis systems running in mixed-mode, with IPv6 functionality limited to those interfaces on slots with IOM3-XPs/IMMs or later line cards.
  • Page 68: Router Advertisement

    Common Configuration Tasks Router Advertisement To configure the router to originate router advertisement messages on an interface, the interface must be configured under the router-advertisement context and be enabled (no shutdown). All other router advertisement configuration parameters are optional. Use the following CLI syntax to enable router advertisement and configure router advertisement parameters: CLI Syntax: config>router# router-advertisement interface ip-int-name...
  • Page 69: Configuring Proxy Arp

    IP Router Configuration Configuring Proxy ARP To configure proxy ARP, you can configure: • A prefix list in the config>router>policy-options>prefix-list context. • A route policy statement in the config>router>policy-options>policy-statement context and apply the specified prefix list.  In the policy statement entry>to context, specify the host source address(es) for which ARP requests can or cannot be forwarded to non-local networks, depending on the specified action.
  • Page 70 Common Configuration Tasks Use the following CLI syntax to configure the policy statement specified in the proxy-arp-policy policy-statement command. CLI Syntax: config>router# policy-options begin commit policy-statement name default-action {accept | next-entry | next-policy | reject} entry entry-id action {accept | next-entry | next-policy | reject} prefix-list name [name...(upto 5 max)] from prefix-list name [name...(upto 5 max)]...
  • Page 71 IP Router Configuration The following displays a proxy ARP configuration example: A:ALA-49>config>router>if# info ---------------------------------------------- address 128.251.10.59/24 local-proxy-arp proxy-arp policy-statement "ProxyARPpolicy" exit ---------------------------------------------- A:ALA-49>config>router>if#
  • Page 72: Creating An Ip Address Range

    Common Configuration Tasks Creating an IP Address Range An IP address range can be reserved for exclusive use for services by defining the config>router>service-prefix command. When the service is configured, the IP address must be in the range specified as a service prefix. If no service prefix command is configured, then no limitation exists.
  • Page 73 IP Router Configuration Assume the egress LER advertised a FEC for some /24 prefix using the fec-originate command. At the ingress LER, LDP resolves the FEC by checking in RTM that an exact match exists for this prefix. Once LDP activated the FEC, it programs the NHLFE in the egress data path and the LDP tunnel information in the ingress data path tunnel table.
  • Page 74 Common Configuration Tasks When the preferred RTM entry corresponds to an LDP shortcut route, spraying will be performed across the multiple next-hops for the LDP FEC. The FEC next-hops can either be direct link LDP neighbors or T-LDP neighbors reachable over RSVP LSPs in the case of LDP-over-RSVP but not both.
  • Page 75 IP Router Configuration Interaction with LDP Shortcut for Static Route Resolution There is no interaction between LDP shortcut for static route resolution and the LDP shortcut for IGP route resolution. A static route will continue to be resolved by searching an LDP LSP which FEC prefix matches the specified indirect next-hop for the route.
  • Page 76: Deriving The Router Id

    Common Configuration Tasks Deriving the Router ID The router ID defaults to the address specified in the system interface command. If the system interface is not configured with an IP address, then the router ID inherits the last four bytes of the MAC address.
  • Page 77: Configuring A Confederation

    IP Router Configuration Configuring a Confederation Configuring a confederation is optional. The AS and confederation topology design should be carefully planned. Autonomous system (AS), confederation, and BGP connection and peering parameters must be explicitly created on each participating router. Identify AS numbers, confederation numbers, and members participating in the confederation.
  • Page 78: Configuring An Autonomous System

    Common Configuration Tasks Configuring an Autonomous System Configuring an autonomous system is optional. Use the following CLI syntax to configure an autonomous system: CLI Syntax: config>router autonomous-system as-number The following displays an autonomous system configuration example: A;ALA-A>config>router# info #------------------------------------------ # IP Configuration #------------------------------------------ interface "system"...
  • Page 79: Configuring Overload State On A Single Sfm

    IP Router Configuration Configuring Overload State on a Single SFM A 7x50 system with a single SFM installed has a system multicast throughput that is only a half of a 7x50 system with dual SFMs installed. For example, in a mixed environment in which IOM1s, IOM2s, and IOM3s are installed in the same system (chassis mode B or C), system multicast throughput doubles when redundant SFMs are used instead of a single SFM.
  • Page 80: Service Management Tasks

    Service Management Tasks Service Management Tasks This section discusses the following service management tasks: • Changing the System Name on page 80 • Modifying Interface Parameters on page 81 • Deleting a Logical IP Interface on page 82 Changing the System Name em command sets the name of the device and is used in the prompt string.
  • Page 81: Modifying Interface Parameters

    IP Router Configuration Modifying Interface Parameters Starting at the config>router level, navigate down to the router interface context. To modify an IP address, perform the following steps: Example A:ALA-A>config>router# interface "to-sr1" A:ALA-A>config>router>if# shutdown A:ALA-A>config>router>if# no address A:ALA-A>config>router>if# address 10.0.0.25/24 A:ALA-A>config>router>if# no shutdown To modify a port, perform the following steps: Example A:ALA-A>config>router# interface "to-sr1"...
  • Page 82: Deleting A Logical Ip Interface

    Service Management Tasks Deleting a Logical IP Interface The no form of the interface command typically removes the entry, but all entity associations must be shut down and/or deleted before an interface can be deleted. 1. Before an IP interface can be deleted, it must first be administratively disabled with the command.
  • Page 83: Ip Router Command Reference

    IP Router Configuration IP Router Command Reference Command Hierarchies Configuration Commands • Router Commands on page 84 • Router L2TP Commands on page 86 • Router Interface Commands on page 89 • Router Interface IPv6 Commands on page 91 • Router Advertisement Commands on page 92 •...
  • Page 84 IP Router Command Reference Router Commands config [router-name] — router ip-prefix/ip-prefix-length [summary-only] [as-set] [aggregator as-number: ip- — aggregate address] [community comm-id] [black-hole | indirect ip-address] — no aggregate ip-prefix/mask — ipv4-prefix a.b.c.d autonomous-system autonomous-system — no ipv4-prefix a.b.c.d autonomous-system confed-as-num members as-number [as-number...(up to 15 max)] —...
  • Page 85 IP Router Configuration Router BFD commands config — router — bfd name [create] — bfd-template — bfd-template name — transmit-interval transmit-interval — no transmit-interval — receive-interval receive-interval — no receive-interval — cv-tx transmit-interval — no cv-tx — echo-receive echo-interval — no echo-receive —...
  • Page 86 IP Router Command Reference Router L2TP Commands config [router-name] — router — l2tp — calling-number-format ascii-spec — no calling-number-format {always} — challenge — no challenge — destruct-timeout destruct-timeout — no destruct-timeout — exclude-avps calling-number — no exclude-avps tunnel-group-name [create] — group —...
  • Page 87 IP Router Configuration — session-assign-method weighted — no session-assign-method — session-limit session-limit — no session-limit tunnel-name [create] — tunnel — no tunnel tunnel-name — [no] auto-establish {never | sensitive | always} — avp-hiding — no avp-hiding — challenge challenge-mode — no challenge —...
  • Page 88 IP Router Command Reference configure — router — l2tp — tunnel-selection-blacklist — add-tunnel never on reason>[reason...(upto 8 max)] — add-tunnel — no add-tunnel — add-tunnel — max-list-length count — no max-list-length — max-time minutes — no max-time — timeout-action action —...
  • Page 89 IP Router Configuration Router Interface Commands config — router [router-name] — [no] ip-int-name [unnumbered-mpls-tp] interface {ip-address/mask | ip-address netmask} [broadcast {all-ones | host- — address ones}] — no address — [no] allow-directed-broadcasts — arp-timeout seconds — no arp-timeout transmit-interval [receive receive-interval] [multiplier multiplier] [echo- —...
  • Page 90 IP Router Command Reference — network-domain network-domain-name — no network-domain — [no] ntp-broadcast — port port-name — no port — [no] proxy-arp-policy — [no] ptp-hw-assist [source | destination] — qos-route-lookup — no qos-route-lookup network-policy-id [egress-port-redirect-group queue-group-name] [egress- — instance instance-id]] [ingress-fp- redirect-group queue-group-name ingress- instance instance-id] —...
  • Page 91 IP Router Configuration Router Interface IPv6 Commands config — router [router-name] — [no] interface ip-int-name — [no] ipv6 ipv6-address/prefix-length [eui-64] — address — no address ipv6-address/prefix-length transmit-interval [receive receive-interval] [multiplier multiplier] — [echo-receive echo-interval [type cpm-np] — no — icmp6 [number seconds] —...
  • Page 92 IP Router Command Reference Router Advertisement Commands config — router — [no] router-advertisement — [no] interface ip-int-name — current-hop-limit number — no current-hop-limit — [no] managed-configuration — max-advertisement-interval seconds — no max-advertisement-interval — min-advertisement-interval seconds — no min-advertisement-interval — mtu-bytes —...
  • Page 93 IP Router Configuration Show Commands show — router router-instance — router service-name service-name [family] [active] — aggregate [ ip-int-name | ip-address/mask | mac ieee-mac-address | summary] [local | dynamic | — static | managed] — authentication — statistics interface [ip-int-name | ip-address] —...
  • Page 94 IP Router Command Reference [ip-address | ip-int-name | mac ieee-mac-address | summary] — neighbor [detail] [network-domain-name] — network-domains [name | damping | prefix-list name | as-path name | community name | admin] — policy — policy-edits [family] [ip-prefix[/prefix-length] [longer|exact|protocol protocol-name] [all]] —...
  • Page 95 IP Router Configuration Clear Commands clear [router-instance] — router {all | ip-addr | interface {ip-int-name | ip-addr}} — — — session src-ip ip-address dst-ip ip-address — statistics src-ip ip-address dst-ip ip-address — statistics — dhcp [ip-int-name | ip-address] — statistics —...
  • Page 96 IP Router Command Reference Debug Commands debug — trace — destination trace-destination — enable — [no] [module module-name] [type event-type] [class event-class] [task task- trace-point name] [function function-name] — router router-instance — — [no] — icmp — no icmp [ip-int-name] —...
  • Page 97: Configuration Commands

    IP Router Configuration Configuration Commands Generic Commands shutdown [no] shutdown Syntax config>router>interface Context The shutdown command administratively disables the entity. When disabled, an entity does not Description change, reset, or remove any configuration settings or statistics. Many entities must be explicitly enabled using the no shutdown command.
  • Page 98: Router Global Commands

    Router Global Commands Router Global Commands router Syntax router router-name config Context This command enables the context to configure router parameters, and interfaces, route policies, and Description protocols. router-name — Specify the router-name. Parameters router-name: Base, management Values Base Default aggregate aggregate ip-prefix/ip-prefix-length [summary-only] [as-set] [aggregator as-number: ip- Syntax...
  • Page 99 IP Router Configuration ip-prefix — The destination address of the aggregate route in dotted decimal notation. Parameters ipv4-prefix a.b.c.d (host bits must be 0) Values ipv4-prefix-length 0 — 32 The mask associated with the network address expressed as a mask length. 0 —...
  • Page 100 Router Global Commands No autonomous system number is defined. Default autonomous-system — The autonomous system number expressed as a decimal integer. Parameters 1 — 4294967295 Values confederation confederation confed-as-num members as-number [as-number...up to 15 max] Syntax no confederation [confed-as-num members as-number...up to 15 max] config>router Context This command creates confederation autonomous systems within an AS.
  • Page 101 IP Router Configuration The no form of the command disables ECMP path sharing. If ECMP is disabled and multiple routes are available at the best preference and equal cost, then the route with the lowest next-hop IP address is used. no ecmp Default max-ecmp-routes —...
  • Page 102 Router Global Commands b. Timeout of a BFD session to a next-hop when BFD is enabled on the OSPF/IS-IS interface When the SPF computation determines there is more than one primary next-hop for a prefix, it will not program any LFA next-hop in RTM. Thus, the IP prefix will resolve to the multiple equal-cost primary next-hops that provide the required protection.
  • Page 103 IP Router Configuration static-label Syntax static-label max-lsp-labels number static-svc-labels number no static-label config>router>mpls-labels Context This command enables the range of MPLS static label values reserved for LSPs and for VCs Description (pseudowires) to be configured. For LSPs, these ranges only apply to static MPLS-TP paths configured under config>router>mpls>lsp.
  • Page 104 Router Global Commands This command opens context for defining network-domains. This command is applicable only in the Description base routing context. description [no] description string Syntax config>router>network-domains>network-domain Context This command creates a text description stored in the configuration file for a configuration context. Description The no form of the command removes the description string from the context.
  • Page 105 IP Router Configuration The no form of the command reverts to the default value. The system uses the system interface address (which is also the loopback address). Default If a system interface address is not configured, use the last 32 bits of the chassis MAC address. router-id —...
  • Page 106 Router Global Commands When this option is specified, the addresses configured are exclusively used for services and cannot be assigned to network ports. sgt-qos Syntax sgt-qos config>router Context This command configures DSCP/Dot1p re-marking for self-generated traffic. Description application application dscp-app-name dscp {dscp-value |dscp-name} Syntax application dot1p-app-name dot1p dot1p-priority no application {dscp-app-name|dot1p-app-name}...
  • Page 107 IP Router Configuration config>router>sgt-qos Context This command configures DSCP name to FC mapping. Description dscp-name — Specifies the DSCP name. Parameters be, ef, cp1, cp2, cp3, cp4, cp5, cp6, cp7, cp9, cs1, cs2, cs3, cs4, cs5, nc1, nc2, af11, Values af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cp11, cp13, cp15, cp17, cp19, cp21, cp23, cp25, cp27, cp29, cp31, cp33, cp35, cp37, cp39, cp41, cp42, cp43, cp44, cp45, cp47, cp49, cp50, cp51, cp52, cp53, cp54, cp55, cp57,...
  • Page 108 Router Global Commands receive-interval Syntax receive-interval receive-interval no receive-interval config>router>bfd>bfd-template Context This command specifies the receive timer used for BFD packets. If the template is used for a BFD Description session on an MPLS-TP LSP, then this timer is used for CC packets. no receive-interval Default receive-interval —...
  • Page 109 IP Router Configuration Default multiplier Syntax multiplier multiplier no multiplier config>router>bfd>bfd-template Context This command specifies the detect multiplier used for a BFD session. If a BFD control packet is not Description received for a period of multiplier x receive-interval, then the session is declared down. Default multiplier —...
  • Page 110 Router Global Commands single-sfm-overload single-sfm-overload [holdoff-time holdoff-time] Syntax no single-sfm-overload config>router Context This command, if enabled, will cause the OSPF for the service to enter an overload state when the Description node only has a single SFM functioning. The no form of this command causes the overload state to be cleared. no single-sfm-overload Default holdoff-time —...
  • Page 111 IP Router Configuration No static routes are defined. Default ip-prefix/prefix-length — The destination address of the static route. Parameters ipv4-prefix a.b.c.d (host bits must be 0) Values ipv4-prefix-length 0 — 32 ip-address — The IP address of the IP interface. The ip-addr portion of the address command specifies the IP host address that will be used by the IP interface within the subnet.
  • Page 112 Router Global Commands • If there are multiple static routes with the same preference but different metrics then the lower cost (metric) route will be installed. • If there are multiple static routes with equal preferences and metrics then ECMP rules apply.
  • Page 113: Table 5: Default Route Preferences

    IP Router Configuration the indirect next-hop address will not be used. If not set then the IGP next-hop to the indirect next-hop address can be used as the next-hop of the last resort. tag — Adds a 32-bit integer tag to the static route. The tag is used in route policies to control distribution of the route into other protocols.
  • Page 114 Router Global Commands mcast-family — Enables submission of the IPv4 or IPv6 static route into IPv4 or IPv6 multicast RTM. Values mcast-ipv4, mcast-ipv6 rsvp-te — This parameter allows the static route to be resolved via an RSVP-TE based LSP. The static route nexthop will be resolved via the best RSVP-TE based LSP to the associated indirect next hop.
  • Page 115 IP Router Configuration 172.31.117.1 138.203.0.0/16 Remote Static 05h01m11s 172.31.117.1 172.31.117.0/24 Local Local 05h04m10s management ------------------------------------------------------------------------------- No. of Routes: 3 =============================================================================== *B:Dut-C>config>router# *B:Dut-C>config>router# show router "management" route-table ipv6 =============================================================================== IPv6 Route Table (Router: management) =============================================================================== Dest Prefix Type Proto Pref Next Hop[Interface Name] Metric ------------------------------------------------------------------------------- 1::/96...
  • Page 116 Router Global Commands 3000::AC1F:7567 management ------------------------------------------------------------------------------- No. of Static Routes: 1 =============================================================================== *B:Dut-C>config>router#
  • Page 117: Router L2Tp Commands

    IP Router Configuration Router L2TP Commands l2tp Syntax l2tp config>router Context This command enables the context to configure L2TP parameters. L2TP extends the PPP model by Description allowing Layer 2 and PPP endpoints to reside on different devices interconnected by a packet-switched network.
  • Page 118 Router L2TP Commands next-attempt next-attempt {same-preference-level | next-preference-level} Syntax no next-attempt configure>router>l2tp Context configure>service>vprn>l2tp This command enables tunnel selection algorithm based on the tunnel preference level. Description same-preference-level — In case that the tunnel-spec selection algorithm evaluates into a tunnel that Parameters is currently unavailable (for example tunnel in a blacklist) then the next elected tunnel, if available, will be chosen within the same preference-level as the last attempted tunnel.
  • Page 119 IP Router Configuration tunnel-selection-blacklist Syntax tunnel-selection-blacklist config>router>l2tp Context This command enables the context to configure L2TP Tunnel Selection Blacklist parameters. Description add-tunnel Syntax add-tunnel never add-tunnel on reason [reason...(upto 8 max)] no add-tunnel configure>router>l2tp>tunnel-selection-blacklist Context configure>service>vprn>l2tp>tunnel-selection-blacklist This command will force the tunnel to the blacklist and render it unavailable for new sessions for the Description duration of pre-configured time.
  • Page 120 Router L2TP Commands (5) Protocol version not supported The receipt of the following Result Codes will NEVER blacklist a tunnel: (0) Reserved (3) Control channel already exist (7) Finite state machine error (8) Undefined Transmission of the following Result Codes will NEVER blacklist a tunnel: (1) General request to clear control connection (3) Control channel already exist (6) Requestor is being shutdown...
  • Page 121 IP Router Configuration no max-time configure>router>l2tp>tunnel-selection-blacklist Context configure>service>vprn>l2tp>tunnel-selection-blacklist This command configures the time for which an entity (peer or tunnel) is kept in the blacklist. Description 5 minutes Default minutes — Specifies the maximum time a tunnel or peer may remain in the blacklist Parameters 1..60 Values...
  • Page 122 Router L2TP Commands accept — Specifies that this system accepts any source IP address change of received L2TP control Parameters messages related to a locally originated tunnel in the state waitReply and rejects any peer address change for other tunnels; in case the new peer IP address is accepted, it is learned and used as destination address in subsequent L2TP messages.
  • Page 123 IP Router Configuration session-limit Syntax session-limit session-limit no session-limit config>router>l2tp Context This command configures the L2TP session limit for the router. L2TP is connection-oriented. The Description L2TP Network Server (LNS) and LAC maintain state for each call that is initiated or answered by an LAC.
  • Page 124 Router L2TP Commands no challenge Default always Values destruct-timeout Syntax destruct-timeout destruct-timeout no destruct-timeout config>router>l2tp>group Context config>router>l2tp>group>tunnel This command configures the period of time that the data of a disconnected tunnel will persist before Description being removed. The no form of the command removes the value from the configuration. no destruct-timeout Default destruct-timeout —...
  • Page 125 IP Router Configuration no idle-timeout config>router>l2tp>group Context This command configures the period of time that an established tunnel with no active sessions will Description persist before being disconnected. Enter the no form of the command to maintain a persistent tunnel. The no form of the command removes the idle timeout from the configuration.
  • Page 126 Router L2TP Commands local-address Syntax local-address ip-address no local-address config>router>l2tp>group>tunnel Context This command configures the local address. Description ip-address — Specifies the IP address used during L2TP authentication. Parameters local-name Syntax local-name host-name no local-name config>router>l2tp>group Context config>router>l2tp>group>tunnel This command creates the local host name used by this system for the tunnels in this L2TP group Description during the authentication phase of tunnel establishment.
  • Page 127 IP Router Configuration max-retries-not-estab Syntax max-retries-not-estab max-retries no max-retries-not-estab config>router>l2tp>group Context config>router>l2tp>group>tunnel This command configures the number of retries allowed for this L2TP tunnel while it is not Description established, before its control connection goes down. The no form of the command removes the value from the configuration. no max-retries-not-estab Default max-retries —...
  • Page 128 Router L2TP Commands authentication authentication {chap|pap|pref-chap} Syntax config>router>l2tp>group>ppp Context This command configures the PPP authentication protocol to negotiate. Description authentication-policy Syntax authentication-policy auth-policy-name no authentication-policy config>router>l2tp>group>ppp Context This command configures the authentication policy. Description auth-policy-name — Specifies the authentication policy name. Parameters 32 chars max Values...
  • Page 129 IP Router Configuration This command configures the PPP keepalive interval and multiplier. Description seconds — Specifies in seconds the interval. Parameters 10 — 300 Values multiplier — Specifies the multiplier. 1 — 5 Values Syntax mtu mtu-bytes no mtu config>router>l2tp>group>ppp Context This command configures the maximum PPP MTU size.
  • Page 130 Router L2TP Commands local-user-db-name — Specifies the local user database name. Parameters 32 chars max Values session-assign-method Syntax session-assign-method weighted no session-assign-method config>router>l2tp>group Context This command specifies how new sessions are assigned to one of the set of suitable tunnels that are Description available or could be made available.
  • Page 131 IP Router Configuration Router L2TP Tunnel Commands tunnel tunnel tunnel-name [create] Syntax no tunnel tunnel-name config>router>l2tp>group Context This command configures an L2TP tunnel. A tunnel exists between a LAC-LNS pair and consists of a Description Control Connection and zero or more L2TP sessions. The tunnel carries encapsulated PPP datagrams and control messages between the LAC and the L2TP Network Server (LNS).
  • Page 132 Router L2TP Commands challenge Syntax challenge challenge-mode no challenge config>router>l2tp>group>tunnel Context This command configures the use of challenge-response authentication. Description The no form of the command removes the parameter from the configuration and indicates that the value on group level will be taken. no challenge Default challenge-mode —...
  • Page 133 IP Router Configuration idle-timeout — Specifies the idle timeout, in seconds. Parameters 0 — 3600 Values infinite — Specifies that the tunnel will not be closed when idle. peer Syntax peer ip-address no peer config>router>l2tp>group>tunnel Context This command configures the peer address. Description The no form of the command removes the IP address from the tunnel configuration.
  • Page 134 Router L2TP Commands tunnel-selection-blacklist Syntax tunnel-selection-blacklist config>router>l2tp Context This command enables the context to configure L2TP Tunnel Selection Blacklist parameters. Description add-tunnel Syntax add-tunnel never add-tunnel on reason [reason...(upto 8 max)] no add-tunnel configure>router>l2tp>tunnel-selection-blacklist Context configure>service>vprn>l2tp>tunnel-selection-blacklist This command will force the tunnel to the blacklist and render it unavailable for new sessions for the Description duration of pre-configured time.
  • Page 135 IP Router Configuration (5) Protocol version not supported The receipt of the following Result Codes will NEVER blacklist a tunnel: (0) Reserved (3) Control channel already exist (7) Finite state machine error (8) Undefined Transmission of the following Result Codes will NEVER blacklist a tunnel: (1) General request to clear control connection (3) Control channel already exist (6) Requestor is being shutdown...
  • Page 136 Router L2TP Commands configure>service>vprn>l2tp>tunnel-selection-blacklist This command configures the time for which an entity (peer or tunnel) is kept in the blacklist. Description 5 minutes Default minutes — Specifies the maximum time a tunnel or peer may remain in the blacklist Parameters 1..60 Values...
  • Page 137: Router Interface Commands

