7750 SR-OS Router Configuration Guide
93-0073-11-01 Edition 2
Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners.
The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein.
This document is protected by copyright. Except as specifically permitted herein, no portion of the provided information can be reproduced in any form, or by any means, without prior written permission from Alcatel-Lucent.
Preface
About This Guide
This guide describes logical IP routing interfaces, virtual routers, IP and MAC-based filtering, and cflowd support and presents configuration and implementation examples. This document is organized into functional chapters and provides concepts and descriptions of the implementation flow, as well as Command Line Interface (CLI) syntax and command usage.
OS Multi-Service ISA Guide
This guide describes services provided by integrated service adapters such as Application Assurance, IPSec, ad insertion (ADI) and Network Address Translation (NAT).
• 7750 SR-OS RADIUS Attributes Reference Guide
This guide describes all supported RADIUS Authentication, Authorization and Accounting attributes.
If you purchased a service agreement for your router and related products from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance. If you purchased an Alcatel-Lucent service agreement, contact your welcome center at: Web: http://www.alcatel-lucent.com/wps/portal/support...
In This Chapter
This chapter provides process flow information to configure routing entities, virtual routers, IP and MAC filters, and Cflowd.
Alcatel-Lucent 7750 SR-Series Router Configuration Process
Table 1 lists the tasks necessary to configure logical IP routing interfaces, virtual routers, IP and MAC-based filtering, and Cflowd.
IP Router Configuration
In This Chapter
This chapter provides information about commands required to configure basic router parameters. Topics in this chapter include:
• Configuring IP Router Parameters
    - Interfaces
    - Autonomous Systems (AS)
...
Configuring IP Router Parameters
In order to provision services on an Alcatel-Lucent router, logical IP routing interfaces must be configured to associate attributes such as an IP address, port or the system with the IP interface.
Network Domains
In order to determine which network ports (and hence which network complexes) are eligible to transport traffic of individual SDPs, network-domain is introduced. This information is then used for the sap-ingress queue allocation algorithm applied to VPLS SAPs. This algorithm is optimized in such a way that no sap-ingress queues are allocated if the given port does not belong to the network-domain used in the given VPLS.
System Interface
The system interface is associated with the network entity (such as a specific router or switch), not a specific interface. The system interface is also referred to as the loopback address. The system interface is associated during the configuration of the following entities:
•...
Unicast Reverse Path Forwarding Check (uRPF)
This section applies to the 7750-SR, 7710-SR, 7950-SR and the 7450-ESS. uRPF helps to mitigate problems that are caused by the introduction of malformed or forged (spoofed) IP source addresses into a network by discarding IP packets that lack a verifiable IP source address.
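The check described above, as an added Python illustration (not code from this guide or from SR OS): a toy forwarding table evaluated under the two standard uRPF modes, strict and loose. The mode names, the `ignore_default` option, the interface names and the documentation-range prefixes are assumptions constructed for the example; the guide's own mode descriptions are not part of this excerpt.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str      # e.g. "192.0.2.0/24"
    interface: str   # interface the route forwards out of


class Fib:
    """Minimal forwarding table with longest-prefix match (IPv4 and IPv6)."""

    def __init__(self, routes):
        self._routes = [(ipaddress.ip_network(r.prefix), r.interface) for r in routes]

    def best_matches(self, address, ignore_default=False):
        """Return (network, interface) pairs for the longest matching prefix.

        Several pairs come back when equal-cost routes share that prefix.
        With ignore_default=True a /0 route never counts as a match.
        """
        addr = ipaddress.ip_address(address)
        candidates = [
            (net, ifname) for net, ifname in self._routes
            if net.version == addr.version and addr in net
            and not (ignore_default and net.prefixlen == 0)
        ]
        if not candidates:
            return []
        longest = max(net.prefixlen for net, _ in candidates)
        return [(net, ifname) for net, ifname in candidates if net.prefixlen == longest]


def urpf_check(fib, src, ingress_if, mode="strict", ignore_default=False):
    """Return (accepted, reason) for a packet with source `src` seen on `ingress_if`.

    loose:  accept if any route covers the source address.
    strict: accept only if the best route to the source points back out of
            the interface the packet arrived on (any ECMP member qualifies).
    """
    if mode not in ("strict", "loose"):
        raise ValueError(f"unknown uRPF mode: {mode!r}")
    matches = fib.best_matches(src, ignore_default)
    if not matches:
        return False, "no route to source"
    if mode == "loose":
        return True, f"source covered by {matches[0][0]}"
    if any(ifname == ingress_if for _, ifname in matches):
        return True, f"route {matches[0][0]} points back to {ingress_if}"
    expected = ", ".join(sorted({ifname for _, ifname in matches}))
    return False, f"source routed via {expected}, not {ingress_if}"


# Constructed sample data: documentation prefixes and hypothetical interface names.
SAMPLE_FIB = Fib([
    Route("0.0.0.0/0", "to-upstream"),
    Route("192.0.2.0/24", "to-customer"),
    Route("198.51.100.0/24", "to-peer-a"),
    Route("198.51.100.0/24", "to-peer-b"),   # equal-cost pair
    Route("2001:db8:1::/48", "to-customer"),
])

# (source address, ingress interface), constructed for the example.
SAMPLE_PACKETS = [
    ("192.0.2.10", "to-customer"),        # legitimate customer source
    ("198.51.100.7", "to-customer"),      # peer prefix arriving from the customer
    ("198.51.100.7", "to-peer-b"),        # same source on one of its ECMP interfaces
    ("203.0.113.9", "to-customer"),       # only the default route covers it
    ("2001:db8:1::5", "to-customer"),     # legitimate IPv6 customer source
    ("2001:db8:ffff::1", "to-customer"),  # no IPv6 route at all
]


def evaluate(packets, fib, mode, ignore_default=False):
    """Return the accept/discard decision for each packet, in order."""
    return [urpf_check(fib, src, ifname, mode, ignore_default)[0]
            for src, ifname in packets]


if __name__ == "__main__":
    for mode, ignore_default in (("strict", False), ("loose", False), ("loose", True)):
        print(f"mode={mode} ignore_default={ignore_default}")
        for src, ifname in SAMPLE_PACKETS:
            ok, reason = urpf_check(SAMPLE_FIB, src, ifname, mode, ignore_default)
            print(f"  {'accept ' if ok else 'discard'} {src:<18} on {ifname:<12} {reason}")
```

Loose mode only discards sources with no route at all, so a default route makes it accept nearly everything unless default matches are excluded; strict mode is the one that catches a routable source arriving on the wrong interface.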
Creating an IP Address Range
An IP address range can be reserved for exclusive use for services by defining the config>router>service-prefix command. When the service is configured, the IP address must be in the range specified as a service prefix. If no service prefix command is configured, then no limitation exists.
QoS Policy Propagation Using BGP (QPPB)
This section discusses QPPB as it applies to VPRN, IES, and router interfaces. Refer to the Internet Enhanced Service section in the Services Guide and the IP Router Configuration section in the 7x50 SR OS Router Configuration Guide.
QoS policy propagation using BGP (QPPB) is a feature that allows a route to be installed in the routing table with a forwarding-class and priority so that packets matching the route can receive the associated QoS.
achieved by advertising the source prefix with a BGP community, as discussed above. However, in this case other approaches are equally valid, such as marking the DSCP or other CoS fields based on source IP address so that downstream domains can take action based on a common understanding of the QoS treatment implied by different DSCP values.
[Figure 1: Use of QPPB to Differentiate Traffic in an ISP Network. Route Policy (both panels): Accept all routes with AS_PATH ending with ASN 300 and set fc to high-1. QoS Policy (one panel): Lookup the source IP address of all packets arriving on this interface to... QoS Policy (other panel): Lookup the destination IP address of all packets arriving on this...]
QPPB
There are two main aspects of the QPPB feature:
• The ability to associate a forwarding-class and priority with certain routes in the routing table.
• The ability to classify an IP packet arriving on a particular IP interface to the forwarding-class and priority associated with the route that best matches the packet.
• BGP import policies:
    config>router>bgp>import
    config>router>bgp>group>import
    config>router>bgp>group>neighbor>import
    config>service>vprn>bgp>import
    config>service>vprn>bgp>group>import
    config>service>vprn>bgp>group>neighbor>import
• RIP import policies:
    config>router>rip>import
    config>router>rip>group>import
    config>router>rip>group>neighbor>import
    config>service>vprn>rip>import
    config>service>vprn>rip>group>import
    config>service>vprn>rip>group>neighbor>import
As evident from above, QPPB route policies support routes learned from RIP and BGP neighbors of a VPRN as well as for routes learned from RIP and BGP neighbors of the base/global routing instance.
Priority is optional when specifying the forwarding class of a static route, but once configured it can only be deleted and returned to unspecified by deleting the entire static route.
Displaying QoS Information Associated with Routes
The following commands are enhanced to show the forwarding-class and priority associated with the displayed routes:
•...
Enabling QPPB on an IP interface
To enable QoS classification of ingress IP packets on an interface based on the QoS information associated with the routes that best match the packets, the qos-route-lookup command is necessary in the configuration of the IP interface. The qos-route-lookup command has parameters to indicate whether the QoS result is based on lookup of the source or destination IP address in every packet.
QPPB When Next-Hops are Resolved by QPPB Routes
In some circumstances (IP VPN inter-AS model C, Carrier Supporting Carrier, indirect static routes, etc.) an IPv4 or IPv6 packet may arrive on a QPPB-enabled interface and match a route A1 whose next-hop N1 is resolved by a route A2 with next-hop N2 and perhaps N2 is resolved by a route A3 with next-hop N3, etc.
QPPB and GRT Lookup
Source-address based QPPB is not supported on any SAP or spoke SDP interface of a VPRN configured with the grt-lookup command.
QPPB Interaction with SAP Ingress QoS Policy
When QPPB is enabled on a SAP IP interface the forwarding class of a packet may change from fc1, the original fc determined by the SAP ingress QoS policy to fc2, the new fc determined by QPPB.
Table 2: QPPB Interactions with SAP Ingress QoS
Column headings: Original FC object mapping; New FC object mapping; Profile; Priority (drop preference); DE=1 override; In/out of profile marking
Profile mode Profile mode From new From QPPB, unless From new From original FC queue queue...
Profile mode Priority Ignored If DE=1 override then From new From original FC queue mode queue...
Router ID
The router ID, a 32-bit number, uniquely identifies the router within an autonomous system (AS) (see Autonomous Systems (AS)). In protocols such as OSPF, routing information is exchanged between areas, groups of networks that share routing information. It can be set to be the same as the loopback address.
Autonomous Systems (AS)
Networks can be grouped into areas. An area is a collection of network segments within an AS that have been administratively assigned to the same group. An area’s topology is concealed from the rest of the AS, which results in a significant reduction in routing traffic. Routing in the AS takes place on two levels, depending on whether the source and destination of a packet reside in the same area (intra-area routing) or different areas (inter-area routing).
Confederations
Configuring confederations is optional and should only be implemented to reduce the IBGP mesh inside an AS. An AS can be logically divided into smaller groupings called sub-confederations and then assigned a confederation ID (similar to an autonomous system number). Each sub-confederation has fully meshed IBGP and connections to other ASs outside of the confederation.
There are no default confederations. Router confederations must be explicitly created. Figure 2 depicts a confederation configuration example.
[Figure 2: Confederation Configuration. Labels: Confederation 2002; Confederation Member 1; Confederation Member 3; AS 100, AS 200, AS 300, AS 400; ALA-A, ALA-B, ALA-C, ALA-D, ALA-E, ALA-F, ALA-G...]
Static ARP is used when an Alcatel-Lucent router needs to know about a device on an interface that cannot or does not respond to ARP requests. Thus, the configuration can state that if it has a packet with a certain IP address to send it to the corresponding ARP address.
Exporting an Inactive BGP Route from a VPRN
The export-inactive-bgp command under config>service>vprn introduces an IP VPN configuration option that allows the best BGP route learned by a VPRN to be exported as a VPN-IP route even when that BGP route is inactive due to the presence of a more preferred BGP-VPN route from another PE.
DHCP Relay
Refer to 7750 SROS Triple Play Guide for information about DHCP and support provided by the 7750 SR as well as configuration examples.
Internet Protocol Versions
The TiMOS implements IP routing functionality, providing support for IP version 4 (IPv4) and IP version 6 (IPv6). IP version 6 (RFC 1883, Internet Protocol, Version 6 (IPv6)) is a newer version of the Internet Protocol designed as a successor to IP version 4 (IPv4) (RFC-791, Internet Protocol).
Table 3: IPv6 Header Field Descriptions
Field | Description
Version | 4-bit Internet Protocol version number = 6.
Prio. | 4-bit priority value.
Flow Label | 24-bit flow label.
Payload Length | 16-bit unsigned integer. The length of payload, for example, the rest of the packet following the IPv6 header, in octets.
IPv6 Applications
Examples of the IPv6 applications supported by the TiMOS include:
• IPv6 Internet exchange peering — Figure 4 shows an IPv6 Internet exchange where multiple ISPs peer over native IPv6.
[Figure 4: IPv6 Internet Exchange. Labels: IPv6 IX, ISP A, ISP B, Peering]
IPv6 in an environment where not only IPv4 exists but native IPv6 networks depend on IPv4 for greater IPv6 connectivity. Alcatel-Lucent router supports dynamic IPv6 over IPv4 tunneling. The IPv4 source and destination addresses are taken from configuration: the source address is the IPv4 system address and the IPv4 destination is the next hop from the configured 6over4 tunnel.
The DNS client is extended to use IPv6 as transport and to handle the IPv6 address in the DNS AAAA resource record from an IPv4 or IPv6 DNS server. An assigned name can be used instead of an IPv6 address since IPv6 addresses are more difficult to remember than IPv4 addresses.
IPv6 Provider Edge Router over MPLS (6PE)
6PE allows IPv6 domains to communicate with each other over an IPv4 MPLS core network. This architecture requires no backbone infrastructure upgrades and no re-configuration of core routers, because forwarding is purely based on MPLS labels. 6PE is a cost effective solution for IPv6 deployment.
6PE Control Plane Support
The 6PE MP-BGP routers support:
• IPv4/IPv6 dual-stack
• MP-BGP can be used between 6PE routers to exchange IPv6 reachability information. The 6PE routers exchange IPv6 prefixes over MP-BGP sessions running over IPv4 transport.
Bi-directional Forwarding Detection
Bi-directional Forwarding Detection (BFD) is a light-weight, low-overhead, short-duration detection of failures in the path between two systems. If a system stops receiving BFD messages for a long enough period (based on configuration) it is assumed that a failure along the path has occurred and the associated protocol or service is notified of the failure.
Control Packet Format
The BFD control packet has 2 sections, a mandatory section and an optional authentication section.
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Vers | Diag...
Table 4: BFD Control Packet Field Descriptions (Continued)
Field | Description
Length | Length of the BFD control packet, in bytes.
My Discriminator | A unique, nonzero discriminator value generated by the transmitting system, used to demultiplex multiple BFD sessions between the same pair of systems.
Your Discriminator | The discriminator received from the corresponding remote system.
BFD for RSVP-TE
BFD will notify RSVP-TE if the BFD session goes down, in addition to notifying other configured BFD enabled protocols (for example, OSPF, IS-IS and PIM). This notification will then be used by RSVP-TE to begin the reconvergence process. This greatly accelerates the overall RSVP-TE response to network failures.
Echo Support
Echo support for BFD calls for the support of the echo function within BFD. By supporting BFD echo, the router loops back received BFD echo messages to the original sender based on the destination IP address in the packet. The echo function is useful when the local router does not have sufficient CPU power to handle a periodic polling rate at a high frequency.
BFD Support for BGP
This feature enhancement allows BGP peers to be associated with the BFD session. If the BFD session failed, then BGP peering will also be torn down.
Centralized BFD
The following applications of centralized BFD require BFD to run on the SF/CPM.
•...
[Figure: Metro POPs with IES/VPRN interfaces, headend routers, spokes, and primary and secondary paths. Note: In this case BFD is run between the IES/VPRN interfaces independent of the SPD/LSP paths...]
BFD Over LAG and VSM Interfaces
A second application for a central BFD implementation is so BFD can be supported over LAG or VSM interface. This is useful where BFD is not used for link failure detection but instead for node failure detection.
Aggregate Next Hop
This feature adds the ability to configure an indirect next-hop for aggregate routes. The indirect next-hop specifies where packets will be forwarded if they match the aggregate route but not a more-specific route in the IP forwarding table.
Process Overview
The following items are components to configure basic router parameters.
• Interface — A logical IP routing interface. Once created, attributes like an IP address, port, link aggregation group or the system can be associated with the IP interface.
•...
Configuration Notes
The following information describes router configuration caveats.
• A system interface and associated IP address should be specified.
• Boot options file (BOF) parameters must be configured prior to configuring router parameters.
• Confederations can be configured before protocol connections (such as BGP) and peering parameters are configured.
Configuring an IP Router with CLI
This section provides information to configure an IP router. Topics in this section include:
• Router Configuration Overview
• Basic Configuration
• Common Configuration Tasks
...
Router Configuration Overview
In an Alcatel-Lucent router, an interface is a logical named entity. An interface is created by specifying an interface name under the configure>router context. This is the global router configuration context where objects like static routes are defined. An IP interface name can be up to 32 alphanumeric characters long, must start with a letter, and is case-sensitive;...
Basic Configuration
NOTE: Refer to each specific chapter for specific routing protocol information and command syntax to configure protocols such as OSPF and BGP.
The most basic router configuration must have the following:
• System name
• System address
The following example displays a router configuration:
A:ALA-A>...
Common Configuration Tasks
The following sections describe basic system tasks.
• Configuring a System Name
• Configuring Interfaces
    - Configuring a System Interface
    - Configuring a Network Interface
•...
Configuring Interfaces
The following command sequences create a system and a logical IP interface. The system interface assigns an IP address to the interface, and then associates the IP interface with a physical port. The logical interface can associate attributes like an IP address or port. Note that the system interface cannot be deleted.
The following displays an IP configuration output showing interface information.
A:ALA-A>config>router# info
#------------------------------------------
# IP Configuration
#------------------------------------------
    interface "system"
        address 10.10.0.4/32
    exit
    interface "to-ALA-2"
        address 10.10.24.4/24
        port 1/1/1
        egress
            filter ip 10
        exit
    exit
#------------------------------------------
A:ALA-A>config>router#
To enable CPU protection:
CLI Syntax: config>router
    interface interface-name
        cpu-protection policy-id...
Configuring IPv6 Parameters
IPv6 interfaces and associated routing protocols may only be configured on the following systems:
• Chassis systems running in chassis mode c or d.
• Chassis systems running in mixed-mode, with IPv6 functionality limited to those interfaces on slots with IOM3-XPs/IMMs or later line cards.
Configuring IPv6 Over IPv4 Parameters
This section provides several examples of the features that must be configured in order to implement IPv6 over IPv4 relay services.
• Tunnel Ingress Node
    - Learning the Tunnel Endpoint IPv4 System Address
...
Both the IPv4 and IPv6 system addresses must be configured.
CLI Syntax: config>router
    interface ip-int-name
        address {ip-address/mask|ip-address netmask} [broadcast all-ones|host-ones]
        ipv6
            address ipv6-address/prefix-length [eui-64]
The following displays configuration output showing interface information.
A:ALA-49>configure>router# info
----------------------------------------------
    interface "system"
        address 200.200.200.1/32
        ipv6
            address 3FFE::C8C8:C801/128...
Learning the Tunnel Endpoint IPv4 System Address
This configuration displays the OSPF configuration to learn the IPv4 system address of the tunnel endpoint.
CLI Syntax: config>router
    ospf
        area area-id
            interface ip-int-name
The following displays a configuration showing OSPF output.
A:ALA-49>configure>router# info
----------------------------------------------
    ospf...
Configuring an IPv4 BGP Peer
This configuration displays the commands to configure an IPv4 BGP peer with (IPv4 and) IPv6 protocol families.
CLI Syntax: config>router
    export policy-name [policy-name...(upto 5 max)]
    router-id ip-address
    group name
        family [ipv4] [vpn-ipv4] [ipv6] [mcast-ipv4]
        type {internal|external}
        neighbor ip-address
            local-as as-number [private]...
An Example of an IPv6 Over IPv4 Tunnel Configuration
The IPv6 address is the next-hop as it is received through BGP. The IPv4 address is the system address of the tunnel's endpoint.
    static-route ::C8C8:C802/128 indirect 200.200.200.2
This configuration displays an example to configure a policy to export IPv6 routes into BGP.
CLI Syntax: config>router
    export policy-name [policy-name...(upto 5 max)]
    router-id ip-address...
Tunnel Egress Node
This configuration shows the interface through which the IPv6 over IPv4 traffic leaves the node. It must be configured on a network interface. Both the IPv4 and IPv6 system addresses must be configured.
CLI Syntax: config>router
    configure router static-route ::C8C8:C801/128 indirect 200.200.200.1...
Learning the Tunnel Endpoint IPv4 System Address
This configuration displays the OSPF configuration to learn the IPv4 system address of the tunnel endpoint.
CLI Syntax: config>router
    ospf
        area area-id
            interface ip-int-name
The following displays OSPF configuration information.
A:ALA-49>configure>router# info
----------------------------------------------
    ospf...
Configuring an IPv4 BGP Peer
This configuration displays the commands to configure an IPv4 BGP peer with (IPv4 and) IPv6 protocol families.
CLI Syntax: config>router
    export policy-name [policy-name...(upto 5 max)]
    router-id ip-address
    group name
        family [ipv4] [vpn-ipv4] [ipv6] [mcast-ipv4]
        type {internal|external}
        neighbor ip-address
            local-as as-number [private]...
An Example of an IPv6 Over IPv4 Tunnel Configuration
The IPv6 address is the next-hop as it is received through BGP. The IPv4 address is the system address of the tunnel's endpoint.
    static-route ::C8C8:C802/128 indirect 200.200.200.2
This configuration displays an example to configure a policy to export IPv6 routes into BGP.
CLI Syntax: config>router
    export policy-name [policy-name...(upto 5 max)]
    router-id ip-address...
Router Advertisement
To configure the router to originate router advertisement messages on an interface, the interface must be configured under the router-advertisement context and be enabled (no shutdown). All other router advertisement configuration parameters are optional.
Use the following CLI syntax to enable router advertisement and configure router advertisement parameters:
CLI Syntax: config>router# router-advertisement
    interface ip-int-name...
Configuring IPv6 Parameters
The following displays the interface configuration showing the IPv6 default configuration when IPv6 is enabled on the interface.
A:ALA-49>config>router>if>ipv6# info detail
----------------------------------------------
    port 1/3/37
    ipv6
        packet-too-big 100 10
        param-problem 100 10
        redirects 100 10
        time-exceeded 100 10
        unreachables 100 10
    exit...
A:ALA-49>configure>router# info
----------------------------------------------
    policy-options
        policy-statement "ospf3"
            description "Plcy Stmnt For 'From ospf3 To bgp'"
            entry 10
                description "Entry From Protocol ospf3 To bgp"
                from
                    protocol ospf3
                exit
                    protocol bgp
                exit
                action accept
                exit
            exit
        exit
    exit
----------------------------------------------
A:ALA-49>configure>router#
Configuring Proxy ARP
To configure proxy ARP, you can configure:
• A prefix list in the config>router>policy-options>prefix-list context.
• A route policy statement in the config>router>policy-options>policy-statement context and apply the specified prefix list. In the policy statement entry>to context, specify the host source address(es) for which ARP requests can or cannot be forwarded to non-local networks, depending on the specified action.
    prefix-list "prefixlist2"
        prefix 10.10.10.0/24 through 32
    exit
    policy-statement "ProxyARPpolicy"
        entry 10
            from
                prefix-list "prefixlist1"
            exit
                prefix-list "prefixlist2"
            exit
            action reject
        exit
        default-action accept
        exit
    exit
----------------------------------------------
A:ALA-49>config>router>policy-options#
Use the following CLI to configure proxy ARP:
CLI Syntax: config>router>interface interface-name
    local-proxy-arp
    proxy-arp-policy policy-name [policy-name...(upto 5 max)]
    remote-proxy-arp...
Creating an IP Address Range
An IP address range can be reserved for exclusive use for services by defining the config>router>service-prefix command. When the service is configured, the IP address must be in the range specified as a service prefix. If no service prefix command is configured, then no limitation exists.
Assume the egress LER advertised a FEC for some /24 prefix using the fec-originate command. At the ingress LER, LDP resolves the FEC by checking in RTM that an exact match exists for this prefix. Once LDP activated the FEC, it programs the NHLFE in the egress data path and the LDP tunnel information in the ingress data path tunnel table.
When the preferred RTM entry corresponds to an LDP shortcut route, spraying will be performed across the multiple next-hops for the LDP FEC. The FEC next-hops can either be direct link LDP neighbors or T-LDP neighbors reachable over RSVP LSPs in the case of LDP-over-RSVP but not both.
Interaction with LDP Shortcut for Static Route Resolution
There is no interaction between LDP shortcut for static route resolution and the LDP shortcut for IGP route resolution. A static route will continue to be resolved by searching for an LDP LSP whose FEC prefix matches the specified indirect next-hop for the route.
Deriving the Router ID
The router ID defaults to the address specified in the system interface command. If the system interface is not configured with an IP address, then the router ID inherits the last four bytes of the MAC address.
Configuring a Confederation
Configuring a confederation is optional. The AS and confederation topology design should be carefully planned. Autonomous system (AS), confederation, and BGP connection and peering parameters must be explicitly created on each participating router. Identify AS numbers, confederation numbers, and members participating in the confederation.
Configuring an Autonomous System
Configuring an autonomous system is optional. Use the following CLI syntax to configure an autonomous system:
CLI Syntax: config>router
    autonomous-system as-number
The following displays an autonomous system configuration example:
A;ALA-A>config>router# info
#------------------------------------------
# IP Configuration
#------------------------------------------
    interface "system"...
Configuring Overload State on a Single SFM
A 7x50 system with a single SFM installed has a system multicast throughput that is only a half of a 7x50 system with dual SFMs installed. For example, in a mixed environment in which IOM1s, IOM2s, and IOM3s are installed in the same system (chassis mode B or C), system multicast throughput doubles when redundant SFMs are used instead of a single SFM.
Service Management Tasks
This section discusses the following service management tasks:
• Changing the System Name
• Modifying Interface Parameters
• Deleting a Logical IP Interface
Changing the System Name
em command sets the name of the device and is used in the prompt string.
Modifying Interface Parameters
Starting at the config>router level, navigate down to the router interface context.
To modify an IP address, perform the following steps:
Example:
A:ALA-A>config>router# interface "to-sr1"
A:ALA-A>config>router>if# shutdown
A:ALA-A>config>router>if# no address
A:ALA-A>config>router>if# address 10.0.0.25/24
A:ALA-A>config>router>if# no shutdown
To modify a port, perform the following steps:
Example:
A:ALA-A>config>router# interface "to-sr1"...
Deleting a Logical IP Interface
The no form of the interface command typically removes the entry, but all entity associations must be shut down and/or deleted before an interface can be deleted.
1. Before an IP interface can be deleted, it must first be administratively disabled with the command....
Configuration Commands
Generic Commands
shutdown
Syntax [no] shutdown
Context config>router>interface
Description The shutdown command administratively disables the entity. When disabled, an entity does not change, reset, or remove any configuration settings or statistics. Many entities must be explicitly enabled using the no shutdown command.
Router Global Commands
router
Syntax router router-name
Context config
Description This command enables the context to configure router parameters, and interfaces, route policies, and protocols.
Parameters router-name — Specify the router-name.
Values router-name: Base, management
Default Base
aggregate
Syntax aggregate ip-prefix/ip-prefix-length [summary-only] [as-set] [aggregator as-number: ip-...
Page 111
IP Router Configuration Parameters ip-prefix — The destination address of the aggregate route in dotted decimal notation. Values ipv4-prefix a.b.c.d (host bits must be 0) ipv4-prefix-length 0 — 32 ipv6-prefix x:x:x:x:x:x:x:x (eight 16-bit pieces) x:x:x:x:x:x:d.d.d.d [0 — FFFF]H [0 — 255]D ipv6-prefix-length 0 —...
Page 112
Router Global Commands Context config>router Description This command configures the autonomous system (AS) number for the router. A router can only belong to one AS. An AS number is a globally unique number with an AS. This number is used to exchange exterior routing information with neighboring ASs and as an identifier of the AS itself.
Page 113
IP Router Configuration Description This command enables ECMP and configures the number of routes for path sharing; for example, the value 2 means two equal cost routes will be used for cost sharing. ECMP can only be used for routes learned with the same preference and same protocol. See the discussion on preferences in the static-route command.
Page 114
Router Global Commands IP interface or to an IES SAP interface or spoke interface. It is also supported for VPRN VPN-IPv4 OSPF prefixes and VPN-IPv6 OSPF prefixes forwarded to a VPRN SAP interface or spoke interface. IP FRR also provides an LFA backup next-hop for the destination prefix of a GRE tunnel used in an SDP or in VPRN auto-bind.
Page 115
IP Router Configuration mpls-labels Syntax mpls-labels Context config>router Description This command creates a context for the configuration of global parameters related to MPLS labels. static-label Syntax static-label max-lsp-labels number static-svc-labels number no static-label Context config>router>mpls-labels Description This command enables the range of MPLS static label values reserved for LSPs and for VCs (pseudowires) to be configured.
Page 116
Router Global Commands Parameters policy-name — Specifies the policy name. Values 32 chars max network-domains Syntax network-domains Context config>router Description This command opens the context for defining network-domains. This command is applicable only in the base routing context. description Syntax [no] description string Context config>router>network-domains>network-domain Description...
Page 117
IP Router Configuration Context config>router Description This command configures the router ID for the router instance. The router ID is used by both OSPF and BGP routing protocols in this instance of the routing table manager. IS-IS uses the router ID value as its system ID. When configuring a new router ID, protocols are not automatically restarted with the new router ID.
Page 118
Router Global Commands Parameters ip-prefix/mask — The IP address prefix to include in the service prefix allocation in dotted decimal notation. Values ipv4-prefix: a.b.c.d (host bits must be 0) ipv4-prefix-length: 0 — 32 ipv6-prefix: x:x:x:x:x:x:x:x (eight 16-bit pieces) x:x:x:x:x:x:d.d.d.d [0 — FFFF]H [0 —...
Page 119
IP Router Configuration dot1p-priority — Specifies the Dot1p priority. Values none, 0 — 7 dot1p-app-name — Specifies the Dot1p application name. Values arp, isis, pppoe dscp Syntax dscp dscp-name fc fc-name no dscp dscp-name Context config>router>sgt-qos Description This command configures DSCP name to FC mapping. Parameters dscp-name —...
Page 120
Router Global Commands Context config>router>bfd>bfd-template Description This command specifies the transmit timer used for BFD packets. If the template is used for a BFD session on an MPLS-TP LSP, then this timer is used for CC packets. Default no transmit-interval Parameters transmit-interval —...
Page 121
IP Router Configuration echo-receive Syntax echo-receive echo-interval no echo-receive Context config>router>bfd>bfd-template Description This command sets the minimum echo receive interval, in milliseconds, for a session. This is not used by a BFD session for MPLS-TP. Default no echo-receive Parameters echo-interval — Specifies the echo receive interval. Values 100 ms —...
Page 122
Router Global Commands Context config>router Description This command triggers route policy re-evaluation. By default, when a change is made to a policy in the config router policy options context and then committed, the change is effective immediately. There may be circumstances when the changes should or must be delayed;...
Page 123
IP Router Configuration [no] static-route {ip-prefix/prefix-length | ip-prefix netmask} [preference preference] [metric metric] [tag tag] [community comm-id] [enable | disable] black-hole [mcast-family] {prefix-list prefix-list-name [all | none]} Context config>router Description This command creates static route entries for both the network and access routes. When configuring a static route, either next-hop, indirect or black-hole must be configured.
Page 124
Router Global Commands ldp-sync — Extends the LDP synchronization feature to a static route. When an interface comes back up, it is possible that a preferred static route using the interface as next-hop for a given prefix is enabled before the LDP adjacency to the peer LSR comes up on this interface. In this case, traffic on an SDP that uses the static route for the far-end address would be black-holed until the LDP session comes up and the FECs are exchanged.
IP Router Configuration The ip-address configured here can be either on the network side or the access side on this node. This address must be associated with a network directly connected to a network configured on this node. Values ip-int-name 32 chars max ipv4-address a.b.c.d...
Page 126
Router Global Commands Table 5: Default Route Preferences Label Preference Configurable IS-IS level 2 internal OSPF external IS-IS level 1 external IS-IS level 2 external Default Values 1 — 255 enable — Static routes can be administratively enabled or disabled. Use the enable parameter to re-enable a disabled static route.
Page 127
IP Router Configuration the same subnet as the static route subnet itself to avoid possible circular references. This option is mutually exclusive with BFD support on a given static route. Default no cpe-check enabled interval seconds — This optional parameter specifies the interval between ICMP pings to the target IP address.
Page 128
Router Global Commands 1::/96 Remote Static 00h01m09s 3000::AC1F:7567 3000::/96 Local Local 05h04m12s management 3FFE::/96 Remote Static 00h00m11s 3000::AC1F:7567 ------------------------------------------------------------------------------- No. of Routes: 3 =============================================================================== *B:Dut-C>config>router# Note that the help info output (?) is inherited from the basic router context and does not reflect the specific syntax for the management context.
IP Router Configuration Router L2TP Commands l2tp Syntax l2tp Context config>router Description This command enables the context to configure L2TP parameters. L2TP extends the PPP model by allowing Layer 2 and PPP endpoints to reside on different devices interconnected by a packet-switched network.
Page 130
Router L2TP Commands next-attempt Syntax next-attempt {same-preference-level | next-preference-level} no next-attempt Context configure>router>l2tp configure>service>vprn>l2tp Description This command enables tunnel selection algorithm based on the tunnel preference level. Parameters same-preference-level — In case that the tunnel-spec selection algorithm evaluates into a tunnel that is currently unavailable (for example tunnel in a blacklist) then the next elected tunnel, if available, will be chosen within the same preference-level as the last attempted tunnel.
Page 131
IP Router Configuration tunnel-selection-blacklist Syntax tunnel-selection-blacklist Context config>router>l2tp Description This command enables the context to configure L2TP Tunnel Selection Blacklist parameters. add-tunnel Syntax add-tunnel never add-tunnel on reason [reason...(upto 8 max)] no add-tunnel Context configure>router>l2tp>tunnel-selection-blacklist configure>service>vprn>l2tp>tunnel-selection-blacklist Description This command will force the tunnel to the blacklist and render it unavailable for new sessions for the duration of pre-configured time.
Page 132
Router L2TP Commands The receipt of the following Result Codes will NEVER blacklist a tunnel:
(0) Reserved
(3) Control channel already exist
(7) Finite state machine error
(8) Undefined
Transmission of the following Result Codes will NEVER blacklist a tunnel:
(1) General request to clear control connection
(3) Control channel already exist
(6) Requestor is being shutdown...
Page 133
IP Router Configuration max-time Syntax max-time minutes no max-time Context configure>router>l2tp>tunnel-selection-blacklist configure>service>vprn>l2tp>tunnel-selection-blacklist Description This command configures the time for which an entity (a peer or a tunnel) is kept in the blacklist. Default 5 minutes Parameters minutes — Specifies the maximum time a tunnel or peer may remain in the blacklist Values 1..60 timeout-action...
Page 134
Router L2TP Commands Description This command specifies what to do in case the system receives an L2TP response from another address than the one the request was sent to. Parameters accept — Specifies that this system accepts any source IP address change of received L2TP control messages related to a locally originated tunnel in the state waitReply and rejects any peer address change for other tunnels;...
Page 135
IP Router Configuration create — This keyword is mandatory when creating a tunnel group name. The create keyword requirement can be enabled/disabled in the environment>create context. session-limit Syntax session-limit session-limit no session-limit Context config>router>l2tp Description This command configures the L2TP session limit for the router. L2TP is connection-oriented. The L2TP Network Server (LNS) and LAC maintain state for each call that is initiated or answered by an LAC.
Page 136
Router L2TP Commands Description This command configures the use of challenge-response authentication. The no form of the command reverts to the default never value. Parameters always — Specifies that the challenge-response authentication is always used. Default no challenge Values always destruct-timeout Syntax destruct-timeout destruct-timeout...
Page 137
IP Router Configuration idle-timeout Syntax idle-timeout idle-timeout no idle-timeout Context config>router>l2tp>group Description This command configures the period of time that an established tunnel with no active sessions will persist before being disconnected. Enter the no form of the command to maintain a persistent tunnel. The no form of the command removes the idle timeout from the configuration.
Page 138
Router L2TP Commands • HPol intermediate destination arbiters where the intermediate destination is an L2TP tunnel. local-address Syntax local-address ip-address no local-address Context config>router>l2tp>group>tunnel Description This command configures the local address. Parameters ip-address — Specifies the IP address used during L2TP authentication. local-name Syntax local-name host-name...
Page 139
IP Router Configuration Default no max-retries-estab Values 2 — 7 max-retries-not-estab Syntax max-retries-not-estab max-retries no max-retries-not-estab Context config>router>l2tp>group config>router>l2tp>group>tunnel Description This command configures the number of retries allowed for this L2TP tunnel while it is not established, before its control connection goes down. The no form of the command removes the value from the configuration.
Page 140
Router L2TP Commands Syntax Context config>router>l2tp>group Description This command configures PPP for the L2TP tunnel group. authentication Syntax authentication {chap|pap|pref-chap} Context config>router>l2tp>group>ppp Description This command configures the PPP authentication protocol to negotiate. authentication-policy Syntax authentication-policy auth-policy-name no authentication-policy Context config>router>l2tp>group>ppp Description This command configures the authentication policy.
Page 141
IP Router Configuration keepalive Syntax keepalive seconds [hold-up-multiplier multiplier] no keepalive Context config>router>l2tp>group>ppp Description This command configures the PPP keepalive interval and multiplier. Parameters seconds — Specifies in seconds the interval. Values 10 — 300 multiplier — Specifies the multiplier. Values 1 —...
Page 142
Router L2TP Commands no user-db Context config>router>l2tp>group>ppp Description This command configures the local user database to use for PPP PAP/CHAP authentication. Parameters local-user-db-name — Specifies the local user database name. Values 32 chars max session-assign-method Syntax session-assign-method weighted no session-assign-method Context config>router>l2tp>group Description...
Page 143
IP Router Configuration Router L2TP Tunnel Commands tunnel Syntax tunnel tunnel-name [create] no tunnel tunnel-name Context config>router>l2tp>group Description This command configures an L2TP tunnel. A tunnel exists between a LAC-LNS pair and consists of a Control Connection and zero or more L2TP sessions. The tunnel carries encapsulated PPP datagrams and control messages between the LAC and the L2TP Network Server (LNS).
Page 144
Router L2TP Commands challenge Syntax challenge challenge-mode no challenge Context config>router>l2tp>group>tunnel Description This command configures the use of challenge-response authentication. The no form of the command removes the parameter from the configuration and indicates that the value on group level will be taken. Default no challenge Parameters...
Page 145
IP Router Configuration Parameters idle-timeout — Specifies the idle timeout, in seconds. Values 0 — 3600 infinite — Specifies that the tunnel will not be closed when idle. peer Syntax peer ip-address no peer Context config>router>l2tp>group>tunnel Description This command configures the peer address. The no form of the command removes the IP address from the tunnel configuration.
Page 146
Router L2TP Commands tunnel-selection-blacklist Syntax tunnel-selection-blacklist Context config>router>l2tp Description This command enables the context to configure L2TP Tunnel Selection Blacklist parameters. add-tunnel Syntax add-tunnel never add-tunnel on reason [reason...(upto 8 max)] no add-tunnel Context configure>router>l2tp>tunnel-selection-blacklist configure>service>vprn>l2tp>tunnel-selection-blacklist Description This command will force the tunnel to the blacklist and render it unavailable for new sessions for the duration of pre-configured time.
Page 147
IP Router Configuration (5) Protocol version not supported
The receipt of the following Result Codes will NEVER blacklist a tunnel:
(0) Reserved
(3) Control channel already exist
(7) Finite state machine error
(8) Undefined
Transmission of the following Result Codes will NEVER blacklist a tunnel:
(1) General request to clear control connection
(3) Control channel already exist
(6) Requestor is being shutdown...
Page 148
Router L2TP Commands configure>service>vprn>l2tp>tunnel-selection-blacklist Description This command configures the time for which an entity (a peer or a tunnel) is kept in the blacklist. Default 5 minutes Parameters minutes — Specifies the maximum time a tunnel or peer may remain in the blacklist Values 1..60 timeout-action...
IP Router Configuration Router Interface Commands interface Syntax [no] interface ip-int-name [unnumbered-mpls-tp] Context config>router Description This command creates a logical IP routing or unnumbered MPLS-TP interface. Once created, attributes like IP address, port, or system can be associated with the IP interface. Interface names are case-sensitive and must be unique within the group of IP interfaces defined for config router interface and config service ies interface.
Page 150
Router Interface Commands unnumbered-mpls-tp, then it can only be associated with an Ethernet port or VLAN, using the port command. Either a unicast, multicast or broadcast remote MAC address may be configured using the static-arp command. Only static ARP is supported.
Page 151
IP Router Configuration address Syntax address {ip-address/mask | ip-address netmask} [broadcast {all-ones | host-ones}] no address Context config>router>interface Description This command assigns an IP address, IP subnet, and broadcast address format to an IP interface. Only one IP address can be associated with an IP interface. An IP address must be assigned to each IP interface.
Page 152
Router Interface Commands parameter indicates the complete mask that will be used in a logical ‘AND’ function to derive the local subnet of the IP address. Note that a mask of 255.255.255.255 is reserved for system IP addresses. Values 128.0.0.0 — 255.255.255.255 netmask —...
Page 153
IP Router Configuration When enabled, a frame destined to the local subnet on this IP interface is sent as a subnet broadcast out this interface. NOTE: Allowing directed broadcasts is a well-known mechanism used for denial-of-service attacks. By default, directed broadcasts are not allowed and are discarded at this egress IP interface. The no form of the command disables directed broadcasts forwarding out of the IP interface.
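An added example, not taken from the guide: a Python check that reads a saved configuration and lists the IP interfaces on which directed broadcast forwarding is turned on, separating interfaces that are in service from those that are administratively shut down. The directed-broadcast command name (not shown in the excerpt above), the indented layout of the dump and the sample configuration are assumptions made for this example.

```python
import re

# Constructed sample in the indented layout of an SR OS configuration dump.
SAMPLE_CONFIG = """\
    router
        interface "system"
            address 10.10.10.1/32
        exit
        interface "to-sr1"
            address 10.0.0.25/24
            port 1/1/1
            directed-broadcast
        exit
        interface "to-lan"
            address 192.0.2.1/24
            port 1/1/2
            icmp
                no redirects
            exit
            no directed-broadcast
        exit
        interface "to-core"
            address 198.51.100.1/30
            port 1/1/3
            shutdown
            directed-broadcast
        exit
    exit
"""

# Interface names may be quoted (and then may contain spaces) or bare.
IF_HEADER = re.compile(r'^interface\s+(?:"([^"]+)"|(\S+))')


def _open_block(text, indent):
    """Start tracking an interface block if this line is an interface header."""
    m = IF_HEADER.match(text)
    if not m:
        return None
    return {"name": m.group(1) or m.group(2), "indent": indent,
            "child": None, "directed": False, "shutdown": False}


def _report(block, findings):
    """Record the block only if directed broadcasts ended up enabled."""
    if block["directed"]:
        state = "latent" if block["shutdown"] else "active"
        findings.append((block["name"], state))


def audit_directed_broadcast(config_text):
    """Return [(interface, 'active' | 'latent'), ...] in file order.

    'active' : directed broadcasts enabled on an interface that is in service.
    'latent' : enabled, but the interface is administratively shut down, so
               the exposure appears as soon as someone issues 'no shutdown'.
    Absence of the command counts as disabled, matching the documented default.
    """
    findings = []
    block = None
    for raw in config_text.splitlines():
        text = raw.strip()
        if not text or text.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if block is None:
            block = _open_block(text, indent)
            continue
        if indent <= block["indent"]:
            # 'exit' (or any dedent) at the header's level closes the block.
            _report(block, findings)
            block = _open_block(text, indent)
            continue
        if block["child"] is None:
            block["child"] = indent
        if indent != block["child"]:
            continue  # line belongs to a nested context such as icmp or ipv6
        if text == "directed-broadcast":
            block["directed"] = True
        elif text == "no directed-broadcast":
            block["directed"] = False
        elif text == "shutdown":
            block["shutdown"] = True
        elif text == "no shutdown":
            block["shutdown"] = False
    if block is not None:
        _report(block, findings)  # file ended without a closing 'exit'
    return findings


if __name__ == "__main__":
    for name, state in audit_directed_broadcast(SAMPLE_CONFIG):
        print(f"{name}: directed-broadcast enabled ({state})")
```

Only commands at the interface's own level are evaluated, so a shutdown inside a nested context is not mistaken for the interface's administrative state.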
Page 154
Router Interface Commands The service is shut down (shutdown) The interval is specified 10 — 100000. The service is re-enabled (no shutdown) To remove the type cpm-np option, re-issue the bfd command without specifying the type parameter. Default no bfd Parameters transmit-interval —...
Page 155
IP Router Configuration Default no cflowd Parameters acl — Specifies the policy associated with a filter. interface — Specifies the policy associated with an IP interface. direction — Specifies the direction to collect traffic flow samples. Values ingress-only — Enables ingress sampling only on the associated interface. egress-only —...
Page 156
Router Interface Commands egr-ip-load-balancing Syntax egr-ip-load-balancing {src-ip | dst-ip} no egr-ip-load-balancing Context config>router>interface Description This command specifies whether to include source address or destination address or both in LAG/ECMP hash on IP interfaces. Additionally, when l4-load-balancing is enabled the command applies also to inclusion of source/destination port in the hash inputs.
Page 157
IP Router Configuration Description This command enables MAC Accounting functionality for the interface. if-attribute Syntax if-attribute Context config>router>interface Description This command adds and removes interface attributes. if-admin-group Syntax [no] if-admin-group group-name [group-name...(upto 5 max)] Context config>router>interface Description This command configures interface Admin Group memberships for this interface. if-srlg-group Syntax [no] if-srlg-group group-name [group-name...(upto 5 max)]...
Page 158
Router Interface Commands The no form of this command reverts the SAP/network interface to use per-flow, service or link hash as configured for the service/LAG. Default no lag-link-map-profile Parameters link-map-profile-id — An integer from 1 to 32 that defines a unique lag link map profile on the LAG on which the SAP/network interface exists.
Page 159
IP Router Configuration Context config>router>interface Description This command enables synchronization of IGP and LDP. When a link is restored after a failure, IGP sets the link cost to infinity and advertises it. The actual value advertised in OSPF is 0xFFFF (65535). The actual value advertised in IS-IS regular metric is 0x3F (63) and in IS-IS wide-metric is 0xFFFFFE (16777214).
Page 160
Router Interface Commands Context config>router>interface Description This command configures the interface as a loopback interface. Default Not enabled lsr-load-balancing Syntax lsr-load-balancing hashing-algorithm no lsr-load-balancing Context config>router>if Description This command specifies whether the IP header is used in the LAG and ECMP LSR hashing algorithm.
Page 161
IP Router Configuration multihoming Syntax [no] multihoming primary|secondary [hold-time holdover-time] Context config>router>interface Description This command sets the associated loopback interface to be an anycast address used in multi-homing resiliency, as either the primary or a secondary (a primary address on the alternate router). The optional hold-time parameter is only applicable for the secondary context and specifies how long label information learned about the secondary anycast address should be kept after that peer is declared down.
Page 162
Router Interface Commands The no form of the command disables SNTP broadcast received on the IP interface. Default no ntp-broadcast port Syntax port port-name no port Context config>router>interface Description This command creates an association with a logical IP interface and a physical port. An interface can also be associated with the system (loopback address).
Page 163
IP Router Configuration ccag-id ccag-id.path-id[cc-type] ccag keyword 1..8 path-id a, b cc-type .sap-net, .net-sap lag-id lag-id keyword 1..200 proxy-arp-policy Syntax [no] proxy-arp-policy policy-name [policy-name...(up to 5 max)] Context config>router>interface Description This command enables and configures proxy ARP on the interface and specifies an existing policy-statement to analyze match and action criteria that controls the flow of routing information to and from a given protocol, set of protocols, or a particular neighbor.
Page 164
Router Interface Commands qos-route-lookup Syntax qos-route-lookup [source | destination] no qos-route-lookup Context config>router>interface config>router>interface>ipv6 Description This command enables QoS classification of the ingress IP packets on an interface based on the QoS information associated with routes in the forwarding table. If the optional destination parameter is specified and the destination address of an incoming IP packet matches a route with QoS information, the packet is classified to the fc and priority associated with that route, overriding the fc and priority/profile determined from the sap-ingress or network qos...
Page 165
IP Router Configuration Context config>router>interface Description This command associates a network Quality of Service (QoS) policy with a network IP interface. Only one network QoS policy can be associated with an IP interface at one time. Attempts to associate a second QoS policy return an error. Associating a network QoS policy with a network interface is useful for the following purposes: •...
Page 166
Router Interface Commands remote-proxy-arp Context config>router>interface Description This command enables remote proxy ARP on the interface. Default no remote-proxy-arp secondary Syntax secondary {[ip-address/mask | ip-address netmask]} [broadcast {all-ones | host-ones}] [igp-inhibit] no secondary ip-addr Context config>router>interface Description Use this command to assign up to 16 secondary IP addresses to the interface. Each address can be configured in an IP address, IP subnet or broadcast address format.
Page 167
IP Router Configuration The all-ones keyword following the broadcast parameter specifies that the broadcast address used by the IP interface for this IP address will be 255.255.255.255, also known as the local broadcast. The host-ones keyword following the broadcast parameter specifies that the broadcast address used by the IP interface for this IP address will be the subnet broadcast address.
Page 168
Router Interface Commands strip-label Syntax [no] strip-label Context config>router>interface Description This command forces packets to be stripped of all (max 5) MPLS labels before the packets are handed over for possible filter (PBR) processing. If the packets do not have an IP header immediately following the MPLS label stack after the strip, they are discarded.
Page 169
IP Router Configuration egress network interface treats all IES and network IP interface as untrusted. When the ingress network IP interface is set to untrusted, all egress network IP interfaces will remark IP packets received on the network interface according to the egress marking definitions on each network interface.
Page 170
Router Interface Commands qos-route-lookup Syntax qos-route-lookup [source | destination] no qos-route-lookup Context config>router>if config>router>if>ipv6 Description This command enables QoS classification of the ingress IP packets on an interface based on the QoS information associated with routes in the forwarding table. If the optional destination parameter is specified and the destination address of an incoming IP packet matches a route with QoS information, the packet is classified to the fc and priority associated with that route, overriding the fc and priority/profile determined from the sap-ingress or network qos...
Page 171
IP Router Configuration config>router>if>ipv6 Description This command allows the TCP MSS value used for TCP connections associated with the IPv4 or IPv6 interface to be set to a static value instead of being determined by the IP MTU value. The configured TCP MSS value will only be used for future TCP connections associated with the IPv4 or IPv6 interface; existing TCP connections are not affected by the static value.
Page 172
Router Interface Commands strict-no-ecmp — When a packet is received on an interface in this mode and the SA matches an ECMP route, the packet is dropped by uRPF. mh-primary-interface Syntax [no] mh-primary-interface Context config>router Description This command creates a loopback interface for use in multihoming resiliency. Once active, this interface can be used to advertise reachability information to the rest of the network using the primary address, which is backed up by the secondary.
Page 173
IP Router Configuration shutdown), which reinitializes the protocol interfaces and MPLS LSPs associated with that IP interface. If a new address is entered while another address is still active, the new address will be rejected. Parameters ip-address — The IP address of the IP interface. The ip-addr portion of the address command specifies the IP host address that will be used by the IP interface within the subnet.
Page 174
Router Interface Commands shutdown Syntax [no] shutdown Context config>router>mh-primary-interface config>router>mh-secondary-interface Description The shutdown command administratively disables an entity. The operational state of the entity is disabled as well as the operational state of any entities contained within. Many objects must be shut down before they may be deleted.
Page 175
IP Router Configuration When applied to MPLS interfaces, the interfaces can be included or excluded in the LSP path definition by inferring the admin-group name. CSPF will compute a path that satisfies the admin- group include and exclude constraints. When applied to IES, VPRN, or network IP interfaces, the interfaces can be included or excluded in the route next-hop selection by inferring the admin-group name in a route next-hop policy template applied to an interface or a set of prefixes.
Page 176
Router Interface Commands Parameters group-name — Specifies the name of the group with up to 32 characters. The association of group name and value should be unique within an IP/MPLS domain. srlg-group Syntax srlg-group group-name value group-value no srlg-group group-name Context config>router>if-attribute Description...
Page 177
IP Router Configuration srlg-group Syntax srlg-group group-name [group-name...(up to 5 max)] no srlg-group group-name [group-name...(up to 5 max)] no srlg-group Context config>router>interface>if-attribute config>service>ies>interface>if-attribute config>service>vprn>interface>if-attribute config>router>mpls>interface Description This command configures the SRLG membership of an interface. The user can apply SRLGs to an IES, VPRN, network IP, or MPLS interface.
Page 178
Router Interface Commands A policy template can be used in both IS-IS and OSPF to apply the specific criteria to prefixes protected by LFA. Each instance of IS-IS or OSPF can apply the same policy template to one or more interfaces.
Page 179
IP Router Configuration The exclude-group statement simply prunes all links belonging to the specified admin group before making the LFA backup next-hop selection for a prefix. If the same group name is part of both include and exclude statements, the exclude statement will win.
Page 180
Router Interface Commands srlg-enable Syntax [no] srlg-enable Context config>router>route-next-hop-policy>template Description This command configures the SRLG constraint into the route next-hop policy template. When this command is applied to a prefix, the LFA SPF will attempt to select an LFA next-hop, among the computed ones, which uses an outgoing interface that does not participate in any of the SRLGs of the outgoing interface used by the primary next-hop.
Page 181
IP Router Configuration When the route next-hop policy template is applied to an IP interface, all prefixes using this interface as a primary next-hop will follow the next-hop type preference specified in the template. The no form deletes the next-hop type constraint from the route next-hop policy template. Parameters {ip | tunnel} —...
Page 182
Router Interface Commands The implementation already allows the user to exclude an interface in IS-IS or OSPF, an OSPF area, or an IS-IS level from the LFA SPF. If a prefix is excluded from LFA, then it will not be included in LFA calculation regardless of its priority.
Page 183
IP Router Configuration reconverge after a router failure before the anycast based label assignments are flushed from the forwarding plane. Values 0-65535 Default
Page 184
Router Interface Commands Router Interface Filter Commands egress Syntax egress Context config>router>interface Description This command enables access to the context to configure egress network filter policies for the IP interface. If an egress filter is not defined, no filtering is performed. ingress Syntax ingress...
Page 185
IP Router Configuration Description This command enables IPv6 flowspec filtering on a network IP interface. Filtering is based on all of the IPv6 flowspec routes that have been received and accepted by the base router BGP instance. Ingress IPv6 traffic on an interface can be filtered by both a user-defined IPv4 filter and flowspec. Evaluation proceeds in this order:
1. user-defined IPv6 filter entries
2. flowspec-derived filter entries...
Page 186
Router Interface Commands Router Interface ICMP Commands icmp Syntax icmp Context config>router>interface Description This command enables access to the context to configure Internet Control Message Protocol (ICMP) parameters on a network IP interface. ICMP is a message control and error reporting protocol that also provides information relevant to IP packet processing.
Page 187
IP Router Configuration Default redirects 100 10 — Maximum of 100 redirect messages in 10 seconds. Parameters number — The maximum number of ICMP redirect messages to send, expressed as a decimal integer. This parameter must be specified with the time parameter. Values 10 —...
Page 188
Router Interface Commands By default, generation of ICMP destination unreachable messages is enabled at a maximum rate of 100 per 10 second time interval. The no form of the command disables the generation of ICMP destination unreachables on the router interface.
Page 189
IP Router Configuration Router Interface IPv6 Commands ipv6 Syntax [no] ipv6 Context config>router>interface Description This command configures IPv6 for a router interface. The no form of the command disables IPv6 on the interface. Default not enabled address Syntax address {ipv6-address/prefix-length} [eui-64] no address {ipv6-address/prefix-length} Context config>router>if>ipv6...
Page 190
Router Interface Commands packet-too-big Syntax packet-too-big [number seconds] no packet-too-big Context config>router>if>ipv6>icmp6 Description This command configures the rate for ICMPv6 packet-too-big messages. Parameters number — Limits the number of packet-too-big messages issued per the time frame specified in the seconds parameter. Values 10 —...
Page 191
Parameters number — Limits the number of redirects issued per the time frame specified in the seconds parameter.
Values 10 — 1000
seconds — Determines the time frame, in seconds, that is used to limit the number of redirects issued per time frame.
Page 192
link-local-address
Syntax link-local-address ipv6-address [preferred]
no link-local-address
Context config>router>if>ipv6
Description This command configures the link local address.

local-proxy-nd
Syntax [no] local-proxy-nd
Context config>router>if>ipv6
Description This command enables local proxy neighbor discovery on the interface. The no form of the command disables local proxy neighbor discovery.

proxy-nd-policy
Syntax proxy-nd-policy policy-name [policy-name...(up to 5 max)]...
Page 193
Parameters ipv6-address — The IPv6 address assigned to a router interface.
Values ipv6-address: x:x:x:x:x:x:x:x (eight 16-bit pieces)
x:x:x:x:x:x:d.d.d.d
[0 — FFFF]H
[0 — 255]D
mac-address — Specifies the MAC address for the neighbor in the form of xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx.
Router Advertisement Commands

router-advertisement
Syntax [no] router-advertisement
Context config>router
Description This command configures router advertisement properties. By default, it is disabled for all IPv6 enabled interfaces. The no form of the command disables all IPv6 interfaces. However, the no interface interface-name command disables a specific interface.
Page 195
managed-configuration
Syntax [no] managed-configuration
Context config>router>router-advert>if
Description This command sets the managed address configuration flag. This flag indicates that DHCPv6 is available for address configuration in addition to any address autoconfigured using stateless address autoconfiguration. See RFC 3315, Dynamic Host Configuration Protocol (DHCP) for IPv6.
Default no managed-configuration

max-advertisement-interval...
Page 196
Default no mtu — The MTU option is not sent in the router advertisement messages.
Parameters mtu-bytes — Specify the MTU for the nodes to use to send packets on the link.
Values 1280 — 9212

other-stateful-configuration
Syntax [no] other-stateful-configuration
Description...
Page 197
Description This command specifies whether the prefix can be used for stateless address autoconfiguration.
Default enabled

on-link
Syntax [no] on-link
Context config>router>router-advert>if>prefix
Description This command specifies whether the prefix can be used for onlink determination.
Default enabled

preferred-lifetime
Syntax [no] preferred-lifetime {seconds | infinite}...
Page 198
reachable-time
Syntax reachable-time milli-seconds
no reachable-time
Context config>router>router-advert>if
Description This command configures how long this router should be considered reachable by other nodes on the link after receiving a reachability confirmation.
Default no reachable-time
Parameters milli-seconds — Specifies the length of time the router should be considered reachable.
Values 0 —...
Page 199
use-virtual-mac
Syntax [no] use-virtual-mac
Context config>router>router-advert>if
Description This command enables sending router advertisement messages using the VRRP virtual MAC address, provided that the virtual router is currently the master. If the virtual router is not the master, no router advertisement messages are sent. The no form of the command disables sending router advertisement messages.
Show Commands

aggregate
Syntax aggregate [family] [active]
Context show>router
Description This command displays aggregate routes.
Parameters family — Specifies to display IPv4 or IPv6 aggregate routes.
Values ipv4, ipv6
active — When the active keyword is specified, inactive aggregates are filtered out.
Sample Output
*A:CPM133>config>router# show router aggregate
===============================================================================...
Page 202
Show Commands [local | dynamic | static | managed] — Only displays ARP information associated with the keyword. Output ARP Table Output — The following table describes the ARP table output fields: Label Description IP Address The IP address of the ARP entry. MAC Address The MAC address of the ARP entry.
Page 203
IP Router Configuration ARP Table =============================================================================== IP Address MAC Address Expiry Type Interface ------------------------------------------------------------------------------- 10.10.13.1 04:5b:01:01:00:02 03:53:09 to-ser1 =============================================================================== A:ALA-A# authentication Syntax authentication Context show>router Description This command enables the command to display authentication statistics. statistics Syntax statistics statistics interface [ip-int-name | ip-address] statistics policy name Context show>router>authentication...
Page 204
Client Packets Authenticate Ok : 12
===================================================================
A:ALU-3>

bfd
Syntax bfd
Context show>router
Description This command enables the context to display bi-directional forwarding detection (BFD) information.
Sample Output
*A:Dut-D# show router 3 bfd session
===============================================================================
BFD Session
===============================================================================
Interface State Tx Intvl Rx Intvl Multipl Remote Address...
Page 206
Show Commands 0::0.0.0.0 mplsTp cpm-np pp::lsp-35 Up (3) 1000 1000 0::0.0.0.0 mplsTp cpm-np pp::lsp-36 Up (3) 1000 1000 0::0.0.0.0 mplsTp cpm-np pp::lsp-37 Up (3) 1000 1000 0::0.0.0.0 mplsTp cpm-np pp::lsp-38 Up (3) 1000 1000 0::0.0.0.0 mplsTp cpm-np pp::lsp-39 Up (3) 1000 1000 0::0.0.0.0...
Page 207
IP Router Configuration port-1-3 port-1-3 port-1-4 port-1-4 port-1-5 =============================================================================== *A:Dut-B# session Syntax session [src ip-address [dst ip-address] | detail] session [type type] session [summary] Context show>router>bfd Description This command displays session information. Parameters ip-address — Only displays the interface information associated with the specified IP address. Values ipv4-address a.b.c.d (host bits must be 0)
Page 208
Show Commands =============================================================================== Interface State Tx Intvl Rx Intvl Multipl Remote Address Protocols Tx Pkts Rx Pkts Type ------------------------------------------------------------------------------- port-1-1 Up (3) 10.1.1.3 pim isis 50971 50718 port-1-1 Up (3) 3FFE::A01:103 static bgp cpm-np port-1-1 Up (3) FE80::A0A:A03 pim isis ospf3 cpm-np port-1-2 Up (3)
Page 209
IP Router Configuration Local Discr : 42 Local State : Up (3) Local Diag : 3 (Neighbor signalled s* Local Mode : Async Local Min Tx : 10 Local Mult Last Sent (ms) : 6 Local Min Rx : 10 Type : cpm-np Remote Discr...
Page 210
Show Commands port-1-4 Up (3) =============================================================================== *A:Dut-B# *A:Dut-D# show router bfd session summary ============================= BFD Session Summary ============================= Termination Session Count ----------------------------- central cpm-np iom, slot 1 iom, slot 2 iom, slot 3 iom, slot 4 iom, slot 5 Total ============================= *A:Dut-D# dhcp...
Page 211
If an IP address or interface name is specified, then only data regarding the specified interface is displayed.
Parameters ip-int-name | ip-address — Displays statistics for the specified IP interface.
Output Show DHCP Statistics Output — The following table describes the output fields for DHCP statistics.
Page 212
Show Commands 7 REPLY 8 RELEASE 9 DECLINE 10 RECONFIGURE 11 INFO_REQUEST 12 RELAY_FORW 13 RELAY_REPLY -------------------------------------------------------------------------- Dhcp6 Drop Reason Counters : -------------------------------------------------------------------------- 1 Dhcp6 oper state is not Up on src itf 2 Dhcp6 oper state is not Up on dst itf 3 Relay Reply Msg on Client Itf 4 Hop Count Limit reached 5 Missing Relay Msg option, or illegal msg type...
Page 213
IP Router Configuration Indicates whether IP Auto Filter is enabled on the interface. Auto Filter Indicates whether Auto ARP table population is enabled on the interface. Snoop Indicates the total number of router interfaces on the router. Interfaces Sample Output A:ALA-1# show router dhcp summary =============================================================================== DHCP6 Summary (Router: Base)
Page 214
Sample Output
A:ALA-A# show router ecmp
===============================================================================
Router ECMP
===============================================================================
Instance Router Name ECMP Configured-ECMP-Routes
-------------------------------------------------------------------------------
Base True
===============================================================================
A:ALA-A#

fib
Syntax fib slot-number [family] [ip-prefix/prefix-length] [longer] [secondary] [exclude-services]
fib slot-number [family] summary
fib slot-number nh-table-usage
Context show>router
Description This command displays the active FIB entries for a specific IOM.
Page 216
20.12.0.46/32 STATIC vprn1:mda-3-1
100.0.0.1/32 vprn1:mda-1-1 vprn1:mda-3-1
138.203.71.202/32 STATIC 10.12.0.2 (itfToArborCP_02)
-------------------------------------------------------------------------------
Total Entries : 15
-------------------------------------------------------------------------------
===============================================================================
Page 217
fp-tunnel-table
Syntax fp-tunnel-table slot-number [ip-prefix/prefix-length]
Context show>router
Description This command displays the IOM/IMM label, next-hop and outgoing interface information for BGP, LDP and RSVP tunnels used in any of the following applications:
• BGP shortcut (configure>router>bgp>igp-shortcut)
• IGP shortcut (config>router>isis[ospf]>rsvp-shortcut)
•...
Page 218
Show Commands Label Description (Continued) Time Exceeded The number of messages that exceeded the time threshold. Echo Request The number of echo requests. Router Solicits The number of times the local router was solicited. Neighbor Solicits The number of times the neighbor router was solicited. Errors The number of error messages.
Page 219
interface
Syntax interface [interface-name]
Context show>router>icmpv6
Description This command displays interface ICMPv6 statistics.
Parameters interface-name — Only displays entries associated with the specified IP interface name.
Output icmp6 interface Output — The following table describes the show router icmp6 interface output fields:
Label Description...
Page 220
Show Commands Router Solicits Router Advertisements Neighbor Solicits : 20 Neighbor Advertisements : 21 ------------------------------------------------------------------------------- Sent Total : 47 Errors Destination Unreachable : 0 Redirects Time Exceeded Pkt Too Big Echo Request Echo Reply Router Solicits Router Advertisements Neighbor Solicits : 27 Neighbor Advertisements : 20 ===============================================================================...
Page 221
IP Router Configuration Label Description Interface-Name The IP interface name. Type n/a — No IP address has been assigned to the IP interface, so the IP address type is not applicable. Pri — The IP address for the IP interface is the Primary address on the IP interface.
Page 222
Show Commands Port Id : 1/1/2:1 TOS Marking : Trusted If Type : Network Egress Filter : none Ingress Filter : none Egr IPv6 Flt : none Ingr IPv6 Flt : none BGP IP FlowSpec : Disabled BGP IPv6 FlowSpec: Disabled SNTP B.Cast : False QoS Policy...
Page 223
IP Router Configuration "group1" "group2" ---------------------------------------------------------------------- ---------------------------------------------------------------------- Srlg Groups ---------------------------------------------------------------------- "group3" "group4" ---------------------------------------------------------------------- -----------------------------------------------------------------------Qos Details ----------------------------------------------------------------------- Ing Qos Policy : (none) Egr Qos Policy : (none) Ingress FP QGrp : (none) Egress Port QGrp : (none) Ing FP QGrp Inst : (none) Egr Port QGrp Inst: (none) ======================================================================= * indicates that the corresponding row element may have been truncated.
Page 226
Show Commands Label Description (Continued) Virt If Index The virtual interface index of the IP router interface. Last Oper Change The last change in operational status. Global If Index The global interface index of the IP router interface. Sap ID The SAP identifier.
Page 227
IP Router Configuration Interface Table (Router: Base) =============================================================================== ------------------------------------------------------------------------------- Interface ------------------------------------------------------------------------------- If Name : to-sim1621 Admin State : Up Oper (v4/v6) : Up/-- Protocols : None IP Addr/mask : 1.1.1.2/24 Address Type : Primary IGP Inhibit : Disabled Broadcast Address : Host-ones HoldUp-Time Track Srrp Inst -------------------------------------------------------------------------------...
Page 228
Show Commands default ------------------------------------------------------------------------------- Qos Details ------------------------------------------------------------------------------- Ing Qos Policy : (none) Egr Qos Policy : (none) Ingress FP QGrp : (none) Egress Port QGrp : (none) Ing FP QGrp Inst : (none) Egr Port QGrp Inst: (none) =============================================================================== * indicates that the corresponding row element may have been truncated. B:bksim1619# *A:Dut-C# show router 1 interface "mda-3-1"...
Page 229
IP Router Configuration IGP Inhibit : Disabled Broadcast Address : Host-ones HoldUp-Time Track Srrp Inst ------------------------------------------------------------------------------- Details ------------------------------------------------------------------------------- Description : tms-2-1 If Index Virt. If Index Last Oper Chg : 09/14/2011 08:39:24 Global If Index : 122 If Type : TMS Rx Pkts : 13508 Rx Bytes...
Page 236
Show Commands Flags: LFA = Loop-Free Alternate nexthop ============================================================================ *A:Dut-B# bindings Syntax bindings active Context show>router>ldp Description This command displays LDP bindings information. Sample Output *A:Dut-A# show router ldp bindings active ======================================================================== Legend: (S) - Static (M) - Multi-homed Secondary Support (B) - BGP Next Hop (BU) - Alternate Next-hop for Fast Re-Route ======================================================================== LDP Prefix Bindings (Active)
Page 237
IP Router Configuration ======================================================================== *A:Dut-A# show router ldp bindings ======================================================================== LDP LSR ID: 10.20.1.1 ======================================================================== Legend: U - Label In Use, N - Label Not In Use, W - Label Withdrawn S - Status Signaled Up, D - Status Signaled Down E - Epipe Service, V - VPLS Service, M - Mirror Service A - Apipe Service, F - Fpipe Service, I - IES Service, R - VPRN service P - Ipipe Service, WP - Label Withdraw Pending, C - Cpipe Service...
Page 238
Show Commands mvpn Syntax mvpn Context show>router router-instance Description This command displays Multicast VPN related information. The router instance must be specified. Sample Output *A:Dut-C# show router 1 mvpn =============================================================================== MVPN 1 configuration data =============================================================================== signaling : Bgp auto-discovery : Enabled UMH Selection : Highest-Ip intersite-shared...
Page 239
IP Router Configuration Label Description Displays the IPv6 address. IPv6 Address Interface Displays the name of the IPv6 interface name. Specifies the link-layer address. MAC Address Displays the current administrative state. State Displays the number of seconds until the entry expires. Displays the type of IPv6 interface.
Page 241
SDPs : 1
===============================================================================
*A:Dut-T>config>service#

policy
Syntax policy [name | damping | prefix-list name | as-path name | community name | admin]
Context show>router
Description This command displays policy-related information.
Parameters name — Specify an existing policy-statement name.
damping —...
Page 242
policy-edits
Syntax policy-edits
Context show>router
Description This command displays edited policy information.

route-table
Syntax route-table [family] [ip-prefix[/prefix-length] [longer|exact|protocol protocol-name] [all]] [next-hop-type type][qos][alternative]
route-table [family] summary
route-table tunnel-endpoints [ip-prefix[/prefix-length]] [longer|exact] [detail]
Context show>router
Description This command displays the active routes in the routing table. If no command line arguments are specified, all routes are displayed, sorted by prefix.
Page 243
IP Router Configuration Output Standard Route Table Output — The following table describes the standard output fields for the route table. Label Description Dest Address The route destination address and mask. Next Hop The next hop IP address for the route destination. Type Local —...
Page 245
IP Router Configuration 10.10.12.3 13 10.20.1.6/32 [L] Remote ISIS 00h00m58s 15 10.10.4.4 20 ---------------------------------------------------------------------------- No. of Routes: 16 Flags: L = LFA nexthop available B = BGP backup route available ============================================================================ *A:Dut-B# show router route-table alternative ============================================================================ Route Table (Router: Base) ============================================================================ Dest Prefix[Flags] Type Proto Age Pref Next Hop[Interface Name] Metric...
Page 246
----------------------------------------------------------------------------
No. of Routes: 16
Flags: Backup = BGP backup route
LFA = Loop-Free Alternate nexthop
============================================================================
*A:Dut-C# show router route-table 1.1.1.1/32
===============================================================================
Route Table (Router: Base)
===============================================================================
Dest Prefix Type Proto Pref Next Hop[Interface Name] Metric
-------------------------------------------------------------------------------
1.1.1.1/32 Remote 00h00m09s 10.20.1.1 (tunneled:RSVP:1)
Page 247
IP Router Configuration 100.10.0.0/16 Black Hole Remote Static 00h03m17s 1 5 ------------------------------------------------------------------------------- No. of Routes: 1 =============================================================================== B:ALA-B# A:ALA-A# show router route-table 10.10.0.4 =============================================================================== Route Table =============================================================================== Dest Address Next Hop Type Protocol Metric Pref ------------------------------------------------------------------------------- 10.10.0.4/32 10.10.34.4 Remote OSPF 3523 1001 -------------------------------------------------------------------------------...
Page 248
Show Commands 20.12.0.43/32 Remote Static 00h44m31s vprn1:mda-1-1 20.12.0.44/32 Remote Static 00h44m31s vprn1:mda-2-1 20.12.0.45/32 Remote Static 00h44m31s vprn1:mda-2-2 20.12.0.46/32 Remote Static 00h44m30s vprn1:mda-3-1 100.0.0.1/32 Remote 00h34m39s vprn1:mda-1-1 100.0.0.1/32 Remote 00h34m39s vprn1:mda-3-1 138.203.71.202/32 Remote Static 00h44m29s 10.12.0.2 ------------------------------------------------------------------------------- No. of Routes: 17 Flags: L = LFA nexthop available B = BGP backup route available n = Number of times nexthop is repeated...
Page 250
Show Commands Aggregate Sub Mgmt Managed ------------------------------------------------------------------------------- Total =============================================================================== NOTE: ISIS LFA routes and BGP Backup routes are not counted towards the total. Summary Route Table Output — Summary output for the route table displays the number of active routes and the number of routes learned by the router by protocol. Total active and available routes are also displayed.
Page 251
Total 5006 9570
===============================================================================
NOTE: ISIS LFA routes and BGP Backup routes are not counted towards the total.
*A:SRR#

rtr-advertisement
Syntax rtr-advertisement [interface interface-name] [prefix ipv6-prefix[/prefix-length]]
rtr-advertisement [conflicts]
Context show>router
Description This command displays router advertisement information. If no command line arguments are specified, all routes are displayed, sorted by prefix.
Page 252
Label    Description (Continued)
False — Indicates that DHCPv6 is not available for address configuration.
Reachable Time    The time, in milliseconds, that a node assumes a neighbor is reachable after receiving a reachability confirmation.
Retransmit Time    The time, in milliseconds, between retransmitted neighbor solicitation messages.
Page 253
IP Router Configuration Autonomous Flag : FALSE On-link flag : FALSE Preferred Lifetime : 49710d06h Valid Lifetime : 49710d06h Prefix: 241::/120 Autonomous Flag : TRUE On-link flag : TRUE Preferred Lifetime : 00h00m00s Valid Lifetime : 00h00m00s Prefix: 251::/120 Autonomous Flag : TRUE On-link flag : TRUE...
Page 254
Show Commands Preferred Lifetime : 07d00h00m Valid Lifetime : 30d00h00m Prefix: 25::/120 Autonomous Flag : TRUE On-link flag : TRUE Preferred Lifetime : 07d00h00m Valid Lifetime : infinite Prefix: 231::/120 Autonomous Flag : TRUE On-link flag : TRUE Preferred Lifetime : 07d00h00m Valid Lifetime : 30d00h00m...
Page 255
IP Router Configuration Prefix: 231::/120 Autonomous Flag : FALSE On-link flag : FALSE Preferred Lifetime : 49710d06h Valid Lifetime : 49710d06h Prefix not present in neighbor router advertisement Prefix: 241::/120 Autonomous Flag : TRUE On-link flag : TRUE Preferred Lifetime : 00h00m00s Valid Lifetime : 00h00m00s...
Page 256
static-arp
Syntax static-arp [ip-addr | ip-int-name | mac ieee-mac-addr]
Context show>router
Description This command displays the router static ARP table sorted by IP address. If no options are present, all ARP entries are displayed.
Parameters ip-addr — Only displays static ARP entries associated with the specified IP address.
ip-int-name —...
Page 257
IP Router Configuration 12.200.1.1 00:00:5a:01:00:33 00:00:00 Inv to-ser1 =============================================================================== A:ALA-A# A:ALA-A# show router static-arp to-ser1 =============================================================================== ARP Table =============================================================================== IP Address MAC Address Type Interface ------------------------------------------------------------------------------- 10.200.0.253 00:00:5a:40:00:01 00:00:00 Sta to-ser1 =============================================================================== A:ALA-A# A:ALA-A# show router static-arp mac 00:00:5a:40:00:01 =============================================================================== ARP Table =============================================================================== IP Address...
Page 258
preference preference — Only displays static routes with the specified route preference.
Values 0 — 65535
next-hop ip-address — Only displays static routes with the specified next hop IP address.
Values ipv4-address: a.b.c.d (host bits must be 0)
ipv6-address: x:x:x:x:x:x:x:x (eight 16-bit pieces)
x:x:x:x:x:x:d.d.d.d...
Page 259
IP Router Configuration Route Table =============================================================================== IP Addr/mask Pref Metric Type Nexthop Interface Active ------------------------------------------------------------------------------- 192.168.250.0/24 10.200.10.1 to-ser1 192.168.252.0/24 10.10.0.254 192.168.253.0/24 to-ser1 192.168.253.0/24 10.10.0.254 192.168.254.0/24 black-hole =============================================================================== A:ALA-A# A:ALA-A# show router static-route 192.168.250.0/24 =============================================================================== Route Table =============================================================================== IP Addr/mask Pref Metric Type Nexthop Interface Active -------------------------------------------------------------------------------...
Page 260
Show Commands Interval : [value | n/a] Drop Count : <value> : [Y|N] CPE Host Up/Dn Time : 0d 16:32:28 CPE Echo Req Tx CPE Echo Reply Rx: 0 CPE Up Transitions CPE Down Transitions : 0 CPE TTL : 13 =============================================================================== A:sim1# *A:CPM133>config>router# show router static-route 3.3.3.3/32 detail...
Page 261
IP Router Configuration Address Ranges reserved for Services ================================================= IP Prefix Mask Exclusive ------------------------------------------------- 172.16.1.0 true 172.16.2.0 false ================================================= A:ALA-A# sgt-qos Syntax sgt-qos Context show>router Description This command displays self-generated traffic QoS related information. application Syntax application [app-name] [dscp|dot1p] Context show>router>sgt-qos Description This command displays application QoS settings.
Page 262
status
Syntax status
Context show>router
Description This command displays the router status.
Output Router Status Output — The following table describes the output fields for router status information.
Label    Description
Router    The administrative and operational states for the router.
OSPF    The administrative and operational states for the OSPF protocol.
Page 263
IP Router Configuration Router OSPFv2-0 ISIS MPLS Not configured Not configured RSVP Not configured Not configured Not configured Not configured IGMP Not configured Not configured Not configured Not configured OSPFv3 Not configured Not configured MSDP Not configured Not configured Max Routes No Limit Total IPv4 Routes 244285...
Page 264
Show Commands OSPFv2-28 Down Down OSPFv2-29 Down Down OSPFv2-30 Down Down OSPFv2-31 Down Down ISIS MPLS Not configured Not configured RSVP Not configured Not configured Not configured Not configured IGMP Not configured Not configured Not configured Not configured OSPFv3 Not configured Not configured MSDP Not configured...
Page 265
IP Router Configuration Inactive 107.0.0.1/32 mda-2-1 Inactive 108.0.0.1/32 mda-2-1 Inactive 109.0.0.1/32 mda-2-1 ------------------------------------------------------------------------------- No. of Routes: 10 =============================================================================== *A:Dut-C# show router 1 tms routes =============================================================================== TMS Routes (IPv4) =============================================================================== Status Network Next Hop[Interface Name] ------------------------------------------------------------------------------- Active 100.0.0.1/32 mda-2-1 ------------------------------------------------------------------------------- No. of Routes: 1 =============================================================================== tunnel-table Syntax...
Page 266
Show Commands Label Description (Continued) Metric The route metric value for the route. Sample Output *A:Dut-D>config>service>vpls# show router tunnel-table sdp 17407 ======================================================================= Tunnel Table (Router: Base) =============================================================================== Destination Owner Encap TunnelId Pref Nexthop Metric ----------------------------------------------------------------------- 127.0.68.0/32 MPLS 17407 127.0.68.0 ======================================================================= *A:Dut-D# show service id 1 sdp 17407:4294967294 detail ======================================================================= Service Destination Point (Sdp Id : 17407:4294967294) Details...
Page 267
IP Router Configuration MAC Aging : Enabled BPDU Translation : Disabled L2PT Termination : Disabled MAC Pinning : Disabled Ignore Standby Sig : False Block On Mesh Fail: False Oper Group : (none) Monitor Oper Grp : (none) Rest Prot Src Mac : Disabled Auto Learn Mac Prot: Disabled RestProtSrcMacAct : Disable...
Page 268
Show Commands ----------------------------------------------------------------------- Stp Service Destination Point specifics ----------------------------------------------------------------------- Stp Admin State : Down Stp Oper State : Down Core Connectivity : Down Port Role : N/A Port State : Forwarding Port Number Port Priority : 128 Port Path Cost : 10 Auto Edge : Enabled...
Page 269
===============================================================================
A:ALA-A>config>service#
L2TP Show Commands

l2tp
Syntax l2tp
Context show>router
Description This command enables the context to display L2TP related information.

group
Syntax group [tunnel-group-name [statistics]]
Context show>router>l2tp
Description This command displays L2TP group operational information.
Parameters tunnel-group-name — Displays information for the specified tunnel group.
statistics —...
Page 271
IP Router Configuration 143523840 2190 17525 established isp1.group-2 isp1.tunnel-3 236912640 3615 58919 closedByPeer isp1.group-2 isp1.tunnel-2 658178048 10043 33762 draining isp1.group-2 isp1.tunnel-2 ------------------------------------------------------------------------------- No. of tunnels: 3 =============================================================================== *A:Dut-C# *A:Dut-C# show router l2tp group isp1.group-2 statistics Group Name: isp1.group-2 ------------------------------------------------------------------------------- Attempts Failed Failed-Aut Active...
Page 272
Show Commands =============================================================================== Peer IP Tun Active Ses Active Drain Unreach Role Tun Total Ses Total ------------------------------------------------------------------------------- 10.10.14.8 10.10.20.100 drain 10.10.20.101 unreach LAC ------------------------------------------------------------------------------- No. of peers: 3 =============================================================================== *A:Dut-C# *A:Dut-C# show router l2tp peer unreachable =============================================================================== L2TP Peers =============================================================================== Peer IP Tun Active Ses Active Drain Unreach Role Tun Total...
Page 274
Parameters connection-id connection-id — Specifies the identification number for a Layer Two Tunneling Protocol connection.
Values 1 — 429496729
detail — Displays detailed L2TP session information.
session-id session-id (v2) — Specifies the identification number for a Layer Two Tunneling Protocol session.
Page 275
IP Router Configuration 236926987 236912640 3615 14347 closed 236927915 236912640 3615 15275 closed 379407426 379387904 5789 19522 established 658187773 658178048 10043 9725 established 658198275 658178048 10043 20227 established 658210606 658178048 10043 32558 established ------------------------------------------------------------------------------- No. of sessions: 9 =============================================================================== *A:Dut-C# *A:Dut-C# show router l2tp session state established =============================================================================== L2TP Session Summary...
Page 276
Show Commands Time Started : 04/17/2009 18:41:55 Time Established : 04/17/2009 18:41:55 Time Closed : 04/17/2009 18:43:20 CDN Result : generalError General Error : noError ------------------------------------------------------------------------------- =============================================================================== L2TP Session Status =============================================================================== Connection ID : 236927915 State : closed Tunnel Group : isp1.group-2 Assignment ID : isp1.tunnel-2 Error Message : tunnel was closed...
Page 277
IP Router Configuration Control Conn ID Tunnel-ID Session-ID State ------------------------------------------------------------------------------- 143524786 143523840 2190 established 143526923 143523840 2190 3083 established 143531662 143523840 2190 7822 closed 236926987 236912640 3615 14347 closed 236927915 236912640 3615 15275 closed 658187773 658178048 10043 9725 established 658198275 658178048 10043 20227...
Page 278
Show Commands Control Conn ID Tunnel-ID Session-ID State ------------------------------------------------------------------------------- 658187773 658178048 10043 9725 established 658198275 658178048 10043 20227 established 658210606 658178048 10043 32558 established ------------------------------------------------------------------------------- No. of sessions: 3 =============================================================================== *A:Dut-C# *A:Dut-C# show router l2tp session control-connection-id 658178048 =============================================================================== L2TP Session Summary =============================================================================== Control Conn ID Tunnel-ID...
Page 279
IP Router Configuration ------------------------------------------------------------------------------- =============================================================================== L2TP Session Status =============================================================================== Connection ID : 236927915 State : closed Tunnel Group : isp1.group-2 Assignment ID : isp1.tunnel-2 Error Message : tunnel was closed Control Conn ID : 236912640 Remote Conn ID : 3861317210 Tunnel ID : 3615 Remote Tunnel ID...
Page 280
Show Commands L2TP Session Summary =============================================================================== Control Conn ID Tunnel-ID Session-ID State ------------------------------------------------------------------------------- 600407016 600375296 9161 31720 established simon@base.lac.base.lns interface: gi_base_lns_base_lac service-id: 100 ip-address: 10.100.2.1 =============================================================================== *A:Fden-Dut2-BSA2# show router l2tp session connection-id 600407016 detail =============================================================================== L2TP Session Status =============================================================================== Connection ID: 600407016 State : established Tunnel Group : base_lns_base_lac...
Page 282
Show Commands tunnel connection-id connection-id (v3) [statistics] [detail] Context show>router>l2tp Description This command displays L2TP tunnel operational information. Parameters statistics — Displays L2TP tunnel statistics. detail — Displays detailed L2TP tunnel information. peer ip-address — Displays information for the IP address of the peer. state tunnel-state —...
Page 283
IP Router Configuration Sample Output *A:Dut-C# show router l2tp tunnel =============================================================================== Conn ID Loc-Tu-ID Rem-Tu-ID State Ses Active Group Ses Total Assignment ------------------------------------------------------------------------------- 143523840 2190 17525 established isp1.group-2 isp1.tunnel-3 236912640 3615 58919 closedByPeer isp1.group-2 isp1.tunnel-2 379387904 5789 4233 established isp1.group-1 isp1.tunnel-1 658178048 10043...
Page 284
Show Commands =============================================================================== Conn ID Loc-Tu-ID Rem-Tu-ID State Ses Active Group Ses Total Assignment ------------------------------------------------------------------------------- 143523840 2190 17525 established isp1.group-2 isp1.tunnel-3 379387904 5789 4233 established isp1.group-1 isp1.tunnel-1 ------------------------------------------------------------------------------- No. of tunnels: 2 =============================================================================== *A:Dut-C# *A:Dut-C# show router l2tp tunnel tunnel-id 2190 statistics =============================================================================== L2TP Tunnel Statistics ===============================================================================...
Page 285
IP Router Configuration L2TP Tunnel Status =============================================================================== Connection ID : 143523840 State : established : 10.20.1.3 Peer IP : 10.10.20.101 Name : lac1.wholesaler.com Remote Name : lns3.retailer1.net Assignment ID : isp1.tunnel-3 Group Name : isp1.group-2 Error Message : N/A Remote Conn ID : 1148518400 Tunnel ID : 2190...
Page 286
Show Commands Peer IP : 10.10.20.100 Name : lac1.wholesaler.com Remote Name : lns2.retailer1.net Assignment ID : isp1.tunnel-2 Group Name : isp1.group-2 Error Message : Goodbye! Remote Conn ID : 3861315584 Tunnel ID : 3615 Remote Tunnel ID : 58919 UDP Port : 1701 Remote UDP Port : 1701...
Page 287
IP Router Configuration ------------------------------------------------------------------------------- Ctrl Packets Ctrl Octets 1310 1690 Error Packets 0 ------------------------------------------------------------------------------- No. of tunnels: 1 =============================================================================== *A:Dut-C# *A:Dut-C# show router l2tp tunnel local-name lac1.wholesaler.com remote-name lns2.retailer1.net state draining =============================================================================== Conn ID Loc-Tu-ID Rem-Tu-ID State Ses Active Group Ses Total Assignment -------------------------------------------------------------------------------...
Page 288
Show Commands Window Size Cur acceptedMsgType StartControlConnectionRequest StartControlConnectionConnected IncomingCallRequest IncomingCallConnected ZeroLengthBody originalTransmittedMsgType StartControlConnectionReply Hello IncomingCallReply ZeroLengthBody last cleared time : N/A =============================================================================== Page 288 7750 SR OS Router Configuration Guide...
IP Router Configuration Clear Commands router Syntax router router-instance Context clear>router Description This command clears for a the router instance in which they are entered. Parameters router-instance — Specify the router name or service ID. Values router-name: Base, management, vpls-management service-id: 1 —...
Page 290
Clear Commands session Syntax session src-ip ip-address dst-ip ip-address Context clear>router>bfd Description This command clears BFD sessions. Parameters src-ip ip-address — Specifies the address of the local endpoint of this BFD session. dst-ip ip-address — Specifies the address of the remote endpoint of this BFD session. statistics Syntax statistics src-ip ip-address dst-ip ip-address...
Page 291
IP Router Configuration forwarding-table Syntax forwarding-table [slot-number] Context clear>router Description This command clears entries in the forwarding table (maintained by the IOMs). If the slot number is not specified, the command forces the route table to be recalculated. Parameters slot-number — Clears the specified card slot. Default all IOMs Values...
Page 292
Clear Commands interface-name — Clears ICMP6 statistics for the specified interface. interface Syntax interface [ip-int-name | ip-addr] [icmp] [urpf-stats] [statistics] Context clear>router Description This command clears IP interface statistics. If no IP interface is specified either by IP interface name or IP address, the command will perform the clear operation on all IP interfaces.
Page 293
IP Router Configuration Parameters tunnel-group-name — Clears L2TP tunnel statistics. statistics Syntax statistics Context clear>router>l2tp clear>router>l2tp>group clear>router>l2tp>tunnel Description This command clears statistics for the specified context. statistics Syntax statistics [ip-address | ip-int-name] Context clear>router>dhcp clear>router>dhcp6 Description This command clears DHCP and DHCP6 relay and snooping statistics. If no IP address or interface name is specified, then statistics are cleared for all configured interfaces.
Page 294
Clear Commands router-advertisement Syntax router-advertisement all router-advertisement [interface interface-name] Context clear>router Description This command clears all router advertisement counters. Parameters all — Clears all router advertisement counters for all interfaces. interface interface-name — Clears router advertisement counters for the specified interface.
IP Router Configuration Debug Commands destination Syntax destination trace-destination Context debug>trace Description This command specifies the destination to send trace messages. Parameters trace-destination — The destination to send trace messages. Values stdout, console, logger, memory enable Syntax [no] enable Context debug>trace Description This command enables the trace.
Page 296
Debug Commands Default Base Syntax Context debug>router Description This command configures debugging for IP. Syntax Context debug>router>ip Description This command configures route table debugging. icmp Syntax [no] icmp Context debug>router>ip Description This command enables ICMP debugging. icmp6 Syntax icmp6 [ip-int-name] no icmp6 Context debug>router>ip...
Page 297
IP Router Configuration Parameters ip-address — Only displays the interface information associated with the specified IP address. Values ipv4-address a.b.c.d (host bits must be 0) ipv6-address x:x:x:x:x:x:x:x (eight 16-bit pieces) x:x:x:x:x:x:d.d.d.d x: [0 — FFFF]H d: [0 — 255]D ip-int-name — Only displays the interface information associated with the specified IP interface name. Values 32 characters maximum packet...
Page 298
Debug Commands [0 — 255]D ipv6-prefix-length 0 — 128 longer — Specifies the prefix list entry matches any route that matches the specified ip-prefix and prefix mask length values greater than the specified mask. tunnel-table Syntax tunnel-table [ip-address] [ldp | rsvp [tunnel-id tunnel-id]| sdp [sdp-id sdp-id]] Context debug>router>ip Description...
VRRP
In This Chapter
This chapter provides information about configuring Virtual Router Redundancy Protocol (VRRP) parameters. Topics in this chapter include:
• VRRP Overview on page 302
  - Virtual Router on page 303
  - IP Address Owner on page 303
  ...
VRRP Overview The Virtual Router Redundancy Protocol (VRRP) for IPv4 is defined in the IETF RFC 3768, Virtual Router Redundancy Protocol. VRRP for IPv6 is specified in draft-ietf-vrrp-unified-spec-02.txt. VRRP describes a method of implementing a redundant IP interface shared between two or more routers on a common LAN segment, allowing a group of routers to function as one virtual router.
This is a common mechanism that allows multiple local subnet attachment on a single routing interface. Up to four virtual routers are possible on a single Alcatel-Lucent IP interface. The virtual routers must be in the same subnet. Each virtual router has its own VRID, state machine and messaging instance.
An IP interface must always have a primary IP address assigned for VRRP to be active on the interface. Alcatel-Lucent routers support both primary and secondary IP addresses (multi-netting) on the IP interface. The virtual router’s VRID primary IP address is always the primary address on the IP interface.
VRRP Virtual Router Backup A new virtual router master is selected from the set of VRRP routers available to assume forwarding responsibility for a virtual router should the current master fail. Owner and Non-Owner VRRP The owner controls the IP address of the virtual router and is responsible for forwarding packets sent to this IP address.
Configurable Parameters In addition to backup IP addresses, to facilitate configuration of a virtual router on Alcatel-Lucent routers, the following parameters can be defined in owner configurations: • Virtual Router ID (VRID) on page 306 • Message Interval and Master Inheritance on page 308 •...
VRRP the defined IP address on the IP interface is different than the virtual router IP address (non-owner mode). When the IP address on the IP interface matches the virtual router IP address (owner mode), the priority value is fixed at 255, the highest value possible. This virtual router member is considered the owner of the virtual router IP address.
Message Interval and Master Inheritance Each virtual router is configured with a message interval per VRID within which it participates. This parameter must be the same for every virtual router on the VRID. For IPv4, the default advertisement interval is 1 second and can be configured between 100 milliseconds and 255 seconds 900 milliseconds.
VRRP Master Down Interval The master down interval is a calculated value used to load the master down timer. When the master down timer expires, the virtual router enters the master state. To calculate the master down interval, the virtual router evaluates the following formula: Master Down Interval = (3 x Operational Advertisement Interval) + Skew Time The operational advertisement interval is dependent upon the state of the inherit parameter.
VRRP Message Authentication The authentication type parameter defines the type of authentication used by the virtual router in VRRP advertisement message authentication. VRRP message authentication is applicable to IPv4 only. The current master uses the configured authentication type to indicate any egress message manipulation that must be performed in conjunction with any supporting authentication parameters before transmitting a VRRP advertisement message.
Page 311
VRRP
• VRRP message checks
  - Version field – Must be set to the value 2
  - Type field – Must be set to the value of 1 (advertisement)
  - Virtual router ID field – Must match one of the configured VRID on the ingress IP interface (All other fields are dependent on matching the virtual router ID field to one of the interfaces configured VRID parameters)
  ...
VRRP advertisement messages contain an IP address count field that indicates the number of IP addresses listed in the sequential IP address fields at the end of the message. The Alcatel-Lucent router implementation always logs mismatching events. The decision on where and whether to forward the generated messages depends on the configuration of the event manager.
VRRP With secondary IP address support, multiple IP addresses may be found in the list and it should match the IP address on the virtual router instance. Owner and non-owner virtual router instances have the supported IP addresses explicitly defined, making mismatched supported IP address within the interconnected virtual router instances a provisioning issue.
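The ingress checks described above (version 2, type 1, VRID configured on the ingress interface, advertisement interval, IP address list mismatch logging) can be expressed as a small validator. This is an added example, not Alcatel-Lucent code: the field layout and checksum rule are those of RFC 3768, the names `VrrpInstance`, `check_advert` and `build_advert` are hypothetical, the interval is assumed to be in whole seconds, and the packets are constructed samples.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import NamedTuple

# RFC 3768 header: version/type, VRID, priority, IP address count,
# authentication type, advertisement interval, checksum.
HDR = struct.Struct("!BBBBBBH")
AUTH_DATA_LEN = 8  # two 32-bit authentication data words follow the addresses


@dataclass(frozen=True)
class VrrpInstance:
    """Hypothetical local view of one virtual router instance on the ingress interface."""
    vrid: int
    backup_addrs: frozenset          # configured virtual router IP addresses (strings)
    message_interval: int = 1        # seconds (assumption: whole seconds only)
    master_int_inherit: bool = False


class Result(NamedTuple):
    verdict: str   # "accept" or "discard"
    reason: str
    events: list   # mismatch events to log; they do not change the verdict


def inet_checksum(data: bytes) -> int:
    """16-bit one's complement of the one's complement sum of the message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_advert(vrid, priority, addrs, adver_int=1, auth_type=0) -> bytes:
    """Build a constructed sample advertisement (test input only)."""
    body = b"".join(ipaddress.IPv4Address(a).packed for a in addrs)
    msg = HDR.pack((2 << 4) | 1, vrid, priority, len(addrs), auth_type, adver_int, 0)
    msg += body + b"\x00" * AUTH_DATA_LEN
    return msg[:6] + struct.pack("!H", inet_checksum(msg)) + msg[8:]


def check_advert(msg: bytes, instances: dict) -> Result:
    """Apply the message checks in order; `instances` maps VRID -> VrrpInstance."""
    if len(msg) < HDR.size:
        return Result("discard", "truncated header", [])
    ver_type, vrid, _prio, count, _auth, adver_int, _csum = HDR.unpack(msg[:HDR.size])
    if ver_type >> 4 != 2:
        return Result("discard", "version is not 2", [])
    if ver_type & 0x0F != 1:
        return Result("discard", "type is not 1 (advertisement)", [])
    inst = instances.get(vrid)
    if inst is None:
        return Result("discard", f"VRID {vrid} not configured on ingress interface", [])
    # Every later check depends on having matched the VRID to an instance.
    if len(msg) < HDR.size + 4 * count + AUTH_DATA_LEN:
        return Result("discard", "shorter than IP address count implies", [])
    if inet_checksum(msg) != 0:
        return Result("discard", "checksum mismatch", [])
    if not inst.master_int_inherit and adver_int != inst.message_interval:
        return Result("discard", "advertisement interval mismatch", [])
    advertised = frozenset(
        str(ipaddress.IPv4Address(msg[HDR.size + 4 * i:HDR.size + 4 * i + 4]))
        for i in range(count)
    )
    events = []
    if advertised != inst.backup_addrs:
        # Logged as a provisioning issue, not a reason to drop the message.
        events.append(
            f"VRID {vrid}: address list mismatch, received {sorted(advertised)}, "
            f"configured {sorted(inst.backup_addrs)}"
        )
    return Result("accept", "ok", events)


if __name__ == "__main__":
    configured = {10: VrrpInstance(10, frozenset({"10.10.36.2"}))}
    for pkt in (build_advert(10, 100, ["10.10.36.2"]),
                build_advert(11, 100, ["10.10.36.2"]),
                build_advert(10, 100, ["10.10.36.2", "10.10.36.3"])):
        print(check_advert(pkt, configured))
```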
VRRP Priority Control Policies This implementation of VRRP supports control policies to manipulate virtual router participation in the VRRP master election process and master self-deprecation. The local priority value for the virtual router instance is used to control the election process and master state. VRRP Virtual Router Policy Constraints Priority control policies can only be applied to non-owner VRRP virtual router instances.
VRRP VRRP Priority Control Policy Delta In-Use Priority Limit A VRRP priority control policy enforces an overall minimum value that the policy can inflict on the VRRP virtual router instance base priority. This value provides a lower limit to the delta priority events manipulation of the base priority.
VRRP Priority Control Policy Priority Events The main function of a VRRP priority control policy is to define conditions or events that impact the system’s ability to communicate with outside hosts or portions of the network. When one or multiple of these events are true, the base priority on the virtual router instance is either overwritten with an explicit value, or a sum of delta priorities is subtracted from the base priority.
VRRP Port Down Priority Event The port down priority event is tied to either a physical port or a SONET/SDH channel. The port or channel operational state is evaluated to determine a port down priority event or event clear. When the port or channel operational state is up, the port down priority event is considered false or cleared.
Page 318
Table 6: LAG Events (Continued) Time LAG Port State Parameter State Comments One port up Event State Set - 8 ports down Cannot change until Hold Set Timer expires Event Threshold 6 ports down Hold Set Timer 5 seconds Event does not affect timer All ports up Event State Set - 8 ports down...
VRRP Table 6: LAG Events (Continued) Time LAG Port State Parameter State Comments Seven ports down Event State Set - 7 ports down Changed due to increase Event Threshold 6 ports down Hold Set Timer 5 seconds Set to hold-set due to threshold increase All ports up Event State Set - 7 ports down...
Page 320
When a route prefix exists within the active route table that matches the defined match criteria, the route unknown priority event is considered false or cleared. When a route prefix does not exist within the active route table matching the defined criteria, the route unknown priority event is considered true or set.
VRRP VRRP Non-Owner Accessibility Although the RFC states that only VRRP owners can respond to ping and other management-oriented protocols directed to the VRID IP addresses, the routers allow an override of this restraint on a per VRRP virtual router instance basis. Non-Owner Access Ping Reply When non-owner access ping reply is enabled on a virtual router instance, ICMP echo request messages destined to the non-owner virtual router instance IP addresses are not discarded at the IP...
Non-Owner Access SSH When non-owner access SSH is enabled on a virtual router instance, authorized SSH sessions may be established that are destined to the virtual router instance IP addresses when operating in master mode. SSH sessions are always discarded at the IP interface when destined to a virtual router IP address operating in backup mode.
Configuration Notes This section describes VRRP configuration caveats. General • Creating and applying VRRP policies are optional. • Backup command: The backup IP address(es) must be on the same subnet. The backup addresses explicitly define which IP addresses are in the VRRP advertisement message IP address list.
VRRP Configuring VRRP with CLI This section provides information to configure VRRP using the command line interface. Topics in this section include: • VRRP Configuration Overview on page 326 • Basic VRRP Configurations on page 327 • Common Configuration Tasks on page 331 •...
VRRP Configuration Overview Configuring VRRP policies and configuring VRRP instances on interfaces and router interfaces is optional. The basic owner and non-owner VRRP configurations on an IES or router interface must specify the backup ip-address parameter. VRRP helps eliminate the single point of failure in a routed environment by using a virtual router IP address shared between two or more routers connecting the common domain.
VRRP Basic VRRP Configurations Configure VRRP parameters in the following contexts: • VRRP Policy on page 327 • VRRP IES Service Parameters on page 328 • VRRP Router Interface Parameters on page 330 VRRP Policy Configuring and applying VRRP policies are optional. There are no default VRRP policies. Each policy must be explicitly defined.
VRRP IES Service Parameters VRRP parameters are configured within an IES service with two contexts, owner or non-owner. The status is specified when the VRRP configuration is created. When configured as owner, the virtual router instance owns the backup IP addresses. All other virtual router instances participating in this message domain must have the same vrid configured and cannot be configured as owner.
VRRP
Configure VRRP for IPv6
The following output shows a VRRP for IPv6 configuration example. The interface must be configured first.

*A:nlt7750-3>config>router>router-advert# info
----------------------------------------------
        interface "DSC-101-Application"
            use-virtual-mac
            no shutdown
        exit
----------------------------------------------
*A:nlt7750-3>config>router>router-advert#

*A:nlt7750-3>config>service>ies# info
----------------------------------------------
        description "VLAN 921 for DSC-101 Application"
        interface "DSC-101-Application"...
VRRP Router Interface Parameters VRRP parameters are configured on a router interface with two contexts, owner or non-owner. The status is specified when the VRRP configuration is created. When configured as owner, the virtual router instance owns the backed up IP addresses. All other virtual router instances participating in this message domain must have the same vrid configured and cannot be...
VRRP Common Configuration Tasks This section provides a brief overview of the tasks that must be performed to configure VRRP and provides the CLI commands. VRRP parameters are defined under a service interface or a router interface context. An IP address must be assigned to each IP interface.
Creating Interface Parameters
If you have multiple subnets configured on an Ethernet interface, you can configure VRRP on each subnet. The following displays an IP interface configuration example:

A:SR1>config>router# info
#------------------------------------------
echo "IP Configuration "
#------------------------------------------
    interface "system"
        address 10.10.0.1/32
    exit
    interface "testA"...
Configuring Service VRRP Parameters VRRP parameters can be configured on an interface in a service to provide virtual default router support which allows traffic to be routed without relying on a single router in case of failure. VRRP can be configured the following ways: •...
Configuring Router Interface VRRP Parameters VRRP parameters can be configured on an interface in an interface to provide virtual default router support which allows traffic to be routed without relying on a single router in case of failure. VRRP can be configured the following ways: •...
VRRP Configuration Management Tasks
This section discusses the following VRRP configuration management tasks:
• Modifying a VRRP Policy on page 338
• Deleting a VRRP Policy on page 339
• Modifying Service and Interface VRRP Parameters on page 340
  - Modifying Non-Owner Parameters on page 340
  ...
VRRP Deleting a VRRP Policy Policies are only applied to non-owner VRRP instances. A VRRP policy cannot be deleted if it is applied to an interface or to an IES service. Each instance in which the policy is applied must be deleted. The Applied column in the following example displays whether or not the VRRP policies are applied to an entity.
Modifying Service and Interface VRRP Parameters Modifying Non-Owner Parameters Once a VRRP instance is created as non-owner, it cannot be modified to the owner state. The vrid must be deleted and then recreated with the owner keyword to invoke IP address ownership....
VRRP Configuration Commands Interface Configuration Commands authentication-key Syntax authentication-key [authentication-key | hash-key] [hash | hash2] no authentication-key Context config>router>if>vrrp Description This command sets the simple text authentication key used to generate master VRRP advertisement messages and validate VRRP advertisements. If simple text password authentication is not required, the authentication-key command is not required.
Page 350
hash-key — The hash key. The key can be any combination of ASCII characters up to 22 (hash-key1) or 121 (hash-key2) characters in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (“ ”). This is useful when a user must configure the parameter, but for security purposes, the actual unencrypted key value is not provided.
Page 351
VRRP In IPv4, up to sixteen backup ip-addr commands can be executed within the same virtual router instance. Executing backup multiple times with the same ip-addr results in no operation performed and no error generated. At least one successful backup ip-addr command must be executed before the virtual router instance can enter the operational state.
Page 352
11.11.11.254 Invalid (not equal to parent IP address) 11.11.11.255 Invalid (not equal to parent IP address) Non-Owner Virtual Router IP Address Parental Association — When an IP address is assigned to a non-owner virtual router instance, it must be associated with one of the parental IP interface assigned IP addresses.
Page 353
VRRP to removing the parental IP address. This includes virtual router IP address associations from multiple virtual router instances on the IP interface. Default no backup — No virtual router IP address is assigned. Parameters ip-address — The virtual router IP address expressed in dotted decimal notation. The IP virtual router IP address must be in the same subnet of the parental IP interface IP address or equal to one of the primary or secondary IP addresses for owner virtual router instances.
Page 354
Executing backup multiple times with the same ipv6-addr results in no operation performed and no error generated. At least one successful backup ipv6-addr command must be executed before the virtual router instance can enter the operational state. When operating as (non-owner) master, the default functionality associated with ipv6-addr is ARP response to ARP requests to ip-addr, routing of packets destined to the virtual router instance source MAC address and silently discarding packets destined to ipv6-addr.
Page 355
VRRP the parental IP interfaces local subnet. Local subnets are created by the link-local or global IP addresses in conjunction with the IP addresses mask. If the defined virtual router IP address is equal to the associated subnet’s broadcast address, it is invalid. Virtual router IP addresses for non-owner virtual router instances that are equal to a parental IP interface IP address are also invalid.
Page 356
bfd-enable Syntax [no] bfd-enable [service-id] interface interface-name dst-ip ip-address [no] bfd-enable interface interface-name dst-ip ip-address Context config>router>if>vrrp config>router>if>ipv6>vrrp Description This command assigns a bi-directional forwarding (BFD) session providing a heart-beat mechanism for the given VRRP/SRRP instance. There can be only one BFD session assigned to any given VRRP/SRRP instance, but there can be multiple SRRP/VRRP sessions using the same BFD session.
Page 357
VRRP Syntax mac mac-address no mac Context config>router>if>vrrp config>router>if>ipv6>vrrp Description This command sets an explicit MAC address used by the virtual router instance overriding the VRRP default derived from the VRID. Changing the default MAC address is useful when an existing HSRP or other non-VRRP default MAC is in use by the IP hosts using the virtual router IP address.
Page 358
If master-int-inherit is not enabled, the locally configured message-interval must match the master’s VRRP advertisement message advertisement interval field value or the message is discarded. The no form of the command restores the default operating condition which requires the locally configured message-interval to match the received VRRP advertisement message advertisement interval field value.
Page 359
VRRP By default, a message-interval of 1 second is used. The no form of the command reverts to the default value. Default 1 — Advertisement timer set to 1 second Parameters seconds — The number of seconds that will transpire before the advertisement timer expires expressed as a decimal integer.
Page 360
preempt Syntax [no] preempt Context config>router>if>vrrp config>router>if>ipv6>vrrp Description This command enables the overriding of an existing VRRP master if the virtual router’s in-use priority is higher than the current master. Together with the priority of the non-owner virtual router instance, the preempt mode allows the best available virtual router to force itself as the master over other available virtual routers.
Page 361
VRRP The priority is the most important parameter set on a non-owner virtual router instance. The priority defines a virtual router’s selection order in the master election process. Together, the priority value and the preempt mode allow the virtual router with the best priority to become the master virtual router.
Page 362
The no form of the command configures discarding all ICMP echo request messages destined to the non-owner virtual router instance IP addresses. Default no ping-reply — ICMP echo requests to the virtual router instance IP addresses are discarded. shutdown Syntax [no] shutdown Context config>router>if>vrrp...
Page 363
VRRP This limitation can be disregarded for certain applications. Ping, Telnet and SSH can be individually enabled or disabled on a per-virtual-router-instance basis. The ssh-reply command enables the non-owner master to reply to SSH requests directed at the virtual router instances IP addresses. The SSH request can be received on any routed interface. SSH must not have been disabled at the management security level (either on the parental IP interface or based on the SSH source host address).
Page 364
The telnet-reply command enables the non-owner master to reply to Telnet requests directed at the virtual router instances’ IP addresses. The Telnet request can be received on any routed interface. Telnet must not have been disabled at the management security level (either on the parental IP interface or based on the Telnet source host address).
Page 365
VRRP All other virtual router instances participating in this message domain must have the same vrid configured and cannot be configured as owner. Once created, the owner keyword is optional when entering the vrid for configuration purposes. A vrid is internally associated with the IP interface. This allows the vrid to be used on multiple IP interfaces while representing different virtual router instances.
Page 366
have the owner parameter removed. The vrid must be deleted and then recreated without the owner keyword to remove ownership.
VRRP Priority Policy Commands delta-in-use-limit Syntax delta-in-use-limit in-use-priority-limit no delta-in-use-limit Context config>vrrp>policy vrrp-policy-id Description This command sets a lower limit on the virtual router in-use priority that can be derived from the delta priority control events. Each vrrp-priority-id places limits on the delta priority control events to define the in-use priority of the virtual router instance.
Page 368
description Syntax description string no description Context config>vrrp>policy vrrp-policy-id Description This command creates a text description stored in the configuration file for a configuration context. The description command associates a text string with a configuration context to help identify the content in the configuration file.
VRRP Parameters vrrp-policy-id — The VRRP priority control ID expressed as a decimal integer that uniquely identifies this policy from any other VRRP priority control policy defined on the system. Up to 1000 policies can be defined. Values 1 — 9999 context service-id —...
Priority Policy Event Commands hold-clear Syntax hold-clear seconds no hold-clear Context config>vrrp>policy>priority-event>port-down config>vrrp>policy>priority-event>lag-port-down config>vrrp>policy>priority-event>route-unknown Description This command configures the hold clear time for the event. The seconds parameter specifies the hold-clear time, the amount of time in seconds by which the effect of a cleared event on the associated virtual router instance is delayed.
VRRP Once the hold set timer expires and the event meets the cleared state requirements or is set to a lower threshold, the current set effect on the virtual router instances in-use priority can be removed. As with lag-port-down events, this may be a decrease in the set effect if the clearing amounts to a lower set threshold.
Default 0 delta — The set event will subtract 0 from the base priority (no effect). Parameters priority-level — The priority level adjustment value expressed as a decimal integer. Values 0 — 254 delta | explicit — Configures what effect the priority-level will have on the base priority value. When delta is specified, the priority-level value is subtracted from the associated virtual router instance’s base priority when the event is set and no explicit events are set.
VRRP Priority Policy Port Down Event Commands port-down Syntax [no] port-down port-id Context config>vrrp>policy>priority-event Description This command configures a port down priority control event that monitors the operational state of a port or SONET/SDH channel. When the port or channel enters the operational down state, the event is considered set.
The port-id can only be monitored by a single event in this policy. The port can be monitored by multiple VRRP priority control policies. A port and a specific channel on the port are considered to be separate entities. A port and a channel on the port can be monitored by separate events in the same policy.
VRRP Priority Policy LAG Events Commands lag-port-down Syntax [no] lag-port-down lag-id Context config>vrrp>policy>priority-event Description This command creates the context to configure Link Aggregation Group (LAG) priority control events that monitor the operational state of the links in the LAG. The lag-port-down command configures a priority control event. The event monitors the operational state of each port in the specified LAG.
The lag-port-down event is considered to have a tiered event set state. While the priority impact per number of ports down is totally configurable, as more ports go down, the effect on the associated virtual router instances’ in-use priority is expected to increase (lowering the priority). When each configured threshold is crossed, any higher thresholds are considered further event sets and are processed immediately with the hold set timer reset to the configured value of the hold-set command.
The no form of the command deletes the event set threshold. The threshold may be removed at any time. If the removed threshold is the current active threshold, the event set thresholds must be re-evaluated after removal. Default no number-down —...
Priority Policy Host Unreachable Event Commands drop-count Syntax drop-count consecutive-failures no drop-count Context config>vrrp vrrp-policy-id>priority-event>host-unreachable ip-addr Description This command configures the number of consecutively sent ICMP echo request messages that must fail before the host unreachable priority control event is set. The drop-count command is used to define the number of consecutive message send attempts that must fail for the host-unreachable priority event to enter the set state.
VRRP Multiple unique (different ip-address) host-unreachable event nodes can be configured within the priority-event node to a maximum of 32 events. The host-unreachable command can reference any valid local or remote IP address. The ability to ARP a local IP address or find a remote IP address within a route prefix in the route table is considered part of the monitoring procedure.
prevents the event from clearing until it expires, damping the effect of event flapping. If the event clears and becomes set again before the hold set timer expires, the timer is reset to the hold-set value, extending the time before another clear can take effect. The hold-set timer must be expired and the historical success rate must be met prior to the event operational state becoming cleared.
padding-size Syntax padding-size size no padding-size Context config>vrrp>priority-event>host-unreachable Description This command allows the operator to increase the size of the IP packet by padding the PDU. The no form of the command reverts to the default. Default Parameters size — Specifies the amount of increase to the ICMP PDU. Values 0 —...
If an ICMP Echo Reply message with a sequence number equal to an ICMP echo request sequence number that had previously timed out is received, that reply is silently discarded while incrementing the priority event reply discard counter. The no form of the command reverts to the default value. Default Parameters seconds —...
VRRP Priority Policy Route Unknown Event Commands less-specific Syntax [no] less-specific [allow-default] Context config>vrrp>policy>priority-event>route-unknown prefix/mask-length Description This command allows a CIDR shortest match hit on a route prefix that contains the IP route prefix associated with the route unknown priority event. The less-specific command modifies the search parameters for the IP route prefix specified in the route-unknown priority event.
When more than one next hop IP addresses are eligible for matching, a next-hop command must be executed for each IP address. Defining the same IP address multiple times has no effect after the first instance. The no form of the command removes the ip-address from the list of acceptable next hops when looking up the route-unknown prefix.
VRRP a returned route prefix with a source of BGP will not be considered a match and will cause the event to enter the set state. bgp-vpn — This parameter defines bgp-vpn as an eligible route source for a returned route prefix from the RTM when looking up the route-unknown route prefix.
Multiple unique (different prefix/mask-length) route-unknown event nodes can be configured within the priority-event node up to the maximum limit of 32 events. The route-unknown command can reference any valid IP address mask-length pair. The IP address and associated mask length define a unique IP router prefix. The dynamic monitoring of the route prefix results in one of the following event operational states: route-unknown Description...
VRRP virtual router instances must be reevaluated. The events hold-set timer has no effect on the removal procedure. Default no route-unknown — No route unknown priority control events are defined for the priority control event policy. Parameters prefix — The IP prefix address to be monitored by the route unknown priority control event in dotted decimal notation.
VRRP Show Commands instance Syntax instance instance [interface interface-name [vrid virtual-router-id] instance interface interface-name vrid virtual-router-id ipv6 Context show>vrrp Description This command displays information for VRRP instances. If no command line options are specified, summary information for all VRRP instances displays. Parameters interface ip-int-name —...
Label Description (Continued) State When owner, backup defines the IP addresses that are advertised within VRRP advertisement messages. When non-owner, backup actually creates an IP interface IP address used for routing IP packets and communicating with the system when the access commands are defined (ping-reply, telnet-reply, and ssh-reply).
Label Description (Continued) Ping Reply Yes — A non-owner master is enabled to reply to ICMP Echo requests directed to the virtual router instance IP addresses. Ping Reply is valid only if the VRRP virtual router instance associated with this entry is a non-owner. A non-owner backup virtual router never responds to such ICMP echo requests irrespective of whether Ping Reply is enabled.
Sample Output *A:ALA-A# show router vrrp instance =============================================================================== VRRP Instances =============================================================================== Interface Name VR Id Own Adm State Base Pri Msg Int Pol Id InUse Pri Inh Int ------------------------------------------------------------------------------- Master IPv4 Backup Addr: 5.1.1.10 Master IPv6 Backup Addr: 5::10 FE80::10 ------------------------------------------------------------------------------- Instances : 2 ===============================================================================...
VRRP Addr List Discards Addr List Errors Auth Type Mismatch Auth Failures Invalid Auth Type Invalid Pkt Type IP TTL Errors Pkt Length Errors : 0 Total Discards =============================================================================== *A:ALA-A# *A:ALA-A# show router vrrp instance interface n2 vrid 1 ipv6 =============================================================================== VRRP Instance 1 for interface "n2"...
Auth Failures Invalid Pkt Type IP TTL Errors Pkt Length Errors : 0 =============================================================================== * indicates that the corresponding row element may have been truncated. policy Syntax policy [vrrp-policy-id [event event-type specific-qualifier]] Context show>vrrp Description This command displays VRRP priority control policy information. If no command line options are specified, a summary of the VRRP priority control event policies dis- plays.
Label Description (Continued) Current Delta Sum The sum of the priorities of all the delta events when multiple delta events associated with the priority control policy happen simultaneously. This sum is subtracted from the base priority of the virtual router to give the in-use priority.
Label Description (Continued) Explicit — The priority-level value is used to override the base priority of the virtual router instance if the priority event is set and no other explicit priority event is set with a lower priority-level. The set explicit priority value with the lowest priority-level determines the actual in-use protocol value for all virtual router instances associated with the policy.
VRRP Policy Event Output — The following table describes a specific event VRRP policy command output fields. Label Description Description A text string which describes the VRRP policy. Policy Id The VRRP priority control policy associated with the VRRP virtual router instance.
Label Description (Continued) Master Priority The priority of the virtual router instance which is the current master. Priority The base priority used by the virtual router instance. Priority Effect Delta — A delta priority event is a conditional event defined in a priority control policy that subtracts a given amount from the base priority to give the current in-use priority for the VRRP virtual router instances to which the policy is applied.
VRRP Label Description (Continued) No — The event is not affecting the in-use priority of some virtual router. # trans to Set The number of times the event has transitioned to one of the 'set' states. Last Transition The time and date when the operational state of the event last changed. Sample Output A:ALA-A#show vrrp policy 1 event port-down ===============================================================================...
Value In Use : No Current State : n/a # trans to Set Previous State : n/a Last Transition : 04/13/2007 23:10:24 =============================================================================== A:ALA-A# A:ALA-A# show vrrp policy 1 event route-unknown =============================================================================== VRRP Policy 1, Event Route Unknown 10.10.100.0/24 =============================================================================== Description : 10.10.200.253 reachability Current Priority: None...
VRRP Sample Output A:ALA-48# show router vrrp statistics =============================================================================== VRRP Global Statistics =============================================================================== VR Id Errors Version Errors Checksum Errors =============================================================================== A:ALA-48# 7750 SR OS Router Configuration Guide Page 401...
Monitor Commands instance Syntax instance interface interface-name vr-id virtual-router-id [ipv6] [interval seconds] [repeat repeat] [absolute | rate] Context monitor>router>vrrp Description Monitor statistics for a VRRP instance. Parameters interface-name — The name of the existing IP interface on which VRRP is configured. vr-id virtual-router-id —...
VRRP *A:ALA-A# *A:ALA-A# monitor router vrrp instance interface n2 vr-id 10 ipv6 =============================================================================== Monitor statistics for VRRP Instance 10 on interface "n2" =============================================================================== ------------------------------------------------------------------------------- At time t = 0 sec (Base Statistics) ------------------------------------------------------------------------------- Master Transitions Discontinuity Time: 09/09/2004 01:57* Adv Sent : 1365 Adv Received Pri Zero Pkts Sent...
Clear Commands interface Syntax interface ip-int-name [vrid virtual-router-id] interface ip-int-name vrid virtual-router-id ipv6 Context clear>router>vrrp Description This command resets VRRP protocol instances on an IP interface. Parameters ip-int-name — The IP interface to reset the VRRP protocol instances. vrid vrid — Resets the VRRP protocol instance for the specified VRID on the IP interface. Default All VRIDs on the IP interface.
vrid virtual-router-id — Clears the VRRP statistics for the specified VRRP instance on the IP interface. Default All VRRP instances on the IP interface. Values 1 — 255 policy [vrrp-policy-id] — Clears VRRP statistics for all or the specified VRRP priority control policy.
VRRP Debug Commands events Syntax events events interface ip-int-name [vrid virtual-router-id] events interface ip-int-name vrid virtual-router-id ipv6 no events no events interface ip-int-name vrid virtual-router-id ipv6 no events interface ip-int-name [vrid virtual-router-id] Context debug>router>vrrp Description This command enables debugging for VRRP events. The no form of the command disables debugging.
Filter Policies In This Chapter The SROS supports filter policies for services and network interfaces (described in this chapter), subscriber management (integrated with service filter policies with the subscriber management specifics defined in the SROS Triple Play Guide), and CPM security and Management Interface (described in SROS Router Configuration Guide).
ACL Filter Policy Overview ACL filter policies, also referred to as Access Control Lists (ACLs) or filters for short, are sets of ordered rules specifying packet match criteria and actions to be performed upon a match. Filters are applied to services or network ports to control network traffic into (ingress) or out of (egress) a service access port (SAP) or network.
Filter Policies Filter Policy Entities A filter policy is applied to packets coming through the system, in the ascending order the entries are numbered in the policy. When a packet matches all the parameters specified in a filter entry’s match criteria, the system takes the specified action defined in that entry. If a packet does not match the entry parameters, the packet is compared to the next higher numerical filter entry, and so on.
Filter Policies ACL Filter Policy Scale Release 11R4 introduces an enhanced flexibility in defining per service or per customer filter policies across services and interfaces that the router supports. Prior to release 11.0, the number of filter policies supported in the system was equal to the number of filter policies supported by a single FlexPath on a line card.
ACL Filter Policy Overview Assignment of filter policies to Interfaces, SAPs and SDPs is allowed up to the maximum number of filter policies supported per FlexPath (unchanged). If a maximum supported on a given FlexPath is breached, the configuration change to a filter policy is blocked. Due to a co-existence of dynamic filter policy entries in the system, an operator-configured filter policy may still fail to be installed in hardware later on.
Match-list for Filter Policies Figure 15 depicts an approach to implement logical OR on a list of matching criteria (IPv4 address prefixes in this example) in one or more filter policies prior to introduction of match list. Entry K+1 IPv4 Prefix 1 +1: match IPv4 Prefix 1 Entry K+2...
[Figure 16: IOM/CPM Filter Policy Using an Address Prefix Match List. Labels: Entry K and Entry M, each "match: IPv4 Prefix List A"; IPv4 Prefix List A containing IPv4 Prefix 1, IPv4 Prefix 2, ... IPv4 Prefix N; CPM Filter; IOM Filters.] Note: The hardware resource usage does not change whether filter match lists are used or whether the operator creates multiple entries (one per element of the list); however, careful consideration must be given to how the lists are used to ensure only desired match permutations...
Filter Policies When using auto-generation of address prefixes inside an address prefix match list operators can: • Specify one or more regex expression matches against SROS router configuration per list. • Specify wildcard matches by specifying regex wildcard match expression (“.*”). •...
ACL Filter Policy Overview Embedded Filter Support for ACL Filter Policies When a large number of standard filter policies are configured in a system, a set of policies will often contain one or more common blocks of entries that define, for example, system-wide and/or service-wide security rules.
Filter Policies 7. An embedded filter is never embedded partially into an exclusive/template filter; that is, resources must exist to embed all embedded filter entries in a given exclusive/template filter. Although a partial embedding into a single filter will not take place, an embedded filter may be embedded only in a subset of embedding filters (only those where there are sufficient resources available).
ACL Filter Policy Overview Redirect Policies SROS-based routers support redirect policies. Redirection policies are used to identify cache servers (or other redirection target destinations) and define health check test methods used to validate the ability for the destination to receive redirected traffic. This destination monitoring greatly diminishes the likelihood of a destination receiving packets it cannot process.
Filter Policies Web Redirection (Captive Portal) Web redirection policies can be configured on 7750 SR devices. Redirection policies were designed for testing purposes. The new redirection policy can now block a customer’s request from an intended recipient and force the customer to connect to the service’s portal server. 255 unique entries with http-redirect are allowed.
[Figure: web redirect message flow among the customer’s computer, the SR/ESS, the portal website and the original website. Messages shown: X>HTTP TCP SYN; X>HTTP TCP SYN ACK*; X>HTTP TCP ACK; HTTP GET; HTTP>X TCP ACK*; HTTP 302 (moved)*; X>HTTP TCP FIN ACK; HTTP>X TCP FIN ACK*; normal HTTP with portal; update policy; redirect to original website; normal HTTP with original website...]
Note that the subscriber identification string is available only when used with subscriber management. Refer to the subscriber management section of the SROS Triple Play Guide and the SR OS Router Configuration Guide. Since most web sites are accessed using the domain name, the router allows either DNS queries or responds to DNS with the portal’s IP address.
ISID Filters ISID filters are a type of MAC filter that allows filtering based on the ISID values rather than L2 criteria used by MAC filters of type "normal" or "vid". ISID filters can be deployed on iVPLS PBB SAPs and ePipe PBB SAPs in the following scenarios: The MMRP usage of the mrp-policy ensures automatically that traffic using Group BMAC is not flooded between domains.
VID Filters VID filters are a type of MAC filter that extends the capability of current Ethernet ports with null or default SAP tag configuration to match and take action on VID tags. Service delimiting tags (for example QinQ 1/1/1:10.20 or dot1q 1/1/1:10, where outer tag 10 and inner tag 20 are service delimiting) allow fine grain control of frame operations based on the VID tag.
ACL Filter Policy Overview Service 1 SAP 1/1/1:10.* SAP 2/1/1:* MAC 10 20 ...Payload MAC 20 ...Payload MAC 20 ...Payload qinq dot1q Ingress: outer Egress: outer Port Port Encap Encap Service 2 SAP 1/1/2 SAP 2/1/2 MAC 10 20 30 ...Payload MAC 10 20 30 ...Payload MAC 10 20 30 ...Payload null...
Arbitrary Bit Matching of VID Filters In addition to matching an exact value, a VID filter mask allows masking any set of bits. The masking operation is ((value & vid-mask) == (tag & vid-mask)). For example: A value of 6 and a mask of 7 would match all VIDs with the lower 3 bits set to 6....
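The masked comparison above, worked through as an added example (not taken from the Alcatel-Lucent guide): the Python below applies ((value & vid-mask) == (tag & vid-mask)) across the 12-bit VID space, collapses the matches into ranges, and tests whether one value/mask pair overlaps or fully covers another. All function names are hypothetical, and the 12-bit width is the standard 802.1Q VLAN ID size rather than a figure from this page.

```python
"""Model of VID filter value/mask matching (added example, hypothetical names)."""

VID_BITS = 12                    # assumption: standard 802.1Q VLAN ID width
VID_SPACE = 1 << VID_BITS        # 4096 possible tag values (0..4095)


def vid_matches(tag, value, mask):
    """The comparison from the text: only bits set in mask are compared."""
    return (value & mask) == (tag & mask)


def matched_vids(value, mask):
    """Every VID in the 12-bit space that the value/mask pair matches."""
    return [tag for tag in range(VID_SPACE) if vid_matches(tag, value, mask)]


def to_ranges(vids):
    """Collapse a sorted VID list into inclusive (start, end) ranges."""
    ranges = []
    for vid in vids:
        if ranges and vid == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], vid)
        else:
            ranges.append((vid, vid))
    return ranges


def overlaps(a, b):
    """True if at least one VID matches both (value, mask) pairs.

    Two pairs can only disagree on bits that both masks compare, so they
    overlap exactly when their values agree on those shared bits.
    """
    (va, ma), (vb, mb) = a, b
    return ((va ^ vb) & ma & mb) == 0


def covers(a, b):
    """True if every VID matched by b is also matched by a.

    a must not compare any bit that b leaves free, and a must agree with b
    on every bit that a compares.
    """
    (va, ma), (vb, mb) = a, b
    return (ma & ~mb & (VID_SPACE - 1)) == 0 and ((va ^ vb) & ma) == 0


if __name__ == "__main__":
    # Value 6 / mask 7 is the example given in the text.
    low3 = matched_vids(6, 7)
    print(len(low3), "VIDs match 6/7, first few:", low3[:4])
    # Constructed pairs: an exact match and a contiguous 16-VID block.
    print("85/4095 ->", to_ranges(matched_vids(85, 4095)))
    print("16/4080 ->", to_ranges(matched_vids(16, 4080)))
    # A broad masked entry placed ahead of an exact one hides the exact one.
    print("6/7 covers 14/4095:", covers((6, 7), (14, 4095)))
    print("6/7 overlaps 5/7:", overlaps((6, 7), (5, 7)))
```

A mask that leaves high bits free matches a scattered set of VIDs rather than one range, which is why 6/7 expands to 512 separate values; checking `covers` before adding an entry shows whether an earlier masked entry would already take the same tags.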
ACL Filter Policy Overview Port Group Configuration Example C-VID Filters are Configured per Sub-group (S-VID) (Example) SVID=1 / CVID=30: Discard SVID=2 / CVID=30: Forward Legend S-TAG Sub-group 2 C-TAG Sub-group 1 : Data : Discard 10 30 Discards Frames With C-VID Not in Contract OSSG734 Figure 20: Port Groups...
Filter Policies Creating and Applying ACL Policies Figure 21 displays the process to create a redirect policy and to apply that policy to a service SAP or router interface. START CREATE A REDIRECT POLICY SPECIFY DESTINATION, PRIORITY, TEST TYPES CREATE IP FILTER SPECIFY REDIRECT POLICY IN ENTRY’S FORWARDING ACTION ASSOCIATE FILTER TO ROUTER INTERFACE CREATE SERVICE...
Creating and Applying ACL Policies START SPECIFY SCOPE, DEFAULT ACTION, DESCRIPTION, CREATE AN IP OR MAC FILTER (FILTER ID) FILTER NAME CREATE FILTER ENTRIES (ENTRY ID) SPECIFY ACTION, PACKET MATCHING CRITERIA CREATE SERVICE SELECT NETWORK PORT OR IP INTERFACE ASSOCIATE FILTER ID or FILTER NAME SAVE CONFIGURATION Figure 22: Creating and Applying Filter Policies Page 428...
Filter Policies Applying Filters After filters are created, they can be applied to the following entities: • Applying a Filter to a SAP on page 429 • Applying a Filter to a Network Port a Network IP on page 429 Applying a Filter to a SAP During the SAP creation process, ingress and egress filters are selected from a list of qualifying IP and MAC filters.
MAC filters. The type and scale of each criterion supported depends on the platform; see your Alcatel-Lucent representative for further details. As few or as many match parameters can be specified as required, but all conditions within a single filter policy entry must be met in order for the packet to be considered a match and the specified action performed.
Filter Policies whether the packet is a fragment or not. For IPv6, match on initial fragment is also supported. • ip-option — Match for the specified option in the first option of the IPv4 packet. • option-present — Match for the presence or absence of the IP options in the IPv4 packet. Padding and EOOL are also considered as IP options.
criteria is mutually exclusive with all other match criteria under a particular mac-filter policy. A new mac-filter type attribute is defined to control the use of inner-tag/outer-tag match criteria and must be set to vid to allow the use of inner-tag/outer-tag match criteria. DSCP Values Table 9: DSCP Name to DSCP Value Table DSCP Name...
Filter Policies Table 9: DSCP Name to DSCP Value Table (Continued) DSCP Name Decimal Hexadecimal Binary DSCP Value DSCP Value DSCP Value af31 cp27 af32 cp29 af33 cp21 cp33 af41 cp35 af42 cp37 af43 cp39 cp41 cp42 cp43 cp44 cp45 cp47 (cs6) cp49...
Creating and Applying ACL Policies Table 9: DSCP Name to DSCP Value Table (Continued) DSCP Name Decimal Hexadecimal Binary DSCP Value DSCP Value DSCP Value (cs7) cp60 cp61 cp62 Page 434 7750 SR OS Router Configuration Guide...
Filter Policies IP Option Values Table 10: IP Option Values Copy Class Number Value Name Description EOOL End of options list No operation Record route Experimental measurement MTUP MTU probe MTUR MTU reply ENCODE Time stamp Traceroute Security Loose source router E-SEC Extended security CIPSO...
Creating and Applying ACL Policies Ordering Filter Entries When entries are created, they should be arranged sequentially from the most explicit entry to the least explicit entry. Filter matching ceases when a packet matches an entry. The entry action is performed on the packet.
Figure 23 displays an example of several packets forwarded upon matching the filter criteria and several packets traversing through the filter entries and then dropped. FILTER ID: 5 DEFAULT ACTION: DROP INGRESS PACKETS: SA: 10.10.10.103, DA: 10.10.10.104 INGRESSING PACKETS: SA: 10.10.10.103, DA: 10.10.10.105 #1: SA: 10.10.10.103, DA: 10.10.10.104 SA: 10.10.10.103, DA: 10.10.10.106...
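First-match evaluation and the ordering advice above, as an added example (not taken from the guide): the Python below compares a packet against entries in ascending entry ID, falls back to the default action, and flags entries that can never be reached because an earlier entry's prefixes contain theirs. The filter contents are constructed around the addresses in Figure 23; the entry layout and function names are hypothetical, and only src-ip/dst-ip prefix criteria are modelled.

```python
"""First-match evaluation of an ordered IP filter (added example)."""
import ipaddress
from collections import namedtuple

# Hypothetical in-memory form of one filter entry: ID, two prefixes, action.
Entry = namedtuple("Entry", "entry_id src dst action")


def entry(entry_id, src, dst, action):
    """Build an Entry from prefix strings such as '10.10.10.103/32'."""
    return Entry(entry_id, ipaddress.ip_network(src),
                 ipaddress.ip_network(dst), action)


def evaluate(entries, default_action, sa, da):
    """Return (entry_id or None, action) for one packet.

    Entries are compared in ascending entry ID and matching stops at the
    first hit; a packet that matches no entry takes the default action.
    """
    sa, da = ipaddress.ip_address(sa), ipaddress.ip_address(da)
    for e in sorted(entries, key=lambda e: e.entry_id):
        if sa in e.src and da in e.dst:
            return e.entry_id, e.action
    return None, default_action


def shadowed(entries):
    """List (later_id, earlier_id) pairs where the later entry is unreachable.

    With prefix-only criteria, a later entry can never be hit when an
    earlier entry's source and destination prefixes both contain its own.
    """
    ordered = sorted(entries, key=lambda e: e.entry_id)
    found = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if (later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)):
                found.append((later.entry_id, earlier.entry_id))
                break
    return found


# Constructed filter, default action drop, using the Figure 23 addresses:
# most explicit entries first, the broad entry last.
GOOD_ORDER = [
    entry(10, "10.10.10.103/32", "10.10.10.104/32", "forward"),
    entry(20, "10.10.10.103/32", "10.10.10.105/32", "forward"),
    entry(30, "10.10.10.0/24", "10.10.10.0/24", "drop"),
]
# Same rules with the broad entry numbered first: the specific ones are dead.
BAD_ORDER = [
    entry(10, "10.10.10.0/24", "10.10.10.0/24", "drop"),
    entry(20, "10.10.10.103/32", "10.10.10.104/32", "forward"),
    entry(30, "10.10.10.103/32", "10.10.10.105/32", "forward"),
]

if __name__ == "__main__":
    for da in ("10.10.10.104", "10.10.10.105", "10.10.10.106"):
        print(da, evaluate(GOOD_ORDER, "drop", "10.10.10.103", da))
    print("no entry matches:",
          evaluate(GOOD_ORDER, "drop", "192.0.2.1", "10.10.10.104"))
    print("shadowed in bad order:", shadowed(BAD_ORDER))
```

Running the shadow check against an exported policy before renumbering or inserting entries catches permit rules that a broader earlier entry silently overrides.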
Configuration Notes Configuration Notes The following information describes filter implementation caveats: • Creating a filter policy is optional. • Associating a service with a filter policy is optional. • When a filter policy is configured, it should be defined as having either an exclusive scope for one-time use, or a template scope meaning that the filter can be applied to multiple SAPs.
Filter Policies MAC Filters • If a MAC filter policy is created with an entry and entry action specified but the packet matching criteria is not defined, then all packets processed through this filter policy entry will pass and take the action specified. There are no default parameters defined for matching criteria.
Configuration Notes IP Filters • IP filters are used for IPv4 traffic only. IPv6 filters are to be used for IPv6 traffic. If a filter policy is created with an entry and entry action specified but the packet matching criteria is not defined, then all packets processed through this filter policy entry will pass and take the action specified.
• In case the mini-table has no more free entries, only the total counter is incremented. • At expiry of the summarization interval, the mini-table for each type is flushed to the syslog destination.
Filter Policies Configuring Filter Policies with CLI This section provides information to configure filter policies using the command line interface. Topics in this section include: • Basic Configuration on page 444 • Common Configuration Tasks on page 445 Creating an IP Filter Policy on page 445 ...
Basic Configuration Basic Configuration The most basic IP, IPv6 and MAC filter policies must have the following: • A filter ID • Template scope, either exclusive or template • Default action, either drop or forward • At least one filter entry ...
Filter Policies Common Configuration Tasks This section provides a brief overview of the tasks that must be performed for both IP and MAC filter configurations and provides the CLI commands. To configure a filter policy, perform the following tasks: • Creating an IP Filter Policy on page 445 •...
IP Filter Policy The following displays an exclusive filter policy configuration example: A:ALA-7>config>filter# info ---------------------------------------------- ip-filter 12 create description "IP-filter" scope exclusive exit ---------------------------------------------- A:ALA-7>config>filter#
IP Filter Entry Within a filter policy, configure filter entries which contain criteria against which ingress, egress, or network traffic is matched. The action specified in the entry determines how the packets are handled, either dropped or forwarded. •...
Common Configuration Tasks Configuring the HTTP-Redirect Option If http-redirect is specified as an action, a corresponding forward entry must be specified before the redirect. Note that http-redirect is not supported on 7750 SR-1 or 7450 ESS-1 models. The following displays an http-redirect configuration example: A:ALA-48>config>filter>ip-filter# info ---------------------------------------------- description "filter-main"...
Cflowd Filter Sampling Within a filter entry, you can specify that traffic matching the associated IP filter entry is sampled if the IP interface is set to cflowd acl mode. Enabling filter-sample enables the cflowd tool. The following displays an IP filter entry configuration example. A:ALA-7>config>filter>ip-filter# info ---------------------------------------------- description "filter-main"...
Common Configuration Tasks Creating an IPv6 Filter Policy Configuring and applying IPv6 filter policies is optional. IPv6 Filter Policy must be configured separately from IP (IPv4) filter policy. The configuration mimics IP Filter policy configuration. Please see Creating an IP Filter Policy on page 445.
Filter Policies Creating a MAC Filter Policy Configuring and applying filter policies is optional. Each filter policy must have the following: • The filter policy type specified (MAC normal, MAC isid, MAC vid). • A filter policy ID. • A default action, either drop or forward. •...
MAC ISID Filter Policy The following displays an ISID filter configuration example: A:ALA-7>config>filter# info ---------------------------------------------- mac-filter 90 create description "filter-wan-man" scope template type isid entry 1 create description "drop-local-isids" match isid 100 to 1000 exit action drop exit entry 2 create description "allow-wan-isids"...
MAC VID Filter Policy The following displays a VID filter configuration example: A:TOP_NODE>config>filter>mac-filter# info ---------------------------------------------- default-action forward type vid entry 1 create match frame-type ethernet_II outer-tag 85 4095 exit action drop exit entry 2 create match frame-type ethernet_II outer-tag 43 4095 exit action drop exit...
MAC Filter Entry Within a filter policy, configure filter entries which contain criteria against which ingress, egress, or network traffic is matched. The action specified in the entry determines how the packets are handled, either dropped or forwarded. •...
Creating a Match List for Filter Policies IP filter policies support usage of match lists as a single match criterion. To create a match list you must: • Specify a type of a match list (IPv4 address prefix for example). •...
Common Configuration Tasks Apply IP (v4/v6) and MAC Filter Policies to a Service IP and MAC filter policies are applied by associating them with a SAP and/or spoke-sdp in ingress and/or egress direction as desired. Filter ID is used to associate an existing filter policy, or if defined, a Filter Name for that Filter ID policy can be used in the CLI.
Applying (IPv4/v6) Filter Policies to a Network Port IP filter policies can be applied to network IP (v4/v6) interfaces. MAC filters cannot be applied to network IP interfaces or to routable IES services. Similarly to applying filter policies to service, IP (v4/v6) filter policies are applied to network interfaces by associating a policy with ingress and/or egress direction as desired.
Common Configuration Tasks Creating a Redirect Policy Configuring and applying redirect policies is optional. Each redirect policy must have the following: • A destination IP address • A priority (default is 100) • At least one of the following tests must be enabled: ...
Filter Policies Configuring Policy-Based Forwarding for Deep Packet Inspection in VPLS The purpose of policy-based forwarding is to capture traffic from a customer, perform a deep packet inspection (DPI), and forward the traffic if the DPI allows it. In the following example, the split horizon groups are used to prevent flooding of traffic. Traffic from customers enters at SAP 1/1/5:5.
Page 460
Common Configuration Tasks The following displays a VPLS service configuration with DPI example: *A:ALA-48>config>service# info ---------------------------------------------- vpls 10 customer 1 create service-mtu 1400 split-horizon-group "dpi" residential-group create exit split-horizon-group "split" create exit shutdown exit sap 1/1/21:1 split-horizon-group "split" create disable-learning static-mac 00:00:00:31:11:01 create exit sap 1/1/22:1 split-horizon-group "dpi"...
Page 461
Filter Policies The following displays the MAC filter added to the VPLS service configuration: *A:ALA-48>config>service# info ---------------------------------------------- vpls 10 customer 1 create service-mtu 1400 split-horizon-group "dpi" residential-group create exit split-horizon-group "split" create exit shutdown exit sap 1/1/5:5 split-horizon-group "split" create ingress filter mac 100 exit...
Filter Management Tasks Filter Management Tasks This section discusses the following filter policy management tasks: • Renumbering Filter Policy Entries on page 462 • Modifying a Filter Policy on page 464 • Deleting a Filter Policy on page 466 • Modifying a Redirect Policy on page 467 •...
Page 463
Filter Policies A:ALA-7>config>filter# info A:ALA-7>config>filter# info ---------------------------------------------- ---------------------------------------------- ip-filter 11 create ip-filter 11 create description "filter-main" description "filter-main" scope exclusive scope exclusive entry 10 create entry 1 create description "no-91" match filter-sample dst-ip 10.10.10.91/24 interface-disable-sample src-ip 10.10.10.106/24 match exit dst-ip 10.10.10.91/24 action drop src-ip 10.10.10.103/24 exit...
Filter Management Tasks Modifying a Filter Policy There are several ways to modify an existing filter policy. A filter policy can be modified dynamically as part of subscriber management dynamic insertion/removal of filter policy entries (see SROS Triple Play Guide for details). A filter policy can be modified indirectly by configuration change to a match list the filter policy uses (as described earlier in this guide).
Filter Management Tasks Deleting a Filter Policy Before you can delete a filter, you must remove the filter association from all the applied ingress and egress SAPs and network interfaces by executing the no filter command in every context where the filter is used.
Filter Policies Modifying a Redirect Policy To access a specific redirect policy, you must specify the policy name. Use the no form of the command to remove the command parameters or return the parameter to the default setting. Example config>filter# redirect-policy redirect1 config>filter>redirect-policy# description "New redirect info"...
Filter Management Tasks Deleting a Redirect Policy Before you can delete a redirect policy from the filter configuration, you must remove the policy association from the IP filter. The following example shows the command usage to replace the configured redirect policy (redirect1) with a different redirect policy (redirect2) and then remove the redirect1 policy from the filter configuration.
Filter Policies Copying Filter Policies When changes are to be made to an existing filter policy applied to one or more SAPs/network interfaces, it is recommended to first copy the applied filter policy, then modify the copy, and then overwrite the applied policy with the modified copy.
Filter Policies Configuration Commands Generic Commands description Syntax description string no description Context config>filter>dhcp-filter config>filter>ip-filter config>filter>ipv6-filter config>filter>ip-filter>entry config>filter>ip-filter>entry config>filter>ipv6-filter>entry config>filter>log config>filter>mac-filter config>filter>mac-filter>entry config>filter>redirect-policy config>filter>redirect-policy>destination config>filter>match-list>ip-prefix-list config>filter>match-list>ip-filter config>filter>match-list>port-list Description This command creates a text description stored in the configuration file for a configuration context. The description command associates a text string with a configuration context to help identify the context in the configuration file.
Global Filter Commands Global Filter Commands dhcp-filter Syntax dhcp-filter filter-id [create] no dhcp-filter filter-id Context config>filter Description This command configures the identification number of a DHCP filter. Parameters filter-id — Specifies the DHCP filter policy ID number. Values 1 — 65535 create —...
Page 483
Filter Policies ipv6-filter Syntax ipv6-filter filter-id [create] ip-filter {filter-id | filter-name} no ipv6-filter ipv6-filter-id Context config>filter Description This command creates a configuration context for an IP (v6) filter policy. The IP filter policy, sometimes referred to as an access control list (ACL), is a template that can be applied to multiple services or multiple network ports as long as the scope of the policy is template.
Page 484
Global Filter Commands Parameters filter-id — The MAC filter policy ID number. Values 1 — 65535 create — Keyword required when first creating the configuration context. Once the context is created, one can navigate into the context without the create keyword. filter-name —...
Filter Policies DHCP Filter Commands action Syntax action {bypass-host-creation} action drop no action Context config>filter>dhcp-filter>entry Description This command specifies the action to take on DHCP host creation when the filter entry matches. The no form of the command reverts to the default wherein the host creation proceeds as normal Default no action Parameters...
Filter Log Commands Filter Log Commands destination Syntax destination memory num-entries destination syslog syslog-id no destination Context config>filter>log Description This command configures the destination for filter log entries for the filter log ID. Filter logs can be sent to either memory (memory) or to an existing Syslog server definition (server). If the filter log destination is memory, the maximum number of entries in the log must be specified.
Page 487
Filter Policies Default no shutdown summary Syntax summary Context config>filter>log Description This command enables the context to configure log summarization. These settings are only taken into account when syslog is the log destination.
Page 488
Filter Log Commands The no form of the command configures the memory filter log to accept filter log entries until full. When the memory filter log is full, filter logging for the log filter ID ceases. Default wrap-around
Filter Policies ACL Filter Policy Commands default-action Syntax default-action {drop | forward} Context config>filter>ip-filter config>filter>ipv6-filter config>filter>mac-filter Description This command specifies the action to be applied to packets when the packets do not match the specified criteria in all of the IP filter entries of the filter. When multiple default-action commands are entered, the last command will overwrite the previous command.
Page 490
ACL Filter Policy Commands Parameters filter-id — Specifies a previously defined embedded filter policy. offset — a value from 0 to 65535, an embedded filter entry X will have an entry X + offset in the embedding filter. filter-name Syntax filter-name filter-name Context config>filter>ip-filter...
Page 491
Filter Policies shared-radius-filter-wmark Syntax shared-radius-filter-wmark low low-watermark high high-watermark no shared-radius-filter-wmark Context config>filter>ip-filter config>filter>ipv6-filter Description This command configures the low and high watermark for the number of RADIUS shared filters reporting Parameters low low-watermark — Specifies the utilization of the filter ranges for filter entry insertion, at which a table full alarm will be raised by the agent.
Page 492
ACL Filter Policy Commands The no form of the command reverts to the default. Default none Parameters entry entry-id — Specifies at what place the filter entries received from RADIUS will be inserted in the filter. Values 1 — 65535 count count —...
Page 493
Filter Policies high high-watermark — Specifies the utilization of the filter ranges for filter entry insertion, at which a table full alarm will be raised by the agent. Values 0 — 100 type Syntax type filter-type Context config>filter>mac-filter Description This command configures the type of mac-filter as normal, ISID or VID types. Default normal Parameters...
General Filter Entry Commands General Filter Entry Commands entry Syntax entry entry-id [time-range time-range-name] [create] no entry entry-id Context config>filter>dhcp-filter config>filter>ip-filter config>filter>ipv6-filter config>filter>mac-filter Description This command creates or edits an IP (v4), IPv6, or MAC filter entry. Multiple entries can be created using unique entry-id numbers within the filter.
Page 495
Filter Policies destination filter log ID. The filter log ID must exist before a filter entry can be enabled to use the filter log ID. The no form of the command disables logging for the filter entry. Default no log Parameters log-id —...
Page 497
Filter Policies indirect ip-address — The IP address of the indirect next-hop to which to forward matching packets in dotted decimal notation. The direct next-hop IP address and egress IP interface are determined by a route table lookup. If the next hop is not available, then a routing lookup will be performed and if a match is found the packet will be forwarded to the result of that lookup.
Page 498
IP (v4/v6) Filter Entry Commands nat — Specifies that matching traffic is to be redirected for NAT performed by Integrated Service Adapter(s) running the NAT application. reassemble — Packets matching the filter entry are forwarded to the packet reassembly function in the system.
Page 499
Filter Policies If more than one match criteria (within one match statement) are configured then all criteria must be satisfied (AND function) before the action associated with the match is executed. A match context may consist of multiple match criteria, but multiple match statements cannot be entered per entry.
Page 500
IP (v4/v6) Filter Entry Commands Protocol Protocol ID Description eigrp EIGRP ospf-igp OSPFIGP ether-ip Ethernet-within-IP Encapsulation encap Encapsulation Header pnni PNNI over IP Protocol Independent Multicast vrrp Virtual Router Redundancy Protocol l2tp Layer Two Tunneling Protocol Spanning Tree Protocol Performance Transparency Protocol isis ISIS over IPv4 crtp...
Page 501
Filter Policies dscp Syntax dscp dscp-name no dscp Context config>filter>ip-filter>entry>match config>filter>ipv6-filter>entry>match Description This command configures a DiffServ Code Point (DSCP) name to be used as an IP filter match criterion. The no form of the command removes the DSCP match criterion. Default no dscp Parameters...
Page 502
IP (v4/v6) Filter Entry Commands mask — Eight 16-bit hexadecimal pieces representing bit match criteria. Values x:x:x:x:x:x:x (eight 16-bit pieces) netmask — Any mask expressed in dotted quad notation. Values 0.0.0.0 — 255.255.255.255 dst-ip Syntax dst-ip [ipv6-address/prefix-length|ipv6-prefix-list/ipv6-prefix-list-name] no dst-ip Context config>filter>ipv6-filter>entry>match Description This command matches a destination IPv6 address.
Page 503
Filter Policies etc) fragments of a fragmented packet since only the first fragment contains the Layer 4 information. The no form of the command removes the destination port match criterion. Default none Parameters lt | gt | eq — Specifies the operator to use relative to dst-port-number for specifying the port number match criteria.
Page 504
IP (v4/v6) Filter Entry Commands fragment Syntax IPv4: fragment {true|false} no fragment IPv6: fragment {true|false|first-only|non-first-only} no fragment Context config>filter>ip-filter>entry>match config>filter>ipv6-filter>entry>match Description This command specifies fragmented or non-fragmented IP packets as an IP filter match criterion. Note that an entry containing Layer 4 match criteria will not match non-initial (2nd, 3rd, etc) fragments of a fragmented packet since only the first fragment contains the Layer 4 information.
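The fragment caveat above, worked through as an added example (not code from this guide or from SR OS): a small Python model of one IP filter shows a drop entry with a dst-port criterion letting a non-initial fragment fall through to default-action forward, and a preceding fragment true entry closing that gap. The model assumes entries are evaluated in ascending entry-id order with the first match deciding, and that fragment true matches first and later fragments alike; all class, function and policy names are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    protocol: int                   # IP protocol number (6 = TCP)
    frag_offset: int = 0            # 0 for unfragmented packets and first fragments
    more_fragments: bool = False    # MF bit
    dst_port: Optional[int] = None  # None on non-initial fragments (no Layer 4 header)

    @property
    def is_fragment(self) -> bool:
        return self.frag_offset > 0 or self.more_fragments

    @property
    def is_non_initial(self) -> bool:
        return self.frag_offset > 0


@dataclass
class Entry:
    entry_id: int
    action: str                      # "drop" or "forward"
    protocol: Optional[int] = None   # models "match protocol N"
    dst_port: Optional[int] = None   # models "dst-port eq N"
    fragment: Optional[bool] = None  # models "fragment true|false"; None = not configured

    def matches(self, pkt: Packet) -> bool:
        # All configured criteria must be satisfied (AND function).
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.dst_port is not None:
            # Layer 4 criteria never match non-initial fragments:
            # only the first fragment carries the Layer 4 header.
            if pkt.is_non_initial or pkt.dst_port != self.dst_port:
                return False
        if self.fragment is not None and pkt.is_fragment != self.fragment:
            return False
        return True


def evaluate(entries: List[Entry], default_action: str, pkt: Packet) -> str:
    """Return the action for pkt. Assumption: ascending entry-id order, first match wins."""
    for entry in sorted(entries, key=lambda e: e.entry_id):
        if entry.matches(pkt):
            return entry.action
    return default_action


def exposed_l4_drop_entries(entries: List[Entry], default_action: str) -> List[int]:
    """Entry IDs of Layer 4 drop entries whose later fragments would still be forwarded."""
    exposed = []
    for entry in entries:
        if entry.action == "drop" and entry.dst_port is not None:
            # Constructed probe: a non-initial fragment of the same protocol.
            probe = Packet(protocol=entry.protocol or 6, frag_offset=185)
            if evaluate(entries, default_action, probe) == "forward":
                exposed.append(entry.entry_id)
    return exposed


# Constructed sample policies (not taken from the guide).
# WEAK: default-action forward, entry 10 drops TCP with dst-port eq 23.
WEAK = [Entry(10, "drop", protocol=6, dst_port=23)]
# HARDENED: entry 5 drops every fragmented TCP packet before entry 10 is reached.
# Trade-off: legitimate fragmented TCP is dropped as well.
HARDENED = [Entry(5, "drop", protocol=6, fragment=True)] + WEAK

# Constructed sample packets.
WHOLE = Packet(protocol=6, dst_port=23)                            # unfragmented
FIRST = Packet(protocol=6, more_fragments=True, dst_port=23)       # first fragment
LATER = Packet(protocol=6, frag_offset=185)                        # non-initial fragment
WEB = Packet(protocol=6, dst_port=443)                             # unrelated traffic

if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("hardened", HARDENED)):
        verdicts = [evaluate(policy, "forward", p) for p in (WHOLE, FIRST, LATER, WEB)]
        print(name, verdicts, "exposed:", exposed_l4_drop_entries(policy, "forward"))
```

With default-action drop the same check reports nothing, because the non-initial fragment is then dropped by default rather than forwarded.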
Page 505
Filter Policies Parameters true — Matches a packet with an AH Extension Header. false — Match a packet without an AH Extension Header. esp-ext-hdr Syntax esp-ext-hdr {true|false } no esp-ext-hdr Context config>filter>ipv6-filter>entry>match Description This command enables match on existence of ESP Extension Header in the IPv6 filter policy. The no form of this command ignores ESP Extension Header presence/absence in a packet when evaluating match criteria of a given filter policy entry.
Page 506
IP (v4/v6) Filter Entry Commands packet as a filter match criterion. Note that an entry containing Layer 4 match criteria will not match non-initial (2nd, 3rd, etc) fragments of a fragmented packet since only the first fragment contains the Layer 4 information. This option is only meaningful if the protocol match criteria specifies ICMP (1).
Page 507
Filter Policies The no form of the command removes the match criterion. Default none Parameters ip-option-value — Enter the 8 bit option-type as a decimal integer. The mask is applied as an AND to the option byte, the result is compared with the option-value. The decimal value entered for the match should be a combined value of the eight bit option type field and not just the option number.
Page 508
IP (v4/v6) Filter Entry Commands option-present Syntax option-present {true | false} no option-present Context config>filter>ip-filter>entry>match Description This command configures matching packets that contain the option field in the IP header as an IP filter match criterion. The no form of the command removes the checking of the option field in the IP header as a match criterion.
Page 509
Filter Policies Parameters true — match if a packet contains Routing Type Extension Header type 0 false — match if a packet does not contain Routing Type Extension Header type 0 src-ip Syntax src-ip {ip-address [/mask]} [netmask ip-prefix-list prefix-list-name] src-ip {ipv6-address/prefix-length | mask | ipv6-prefix-list prefix-list-name} no src-ip Context config>filter>ip-filter>entry>match...
Page 510
IP (v4/v6) Filter Entry Commands src-port Syntax src-port {lt | gt | eq} src-port-number src-port port-list port-list-name src-port range src-port-number src-port-number no src-port Context config>filter>ip-filter>entry>match config>filter>ipv6-filter>entry>match Description This command configures a source TCP or UDP port number or port range for an IP filter match criterion.
Page 511
Filter Policies tcp-ack Syntax tcp-ack {true | false} no tcp-ack Context config>filter>ip-filter>entry>match config>filter>ipv6-filter>entry>match Description This command configures matching on the ACK bit being set or reset in the control bits of the TCP header of an IP packet as an IP filter match criterion. Note that an entry containing Layer 4 match criteria will not match non-initial (2nd, 3rd, etc) fragments of a fragmented packet since only the first fragment contains the Layer 4 information.
Match List Configuration Commands Match List Configuration Commands match-list Syntax match-list Context config>filter Description This command enables the configuration context for match lists to be used in filter policies (IOM and CPM). ip-prefix-list Syntax ip-prefix-list ip-prefix-list-name create no ip-prefix-list ip-prefix-list-name Context config>filter>match-list Description...
Page 513
Filter Policies Please see general description related to match-list usage in filter policies. Parameters ipv6-prefix-list-name — A string of up to 32 characters of printable ASCII characters. If special characters are used, the string must be enclosed within double quotes. apply-path Syntax apply-path...
Page 514
Match List Configuration Commands reg-exp — A regular expression defining a match string to be used to auto generate address prefixes. Matching is performed from the least significant digit. For example a string 10.0 matches all neighbors with addresses starting with 10; like 10.0.x.x or 10.0xx.x.x. port-list Syntax port-list port-list-name create...
Page 515
Filter Policies start of the range and end of the range are expressed as decimal integers. Values 1 — 65535 port-list-name — A string of up to 32 characters of printable ASCII characters. If special characters are used, the string must be enclosed within double quotes. prefix Syntax prefix ipv6-prefix/prefix-length...
Page 516
Match List Configuration Commands To add a set of unique prefixes, execute the command with all unique prefixes. The prefixes are allowed to overlap IPv4 address space. An IPv4 prefix addition will be blocked if resource exhaustion is detected anywhere in the system because of Filter Policies that use this IPv4 address prefix list.
Filter Policies MAC Filter Entry Commands action Syntax action drop action forward [sap sap-id |sdp sdp-id] no action Context config>filter>mac-filter>entry Description This command configures the action for a MAC filter entry. The action keyword must be entered for the entry to be active. Any filter entry without the action keyword will be considered incomplete and will be inactive.
Page 518
MAC Filter Entry Commands entered per entry. The no form of the command removes the match criteria for the entry-id. Parameters frame-type keyword — The frame-type keyword configures an Ethernet frame type to be used for the MAC filter match criteria. Default 802dot3ethernet_II Values...
Filter Policies MAC Filter Match Criteria dot1p Syntax dot1p ip-value [mask] no dot1p Context config>filter>mac-filter>entry Description Configures an IEEE 802.1p value or range to be used as a MAC filter match criterion. When a frame is missing the 802.1p bits, specifying a dot1p match criterion will fail for the frame and result in a non-match for the MAC filter entry.
Page 520
MAC Filter Match Criteria dsap Syntax dsap dsap-value [mask] no dsap Context config>filter>mac-filter>entry>match Description Configures an Ethernet 802.2 LLC DSAP value or range for a MAC filter match criterion. This is a one-byte field that is part of the 802.2 LLC header of the IEEE 802.3 Ethernet Frame. The snap-pid field, etype field, ssap and dsap fields are mutually exclusive and may not be part of the same match criteria.
Page 521
Filter Policies Parameters ieee-address — The MAC address to be used as a match criterion. Values HH:HH:HH:HH:HH:HH or HH-HH-HH-HH-HH-HH where H is a hexadecimal digit mask — A 48-bit mask to match a range of MAC address values. This 48-bit mask can be configured using the following formats: Format Style Format Syntax Example...
Page 522
MAC Filter Match Criteria isid Syntax isid value [to higher-value] no isid Context config>filter>mac-filter>entry>match Description This command configures an ISID value or a range of ISID values to be matched by the mac-filter parent. The pbb-etype value for the related SAP (inherited from the ethernet port configuration) or for the related SDP binding (inherited from SDP configuration) will be used to identify the ISID tag.
Page 523
Filter Policies outer-tag Syntax outer-tag value [vid-mask] no outer-tag Context config>filter>mac-filter>entry>match Description This command configures the matching of the first tag that is carried transparently through the service. Service delimiting tags are stripped from the frame and outer tag on ingress is the first tag after any service delimiting tags.
Page 524
MAC Filter Match Criteria snap-pid Syntax snap-pid pid-value no snap-pid Context config>filter>mac-filter>entry Description Configures an IEEE 802.3 LLC SNAP Ethernet Frame PID value to be used as a MAC filter match criterion. This is a two-byte protocol id that is part of the IEEE 802.3 LLC SNAP Ethernet Frame that follows the three-byte OUI field.
Page 525
Filter Policies Format Style Format Syntax Example Binary 0bBBBBBBB...B 0b11110000...B To configure so that all packets with a source MAC OUI value of 00-03-FA are subject to a match condition then the entry should be specified as: 003FA000000 0xFFFFFF000000 Default 0xFFFFFFFFFFFF (exact match) Values 0x00000000000000 —...
Policy and Entry Maintenance Commands Policy and Entry Maintenance Commands copy Syntax copy ip-filter src-filter-id [src-entry src-entry-id] to dst-filter-id [dst-entry dst-entry-id] [overwrite] copy ipv6-filter src-filter-id [src-entry src-entry-id] to dst-filter-id [dst-entry dst-entry-id] [overwrite] copy mac-filter src-filter-id [src-entry src-entry-id] to dst-filter-id [dst-entry dst-entry-id] [overwrite] Context config>filter...
Page 527
Filter Policies Parameters filter-name — Specifies the filter name up to 64 characters in length. group-inserted-entries Syntax group-inserted-entries application application location location Context config>filter>ip-filter config>filter>ipv6-filter Description This command groups filter entries that are inserted in a filter by either RADIUS or Credit Control. Parameters application application —...
Redirect Policy Commands Redirect Policy Commands destination Syntax [no] destination ip-address Context config>filter>redirect-policy Description This command defines a cache server destination in a redirect policy. More than one destination can be configured. Whether a destination IP address will receive redirected packets depends on the effective priority value after evaluation.
Page 529
Filter Policies hold-down seconds — The amount of time, in seconds, that the system should be held down if any of the test has marked it unreachable. Values 0 — 86400 interval Syntax interval seconds no interval Context config>filter>destination>ping-test config>filter>destination>snmp-test config>filter>destination>url-test Description This command specifies the amount of time, in seconds, between consecutive requests sent to the far...
Page 530
Redirect Policy Commands Description Redirect policies can contain multiple destinations. Each destination is assigned an initial or base priority which describes its relative importance within the policy. If more than one destination is specified, the destination with the highest effective priority value is selected. Default Parameters priority —...
Page 531
Filter Policies within the specified range, the priority can be disabled, lowered or raised. Default none Parameters return-value — Specifies the SNMP value against which the test result is matched. Values A maximum of 256 characters. return-type — Specifies the SNMP object type against which the test result is matched. Values integer, unsigned, string, ip-address, counter, time-ticks, opaque disable —...
Page 532
Redirect Policy Commands Parameters return-code-1, return-code-2 — Specifies a range of return codes. When the URL test return-code falls within the specified range, the corresponding action is performed. Values return-code-1: 1 — 4294967294 return-code-2: 2 — 4294967295 disable — Specifies that the destination may not be used for the amount of time specified in the hold-time command when the return code falls within the specified range.
Filter Policies Show Commands dhcp Syntax dhcp [filter-id] Context show>filter Description This command displays DHCP filter information. *B:TechPubs>config# show filter dhcp =============================================================================== DHCP Filters =============================================================================== Filter-Id Applied Description ------------------------------------------------------------------------------- test-dhcp-filter ------------------------------------------------------------------------------- Num filter entries: 1 =============================================================================== *B:TechPubs>config# *B:TechPubs>config# show filter dhcp 10 =============================================================================== DHCP Filter ===============================================================================...
Page 534
Show Commands Output download-failed Output — The following table describes the filter download-failed output. Label Description Displays the filter type. Filter-type Displays the ID of the filter. Filter-ID Displays the entry number of the filter. Filter-Entry Sample Output A:ALA-48# show filter download-failed ============================================ Filter entries for which download failed ============================================...
Page 535
Filter Policies type entry-type — specifies type of filter entry to display, values: Values fixed, radius-insert, credit-control-insert, flowspec, embedded, radius-shared embedded [failed] — Shows all embeddings, optionally shows failed embedding only, if filter-id is not specified shows all embedded filters. Output Show Filter (no filter-id specified) —...
Page 536
Show Commands =============================================================================== IP Filters Total: =============================================================================== Filter-Id Scope Applied Description ------------------------------------------------------------------------------- 10001 Template Yes fSpec-1 Template Yes BGP FlowSpec filter for the Base router ------------------------------------------------------------------------------- Num IP filters: 2 =============================================================================== *A:Dut-C>config>filter# show filter ip embedded ================================================ IP Filter embedding ================================================ From Priority...
Page 537
Filter Policies Label Description (Continued) Dest. IP The destination IPv6 address and prefix length match criterion. Next-header The next header ID for the match criteria. indicates no Undefined next-header specified. ICMP Type The ICMP type match criterion. indicates no ICMP type Undefined specified.
Page 538
Show Commands Label Description (Continued) Matches packets that contain the option field or have an option On — field of zero be used as IP filter match criteria. Int. Sampling Interface traffic sampling is disabled. Off — Interface traffic sampling is enabled. On —...
Page 539
Filter Policies Description : BGP FlowSpec filter for the Base router ------------------------------------------------------------------------------- Filter Association : IP ------------------------------------------------------------------------------- Service Id Type : IES - SAP 1/1/3:1.1 (merged in ip-fltr 10001) =============================================================================== *A:Dut-C>config>filter# *A:Dut-C>config>filter# show filter ip 10001 =============================================================================== IP Filter =============================================================================== Filter Id : 10001 Applied...
Page 540
Show Commands Dest. IP : 0.0.0.0/0 Dest. Port : None Protocol : 17 Dscp : Undefined ICMP Type : Undefined ICMP Code : Undefined Fragment : Off Option-present : Off Sampling : Off Int. Sampling : On IP-Option : 0/0 Multiple Option: Off TCP-syn : Off...
Page 541
Filter Policies Option-pres : Off Match action : Drop Ing. Matches : 0 pkts Egr. Matches : 0 pkts Output Show Filter (with time-range specified) — If a time-range is specified for a filter entry, the following is displayed. A:ALA-49# show filter ip =============================================================================== IP Filter ===============================================================================...
Page 542
Show Commands Output Show Filter Associations — The following table describes the fields that display when the associations keyword is specified. Label Description The IP filter policy ID. Filter Id The filter policy is of type Template. Scope Template — The filter policy is of type Exclusive.
Page 543
Filter Policies Label Description (Continued) Fragments are not a matching criteria. All fragments and non- Off — fragments implicitly match. Specifies that traffic sampling is disabled. Sampling Off — Specifies that traffic matching the associated IP filter entry is On — sampled.
Page 544
Show Commands Label Description (Continued) Configures a match on packets with the ACK flag set to TCP-ack False — false. configures a match on packets with the ACK flag set to true. True — The state of the TCP ACK flag is not considered as part of the Off —...
Page 545
Filter Policies Entries ------------------------------------------------------------------------------- Filter Association : IP ------------------------------------------------------------------------------- Tod-suite "english_suite" - ingress, time-range "day" (priority 5) =============================================================================== A:ALA-49# Output Show Filter Counters — The following table describes the output fields when the counters keyword is specified. Label Description The IP filter policy ID. IP Filter Filter Id The filter policy is of type Template.
Page 547
Filter Policies Output Show Filter (no filter-id specified) — The following table describes the command output for the command when no filter ID is specified. Label Description The IP filter ID Filter Id The filter policy is of type template. Scope Template —...
Page 548
Show Commands =============================================================================== Configured IP Filters Total: =============================================================================== Filter-Id Scope Applied Description ------------------------------------------------------------------------------- Template Exclusive No Template Embedded =============================================================================== System IP Filters Total: =============================================================================== Filter-Id Description ------------------------------------------------------------------------------- _tmnx_ofs_test of-switch 'test' embedded filter ------------------------------------------------------------------------------- Num IP filters: 5 ============================================================================== Output Show Filter (with filter-id specified) — The following table describes the command output for the command when a filter ID is specified.
Page 549
Filter Policies Label Description (Continued) The destination IP address and mask match criterion. indi- Dest. IP 0.0.0.0/0 cates no criterion specified for the filter entry. The protocol ID for the match criteria. indicates no proto- Protocol Undefined col specified. The ICMP type match criterion. indicates no ICMP type ICMP Type Undefined...
Page 550
Show Commands Label Description (Continued) Specifies not to search for packets that contain the option field Option-present Off — or have an option field of zero. Matches packets that contain the option field or have an option On — field of zero be used as IP filter match criteria. Interface traffic sampling is disabled.
Page 551
Filter Policies Label Description Filter Id The IPv6 filter policy ID. Scope The filter policy is of type Template. Template — The filter policy is of type Exclusive. Exclusive — Entries The number of entries configured in this filter ID. Applied The filter policy ID has not been applied.
Page 552
Show Commands
Label Description (Continued)
On — Specifies that traffic matching the associated IP filter entry is sampled.
IP-Option: Specifies matching packets with a specific IP option or a range of IP options in the IP header for IP filter match criteria.
TCP-syn:
False — Configures a match on packets with the SYN flag set to...
Page 553
Filter Policies
Label Description (Continued)
Off — The state of the TCP ACK flag is not considered as part of the match criteria.
Egr. Matches: The number of egress filter matches/hits for the filter entry.
Sample Output
A:ALA-48# show filter ipv6 1 associations
===============================================================================
IPv6 Filter
===============================================================================...
Page 554
Show Commands
Label Description (Continued)
Def. Action:
Forward — The default action for the filter ID for packets that do not match the filter entries is to forward.
Drop — The default action for the filter ID for packets that do not...
Page 555
Filter Policies Syntax log log-id [match string] [bindings] Context show>filter Description This command shows the contents of a memory-based or a file-based filter log. If the optional keyword match and string parameter are given, the command displays the given filter log from the first occurrence of the given string.
Page 556
Show Commands
Label Description (Continued)
Protocol: The IP protocol of the logged packet (TCP, UDP, ICMP or a protocol number in hex).
Flags (TCP flags):
URG — Urgent bit set.
ACK — Acknowledgement bit set.
RST — Reset bit set.
Synchronize bit set.
Page 557
Filter Policies Label Description (Continued) The address type indication of the key in the mini-table. Src... Dst... count The number of messages logged with the specified source/destination address. address The address for which count messages were received. Sample Filter Log Output 2007/04/13 16:23:09 Filter: 100:100 Desc: Entry-100...
Page 558
Show Commands 06-06-06-06-06-02 6.6.6.1 6.6.6.2 6.6.6.3 6.6.6.4 6.6.6.5 Ipv6 3FE:1616:1616:1616:1616:1616:: Ipv6 3FE:1616:1616:1616:1616:1616:FFFF:FFFF Ipv6 3FE:1616:1616:1616:1616:1616:FFFF:FFFE Ipv6 3FE:1616:1616:1616:1616:1616:FFFF:FFFD Ipv6 3FE:1616:1616:1616:1616:1616:FFFF:FFFC =============================================================================== A:ALA-A Syntax mac [mac-filter-id [associations | counters] [entry entry-id]] Context show>filter Description This command displays MAC filter information. Parameters mac-filter-id — Displays detailed information for the specified filter ID and its filter entries. Values 1—...
Page 559
Filter Policies
Filter ID Specified — When the filter ID is specified, detailed filter information for the filter ID
Label Description
Filter Id: The IP filter ID
Scope:
Template — The filter policy is of type Template.
Exclusive — The filter policy is of type Exclusive...
Page 560
Show Commands
Label Description (Continued)
Dot1p: The IEEE 802.1p value for the match criteria. Undefined indicates no value is specified.
Ethertype: The Ethertype value match criterion.
DSAP: The DSAP value match criterion. Undefined indicates no value specified.
SSAP value match criterion. indicates no value specified.
Page 561
Filter Policies DSAP : Undefined SSAP : Undefined Snap-pid : Undefined ESnap-oui-zero : Undefined Match action : Default Ing. Matches Egr. Matches =============================================================================== Filter Associations — The associations for a filter ID will be displayed if the associations keyword is specified. The association information is appended to the filter information. The following table describes the fields in the appended associations output.
Page 562
Show Commands
Sample Output
Label Description
Mac Filter Filter Id: The MAC filter policy ID.
Scope:
Template — The filter policy is of type Template.
Exclusive — The filter policy is of type Exclusive.
Description: The MAC filter policy description.
The filter policy ID has not been applied.
Page 564
Show Commands
Label Description (Continued)
Scope:
Template — The filter policy is of type Template.
Exclusive — The filter policy is of type Exclusive.
Description: The IP filter policy description.
Applied:
No — The filter policy ID has not been applied.
The filter policy ID is applied.
Page 565
Filter Policies
Label Description (Continued)
Match action:
Default — The filter does not have an explicit forward or drop match action specified. If the filter entry ID indicates the entry is Inactive, the filter entry is incomplete, no action was specified.
Packets matching the filter entry criteria will be dropped.
Page 566
Show Commands Filter Associations — The associations for a filter ID will be displayed if the associations keyword is specified. The association information is appended to the filter information. The following table describes the fields in the appended associations output. Label Description The filter associations displayed are for a MAC filter policy...
Page 567
Filter Policies
Sample Output
Label Description
Mac Filter Filter Id: The MAC filter policy ID.
Scope:
Template — The filter policy is of type Template.
Exclusive — The filter policy is of type Exclusive.
Description: The MAC filter policy description.
The filter policy ID has not been applied.
Page 568
Show Commands Ing. Matches: 0 pkts Egr. Matches: 0 pkts Entry : 20 Description : entry 20 Ing. Matches: 0 pkts Egr. Matches: 0 pkts Entry : 30 Description : test 30 Ing. Matches: 0 pkts Egr. Matches: 0 pkts Entry : 50 Description : entry 50...
Page 569
Filter Policies
Label Description (Continued)
Admin State: Specifies the configured state of the destination.
Out of Service — Tests for this destination will not be conducted.
Oper State: Specifies the operational state of the destination.
Ping Test: Specifies the name of the ping test.
Timeout: Specifies the amount of time in seconds that is allowed for receiving a response from the far-end host.
Page 570
Show Commands Destination : 10.10.10.104 ------------------------------------------------------------------------------- Description : SNMP_to_104 Admin Priority : 105 Oper Priority: 105 Admin State : Up Oper State : Up SNMP Test : SNMP-1 Interval : 30 Timeout Drop Count : 30 Hold Down : 120 Hold Remain Last Action at : None Taken -------------------------------------------------------------------------------...
Page 571
Filter Policies Priority Change: 0 Return Code =============================================================================== ALA-A# match-list Syntax match-list Context show>filter Description This command displays information for match lists used in filter policies (IOM and CPM). ip-prefix-list Syntax ip-prefix-list [prefix-list-name] ip-prefix-list prefix-list-name references Context show>filter>match-list Description This command displays IPv4 prefixes information for match criteria in IPv4 ACL and CPM filter policies.
Page 572
Show Commands port-list Syntax port-list [port-list-name] port-list port-list-name references Context show>filter>match-list Description This command displays TCP/UDP port values or ranges for match criteria in IPv4 and IPv6 ACL and CPM filter policies. Parameters port-list-name — A string of up to 32 characters of printable ASCII characters. If special characters are used, the string must be enclosed within double quotes.
Filter Policies Clear Commands Syntax ip ip-filter-id [entry entry-id] [ingress | egress] Context clear>filter Description Clears the counters associated with the IP filter policy. By default, all counters associated with the filter policy entries are reset. The scope of which counters are cleared can be narrowed using the command line parameters.
Page 574
Show Commands egress — Specifies to only clear the egress counters. Syntax log log-id Context clear Description Clears the contents of a memory or file based filter log. This command has no effect on a syslog based filter log. Parameters log-id —...
Filter Policies Monitor Commands filter Syntax filter ip ip-filter-id entry entry-id [interval seconds] [repeat repeat] [absolute | rate] Context monitor Description This command monitors the counters associated with the IP filter policy. Parameters ip-filter-id — The IP filter policy ID. Values 1 —...
Page 576
Show Commands interval — Configures the interval for each display in seconds. Default 5 seconds Values 3 — 60 repeat repeat — Configures how many times the command is repeated. Default Values 1 — 999 absolute — When the absolute keyword is specified, the raw statistics are displayed, without processing.
Hybrid OpenFlow Switch In This Chapter Alcatel-Lucent supports Hybrid OpenFlow Switch (H-OFS) functionality. The hybrid model allows operators to deploy Software Defined Network (SDN) traffic steering using OpenFlow (OF) atop of the existing routing/switching infrastructure. Topics in this chapter include: •...
Hybrid OpenFlow Switching Hybrid OpenFlow Switching The hybrid OpenFlow model allows operators to deploy Software Defined Network (SDN) traffic steering using OpenFlow atop of the existing routing/switching infrastructure. Some of the main benefits of the hybrid model include: • Increased flexibility and speed for new service deployment—H-OFS implements flexible, policy-driven, standard-based Hybrid OpenFlow Switch traffic steering that allows deployment of new services and on-demand services through policy updates rather than service and infrastructure programming.
Page 579
Open Flow Switching Hybrid Steer all traffic arriving on all interfaces with this H-OFS enabled by programming the flow table with a match-all entry that redirects the traffic. Steer a subset of traffic arriving on all interfaces with this H-OFS enabled by programming the flow table with match rules that select a subset of traffic (as per the router supported filter match criteria).
Hybrid OpenFlow Switching Hybrid OpenFlow Switch Steering using Filter Policies A router H-OFS instance is embedded into line card IPv4 and IPv6 filter policies to achieve OF-controlled Policy Based Routing (PBR). When an H-OFS instance is created, the embedded filters (IP and IPv6) required for that instance are automatically created.
Open Flow Switching Hybrid The auto-created embedded filters can be viewed through CLI but cannot be modified and/or deleted through filter policy CLI/SNMP. Operator can see the above embedded filters under show filter context, including the details on the filters themselves, entries programmed, interface association, statistics, etc.
Page 582
Hybrid OpenFlow Switching The router supports HA for the OF Flow Table content and statistics. On an activity switch the channel goes down and is re-established by the newly active CPM. “Fail secure mode” operation takes place during channel re-establishment (OpenFlow rules continue to be applied to the arriving traffic).
Open Flow Switching Hybrid Hybrid OpenFlow Switch Traffic Steering Details As described in the previous section, an update to an OpenFlow Switch’s flow table results in the embedded filter update(s), which triggers an update to all filter policies embedding those filters. The router automatically downloads the new set of rules to the line cards as defined through service configuration.
Hybrid OpenFlow Switching When an LSP in the H-OFS logical port table goes down, the OF Switch removes the LSP from its logical port table and may notify the controller of that fact if the logical port status reporting is enabled.
Open Flow Switching Hybrid Configuration Notes The following information describes OF implementation caveats: • SROS Hybrid OpenFlow Switch requires S/W upgrade only and can be enabled on any SROS router/switch running IOM-2 (with restrictions) or newer line cards. For full functionality, performance and future scale IOM3-XP or newer line cards and CPM4 or newer control card is recommended.
Open Flow Switching Hybrid Configuration Commands Generic Commands open-flow Syntax open-flow Context config Description This command enables configuration content for OpenFlow Hybrid Switch compatibility. The no form of the command removes the OpenFlow configuration from the context. of-switch Syntax [no] of-switch ofs-name Context config>open-flow Description...
Page 590
Generic Commands description Syntax description string no description Context config>open-flow>of-switch Description This command allows the user to configure a description string for the specified OpenFlow controller instance. The no form of this command deletes the description of the specified OpenFlow controller instance. Default no controller Parameters...
Page 591
Open Flow Switching Hybrid logical-port-status Syntax [no] logical-port-status [rsvp-te|mpls-tp] Context config>open-flow>of-switch Description This command enables status change reporting to the OpenFlow controller for the specified logical port type. To report on multiple logical port types, the command needs to be executed multiple times with different logical port specified as required.
Page 592
Generic Commands Description This command configures the size for the specified flow table. The OpenFlow switch instance must be shutdown to modify this parameter. The no form of this command restores the default size. Default no max-size Parameters size — Specifies the maximum size limit for the flow table. Values 1—1000 no-match-action...
Open Flow Switching Hybrid Show Commands open-flow Syntax open-flow Context show Description Displays OpenFlow switch hybrid information. of-switch Syntax of-switch of-switch ofs-name controller ip-address:port detail of-switch ofs-name status controller [ip-address:port] of-switch ofs-name controller of-switch ofs-name flowtable of-switch ofs-name status of-switch ofs-name port Context show>open-flow Description...
Page 594
Show Commands =============================================================================== Switch Name : s1 Data Path ID Admin Status : Up Echo Interval : 10 seconds Echo Multiple Logical Port Type : all Buffer Size : 256 Num. of Tables Description : test-sw1 Capabilities Supp. : flow-stats table-stats port-stats =============================================================================== *A:Dut-A# show open-flow of-switch "s1"...
Page 595
Open Flow Switching Hybrid Echo Request Echo Reply Experimenter Feat. Request Feat. Reply Get Cfg Request Get Cfg Reply Set Config Packet In Flow Removed Port Status Packet Out Flow Modify Group Modify Port Modify Table Modify Multipart Req Multipart Reply Barrier Request Barrier Reply Get Q Cfg Req...
Show Commands Debug Commands open-flow Syntax open-flow Context tools>dump Description This command enables dumping of the open-flow information. of-switch Syntax of-switch [ofs-name] [flowtable of-table-id] [cookie cookie-id] [priority priority] Context tools>dump>open-flow Description This command can be used to dump information for a given open-flow switch or its flowtable. Priority and cookie filters are provided to focus on part of a flow table.
Page 597
Open Flow Switching Hybrid Mod TS Stats TS : 8502534 #Packets #Bytes ------------------------------------------------------------------------------- Table Flow Pri : 89 Cookie : 0x0000000000000000 Controller: 20.11.2.1:6631 Filter Hnd: 0x4300000100000001 Filter Pri: 1 EthType : 0x86dd Src IP : 3FFE::101:2:0:0:0:0/128 Dst IP : 3FFE::303:2:0:0:0:0/128 IP Proto DSCP : be...
Cflowd In This Chapter This chapter provides information to configure Cflowd. Topics in this chapter include:
• Cflowd Overview on page 600
  - Operation on page 601
  - Cflowd Filter Matching on page 605
• Cflowd Configuration Process Overview on page 606
•...
Cflowd Overview Cflowd is a tool used to sample IPv4, IPv6, MPLS, and Ethernet traffic data flows through a router. Cflowd enables traffic sampling and analysis by ISPs and network engineers to support capacity planning, trends analysis, and characterization of workloads in a network service provider environment.
Cflowd Operation Figure 28 depicts the basic operation of the cflowd feature. This sample flow is only used to describe the basic steps that are performed. It is not intended to specify implementation.
[Figure 28: cflowd operation flowchart, not reproduced; legible box labels: INGRESS PORT, SAMPLE?, FORWARD/DROP?, PROCESS AND SEND TO EGRESS PORT, EGRESS PORT, FINISH FORWARDING...]
When a flow is exported from the cache, the collected data is sent to an external collector which maintains an accumulation of historical data flows that network operators can use to analyze traffic patterns. Data is exported in one of the following formats: •...
Cflowd As the entries within the aggregate matrices are aged out, they are accumulated to be sent to the external flow collector in Version 8 format. The sample rate and cache size are configurable values. The cache size default is 64K flow entries. A flow terminates when one of the following conditions is met: •...
Version 10 Version 10 is a new format and protocol that inter-operates with the specifications from the IETF as the IP Flow Information Export (IPFIX) standard. Like Version 9, the version 10 format uses templates to allow for different data elements regarding a flow that is to be exported and to handle different types of data flows such as IPv4, IPv6, and MPLS.
Cflowd Cflowd Filter Matching In the filter-matching process, normally, every packet is matched against filter (access list) criteria to determine acceptability. With cflowd, only the first packet of a flow is checked. If the first packet is forwarded, an entry is added to the cflowd cache. Subsequent packets in the same flow are then forwarded without needing to be matched against the complete set of filters.
Cflowd Configuration Process Overview Figure 30 displays the process to configure Cflowd parameters.
[Figure 30: cflowd configuration flowchart, not reproduced; legible box labels: START; ENABLE CFLOWD; CONFIGURE COLLECTOR(S); CONFIGURE CFLOWD PARAMETERS; SPECIFY ROUTER INTERFACE FOR COLLECTION (ACL OR INTERFACE); ENABLE IP FILTER ENTRY; FOR CFLOWD ACL MODE: IN AN IP-FILTER ENTRY, ENABLE FILTER SAMPLING; FOR CFLOWD INTERFACE MODE: IN AN IP-FILTER ENTRY, ENABLE INTERFACE-DISABLE-SAMPLE...]
Cflowd Configuration Notes The following cflowd components must be configured for cflowd to be operational: • Cflowd is enabled globally. • At least one collector must be configured and enabled. • A cflowd option must be specified and enabled on a router interface. •...
Cflowd Configuring Cflowd with CLI This section provides information to configure cflowd using the command line interface. Topics in this section include:
• Cflowd Configuration Overview on page 610
  - Traffic Sampling on page 610
  - Collectors on page 611
  ...
Cflowd Configuration Overview The 7750 SR OS implementation of cflowd supports the option to analyze traffic flow. The implementation also supports the use of traffic/access list (ACL) filters to limit the type of traffic that is analyzed. Cflowd is not supported on the 7750 SR-1 chassis. Traffic Sampling Traffic sampling does not examine all packets received by a router.
Cflowd Within the raw flow cache, the following characteristics are used to identify an individual flow: • Ingress interface • Source IP address • Destination IP address • Source transport port number • Destination transport port number • IP protocol type •...
Page 612
• Protocol-port — Flows are aggregated based on the IP protocol, source port number, and destination port number. • Source prefix — Flows are aggregated based on source prefix and mask, source AS, and ingress interface. • Destination prefix — Flows are aggregated based on destination prefix and mask, destination AS, and egress interface.
Cflowd Basic Cflowd Configuration This section provides information to configure cflowd and configuration examples of common configuration tasks. In order to sample traffic, the minimal cflowd parameters that need to be configured are: • Cflowd must be enabled. • At least one collector must be configured and enabled. •...
Common Configuration Tasks This section provides a brief overview of the tasks that must be performed to configure cflowd and provides the CLI commands. In order to begin traffic flow sampling, cflowd must be enabled and at least one collector must be configured. Global Cflowd Components The following common (global) attributes apply to all instances of cflowd: •...
Cflowd Configuring Cflowd Use the CLI syntax displayed below to perform the following tasks: • Enabling Cflowd on page 616 • Configuring Global Cflowd Parameters on page 617 • Configuring Cflowd Collectors on page 618 • Enabling Cflowd on Interfaces and Filters on page 629 CLI Syntax: config>cflowd# active-timeout minutes cache-size num-entries...
Enabling Cflowd Cflowd is disabled by default. Executing the command configure cflowd will enable cflowd. By default cflowd is not shutdown, but it must be configured, including at least one collector, to be active. Use the following CLI syntax to enable cflowd: CLI Syntax: config# cflowd no shutdown The following example displays the default values when cflowd is initially enabled.
Cflowd Configuring Global Cflowd Parameters The following cflowd parameters apply to all instances where cflowd (traffic sampling) is enabled. Use the following CLI commands to configure cflowd parameters: CLI Syntax: config>cflowd# active-timeout minutes cache-size num-entries inactive-timeout seconds overflow percent rate sample-rate template-retransmit seconds no shutdown The following example displays a common cflowd component configuration:...
Configuring Cflowd Collectors To configure cflowd collector parameters, enter the following commands: CLI Syntax: config>cflowd# collector ip-address[:port] [version version] aggregation as-matrix destination-prefix protocol-port source-destination-prefix source-prefix autonomous-system-type [origin | peer] description description-string no shutdown template-set {basic | mpls-ip} The following example displays a basic cflowd configuration: A:ALA-1>config>cflowd# info ----------------------------------------- active-timeout 20...
Cflowd Version 9 and Version 10 Templates If the collector is configured to use either version 9 or 10 (IPFIX) formats, the flow data is sent to the designated collector using one of the pre-defined templates. The template used is based on the type of flow for which the data was collected (IPv4, IPv6, MPLS or Ethernet (Layer 2)), and the configuration of the template-set parameter.
Table 13: Basic IPv4 Template (Continued) Flow Start Milliseconds Flow End Milliseconds Src Port Dest Port Forwarding Status TCP control Bits (Flags) IPv4 Protocol IPv4 TOS IP version ICMP Type & Code Direction BGP Source ASN BGP Dest ASN Source IPv4 Prefix Length Dest IPv4 Prefix Length 1.Only sent to collectors configured for...
Page 621
Cflowd Table 14: MPLS-IPv4 Template (Continued) Field Name Field ID Packet Count Byte Count Start Time End Time Flow Start Milliseconds Flow End Milliseconds Src Port Dest Port Forwarding Status TCP control Bits (Flags) IPv4 Protocol IPv4 TOS IP version ICMP Type &...
Table 14: MPLS-IPv4 Template (Continued) Field Name Field ID MPLS Label 4 MPLS Label 5 MPLS Label 6 1.Only sent to collectors configured for v10 format Table 15: Basic IPv6 Template Field Name Field ID IPv6 Src Addr IPv6 Dest Addr IPv6 Nexthop IPv6 BGP Nexthop IPv4 Nexthop...
Cflowd Table 15: Basic IPv6 Template Field Name Field ID Protocol IPv6 Extension Hdr IPv6 Next Header IPv6 Flow Label IP version IPv6 ICMP Type & Code Direction BGP Source ASN BGP Dest ASN IPv6 Src Mask IPv6 Dest Mask 1.Only sent to collectors configured for v10 format Table 16: MPLS-IPv6 Template...
Page 624
Table 16: MPLS-IPv6 Template Field Name Field ID Byte Count Start Time End Time Flow Start Milliseconds Flow End Milliseconds Src Port Dest Port Forwarding Status TCP control Bits (Flags) Protocol IPv6 Extension Hdr IPv6 Next Header IPv6 Flow Label IP version IPv6 ICMP Type &...
Cflowd Table 16: MPLS-IPv6 Template Field Name Field ID MPLS Label 4 MPLS Label 5 MPLS Label 6 1.Only sent to collectors configured for v10 format Table 17: Basic MPLS Template Field Name Field ID Start Time End Time Flow Start Milliseconds Flow End Milliseconds Ingress Interface Egress Interface...
Table 18: MPLS-IP Template Field Name Field ID IPv4 Src Addr IPv4 Dest Addr IPv4 Nexthop IPv6 Src Addr IPv6 Dest Addr IPv6 Nexthop Ingress Interface Egress Interface Packet Count Byte Count Start Time End Time Flow Start Milliseconds Flow End Milliseconds Src Port Dest Port TCP control Bits (Flags)
Cflowd Table 18: MPLS-IP Template Field Name Field ID MPLS Label 1 MPLS Label 2 MPLS Label 3 MPLS Label 4 MPLS Label 5 MPLS Label 6 1.Only sent to collectors configured for v10 format Table 19: Ethernet (L2-IP) Flow Template Field Name Field ID MAC Src Addr...
Page 628
Table 19: Ethernet (L2-IP) Flow Template Field Name Field ID Flow Start Milliseconds Flow End Milliseconds Src Port Dest Port TCP control Bits (Flags) Protocol IPv6 Option Header IPv6 Next Header IPv6 Flow Label IP Version ICMP Type Code 1. The Ethernet (L2-IP) flow template is only supported and exported to IPFIX (v10) collectors.
Cflowd Enabling Cflowd on Interfaces and Filters This section discusses the following cflowd configuration management tasks:
• Specifying Cflowd Options on an IP Interface on page 630
  - Interface Configurations on page 630
  - Service Interfaces on page 631
• Specifying Sampling Options in Filter Entries on page 632
  ...
Specifying Cflowd Options on an IP Interface When cflowd is enabled on an interface, all packets forwarded by the interface are subject to analysis according to the global cflowd configuration and sorted according to the collector configuration(s). Refer to Table 20, Cflowd Configuration Dependencies, on page 634 for configuration combinations.
Cflowd Service Interfaces CLI Syntax: config>service>vpls service-id# interface ip-int-name cflowd {acl|interface} When enabled on a service interface, cflowd collects routed traffic flow samples through a router for analysis. Cflowd is supported on IES and VPRN services interfaces only. Layer 2 traffic is excluded.
Specifying Sampling Options in Filter Entries Packets are matched against filter entries to determine acceptability. With cflowd, only the first packet of a flow is compared. If the first packet matches the filter criteria, then an entry is added to the cflowd cache.
Cflowd Dependencies In order for cflowd to be operational, the following requirements must be met: • Cflowd must be enabled on a global level. If cflowd is disabled, any traffic sampling instances are also disabled. • At least one collector must be configured and enabled in order for traffic sampling to occur on an enabled entity.
Table 20: Cflowd Configuration Dependencies Interface Setting router>interface Command Expected Results cflowd [acl | interface] ip-filter entry Setting IP-filter mode Traffic matching is sampled at filter-sampled specified rate. IP-filter mode No traffic is sampled on this no filter-sampled interface. IP-filter mode or Command is ignored.
Cflowd Cflowd Configuration Management Tasks This section discusses the following cflowd configuration management tasks: • Modifying Global Cflowd Components on page 635 • Modifying Cflowd Collector Parameters on page 636 Modifying Global Cflowd Components Cflowd parameter modifications apply to all instances where cflowd or traffic sampling is enabled. Changes are applied immediately.
Cflowd Cflowd Configuration Commands Global Commands cflowd Syntax [no] cflowd Context config>cflowd Description This command creates the context to configure cflowd. The no form of this command removes all configuration under cflowd including the deletion of all configured collectors. This can only be executed if cflowd is in a shutdown state. Default no cflowd active-timeout...
Page 640
cache-size Syntax cache-size num-entries no cache-size Context config>cflowd Description This command specifies the maximum number of active flows to maintain in the flow cache table. The no form of this command resets the number of active entries back to the default value. Default 65536 (64K) Parameters...
Page 641
Cflowd version — Specifies the version of the flow data collector. Values Netflow v5, v8, v9, v10 (IPFIX) format Default aggregation Syntax [no] aggregation Context config>cflowd>collector Description This command configures the type of aggregation scheme to be exported. Specifies the type of data to be aggregated and sent to the collector. To configure aggregation, you must decide which type of aggregation scheme to configure: autonomous system, destination prefix, protocol port, raw, source destination, or source prefix.
Page 642
protocol-port Syntax [no] protocol-port Context config>cflowd>collector>aggregation Description This command specifies that flows be aggregated based on the IP protocol, source port number, and destination port number. The no form of this command removes this type of aggregation from the collector configuration. Default none Syntax...
Page 643
Cflowd autonomous-system-type Syntax autonomous-system-type {origin | peer} no autonomous-system-type Context config>cflowd>collector Description This command defines whether the autonomous system (AS) information included in the flow data is based on the originating AS or external peer AS of the routes. This option is only allowed if the collector is configured as Version 5 or Version 8. The no form of this command resets the AS type to the default value.
Page 644
Unlike other commands and parameters where the default state is not indicated in the configuration file, the shutdown and no shutdown states are always indicated in system generated configuration files. template-set Syntax template-set {basic | mpls-ip | l2-ip} Context config>cflowd>collector Description This command specifies the set of templates sent to the collector when using cflowd Version 9 or Version 10.
Page 645
Cflowd overflow Syntax overflow percent no overflow Context config>cflowd Description This command specifies the percentage of the flow cache entries removed when the maximum number of entries is exceeded. The entries removed are the entries that have not been updated for the longest amount of time.
Cflowd Show Commands collector Syntax collector [ip-addr[:port]] [detail] Context show>cflowd Description This command displays administrative and operational status of data collector configuration. Parameters ip-addr — Display only information about the specified collector IP address. Default all collectors :port — Display only information about the collector on the specified UDP port. Default all UDP ports Values...
Sample Output A:SR1 # show cflowd collector detail =============================================================================== Cflowd Collectors (detail) =============================================================================== Address : 138.120.135.103 Port : 2055 Description : Test v9 Collector Version : 9 Admin State : up Oper State : up Packets Sent : 51 Last Changed : 09/03/2009 17:24:04 Last Pkt Sent : 09/03/2009 18:07:10 Template Set : Basic -------------------------------------------------------------------------------...
Page 649
Cflowd Table 22: Show Cflowd Collector Detailed Output Fields (Continued)
Label Description (Continued)
AS Type: The style of AS reporting used in the exported flow data.
origin — Reflects the endpoints of the AS path which the flow is following.
Reflects the AS of the previous and next hops for the flow.
Page 650
Records Sent : 1260 Last Changed : 09/03/2009 17:24:04 Last Pkt Sent : 09/03/2009 18:07:10 ------------------------------------------------------------------------------- Sent Open Errors ------------------------------------------------------------------------------- =============================================================================== Address : 138.120.135.103 Port : 9555 Description : Test v8 Collector Version AS Type : origin Admin State : up Oper State : up Records Sent...
ip-int-name — Display only information for the IP interface with the specified name.
Default all interfaces with cflowd enabled.
Output cflowd Interface Output — The following table describes the show cflowd interface output fields.
Label    Description
Interface
    Displays the physical port identifier.
    Displays the primary IPv4 address for the associated IP interface.
B:sr-002# show cflowd interface 11.10.1.2
===============================================================================
Cflowd Interfaces
===============================================================================
Interface: To_Sr1
IP address: 11.10.1.2/24
Admin/Oper state: Up/Up
Sampling Mode: (ingress | egress | both)
Total Flows seen: 1302000
Pkts sampled (ingress/egress) : 60103/70102
Bytes sampled (ingress/egress) : 6010300/7010200
Active flows (ingress/egress) : 6010/7010
B:sr-002# show cflowd interface
===============================================================================...
Table 23: Cflowd Status Output (Continued)
Label    Description (Continued)
Active Timeout
    The maximum amount of time, in minutes, before an active flow will be exported. If an individual flow is active for this amount of time, the flow is exported and a new flow is created.
Inactive timeout in seconds.
Cflowd Tools Commands
top-protocols
Syntax top-protocols [clear]
Context tools>dump>cflowd
Description This command displays summary information for the top 20 protocols, by traffic, seen in the cflowd cache. All statistics are calculated from the data collected since the cflowd statistics were last cleared with the clear keyword of this command.
Sample Output
SR# tools dump cflowd top-protocols
The top 20 IPv4 protocols seen by cflowd are:
Current Time: 08/29/2011 15:36:15
Last Cleared Time: 08/29/2011 15:35:08
Protocol ID Total Flows Packets Bytes Packets Duration % Total
-------- Flows /Sec /Flow /Pkt /Sec /Flow Bandwidth...
Table 25: Tools Dump Cflowd Top-flows Output Fields
Label    Description
S-Port
Src Port
    Displays the source protocol port number.
    Displays the route prefix length for route to source IP address.
    Displays the Autonomous Systems number for the source route (the AS is either originating AS or peer AS depending on cflowd configuration).
12345678901234567890123456789012345678901234567890123456789012345678901234567890
Sr1# tools dump cflowd top-flows mpls
Label-1 Label-2 Label-3 Label-4 Total Pkts Avg Pkt Active(s)
SrcIP (up to IPv6) Ingress i/f Src Port
DstIP (upto IPv6) Egress i/f Dst Port Proto Flags
--------------------------------------------------------------------------------
packet-size
Syntax packet-size [ipv4 | ipv6] [clear]
Context tools>dump>cflowd
Description...
Cflowd Clear Commands
cflowd
Syntax cflowd
Context clear
Description Clears the raw and aggregation flow caches which are sending flow data to the configured collectors. This action will trigger all the flows to be discarded. The cache restarts flow data collection from a fresh state.
Common CLI Command Descriptions
In This Chapter
This section provides information about common Command Line Interface (CLI) syntax and command usage. Topics in this chapter include:
• SAP syntax
Common Service Commands
SAP syntax
Syntax [no] sap sap-id
Description This command specifies the physical port identifier portion of the SAP definition.
Parameters
sap-id — Specifies the physical port identifier portion of the SAP definition. The sap-id can be configured in one of the following formats:
Type Syntax Example...
*A:ALA-12>config# port bundle-ppp-5/1.1
*A:ALA-12>config>port# multilink-bundle
bpgrp-id — Specifies the bundle protection group ID to be associated with this IP interface. The bpgrp keyword must be entered at the beginning of the parameter. The command syntax must be configured as follows:
bpgrp-id: bpgrp-type-bpgrp-num
type:...
sap ipsec-id.private|public:tag — This parameter associates an IPSec group SAP with this interface. This is the public side for an IPSec tunnel. Tunnels referencing this IPSec group in the private side may be created if their local IP is in the interface subnet and the specified routing context matches that of the interface.
Standards and Protocol Support Ethernet Standards RFC 3630 Traffic Engineering (TE) RFC 4659 BGP-MPLS IP Virtual Private Extensions to OSPF Version 2 Network (VPN) Extension for IPv6 IEEE 802.1ab-REV/D3 Station and RFC 4203 OSPF Extensions in Support Media Access Control Connectivity RFC 4684 Constrained Route Discovery Distribution for Border Gateway...
Standards and Protocols Intermediate System to Intermediate Certificate Request Message RFC 4552 Authentication/Confidentiality System (IS-IS) Format (CRMF) for OSPFv3 RFC 3787 Recommendations for RFC 5996 Internet Key Exchange RFC 4659 BGP-MPLS IP Virtual Private Interoperable IP Networks using Protocol Version 2 (IKEv2) Network (VPN) Extension for IPv6 Intermediate System to Intermediate RFC 5998 An Extension for EAP-Only...
Standards and Protocols RFC 2961 RSVP Refresh Overhead RFC 5817 Graceful Shutdown in GMPLS draft-ietf-l3vpn-2547bis-mcast-bgp- Reduction Extensions Traffic Engineering Networks 05: BGP Encodings and Procedures RFC3097 RSVP Cryptographic for Multicast in MPLS/BGP IP VPNs MPLS — OAM Authentication - Updated Message RFC 3956: Embedding the Type Value RFC 4379 Detecting Multi-Protocol...
Standards and Protocols draft-ietf-l2vpn-vpls-mcast-13.txt RFC6391 Flow Aware Transport of MEF-8 Implementation Agreement for Multicast in VPLS Pseudowires over an MPLS PSN the Emulation of PDH Circuits over Metro Ethernet Networks, October RFC 7041 Extensions to the Virtual RFC 6575, ARP Mediation for IP 2004 Private LAN Service (VPLS) Interworking of Layer 2 VPN...
Standards and Protocols ITU-T G.8261 Telecommunication RFC 2574 SNMP-USER-BASED- draft-ietf-mpls-lsr-mib-06.txt Standardization Section of ITU, SMMIB draft-ietf-mpls-te-mib-04.txt Timing and synchronization aspects RFC 2575 SNMP-VIEW-BASEDACM- draft-ietf-mpls-ldp-mib-07.txt in packet networks, issued 04/2008. draft-ietf-isis-wg-mib-05.txt ITU-T G.8262 Telecommunication RFC 2576 SNMP-COMMUNITY-MIB IANA-IFType-MIB Standardization Section of ITU, RFC 2578 Structure of Management IEEE8023-LAG-MIB Timing characteristics of...
Index basic IP filter policy Cflowd MAC filter policy overview redirect policy collectors management tasks filter matching operation V5 and V8 flow processing configuring IP Router basic overview collectors autonomous systems enabling confederations global parameters interfaces interfaces and filters network IP interfaces system overview...
Index configuring basic command reference IES parameters non-owner owner management tasks overview router interface non-owner owner VRRP policy parameters