7750 SR OS Router Configuration Guide Software Version: 7750 SR OS 5.
This document is protected by copyright. Except as specifically permitted herein, no portion of the provided information can be reproduced in any form, or by any means, without prior written permission from Alcatel-Lucent.
Table of Contents

Getting Started
Alcatel-Lucent 7750 SR-Series Router Configuration Process
IP Router Configuration
Configuring IP Router Parameters
Interfaces
Configuring an Autonomous System
Service Management Tasks
Changing the System Name
Modifying Interface Parameters
Non-Owner Access Telnet
Non-Owner Access SSH
VRRP Configuration Process Overview
VRRP Configuration Components
Web Redirection (Captive Portal)
Creating Redirect Policies
Policy Components
Packet Matching Criteria
Configuration Commands
Generic Commands
Global Filter Commands
Filter Log Destination Commands
Cflowd Configuration Commands
Global Commands
Show Commands
Clear Commands
List of Tables

Getting Started
Table 1: Configuration Process
IP Router Configuration
Table 2: IPv6 Header Field Descriptions
Table 3: BFD Control Packet Field Descriptions
List of Figures

IP Router Configuration
Figure 1: Confederation Configuration
Figure 2: IPv6 Header Format
Figure 3: IPv6 Internet Exchange
Preface

About This Guide

This guide describes logical IP routing interfaces, virtual routers, IP and MAC-based filtering, and cflowd support provided by the 7750 SR OS and presents configuration and implementation examples. This document is organized into functional chapters and provides concepts and descriptions of the implementation flow, as well as Command Line Interface (CLI) syntax and command usage.
List of Technical Publications

The 7750 SR documentation set is composed of the following books:

• 7750 SR OS Basic System Configuration Guide
  This guide describes basic system configurations and operations.
• 7750 SR OS System Management Guide
  This guide describes system security and access configurations as well as event logging and accounting logs.
• 7750 SR OS Interface Configuration Guide
  This guide describes card, Media Dependent Adapter (MDA), and port provisioning.
Technical Support

If you purchased a service agreement for your 7750 SR-Series router and related products from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance. If you purchased an Alcatel-Lucent service agreement, contact your welcome center at:

Web: http://www1.alcatel-lucent.com/comps/pages/carrier_support.
Getting Started

In This Chapter

This chapter provides process flow information to configure routing entities, virtual routers, IP and MAC filters, and Cflowd.

Alcatel-Lucent 7750 SR-Series Router Configuration Process

Table 1 lists the tasks necessary to configure logical IP routing interfaces, virtual routers, IP and MAC-based filtering, and Cflowd. This guide is presented in an overall logical configuration flow.
IP Router Configuration

In This Chapter

This chapter provides information about commands required to configure basic router parameters.
Configuring IP Router Parameters

In order to provision services on a 7750 SR-Series router, logical IP routing interfaces must be configured to associate attributes such as an IP address, port or the system with the IP interface. A special type of IP interface is the system interface. A system interface must have an IP address with a 32-bit subnet mask.
System Interface

The system interface is associated with the network entity (such as a specific router or switch), not a specific interface. The system interface is also referred to as the loopback address.
IP Addresses

Creating an IP Address Range

An IP address range can be reserved for exclusive use for services by defining the config>router>service-prefix command. When the service is configured, the IP address must be in the range specified as a service prefix. If no service prefix command is configured, then no limitation exists. Addresses in the range of a service prefix can be allocated to a network port unless the exclusive parameter is used.
Autonomous Systems (AS)

Networks can be grouped into areas. An area is a collection of network segments within an AS that have been administratively assigned to the same group. An area’s topology is concealed from the rest of the AS, which results in a significant reduction in routing traffic. Routing in the AS takes place on two levels, depending on whether the source and destination of a packet reside in the same area (intra-area routing) or different areas (inter-area routing).
Confederations

Configuring confederations is optional and should only be implemented to reduce the IBGP mesh inside an AS. An AS can be logically divided into smaller groupings called sub-confederations and then assigned a confederation ID (similar to an autonomous system number). Each sub-confederation has fully meshed IBGP and connections to other ASs outside of the confederation.
There are no default confederations. Router confederations must be explicitly created. Figure 1 depicts a confederation configuration example.
Proxy ARP

Proxy ARP is the technique in which a router answers ARP requests intended for another node. The router appears to be present on the same network as the “real” node that is the target of the ARP and takes responsibility for routing packets to the “real” destination. Proxy ARP can help nodes on a subnet reach remote subnets without configuring routing or a default gateway.
Internet Protocol Versions

The 7750 SR OS implements IP routing functionality, providing support for IP version 4 (IPv4) and IP version 6 (IPv6). IP version 6 (IPv6) (RFC 1883, Internet Protocol, Version 6 (IPv6)) is a newer version of the Internet Protocol designed as a successor to IP version 4 (IPv4) (RFC 791, Internet Protocol).
Table 2: IPv6 Header Field Descriptions

Field            Description
Version          4-bit Internet Protocol version number = 6.
Prio.            4-bit priority value.
Flow Label       24-bit flow label.
Payload Length   16-bit unsigned integer. The length of payload, that is, the rest of the packet following the IPv6 header, in octets. If the value is zero, the payload length is carried in a jumbo payload hop-by-hop option.
Next Header      8-bit selector.
IPv6 Applications

Examples of the IPv6 applications supported by the 7750 SR OS include:

• IPv6 Internet exchange peering — Figure 3 shows an IPv6 Internet exchange where multiple ISPs peer over native IPv6.

Figure 3: IPv6 Internet Exchange

• IPv6 transit services — Figure 4 shows IPv6 transit provided by an ISP.
• IPv6 services to enterprise customers and home users — Figure 5 shows IPv6 connectivity to enterprise and home broadband users.
IPv6 Provider Edge Router over MPLS (6PE)

6PE allows IPv6 domains to communicate with each other over an IPv4 MPLS core network. This architecture requires no backbone infrastructure upgrades and no reconfiguration of core routers, because forwarding is purely based on MPLS labels. 6PE is a cost-effective solution for IPv6 deployment.
• LDP is used to create the MPLS full mesh between the 6PE routers and the IPv4 addresses that are embedded in the next-hop field are reachable by LDP LSPs. The ingress 6PE router uses the LDP LSPs to reach remote 6PE routers.

6PE Data Plane Support

The ingress 6PE router can push two MPLS labels to send the packets to the egress 6PE router. The top label is an LDP label used to reach the egress 6PE router. The bottom label is advertised in MP-BGP by the remote 6PE router.
Bidirectional Forwarding Detection

Bidirectional Forwarding Detection (BFD) is a light-weight, low-overhead, short-duration detection of failures in the path between two systems. If a system stops receiving BFD messages for a long enough period (based on configuration) it is assumed that a failure along the path has occurred and the associated protocol or service is notified of the failure.
If multiple BFD sessions exist between two nodes, the BFD discriminator is used to de-multiplex the BFD control packet to the appropriate BFD session.

Control Packet Format

The BFD control packet has two sections, a mandatory section and an optional authentication section.
Table 3: BFD Control Packet Field Descriptions (Continued)

Field   Description
D Bit   The “demand mode” bit. If set, the transmitting system wishes to operate in demand mode.
P Bit   The poll bit. If set, the transmitting system is requesting verification of connectivity, or of a parameter change.
F Bit   The final bit. If set, the transmitting system is responding to a received BFD control packet that had the poll (P) bit set.
Rsvd    Reserved bits.
Router Configuration Process Overview

Figure 9 displays the process to configure basic router parameters.
Figure 10 displays the process to configure basic router parameters.

• Interface — A logical IP routing interface. Once created, attributes like an IP address, port, link aggregation group or the system can be associated with the IP interface.
• Address — The address associates the device’s system name with the IP system address. An IP address must be assigned to each IP interface.
Configuration Notes

The following information describes router configuration caveats.

• A system interface and associated IP address should be specified.
• Boot options file (BOF) parameters must be configured prior to configuring router parameters.
• Confederations can be configured before protocol connections (such as BGP) and peering parameters are configured.
Configuring an IP Router with CLI

This section provides information to configure an IP router.
Router Configuration Overview

In a 7750 SR, an interface is a logical named entity. An interface is created by specifying an interface name under the configure>router context. This is the global router configuration context where objects like static routes are defined. An IP interface name can be up to 32 alphanumeric characters long, must start with a letter, and is case-sensitive; for example, the interface name “1.1.1.1” is not allowed, but “int-1.1.1.1” is allowed.
CLI Command Structure

Figure 11 displays the CLI command structure to configure router parameters. The commands are located under the config>router context.

Figure 11: CLI Configuration Context

Figure 12 displays the brief CLI command structure to configure the system name. The commands are located under the config>system context.
List of Commands

Table 4 lists all the configuration commands to configure a 7750 SR-Series router, indicating the configuration level at which each command is implemented with a short command description. Refer to each specific chapter for specific routing protocol information and command syntax to configure protocols such as OSPF and BGP.
Table 4: CLI Commands to Configure Basic IP Router Parameters (Continued)

Command                Description                                                           Page
autonomous-system      Assigns an autonomous system (AS) number to the router.               87
confederation          Creates a confederation within an AS.                                 87
ecmp                   Enables ECMP and configures the number of routes for path sharing.    88
ignore-icmp-redirect   Drops or accepts ICMP redirects received on the management interface.
Table 4: CLI Commands to Configure Basic IP Router Parameters (Continued)

Command             Description                                                                                                   Page
static-arp          Configures a static ARP entry associating an IP address with a MAC address for the core router instance.    104
tos-marking-state   Specifies the TOS marking state.                                                                              104
unnumbered          Sets an IP interface as an unnumbered interface and the IP address to be used for the interface.
Table 4: CLI Commands to Configure Basic IP Router Parameters (Continued)

Command                      Description                                                                                                                                                                                          Page
managed-configuration        Sets the managed address configuration flag. This flag indicates that DHCPv6 is available for address configuration in addition to any address autoconfigured using stateless address autoconfiguration.   116
max-advertisement-interval   Configures the maximum interval between sending router advertisement messages.
Basic Configuration

NOTE: Refer to each specific chapter for specific routing protocol information and command syntax to configure protocols such as OSPF and BGP.

The most basic router configuration must have the following:

• System name
• System address

The following example displays a router configuration:

    A:ALA-A> config# info
    . . .
    #------------------------------------------
    # Router Configuration
    #------------------------------------------
    router
        interface "system"
            address 10.10.
Common Configuration Tasks

The following sections describe basic system tasks.
The following example displays the system name output.

    A#ALA-A>config>system# info
    #------------------------------------------
    # System Configuration
    #------------------------------------------
        name "ALA-A"
        location "Mt.View, CA, NE corner of FERG 1 Building"
        coordinates "37.390, -122.05500 degrees lat."
        snmp
        exit
    . . .
Configuring Interfaces

The following command sequences create a system and a logical IP interface. The system interface assigns an IP address to the interface, and then associates the IP interface with a physical port. The logical interface can associate attributes like an IP address or port. Note that the system interface cannot be deleted.
    config>router>if>egress# filter ip 10
    config>router>if>egress# exit
    config>router>if# cflowd acl
    config>router>if# exit

The following displays the IP configuration output showing the interface information.

    A:ALA-A>config>router# info
    #------------------------------------------
    # IP Configuration
    #------------------------------------------
        interface "system"
            address 10.10.0.4/32
        exit
        interface "to-ALA-2"
            address 10.10.24.4/24
            port 8/1/1
            egress
                filter ip 10
            exit
        exit
    ...
Configuring IPv6 Parameters

Before IPv6 parameters can be configured, the following requirement must be met:

• The chassis mode must be set to c in the config>system>chassis-mode context. Use the force keyword to upgrade to c mode with cards provisioned as iom-20g or iom-20g-b.

The following displays the interface configuration showing the IPv6 default configuration when IPv6 is enabled on the interface.
The following example displays IPv6 interface configuration command usage. These commands are configured in the config>router context.

Example:
    config>router# interface gemini_5_21
    config>router>if# address 10.11.10.1/24
    config>router>if# port 1/2/37
    config>router>if# ipv6
    config>router>if>ipv6# address 10::1/24
    config>router>if>ipv6# exit
    config>router>if# no shutdown

The following displays the configuration output showing the interface information.
Configuring IPv6 Over IPv4 Parameters

This section provides several examples of the features that must be configured in order to implement IPv6 over IPv4 relay services.
Both the IPv4 and IPv6 system addresses must be configured.

CLI Syntax:
    config>router
        interface ip-int-name
            address {ip-address/mask|ip-address netmask} [broadcast all-ones|host-ones]
            ipv6
                address ipv6-address/prefix-length [eui-64]

Example:
    config>router# interface system
    config>router>if# address 200.200.200.1/32
    config>router>if# ipv6
    config>router>if>ipv6# interface “ip-1.1.1.
Learning the Tunnel Endpoint IPv4 System Address

This configuration displays the OSPF configuration to learn the IPv4 system address of the tunnel endpoint.

CLI Syntax:
    config>router
        ospf
            area area-id
                interface ip-int-name

Example:
    config>router# ospf
    config>router>ospf# interface system
    config>router>ospf>if# exit
    config>router>ospf# interface ip-1.1.1.1
    config>router>ospf>if# exit

The following displays the configuration showing the OSPF output.
Configuring an IPv4 BGP Peer

This configuration displays the commands to configure an IPv4 BGP peer with (IPv4 and) IPv6 protocol families.

CLI Syntax:
    config>router
        bgp
            export policy-name [policy-name...(upto 5 max)]
            router-id ip-address
            group name
                family [ipv4] [vpn-ipv4] [ipv6] [mcast-ipv4]
                type {internal|external}
                neighbor ip-address
                    local-as as-number [private]
                    peer-as as-number

Example:
    config>router# bgp
    config>router>bgp# export ospf3
    config>router>bgp# router-id 200.200.
An Example of an IPv6 Over IPv4 Tunnel Configuration

The IPv6 address is the next-hop as it is received through BGP. The IPv4 address is the system address of the tunnel's endpoint.

    static-route ::C8C8:C802/128 indirect 200.200.200.2

This configuration displays an example to configure a policy to export IPv6 routes into BGP.

CLI Syntax:
    config>router
        bgp
            export policy-name [policy-name...
                    protocol ospf3
                exit
                to
                    protocol bgp
                exit
                action accept
                exit
            exit
        exit
    exit
    ...
Tunnel Egress Node

This configuration shows the interface through which the IPv6 over IPv4 traffic leaves the node. It must be configured on a network interface. Both the IPv4 and IPv6 system addresses must be configured.

CLI Syntax:
    config>router
        configure router static-route ::C8C8:C801/128 indirect 200.200.200.
Learning the Tunnel Endpoint IPv4 System Address

This configuration displays the OSPF configuration to learn the IPv4 system address of the tunnel endpoint.

CLI Syntax:
    config>router
        ospf
            area area-id
                interface ip-int-name

Example:
    config>router# ospf
    config>router>ospf# interface system
    config>router>ospf>if# exit
    config>router>ospf# interface ip-1.1.1.2
    config>router>ospf>if# exit
    config>router>ospf# exit

The following displays the configuration showing the OSPF output.
Configuring an IPv4 BGP Peer

This configuration displays the commands to configure an IPv4 BGP peer with (IPv4 and) IPv6 protocol families.

CLI Syntax:
    config>router
        bgp
            export policy-name [policy-name...(upto 5 max)]
            router-id ip-address
            group name
                family [ipv4] [vpn-ipv4] [ipv6] [mcast-ipv4]
                type {internal|external}
                neighbor ip-address
                    local-as as-number [private]
                    peer-as as-number

Example:
    config>router# bgp
    config>router>bgp# export ospf3
    config>router>bgp# router-id 200.200.
An Example of an IPv6 Over IPv4 Tunnel Configuration

The IPv6 address is the next-hop as it is received through BGP. The IPv4 address is the system address of the tunnel's endpoint.

    static-route ::C8C8:C802/128 indirect 200.200.200.2

This configuration displays an example to configure a policy to export IPv6 routes into BGP.

CLI Syntax:
    config>router
        bgp
            export policy-name [policy-name...
                    protocol ospf3
                exit
                to
                    protocol bgp
                exit
                action accept
                exit
            exit
        exit
    exit
    ----------------------------------------------
    A:ALA-49>configure>router#
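In both static routes shown in this section, the IPv6 host route is the tunnel endpoint's IPv4 system address written into the low 32 bits of the IPv6 address (200.200.200.2 is C8C8:C802). The following added example, which is not from the Alcatel-Lucent guide, audits static-route lines for that consistency; treating the pattern as a required invariant is an assumption drawn from the page's examples, and every sample line after the first is constructed.

```python
import ipaddress
import re

# Form of the command shown on this page:
#   static-route <ipv6-address>/<prefix-length> indirect <ipv4-address>
STATIC_ROUTE = re.compile(
    r"^\s*static-route\s+(?P<v6>[0-9A-Fa-f:.]+)/(?P<plen>\d+)"
    r"\s+indirect\s+(?P<v4>[0-9.]+)\s*$"
)

# Line 1 is the route from the page; lines 2-4 are constructed faults.
SAMPLE_CONFIG = """\
static-route ::C8C8:C802/128 indirect 200.200.200.2
static-route ::C8C8:C801/128 indirect 200.200.200.2
static-route 3FFE::1/128 indirect 200.200.200.1
static-route ::C8C8:C801/64 indirect 200.200.200.1
"""


def tunnel_next_hop(v4_system_address):
    """IPv6 address whose low 32 bits are the IPv4 address (upper 96 bits zero)."""
    return ipaddress.IPv6Address(int(ipaddress.IPv4Address(v4_system_address)))


def embedded_ipv4(v6_address):
    """IPv4 address held in the low 32 bits, or None if the upper 96 bits are set."""
    value = int(ipaddress.IPv6Address(v6_address))
    if value >> 32:
        return None
    return ipaddress.IPv4Address(value)


def audit_static_routes(config_text):
    """Return (line_number, message) for each inconsistent tunnel static route."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        match = STATIC_ROUTE.match(line)
        if match is None:
            continue  # not an indirect static route in the form above
        try:
            inner = embedded_ipv4(match["v6"])
            endpoint = ipaddress.IPv4Address(match["v4"])
        except ValueError as err:
            findings.append((number, f"unparsable address: {err}"))
            continue
        if int(match["plen"]) != 128:
            findings.append((number, "prefix length is not /128"))
        if inner is None:
            findings.append((number, "IPv6 address does not embed an IPv4 address"))
        elif inner != endpoint:
            findings.append(
                (number, f"IPv6 address embeds {inner}, route points at {endpoint}")
            )
    return findings


if __name__ == "__main__":
    print("next-hop for 200.200.200.2:", tunnel_next_hop("200.200.200.2"))
    for number, message in audit_static_routes(SAMPLE_CONFIG):
        print(f"line {number}: {message}")
```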
Router Advertisement

To configure the router to originate router advertisement messages, the router-advertisement command must be enabled. All other router advertisement configuration parameters are optional. Router advertisement on all IPv6-enabled interfaces will be enabled.
The following example displays router advertisement command usage. These commands are configured in the config>router context.
Configuring Proxy ARP

To configure proxy ARP, you can configure:

• A prefix list in the config>router>policy-options>prefix-list context.
• A route policy statement in the config>router>policy-options>policy-statement context and apply the specified prefix list.
  → In the policy statement entry>to context, specify the host source address(es) for which ARP requests can or cannot be forwarded to non-local networks, depending on the specified action.
Use the following CLI syntax to configure the policy statement specified in the proxy-arp-policy policy-statement command.

CLI Syntax:
    config>router# policy-options
        begin
        commit
        policy-statement name
            default-action {accept|next-entry|next-policy|reject}
            entry entry-id
                action {accept|next-entry|next-policy|reject}
                to
                    prefix-list name [name...(upto 5 max)]
                from
                    prefix-list name [name...
            exit
        exit
    ...
    ----------------------------------------------
    A:ALA-49>config>router>policy-options#

Use the following CLI to configure proxy ARP:

CLI Syntax:
    config>router>interface interface-name
        local-proxy-arp
        proxy-arp-policy policy-name [policy-name...(upto 5 max)]
        remote-proxy-arp

Example:
    config>router# interface “testARP”
    config>router>if# address 128.251.10.
Creating an IP Address Range

An IP address range can be reserved for exclusive use for services by defining the config>router>service-prefix command. When the service is configured, the IP address must be in the range specified as a service prefix. If no service prefix command is configured, then no limitation exists. The no service-prefix ip-prefix/mask command removes all address reservations.
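The rules this guide gives for service prefixes (a service address must fall inside a configured service prefix, no prefix means no limitation, and a network port may use an address in a service prefix unless the exclusive parameter is set) can be checked against an address plan before it is applied. The following is an added example, not Alcatel-Lucent code; the function names, the "service" and "network-port" labels, and the sample prefixes and addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample: (prefix, exclusive) pairs, one per service-prefix command.
SAMPLE_PREFIXES = [
    ("10.10.0.0/16", True),      # reserved exclusively for services
    ("192.168.50.0/24", False),  # services, but network ports may share it
]


def check_assignment(address, use, service_prefixes):
    """Decide whether `address` may be configured for `use`.

    address          -- host address, with or without a mask (10.1.1.1 or 10.1.1.1/24)
    use              -- "service" or "network-port" (labels chosen for this example)
    service_prefixes -- list of (prefix, exclusive) tuples
    Returns (allowed, reason).
    """
    if use not in ("service", "network-port"):
        raise ValueError(f"unknown use: {use!r}")
    ip = ipaddress.ip_interface(address).ip

    # No service-prefix command configured: the guide states no limitation exists.
    if not service_prefixes:
        return True, "no service prefix configured"

    # Service prefixes that contain this address (IPv4/IPv6 mismatches never match).
    covering = []
    for prefix, exclusive in service_prefixes:
        network = ipaddress.ip_network(prefix)
        if ip in network:
            covering.append((network, exclusive))

    if use == "service":
        if covering:
            return True, f"inside service prefix {covering[0][0]}"
        return False, "outside every configured service prefix"

    # Network port: only an exclusive service prefix blocks the assignment.
    for network, exclusive in covering:
        if exclusive:
            return False, f"{network} is reserved exclusively for services"
    return True, "not inside an exclusive service prefix"


def rejected_assignments(plan, service_prefixes):
    """Return the (address, use, reason) entries of `plan` that would be refused."""
    rejected = []
    for address, use in plan:
        allowed, reason = check_assignment(address, use, service_prefixes)
        if not allowed:
            rejected.append((address, use, reason))
    return rejected


if __name__ == "__main__":
    plan = [  # constructed address plan
        ("10.10.24.4/24", "service"),
        ("10.10.24.4/24", "network-port"),
        ("192.168.50.9", "network-port"),
        ("172.16.0.1", "service"),
    ]
    for entry in rejected_assignments(plan, SAMPLE_PREFIXES):
        print(entry)
```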
Deriving the Router ID

The router ID defaults to the address specified in the system interface command. If the system interface is not configured with an IP address, then the router ID inherits the last four bytes of the MAC address. The router ID can also be manually configured in the config>router router-id context. On the BGP protocol level, a BGP router ID can be defined in the config>router>bgp router-id context and is only used within BGP.
Configuring a Confederation

Configuring a confederation is optional. The AS and confederation topology design should be carefully planned. Autonomous system (AS), confederation, and BGP connection and peering parameters must be explicitly created on each participating SR. Identify AS numbers, confederation numbers, and members participating in the confederation. Refer to the BGP section for CLI syntax and command descriptions.
NOTES:

• Confederations can be preconfigured prior to configuring BGP connections and peering.
• Each confederation can have up to 15 members.

The following example displays the confederation output.

    A:ALA-B>config>router# info
    #------------------------------------------
    # IP Configuration
    #------------------------------------------
        interface "system"
            address 10.10.10.103/32
        exit
        interface "to-104"
            shutdown
            address 10.0.0.
Configuring an Autonomous System

Configuring an autonomous system is optional.
Service Management Tasks

This section discusses the following service management tasks:

• Changing the System Name on page 76
• Modifying Interface Parameters on page 77
• Deleting a Logical IP Interface on page 78

Changing the System Name

The system command sets the name of the device and is used in the prompt string. Only one system name can be configured. If multiple system names are configured, the last one configured will overwrite the previous entry.
Modifying Interface Parameters

Starting at the config>router level, navigate down to the router interface context. To modify an IP address, perform the following steps:

Example:
    A:ALA-A>config>router# interface “to-sr1”
    A:ALA-A>config>router>if# shutdown
    A:ALA-A>config>router>if# no address
    A:ALA-A>config>router>if# address 10.0.0.
Deleting a Logical IP Interface

The no form of the interface command typically removes the entry, but all entity associations must be shut down and/or deleted before an interface can be deleted.

1. Before an IP interface can be deleted, it must first be administratively disabled with the shutdown command.
2. After the interface has been shut down, it can then be deleted with the no interface command.
IP Router Command Reference

Command Hierarchies

Configuration Commands

• Router Commands
• Router Interface Commands
• Router Interface IPv6 Commands
• Router Advertisement Commands
• Show Commands
• Clear Commands
• Debug Commands

Router Commands

config
    — router [router-name]
        — aggregate ip-prefix/mask [summary-only] [as-set] [aggregator as-number:ip-address]
        — no aggregate ip-prefix/mask
        — autonomous-system as-number
        — no autonomous-system
        — confederation confed-as-num members as
Router Interface Commands

config
    — router [router-name]
        — [no] interface ip-int-name
            — address {ip-address/mask | ip-address netmask} [broadcast {all-ones | host-ones}]
            — no address
            — [no] allow-directed-broadcasts
            — arp-timeout seconds
            — no arp-timeout
            — bfd transmit-interval [receive receive-interval] [multiplier multiplier]
            — no bfd
            — cflowd {acl | interface}
            — no cflowd
            — description description-string
            — no description
            — egress
                — filter ip ip-filter-id
                — filter ipv6 ipv6-filt
For router interface VRRP commands, see “VRRP Command Reference” on page 223.
                — no retransmit-time
                — router-lifetime seconds
                — no router-lifetime
                — [no] shutdown
Show Commands

show
    — router router-instance
        — aggregate [family] [active]
        — arp [ ip-int-name | ip-address/mask | mac ieee-mac-address | summary] [local|dynamic|static|managed]
        — authentication
            — statistics
            — statistics interface [ip-int-name|ip-address]
            — statistics policy name
        — bfd
            — interface
            — session [src ip-address [dst ip-address] | [detail]]
        — dhcp
            — statistics [ip-int-name | ip-address]
            — summary
        — dhcp6
            — statistics [ip-int-name | ip-address]
            — summary
        — ecmp
        — fib slot-n
Clear Commands

clear
    — router
        — arp {all | ip-addr | interface {ip-int-name | ip-addr}}
        — bfd
            — session src-ip ip-address dst-ip ip-address
            — session all
            — statistics src-ip ip-address dst-ip ip-address
            — statistics all
        — dhcp
            — statistics [ip-int-name | ip-address]
        — dhcp6
            — statistics [ip-int-name | ip-address]
        — forwarding-table [slot-number]
        — icmp-redirect-route {all | ip-address}
        — icmp6 all
        — icmp6 global
        — icmp6 interface interface-name
        — interface [ip-int-name | ip-addr
Configuration Commands

Generic Commands

shutdown

Syntax       [no] shutdown
Context      config>router>interface ip-int-name
Description  The shutdown command administratively disables the entity. When disabled, an entity does not change, reset, or remove any configuration settings or statistics. Many entities must be explicitly enabled using the no shutdown command. The shutdown command administratively disables an entity.
Router Global Commands

router

Syntax       router router-name
Context      config
Description  This command enables the context to configure router parameters, interfaces, route policies, and protocols.
Parameters   router-name — Specify the router-name.
Values       d: [0 — 255]D
             ipv6-prefix-length: 0 — 128

mask — The mask associated with the network address expressed as a mask length.

Values       0 — 32

summary-only — This optional parameter suppresses advertisement of more specific component routes for the aggregate. To remove the summary-only option, enter the same aggregate command without the summary-only parameter.
Syntax       confederation confed-as-num members as-number [as-number...up to 15 max]
             no confederation [confed-as-num members as-number...up to 15 max]
Context      config>router
Description  This command creates confederation autonomous systems within an AS. This technique is used to reduce the number of IBGP sessions required within an AS. Route reflection is another technique that is commonly deployed to reduce the number of IBGP sessions.
ignore-icmp-redirect
Syntax: [no] ignore-icmp-redirect
Context: config>router
Description: This command drops or accepts ICMP redirects received on the management interface.
mc-maximum-routes
Syntax: mc-maximum-routes number [log-only] [threshold threshold]
        no mc-maximum-routes
Context: config>router
Description: This command specifies the maximum number of multicast routes that can be held within a VPN routing/forwarding (VRF) context.
To force the new router ID to be used, issue the shutdown and no shutdown commands for each protocol that uses the router ID, or restart the entire router. The no form of the command reverts to the default value.
Default: The system uses the system interface address (which is also the loopback address). If a system interface address is not configured, use the last 32 bits of the chassis MAC address.
Values: d: [0 — 255]D
        ipv6-prefix-length: 0 — 128
exclusive — When this option is specified, the addresses configured are exclusively used for services and cannot be assigned to network ports.
triggered-policy
Syntax: triggered-policy
        no triggered-policy
Context: config>router
Description: This command triggers route policy re-evaluation. By default, when a change is made to a policy in the config router policy options context and then committed, the change is effective immediately.
x:x:x:x:x:x:d.d.d.d
x: [0 — FFFF]H
d: [0 — 255]D
ipv6-prefix-length: 0 — 128
ip-address — The IP address of the IP interface. The ip-addr portion of the address command specifies the IP host address that will be used by the IP interface within the subnet. This address must be unique within the subnet and specified in dotted decimal notation.
Values: ipv4-address: a.b.c.d (host bits must be 0)
        ipv6-address: x:x:x:x:x:x:x:x[-interface]
                      x:x:x:x:x:x:d.d.d.d[-interface]
                      x: [0..FFFF]H
                      d: [0.
The next-hop keyword and the indirect or black-hole keywords are mutually exclusive. If an identical command is entered (with the exception of either the indirect or black-hole parameters), then this static route will be replaced with the newly entered command, and unless specified, the respective defaults for preference and metric will be applied. The ip-address configured here can be either on the network side or the access side on this node.
Table 5: Default Route Preferences
Route Type               Preference   Configurable
Static-route             5            Yes
OSPF Internal routes     10           Yes
IS-IS level 1 internal   15           Yes
IS-IS level 2 internal   18           Yes
OSPF External            150          Yes
IS-IS level 1 external   160          Yes
IS-IS level 2 external   165          Yes
BGP                      170          Yes
Default: 5
Values: 1 — 255
enable — Static routes can be administratively enabled or disabled. Use the enable parameter to reenable a disabled static route.
Router Interface Commands
interface
Syntax: [no] interface ip-int-name
Context: config>router
Description: This command creates a logical IP routing interface. Once created, attributes like IP address, port, or system can be associated with the IP interface. Interface names are case-sensitive and must be unique within the group of IP interfaces defined for config router interface and config service ies interface.
address
Syntax: address {ip-address/mask | ip-address netmask} [broadcast {all-ones | host-ones}]
        no address
Context: config>router>interface ip-int-name
Description: This command assigns an IP address, IP subnet, and broadcast address format to an IP interface. Only one IP address can be associated with an IP interface. An IP address must be assigned to each IP interface. An IP address and a mask combine to create a local IP prefix.
addr, the “/” and the mask-length parameter. If a forward slash does not immediately follow the ip-addr, a dotted decimal mask must follow the prefix.
mask-length — The subnet mask length when the IP prefix is specified in CIDR notation. When the IP prefix is specified in CIDR notation, a forward slash (/) separates the ip-addr from the mask-length parameter.
allow-directed-broadcasts
Syntax: [no] allow-directed-broadcasts
Context: config>router>interface ip-int-name
Description: This command enables the forwarding of directed broadcasts out of the IP interface. A directed broadcast is a packet received on a local router interface destined for the subnet broadcast address of another IP interface.
The multiplier specifies the number of consecutive BFD messages that must be missed from the peer before the BFD session state is changed to down and the upper level protocols (OSPF, IS-IS or PIM) are notified of the fault. The no form of the command removes BFD from the router interface regardless of the IGP.
Default: no bfd
Parameters: transmit-interval — Sets the transmit interval, in milliseconds, for the BFD session.
loopback
Syntax: [no] loopback
Context: config>router>interface ip-int-name
Description: This command configures the interface as a loopback interface.
Default: Not enabled
mac
Syntax: mac ieee-mac-addr
        no mac
Context: config>router>interface ip-int-name
Description: This command assigns a specific MAC address to an IP interface. Only one MAC address can be assigned to an IP interface. When multiple mac commands are entered, the last command overwrites the previous command.
Syntax: port port-name
        no port
Context: config>router>interface ip-int-name
Description: This command creates an association with a logical IP interface and a physical port. An interface can also be associated with the system (loopback address). The command returns an error if the interface is already associated with another port or the system. In this case, the association must be deleted before the command is re-attempted.
Syntax: [no] proxy-arp-policy policy-name [policy-name...(up to 5 max)]
Context: config>router>interface ip-int-name
Description: This command enables and configures proxy ARP on the interface and specifies an existing policy-statement to analyze match and action criteria that control the flow of routing information to and from a given protocol, set of protocols, or a particular neighbor. The policy-name is configured in the config>router>policy-options context.
secondary
Syntax: secondary {[ip-address/mask | ip-address netmask]} [broadcast {all-ones | host-ones}] [igp-inhibit]
        no secondary ip-addr
Context: config>router>interface ip-int-name
Description: Use this command to assign up to 16 secondary IP addresses to the interface. Each address can be configured in an IP address, IP subnet or broadcast address format.
ip-address — The IP address of the IP interface.
mask with all the host bits set to binary 1. This is the default broadcast address used by an IP interface. The broadcast parameter within the address command does not have a negate feature, which is usually used to revert a parameter to the default value. To change the broadcast type to host-ones after being changed to all-ones, the address command must be executed with the broadcast parameter defined.
Syntax: tos-marking-state {trusted | untrusted}
        no tos-marking-state
Context: config>router>interface
Description: This command is used on a network IP interface to alter the default trusted state to a non-trusted state.
Parameters: ip-addr | ip-int-name — Optional. The IP address or IP interface name to associate with the unnumbered IP interface in dotted decimal notation. The configured IP address must exist on this node. It is recommended to use the system IP address as it is not associated with a particular interface and is therefore always reachable. The system IP address is the default if no ip-addr or ip-int-name is configured.
Router Interface Filter Commands
egress
Syntax: egress
Context: config>router>interface ip-int-name
Description: This command enables access to the context to configure egress network filter policies for the IP interface. If an egress filter is not defined, no filtering is performed.
ingress
Syntax: ingress
Context: config>router>interface ip-int-name
Description: This command enables access to the context to configure ingress network filter policies for the IP interface.
ipv6 ipv6-filter-id — The filter name acts as the ID for the IPv6 filter policy expressed as a decimal integer. The filter policy must already exist within the config>filter>ipv6 context.
Router Interface ICMP Commands
icmp
Syntax: icmp
Context: config>router>interface ip-int-name
Description: This command enables access to the context to configure Internet Control Message Protocol (ICMP) parameters on a network IP interface. ICMP is a message control and error reporting protocol that also provides information relevant to IP packet processing.
Parameters: number — The maximum number of ICMP redirect messages to send, expressed as a decimal integer. This parameter must be specified with the time parameter.
Values: 10 — 1000
seconds — The time frame, in seconds, used to limit the number of ICMP redirect messages that can be issued, expressed as a decimal integer.
The no form of the command disables the generation of ICMP destination unreachables on the router interface.
Default: unreachables 100 10 — maximum of 100 unreachable messages in 10 seconds
Parameters: number — The maximum number of ICMP unreachable messages to send, expressed as a decimal integer. The seconds parameter must also be specified.
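The interface settings described in this part of the reference (allow-directed-broadcasts, proxy-arp-policy and the ICMP unreachables rate) can be reviewed across a saved configuration. The Python audit below is an added example, not part of the Alcatel-Lucent guide: the sample configuration is constructed (its indented layout closed by exit, the port numbers and the policy name are assumptions), and treating any rate above the documented default of 100 messages in 10 seconds as a finding is a review policy chosen for this example.

```python
import shlex

# Default from the reference: "unreachables 100 10" (100 messages in 10 seconds).
DEFAULT_UNREACHABLES = (100, 10)

# Constructed sample, laid out like a saved configuration (indented blocks closed
# by "exit"). Port numbers and the policy name are made up for this example.
SAMPLE_CONFIG = """\
configure
    router
        interface "system"
            address 10.10.0.3/32
        exit
        interface "to-ser1"
            address 10.10.13.3/24
            port 1/1/1
            allow-directed-broadcasts
            icmp
                unreachables 1000 1
            exit
        exit
        interface "to-ser4"
            address 10.10.34.3/24
            port 1/1/2
            no allow-directed-broadcasts
            proxy-arp-policy "example-policy"
            icmp
                unreachables 100 10
            exit
        exit
    exit
exit
"""


def walk(config_text):
    """Yield (parent_commands, tokens) per command; nesting comes from indentation."""
    stack = []  # (indent, tokens) of the enclosing contexts
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if tokens[0] == "exit":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        # Leave every context that is not shallower than the current line.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        yield [t for _, t in stack], tokens
        stack.append((indent, tokens))


def interface_of(parents):
    """Name of the innermost enclosing 'interface <name>' context, or None."""
    for tokens in reversed(parents):
        if tokens[0] == "interface" and len(tokens) > 1:
            return tokens[1]
    return None


def audit(config_text):
    """Return (interface, check, detail) tuples for settings worth a review."""
    findings = []
    for parents, tok in walk(config_text):
        ifname = interface_of(parents)
        if ifname is None:
            continue
        if tok == ["allow-directed-broadcasts"]:
            findings.append((ifname, "directed-broadcast",
                             "directed broadcasts are forwarded out of this interface"))
        elif tok[0] == "proxy-arp-policy":
            findings.append((ifname, "proxy-arp",
                             "proxy ARP enabled by policy " + ", ".join(tok[1:])))
        elif tok[0] == "unreachables" and len(tok) == 3 and parents[-1] == ["icmp"]:
            number, seconds = int(tok[1]), int(tok[2])
            base_n, base_s = DEFAULT_UNREACHABLES
            # Compare the two rates without floats: number/seconds > base_n/base_s.
            if number * base_s > base_n * seconds:
                findings.append((ifname, "unreachables-rate",
                                 f"{number} per {seconds}s exceeds default "
                                 f"{base_n} per {base_s}s"))
    return findings


if __name__ == "__main__":
    for ifname, check, detail in audit(SAMPLE_CONFIG):
        print(f"{ifname:10} {check:20} {detail}")
```

The "no" forms (no allow-directed-broadcasts, no unreachables) are deliberately not reported, since they disable the behaviour being reviewed.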
Router Interface IPv6 Commands
ipv6
Syntax: [no] ipv6
Context: config>router>interface
Description: This command configures IPv6 for a router interface. The no form of the command disables IPv6 on the interface.
Default: not enabled
address (ipv6)
Syntax: address {ipv6-address/prefix-length} [eui-64]
        no address {ipv6-address/prefix-length}
Context: config>router>if>ipv6
Description: This command assigns an IPv6 address to the interface.
Syntax: packet-too-big [number seconds]
        no packet-too-big
Context: config>router>if>ipv6>icmp6
Description: This command configures the rate for ICMPv6 packet-too-big messages.
Parameters: number — Limits the number of packet-too-big messages issued per the time frame specified in the seconds parameter.
Values: 10 — 1000
seconds — Determines the time frame, in seconds, that is used to limit the number of packet-too-big messages issued per time frame.
seconds — Determines the time frame, in seconds, that is used to limit the number of redirects issued per time frame.
Values: 1 — 60
time-exceeded
Syntax: time-exceeded [number seconds]
        no time-exceeded
Context: config>router>if>ipv6>icmp6
Description: This command configures the rate for ICMPv6 time-exceeded messages.
Parameters: number — Limits the number of time-exceeded messages issued per the time frame specified in the seconds parameter.
Syntax: [no] local-proxy-nd
Context: config>router>if>ipv6
Description: This command enables local proxy neighbor discovery on the interface. The no form of the command disables local proxy neighbor discovery.
proxy-nd-policy
Syntax: proxy-nd-policy policy-name [policy-name...(up to 5 max)]
        no proxy-nd-policy
Context: config>router>if>ipv6
Description: This command configures a proxy neighbor discovery policy for the interface.
Router Advertisement Commands
router-advertisement
Syntax: [no] router-advertisement
Context: config>router
Description: This command configures router advertisement properties. By default, it is disabled for all IPv6 enabled interfaces. The no form of the command disables all IPv6 interfaces. However, the no interface interface-name command disables a specific interface.
Syntax: [no] managed-configuration
Context: config>router>router-advert>if
Description: This command sets the managed address configuration flag. This flag indicates that DHCPv6 is available for address configuration in addition to any address autoconfigured using stateless address autoconfiguration. See RFC 3315, Dynamic Host Configuration Protocol (DHCP) for IPv6.
Parameters: mtu-bytes — Specify the MTU for the nodes to use to send packets on the link.
Values: 1280 — 9212
other-stateful-configuration
Syntax: [no] other-stateful-configuration
Description: This command sets the "Other configuration" flag. This flag indicates that DHCPv6lite is available for autoconfiguration of other (non-address) information such as DNS-related information or information on other servers in the network.
on-link
Syntax: [no] on-link
Context: config>router>router-advert>if>prefix
Description: This command specifies whether the prefix can be used for on-link determination.
Default: enabled
preferred-lifetime
Syntax: [no] preferred-lifetime {seconds | infinite}
Context: config>router>router-advert>if
Description: This command configures the remaining length of time in seconds that this prefix will continue to be preferred, such as, time until deprecation.
Syntax: reachable-time milli-seconds
        no reachable-time
Context: config>router>router-advert>if
Description: This command configures how long this router should be considered reachable by other nodes on the link after receiving a reachability confirmation.
Default: no reachable-time
Parameters: milli-seconds — Specifies the length of time the router should be considered reachable.
Default: no shutdown
Show Commands
aggregate
Syntax: aggregate [family] [active]
Context: show>router
Description: This command displays aggregate routes.
Parameters: family — Specifies to display IPv4 or IPv6 aggregate routes.
Values: ipv4, ipv6
active — When the active keyword is specified, inactive aggregates are filtered out.
Label                Description (Continued)
Type                 Dyn — The ARP entry is a dynamic ARP entry.
                     Inv — The ARP entry is an inactive static ARP entry (invalid).
                     Oth — The ARP entry is a local or system ARP entry.
                     Sta — The ARP entry is an active static ARP entry.
Interface            The IP interface name associated with the ARP entry.
No. of ARP Entries   The number of ARP entries displayed in the list.
authentication
Syntax: authentication
Context: show>router>authentication
Description: This command enables the command to display authentication statistics.
statistics
Syntax: statistics
        statistics interface [ip-int-name | ip-address]
        statistics policy name
Context: show>router>authentication
Description: This command displays interface or policy authentication statistics.
Parameters: interface [ip-int-name | ip-address] — Specifies an existing interface name or IP address.
bfd
Syntax: bfd
Context: show>router
Description: This command enables the context to display bi-directional forwarding detection (BFD) information.
interface
Syntax: interface
Context: show>router>bfd
Description: This command displays interface information.
net25_1_2 100 100 3
net2_1_2 100 100 3
net3_1_2 100 100 3
net4_1_2 100 100 3
net5_1_2 100 100 3
net6_1_2 100 100 3
net7_1_2 100 100 3
net8_1_2 100 100 3
net9_1_2 100 100 3
------------------------------------------------------------------------------
No.
Remote Address Protocol Tx Pkts Rx Pkts
------------------------------------------------------------------------------
net1_1_2 Up (3) 100 100 3
12.1.2.1 ospf2 isis 5029 5029
net1_2_3 Up (3) 100 100 3
12.2.3.2 ospf2 isis 156367 156365
------------------------------------------------------------------------------
No.
Label                        Description
Received Packets             The number of packets received from the DHCP clients.
Transmitted Packets          The number of packets transmitted to the DHCP clients.
Received Malformed Packets   The number of malformed packets received from the DHCP clients.
Received Untrusted Packets   The number of untrusted packets received from the DHCP clients.
Client Packets Discarded     The number of packets received from the DHCP clients that were discarded.
--------------------------------------------------------------------------
Dhcp6 Drop Reason Counters :
--------------------------------------------------------------------------
1 Dhcp6 oper state is not Up on src itf 0
2 Dhcp6 oper state is not Up on dst itf 0
3 Relay Reply Msg on Client Itf 0
4 Hop Count Limit reached 0
5 Missing Relay Msg option, or illegal msg type 0
6 Unable to determine destinatinon client Itf 0
7 Out of Memory 0
8 No global Pfx on Client Itf 0
9 Unable to determine src Ip
Auto Filter   Indicates whether IP Auto Filter is enabled on the interface.
Snoop         Indicates whether Auto ARP table population is enabled on the interface.
Interfaces    Indicates the total number of router interfaces on the 7750 SR.
Sample Output
A:ALA-A# show router ecmp
===============================================================================
Router ECMP
===============================================================================
Instance Router Name ECMP Configured-ECMP-Routes
------------------------------------------------------------------------------
1 Base True 8
===============================================================================
A:ALA-A#
fib
Syntax: fib slot-number [family] [ip-prefi
Output
icmp6 Output — The following table describes the show router icmp6 output fields:
Label                     Description
Total                     The total number of all messages.
Destination Unreachable   The number of messages that did not reach the destination.
Time Exceeded             The number of messages that exceeded the time threshold.
Echo Request              The number of echo requests.
Router Solicits           The number of times the local router was solicited.
interface
Syntax: interface [interface-name]
Context: show>router>icmpv6
Description: This command displays interface ICMPv6 statistics.
Parameters: interface-name — Only displays entries associated with the specified IP interface name.
Output
icmp6 interface Output — The following table describes the show router icmp6 interface output fields:
Label                     Description
Total                     The total number of all messages.
Destination Unreachable   The number of messages that did not reach the destination.
Echo Request : 0 Echo Reply : 0
Router Solicits : 0 Router Advertisements : 0
Neighbor Solicits : 20 Neighbor Advertisements : 21
------------------------------------------------------------------------------
Sent
Total : 47 Errors : 0
Destination Unreachable : 0 Redirects : 0
Time Exceeded : 0 Pkt Too Big : 0
Echo Request : 0 Echo Reply : 0
Router Solicits : 0 Router Advertisements : 0
Neighbor Solicits : 27 Neighbor Advertisements : 20
==============================================
Label        Description (Continued)
Type         n/a — No IP address has been assigned to the IP interface, so the IP address type is not applicable.
             Pri — The IP address for the IP interface is the Primary address on the IP interface.
             Sec — The IP address for the IP interface is a secondary address on the IP interface.
IP-Address   The IP address and subnet mask length of the IP interface.
             n/a — Indicates no IP address has been assigned to the IP interface.
FE80::200:FF:FE00:4/64 PREFERRED
ip-12.2.4.4 Up/Up Down/Down Network 3/1/2
12.2.4.4/24 n/a
3FFE::C02:404/120
ip-13.2.4.4 Up/Up Down/Down Network 3/1/3
13.2.4.4/24 n/a
3FFE::D02:404/120
ip-14.2.4.4 Up/Up Down/Down Network 3/1/4
14.2.4.4/24 n/a
3FFE::E02:404/120
ip-15.2.4.4 Up/Up Down/Down Network 3/1/5
15.2.4.4/24 n/a
3FFE::F02:404/120
ip-21.2.4.4 Up/Up Up/Up Network 6/2/11
21.2.4.4/24 n/a
3FFE::1502:404/120 PREFERRED
FE80::200:FF:FE00:4/64 PREFERRED
ip-22.2.4.
===============================================================================
Interface Table
===============================================================================
Interface-Name Type IP-Address Adm Opr Mode
------------------------------------------------------------------------------
system Pri 10.10.0.3/32 Up Up Network
to-ser1 Pri 10.10.13.3/24 Up Up Network
to-ser4 Pri 10.10.34.3/24 Up Up Network
to-ser5 Pri 10.10.35.
Label             Description (Continued)
MAC Address       The MAC address of the IP interface.
Arp Timeout       The ARP timeout for the interface, in seconds, which is the time an ARP entry is maintained in the ARP cache without being refreshed.
IP MTU            The IP Maximum Transmission Unit (MTU) for the IP interface.
ICMP Mask Reply   False — The IP interface will not reply to a received ICMP mask request.
                  True — The IP interface will reply to a received ICMP mask request.
Show Commands TOS Marking SNTP B.
Label      Description (Continued)
Admin-Up   The number of administratively enabled IP interfaces in the router instance.
Oper-Up    The number of operationally enabled IP interfaces in the router instance.
Sample Output
B:CORE2# show router neighbor
===============================================================================
Neighbor Table (Router: Base)
===============================================================================
IPv6 Address Interface
MAC Address State Expiry Type RTR
------------------------------------------------------------------------------
FE80::203:FAFF:FE78:5C88 net1_1_2
00:16:4d:50:17:a3 STALE 03h52m08s Dynamic Yes
FE80::203:FAFF:FE81:6888
===============================================================================
Policy Description
------------------------------------------------------------------------------
fromStatic
------------------------------------------------------------------------------
Policies : 1
===============================================================================
B:CORE2#
route-table
Syntax: route-table [family] [ip-prefix[/prefix-length] [longer | exact] ] | [protocol
Label           Description (Continued)
Type            Local — The route is a local route.
                Remote — The route is a remote route.
Protocol        The protocol through which the route was learned.
Age             The route age in seconds for the route.
Metric          The route metric value for the route.
Pref            The route preference value for the route.
No. of Routes   The number of routes displayed in the list.
===============================================================================
B:ALA-B#
A:ALA-A# show router route-table 10.10.0.4
===============================================================================
Route Table
===============================================================================
Dest Address Next Hop Type Protocol Age Metric Pref
------------------------------------------------------------------------------
10.10.0.4/32 10.10.34.
------------------------------------------------------------------------------
Static 1 1
Direct 6 6
BGP 0 0
OSPF 9 9
ISIS 0 0
RIP 0 0
Aggregate 0 0
------------------------------------------------------------------------------
Total 15 15
===============================================================================
A:ALA-A#
rtr-advertisement
Syntax: rtr-advertisement [interface interface-name] [prefix ipv6-prefix[/prefix-length]]
        rtr-advertisement [conflicts]
Context: show>router
Label                 Description (Continued)
Max Advert Interval   The maximum interval between sending router advertisement messages.
Managed Config        True — Indicates that DHCPv6 has been configured.
                      False — Indicates that DHCPv6 is not available for address configuration.
Reachable Time        The time, in milliseconds, that a node assumes a neighbor is reachable after receiving a reachability confirmation.
Preferred Lifetime : 07d00h00m Valid Lifetime : 30d00h00m
Prefix: 231::/120
Autonomous Flag : FALSE On-link flag : FALSE
Preferred Lifetime : 49710d06h Valid Lifetime : 49710d06h
Prefix: 241::/120
Autonomous Flag : TRUE On-link flag : TRUE
Preferred Lifetime : 00h00m00s Valid Lifetime : 00h00m00s
Prefix: 251::/120
Autonomous Flag : TRUE On-link flag : TRUE
Preferred Lifetime : 07d00h00m Valid Lifetime : 30d00h00m
--------------------------------------------------------------------
Autonomous Flag : TRUE On-link flag : TRUE
Preferred Lifetime : 07d00h00m Valid Lifetime : 30d00h00m
Prefix: 25::/120
Autonomous Flag : TRUE On-link flag : TRUE
Preferred Lifetime : 07d00h00m Valid Lifetime : infinite
Prefix: 231::/120
Autonomous Flag : TRUE On-link flag : TRUE
Preferred Lifetime : 07d00h00m Valid Lifetime : 30d00h00m
------------------------------------------------------------------------------
...
Prefix: 231::/120
Autonomous Flag : FALSE On-link flag : FALSE
Preferred Lifetime : 49710d06h Valid Lifetime : 49710d06h
Prefix not present in neighbor router advertisement
Prefix: 241::/120
Autonomous Flag : TRUE On-link flag : TRUE
Preferred Lifetime : 00h00m00s Valid Lifetime : 00h00m00s
Prefix not present in neighbor router advertisement
Prefix: 251::/120
Autonomous Flag : TRUE On-link flag : TRUE
Preferred Lifetime : 07d00h00m Valid Lifetime : 30d00h00m
----------------------------
static-arp
Syntax: static-arp [ip-addr | ip-int-name | mac ieee-mac-addr]
Context: show>router
Description: This command displays the router static ARP table sorted by IP address. If no options are present, all ARP entries are displayed.
Parameters: ip-addr — Only displays static ARP entries associated with the specified IP address.
ip-int-name — Only displays static ARP entries associated with the specified IP interface name.
===============================================================================
A:ALA-A#
A:ALA-A# show router static-arp to-ser1
===============================================================================
ARP Table
===============================================================================
IP Address MAC Address Age Type Interface
------------------------------------------------------------------------------
10.200.0.
next-hop ip-address — Only displays static routes with the specified next hop IP address.
Values: ipv4-address: a.b.c.d (host bits must be 0)
        ipv6-address: x:x:x:x:x:x:x:x (eight 16-bit pieces)
                      x:x:x:x:x:x:d.d.d.d
                      x: [0 — FFFF]H
                      d: [0 — 255]D
tag tag — Displays the tag used to add a 32-bit integer tag to the static route. The tag is used in route policies to control distribution of the route into other protocols.
192.168.252.0/24 5 1 NH 10.10.0.254 n/a N
192.168.253.0/24 5 1 NH to-ser1 n/a N
192.168.253.0/24 5 1 NH 10.10.0.254 n/a N
192.168.254.0/24 4 1 BH black-hole n/a Y
===============================================================================
A:ALA-A#
A:ALA-A# show router static-route 192.168.250.
Label       Description (Continued)
Exclusive   false — Addresses in the range are not exclusively for use for service IP addresses.
            true — Addresses in the range are exclusively for use for service IP addresses and cannot be assigned to network IP interfaces.
Label                Description (Continued)
ECMP Max Routes      The number of ECMP routes configured for path sharing.
Triggered Policies   No — Triggered route policy re-evaluation is disabled.
                     Yes — Triggered route policy re-evaluation is enabled.
Sample Output
Note that there are multiple instances of OSPF. OSPF-0 is persistent. OSPF-1 through OSPF-31 are present when that particular OSPF instance is configured.
IP Router Configuration OSPFv2-9 OSPFv2-10 OSPFv2-11 OSPFv2-12 OSPFv2-13 OSPFv2-14 OSPFv2-15 OSPFv2-16 OSPFv2-17 OSPFv2-18 OSPFv2-19 OSPFv2-20 OSPFv2-21 OSPFv2-22 OSPFv2-23 OSPFv2-24 OSPFv2-25 OSPFv2-26 OSPFv2-27 OSPFv2-28 OSPFv2-29 OSPFv2-30 OSPFv2-31 RIP ISIS MPLS RSVP LDP BGP IGMP PIM OSPFv3 MSDP OSPFv3 MSDP Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Down Up Up Not configured Not configured Not configured Up Not configured Not configure
tunnel-table
Syntax: tunnel-table [ip-address[/mask]] [protocol protocol | sdp sdp-id] [summary]
Context: show>router
Description: This command displays tunnel table information. Note that auto-bind GRE tunnels are not displayed in show command output. GRE tunnels are not the same as SDP tunnels that use the GRE encapsulation type. When the auto-bind command is used when configuring a VPRN service, it means the MP-BGP NH resolution is referring to the core routing instance for IP reachability.
A:ALA-A>config>service# show router tunnel-table summary
===============================================================================
Tunnel Table Summary (Router: Base)
===============================================================================
Active Available
------------------------------------------------------------------------------
LDP 1 1
SDP 1 1
===============================================================================
A:ALA-A>config>service#
Clear Commands
arp
Syntax: arp {all | ip-addr | interface {ip-int-name | ip-addr}}
Context: clear>router
Description: This command clears all or specific ARP entries. The scope of ARP cache entries cleared depends on the command line option(s) specified.
Parameters: all — Clears all ARP cache entries.
ip-addr — Clears the ARP cache entry for the specified IP address.
interface ip-int-name — Clears all ARP cache entries for the IP interface with the specified name.
statistics
Syntax: statistics src-ip ip-address dst-ip ip-address
        statistics all
Context: clear>router>bfd
Description: This command clears BFD statistics.
Parameters: src-ip ip-address — Specifies the address of the local endpoint of this BFD session.
dst-ip ip-address — Specifies the address of the remote endpoint of this BFD session.
all — Clears statistics for all BFD sessions.
icmp-redirect-route
Syntax: icmp-redirect-route {all | ip-address}
Context: clear>router
Description: This command deletes routes created as a result of ICMP redirects received on the management interface.
Parameters: all — Clears all routes.
ip-address — Clears the routes associated with the specified IP address.
icmp6
Syntax: icmp6 all
        icmp6 global
        icmp6 interface interface-name
Context: clear>router
Description: This command clears ICMP statistics.
statistics
Syntax: statistics [ip-address | ip-int-name]
Context: clear>router>dhcp
         clear>router>dhcp6
Description: This command clears DHCP and DHCP6 relay and snooping statistics. If no IP address or interface name is specified, then statistics are cleared for all configured interfaces. If an IP address or interface name is specified, then only data regarding the specified interface is cleared.
Debug Commands
destination
Syntax: destination trace-destination
Context: debug>trace
Description: This command specifies the destination to send trace messages.
Parameters: trace-destination — The destination to send trace messages.
Values: stdout, console, logger, memory
enable
Syntax: [no] enable
Context: debug>trace
Description: This command enables the trace. The no form of the command disables the trace.
ip
Syntax: ip
Context: debug>router
Description: This command configures debugging for IP.
arp
Syntax: arp
Context: debug>router>ip
Description: This command configures route table debugging.
icmp
Syntax: [no] icmp
Context: debug>router>ip
Description: This command enables ICMP debugging.
icmp6
Syntax: icmp6 [ip-int-name]
        no icmp6
Context: debug>router>ip
Description: This command enables ICMP6 debugging.
x:x:x:x:x:x:d.d.d.d
x: [0 — FFFF]H
d: [0 — 255]D
ip-int-name — Only displays the interface information associated with the specified IP interface name.
Values: 32 characters maximum

packet
Syntax: packet [ip-int-name | ip-address] [headers] [protocol-id]
        no packet [ip-int-name | ip-address]
Context: debug>router>ip
Description: This command enables debugging for IP packets.
Parameters:
ip-int-name — Only displays the interface information associated with the specified IP interface name.
d: [0 — 255]D
ipv6-prefix-length: 0 — 128
longer — Specifies the prefix list entry matches any route that matches the specified ip-prefix and prefix mask length values greater than the specified mask.

mtrace
Syntax: [no] mtrace
Context: debug>router
Description: This command configures debugging for mtrace.

misc
Syntax: [no] misc
Context: debug>router>mtrace
Description: This command enables debugging for mtrace miscellaneous.
VRRP
In This Chapter
This chapter provides information about configuring Virtual Router Redundancy Protocol (VRRP) parameters.
VRRP Overview
The Virtual Router Redundancy Protocol (VRRP) is defined in the IETF RFC 2338, Virtual Router Redundancy Protocol, and further described in draft-ietf-vrrp-spec-v2-06.txt. VRRP describes a method of implementing a redundant IP interface shared between two or more routers on a common LAN segment, allowing a group of routers to function as one virtual router.
VRRP Components
VRRP consists of the following components:
• Virtual Router
• IP Address Owner
• Primary and Secondary IP Addresses
• Virtual Router Master
• Virtual Router Backup
• Owner and Non-Owner VRRP
Virtual Router
A virtual router is a logical entity managed by VRRP that acts as a default router for hosts on a shared LAN.
Primary and Secondary IP Addresses
A primary address is an IP address selected from the set of real interface addresses. VRRP advertisements are always sent using the primary IP address as the source of the IP packet. A 7750 SR IP interface must always have a primary IP address assigned for VRRP to be active on the interface. 7750 SR OS supports both primary and secondary IP addresses (multi-netting) on the IP interface.
Virtual Router Backup
A new virtual router master is selected from the set of VRRP routers available to assume forwarding responsibility for a virtual router should the current master fail.
Owner and Non-Owner VRRP
The owner controls the IP address of the virtual router and is responsible for forwarding packets sent to this IP address. The owner assumes the role of the master virtual router. Only one virtual router in the domain can be configured as owner.
Configurable Parameters
In addition to backup IP addresses, to facilitate configuration of a virtual router on 7750 SR routers, the following parameters can be defined in owner configurations:
• Virtual Router ID (VRID)
• Message Interval and Master Inheritance
• VRRP Message Authentication
• Authentication Data
• Virtual MAC Address
The following parameters can be defined in non-owner configurations:
• Virtual Router ID
When the IP address on the IP interface matches the virtual router IP address (owner mode), the priority value is fixed at 255, the highest value possible. This virtual router member is considered the owner of the virtual router IP address. There can only be one owner of the virtual router IP address for all virtual router members. The priority value 0 is reserved for VRRP advertisement message purposes.
Message Interval and Master Inheritance
Each virtual router is configured with a message interval per VRID within which it participates. This parameter must be the same for every virtual router on the VRID. The default advertisement interval is 1 second and can be configured between 1 and 255 seconds in 1 second increments. As stated in RFC 2338, the advertisement interval field in every received VRRP advertisement message must match the locally configured advertisement interval.
Master Down Interval
The master down interval is a calculated value used to load the master down timer. When the master down timer expires, the virtual router enters the master state. To calculate the master down interval, the virtual router evaluates the following formula:
Master Down Interval = ((3 x Operational Advertisement Interval) + Skew Time) seconds
The operational advertisement interval is dependent upon the state of the inherit parameter.
VRRP Message Authentication
The authentication type parameter defines the type of authentication used by the virtual router in VRRP advertisement message authentication. The current master uses the configured authentication type to indicate any egress message manipulation that must be performed in conjunction with any supporting authentication parameters before transmitting a VRRP advertisement message.
• VRRP message checks
→ Version field – Must be set to the value 2
→ Type field – Must be set to the value of 1 (advertisement)
→ Virtual router ID field – Must match one of the configured VRIDs on the ingress IP interface (all other fields are dependent on matching the virtual router ID field to one of the interface's configured VRID parameters)
→ Priority field – Must be equal to or greater than the VRID in-use priority or be equal to 0 (Note, equal to the VRID in-use priority and 0 requires further
Authentication Failure
Any received VRRP advertisement message that fails authentication must be silently discarded with an invalid authentication counter incremented for the ingress virtual router instance.
Authentication Data
This feature is different than the VRRP advertisement message field with the same name. This is any required authentication information that is pertinent to the configured authentication type.
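The ingress checks listed above (version, type, VRID, priority, advertisement interval and authentication) can be expressed as one validation routine with silent discards and per-instance counters. The following Python code is an added example, not 7750 SR OS code: the packet layout, the checksum rule and the zero-padding of short Type 1 keys follow RFC 2338, while VrrpInstance, build_advert, validate and the discard-reason strings are hypothetical names.

```python
# Added example (not 7750 SR OS code): ingress checks on a VRRPv2 advertisement.
import hmac
import ipaddress
import struct
from dataclasses import dataclass, field

AUTH_NONE, AUTH_PASSWORD = 0, 1  # RFC 2338 authentication types 0 and 1
# Fixed header: version/type, VRID, priority, address count, auth type,
# advertisement interval, checksum. IP addresses and 8 auth octets follow.
HDR = struct.Struct("!BBBBBBH")


def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pad_key(key: str) -> bytes:
    """Type 1 password: at most 8 ASCII characters, zero-padded to 8 octets."""
    raw = key.encode("ascii")
    if len(raw) > 8:
        raise ValueError("authentication key is limited to 8 characters")
    return raw.ljust(8, b"\x00")


@dataclass
class VrrpInstance:  # hypothetical model of one configured virtual router instance
    vrid: int
    in_use_priority: int
    adver_int: int = 1
    auth_type: int = AUTH_NONE
    auth_key: str = ""
    discards: dict = field(default_factory=dict)

    def drop(self, reason: str) -> str:
        # Silent discard: nothing is sent back, only a counter is incremented.
        self.discards[reason] = self.discards.get(reason, 0) + 1
        return reason


def build_advert(vrid, priority, addrs, adver_int=1, auth_type=AUTH_NONE, key=""):
    """Build a constructed advertisement (sample input for the checks below)."""
    auth = pad_key(key) if auth_type == AUTH_PASSWORD else bytes(8)
    body = b"".join(ipaddress.IPv4Address(a).packed for a in addrs)
    msg = HDR.pack((2 << 4) | 1, vrid, priority, len(addrs),
                   auth_type, adver_int, 0) + body + auth
    return msg[:6] + struct.pack("!H", inet_checksum(msg)) + msg[8:]


def validate(inst: VrrpInstance, msg: bytes) -> str:
    """Return "accept" or the discard reason, counting every discard."""
    if len(msg) < HDR.size + 8:
        return inst.drop("malformed")
    ver_type, vrid, priority, count, auth_type, adver_int, _ = HDR.unpack_from(msg)
    if len(msg) != HDR.size + 4 * count + 8:
        return inst.drop("malformed")
    if ver_type >> 4 != 2:                      # Version field must be 2
        return inst.drop("bad-version")
    if ver_type & 0x0F != 1:                    # Type field must be 1 (advertisement)
        return inst.drop("bad-type")
    if inet_checksum(msg) != 0:                 # a valid message sums to zero
        return inst.drop("bad-checksum")
    if vrid != inst.vrid:                       # must match a configured VRID
        return inst.drop("vrid-mismatch")
    # Priority must be >= the in-use priority or 0; the further processing the
    # guide mentions for the "equal" and "0" cases is not modelled here.
    if priority != 0 and priority < inst.in_use_priority:
        return inst.drop("low-priority")
    if adver_int != inst.adver_int:             # must match the local interval
        return inst.drop("interval-mismatch")
    if auth_type != inst.auth_type:
        return inst.drop("invalid-auth")
    if auth_type == AUTH_PASSWORD and not hmac.compare_digest(
            msg[-8:], pad_key(inst.auth_key)):
        return inst.drop("invalid-auth")
    return "accept"
```

The Type 1 password is carried in cleartext in the last eight octets of every advertisement, so it catches mismatched configuration between routers but does not protect against a host attached to the same LAN segment.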
have the supported IP addresses explicitly defined, making mismatched supported IP address within the interconnected virtual router instances a provisioning issue.
Inherit Master VRRP Router’s Advertisement Interval Timer
The virtual router instance can inherit the master VRRP router’s advertisement interval timer which is used by backup routers to calculate the master down timer. The inheritance is only configurable in the non-owner nodal context.
VRRP Priority Control Policies
This implementation of VRRP supports control policies to manipulate virtual router participation in the VRRP master election process and master self-deprecation. The local priority value for the virtual router instance is used to control the election process and master state.
VRRP Virtual Router Policy Constraints
Priority control policies can only be applied to non-owner VRRP virtual router instances.
VRRP Priority Control Policy Delta In-Use Priority Limit
A VRRP priority control policy enforces an overall minimum value that the policy can inflict on the VRRP virtual router instance base priority. This value provides a lower limit to the delta priority events' manipulation of the base priority.
Each event generates a VRRP priority event message indicating the policy-id, the event type, the priority type (delta or explicit) and the event priority value. Another log message is generated when the event is no longer true, indicating that it has been cleared.
Priority Event Hold-Set Timers
Hold-set timers are used to dampen the effect of a flapping event. A flapping event is where the event continually transitions between clear and set.
The following example illustrates a LAG priority event and its interaction with the hold-set timer in changing the in-use priority.
Table 6: LAG Events (Continued)
Time   LAG Port State
104    Two ports down
105    Two ports down
200    Four ports down
202    Seven ports down
206    All ports up
207    All ports up
Parameter State Comments
Event State Set - 5 ports down
Event Threshold 4 ports down
Hold Set Timer 1 second
Event State Set - 2 ports down
Event Threshold 2 ports down
Hold Set Timer Expired
Event State Set - 2 ports down
Event Threshold 4 ports down
Hold Set Timer 5 se
Host Unreachable Priority Event
The host unreachable priority event creates a continuous ping task that is used to test connectivity to a remote host. The path to the remote host and the remote host itself must be capable and configured to accept ICMP echo requests and replies for the ping to be successful. The ping task is controlled by interval and size parameters that define how often the ICMP request messages are transmitted and the size of each message.
VRRP Non-Owner Accessibility
Although RFC 2338 and draft-ietf-vrrp-spec-v2-06.txt state that only VRRP owners can respond to ping and other management-oriented protocols directed to the VRID IP addresses, 7750 SR OS allows an override of this restraint on a per VRRP virtual router instance basis.
Non-Owner Access SSH
When non-owner access SSH is enabled on a virtual router instance, authorized SSH sessions may be established that are destined to the virtual router instance IP addresses when operating in master mode. SSH sessions are always discarded at the IP interface when destined to a virtual router IP address operating in backup mode.
VRRP Configuration Process Overview
Figure 14 displays the process to provision VRRP parameters.
VRRP Configuration Components
Figure 15 displays the major components to configure a VRRP priority control policy.
[Figure 15: VRRP Policy Configuration Components. Nodes: VRRP, POLICY, PRIORITY-EVENT, PORT-DOWN, LAG-PORT-DOWN, HOST-UNREACHABLE, ROUTE-UNKNOWN]
• Policy — A VRRP priority control policy can be used to modify the VRRP in-use priority based on priority control events such as port-down, lag-port-down, host-unreachable, and route-unknown parameters.
[Figure 16: Interface VRRP Configuration Components. Nodes: ROUTER, INTERFACE, ADDRESS, SECONDARY, VRRP, OWNER (optional), BACKUP, POLICY (optional), NON-OWNER (default), BACKUP, POLICY (optional)]
• Interface — A logical IP routing interface.
• Address — Assigns the primary IP address for the interface. A primary IP address must be assigned to each IP interface.
• Secondary — Assigns a secondary IP address, IP subnet/broadcast address format to the interface.
Figure 17 displays the major components to configure a VRRP instance in an IES service.
[Figure 17: IES VRRP Configuration Components. Nodes: SERVICE, IES, INTERFACE, ADDRESS, SECONDARY, VRRP vrid, OWNER, BACKUP, POLICY (optional), NON-OWNER, BACKUP, POLICY (optional)]
• IES — The context to create or modify an IES service.
• Interface — A logical IP routing interface.
• Address — Assigns the primary IP address for the interface. A primary IP address must be assigned to each IP interface.
Configuration Notes
This section describes VRRP configuration caveats.
General
• Creating and applying VRRP policies are optional.
• Backup command:
→ You can configure up to 16 backup IP addresses in the non-owner mode. The backup IP address(es) must be on the same subnet. The backup addresses explicitly define which IP addresses are in the VRRP advertisement message IP address list.
Configuring VRRP with CLI
This section provides information to configure VRRP using the command line interface.
VRRP Configuration Overview
Configuring VRRP policies and configuring VRRP instances on IES or VPRN interfaces and router interfaces is optional. The basic owner and non-owner VRRP configurations on an IES or router interface must specify the backup ip-address parameter. VRRP helps eliminate the single point of failure in a routed environment by using a virtual router IP address shared between two or more routers connecting the common domain.
VRRP CLI Command Structure
The 7750 SR OS VRRP command structure is displayed in Figure 18. VRRP policy commands are located under the config>vrrp context. VRRP service configuration commands are located under the config>service>ies>interface context. VRRP interface configuration commands are located under the config>router>interface context. VRRP show commands are located under the show>vrrp context.
[Figure: VRRP CLI command structure. Nodes: ROOT, CONFIG, VRRP, POLICY, DELTA-IN-USE LIMIT, PRIORITY EVENT, HOST UNREACHABLE, LAG PORT DOWN, PORT DOWN, ROUTE UNKNOWN, SERVICE, IES/VPRN, INTERFACE, VRRP, OWNER, NON-OWNER, BACKUP, ROUTER, SHOW, INSTANCE]
List of Commands
Table 7 lists the commands to configure VRRP policy parameters, indicating the configuration level at which each command is implemented with a short command description. Table 8 lists the commands to configure VRRP parameters on an interface and in an IES or VPRN service, indicating the configuration level at which each command is implemented with a short command description. Refer to the IES chapter of the 7750 SR OS Services Guide for information about IES command syntax and usage.
Table 7: CLI Commands to Configure a VRRP Policy (Continued)
Command — Description
hold-set — Configures the amount of time before the set state for a VRRP priority control event transitions to the cleared state to dampen flapping events.
number-down — Creates a context for configuring an event set threshold within a lag-port-down priority control event.
priority — Configures the effect the set event has on the virtual router instance in-use priority.
Table 8: CLI Commands to Configure IES or VPRN Service VRRP Parameters
Command — Description
VRRP IES service and network interface parameters are configured in the following contexts:
config>service>ies>interface>vrrp
config>service>vprn>interface>vrrp
config>router>interface>vrrp
Configure IES or VPRN VRRP owner parameters
config>service>ies>interface>vrrp virtual-router-id owner
config>service>vprn>interface>vrrp virtual-router-id owner
interface — Creates a logical IP routin
Table 8: CLI Commands to Configure IES or VPRN Service VRRP Parameters (Continued)
Command — Description
backup ip-address — Assigns virtual router IP addresses associated with the parental IP interface IP addresses. Owner instances do not create a routable IP interface address; it defines the existing parental IP interface IP addresses that will be advertised by the virtual router instance.
Table 8: CLI Commands to Configure IES or VPRN Service VRRP Parameters (Continued)
Command — Description
backup ip-address — Assigns virtual router IP addresses associated with the parental IP interface IP addresses. Non-owner instances create a routable IP interface address that is operationally dependent on the virtual router instance mode (master or backup).
init-delay — Configures a VRRP initialization delay timer.
Basic VRRP Configurations
Configure VRRP parameters in the following contexts:
• VRRP Policy
• VRRP IES Service Parameters
• VRRP Router Interface Parameters
VRRP Policy
Configuring and applying VRRP policies are optional. There are no default VRRP policies. Each policy must be explicitly defined.
        exit
    exit
----------------------------------------------
A:SR2>config>vrrp>policy#
VRRP IES Service Parameters
VRRP parameters are configured within an IES service with two contexts, owner or non-owner. The status is specified when the VRRP configuration is created. When configured as owner, the virtual router instance owns the backup IP addresses. All other virtual router instances participating in this message domain must have the same vrid configured and cannot be configured as owner.
VRRP Router Interface Parameters
VRRP parameters are configured on a router interface with two contexts, owner or non-owner. The status is specified when the VRRP configuration is created. When configured as owner, the virtual router instance owns the backed up IP addresses. All other virtual router instances participating in this message domain must have the same vrid configured and cannot be configured as owner.
Common Configuration Tasks
This section provides a brief overview of the tasks that must be performed to configure VRRP and provides the CLI commands. VRRP parameters are defined under a service interface or a router interface context. An IP address must be assigned to each IP interface. Only one IP address can be associated with an IP interface but several secondary IP addresses can also be associated.
Creating Interface Parameters
You can configure up to 4 virtual router IDs on an IP interface. Each virtual router instance can manage up to 16 backup IP addresses, including up to 16 secondary IP addresses. If you have multiple subnets configured on an Ethernet interface, you can configure VRRP on each subnet.
Configuring VRRP Policy Components
Use the CLI syntax displayed below to configure a VRRP policy:
CLI Syntax: config>vrrp
    policy policy-id [context service-id]
        description string
        delta-in-use-limit in-use-priority-limit
        priority-event
            port-down port-id[.
The following displays the VRRP policy configuration:
A:SR1>config>vrrp# info
----------------------------------------------
    policy 1
        delta-in-use-limit 50
        priority-event
            port-down 1/1/2
                hold-set 43200
                priority 100 delta
            exit
            route-unknown 0.0.0.
Configuring IES or VPRN Service VRRP Parameters
VRRP parameters can be configured on an interface in an IES or VPRN service to provide virtual default router support which allows traffic to be routed without relying on a single router in case of failure.
Non-Owner IES or VPRN VRRP Example
Use the CLI syntax displayed below to configure IES or VPRN service non-owner VRRP parameters:
CLI Syntax: config>service# ies service-id [{customer customer-id}]
            config>service# vprn service-id [customer customer-id]
    interface ip-int-name
        address ip-addr/mask-length [broadcast {all-ones|host-ones}]
        no shutdown
        vrrp vrid
            authentication-type {password}
            authentication-key [authentication-key | hash-key] [hash|hash2]
            backup ip-addr
            init-de
The following example displays the basic non-owner VRRP configuration:
A:SR2>config>service>ies# info
----------------------------------------------
    interface "mertz" create
        address 10.10.65.4/24
        backup 10.10.0.
Owner IES or VPRN VRRP
Use the CLI syntax displayed below to configure IES or VPRN service owner VRRP parameters:
CLI Syntax: config>service# ies service-id [{customer customer-id}]
            config>service# vprn service-id [customer customer-id]
    interface ip-int-name
        address ip-addr/mask-length [broadcast {all-ones|host-ones}]
        no shutdown
        vrrp vrid owner
            authentication-type {password}
            authentication-key [authentication-key | hash-key] [hash|hash2]
            backup ip-addr
            init-delay second
Configuring Router Interface VRRP Parameters
VRRP parameters can be configured on a router interface to provide virtual default router support which allows traffic to be routed without relying on a single router in case of failure.
Router Interface VRRP Non-Owner
Use the CLI syntax displayed below to configure non-owner router interface VRRP parameters:
CLI Syntax: config>router
    interface ip-int-name
        address ip-addr/mask-length
        no shutdown
        vrrp vrid
            authentication-type {password}
            authentication-key [authentication-key | hash-key] [hash|hash2]
            backup ip-addr
            init-delay seconds
            mac ieee-mac-address
            priority base-priority
            policy vrrp-policy-id
            message-interval seconds
            ping-reply
            telnet-reply
            ssh-reply
The following example displays the non-owner interface VRRP configuration:
A:SR2>config># info
#------------------------------------------
    interface "lucy"
        address 10.20.30.40/24
        secondary 10.10.50.1/24
        secondary 10.10.60.1/24
        secondary 10.10.70.1/24
        vrrp 1
            backup 10.10.50.2
            backup 10.10.60.2
            backup 10.10.70.2
            backup 10.20.30.
Router Interface VRRP Owner
Use the CLI syntax displayed below to configure owner router interface VRRP parameters:
CLI Syntax: config>router
    interface ip-int-name
        address ip-addr/mask-length
        no shutdown
        vrrp vrid owner
            authentication-type {password}
            authentication-key [authentication-key | hash-key] [hash | hash2]
            backup ip-addr
            init-delay seconds
            mac ieee-mac-address
            message-interval seconds
The following example displays router interface owner VRRP configuration comma
VRRP Configuration Management Tasks
This section discusses the following VRRP configuration management tasks:
• Modifying a VRRP Policy
• Deleting a VRRP Policy
• Modifying Service and Interface VRRP Parameters
→ Modifying Non-Owner Parameters
→ Modifying Owner Parameters
→ Deleting VRRP on an Interface or Service
Modifying a VRRP Policy
To access a specific VRRP policy, you must specify the policy ID.
Deleting a VRRP Policy
Policies are only applied to non-owner VRRP instances. A VRRP policy cannot be deleted if it is applied to an interface or to an IES service. Each instance in which the policy is applied must be deleted.
Modifying Service and Interface VRRP Parameters
Modifying Non-Owner Parameters
Once a VRRP instance is created as non-owner, it cannot be modified to the owner state. The vrid must be deleted and then recreated with the owner keyword to invoke IP address ownership.
Modifying Owner Parameters
Once a VRRP instance is created as owner, it cannot be modified to the non-owner state. The vrid must be deleted and then recreated without the owner keyword to remove IP address ownership.
VRRP Command Reference
Command Hierarchies
Configuration Commands
• VRRP Network Interface Commands
• VRRP Priority Control Event Policy Commands
• Show Commands
• Clear Commands
VRRP Network Interface Commands
config
    — router
        — [no] interface interface-name
            — address {ip-address/mask | ip-address netmask} [broadcast all-ones | host-ones]
            — no address
            — [no] allow-directed-broadcasts
            — arp-timeout seconds
            — no arp-timeout
            — description description-strin
— [no] preempt
— priority priority
— no priority
— [no] ssh-reply
— [no] standby-forwarding
— [no] telnet-reply
— [no] shutdown
— [no] traceroute-reply
VRRP Priority Control Event Policy Commands
config
    — vrrp
        — [no] policy policy-id [context service-id]
            — delta-in-use-limit limit
            — no delta-in-use-limit
            — description description string
            — no description
            — [no] priority-event
                — [no] host-unreachable ip-addr
                    — drop-count consecutive-failures
                    — no drop-count
                    — hold-clear seconds
                    — no hold-clear
                    — hold-set seconds
                    — no hold-set
                    — interval seconds
                    — no interval
                    — priority priority-level [{delta | explicit}]
                    — no priority
                    — timeout seconds
                    — no timeout
                — [
Show Commands
show
    — router
        — vrrp
            — instance [interface interface-name [vrid virtual-router-id]]
            — statistics
Clear Commands
clear
    — router
        — vrrp
            — instance interface-name [vrid virtual-router-id]
            — statistics [interface interface-name [vrid virtual-router-id]]
Configuration Commands
Interface Configuration Commands

authentication-key
Syntax: authentication-key [authentication-key | hash-key] [hash | hash2]
        no authentication-key
Context: config>router>if>vrrp
Description: This command sets the simple text authentication key used to generate master VRRP advertisement messages and validates VRRP advertisements. If simple text password authentication is not required, the authentication-key command is not required.
Parameters:
authentication-key — The authentication key. Allowed values are any string up to 8 characters long composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, etc.), the entire string must be enclosed within double quotes.
hash-key — The hash key. The key can be any combination of ASCII characters up to 22 (hash-key1) or 121 (hash-key2) characters in length (encrypted).
Parameters:
password — Specifies VRRP Authentication Type 1 is used. Type 1 requires the definition of an eight octet long string. All transmitted VRRP advertisement messages must have the authentication type field set to 1 and the authentication data fields must contain the authentication-key password. All received VRRP advertisement messages must contain a value of 1 in the authentication type field and the authentication data fields must match the defined authentication-key.
error generated. At least one successful backup ip-addr command must be executed before the virtual router instance can enter the operational state. When operating as (non-owner) master, the default functionality associated with ip-addr is ARP response to ARP requests to ip-addr, routing of packets destined to the virtual router instance source MAC address and silently discarding packets destined to ip-addr.
Example - Owner Virtual Router Instance
Parent IP addresses: 10.10.10.10/24, 11.11.11.11/24
Virtual router IP addresses:
10.10.10.11     Invalid (not equal to parent IP address)
10.10.10.10     Associated (same as parent IP address 10.10.10.10)
10.10.11.11     Invalid (not equal to parent IP address)
11.11.11.254    Invalid (not equal to parent IP address)
11.11.11.
Parent Primary IP Address Changed — When a virtual router IP address is set and the associated parent IP interface IP address is changed, the new parent IP interface IP address is evaluated to ensure it meets the association rules defined in Owner Virtual Router IP Address Parental Association or Non-Owner Virtual Router IP Address Parental Association. If the association check fails, the parental IP address change is not allowed.
The mac command sets the MAC address used in ARP responses when the virtual router instance is master. Routing of IP packets with ieee-mac-addr as the destination MAC is also enabled. The mac setting must be the same for all virtual routers participating as a virtual router or indeterminate connectivity by the attached IP hosts will result. All VRRP advertisement messages are transmitted with ieee-mac-addr as the source MAC.
message-interval
Syntax: message-interval {[seconds] [milliseconds milliseconds]}
        no message-interval
Context: config>router>if>vrrp
Description: This command configures the administrative advertisement message timer used by the master virtual router instance to send VRRP advertisement messages and to derive the master down timer as backup.
policy
Syntax: policy vrrp-policy-id
        no policy
Context: config>router>if>vrrp
Description: This command adds a VRRP priority control policy association with the virtual router instance. To further augment the virtual router instance base priority, VRRP priority control policies can be used to override or adjust the base priority value depending on events or conditions within the chassis. The policy can be associated with more than one virtual router instance.
Non-owner virtual router instances only preempt when preempt is set and the current master has an in-use message priority value less than the virtual router instance's in-use priority. A master non-owner virtual router only allows itself to be preempted when the incoming VRRP advertisement message priority field value is one of the following:
• Greater than the virtual router in-use priority value.
ping-reply
Syntax: [no] ping-reply
Context: config>router>if>vrrp
Description: This command enables the non-owner master to reply to ICMP echo requests directed at the virtual router instance's IP addresses. Non-owner virtual router instances are limited by the VRRP specifications to responding to ARP requests destined to the virtual router IP addresses and routing IP packets not addressed to the virtual router IP addresses.
If the shutdown command is executed, no VRRP advertisement messages are generated and all received VRRP advertisement messages are silently discarded with no processing. By default, virtual router instances are created in the no shutdown state. Whenever the administrative state of a virtual router instance transitions, a log message is generated. Whenever the operational state of a virtual router instance transitions, a log message is generated.
standby-forwarding
Syntax: [no] standby-forwarding
Context: config>router>if>vrrp
Description: This command specifies whether this VRRP instance allows forwarding packets to a standby router. When disabled, a standby router should not forward traffic sent to the virtual router's MAC address. However, the standby router should forward traffic sent to the standby router’s real MAC address. When enabled, a standby router should forward all traffic.
traceroute-reply
Syntax: [no] traceroute-reply
Context: config>router>if>vrrp
Description: This command is valid only if the VRRP virtual router instance associated with this entry is a non-owner. When this command is enabled, a non-owner master can reply to traceroute requests directed to the virtual router instance IP addresses. A non-owner backup virtual router never responds to such traceroute requests regardless of the traceroute-reply status.
VRRP Owner Command Exclusions — By specifying the VRRP vrid as owner, the following commands are no longer available:
• vrrp mismatch-discard — Owner virtual router instances do not accept VRRP advertisement messages; IP address mismatches are not checked or logged.
• vrrp priority — The virtual router instance owner is hard-coded with a priority value of 255 and cannot be changed.
Priority Policy Commands

delta-in-use-limit
Syntax: delta-in-use-limit in-use-priority-limit
        no delta-in-use-limit
Context: config>vrrp>policy vrrp-policy-id
Description: This command sets a lower limit on the virtual router in-use priority that can be derived from the delta priority control events. Each vrrp-priority-id places limits on the delta priority control events to define the in-use priority of the virtual router instance.
description
Syntax: description string
        no description
Context: config>vrrp>policy vrrp-policy-id
Description: This command creates a text description stored in the configuration file for a configuration context. The description command associates a text string with a configuration context to help identify the content in the configuration file. The no form of the command removes the string from the configuration.
Default: No text description is associated with this configuration.
Parameters:
Parameters:
vrrp-policy-id — The VRRP priority control ID expressed as a decimal integer that uniquely identifies this policy from any other VRRP priority control policy defined on the system. Up to 1000 policies can be defined.
Values: 1 — 9999
context service-id — Specifies the service ID to which this policy applies. A value of zero (0) means that this policy does not apply to a service but applies to the base router instance.
Priority Policy Event Commands

hold-clear
Syntax: hold-clear seconds
        no hold-clear
Context: config>vrrp>policy vrrp-policy-id>priority-event>port-down
         config>vrrp>policy vrrp-policy-id>priority-event>lag-port-down
         config>vrrp>policy vrrp-policy-id>priority-event>route-unknown
Description: This command configures the hold clear time for the event.
lag-port-down events, this may be a decrease in the set effect if the clearing amounts to a lower set threshold. The hold-set command can be executed at any time. If the hold-set timer value is configured larger than the new seconds setting, the timer is loaded with the new hold-set value. The no form of the command reverts to the default value.
Default: 0 - The hold-set timer is disabled so event transitions are processed immediately.
Parameters
VRRP Parameters priority-level — The priority level adjustment value expressed as a decimal integer. Values 0 — 254 delta | explicit — Configures what effect the priority-level will have on the base priority value. When delta is specified, the priority-level value is subtracted from the associated virtual router instance’s base priority when the event is set and no explicit events are set.
Priority Policy Port Down Event Commands

port-down
Syntax: [no] port-down port-id
Context: config>vrrp>policy>priority-event
Description: This command configures a port down priority control event that monitors the operational state of a port or SONET/SDH channel. When the port or channel enters the operational down state, the event is considered set. When the port or channel enters the operational up state, the event is considered cleared.
VRRP to be separate entities. A port and a channel on the port can be monitored by separate events in the same policy. Values port-id Values .channel slot/mda/port[.channel] aps-id aps-group-id[.channel] aps keyword group-id 1 — 64 bundle-type-slot/mda. bundle keyword type ima, ppp bundle-num 1 —128 ccag-id ccag-id. path-id[cc-type] ccag keyword id 1—8 path-id a, b cc-type .sap-net, .net-sap The POS channel on the port monitored by the VRRP priority control event. The portid.
Priority Policy LAG Events Commands

lag-port-down
Syntax: [no] lag-port-down lag-id
Context: config>vrrp>policy vrrp-policy-id>priority-event
Description: This command creates the context to configure Link Aggregation Group (LAG) priority control events that monitor the operational state of the links in the LAG. The lag-port-down command configures a priority control event. The event monitors the operational state of each port in the specified LAG.
configured threshold is crossed, any higher thresholds are considered further event sets and are processed immediately with the hold set timer reset to the configured value of the hold-set command. As the thresholds are crossed in the opposite direction (fewer ports down than previously), the priority effect of the event is not processed until the hold set timer expires.
Parameters
number-of-lag-ports-down — The number of LAG ports down to create a set event threshold. This is the active threshold when the number of down ports in the LAG equals or exceeds number-of-lag-ports-down, but does not equal or exceed the next highest configured number-of-lag-ports-down.
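The following added example (not part of the original guide, and not Alcatel-Lucent code) models how a priority control policy turns set events into an in-use priority: the delta sum, the delta-in-use-limit floor, the owner value of 255, and the selection of the active lag-port-down threshold. The explicit handling (the lowest set explicit priority-level wins and the delta sum is ignored) is an assumption taken from the SR OS definition of the explicit keyword, which is cut off in this extract; the base priority, limit and event states are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

OWNER_PRIORITY = 255  # owner instances are hard-coded to 255 and ignore policies


@dataclass(frozen=True)
class PriorityEvent:
    name: str
    priority_level: int  # 0..254, the priority-level parameter
    effect: str          # "delta" or "explicit"
    is_set: bool         # True while the event is in the set state


def active_lag_threshold(thresholds: Iterable[int], ports_down: int) -> Optional[int]:
    """Return the active number-of-lag-ports-down threshold, or None.

    A threshold is active when ports_down equals or exceeds it but does not
    equal or exceed the next highest configured threshold.
    """
    crossed = [t for t in thresholds if ports_down >= t]
    return max(crossed) if crossed else None


def lag_event(lag_id: int, thresholds: Dict[int, Tuple[int, str]],
              ports_down: int) -> PriorityEvent:
    """Build the lag-port-down event for the current number of down ports."""
    name = f"lag-port-down {lag_id}"
    active = active_lag_threshold(thresholds, ports_down)
    if active is None:
        return PriorityEvent(name, 0, "delta", False)  # event cleared
    level, effect = thresholds[active]
    return PriorityEvent(name, level, effect, True)


def in_use_priority(base_priority: int, events: List[PriorityEvent],
                    delta_in_use_limit: int, owner: bool = False) -> int:
    """Derive the in-use priority of a virtual router instance."""
    if owner:
        return OWNER_PRIORITY
    set_events = [e for e in events if e.is_set]
    for e in set_events:
        if e.effect not in ("delta", "explicit"):
            raise ValueError(f"{e.name}: unknown effect {e.effect!r}")
        if not 0 <= e.priority_level <= 254:
            raise ValueError(f"{e.name}: priority-level out of range")
    explicit = [e.priority_level for e in set_events if e.effect == "explicit"]
    if explicit:
        # Assumption (explicit keyword definition): lowest set explicit value wins.
        return min(explicit)
    total_delta = sum(e.priority_level for e in set_events)
    # The result is compared to delta-in-use-limit; the limit is the floor.
    return max(base_priority - total_delta, delta_in_use_limit)


# Constructed sample: priority levels mirror the events in the show output of
# this chapter (20 Del, 10 Del, 30 Delta); the set/cleared states are invented.
SAMPLE_EVENTS = [
    PriorityEvent("host-unreachable 10.10.200.252", 20, "delta", True),
    PriorityEvent("host-unreachable 10.10.200.253", 10, "delta", True),
    PriorityEvent("port-down 1/1/1", 30, "delta", False),
]
SAMPLE_LAG_THRESHOLDS = {1: (10, "delta"), 3: (40, "delta")}  # constructed

if __name__ == "__main__":
    print(in_use_priority(100, SAMPLE_EVENTS, delta_in_use_limit=50))
    print(lag_event(1, SAMPLE_LAG_THRESHOLDS, ports_down=2))
```

Running the model against a planned policy shows whether a single monitored failure is enough to push the instance below its peer, or whether the delta-in-use-limit keeps it master regardless.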
Priority Policy Host Unreachable Event Commands

drop-count
Syntax: drop-count consecutive-failures
        no drop-count
Context: config>vrrp vrrp-policy-id>priority-event>host-unreachable ip-addr
Description: This command configures the number of consecutively sent ICMP echo request messages that must fail before the host unreachable priority control event is set.
Configuration Commands The host-unreachable command can reference any valid local or remote IP address. The ability to ARP a local IP address or find a remote IP address within a route prefix in the route table is considered part of the monitoring procedure. The host-unreachable priority event operational state tracks ARP or route table entries dynamically appearing and disappearing from the system.
The no form of the command deletes the specific IP host monitoring event. The event may be deleted at any time. When the event is deleted, the in-use priority of all associated virtual router instances must be reevaluated. The event’s hold-set timer has no effect on the removal procedure.
Default: no host-unreachable - No host unreachable priority events are created.
Parameters
ip-addr — The IP address of the host for which the specific event will monitor connectivity.
With each consecutive attempt to send an ICMP echo request message, the timeout timer is loaded with the timeout value. The timer decrements until:
• An internal error occurs preventing message sending (request unsuccessful).
• An internal error occurs preventing message reply receiving (request unsuccessful).
• A required route table entry does not exist to reach the IP address (request unsuccessful).
VRRP Priority Policy Route Unknown Event Commands less-specific Syntax Context Description [no] less-specific [allow-default] config>vrrp>policy vrrp-policy-id>priority-event>route-unknown prefix/mask-length This command allows a CIDR shortest match hit on a route prefix that contains the IP route prefix associated with the route unknown priority event. The less-specific command modifies the search parameters for the IP route prefix specified in the route-unknown priority event.
When more than one next hop IP address is eligible for matching, a next-hop command must be executed for each IP address. Defining the same IP address multiple times has no effect after the first instance. The no form of the command removes the ip-addr from the list of acceptable next hops when looking up the route-unknown prefix. If this ip-addr is the last next hop defined on the route-unknown event, the returned next hop information is ignored when testing the match criteria.
VRRP is-is — This parameter defines IS-IS as an eligible route source for a returned route prefix from the RTM when looking up the route-unknown route prefix. The is-is parameter is not exclusive from the other available protocol parameters. If protocol is executed without the is-is parameter, a returned route prefix with a source of IS-IS will not be considered a match and will cause the event to enter the set state.
route-unknown Operational State | Description
Set – wrong next hop | The route exists in the route table but does not meet the next-hop requirements.
Set – wrong protocol | The route exists in the route table but does not meet the protocol requirements.
Set – less specific found | The route exists in the route table but is not an exact match and does not meet any less-specific requirements.
VRRP Show Commands global-statistics Syntax Context Description Output global-statistics show>vrrp This command displays global VRRP statistics. VRRP Global Statistics Output — The following table describes the global statistics command output fields for VRRP. Table 9: Show VRRP Global-Statistics Output Label Output Description VR ID Errors The number of errors the Virtual Router Identifier (VR ID) has reported. Version Errors The number of version errors detected in VRRP messages.
Show Commands vrid vrid — Displays detailed information for the specified VRRP instance on the IP interface. Output Default All VRIDs for the IP interface. Values 1 — 255 VRRP Instance Output — The following table describes the instance command output fields for VRRP. Table 10: Show VRRP Instance Output Label Description Interface name The name of the IP interface.
VRRP Table 10: Show VRRP Instance Output Label Inh Int Description Yes — When the VRRP instance is a non-owner and is operating as a backup and the master-int-inherit command is enabled, the master down timer is indirectly derived from the value in the advertisement interval field of the VRRP message received from the current master.
Table 10: Show VRRP Instance Output
Label | Description
SSH Reply | Yes — Non-owner masters can reply to SSH requests directed at the virtual router instance's IP addresses. No — All SSH request messages destined to the non-owner virtual router instance IP addresses are discarded.
Primary IP of Master | The IP address of the VRRP master.
Primary IP | The IP address of the VRRP owner.
Up Time | The date and time when the operational state of the event last changed.
A:ALA-A#
A:ALA-A# show vrrp instance d2hub
===============================================================================
VRRP Instances for interface "d2hub"
===============================================================================
-------------------------------------------------------------------------------
VRID 1
-------------------------------------------------------------------------------
Owner               : No                 VRRP State          : Backup
Primary IP of Master: 10.10.2.1 (Other)
Primary IP          : 10.10.2.
Show Commands policy Syntax Context Description policy [vrrp-policy-id [event event-type specific-qualifier]] show>vrrp This command displays VRRP priority control policy information. If no command line options are specified, a summary of the VRRP priority control event policies displays. Parameters vrrp-policy-id — Displays information on the specified priority control policy ID.
VRRP Table 11: Show VRRP Policy Output (Continued) Label Delta Limit Description The delta-in-use-limit for a VRRP policy. Once the total sum of all delta events has been calculated and subtracted from the base-priority of the virtual router, the result is compared to the delta-in-use-limit value. If the result is less than this value, the delta-in-use-limit value is used as the virtual router in-use priority value.
Show Commands Table 11: Show VRRP Policy Output (Continued) Label Priority & Effect Description Delta — The priority-level value is subtracted from the associated virtual router instance’s base priority when the event is set and no explicit events are set. The sum of the priority event priority-level values on all set delta priority events are subtracted from the virtual router base priority to derive the virtual router instance in-use priority value.
-------------------------------------------------------------------------------
Priority Control Events
-------------------------------------------------------------------------------
Event Type & ID              Event Oper State   Hold Set    Priority  In
                                                Remaining   &Effect   Use
-------------------------------------------------------------------------------
Host Unreach 10.10.200.252   n/a                Expired     20 Del    No
Host Unreach 10.10.200.253   n/a                Expired     10 Del    No
Route Unknown 10.10.100.
Show Commands Table 12: Show VRRP Policy Event Output (Continued) Label Description Applied to Interface Name The interface name the VRRP policy is applied to. VR ID The virtual router ID for the IP interface Opr Up — Indicates that the operational state of the VRRP instance is up. Down — Indicates that the operational state of the VRRP instance is down. Base Pri The base priority used by the virtual router instance.
VRRP Table 12: Show VRRP Policy Event Output (Continued) Label Priority Effect Description Delta — The priority-level value is subtracted from the associated virtual router instance’s base priority when the event is set and no explicit events are set. The sum of the priority event priority-level values on all set delta priority events are subtracted from the virtual router base priority to derive the virtual router instance in-use priority value.
-------------------------------------------------------------------------------
Priority Control Event Port Down 1/1/1
-------------------------------------------------------------------------------
Priority            : 30                 Priority Effect     : Delta
Hold Set Config     : 0 sec              Hold Set Remaining  : Expired
Value In Use        : No                 Current State       : Cleared
# trans to Set      : 6                  Previous State      : Set-down
Last Transition     : 04/12/2005 04:54:35
===============================================================================
A:ALA-A
VRRP Protocol(s) : None Hold Set Config : 0 sec Hold Set Remaining: Expired Value In Use : No Current State : n/a # trans to Set : 0 Previous State : n/a Last Transition : 12/13/2005 23:10:24 =============================================================================== A:ALA-A# statistics Syntax Context Description Output statistics show>router>vrrp This command displays statistics for VRRP instance. VRRP Policy Output — The following table describes the VRRP policy command output fields.
Clear Commands

instance
Syntax: interface ip-int-name [vrid vrid]
Context: clear>vrrp
Description: This command resets VRRP protocol instances on an IP interface.
Parameters
ip-int-name — The IP interface to reset the VRRP protocol instances.
vrid vrid — Resets the VRRP protocol instance for the specified VRID on the IP interface.
Default: All VRIDs on the IP interface.
Filter Policies

In This Chapter
This chapter provides information about filter policies and management.
Filter Policy Configuration Overview
Filter policies, also referred to as Access Control Lists (ACLs), are templates applied to services or network ports to control network traffic into (ingress) or out of (egress) a service access port (SAP) or network port based on IP, IPv6, and MAC matching criteria. Filters are applied to services to look at packets entering or leaving a SAP or network interface. Filters can be used on several interfaces.
Filter Policies Filter Policy Entities A filter policy compares the match criteria specified within a filter entry to packets coming through the system, in the order the entries are numbered in the policy. When a packet matches all the parameters specified in the entry, the system takes the specified action to either drop or forward the packet. If a packet does not match the entry parameters, the packet continues through the filter process and is compared to the next filter entry, and so on.
Table 14: Applying Filter Policies
IP Filter | MAC Filter | IPv6 Filter
Ipipe SAP, spoke SDP | N/A | N/A
VPLS mesh SDP, spoke SDP, SAP | VPLS mesh SDP, spoke SDP, SAP | VPLS mesh SDP, spoke SDP, SAP
VPRN interface SAP, spoke SDP, subscriber-interface | N/A | Subscriber-interface

Filter policies can be applied to specific service types:
• Epipe — Both MAC and IP filters are supported on an Epipe SAP and spoke SDPs.
Filter Policies Redirection policies can contain multiple destinations. Each destination is assigned an initial or base priority describing its relative importance within the policy. The destination with the highest priority value is selected. There are no default redirect policies. Each redirect policy must be explicitly configured and specified in an IP filter entry.
Filter Policy Configuration Overview Web Redirection (Captive Portal) The 7xx0 Series introduces a new type of redirection policy. Redirection policies were designed for testing purposes. The new redirection policy can now block a customer’s request from an intended recipient and force the customer to connect to the service’s portal server. 255 unique entries with http-redirect are allowed. Traffic Flow The following example provides a brief scenario of a customer connection with web redirection. 1.
Participants: CUSTOMER’S COMPUTER, SR/ESS, PORTAL WEBSITE, ORIGINAL WEBSITE
X>HTTP TCP SYN
X>HTTP TCP SYN ACK*
X>HTTP TCP ACK
HTTP GET
HTTP>X TCP ACK*
HTTP 302 (moved)*
X>HTTP TCP FIN ACK
HTTP>X TCP FIN ACK*
NORMAL HTTP WITH PORTAL
UPDATE POLICY
REDIRECT TO ORIGINAL WEBSITE
NORMAL HTTP WITH ORIGINAL WEBSITE
Figure 19: Web Redirect Traffic Flow
Starred entries (*) are items the router performs masquerading as the destination, regardless of the destination IP address or type of service.
Creating Redirect Policies
Figure 20 displays the process to create redirect policies and apply them to a service SAP or router interface.
Filter Policies Figure 20 displays the process to create filter policies and apply them to a service or network port.
Policy Components
Figure 22 displays the major components of a redirect policy.
REDIRECT POLICY NAME:
  DESTINATION
    PRIORITY
    PING-TEST: DROP-COUNT, INTERVAL, TIMEOUT
    SNMP-TEST: DROP-COUNT, INTERVAL, TIMEOUT, OID, RETURN-VALUE
    URL-TEST: DROP-COUNT, INTERVAL, TIMEOUT, RETURN-CODE, URL
Figure 22: Redirect Policy Components
• Redirect policy — This is the value which identifies the filter.
• Destination — An IP address that serves as a cache server destination.
Figure 23 displays the major components of a filter policy.
FILTER ID:
  DESCRIPTION
  SCOPE
  DEFAULT ACTION
  ENTRY ID: DESCRIPTION, ACTION, MATCHING CRITERIA
  ENTRY ID: DESCRIPTION, ACTION, MATCHING CRITERIA
  ENTRY ID: DESCRIPTION, ACTION, MATCHING CRITERIA
Figure 23: Filter Policy Components
• Filter (mandatory) — This is the value which identifies the filter.
• Description (optional) — The description provides a brief overview of the filter’s features.
Packet Matching Criteria
Up to 65535 IP and 65535 MAC filter IDs (unique filter policies) can be defined. Each filter ID can contain up to 65535 filter entries. A maximum of 16384 filter entries can be defined in one filter at the same time.
Filter Policies • Option value — Entering an option value enables the first filter to search for a specific IP option. See Table 16. • TCP-ACK/SYN flags - Entering a TCP-SYN/TCP-ACK flag allows the filter to search for the TCP flags specified in these fields. MAC filter policies match criteria that associate traffic with an ingress or egress SAP.
Creating Redirect Policies DSCP Values Table 15: DSCP Name to DSCP Value Table Page 288 DSCP Name Decimal DSCP Value Hexadecimal DSCP Value default 0 * cp1 1 cp2 2 cp3 3 cp4 4 cp5 5 cp6 6 cp7 7 cs1 8 cp9 9 af10 10 * af11 11 * af12 12 * cp13 13 cp14 14 cp15 15 cs2 16 cp17 17 af21 18 cp19 19 af22 20 cp21 21 af23 22 cp23 23 cs3 24 cp25 25 af31 26 cp27 27 af32 28 cp29 29 af33 30 Binary DSCP Value * * * * * * * * * 7750 SR OS Router Confi
Filter Policies Table 15: DSCP Name to DSCP Value Table (Continued) DSCP Name Decimal DSCP Value cp21 31 cs4 32 cp33 33 af41 34 cp35 35 af42 36 cp37 37 af43 38 cp39 39 cs5 40 cp41 41 cp42 42 cp43 43 cp44 44 cp45 45 ef 46 cp47 47 nc1 48 cp49 49 cp50 50 cp51 51 cp52 52 cp53 53 cp54 54 cp55 55 cp56 56 cp57 57 nc2 58 cp60 60 cp61 61 cp62 62 7750 SR OS Router Configuration Guide Hexadecimal DSCP Value Binary DSCP Value * * * * * * * (cs6) *
IP Option Values
Table 16: IP Option Values
Copy | Class | Number | Value | Name | Description
0 | 0 | 0 | 0 | EOOL | End of options list
0 | 0 | 1 | 1 | NOP | No operation
0 | 0 | 7 | 7 | RR | Record route
0 | 0 | 10 | 10 | ZSU | Experimental measurement
0 | 0 | 11 | 11 | MTUP | MTU probe
0 | 0 | 12 | 12 | MTUR | MTU reply
0 | 0 | 15 | 15 | ENCODE |
0 | 2 | 4 | 68 | TS | Time stamp
0 | 2 | 18 | 82 | TR | Traceroute
1 | 0 | 2 | 130 | SEC | Security
1 | 0 | 3 | 131 | LSR | Loose source router
1 | 0 | 5 | 133 | E-SEC | Exte
Ordering Filter Entries
When entries are created, they should be arranged sequentially from the most explicit entry to the least explicit. Filter matching ceases when a packet matches an entry. The entry action is performed on the packet, either drop or forward. To be considered a match, the packet must meet all the conditions defined in the entry. Packets are compared to entries in a filter policy in an ascending entry ID order.
Figure 24 displays an example of several packets forwarded upon matching the filter criteria and several packets traversing through the filter entries and then dropped.
FILTER ID: 5
DEFAULT ACTION: DROP
FILTER ENTRIES: 10 (ACTION: FORWARD), 20 (ACTION: FORWARD), 30 (ACTION: FORWARD)
SEARCH CRITERIA: Source Address: 10.10.10.103, Destination Address: 10.10.10.104
INGRESS PACKETS: SA: 10.10.10.103, DA: 10.10.10.104
INGRESSING PACKETS: SA: 10.10.10.103, DA: 10.10.10.105
#1: 10.10.10.
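The following added example (not part of the original guide, and not SR OS code) models the evaluation order described above: entries are tried in ascending entry ID, the first match decides, entries without an action are inactive, an entry without match criteria matches every packet, and the default action applies when nothing matches. It also flags entries that can never match because an earlier, broader entry shadows them. Entry 10 of FIG24_FILTER uses the search criteria shown in Figure 24; the criteria of entries 20 and 30 and the two audit filters are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    entry_id: int
    action: Optional[str]        # "forward", "drop", or None (entry inactive)
    src: Optional[str] = None    # CIDR; None means criterion not specified
    dst: Optional[str] = None

    def matches(self, sa: str, da: str) -> bool:
        """A packet matches only if it meets every specified criterion."""
        for cidr, addr in ((self.src, sa), (self.dst, da)):
            if cidr is None:
                continue
            net = ipaddress.ip_network(cidr, strict=False)
            if ipaddress.ip_address(addr) not in net:
                return False
        return True


def evaluate(entries: List[Entry], default_action: str,
             sa: str, da: str) -> Tuple[Optional[int], str]:
    """Return (matching entry ID or None, action taken) for one packet."""
    for entry in sorted(entries, key=lambda e: e.entry_id):
        if entry.action is None:      # no action configured: entry not active
            continue
        if entry.matches(sa, da):     # matching ceases at the first hit
            return entry.entry_id, entry.action
    return None, default_action


def _covers(outer: Optional[str], inner: Optional[str]) -> bool:
    """True if criterion `outer` matches every address `inner` matches."""
    if outer is None:
        return True
    if inner is None:
        return False
    o = ipaddress.ip_network(outer, strict=False)
    i = ipaddress.ip_network(inner, strict=False)
    return o.version == i.version and i.subnet_of(o)


def shadowed(entries: List[Entry]) -> List[Tuple[int, int]]:
    """List (shadowed entry ID, shadowing entry ID) pairs in entry-ID order."""
    active = sorted((e for e in entries if e.action is not None),
                    key=lambda e: e.entry_id)
    found = []
    for idx, later in enumerate(active):
        for earlier in active[:idx]:
            if _covers(earlier.src, later.src) and _covers(earlier.dst, later.dst):
                found.append((later.entry_id, earlier.entry_id))
                break
    return found


# Filter 5 from Figure 24 (default action drop); entries 20 and 30 constructed.
FIG24_FILTER = [
    Entry(10, "forward", "10.10.10.103/32", "10.10.10.104/32"),
    Entry(20, "forward", "10.10.10.103/32", "10.10.10.106/32"),
    Entry(30, "forward", "10.10.10.107/32"),
]
# Constructed audit case: the broad entry precedes the explicit drop.
MISORDERED = [
    Entry(10, "forward", "10.10.10.0/24"),
    Entry(20, "drop", "10.10.10.103/32", "10.10.10.105/32"),
]
# Same intent, ordered from most explicit to least explicit.
REORDERED = [
    Entry(10, "drop", "10.10.10.103/32", "10.10.10.105/32"),
    Entry(20, "forward", "10.10.10.0/24"),
]

if __name__ == "__main__":
    print(evaluate(FIG24_FILTER, "drop", "10.10.10.103", "10.10.10.105"))
    print(shadowed(MISORDERED))
```

A non-empty result from shadowed() on a planned filter means at least one entry, often a drop that was meant to be an exception, will never be reached.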
Filter Policies Applying Filters After filters are created, they can be applied to the following entities: • Applying a Filter to a SAP on page 293 • Applying a Filter to a Network Port on page 293 Applying a Filter to a SAP During the SAP creation process, ingress and egress filters are selected from a list of qualifying IP and MAC filters. When ingress filters are applied to a SAP, packets received at the SAP are checked against the matching criteria in the filter entries.
Configuration Notes
The following information describes filter implementation caveats:
• Creating a filter policy is optional.
• Associating a service with a filter policy is optional.
• When a filter policy is configured, it must be defined as having either an exclusive scope for one-time use, or a template scope meaning that the filter can be applied to multiple SAPs.
• A specific filter must be explicitly associated with a specific service in order for packets to be matched.
Filter Policies IP Filters • Define filter entry packet matching criteria — If a filter policy is created with an entry and entry action specified but the packet matching criteria is not defined, then all packets processed through this filter policy entry will pass and take the action specified. There are no default parameters defined for matching criteria. • Action — An action parameter must be specified for the entry to be active.
• In case the mini-table has no more free entries, only Total counter is incremented.
• At expiry of the summarization interval, the mini-table for each type is flushed to the syslog destination.
Filter Policies Reference Sources For information on supported IETF drafts and standards, as well as standard and proprietary MIBS, refer to Standards and Protocol Support on page 715.
Filter Policies Configuring Filter Policies with CLI This section provides information to configure filter policies using the command line interface.
Filter CLI Command Structure
Figure 25 displays the 7750 SR OS filter command structure. The filter configuration commands are located under the config>filter context and the show commands are under show>filter ip and show>filter mac.
Filter Policies Figure 26 displays the 7750 SR OS filter redirect policy command structure. The redirect policy configuration commands are located under the config>filter context and the show commands are under show>filter>redirect-policy context.
List of Commands
Table 18 lists all the filter configuration commands indicating the configuration level at which each command is implemented with a short command description.
Filter Policies Table 18: CLI Commands to Configure Filter Policies Parameters (Continued) Command Description Page filter-sample Specifies that traffic matching the associated IP filter entry is sampled if the IP interface is set to cflowd ip-filter mode. 368 interface-disablesample Specifies that traffic matching the associated IP filter entry is not sampled if the IP interface is set to cflowd ip-filter mode.
List of Commands Table 18: CLI Commands to Configure Filter Policies Parameters (Continued) Command Description Page Configure an IPv6 filter policy config>filter ipv6-filter Creates an IPv6 filter policy. 358 default-action The default action specifies the action to be applied to packets when the packets do not match the specified criteria in any of the IPv6 filter entries of the filter. 363 description A text string describing the IPv6 filter policy.
Filter Policies Table 18: CLI Commands to Configure Filter Policies Parameters (Continued) Command Description Page icmp-type Configures matching on ICMP type field in the ICMP header of an IP packet as an IP filter match criterion. 377 src-ip Configures a source IP address range to be used as an IP filter match criterion. 380 src-port Configures a source TCP or UDP port number or port range for an IP filter match criterion.
List of Commands Table 18: CLI Commands to Configure Filter Policies Parameters (Continued) Command Description Page dot1p Configures an IEEE 802.1p value or range to be used as a MAC filter match criterion. 383 etype Configures an Ethernet type II Ethertype value to be used as a MAC filter match criterion. 385 dsap Configures an Ethernet 802.2 LLC DSAP value or range for a MAC filter match criterion. 383 ssap Configures an Ethernet 802.
Filter Policies Table 18: CLI Commands to Configure Filter Policies Parameters (Continued) Command Description Page configure a filter log policy config>filter log Enables the context to create a filter log policy. destination memory Specifies the destination for filter log entries be sent to memory. destination syslog Specifies the destination for filter log entries be sent to an existing syslog. summary Enables the context to configure log summarization.
Basic Configuration
The most basic IP, IPv6, and MAC filter policies must have the following:
• A filter ID
• Template scope, either exclusive or template
• Default action, either drop or forward
• At least one filter entry
  → Specified action, either drop or forward
  → Specified matching criteria
The following example displays a sample configuration of an IP filter policy.
Filter Policies Common Configuration Tasks This section provides a brief overview of the tasks that must be performed for both IP and MAC filter configurations and provides the CLI commands.
Common Configuration Tasks Creating an IP Filter Policy Configuring and applying filter policies is optional. Each filter policy must have the following: • The filter type specified (IP) • A filter policy ID • A default action, either drop or forward.
The following displays the command usage to create an exclusive IP filter policy:
Example: config>filter# ip-filter 11 create
config>filter# description "filter-main"
config>filter# scope exclusive
The following example displays the exclusive filter policy configuration:
A:ALA-7>config>filter# info
---------------------------------------------
...
    ip-filter 11 create
        description "filter-main"
        scope exclusive
    exit
...
IP Filter Entry
Within a filter policy, configure filter entries which contain criteria against which ingress, egress, or network traffic is matched. The action specified in the entry determines how the packets are handled, either dropped or forwarded.
• Enter a filter entry ID. The system does not dynamically assign a value.
• Assign an action, either drop or forward.
• Specify matching criteria.
Filter Policies Configuring the HTTP-Redirect Option If http-redirect is specified as an action, a corresponding forward entry must be specified before the redirect.
    exit
    entry 30 create
        match protocol tcp
            dst-ip 10.10.10.91/24
            dst-port eq 80
        exit
        action http-redirect "http://100.0.0.2/login.
Filter Sampling
Within a filter entry, you can specify that traffic matching the associated IP filter entry is sampled if the IP interface is set to cflowd ip-filter mode. Enabling filter-sample enables the cflowd tool.
IP Entry Matching Criteria
Use the following CLI syntax to configure IP filter matching criteria:
CLI Syntax: config>filter>ip-filter>entry# match
    dscp dscp-name
    dst-ip {ip-address/mask|ip-address netmask}
    dst-port {{lt|gt|eq} dst-port-number} | {range start end}
    fragment {true|false}
    icmp-code icmp-code
    icmp-type icmp-type
    ip-option ip-option-value [ip-option-mask]
    multiple-option {true|false}
    option-present {true|false}
    src-ip {ip-address/mask|ip-address netmask}
    src-port {{lt|
Filter Policies Creating an IPv6 Filter Policy Configuring and applying IPv6 filter policies is optional. Each filter policy must have the following: • The IPv6 filter type specified • An IPv6 filter policy ID • A default action, either drop or forward.
IPv6 Filter Entry
Within an IPv6 filter policy, configure filter entries which contain criteria against which ingress, egress, or network traffic is matched. The action specified in the entry determines how the packets are handled, either dropped or forwarded.
• Enter an IPv6 filter entry ID. The system does not dynamically assign a value.
• Assign an action, either drop or forward.
• Specify matching criteria.
Filter Policies The following example displays the IPv6 filter entry configuration.
Common Configuration Tasks Creating a MAC Filter Policy Configuring and applying filter policies is optional. Each filter policy must have the following: • The filter type specified (MAC). • A filter policy ID. • A default action, either drop or forward. • Template scope, either exclusive or template. • At least one filter entry. • Matching criteria specified.
MAC Filter Entry
Within a filter policy, configure filter entries which contain criteria against which ingress, egress, or network traffic is matched. The action specified in the entry determines how the packets are handled, either dropped or forwarded.
• Enter a filter entry ID. The system does not dynamically assign a value.
• Assign an action, either drop or forward.
• Specify matching criteria.
MAC Entry Matching Criteria
Use the following CLI syntax to configure MAC filter matching criteria:
CLI Syntax: config>filter>mac-filter># entry entry-id
    match [frame-type {802dot3|802dot2-llc|802dot2-snap|ethernet_II}]
        dot1p dot1p-value [dot1p-mask]
        dsap dsap-value [dsap-mask]
        dst-mac ieee-address [ieee-address-mask]
        etype 0x0600..
Creating Filter Log Policies
Use the following CLI syntax to configure filter log policy:
CLI Syntax: config>filter>log log-id
    description description-string
    destination memory num-entries
    destination syslog syslog-id
    no shutdown
    summary
        no shutdown
        summary-crit dst-addr
        summary-crit src-addr
    wrap-around
The following displays the command usage to configure a filter log policy.
Applying Filter Policies
Filter policies can be associated with the following entities:
Table 19: Applying Filter Policies
IP Filter | MAC Filter | IPv6 Filter
Epipe SAP, spoke SDP | Epipe SAP, spoke SDP | N/A
Fpipe SAP, spoke SDP | N/A | N/A
IES interface SAP | N/A | IES interface SAP
Ipipe SAP, spoke SDP | N/A | N/A
VPLS mesh SDP, spoke SDP, SAP | VPLS mesh SDP, spoke SDP, SAP | N/A
VPRN interface SAP, spoke SDP | N/A | N/A

Apply IP and MAC Filter Policies
The following example shows
config>service>epipe# spoke-sdp 8:8 create
config>service>epipe>spoke-sdp$ egress
config>service>epipe>spoke-sdp>egress$ filter mac 91
config>service>epipe>spoke-sdp>egress$ exit
config>service>epipe>spoke-sdp# ingress
config>service>epipe>spoke-sdp>ingress# filter ip 10
config>service>epipe>spoke-sdp>ingress# exit
config>service>epipe>spoke-sdp# exit
The following output displays the IP and MAC filters assigned to the ingress and egress SAP and spoke SDP:
A:ALA-48>config>service>epipe# in
Apply an IPv6 Filter Policy to an IES SAP
Use the following CLI syntax to apply an IPv6 filter policy to an ingress or egress SAP:
CLI Syntax: config>service# ies service-id
    interface interface-name
        sap sap-id
            ingress
                filter ipv6 ipv6-filter-id
            egress
                filter ipv6 ipv6-filter-id
The following displays the command usage to assign IPv6 filters to an IES service interface:
Example: config>service# ies 104
config>service# ies 104
config>service>ies# interface "testA"
config>service>
Filter Policies Apply Filter Policies to Network Port IP filter policies can be applied to network IP interfaces. MAC filters cannot be applied to network IP interfaces or to routable IES services. IPv6 filter policies can be applied to network IP interfaces in the IPv6 context within the interface configuration. Filter policies must be created prior to the service creation.
Apply an IPv6 Interface
Use the following CLI syntax to apply an IPv6 filter policy to a network IP interface:
CLI Syntax: config>router# interface ip-int-name
    egress
        filter ipv6 ipv6-filter-id
    ingress
        filter ipv6 ipv6-filter-id
Example: config>router# interface ipv6-test
config>router>if# ingress filter ipv6 1
config>router>if# egress filter ipv6 1
config>router>if# ingress filter ip 2
config>router>if# egress filter ip 2
A:config>router>if# info
------------------------------
Creating a Redirect Policy

Configuring and applying redirect policies is optional.
The following displays the command usage to create a redirect policy:

Example:
    config>filter# redirect-policy redirect1
    config>filter>redirect-policy# destination 10.10.10.
            exit
            no shutdown
        exit
        destination 10.10.10.106 create
            priority 90
            url-test "URL_to_106"
                url "http://aww.alcatel.com/ipd/"
                interval 60
                return-code 2323 4567 raise-priority 96
            exit
            no shutdown
        exit
    ...
Configuring Policy-Based Forwarding for Deep Packet Inspection in VPLS

The purpose of policy-based forwarding is to capture traffic from a customer, perform a deep packet inspection (DPI) on it, and forward the traffic if the DPI allows it. In the following example, split horizon groups are used to prevent flooding of traffic. Traffic from customers enters at SAP 1/1/5:5.
Configuring the VPLS service:

Example:
    config>service# vpls 10 customer 1 create
    config>service>vpls$ service-mtu 1400
    config>service>vpls$ split-horizon-group "dpi" residential-group create
    config>service>vpls>split-horizon-group$ exit
    config>service>vpls# split-horizon-group split create
    config>service>vpls>split-horizon-group# exit
    config>service>vpls# sap 1/1/21:1 split-horizon-group split create
    config>service>vpls>sap$ disable-learning
    config>service>vpls>sap$ static-mac 00:00:00:31:1
Configuring the MAC filter policy:

Example:
    config>filter# mac-filter 100 create
    config>filter>mac-filter$ default-action forward
    config>filter>mac-filter$ entry 10 create
    config>filter>mac-filter>entry$ match
    config>filter>mac-filter>entry>match$ dot1p 07
    config>filter>mac-filter>entry>match$ exit
    config>filter>mac-filter>entry# log 101
    config>filter>mac-filter>entry# action forward sap 1/1/22:1
    config>filter>mac-filter>entry# exit
    config>filter>mac-filter# exit

The following e
Adding the MAC filter to the VPLS service:

Example:
    config>service#
    config>service# vpls 10
    config>service>vpls# sap 1/1/5:5 split-horizon-group "split" create
    config>service>vpls>sap$ ingress
    config>service>vpls>sap>ingress$ filter mac 100
    config>service>vpls>sap>ingress$ exit
    config>service>vpls>sap# static-mac 00:00:00:31:15:05 create
    config>service>vpls>sap# exit
    config>service>vpls# spoke-sdp 3:5 create
    config>service>vpls>spoke-sdp$ exit
    config>service>vpls# no shutdown

The following
Filter Management Tasks

This section discusses the following filter policy management tasks:

• Renumbering Filter Policy Entries on page 336
• Modifying an IP Filter Policy on page 338
• Modifying a MAC Filter Policy on page 341
• Deleting a Filter Policy on page 342
• Modifying an IPv6 Filter Policy on page 340
• Copying Filter Policies on page 349

Renumbering Filter Policy Entri
The following displays the original filter entry order on the left side and the reordered filter entries on the right side:

    A:ALA-7>config>filter# info
    ---------------------------------------------
    ...
        ip-filter 11 create
            description "filter-main"
            scope exclusive
            entry 10 create
                description "no-91"
                filter-sample
                interface-disable-sample
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.10.10.103/24
                exit
                action forward redirect-policy redirect1
            exit
            entry 20 create
                match
                    dst-ip 10.10.10.91/24
                    src-ip 10.
Modifying an IP Filter Policy

To access a specific IP filter, you must specify the filter ID. Use the no form of the command to remove the command parameters or return the parameter to the default setting.

Example:
    config>filter>ip-filter# description "New IP filter info"
    config>filter>ip-filter# entry 2 create
    config>filter>ip-filter>entry$ description "new entry"
    config>filter>ip-filter>entry# action drop
    config>filter>ip-filter>entry# match dst-ip 10.10.10.
    exit
    ..
Modifying an IPv6 Filter Policy

To access a specific IPv6 filter, you must specify the filter ID. Use the no form of the command to remove the command parameters or return the parameter to the default setting.
Modifying a MAC Filter Policy

To access a specific MAC filter, you must specify the filter ID. Use the no form of the command to remove the command parameters or return the parameter to the default setting.
Deleting a Filter Policy

Before you can delete a filter, you must remove the filter association from the applied ingress and egress SAPs and network interfaces.
From a Network Interface

To delete a filter from a network interface, enter the following CLI commands:

CLI Syntax: config>router# interface ip-int-name
                ingress
                    no filter

Example:
    config>router# interface 11
    config>router>if# shutdown
    config>router>if# exit
    config>router# no interface 11

IP and IPv6 filters can be assigned and deleted together or separately.
CLI Syntax: config>router>if# egress no filter ip 2

    A:ALA-49>config>router>if# info
    ---------------------------------------------
        port 1/1/1
        ipv6
            address 3FFE::101:101/120
        exit
        egress
            filter ipv6 1
        exit
    ---------------------------------------------
    A:ALA-49>config>router>if#

CLI Syntax: config>router>if# ingress filter ip 2
            config>router>if# ingress filter ipv6 1

    A:ALA-49>config>router>if# info
    ---------------------------------------------
        port 1/1/1
        ipv6
            address 3FFE::101:101/120
        exi
CLI Syntax: config>router>if# ingress no filter

    A:ALA-49>config>router>if#
    ---------------------------------------------
        port 1/1/1
        ipv6
            address 3FFE::101:101/120
        exit
        egress
            filter ipv6 1
        exit
    ---------------------------------------------
    A:ALA-49>config>router>if#

CLI Syntax: config>router>if# egress no filter

    A:ALA-49>config>router>if#
    ---------------------------------------------
        port 1/1/1
        ipv6
            address 3FFE::101:101/120
        exit
    ---------------------------------------------
    A:ALA-49>config>ro
From the Filter Configuration

After you have removed the filter from the SAP, use the following CLI syntax to delete the filter.
Modifying a Redirect Policy

To access a specific redirect policy, you must specify the policy name. Use the no form of the command to remove the command parameters or return the parameter to the default setting.

Example:
    config>filter# redirect-policy redirect1
    config>filter>redirect-policy# description "New redirect info"
    config>filter>redirect-policy# destination 10.10.10.
Deleting a Redirect Policy

Before you can delete a redirect policy from the filter configuration, you must remove the policy association from the IP filter. The following example shows the command usage to replace the configured redirect policy (redirect1) with a different redirect policy (redirect2) and then remove the redirect1 policy from the filter configuration.
Copying Filter Policies

When changes are made to an existing filter policy, they are applied immediately to all services where the policy is applied. If numerous changes are required, the policy can be copied so you can edit the “work in progress” version without affecting the filtering process. When the changes are completed, you can overwrite the work in progress version with the original version.
Filter Command Reference

Command Hierarchies

• Log Commands on page 351
• IP Filter Policy Commands on page 351
• IPv6 Filter Policy Commands on page 353
• MAC Filter Policy Commands on page 353
• Redirect Policy Configuration Commands on page 355
• Generic Filter Commands on page 356
• Show Commands on page 356
• Clear Commands on page 356
• Monitor Commands on page 356

Configuration Commands

Log Commands

config
    — filter
        — log log-id [create]
        — no log log-id
            — description description-stri
— action [drop]
— action forward [next-hop {ip-address | indirect ip-address | interface ip-int-name}]
— action forward [redirect-policy policy-name]
— action forward [sap sap-id | sdp sdp-id]
— action http-redirect url
— no action
— description description-string
— no description
— [no] filter-sample
— [no] interface-disable-sample
— log log-id
— no log
— match [protocol protocol-id]
— no match
    — dscp dscp-name
    — no dscp
    — dst-ip {ip-address/mask | ip-address netmask}
    — no dst-ip
    —
IPv6 Filter Policy Commands

config
    — filter
        — ipv6-filter ipv6-filter-id [create]
            — default-action {drop | forward}
            — description description-string
            — no description
            — entry entry-id [time-range time-range-name]
            — no entry entry-id
                — action {drop | forward}
                — no action
                — description description-string
                — no description
                — log log-id
                — no log
                — match [next-header next-header]
                — no match
                    — dscp dscp-name
                    — no dscp
                    — dst-ip [ipv6-address/prefix-length]
                    — no dst-ip
                    — dst-port {lt | gt | eq} dst-p
— default-action {drop | forward}
— renum old-entry-id new-entry-id
— scope {exclusive | template}
— no scope
— entry entry-id [time-range time-range-name]
— no entry entry-id [create]
    — description description-string
    — no description
    — action [drop]
    — action forward [sap sap-id |sdp sdp-id]
    — action http-redirect url
    — no action
    — log log-id
    — no log
    — match [frame-type {802dot3 | 802dot2-llc | 802dot2-snap | ethernet_II}]
    — no match
        — dot1p dot1p-value [dot1p-mask]
        — no
Redirect Policy Configuration Commands

— redirect-policy redirect-policy-name [create]
— no redirect-policy redirect-policy-name
    — description description-string
    — no description
    — [no] shutdown
    — destination ip-address [create]
    — no destination ip-address
        — description description-string
        — no description
        — priority [priority]
        — no priority
        — [no] shutdown
        — [no] ping-test
            — drop-count consecutive-failures [hold-down seconds]
            — no drop-count
            — interval seconds
            — n
Generic Filter Commands

config
    — filter
        — copy ip-filter | ipv6-filter | mac-filter src-filter-id [src-entry src-entry-id] to dst-filter-id [dst-entry dst-entry-id] [overwrite]

Show Commands

show
    — filter
        — anti-spoof [sap-id]
        — download-failed
        — ip [ip-filter-id [entry entry-id] [association | counters | subscriber]
        — ipv6 [ipv6-filter-id [entry entry-id] [association | counters]]
        — log [bindings]
        — log log-id [match string]
        — mac {mac-filter-id [entry entry-id] [association |
Configuration Commands

Generic Commands

description

Syntax       description string
             no description
Context      config>filter>ip-filter
             config>filter>ip-filter>entry
             config>filter>ipv6-filter
             config>filter>log
             config>filter>mac-filter
             config>filter>mac-filter>entry
             config>filter>redirect-policy
             config>filter>redirect-policy>destination
Description  This command creates a text description stored in the configuration file for a configuration context.
Global Filter Commands

ip-filter

Syntax       [no] ip-filter filter-id [create]
Context      config>filter
Description  This command creates a configuration context for an IP filter policy. IP-filter policies specify either a forward or a drop action for packets based on the specified match criteria. The IP filter policy, sometimes referred to as an access control list (ACL), is a template that can be applied to multiple services or multiple network ports as long as the scope of the policy is template.
Context      config>filter
Description  This command enables the context for a MAC filter policy. The mac-filter policy specifies either a forward or a drop action for packets based on the specified match criteria. The mac-filter policy, sometimes referred to as an access control list, is a template that can be applied to multiple services as long as the scope of the policy is template. Note it is not possible to apply a MAC filter policy to a network port or an IES service.
Filter Log Destination Commands

destination

Syntax       destination memory num-entries
             destination syslog syslog-id
             no destination
Context      config>filter>log
Description  This command configures the destination for filter log entries for the filter log ID. Filter logs can be sent to either memory (memory) or to an existing Syslog server definition (server). If the filter log destination is memory, the maximum number of entries in the log must be specified.
shutdown

Syntax       [no] shutdown
Context      config>filter>log
             config>filter>log>summary
             config>filter>redirect-policy
             config>filter>redirect-policy>destination
Description  Administratively enables or disables (AdminUp/AdminDown) an entity. Downing an entity does not change, reset or remove any configuration settings or statistics. Many objects must be shut down before they may be deleted. The shutdown command administratively downs an entity.
Parameters   dst-addr — Specifies that received log packets are summarized based on the destination IP, IPv6 or MAC address.
             src-addr — Specifies that received log packets are summarized based on the source IP, IPv6 or MAC address.

wrap-around

Syntax       [no] wrap-around
Context      config>filter>log
Description  This command configures a memory filter log to log until full or to store the most recent log entries (circular buffer).
Filter Policy Commands

default-action

Syntax       default-action {drop | forward}
Context      config>filter>ip-filter
             config>filter>ipv6-filter
             config>filter>mac-filter
Description  This command specifies the action to be applied to packets when the packets do not match the specified criteria in all of the IP filter entries of the filter. When multiple default-action commands are entered, the last command will overwrite the previous command.
General Filter Entry Commands

entry

Syntax       entry entry-id [time-range time-range-name]
             no entry entry-id
Context      config>filter>ip-filter
             config>filter>ipv6-filter
             config>filter>mac-filter
Description  This command creates or edits an IP, IPv6, or MAC filter entry. Multiple entries can be created using unique entry-id numbers within the filter. The 7750 SR OS implementation exits the filter on the first match found and executes the actions in accordance with the accompanying action command.
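The first-match behaviour described for entry, together with default-action, renum and the rule that an entry without an action is inactive, can be modelled as below. This is an added example, not Alcatel-Lucent code: the Entry and Filter classes, the packet dictionaries and the sample addresses are constructed for illustration, and entries are assumed to be evaluated in ascending entry-id order.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple


@dataclass
class Entry:
    """One filter entry; a criterion left as None is not checked."""
    entry_id: int
    action: Optional[str] = None                # "drop" or "forward"; None = no action command
    src_ip: Optional[str] = None                # prefix such as "10.10.10.103/24"
    dst_ip: Optional[str] = None
    protocol: Optional[int] = None              # IP protocol ID (6 = tcp, 17 = udp)
    dst_port: Optional[Tuple[str, int]] = None  # (lt | gt | eq, port number)
    fragment: Optional[bool] = None             # True = fragments, False = non-fragments

    def matches(self, pkt: dict) -> bool:
        """All configured criteria must hold for the entry to match."""
        # strict=False accepts prefixes written with host bits set, as in the
        # guide's "dst-ip 10.10.10.91/24" example.
        if self.src_ip and ip_address(pkt["src"]) not in ip_network(self.src_ip, strict=False):
            return False
        if self.dst_ip and ip_address(pkt["dst"]) not in ip_network(self.dst_ip, strict=False):
            return False
        if self.protocol is not None and pkt.get("proto") != self.protocol:
            return False
        if self.dst_port is not None:
            op, port = self.dst_port
            dport = pkt.get("dport")
            # Modelling choice: a packet without an L4 port cannot satisfy a port criterion.
            if dport is None:
                return False
            if not {"lt": dport < port, "gt": dport > port, "eq": dport == port}[op]:
                return False
        if self.fragment is not None:
            # A fragment has the MF bit set OR a non-zero Fragment Offset.
            is_fragment = bool(pkt.get("mf")) or pkt.get("frag_offset", 0) != 0
            if is_fragment != self.fragment:
                return False
        return True


@dataclass
class Filter:
    default_action: str                         # applied when no active entry matches
    entries: Dict[int, Entry] = field(default_factory=dict)

    def add(self, entry: Entry) -> None:
        self.entries[entry.entry_id] = entry

    def renum(self, old_id: int, new_id: int) -> None:
        """Move an entry to a new entry-id, which changes its evaluation position."""
        if new_id in self.entries:
            raise ValueError(f"entry {new_id} already exists")
        entry = self.entries.pop(old_id)
        entry.entry_id = new_id
        self.entries[new_id] = entry

    def evaluate(self, pkt: dict) -> Tuple[str, Optional[int]]:
        """Return (action, matching entry-id); entry-id is None for default-action."""
        for entry_id in sorted(self.entries):
            entry = self.entries[entry_id]
            if entry.action is None:            # incomplete entry: inactive, skipped
                continue
            if entry.matches(pkt):
                return entry.action, entry_id   # exit the filter on the first match
        return self.default_action, None


def build_sample_filter() -> Filter:
    """Constructed policy: a broad forward sits in front of a narrow drop."""
    f = Filter(default_action="forward")
    f.add(Entry(10, action="forward", src_ip="10.10.10.103/24"))
    f.add(Entry(20, action="drop", src_ip="10.10.10.103/32", protocol=6, dst_port=("eq", 23)))
    f.add(Entry(30, src_ip="192.0.2.0/24"))     # no action configured
    f.add(Entry(40, action="drop", fragment=True))
    return f


# Constructed sample packets.
TELNET = {"src": "10.10.10.103", "dst": "10.10.10.91", "proto": 6, "dport": 23}
OTHER = {"src": "192.0.2.7", "dst": "10.10.10.91", "proto": 17, "dport": 53}
FIRST_FRAGMENT = {"src": "192.0.2.7", "dst": "10.10.10.91", "proto": 17, "dport": 53,
                  "mf": True, "frag_offset": 0}
LAST_FRAGMENT = {"src": "192.0.2.7", "dst": "10.10.10.91", "proto": 17,
                 "mf": False, "frag_offset": 185}

if __name__ == "__main__":
    flt = build_sample_filter()
    print("before renum:", flt.evaluate(TELNET))
    flt.renum(20, 5)
    print("after renum: ", flt.evaluate(TELNET))
```

In the sample policy the narrow drop in entry 20 never takes effect until it is renumbered ahead of the broad forward in entry 10, which is the ordering mistake to look for when reviewing a filter.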
The filter log ID must exist before a filter entry can be enabled to use the filter log ID. The no form of the command disables logging for the filter entry.

Default      no log — no destination filter log ID specified
Parameters   log-id — The filter log ID destination expressed as a decimal integer.
IP Filter Entry Commands

action

Syntax       action [drop]
             action forward [next-hop {ip-address | indirect ip-address | interface ip-int-name}]
             action forward [redirect-policy policy-name]
             action forward [sap sap-id | sdp sdp-id]
             action http-redirect url
             no action
Context      config>filter>ip-filter>entry
Description  This command specifies to match packets with a specific IP option or a range of IP options in the first option of the IP header as an IP filter match criterion.
frame         [port-id | bundle-id]:dlci
cisco-hdlc    slot/mda/port.channel
ima-grp       bundle-id[:vpi/vci | vpi | vpi1.vpi2]
port-id       slot/mda/port[.channel]
aps-id        aps-group-id[.channel]
                  aps          keyword
                  group-id     1 — 16
bundle-type-slot/mda.bundle-num
                  bundle       keyword
                  type         ima, ppp
                  bundle-num   1 — 128
ccag-id       ccag-id.path-id[cc-type]:cc-id
                  ccag         keyword
                  id           1—8
                  path-id      a, b
                  cc-type      .sap-net, .
qtag1, qtag2 — Specifies the encapsulation value used to identify the SAP on the port or sub-port. If this parameter is not specifically defined, the default value is 0.
    Values   qtag1: 0 — 4094
             qtag2: * | 0 — 4094
sdp-id — The SDP identifier.
    Values   1 — 17407
vc-id — The virtual circuit identifier. This value is used to validate the VC ID portion of each mesh SDP binding defined in the service. The default value of this object is equal to the service ID.
Default      no filter-sample

interface-disable-sample

Syntax       [no] interface-disable-sample
Context      config>filter>ip-filter>entry
Description  Specifies that traffic matching the associated IP filter entry is not sampled if the IP interface is set to cflowd interface mode. If the cflowd is either not enabled or set to cflowd acl mode, this command is ignored. The no form of this command enables sampling.
Protocol     Protocol ID   Description
igmp         2             Internet Group Management
ip           4             IP in IP (encapsulation)
tcp          6             Transmission Control
egp          8             Exterior Gateway Protocol
igp          9             any private interior gateway (used by Cisco for their IGRP)
udp          17            User Datagram
rdp          27            Reliable Data Protocol
ipv6         41            IPv6
ipv6-route   43            Routing Header for IPv6
ipv6-frag    44            Fragment Header for IPv6
idrp         45            Inter-Domain Routing Protocol
rsvp         46            Reservation Protocol
gre          47            General Routing Encapsulat
Protocol     Protocol ID   Description
crudp        127           Combat Radio User Datagram

match

Syntax       match [next-header next-header]
             no match
Context      config>filter>ipv6-filter>entry
Description  This command enables the context to enter match criteria for the filter entry. When the match criteria have been satisfied the action associated with the match criteria is executed.
MAC Filter Entry Commands

action

Syntax       action [drop]
             action forward [sap sap-id |sdp sdp-id]
             action http-redirect url
             no action
Context      config>filter>mac-filter>entry
Description  This command configures no action, drop or forward for a MAC filter entry. The action keyword must be entered for the entry to be active. Any filter entry without the action keyword will be considered incomplete and will be inactive.
                  id           1—8
                  path-id      a, b
                  cc-type      .sap-net, .net-sap]
                  cc-id        0 — 4094
lag-id        lag-id
                  lag          keyword
                  id           1 — 200
qtag1         0 — 4094
qtag2         *, 0 — 4094
vpi           NNI 0 — 4095
              UNI 0 — 255
vci           1, 2, 5 — 65535
dlci          16 — 1022

port-id — Specifies the physical port ID in the slot/mda/port format. If the card in the slot has Media Dependent Adapters (MDAs) installed, the port-id must be in the slot_number/MDA_number/port_number format. For example 1/1/3 specifies the port 3 on MDA 1 in slot 1.
http-redirect url — Specifies the HTTP web address that will be sent to the user’s browser.
    Values   255 characters maximum

match

Syntax       match [frame-type 802dot3 | 802dot2-llc | 802dot2-snap | ethernet_II]
             no match
Context      config>filter>mac-filter>entry
Description  This command creates the context for entering/editing match criteria for the filter entry and specifies an Ethernet frame type for the entry. When the match criteria have been satisfied the action associated with the match criteria is executed.
IP Filter Match Criteria

dscp

Syntax       dscp dscp-name
             no dscp
Context      config>filter>ip-filter>entry>match
             config>filter>ipv6-filter>entry>match
Description  This command configures a DiffServ Code Point (DSCP) name to be used as an IP filter match criterion. The no form of the command removes the DSCP match criterion.
Default      no dscp — no dscp match criterion
Parameters   dscp-name — Configure a dscp name that has been previously mapped to a value using the dscpname command.
Syntax       dst-ip [ipv6-address/prefix-length]
             no dst-ip
Context      config>filter>ipv6-filter>entry>match
Description  This command matches a destination IPv6 address. To match on the destination IPv6 address, specify the address and prefix length, for example, 11::12/128. The no form of the command removes the destination IP address match criterion.
Default      No destination IP match criterion
Parameters   ipv6-prefix — The IPv6 prefix for the IP match criterion in dotted decimal notation.
fragment

Syntax       fragment {true | false}
             no fragment
Context      config>filter>ip-filter>entry>match
Description  Configures fragmented or non-fragmented IP packets as an IP filter match criterion. The no form of the command removes the match criterion.
Default      false
Parameters   true — Configures a match on all fragmented IP packets. A match will occur for all packets that have either the MF (more fragment) bit set OR have the Fragment Offset field of the IP header set to a non-zero value.
The no form of the command removes the criterion from the match entry.

Default      no icmp-type — no match criterion for the ICMP type
Parameters   icmp-type — The ICMP type values that must be present to match.
multiple-option

Syntax       multiple-option {true | false}
             no multiple-option
Context      config>filter>ip-filter>entry>match
Description  This command configures matching packets that contain one or more than one option fields in the IP header as an IP filter match criterion. The no form of the command removes the checking of the number of option fields in the IP header as a match criterion.
Default      no src-ip — no source IP match criterion
Parameters   ip-address — The IP prefix for the IP match criterion in dotted decimal notation.
                 Values   0.0.0.0 — 255.255.255.255
             mask — The subnet mask length expressed as a decimal integer.
                 Values   0 — 32
             netmask — Any mask expressed in dotted quad notation.
                 Values   0.0.0.0 — 255.255.255.
Parameters   lt | gt | eq — Specifies the operator to use relative to src-port-number for specifying the port number match criteria.
                 lt specifies all port numbers less than src-port-number match.
                 gt specifies all port numbers greater than src-port-number match.
                 eq specifies that src-port-number must be an exact match.
             src-port-number — The source port number to be used as a match criteria expressed as a decimal integer.
Default Description No match criterion for the SYN bit no tcp-syn Use the no form of this command to remove this as a criterion from the match entry. Default Parameters none true — Specifies matching on IP packets that have the SYN bit set in the control bits of the TCP header. false — Specifies matching on IP packets that do not have the SYN bit set in the control bits of the TCP header.
MAC Filter Match Criteria

dot1p

Syntax       dot1p p-value [mask]
             no dot1p
Context      config>filter>mac-filter>entry
Description  Configures an IEEE 802.1p value or range to be used as a MAC filter match criterion. When a frame is missing the 802.1p bits, specifying a dot1p match criterion will fail for the frame and result in a non-match for the MAC filter entry. The no form of the command removes the criterion from the match entry.
Description  Configures an Ethernet 802.2 LLC DSAP value or range for a MAC filter match criterion. This is a one-byte field that is part of the 802.2 LLC header of the IEEE 802.3 Ethernet Frame. The snap-pid field, etype field, ssap and dsap fields are mutually exclusive and may not be part of the same match criteria. “MAC Match Criteria Exclusivity Rules” on page 294 describes fields that are exclusive based on the frame format.
This 48-bit mask can be configured using the following formats:

Format Style   Format Syntax     Example
Decimal        DDDDDDDDDDDDDD    281474959933440
Hexadecimal    0xHHHHHHHHHHHH    0xFFFFFF000000
Binary         0bBBBBBBB...B     0b11110000...
The no form of the command removes the criterion from the match criteria.

Default      none
Parameters   zero — Specifies to match packets with the three-byte OUI field in the SNAP-ID set to zero.
             non-zero — Specifies to match packets with the three-byte OUI field in the SNAP-ID not set to zero.

snap-pid

Syntax       snap-pid pid-value
             no snap-pid
Context      config>filter>mac-filter>entry
Description  Configures an IEEE 802.3 LLC SNAP Ethernet Frame PID value to be used as a MAC filter match criterion.
ieee-address-mask — This 48-bit mask can be configured using:

Format Style   Format Syntax     Example
Decimal        DDDDDDDDDDDDDD    281474959933440
Hexadecimal    0xHHHHHHHHHHHH    0x0FFFFF000000
Binary         0bBBBBBBB...B     0b11110000...
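The three mask notations in the format tables above are easy to misread when reviewing a MAC filter, so the sketch below normalises them and shows which address bits a mask actually compares. It is an added example, not Alcatel-Lucent code: the function names and MAC addresses are constructed, and it assumes that a mask bit set to 1 means the corresponding address bit is compared.

```python
import re

MAC_BITS = 48
MAC_MAX = (1 << MAC_BITS) - 1


def parse_mask(text: str) -> int:
    """Parse a 48-bit mask written in decimal, 0x-hexadecimal or 0b-binary form."""
    t = text.strip()
    if re.fullmatch(r"0[xX][0-9a-fA-F]{1,12}", t):
        return int(t[2:], 16)
    if re.fullmatch(r"0[bB][01]{1,48}", t):
        return int(t[2:], 2)
    if re.fullmatch(r"[0-9]{1,15}", t):
        value = int(t)
        if value <= MAC_MAX:
            return value
    raise ValueError(f"not a 48-bit mask: {text!r}")


def parse_mac(text: str) -> int:
    """Parse a MAC address written with ':' or '-' separators."""
    digits = re.sub(r"[:\-]", "", text.strip())
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return int(digits, 16)


def mac_matches(frame_mac: str, rule_mac: str, mask: str) -> bool:
    """Compare only the bits selected by the mask (assumed semantics: 1 = compare)."""
    m = parse_mask(mask)
    return (parse_mac(frame_mac) & m) == (parse_mac(rule_mac) & m)


def audit_mask(mask: str) -> dict:
    """Summarise a mask for review: canonical hex form and how selective it is."""
    m = parse_mask(mask)
    wildcard = ~m & MAC_MAX
    return {
        "hex": f"0x{m:012x}",
        "compared_bits": bin(m).count("1"),
        # True when the compared bits form one leading run (an OUI-style prefix).
        "contiguous_prefix": (wildcard & (wildcard + 1)) == 0,
        # A zero mask compares nothing, so the criterion matches every frame.
        "matches_everything": m == 0,
    }


if __name__ == "__main__":
    for sample in ("281474959933440", "0xFFFFFF000000", "0x0FFFFF000000", "0"):
        print(sample, audit_mask(sample))
```

The audit output makes a leading zero nibble visible: 0x0FFFFF000000 compares 20 bits rather than 24, so addresses that differ only in the top four bits still match.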
Policy and Entry Maintenance Commands

copy

Syntax       copy {ip-filter | ipv6-filter | mac-filter} source-filter-id dest-filter-id dest-filter-id [overwrite]
Context      config>filter
Description  Copies existing filter list entries for a specific filter ID to another filter ID. The copy command is a configuration level maintenance tool used to create new filters using existing filters. It also allows bulk modifications to an existing policy with the use of the overwrite keyword.
Parameters   old-entry-id — Enter the entry number of an existing entry.
                 Values   1 — 65535
             new-entry-id — Enter the new entry-number to be assigned to the old entry.
Redirect Policy Commands

destination

Syntax       [no] destination ip-address
Context      config>filter>redirect-policy
Description  This command defines a cache server destination in a redirect policy. More than one destination can be configured. Whether a destination IP address will receive redirected packets depends on the effective priority value after evaluation.
Default      none
Parameters   ip-address — Specifies the IP address to send the redirected traffic.
hold-down seconds — The amount of time, in seconds, that the system should be held down if any of the tests has marked it unreachable.
    Values   0 — 86400

interval

Syntax       interval seconds
             no interval
Context      config>filter>destination>ping-test
             config>filter>destination>snmp-test
             config>filter>destination>url-test
Description  This command specifies the amount of time, in seconds, between consecutive requests sent to the far end host.
Description  Redirect policies can contain multiple destinations. Each destination is assigned an initial or base priority which describes its relative importance within the policy. If more than one destination is specified, the destination with the highest effective priority value is selected.
Default      100
Parameters   priority — The priority, expressed as a decimal integer, used to weigh the destination’s relative importance within the policy.
within the specified range, the priority can be disabled, lowered or raised.

Default      none
Parameters   return-value — Specifies the SNMP value against which the test result is matched.
                 Values   A maximum of 256 characters
             return-type — Specifies the SNMP object type against which the test result is matched.
Parameters   return-code-1, return-code-2 — Specifies a range of return codes. When the URL test return-code falls within the specified range, the corresponding action is performed.
                 Values   return-code-1: 1 — 4294967294
                          return-code-2: 2 — 4294967295
             disable — Specifies that the destination may not be used for the amount of time specified in the hold-time command when the return code falls within the specified range.
Show Commands

anti-spoof

Syntax       anti-spoof [sap-id]
Context      show>filter
Description  Displays anti-spoofing filter information.
Parameters   sap-id — When the sap-id is specified, it specifies the physical port identifier portion of the SAP definition. If not specified, all anti-spoof filters in the system are displayed. The sap-id can be configured in one of the following formats:

Type    Syntax                                     Example
null    [port-id | bundle-id | lag-id | aps-id]    port-id: 6/2/3
                                                   bundle-id: bundle-5/1.
Values
null          [port-id | bundle-id | lag-id | aps-id]
dot1q         [port-id | bundle-id | lag-id | aps-id]:qtag1
qinq          [port-id | bundle-id | lag-id]:qtag1.qtag2
atm           [port-id | aps-id][:vpi/vci|vpi|vpi1.vpi2]
frame         [port-id | aps-id]:dlci
cisco-hdlc    slot/mda/port.channel
ima-grp       [bundle-id[:vpi/vci|vpi|vpi1.vpi2]
port-id       slot/mda/port[.channel]
aps-id        aps-group-id[.channel]
                  aps          keyword
                  group-id     1 — 64
bundle-type-slot/mda
The values depend on the encapsulation type configured for the interface. The following table describes the allowed values for the port and encapsulation types.

Port Type   Encap-Type   Allowed Values   Comments
Ethernet    Null         0                The SAP is identified by the port.
Ethernet    Dot1q        0 — 4094         The SAP is identified by the 802.1Q tag on the port. Note that a 0 qtag1 value also accepts untagged packets on the dot1q port.
download-failed

Syntax       download-failed
Context      show>filter
Description  This command shows all filter entries for which the download has failed.
Output       download-failed Output — The following table describes the filter download-failed output.

Label          Description
Filter-type    Displays the filter type.
Filter-ID      Displays the ID of the filter.
Filter-Entry   Displays the entry number of the filter.
Output       Show Filter (no filter-id specified) — The following table describes the command output for the command when no filter ID is specified.

Label          Description
Filter Id      The IP filter ID
Scope          Template — The filter policy is of type template.
               Exclusive — The filter policy is of type exclusive.
Applied        No — The filter policy ID has not been applied.
               Yes — The filter policy ID is applied.
Description    The IP filter policy description.
Label                   Description (Continued)
Def. Action             Forward — The default action for the filter ID for packets that do not match the filter entries is to forward.
                        Drop — The default action for the filter ID for packets that do not match the filter entries is to drop.
Filter Match Criteria   IP — Indicates the filter is an IP filter policy.
Entry                   The filter ID filter entry ID.
Label            Description (Continued)
Ing. Matches     The number of ingress filter matches/hits for the filter entry.
Src. Port        The source TCP or UDP port number or port range.
Dest. Port       The destination TCP or UDP port number or port range.
Dscp             The DiffServ Code Point (DSCP) name.
ICMP Code        The ICMP code field in the ICMP header of an IP packet.
Option-present   Off — Specifies not to search for packets that contain the option field or have an option field of zero.
Output       Show Filter (with time-range specified) — If a time-range is specified for a filter entry, it is displayed.

    A:ALA-49# show filter ip 10
    ===============================================================================
    IP Filter
    ===============================================================================
    Filter Id : 10                Applied : No
    Scope : Template              Def.
Label          Description (Continued)
Applied        No — The filter policy ID has not been applied.
               Yes — The filter policy ID is applied.
Def. Action    Forward — The default action for the filter ID for packets that do not match the filter entries is to forward.
               Drop — The default action for the filter ID for packets that do not match the filter entries is to drop.
Service Id     The service ID on which the filter policy ID is applied.
Label          Description (Continued)
Match action   Default — The filter does not have an explicit forward or drop match action specified. If the filter entry ID indicates the entry is (Inactive), then the filter entry is incomplete as no action has been specified.
               Drop — Drop packets matching the filter entry.
               Forward — The explicit action to perform is forwarding of the packet.
    Filter Id : 1                 Applied : Yes
    Scope : Template              Def.
Label                   Description (Continued)
Applied                 No — The filter policy ID has not been applied.
                        Yes — The filter policy ID is applied.
Def. Action             Forward — The default action for the filter ID for packets that do not match the filter entries is to forward.
                        Drop — The default action for the filter ID for packets that do not match the filter entries is to drop.
Filter Match Criteria   IP — Indicates the filter is an IP filter policy.
Entry                   The filter ID filter entry ID.
entry entry-id — Displays information on the specified IPv6 filter entry ID for the specified filter ID.
    Values   1 — 9999
associations — Appends information as to where the IPv6 filter policy ID is applied to the detailed filter policy ID output.
counters — Displays counter information for the specified IPv6 filter ID.

Output       Show Filter (no filter-id specified) — The following table describes the command output for the command when no filter ID is specified.
Label                   Description (Continued)
Applied                 No — The filter policy ID has not been applied.
                        Yes — The filter policy ID is applied.
Def. Action             Forward — The default action for the filter ID for packets that do not match the filter entries is to forward.
                        Drop — The default action for the filter ID for packets that do not match the filter entries is to drop.
Filter Match Criteria   IP — Indicates the filter is an IP filter policy.
Entry                   The filter ID filter entry ID.
Filter Policies Label Match action Description (Continued) Default — The filter does not have an explicit forward or drop match action specified. If the filter entry ID indicates the entry is (Inactive), then the filter entry is incomplete as no action has been specified. Drop — Drop packets matching the filter entry. Forward — The explicit action to perform is forwarding of the packet.
IPv6 Filter
===============================================================================
Filter Id   : 100        Applied     : Yes
Scope       : Template   Def. Action : Forward
Entries     : 1
Description : test
-------------------------------------------------------------------------------
Filter Match Criteria : IPv6
-------------------------------------------------------------------------------
Entry       : 10
Log Id      : 101
Src. IP     : ::/0       Src. Port   : None
Dest. IP    : ::/0       Dest.
Label            Description (Continued)
Entry            The filter ID filter entry ID. If the filter entry ID indicates the entry is (Inactive), then the filter entry is incomplete as no action has been specified.
Log Id           The filter log ID.
Src. IP          The source IP address and mask match criterion. 0.0.0.0/0 indicates no criterion specified for the filter entry.
Dest. IP         The destination IP address and mask match criterion. 0.0.0.0/0 indicates no criterion specified for the filter entry.

Label            Description (Continued)
Dest. Port       The destination TCP or UDP port number or port range.
Dscp             The DiffServ Code Point (DSCP) name.
ICMP Code        The ICMP code field in the ICMP header of an IP packet.
Option-present   Off — Specifies not to search for packets that contain the option field or have an option field of zero.
                 On — Matches packets that contain the option field or have an option field of zero to be used as IP filter match criteria.
Int.
A:ALA-48#

Output
Show Filter Counters — The following table describes the output fields when the counters keyword is specified.

Label       Description
IP Filter
Filter Id   The IP filter policy ID.
Scope       Template — The filter policy is of type template.
            Exclusive — The filter policy is of type exclusive.
Applied     No — The filter policy ID has not been applied.
            Yes — The filter policy ID is applied.
Def.

log
Syntax        log log-id [match string] [bindings]
Context       show>filter
Description   Displays the contents of a memory-based or a file-based filter log. If the optional keyword match and string parameter are given, the command displays the given filter log from the first occurrence of the given string.
Parameters    log-id — The filter log ID destination expressed as a decimal integer.

Label               Description (Continued)
Protocol            The IP protocol of the logged packet (TCP, UDP, ICMP or a protocol number in hex).
Flags (TCP flags)   URG — Urgent bit set.
                    ACK — Acknowledgement bit set.
                    RST — Reset bit set.
                    SYN — Synchronize bit set.
                    FIN — Finish bit set.
If an IP protocol does not have a supported decode, the first 32 bytes following the IP header are printed in a hex dump.

Label         Description (Continued)
ArpCnt        Total Number messages logged for this log ID
ArpCnt        Number of arp messages logged.
Mac/IP/IPv6   Address type indication of the key in the mini-table.
count         The number of messages logged with the specified Mac/IP/IPv6 src/dst-address.
address       The 'Crit1' 'Mac/IP/IPv6' address for which 'count' messages were received.
Filter Policies Mac 8 06-06-06-06-06-06 Mac 8 06-06-06-06-06-05 Mac 8 06-06-06-06-06-04 Mac 8 06-06-06-06-06-03 Mac 8 06-06-06-06-06-02 Ip 16 6.6.6.1 Ip 16 6.6.6.2 Ip 16 6.6.6.3 Ip 16 6.6.6.4 Ip 8 6.6.6.
Sample Output
===============================================================================
Mac Filters
===============================================================================
Filter-Id Scope    Applied Description
-------------------------------------------------------------------------------
100       Template No
200       Exclusiv No      Forward SERVER sourced packets
===============================================================================
Filter ID Specified — When the filter ID is specified

Label       Description (Continued)
Dest MAC    The destination MAC address and mask match criterion. When both the MAC address and mask are all zeroes, no criterion specified for the filter entry.
Dot1p       The IEEE 802.1p value for the match criteria. Undefined indicates no value is specified.
Ethertype   The Ethertype value match criterion.
DSAP        The DSAP value match criterion. Undefined indicates no value specified.
SSAP        The SSAP value match criterion. Undefined indicates no value specified.
Show Commands DSAP : Snap-pid : Match action: Ing. Matches: Undefined Undefined Forward 0 SSAP ESnap-oui-zero : Undefined : Undefined Egr. Matches : 0 Entry : Description : Src Mac : Dest Mac : Dot1p : DSAP : Snap-pid : Match action: Ing. Matches: 300 (Inactive) FrameType Not Available 00:00:00:00:00:00 00:00:00:00:00:00 00:00:00:00:00:00 00:00:00:00:00:00 Undefined Ethertype Undefined SSAP Undefined ESnap-oui-zero Default 0 Egr.
Filter Entry Counters Output — When the counters keyword is specified, the filter entry output displays the filter matches/hit information. The following table describes the command output for the command.

Label         Description
Mac Filter
Filter Id     The MAC filter policy ID.
Scope         Template — The filter policy is of type Template.
              Exclusive — The filter policy is of type Exclusive.
Description   The MAC filter policy description.
Applied       No — The filter policy ID has not been applied.

Entry       : 200                FrameType    : 802.2SNAP
Ing. Matches: 0                  Egr. Matches : 0

Entry       : 300 (Inactive)     FrameType    : Ethernet
Ing. Matches: 0                  Egr. Matches : 0
===============================================================================

redirect-policy
Syntax        redirect-policy {redirect-policy-name [dest ip-address] [association]}
Context       show>filter
Description   Displays redirect filter information.
Parameters    redirect-policy-name — Displays information for the specified redirect policy.

Label        Description (Continued)
Interval     Specifies the amount of time in seconds between consecutive requests sent to the far end host.
Drop Count   Specifies the number of consecutive requests that must fail for the destination to be declared unreachable.
Hold Down    Specifies the amount of time in seconds that the system should be held down if any of the tests has marked it unreachable.

Destination : 10.10.10.105
-------------------------------------------------------------------------------
Description    : another test
Admin Priority : 95                    Oper Priority: 105
Admin State    : Up                    Oper State   : Down

Ping Test
Interval       : 1                     Timeout      : 30
Drop Count     : 5
Hold Down      : 0                     Hold Remain  : 0
Last Action at : 03/19/2005 00:46:55   Action Taken : Disable
-------------------------------------------------------------------------------
Destination : 10.10.10.
Clear Commands

ip
Syntax        ip ip-filter-id [entry entry-id] [ingress | egress]
Context       clear>filter
Description   Clears the counters associated with the IP filter policy. By default, all counters associated with the filter policy entries are reset. The scope of which counters are cleared can be narrowed using the command line parameters.
Default       clears all counters associated with the IP filter policy entries.
Parameters    ip-filter-id — The IP filter policy ID.

log
Syntax        log log-id
Context       clear
Description   Clears the contents of a memory or file based filter log. This command has no effect on a syslog based filter log.
Parameters    log-id — The filter log ID destination expressed as a decimal integer.
                  Values 101 — 199

mac
Syntax        mac mac-filter-id [entry entry-id] [ingress | egress]
Context       clear>filter
Description   Clears the counters associated with the MAC filter policy. By default, all counters associated with the filter policy entries are reset.

Monitor Commands

filter
Syntax        filter ip ip-filter-id entry entry-id [interval seconds] [repeat repeat] [absolute | rate]
Context       monitor
Description   This command monitors the counters associated with the IP filter policy.
Parameters    ip-filter-id — The IP filter policy ID.
                  Values 1 — 65535
              entry-id — Specifies that only the counters associated with the specified filter policy entry will be monitored.
                  Values 1 — 65535
              interval — Configures the interval for each display in seconds.
                  Default 5 seconds
                  Values 3 — 60
              repeat repeat — Configures how many times the command is repeated.
                  Default 10
                  Values 1 — 999
              absolute — When the absolute keyword is specified, the raw statistics are displayed, without processing. No calculations are performed on the delta or rate statistics.
              rate — When the rate keyword is specified, the rate-per-second for each statistic is displayed instead of the delta.
Cflowd

In This Chapter

This chapter provides information to configure Cflowd.

Cflowd Overview

Cflowd is a tool used to sample IP traffic data flows through a router. Cflowd enables traffic sampling and analysis by ISPs and network engineers to support capacity planning, trends analysis, and characterization of workloads in a network service provider environment. Cflowd is also useful for Web host tracking, accounting, network planning and analysis, network monitoring, developing user profiles, data warehousing and mining, as well as security-related investigations.

Cflowd Operation

Figure 29 depicts the basic operation of the cflowd feature. This sample flow is only used to describe the basic steps that are performed. It is not intended to specify implementation.

When a flow is exported from the cache, the collected data is sent to an external collector which maintains an accumulation of historical data flows that network operators can use to analyze traffic patterns. Data is exported in one of two formats:
• Version 5 (V5) — V5 generates an export record for each individual flow captured.
• Version 8 (V8) — V8 aggregates multiple individual flows into an aggregate flow.

Figure 30 depicts V5 and V8 flow processing.

Figure 30: V5 and V8 Flow Processing

1. As flows are exported from the active flow cache, the export format must be determined, either V5 or V8.
2.

Cflowd Configuration Process Overview

Figure 31 displays the process to configure Cflowd parameters.

Cflowd Configuration Components

Figure 32 displays the major components to configure Cflowd parameters.

Figure 32: Cflowd Configuration Components (CONFIG, CFLOWD: ACTIVE-TIMEOUT, INACTIVE-TIMEOUT, CACHE-SIZE, OVERFLOW, RATE, COLLECTOR, AGGREGATION, AUTONOMOUS-SYSTEM-TYPE)

• Active timeout — Specifies the time, in minutes, before an active flow is removed from the active cache.

Figure 33 displays the components to specify router interface cflowd parameters.

Figure 33: Router Interface Cflowd Configuration Components (CONFIG, ROUTER, INTERFACE, CFLOWD: ACL, INTERFACE)

• Interface — A specific logical IP routing interface in which cflowd parameters can be configured.
• Cflowd ACL — Cflowd can collect traffic flow samples according to filter parameters for analysis.

Configuration Notes

This section describes cflowd caveats.
• Cflowd is enabled globally.
• At least one collector must be configured and enabled.
• A cflowd option must be specified and enabled on a router interface.
• Sampling can only be enabled on either:
  → An IP filter which is applied to a port or service.
  → An interface on a port or service.
Reference Sources

For information on supported IETF drafts and standards, as well as standard and proprietary MIBS, refer to Standards and Protocol Support on page 715.

Configuring Cflowd with CLI

This section provides information to configure cflowd using the command line interface.

Configuration Overview

The 7750 SR OS implementation of cflowd supports the option to analyze traffic flow. The implementation also supports the use of traffic/access list (ACL) filters to limit the type of traffic that is analyzed. Traffic blocked (dropped) by ACL filters is not sent to cflowd for analysis.

Traffic Sampling

Traffic sampling does not examine all packets received by a router. Command parameters allow the rate at which traffic is sampled and sent for flow analysis to be modified.

Within the active flow cache, the following characteristics are used to identify an individual flow:
• Ingress interface
• Source IP address
• Destination IP address
• Source transport port number
• Destination transport port number
• IP protocol type
• IP TOS byte

The 7750 SR OS implementation allows you to enable cflowd either at the interface level or as an action to a filter.

• Source-destination prefix — Flows are aggregated based on source prefix and mask, destination prefix and mask, source and destination AS, ingress interface and egress interface.

Cflowd CLI Command Structure

The 7750 SR OS cflowd command structure is displayed in Figure 35. Cflowd configuration commands are located under the config>cflowd context and the show commands are under show>cflowd.
List of Commands Table 20 lists all the cflowd configuration commands indicating the configuration level at which each command is implemented with a short command description.
Table 20: CLI Commands to Configure Cflowd Parameters (Continued)

Command                     Description                                                                                                      Page
protocol-port               Specifies that flows be aggregated based on the IP protocol, source port number, and destination port number.   467
raw                         Configures raw flow data to be sent in version 5.                                                                467
source-destination-prefix   Configures cflowd aggregation based on source and destination prefixes.                                         468
source-prefix               Configures cflowd aggregation based on source prefix information.

Basic Cflowd Configuration

This section provides information to configure cflowd and configuration examples of common configuration tasks. In order to sample traffic, the minimal cflowd parameters that need to be configured are:
• Cflowd must be enabled.
• At least one collector must be configured and enabled.
• Sampling must be enabled on either:
  → An IP filter entry and applied to a service or a port.
  → An interface applied to a port.

The following example displays a cflowd configuration.

Common Configuration Tasks

This section provides a brief overview of the tasks that must be performed to configure cflowd and provides the CLI commands. In order to begin traffic flow sampling, cflowd must be enabled and at least one collector must be configured.

Configuring Cflowd

Use the CLI syntax displayed below to perform the following tasks:
• Enabling Cflowd on page 449
• Configuring Global Cflowd Parameters on page 450
• Configuring Cflowd Collectors on page 451
• Enabling Cflowd on Interfaces and Filters on page 453

CLI Syntax: config>cflowd#
    active-timeout minutes
    cache-size num-entries
    inactive-timeout seconds
    overflow percent
    rate sample-rate
    collector ip-address[:port]
        aggregation
            as-matrix
            destination-prefix
            protocol-port
            raw
            source-destination

Enabling Cflowd

Cflowd is disabled by default. You must enter the no shutdown command to administratively enable traffic sampling. Use the following CLI syntax to enable cflowd:

CLI Syntax: config# cflowd
    no shutdown

The following example displays the default values when cflowd is initially enabled. No collectors or collector options are configured.

ALA-1>config# info detail
...
Configuring Global Cflowd Parameters The following cflowd parameters apply to all instances where cflowd (traffic sampling) is enabled.
Configuring Cflowd Collectors

To configure cflowd collector parameters, enter the following commands:

CLI Syntax: config>cflowd#
    collector ip-address[:port]
        aggregation
            as-matrix
            destination-prefix
            protocol-port
            raw
            source-destination-prefix
            source-prefix
        autonomous-system-type [origin | peer]
        description description-string
        no shutdown

The following example displays collector and aggregation configuration command usage:

Example: config>cflowd# collector 10.10.10.

The following example displays the basic cflowd configuration:

ALA-1>config>cflowd# info
----------------------------------------
    active-timeout 20
    inactive-timeout 10
    overflow 10
    rate 100
    collector 10.10.10.1:2000
        aggregation
            as-matrix
            raw
        exit
        description "AS info collector"
    exit
    collector 10.10.10.

Enabling Cflowd on Interfaces and Filters

This section discusses the following cflowd configuration management tasks:
• Dependencies on page 453
• Specifying Cflowd Options on an IP Interface on page 455
  → Interface Configurations on page 455
  → Service Interfaces on page 456
• Specifying Sampling Options in Filter Entries on page 457
  → Interface Configurations on page 455

Dependencies

In order for cflowd to be operational, the following requirements must be met:
• Cflowd must be enabled on a
Table 21: Cflowd Configuration Dependencies Interface Setting router>interface cflowd [acl | interface] Setting Command ip-filter entry Expected Results IP-filter mode ACL filter-sampled Traffic matching is sampled at specified rate. IP-filter mode ACL no filter-sampled No traffic is sampled on this interface. Interface mode or cflowd not enabled on interface interface filter-sampled Command is ignored. No sampling occurs.
Specifying Cflowd Options on an IP Interface

When cflowd is enabled on an interface, all packets forwarded by the interface are subject to analysis according to the global cflowd configuration and sorted according to the collector configuration(s). Refer to Table 21, Cflowd Configuration Dependencies, on page 454 for configuration combinations.

To enable filter traffic sampling, the following requirements must be met:
1. Cflowd must be enabled globally.
2.

Service Interfaces

CLI Syntax: config>service>vpls service-id#
    interface ip-int-name
        cflowd {acl|interface}

When enabled on a service interface, cflowd collects routed traffic flow samples through a router for analysis. Cflowd is supported on IES and VPRN services interfaces only. Layer 2 traffic is excluded. All packets forwarded by the interface are analyzed according to the cflowd configuration. On the interface level, cflowd can be associated with a filter (ACL) or an IP interface.

Specifying Sampling Options in Filter Entries

Packets are matched against filter entries to determine acceptability. With cflowd, only the first packet of a flow is compared. If the first packet matches the filter criteria, then an entry is added to the cflowd cache. Subsequent packets in the same flow are also sampled based on the cache entry.

Cflowd Configuration Management Tasks

This section discusses the following cflowd configuration management tasks:
• Modifying Global Cflowd Components on page 459
• Modifying Cflowd Collector Parameters on page 460

Use the following CLI syntax to modify cflowd parameters.

Modifying Global Cflowd Components

Cflowd parameter modifications apply to all instances where cflowd or traffic sampling is enabled. Changes are applied immediately.

Modifying Cflowd Collector Parameters

Use the following commands to modify cflowd collector and aggregation parameters:

CLI Syntax: config>cflowd#
    [no] collector ip-address[:port]
        [no] aggregation
            [no] as-matrix
            [no] destination-prefix
            [no] protocol-port
            [no] raw
            [no] source-destination-prefix
            [no] source-prefix
        autonomous-system-type [origin | peer]
        no autonomous-system-type
        description description-string
        no description
        [no] shutdown

The following example displays collector and aggregation configuration c

The following example displays the basic cflowd modifications:

ALA-1>config>cflowd# info
----------------------------------------
    active-timeout 60
    overflow 2
    rate 10
    collector 10.10.10.1:2000
        description "AS info collector"
    exit
    collector 10.10.10.
Cflowd Command Reference

Command Hierarchies

Configuration Commands

config
    — [no] cflowd
        — active-timeout minutes
        — no active-timeout
        — cache-size num-entries
        — no cache-size
        — [no] collector ip-address[:port]
            — [no] aggregation
                — [no] as-matrix
                — [no] destination-prefix
                — [no] protocol-port
                — [no] raw
                — [no] source-destination-prefix
                — [no] source-prefix
            — autonomous-system-type {origin | peer}
            — no autonomous-system-type
            — description description-string
            — no description
            — [no] shutdown
        — inactive-
Cflowd Configuration Commands

Global Commands

cflowd
Syntax        [no] cflowd
Context       config>cflowd
Description   This command creates the context to configure cflowd. The interface can be set to either sample all packets (interface mode) or sample only packets matching an IP filter with an action of filter-sample.
              The no form of this command disables cflowd.

cache-size
Syntax        cache-size num-entries
              no cache-size
Context       config>cflowd
Description   This command specifies the maximum number of active flows to maintain in the flow cache table.
              The no form of this command resets the number of active entries back to the default value.
Default       65536 (64K)
Parameters    num-entries — The number of entries maintained in the cflowd cache.

as-matrix
Syntax        [no] as-matrix
Context       config>cflowd>collector>aggregation
Description   This command specifies that the aggregation data should be based on autonomous system (AS) information. An AS matrix contains packet and byte counters for traffic from either source-destination autonomous systems or last-peer to next-peer autonomous systems.
              The no form of this command removes this type of aggregation from the collector configuration.

source-destination-prefix
Syntax        [no] source-destination-prefix
Context       config>cflowd>collector>aggregation
Description   This command configures cflowd aggregation based on source and destination prefixes.
              The no form of this command removes this type of aggregation from the collector configuration.

Default       No description is associated with the configuration context.
Parameters    description-string — The description character string. Allowed values are any string up to 80 characters long composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, etc.), the entire string must be enclosed within double quotes.

shutdown
Syntax        [no] shutdown
Context       config>cflowd
              config>cflowd>collector
Description   This command administratively disables an entity.

overflow
Syntax        overflow percent
              no overflow
Context       config>cflowd
Description   This command specifies the percentage of the flow cache entries removed when the maximum number of entries is exceeded. The entries removed are the entries that have not been updated for the longest amount of time.
              The no form of this command resets the number of entries cleared from the flow cache on overflow to the default value.
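The interaction of cache-size, overflow, active-timeout and inactive-timeout with the seven-field flow key and the protocol-port aggregation scheme can be modelled as below. This is an added example, not Alcatel-Lucent code: the class and function names, the constructed packets, the removal of an idle flow once the inactive timeout elapses, and the aging check on every sampled packet are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import NamedTuple


class FlowKey(NamedTuple):
    """The seven fields the guide lists as identifying one flow."""
    ingress_if: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int
    tos: int


@dataclass
class Flow:
    key: FlowKey
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0


class FlowCache:
    def __init__(self, cache_size, overflow_pct, active_min, inactive_sec):
        self.cache_size = cache_size
        self.overflow_pct = overflow_pct
        self.active = active_min * 60    # active-timeout is given in minutes
        self.inactive = inactive_sec     # inactive-timeout is given in seconds
        self.flows = {}                  # FlowKey -> Flow
        self.removed = []                # (reason, Flow) in removal order

    def _remove(self, key, reason):
        self.removed.append((reason, self.flows.pop(key)))

    def age(self, now):
        # Assumption: aging is checked whenever a sampled packet arrives.
        for key, flow in list(self.flows.items()):
            if now - flow.last_seen >= self.inactive:
                self._remove(key, "inactive")
            elif now - flow.first_seen >= self.active:
                self._remove(key, "active")

    def _overflow(self):
        # Remove overflow_pct percent of entries, least recently updated first.
        count = max(1, len(self.flows) * self.overflow_pct // 100)
        stale = sorted(self.flows.values(), key=lambda f: f.last_seen)[:count]
        for flow in stale:
            self._remove(flow.key, "overflow")

    def sample(self, now, key, length):
        self.age(now)
        if key not in self.flows:
            if len(self.flows) >= self.cache_size:
                self._overflow()
            self.flows[key] = Flow(key, now, now)
        flow = self.flows[key]
        flow.last_seen = now
        flow.packets += 1
        flow.octets += length


def aggregate_protocol_port(flows):
    """protocol-port scheme: one total per (protocol, src port, dst port)."""
    totals = defaultdict(lambda: {"flows": 0, "packets": 0, "octets": 0})
    for flow in flows:
        agg = totals[(flow.key.protocol, flow.key.src_port, flow.key.dst_port)]
        agg["flows"] += 1
        agg["packets"] += flow.packets
        agg["octets"] += flow.octets
    return dict(totals)


def run_demo():
    def key(src, sport, dport, proto):
        return FlowKey("to-core", src, "10.0.0.9", sport, dport, proto, 0)
    a, b = key("10.0.0.1", 1025, 53, 17), key("10.0.0.2", 1025, 53, 17)
    c, d, e = (key(ip, 40000, 443, 6) for ip in ("10.0.0.3", "10.0.0.4", "10.0.0.5"))
    # Constructed sampled packets: (time in seconds, flow key, length in bytes).
    packets = [(0, a, 80), (1, b, 80), (2, c, 1500), (3, d, 1500), (5, e, 1500)]
    packets += [(t, c, 1500) for t in range(10, 80, 10)]  # c stays busy to t=70
    cache = FlowCache(cache_size=4, overflow_pct=50, active_min=1, inactive_sec=15)
    for now, flow_key, length in packets:
        cache.sample(now, flow_key, length)
    return cache
```

Calling run_demo() and reading cache.removed shows two flows pushed out by overflow, two aged out as inactive, and one long-lived flow cut at the active timeout; passing those flows to aggregate_protocol_port() collapses the five per-flow records into two aggregates.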
Show Commands

collector
Syntax        collector [ip-addr[:port]] [detail]
Context       show>cflowd
Description   This command displays administrative and operational status of data collector configuration.
Parameters    ip-addr — Display only information about the specified collector IP address.
                  Default all collectors
              :port — Display only information about the collector on the specified UDP port.

Sample Output

ALA-1# show cflowd collector 10.10.10.103:5
=========================================================================
Cflowd Collectors
=========================================================================
Host Address Port AS Type Admin Oper Recs Sent
-------------------------------------------------------------------------
10.10.10.

Table 23: Show Cflowd Collector Detailed Output Fields (Continued)

Label         Description
Aggregation   The bit mask which specifies the aggregation scheme(s) used to aggregate multiple individual flows into an aggregated flow for export to this remote host collector.
              none — No data will be exported for this remote collector host.
              raw — Flow data is exported without aggregation in version 5 format.
              All other aggregation types use version 8 format to export the flow data to this remote host collector.

Output
cflowd Interface Output — The following table describes the show cflowd interface output fields.

Label        Description
Interface    Displays the physical port identifier.
IP Address   Displays the IP address.
Mode         Displays the mode.
Admin        Displays the administrative state of the interface.
Oper         Displays the operational state of the interface.

Table 24: Show Cflowd Status Output Fields

Label                 Description
Cflowd Admin Status   The desired administrative state for this Cflowd remote collector host.
Cflowd Oper Status    The current operational status of this Cflowd remote collector host.
Active Timeout        The maximum amount of time, in minutes, before an active flow will be exported. If an individual flow is active for this amount of time, the flow is exported and a new flow is created.

Clear Commands

cflowd
Syntax        cflowd
Context       clear
Description   Clears the active and aggregation flow caches which are sending flow data to the configured collectors. This action will trigger all the flows to be exported to the collector(s). The caches restart flow data collection from a fresh state. This command also clears collector statistics, such as Pkts Sent and Flows Sent.
Standards and Protocol Support Standards Compliance IEEE 802.1d IEEE 802.1p/Q IEEE 802.1s IEEE 802.1w IEEE 802.1x IEEE 802.3 IEEE 802.3ad IEEE 802.3ae IEEE 802.3u IEEE 802.3x IEEE 802.
Standards and Protocols RFC 4644 Transmission of IPv6 Packets over Ethernet Networks RFC 2529 Transmission of IPv6 over IPv4 Domains without Explicit Tunnels RFC 2545 Use of BGP-4 Multiprotocol Extension for IPv6 Inter-Domain Routing RFC 2740 OSPF for IPv6 RFC 3587 IPv6 Global Unicast Address Format RFC 4007 IPv6 Scoped Address Architecture RFC 4193 Unique Local IPv6 Unicast Addresses RFC 4291 IPv6 Addressing Architecture draft-ietf-ipv6-over-ppp-v2-02 draft-ietf-isis-ipv6-05 draft-ietf-isis-wg-multi-topolo
Standards and Protocols VPLS draft-ietf-l2vpn-vpls-ldp-08.txtVirtual Private LAN Services Using LDP PSEUDO-WIRE RFC 3985 Pseudo Wire Emulation Edge-to-Edge (PWE3) RFC 4385 Pseudo Wire Emulation Edge-to-Edge (PWE3) Control Word for Use over an MPLS PSN RFC 3916 Requirements for PseudoWire Emulation Edge-to-Edge (PWE3) draft-ietf-pwe3-atm-encap-10.txt draft-ietf-pwe3-cell-transport-04.txt draft-ietf-pwe3-ethernet-encap-11.txt draft-ietf-pwe3-frame-relay-07.txt draft-ietf-pwe3-control-protocol-17.
Standards and Protocols TIMETRA-VRTR-MIB.