    IP Router Configuration Router Interface Commands interface [no] interface ip-int-name [unnumbered-mpls-tp] Syntax config>router Context This command creates a logical IP routing or unnumbered MPLS-TP interface. Once created, Description attributes like IP address, port, or system can be associated with the IP interface. Interface names are case-sensitive and must be unique within the group of IP interfaces defined for config router interface and config service ies interface.
  • Page 138 Router Interface Commands unnumbered-mpls-tp, then it can only be associated with an Ethernet port or VLAN, using the port command. Either a unicast, multicast or broadcast remote MAC address may be configured using the static-arp command. Only static ARP is supported.
  • Page 139 IP Router Configuration address address {ip-address/mask | ip-address netmask} [broadcast {all-ones | host-ones}] Syntax no address config>router>interface Context This command assigns an IP address, IP subnet, and broadcast address format to an IP interface. Only Description one IP address can be associated with an IP interface. An IP address must be assigned to each IP interface.
  • Page 140 Router Interface Commands mask — The subnet mask in dotted decimal notation. When the IP prefix is not specified in CIDR notation, a space separates the ip-addr from a traditional dotted decimal mask. The mask parameter indicates the complete mask that will be used in a logical ‘AND’ function to derive the local subnet of the IP address.
  • Page 141 IP Router Configuration or disables the transmission of packets destined to the subnet broadcast address of the egress IP interface. When enabled, a frame destined to the local subnet on this IP interface is sent as a subnet broadcast out this interface. NOTE: Allowing directed broadcasts is a well-known mechanism used for denial-of-service attacks.
  • Page 142 Router Interface Commands transmit-interval — Sets the transmit interval, in milliseconds, for the BFD session. Parameters 10 — 100000 Values Default receive receive-interval — Sets the receive interval, in milliseconds, for the BFD session. 10 — 100000 Values Default multiplier multiplier — Set the multiplier for the BFD session. 3—...
  • Page 143 IP Router Configuration cpu-protection Syntax cpu-protection policy-id no cpu-protection config>router>interface Context This command assigns an existing CPU protection policy for the interface. The CPU protection Description policies are configured in the config>sys>security>cpu-protection>policy cpu-protection-policy-id context. policy-id — Specifies an existing CPU protection policy. Parameters 1 —...
  • Page 144 Router Interface Commands This command enables the collection of ingress interface IP stats. This command is only applicable to Description IP statistics, and not to uRPF statistics. If enabled, then the following statistics are collected: • IPv4 offered packets • IPv4 offered octets •...
  • Page 145 IP Router Configuration local-proxy-arp [no] local-proxy-arp Syntax config>router>interface Context This command enables local proxy ARP on the interface. Description no local-proxy-arp Default lag-link-map-profile Syntax lag-link-map-profile link-map-profile-id no lag-link-map-profile config>router>if Context This command assigns a pre-configured lag link map profile to a SAP/network interface configured Description on a LAG or a PW port that exists on a LAG.
  • Page 146 Router Interface Commands If the preferred RTM entry corresponds to an IP next-hop, the IPv4 packet is forwarded unlabelled. When ECMP is enabled and multiple equal-cost next-hops exist for the IGP route, the ingress IOM will spray the packets for this route based on hashing routine currently supported for IPv4 packets. When the preferred RTM entry corresponds to an LDP shortcut route, spraying will be performed across the multiple next-hops for the LDP FEC.
  • Page 147 IP Router Configuration If the user changes the value of the LDP synchronization timer parameter, the new value will take effect at the next synchronization event. In other words, if the timer is still running, it will continue using the previous value. If parallel links exist to the same neighbor, then the bindings and services should remain UP as long as there is one interface that is UP.
  • Page 148 Router Interface Commands config>router>interface Context This command assigns a specific MAC address to an IP interface. Only one MAC address can be Description assigned to an IP interface. When multiple mac commands are entered, the last command overwrites the previous command. The no form of the command returns the MAC address of the IP interface to the default value.
  • Page 149 IP Router Configuration interface that has no physical port specified will be accepted, but will have no effect as long as a corresponding port, or LAG, is defined. Single interfaces can be associated with multiple network-domains. per default “default” network domain is assigned Default ntp-broadcast [no] ntp-broadcast...
  • Page 150 Router Interface Commands ccag keyword 1 — 8 path-id a, b cc-type .sap-net, .net-sap lag-id lag-id keyword 1 — 200 proxy-arp-policy [no] proxy-arp-policy policy-name [policy-name...(up to 5 max)] Syntax config>router>interface Context This command enables and configures proxy ARP on the interface and specifies an existing policy-statement Description to analyze match and action criteria that controls the flow of routing information to and from a given protocol, set of protocols, or a particular neighbor.
  • Page 151 IP Router Configuration qos-route-lookup qos-route-lookup [source | destination] Syntax no qos-route-lookup config>router>interface Context config>router>interface>ipv6 This command enables QoS classification of the ingress IP packets on an interface based on the QoS Description information associated with routes in the forwarding table. If the optional destination parameter is specified and the destination address of an incoming IP packet matches a route with QoS information the packet is classified to the fc and priority associated with that route, overriding the fc and priority/profile determined from the sap-ingress or network qos...
  • Page 152 Router Interface Commands This command associates a network Quality of Service (QoS) policy with a network IP interface. Description Only one network QoS policy can be associated with an IP interface at one time. Attempts to associate a second QoS policy return an error. Associating a network QoS policy with a network interface is useful for the following purposes: •...
  • Page 153 IP Router Configuration remote-proxy-arp config>router>interface Context This command enables remote proxy ARP on the interface. Description no remote-proxy-arp Default secondary secondary {[ip-address/mask | ip-address netmask]} [broadcast {all-ones | host-ones}] Syntax [igp-inhibit] no secondary ip-addr config>router>interface Context Use this command to assign up to 16 secondary IP addresses to the interface. Each address can be Description configured in an IP address, IP subnet or broadcast address format.
  • Page 154 Router Interface Commands The all-ones keyword following the broadcast parameter specifies that the broadcast address used by the IP interface for this IP address will be 255.255.255.255, also known as the local broadcast. The host-ones keyword following the broadcast parameter specifies that the broadcast address used by the IP interface for this IP address will be the subnet broadcast address.
  • Page 155 IP Router Configuration ieee-mac-addr — Specifies the 48-bit MAC address for the static ARP in the form aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff, where aa, bb, cc, dd, ee and ff are hexadecimal numbers. Allowed values are any non-broadcast, non-multicast MAC and non-IEEE reserved MAC addresses. strip-label [no] strip-label Syntax...
  • Page 156 Router Interface Commands functions. The profile of a packet is either derived from ingress classification or ingress policing. The default marking state for network IP interfaces is trusted. This is equivalent to declaring no tos-marking-state on the network IP interface. When undefined or set to tos-marking-state trusted, the trusted state of the interface will not be displayed when using show config or show info unless the detail parameter is given.
  • Page 157 IP Router Configuration qos-route-lookup qos-route-lookup [source | destination] Syntax no qos-route-lookup config>router>if Context config>router>if>ipv6 This command enables QoS classification of the ingress IP packets on an interface based on the QoS Description information associated with routes in the forwarding table. If the optional destination parameter is specified and the destination address of an incoming IP packet matches a route with QoS information the packet is classified to the fc and priority associated with that route, overriding the fc and priority/profile determined from the sap-ingress or network qos...
  • Page 158 Router Interface Commands disabled Default mode mode {strict | loose | strict-no-ecmp} Syntax no mode config>router>if>urpf-check Context config>router>if>ipv6>urpf-check This command specifies the mode of unicast RPF check. Description The no form of the command reverts to the default (strict) mode. strict Default strict —...
  • Page 159 IP Router Configuration config>router>mh-primary-interface Context config>router>mh-secondary-interface This command assigns an IP address, IP subnet and broadcast address format to an IP interface. Only Description one IP address can be associated with an IP interface. An IP address must be assigned to each IP interface for the interface to be active.
  • Page 160 Router Interface Commands netmask — The subnet mask in dotted decimal notation. 0.0.0.0 - 255.255.255.255 (network bits all 1 and host bits all 0). Values description Syntax description description-string no description config>router>mh-primary-interface Context config>router>mh-secondary-interface This command creates a text description stored in the configuration file for a configuration context. Description The no form of the command removes the description string from the context.
  • Page 161 IP Router Configuration address is advertised via IGPs and LDP protocols to allow the resolution of BGP routes advertised with this address by the primary multihoming router. The no form of the command disables this setting. no mh-secondary-interface Default hold-time Syntax hold-time holdover-time no hold-time...
  • Page 162 Router Interface Commands Router Interface Filter Commands egress Syntax egress config>router>interface Context This command enables access to the context to configure egress network filter policies for the IP Description interface. If an egress filter is not defined, no filtering is performed. ingress Syntax ingress...
  • Page 163 IP Router Configuration Router Interface ICMP Commands icmp Syntax icmp config>router>interface Context This command enables access to the context to configure Internet Control Message Protocol (ICMP) Description parameters on a network IP interface. ICMP is a message control and error reporting protocol that also provides information relevant to IP packet processing.
  • Page 164 Router Interface Commands number — The maximum number of ICMP redirect messages to send, expressed as a decimal integer. Parameters This parameter must be specified with the time parameter. 10 — 1000 Values seconds — The time frame, in seconds, used to limit the number of ICMP redirect messages that can be issued, expressed as a decimal integer.
  • Page 165 IP Router Configuration By default, generation of ICMP destination unreachables messages is enabled at a maximum rate of 100 per 10 second time interval. The no form of the command disables the generation of ICMP destination unreachables on the router interface.
  • Page 166 Router Interface Commands Router Interface IPv6 Commands ipv6 [no] ipv6 Syntax config>router>interface Context This command configures IPv6 for a router interface. Description The no form of the command disables IPv6 on the interface. not enabled Default address address {ipv6-address/prefix-length} [eui-64] Syntax no address {ipv6-address/prefix-length} config>router>if>ipv6...
  • Page 167 IP Router Configuration packet-too-big packet-too-big [number seconds] Syntax no packet-too-big config>router>if>ipv6>icmp6 Context This command configures the rate for ICMPv6 packet-too-big messages. Description number — Limits the number of packet-too-big messages issued per the time frame specified in the Parameters seconds parameter. 10 —...
  • Page 168 Router Interface Commands number — Limits the number of redirects issued per the time frame specified in seconds parameter. Parameters 10 — 1000 Values seconds — Determines the time frame, in seconds, that is used to limit the number of redirects issued per time frame.
  • Page 169 IP Router Configuration link-local-address link-local-address ipv6-address [preferred] Syntax no link-local-address config>router>if>ipv6 Context This command configures the link local address. Description local-proxy-nd [no] local-proxy-nd Syntax config>router>if>ipv6 Context This command enables local proxy neighbor discovery on the interface. Description The no form of the command disables local proxy neighbor discovery. proxy-nd-policy proxy-nd-policy policy-name [policy-name...(up to 5 max)] Syntax...
  • Page 170 Router Interface Commands Parameters: ipv6-address — The IPv6 address assigned to a router interface. Values: ipv6-address: x:x:x:x:x:x:x:x (eight 16-bit pieces) x:x:x:x:x:x:d.d.d.d [0 — FFFF]H [0 — 255]D mac-address — Specifies the MAC address for the neighbor in the form of xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx.
  • Page 171: Router Advertisement Commands

    IP Router Configuration Router Advertisement Commands router-advertisement Syntax: [no] router-advertisement Context: config>router Description: This command configures router advertisement properties. By default, it is disabled for all IPv6 enabled interfaces. The no form of the command disables all IPv6 interfaces. However, the no interface interface-name command disables a specific interface.
  • Page 172 Router Advertisement Commands managed-configuration Syntax: [no] managed-configuration Context: config>router>router-advert>if Description: This command sets the managed address configuration flag. This flag indicates that DHCPv6 is available for address configuration in addition to any address autoconfigured using stateless address autoconfiguration. Default: no managed-configuration max-advertisement-interval [no] max-advertisement-interval seconds...
  • Page 173 IP Router Configuration This command configures the MTU for the nodes to use to send packets on the link. Description no mtu — The MTU option is not sent in the router advertisement messages. Default the MTU for the nodes to use to send packets on the link. mtu-bytes —...
  • Page 174 Router Advertisement Commands enabled Default on-link [no] on-link Syntax config>router>router-advert>if>prefix Context This command specifies whether the prefix can be used for onlink determination. Description enabled Default preferred-lifetime [no] preferred-lifetime {seconds | infinite} Syntax config>router>router-advert>if Context This command configures the remaining length of time in seconds that this prefix will continue to be Description preferred, such as, time until deprecation.
  • Page 175 IP Router Configuration reachable-time Syntax reachable-time milli-seconds no reachable-time config>router>router-advert>if Context This command configures how long this router should be considered reachable by other nodes on the Description link after receiving a reachability confirmation. no reachable-time Default milli-seconds — Specifies the length of time the router should be considered reachable. Parameters 0 —...
  • Page 176 Router Advertisement Commands config>router>router-advert>if Context This command enables sending router advertisement messages using the VRRP virtual MAC Description address, provided that the virtual router is currently the master. If the virtual router is not the master, no router advertisement messages are sent. The no form of the command disables sending router advertisement messages.
  • Page 177: Show Commands

    IP Router Configuration Show Commands aggregate aggregate [family] [active] Syntax show>router Context This command displays aggregate routes. Description family — Specifies to display IPv4 or IPv6 aggregate routes. Parameters ipv4, ipv6 Values active — When the active keyword is specified, inactive aggregates are filtered out. Sample Output *A:CPM133>config>router# show router aggregate ===============================================================================...
  • Page 178 Show Commands [local | dynamic | static | managed] — Only displays ARP information associated with the keyword. ARP Table Output — The following table describes the ARP table output fields: Output Label Description The IP address of the ARP entry. IP Address The MAC address of the ARP entry.
  • Page 179 IP Router Configuration ARP Table =============================================================================== IP Address MAC Address Expiry Type Interface ------------------------------------------------------------------------------- 10.10.13.1 04:5b:01:01:00:02 03:53:09 to-ser1 =============================================================================== A:ALA-A# authentication Syntax authentication show>router Context This command enables the command to display authentication statistics. Description statistics Syntax statistics statistics interface [ip-int-name | ip-address] statistics policy name show>router>authentication Context...
  • Page 180 Show Commands Client Packets Authenticate Ok : 12 =================================================================== A:ALU-3> Syntax show>router Context This command enables the context to display bi-directional forwarding detection (BFD) information. Description Sample Output *A:Dut-D# show router 3 bfd session =============================================================================== BFD Session =============================================================================== InterfaceState Tx Intvl Rx Intvl Multipl Remote Address...
  • Page 181 IP Router Configuration bfd-template Syntax bfd-template template-name show>router>bfd Context This command displays BFD template information. Description Sample Output *A:mlstp-dutA# show router bfd bfd-template "privatebed-bfd-template" =============================================================================== BFD Template privatebed-bfd-template =============================================================================== Template Name : privatebed-* Template Type : cpmNp Transmit Timer : 10 msec Receive Timer : 10 msec CV Transmit Interval...
  • Page 182 Show Commands 0::0.0.0.0 mplsTp cpm-np pp::lsp-35 Up (3) 1000 1000 0::0.0.0.0 mplsTp cpm-np pp::lsp-36 Up (3) 1000 1000 0::0.0.0.0 mplsTp cpm-np pp::lsp-37 Up (3) 1000 1000 0::0.0.0.0 mplsTp cpm-np pp::lsp-38 Up (3) 1000 1000 0::0.0.0.0 mplsTp cpm-np pp::lsp-39 Up (3) 1000 1000 0::0.0.0.0...
  • Page 183 IP Router Configuration port-1-3 port-1-3 port-1-4 port-1-4 port-1-5 =============================================================================== *A:Dut-B# session session [src ip-address [dst ip-address] | detail] Syntax session [type type] session [summary] show>router>bfd Context This command displays session information. Description ip-address — Only displays the interface information associated with the specified IP address. Parameters ipv4-address a.b.c.d (host bits must be 0)
  • Page 184 Show Commands =============================================================================== Interface State Tx Intvl Rx Intvl Multipl Remote Address Protocols Tx Pkts Rx Pkts Type ------------------------------------------------------------------------------- port-1-1 Up (3) 10.1.1.3 pim isis 50971 50718 port-1-1 Up (3) 3FFE::A01:103 static bgp cpm-np port-1-1 Up (3) FE80::A0A:A03 pim isis ospf3 cpm-np port-1-2 Up (3)
  • Page 185 IP Router Configuration Local Discr : 42 Local State : Up (3) Local Diag : 3 (Neighbor signalled s* Local Mode : Async Local Min Tx : 10 Local Mult Last Sent (ms) : 6 Local Min Rx : 10 Type : cpm-np Remote Discr...
  • Page 186 Show Commands port-1-4 Up (3) =============================================================================== *A:Dut-B# *A:Dut-D# show router bfd session summary ============================= BFD Session Summary ============================= Termination Session Count ----------------------------- central cpm-np iom, slot 1 iom, slot 2 iom, slot 3 iom, slot 4 iom, slot 5 Total ============================= *A:Dut-D# dhcp...
  • Page 187 IP Router Configuration If an IP address or interface name is specified, then only data regarding the specified interface is displayed. ip-int-name | ip-address — Displays statistics for the specified IP interface. Parameters Show DHCP Statistics Output — The following table describes the output fields for DHCP. Output statistics.
  • Page 188 Show Commands 7 REPLY 8 RELEASE 9 DECLINE 10 RECONFIGURE 11 INFO_REQUEST 12 RELAY_FORW 13 RELAY_REPLY -------------------------------------------------------------------------- Dhcp6 Drop Reason Counters : -------------------------------------------------------------------------- 1 Dhcp6 oper state is not Up on src itf 2 Dhcp6 oper state is not Up on dst itf 3 Relay Reply Msg on Client Itf 4 Hop Count Limit reached 5 Missing Relay Msg option, or illegal msg type...
  • Page 189 IP Router Configuration Indicates whether IP Auto Filter is enabled on the interface. Auto Filter Indicates whether Auto ARP table population is enabled on the interface. Snoop Indicates the total number of router interfaces on the router. Interfaces Sample Output A:ALA-1# show router dhcp summary =============================================================================== DHCP6 Summary (Router: Base)
  • Page 190 Show Commands Sample Output A:ALA-A# show router ecmp =============================================================================== Router ECMP =============================================================================== Instance Router Name ECMP Configured-ECMP-Routes ------------------------------------------------------------------------------- Base True =============================================================================== A:ALA-A# fib slot-number [family] [ip-prefix/prefix-length] [longer] [secondary] [exclude-services] Syntax fib slot-number [family] summary fib slot-number nh-table-usage show>router Context This command displays the active FIB entries for a specific IOM. Description slot-number —...
  • Page 191 IP Router Configuration ------------------------------------------------------------------------ Total Entries : 1 ------------------------------------------------------------------------ ======================================================================== *A:Dut-C# show router fib 1 1.1.1.1/32 =============================================================================== FIB Display =============================================================================== Prefix Protocol NextHop ------------------------------------------------------------------------------- 1.1.1.1/32 10.20.1.1 (Transport:RSVP LSP:1) ------------------------------------------------------------------------------- Total Entries : 1 ------------------------------------------------------------------------------- =============================================================================== *A:Dut-C# show router fib 1 =============================================================================== FIB Display ===============================================================================...
  • Page 192 Show Commands ------------------------------------------------------------------------------- ===============================================================================
  • Page 193 IP Router Configuration fp-tunnel-table fp-tunnel-table slot-number [ip-prefix/prefix-length] Syntax show>router Context This command displays the IOM/IMM label, next-hop and outgoing interface information for BGP, Description LDP and RSVP tunnels used in any of the following applications: • BGP shortcut (configure>router>bgp>igp-shortcut) • IGP shortcut (config>router>isis[ospf]>rsvp-shortcut) •...
  • Page 194 Show Commands Label Description (Continued) The number of messages that exceeded the time threshold. Time Exceeded The number of echo requests. Echo Request The number of times the local router was solicited. Router Solicits The number of times the neighbor router was solicited. Neighbor Solicits The number of error messages.
  • Page 195 IP Router Configuration interface interface [interface-name] Syntax show>router>icmpv6 Context This command displays interface ICMPv6 statistics. Description interface-name — Only displays entries associated with the specified IP interface name. Parameters icmp6 interface Output — The following table describes the show router icmp6 interface output Output fields: Label...
  • Page 196 Show Commands Router Solicits Router Advertisements Neighbor Solicits : 20 Neighbor Advertisements : 21 ------------------------------------------------------------------------------- Sent Total : 47 Errors Destination Unreachable : 0 Redirects Time Exceeded Pkt Too Big Echo Request Echo Reply Router Solicits Router Advertisements Neighbor Solicits : 27 Neighbor Advertisements : 20 ===============================================================================...
  • Page 197 IP Router Configuration interface interface [{[ip-address | ip-int-name] [statistics] [detail] [family]} | [summary] | [exclude- Syntax services] interface family [detail]] show>router Context This command displays the router IP interface table sorted by interface index. Description ip-address — Only displays the interface information associated with the specified IP address. Parameters ipv4-address a.b.c.d (host bits must be 0)
  • Page 198 Show Commands Label Description (Continued) Down — The IP interface is administratively disabled. Up — The IP interface is administratively enabled. Down — The IP interface is operationally disabled. Up — The IP interface is operationally disabled. Network — The IP interface is a network/core IP interface. Mode Service —...
  • Page 199 IP Router Configuration FE80::200:FF:FE00:4/64 PREFERRED ip-11.4.114.4 Up/Up Up/Up Network 6/1/2 11.4.114.4/24 3FFE::B04:7204/120 PREFERRED FE80::200:FF:FE00:4/64 PREFERRED ip-12.2.4.4 Up/Up Down/Down Network 3/1/2 12.2.4.4/24 3FFE::C02:404/120 ip-13.2.4.4 Up/Up Down/Down Network 3/1/3 13.2.4.4/24 3FFE::D02:404/120 ip-14.2.4.4 Up/Up Down/Down Network 3/1/4 14.2.4.4/24 3FFE::E02:404/120 ip-15.2.4.4 Up/Up Down/Down Network 3/1/5 15.2.4.4/24 3FFE::F02:404/120 ip-21.2.4.4...
  • Page 200 Show Commands mda-1-1 Up/Down 20.12.0.43/32 mda-2-1 Up/Down 20.12.0.44/32 mda-2-2 Up/Down 20.12.0.45/32 mda-3-1 Up/Down 20.12.0.46/32 ------------------------------------------------------------------------------- Interfaces : 4 =============================================================================== A:ALA-A# show router interface to-ser1 =============================================================================== Interface Table =============================================================================== Interface-Name Type IP-Address Mode ------------------------------------------------------------------------------- to-ser1 10.10.13.3/24 Network =============================================================================== A:ALA-A# A:ALA-A# show router interface exclude-services =============================================================================== Interface Table ===============================================================================...
  • Page 201 IP Router Configuration Label Description (Continued) The last change in operational status. Last Oper Change The global interface index of the IP router interface. Global If Index The SAP identifier. Sap ID The TOS byte value in the logged packet. TOS Marker Network —...
  • Page 202 Show Commands ------------------------------------------------------------------------------- Interface ------------------------------------------------------------------------------- If Name : to-sim1621 Admin State : Up Oper (v4/v6) : Up/-- Protocols : None IP Addr/mask : 1.1.1.2/24 Address Type : Primary IGP Inhibit : Disabled Broadcast Address : Host-ones HoldUp-Time Track Srrp Inst ------------------------------------------------------------------------------- Details -------------------------------------------------------------------------------...
  • Page 203 IP Router Configuration Qos Details ------------------------------------------------------------------------------- Ing Qos Policy : (none) Egr Qos Policy : (none) Ingress FP QGrp : (none) Egress Port QGrp : (none) Ing FP QGrp Inst : (none) Egr Port QGrp Inst: (none) =============================================================================== * indicates that the corresponding row element may have been truncated. B:bksim1619# *A:Dut-C# show router 1 interface "mda-3-1"...
  • Page 204 Show Commands ------------------------------------------------------------------------------- Details ------------------------------------------------------------------------------- Description : tms-2-1 If Index Virt. If Index Last Oper Chg : 09/14/2011 08:39:24 Global If Index : 122 If Type : TMS Rx Pkts : 13508 Rx Bytes : 864512 Tx Pkts : 13552 Tx Bytes : 867328 Tx Discard Pkts...
  • Page 205 IP Router Configuration A:ALA-A# *A:Dut-C# show router 1 interface "mda-3-1" detail =============================================================================== Interface Table (Service: 1) =============================================================================== ------------------------------------------------------------------------------- Interface ------------------------------------------------------------------------------- If Name : mda-3-1 Admin State : Up Oper (v4/v6) : Up/Down Protocols : None IP Addr/mask : 20.12.0.46/32 Address Type : Primary IGP Inhibit : Disabled...
  • Page 206 Show Commands Instance Router Name Interfaces Admin-Up Oper-Up ------------------------------------------------------------------------------- Base =============================================================================== routes Syntax routes alternative show:router>isis Context This command displays IS-IS route information. Description Sample Output *A:SRR# show router isis routes 1.1.1.0/24 =============================================================================== Route Table =============================================================================== Prefix[Flags] Metric Lvl/Typ Ver. SysID/Hostname NextHop AdminTag...
  • Page 207 IP Router Configuration 10.20.1.3/32 [L] 2/Int. Dut-C 10.20.3.3 10.20.1.4/32 2/Int. Dut-D 10.20.4.4 10.20.1.5/32 2/Int. Dut-C 10.20.3.3 10.20.1.6/32 2/Int. Dut-D 10.20.4.4 10.20.3.0/24 1/Int. Dut-B 0.0.0.0 10.20.4.0/24 1/Int. Dut-B 0.0.0.0 10.20.5.0/24 2/Int. Dut-C 10.20.3.3 10.20.6.0/24 2/Int. Dut-D 10.20.4.4 10.20.9.0/24 2/Int. Dut-D 10.20.4.4 10.20.10.0/24 2/Int.
  • Page 208 Show Commands ---------------------------------------------------------------------------- Routes : 11 Flags: LFA = Loop-Free Alternate nexthop ============================================================================ *A:Dut-B# bindings Syntax bindings active show>router>ldp Context This command displays LDP bindings information. Description Sample Output *A:Dut-A# show router ldp bindings active ======================================================================== Legend: (S) - Static (M) - Multi-homed Secondary Support (B) - BGP Next Hop (BU) - Alternate Next-hop for Fast Re-Route ========================================================================...
  • Page 209 IP Router Configuration ------------------------------------------------------------------------ No Matching Entries Found ======================================================================== *A:Dut-A# show router ldp bindings ======================================================================== LDP LSR ID: 10.20.1.1 ======================================================================== Legend: U - Label In Use, N - Label Not In Use, W - Label Withdrawn S - Status Signaled Up, D - Status Signaled Down E - Epipe Service, V - VPLS Service, M - Mirror Service A - Apipe Service, F - Fpipe Service, I - IES Service, R - VPRN service...
  • Page 210 Show Commands ======================================================================== ======================================================================== mvpn Syntax mvpn show>router router-instance Context This command displays Multicast VPN related information. The router instance must be specified. Description Sample Output *A:Dut-C# show router 1 mvpn =============================================================================== MVPN 1 configuration data =============================================================================== signaling : Bgp auto-discovery : Enabled UMH Selection...
  • Page 211 IP Router Configuration Label Description Displays the IPv6 address. IPv6 Address Displays the name of the IPv6 interface name. Interface Specifies the link-layer address. MAC Address Displays the current administrative state. State Displays the number of seconds until the entry expires. Displays the type of IPv6 interface.
  • Page 212 Show Commands Sample *A:Dut-T>config>router# show router network-domains =============================================================================== Network Domain Table =============================================================================== Network Domain Description ------------------------------------------------------------------------------- net1 Network domain 1 default Default Network Domain ------------------------------------------------------------------------------- Network Domains : 2 =============================================================================== *A:Dut-T>config>router# *A:Dut-T>config>router# show router network-domains detail =============================================================================== Network Domain Table (Router: Base) =============================================================================== ------------------------------------------------------------------------------- Network Domain...
  • Page 213 IP Router Configuration SDPs : 1 =============================================================================== *A:Dut-T>config>service# policy policy [name | damping | prefix-list name | as-path name | community name | admin] Syntax show>router Context This command displays policy-related information. Description name — Specify an existing policy-statement name. Parameters damping —...
  • Page 214 Show Commands policy-edits Syntax policy-edits show>router Context This command displays edited policy information. Description route-table route-table [family] [ip-prefix[/prefix-length] [longer|exact|protocol protocol-name] [all]] Syntax [next-hop-type type][qos][alternative] route-table [family] summary route-table tunnel-endpoints [ip-prefix[/prefix-length]] [longer|exact] [detail] show>router Context This command displays the active routes in the routing table. Description If no command line arguments are specified, all routes are displayed, sorted by prefix.
  • Page 215 IP Router Configuration Label Description (Continued) Local — The route is a local route. Type Remote — The route is a remote route. The protocol through which the route was learned. Protocol The route age in seconds for the route. The route metric value for the route.
  • Page 216 Show Commands ---------------------------------------------------------------------------- No. of Routes: 16 Flags: L = LFA nexthop available B = BGP backup route available ============================================================================ *A:Dut-B# show router route-table alternative ============================================================================ Route Table (Router: Base) ============================================================================ Dest Prefix[Flags] Type Proto Age Pref Next Hop[Interface Name] Metric Alt-NextHop Alt-Metric ---------------------------------------------------------------------------- 10.10.1.0/24 Local Local 00h02m28s 0...
  • Page 217 IP Router Configuration ============================================================================ *A:Dut-C# show router route-table 1.1.1.1/32 =============================================================================== Route Table (Router: Base) =============================================================================== Dest Prefix Type Proto Pref Next Hop[Interface Name] Metric ------------------------------------------------------------------------------- 1.1.1.1/32 Remote 00h00m09s 10.20.1.1 (tunneled:RSVP:1) ------------------------------------------------------------------------------- No. of Routes: 1 =============================================================================== A:ALA# show router route-table =============================================================================== Route Table (Router: Base) ===============================================================================...
  • Page 218 Show Commands =============================================================================== B:ALA-B# A:ALA-A# show router route-table 10.10.0.4 =============================================================================== Route Table =============================================================================== Dest Address Next Hop Type Protocol Metric Pref ------------------------------------------------------------------------------- 10.10.0.4/32 10.10.34.4 Remote OSPF 3523 1001 ------------------------------------------------------------------------------- A:ALA-A# A:ALA-A# show router route-table 10.10.0.4/32 longer =============================================================================== Route Table =============================================================================== Dest Address Next Hop Type...
  • Page 219 IP Router Configuration vprn1:mda-2-1 20.12.0.45/32 Remote Static 00h44m31s vprn1:mda-2-2 20.12.0.46/32 Remote Static 00h44m30s vprn1:mda-3-1 100.0.0.1/32 Remote 00h34m39s vprn1:mda-1-1 100.0.0.1/32 Remote 00h34m39s vprn1:mda-3-1 138.203.71.202/32 Remote Static 00h44m29s 10.12.0.2 ------------------------------------------------------------------------------- No. of Routes: 17 Flags: L = LFA nexthop available B = BGP backup route available n = Number of times nexthop is repeated =============================================================================== A:ALA-A# show router route-table protocol ospf...
  • Page 220 Show Commands 10.20.1.5/32 Remote OSPF 00h02m20s 10.20.1.5 (tunneled:RSVP:1) 10.20.1.6/32 Remote OSPF 00h02m20s 10.20.1.5 (tunneled:RSVP:1) 1100 ------------------------------------------------------------------------------- No. of Routes: 4 =============================================================================== *A:Dut-B# show router route-table 10.20.1.5/32 next-hop-type tunneled =============================================================================== Route Table (Router: Base) =============================================================================== Dest Prefix Type Proto Pref Next Hop[Interface Name] Metric ------------------------------------------------------------------------------- 10.20.1.5/32...
  • Page 221 IP Router Configuration ------------------------------------------------------------------------------- Total =============================================================================== NOTE: ISIS LFA routes and BGP Backup routes are not counted towards the total. Summary Route Table Output — Summary output for the route table displays the number of active routes and the number of routes learned by the router by protocol. Total active and available routes are also displayed.
  • Page 222 Show Commands rtr-advertisement Syntax: rtr-advertisement [interface interface-name]; rtr-advertisement [conflicts] Context: show>router Description: This command displays router advertisement information. If no command line arguments are specified, all routes are displayed, sorted by prefix. Parameters: interface-name — Maximum 32 characters. Output: Router-Advertisement Table Output — The following table describes the output fields for router-advertisement.
  • Page 223 IP Router Configuration Label Description (Continued) The minimum interval between sending ICMPv6 neighbor discovery Min Advert Inter- router advertisement messages. True — Indicates there are other stateful configurations. Other Config False — Indicates there are no other stateful configurations. Displays the router lifetime in seconds. Router Lifetime Displays the current hop limit.
  • Page 224 Show Commands ------------------------------------------------------------------------------- Rtr Advertisement Tx : 8 Last Sent : 00h06m41s Nbr Solicitation Tx : 166 Last Sent : 00h00m04s Nbr Advertisement Tx : 143 Last Sent : 00h00m05s Rtr Advertisement Rx : 8 Rtr Solicitation Rx Nbr Advertisement Rx : 166 Nbr Solicitation Rx : 143 -------------------------------------------------------------------------------...
  • Page 225 IP Router Configuration Output: Router-Advertisement Conflicts Output — The following table describes the output fields for router-advertisement conflicts. Label / Description: Advertisement from — The address of the advertising router. Reachable Time — The time, in milliseconds, that a node assumes a neighbor is reachable after receiving a reachability confirmation.
  • Page 226 Show Commands ------------------------------------------------------------------------------- Interface: interfaceServiceNonDefault ------------------------------------------------------------------------------- Advertisement from: FE80::200:FF:FE00:2 Managed Config : FALSE [TRUE] Other Config : FALSE [TRUE] Reachable Time : 00h00m00s0ms [00h00m00s400ms] Router Lifetime : 00h30m00s [00h30m01s] Retransmit Time : 00h00m00s0ms [00h00m00s400ms] Hop Limit : 64 [63] Link MTU : 0 [1500] Prefix not present in own router advertisement Prefix: 2::/120...
  • Page 227 IP Router Configuration Static ARP Table Output — The following table describes the output fields for the ARP table. Output Label Description The IP address of the static ARP entry. IP Address The MAC address of the static ARP entry. MAC Address The age of the ARP entry.
  • Page 228 Show Commands A:ALA-A# show router static-arp mac 00:00:5a:40:00:01 =============================================================================== ARP Table =============================================================================== IP Address MAC Address Type Interface ------------------------------------------------------------------------------- 10.200.0.253 00:00:5a:40:00:01 00:00:00 Sta to-ser1 =============================================================================== A:ALA-A# static-route static-route [family] [[ip-prefix /mask] | [preference preference] | [next-hop ip-address] | tag Syntax tag] show>router Context...
  • Page 229 IP Router Configuration Label Description (Continued) BH — The static route is a black hole route. The for this type of Type Nexthop route is black-hole ID — The static route is an indirect route, where the for this nexthop type of route is the non-directly connected next hop.
  • Page 230 Show Commands =============================================================================== Route Table =============================================================================== IP Addr/mask Pref Metric Type Nexthop Interface Active ------------------------------------------------------------------------------- 192.168.254.0/24 black-hole =============================================================================== A:ALA-A# A:ALA-A# show router static-route next-hop 10.10.0.254 =============================================================================== Route Table =============================================================================== IP Addr/mask Pref Metric Type Nexthop Interface Active ------------------------------------------------------------------------------- 192.168.253.0/24 10.10.0.254 =============================================================================== A:ALA-A# *A:CPM133>config>router# show router static-route 3.3.3.3/32 detail...
  • Page 231 IP Router Configuration Label Description (Continued) false — Addresses in the range are not exclusively for use for service Exclusive IP addresses. true — Addresses in the range are exclusively for use for service IP addresses and cannot be assigned to network IP interfaces. Sample Output A:ALA-A# show router service-prefix =================================================...
  • Page 232 Show Commands dscp-map dscp-map [dscp-name] Syntax show>router>sgt-qos Context This command displays DSCP to FC mappings. Description dscp-name — The specific DSCP name. Parameters be, ef, cp1, cp2, cp3, cp4, cp5, cp6, cp7, cp9, cs1, cs2, cs3, cs4, cs5, nc1, nc2, af11, Values af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cp11, cp13, cp15, cp17, cp19, cp21, cp23, cp25, cp27, cp29, cp31, cp33, cp35, cp37, cp39, cp41, cp42,...
  • Page 233 IP Router Configuration Label Description (Continued) state — Current single SFM state service-id — Last time this vRtr went into overload, after having start respected the hold-off time interval — How long the vRtr remained or is in overload No — Triggered route policy re-evaluation is disabled. Triggered Poli- Yes —...
  • Page 234 Show Commands OSPFv2-6 Down Down OSPFv2-7 Down Down OSPFv2-8 Down Down OSPFv2-9 Down Down OSPFv2-10 Down Down OSPFv2-11 Down Down OSPFv2-12 Down Down OSPFv2-13 Down Down OSPFv2-14 Down Down OSPFv2-15 Down Down OSPFv2-16 Down Down OSPFv2-17 Down Down OSPFv2-18 Down Down OSPFv2-19 Down...
  • Page 235 IP Router Configuration Sample Output show router <router-instance> tms routes ------------------------------------------- *A:Dut-C# show router 1 tms routes =============================================================================== TMS Routes (IPv4) =============================================================================== Status Network Next Hop[Interface Name] ------------------------------------------------------------------------------- Active 100.0.0.1/32 mda-2-1 Inactive 101.0.0.1/32 mda-2-1 Inactive 102.0.0.1/32 mda-2-1 Inactive 103.0.0.1/32 mda-2-1 Inactive 104.0.0.1/32 mda-2-1...
  • Page 236 Show Commands Tunnel Table Output — The following table describes tunnel table output fields. Output Label Description The route’s destination address and mask. Destination Specifies the tunnel owner. Owner Specifies the tunnel’s encapsulation type. Encap Specifies the tunnel (SDP) identifier. Tunnel ID Specifies the route preference for routes learned from the configured Pref...
  • Page 237 IP Router Configuration Last Mgmt Change : 12/14/2012 12:42:19 Force Vlan-Vc : Disabled Endpoint : N/A Precedence PW Status Sig : Enabled Class Fwding State : Down Flags : None Time to RetryReset : never Retries Left Mac Move : Blockable Blockable Level : Tertiary Local Pw Bits...
  • Page 238 Show Commands Associated LSP List : No LSPs Associated ----------------------------------------------------------------------- Class-based forwarding : ----------------------------------------------------------------------- Class forwarding : Disabled EnforceDSTELspFc : Disabled Default LSP : Uknwn Multicast LSP : None ======================================================================= FC Mapping Table ======================================================================= FC Name LSP Name ----------------------------------------------------------------------- No FC Mappings ----------------------------------------------------------------------- Stp Service Destination Point specifics -----------------------------------------------------------------------...
  • Page 239 IP Router Configuration Tunnel Table ================================================================== DestinationOwnerEncapTunnel IdPrefNexthopMetric ------------------------------------------------------------------------------- 10.0.0.1/32 sdp GRE 10 5 10.0.0.1 0 10.0.0.1/32 sdp GRE 21 5 10.0.0.1 0 10.0.0.1/32 sdp GRE 31 5 10.0.0.1 0 10.0.0.1/32 sdp GRE 41 5 10.0.0.1 0 =============================================================================== A:ALA-A>config>service# A:ALA-A>config>service# show router tunnel-table summary =============================================================================== Tunnel Table Summary (Router: Base)
  • Page 240: L2Tp Show Commands

    Show Commands L2TP Show Commands l2tp Syntax l2tp show>router Context This command enables the context to display L2TP related information. Description group group [tunnel-group-name [statistics]] Syntax show>router>l2tp Context This command displays L2TP group operational information. Description tunnel-group-name — Displays information for the specified tunnel group. Parameters statistics —...
  • Page 241 IP Router Configuration 143523840 2190 17525 established isp1.group-2 isp1.tunnel-3 236912640 3615 58919 closedByPeer isp1.group-2 isp1.tunnel-2 658178048 10043 33762 draining isp1.group-2 isp1.tunnel-2 ------------------------------------------------------------------------------- No. of tunnels: 3 =============================================================================== *A:Dut-C# *A:Dut-C# show router l2tp group isp1.group-2 statistics Group Name: isp1.group-2 ------------------------------------------------------------------------------- Attempts Failed Failed-Aut Active...
  • Page 242 Show Commands =============================================================================== Peer IP Tun Active Ses Active Drain Unreach Role Tun Total Ses Total ------------------------------------------------------------------------------- 10.10.14.8 10.10.20.100 drain 10.10.20.101 unreach LAC ------------------------------------------------------------------------------- No. of peers: 3 =============================================================================== *A:Dut-C# *A:Dut-C# show router l2tp peer unreachable =============================================================================== L2TP Peers =============================================================================== Peer IP Tun Active Ses Active Drain Unreach Role Tun Total...
  • Page 243 IP Router Configuration ------------------------------------------------------------------------------- 10.10.20.100 drain ------------------------------------------------------------------------------- No. of peers: 1 =============================================================================== *A:Dut-C# *A:Fden-Dut2-BSA2# show router l2tp peer 10.0.0.1 statistics =============================================================================== Peer IP: 10.0.0.1 =============================================================================== tunnels tunnels active sessions sessions active rx ctrl octets : 541 rx ctrl packets tx ctrl octets : 272 tx ctrl packets tx error packets...
  • Page 244 Show Commands connection-id connection-id — Specifies the identification number for a Layer Two Tunneling Parameters Protocol connection. 1 — 429496729 Values detail — Displays detailed L2TP session information. session-id session-id (v2) — Specifies the identification number for a Layer Two Tunneling Protocol session.
  • Page 245 IP Router Configuration =============================================================================== *A:Dut-C# *A:Dut-C# show router l2tp session state established =============================================================================== L2TP Session Summary =============================================================================== Control Conn ID Tunnel-ID Session-ID State ------------------------------------------------------------------------------- 143524786 143523840 2190 established 143526923 143523840 2190 3083 established 379407426 379387904 5789 19522 established 658187773 658178048 10043 9725 established...
  • Page 246 Show Commands State : closed Tunnel Group : isp1.group-2 Assignment ID : isp1.tunnel-2 Error Message : tunnel was closed Control Conn ID : 236912640 Remote Conn ID : 3861317210 Tunnel ID : 3615 Remote Tunnel ID : 58919 Session ID : 15275 Remote Session ID : 1626 Time Started...
  • Page 247 IP Router Configuration 658198275 658178048 10043 20227 established 658210606 658178048 10043 32558 established ------------------------------------------------------------------------------- No. of sessions: 8 =============================================================================== *A:Dut-C# *A:Dut-C# show router l2tp session tunnel-id 2190 state closed detail =============================================================================== L2TP Session Status =============================================================================== Connection ID : 143531662 State : closed Tunnel Group : isp1.group-2...
  • Page 248 Show Commands *A:Dut-C# *A:Dut-C# show router l2tp session control-connection-id 658178048 =============================================================================== L2TP Session Summary =============================================================================== Control Conn ID Tunnel-ID Session-ID State ------------------------------------------------------------------------------- 658187773 658178048 10043 9725 established 658198275 658178048 10043 20227 established 658210606 658178048 10043 32558 established ------------------------------------------------------------------------------- No. of sessions: 3 =============================================================================== *A:Dut-C# *A:Dut-C# show router l2tp session peer 10.10.20.100...
  • Page 249 IP Router Configuration Error Message : tunnel was closed Control Conn ID : 236912640 Remote Conn ID : 3861317210 Tunnel ID : 3615 Remote Tunnel ID : 58919 Session ID : 15275 Remote Session ID : 1626 Time Started : 04/17/2009 18:41:03 Time Established : 04/17/2009 18:41:03 Time Closed : 04/17/2009 18:43:20...
  • Page 250 Show Commands ip-address: 10.100.2.1 =============================================================================== *A:Fden-Dut2-BSA2# show router l2tp session connection-id 600407016 detail =============================================================================== L2TP Session Status =============================================================================== Connection ID: 600407016 State : established Tunnel Group : base_lns_base_lac Assignment ID: t1 Error Message: N/A Control Conn ID : 600375296 Remote Conn ID : 1026712216 Tunnel ID : 9161...
  • Page 251 IP Router Configuration statistics Syntax statistics show>router>l2tp Context This command displays L2TP statistics. Description Sample Output *A:Dut-C# show router l2tp statistics =============================================================================== L2TP Statistics =============================================================================== Tunnels Sessions ------------------------------------------------------------------------------- Active Active Setup history since 04/17/2009 18:38:41 Total Total Failed Failed Failed Auth =============================================================================== *A:Dut-C# 7450 ESS OS Router Configuration Guide...
  • Page 252 Show Commands tunnel tunnel [statistics] [detail] [peer ip-address] [state tunnel-state] [remote-connection-id Syntax remote-connection-id (v3)] [group group-name] [assignment-id assignment-id] [local-name host-name] [remote-name host-name]| tunnel [statistics] [detail] [peer ip-address] [state tunnel-state] [remote-tunnel-id remote- tunnel-id (v2)] [group group-name] [assignment-id assignment-id] [local-name host-name] [remote-name host-name] tunnel tunnel-id tunnel-id (v2) [statistics] [detail] tunnel connection-id connection-id (v3) [statistics] [detail] show>router>l2tp...
  • Page 253 IP Router Configuration In L2TP version 2, it is the 16-bit tunnel ID. 1 — 65535 Values control-connection-id connection-id (v3) — Displays information for the specified ID of a L2TP tunnel. In L2TP version 3, it is the 32-bit control connection ID. 1 —...
  • Page 254 Show Commands Time Started : 04/17/2009 18:41:03 Time Idle : 04/17/2009 18:43:20 Time Established : 04/17/2009 18:41:03 Time Closed : 04/17/2009 18:43:20 Stop CCN Result : generalReq General Error : noError ------------------------------------------------------------------------------- No. of tunnels: 1 =============================================================================== *A:Dut-C# *A:Dut-C# show router l2tp tunnel state established =============================================================================== Conn ID Loc-Tu-ID Rem-Tu-ID State...
  • Page 255 IP Router Configuration ------------------------------------------------------------------------------- Ctrl Packets Ctrl Octets 1450 Error Packets 0 ------------------------------------------------------------------------------- *A:Dut-C# *A:Dut-C# show router l2tp tunnel remote-tunnel-id 17525 detail =============================================================================== L2TP Tunnel Status =============================================================================== Connection ID : 143523840 State : established : 10.20.1.3 Peer IP : 10.10.20.101 Name : lac1.wholesaler.com Remote Name...
  • Page 256 Show Commands *A:Dut-C# *A:Dut-C# show router l2tp tunnel peer 10.10.20.100 state closed-by-peer detail =============================================================================== L2TP Tunnel Status =============================================================================== Connection ID : 236912640 State : closedByPeer : 10.20.1.3 Peer IP : 10.10.20.100 Name : lac1.wholesaler.com Remote Name : lns2.retailer1.net Assignment ID : isp1.tunnel-2 Group Name : isp1.group-2 Error Message : Goodbye!
  • Page 257 IP Router Configuration L2TP Tunnel Statistics =============================================================================== Connection ID: 143523840 ------------------------------------------------------------------------------- Attempts Failed Active Total ------------------------------------------------------------------------------- Sessions ------------------------------------------------------------------------------- ------------------------------------------------------------------------------- ------------------------------------------------------------------------------- Ctrl Packets Ctrl Octets 1310 1690 Error Packets 0 ------------------------------------------------------------------------------- No. of tunnels: 1 =============================================================================== *A:Dut-C# *A:Dut-C# show router l2tp tunnel local-name lac1.wholesaler.com remote-name lns2.retailer1.net state draining =============================================================================== Conn ID...
  • Page 258 Show Commands ------------------------------------------------------------------------------- Fsm Messages 4 ------------------------------------------------------------------------------- ------------------------------------------------------------------------------- Unsent Max Unsent Cur Ack Max Ack Cur ------------------------------------------------------------------------------- Q Length ------------------------------------------------------------------------------- Window Size Cur acceptedMsgType StartControlConnectionRequest StartControlConnectionConnected IncomingCallRequest IncomingCallConnected ZeroLengthBody originalTransmittedMsgType StartControlConnectionReply Hello IncomingCallReply ZeroLengthBody last cleared time : N/A =============================================================================== Page 258 7450 ESS OS Router Configuration Guide...
  • Page 259: Clear Commands

    IP Router Configuration Clear Commands router Syntax router router-instance clear>router Context This command clears for a the router instance in which they are entered. Description router-instance — Specify the router name or service ID. Parameters Base, management, vpls-management Values router-name: 1 —...
  • Page 260 Clear Commands session Syntax session src-ip ip-address dst-ip ip-address clear>router>bfd Context This command clears BFD sessions. Description src-ip ip-address — Specifies the address of the local endpoint of this BFD session. Parameters dst-ip ip-address — Specifies the address of the remote endpoint of this BFD session. statistics Syntax statistics src-ip ip-address dst-ip ip-address...
  • Page 261 IP Router Configuration forwarding-table forwarding-table [slot-number] Syntax clear>router Context This command clears entries in the forwarding table (maintained by the IOMs). Description If the slot number is not specified, the command forces the route table to be recalculated. slot-number — Clears the specified card slot. Parameters all IOMs Default...
  • Page 262 Clear Commands interface interface [ip-int-name | ip-addr] [icmp] [urpf-stats] [statistics] Syntax clear>router Context This command clears IP interface statistics. Description If no IP interface is specified either by IP interface name or IP address, the command will perform the clear operation on all IP interfaces. ip-int-name | ip-addr —...
  • Page 263 IP Router Configuration statistics Syntax statistics clear>router>l2tp Context clear>router>l2tp>group clear>router>l2tp>tunnel This command clears statistics for the specified context. Description statistics statistics [ip-address | ip-int-name] Syntax clear>router>dhcp Context clear>router>dhcp6 Description This command clears DHCP and DHCP6 relay and snooping statistics. If no IP address or interface name is specified, then statistics are cleared for all configured interfaces.
  • Page 264: Debug Commands

    Debug Commands Debug Commands destination Syntax destination trace-destination debug>trace Context This command specifies the destination to send trace messages. Description trace-destination — The destination to send trace messages. Parameters stdout, console, logger, memory Values enable [no] enable Syntax debug>trace Context This command enables the trace.
  • Page 265 IP Router Configuration Base Default Syntax debug>router Context This command configures debugging for IP. Description Syntax debug>router>ip Context This command configures route table debugging. Description icmp [no] icmp Syntax Context debug>router>ip This command enables ICMP debugging. Description icmp6 icmp6 [ip-int-name] Syntax no icmp6 debug>router>ip...
  • Page 266 Debug Commands ip-address — Only displays the interface information associated with the specified IP address. Parameters ipv4-address a.b.c.d (host bits must be 0) Values ip-int-name — Only displays the interface information associated with the specified IP interface name. 32 characters maximum Values packet packet [ip-int-name | ip-address] [headers] [protocol-id]...
  • Page 267 IP Router Configuration tunnel-table tunnel-table [ip-address] [ldp | rsvp [tunnel-id tunnel-id]| sdp [sdp-id sdp-id]] Syntax debug>router>ip Context This command enables debugging for tunnel tables. Description 7450 ESS OS Router Configuration Guide Page 267...
  • Page 269: Vrrp

    VRRP In This Chapter This chapter provides information about configuring Virtual Router Redundancy Protocol (VRRP) parameters. Topics in this chapter include: • VRRP Overview on page 270 - Virtual Router on page 271 - IP Address Owner on page 271 - ...
  • Page 270: Vrrp Overview

    VRRP Overview The Virtual Router Redundancy Protocol (VRRP) for IPv4 is defined in the IETF RFC 3768, Virtual Router Redundancy Protocol. VRRP describes a method of implementing a redundant IP interface shared between two or more routers on a common LAN segment, allowing a group of routers to function as one virtual router.
  • Page 271: Vrrp Components

    This is a common mechanism that allows multiple local subnet attachment on a single routing interface. Up to four virtual routers are possible on a single Alcatel-Lucent IP interface. The virtual routers must be in the same subnet. Each virtual router has its own VRID, state machine and messaging instance.
  • Page 272: Primary And Secondary Ip Addresses

    An IP interface must always have a primary IP address assigned for VRRP to be active on the interface. Alcatel-Lucent routers support both primary and secondary IP addresses (multi-netting) on the IP interface. The virtual router’s VRID primary IP address is always the primary address on the IP interface.
  • Page 273: Virtual Router Backup

    VRRP Virtual Router Backup A new virtual router master is selected from the set of VRRP routers available to assume forwarding responsibility for a virtual router should the current master fail. Owner and Non-Owner VRRP The owner controls the IP address of the virtual router and is responsible for forwarding packets sent to this IP address.
  • Page 274: Configurable Parameters

    Configurable Parameters In addition to backup IP addresses, to facilitate configuration of a virtual router on Alcatel-Lucent routers, the following parameters can be defined in owner configurations: • Virtual Router ID (VRID) on page 274 • Message Interval and Master Inheritance on page 276 •...
  • Page 275: Ip Addresses

    VRRP the defined IP address on the IP interface is different than the virtual router IP address (non-owner mode). When the IP address on the IP interface matches the virtual router IP address (owner mode), the priority value is fixed at 255, the highest value possible. This virtual router member is considered the owner of the virtual router IP address.
  • Page 276: Message Interval And Master Inheritance

    Message Interval and Master Inheritance Each virtual router is configured with a message interval per VRID within which it participates. This parameter must be the same for every virtual router on the VRID. For IPv4, the default advertisement interval is 1 second and can be configured between 100 milliseconds and 255 seconds 900 milliseconds.
  • Page 277: Master Down Interval

    VRRP Master Down Interval The master down interval is a calculated value used to load the master down timer. When the master down timer expires, the virtual router enters the master state. To calculate the master down interval, the virtual router evaluates the following formula: Master Down Interval = (3 x Operational Advertisement Interval) + Skew Time The operational advertisement interval is dependent upon the state of the inherit parameter.
  • Page 278: Vrrp Message Authentication

    VRRP Message Authentication The authentication type parameter defines the type of authentication used by the virtual router in VRRP advertisement message authentication. VRRP message authentication is applicable to IPv4 only. The current master uses the configured authentication type to indicate any egress message manipulation that must be performed in conjunction with any supporting authentication parameters before transmitting a VRRP advertisement message.
  • Page 279 VRRP • VRRP message checks - Version field – Must be set to the value 2 - Type field – Must be set to the value of 1 (advertisement) - Virtual router ID field – Must match one of the configured VRIDs on the ingress IP interface (All other fields are dependent on matching the virtual router ID field to one of the interface's configured VRID parameters) - ...
  • Page 280: Authentication Data

    VRRP advertisement messages contain an IP address count field that indicates the number of IP addresses listed in the sequential IP address fields at the end of the message. The Alcatel-Lucent routers implementation always logs mismatching events. The decision on where and whether to forward the generated messages depends on the configuration of the event manager.
  • Page 281: Inherit Master Vrrp Router's Advertisement Interval Timer

    VRRP With secondary IP address support, multiple IP addresses may be found in the list and it should match the IP address on the virtual router instance. Owner and non-owner virtual router instances have the supported IP addresses explicitly defined, making mismatched supported IP address within the interconnected virtual router instances a provisioning issue.
  • Page 282: Vrrp Priority Control Policies

    VRRP Priority Control Policies This implementation of VRRP supports control policies to manipulate virtual router participation in the VRRP master election process and master self-deprecation. The local priority value for the virtual router instance is used to control the election process and master state. VRRP Virtual Router Policy Constraints Priority control policies can only be applied to non-owner VRRP virtual router instances.
  • Page 283: Vrrp Priority Control Policy Delta In-Use Priority Limit

    VRRP VRRP Priority Control Policy Delta In-Use Priority Limit A VRRP priority control policy enforces an overall minimum value that the policy can inflict on the VRRP virtual router instance base priority. This value provides a lower limit to the delta priority events manipulation of the base priority.
  • Page 284: Vrrp Priority Control Policy Priority Events

    VRRP Priority Control Policy Priority Events The main function of a VRRP priority control policy is to define conditions or events that impact the system’s ability to communicate with outside hosts or portions of the network. When one or multiple of these events are true, the base priority on the virtual router instance is either overwritten with an explicit value, or a sum of delta priorities is subtracted from the base priority.
  • Page 285: Port Down Priority Event

    VRRP Port Down Priority Event The port down priority event is tied to either a physical port or a SONET/SDH channel. The port or channel operational state is evaluated to determine a port down priority event or event clear. When the port or channel operational state is up, the port down priority event is considered false or cleared.
  • Page 286 Table 6: LAG Events (Continued) Time LAG Port State Parameter State Comments One port up Event State Set - 8 ports down Cannot change until Hold Set Timer expires Event Threshold 6 ports down Hold Set Timer 5 seconds Event does not affect timer All ports up Event State Set - 8 ports down...
  • Page 287: Host Unreachable Priority Event

    VRRP Table 6: LAG Events (Continued) Time LAG Port State Parameter State Comments Seven ports down Event State Set - 7 ports down Changed due to increase Event Threshold 6 ports down Hold Set Timer 5 seconds Set to hold-set due to threshold increase All ports up Event State Set - 7 ports down...
  • Page 288 When a route prefix exists within the active route table that matches the defined match criteria, the route unknown priority event is considered false or cleared. When a route prefix does not exist within the active route table matching the defined criteria, the route unknown priority event is considered true or set.
  • Page 289: Vrrp Non-Owner Accessibility

    VRRP VRRP Non-Owner Accessibility Although the RFC states that only VRRP owners can respond to ping and other management-oriented protocols directed to the VRID IP addresses, the routers allow an override of this restraint on a per VRRP virtual router instance basis. Non-Owner Access Ping Reply When non-owner access ping reply is enabled on a virtual router instance, ICMP echo request messages destined to the non-owner virtual router instance IP addresses are not discarded at the IP...
  • Page 290: Non-Owner Access Ssh

    Non-Owner Access SSH When non-owner access SSH is enabled on a virtual router instance, authorized SSH sessions may be established that are destined to the virtual router instance IP addresses when operating in master mode. SSH sessions are always discarded at the IP interface when destined to a virtual router IP address operating in backup mode.
  • Page 291: Vrrp Configuration Process Overview

    VRRP VRRP Configuration Process Overview Figure 13 displays the process to provision VRRP parameters. START CONFIGURE VRRP PRIORITY CONTROL POLICIES (optional) CONFIGURE IES SERVICE CONFIGURE ROUTER INTERFACE CONFIGURE INTERFACE CONFIGURE INTERFACE SPECIFY ADDRESS, SECONDARY ADDRESS(ES) SPECIFY ADDRESS, SECONDARY ADDRESS(ES) CONFIGURE VRRP OWNER/NON-OWNER INSTANCE SPECIFY BACKUP IP ADDRESS(ES) CONFIGURE VRRP PARAMETERS APPLY VRRP PRIORITY CONTROL POLICIES (optional)
  • Page 292: Configuration Notes

    Configuration Notes This section describes VRRP configuration caveats. General • Creating and applying VRRP policies are optional. • Backup command: - The backup IP address(es) must be on the same subnet. The backup addresses explicitly define which IP addresses are in the VRRP advertisement message IP address list.
  • Page 293: Configuring Vrrp With Cli

    VRRP Configuring VRRP with CLI This section provides information to configure VRRP using the command line interface. Topics in this section include: • VRRP Configuration Overview on page 294 • Basic VRRP Configurations on page 295 • Common Configuration Tasks on page 298 •...
  • Page 294: Vrrp Configuration Overview

    VRRP Configuration Overview Configuring VRRP policies and configuring VRRP instances on interfaces and router interfaces is optional. The basic owner and non-owner VRRP configurations on an IES or router interface must specify the backup ip-address parameter. VRRP helps eliminate the single point of failure in a routed environment by using virtual router IP address shared between two or more routers connecting the common domain.
  • Page 295: Basic Vrrp Configurations

    VRRP Basic VRRP Configurations Configure VRRP parameters in the following contexts: • VRRP Policy on page 295 • VRRP IES Service Parameters on page 296 • VRRP Router Interface Parameters on page 297 VRRP Policy Configuring and applying VRRP policies are optional. There are no default VRRP policies. Each policy must be explicitly defined.
  • Page 296: Vrrp Ies Service Parameters

    VRRP IES Service Parameters VRRP parameters are configured within an IES service with two contexts, owner or non-owner. The status is specified when the VRRP configuration is created. When configured as owner, the virtual router instance owns the backup IP addresses. All other virtual router instances participating in this message domain must have the same vrid configured and cannot be configured as owner.
  • Page 297: Vrrp Router Interface Parameters

    VRRP VRRP Router Interface Parameters VRRP parameters are configured on a router interface with two contexts, owner or non-owner. The status is specified when the VRRP configuration is created. When configured as owner, the virtual router instance owns the backed up IP addresses. All other virtual router instances participating in this message domain must have the same vrid configured and cannot be...
  • Page 298: Common Configuration Tasks

    Common Configuration Tasks This section provides a brief overview of the tasks that must be performed to configure VRRP and provides the CLI commands. VRRP parameters are defined under a service interface or a router interface context. An IP address must be assigned to each IP interface. Only one IP address can be associated with an IP interface but several secondary IP addresses can also be associated.
  • Page 299: Creating Interface Parameters

    VRRP Creating Interface Parameters If you have multiple subnets configured on an Ethernet interface, you can configure VRRP on each subnet. The following displays an IP interface configuration example: A:SR1>config>router# info #------------------------------------------ echo "IP Configuration " #------------------------------------------ interface "system" address 10.10.0.1/32 exit interface "testA"...
  • Page 300: Configuring Vrrp Policy Components

    Configuring VRRP Policy Components The following displays a VRRP policy configuration example: A:SR1>config>vrrp# info ---------------------------------------------- policy 1 delta-in-use-limit 50 priority-event port-down 1/1/2 hold-set 43200 priority 100 delta exit route-unknown 0.0.0.0/0 protocol isis exit exit exit ---------------------------------------------- A:SR1>config>vrrp# Page 300 7450 ESS OS Router Configuration Guide...
  • Page 301: Configuring Service Vrrp Parameters

    VRRP Configuring Service VRRP Parameters VRRP parameters can be configured on an interface in a service to provide virtual default router support which allows traffic to be routed without relying on a single router in case of failure. VRRP can be configured the following ways: •...
  • Page 302: Owner Service Vrrp

    Owner Service VRRP The following displays the owner VRRP configuration example: A:SR4>config>router# info #------------------------------------------ echo "IP Configuration " #------------------------------------------ interface "test2" address 10.10.10.23/24 vrrp 1 owner backup 10.10.10.23 authentication-type password authentication-key "testabc" exit exit #------------------------------------------ A:SR4>config>router# Page 302 7450 ESS OS Router Configuration Guide...
  • Page 303: Configuring Router Interface Vrrp Parameters

    Configuring Router Interface VRRP Parameters VRRP parameters can be configured on a router interface to provide virtual default router support, which allows traffic to be routed without relying on a single router in case of failure. VRRP can be configured the following ways: •...
  • Page 304: Router Interface Vrrp Owner

    Router Interface VRRP Owner The following displays a router interface owner VRRP configuration example:
        A:SR2>config>router# info
        #------------------------------------------
            interface "vrrpowner"
                address 10.10.10.23/24
                vrrp 1 owner
                    backup 10.10.10.23
                    authentication-type password
                    authentication-key "testabc"
                exit
            exit
        #------------------------------------------
        A:SR2>config>router#
  • Page 305: Vrrp Configuration Management Tasks

    VRRP VRRP Configuration Management Tasks This section discusses the following VRRP configuration management tasks: • Modifying a VRRP Policy on page 305 • Deleting a VRRP Policy on page 306 • Modifying Service and Interface VRRP Parameters on page 307 ...
  • Page 306: Deleting A Vrrp Policy

    Deleting a VRRP Policy Policies are only applied to non-owner VRRP instances. A VRRP policy cannot be deleted if it is applied to an interface or to an IES service. Each instance in which the policy is applied must be deleted. The Applied column in the following example displays whether or not the VRRP policies are applied to an entity.
  • Page 307: Modifying Service And Interface Vrrp Parameters

    Modifying Service and Interface VRRP Parameters Modifying Non-Owner Parameters Once a VRRP instance is created as non-owner, it cannot be modified to the owner state. The vrid must be deleted and then recreated with the owner keyword to invoke IP address ownership.
  • Page 309: Vrrp Command Reference

    VRRP VRRP Command Reference Command Hierarchies Configuration Commands • VRRP Network Interface Commands on page 310 • VRRP Priority Control Event Policy Commands on page 311 • Show Commands on page 313 • Clear Commands on page 313 7450 ESS OS Router Configuration Guide Page 309...
  • Page 310 VRRP Network Interface Commands config — router — [no] interface interface-name {ip-address/mask | ip-address netmask} [broadcast all-ones | host-ones] — address — no address — [no] allow-directed-broadcasts — arp-timeout seconds — no arp-timeout — description description-string — no description {ip-address/mask | ip-address netmask} [broadcast all-ones | host- —...
  • Page 311 VRRP VRRP Priority Control Event Policy Commands config — vrrp — [no] policy-id [context service-id] policy — delta-in-use-limit limit — no delta-in-use-limit — description description string — no description — [no] priority-event — [no] host-unreachable ip-address — [no] host-unreachable ipv6-address —...
  • Page 312 — [no] protocol — [no] protocol static Page 312 7450 ESS OS Router Configuration Guide...
  • Page 313 VRRP Show Commands show — vrrp [policy-id [event event-type specific-qualifier]] — policy — router — vrrp — instance [interface interface-name [vrid virtual-router-id]] — instance — statistics Monitor Commands monitor — router — vrrp interface interface-name vr-id virtual-router-id [interval seconds] — instance [repeat repeat] [absolute | rate] Clear Commands...
  • Page 315: Configuration Commands

    Configuration Commands: Interface Configuration Commands
    authentication-key
        Syntax: authentication-key [authentication-key | hash-key] [hash | hash2]
                no authentication-key
        Context: config>router>if>vrrp
        Description: This command sets the simple text authentication key used to generate master VRRP advertisement messages and validate VRRP advertisements. If simple text password authentication is not required, the authentication-key command is not required....
  • Page 316 hash-key — The hash key. The key can be any combination of ASCII characters up to 22 (hash-key1) or 121 (hash-key2) characters in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (“ ”). This is useful when a user must configure the parameter, but for security purposes, the actual unencrypted key value is not provided.
  • Page 317 VRRP In IPv4, up to sixteen backup ip-addr commands can be executed within the same virtual router instance. Executing backup multiple times with the same ip-addr results in no operation performed and no error generated. At least one successful backup ip-addr command must be executed before the virtual router instance can enter the operational state.
  • Page 318 11.11.11.254 Invalid (not equal to parent IP address) 11.11.11.255 Invalid (not equal to parent IP address) Non-Owner Virtual Router IP Address Parental Association — When an IP address is assigned to a non-owner virtual router instance, it must be associated with one of the parental IP interface assigned IP addresses.
  • Page 319 to removing the parental IP address. This includes virtual router IP address associations from multiple virtual router instances on the IP interface.
        Default: no backup — No virtual router IP address is assigned.
        Parameters: ip-address — The virtual router IP address expressed in dotted decimal notation. The IP virtual router IP address must be in the same subnet of the parental IP interface IP address or equal to one of the primary or secondary IP addresses for owner virtual router instances....
  • Page 320 Parameters: seconds — Specifies the initialization delay timer for VRRP, in seconds.
        Values: 1 — 65535
        Syntax: mac mac-address
                no mac
        Context: config>router>if>vrrp
        Description: This command sets an explicit MAC address used by the virtual router instance overriding the VRRP default derived from the VRID....
  • Page 321 VRRP routers. The master-int-inherit command has no effect when the virtual router instance is operating as master. If master-int-inherit is not enabled, the locally configured message-interval must match the master’s VRRP advertisement message advertisement interval field value or the message is discarded.
  • Page 322 The command is available in both non-owner and owner vrrp nodal contexts. By default, a message-interval of 1 second is used. The no form of the command reverts to the default value.
        Default: 1 — Advertisement timer set to 1 second
        seconds —...
  • Page 323 preempt
        Syntax: [no] preempt
        Context: config>router>if>vrrp
        Description: This command enables the overriding of an existing VRRP master if the virtual router’s in-use priority is higher than the current master. Together with the priority of the non-owner virtual router instance, the preempt mode allows the best available virtual router to force itself as the master over other available virtual routers....
  • Page 324 The priority is the most important parameter set on a non-owner virtual router instance. The priority defines a virtual router’s selection order in the master election process. Together, the priority value and the preempt mode allow the virtual router with the best priority to become the master virtual router.
  • Page 325 The no form of the command configures discarding all ICMP echo request messages destined to the non-owner virtual router instance IP addresses.
        Default: no ping-reply — ICMP echo requests to the virtual router instance IP addresses are discarded.
    shutdown
        Syntax: [no] shutdown
        Context: config>router>if>vrrp...
  • Page 326 The ssh-reply command enables the non-owner master to reply to SSH requests directed at the virtual router instances IP addresses. The SSH request can be received on any routed interface. SSH must not have been disabled at the management security level (either on the parental IP interface or based on the SSH source host address).
  • Page 327 VRRP interface or based on the Telnet source host address). Proper login and CLI command authentication is still enforced. When telnet-reply is not enabled, Telnet requests to non-owner master virtual IP addresses are silently discarded. Non-owner backup virtual routers never respond to Telnet requests regardless of the telnet-reply setting.
  • Page 328 A vrid is internally associated with the IP interface. This allows the vrid to be used on multiple IP interfaces while representing different virtual router instances. For IPv4, up to four vrrp vrid nodes can be configured on a router interface. Each virtual router instance can manage up to 16 backup IP addresses.
  • Page 329: Priority Policy Commands

    Priority Policy Commands
    delta-in-use-limit
        Syntax: delta-in-use-limit in-use-priority-limit
                no delta-in-use-limit
        Context: config>vrrp>policy vrrp-policy-id
        Description: This command sets a lower limit on the virtual router in-use priority that can be derived from the delta priority control events. Each vrrp-priority-id places limits on the delta priority control events to define the in-use priority of the virtual router instance....
  • Page 330 description
        Syntax: description string
                no description
        Context: config>vrrp>policy vrrp-policy-id
        Description: This command creates a text description stored in the configuration file for a configuration context. The description command associates a text string with a configuration context to help identify the content in the configuration file....
  • Page 331 Parameters: vrrp-policy-id — The VRRP priority control ID expressed as a decimal integer that uniquely identifies this policy from any other VRRP priority control policy defined on the system. Up to 1000 policies can be defined.
        Values: 1 — 9999
        context service-id —...
  • Page 332: Priority Policy Event Commands

    Priority Policy Event Commands
    hold-clear
        Syntax: hold-clear seconds
                no hold-clear
        Context: config>vrrp>policy>priority-event>port-down
                 config>vrrp>policy>priority-event>lag-port-down
                 config>vrrp>policy>priority-event>route-unknown
        Description: This command configures the hold clear time for the event. The seconds parameter specifies the hold-clear time, the amount of time in seconds by which the effect of a cleared event on the associated virtual router instance is delayed....
  • Page 333 VRRP Once the hold set timer expires and the event meets the cleared state requirements or is set to a lower threshold, the current set effect on the virtual router instances in-use priority can be removed. As with lag-port-down events, this may be a decrease in the set effect if the clearing amounts to a lower set threshold.
  • Page 334 Default: 0 delta — The set event will subtract 0 from the base priority (no effect).
        Parameters: priority-level — The priority level adjustment value expressed as a decimal integer.
        Values: 0 — 254
        delta | explicit — Configures what effect the priority-level will have on the base priority value. When delta is specified, the priority-level value is subtracted from the associated virtual router instance’s base priority when the event is set and no explicit events are set....
  • Page 335: Priority Policy Port Down Event Commands

    Priority Policy Port Down Event Commands
    port-down
        Syntax: [no] port-down port-id
        Context: config>vrrp>policy>priority-event
        Description: This command configures a port down priority control event that monitors the operational state of a port or SONET/SDH channel. When the port or channel enters the operational down state, the event is considered set....
  • Page 336 The port-id can only be monitored by a single event in this policy. The port can be monitored by multiple VRRP priority control policies. A port and a specific channel on the port are considered to be separate entities. A port and a channel on the port can be monitored by separate events in the same policy.
  • Page 337: Priority Policy Lag Events Commands

    Priority Policy LAG Events Commands
    lag-port-down
        Syntax: [no] lag-port-down lag-id
        Context: config>vrrp>policy>priority-event
        Description: This command creates the context to configure Link Aggregation Group (LAG) priority control events that monitor the operational state of the links in the LAG. The lag-port-down command configures a priority control event. The event monitors the operational state of each port in the specified LAG....
  • Page 338 The lag-port-down event is considered to have a tiered event set state. While the priority impact per number of ports down is totally configurable, as more ports go down, the effect on the associated virtual router instances' in-use priority is expected to increase (lowering the priority). When each configured threshold is crossed, any higher thresholds are considered further event sets and are processed immediately with the hold set timer reset to the configured value of the hold-set command....
  • Page 339 The no form of the command deletes the event set threshold. The threshold may be removed at any time. If the removed threshold is the current active threshold, the event set thresholds must be re-evaluated after removal.
        Default: no number-down — No threshold for the LAG priority event is created.
        number-of-lag-ports-down —...
  • Page 340: Priority Policy Host Unreachable Event Commands

    Priority Policy Host Unreachable Event Commands
    drop-count
        Syntax: drop-count consecutive-failures
                no drop-count
        Context: config>vrrp vrrp-policy-id>priority-event>host-unreachable ip-addr
        Description: This command configures the number of consecutively sent ICMP echo request messages that must fail before the host unreachable priority control event is set. The drop-count command is used to define the number of consecutive message send attempts that must fail for the host-unreachable priority event to enter the set state....
  • Page 341 VRRP Multiple unique (different ip-address) host-unreachable event nodes can be configured within the priority-event node to a maximum of 32 events. The host-unreachable command can reference any valid local or remote IP address. The ability to ARP a local IP address or find a remote IP address within a route prefix in the route table is considered part of the monitoring procedure.
  • Page 342 prevents the event from clearing until it expires, damping the effect of event flapping. If the event clears and becomes set again before the hold set timer expires, the timer is reset to the hold-set value, extending the time before another clear can take effect. The hold-set timer must be expired and the historical success rate must be met prior to the event operational state becoming cleared....
  • Page 343 Default
        Parameters: size — Specifies the amount of increase to the ICMP PDU.
        Values: 0 — 16384
    timeout
        Syntax: timeout seconds
                no timeout
        Context: config>vrrp vrrp-policy-id>priority-event>host-unreachable ip-addr
        Description: This command defines the time, in seconds, that must pass before considering the far-end IP host unresponsive to an outstanding ICMP echo request message....
  • Page 344 Parameters: seconds — The number of seconds before an ICMP echo request message is timed out. Once a message is timed out, a reply with the same identifier and sequence number is discarded.
        Values: 1 — 60
  • Page 345: Priority Policy Route Unknown Event Commands

    Priority Policy Route Unknown Event Commands
    less-specific
        Syntax: [no] less-specific [allow-default]
        Context: config>vrrp>policy>priority-event>route-unknown prefix/mask-length
        Description: This command allows a CIDR shortest match hit on a route prefix that contains the IP route prefix associated with the route unknown priority event. The less-specific command modifies the search parameters for the IP route prefix specified in the route-unknown priority event....
  • Page 346 When more than one next hop IP addresses are eligible for matching, a next-hop command must be executed for each IP address. Defining the same IP address multiple times has no effect after the first instance. The no form of the command removes the ip-address from the list of acceptable next hops when looking up the route-unknown prefix.
  • Page 347 VRRP a returned route prefix with a source of IS-IS will not be considered a match and will cause the event to enter the set state. rip — This parameter defines RIP as an eligible route source for a returned route prefix from the RTM when looking up the route-unknown route prefix.
  • Page 348 route-unknown Operational State / Description
        Set – wrong protocol: The route exists in the route table but does not meet the protocol requirements.
        Set – less specific: The route exists in the route table but is not an exact match and does not meet any less-specific requirements....
  • Page 349 VRRP ip-address — The IP address of the host for which the specific event will monitor connectivity. The ip-addr can only be monitored by a single event in this policy. The IP address can be monitored by multiple VRRP priority control policies. The IP address can be used in one or multiple ping requests.
  • Page 351: Show Commands

    Show Commands
    instance
        Syntax: instance
                instance [interface interface-name [vrid virtual-router-id]]
        Context: show>vrrp
        Description: This command displays information for VRRP instances. If no command line options are specified, summary information for all VRRP instances displays.
        Parameters: interface ip-int-name — Displays detailed information for the VRRP instances on the specified IP interface including status and statistics....
  • Page 352 Label Description (Continued) When owner, backup defines the IP addresses that are advertised State within VRRP advertisement messages. When non-owner, backup actually creates an IP interface IP address used for routing IP packets and communicating with the system when the access commands are defined (ping-reply, telnet-reply, and ssh- reply).
  • Page 353 Label Description (Continued)
        Ping Reply: Yes — A non-owner master is enabled to reply to ICMP Echo requests directed to the virtual router instance IP addresses. Ping Reply is valid only if the VRRP virtual router instance associated with this entry is a non-owner. A non-owner backup virtual router never responds to such ICMP echo requests irrespective of whether Ping Reply is enabled....
  • Page 354 Sample Output *A:ALA-A# show router vrrp instance =============================================================================== VRRP Instances =============================================================================== Interface Name VR Id Own Adm State Base Pri Msg Int Pol Id InUse Pri Inh Int ------------------------------------------------------------------------------- Master IPv4 Backup Addr: 5.1.1.10 ------------------------------------------------------------------------------- Instances : 2 =============================================================================== *A:ALA-A# *A:ALA-A# show router vrrp instance interface n2 vrid 1 =============================================================================== VRRP Instance 1 for interface "n2"...
  • Page 355 Total Discards
        ===============================================================================
        *A:ALA-A#
    policy
        Syntax: policy [vrrp-policy-id [event event-type specific-qualifier]]
        Context: show>vrrp
        Description: This command displays VRRP priority control policy information. If no command line options are specified, a summary of the VRRP priority control event policies displays....
  • Page 356 Label Description (Continued)
        Current Delta Sum: The sum of the priorities of all the delta events when multiple delta events associated with the priority control policy happen simultaneously. This sum is subtracted from the base priority of the virtual router to give the in-use priority....
  • Page 357 Label Description (Continued)
        Current Delta Sum: The sum of the priorities of all the delta events when multiple delta events associated with the priority control policy happen simultaneously. This sum is subtracted from the base priority of the virtual router to give the in-use priority....
  • Page 358 Label Description (Continued) Explicit — The priority-level value is used to override the base priority of the virtual router instance if the priority event is set and no other explicit priority event is set with a lower priority-level. The set explicit priority value with the lowest priority-level determines the actual in-use protocol value for all virtual router instances associated with the policy....
  • Page 359 VRRP Policy Event Output — The following table describes a specific event VRRP policy command output fields.
        Label / Description
        Description: A text string which describes the VRRP policy.
        Policy Id: The VRRP priority control policy associated with the VRRP virtual router instance....
  • Page 360 Label Description (Continued)
        Master Priority: The priority of the virtual router instance which is the current master.
        Priority: The base priority used by the virtual router instance.
        Priority Effect: Delta — A delta priority event is a conditional event defined in a priority control policy that subtracts a given amount from the base priority to give the current in-use priority for the VRRP virtual router...
  • Page 361 Label Description (Continued) No — The event is not affecting the in-use priority of some virtual router.
        # trans to Set: The number of times the event has transitioned to one of the 'set' states.
        Last Transition: The time and date when the operational state of the event last changed.
        Sample Output A:ALA-A#show vrrp policy 1 event port-down...
  • Page 362: Table 7: Show Vrrp Statistics Output

    Value In Use : No Current State : n/a # trans to Set Previous State : n/a Last Transition : 04/13/2007 23:10:24 =============================================================================== A:ALA-A# A:ALA-A# show vrrp policy 1 event route-unknown =============================================================================== VRRP Policy 1, Event Route Unknown 10.10.100.0/24 =============================================================================== Description : 10.10.200.253 reachability Current Priority: None...
  • Page 363 VRRP Sample Output A:ALA-48# show router vrrp statistics =============================================================================== VRRP Global Statistics =============================================================================== VR Id Errors Version Errors Checksum Errors =============================================================================== A:ALA-48# 7450 ESS OS Router Configuration Guide Page 363...
  • Page 364: Monitor Commands

    Monitor Commands
    instance
        Syntax: instance interface interface-name vr-id virtual-router-id [interval seconds] [repeat repeat] [absolute | rate]
        Context: monitor>router>vrrp
        Description: Monitor statistics for a VRRP instance.
        Parameters: interface-name — The name of the existing IP interface on which VRRP is configured.
        vr-id virtual-router-id —...
  • Page 365: Clear Commands

    Clear Commands
    interface
        Syntax: interface ip-int-name [vrid virtual-router-id]
        Context: clear>router>vrrp
        Description: This command resets VRRP protocol instances on an IP interface.
        Parameters: ip-int-name — The IP interface to reset the VRRP protocol instances.
        vrid vrid — Resets the VRRP protocol instance for the specified VRID on the IP interface. All VRIDs on the IP interface....
  • Page 366 policy [vrrp-policy-id] — Clears VRRP statistics for all or the specified VRRP priority control policy.
        Default: All VRRP policies.
        Values: 1 — 9999
  • Page 367: Vrrp Debug Commands

    VRRP Debug Commands
    events
        Syntax: events
                events interface ip-int-name [vrid virtual-router-id]
                no events
                no events interface ip-int-name [vrid virtual-router-id]
        Context: debug>router>vrrp
        Description: This command enables debugging for VRRP events. The no form of the command disables debugging.
        Parameters: ip-int-name — Displays the specified interface name.
        vrid virtual-router-id —...
  • Page 369: Filter Policies

    Filter Policies In This Chapter The SROS supports filter policies for services and network interfaces (described in this chapter), subscriber management (integrated with service filter policies with the subscriber management specifics defined in the SROS Triple Play Guide), and CPM security and Management Interface (described in SROS Router Configuration Guide).
  • Page 370: Acl Filter Policy Overview

    ACL Filter Policy Overview ACL Filter Policy Overview ACL Filter policies, also referred to as Access Control Lists (ACLs) or filter for short, are sets of ordered rules specifying packet match criteria and actions to be performed upon a match. Filters are applied to services or network ports to control network traffic into (ingress) or out of (egress) a service access port (SAP) or network.
  • Page 371: Filter Policy Entities

    Filter Policies Filter Policy Entities A filter policy is applied to packets coming through the system, in the ascending order the entries are numbered in the policy. When a packet matches all the parameters specified in a filter entry’s match criteria, the system takes the specified action defined in that entry. If a packet does not match the entry parameters, the packet is compared to the next higher numerical filter entry, and so on.
  • Page 372: Applying Filter Policies

    ACL Filter Policy Overview Applying Filter Policies Filter policies can be associated with the following entities: Table 8: Applying Filter Policies IPv4 Filter MAC Filter Security CPM filter Security CPM filter CRON TOD-suite CRON TOD-suite Router interface Egress multicast group Egress multicast group IES interface SAP, spoke VPRN interface SAP, spoke...
  • Page 374: Acl Filter Policy Scale

    ACL Filter Policy Overview ACL Filter Policy Scale Release 11R4 introduces an enhanced flexibility in defining per service or per customer filter policies across services and interfaces that the router supports. Prior to release 11.0, the number of filter policies supported in the system was equal to the number of filter policies supported by a single FlexPath on a line card.
  • Page 375 Filter Policies Assignment of filter policies to Interfaces, SAPs and SDPs is allowed up to the maximum number of filter policies supported per FlexPath (unchanged). If a maximum supported on a given FlexPath is breached, the configuration change to a filter policy is blocked. Due to a co-existence of dynamic filter policy entries in the system, an operator-configured filter policy may still fail to be installed in hardware later on.
  • Page 376: Match-List For Filter Policies

    Match-list for Filter Policies Figure 15 depicts an approach to implementing a logical OR on a list of matching criteria (IPv4 address prefixes in this example) in one or more filter policies prior to the introduction of match lists. [Figure 15: diagram not recoverable]...
  • Page 377: Auto-Generation Of Filter-Policy Address Prefix Match Lists

    [Figure 16: IOM/CPM Filter Policy Using an Address Prefix Match List] Note: Hardware resource usage is the same whether filter match lists are used or the operator creates multiple entries (one per element of the list); however, careful consideration must be given to how the lists are used to ensure only desired match permutations...
  • Page 378 ACL Filter Policy Overview When using auto-generation of address prefixes inside an address prefix match list operators can: • Specify one or more regex expression matches against SROS router configuration per list. • Specify wildcard matches by specifying regex wildcard match expression (“.*”). •...
  • Page 379: Embedded Filter Support For Acl Filter Policies

    Filter Policies Embedded Filter Support for ACL Filter Policies When a large number of standard filter policies are configured in a system, a set of policies will often contain one or more common blocks of entries that define, for example, system-wide and/or service-wide security rules.
  • Page 380: Figure 17: Embedded Filter Policy

    ACL Filter Policy Overview 7. An embedded filter is never embedded partially into an exclusive/template filter; that is, resources must exist to embed all embedded filter entries in a given exclusive/template filter. Although a partial embedding into a single filter will not take place, an embedded filter may be embedded only in a subset of embedding filters (only those where there are sufficient resources available).
  • Page 381: Redirect Policies

    Filter Policies Redirect Policies SROS-based routers support redirect policies. Redirection policies are used to identify cache servers (or other redirection target destinations) and define health check test methods used to validate the ability for the destination to receive redirected traffic. This destination monitoring greatly diminishes the likelihood of a destination receiving packets it cannot process.
  • Page 382: Web Redirection (Captive Portal)

    ACL Filter Policy Overview Web Redirection (Captive Portal) Web redirection policies can be configured on 7450 ESS devices. Redirection policies were designed for testing purposes. The new redirection policy can now block a customer’s request from an intended recipient and force the customer to connect to the service’s portal server. 255 unique entries with http-redirect are allowed.
  • Page 383: Figure 18: Web Redirect Traffic Flow

    [Figure 18: Web Redirect Traffic Flow. Participants: customer's computer, SR/ESS, portal website, original website. Messages shown, in order: X>HTTP TCP SYN; X>HTTP TCP SYN ACK*; X>HTTP TCP ACK; HTTP GET; HTTP>X TCP ACK*; HTTP 302 (moved)*; X>HTTP TCP FIN ACK; HTTP>X TCP FIN ACK*; normal HTTP with portal; update policy; redirect to original website; normal HTTP with original website.]...
  • Page 384: Isid Filters

    ISID Filters ISID filters are a type of MAC filter that allows filtering based on the ISID values rather than the L2 criteria used by MAC filters of type "normal" or "vid". ISID filters can be deployed on iVPLS PBB SAPs and ePipe PBB SAPs in the following scenarios: The MMRP usage of the mrp-policy ensures automatically that traffic using Group BMAC is not flooded between domains.
  • Page 385: Vid Filters

    Filter Policies VID Filters VID Filters are a type of MAC filters that extend the capability of current Ethernet Ports with null or default SAP tag configuration to match and take action on VID tags. Service delimiting tags (for example QinQ 1/1/1:10.20 or dot1q 1/1/1:10, where outer tag 10 and inner tags 20 are service delimiting) allow fine grain control of frame operations based on the VID tag.
  • Page 386: Figure 19: Vid Filtering Examples

    [Figure 19: VID Filtering Examples. Diagram of Service 1 (SAP 1/1/1:10.* and SAP 2/1/1:*) and Service 2 (SAP 1/1/2 and SAP 2/1/2); frame contents not recoverable]...
  • Page 387: Arbitrary Bit Matching Of Vid Filters

    Arbitrary Bit Matching of VID Filters In addition to matching an exact value, a VID filter mask allows masking any set of bits. The masking operation is ((value & vid-mask) == (tag & vid-mask)). For example: A value of 6 and a mask of 7 would match all VIDs with the lower 3 bits set to 6....
  • Page 388: Port Group Configuration Example

    Port Group Configuration Example [Figure 20: Port Groups. C-VID filters are configured per sub-group (S-VID); example: SVID=1 / CVID=30: Discard; SVID=2 / CVID=30: Forward. Frames with a C-VID not in contract are discarded.]...
  • Page 389: Creating And Applying Acl Policies

    Filter Policies Creating and Applying ACL Policies Figure 21 displays the process to create a redirect policy and to apply that policy to a service SAP or router interface. Flowchart steps: start; create a redirect policy (specify destination, priority, test types); create IP filter (specify redirect policy in entry’s forwarding action); associate filter to router interface; create service...
  • Page 390: Figure 22: Creating And Applying Filter Policies

    Creating and Applying ACL Policies Figure 22: Creating and Applying Filter Policies. Flowchart steps: start; create an IP or MAC filter (filter ID) and specify scope, default action, description, filter name; create filter entries (entry ID) and specify action, packet matching criteria; create service or select network port or IP interface; associate filter ID or filter name; save configuration.
  • Page 391: Applying Filters

    Filter Policies Applying Filters After filters are created, they can be applied to the following entities: • Applying a Filter to a SAP on page 391 • Applying a Filter to a Network Port a Network IP on page 391 Applying a Filter to a SAP During the SAP creation process, ingress and egress filters are selected from a list of qualifying IP and MAC filters.
  • Page 392: Packet Match Criteria

    MAC filters. The type and scale of each criterion supported depends on the platform; please see your Alcatel-Lucent representative for further details. As few or as many match parameters can be specified as required, but all conditions within a single filter policy entry must be met in order for the packet to be considered a match and the specified action performed.
  • Page 393: Dscp Values

    Filter Policies • src-route-option — Match when a packet contains IP Option 3 or 9 (Loose or Strict Source Route) in the first 3 IP Options or if a packet has more than 3 IP Options. • tcp-ack/tcp-syn — When protocol (IPv4) or next-header (IPv6) specifies TCP, match for the TCP ACK/TCP SYN flag presence/absence in the TCP header of the packet.
  • Page 394: Table 10: Dscp Name To Dscp Value Table

    Creating and Applying ACL Policies Table 10: DSCP Name to DSCP Value Table DSCP Name Decimal Hexadecimal Binary DSCP Value DSCP Value DSCP Value default af10 af11 af12 cp13 cp14 cp15 cp17 af21 cp19 af22 cp21 af23 cp23 cp25 af31 cp27 af32 cp29...
  • Page 395 Filter Policies Table 10: DSCP Name to DSCP Value Table (Continued) DSCP Name Decimal Hexadecimal Binary DSCP Value DSCP Value DSCP Value cp33 af41 cp35 af42 cp37 af43 cp39 cp41 cp42 cp43 cp44 cp45 cp47 (cs6) cp49 cp50 cp51 cp52 cp53 cp54 cp55...
  • Page 396: Ip Option Values

    Creating and Applying ACL Policies IP Option Values Table 11: IP Option Values Copy Class Number Value Name Description EOOL End of options list No operation Record route Experimental measurement MTUP MTU probe MTUR MTU reply ENCODE Time stamp Traceroute Security Loose source router E-SEC...
  • Page 397: Ordering Filter Entries

    Filter Policies Ordering Filter Entries When entries are created, they should be arranged sequentially from the most explicit entry to the least explicit entry. Filter matching ceases when a packet matches an entry. The entry action is performed on the packet. To be considered a match, the packet must meet all the match criteria defined in the entry.
  • Page 398: Figure 23: Filtering Process Example

    Creating and Applying ACL Policies Figure 23 displays an example of several packets forwarded upon matching the filter criteria and several packets traversing through the filter entries and then dropped. FILTER ID: 5 DEFAULT ACTION: DROP INGRESS PACKETS: SA: 10.10.10.103, DA: 10.10.10.104 INGRESSING PACKETS: SA: 10.10.10.103, DA: 10.10.10.105 #1: SA: 10.10.10.103, DA: 10.10.10.104...
  • Page 399: Configuration Notes

    Filter Policies Configuration Notes The following information describes filter implementation caveats: • Creating a filter policy is optional. • Associating a service with a filter policy is optional. • When a filter policy is configured, it should be defined as having either an exclusive scope for one-time use, or a template scope meaning that the filter can be applied to multiple SAPs.
  • Page 400: Mac Filters

    Configuration Notes MAC Filters • If a MAC filter policy is created with an entry and entry action specified but the packet matching criteria is not defined, then all packets processed through this filter policy entry will pass and take the action specified. There are no default parameters defined for matching criteria.
  • Page 401: Ip Filters

    Filter Policies IP Filters • IP filters are used for IPv4 traffic only. IPv6 filters are to be used for IPv6 traffic. If a filter policy is created with an entry and entry action specified but the packet matching criteria is not defined, then all packets processed through this filter policy entry will pass and take the action specified.
  • Page 403: Configuring Filter Policies With Cli

    Filter Policies Configuring Filter Policies with CLI This section provides information to configure filter policies using the command line interface. Topics in this section include: • Basic Configuration on page 404 • Common Configuration Tasks on page 405 - Creating an IP Filter Policy on page 405...
  • Page 404: Basic Configuration

    Basic Configuration Basic Configuration The most basic IP and MAC filter policies must have the following: • A filter ID • Template scope, either exclusive or template • Default action, either drop or forward • At least one filter entry...
  • Page 405: Common Configuration Tasks

    Filter Policies Common Configuration Tasks This section provides a brief overview of the tasks that must be performed for both IP and MAC filter configurations and provides the CLI commands. To configure a filter policy, perform the following tasks: • Creating an IP Filter Policy on page 405 •...
  • Page 406: Ip Filter Policy

    Common Configuration Tasks IP Filter Policy The following displays an exclusive filter policy configuration example: A:ALA-7>config>filter# info ---------------------------------------------- ip-filter 12 create description "IP-filter" scope exclusive exit ---------------------------------------------- A:ALA-7>config>filter#
  • Page 407: Ip Filter Entry

    Filter Policies IP Filter Entry Within a filter policy, configure filter entries which contain criteria against which ingress, egress, or network traffic is matched. The action specified in the entry determines how the packets are handled, either dropped or forwarded. •...
  • Page 408 Common Configuration Tasks Configuring the HTTP-Redirect Option If http-redirect is specified as an action, a corresponding forward entry must be specified before the redirect. Note that http-redirect is not supported on 7750 SR-1 or 7450 ESS-1 models. The following displays an http-redirect configuration example: A:ALA-48>config>filter>ip-filter# info ---------------------------------------------- description "filter-main"...
  • Page 409 Filter Policies Cflowd Filter Sampling Within a filter entry, you can specify that traffic matching the associated IP filter entry is sampled if the IP interface is set to cflowd acl mode. Enabling filter-sample enables the cflowd tool. The following displays an IP filter entry configuration example. A:ALA-7>config>filter>ip-filter# info ---------------------------------------------- description "filter-main"...
  • Page 410: Creating A Mac Filter Policy

    Common Configuration Tasks Creating a MAC Filter Policy Configuring and applying filter policies is optional. Each filter policy must have the following: • The filter policy type specified (MAC normal, MAC isid, MAC vid). • A filter policy ID. • A default action, either drop or forward.
  • Page 411: Mac Isid Filter Policy

    Filter Policies MAC ISID Filter Policy The following displays an ISID filter configuration example: A:ALA-7>config>filter# info ---------------------------------------------- mac-filter 90 create description "filter-wan-man" scope template type isid entry 1 create description "drop-local-isids" match isid 100 to 1000 exit action drop exit entry 2 create description "allow-wan-isids"...
  • Page 412: Mac Vid Filter Policy

    Common Configuration Tasks MAC VID Filter Policy The following displays a VID filter configuration example: A:TOP_NODE>config>filter>mac-filter# info ---------------------------------------------- default-action forward type vid entry 1 create match frame-type ethernet_II outer-tag 85 4095 exit action drop exit entry 2 create match frame-type ethernet_II outer-tag 43 4095 exit action drop...
  • Page 413: Mac Filter Entry

    Filter Policies MAC Filter Entry Within a filter policy, configure filter entries which contain criteria against which ingress, egress, or network traffic is matched. The action specified in the entry determines how the packets are handled, either dropped or forwarded. •...
  • Page 414: Creating A Match List For Filter Policies

    Common Configuration Tasks Creating a Match List for Filter Policies IP filter policies support usage of match lists as a single match criterion. To create a match list you must: • Specify a type of a match list (IPv4 address prefix for example). •...
  • Page 415: Applying Filter Policies

    Filter Policies Applying Filter Policies Filter policies can be associated with the following entities: Table 13: Applying Filter Policies IP Filter MAC Filter Epipe SAP, spoke SDP Epipe SAP, spoke SDP Fpipe SAP, spoke SDP IES interface SAP Ipipe SAP, spoke SDP VPLS mesh SDP, spoke SDP, SAP VPLS mesh SDP, spoke SDP, SAP VPRN interface SAP, spoke SDP...
  • Page 416: Apply Ip (V4) And Mac Filter Policies To A Service

    Common Configuration Tasks Apply IP (v4) and MAC Filter Policies to a Service IP and MAC filter policies are applied by associating them with a SAP and/or spoke-sdp in ingress and/or egress direction as desired. Filter ID is used to associate an existing filter policy, or if defined, a Filter Name for that Filter ID policy can be used in the CLI.
  • Page 417: Applying (Ipv4) Filter Policies To A Network Port

    Filter Policies Applying (IPv4) Filter Policies to a Network Port IP filter policies can be applied to network IP (v4) interfaces. MAC filters cannot be applied to network IP interfaces or to routable IES services. Similarly to applying filter policies to a service, IP (v4) filter policies are applied to network interfaces by associating a policy with ingress and/or egress direction as desired.
  • Page 418: Creating A Redirect Policy

    Common Configuration Tasks Creating a Redirect Policy Configuring and applying redirect policies is optional. Each redirect policy must have the following: • A destination IP address • A priority (default is 100) • At least one of the following tests must be enabled:...
  • Page 419: Configuring Policy-Based Forwarding For Deep Packet Inspection In Vpls

    Filter Policies Configuring Policy-Based Forwarding for Deep Packet Inspection in VPLS The purpose of policy-based forwarding is to capture traffic from a customer, perform a deep packet inspection (DPI), and forward the traffic if the DPI allows it. In the following example, the split horizon groups are used to prevent flooding of traffic. Traffic from customers enters at SAP 1/1/5:5.
  • Page 420 Common Configuration Tasks The following displays a VPLS service configuration with DPI example: *A:ALA-48>config>service# info ---------------------------------------------- vpls 10 customer 1 create service-mtu 1400 split-horizon-group "dpi" residential-group create exit split-horizon-group "split" create exit shutdown exit sap 1/1/21:1 split-horizon-group "split" create disable-learning static-mac 00:00:00:31:11:01 create exit sap 1/1/22:1 split-horizon-group "dpi"...
  • Page 421 Filter Policies The following displays the MAC filter added to the VPLS service configuration: *A:ALA-48>config>service# info ---------------------------------------------- vpls 10 customer 1 create service-mtu 1400 split-horizon-group "dpi" residential-group create exit split-horizon-group "split" create exit shutdown exit sap 1/1/5:5 split-horizon-group "split" create ingress filter mac 100 exit...
  • Page 422: Filter Management Tasks

    Filter Management Tasks Filter Management Tasks This section discusses the following filter policy management tasks: • Renumbering Filter Policy Entries on page 422 • Modifying a Filter Policy on page 424 • Deleting a Filter Policy on page 426 • Modifying a Redirect Policy on page 427 •...
  • Page 423 Filter Policies A:ALA-7>config>filter# info A:ALA-7>config>filter# info ---------------------------------------------- ---------------------------------------------- ip-filter 11 create ip-filter 11 create description "filter-main" description "filter-main" scope exclusive scope exclusive entry 10 create entry 1 create description "no-91" match filter-sample dst-ip 10.10.10.91/24 interface-disable-sample src-ip 10.10.10.106/24 match exit dst-ip 10.10.10.91/24 action drop src-ip 10.10.10.103/24 exit...
  • Page 424: Modifying A Filter Policy

    Filter Management Tasks Modifying a Filter Policy There are several ways to modify an existing filter policy. A filter policy can be modified dynamically as part of subscriber management dynamic insertion/removal of filter policy entries (see SROS Triple Play Guide for details). A filter policy can be modified indirectly by configuration change to a match list the filter policy uses (as described earlier in this guide).
  • Page 425 Filter Policies entry 15 create description "no-91" match dst-ip 10.10.10.91/24 src-ip 10.10.10.103/24 exit action forward exit entry 30 create match dst-ip 10.10.10.91/24 src-ip 10.10.0.200/24 exit action forward exit exit ---------------------------------------------- A:ALA-7>config>filter#
  • Page 426: Deleting A Filter Policy

    Filter Management Tasks Deleting a Filter Policy Before you can delete a filter, you must remove the filter association from all the applied ingress and egress SAPs and network interfaces by executing the no filter command in every context where the filter is used.
  • Page 427: Modifying A Redirect Policy

    Filter Policies Modifying a Redirect Policy To access a specific redirect policy, you must specify the policy name. Use the no form of the command to remove the command parameters or return the parameter to the default setting. Example config>filter# redirect-policy redirect1 config>filter>redirect-policy# description "New redirect info"...
  • Page 428: Deleting A Redirect Policy

    Filter Management Tasks Deleting a Redirect Policy Before you can delete a redirect policy from the filter configuration, you must remove the policy association from the IP filter. The following example shows the command usage to replace the configured redirect policy (redirect1) with a different redirect policy (redirect2) and then removing the redirect1 policy from the filter configuration.
  • Page 429: Copying Filter Policies

    Filter Policies Copying Filter Policies When changes are to be made to an existing filter policy applied to one or more SAPs/network interfaces, it is recommended to first copy the applied filter policy, then modify the copy and then overwrite the applied policy with the modified copy.
  • Page 431: Filter Command Reference

    Filter Policies Filter Command Reference Command Hierarchies • DHCP Filter Policy Commands on page 431 • Match Filter List Commands on page 437 • IP Filter Policy Commands on page 432 • IPv6 Filter Policy Commands on page 434 • Log Filter Commands on page 435 •...
  • Page 432 Filter Command Reference IP Filter Policy Commands config — filter filter-id [create] — ip-filter {filter-id | filter-name} — ip-filter — no ip-filter filter-id {drop | forward} — default-action — description description-string — no description filter-id [offset offset ] [{active | inactive}] —...
  • Page 433 Filter Policies — no src-ip {{lt | gt | eq} src-port-number} — src-port — src-port range src-port-number src-port-number — no src-port {true|false} — src-route-option — no src-route-option {true | false} — tcp-ack — no tcp-ack {true | false} — tcp-syn —...
  • Page 434 Filter Command Reference IPv6 Filter Policy Commands —IPv6 Filter Policy Commands config — filter filter-id [create] — ipv6-filter {filter-id | filter-name} — ipv6-filter — no ipv6-filter filter-id {drop | forward} — default-action — description description-string — no description filter-id [offset offset ] [{active | inactive}] —...
  • Page 435 Filter Policies — no src-ip {lt | gt | eq} src-port-number} — src-port — src-port range src-port-number src-port-number — no src-port {true | false} — tcp-ack — no tcp-ack {true | false} — tcp-syn — no tcp-syn — filter-name filter-name —...
  • Page 436: Mac Filter Commands

    Filter Command Reference MAC Filter Commands config — filter filter-id [create] — mac-filter {filter-id | filter-name} — mac-filter — no mac-filter filter-id — description description-string — no description entry-id [time-range time-range-name] — entry entry-id [create] — no entry [drop] — action forward [sap sap-id | sdp sdp-id] —...
  • Page 437 Filter Policies Match Filter List Commands config — filter — match-list ip-prefix-list-name [create] — ip-prefix-list — no ip-prefix-list ip-prefix-list-name — [no] apply-path — bgp-peers index group reg-exp neighbor reg-exp — no bgp-peers index — description description-string — no description — [no] prefix ip-prefix/prefix-length ipv6-prefix-list-name [create]...
  • Page 438 Filter Command Reference Redirect Policy Configuration Commands config — filter redirect-policy-name [create] —Redirect policy commands — redirect-policy — no redirect-policy redirect-policy-name — description description-string — no description ip-address [create] — destination — no destination ip-address — description description-string — no description —...
  • Page 439 Filter Policies Copy Filter Commands config — filter ip-filter src-filter-id [src-entry src-entry-id] to dst-filter-id [dst-entry dst-entry-id] — copy [overwrite] ipv6-filter src-filter-id [src-entry src-entry-id] to dst-filter-id [dst-entry dst-entry-id] — copy [overwrite] mac-filter src-filter-id [src-entry src-entry-id] to dst-filter-id [dst-entry dst-entry-id] — copy [overwrite] Show Commands show...
  • Page 441: Configuration Commands

    Filter Policies Configuration Commands Generic Commands description Syntax description string no description config>filter>dhcp-filter Context config>filter>ip-filter config>filter>ipv6-filter config>filter>ip-filter>entry config>filter>ip-filter>entry config>filter>ipv6-filter>entry config>filter>log config>filter>mac-filter config>filter>mac-filter>entry config>filter>redirect-policy config>filter>redirect-policy>destination config>filter>match-list>ip-prefix-list config>filter>match-list>ip-filter config>filter>match-list>port-list This command creates a text description stored in the configuration file for a configuration context. Description The description command associates a text string with a configuration context to help identify the context in the configuration file.
  • Page 442: Global Filter Commands

    Global Filter Commands Global Filter Commands dhcp-filter dhcp-filter filter-id [create] Syntax no dhcp-filter filter-id config>filter Context This command configures the identification number of a DHCP filter. Description filter-id — Specifies the DHCP filter policy ID number. Parameters 1 — 65535 Values create —...
  • Page 443 Filter Policies ipv6-filter ipv6-filter filter-id [create] Syntax ip-filter {filter-id | filter-name} no ipv6-filter ipv6-filter-id config>filter Context This command creates a configuration context for an IP (v6) filter policy. Description The IP filter policy, sometimes referred to as an access control list (ACL), is a template that can be applied to multiple services or multiple network ports as long as the scope of the policy is template.
  • Page 444 Global Filter Commands filter-id — The MAC filter policy ID number. Parameters 1 — 65535 Values create — Keyword required when first creating the configuration context. Once the context is created, one can navigate into the context without the create keyword. filter-name —...
  • Page 445: Dhcp Filter Commands

    Filter Policies DHCP Filter Commands action action {bypass-host-creation} Syntax action drop no action config>filter>dhcp-filter>entry Context This command specifies the action to take on DHCP host creation when the filter entry matches. Description The no form of the command reverts to the default wherein the host creation proceeds as normal no action Default bypass-host-creation —...
  • Page 446: Filter Log Commands

    Filter Log Commands Filter Log Commands destination Syntax destination memory num-entries destination syslog syslog-id no destination config>filter>log Context This command configures the destination for filter log entries for the filter log ID. Description Filter logs can be sent to either memory (memory) or to an existing Syslog server definition (server). If the filter log destination is memory, the maximum number of entries in the log must be specified.
  • Page 447 Filter Policies no shutdown Default summary Syntax summary config>filter>log Context This command enables the context to configure log summarization. These settings will only be taken Description into account when syslog is the log destination. Note that summary settings will only be taken into account in case the log destination is syslog.
  • Page 448 Filter Log Commands The no form of the command configures the memory filter log to accept filter log entries until full. When the memory filter log is full, filter logging for the log filter ID ceases. wrap-around Default
  • Page 449: Acl Filter Policy Commands

    Filter Policies ACL Filter Policy Commands default-action default-action {drop | forward} Syntax config>filter>ip-filter Context config>filter>mac-filter This command specifies the action to be applied to packets when the packets do not match the Description specified criteria in all of the IP filter entries of the filter. When multiple default-action commands are entered, the last command will overwrite the previous command.
  • Page 450 ACL Filter Policy Commands offset — a value from 0 to 65535, an embedded filter entry X will have an entry X + offset in the embedding filter. filter-name Syntax filter-name filter-name config>filter>ip-filter Context config>filter>mac-filter This command configures filter-name attribute of a given filter. filter-name, when configured, can be Description used instead of filter ID to reference the given policy in the CLI.
  • Page 451 Filter Policies shared-radius-filter-wmark Syntax shared-radius-filter-wmark low low-watermark high high-watermark no shared-radius-filter-wmark config>filter>ip-filter Context config>filter>ipv6-filter This command configures the low and high watermark for the number of RADIUS shared filters Description reporting low low-watermark — Specifies the utilization of the filter ranges for filter entry insertion, at which a Parameters table full alarm will be raised by the agent.
  • Page 452 ACL Filter Policy Commands The no form of the command reverts to the default. none Default entry entry-id — Specifies at what place the filter entries received from RADIUS will be inserted in Parameters the filter. 1 — 65535 Values count count —...
  • Page 453 Filter Policies high high-watermark — Specifies the utilization of the filter ranges for filter entry insertion, at which a table full alarm will be raised by the agent. 0 — 100 Values type Syntax type filter-type config>filter>mac-filter Context This command configures the type of mac-filter as normal, ISID or VID types. Description normal Default...
  • Page 454: General Filter Entry Commands

    General Filter Entry Commands General Filter Entry Commands entry entry entry-id [time-range time-range-name] [create] Syntax no entry entry-id config>filter>dhcp-filter Context config>filter>ip-filter config>filter>ipv6-filter config>filter>mac-filter This command creates or edits an IP (v4) or MAC filter entry. Multiple entries can be created using Description unique entry-id numbers within the filter.
  • Page 455 Filter Policies The filter log ID must exist before a filter entry can be enabled to use the filter log ID. The no form of the command disables logging for the filter entry. Default no log log-id — The filter log ID destination expressed as a decimal integer. Parameters 101 —...
  • Page 456: Ip (V4) Filter Entry Commands

    IP (v4/v6) Filter Entry Commands IP (v4/v6) Filter Entry Commands action Syntax For IPv4: action [drop] action forward [next-hop {ip-address|indirect ip-address|interface ip-int-name}] action forward [redirect-policy policy-name] action forward [sap sap-id|sdp sdp-id:vc-id] action http-redirect rdr-url-string action nat [nat-policy-name] action reassemble no action For IPv6: action [drop] action forward...
  • Page 457 Filter Policies If the next hop is not available, then a routing lookup will be performed and if a match is found the packet will be forwarded to the result of that lookup. If no match is found an "ICMP destination unreachable"...
  • Page 458 IP (v4/v6) Filter Entry Commands filter-sample [no] filter-sample Syntax config>filter>ip-filter>entry Context This command specifies that traffic matching the associated IP filter entry is sampled if the IP Description interface is set to cflowd acl. If the cflowd is either not enabled or set to cflowd interface mode, this command is ignored. The no form removes this command for the system configuration, disallowing the sampling of packets if the ingress interface is in cflowd acl mode.
  • Page 459 Filter Policies protocol-id — Configures the decimal value representing the IP protocol to be used as an IP filter match criterion. Well known protocol numbers include ICMP(1), TCP(6), UDP(17). The no form of the command removes the protocol from the match criteria. 0 —...
  • Page 460 IP (v4/v6) Filter Entry Commands match match [next-header next-header] Syntax no match config>filter>ipv6-filter>entry Context This command enables the context to enter match criteria for the filter entry. When the match criteria Description have been satisfied the action associated with the match criteria is executed. If more than one match criteria (within one match statement) are configured then all criteria must be satisfied (AND function) before the action associated with the match is executed.
  • Page 461 Filter Policies This command configures a destination IP address range to be used as an IP filter match criterion. Description To match on the destination IP address, specify the address and its associated mask, 10.1.0.0/16. The conventional notation of 10.1.0.0 255.255.0.0 may also be used. The no form of the command removes the destination IP address match criterion.
  • Page 462 IP (v4/v6) Filter Entry Commands eq specifies that dst-port-number must be an exact match. eq — Specifies the operator to use relative to dst-port-number for specifying the port number match criteria. The eq keyword specifies that dst-port-number must be an exact match. dst-port-number —...
  • Page 463 Filter Policies ah-ext-hdr ah-ext-hdr {true|false } no ah-ext-hdr config>filter>ipv6-filter>entry>match Context This command enables match on existence of AH Extension Header in the IPv6 filter policy. Description The no form of this command ignores AH Extension Header presence/absence in a packet when evaluating match criteria of a given filter policy entry.
  • Page 464 IP (v4/v6) Filter Entry Commands false — Matches a packet without a Hop-by-hop Options Extensions header. icmp-code Syntax icmp-code icmp-code no icmp-code config>filter>ip-filter>entry>match Context config>filter>ipv6-filter>entry>match Configures matching on ICMP code field in the ICMP header of an IP packet as a filter match Description criterion.
  • Page 465 Filter Policies ip-option ip-option ip-option-value [ip-option-mask] Syntax no ip-option config>filter>ip-filter>entry>match Context This command configures matching packets with a specific IP option or a range of IP options in the Description first option of the IP header as an IP filter match criterion. The option-type octet contains 3 fields: 1 bit copied flag (copy options in all fragments) 2 bits option class...
  • Page 466 IP (v4/v6) Filter Entry Commands This command configures matching packets that contain one or more than one option fields in the IP Description header as an IP filter match criterion. The no form of the command removes the checking of the number of option fields in the IP header as a match criterion.
  • Page 467 Filter Policies routing-type0 routing-type0 {true|false} Syntax no routing-type0 config>filter>ipv6-filter>entry>match Context This command enables match on existence of Routing Type Extension Header type 0 in the IPv6 filter Description policy. The no form of this command ignores Routing Type Extension Header type 0 presence/absence in a packet when evaluating match criteria of a given filter policy entry.
  • Page 468 IP (v4/v6) Filter Entry Commands netmask — Any mask expressed in dotted quad notation. 0.0.0.0 — 255.255.255.255 Values prefix-length — The IPv6 mask value for the IPv6 filter entry. 1 — 128 Values src-port src-port {lt | gt | eq} src-port-number Syntax src-port range src-port-number src-port-number no src-port...
  • Page 469 Filter Policies per the value of this object. true — Enables source route option match conditions. Parameters false — Disables source route option match conditions. tcp-ack tcp-ack {true | false} Syntax no tcp-ack config>filter>ip-filter>entry>match Context config>filter>ipv6-filter>entry>match This command configures matching on the ACK bit being set or reset in the control bits of the TCP Description header of an IP packet as an IP filter match criterion.
  • Page 470 IP (v4/v6) Filter Entry Commands false — Specifies matching on IP packets that do not have the SYN bit set in the control bits of the TCP header.
  • Page 471: Match List Configuration Commands

    Filter Policies Match List Configuration Commands match-list Syntax match-list config>filter Context This command enables the configuration context for match lists to be used in filter policies (IOM and Description CPM). ip-prefix-list Syntax ip-prefix-list ip-prefix-list-name create no ip-prefix-list ip-prefix-list-name config>filter>match-list Context This command creates a list of IPv4 prefixes for match criteria in IPv4 ACL and CPM filter policies.
  • Page 472 Match List Configuration Commands Please see general description related to match-list usage in filter policies. ipv6-prefix-list-name — A string of up to 32 characters of printable ASCII characters. If special Parameters characters are used, the string must be enclosed within double quotes. apply-path Syntax apply-path...
  • Page 473 Filter Policies reg-exp — A regular expression defining a match string to be used to auto generate address prefixes. Matching is performed from the least significant digit. For example a string 10.0 matches all neighbors with addresses starting with 10; like 10.0.x.x or 10.0xx.x.x. port-list Syntax port-list port-list-name create...
  • Page 474 Match List Configuration Commands start of the range and end of the range are expressed as decimal integers. 1 — 65535 Values port-list-name — A string of up to 32 characters of printable ASCII characters. If special characters are used, the string must be enclosed within double quotes. prefix Syntax prefix ipv6-prefix/prefix-length...
  • Page 475 Filter Policies To add a set of unique prefixes, execute the command with all unique prefixes. The prefixes are allowed to overlap IPv4 address space. An IPv4 prefix addition will be blocked if resource exhaustion is detected anywhere in the system because of Filter Policies that use this IPv4 address prefix list.
  • Page 476: Mac Filter Entry Commands

    MAC Filter Entry Commands MAC Filter Entry Commands action Syntax action drop action forward [sap sap-id |sdp sdp-id] no action config>filter>mac-filter>entry Context This command configures the action for a MAC filter entry. The action keyword must be entered for Description the entry to be active.
  • Page 477 Filter Policies SONET/SDH IPCP The SAP is identified by the channel. No BCP is deployed and all traffic is IP. SONET/SDH BCP-Null The SAP is identified with a single service on the channel. Tags are assumed to be part of the customer packet and not a service delimiter.
  • Page 478 MAC Filter Entry Commands ethernet_II — Specifies the frame type is Ethernet Type II.
  • Page 479: Mac Filter Match Criteria

    Filter Policies MAC Filter Match Criteria dot1p dot1p ip-value [mask] Syntax no dot1p config>filter>mac-filter>entry Context Configures an IEEE 802.1p value or range to be used as a MAC filter match criterion. Description When a frame is missing the 802.1p bits, specifying a dot1p match criterion will fail for the frame and result in a non-match for the MAC filter entry.
  • Page 480 MAC Filter Match Criteria dsap dsap dsap-value [mask] Syntax no dsap config>filter>mac-filter>entry>match Context Configures an Ethernet 802.2 LLC DSAP value or range for a MAC filter match criterion. Description This is a one-byte field that is part of the 802.2 LLC header of the IEEE 802.3 Ethernet Frame. The snap-pid field, etype field, ssap and dsap fields are mutually exclusive and may not be part of the same match criteria.
  • Page 481 Filter Policies ieee-address — The MAC address to be used as a match criterion. Parameters HH:HH:HH:HH:HH:HH or HH-HH-HH-HH-HH-HH where H is a hexadecimal Values digit mask — A 48-bit mask to match a range of MAC address values. This 48-bit mask can be configured using the following formats: Format Style Format Syntax Example...
  • Page 482 MAC Filter Match Criteria isid isid value [to higher-value] Syntax no isid config>filter>mac-filter>entry>match Context This command configures an ISID value or a range of ISID values to be matched by the mac-filter Description parent. The pbb-etype value for the related SAP (inherited from the ethernet port configuration) or for the related SDP binding (inherited from SDP configuration) will be used to identify the ISID tag.
  • Page 483 Filter Policies outer-tag outer-tag value [vid-mask] Syntax no outer-tag config>filter>mac-filter>entry>match Context This command configures the matching of the first tag that is carried transparently through the Description service. Service delimiting tags are stripped from the frame and outer tag on ingress is the first tag after any service delimiting tags.
  • Page 484 MAC Filter Match Criteria snap-pid Syntax snap-pid pid-value no snap-pid config>filter>mac-filter>entry Context Configures an IEEE 802.3 LLC SNAP Ethernet Frame PID value to be used as a MAC filter match Description criterion. This is a two-byte protocol id that is part of the IEEE 802.3 LLC SNAP Ethernet Frame that follows the three-byte OUI field.
  • Page 485 Filter Policies Format Style Format Syntax Example Binary 0bBBBBBBB...B 0b11110000...B To configure so that all packets with a source MAC OUI value of 00-03-FA are subject to a match condition then the entry should be specified as: 003FA000000 0xFFFFFF000000 0xFFFFFFFFFFFF (exact match) Default 0x00000000000000 —...
  • Page 486: Policy And Entry Maintenance Commands

    Policy and Entry Maintenance Commands Policy and Entry Maintenance Commands copy Syntax copy ip-filter src-filter-id [src-entry src-entry-id] to dst-filter-id [dst-entry dst-entry-id] [overwrite] copy ipv6-filter src-filter-id [src-entry src-entry-id] to dst-filter-id [dst-entry dst-entry-id] [overwrite] copy mac-filter src-filter-id [src-entry src-entry-id] to dst-filter-id [dst-entry dst-entry-id] [overwrite] config>filter Context...
  • Page 487 Filter Policies filter-name — Specifies the filter name up to 64 characters in length. Parameters group-inserted-entries Syntax group-inserted-entries application application location location config>filter>ip-filter Context config>filter>ipv6-filter This command groups filter entries that are inserted in a filter by either RADIUS or Credit Control. Description application application —...
  • Page 488: Redirect Policy Commands

    Redirect Policy Commands Redirect Policy Commands destination [no] destination ip-address Syntax config>filter>redirect-policy Context This command defines a cache server destination in a redirect policy. More than one destination can Description be configured. Whether a destination IP address will receive redirected packets depends on the effective priority value after evaluation.
  • Page 489 Filter Policies hold-down seconds — The amount of time, in seconds, that the system should be held down if any of the tests has marked it unreachable. 0 — 86400 Values interval Syntax interval seconds no interval config>filter>destination>ping-test Context config>filter>destination>snmp-test config>filter>destination>url-test This command specifies the amount of time, in seconds, between consecutive requests sent to the far Description...
  • Page 490 Redirect Policy Commands Redirect policies can contain multiple destinations. Each destination is assigned an initial or base Description priority which describes its relative importance within the policy. If more than one destination is specified, the destination with the highest effective priority value is selected. Default priority —...
  • Page 491 Filter Policies within the specified range, the priority can be disabled, lowered or raised. none Default return-value — Specifies the SNMP value against which the test result is matched. Parameters A maximum of 256 characters. Values return-type — Specifies the SNMP object type against which the test result is matched. integer, unsigned, string, ip-address, counter, time-ticks, opaque Values disable —...
  • Page 492 Redirect Policy Commands return-code-1, return-code-2 — Specifies a range of return codes. When the URL test return-code Parameters falls within the specified range, the corresponding action is performed. 1 — 4294967294 Values return-code-1: 2 — 4294967295 return-code-2: disable — Specifies that the destination may not be used for the amount of time specified in the hold-time command when the return code falls within the specified range.
  • Page 493: Show Commands

    Filter Policies Show Commands dhcp dhcp [filter-id] Syntax show>filter Context This command displays DHCP filter information. Description *B:TechPubs>config# show filter dhcp =============================================================================== DHCP Filters =============================================================================== Filter-Id Applied Description ------------------------------------------------------------------------------- test-dhcp-filter ------------------------------------------------------------------------------- Num filter entries: 1 =============================================================================== *B:TechPubs>config# *B:TechPubs>config# show filter dhcp 10 =============================================================================== DHCP Filter ===============================================================================...
  • Page 494 Show Commands download-failed Output — The following table describes the filter download-failed output. Output Label Description Displays the filter type. Filter-type Displays the ID of the filter. Filter-ID Displays the entry number of the filter. Filter-Entry Sample Output A:ALA-48# show filter download-failed ============================================ Filter entries for which download failed ============================================...
  • Page 495 Filter Policies type entry-type — specifies type of filter entry to display, values: Values embedded [failed] — Shows all embeddings, optionally shows failed embedding only, if filter-id is not specified shows all embedded filters. Show Filter (no filter-id specified) — The following table describes the command output for the Output command when no filter ID is specified.
  • Page 496 Show Commands =============================================================================== IP Filters Total: =============================================================================== Filter-Id Scope Applied Description ------------------------------------------------------------------------------- 10001 Template Yes fSpec-1 Template Yes BGP FlowSpec filter for the Base router ------------------------------------------------------------------------------- Num IP filters: 2 =============================================================================== *A:Dut-C>config>filter# show filter ip embedded ================================================ IP Filter embedding ================================================ From Priority...
  • Page 497 Filter Policies Label Description (Continued) The next header ID for the match criteria. indicates no Next-header Undefined next-header specified. The ICMP type match criterion. indicates no ICMP type ICMP Type Undefined specified. Configures a match on all non-fragmented IP packets. Fragment False —...
  • Page 498 Show Commands Label Description (Continued) Interface traffic sampling is disabled. Int. Sampling Off — Interface traffic sampling is enabled. On — The option fields are not checked. Multiple Option Off — Packets containing one or more option fields in the IP header On —...
  • Page 499 Filter Policies ------------------------------------------------------------------------------- Service Id Type : IES - SAP 1/1/3:1.1 (merged in ip-fltr 10001) =============================================================================== *A:Dut-C>config>filter# *A:Dut-C>config>filter# show filter ip 10001 =============================================================================== IP Filter =============================================================================== Filter Id : 10001 Applied : Yes Scope : Template Def. Action : Drop Radius Ins Pt: n/a CrCtl.
  • Page 500 Show Commands Fragment : Off Option-present : Off Sampling : Off Int. Sampling : On IP-Option : 0/0 Multiple Option: Off TCP-syn : Off TCP-ack : Off Match action : Drop Ing. Matches : 0 pkts Egr. Matches : 0 pkts =============================================================================== *A:Dut-C>config>filter# Show Filter (with time-range specified) —...
  • Page 501 Filter Policies Show Filter Associations — The following table describes the fields that display when the Output associations keyword is specified. Label Description The IP filter policy ID. Filter Id The filter policy is of type Template. Scope Template — The filter policy is of type Exclusive.
  • Page 502 Show Commands Label Description (Continued) Fragments are not a matching criteria. All fragments and non- Off — fragments implicitly match. Specifies that traffic sampling is disabled. Sampling Off — Specifies that traffic matching the associated IP filter entry is On — sampled.
  • Page 503 Filter Policies Label Description (Continued) Configures a match on packets with the ACK flag set to TCP-ack False — false. configures a match on packets with the ACK flag set to true. True — The state of the TCP ACK flag is not considered as part of the Off —...
  • Page 504 Show Commands Entries ------------------------------------------------------------------------------- Filter Association : IP ------------------------------------------------------------------------------- Tod-suite "english_suite" - ingress, time-range "day" (priority 5) =============================================================================== A:ALA-49# Show Filter Counters — The following table describes the output fields when the counters Output keyword is specified. Label Description The IP filter policy ID. IP Filter Filter Id The filter policy is of type Template.
  • Page 505 Filter Policies mac-filter-id — Displays detailed information for the specified filter ID and its filter entries. Parameters 1— 65535 Values associations — Appends information as to where the filter policy ID is applied to the detailed filter policy ID output. counters —...
  • Page 506 Show Commands Label Description (Continued) The filter ID filter entry ID. If the filter entry ID indicates the entry is Entry , then the filter entry is incomplete as no action has been (Inactive) specified. The filter entry description. Description The entry ID match frame type is Ethernet IEEE 802.3.
  • Page 507 Filter Policies Description : Forward SERVER sourced packets ------------------------------------------------------------------------------- Filter Match Criteria : Mac ------------------------------------------------------------------------------- Entry : 200 FrameType : 802.2SNAP Description : Not Available Src Mac : 00:00:5a:00:00:00 ff:ff:ff:00:00:00 Dest Mac : 00:00:00:00:00:00 00:00:00:00:00:00 Dot1p : Undefined Ethertype : 802.2SNAP DSAP : Undefined SSAP...
  • Page 508 Show Commands ------------------------------------------------------------------------------- Service Id: 1001 Type : VPLS - SAP 1/1/1:1001 (Egress) =============================================================================== A:ALA-49# Filter Entry Counters Output — When the counters keyword is specified, the filter entry output displays the filter matches/hit information. The following table describes the command output for the command.
  • Page 509 Filter Policies =============================================================================== Mac Filter =============================================================================== Filter Id Applied : Yes Scope : Template Def. Action : Forward Entries Description : Description for Mac Filter Policy id # 8 ------------------------------------------------------------------------------- Filter Match Criteria : Mac ------------------------------------------------------------------------------- Entry FrameType : Ethernet Ing.
  • Page 510 Show Commands Filter ID Specified — When the filter ID is specified, detailed filter information for the filter ID Label Description The IP filter ID Filter Id The filter policy is of type Template. Scope Template — The filter policy is of type Exclusive. Exclusiv —...
  • Page 511 Filter Policies Label Description (Continued) The IEEE 802.1p value for the match criteria. indicates no Dot1p Undefined value is specified. The Ethertype value match criterion. Ethertype The DSAP value match criterion. DSAP indicates no value specified. Undefined SSAP value match criterion. indicates no value specified.
  • Page 512 Show Commands LI Source : Yes Ing. Matches: 0 pkts Egr. Matches: 0 pkts Entry : 30 FrameType : Ethernet Description : test 30 Src Mac Dest Mac LI Source : Yes Ing. Matches: 0 pkts Egr. Matches: 0 pkts Entry : 50 FrameType...
  • Page 513 Filter Policies - SAP 1/1/6:7 (Ingress) - SAP 1/1/6:9 (Egress) Filter Entry Counters Output — When the counters keyword is specified, the filter entry output displays the filter matches/hit information. The following table describes the command output for the command. Sample Output Label Description...
  • Page 514 Show Commands =============================================================================== Filter Id : testLiMacFilter Associated : Yes Entries Description : test LI Mac filter setup ------------------------------------------------------------------------------- Filter Match Criteria : Mac ------------------------------------------------------------------------------- Entry : 10 Description : entry 10 Ing. Matches: 0 pkts Egr. Matches: 0 pkts Entry : 20 Description : entry 20...
  • Page 515 Filter Policies Label Description (Continued) Specifies the destination IP address. Destination Specifies the operational value of the priority for this destination. The Oper Priority highest operational priority across multiple destinations is used as the preferred destination. Specifies the configured base priority for the destination. Admin Priority Specifies the configured state of the destination.
  • Page 516 Show Commands ALA-A>config>filter# show filter redirect-policy redirect1 =============================================================================== Redirect Policy =============================================================================== Redirect Policy: redirect1 Applied : Yes Description : New redirect info Active Dest : 10.10.10.104 ------------------------------------------------------------------------------- Destination : 10.10.10.104 ------------------------------------------------------------------------------- Description : SNMP_to_104 Admin Priority : 105 Oper Priority: 105 Admin State : Up Oper State...
  • Page 517 Filter Policies Description : (Not Specified) Admin Priority : 90 Oper Priority: 90 Admin State : Up Oper State : Down URL Test : URL_to_Proxy Interval : 10 Timeout : 10 Drop Count Hold Down Hold Remain Last Action at : 03/19/2007 05:04:15 Action Taken : Disable Priority Change: 0 Return Code...
  • Page 518: Clear Commands

    Show Commands Clear Commands ip ip-filter-id [entry entry-id] [ingress | egress] Syntax clear>filter Context Clears the counters associated with the IP filter policy. Description By default, all counters associated with the filter policy entries are reset. The scope of which counters are cleared can be narrowed using the command line parameters.
  • Page 519 Filter Policies By default, all counters associated with the filter policy entries are reset. The scope of which counters are cleared can be narrowed using the command line parameters. Clears all counters associated with the MAC filter policy entries Default mac-filter-id —...
  • Page 520: Monitor Commands

    Show Commands Monitor Commands filter filter ip ip-filter-id entry entry-id [interval seconds] [repeat repeat] [absolute | rate] Syntax monitor Context This command monitors the counters associated with the IP filter policy. Description ip-filter-id — The IP filter policy ID. Parameters 1 —...
  • Page 521 Filter Policies entry-id — Specifies that only the counters associated with the specified filter policy entry will be cleared. 1 — 65535 Values interval — Configures the interval for each display in seconds. 5 seconds Default 3 — 60 Values repeat repeat —...
  • Page 523: Cflowd

    Cflowd In This Chapter This chapter provides information to configure Cflowd. Topics in this chapter include: • Cflowd Overview on page 524 ◦ Operation on page 525 ◦ Cflowd Filter Matching on page 529 • Cflowd Configuration Process Overview on page 530 •...
  • Page 524: Cflowd Overview

    Cflowd Overview Cflowd is a tool used to sample IPv4 and MPLS traffic data flows through a router. Cflowd enables traffic sampling and analysis by ISPs and network engineers to support capacity planning, trends analysis, and characterization of workloads in a network service provider environment. Cflowd is also useful for Web host tracking, accounting, network planning and analysis, network monitoring, developing user profiles, data warehousing and mining, as well as security-related investigations.
  • Page 525: Operation

    Cflowd Operation Figure 26 depicts the basic operation of the cflowd feature. This sample flow is only used to describe the basic steps that are performed. It is not intended to specify implementation. FINISH FORWARDING FORWARD/ INGRESS PORT SAMPLE? PROCESS AND SEND EGRESS PORT DROP ? TO EGRESS PORT...
  • Page 526: Version 9

    When a flow is exported from the cache, the collected data is sent to an external collector which maintains an accumulation of historical data flows that network operators can use to analyze traffic patterns. Data is exported in one of the following formats: •...
  • Page 527: Figure 27: V5, V8, V9, V10, And Flow Processing

    Cflowd FORMAT AND DATA AGED V5/V8/V9/V10 SEND V5 RECORD FROM ACTIVE v5/v9/v10 FORMAT TO EXTERNAL FLOW CACHE COLLECTOR ADD ENTRY FORMAT AND SEND V8 RECORD AGE AGGREGATE V8 AGGREGATE TO EXTERNAL FLOWS FLOW CACHE COLLECTOR V8 AGGREGATE FLOW CACHE V8 AGGREGATE FLOW CACHE Figure 27: V5, V8, V9, V10, and Flow Processing 1.
  • Page 528 Version 9 The Version 9 format is a more flexible format and allows for different templates or sets of cflowd data to be sent based on the type of traffic being sampled and the template set configured. Version 9 is interoperable with RFC 3954, Cisco Systems NetFlow Services Export Version 9. Version 10 Version 10 is a new format and protocol that inter-operates with the specifications from the IETF as the IP Flow Information Export (IPFIX) standard.
  • Page 529: Cflowd Filter Matching

    Cflowd Cflowd Filter Matching In the filter-matching process, normally, every packet is matched against filter (access list) criteria to determine acceptability. With cflowd, only the first packet of a flow is checked. If the first packet is forwarded, an entry is added to the cflowd cache. Subsequent packets in the same flow are then forwarded without needing to be matched against the complete set of filters.
  • Page 530: Cflowd Configuration Process Overview

    Cflowd Configuration Process Overview Figure 28 displays the process to configure Cflowd parameters. START ENABLE CFLOWD CONFIGURE COLLECTOR(S) CONFIGURE CFLOWD PARAMETERS ACL OR INTERFACE SPECIFY ROUTER INTERFACE FOR COLLECTION IN AN IP-FILTER ENTRY: FOR CFLOWD ACL MODE: ENABLE ENABLE IP FILTER ENTRY FILTER SAMPLING IN AN IP-FILTER ENTRY: FOR CFLOWD INTERFACE MODE: ENABLE INTERFACE-DISABLE-SAMPLE...
  • Page 531: Configuration Notes

    Cflowd Configuration Notes The following cflowd components must be configured for cflowd to be operational: • Cflowd is enabled globally. • At least one collector must be configured and enabled. • A cflowd option must be specified and enabled on a router interface. •...
  • Page 533: Configuring Cflowd With Cli

    Cflowd Configuring Cflowd with CLI This section provides information to configure cflowd using the command line interface. Topics in this section include: • Cflowd Configuration Overview on page 534 ◦ Traffic Sampling on page 534 ◦ Collectors on page 535 ◦...
  • Page 534: Cflowd Configuration Overview

    Cflowd Configuration Overview The implementation of cflowd supports the option to analyze traffic flow. The implementation also supports the use of traffic/access list (ACL) filters to limit the type of traffic that is analyzed. Traffic Sampling Traffic sampling does not examine all packets received by a router. Command parameters allow the rate at which traffic is sampled and sent for flow analysis to be modified.
  • Page 535: Collectors

    Cflowd Within the raw flow cache, the following characteristics are used to identify an individual flow: • Ingress interface • Source IP address • Destination IP address • Source transport port number • Destination transport port number • IP protocol type •...
  • Page 536 • Protocol-port — Flows are aggregated based on the IP protocol, source port number, and destination port number. • Source prefix — Flows are aggregated based on source prefix and mask, source AS, and ingress interface. • Destination prefix — Flows are aggregated based on destination prefix and mask, destination AS, and egress interface.
  • Page 537: Basic Cflowd Configuration

    Cflowd Basic Cflowd Configuration This section provides information to configure cflowd and configuration examples of common configuration tasks. In order to sample traffic, the minimal cflowd parameters that need to be configured are: • Cflowd must be enabled. • At least one collector must be configured and enabled. •...
  • Page 538: Common Configuration Tasks

    Common Configuration Tasks This section provides a brief overview of the tasks that must be performed to configure cflowd and provides the CLI commands. In order to begin traffic flow sampling, cflowd must be enabled and at least one collector must be configured. Global Cflowd Components The components common (global) to all instances of cflowd include the following parameters: •...
  • Page 539: Configuring Cflowd

    Cflowd Configuring Cflowd Use the CLI syntax displayed below to perform the following tasks: • Enabling Cflowd on page 540 • Configuring Global Cflowd Parameters on page 541 • Configuring Cflowd Collectors on page 542 • Enabling Cflowd on Interfaces and Filters on page 547 CLI Syntax: config>cflowd# active-timeout minutes cache-size num-entries...
  • Page 540: Enabling Cflowd

    Enabling Cflowd Cflowd is disabled by default. Executing the command configure cflowd enables cflowd; by default cflowd is not shut down, but it must be configured, including at least one collector, to be active. Use the following CLI syntax to enable cflowd: CLI Syntax: config# cflowd no shutdown The following example displays the default values when cflowd is initially enabled.
  • Page 541: Configuring Global Cflowd Parameters

    Cflowd Configuring Global Cflowd Parameters The following cflowd parameters apply to all instances where cflowd (traffic sampling) is enabled. Use the following CLI commands to configure cflowd parameters: CLI Syntax: config>cflowd# active-timeout minutes cache-size num-entries inactive-timeout seconds overflow percent rate sample-rate template-retransmit seconds no shutdown The following example displays a common cflowd component configuration:...
  • Page 542: Configuring Cflowd Collectors

    Configuring Cflowd Collectors To configure cflowd collector parameters, enter the following commands: CLI Syntax: config>cflowd# collector ip-address[:port] [version version] aggregation as-matrix destination-prefix protocol-port source-destination-prefix source-prefix autonomous-system-type [origin | peer] description description-string no shutdown template-set {basic | mpls-ip} The following example displays a basic cflowd configuration: A:ALA-1>config>cflowd# info ----------------------------------------- active-timeout 20...
  • Page 543: Table 14: Template-Set

    Cflowd exit Version 9 and Version 10 Templates If the collector is configured to use either version 9 or 10 formats, the flow data is sent to the designated collector using one of the pre-defined templates. The template used is based on the type of flow for which the data was collected (IPv4, IPv6, or MPLS), and the configuration of the template-set parameter.
  • Page 544 IPv4 Dest Addr (12) IPv4 Nexthop (15) BGP Nexthop (18) Ingress Interface (10) Egress Interface (14) Packet Count (2) Byte Count (1) Start Time (22) End Time (21) Flow Start Milliseconds (152) Flow End Milliseconds (153) Src Port (7) Dest Port (11) TCP control Bits (Flags) (6) IPv4 Protocol (4) IPv4 TOS (5)
  • Page 545 Cflowd IPv6 Src Mask (29) IPv6 Dest Mask (30) MPLS-IPv6 Template: IPv6 Src Addr (27) IPv6 Dest Addr (28) IPv6 Nexthop (62) IPv6 BGP Nexthop (63) IPv4 Nexthop (15) IPv4 BGP Nexthop (18) Ingress Interface (10) Egress Interface (14) Packet Count (2) Byte Count (1) Start Time (22) End Time (21)
  • Page 546 MPLS-IP flows: IPv4 Src Addr (8) IPv4 Dest Addr (12) IPv4 Nexthop (15) IPv6 Src Addr (27) IPv6 Dest Addr (28) IPv6 Nexthop (62) Ingress Interface (10) Egress Interface (14) Packet Count (2) Byte Count (1) Start Time (22) End Time (21) Flow Start Milliseconds (152) Flow End Milliseconds (153) Src Port (7)
  • Page 547: Enabling Cflowd On Interfaces And Filters

    Cflowd Enabling Cflowd on Interfaces and Filters This section discusses the following cflowd configuration management tasks: • Dependencies on page 551 • Specifying Cflowd Options on an IP Interface on page 548 ◦ Interface Configurations on page 548 ◦ Service Interfaces on page 549 •...
  • Page 548: Specifying Cflowd Options On An Ip Interface

    Specifying Cflowd Options on an IP Interface When cflowd is enabled on an interface, all packets forwarded by the interface are subject to analysis according to the global cflowd configuration and sorted according to the collector configuration(s). Refer to Table 15, Cflowd Configuration Dependencies, on page 552 for configuration combinations.
  • Page 549: Service Interfaces

    Cflowd Service Interfaces CLI Syntax: config>service>vpls service-id# interface ip-int-name cflowd {acl|interface} When enabled on a service interface, cflowd collects routed traffic flow samples through a router for analysis. Cflowd is supported on IES and VPRN services interfaces only. Layer 2 traffic is excluded.
  • Page 550: Specifying Sampling Options In Filter Entries

    Specifying Sampling Options in Filter Entries Packets are matched against filter entries to determine acceptability. With cflowd, only the first packet of a flow is compared. If the first packet matches the filter criteria, then an entry is added to the cflowd cache.
  • Page 551: Dependencies

    Cflowd Dependencies In order for cflowd to be operational, the following requirements must be met: • Cflowd must be enabled on a global level. If cflowd is disabled, any traffic sampling instances are also disabled. • At least one collector must be configured and enabled in order for traffic sampling to occur on an enabled entity.
  • Page 552: Table 15: Cflowd Configuration Dependencies

    Table 15: Cflowd Configuration Dependencies Interface Setting router>interface Command Expected Results cflowd [acl | interface] ip-filter entry Setting IP-filter mode Traffic matching is sampled at filter-sampled specified rate. IP-filter mode No traffic is sampled on this no filter-sampled interface. IP-filter mode or Command is ignored.
  • Page 553: Cflowd Configuration Management Tasks

    Cflowd Cflowd Configuration Management Tasks This section discusses the following cflowd configuration management tasks: • Modifying Global Cflowd Components on page 553 • Modifying Cflowd Collector Parameters on page 554 Modifying Global Cflowd Components Cflowd parameter modifications apply to all instances where cflowd or traffic sampling is enabled. Changes are applied immediately.
  • Page 554: Modifying Cflowd Collector Parameters

    Modifying Cflowd Collector Parameters Use the following commands to modify cflowd collector and aggregation parameters: CLI Syntax: config>cflowd# collector ip-address[:port] [version version] no collector ip-address[:port] [no] aggregation [no] as-matrix [no] destination-prefix [no] protocol-port [no] raw [no] source-destination-prefix [no] source-prefix [no] autonomous-system-type [origin | peer] [no] description description-string [no] shutdown template-set {basic | mpls-ip}...
  • Page 555: Cflowd Configuration Commands

    Cflowd Cflowd Configuration Commands Global Commands cflowd [no] cflowd Syntax Context config>cflowd This command creates the context to configure cflowd. Description The no form of this command removes all configuration under cflowd including the deletion of all configured collectors. This can only be executed if cflowd is in a shutdown state. no cflowd Default active-timeout...
  • Page 556 cache-size Syntax cache-size num-entries no cache-size config>cflowd Context This command specifies the maximum number of active flows to maintain in the flow cache table. Description The no form of this command resets the number of active entries back to the default value. 65536 (64K) Default num-entries —...
  • Page 557 Cflowd version — Specifies the version of the flow data collector. Netflow v5, v8, v9, v10 (IPFIX) format Values Default aggregation [no] aggregation Syntax config>cflowd>collector Context This command configures the type of aggregation scheme to be exported. Description Specifies the type of data to be aggregated and to the collector. To configure aggregation, you must decide which type of aggregation scheme to configure: autonomous system, destination prefix, protocol port, raw, source destination, or source prefix.
  • Page 558 protocol-port
    Syntax: [no] protocol-port
    Context: config>cflowd>collector>aggregation
    Description: This command specifies that flows be aggregated based on the IP protocol, source port number, and destination port number. The no form of this command removes this type of aggregation from the collector configuration.
    Default: none
    [no] raw...
  • Page 559 autonomous-system-type
    Syntax: autonomous-system-type {origin | peer}
            no autonomous-system-type
    Context: config>cflowd>collector
    Description: This command defines whether the autonomous system (AS) information included in the flow data is based on the originating AS or external peer AS of the routes. This option is only allowed if the collector is configured as Version 5 or Version 8. The no form of this command resets the AS type to the default value.
  • Page 560 Unlike other commands and parameters where the default state is not indicated in the configuration file, the shutdown and no shutdown states are always indicated in system generated configuration files.
    template-set
    Syntax: template-set {basic | mpls-ip}
    Context: config>cflowd>collector
    Description: This command specifies the set of templates sent to the collector when using cflowd Version 9 or Version 10.
  • Page 561 overflow
    Syntax: overflow percent
            no overflow
    Context: config>cflowd
    Description: This command specifies the percentage of the flow cache entries removed when the maximum number of entries is exceeded. The entries removed are the entries that have not been updated for the longest amount of time.
  • Page 563: Cflowd Command Reference

    Cflowd Command Reference
    Command Hierarchies
    Configuration Commands
    config
        — [no] cflowd
            — active-timeout minutes
            — no active-timeout
            — cache-size num-entries
            — no cache-size
            — collector ip-address[:port] [version {[5 | 8 | 9 |10]}
            — no collector ip-address[:port]
                — [no] aggregation
                —...
  • Page 564 Show Commands
    show
        — cflowd
            — collector [ip-address[:port]] [detail]
            — interface [ip-int-name | ip-address]
            — status
    Tools Commands
    tools
        — dump
            — cflowd
                — top-protocols [clear]
                — top-flows [ipv4 | ipv6 | mpls] [clear]
                — packet-size [ipv4 | ipv6] [clear]
    Clear Commands
    clear
        —...
  • Page 565: Show Commands

    Show Commands
    collector
    Syntax: collector [ip-addr[:port]] [detail]
    Context: show>cflowd
    Description: This command displays administrative and operational status of data collector configuration.
    Parameters:
    ip-addr — Display only information about the specified collector IP address.
    Default: all collectors
    :port — Display only information about the collector on the specified UDP port.
    Default: all UDP ports
    1 —...
  • Page 566: Table 17: Show Cflowd Collector Detailed Output Fields

    Sample Output
    A:SR1 # show cflowd collector detail
    ===============================================================================
    Cflowd Collectors (detail)
    ===============================================================================
    Address : 138.120.135.103
    Port : 2055
    Description : Test v9 Collector
    Version : 9
    Admin State : up
    Oper State : up
    Packets Sent : 51
    Last Changed : 09/03/2009 17:24:04
    Last Pkt Sent : 09/03/2009 18:07:10
    Template Set : Basic
    -------------------------------------------------------------------------------...
  • Page 567 Cflowd Table 17: Show Cflowd Collector Detailed Output Fields (Continued) Label Description (Continued) The style of AS reporting used in the exported flow data. AS Type Reflects the endpoints of the AS path which the flow is origin — following. Reflects the AS of the previous and next hops for the flow.
  • Page 568 Records Sent : 1260 Last Changed : 09/03/2009 17:24:04 Last Pkt Sent : 09/03/2009 18:07:10 ------------------------------------------------------------------------------- Sent Open Errors ------------------------------------------------------------------------------- =============================================================================== Address : 138.120.135.103 Port : 9555 Description : Test v8 Collector Version AS Type : origin Admin State : up Oper State : up Records Sent...
  • Page 569 ip-int-name — Display only information for the IP interface with the specified name.
    Default: all interfaces with cflowd enabled.
    Output: cflowd Interface Output — The following table describes the show cflowd interface output fields.
    Label / Description
    Interface: Displays the physical port identifier.
    Displays the primary IPv4 address for the associated IP interface.
  • Page 570: Table 18: Cflowd Status Output

    B:sr-002# show cflowd interface 11.10.1.2
    ===============================================================================
    Cflowd Interfaces
    ===============================================================================
    Interface: To_Sr1
    IP address: 11.10.1.2/24
    Admin/Oper state: Up/Up
    Sampling Mode: (ingress | egress | both)
    Total Flows seen: 1302000
    Pkts sampled (ingress/egress) : 60103/70102
    Bytes sampled (ingress/egress) : 6010300/7010200
    Active flows (ingress/egress) : 6010/7010
    B:sr-002# show cflowd interface
    ===============================================================================...
  • Page 571 Table 18: Cflowd Status Output (Continued)
    Label / Description (Continued)
    Active Timeout: The maximum amount of time, in minutes, before an active flow will be exported. If an individual flow is active for this amount of time, the flow is exported and a new flow is created.
    Inactive timeout in seconds.
  • Page 572 Cflowd Oper Status : Enabled Active Timeout : 1 minutes Inactive Timeout : 30 seconds Template Retransmit : 60 seconds Cache Size : 65536 entries Overflow : 1% Sample Rate : 1 Active Flows : 34000 Overflow events 10 Dropped Flows: 0 Pkts Rcvd : 801600 Total Pkts Dropped : 0 Times flow created...
  • Page 573: Tools Commands

    Tools Commands
    top-protocols
    Syntax: top-protocols [clear]
    Context: tools>dump>cflowd
    Description: This command displays the summary information for the top 20 protocol traffic seen in the cflowd cache. All statistics are calculated based on the data collected since the last clearing of the cflowd stats with clear keyword for this command.
  • Page 574: Table 20: Tools Dump Cflowd Top-Flows Output Fields

    Sample Output SR# tools dump cflowd top-protocols The top 20 IPv4 protocols seen by cflowd are: Current Time: 08/29/2011 15:36:15 Last Cleared Time: 08/29/2011 15:35:08 Protocol ID Total Flows Packets Bytes Packets Duration % Total -------- Flows /Sec /Flow /Pkt /Sec /Flow Bandwidth...
  • Page 575 Table 20: Tools Dump Cflowd Top-flows Output Fields
    Label / Description
    S-Port Src Port: Displays the source protocol port number.
    Displays the route prefix length for route to source IP address.
    Displays the Autonomous Systems number for the source route (the AS is either originating AS or peer AS depending on cflowd configuration).
  • Page 576 12345678901234567890123456789012345678901234567890123456789012345678901234567890
    Sr1# tools dump cflowd top-flows mpls
    Label-1 Label-2 Label-3 Label-4 Total Pkts Avg Pkt Active(s) SrcIP (up to IPv6) Ingress i/f Src Port DstIP (upto IPv6) Egress i/f Dst Port Proto Flags
    --------------------------------------------------------------------------------
    packet-size
    Syntax: packet-size [ipv4 | ipv6] [clear]
    Context: tools>dump>cflowd...
  • Page 577: Clear Commands

    Clear Commands
    cflowd
    Syntax: cflowd
    Context: clear
    Description: Clears the raw and aggregation flow caches which are sending flow data to the configured collectors. This action will trigger all the flows to be discarded. The cache restarts flow data collection from a fresh state.
  • Page 579: Standards And Protocol Support

    Standards and Protocol Support RFC 3623 Graceful OSPF Restart – GR RFC 4659 BGP-MPLS IP Virtual Private Standards Compliance helper Network (VPN) Extension for IPv6 IEEE 802.1ab-REV/D3 Station and RFC 3630 Traffic Engineering (TE) Media Access Control Connectivity Extensions to OSPF Version 2 RFC 4684 Constrained Route Discovery Distribution for Border Gateway...
  • Page 580 Standards and Protocols RFC 3719 Recommendations for RFC 2463 Internet Control Message RFC 3446 Anycast Rendevous Point Interoperable Networks using IS-IS Protocol (ICMPv6) for the Internet (RP) mechanism using Protocol Independent Multicast (PIM) and Protocol Version 6 Specification RFC 3784 Intermediate System to Multicast Source Discovery Intermediate System (IS-IS) RFC 2464 Transmission of IPv6 Packets...
  • Page 581 Standards and Protocols RFC 4124 Protocol Extensions for RFC6426 MPLS On-Demand MPLS — LDP Support of Diffserv-aware MPLS Connectivity and Route Tracing RFC 3037 LDP Applicability Traffic Engineering RFC6478 Pseudowire Status for Static RFC 3478 Graceful Restart Mechanism RFC 4125 Maximum Allocation Pseudowires for LDP –...
  • Page 582 Standards and Protocols RFC 4619 Encapsulation Methods for ETSI TS 101 329-5 Annex E extensions- VRRP Transport of Frame Relay over QoS Measurement for VoIP - RFC 2787 Definitions of Managed Method for determining an MPLS Networks (draft-ietf-pwe3- Objects for the Virtual Router frame-relay-07.txt) Equipment Impairment Factor using Redundancy Protocol...
  • Page 583 Standards and Protocols RFC 4251 The Secure Shell (SSH) Management Protocol (SNMP) NETWORK MANAGEMENT Protocol Architecture Management Frameworks ITU-T X.721: Information technology- OSI-Structure of Management RFC 3412 - Message Processing and RFC 4252 The Secure Shell (SSH) Dispatching for the Simple Network Authentication Protocol Information Management Protocol (SNMP)